spywad

[Leythos]

In article <Xns9994B24B0AD14HHI2948AJD832@69.28.186.121>,
spamfilterineffect.see.sig@nowhere.com says...
> Leythos <void@nowhere.lan> wrote in news:MPG.2136116b31514121989854
> @adfree.Usenet.com:
>
> > In article <mn.b1b57d781b5dbf29.70004@nonegone.com>, faux@none_gone.com
> > says...
> >> Arovax tells me spywad each week and points to user and machine:
> >> Software-Microsoft-Windows-Curr.Version-Policies........I have done a
> >> complete restore of said machine, without change. I have been to
> >> KellysKorner, and a multitude of honorable forums trying to find the
> >> answer.
> >
> > That can't be correct - if you had done a complete restore from clean
> > media you would not have these problems you describe.
> >
> > It's time to actually do a wipe/reinstall, where you actually format
>
> I still, respectfully, disagree with this. I would prefer to explore the
> policy key settings more thoroughly before deciding the machine needs to
> be reloaded to restore a tab. It still seems, at this point in time, alot
> of work when it could be fixed easier. It would be alot easier if the
> person had vnc, or if the machine was here... lol. As it is, we have to
> wait for the poster to reply and *hope* they did as we asked, properly.
>
> It may not be worth the time over usenet to try and resolve this, but I'd
> like to give it a few more tries before we hose the box, personal data,
> personal settings, documents, mp3s and everything else the owner might
> have present.

If the person were technical in nature I would agree to have "Fun" and
continue to play at finding the cause. It appears that the OP just wants
to "Use" the computer and could not care less about the issue once it's
fixed.

This has been going on for days, and who knows how long before posting
here - it's still a problem. The best solution, since we don't know if
the malware was actually removed completely, is to wipe and reinstall in
a clean environment, which would fix the problem and give the OP a clean
machine.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive.../t-223485.html all exposed
to children (the link I've include does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.

[Dustin Cook]

CindyLouWhooo <faux@none_gone.com> wrote in
news:mn.b3857d7857043e31.70004@nonegone.com:

> thanks again Dustin, I appreciate have someone working with me towrds
> a resolve.

I'm not sure what help I'll be at this rate, but I have a few more ideas.


> --- System info ---
> OS: Microsoft Windows XP Service Pack 2
> IE version: 6.0.2900.2180
> MPC: 76477-OEM
> CPU: Intel(R) Celeron(R) CPU 2.93GHz (~2933MHz)
> BIOS: 10/5/2004
> Memory (approx): 1526MB
> Uptime: 3 hour(s)
> Current directory:
> C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.500\Dial-a-fix-v0.60.0.24
> ---
>
> 8/22/2007 2:58:28 PM -- Dial-a-fix : [v0.60.0.24] -- started
> 2:58:28 PM | Policy scan started
> 2:58:28 PM | The following restrictive policies were found:
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntversion\Policies\Ex
> plorer\NoSetActiveDesktop
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entversion\Policies\E
> xplorer\NoRecentDocsMenu --- Emptying temp folders ---

This isn't exactly, good. Okay then...

Any chance you could export those keys to a text file and send them via
email to me? I bet you have alot of policy keys present.. Hopefully,
every single one is set to 0.

> ***no desktop tab on new admin user either.

Interesting. Okay, did you find a file called DESK.CPL in the c:\WINDOWS
\SYSTEM32 folder?



--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin@gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml

[yomama]

On Aug 22, 8:48 am, Default User <defa...@user1.invalid> wrote:
> On Wed, 22 Aug 2007 10:58:53 -0400, Leythos <v...@nowhere.lan> wrote:
> >In article <mn.b1b57d781b5dbf29.70...@nonegone.com>, faux@none_gone.com
> >says...
> >> Arovax tells me spywad each week and points to user and machine:
> >> Software-Microsoft-Windows-Curr.Version-Policies........I have done a
> >> complete restore of said machine, without change. I have been to
> >> KellysKorner, and a multitude of honorable forums trying to find the
> >> answer.
>
> >That can't be correct - if you had done a complete restore from clean
> >media you would not have these problems you describe.
>
> >It's time to actually do a wipe/reinstall, where you actually format the
> >drive and erase all data/files - this, provided you get a clean set of
> >install CD's, will give you a working machine that doesn't contain
> >malware.
>
> >After that, before you connect to the internet, you need a working
> >firewall to allow you to connect without being compromised while getting
> >updates and patches....
>
> >If you have the XP cd you could also try a repair/reinstall of XP, but
> >you could easily re-compromise your system.
>
> >http://www.michaelstevenstech.com/XPrepairinstall.htm
>
> I agree with Leythos - time to cut your losses by completely wiping and
> reloading your system. I always recommend that when reinstalling your
> system due to a malware installation, that you go take extra step of nuking
> the entire disk. The reason being that malware can remain on a disk after
> a "format" if the format does not actually write to the sectors where the
> malware resides. Use "Boot 'n Nuke" and run several passes to be sure the
> disk is cleanhttp://dban.sourceforge.net/.- Hide quoted text -
>
> - Show quoted text -

