
Somebody plz help me!!!

bigziggyz

n00b
Joined
Dec 7, 2004
Messages
46
I have a problem with my computer. Since yesterday I think I have a virus or spyware. I downloaded the latest versions of both spysweeper and norton internet security and scanned my system and cleaned it out but there is still a problem. My background is gone; now there is just a black screen with icons (in pic). Also when I right click from desktop and go to properties (display properties) there are only two options, screen saver and settings; there used to be 5 options (see attached pic). My question is do I have a virus, and if I do, how do I remove it from my system? As I said before, I have the latest norton antivirus software and scanned my system and removed what I could. Somebody plz help!!!

Thanks in advance

untitled19zn.jpg
 
Those two programs are just a part of a possible solution. I've never seen anything like what's going on with your computer, but it doesn't seem like something spyware would do. Anyway, here are some spyware options.

Free Spyware Removers:
CCleaner
Ad-Aware
Spyware Blaster
Spybot S&D
Microsoft Antispyware

I use all of the above, except now that I use Firefox, CCleaner is about all I ever use anymore to get rid of internet junk and cookies and such.



Something else you might try is to turn off System Restore, boot into Safe Mode, and scan for viruses and spyware.
 
i use AVG Free Edition for viruses (www.grisoft.com)

have you tried going to desktop properties and seeing if you have "Active Desktop" enabled/disabled? try changing that setting...

 
Thanks for the advice. I downloaded all the recommended software and still the problem remains. How do I get to active desktop properties to see if it is enabled or disabled? When I right click there is nothing about active desktop, nor is it in the desktop properties.
 
are you sure that none of the above worked?
did you enable Heuristics on AVGFree ?

try going to the advanced tab of Desktop Properties, idk where it is though, maybe that'll help.


why not just stick in your Windows XP CD and install windows over your current copy?

 
Right click on your desktop, and turn Active Desktop back on. Might be marked as something like "Recover Active Desktop".

OR

Are you logged on as an Administrator? The other possibility is that someone dropped a GPO on ya, and locked you out of those settings. If that is what happened, then you need to figure out who, and remove the GPO.
 
Drucifer said:
Right click on your desktop, and turn Active Desktop back on. Might be marked as something like "Recover Active Desktop".

OR

Are you logged on as an Administrator? The other possibility is that someone dropped a GPO on ya, and locked you out of those settings. If that is what happened, then you need to figure out who, and remove the GPO.
read the original post, he can't do anything but get to two options when he right clicks

and what's a "GPO" ?

 
GPO = Group Policy Object.


EG: Comp sits on the family LAN, Mom/Dad/Spouse knows enough about computers, and is tired of porn/whatever wallpapers. Enters MMC.exe, creates an object, and *boom* no more desktop. We do it all the time here at work... takes about 15 seconds to write and implement. No reboot required. :) Good for teaching people who forget security a lesson.
 
Drucifer said:
GPO = Group Policy Object.


EG: Comp sits on the family LAN, Mom/Dad/Spouse knows enough about computers, and is tired of porn/whatever wallpapers. Enters MMC.exe, creates an object, and *boom* no more desktop. We do it all the time here at work... takes about 15 seconds to write and implement. No reboot required. :) Good for teaching people who forget security a lesson.

This is what it looks like alright, but I have seen spyware and viruses that will do this same thing, it helps the virus/spyware because it makes it harder to delete the files or diagnose the problem (try fixing spyware when you can't enable the taskmanager ;))
 
Some Llama said:
This is what it looks like alright, but I have seen spyware and viruses that will do this same thing, it helps the virus/spyware because it makes it harder to delete the files or diagnose the problem (try fixing spyware when you can't enable the taskmanager ;))
Been there... done that, and does it suck. :) I digress though... IF the OP has Admin access, boot into safe mode, kill any GPO in effect, and hunt down the spyware, if it is there.
 
Drucifer said:
Are you logged on as an Administrator? The other possibility is that someone dropped a GPO on ya, and locked you out of those settings. If that is what happened, then you need to figure out who, and remove the GPO.
I'm not sure what a gpo is but no one touches this computer except me. It is logged in as me and I never change it to administrator and it's not on a network (just use a dsl router). And as another user pointed out, I only have two options when I right click and go to properties. If you have any more ideas for me, plz do lemme know. Thanks for the help
 
Carnival Forces said:
are you sure that none of the above worked?
did you enable Heuristics on AVGFree ?

why not just stick in your Windows XP CD and install windows over your current copy?

Yep none of the above worked. I'll enable heuristics and try it that way. But I think i'm just gonna re-install xp and hope that solves the problem. I'll install it and let you know what happens.
 
Ok guys, I just re-installed xp on my machine and still the same problem (the black screen). I will log in as administrator and see if it helps. Any more ideas???
 
Did you reformat before re-installing?


When you re-install XP without formatting, it merely preserves the settings of the existing OS. Failure to reformat will only result in the problem continuing to appear.
 
Drucifer said:
Did you reformat before re-installing?


When you re-install XP without formatting, it merely preserves the settings of the existing OS. Failure to reformat will only result in the problem continuing to appear.
No I didn't reformat b/c I am waiting to get another harddrive so I can back up all my stuff. As soon as I get that then I will reformat and reinstall xp. I was hoping I could get the problem solved without reformatting but I guess that's my last option. Thanks for the help
 
Did you bother to check to see in mmc.exe if your account was being blocked by a GPO?
 
Drucifer said:
Did you bother to check to see in mmc.exe if your account was being blocked by a GPO?

I'll say it's 99.9% not a GPO that's causing this. In my desktop support/home user support life it's spyware/virus related.

It's almost 99.9% impossible to completely remove when it gets this bad. You CAN clean it up but when it's this bad a re-install of the O/S is the best method, good luck on that :)

This spyware stuff is really a pain in the butt ya know? DANG.
 
Also, if you come to a point where it's going to take several hours to tinker and attempt to remove spyware, it's easier just to re-install anyway. Especially if you're using Ghost or some other imaging software.
 
djnes said:
Also, if you come to a point where it's going to take several hours to tinker and attempt to remove spyware, it's easier just to re-install anyway. Especially if you're using Ghost or some other imaging software.

QFT

That's how I approach it these days. Not only with my own systems but with families/friends I support.
 
On the machines I help my buddy out with when he gets overrun... I don't even attempt to remove spyware/adware/viruses/etc.

FDISK, OS re-install. If the customer pays for the data recovery, then I'll spend some time doing that. If not, c'est la vie!
 
Drucifer, I checked the mmc.exe and there is nothing so I'm assuming everything is fine. I reinstalled my OS but it didn't fix the problem (didn't format my harddrive though). Will do that as soon as I get another harddrive to back up my stuff. In the mean time more ideas are appreciated and yea this virus and spyware thing is a pain in the a**
 
Thanks some llama. I think this is what you are asking for


C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Zeeshan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.31.79.180/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.180/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.31.79.180/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.180/search.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {D46984CE-1720-17FE-5DB2-48A199913C9C} - C:\WINDOWS\System32\hqu.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Microsoft AntiSpyware helper - {2FEBFF22-4A51-4C44-A7A9-C34B6015CBDD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2FEBFF22-4A51-4C44-A7A9-C34B6015CBDD} - (no file) (HKCU)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {4FDF3696-5078-4952-868C-CEEB9683B8C4} (DownloadFile Control) - http://68.157.138.250/cab/DownloadFile.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://68.157.138.250/cab/Live.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
 
Quote:
Originally Posted by Drucifer
Right click on your desktop, and turn Active Desktop back on. Might be marked as something like "Recover Active Desktop".

Carnival Forces said:
read the original post, he can't do anything but get to two options when he right clicks


Carnival, right clicking on the desktop will bring up a menu, and then if you go to properties like bigziggyz did (btw, read the original post) then he gets the two options.


On to the problem at hand. Looking at the hijackthis log that you posted, you've got quite a few problems... Too many... The most noticeable ones are the spyware toolbars (like Flashget), the trusted zones URLs and the IPs are backdoor portals, and let's not forget the Trojan.Win32.Stervis.b hijacker that was on your system at some point under the name of svcproc.exe. That final note is probably the biggest reason you're having the issues you are now, because it intermittently changes your Internet Explorer settings / Desktop to the link of its author's sponsors. The damage that it and the other items I mentioned before have done is not easily reversible, and when I say "not easily" I mean I doubt you're going to find somebody who is going to be able to properly restore your UI.

Your best bet would be to put another hard drive in or burn a CD, copy your important files (ONLY the ones you know you absolutely can't live without and won't be able to replace), clear partition data, and start over with a fresh install of XP. This OS is now completely, and literally, FUBAR.
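
Added example (not part of the original thread or any poster's own code): a small Python triage pass over HijackThis-format lines that flags the kinds of entries the reply above calls out. The sample lines are copied from the log posted earlier in the thread; the rule set and the function name `triage` are assumptions for illustration, not HijackThis's own logic.

```python
import re

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.31.79.180/search.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
O2 - BHO: (no name) - {D46984CE-1720-17FE-5DB2-48A199913C9C} - C:\WINDOWS\System32\hqu.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O16 - DPF: {4FDF3696-5078-4952-868C-CEEB9683B8C4} (DownloadFile Control) - http://68.157.138.250/cab/DownloadFile.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                    # "O15 - Trusted Zone: ..."
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")  # URL with a bare IP as host

def triage(log_text):
    """Return (section, body, reasons) for every entry worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # process list, blank lines, headers
        section, body = m.groups()
        reasons = []
        if section in ("R0", "R1") and IP_URL.search(body):
            reasons.append("IE search setting points at a raw IP address")
        if "ProxyServer = 127.0.0.1" in body:
            reasons.append("IE proxy redirected to a local port")
        if section == "O15":
            reasons.append("Trusted Zone entry (runs with relaxed IE security)")
        if section == "O16" and IP_URL.search(body):
            reasons.append("ActiveX control downloaded from a raw IP address")
        if body.endswith("(file missing)"):
            reasons.append("registration left behind for a file no longer on disk")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service binary carries no vendor information")
        if reasons:
            findings.append((section, body, reasons))
    return findings

if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {body}\n    -> " + "; ".join(reasons))
```

A flagged line is a prompt for manual review, not a verdict: leftover "(file missing)" registrations, for instance, also appear after a legitimate program is uninstalled.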
 
Thanks mehenly for your help.

I think you are trying to say I have a lot of problems lol. If I can go in regedit.exe and delete all the stuff that doesn't belong will that solve the problem or is there more to it than just deleting?

I would like to solve the issue w/o formatting my harddrive if possible b/c I have so much stuff on my computer that I would have to get another harddrive.
 
yes, but i think if you knew enough to hack the reg and delete everything bad w/o screwing shit up, you wouldn't be in the position you are now.

reformat.

 
Agreed. Viewing the HiJack This log, I also concur that it is apparent your OS, is, well, toast.

Reformat.
 
I fixed this on a friend's computer, by switching them to a new user account. Whatever the cause was, I don't know. But it gave back access to the missing tabs in Display Properties
 
RobB said:
I fixed this on a friend's computer, by switching them to a new user account. Whatever the cause was, I don't know. But it gave back access to the missing tabs in Display Properties
that's a thought, try creating a new User Account, logging in to it, and then running Spybot S&D, Adaware Personal, and AVG Free Edition (in that order; download them, install them, update them, run them)

make sure you have the newest version of Adaware--1.06 is out.
 