Can't make Windows Explorer show hidden files/folders

called as w32.USBWorm

No offense :) but you are assuming that not only is this the worm\virus that is on his system, but that it is the only one.... and that the "System Volume Information" is not hiding anything either and is clean. AFAIK @Nikhil has already tried solutions that should have worked for the worm you are mentioning. IMO it is best to be sure that these little pests are completely gone. I have had problems with these types of worms before, and they are very stubborn and usually come in multiples... not singles ;)
 
if u Still have the Folder Problems y dont u give WinXP manager a try?????



and make sure u always export registry when u install a new software/once in a fortnight whichever is earlier :p its easier to do a restore in case it got baddie

@artful thts cause its the same one i guess :p
Link
 
hmm its surprising that its not going off.

were you able to find folder i mentioned c:\heap41b or heap41a
if not then worm may also reside in a folder called microsoftpowerpoint which may be in your local settings folder.

now from your hijackthis log it seems apparently fine except,
you are using two antiviruses simultaneously, AVG and NOD32: it's not advisable to use two simultaneously so uninstall one.

you are still using Flashget: i have experienced its affinity towards worms and so many negative reviews about it; if you can use some other download manager, the better.

now put hijack this into some permanent folder (not on desktop) and then run it. Click on scan only and then select the following two entries and click fix.

And one more piece of advice: if you don't need it desperately please uninstall the Yahoo toolbar. (i don't know why but somehow i don't find any toolbars with my browser, being comfortable).

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - Global Startup: Logitech SetPoint.lnk = ?

can you post a screenshot of all the processes running in task manager.
 
Ok, I can finally reply.

I am not able to find this ---
Then navigate to "HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\Cur rentVersion\policies\Explorer\Run " and delete the "winlogon" key.

there is no policies in that folder.

And I did everything else recommended.

@Medpal -- The heap41 folder is hidden. And I cant see hidden files and folders. So, dead end there.

I tried going inside the folder and saying "One level up". But it takes me to C:\ and there I cant see the Heap41 folder...

What else do you suggest now ??

I also did fix those 2 things you told me to via hijack logfile.

But it doesnt help. Because It just removes Setpoint from starting at bootup which is annoying. Setpoint is the mouse software for my mouse.

@prash --- Regarding this
Step 1:

First you need to see all the running processes on your system, for that you need to press Alt+Ctrl+Del. This will launch 'Task Manager' then click on Process tab to see all the running processes. Then you need to manually search for 'svchost.exe' (you will find many, but you need to carefully select the one which is having 'User Name' as your Windows login name). After finding the process, right click on the process and click 'End Process Tree', and then click on OK. This will kill the running virus on your system.

I had already done that ages ago.
 
nikhil you will not be able to look at the culprit folder straight away.

go to search and search for svchost.exe and in advanced options check the show hidden files and folders.
 
medpal said:
nikhil you will not be able to look at the culprit folder straight away.

go to search and search for svchost.exe and in advanced options check the show hidden files and folders.

No, Doc,

I did that. It showed me the files (2.mp3, icon.ico and so on). I deleted those files. Could not delete the folder itself as it was invisible if I went "up one level"
 
hey nikhil have u even identified the virus/worm yet????? cause it will be very easy to pin it down....
if at all its the w32usb one then u can check the link in my post

kidegiri karnewala said:
I wanted to check my mail so ran my beloved browser Firefox, it opened and within a couple of seconds a message box popped up which said “I DNT HATE MOZILLA BUT USE IE OR ELSE…” and the header read “USE INTERNET EXPLORER YOU DOPE.” I was like what? It also terminated Firefox.
[quote name=' Usi ka Solution']
Now to rectify this go to Start Menu > Run and type regedit. In the Registry Editor browse to this entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and in the “Checked all” key reset it back to 1 from 2. Now you can change the settings in the folders option. Now delete the folder C:\heap41a and clear all the key entries from this registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run which says heap41a.

Now the virus infection is removed 100%. Before you are done make sure you format the usb drive so it doesn’t infect other systems too.

All the best. Until a tool is out for this worm, you can follow this method to remove w32.USBWorm.
[/quote]
 
I am not able to find this ---

Then navigate to "HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows \Cur rentVersion\policies\Explorer\Run " and delete the "winlogon" key.

there is no policies in that folder.

There will be, see this pic

I too had that worm in my sys, and i had to remove "winlogon" key from there.
 
there are two different things.

One is a CURRENT folder.

another is a CUR RENT folder. With the space.

I found the policies in the CURRENT folder and deleted the Winlogon key. It didn't help.

According to what you guys have posted, I need to find it in the CUR RENT folder. I am not finding policies in that folder to delete winlogon.
 
lol nik theres only 1 CurrentVersion (in which u have to do the work) in "HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows " theres no Curr<space> entVersion in it ;) and the one we are mentioning is the same currentversion not curr entversion

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion it will split after Curr even if u dont put ne space in between :p
 
Systemic Anamoly said:
lol nik theres only 1 CurrentVersion (in which u have to do the work) in "HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows " theres no Curr<space> entVersion in it ;) and the one we are mentioning is the same currentversion not curr entversion

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion it will split after Curr even if u dont put ne space in between :p

I didnt get you.

I have two options. Current (without a space) and a CURR ENT with a space.
 
post a screenie then cause i have no key named Curr entVersion

wat i meant was if u type "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" the space automatically comes after the Cur, even if u havent given ne space in between it automatically splits. type the same thing and preview ur post, see it will get split
 
it was a typo by me nikhil, sorry. :) if you have deleted the winlogon key, then you have to change the checked values of "SHOWALL" as i have told above and then do a search for that folder again and delete it.

To delete it you can try this yar:
1. Search the file "svchost.exe" first including hidden folders options
2. After you get it , check its properties and copy the name of the folder it is located in.
3. Search for that folder and you will definitely get it dude, then delete it.

:)
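
Added example, not written by anyone in this thread: a read-only PowerShell check of the places the posts above keep coming back to (the SHOWALL value, the policies\Explorer\Run key, hidden folders in the drive root, stray copies of svchost.exe). It assumes PowerShell is installed and run as an administrator; CheckedValue is the actual value name behind what the quoted fix calls "Checked all", and the HKCU key is an extra location not mentioned in the thread.

```powershell
# Added example, not from the thread. Read-only: it reports and changes nothing.
# Run as an administrator so protected folders and keys can be read.

# 1. Folder Options "show hidden files" switch. The quoted fix calls the value
#    "Checked all"; CheckedValue is the value name under SHOWALL (expected 1).
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$props = Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue
if ($null -eq $props) {
    'SHOWALL key is missing or unreadable'
} elseif ($props.CheckedValue -ne 1) {
    "SHOWALL CheckedValue is '$($props.CheckedValue)' (expected 1)"
} else {
    'SHOWALL CheckedValue is 1 (OK)'
}

# 2. Autorun entries under policies\Explorer\Run. The thread names the HKLM key;
#    the HKCU counterpart is checked as well (an addition, not from the thread).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { "$key : not present"; continue }
    $reg = Get-Item -Path $key
    foreach ($name in $reg.GetValueNames()) {
        '{0} : {1} = {2}' -f $key, $name, $reg.GetValue($name)
    }
}

# 3. Hidden folders in the root of the system drive. -Force lists hidden and
#    system items regardless of the Explorer setting.
Get-ChildItem -Path "$env:SystemDrive\" -Force |
    Where-Object { $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) } |
    Select-Object FullName, Attributes, LastWriteTime

# 4. Copies of svchost.exe outside the Windows directory, hidden ones included.
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'svchost.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notlike "$env:SystemRoot\*" } |
    Select-Object FullName, Attributes, Length, LastWriteTime
```

System Volume Information and the Recycle Bin folder normally show up in step 3; anything printed by step 4 deserves a closer look before it is deleted.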
 