[CindyLouWhooo]

> CindyLouWhooo <faux@none_gone.com> wrote in
> news:mn.b3857d7857043e31.70004@nonegone.com:
>
>> thanks again Dustin, I appreciate have someone working with me towrds
>> a resolve.
>
> I'm not sure what help I'll be at this rate, but I have a few more ideas.
>
>
>> --- System info ---
>> OS: Microsoft Windows XP Service Pack 2
>> IE version: 6.0.2900.2180
>> MPC: 76477-OEM
>> CPU: Intel(R) Celeron(R) CPU 2.93GHz (~2933MHz)
>> BIOS: 10/5/2004
>> Memory (approx): 1526MB
>> Uptime: 3 hour(s)
>> Current directory:
>> C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.500\Dial-a-fix-v0.60.0.24
>> ---
>>
>> 8/22/2007 2:58:28 PM -- Dial-a-fix : [v0.60.0.24] -- started
>> 2:58:28 PM | Policy scan started
>> 2:58:28 PM | The following restrictive policies were found:
>>
>> HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntversion\Policies\Ex
>> plorer\NoSetActiveDesktop
>>
>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entversion\Policies\E
>> xplorer\NoRecentDocsMenu --- Emptying temp folders ---
>
> This isn't exactly, good. Okay then...
>
> Any chance you could export those keys to a text file and send them via
> email to me? I bet you have alot of policy keys present.. Hopefully,
> every single one is set to 0.
>
>> ***no desktop tab on new admin user either.
>
> Interesting. Okay, did you find a file called DESK.CPL in the c:\WINDOWS
> \SYSTEM32 folder?

yes I have desk.cp_


will email to you tonight

[pcbutts1]

Here is what I am thinking has happened and how I would fix it. I think you
have a rogue or corrupted policy setting on your laptop, this is a laptop
right?. Look for two files called registry.pol you should find one or both
inside these folders C:\WINDOWS\system32\GroupPolicy\Machine or
C:\WINDOWS\system32\GroupPolicy\user. Rename the registry.pol file and
either copy one from a good computer to it and reboot or reboot the computer
and a new one should be created. I have not tried it in while but I believe
this method will work. It is easy enough to try and you still have the old
renamed registry.pol file just in case.

--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell



"CindyLouWhooo" <faux@none_gone.com> wrote in message
news:mn.acff7d78a0e75f17.70004@nonegone.com...
>> That shows you have no idea what you are talking about, what you are
>> doing, and have no idea what the problem is. This thread is way beyond
>> you comprehension skills so stay out of it.
>
>
> ================================================== ====================
> thanks again for plugging thru this with me!
>
>
>
> user:
> http://img3.freeimagehosting.net/uploads/1ffadd0f85.png
>
>
>
> machine for the heck of it)....notice it is a little p......couldn't
> find anything on it, if it is unusual or not.
>
> http://img3.freeimagehosting.net/ima...7dcbcb3fe0.png
>
>

[Dustin Cook]

CindyLouWhooo <faux@none_gone.com> wrote in
news:mn.b3da7d78383d5350.70004@nonegone.com:

