Unknown Virus, Please Help


Tesla Coil

Hey,

This virus is on an XP Pro System

The virus has made the following changes:
1. Desktop is full of spam type icons, i.e. porn & gambling web site
shortcuts.
2. No task bar or start.
3. "Task Manager disabled by Admin." message after "CTRL+ALT+DEL" is
pressed.
4. No right or left click function.

I remember an old virus that did the icon thing, but this thing is
locked tight.

Does anyone know the name or have a solution for this virus?

TIA
 

David H. Lipman

From: <Tesla Coil>

| Hey,
|
| This virus is on an XP Pro System
|
| The virus has made the following changes:
| 1. Desktop is full of spam type icons, i.e. porn & gambling web site
| shortcuts.
| 2. No task bar or start.
| 3. "Task Manager disabled by Admin." message after "CTRL+ALT+DEL" is
| pressed.
| 4. No right or left click function.
|
| I remember an old virus that did the icon thing, but this thing is
| locked tight.
|
| Does anyone know the name or have a solution for this virus?
|
| TIA


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 

Tesla Coil

Hey,

Thanks for the quick follow-up.
I have sysbot and Symantec 9.0. The problem is that
windows is locked tight and there is no command function.

The only thing I can do is boot.

?
TIA

 

David H. Lipman

From: <Tesla Coil>

| Hey,
|
| Thanks for the quick follow-up.
| I have sysbot and Symantec 9.0. The problem is that
| windows is locked tight and there is no command function.
|
| The only thing I can do is boot.
|
| ?

Is that SpyBot S&D v1.4 ?


You can't go to; start --> Run
and enter a command ?

You can't open a Command Prompt ?
 

Tesla Coil

There is no Start or Run or Task Bar, just an empty stripe.
In "Safe Mode" I can only get to the windows dir. The "CD" command
responds as an unknown command.

I haven't used safe mode since Win 95. Have the commands changed?
I assumed this is part of the virus.

I also use zap pro and a hardware firewall.
I haven't had virus in years. So I'm a little rusty here.
This is a friend's system for his small business and I thought I would
try to help.

I have never seen anything like this before.
I was hoping that this was something common right now and
could be easily identified. Maybe it's a new one.

?
 

David H. Lipman

From: <Tesla Coil>

| There is no Start or Run or Task Bar, just an empty stripe.
| In "Safe Mode" I can only get to the windows dir. The "CD" command
| responds as an unknown command.
|
| I haven't used safe mode since Win 95. Have the commands changed?
| I assumed this is part of the virus.
|
| I also use zap pro and a hardware firewall.
| I haven't had virus in years. So I'm a little rusty here.
| This is a friend's system for his small business and I thought I would
| try to help.
|
| I have never seen anything like this before.
| I was hoping that this was something common right now and
| could be easily identified. Maybe it's a new one.
|
| ?


* It may be past your expertise and bringing it to a qualified service center may be
warranted. *
 

Noel Paton

pcbutts1 said:
I need to see a copy of your hijackthis log. Download it from here
http://www.pcbutts1.com/downloads/hijackthis.zip boot into safe mode and
run it post the log so I can see it.


Why not post the link directly - with proper instructions on how to use
it? - instead of sending the OP to download a zipfile that contains a text
file that says simply
<quote>
Hijackthis can be downloaded directly from

http://216.180.233.162/~merijn/files/HijackThis.exe
</quote>
- which leaves the OP none the wiser as to whether the file is likely to be
a clean copy, or an infested copy!

The correct place to get HJT is from the AUTHORISED sources - which also
host the proper instructions for use, and usually have specialist forums for
the interpretation of the results.
The correct (and original) source for HJT is
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

the FAQ's explain the process of malware removal - other forums have their
own FAQ's and these should be read BEFORE using HJT at all
http://forums.spywareinfo.com/index.php?showtopic=227

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's
 

Gabriele Neukam

On that special day said:
2. No task bar or start.

What happens, if you press the windows key on the keyboard, or a
combined Ctrl-Esc? Normally, this should open the start menu.


Gabriele Neukam

 

Nick Skrepetos (SuperAdBlocker.com)

Hello,

This sounds like some of the Lop.com infections we have seen recently. You
may wish to try Super Ad Blocker with SUPERAntiSpyware:
http://www.superadblocker.com

Super Ad Blocker | SUPERAntiSpyware offers several unique features such as
using a system level driver to delete detected items, so pests do not come
back once detected and cleaned.

Super Ad Blocker offers a fully functional 15-day trial. You can scan and
clean your computer and then remove Super Ad Blocker if you do not wish to
keep it. We do appreciate when users support our development efforts by
purchasing the product :)

If that does not find and/or remove the spyware/adware on your machine, you
can submit a diagnostic and I will diagnose your machine for free and post
the results back to the group and update our rules with anything found:
http://www.superadblocker.com/diagnostic.html?id=nicks

You may also wish to "see" what is running on your computer here:
http://www.fileresearchcenter.com

Nick Skrepetos
SuperAdBlocker.com - SUPERAntiSpyware
http://www.superadblocker.com
http://blogs.superadblocker.com
http://forums.superadblocker.com

** Please note that I am the author of the above programs and sites and I do
have a vested interest in Super Ad Blocker, SUPERAntiSpyware and
FileResearchCenter.com. You, the user, have no obligation to purchase the
software and are free to try the software, clean/fix your system, and then
uninstall.
 

Befunge Sudoku

From: <Tesla Coil>

| There is no Start or Run or Task Bar, just an empty stripe.
| In "Safe Mode" I can only get to the windows dir. The "CD" command
| responds as an unknown command.
|
| I haven't used safe mode since Win 95. Have the commands changed?
| I assumed this is part of the virus.
|
| I also use zap pro and a hardware firewall.
| I haven't had virus in years. So I'm a little rusty here.
| This is a friend's system for his small business and I thought I would
| try to help.
|
| I have never seen anything like this before.
| I was hoping that this was something common right now and
| could be easily identified. Maybe it's a new one.
|
| ?


| * It may be past your expertise and bringing it to a qualified service center may be
| warranted. *
Maybe the "Ultimate Boot CD For Windows" would be handy here,
if somebody else can burn one (or is the PC still functioning
enough, perhaps?)
 

Shane


noahdfear

pcbutts1 said:
Sucker! if it had been anything other than that link your ass would have
tried to report me. Why did you download it anyway? That link was given to
me to use by Merijn now **** off and stop trying to cause trouble.

Merijn has given you nothing! You are hosting HijackThis without his
permission, just like several other tools. Just why is it that you
won't get permission to host these tools or send people to authorized
sites to get them? Do you really think that hosting them, or stealing
others (like mine) will gain you trust or respect among internet users?
The only thing you're gaining is a bad reputation! If you really want
to help, and build your credibility, join a forum that specializes in
HijackThis logs, go through the training and post good advice with
proper links and credit.


Tesla,

This sounds a lot like one of the smitfraud infections. See if you can
get into the registry, maybe in safe mode, and go to the following key.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Look for an entry named
DisableTaskMgr
Right click and modify the value to zero if present. This should allow
you to open the Task Manager with Ctrl+Alt+Del in normal mode, where
you can end task on what will likely be rogue processes hogging your
resources. Then try installing/updating and running Ad-aware, Spybot,
Panda ActiveScan, etc.

If this gets you going again, I recommend you seek further assistance
in a well known malware removal forum, such as SpywareInfo, GeekToGo,
CastleCops, TechSupportGuy, BleepingComputer, etc.
 

Noel Paton

pcbutts1 said:
Sucker! if it had been anything other than that link your ass would have
tried to report me. Why did you download it anyway? That link was given to
me to use by Merijn now **** off and stop trying to cause trouble.


On the contrary - if you'd posted a 'proper' link to a legal source of HJT,
I'd have ignored your post completely.

As it was, someone needed to:-
1) point out to the OP the proper source
2) let you know that you had committed a boo-boo
3) check to make sure that the file downloaded was not a virus

I took it upon myself to do that.

You obviously didn't care enough about the OP to even come back to this
thread until three days later, by which time almost anything could have
happened.


 

David H. Lipman

From: <Tesla Coil>

| Hey,
|
| Been out of town.
| Thanks, that sounds like a good approach.
|


The following can be used to make corrections.
Copy and Paste the text between the dashes (----------) into notepad and save the file as
FixReg.REG.

How you can import this into the Registry will depend if you can get the command line.

For example, boot into Safe Mode with Command Prompt and copy FixReg.REG to C:\
regedit c:\fixreg.reg

----------

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"ForceActiveDesktopOn"=-
"NoSaveSettings"=-
"NoChangeStartMenu"=-
"NoSetTaskbar"=-
"NoStartMenuSubFolders"=-
"NoStartMenuMFUprogramsList"=-
"NoStartMenuMorePrograms"=-
"NoToolbarsOnTaskbar"=-
"NoViewContextMenu"=-
"NoFind"=-
"NoRun"=-
"NoSetFolders"=-
"NoDesktop"=-
"NoControlPanel"=-
"NoSMHelp"=-
"NoWinKeys"=-
"DisableTaskMgr"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoActiveDesktopChanges"=-
"ForceActiveDesktopOn"=-
"NoSaveSettings"=-
"NoChangeStartMenu"=-
"NoSetTaskbar"=-
"NoStartMenuSubFolders"=-
"NoStartMenuMFUprogramsList"=-
"NoStartMenuMorePrograms"=-
"NoToolbarsOnTaskbar"=-
"NoViewContextMenu"=-
"NoFind"=-
"NoRun"=-
"NoSetFolders"=-
"NoDesktop"=-
"NoControlPanel"=-
"NoSMHelp"=-
"NoWinKeys"=-
"DisableTaskMgr"=-
 

David H. Lipman

From: "David H. Lipman" <[email protected]>


Oops! My Mistake!!!

The following is correct. I showed Policies\Explorer and it should have been
Policies\System !


| The following can be used to make corrections.
| Copy and Paste the text between the dashes (----------) into notepad and save the file as
| FixReg.REG.
|
| How you can import this into the Registry will depend if you can get the command line.
|
| For example, boot into Safe Mode with Command Prompt and copy FixReg.REG to C:\
| regedit c:\fixreg.reg
|

----------

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-
"WallpaperStyle"=-
"NoDispBackgroundPage"=-
"DisableRegistryTools"=-
"DisableRegedit"=-
"DisableTaskMgr"=-
"NoDispSettingsPage"=-
"NoDispScrSavPage"=-
"NoDispCPL"=-
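Before importing a .reg file like the one above (or hand-editing DisableTaskMgr as noahdfear suggests), it is worth checking exactly what the file will do: a restriction-lifting fix should only ever delete entries under the Policies keys, never write new data or touch anything else. The following parser is an added example, not David's or noahdfear's code and not part of any tool mentioned in the thread. It reads the REGEDIT4 format, lists the key and value deletions, and flags any operation outside the policy keys or any line that sets data. The embedded sample is the corrected FixReg.REG from the post above; the policy-key scope list is this example's own assumption about what such a fix may touch.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the corrected FixReg.REG from the thread
# (Policies\System). Embedded here so the script runs offline.
FIXREG_SYSTEM = r"""REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-
"WallpaperStyle"=-
"NoDispBackgroundPage"=-
"DisableRegistryTools"=-
"DisableRegedit"=-
"DisableTaskMgr"=-
"NoDispSettingsPage"=-
"NoDispScrSavPage"=-
"NoDispCPL"=-
"""

# Assumed scope for a "lift the restrictions" fix: only these locations may be
# touched. Matching is case-insensitive because registry paths are.
POLICY_SCOPE = (
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\",
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\",
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects",
)

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')               # [Key] or [-Key]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')    # "Name"=data or @=data


@dataclass
class RegOp:
    kind: str                    # "delete_key", "delete_value" or "set_value"
    key: str
    name: Optional[str] = None   # value name; "@" is the key's default value
    data: Optional[str] = None   # raw data text, only for set_value


def parse_reg(text: str) -> List[RegOp]:
    """Parse a .reg export into a flat list of operations."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / version header")
    ops: List[RegOp] = []
    current: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or comment
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            if m.group(1) == "-":          # [-Key] deletes the whole key
                ops.append(RegOp("delete_key", current))
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1).strip('"')
            data = m.group(2).strip()
            if data == "-":                # "Name"=- deletes the value
                ops.append(RegOp("delete_value", current, name))
            else:                          # anything else writes data
                ops.append(RegOp("set_value", current, name, data))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return ops


def in_scope(key: str) -> bool:
    k = key.lower()
    return any(k.startswith(p.lower()) for p in POLICY_SCOPE)


def review(ops: List[RegOp]) -> Dict[str, object]:
    """Summarise what importing the file would do. A fix that lifts policy
    restrictions should only delete entries inside the policy keys; any
    write, or any operation outside that scope, is reported as a finding."""
    deleted_values: Dict[str, List[str]] = {}
    findings: List[str] = []
    for op in ops:
        if not in_scope(op.key):
            findings.append(f"out of scope: {op.kind} {op.key}")
        if op.kind == "set_value":
            findings.append(f"writes data: {op.key}\\{op.name} = {op.data}")
        elif op.kind == "delete_value":
            deleted_values.setdefault(op.key, []).append(op.name)
    return {
        "deleted_keys": [op.key for op in ops if op.kind == "delete_key"],
        "deleted_values": deleted_values,
        "findings": findings,
        "ok": not findings,
    }


if __name__ == "__main__":
    report = review(parse_reg(FIXREG_SYSTEM))
    for key, names in report["deleted_values"].items():
        print(f"{key}: removes {', '.join(names)}")
    print("OK" if report["ok"] else "\n".join(report["findings"]))
```

Run against the sample it reports the one key deletion and the ten value deletions (DisableTaskMgr among them) and no findings; a file that instead contained `"DisableTaskMgr"=dword:00000001` would be flagged as writing data, which is what a copy that re-imposes the restriction rather than lifting it looks like.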
 
