
multiple spy sheriff problems [RESOLVED]


This topic is locked

#16 niccolai (Member, Topic Starter, 92 posts)
Found and deleted:
C:\WINDOWS\blank.mht
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\SYSTEM32\win.dat

But desktop.html couldn't be found in a search.

Anywho, I deleted those three files, ran the two .regs and restarted the computer, and still no display tabs.

Perhaps I deleted them wrong? I searched for them, sent them to the Recycle Bin and emptied it. Should I have done it some other way?

And no, this is the only user account on this computer.

Edited by niccolai, 09 August 2005 - 08:18 AM.


#17 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
I just sent you a PM. I want you to try this:

Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD.

#18 niccolai (Member, Topic Starter, 92 posts)
I don't have a Windows CD, so hopefully I won't need to use it.

Running the search now...

Edited by niccolai, 09 August 2005 - 09:36 AM.


#19 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
That's not good. What happens if you need to repair or reinstall Windows?

If you or the manufacturer installed Windows without the .CAB files in your Windows folder, then you WILL need the CD if it finds anything missing.

I was actually hoping that it would find something, to see if it can repair the search and missing tabs problem.

#20 niccolai (Member, Topic Starter, 92 posts)
I have a Windows XP CD, but it came with a different computer from a different manufacturer. I'm hoping one of two things:

1. The disk for the other computer will work.
2. It will produce a log of missing or damaged files that I can download manually.

#21 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
The disk might (should?) work for this computer. You may try it out if it does ask for the CD and see if it works.

It probably won't produce a log. At most, it will tell you what file is missing. You have to be careful when downloading them online, though. Some are either fake/infected files, or they are different versions which may cause other problems.

#22 niccolai (Member, Topic Starter, 92 posts)
It didn't tell me which file was missing, unfortunately. And the disk from the other computer didn't work.

The reason I don't have the disk for this is I'm not the original owner.

#23 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
But is this your computer now or the other person's? If yours, the previous owner should have given you the CD, or you should have asked for it.

OK, do this:

Go to Start > Run - copy and paste this in the box:

regedit /e c:\deskpol.txt HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

Click OK.

Navigate to c:\deskpol.txt and post that file here.

#24 niccolai (Member, Topic Starter, 92 posts)
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000
"NoChangingWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"NoActiveDesktopChanges"=hex:00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000

Edited by niccolai, 09 August 2005 - 03:26 PM.

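The export above is clean (every policy value is zero), but the check greyknight17 is doing by eye in the previous two posts is easy to automate. The Python script below is an added example, not code from this thread or from any tool mentioned in it. It parses a `regedit /e` export, flags the Policies values that hide Display Properties tabs or disable Task Manager/regedit, and decodes the NoDriveTypeAutoRun bitmask. The two embedded exports are constructed: a trimmed copy of the deskpol.txt posted above and a variant with two restrictions switched on. `load_reg_export()` is there for reading a real file, which regedit writes as UTF-16 LE with a BOM.

```python
r"""Check a `regedit /e` export of HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
for the restrictions that hide Display Properties tabs or disable Task Manager.

Added example, not from the thread. regedit writes .reg files as UTF-16 LE with a
BOM, which load_reg_export() handles; the inline samples are plain strings.
Multi-line hex values (continued with a trailing backslash) are not joined here,
since the export above contains none.
"""
import re
from pathlib import Path

# DWORD policy values that, when non-zero, lock the user out of display settings,
# Task Manager or regedit. On a stand-alone home PC none of these should be set.
RESTRICTIONS = {
    "NoDispCPL": "Display Properties hidden entirely",
    "NoDispBackgroundPage": "Desktop tab hidden",
    "NoDispScrSavPage": "Screen Saver tab hidden",
    "NoDispAppearancePage": "Appearance tab hidden",
    "NoDispSettingsPage": "Settings tab hidden",
    "NoThemesTab": "Themes tab hidden",
    "NoChangingWallPaper": "wallpaper change blocked",
    "NoActiveDesktopChanges": "Active Desktop changes blocked",
    "DisableTaskMgr": "Task Manager disabled",
    "DisableRegistryTools": "regedit disabled",
}

# NoDriveTypeAutoRun is a bitmask of DRIVE_* types with AutoRun disabled;
# 0x91 (unknown, remote, no-root-dir) is the Windows XP default.
AUTORUN_BITS = {0x01: "DRIVE_UNKNOWN", 0x04: "DRIVE_REMOVABLE", 0x08: "DRIVE_FIXED",
                0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM", 0x40: "DRIVE_RAMDISK",
                0x80: "DRIVE_NO_ROOT_DIR"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|hex:[0-9a-fA-F,]+|"[^"]*")$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int | str}} from regedit /e output."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                current[name] = int(data[6:], 16)
            elif data.startswith("hex:"):  # REG_BINARY, little-endian bytes
                current[name] = int.from_bytes(bytes.fromhex(data[4:].replace(",", "")), "little")
            else:
                current[name] = data[1:-1]
    return keys


def load_reg_export(path):
    """Read a .reg file as written by regedit (UTF-16 LE BOM) or re-saved as ANSI."""
    data = Path(path).read_bytes()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("cp1252")


def find_restrictions(keys):
    """(key, value_name, reason) for every restriction switched on (non-zero DWORD)."""
    return [(key, name, reason)
            for key, values in keys.items()
            for name, reason in RESTRICTIONS.items()
            if isinstance(values.get(name), int) and values[name] != 0]


def decode_autorun(mask):
    """Drive types on which AutoRun is disabled for a NoDriveTypeAutoRun value."""
    return sorted(label for bit, label in AUTORUN_BITS.items() if mask & bit)


# Constructed, abridged copy of the clean export posted above.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"NoThemesTab"=dword:00000000
"NoActiveDesktopChanges"=hex:00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"""

# Constructed variant: what the same key looks like after a rogue-AV installer
# hides the Settings tab and disables Task Manager.
TAMPERED_EXPORT = (CLEAN_EXPORT
                   .replace('"DisableTaskMgr"=dword:00000000', '"DisableTaskMgr"=dword:00000001')
                   .replace('"NoDispSettingsPage"=dword:00000000', '"NoDispSettingsPage"=dword:00000001'))

if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("tampered", TAMPERED_EXPORT)):
        print(label, "restrictions:", find_restrictions(parse_reg_export(export)) or "none")
    explorer = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    mask = parse_reg_export(CLEAN_EXPORT)[explorer]["NoDriveTypeAutoRun"]
    print(f"NoDriveTypeAutoRun=0x{mask:02x} disables AutoRun on:", decode_autorun(mask))
```

Run it against a real export with `find_restrictions(parse_reg_export(load_reg_export("c:\\deskpol.txt")))`. Values in the HKEY_LOCAL_MACHINE Policies tree override per-user ones, so export that hive too when the per-user check comes back clean but the tabs are still missing.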

#25 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
OK, that looks ok. Try this:

Open Windows Explorer.
Go up to Tools > Folder Options
Click the View tab.
Select "Show hidden files and folders"
UNcheck "hide file extensions for known file types"
Click Apply. Click OK.

Using Windows Explorer, look to see if you can find this file:

C:\WINDOWS\WindowsShell.Manifest

Let me know! Do NOT delete it if it's there.

#26 niccolai (Member, Topic Starter, 92 posts)
Nope, don't see it.

Also, I think that svchost came back. Whenever I view Task Manager, every 2 seconds or so it comes on as a system process and disappears, and takes 48% of my memory.

I ran HJT and an item that was not there before appeared at the bottom, an svchost but different from the last one.

O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe

Edited by niccolai, 10 August 2005 - 11:29 AM.


#27 niccolai (Member, Topic Starter, 92 posts)
This seems to be getting worse; I can no longer use Ctrl+Alt+Delete.

Edit: I ran HijackThis, Ewido, AVG and ActiveScan, and the viruses seem to be coming back.

Ewido healed like 13, and AVG found and deleted these three:

worm/agbot TF in C:\WINDOWS\svchost.exe

and 2 GM trojans in C:\System Volume Information|_restore...

Here are the logs:



Logfile of HijackThis v1.99.1
Scan saved at 3:38:53 PM, on 8/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,18/mcgdmgr.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe




_____________________________






smitRem log file
version 2.3

by noahdfear

The current date is: Tue 08/09/2005
The current time is: 15:39:34.26

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Wininet.dll ~~~

CLEAN!



____________________________






Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Tuesday, August 09, 2005 3:42:53 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R347 26.10.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R347 26.10.2004
Internal build : 281
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1379284 Bytes
Signature data size : 1356739 Bytes
Reference data size : 22481 Bytes
Signatures total : 29961
Target categories : 10
Target families : 587
8-9-2005 3:42:46 PM Error retrieving update


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:19 %
Total physical memory:129008 kb
Available physical memory:23264 kb
Total page file size:314428 kb
Available on page file:253048 kb
Total virtual memory:2097024 kb
Available virtual memory:2056696 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file


8-9-2005 3:42:53 PM - Scan started. (Custom mode)


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : owner@adrevolver[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/9/2005 3:53:28 AM
Last accessed : 8/9/2005 11:43:02 PM
Last modified : 8/9/2005 3:53:33 AM



Tracking Cookie Object recognized!
Type : File
Data : owner@adrevolver[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/9/2005 3:53:28 AM
Last accessed : 8/9/2005 11:43:02 PM
Last modified : 8/9/2005 3:53:33 AM



Tracking Cookie Object recognized!
Type : File
Data : owner@cgi-bin[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/9/2005 6:47:33 PM
Last accessed : 8/9/2005 11:43:03 PM
Last modified : 8/9/2005 6:47:33 PM



Tracking Cookie Object recognized!
Type : File
Data : owner@clickbank[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/8/2005 6:48:20 PM
Last accessed : 8/9/2005 11:43:03 PM
Last modified : 8/8/2005 6:48:20 PM



Tracking Cookie Object recognized!
Type : File
Data : owner@maxserving[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/9/2005 6:16:06 AM
Last accessed : 8/9/2005 11:43:04 PM
Last modified : 8/9/2005 6:16:06 AM



Tracking Cookie Object recognized!
Type : File
Data : owner@metriweb[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/5/2005 4:33:28 AM
Last accessed : 8/9/2005 11:43:04 PM
Last modified : 8/5/2005 4:33:28 AM



Tracking Cookie Object recognized!
Type : File
Data : owner@realmedia[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/9/2005 8:34:34 PM
Last accessed : 8/9/2005 11:43:04 PM
Last modified : 8/9/2005 8:51:09 PM



Tracking Cookie Object recognized!
Type : File
Data : owner@tripod[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/9/2005 8:51:14 PM
Last accessed : 8/9/2005 11:43:05 PM
Last modified : 8/9/2005 8:51:14 PM



Tracking Cookie Object recognized!
Type : File
Data : owner@zedo[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/9/2005 9:15:12 PM
Last accessed : 8/9/2005 11:43:05 PM
Last modified : 8/9/2005 9:15:14 PM



Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 9

3:59:46 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:16:52:516
Objects scanned :93111
Objects identified :9
Objects ignored :0
New objects :9





__________________



ActiveScan:

Incident                     Status           Location
Virus:W32/Sdbot.ftp          Disinfected      C:\WINDOWS\SYSTEM32\i
Adware:adware/azesearch      No disinfected   C:\WINDOWS\SYSTEM32\ztoolbar.bmp

Edited by niccolai, 10 August 2005 - 04:16 PM.


#28 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Could you send me an email (see my profile)? Just ask me for this file in the email:

C:\WINDOWS\WindowsShell.Manifest

I will send that to you and we'll see if that can fix up some of the problems here with the display properties. So send me an email so I can email you that file.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM32\ztoolbar.bmp
C:\WINDOWS\svchost.exe - ONLY delete it in this folder and nowhere else


Restart and run a new HijackThis scan. Save the log file and post it here.
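The service targeted in this post borrows a Windows system binary's name (svchost.exe) but runs from C:\WINDOWS rather than C:\WINDOWS\System32, and HijackThis lists it with no company name ("Unknown owner"). Both are mechanical checks, so here is a Python script that applies them to a HijackThis log. It is an added example, not from the thread and not part of HijackThis: it parses the HijackThis 1.99 log format (the "Running processes:" block of full paths and the "O23 - Service:" lines), flags core-binary names found outside their expected directory, and notes services reported as "Unknown owner". SAMPLE_LOG is a constructed excerpt of the log posted in #27, with the rogue C:\WINDOWS\svchost.exe added to the process list so that both checks fire; the expected directories assume %SystemRoot% is C:\WINDOWS.

```python
r"""Flag processes and services that use a Windows system binary's name but run
from the wrong directory, the masquerade behind 'C:\WINDOWS\svchost.exe' in the
HijackThis log above. A genuine svchost.exe lives in %SystemRoot%\System32 only.

Added example, not part of the thread and not HijackThis code. Input is the
HijackThis 1.99 log format: a 'Running processes:' block of full paths and
'O23 - Service: <display name> - <owner> - <path>' lines. SAMPLE_LOG is a
constructed excerpt of the posted log with the rogue svchost added as a process.
"""
import re
from pathlib import PureWindowsPath

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed; read %SystemRoot% on a live machine

# Directory each core binary legitimately lives in on Windows XP. The same name
# anywhere else (C:\WINDOWS, Temp, System Volume Information) is a red flag.
EXPECTED_DIRS = {name: SYSTEM_ROOT + r"\System32" for name in
                 ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe")}
EXPECTED_DIRS["explorer.exe"] = SYSTEM_ROOT

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+?\.exe)",
    re.IGNORECASE)


def parse_hjt_log(text):
    """Return (process_paths, services); each service is a dict with display/owner/path."""
    processes, services, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs and re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
            continue
        in_procs = False  # first non-path line ends the process block
        if m := O23_RE.match(line):
            services.append(m.groupdict())
    return processes, services


def check_path(path):
    """Reason string if `path` carries a core binary's name outside its expected directory."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    if expected and str(p.parent).lower() != expected.lower():
        return f"{p.name} runs from {p.parent} instead of {expected}"
    return None


def find_masquerades(text):
    """List (kind, identifier, reason) findings for a HijackThis log."""
    processes, services = parse_hjt_log(text)
    findings = []
    for path in processes:
        if reason := check_path(path):
            findings.append(("process", path, reason))
    for svc in services:
        if reason := check_path(svc["path"]):
            findings.append(("service", svc["display"], reason))
        if svc["owner"].lower() == "unknown owner":
            # HijackThis prints this when the binary has no CompanyName in its
            # version resource; genuine Microsoft service binaries always carry one.
            findings.append(("service", svc["display"],
                             "no company name in version info (Unknown owner)"))
    return findings


SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe
"""

if __name__ == "__main__":
    for kind, ident, reason in find_masquerades(SAMPLE_LOG):
        print(f"[{kind}] {ident}: {reason}")
```

The directory check is deliberately name-based rather than hash-based: the binary in C:\WINDOWS may be a copy of anything, and what gives it away is the location and the missing vendor string, not its contents. On a live machine the same two checks can be run against `tasklist /svc` and `sc qc <service>` output instead of a saved log.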

#29 niccolai (Member, Topic Starter, 92 posts)
I downloaded C:\WINDOWS\WindowsShell.Manifest and there is still no change in the display tabs. Still missing.

Ctrl+Alt+Delete is now pretty much useless. When I hit it, the Task Manager symbol appears in the taskbar and stays there, but the window doesn't actually come up, and if I try it again a bunch more Task Manager icons appear in the taskbar with no windows. I can't turn the PC off because it asks me over and over again if I want to end Task Manager, so I have to hit the power button on my PC.

This is a nightmare. I've always taken good care of my PC, have been quick to repair viruses and always keep spyware away, but I clicked that one little link Google supplied me and I get 5 million viruses and spyware programs, and it screws up my Ctrl+Alt+Delete and display tabs.

Why the [bleep] would a website do that? And better yet, why would Google return it in a search as a 'recommended result'? I want to kill their families.

Edited by niccolai, 11 August 2005 - 09:41 AM.


#30 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
I would suggest doing a Windows repair, but without the CD you can't do this at all.

Something obviously went wrong here and the Windows CD is probably your best chance to fix this up.

Where is the new HijackThis log?

OK, I will ask you to run through a variety of scans again. Please do them anyway (I know you did some of these already):

Run BOTH of these online scans:
Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

Then check for any updates for Ad-aware, Spybot and Ewido. Next boot into Safe Mode and run the CleanUp program you downloaded earlier.

Then run those three programs (Ad-aware, Spybot and Ewido). Fix what they find. Save the Ewido log.

Restart and do this scan:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information pane, left-click and highlight all the information in the lower pane, use CTRL+C on your keyboard to copy everything found there, and save it to a Notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything, but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.


Once that's done, give me that mwav scan result and the Ewido log.

I'm pretty sure you need the Windows CD. Like I said earlier, you should always have the Windows CD handy, just in case you encounter problems like this....