>> CindyLouWhooo <faux@none_gone.com> wrote in
>> news:mn.b3857d7857043e31.70004@nonegone.com:
>>
>>> thanks again Dustin, I appreciate have someone working with me
>>> towrds a resolve.
>>
>> I'm not sure what help I'll be at this rate, but I have a few more
>> ideas.
>>
>>
>>> --- System info ---
>>> OS: Microsoft Windows XP Service Pack 2
>>> IE version: 6.0.2900.2180
>>> MPC: 76477-OEM
>>> CPU: Intel(R) Celeron(R) CPU 2.93GHz (~2933MHz)
>>> BIOS: 10/5/2004
>>> Memory (approx): 1526MB
>>> Uptime: 3 hour(s)
>>> Current directory:
>>> C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.500\Dial-a-fix-v0.60.0.24
>>> ---
>>>
>>> 8/22/2007 2:58:28 PM -- Dial-a-fix : [v0.60.0.24] -- started
>>> 2:58:28 PM | Policy scan started
>>> 2:58:28 PM | The following restrictive policies were found:
>>>
>>> HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntversion\Policies\
>>> Ex plorer\NoSetActiveDesktop
>>>
>>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entversion\Policies
>>> \E xplorer\NoRecentDocsMenu --- Emptying temp folders ---
>>
>> This isn't exactly, good. Okay then...
>>
>> Any chance you could export those keys to a text file and send them
>> via email to me? I bet you have alot of policy keys present..
>> Hopefully, every single one is set to 0.
>>
>>> ***no desktop tab on new admin user either.
>>
>> Interesting. Okay, did you find a file called DESK.CPL in the
>> c:\WINDOWS \SYSTEM32 folder?
>
> yes I have desk.cp_

Was the underscore a typo? It's a very important distinction. I
specifically need to know if a file called DESK.CPL is present in the
C:\WINDOWS\SYSTEM32 folder. a File by the name of desk.cp_ implies it's
compressed and not the file I want, although we can always uncompress it
if needed.


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin@gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml

[pcbutts1]

The desk.cpl is not your problem. That file is a regenerating file. If you
delete it 3 seconds later it comes back. If however you don't have that file
then something is stopping it from coming back. You may be still infected
with malware.


--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell



"CindyLouWhooo" <faux@none_gone.com> wrote in message
news:mn.b3da7d78383d5350.70004@nonegone.com...
>> CindyLouWhooo <faux@none_gone.com> wrote in
>> news:mn.b3857d7857043e31.70004@nonegone.com:
>>> thanks again Dustin, I appreciate have someone working with me towrds
>>> a resolve.
>>
>> I'm not sure what help I'll be at this rate, but I have a few more ideas.
>>
>>
>>> --- System info ---
>>> OS: Microsoft Windows XP Service Pack 2
>>> IE version: 6.0.2900.2180
>>> MPC: 76477-OEM
>>> CPU: Intel(R) Celeron(R) CPU 2.93GHz (~2933MHz)
>>> BIOS: 10/5/2004
>>> Memory (approx): 1526MB
>>> Uptime: 3 hour(s)
>>> Current directory:
>>> C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.500\Dial-a-fix-v0.60.0.24
>>> ---
>>>
>>> 8/22/2007 2:58:28 PM -- Dial-a-fix : [v0.60.0.24] -- started
>>> 2:58:28 PM | Policy scan started
>>> 2:58:28 PM | The following restrictive policies were found:
>>>
>>> HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntversion\Policies\Ex
>>> plorer\NoSetActiveDesktop
>>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entversion\Policies\E
>>> xplorer\NoRecentDocsMenu --- Emptying temp folders ---
>>
>> This isn't exactly, good. Okay then...
>>
>> Any chance you could export those keys to a text file and send them via
>> email to me? I bet you have alot of policy keys present.. Hopefully,
>> every single one is set to 0.
>>
>>> ***no desktop tab on new admin user either.
>>
>> Interesting. Okay, did you find a file called DESK.CPL in the c:\WINDOWS
>> \SYSTEM32 folder?
>
> yes I have desk.cp_
>
>
> will email to you tonight
>
>

[Dustin Cook]

"pcbutts1" <pcbutts1@leythosthestalker.com> wrote in
news:fanqfo$1u1$1@blackhelicopter.databasix.com:

> The desk.cpl is not your problem. That file is a regenerating file. If
> you delete it 3 seconds later it comes back. If however you don't have
> that file then something is stopping it from coming back. You may be
> still infected with malware.

True, it is a protected system file. Assuming windows has a good copy to
replace it with, you mean. And I agree, that's not the issue. I'm starting
to suspect either a problem with IE, as we all know (you should, I'm giving
you the benefit of the doubt here since you did post some registry keys and
was able to explain their purpose) controls windows desktop interface,
and/or a group policy setting. The registry as far as I can tell, except
for one potentially bad setting, which I think? they have cleared up now,
is okay.

I intend to have them check for the global policy files, and then iefix, if
that all fails, a repair install of windows with sp2 is probably in order.




--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin@gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml