Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

multiple spy sheriff problems [RESOLVED]

Started by niccolai , Aug 05 2005 01:30 PM

This topic is locked

#16
niccolai

Posted 09 August 2005 - 08:17 AM

Member

Topic Starter
Member
92 posts

found and deleted
C:\WINDOWS\blank.mht
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\SYSTEM32\win.dat

But desktop.html couldn't be found in a search.

Anywho, I deleted those three files, ran the two .regs and restarted the computer and still no display tabs.

Perhaps I deleted them wrong? I searched for them and sent them t the recycle bin and emptied it. Should I have done it some way else?

and no, this is the only user account on this computer.

Edited by niccolai, 09 August 2005 - 08:18 AM.

#17
greyknight17

Posted 09 August 2005 - 09:30 AM

Malware Expert

Visiting Consultant
16,560 posts

I just sent you a PM. I want you to try this:

Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD.

#18
niccolai

Posted 09 August 2005 - 09:34 AM

Member

Topic Starter
Member
92 posts

I don't have a windows CD, so hopefully I won't need to use it.

running the search now...

Edited by niccolai, 09 August 2005 - 09:36 AM.

#19
greyknight17

Posted 09 August 2005 - 09:57 AM

Malware Expert

Visiting Consultant
16,560 posts

That's not good. What happens if you need to repair or reinstall Windows?

If you or the manufacturer installed Windows without the .CAB files in your Windows folder, then you WILL need the CD if it finds anything missing.

I was actually hoping that it will find something to see if it can repair the search and missing tabs problem.

#20
niccolai

Posted 09 August 2005 - 10:01 AM

Member

Topic Starter
Member
92 posts

I have A windows xp CD, but it came with a different computer by a different manufacturer, I'm hoping one of two things:

1. the disk for the other computer will work
2. It will produce a log of missing or damaged files that I can download manually.

#21
greyknight17

Posted 09 August 2005 - 10:13 AM

Malware Expert

Visiting Consultant
16,560 posts

The disk might/should? work for this computer. You may try it out if it does ask for the CD and see if it works.

It probably won't produce a log. At most, it will tell you what file is missing. You have to be careful when downloading them online though. Some are either fake/infected files or they are different versions which may cause other problems.

#22
niccolai

Posted 09 August 2005 - 11:03 AM

Member

Topic Starter
Member
92 posts

It didn't tell me wich file was missing unfortunately. And the disk from the other computer didn't work.

The reason I don't have the disk for this is I'm not the original owner

#23
greyknight17

Posted 09 August 2005 - 12:16 PM

Malware Expert

Visiting Consultant
16,560 posts

But is this your computer now or the other person's? If your's, the previous owner should have given you the CD or you should have asked for it :tazz:

OK, do this:

Go to Start > Run - copy and paste this in the box:

regedit /e c:\deskpol.txt HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

Click OK.

Navigate to c:\deskpol.txt and post that file here.

#24
niccolai

Posted 09 August 2005 - 03:20 PM

Member

Topic Starter
Member
92 posts

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000
"NoChangingWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"NoActiveDesktopChanges"=hex:00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000

Edited by niccolai, 09 August 2005 - 03:26 PM.

#25
greyknight17

Posted 09 August 2005 - 07:29 PM

Malware Expert

Visiting Consultant
16,560 posts

OK, that looks ok. Try this:

Open Windows Explorer.
Go up to Tool > Folder Options
Click the View tab.
Select "Show hidden files and folders"
UNcheck "hide file extensions for known file types"
Click Apply. Click OK.

Using Windows Explorer, look to see if you can find this file:

C:\WINDOWS\WindowsShell.Manifest

Let me know! Do NOT delete it if it's there.

#26
niccolai

Posted 10 August 2005 - 09:22 AM

Member

Topic Starter
Member
92 posts

Nope, don't see it.

Also, I think that svchost came back. Whenever I view taks manager every 2 seconds or so it comes on and as a system process and disapears and takes 48% of my memory.

I ran HJT and an item that was not there before apeared at the bottom. a scvhost but different than the last one.

O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe

Edited by niccolai, 10 August 2005 - 11:29 AM.

#27
niccolai

Posted 10 August 2005 - 12:25 PM

Member

Topic Starter
Member
92 posts

This seems to be getting worse, I can no longer use ctrl alt delete.

Edit: I ran highjack, ewido, avg, and active scan and the viruses seem to be coming back.

Ewido healed like 13, and AVG found and deleted these three.

womr/agbot TF in C:\WINDOWS\svchost.eve

and 2 GM trojans in C:\System Volume Information|_restore...

Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 3:38:53 PM, on 8/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,18/mcgdmgr.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe

_____________________________

smitRem log file
version 2.3

by noahdfear

The current date is: Tue 08/09/2005
The current time is: 15:39:34.26

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Wininet.dll ~~~

CLEAN! :tazz:

____________________________

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Tuesday, August 09, 2005 3:42:53 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R347 26.10.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R347 26.10.2004
Internal build : 281
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1379284 Bytes
Signature data size : 1356739 Bytes
Reference data size : 22481 Bytes
Signatures total : 29961
Target categories : 10
Target families : 587
8-9-2005 3:42:46 PM Error retrieving update

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:19 %
Total physical memory:129008 kb
Available physical memory:23264 kb
Total page file size:314428 kb
Available on page file:253048 kb
Total virtual memory:2097024 kb
Available virtual memory:2056696 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

8-9-2005 3:42:53 PM - Scan started. (Custom mode)

Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : owner@adrevolver[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/9/2005 3:53:28 AM
Last accessed : 8/9/2005 11:43:02 PM
Last modified : 8/9/2005 3:53:33 AM

Tracking Cookie Object recognized!
Type : File
Data : owner@adrevolver[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/9/2005 3:53:28 AM
Last accessed : 8/9/2005 11:43:02 PM
Last modified : 8/9/2005 3:53:33 AM

Tracking Cookie Object recognized!
Type : File
Data : owner@cgi-bin[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/9/2005 6:47:33 PM
Last accessed : 8/9/2005 11:43:03 PM
Last modified : 8/9/2005 6:47:33 PM

Tracking Cookie Object recognized!
Type : File
Data : owner@clickbank[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/8/2005 6:48:20 PM
Last accessed : 8/9/2005 11:43:03 PM
Last modified : 8/8/2005 6:48:20 PM

Tracking Cookie Object recognized!
Type : File
Data : owner@maxserving[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/9/2005 6:16:06 AM
Last accessed : 8/9/2005 11:43:04 PM
Last modified : 8/9/2005 6:16:06 AM

Tracking Cookie Object recognized!
Type : File
Data : owner@metriweb[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/5/2005 4:33:28 AM
Last accessed : 8/9/2005 11:43:04 PM
Last modified : 8/5/2005 4:33:28 AM

Tracking Cookie Object recognized!
Type : File
Data : owner@realmedia[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/9/2005 8:34:34 PM
Last accessed : 8/9/2005 11:43:04 PM
Last modified : 8/9/2005 8:51:09 PM

Tracking Cookie Object recognized!
Type : File
Data : owner@tripod[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/9/2005 8:51:14 PM
Last accessed : 8/9/2005 11:43:05 PM
Last modified : 8/9/2005 8:51:14 PM

Tracking Cookie Object recognized!
Type : File
Data : owner@zedo[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Owner\Cookies\

Created on : 8/9/2005 9:15:12 PM
Last accessed : 8/9/2005 11:43:05 PM
Last modified : 8/9/2005 9:15:14 PM

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 9

3:59:46 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:16:52:516
Objects scanned :93111
Objects identified :9
Objects ignored :0
New objects :9

__________________

Active scan:

Incident Status Location

Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\SYSTEM32\i
Adware:adware/azesearch No disinfected C:\WINDOWS\SYSTEM32\ztoolbar.bmp

Edited by niccolai, 10 August 2005 - 04:16 PM.

#28
greyknight17

Posted 10 August 2005 - 07:42 PM

Malware Expert

Visiting Consultant
16,560 posts

Could you send me an email (see my profile)? Just ask me for this file in the email:

C:\WINDOWS\WindowsShell.Manifest

I will send that to you and we'll see if that can fix up some of the problems here with the display properties. So send me an email so I can email you that file.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM32\ztoolbar.bmp
C:\WINDOWS\svchost.exe - ONLY delete it in this folder and no where else

Restart and run a new HijackThis scan. Save the log file and post it here.

#29
niccolai

Posted 11 August 2005 - 09:40 AM

Member

Topic Starter
Member
92 posts

I downloaded C:\WINDOWS\WindowsShell.Manifest and still no change in the display tabs.
Still missing

ctrl alt delete is now pretty much useless, when I hit it the task manager cymbol apears in the task bar and stays there and the taskbar window doesn't actually come up and if I try it again, a bunch more taskmanager icons apear in the task bar with no windows and I can't turn the pc off because it asks me over and over again if I want to end taskmanager, so I haveto hit the power button on my pc.

This is a nightmare, I've always taken good care of my pc and have been quick to repair viruses and always keep spyware away, but I clicked that one little link google supplied me and I get 5 million viruses and spyware progs and it screws up my controll alt delete and display tabs.

Why the [bleep] would a website do that? and better yet, why would google return it in a search as a 'recomended result'. I want to kill thier famillies. :tazz:

Edited by niccolai, 11 August 2005 - 09:41 AM.

#30
greyknight17

Posted 11 August 2005 - 09:53 AM

Malware Expert

Visiting Consultant
16,560 posts

I would suggest doing a Windows repair, but without the CD you can't do this at all :tazz:

Something obviously went wrong here and the Windows CD is probably your best chance to fix this up.

Where is the new HijackThis log?

OK, I will ask you to run through a variety of scans again. Please do them anyway (I know you did some of these already):

Run BOTH of these online scans:
Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

Then check for any updates for Ad-aware, Spybot and Ewido. Next boot into Safe Mode and run the CleanUp program you downloaded earlier.

Then run those three programs (Ad-aware, Spybot and Ewido). Fix what they find. Save the Ewido log.

Restart and do this scan:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

Once that's done, give me that mwav scan result and the Ewido log.

I'm pretty sure you need the Windows CD. Like I said earlier, you should always have the Windows CD handy, just in case you encounter problems like this....