Sp0rkeh 0wNs y0u

Status
Not open for further replies.

sadrobot

Well this is annoying to say the least.

First off I do not/did not try to cheat in CS:S, **** I only played CS last night for the first time in almost a month.

But alas I have a virus and thankfully I know from experience that it can be much, much worse.

Well, I don't have any virus software installed because I think of myself as a very capable computer user (also, if you haven't noticed, I am missing a lot of letters, but that is just a side effect of this virus and it is messing with my typing, so please bear with me). Anyway, this virus affects the shellext32.exe and because of that I can't run any program to install virus software (as I am typing this, though, I am running a Trend online scan, but so far nothing of this specific virus). I looked around online and followed a tutorial on how to get rid of it but it didn't work (it said to search shellext32.exe, then delete everything that turns up > restart > then remove shell from registry with regedit).

While I am not mad, I'm just superbly annoyed. My theory is that somehow it was put on my computer alongside all the .wave files that servers add, but I don't really know.

If anyone has any tips, or knows how I could get around the shellext32.exe error so I can install avg/avast, then I could fix it, but right now I am stuck on a mostly useless computer.

Also I noticed that after rebooting my computer acts normal until I try to run anything, then the virus kicks in.
 
well after following another tutorial i fixed most of it.

this is what I did
1. Delete Sp0rkeh.exe (didn't have one so skipped it)
2. go to your system32 folder and delete shellext32.exe
3. go to your services panel (in control panel/administration) and disable MS shell32 Services.
4. Reboot, your mouse will now work correctly
5. go to your windows folder and find regedit.exe
6. rename regedit.exe to regedit.com, then load it.
7. Search the registry for "shellext32.exe"
8. The first place it finds it is under HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command and the value will be c:\windows\system32\shellext32.exe and some other stuff as well.
9. Replace the entire value with "%1" %*


well now I just can't change my time or change my resolution (says another program is using w/e, you know what I mean)

here is that log btw, before I followed those instructions I couldn't run any .exe without an error/crash/ or a "Select a program to run in" window popping up. BTW that "Please Select..." kinda scared me because I have never once had that pop up with an exe. Usually it's just with weird media files

Logfile of HijackThis v1.99.1
Scan saved at 4:51:15 PM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cain\Abel.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.124.157.59:80:80
O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program Files\ICOO Loader\addons\icooue.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program Files\ICOO Loader\addons\icoou.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: I0CDEAJF - {6B306976-08F1-284D-2AC0-34030FD75933} - C:\WINDOWS\System32\Ldfbij32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Abel - oxid.it - C:\Program Files\Cain\Abel.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

(i have no idea what any of that means or even what that program is)
 
what tutorial did u follow?

Remove these entries


C:\Program Files\Cain\Abel.exe Uninstall that if it's not legit, isn't that a password cracker?

O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program Files\ICOO Loader\addons\icooue.dll

O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program Files\ICOO Loader\addons\icoou.dll

O23 - Service: Abel - oxid.it - C:\Program Files\Cain\Abel.exe
 
Abel was half of Cain & Abel that I put on my computer ~2 years ago. Cain is brute force cracker/sniffer and Abel is a remote sniffer to use over a network.

I still can't change my resolution or even get into my desktop properties ("Display Settings")
 
did u go thru my guide?

go to your display settings, click desktop, customize, click web, do you have two boxes in there? if so uncheck them both, what are the names of the boxes?
 
i followed your guide kinda. at this point i don't have the space to install all 11 programs nor do i really want to, i have avg and adaware on and both have scanned/cleaned up.

My problem is I can't get into display settings. Either by going through control panel or R-click desktop > properties. This is what pops up each time (even if I try as soon as I start up my computer)

untitledol6.jpg


Now that I check I can't use anything out of the control panel, mouse, system, nothing
 
yes i went through that and here is my task manager......I know I know there is a bunch of crap and half of it I don't know what it is

http://img241.imageshack.us/img241/1191/untitledby2.jpg

also just in my messing around I restarted explorer.exe and now whenever I try to use the control panel instead of an error I just get nothing (nothing launches)

I think it has to do with this

6. rename regedit.exe to regedit.com, then load it.
7. Search the registry for "shellext32.exe"
8. The first place it finds it is under HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command and the value will be c:\windows\system32\shellext32.exe and some other stuff as well.
9. Replace the entire value with "%1" %*

part of the guide I followed but what do i know
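
Steps 7 to 9 of the guide quoted in this thread come down to checking the `exefile` open command against the stock value `"%1" %*`. The following is an added example, not part of any post: it scans the text of a regedit export for hijacked open commands and goes beyond the thread by also checking the other executable file classes (`comfile`, `batfile`, `cmdfile`, `piffile`). The sample export is constructed, and the arguments after `shellext32.exe` in it are an assumption, since the thread only says "some other stuff".

```python
import re

# Stock open command for executable file classes:
# "%1" is the program being launched, %* its arguments.
EXPECTED = '"%1" %*'
CLASSES = ("exefile", "comfile", "batfile", "cmdfile", "piffile")

KEY_RE = re.compile(
    r'^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\open\\command\]$', re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # the key's (Default) string value

def unescape(value):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r'\1', value)

def find_hijacked_handlers(reg_text):
    """Return {class: command} for each executable class whose open
    command differs from the stock value."""
    findings = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            name = key.group(1).lower()
            current = name if name in CLASSES else None
            continue
        if line.startswith("["):  # some other key: stop tracking
            current = None
            continue
        value = DEFAULT_RE.match(line)
        if current and value:
            command = unescape(value.group(1))
            if command != EXPECTED:
                findings[current] = command
    return findings

# Constructed sample export (not taken from the poster's machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\windows\\system32\\shellext32.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for cls, cmd in find_hijacked_handlers(SAMPLE).items():
        print(f"{cls}: unexpected open command: {cmd}")
```

Any class it reports is one where launching a file of that type runs the listed program first, which matches the symptom described in the thread of no .exe starting normally.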
 