malware.trace infection replaces itself upon deletion

[Larusso]

Hy there.

The filenames in your Wallpapers folder looks a little bit strange. Are you able to open them ?

Do this appear only on Images ?

Could you please open your Control Panel --> Appearance and Themes --> Folderoptions ( hopefully this is the correct name ).

Open the View tab and look if "Always show icons, never thumbnails" is unchecked.

[orreso]

the file names are unusual because I got the wallpaper images from deviantart and it names each file in that style, name-artist-hascode.

 

I was able to fix the icons problem by unchecking the option you mentioned, but when I close the folder the problem reasserts itself

[Larusso]

Hy there and sorry for the delay. We are working on your issues which is a registry error.

Please download SystemLook to your Desktop.

• Double-click SystemLook_x64.exe to run it.
• Copy the content of the following codebox into the main textfield:

  :regfind{42aedc87-2188-41fd-b9a3-0c966feabec1}{fbeb8a05-beee-4442-804e-409d6c4515e9}

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found at on your Desktop entitled SystemLook.txt

[orreso]

SystemLook.txt:

 

SystemLook 30.07.11 by jpshortstuff
Log created at 14:02 on 30/06/2013 by Andrew Nassen
Administrator - Elevation successful

========== regfind ==========

Searching for "{42aedc87-2188-41fd-b9a3-0c966feabec1}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

Searching for "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\PropertySheetHandlers\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}]

-= EOF =-

[Larusso]

Could you please try to clear the Thumbnail Cache as written here.

http://www.sevenforums.com/tutorials/10797-thumbnail-cache-clear-reset.html

Please let me know if this helped

[orreso]

that did not solve the problem unfortunately

[Larusso]

Hy there.

Please try the following. ( thanks to picasso )

Please press the + R Key and type notepad into the Run box.

Copy/paste the entire contents of the codebox below, into notepad:

Windows Registry Editor Version 5.00[-HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags][-HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU][-HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags][-HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU][-HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU][-HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags]

• Now on the top of the window choose File --> Save as
• Into the Save as line type in regfix.reg
• Change the Save as type to All Files (*.*)
• Save it on your Desktop.

It should look like this:

Double-click on the regfix.reg file located on the desktop. A warning regarding changes applied to the registry will pop up, click on Yes as we know what we are doing here and OK.

Reboot your system.

[orreso]

ran regfix, no change in file behavior

[Larusso]

Hy there.

I was able to fix the icons problem by unchecking the option you mentioned, but when I close the folder the problem reasserts itself

Could you please uncheck the ""Always show icons, never thumbnails" again as instructed above, closing the controlpanel and look if this option has been rechecked.

Also, please try if thumbnails works in Safemode.

Reboot your System in Safe Mode.

• Restart the computer. The computer begins processing a set of instructions known as BIOS.
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
• Instead of Windows loading as normal, a menu should appear
• Use the arrow key to highlight Safe Mode and press Enter.

[orreso]

option in control panel remains unchecked consistently and problem persists through safe mode

[Larusso]

Hy there.

We are still working on this issue. My connection was completely down over the whole weekend and still horrible slow. Loading this page took over 10 minutes >.<

What we can do so far is to look for corrupt system files.

Please hit the Windows Key, type cmd into the search line. Right-click on the cmd.exe and choose "Run as Administrator". Into the CP-Window type

sfc /scannow

hit enter.

[orreso]

Windows Resource Protection did not find any integrity violations

[Larusso]

Okay, lets try this one.

a) OpenDisk Cleanup.

b) Check the Thumbnails box and click on OK.

c) Click on the Delete Files button.

d) Disk Cleanup will now clear the thumbnail cache and close.

( from here --> http://answers.microsoft.com/en-us/windows/forum/windows_7-desktop/missing-desktop-backgrounds-and-thumbnails/d2abd1cf-6424-4ea6-8585-1f5bbff1a33e )

[orreso]

still did not work unfortunately.

 

if I drag a file from an offending folder to the desktop, its thumbnail will appear, but when returned will lose it.

[Larusso]

A really odd issue. So I understand you correct, that your thumbs works on the desktop and not in folders ?

I am out of ideas now, so I am going to consult some other windows experts and hopefully, they have a solution.

( I bet it is too simple for me to find it )

Thanks for your patience

[Larusso]

That was quick.

Please run this tool --> http://support.microsoft.com/mats/windows_file_and_folder_diag/

Let me know if that helped

[orreso]

did not help

[Larusso]

Did the FixIT fix anything ?

Could you please download a picture from google ( or anywhere else ) and safe it to your desktop. Let me know if you can see the thumbnail

[orreso]

the FixIt did not seem to fix anything unfortunately.

 

downloading an image from google works fine on the desktop but not in a folder.

[Larusso]

In all Folders or only the one with your wallpapers ?

I got a registry fix from one of my colleagues ( thanks Jenae ). They reset to default, folder and Icon reg settings.

Please download both attached files, extract them and doubleclick on both of the .reg files.

Allow them to change the registry, reboot and let me know.

Fixes.zip

Icons.zip

[orreso]

the problem is in all folders set to view icons in "Large Icons".

 

additionally, and most unfortunately, the reg fixes did not seem to help

[Larusso]

:/

Please, try to create a new user account. http://www.bleepingcomputer.com/tutorials/create-new-user-account-in-windows-vista-7/

[orreso]

the problem is not exclusive to one single account

[Larusso]

start search and type, cmd, right click on the returned cmd.exe and select "run as administrator" at the prompt copy paste (post the notepad outcome here please)

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" > 0 & notepad 0 

[orreso]

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Start_SearchFiles    REG_DWORD    0x2
    ServerAdminUI    REG_DWORD    0x0
    Hidden    REG_DWORD    0x2
    ShowCompColor    REG_DWORD    0x1
    HideFileExt    REG_DWORD    0x0
    DontPrettyPath    REG_DWORD    0x0
    ShowInfoTip    REG_DWORD    0x1
    HideIcons    REG_DWORD    0x0
    MapNetDrvBtn    REG_DWORD    0x0
    WebView    REG_DWORD    0x1
    Filter    REG_DWORD    0x0
    SuperHidden    REG_DWORD    0x0
    SeparateProcess    REG_DWORD    0x0
    AutoCheckSelect    REG_DWORD    0x0
    IconsOnly    REG_DWORD    0x0
    ShowTypeOverlay    REG_DWORD    0x1
    ListviewAlphaSelect    REG_DWORD    0x1
    ListviewShadow    REG_DWORD    0x1
    TaskbarAnimations    REG_DWORD    0x1
    StartMenuInit    REG_DWORD    0x4
    TaskbarSizeMove    REG_DWORD    0x0
    DisablePreviewDesktop    REG_DWORD    0x0
    TaskbarSmallIcons    REG_DWORD    0x0
    TaskbarGlomLevel    REG_DWORD    0x0
    EnableBaloonTips    REG_DWORD    0x0
    ShowSuperHidden    REG_DWORD    0x0