Totally frustrated,

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dave menche, May 14, 2004.

  1. dave menche

    dave menche Private E-2

    I have Windows 2000 on a Gateway, and have some real virus trouble. I have pop up stopper and McAfee installed.

    Symptoms:

    1. Home page keeps going to "I can find it, search for pleasure" no matter how I erase the cookies, history, change home page. It just keeps coming back.

    2. My favorite places keep getting undesirable web sites added, no matter how many times I remove them, they keep coming back, sometimes one at a time, but they keep coming back.

    3. When I try to open some web links, and on all the CWShredder links, I keep getting a funny search page to come up (not the home one, but a different one. This prevents download of the shredder.)

    4. On my desktop page, in the bottom left there is a new little window that says "Windows/obdc". I cannot remove it, I tried right click, and it just made my screen turn white.

    5. Computer is getting slow, and sometimes locks up, requiring restart.

    6. I keep getting these grey colored pop ups as a "messenger service" that want me to go to some "mnsoft" (or something like that) site, and download some protection, it tells me my computer is vulnerable etc... sometimes I get ten in a row of these grey pop up screens, all with different messages wanting me to run some update.

    7. Get RUNDAL error on start up, but I just close it, and it goes away (didn't used to happen)


    Questions:

    A). Can someone explain what each of the above symptoms is: virus, hijack, trojan (and please explain what that means)?

    B). Tell me how to remove these things?

    C). Tell me how to prevent these in the future?


    I have a $40 McAfee virus program, and it is useless. I tried writing to McAfee about two weeks ago on their help page on their own web site, and have gotten no reply. I asked them if they could not fix my problems to refund my $40 (thirty day refund period) but they have given me no reply whatsoever, and now my thirty days are up. How can I get a refund from these fly by night bums? (Frankly McAfee has pissed me off more than the above viruses, and they have no customer service, and their virus blocking software is not working, and I am out $40 to these crooks, boy am I pissed.)


    At any rate, can anyone help, and please explain in low tech level to me, I am new to computers.

    Let me state this: MCAFEE IS WORTHLESS, THEY ARE CROOKS, AND STOLE MY MONEY, THEY DO NOT REPLY TO MAIL, DEAD SILENT, MIGHT AS WELL BURNED MY $40.


    PLEASE HELP

    THANKS DAVE
     
  2. dave menche

    dave menche Private E-2

    I have Windows 2000. The instructions shown for removing the restore function only list Windows XP and Millennium. These instructions do not seem right for Windows 2000, so I still do not know how to remove the system restore. Any advice on Windows 2000 restore removal, or is it not an issue with Windows 2000?


    thanks dave
     
  3. dave menche

    dave menche Private E-2

    Thanks abby sue and xflat, I just tried xflat's instruction of removing the restore, and it does not seem to match my computer. (By the way, is Windows 2000 Professional different than plain Windows 2000 (if there is a difference)? Mine is 2000 Professional (I think).)

    Anyway, when I right click "my computer" I then scroll down to "properties" and left click it. It then gives me options on a window titled "system properties" as follows:

    General

    Network Identification

    Hardware

    User profile

    Advanced.


    I tried opening each of the above five options, and cannot find anything that appears to be related to restore, so I am still unable to turn off restore.

    I did try running both abby sue's and xflat's suggested downloads (whilst unable to remove the restore) and on each attempt at download, just after I get the screen that says wait five seconds, the search page comes up. This search page appears to be blocking any downloads I try (and is the one interfering when I am on the web). Its address is:

    http://searchpagecc/1526/

    I do however have Spybot already saved on my desktop, and ran it last night. It found some things, which I had it fix, but apparently they made no difference. I cannot access Spybot per a download as suggested, nor any of the other downloads.

    How to remove the restore????


    thank you

    dave
     
  4. dave menche

    dave menche Private E-2

    Also forgot to add, I do not know anything about Windows updates. How is this done?


    thanks dave
     
  5. dave menche

    dave menche Private E-2

    Abby Sue, I just looked at my email, I do not see anything from you. You said you emailed to my profile, what is that???


