Recent bad juju - please help...


36 replies to this topic

#16 Mig
    New Member
  • Authentic Member
  • 18 posts

Posted 11 June 2008 - 05:41 PM

Thanks for noticing - it's like those broken image things when Windows or a browser can't render\draw an image. It's like being redirected to a file or site that is not there anymore - this is why I think there is something else or a re-written registry entry\key. (???) It's only blank blue when I hide the icons. Oh and by the way - under the Customize Desktop > Web tab: nothing is checked and only one entry is on there: "My Current Home Page".



#17 LDTate
    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 11 June 2008 - 05:49 PM

I guess I've never tried to hide the icons. Do you know how to use Regedit to edit the registry?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#18 Mig
    New Member
  • Authentic Member
  • 18 posts

Posted 11 June 2008 - 05:55 PM

Try hiding your icons and see what happens - this is how I do it: right-click on desktop > Arrange Icons > uncheck "Show Desktop Icons". Not an expert on the registry but yes, and only when I'm sure of what I'm after.

#19 LDTate
    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 11 June 2008 - 05:59 PM

OK. After you do that, can you right-click on the desktop > Properties > Desktop and change the background / wallpaper to the one you like?



#20 Mig
    New Member
  • Authentic Member
  • 18 posts

Posted 11 June 2008 - 06:08 PM

I've tried that too but I can't. Even though it shows the right preview of what the wallpaper would look like, I still can't force it to change other than that blank blue. On the edges of that blank blue screen though, it looks like I can grab it and resize it, but I can't - I really think it's a broken link image to somewhere\something.

#21 LDTate
    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 11 June 2008 - 06:10 PM

Let me see if I can find some help on this part. It might not be until tomorrow, but I'll see what I can do.



#22 Mig
    New Member
  • Authentic Member
  • 18 posts

Posted 11 June 2008 - 06:18 PM

It's nothing big - it's just an annoyance. You've done so much - above and beyond! :thumbup: But if you feel like tackling it I would really appreciate it getting taken care of. It'll be a nice learning experience for both of us... or maybe just me. :blush:

#23 LDTate
    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 11 June 2008 - 06:19 PM

We'll see what the others suggest :thumbup:



#24 Mig
    New Member
  • Authentic Member
  • 18 posts

Posted 11 June 2008 - 06:30 PM

Thank you. By the way, what was it that infected my system? Was I right with the "csrssc.exe"? Or was that just part of it?

#25 LDTate
    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 11 June 2008 - 07:32 PM

Thank you. By the way, what was it that infected my system? Was I right with the "csrssc.exe"? Or was that just part of it?

That was one of the infected files.



#26 LDTate
    Grand Poobah
  • Root Admin
  • 57,211 posts

Posted 11 June 2008 - 07:54 PM

Removed link



#27 Mig
    New Member
  • Authentic Member
  • 18 posts

Posted 11 June 2008 - 11:03 PM

Unfortunately that didn't do the trick. Been snooping around my system, doing my own investigation (damage control - more like it) and I remembered an old registry cleaner I used to use. I won't say just yet until you give me the thumbs up to do so because I don't want to seem like I'm promoting anything. Anyway, I remember this tool had an option of showing me new software installs and here are some of the new entries that I did not recognize, with my comments in red beside the entry:

Age : New

HKEY_LOCAL_MACHINE\Software\ProtectionId>>>no clue
HKEY_LOCAL_MACHINE\Software\swearware>>>from ComboFix???
HKEY_CURRENT_USER\Software\SCC>>>no clue
HKEY_CURRENT_USER\Software\wget>>>no clue
HKEY_CURRENT_USER\Software\ArenaNet\Guild Wars>>>no clue, did not install anything like this
HKEY_LOCAL_MACHINE\Software\ArenaNet\Guild Wars>>>no clue, did not install anything like this
HKEY_LOCAL_MACHINE\Software\MusicNet>>>no clue


Now here's the interesting part: this tool also had a startup list report and here's what I got:

These programs are run everytime you start your computer. Try to keep this list as short as possible
[syntax: Program, Filename, Loaded from ]

AutoStart IR, N/A, Start Menu (Common User)
CTZDetec.exe, C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe, HKEY_CU\Run
Desktop, N/A, Start Menu
Desktop, N/A, Start Menu (Common User)

Logitech SetPoint, N/A, Start Menu (Common User)
LogonStudio, "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM, HKEY_LM\Run


Here's my question: Is it possible another desktop was generated by the virus? (I have no clue??? :blush: stop laughing at me, please :blush: )

Here is my current startup list from HJT:

StartupList report, 6/11/2008, 7:45:27 PM
StartupList version: 1.52.2
Started from : C:\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP3 (6.00.2900.5512)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinTV\Ir.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\RegCleaner\RegCleanr.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Avast4\ashDisp.exe
C:\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LogonStudio = "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTZDetec.exe = C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=wbsys.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

Microsoft_Hardware_Launch_IPoint_exe.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[Microsoft Data Collection Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSDcode.dll
CODEBASE = https://support.micr...veX/MSDcode.cab

[Creative Software AutoUpdate]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CTSUEng.ocx
CODEBASE = http://www.creative....030/CTSUEng.cab

[{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}]
CODEBASE = http://static.windup...bridge-c356.cab

[Installation Support]
InProcServer32 = C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
CODEBASE = C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[AxProdInfoCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\nprdtinf.dll
CODEBASE = http://www.symantec....ta/nprdtinf.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[EPUImageControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EPUWALcontrol.dll
CODEBASE = http://tools.ebayimg...l_v1-0-3-17.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://by122fd.bay12...es/MsnPUpld.cab

[DeviceEnum Class]
InProcServer32 = C:\Program Files\Hp\Common\HPDeviceDetection.dll
CODEBASE = http://h20264.www2.h...nosticsxp2k.cab

[Symantec Download Manager]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\symdlmgr.dll
CODEBASE = https://webdl.symant...ex/symdlmgr.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.micros...b?1162651316640

[NVIDIA Smart Scan]
InProcServer32 = C:\WINDOWS\DOWNLO~1\NVIDIA~1.OCX
CODEBASE = http://www.nvidia.co...iaSmartScan.cab

[Yahoo! Webcam Upload Wrapper]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yuplapp.dll
CODEBASE = http://chat.yahoo.com/cab/yuplapp.cab

[XML DOM Document 4.0]
InProcServer32 = %SystemRoot%\system32\MSXML4.dll
CODEBASE = http://ipgweb.cce.hp...oads/msxml4.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupd...8214.9734837963

[{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}]
CODEBASE = http://download.mcaf...,20/mcgdmgr.cab

[{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078}]
CODEBASE = https://www-secure.s...sa/SymAData.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

[{D27CDB6E-AE6D-11CF-96B8-444553548000}]
CODEBASE = http://download.macr...ash/swflash.cab

[Open3DPlayer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Open3DPlayer.dll
CODEBASE = http://www.kaiyodo.c...pen3DPlayer.cab

[{E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD}]
CODEBASE = http://download.abac...abasetup152.cab

[Creative Software AutoUpdate Support Package]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CTPID.ocx
CODEBASE = http://www.creative....15033/CTPID.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\WINDOWS\system32\wshbth.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

0aMCPClient: C:\PROGRA~1\COMMON~1\Stardock\MCPCore.dll
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 9,042 bytes
Report generated in 0.046 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Not to add to what is a closed case with my system. Just some things I wanna share with you is all. If you want to pass me on to somebody else or direct me to another forum, it's your call. I know I have taken up so much of your time already but if you want to pursue this - have at it. Thank you.
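As an added example for readers of this thread (not a tool from HijackThis, the forum, or either poster), here is a small Python script that reads a StartupList report like the one above and flags the entries a helper would ask about first: a non-empty AppInit_DLLs value, a UserInit or Shell value that is not the Windows default, and autostart entries or processes living in a temp or system-profile directory. The directory list and the reasons are my own heuristics; a flag means "verify this", not "this is malicious". The embedded report is a trimmed copy of the one posted above, constructed here as sample input.

```python
"""Triage helper for a HijackThis StartupList report.

Added example for this thread, not a tool from HijackThis or the forum.
It only reads report text; it never touches the registry.
"""
import re

# Constructed sample: a trimmed copy of the StartupList report posted in the thread.
SAMPLE_REPORT = r"""
StartupList report, 6/11/2008, 7:45:27 PM
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LogonStudio = "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM

--------------------------------------------------

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=wbsys.dll

--------------------------------------------------

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
"""

# Heuristic (my own list, not from the thread): autostart binaries living here deserve a question.
SUSPICIOUS_DIRS = (
    "\\local settings\\temp\\",
    "\\recycler\\",
    "\\system32\\config\\systemprofile\\",
)

# Executable path inside a Run-key style value, with optional quotes and trailing arguments.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|scr|bat|cmd|com))"?', re.I)
# Logon / injection values the report prints as "name=value".
VALUE_RE = re.compile(r"\b(AppInit_DLLs|load|run|Shell)\s*=\s*(.*)$", re.I)


def extract_path(value):
    """Return the path part of a value such as '"C:\\dir\\app.exe" /flag'."""
    m = PATH_RE.search(value)
    return m.group(1) if m else value.strip()


def in_suspicious_dir(path):
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)


def is_default_userinit(value):
    """Stock XP value is '<windir>\\system32\\userinit.exe,' with nothing appended after the comma."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return len(parts) == 1 and parts[0].lower().endswith("\\system32\\userinit.exe")


def triage(report):
    """Return (category, value, reason) tuples for entries a helper should ask about."""
    findings = []
    section = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith(("-----", "=====")):
            continue
        # Section headings end with ':' ("Running processes:"); registry paths in this report do not.
        if line.endswith(":") and not line.upper().startswith("HK"):
            section = line[:-1].lower()
            continue
        if section == "running processes":
            if in_suspicious_dir(line):
                findings.append(("process", line, "running from a temp or system-profile directory"))
            continue
        m = re.match(r"UserInit\s*=\s*(.+)$", line, re.I)
        if m:
            if not is_default_userinit(m.group(1)):
                findings.append(("userinit", m.group(1), "not the stock userinit.exe value; check what was appended"))
            continue
        m = VALUE_RE.search(line)
        if m:
            name, value = m.group(1).lower(), m.group(2).strip()
            # '*Registry value not found*' / '*INI section not found*' mean the value is unset.
            if value and not value.startswith("*") and not (name == "shell" and value.lower() == "explorer.exe"):
                findings.append((name, value, "non-default value in a logon or DLL-injection key; verify the publisher"))
            continue
        if " = " in line:  # any other 'name = value' autostart entry (Run keys, startup folders)
            name, _, value = line.partition(" = ")
            path = extract_path(value)
            if in_suspicious_dir(path):
                findings.append(("autostart", f"{name} -> {path}", "autostart entry from a temp or system-profile directory"))
    return findings


if __name__ == "__main__":
    for category, value, reason in triage(SAMPLE_REPORT):
        print(f"[{category}] {value}: {reason}")
```

Run against the sample it reports only the AppInit_DLLs line, which is exactly the kind of entry to ask the helper about (a DLL listed there is loaded into every process that uses user32.dll), while the UserInit and Shell values pass as default. Paste a full report into SAMPLE_REPORT, or read it from a file, to triage your own.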

#28 Mig
    New Member
  • Authentic Member
  • 18 posts

Posted 12 June 2008 - 12:01 AM

Hey LDTate,

I may have found something. This is in: C:\WINDOWS\system32\config\systemprofile\Desktop. Points to a site I'm not gonna post here unless you want me to. Created on the same day and around the same time I started having problems. Check out the attachment. Again thanks for your time.

Attached Thumbnails

  • ISS.png

Edited by Mig, 12 June 2008 - 12:04 AM.


#29 Metallica
    Spyware Veteran
  • Retired Classroom Teacher
  • 2,145 posts

Posted 12 June 2008 - 06:02 AM

Hi Mig,

LDTate asked me to have a look.
Can you try something for me?
This only works if you have XP Pro.

Start > Run > type or copy&paste gpedit.msc > OK

In the Policy Editor choose and expand User Configuration > Administrative Templates > Desktop > Active Desktop.
Then select and right-click "Disable Active Desktop" and choose Properties.
Select Disabled > Apply and close the Policy Editor. You may have to reboot for the change to take effect.

Edited by Metallica, 12 June 2008 - 06:16 AM.


#30 Mig
    New Member
  • Authentic Member
  • 18 posts

Posted 12 June 2008 - 03:10 PM

Hey Metallica,

Thank you for looking at this. Sorry, I'm only running XP Home. I don't have the GPEdit feature :blush:
I had a brilliant idea of hiding the icons on my guest acct to see what would happen and amazingly enough it did it the normal way! :woot:
I can hide the icons with the wallpaper still showing and I can also change the wallpaper while the icons are still hidden - to boot!
That's my guest user acct though; back to my log-in and the desktop is still a mystery. I do have a batch file titled: install-privacy-danger.bat from original folder: C:\Documents and Settings\f4ucorsair\Local Settings\Temp\desktop_background.zip. The temp folder is not there anymore and the batch file is locked up in the Avast virus chest. I would love to tear into that batch file but am afraid to do so :blush: Stop laughing at me - I've been licked by fire and have the scars to prove it: my poor desktop... :blush:
