Author Topic: "your computer is infected" black screen  (Read 3698 times)

ckak
« on: August 27, 2005, 08:54:55 AM »
My PC got infected with spyware. We got a black screen on the desktop saying "your computer is infected" and directing us to a URL where we could buy anti-spyware software.

I ran the Microsoft antispyware software (beta version), Adware SE special 1.06, and spybot search and destroy.

The black screen and text went away. BUT, there is still something on top of my desktop (I can tell because the desktop shows up when I boot the machine or turn it off without the white background, and in fact googletalk launches while my theme of choice for the desktop is still there).

also, when I open control panel/display and look at the themes tab, the picture of the themes has the usual pictures but on top of it comes a smaller "Active Window."

Here is my HJT log - pls help

Logfile of HijackThis v1.99.1
Scan saved at 9:46:58 AM, on 8/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\andrew\Desktop\hijackthis.exe

O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

guestolo
« Reply #1 on: August 27, 2005, 07:38:18 PM »
==Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

==Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup! 4.0
Give the link time to load or try it twice, it may be busy
Don't run this yet, we'll need it in a bit

Place a shortcut to Panda ActiveScan on your desktop.
Steps>>Click the Scan your PC
Fill in the appropriate info
Load the Active X control and the virus definitions
Click the "1-Click ActiveScan"
Install shortcut to desktop
Don't run the scan yet, close out
We'll run this later

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart

Stay in safe mode
Open the SmitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck everything you find in there.
Exclude "My Current Home Page" if selected

==Open Ewido trojan scanner
Click on the Scanner button on the left menu
Click on the Settings button on the right
Select "Scan Every File"
OK it and then click on the "Complete System Scan"
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

NOTE: When Ewido is running do NOT open any other Windows
Let it do its job

Restart back to Normal mode

Back in Windows
click the Panda ActiveScan shortcut and scan your whole computer
When it's done save the report and post it back here

Along with the following
Run another scan with Hijackthis and post a fresh log
SmitRem would have produced a log found here
C:\smitfiles.txt
Please post the smitfiles.txt
Also post the report from Ewido
« Last Edit: August 27, 2005, 07:47:39 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


ckak
« Reply #2 on: August 28, 2005, 07:09:47 PM »
here is the output:

**********1) smitRem.txt***********


   smitRem log file
     version 2.3

     by noahdfear

The current date is: Sun 08/28/2005
The current time is:  0:19:00.75

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Pre-run Files Present


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


   Post-run Files Present


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~



 ~~~ Wininet.dll ~~~

 CLEAN! :)

*********** 2) Ewido ***************

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         2:30:10 PM, 8/28/2005
 + Report-Checksum:      48FCB9F6

 + Scan result:

   :mozilla.23:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.24:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   :mozilla.35:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.36:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.37:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.38:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.39:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.40:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.41:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.42:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
   :mozilla.60:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
   :mozilla.61:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
   :mozilla.73:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.74:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.77:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
   :mozilla.78:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
   :mozilla.79:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
   :mozilla.84:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.85:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.86:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.94:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   :mozilla.95:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   :mozilla.96:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   :mozilla.97:C:\Documents and Settings\andrew\Application Data\Mozilla\Firefox\Profiles\c5tv0e2d.Default User\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup


::Report End

************************** 3) Panda *************

Incident                      Status                        Location

Adware:adware/adsmart         No disinfected                C:\WINDOWS\SYSTEM32\thun.dll
Adware:adware/findspy         No disinfected                C:\DOCUMENTS AND SETTINGS\ANDREW\FAVORITES\ Free Hidden Cams World - Realtime.url
Adware:adware/topmoxie        No disinfected                C:\WINDOWS\cache371
Adware:adware/wupd            No disinfected                Windows Registry
Virus:Trj/Ppdoor.AH           Disinfected                   C:\WINDOWS\system32\crypmg32.dll

***************** 4) HJT ***********************

Logfile of HijackThis v1.99.1
Scan saved at 8:04:11 PM, on 8/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Documents and Settings\andrew\Desktop\hijackthis.exe

O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

guestolo
« Reply #3 on: August 28, 2005, 07:20:31 PM »
Find and delete the following files
C:\WINDOWS\SYSTEM32\thun.dll <-file
C:\DOCUMENTS AND SETTINGS\ANDREW\FAVORITES\ Free Hidden Cams World - Realtime.url
and the following folder
C:\WINDOWS\cache371

Your log is looking a little slim, I want to ensure you have no nasties installed
Open Hijackthis>>Open Misc tools section>>Open Uninstall Manager
Click the SAVE LIST button
Save the list to desktop then copy and paste the contents back here

Could you also open Hijackthis>>Open Misc tools>>Open Hosts file manager
Click the "Open In Notepad" button
A text file will open, copy and paste back the whole contents please
« Last Edit: August 28, 2005, 07:25:01 PM by guestolo »

ckak
« Reply #4 on: August 28, 2005, 07:24:25 PM »
here is the list:

3D Groove Playback Engine
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe SVG Viewer 6.0
Adware Patrol 1.0.8
AlertSpy 1.0.8
Avance AC'97 Audio
Big Action Construction
BigFix
BitTorrent 4.1.2-Beta
Bricks Of Egypt (remove only)
Chessmaster 10th Edition
CleanUp!
Coelho Sabido e a Estrela Cintilante
CompuServe
Conexant SoftK56 Modem(M)
DELL TrueMobile 1180 Wireless USB
DivX
DivX Player
ewido security suite
GameSpy Arcade
Google Talk (remove only)
Google Toolbar for Internet Explorer
Gutterball
HijackThis 1.99.1
Intel® Extreme Graphics Driver Software
Internet Chess
iPod mini 1.0 for Windows User Guide
iPod mini Software Updater 1.0
iPodder.NET
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1_02
JetSuite Pro for the HP LaserJet 3150
JumpStart Advanced 1st Grade
JumpStart Advanced 2nd Grade
JumpStart Field Trip Adventure
JumpStart Phonics
KODAK Picture CD
Learn to Play Chess with Fritz and Chesster
Learn to Play Chess with Fritz and Chesster 2
LEGO My Style Preschool
Macromedia Shockwave Player
Math Missions Grades K-2
Medal of Honor Allied Assault
Microsoft .NET Framework 1.1
Microsoft AntiSpyware
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office PowerPoint Viewer 2003
Microsoft Works 6.0
Mozilla Firefox (1.0.5)
MSN Messenger 6.2
Mystery Club Detective Academy
Outlook Express Q837009
Panda ActiveScan
Playhouse Disney's Stanley Wild for Sharks
QuickTime
Reader Rabbit 1st Grade
Reader Rabbit Playtime for Baby
Reader Rabbit Thinking Adventures Ages 4-6
Reader Rabbit Toddler
Reader Rabbit's Math Ages 6-9
RealPlayer
Registrar Lite 2.00
Rescue Heroes Hurricane Havoc
Rescue Heroes Meteor Madness
Rescue Heroes Mission Select
Rescue Heroes(tm) Lava Landslide
Rescue Heroes(tm) Tremor Trouble
Shockwave
Spinner the Space Kid (remove only)
Spy Kids 3D
Spybot - Search & Destroy 1.3
SpyCatcher 3.0
Update for Windows XP (KB894391)
Viewpoint Media Player (Remove Only)
Vodei Multimedia Processor 1.09
Winamp (remove only)
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839643
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix (SP2) Q819696
Windows XP Service Pack 1a
Yahoo! Companion
Zoombinis Logical Journey(tm)

guestolo
« Reply #5 on: August 28, 2005, 07:26:02 PM »
That was quick :)
Did you see what I added above to my last reply, can you also supply the contents of the Hosts notepad

Here's what I added
Quote
Find and delete the following files
C:\WINDOWS\SYSTEM32\thun.dll <-file
C:\DOCUMENTS AND SETTINGS\ANDREW\FAVORITES\ Free Hidden Cams World - Realtime.url <-file
and the following folder
C:\WINDOWS\cache371 <-folder

Your log is looking a little slim, I want to ensure you have no nasties installed
Open Hijackthis>>Open Misc tools section>>Open Uninstall Manager
Click the SAVE LIST button
Save the list to desktop then copy and paste the contents back here

Could you also open Hijackthis>>Open Misc tools>>Open Hosts file manager
Click the "Open In Notepad" button
A text file will open, copy and paste back the whole contents please
« Last Edit: August 28, 2005, 07:31:26 PM by guestolo »

ckak
« Reply #6 on: August 28, 2005, 07:38:15 PM »
I am desperate!! Thanks for getting back so fast. I removed the folders and files you specified. Here is the hosts notepad output

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

guestolo
« Reply #7 on: August 28, 2005, 07:57:23 PM »
I'm looking at some of the Spyware tools you have on your computer
A few are not recommended

Take a look at this link
http://www.spywarewarrior.com/rogue_anti-spyware.htm

I recommend you access your Add/Remove programs via Control Panel and remove the
following
Adware Patrol 1.0.8
AlertSpy 1.0.8

Both above are reported to give false positives and urge you to try and purchase them

Also, the next one is mentioned on the link, but was not added to the rogue list
SpyCatcher 3.0
You may have paid for this, if you didn't can you remove it
It's not a recommended removal tool

While you're in your Add/Remove programs can you remove the following too
Viewpoint Media Player (Remove Only)
and finally
Spybot - Search & Destroy 1.3
Spybot is legit but we'll update you to the latest version

Restart your computer after removing all or any of the above

Back in Windows, can you do the following
Download and Install Spybot 1.4 from
HERE
 or HERE
Don't activate the Tea Timer when installing, it's a great feature but can get in the way
of any fixes we may still have to do
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and download all updates
Don't run a scan yet
We'll do this in a bit

I see no Anti-Virus software on your computer
Download and install the free version of AVG 7
Access the following link
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Scroll down to the bottom part of the page
and click on the following

AVG Free Edition installation files
File   Version
avg70free_344a618.exe
<-this link, or similar
Save the installer to desktop
Double click to install, follow the prompts
Restart the computer if prompted
Ensure that AVG is right up to date

Let's try some scans in safe mode
Again Print this out or save to a notepad file on desktop

Restart into safe mode
Run a full system scan with AVG
When it's done

Open Spybot
Click the Search & Destroy button on the left
Check for Problems---When the Scan is complete
FIX all selected problems in RED

Restart back to Normal mode
Run Hijackthis again and post a fresh log

Let me know of any problems afterwards

ckak
« Reply #8 on: August 28, 2005, 10:47:40 PM »
OK. AVG found nothing. Spybot found and fixed mediaplex and avenue A.

I still have the original problem: a white background shows up between my background of choice (Windows XP theme) and the icons on my desktop, right after googletalk and the antivirus start. Also, if I go to control panel -> display -> themes and choose any theme (eg, Windows XP), I get the usual picture but on top of it there is a little pop up window on top of the picture. It is labeled Active X window, and it is a white window with "window text" written within it.

Here is my hjt

Logfile of HijackThis v1.99.1
Scan saved at 11:40:40 PM, on 8/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Documents and Settings\andrew\Desktop\hijackthis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

guestolo
« Reply #9 on: August 28, 2005, 11:09:43 PM »
Can you check the following for me again
Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck everything you find in there.
Log off user and back on again

Also,
Download and UNZIP to desktop Search.zip
So you now have Search.bat extracted to desktop
Double click on Search.bat
A text file will open
Copy and paste back here the WHOLE contents please
« Last Edit: August 28, 2005, 11:10:07 PM by guestolo »

ckak
« Reply #10 on: August 28, 2005, 11:26:08 PM »
"Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck everything you find in there."

The only box checked was a security box, which I unchecked, but when I logged off and on again it was checked back.

here are the results of display.txt


=================================================




Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000

"NoDispSettingsPage"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"LoadedBefore"="1"
"ThemeActive"="1"
"LastUserLangID"="1033"
"DllName"=hex(2):25,00,00,00,53,00,00,00,79,00,00,00,73,00,00,00,74,00,00,00,\
  65,00,00,00,6d,00,00,00,52,00,00,00,6f,00,00,00,6f,00,00,00,74,00,00,00,25,\
  00,00,00,5c,00,00,00,72,00,00,00,65,00,00,00,73,00,00,00,6f,00,00,00,75,00,\
  00,00,72,00,00,00,63,00,00,00,65,00,00,00,73,00,00,00,5c,00,00,00,54,00,00,\
  00,68,00,00,00,65,00,00,00,6d,00,00,00,65,00,00,00,73,00,00,00,5c,00,00,00,\
  6c,00,00,00,75,00,00,00,6e,00,00,00,61,00,00,00,5c,00,00,00,6c,00,00,00,75,\
  00,00,00,6e,00,00,00,61,00,00,00,2e,00,00,00,6d,00,00,00,73,00,00,00,73,00,\
  00,00,74,00,00,00,79,00,00,00,6c,00,00,00,65,00,00,00,73,00,00,00,00,00,00,\
  00
"ColorName"="NormalColor"
"SizeName"="NormalSize"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\Web\\desktop.html"
"SubscribedURL"="C:\\WINDOWS\\Web\\desktop.html"
"FriendlyName"="Security"
"Flags"=dword:00006002
"Position"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,20,03,00,00,57,02,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,32,00,00,00,32,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,01,00,00,00,20,03,00,00,57,02,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,20,03,00,00,58,02,\
  00,00,01,00,00,00

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000
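Added example, not part of the thread or of the Search.bat tool: a small triage script that parses a .reg export like the one posted above, lists the Active Desktop components under the Desktop\Components key, flags any whose Source is a local file instead of a web URL (the pattern behind the "Security" overlay that kept re-checking itself here), and reports display/Task Manager lock-out policies set to a non-zero value. The sample export is a constructed excerpt of the post above.

```python
import re

# Constructed sample: the relevant part of the registry export posted in Reply #10.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"Settings"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\Web\\desktop.html"
"SubscribedURL"="C:\\WINDOWS\\Web\\desktop.html"
"FriendlyName"="Security"
"Flags"=dword:00006002
"CurrentState"=hex:01,00,00,40

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"NoDispCPL"=dword:00000000
'''

# Per-user Active Desktop web items live under this key, one numbered subkey each.
COMPONENTS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"

# Policy values (all present in the posted export) that hide display settings or
# Task Manager from the user; a value of 1 locks the user out of that UI.
LOCKOUT_POLICIES = {
    "activedesktop": {"NoChangingWallPaper"},
    "explorer": {"NoActiveDesktop", "NoSaveSettings", "NoThemesTab", "ClassicShell"},
    "system": {"DisableTaskMgr", "NoDispCPL", "NoDispAppearancePage",
               "NoDispBackgroundPage", "NoDispScrSavPage", "NoDispSettingsPage",
               "NoColorChoice", "NoSizeChoice", "NoVisualStyleChoice"},
}


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}.

    dword values become ints, quoted strings are unescaped, anything else
    (hex blobs and their continuation lines) is left as the raw text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if val and current is not None:
            name, raw = val.group(1), val.group(2)
            if raw.startswith("dword:"):
                value = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                value = raw
            keys[current][name] = value
    return keys


def suspicious_components(keys):
    """Return Active Desktop components whose Source is not an http(s) URL.

    A web item that points at a local .html file, named to look like a
    security notice, is how the overlay in this thread persisted."""
    prefix = COMPONENTS_KEY + "\\"
    findings = []
    for path, values in keys.items():
        if not (path.startswith(prefix) and path[len(prefix):].isdigit()):
            continue
        source = values.get("Source", "")
        if not re.match(r"https?://", source, re.IGNORECASE):
            findings.append({"component": path[len(prefix):],
                             "name": values.get("FriendlyName", ""),
                             "source": source})
    return findings


def locked_policies(keys):
    """Return (key_path, name, value) for lock-out policies set to non-zero."""
    hits = []
    for path, values in keys.items():
        m = re.search(r"\\Policies\\(ActiveDesktop|Explorer|System)$", path, re.IGNORECASE)
        if not m:
            continue
        wanted = LOCKOUT_POLICIES[m.group(1).lower()]
        for name, value in values.items():
            if name in wanted and isinstance(value, int) and value != 0:
                hits.append((path, name, value))
    return hits


def report(text):
    """Human-readable findings for one export; empty list means nothing flagged."""
    keys = parse_reg(text)
    lines = [f"Active Desktop component {c['component']} ({c['name']!r}) loads local file {c['source']}"
             for c in suspicious_components(keys)]
    lines += [f"Lock-out policy set: {path}\\{name} = {value}"
              for path, name, value in locked_policies(keys)]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_REG):
        print(line)
```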

guestolo
« Reply #11 on: August 28, 2005, 11:54:47 PM »
Try this again,
Find and delete the following file if it exists
C:\WINDOWS\Web\desktop.html <-this file

Afterwards
Go back to
start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck "Security"
Now click OK>>APPLY>>OK

Log off and back on again

Let me know if that helps, if not we'll try another method

ckak
« Reply #12 on: August 29, 2005, 12:06:59 AM »
YOU ARE THE BEST!! It is gone, and I now have the right theme.

Thanks!!!!

guestolo
« Reply #13 on: August 29, 2005, 09:59:38 PM »
Good work ckak

If everything is running better, please do the following
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is re-enabled

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"

Now would be a good time to update to Service Pack 2
This is important in keeping your system secure also
Please see these links
http://www.microsoft.com/windowsxp/sp2/topten.mspx
http://www.microsoft.com/windowsxp/sp2/default.mspx