    I think I joined this group with an email as (email addy removed)

    I know that Hotmail sometimes cannot take big files, maybe that is the problem (assuming that's where it is getting sent???)

    At any rate I have other email (email addy removed)
    so maybe you can try that.

    thanks

    dave
     
    Last edited by a moderator: May 14, 2004
  6. dave menche

    dave menche Private E-2

    OK, thanks both of you, appreciate your help here.

    I opened the control panel and got the following info:

    Microsoft Windows 2000
    5.00.2195 service pack 4

    AMD-6k(tm) 3D processor
    AT/AT compatible
    65.012 KB RAM


    I will now try the update as suggested, and let you know how that goes.


    thank you

    dave
     
  7. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    OK, didn't see you there Abbeysue, so I sent him the files myself; guess he'll have plenty of them now ;)

    AFAIK Windows 2000 does not support system restore in the same manner as XP and ME, so no need to worry yourself about that one, Dave.

    Just a quick question: do you see anything in Task Manager that you think shouldn't be there? If you are not sure, how about opening Task Manager, stretching the window to show all processes (not applications), taking a screenshot and letting me take a look at it?
    If you don't know how to take a screenshot, look here:

    http://www.majorgeeks.com/vb/showthread.php?t=26019
     
  8. dave menche

    dave menche Private E-2

    OK, just got Windows updates done, was 18 updates, all loaded now (took about 40 minutes). I have restarted the computer. This did not fix the problems yet, they are still here.


    I tried checking the Task Manager, I have no idea what should or should not be on it. I tried to copy it to you to examine, and tried to use the IrfanView download from Major Geeks, however I cannot even download IrfanView as the search page keeps coming up when I try to download. Uhm.... I guess I will need to type it manually to you:


    So this is what my task manager says:

    (I will leave out the PID, CPU, CPU Time, and Mem Usage, I will give just the Image name, let me know if you need more)

    System Idle Process
    System
    SMSS.EXE
    WINLOGON.EXE
    CRSS.EXE
    SERVICES.EXE
    LSASS.EXE
    svchost.exe
    spoolsv.exe
    svchost.exe (Note duplicate , see below)
    mcvsrte.exe
    regsvc.exe
    mstask.exe
    WinMgnt.exe
    mspmspsv.exe
    svchost.exe (Note this is a duplicate, see above)
    wuauclt.exe
    mcvsshld.exe
    McShield.exe
    WZCSLDR.exe
    AirCFG.exe
    hpztsb04.exe
    McVSEscn.exe
    mcagent.exe
    explorer.exe
    PSFree.exe
    mshta.exe (note this is duplicate, see below)
    mshta.exe (Note this is duplicate, see above)
    deinst_qfe002.e
    TASKMGR.EXE
    IEXPLORE.EXE
    svchost.exe

    OK, this is what is on my task manager, any clues here????



    thank you for the help.
     
  9. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    mshta.exe: this is the Windows scripting host and it's probably the spyware running the scripts. Can you try killing the process?

    Did you try CWShredder?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here is some additional info on mshta.exe to add to what the General has said:

    mshta - mshta.exe - Process Information
    Process File: mshta or mshta.exe
    Process Name: Microsoft HTML Application Host

    Description: Application that is used to run HTA files in Windows. The application is loaded as soon as an .HTA application needs to run and then terminates when the application completes.
    Company: Microsoft Corp.
    System Process: No
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No

    Common Errors: N/A
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  12. dave menche

    dave menche Private E-2

    Ok, just completed the Panda scan as suggested by xflat. This is what it got:


    virus: Trj/StartPage.CS Operating system Disinfected
    virus: Trj/Runet.A C:/windows/homepagehtm. Disinfected
    virus: Trj/Runet.A C:/windows/odbs.log Disinfected
    virus: Trj/StartPage.CS C:/windows/SYSTEM32/mshelper.dll Renamed
    virus: Trj/UrbinA C:/windows/SYSTEM32/msvsres.dll Disinfected




    So it appears that Panda picked up five viruses that McAfee totally missed (and they cost $40, Panda was free!!!)

