Folder Options Gone!!!

UmarUmar India
edited August 2006 in Spyware & Virus Removal
i had a virus or smethin in my comp sme time back...n da thing is tht it deleted da folder options frm da comp completely....ne idea on how can i get it back?

Comments

  • edited July 2006
    Thanks for the eloquent request.....can you explain anything else how it happened? Did it happen after doing something. Anything else wrong?
  • UmarUmar India
    edited July 2006
    da virus im sure had come frm my coll comps...a lot of them were infected..i had avg anti virus tht time n it didnt detect it...quick heal detectd da virus n it said tht it had removed it bt..folder options had gone..also registry editing gone..nw if i try doin regedit it comes "Registry Editing has been disabled by ur administrator"
    n i cant access my c: system vol info folders..da restore folder tht is,,nt tht i need to do nethin with it bt jus sayin..gives an error "access denied"..


    n nw theres a new prob in my comp too!!!...not related in any way to this prob..well wen im on da net, a new connection is made randomly to da net...u knw a new connection to connect to da internet...smetimes da name is CoolWeb or New Internet Connection...these r dial up connections made auto..dont knw how...certain processes strt auto..win54Etmp.exe n win66tmp.exe or smethin..also makes broadband connections...user118411 n keeps on makin them after sme time..da prob is tht da internet connection jus goes kaput wen such a new connection is made auto...

    so if neone has ne ideas or hv faced smethin like this then plz help..
  • edited July 2006
    Ok please post a hijackthis log. You can download it here: http://www.bleepingcomputer.com/files/Merijn/HijackThis.zip

    Save it to your C drive. If you don't have access then to your desktop. Extract to wherever you have it downloaded. Click on scan & save log file. Post that file here. Are you the administrator on your computer?

    Just for future reference: try to type in complete sentences and coherent words, because it makes reading your replies much, much easier.
  • edited July 2006
    Also, are you an administrator on your computer? And what version of Windows do you have?
  • UmarUmar India
    edited July 2006
    Ok thanks. I'm sorry about writing short forms. Anyways, I did what you told me and ran that software. It's given me a log file as below. And yeah, I am the administrator. I can access all the folders in the comp except the system volume info in C: and of course the folder options. It's completely missing.
  • UmarUmar India
    edited July 2006
    Ok the file is attached
  • UmarUmar India
    edited July 2006
    Windows XP Professional Version 2002 Service Pack 2
  • edited July 2006
    Well, I see malicious processes such as win146.tmp.exe. Go to your browser and delete all cookies, and delete temp internet files, and offline files. If you can access your program files, can you tell me what folders are "QuickH*"?
    In your HJT log delete these entries:

    O1 - Hosts: 127.4.7.4 mcafeesecurity.com
    O1 - Hosts: 127.4.7.4 www.mcafeesecurity.com
    O1 - Hosts: 127.4.7.4 mcafeeb2b.com
    O1 - Hosts: 127.4.7.4 www.mcafeeb2b.com
    O1 - Hosts: 127.4.7.4 grisoft.cz
    O1 - Hosts: 127.4.7.4 www.grisoft.cz
    O1 - Hosts: 127.4.7.4 sarc.com
    O1 - Hosts: 127.4.7.4 www.sarc.com
    O1 - Hosts: 127.4.7.4 norman.com
    O1 - Hosts: 127.4.7.4 www.norman.com
    O1 - Hosts: 127.4.7.4 trendmicro.co.jp
    O1 - Hosts: 127.4.7.4 www.trendmicro.co.jp
    O1 - Hosts: 127.4.7.4 trendmicro-europe.com
    O1 - Hosts: 127.4.7.4 www.trendmicro-europe.com
    O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com
    O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com
    O1 - Hosts: 127.4.7.4 secunia.com
    O1 - Hosts: 127.4.7.4 www.secunia.com
    O1 - Hosts: 127.4.7.4 winantivirus.com
    O1 - Hosts: 127.4.7.4 www.winantivirus.com
    O1 - Hosts: 127.4.7.4 esafe.com
    O1 - Hosts: 127.4.7.4 www.esafe.com
    O1 - Hosts: 127.4.7.4 bhs.com
    O1 - Hosts: 127.4.7.4 www.bhs.com
    O1 - Hosts: 127.4.7.4 datafellows.com
    O1 - Hosts: 127.4.7.4 www.datafellows.com
    O1 - Hosts: 127.4.7.4 cheyenne.com
    O1 - Hosts: 127.4.7.4 www.cheyenne.com
    O1 - Hosts: 127.4.7.4 ontrack.com
    O1 - Hosts: 127.4.7.4 www.ontrack.com
    O1 - Hosts: 127.4.7.4 sands.com
    O1 - Hosts: 127.4.7.4 www.sands.com
    O1 - Hosts: 127.4.7.4 icubed.com
    O1 - Hosts: 127.4.7.4 www.icubed.com
    O1 - Hosts: 127.4.7.4 perantivirus.com
    O1 - Hosts: 127.4.7.4 www.perantivirus.com
    O1 - Hosts: 127.4.7.4 virusalert.nl
    O1 - Hosts: 127.4.7.4 www.virusalert.nl
    O1 - Hosts: 127.4.7.4 pagina.nl
    O1 - Hosts: 127.4.7.4 www.pagina.nl
    O1 - Hosts: 127.4.7.4 antivirus.pagina.nl
    O1 - Hosts: 127.4.7.4 castlecops.com
    O1 - Hosts: 127.4.7.4 www.castlecops.com
    O1 - Hosts: 127.4.7.4 vaksin.com
    O1 - Hosts: 127.4.7.4 www.vaksin.com
    O1 - Hosts: 127.4.7.4 forum.vaksin.com
    O10 - Broken Internet access because of LSP provider 'catlsp.dll' missing
    O17 - HKLM\System\CCS\Services\Tcpip\..\{22B70F94-BCA7-49D5-8ADC-FE49B3FA6594}: NameServer = 218.248.255.145 61.1.96.71
    O17 - HKLM\System\CS1\Services\Tcpip\..\{22B70F94-BCA7-49D5-8ADC-FE49B3FA6594}: NameServer = 218.248.255.145 61.1.96.71

    And can you tell me what Anti-virus you are running?
  • edited August 2006
    Beat me to it.
  • edited August 2006
    Sorry, I didn't mean to take your position, I just got bored. You can still post your knowledge of the subject. It would be helpful for both of us.
  • edited August 2006
    Haha no it's alright the more people the better!
  • UmarUmar India
    edited August 2006
    Ok. Fixed those entries. QuickH* folders are of my antivirus programs. I'm running an antivirus software known as Quick Heal, it's locally made here in India (Pune). Pretty decent, does fix quite a lot of viruses and has a good firewall in it too.
  • edited August 2006
    Umar wrote:
    Ok. Fixed those entries. QuickH* folders are of my antivirus programs. I'm running an antivirus software known as Quick Heal, it's locally made here in India (Pune). Pretty decent, does fix quite a lot of viruses and has a good firewall in it too.

    So is the problem solved? Can you also post an HJT log from Safe Mode?
    The reason why I was asking about Quick Heal is because it is not recognized in my processes database. So just making sure that they were not malicious.
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited August 2006
    You also need to do the following;

    Run HiJackThis then:

    1. Click "Open the Misc Tools Section"
    2. Click "Open Process manager"

    -

    Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

    C:\Program Files\Common Files\{38AE833F-0766-1033-1203-040624040001}\Update.exe
    C:\WINDOWS\TEMP\win146.tmp.exe

    Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

    ===============

    Scan with HiJackThis, then check(tick) the following, if present:


    O4 - HKLM\..\Run: [b100c03.exe] C:\WINDOWS\system32\b100c03.exe
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKCU\..\Run: [b100c03.exe] C:\Documents and Settings\Amd Athlon\Local Settings\Application Data\b100c03.exe
    O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    O20 - Winlogon Notify: winjrs32 - C:\WINDOWS\SYSTEM32\winjrs32.dll


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    folders...

    C:\Program Files\Common Files\{38AE833F-0766-1033-1203-040624040001}
    C:\Program Files\ipwins
    C:\Program Files\TClock

    files...

    C:\WINDOWS\TEMP\win146.tmp.exe
    C:\WINDOWS\system32\b100c03.exe
    C:\Documents and Settings\Amd Athlon\Local Settings\Application Data\b100c03.exe
    C:\WINDOWS\SYSTEM32\winjrs32.dll

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

    Oh....and please no leet speak as it's hard enough to solve these problems without having to resort to an interpreter as well :).
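
Added example (not part of any post in this thread): a small Python triage pass over HijackThis-style log lines that flags the kinds of entries the helpers picked out by hand above: O1 hosts entries pinning names to a loopback address, O4 autoruns, the O7 `DisableRegedit` policy behind the "Registry Editing has been disabled" message, and O20 Winlogon Notify DLLs. The sample lines are constructed from entries quoted in the thread, and the path and duplicate-name heuristics are assumptions for illustration, not HijackThis behaviour.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: entries quoted in this thread plus one made-up benign autorun.
SAMPLE_LOG = r"""
O1 - Hosts: 127.4.7.4 www.secunia.com
O1 - Hosts: 127.4.7.4 castlecops.com
O4 - HKLM\..\Run: [b100c03.exe] C:\WINDOWS\system32\b100c03.exe
O4 - HKCU\..\Run: [b100c03.exe] C:\Documents and Settings\Amd Athlon\Local Settings\Application Data\b100c03.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: winjrs32 - C:\WINDOWS\SYSTEM32\winjrs32.dll
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")  # heuristic

def triage(log_text):
    """Return (section, reason, detail) tuples for entries worth manual review."""
    lines = map(str.strip, log_text.splitlines())
    entries = [m.groups() for m in map(ENTRY.match, lines) if m]
    run_names = Counter(r.group(2).lower() for s, b in entries
                        if s == "O4" and (r := RUN.match(b)))
    findings = []
    for section, body in entries:
        if section == "O1" and body.startswith("Hosts:"):
            fields = body[len("Hosts:"):].split()
            try:
                addr = ipaddress.ip_address(fields[0])
            except (IndexError, ValueError):
                continue
            if len(fields) > 1 and addr.is_loopback and fields[1].lower() != "localhost":
                findings.append((section, "name pinned to loopback", fields[1]))
        elif section == "O4" and (r := RUN.match(body)):
            _, name, path = r.groups()
            if any(p in path.lower() for p in USER_WRITABLE):
                findings.append((section, "autorun from user-writable path", path))
            elif run_names[name.lower()] > 1:
                findings.append((section, "same autorun name in several hives", path))
        elif section == "O7" and re.search(r"DisableRegedit\s*=\s*1", body):
            findings.append((section, "regedit disabled by policy", body))
        elif section == "O20":
            findings.append((section, "Winlogon Notify DLL, verify publisher", body))
    return findings
```

A flagged line is a prompt to look at the file and its origin, not a verdict; the benign `ExampleApp` autorun in the sample passes through unflagged.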
This discussion has been closed.