Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91627 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Recent bad juju - please help...


  • Please log in to reply
36 replies to this topic

#16 Mig

Mig

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 11 June 2008 - 05:41 PM

Thanks for noticing - its like those broken image things when windows or a browser can't render\draw an image. It's like being redirected to a file or site that is not there anymore - this is why I think there is something else or a re-written registry entry\key. (???) Its only blank blue when I hide the icons. Oh and by the way - under the customize desktop>web tab: nothing is checked and only one entry is on there: "My Current Home Page".

    Advertisements

Register to Remove


#17 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 11 June 2008 - 05:49 PM

I guess I've never tried to hide the icons. Do you know how to use Regedit to edit the registry?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#18 Mig

Mig

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 11 June 2008 - 05:55 PM

Try hiding your icons and see what happens - this is how I do it: right click on desktop>Arrange Icons>"uncheck" show desktop icons. Not an expert on the registry but yes and only when I'm sure of what I'm after.

#19 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 11 June 2008 - 05:59 PM

OK. After you do that can you right click on the desktop > properties> desktop and change the background / wallpaper to the one you like?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#20 Mig

Mig

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 11 June 2008 - 06:08 PM

I've tried that too but I can't. Even though it shows the right preview of what the wallpaper would look like, I still cant force it to change other than that blank blue. On the edges of that blank blue screen though, looks like I can grab it and resize it but Icant - I really think its a broken link image to somewhere\something.

#21 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 11 June 2008 - 06:10 PM

Let me see if I can find some help on this part. It might not be until tomorrow, but I'll see what I can do.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#22 Mig

Mig

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 11 June 2008 - 06:18 PM

It's nothing big - it's just an annoyance. You've done so much - above and beyond! :thumbup: But if you feel like tackling it I would really appreciate it getting taken cared of. It'll be a nice learning experience for both of us... or maybe just me. :blush:

#23 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 11 June 2008 - 06:19 PM

We'll see what the others suggest :thumbup:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#24 Mig

Mig

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 11 June 2008 - 06:30 PM

Thank you. By the way, what was it that infected my system? Was I right with the "csrssc.exe"? Or was that just part of it?

#25 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 11 June 2008 - 07:32 PM

Thank you. By the way, what was it that infected my system? Was I right with the "csrssc.exe"? Or was that just part of it?

That was one of the infected files.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

    Advertisements

Register to Remove


#26 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 11 June 2008 - 07:54 PM

Removed link

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#27 Mig

Mig

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 11 June 2008 - 11:03 PM

Unfortunately that did'nt do the trick. Been snooping around my system, doing my own investigation (damage control - more like it) and I remembered an old registry cleaner I used to use. I won't say just yet until you give me the thumbs up to do so because I don't want to seem like I'm promoting anything. Anyway, I remember this tool had an option of showing me new software installs and here are some of the new entries that I did not recognize with my comments in red beside the entry:

Age : New

HKEY_LOCAL_MACHINE\Software\ProtectionId>>>no clue
HKEY_LOCAL_MACHINE\Software\swearware>>>from ComboFix???
HKEY_CURRENT_USER\Software\SCC>>>no clue
HKEY_CURRENT_USER\Software\wget>>>no clue
HKEY_CURRENT_USER\Software\ArenaNet\Guild Wars>>>no clue, did not install anything like this
HKEY_LOCAL_MACHINE\Software\ArenaNet\Guild Wars>>>no clue, did not install anything like this
HKEY_LOCAL_MACHINE\Software\MusicNet>>>no clue


Now here's the interesting part this tool also had a startup list report and here's what I got:

These programs are run everytime you start your computer. Try to keep this list as short as possible
[syntax: Program, Filename, Loaded from ]

AutoStart IR, N/A, Start Menu (Common User)
CTZDetec.exe, C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe, HKEY_CU\Run
Desktop, N/A, Start Menu
Desktop, N/A, Start Menu (Common User)

Logitech SetPoint, N/A, Start Menu (Common User)
LogonStudio, "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM, HKEY_LM\Run


Here's my question: Is it possible another desktop was generated by the virus? (I have no clue??? :blush: stop laughing at me, please :blush: )

Here is my current startup list from HJT:

StartupList report, 6/11/2008, 7:45:27 PM
StartupList version: 1.52.2
Started from : C:\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP3 (6.00.2900.5512)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinTV\Ir.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\RegCleaner\RegCleanr.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Avast4\ashDisp.exe
C:\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LogonStudio = "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTZDetec.exe = C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=wbsys.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

Microsoft_Hardware_Launch_IPoint_exe.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[Microsoft Data Collection Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSDcode.dll
CODEBASE = https://support.micr...veX/MSDcode.cab

[Creative Software AutoUpdate]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CTSUEng.ocx
CODEBASE = http://www.creative....030/CTSUEng.cab

[{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}]
CODEBASE = http://static.windup...bridge-c356.cab

[Installation Support]
InProcServer32 = C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
CODEBASE = C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[AxProdInfoCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\nprdtinf.dll
CODEBASE = http://www.symantec....ta/nprdtinf.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[EPUImageControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EPUWALcontrol.dll
CODEBASE = http://tools.ebayimg...l_v1-0-3-17.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://by122fd.bay12...es/MsnPUpld.cab

[DeviceEnum Class]
InProcServer32 = C:\Program Files\Hp\Common\HPDeviceDetection.dll
CODEBASE = http://h20264.www2.h...nosticsxp2k.cab

[Symantec Download Manager]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\symdlmgr.dll
CODEBASE = https://webdl.symant...ex/symdlmgr.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.micros...b?1162651316640

[NVIDIA Smart Scan]
InProcServer32 = C:\WINDOWS\DOWNLO~1\NVIDIA~1.OCX
CODEBASE = http://www.nvidia.co...iaSmartScan.cab

[Yahoo! Webcam Upload Wrapper]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yuplapp.dll
CODEBASE = http://chat.yahoo.com/cab/yuplapp.cab

[XML DOM Document 4.0]
InProcServer32 = %SystemRoot%\system32\MSXML4.dll
CODEBASE = http://ipgweb.cce.hp...oads/msxml4.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupd...8214.9734837963

[{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}]
CODEBASE = http://download.mcaf...,20/mcgdmgr.cab

[{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078}]
CODEBASE = https://www-secure.s...sa/SymAData.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

[{D27CDB6E-AE6D-11CF-96B8-444553548000}]
CODEBASE = http://download.macr...ash/swflash.cab

[Open3DPlayer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Open3DPlayer.dll
CODEBASE = http://www.kaiyodo.c...pen3DPlayer.cab

[{E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD}]
CODEBASE = http://download.abac...abasetup152.cab

[Creative Software AutoUpdate Support Package]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CTPID.ocx
CODEBASE = http://www.creative....15033/CTPID.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\WINDOWS\system32\wshbth.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

0aMCPClient: C:\PROGRA~1\COMMON~1\Stardock\MCPCore.dll
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 9,042 bytes
Report generated in 0.046 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Not to add to what is a closed case with my system. Just some things I wanna share with you is all. If you want to pass me unto somebody else or direct me to another forum its your call. I know I have taken up so much of your time already but if you want to pursue this - have at it. Thank you.

#28 Mig

Mig

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 12 June 2008 - 12:01 AM

Hey LDTate,

I may have found something. This is in: C:\WINDOWS\system32\config\systemprofile\Desktop. Points to a site I'm not gonna post here unless you want me to. Created on the same day and around the same time I started having problems. Check out the attachment. Again thanks for your time.

Attached Thumbnails

  • ISS.png

Edited by Mig, 12 June 2008 - 12:04 AM.


#29 Metallica

Metallica

    Spyware Veteran

  • Classroom Teacher
  • 2,145 posts

Posted 12 June 2008 - 06:02 AM

Hi Mig,

LDTate asked me to have a look.
Can you try something for me?
This only works if you have XP Pro.

Start > Run > type or copy&paste gpedit.msc > OK

In the Policy editor choose and expand User Configuration > Administrative Templates > Desktop > Active Desktop
Then select and rightclick Disable Active desktop and choose Properties
Select Disabled > Apply and close the Policy Editor. You may have to reboot for the change to take effect.

Edited by Metallica, 12 June 2008 - 06:16 AM.


#30 Mig

Mig

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 12 June 2008 - 03:10 PM

Hey Metallica,

Thank you for looking at this. Sorry, I'm only running XP Home. I don't have the GPEdit feature :blush:
I had a brilliant idea of hiding the icons on my guest acct to see what would happen and amazingloy enough it did it the normal way! :woot:
I can hide the icons with the wallpaper still showing and I can also change the wallpapaer while the icons are still hidden - to boot!
That's my guest user acct though back to my log-in and the desktop is still a mystery. I do have a batch file titled: install-privacy-danger.bat from original folder: C:\Documents and Settings\f4ucorsair\Local Settings\Temp\desktop_background.zip. The temp folder is not there anymore and the batch file is locked up in the Avast virus chest. I would love to tear into that batch file but am afraid to do so :blush: Stop laughing at me - I've been licked by fire and have the scars to prove it: my poor desktop... :blush:

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users