    Question: why was the fourth one renamed, rather than disinfected? Does that mean it is still present, and a problem or not?

    At any rate I am going to give the computer a try, and see what happens. I will let you all know shortly.

    thank you
    dave
     
    Last edited: May 14, 2004
  13. dave menche

    dave menche Private E-2

    OK, some success here now. After running Panda, the unwanted search page is no more (ie http://searchpagecc/1526/) and I no longer appear to have the icanfindit home page being forced on me (it was there once, but after I switched to Google as my home page, Google is still there). I then shut down, and restarted.


    Shutdown went faster! Upon restart I still have some errors:

    The same RUNDLL error is still there. What this is, is on my desktop on start up, I get a grey box with the following: "error loading C:/WINDOWS/image.dll the specified module could not be found". Below this is an "OK" button. Also on the bottom left on the bar is the word "RUNDLL". When I left click on the "OK" both the grey box and the "RUNDLL" disappear. This is just as it was before, so no change here.

    The second thing that still is not fixed is the rectangular box in the lower left of the desktop that reads "C:/windows/odbc.hta". Now what happens when I click on this box is about 3/4 of my desktop screen goes white, and I cannot remove the white box unless I shut down. It goes white, right over my icons and wallpaper. This is the same as before, however there is a twist: this time there are two identical rectangles in the lower left with the same wording, before there was only one.

    I now have tried downloading from this web site one of the suggested programs called smart killer. Recall that before I could do no downloads, as the searchpage cc/1526/ kept coming up. That no longer happens (I am beginning to taste victory!)

    However I have no idea how to get the program loaded. I right click on open when prompted, and then the computer asks me what method I want to open it with, and gives a scroll down list of options or other. I have no idea what to choose. (I have run into this before, and just avoided the problem by not downloading what I wanted to.)

    Question: what method should I choose to open a program I am downloading?

    (or should I have picked save rather than open?)

    At any rate that's where we are now.

    Still have the RUNDLL error, and got two of them odbc.hta boxes on my desktop that should be removed, and I need advice on how to open (or save) things I download. I'd like to run all the downloads that were suggested to run off of this site, but do not know which method to pick when asked.

    Can anyone help?

    Also I deleted the objectionable favorite places. I will empty the waste can, and see if they come back or not.

    Again, many thanks, I think we made huge progress here, just a bit more.

    thanks dave
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's probably not a good idea to click on the c:\windows\odbc.hta window. Sounds something like the TrojanClicker virus.

    Take a look at this link too: http://dnscops.com/check24611next.html

    Is there a reason why a HijackThis log has not been posted yet?
     
  15. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Getting there Dave ;)

    @ the X man, sorry m8, I came in this thread late so missed some of what was going on, so good job recommending the Panda scan, seems to have done the trick ;)

    @Chaslang, good work as usual and I'm in agreement, probably time we had a look at a Hijack log so we can finish this one off.


    @Dave_menche, your best bet would be to create a folder on your desktop and call it something like "Downloads", then whenever you download something use the Save option and save to the "Downloads" folder you have created.
    Once your download is complete you can then go to that folder and run or install the application. Numerous downloads come in a zipped format, so make sure you have either WinZip or WinRAR (my choice) installed to open these with.
    Get them here:
    http://www.majorgeeks.com/downloads17.html

    So to finish up, please download Hijack This, open with WinZip or WinRAR, then run the exe file and select scan, then save the log to a Notepad file (you will see a save log option), then either attach the txt file to a new post or copy and paste all the text into a new post.
    get hijack here
    http://www.majorgeeks.com/download3155.html

    Any questions just ask ;)
     
  16. alanc

    alanc MajorGeek

