#1
XP Home infected, cannot restore

I have an XP home pc, 2.5ghz, 500mb system that I cannot restore a normal windows screen to. It boots to a desktop wallpaper, no icons, no taskbar, no systray. Have to use task manager to run programs [ with the "create new task / run" function ].

The virus has somehow modified permissions to stop AV programs [ and certain others with error message insufficient permissions ] from running. I tricked it by installing to alternate directories, like program files\malwarebytes2 and programfiles\HJT2, and have run these in safe mode. Mbam told me that it found 6 trojans, and removed them, but I still cannot boot to the desktop with icons again. I see only the wallpaper when booted up. [ nothing in safemode except the safemode stamps in the corners ]

I cannot find the gpedit.msc. I cannot open windows explorer to allow hidden files to show.
I can open mmc.msc, but cannot find the gpedit snap-on available.

I ran the latest McAfee Stinger. Found nothing. Ran mbam full scan, found no additional viruses.

Process list is very clean: very little cpu activity is seen. Every process is at zero after booting. It is so clean that I suspect somebody else has come in and cleaned the extraneous processes.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis2\HijackThis.exe

The HJT log shows that there are lots of BHOs, other entries etc, and I can see nothing unusual in it, but as above, when booted, no activity is noted.

--
Tommy

#2
Re: XP Home infected, cannot restore

CuMorrigu had written this in response to http://www.secure-gear.com/antivirus...ore-32744-.htm :

What I would do is boot from a jump drive into another OS and delete some of the files off of it that way.

UBCD4Win (http://www.ubcd4win.com) has a utility in the install directory that will let you create a USB drive that you can boot off of and run win. I believe you can even modify it to run AV.

If you like linux, Fedora has a new tool out that will do the same thing, except with linux. (https://fedorahosted.org/liveusb-creator/)

I would recommend ClamAV for the Linux distro, it's free and it's good.

Once you are booted off of the jump drive run the A/V scan that comes with it on your internal HDD and clean it up that way.

That is all if you can't get into the HDD. Once you do get into the HDD, try running TrendMicro's HouseCall (http://housecall.trendmicro.com/) and Kaspersky's (it's down right now) online A/V tool. The reason I like running the online programs for cleaning an infected machine is that 1) you know it's going to be clean 2) you can run multiple programs w/o having to worry about installing them on your machine (you can only have one A/V program)

Once I get the online A/V scans done I install my A/V program, I usually use either AVG Free (http://free.avg.com/us-en/homepage) or the A/V program included in Iolo's System Mechanic Pro (http://www.iolo.com/). I REALLY like Iolo, lots of great tools to help you out for a not too bad price. I also know that used to (don't know if this still works) if you downloaded the demo and then bought the product through the demo, you could save like half of the price.

Once you get all of that done, it's time for the Malware scanners. I usually use a cocktail, Adaware by Lavasoft, Spybot Search and Destroy and Windows Defender. With those three you'll catch just about everything. I then usually leave Spybot SnD on there, it's got some useful tools under the advanced settings.

CuMo

#3
Re: XP Home infected, cannot restore

....and *then* flatten and rebuild?

#4
Re: XP Home infected, cannot restore

tommy wrote:
> I have an XP home pc, 2.5ghz, 500mb system that I cannot restore a normal
> windows screen to. It boots to a desktop wallpaper, no icons, no taskbar, no
> systray. Have to use task manager to run programs [with the "create new
> task / run" function ].
>
> The virus has somehow modified permissions to stop AV programs[...]

Had the same problem, managed to cure the system 99.99% (the "Turn computer off" button is still not visible on the welcome screen). It took me the better part of two _long_ days. But I'll tell you, it's better to flatten and rebuild. So that's what I recommend. You may be able to boot off an external drive, CD/DVD, or USB stick, and burn data to a DVD or two. If so, don't be tempted to repair.

FWIW, Stopzilla found and repaired the corrupted registry entries, after which other anti-malware programs functioned. I would _not_ recommend Stopzilla as a regular AV program; it's close to being malware itself.

When you do rebuild then:

a) create a data partition, and save _all_ data on it. Modify applications' default settings to save to suitable folders on that data partition, and/or do a manual copy from My Documents and the other stoopid default data locations.

b) get a partition backup program, and create system partition images at regular intervals.

HTH
wolf k.

#5
Re: XP Home infected, cannot restore

tommy wrote:
>I have an XP home pc,
<~~~>
>I cannot find the gpedit.msc.

I didn't think the group policy editor came in the home edition, unless you put it in later as I did http://tinyurl.com/gpedit-msc

>The HJT log shows that there are lots of BHOs, other entries etc, and I can
>see nothing unusual in it,

Lots of BHO's aren't unusual?

#6
Re: XP Home infected, cannot restore

9 BHOs

if you want to see it [ I know this isn't the usual place to post it ]

here it is, see if you see anything [ sending to your email addr ]

#7
Re: XP Home infected, cannot restore

As many who frequent this and other fora populated with the more esoteric elements of usenet, I employ a bogus email addy, as you probably have found out by now.

FWIW: I use HJT to delete "fix" any BHOs that appear, usually after a new or re-installation of the OS.
IOW: there aren't any on my system, even one is too many.

#8
Re: XP Home infected, cannot restore

I am now running Sophos under Multi-AV. I tricked the virus again by changing the name of Startmenu to Startmenu2 after copying the AV-CLS folder to the target. It's been hours. I am going to try them all, but since MBAM usually gets this stuff, I will be amazed if it's cleared up the whole problem..

#9
Re: XP Home infected, cannot restore

Sophos found nothing except some [ minor? ] corrupted files. > 8 hrs scanning
Trend found 1 [ minor? ] spyware item. Still no improvement.
I am going to try searching for registry items after McAfee and KAV
MultiAV is a nice idea.

#10
Re: XP Home infected, cannot restore

I suspect that Ialdabaoth created Imperfection so that on this day Sun, 18 Oct 2009 09:26:54 -0500, one purporting to be "tommy" <tommylee9_2000@removeyahoo.dropcom> could write :

>Sophos found nothing except some [ minor?] corrupted files. > 8 hrs scanning
>Trend found 1 [ minor? ] spyware item . Still no improvement.
>I am going to try searching for registry items after McAfee and KAV
>MultiAV is a nice idea.

It must be obvious to you by now that you are in the company of some very very strange people! Would you trust advice from the local village idiot? You are now in the company of a cyberspace version of a village community, complete with a troupe of performing idiots!

Now! See you all have a nice day.

Jerry.
..
--------------------------
The Internet will become the Sacred Sanctuary for Nutters and Idiots.
(Michel Nostradamus, December 14, 1503, July 2, 1566).
--------------------------

#11
Re: XP Home infected, cannot restore

I ran all 4 av clients in Multi-Av, and still couldn't fix it that way. It does have a D: recovery drive, and it does appear to work. So, that's probably what will happen, using the recovery reinstall.

#12
Re: XP Home infected, cannot restore

How are you certain this was caused by a virus?

#13
Re: XP Home infected, cannot restore

The guy said he had experienced re-direction dating back to 6 mos ago.
He has little pc experience.
There were viruses on there. Malwarebytes took off 6 of them.
Important programs were blocked by policy [permissions], including all antivirus pgms. [ I had to change names for any AV client to run ]
He has a restore partition, but wants to do that himself.
I was able to install gpedit, but no policies had been set.

--
Tommy

#14
Re: XP Home infected, cannot restore

sounds like the whole operation needs to be nuked! Holy crap on all of that!!!!

#15
Re: XP Home infected, cannot restore

On Fri, 16 Oct 2009 09:42:51 -0500, "tommy" <tommylee9_2000@removeyahoo.dropcom> wrote:

>I have an XP home pc, 2.5ghz, 500mb system that I cannot restore a normal
>windows screen to. It boots to a desktop wallpaper, no icons, no taskbar, no
>systray. Have to use task manager to run programs [ with the "create new
>task / run" function ].

My friend, boot a nice little linux dist, move as much of your data as you can to some other media (burn it to DVDs), then reformat, reinstall windows.

Your "executable" "open-withs" are probably all re-directed to the bad-guy-worm/trojan. Not much you can do about it. Unless you don't mind weeks and weeks of painful cleaning-up.

A linux dist with clamav or f-prot will probably clean up the bad guy, but not the registry damage.

Format.

[]'s

Is that really 500Mb or a typo? Or are you referring to ram?
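
An added example, not part of the thread or any poster's code: post #15 suggests the executable "open-with" associations may have been redirected, and this sketch checks a regedit export of the file-class keys for exactly that. The `SAMPLE` export, `example-loader.exe` and `secfile` are constructed for illustration; the expected values are the stock Windows XP defaults for these classes.

```python
"""Flag redirected executable file associations in a .reg export (added example)."""
import re

# Stock open commands for executable file classes on Windows XP.
DEFAULT_OPEN = {cls: '"%1" %*' for cls in
                ("exefile", "comfile", "batfile", "cmdfile", "piffile")}
DEFAULT_OPEN["scrfile"] = '"%1" /S'
# Stock extension-to-class mappings.
DEFAULT_CLASS = {".exe": "exefile", ".com": "comfile", ".bat": "batfile",
                 ".cmd": "cmdfile", ".pif": "piffile", ".scr": "scrfile"}
# Per-user classes override the machine-wide ones, so all three views count.
ROOTS = ("hkey_classes_root\\",
         "hkey_current_user\\software\\classes\\",
         "hkey_local_machine\\software\\classes\\")

SECTION = re.compile(r"^\[(?!-)(.+)\]\s*$")          # [KEY], but not [-KEY]
DEFAULT_SZ = re.compile(r'^@="((?:[^"\\]|\\.)*)"\s*$')  # @="escaped string"

# Constructed sample export: one redirected command, one per-user override.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\example-loader.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
'''


def decode_reg(raw: bytes) -> str:
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 ones are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def default_values(text: str) -> dict:
    """Map each exported key to its default (@) value.

    REG_SZ defaults are unescaped; any other value type is stored as None."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = SECTION.match(line)
            key = m.group(1) if m else None
            continue
        if key and line.startswith("@="):
            sz = DEFAULT_SZ.match(line)
            values[key] = re.sub(r"\\(.)", r"\1", sz.group(1)) if sz else None
    return values


def find_hijacks(text: str) -> list:
    """Return (key, found, expected) for each deviation from the stock values."""
    findings = []
    for key, found in default_values(text).items():
        low = key.lower()
        rel = next((low[len(r):] for r in ROOTS if low.startswith(r)), None)
        if rel is None:
            continue
        cls, _, tail = rel.partition("\\")
        if rel in DEFAULT_CLASS:                      # e.g. ".exe" -> "exefile"
            expected = DEFAULT_CLASS[rel]
        elif tail == "shell\\open\\command" and cls in DEFAULT_OPEN:
            expected = DEFAULT_OPEN[cls]
        else:
            continue
        # A non-string default (None) on these keys is itself a deviation.
        if found is None or found.strip().lower() != expected.lower():
            findings.append((key, found, expected))
    return findings


if __name__ == "__main__":
    for key, found, expected in find_hijacks(SAMPLE):
        print(f"{key}\n  found:    {found}\n  expected: {expected}")
```
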