1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Missing Control panel

Discussion in 'Virus & Other Malware Removal' started by lostProf, Oct 27, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. lostProf

    lostProf Thread Starter

    Joined:
    Oct 27, 2007
    Messages:
    2
    My computer was infected with the TROJAN.KILLAV virus. My pre installed Norton tried to remove it twice. it didnt work. Then i started getting a WINDOWS SECURITY ALERT that my files are being copied, if OK is hit, it brings me to a spyware link.
    I have lost the control panel and get the restrictions box that says "This operation has been cancelled due to restrictions in effect on this computer....."

    I have run a scan through hijackthis.exe. its pasted below.
    please help
    to remove the trojan and bring back the control panel.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:42:25 PM, on 10/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Citrix\ICA Client\pnagent.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\Program Files\Dell Network Assistant\hnm_svc.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071002
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071002
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/OneClickFix/tgctlsr.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: sulimo.dat
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 6523 bytes
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!



    Please download (save) SmitfraudFix (by S!Ri) to your desktop. SmitfraudFix runs under W2K, XP only.

    Extract the content (a folder named SmitfraudFix) to your Desktop. Select all of the contents and Extract them
    to a new folder called SmitfraudFix.
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  3. lostProf

    lostProf Thread Starter

    Joined:
    Oct 27, 2007
    Messages:
    2
    Here is the log


    SmitFraudFix v2.242

    Scan done at 11:53:37.70, Sat 10/27/2007
    Run from C:\Documents and Settings\Bansal\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Dell\QuickSet\Quickset.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Citrix\ICA Client\pnagent.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\Program Files\Dell Network Assistant\hnm_svc.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bansal


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bansal\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Bansal\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="sulimo.dat"
    "LoadAppInit_DLLs"=dword:00000001


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
    DNS Server Search Order: 68.87.85.98
    DNS Server Search Order: 68.87.69.146

    Description: Dell Wireless 1390 WLAN Mini-Card - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.2.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{122322E8-BC6B-4FFC-8F69-1AC8D220C868}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{A47F6F60-65E4-4074-ADD4-A452AA98A5A0}: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{122322E8-BC6B-4FFC-8F69-1AC8D220C868}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{A47F6F60-65E4-4074-ADD4-A452AA98A5A0}: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{122322E8-BC6B-4FFC-8F69-1AC8D220C868}: DhcpNameServer=192.168.2.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{A47F6F60-65E4-4074-ADD4-A452AA98A5A0}: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O20 - AppInit_DLLs: sulimo.dat

    Close all applications and browser windows before you click "fix checked".



    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • Open the c:\SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer that normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.


    After you have restarted the machine Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

    Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • In the Processes group click ALL
    • In the Win32 Services group click ALL
    • In the Driver Services group click ALL
    • In the Registry group click ALL
    • In the Files Created Within group click 60 days Make sure Non-Microsoft only is UNCHECKED
    • In the Files Modified Within group select 30 days Make sure Non-Microsoft only is UNCHECKED
    • In the File String Search group select ALL
    • in the Additional scans sections please press select ALL
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
    Please post the resulting log here as an attachment.

    • Click on the orange Post a Reply! button
    • scroll down to Manage Attachments
    • Click in the box that says Upload File from your Computer
    • Click the Browse... button and find the file then click open
    • Click the Upload button
    • Wait until you see Current Attachment and your file name
    • Click on Close this window
    • Then submit the reply.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/644104

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice