Hidden Folder Does Not Show Up, Help Pls!
Hello. I have a small problem with Windows. When I try to set it to show hidden files, it no longer works. I tried with the antivirus and nothing, the same thing happens. After I tick "show hidden files and folder" and click OK, nothing happens; when I go back in there, it is set not to show them. One more thing. When I go into My Computer and select a partition to open, instead of opening in the My Computer window, it opens in a separate window. Please help me. Thanks!
Comments
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:13:18, on 17.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\maryus\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
--
End of file - 1737 bytes
..I hope I did this right.. and I should mention that when I use Internet Explorer an error appears, something like "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience." :-s
-
Download Combofix, run it, and post the log.
While Combofix is running, do not open any other applications. Also, your internet connection will be cut off, which is normal (it will come back automatically when Combofix finishes).
After you run Combofix, make a new HijackThis log and post it alongside the Combofix one.
Cris.
-
Hi Cris,
I want to thank you for helping me. Right after I ran Combofix my problem was solved :). Thank you very much. I don't know whether it is still important to post the "Combofix" log (I don't want to clutter the page too much). Here is the one from Combofix. Once again, thank you very much.
ComboFix 08-08-18.01 - maryus 2008-08-19 0:30:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.525 [GMT 3:00]
Running from: C:\Documents and Settings\maryus\My Documents\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\Documents and Settings\maryus\Cookies\maryus@ad.yieldmanager[2].txt
C:\Documents and Settings\maryus\Cookies\maryus@oa.torrent-toolbar[1].txt
C:\Documents and Settings\maryus\UserData
C:\Documents and Settings\maryus\UserData\FO0MFZNF\sn[1].xml
C:\Documents and Settings\maryus\UserData\index.dat
C:\WINDOWS\system32\fool0.dll
C:\WINDOWS\system32\ieso0.dll
C:\WINDOWS\system32\kxvo.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-17 23:48 . 2008-08-17 23:48 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-08-17 23:48 . 2008-08-17 23:48 <DIR> d-------- C:\Program Files\AvRack
2008-08-17 23:48 . 2004-11-17 11:08 16,162,816 --a------ C:\WINDOWS\system32\ALSNDMGR.CPL
2008-08-17 23:48 . 2004-11-17 11:11 9,319,936 --a------ C:\WINDOWS\system32\RTLCPL.EXE
2008-08-17 23:48 . 2004-11-17 14:05 2,297,664 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2008-08-17 23:48 . 2004-11-05 11:29 208,896 --------- C:\WINDOWS\alcupd.exe
2008-08-17 23:48 . 2004-09-07 09:23 156,672 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
2008-08-17 23:48 . 2002-02-05 08:54 141,016 --a------ C:\WINDOWS\system32\ALSNDMGR.WAV
2008-08-17 23:48 . 2004-09-01 15:04 139,264 --------- C:\WINDOWS\alcrmv.exe
2008-08-17 23:48 . 2004-11-15 13:20 77,824 --a------ C:\WINDOWS\SOUNDMAN.EXE
2008-08-17 23:48 . 2004-10-27 10:47 40,960 --------- C:\WINDOWS\system32\ChCfg.exe
2008-08-17 23:48 . 2001-07-05 19:19 164 --------- C:\WINDOWS\avrack.ini
2008-08-17 23:39 . 2008-08-17 23:45 <DIR> d-------- C:\Program Files\Winamp
2008-08-17 23:39 . 2008-08-17 23:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-17 23:31 . 2008-08-17 23:31 <DIR> d-------- C:\Program Files\Yahoo!
2008-08-17 19:49 . 2008-08-17 23:25 <DIR> d-------- C:\Program Files\SopCast4.5
2008-08-11 06:49 . 2008-05-27 02:03 16,792 --a------ C:\WINDOWS\system32\gorun2.exe
2008-08-11 06:43 . 2008-08-11 06:43 16 --a------ C:\WINDOWS\system32\runy.bat
2008-08-11 05:03 . 2008-08-13 09:07 23,040 --a------ C:\WINDOWS\system32\systemcore.ocx
2008-08-11 05:03 . 2008-05-27 02:03 16,792 --a------ C:\WINDOWS\system32\gorun.exe
2008-08-11 05:03 . 2008-08-13 09:03 1,173 --a------ C:\WINDOWS\system32\systemcore.inf
2008-08-11 05:03 . 2008-08-11 05:44 174 --a------ C:\WINDOWS\system32\codecs.bat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 21:32 --------- d-----w C:\Program Files\Norton AntiVirus
2008-08-18 05:59 --------- d-----w C:\Program Files\BSplayer_WhenUSave_Installer
2008-08-17 20:48 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-17 03:50 --------- d-----w C:\Program Files\VIA
2008-08-17 03:37 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-28 05:57 147,355 --sh--r C:\63.com
2004-01-01 05:01 224,143 ----a-w C:\Documents and Settings\maryus\maryus.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-11-05 17:43 1258248]
"maryus"="C:\Documents and Settings\maryus\maryus.exe" [2004-01-01 08:01 224143]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 13:04 84640]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 07:22 26248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe" [2006-09-03 05:36 100032]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-02-13 21:29 35328 C:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-11-15 13:20 77824 C:\WINDOWS\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
Contents of the 'Scheduled Tasks' folder
2004-01-01 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - maryus.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2006-09-07 11:38]
2004-01-01 C:\WINDOWS\Tasks\Uniblue SpyEraser.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2007-11-05 17:43]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-kxva - C:\WINDOWS\system32\kxvo.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.ro/
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 00:33:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-08-19 0:52:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-18 21:52:17
Pre-Run: 12,685,393,920 bytes free
Post-Run: 12,749,774,848 bytes free
123
-
Please post a new HijackThis log.
Also, look for the following files, put them in an archive with the password infected, and attach it to your next post:
C:\WINDOWS\system32\ChCfg.exe
C:\WINDOWS\system32\gorun.exe
C:\WINDOWS\system32\gorun2.exe
C:\Documents and Settings\maryus\maryus.exe
C:\63.com
C:\WINDOWS\system32\runy.bat
C:\WINDOWS\system32\codecs.bat
Before you look for them, make sure you set Windows to show hidden and system files. Details HERE.
Cris.
-
Hi Cris,
Here is the HijackThis log too. I hope I did the upload correctly, but I did not find "C:\Documents and Settings\maryus\maryus.exe". Greetings, and thank you once again for the help. :-)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:28:09, on 01.01.2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\ErrorSmart\ErrorSmart.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\maryus\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [maryus] C:\Documents and Settings\maryus\maryus.exe
O4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
--
End of file - 2268 bytes
..coming back for a moment.. I looked at the HijackThis log and noticed that there is a program "maryus.exe" in C; I looked more carefully.. and there is nothing there, and I did set XP correctly to show hidden files
-
Please delete the file c:\63.com.orig because it is malware.
Also, the file C:\windows\system32\runy.bat, if it was not put there and used by you, it would be a good idea to delete it. When executed, it restarts your computer.
-
If you no longer have any problems now, what remains is to solve the Generic Host Process error.
The problem has been acknowledged by Microsoft (it is caused by a vulnerability) and two patches that fix it have been released on Windows Update:
WindowsXP-KB921883-x86-ENU.exe
WindowsXP-KB894391-x86-ENU.exe
Install them one at a time, restart after each one, and then the error should no longer appear.
Cris.
-
Once again, thank you very much for the help :-). You get a 10 out of 10! Thanks a lot