
Missing Control Panel

Discussion in 'Malware and Virus Removal Archive' started by Gary41, 2007/09/03.

  1. 2007/09/03
    Gary41

    Gary41 Inactive Thread Starter

    Joined:
    2007/09/03
    Messages:
    2
    Likes Received:
    0
    I have a Windows XP workstation that is hooked to a network. A Winavxx spy/malware program got installed on the machine. I was able to remove the program and got the control panel restored under the administrator profile; however, now when the users log on, the control panel is missing and it indicates that the administrator has disabled or restricted it.

    Is there a way to get the control panel back for all the users? If they right-click on My Computer from the start menu, they also get the same message.

    Thanks
     
  2. 2007/09/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Gary41 :)

    It's probable that restrictions have been set (by the malware) in the HKEY_CURRENT_USER hive. Possibly the easiest and best way to identify if that's the case is to do a scan with Deckard's System Scanner. That would also give us a better look at some other things often affected by malware infections. It should be run from the affected user's account, which will be required to have Administrative Privileges.

    Download Deckard's System Scanner (dss.exe) to your desktop.
    Close all applications and windows.
    Double-click on dss.exe to run it and follow the prompts.
    When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.

    Post the contents of main.txt only for now.

    If you have HijackThis, it will use it to create a HijackThis log. If you do not, it will automatically download and install HijackThis. Please keep your internet connection active and allow access through your firewall if applicable.
     


  4. 2007/09/03
    Gary41

    Gary41 Inactive Thread Starter

    Joined:
    2007/09/03
    Messages:
    2
    Likes Received:
    0
    Control Panel

    Here are the contents of main.txt after the scan was completed. THANKS FOR THE HELP!!!

    Deckard's System Scanner v20070826.66
    Run by Administrator on 2007-09-03 20:22:03
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    System Restore is disabled; attempting to re-enable...success.


    -- Last 1 Restore Point(s) --
    1: 2007-09-04 01:22:19 UTC - RP1110 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 511 MiB (512 MiB recommended).


    -- HijackThis (run as Administrator.exe) ---------------------------------------

    Unable to find log (file not found); running clone.
    -- HijackThis Clone ------------------------------------------------------------

    Emulating logfile of HijackThis v1.99.1
    Scan saved at 2007-09-03 20:23:31
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\SYSTEM32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\services.exe
    C:\WINDOWS\SYSTEM32\lsass.exe
    C:\WINDOWS\SYSTEM32\svchost.exe
    C:\WINDOWS\SYSTEM32\svchost.exe
    C:\WINDOWS\SYSTEM32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
    C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
    C:\Program Files\Grisoft\AVG Free\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM32\nvsvc32.exe
    C:\Program Files\Prevx2\PXAgent.exe
    C:\WINDOWS\SYSTEM32\fxssvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\SYSTEM32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
    C:\Program Files\Grisoft\AVG Free\avgcc.exe
    C:\Program Files\Prevx2\PXConsole.exe
    C:\WINDOWS\SYSTEM32\explore.exe
    C:\WINDOWS\SYSTEM32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\administrator.ACSO\Desktop\dss.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    F2 - REG:system.ini: Shell="Explorer.exe"
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
    O4 - HKEY_LOCAL_MACHINE\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKEY_LOCAL_MACHINE\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
    O4 - HKEY_LOCAL_MACHINE\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe
    O4 - Startup: info.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Chariton Valley P7.lnk = C:\Program Files\Common Files\Chariton Valley P7\TrueWeather.exe
    O4 - Global Startup: info.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159286251131
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc4.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\Software\..\Telephony: DomainName = ACSO.local
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{01AC77DC-40F1-46CB-968D-B86B8D9A4A3F}: NameServer = 192.168.1.1
    O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = ACSO.local
    O17 - HKLM\SYSTEM\CS4\Services\Tcpip\Parameters: Domain = ACSO.local
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = ACSO.local
    O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
    O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\systems.txt
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe



    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
    R2 AsfAlrt - c:\windows\system32\drivers\asfalrt.sys <Not Verified; Intel Corporation; Intel Alert on LAN® 2>

    S3 ip6fw (IPv6 Windows Firewall Driver) - c:\windows\system32\drivers\ip6fw.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 ASFAgent (ASF Agent) - c:\program files\intel\asf agent\asfagent.exe <Not Verified; Intel Corporation; Intel® PRO Alerting Suite ASF 1.0 and ASF 2.0 Compatible>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2007-09-03 20:21:00 224 --a------ C:\WINDOWS\Tasks\TIME SYNCH.job


    -- Files created between 2007-08-03 and 2007-09-03 -----------------------------

    2007-09-03 20:17:59 9728 --a------ C:\WINDOWS\system32\explore.exe
    2007-09-03 20:17:55 9728 --a------ C:\WINDOWS\explore.exe
    2007-09-03 14:48:50 0 d-------- C:\Documents and Settings\A5507\Application Data\Macromedia
    2007-09-03 14:45:32 0 d-------- C:\Documents and Settings\A5507\.housecall6.6
    2007-09-03 14:16:41 232 --a------ C:\RESTORE.REG
    2007-09-03 13:08:24 0 d-------- C:\Documents and Settings\administrator.ACSO\Application Data\Prevx
    2007-09-03 11:40:52 0 d-------- C:\hijackthis
    2007-09-03 10:14:09 0 d-------- C:\Documents and Settings\CPD\Application Data\Prevx
    2007-09-03 09:28:08 0 d-------- C:\Documents and Settings\A5507\Application Data\Prevx
    2007-09-03 09:27:32 0 d-------- C:\Program Files\Prevx2
    2007-09-03 09:27:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
    2007-09-03 09:12:56 20992 --a------ C:\WINDOWS\pdoakac.exe
    2007-09-03 07:35:05 0 d-------- C:\Documents and Settings\CPD\.housecall6.6
    2007-09-03 04:57:19 39424 --a------ C:\WINDOWS\system32\vtr.dll <Not Verified; ; IEHelper Module>
    2007-08-24 08:29:44 0 d-------- C:\Documents and Settings\p9496\Application Data\Google


    -- Find3M Report ---------------------------------------------------------------

    2007-09-03 15:55:38 0 d-------- C:\Program Files\NetWork Access
    2007-08-10 13:04:50 3806 --a------ C:\PrintTemp


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [01/08/2004 11:35 AM]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 05:48 PM]
    "DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [08/14/2002 06:22 PM]
    "AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/2002 12:28 PM]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [08/16/2007 08:19 AM]
    "PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" [08/29/2007 11:05 AM]
    "DoNotDelete"="C:\WINDOWS\system32\explore.exe" [09/03/2007 08:17 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
    "DoNotDelete"="C:\WINDOWS\system32\explore.exe" [09/03/2007 08:17 PM]

    C:\Documents and Settings\administrator.ACSO\Start Menu\Programs\Startup\
    DESKTOP.INI [3/20/2004 12:58:38 PM]
    info.exe [9/3/2007 8:17:55 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
    Chariton Valley P7.lnk - C:\Program Files\Common Files\Chariton Valley P7\TrueWeather.exe [2/8/2006 7:32:59 PM]
    DESKTOP.INI [3/20/2004 12:58:38 PM]
    info.exe [9/3/2007 8:17:55 PM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoControlPanel"=1 (0x1)
    "NoWindowsUpdate"=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\WINDOWS\system32\systems.txt

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"




    -- Hosts -----------------------------------------------------------------------

    192.168.200.3 ad.doubleclick.net
    192.168.200.3 ad.fastclick.net
    192.168.200.3 ads.fastclick.net
    192.168.200.3 ar.atwola.com
    192.168.200.3 atdmt.com
    192.168.200.3 avp.ch
    192.168.200.3 avp.com
    192.168.200.3 avp.ru
    192.168.200.3 awaps.net
    192.168.200.3 banner.fastclick.net

    92 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2007-09-03 20:24:50 ------------
     
  5. 2007/09/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Gary,

    Here are the entries disabling the Control Panel, and also Windows Updates.

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoControlPanel"=1 (0x1)
    "NoWindowsUpdate"=1 (0x1)


    Change the values to zero or delete them entirely.

    Since this is a domain client, I'm aware there may be tweaks I'm not familiar with, so I'm questioning things I would normally consider bad.


    Do you know if the following was put there legitimately, or if it's the trojan?

    O4 - Startup: info.exe
    O4 - Global Startup: info.exe

    If you're not sure, it's best to locate that file and scan it at jotti.

    Another concern is with the explorer.exe run entries, the recent modification of explorer.exe in the Windows folder, and the presence of explorer.exe in the system32 folder. Was this done intentionally?

    O4 - HKEY_LOCAL_MACHINE\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe
    O4 - HKCU\..\Run: [DoNotDelete] C:\WINDOWS\system32\explore.exe

    2007-09-03 20:17:59 9728 --a------ C:\WINDOWS\system32\explore.exe
    2007-09-03 20:17:55 9728 --a------ C:\WINDOWS\explore.exe


    I'm also very interested in the entry for appinit_dlls. Do you know anything about it?

    "appinit_dlls"=C:\WINDOWS\system32\systems.txt


    It looks like the machine is meant to be using a custom hosts file. Is it? If so, I believe the address being used is incorrect. It should be the machine's internal address of 127.0.0.1.
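The following PowerShell script is an added example and is not part of the thread or of Deckard's System Scanner. It turns the two helper posts above into a repeatable check: it reads the per-user Explorer policy values named in the log (NoControlPanel, NoWindowsUpdate), which are the HKCU restrictions the second post predicted, and only clears them when the `-Remediate` switch is given; it reports the AppInit_DLLs value and whether each listed path exists; and it lists hosts-file entries that point anywhere other than loopback, which is the concern raised about the 192.168.200.3 entries. The `-Remediate` switch name and the assumption that the hosts file sits at the default `%SystemRoot%\System32\drivers\etc\hosts` are this example's own choices. Run it from the affected user's account (the policy key is per-user) with administrative rights.

```powershell
# Added example (not from the thread): audit, and optionally clear, the Explorer
# policy restrictions identified in the DSS log, then report the other two
# indicators questioned in the thread (AppInit_DLLs and non-loopback hosts entries).
# Assumptions: default hosts-file location; -Remediate is this script's own switch.
param(
    [switch]$Remediate   # default is audit-only; pass -Remediate to delete the two policy values
)

$policyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policyVals = @('NoControlPanel', 'NoWindowsUpdate')   # the two values shown in the log
$appInitKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Per-user Explorer policy restrictions: a non-zero NoControlPanel is what produces
#    the "administrator has disabled or restricted" message for that user.
if (Test-Path $policyKey) {
    $props = Get-ItemProperty -Path $policyKey
    foreach ($name in $policyVals) {
        $value = $props.$name
        if ($null -ne $value -and $value -ne 0) {
            Write-Output "RESTRICTION: $name = $value under $policyKey"
            if ($Remediate) {
                # Deleting the value has the same effect as setting it to 0 (the thread offers both).
                Remove-ItemProperty -Path $policyKey -Name $name
                Write-Output "  removed $name"
            }
        }
    }
} else {
    Write-Output "No Explorer policy key present for this user."
}

# 2. AppInit_DLLs: everything listed here is loaded into every process that links user32.dll,
#    so a legitimate entry is rare on a workstation and a .txt extension (as in the log) is odd.
$appInit = (Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    Write-Output "AppInit_DLLs is set: $appInit"
    foreach ($entry in ($appInit -split '[,; ]' | Where-Object { $_ })) {
        Write-Output ("  {0} (file present: {1})" -f $entry, (Test-Path $entry))
    }
} else {
    Write-Output "AppInit_DLLs is empty."
}

# 3. Hosts file: blocking entries are expected to point at loopback. Any other address
#    means the listed names resolve to a real host on the network instead of nowhere.
if (Test-Path $hostsPath) {
    $loopback = @('127.0.0.1', '::1')
    Get-Content $hostsPath | ForEach-Object {
        # skip comments and blank lines; capture "address hostname" from the rest
        if ($_ -notmatch '^\s*#' -and $_ -match '^\s*([0-9a-fA-F:.]+)\s+(\S+)') {
            $addr = $Matches[1]; $hostname = $Matches[2]
            if ($loopback -notcontains $addr) {
                Write-Output "HOSTS: $hostname -> $addr (not loopback)"
            }
        }
    }
} else {
    Write-Output "Hosts file not found at $hostsPath"
}
```

Without `-Remediate` the script changes nothing, which is the right default when, as here, the machine is a domain client and some of the odd-looking entries might be deliberate; review the audit output first, then rerun with `-Remediate` once the two policy values are confirmed to be unwanted.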
     
  6. 2007/09/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hey Gary! Any update for us? :)
     
