> Cannot view hidden and system files, When my computer was infected by worm...
ramartx
post 19.05.2007 11:27
Post #1


Member
**

Group: Members
Posts: 11
Joined: 19.05.2007




Hi everybody

I am new to this forum and also to the world of computing/IT stuff. I am having the following problem with my computer:

Problem
I want to view hidden and system files on Windows XP SP2, and for this purpose I go to Tools/Folder Options/View, remove the tick from Hide Protected operating system files and check the Show hidden files and folders option. But Windows doesn't show them to me anyway. I have checked the view settings once again and noticed that the system automatically checks the Hide hidden files and folders option.

Reason
I have scanned my computer with the Russian version of Kaspersky Anti-Virus 6.0.1.411 and it found several infected areas with Worm.Win32.VB.el and several files like sal.xls.exe. I gave Kaspersky permission to delete everything that it identifies as a virus. By the way, I scanned with yesterday's update of the Kaspersky virus bases. Kaspersky successfully finished its work. No items were put into quarantine. But the problem of not viewing hidden files still remains.

After the Kaspersky scan there was one more problem whenever I tried to open my disk drives. I know that things like sal.xls.exe, copy.exe or recycler/info.exe (they are hidden files and they were all present on my computer at some time) create files like a hidden autorun.ifi, which is a text file containing things like this:
[AutoRun]
open=sal.xls.exe
shellexecute=sal.xls.exe
shell\Auto\command=sal.xls.exe
shell=Auto
[VVflagRun]
aabb=kdkfjdkfk11

The problem would be solved if I just deleted this file, but I couldn't view the hidden files. Then I googled it on the web and found two more ways to enable viewing hidden files:
1) Total Commander: using this I have deleted autorun.ifi
2) Unhide files by going to Start->Run, typing in regsvr32 /u occache.dll and hitting OK. Rehide files: Start->Run, type in regsvr32 occache.dll and hit OK.
in http://forums.spywareinfo.com/lofiversion/...php/t83083.html
This way didn't work. Windows gave a message box with the text that the action was performed successfully.

Research and Actions Done
I have googled the suggestions on removing registry entries done by sal.xls.exe on http://www.trendmicro.com/vinfo/virusencyc...VB.CII&VSect=Sn
and deleted entries:
MsServer = "msfir80.exe" in HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
IMJPMIG8.2 = "msime80.exe" in HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

but the topic problem still remains

Radical Solution
To format the hard disk and reinstall Windows, or to update Windows, which will itself correct the mistakes

Questions
1) Is there any way to fix this problem without employing radical solutions, and how can I do that? Please be as detailed as possible.
2) Why doesn't the 2nd alternative way of unhiding files using Start -> Run work in my case?
3) On my C and D drives I have found the Recycler folder. It contains the folder S-1-5-21-583907252-2147030267-725345543-1008, and this folder itself contains several folders. Is it something like the recycler on my desktop, or is it the virus that was mentioned earlier as recycler/info.exe? Do I need it? I have deleted it; will this cause any problems?
4) What is the System Volume Information folder on the disk drives? I am an administrator but cannot access it.

I hope for the quick reply!!!

Multo Gracio

Ramartx

This post has been edited by ramartx: 19.05.2007 11:28
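
The AutoRun file quoted in the post above can be checked mechanically. The following is an added example, not part of the original post: a small Python auditor that parses AutoRun-style text (Windows reads it from a file named autorun.inf in a drive root) and flags launch keys pointing at executables, double extensions such as sal.xls.exe, and sections other than [AutoRun]. The function names and the extension list are assumptions; the sample is the content quoted in the post.

```python
import ntpath
import re

# Sample input: the file content quoted in the post, embedded for offline use.
SAMPLE = r"""[AutoRun]
open=sal.xls.exe
shellexecute=sal.xls.exe
shell\Auto\command=sal.xls.exe
shell=Auto
[VVflagRun]
aabb=kdkfjdkfk11
"""

# Keys in [AutoRun] that make Explorer start a program (helper names are hypothetical).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}  # assumed list

def parse_inf(text):
    """Yield (section, key, value); section headers yield key=None.
    Lines that are neither headers nor key=value (padding, junk) are skipped."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            yield section, None, None
        elif section is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            yield section, key.strip(), value.strip()

def audit_autorun(text):
    """Return human-readable findings for one AutoRun file."""
    findings = []
    for section, key, value in parse_inf(text):
        if key is None:
            if section.lower() != "autorun":
                findings.append(f"unknown section [{section}]")
            continue
        if section.lower() != "autorun" or not LAUNCH_KEY.match(key) or not value:
            continue
        # First token is the program; a quoted path may contain spaces.
        target = value.split('"')[1] if value.startswith('"') else value.split()[0]
        stem, ext = ntpath.splitext(ntpath.basename(target))
        if ext.lower() in EXECUTABLE:
            reason = "launches executable"
            if ntpath.splitext(stem)[1]:
                reason += " with double extension"
            findings.append(f"{key} -> {target}: {reason}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_autorun(SAMPLE)))
```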
Lucian Bara
post 19.05.2007 15:45
Post #2


Are You Kidding?
*****************

Group: Gold beta testers
Posts: 56947
Joined: 28.01.2006
From: Timisoara, Romania




hello
1. there probably is by editing some registry entries
2. probably because the worm restores the settings
3. no those are correct, that's the recycle bin for your user, not added by the worm
4. that's the system restore, and only the SYSTEM can access it without modifications to the folder permissions.
p2u
post 19.05.2007 17:30
Post #3


Guest
**************

Group: Gold beta testers
Posts: 7775
Joined: 7.12.2005
From: Ring 0




QUOTE(ramartx @ 19.05.2007 12:27)
Problem
I want to view hidden and system files on Windows XP SP2, and for this purpose I go to Tools/Folder Options/View, remove the tick from Hide Protected operating system files and check the Show hidden files and folders option. But Windows doesn't show them to me anyway. I have checked the view settings once again and noticed that the system automatically checks the Hide hidden files and folders option.
Questions
1) Is there any way to fix this problem without employing radical solutions, and how can I do that? Please be as detailed as possible.
2) Why doesn't the 2nd alternative way of unhiding files using Start -> Run work in my case?
*

Hi, ramartx!

Go to the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

DELETE the value CheckedValue in the right window. (Its type should be REG_SZ and data should be 2.)

Now create a new DWORD value called CheckedValue (same as above, except that the type is REG_DWORD). Modify the value data to 1 (0x00000001).

This should let you change the "Hidden Files and Folders" option.
Please report your results.

Paul


--------------------
Adblock Plus content blocking filter: * (= show text only anywhere)
Exception rule for all: @@*$stylesheet (= show style sheet only anywhere)
Default exception rule for white-listed sites: domain name/$background,image (= images only from that domain only; no scripts, objects, or other elements)
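
The registry fix in the post above can be verified from a registry export taken before and after the change. The following is an added example, not part of the original post: it reads a regedit-format export (assumed already decoded to text, since regedit writes UTF-16), checks that CheckedValue under SHOWALL is a REG_DWORD with data 1, and builds a .reg file that repeats the delete-and-recreate steps. The function names and the sample export are constructed.

```python
import re

KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
       r"\Explorer\Advanced\Folder\Hidden\SHOWALL")

# Constructed sample: export of the key in the state the post describes
# (CheckedValue stored as a string "2" instead of a DWORD).
TAMPERED = ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[" + KEY + "]\r\n"
            '"CheckedValue"="2"\r\n'
            '"DefaultValue"=dword:00000002\r\n')

# Matches string values ("name"="text") and DWORD values ("name"=dword:xxxxxxxx).
VALUE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:"(?P<sz>.*)"|dword:(?P<dw>[0-9a-fA-F]{8}))$')

def read_values(text, key):
    """Return {name: (type, data)} for one key of a .reg export."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current is not None and current.lower() == key.lower():
            m = VALUE.match(line)
            if m and m["dw"] is not None:
                values[m["name"]] = ("REG_DWORD", int(m["dw"], 16))
            elif m:
                values[m["name"]] = ("REG_SZ", m["sz"])
    return values

def audit_showall(text):
    """Return (verdict, found) where verdict is ok, tampered or missing."""
    found = read_values(text, KEY).get("CheckedValue")
    if found is None:
        return "missing", None
    if found == ("REG_DWORD", 1):
        return "ok", found
    return "tampered", found

def repair_reg():
    """Build a .reg file that deletes CheckedValue and recreates it as DWORD 1."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{KEY}]\r\n"
            '"CheckedValue"=-\r\n'
            '"CheckedValue"=dword:00000001\r\n')

if __name__ == "__main__":
    print(audit_showall(TAMPERED), audit_showall(repair_reg()))
```

A value that keeps reverting after the repair, as reported later in this thread, shows up as a DWORD 0 in a fresh export and is reported as tampered.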
ramartx
post 22.05.2007 10:23
Post #4


Member
**

Group: Members
Posts: 11
Joined: 19.05.2007




Hi Guys

Thanks for your suggestions, now I have solved my problem with showing hidden and system files. Special thanks to p2u, your solution with registry editing was a super way out of my headache.

I just want to ask some more things about the virus.

Does anyone know what kind of damage Worm.Win32.VB.el causes?
I have looked at viruslist.com but there is little description of this malware there.
So does anyone have any information about this virus?
In my first post I said that I have cleaned the registry files that sal.xls.exe creates and deleted the autorun.ifi files from the disk drives. Should I do something similar to these actions to exclude the consequences of the other viruses listed?

Multo Gracio

Ramziddin

This post has been edited by ramartx: 22.05.2007 10:29
jianpey
post 22.05.2007 11:43
Post #5


Newbie
*

Group: Members
Posts: 4
Joined: 22.05.2007




Hi, p2u!!! Actually I am also having the same problem as ramartx, which is that I cannot open the hidden files.

I already followed all the steps that you typed above. I modified the value data to 1, then after that I tried to see whether I could open the hidden files or not. Unfortunately, they can't be opened. So I went back to the registry key and found that the value data had been changed to 0. I tried to modify the value data several times but it still changes back to 0 after that. Please tell me what to do, I need to use my hidden files.....
p2u
post 22.05.2007 11:52
Post #6


Guest
**************

Group: Gold beta testers
Posts: 7775
Joined: 7.12.2005
From: Ring 0




QUOTE(jianpey @ 22.05.2007 12:43)
Hi, p2u!!! Actually I am also having the same problem as ramartx, which is that I cannot open the hidden files.

I already followed all the steps that you typed above. I modified the value data to 1, then after that I tried to see whether I could open the hidden files or not. Unfortunately, they can't be opened. So I went back to the registry key and found that the value data had been changed to 0. I tried to modify the value data several times but it still changes back to 0 after that. Please tell me what to do, I need to use my hidden files.....
*

Hi, jianpey!

Could you make a screenshot of what you have here?
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

Paul

This post has been edited by p2u: 22.05.2007 11:52


p2u
post 22.05.2007 12:09
Post #7


Guest
**************

Group: Gold beta testers
Posts: 7775
Joined: 7.12.2005
From: Ring 0




QUOTE(ramartx @ 22.05.2007 11:23)
In my first post I said that I have cleaned the registry files that sal.xls.exe creates and deleted the autorun.ifi files from the disk drives. Should I do something similar to these actions to exclude the consequences of the other viruses listed?
*

Yes. I advise you to download TweakUI (Powertools for Windows):
http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx
Download link on the right.
Install. You can find it afterwards under Powertools for Windows.

Now open it and look for:
* My Computer (Expand it)
* Expand 'Autoplay'
- Drives (UNCHECK ALL)
- Types (UNCHECK ALL)

Apply - OK.

Now you will be protected against this kind of nasty tricks.

Paul

This post has been edited by p2u: 22.05.2007 12:10


jianpey
post 22.05.2007 12:38
Post #8


Newbie
*

Group: Members
Posts: 4
Joined: 22.05.2007




p2u, here's my screen shot








Jian Pey
p2u
post 22.05.2007 13:13
Post #9


Guest
**************

Group: Gold beta testers
Posts: 7775
Joined: 7.12.2005
From: Ring 0




QUOTE(jianpey @ 22.05.2007 13:38)
p2u, here's my screen shot

Jian Pey
*

Are you sure you have admin rights? If yes, right-click on the SHOWALL parameter on the left and check the permissions for the admin group. You should have Full Access.
Then double click the CheckedValue parameter on the right, change to 1 and hit Enter. Reboot your computer and try again...

Paul


Lucian Bara
post 22.05.2007 13:19
Post #10


Are You Kidding?
*****************

Group: Gold beta testers
Posts: 56947
Joined: 28.01.2006
From: Timisoara, Romania




hello
Which Kaspersky version is installed (looking at your screenshot I can't see anything)? Did it detect something?
p2u
post 22.05.2007 13:23
Post #11


Guest
**************

Group: Gold beta testers
Posts: 7775
Joined: 7.12.2005
From: Ring 0




QUOTE(Lucian Bara @ 22.05.2007 14:19)
hello
Which Kaspersky version is installed (looking at your screenshot I can't see anything)? Did it detect something?
*

Lucian, when I right-click on it and pick "ViewImage" I see his screenshot...
It's the following link:
http://i95.photobucket.com/albums/l136/summerkid123/1.jpg

Paul

This post has been edited by p2u: 22.05.2007 13:25


Lucian Bara
post 22.05.2007 13:24
Post #12


Are You Kidding?
*****************

Group: Gold beta testers
Posts: 56947
Joined: 28.01.2006
From: Timisoara, Romania




Hi Paul
I mean for AV software I can only see the Security Center warning.

This post has been edited by Lucian Bara: 22.05.2007 13:25
jianpey
post 23.05.2007 09:48
Post #13


Newbie
*

Group: Members
Posts: 4
Joined: 22.05.2007




Sorry for disturbing you again, p2u....

I already checked; I'm the admin and I have full access. But I still can't solve my problem. So I formatted my hard disk after that. It seems OK, but after I tick Do not show hidden folders and files, the value data has been changed back to 0. I tried to change it back to 1 but it was useless. I really have no idea!! And now I have another problem: my date setting is off. I checked my date setting in BIOS setup and safe mode and the date was correct, but in normal startup the date was incorrect. Only the year is incorrect, while the time, day and month are correct. I really don't know how to solve all these problems.

At first my PC was just fine, but after my PC was infected with some kind of virus that kept making my PC restart automatically, all the above problems occurred. I formatted my hard disk 4 times, but still cannot solve it. I wonder if I should change my hard disk. Please give me some ideas... thanks!!
p2u
post 23.05.2007 10:05
Post #14


Guest
**************

Group: Gold beta testers
Posts: 7775
Joined: 7.12.2005
From: Ring 0




QUOTE(jianpey @ 23.05.2007 10:48)
I wonder if I should change my hard disk. Please give me some ideas... thanks!!
*

I suggest you take your computer to the shop and have the pros have a look at it. Might be something with your BIOS settings...

Paul


jianpey
post 23.05.2007 10:28
Post #15


Newbie
*

Group: Members
Posts: 4
Joined: 22.05.2007




OK, btw thanks for your help, p2u.


Jian Pey
Chappy
post 23.05.2007 11:24
Post #16


Newbie
*

Group: Members
Posts: 5
Joined: 23.05.2007




QUOTE(jianpey @ 23.05.2007 01:28)
OK, btw thanks for your help, p2u.
Jian Pey
*


Hi jianpey

A suggestion for future reference.

Whenever you have a question to ask, always start your own topic for it and don't ask it within someone else's post.
This is known as "Post Hijacking", and while the folks here allowed it to happen in this thread, it's very confusing for helpers when there's more than one person asking questions in a single post and the answers can get confused or misunderstood.
It's also a great disservice to the OP (Original Poster) because his question may not get answered as now the helpers are trying to help you.

All online forums request that members start their own thread (post) for every separate question asked and never ask a question inside of someone else's thread. So for future reference here and in any other forums you may visit, please remember this simple rule and you'll get along fine.

Thx

This post has been edited by Chappy: 23.05.2007 11:25


--------------------
Dave


In Memory of our Fallen Brothers & Sisters, May we NEVER Forget
Jayzias
post 27.08.2007 08:40
Post #17


Newbie
*

Group: Members
Posts: 1
Joined: 27.08.2007




p2u,

Thank you SO MUCH! I have searched the web high and low for a solution, and this one finally worked.

Muchos Gracias.

Jayzias.
p2u
post 27.08.2007 09:00
Post #18


Guest
**************

Group: Gold beta testers
Posts: 7775
Joined: 7.12.2005
From: Ring 0




QUOTE(Jayzias @ 27.08.2007 09:40)
Muchos Gracias.

De nada. You are welcome. :)

Paul

