Topic: Folder Option Lost CMD disabled

Mar91
Folder Option Lost CMD disabled
« on: October 02, 2007, 11:14:33 AM »
Hi. I searched Google when I had this problem to see hidden files, then I saw a topic on this forum from back in 2006, so I tried what it says, but it didn't work. T_T... Maybe my problem is a bit different from his.

So can anyone help me? This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:10 AM, on 10/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Flash.10.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Macromedia.10.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F3 - REG:win.ini: load=Flash.10.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKCU\..\Run: [Windows MSN] C:\Program Files\Common Files\Microsoft Shared\DAO\MSN.msn
O4 - Global Startup: (Empty).empty
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/

Thanks.

And I just reformatted my computer after copying my documents to an external hard disk, and I thought it worked, but the moment I copied the documents back from the hard disk the problem occurred again. Please help.
« Last Edit: October 02, 2007, 11:16:07 AM by Mar91 »

guestolo (Administrator)
Folder Option Lost CMD disabled
« Reply #1 on: October 02, 2007, 06:28:59 PM »
The problem seems to be that after you clean-installed, whatever you transferred to your external drive contained infected files, so it is probably corrupted also.

Try the following:
Download this file - ComboFix.exe - and save it ONLY to your desktop.
Double-click ComboFix.exe and follow the prompts.
When finished, it will produce a log for you.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post back the log from ComboFix please, along with a fresh HijackThis log.

Do you want to post your own logs from FRST? Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Mar91
Folder Option Lost CMD disabled
« Reply #2 on: October 03, 2007, 12:07:10 AM »
ComboFix 07-10-03.8 - a_abcdef_133 2007-10-03 12:58:38.1 - FAT32 x86
Input Error: There is no script engine for file extension ".vbs".
Running from: C:\Documents and Settings\a_abcdef_133\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\(empty).empty
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\dxdiag.com
C:\WINDOWS\system32\msconfig.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com

.
(((((((((((((((((((((((((   Files Created from 2007-09-03 to 2007-10-03  )))))))))))))))))))))))))))))))
.

2007-10-03 12:58 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-03 12:55 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-03 12:42 76,351 --a------ C:\WINDOWS\War3Unin.dat
2007-10-03 12:42 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-10-03 12:42 139,264 --a------ C:\WINDOWS\War3Unin.exe
2007-10-03 12:39 <DIR> d-------- C:\Program Files\Warcraft III
2007-10-03 11:04 48,128 --a------ C:\WINDOWS\system32\Remove.exe
2007-10-03 11:04 <DIR> d-------- C:\WINDOWS\PixArt
2007-10-03 11:04 <DIR> d-------- C:\Program Files\PC Camer@
2007-10-03 11:04 <DIR> d-------- C:\Program Files\Common Files\PAC207
2007-10-03 08:42 <DIR> d-------- C:\Documents and Settings\PriNceSs  KaUthAr~96\WINDOWS
2007-10-03 08:42 <DIR> d-------- C:\Documents and Settings\PriNceSs  KaUthAr~96\Application Data\Yahoo!
2007-10-03 08:42 <DIR> d-------- C:\Documents and Settings\PriNceSs  KaUthAr~96\Application Data\InterTrust
2007-10-03 08:42 <DIR> d-------- C:\Documents and Settings\PriNceSs  KaUthAr~96\Application Data\Google
2007-10-02 16:01 6,656 --a------ C:\WINDOWS\system32\dllcache\batt.dll
2007-10-02 16:01 22,016 --a------ C:\WINDOWS\system32\dllcache\agt0408.dll
2007-10-02 16:01 19,968 --a------ C:\WINDOWS\system32\dllcache\agt040e.dll
2007-10-02 16:01 19,456 --a------ C:\WINDOWS\system32\dllcache\agt041f.dll
2007-10-02 16:01 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0419.dll
2007-10-02 16:01 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0415.dll
2007-10-02 16:01 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0405.dll
2007-10-02 15:53 <DIR> d-------- C:\Program Files\Google
2007-10-02 15:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-10-02 15:50 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2007-10-02 15:50 <DIR> d-------- C:\Program Files\Stardock
2007-10-02 15:50 <DIR> d-------- C:\Program Files\Common Files\Stardock
2007-10-02 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-02 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-02 09:19 <DIR> d-------- C:\Documents and Settings\tek masam\WINDOWS
2007-10-02 09:19 <DIR> d-------- C:\Documents and Settings\tek masam\Application Data\InterTrust

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-02 23:39 --------- d-------- C:\Program Files\Yahoo!
2007-10-02 23:15 6912 --a------ C:\WINDOWS\system32\drivers\NTIDrvr.sys
2007-10-02 23:15 --------- d-------- C:\Program Files\NewTech Infosystems
2007-10-02 23:14 --------- d-------- C:\Program Files\CyberLink
2007-10-02 23:14 --------- d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-10-02 23:13 --------- d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\InterTrust
2007-10-02 23:12 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-10-02 23:12 --------- d-------- C:\Program Files\Realtek Sound Manager
2007-10-02 23:12 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-10-02 23:12 --------- d-------- C:\Program Files\AvRack
2007-10-02 23:07 --------- d-------- C:\Program Files\microsoft frontpage
2007-09-06 18:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-06 18:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 18:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 18:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 18:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 18:00 95608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-06 18:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-05-10 10:30:32 57,344 --sha-r C:\WINDOWS\system32\JambanMu.com
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 18:15]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 15:34 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2003-10-31 11:45]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 18:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows MSN"="C:\Program Files\Common Files\Microsoft Shared\DAO\MSN.msn" [2007-05-10 18:30]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-03-28 15:10]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-10-02 15:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebad2c25-7178-11dc-8a09-86b67773921b}]
AutoRun\command- RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- E:\Flash.10.Setup.exe
Open\command- E:\Flash.10.Setup.exe
Scan for Viruses\command- E:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebad2c26-7178-11dc-8a09-86b67773921b}]
AutoRun\command- RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\command- F:\Flash.10.Setup.exe
Open\command- F:\Flash.10.Setup.exe
Scan for Viruses\command- F:\Scanner.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-03 12:59:19
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-03 12:59:41
C:\ComboFix-quarantined-files.txt ... 2007-10-03 12:59
.
 --- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 1:02:41 PM, on 10/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Flash.10.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\Macromedia.10.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\HijackThis\HijackThis13.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Windows MSN] C:\Program Files\Common Files\Microsoft Shared\DAO\MSN.msn
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
« Last Edit: October 04, 2007, 12:16:24 AM by guestolo »

guestolo (Administrator)
Folder Option Lost CMD disabled
« Reply #3 on: October 04, 2007, 12:32:20 AM »
Not sure why you wrapped your reply in quotes, but there is no need to do so.

Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system.
  • Download the latest version of  Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language  and save it to your desktop (13.90 MB).
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.

- Examples of older versions in Add or Remove Programs:

    * Java 2 Runtime Environment, SE v1.4.2
    * J2SE Runtime Environment 5.0
    * J2SE Runtime Environment 5.0 Update 6

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
DON'T install the latest version yet.

Plug your external hard drive and any other USB thumb drive or flash device into your computer.

Open Notepad and copy/paste the text in the quote box below into it.
Don't use anything other than Notepad or the script will not work.

Quote
File::
C:\WINDOWS\system32\JambanMu.com
E:\Flash.10.Setup.exe
E:\Flash.10.Setup.exe
E:\Scanner.exe
F:\Flash.10.Setup.exe
F:\Scanner.exe
C:\WINDOWS\system32\Flash.10.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows MSN"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebad2c25-7178-11dc-8a09-86b67773921b}]
Save this as a text file named CFScript.txt.


Take note of the picture above.
Drag CFScript.txt onto ComboFix.exe.

When finished, it will produce a log for you, C:\ComboFix.txt.
I will need to see this log again later.

Also do the following, using the Internet Explorer browser:
Run an online virus scan at Kaspersky's.
At the link, click the button Kaspersky Online Scanner.
Accept the prompt at the Welcome screen.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now, under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop. I will need to see it later.


Post back that report later, please.

Along with the following:
1. The new combofix log>>C:\ComboFix.txt
2. A new Hijackthis log
3. Don't forget to post the report from Kaspersky's

Keep me informed how things are running

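
The ComboFix log in Reply #2 and the CFScript in Reply #3 together show three things worth being able to pick out of a log automatically: same-named `.com` copies of built-in tools dropped into system32 (because the default PATHEXT lists `.COM` before `.EXE`, typing `cmd` or `regedit` launches the dropped file instead of the real one, which is why "CMD" looked disabled); MountPoints2 entries whose Open/Explore/AutoRun commands point at executables on the removable drives E: and F: (how the external disk re-infected the fresh install); and a non-default AppInit_DLLs value (here `wbsys.dll`, which lines up with the Stardock install at the same timestamp, so it needs review rather than automatic deletion). The script below is an added example written for this page; it is not ComboFix, HijackThis, or anything the thread's participants posted. It parses a constructed excerpt of the log lines quoted above, mimics PATHEXT resolution to show why the `.com` file wins, and emits the same `File::` / `Registry::` CFScript layout guestolo used. The regexes and the list of built-in tool names are assumptions chosen to fit the log format shown in the thread.

```python
"""
Added example, not part of the original thread: scan a ComboFix-style log
excerpt for (1) *.com shadows of built-in tools in system32, (2) MountPoints2
autorun commands pointing at removable drives, (3) AppInit_DLLs values, and
turn the findings into a CFScript in the thread's File::/Registry:: layout.
"""
import re

# Constructed excerpt of the log lines quoted in the thread (not a full log).
SAMPLE_LOG = """\
C:\\WINDOWS\\system32\\cmd.com
C:\\WINDOWS\\system32\\dxdiag.com
C:\\WINDOWS\\system32\\msconfig.com
C:\\WINDOWS\\system32\\ping.com
C:\\WINDOWS\\system32\\regedit.com
2007-05-10 10:30:32 57,344 --sha-r C:\\WINDOWS\\system32\\JambanMu.com
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"appinit_dlls"=wbsys.dll
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{ebad2c25-7178-11dc-8a09-86b67773921b}]
AutoRun\\command- RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
Explore\\command- E:\\Flash.10.Setup.exe
Open\\command- E:\\Flash.10.Setup.exe
Scan for Viruses\\command- E:\\Scanner.exe
"""

# Default Windows PATHEXT order: .COM is tried before .EXE.
PATHEXT = [".com", ".exe", ".bat", ".cmd", ".vbs", ".js"]
# Built-in tools that ship as .exe; a same-named .com beside them is a shadow.
# (Assumed list; extend as needed.)
BUILTIN_TOOLS = {"cmd", "regedit", "msconfig", "ping", "dxdiag", "taskmgr", "notepad"}

SYS32_FILE = re.compile(r"(?i)(C:\\WINDOWS\\system32\\([^\\\s]+)\.(com|pif|scr))\s*$")
MOUNTPOINT = re.compile(r"(?i)^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]")
MP_COMMAND = re.compile(r"^([^\\]+)\\command-\s*(.+)$")
APPINIT = re.compile(r'(?i)^"appinit_dlls"\s*=\s*(.+)$')


def resolve_command(name, files_in_dir):
    """Mimic how a bare command name is resolved inside one directory:
    the first PATHEXT extension that exists wins, so cmd.com beats cmd.exe."""
    present = {f.lower() for f in files_in_dir}
    for ext in PATHEXT:
        if (name + ext).lower() in present:
            return name + ext
    return None


def scan_log(text):
    """Walk the log once and collect the three kinds of indicator."""
    findings = {"shadowed_tools": [], "odd_com_files": [], "mountpoints": {}, "appinit": []}
    current_mp = None
    for line in text.splitlines():
        m = SYS32_FILE.search(line)
        if m:
            full, stem = m.group(1), m.group(2).lower()
            (findings["shadowed_tools"] if stem in BUILTIN_TOOLS
             else findings["odd_com_files"]).append(full)
            continue
        m = MOUNTPOINT.match(line)
        if m:
            current_mp = m.group(1)
            findings["mountpoints"][current_mp] = []
            continue
        m = MP_COMMAND.match(line)
        if m and current_mp:
            findings["mountpoints"][current_mp].append((m.group(1), m.group(2).strip()))
            continue
        m = APPINIT.match(line)
        if m:
            # Not auto-deleted: AppInit_DLLs is also used by legitimate
            # shell extenders (wbsys.dll belongs to the Stardock install here).
            findings["appinit"].append(m.group(1).strip())
    return findings


def cfscript_from_findings(findings):
    """Emit File:: and Registry:: sections in the CFScript layout from the thread:
    dropped .com files and removable-drive payloads to delete, MountPoints2 keys to remove."""
    files = list(findings["shadowed_tools"]) + list(findings["odd_com_files"])
    for cmds in findings["mountpoints"].values():
        for _verb, cmd in cmds:
            if re.match(r"(?i)^[a-z]:\\", cmd) and cmd not in files:  # absolute drive path
                files.append(cmd)
    out = ["File::"] + files + ["", "Registry::"]
    for guid in findings["mountpoints"]:
        out.append(r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\%s]" % guid)
    return "\n".join(out)


if __name__ == "__main__":
    f = scan_log(SAMPLE_LOG)
    print("typing 'cmd' runs:", resolve_command("cmd", ["cmd.exe", "cmd.com"]))
    print("review AppInit_DLLs:", f["appinit"])
    print(cfscript_from_findings(f))
```

Running it against the constructed excerpt reports that `cmd` resolves to `cmd.com`, lists the five shadowed tools plus `JambanMu.com`, and prints a CFScript whose `File::` section contains the system32 `.com` files and the E:\ payloads and whose `Registry::` section names the MountPoints2 key, matching what guestolo scripted by hand. The AppInit_DLLs value is reported for review only; deleting a legitimate shell hook there would break the Stardock theme engine, not the malware.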