
intell32 again; tried previous removal procedure - no luck:

Discussion in 'Malware and Virus Removal Archive' started by Ingeniero1, 2005/09/22.

  1. 2005/09/22
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    Went along fine for several weeks, but got the "intell32" again.
    I tried removing by following the procedure successfully used last time, but it didn't work. I think I need a refresher on how to remove it. Here is the HJT log:
    THANKS!
    Alex
    ==================
    Logfile of HijackThis v1.99.1
    Scan saved at 9:09:07 PM, on 9/22/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\PROGRAM FILES\RUSH 24-7 MEDIA CENTER\RUSH 24-7 MEDIA CENTER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\INTELL32.EXE
    C:\HJT\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE "
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\PROGRAM FILES\RUSH 24-7 MEDIA CENTER\RUSH 24-7 MEDIA CENTER.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
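An added example, not from the thread and not part of HijackThis: a small Python triage script that parses the "Running processes" list and the O4 (autostart) entries from an HJT log like the one above and flags any entry whose value name is not on an allowlist of known-good names. The allowlist, the system-folder heuristic and the sample log (a shortened copy of the one posted) are assumptions made for this example; on this log it singles out the [intell32.exe] entry, which is the file smitRem removes later in the thread.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: the process list (shortened) and the O4 lines from the
# HijackThis v1.99.1 log posted above, otherwise verbatim.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE "
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\PROGRAM FILES\RUSH 24-7 MEDIA CENTER\RUSH 24-7 MEDIA CENTER.EXE
"""

class AutostartEntry(NamedTuple):
    hive: str      # HKLM or HKCU
    key: str       # Run, RunServices, RunOnce, ...
    name: str      # value name shown in [brackets]
    command: str   # command line stored in the value

class HjtLog(NamedTuple):
    processes: List[str]
    autostart: List[AutostartEntry]

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

def parse_hjt_log(text: str) -> HjtLog:
    """Pull the running-process list and the O4 autostart entries out of an HJT log."""
    processes: List[str] = []
    entries: List[AutostartEntry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False      # a blank line closes the process list
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(AutostartEntry(m["hive"], m["key"], m["name"], m["cmd"]))
    return HjtLog(processes, entries)

# Constructed allowlist (an assumption for this example): stock Windows ME autostart
# names plus the software the thread shows was installed on purpose on this machine.
KNOWN_AUTOSTART = {
    "scanregistry", "taskmonitor", "pchealth", "systemtray", "adaptec directcd",
    "loadpowerprofile", "mdm7", "schedulingagent", "ctfmon.exe", "the rush limbaugh show",
}
SYSTEM_DIR = "c:\\windows\\system\\"   # where smitRem later finds intell32.exe and oleext.dll

def executable_of(command: str) -> str:
    """Executable part of a Run value: the quoted path if quoted, otherwise the first token."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].strip() if end > 0 else cmd[1:].strip()
    return cmd.split(" ", 1)[0]

def suspicious_entries(log: HjtLog) -> List[Tuple[AutostartEntry, List[str]]]:
    """Entries not on the allowlist, each with the signals that make it worth a look."""
    running = {p.lower() for p in log.processes}
    flagged: List[Tuple[AutostartEntry, List[str]]] = []
    for entry in log.autostart:
        if entry.name.lower() in KNOWN_AUTOSTART:
            continue
        exe = executable_of(entry.command).lower()
        reasons = ["not on the allowlist"]
        if exe.startswith(SYSTEM_DIR):
            reasons.append("runs from the Windows system folder")
        if entry.name.lower().endswith(".exe"):
            reasons.append("value name is a bare .exe filename")
        if exe in running:
            reasons.append("currently running")
        flagged.append((entry, reasons))
    return flagged

if __name__ == "__main__":
    for entry, reasons in suspicious_entries(parse_hjt_log(SAMPLE_HJT_LOG)):
        print(f"{entry.hive}\\..\\{entry.key} [{entry.name}] {entry.command}: " + "; ".join(reasons))
```

The allowlist approach is deliberately conservative: an unknown name is only a prompt to look, and the extra signals (system folder, bare .exe name, currently running) are what a helper would check next rather than grounds for deletion on their own.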
     
  2. 2005/09/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please download smitRem.exe, save it to your desktop, then double click it and click start to extract it to its own folder. Reboot your computer to safe mode, then open the smitRem folder and double click the RunThis.bat file to start the tool. Follow the prompts on screen and allow disk cleanup to run when the tool completes.

    Reboot back into normal mode and post the contents of the log file the tool creates, C:\smitfiles.txt
     


  4. 2005/09/23
    Ingeniero1 (Thread Starter)
    OK, here it is, and I didn't delete 'intell32' as I did the last couple of times after rebooting. Oh, I deleted the empty lines from the log...
    =====================
    smitRem log file
    version 2.3
    by noahdfear
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Pre-run Files Present
    ~~~ Program Files ~~~
    ~~~ Shortcuts ~~~
    PSGuard spyware remover.lnk
    quick launch PSGuard spyware remover.lnk
    ~~~ Favorites ~~~
    ~~~ system folder ~~~
    intell32.exe
    oleext.dll
    ~~~ Icons in system folder ~~~
    ~~~ Windows directory ~~~
    ~~~ Drive root ~~~
    ~~~~ wininet.dll ~~~~
    wininet.dll Present!!
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Post-run Files Present
    ~~~ Program Files ~~~
    ~~~ Shortcuts ~~~
    PSGuard spyware remover.lnk
    quick launch PSGuard spyware remover.lnk
    ~~~ Favorites ~~~
    ~~~ system folder ~~~
    oleext.dll
    ~~~ Icons in system folder ~~~
    ~~~ Windows directory ~~~
    ~~~ Drive root ~~~
    ~~~~ wininet.dll ~~~~
    wininet.dll INFECTED!! :(
    ================================
    Next?

    thanks,
    Alex
     
  5. 2005/09/23
    noahdfear
    Open the C:\Windows\system folder and locate the file wininet.dll
    Right click and select copy. Now right click a blank space on your desktop and paste. Click the eTrust Online Virus scan link in my signature, wait for it to connect and download its signatures, then click the plus signs next to Local disk C: to expand, navigate to and select the desktop folder (should be C:\Windows\Desktop), then start the scan. It should identify and clean the infected wininet.dll

    If successful, you should print out the following.
    Reboot to a command prompt only. At the prompt, type the following commands, one at a time, making sure to add the proper spaces (after attrib and after -r, etc) and hitting enter after each.

    attrib -r C:\Windows\system\wininet.dll
    attrib -h C:\Windows\system\wininet.dll
    attrib -s C:\Windows\system\wininet.dll
    rename C:\Windows\system\wininet.dll wininet.old
    copy C:\Windows\Desktop\wininet.dll C:\Windows\system


    Reboot to safe mode and run the smitRem tool again. Post the contents of the smitfiles.txt when back in normal mode.
     
  6. 2005/09/24
    Ingeniero1 (Thread Starter)
    Tasks Completed:

    DONE> Open the C:\Windows\system folder and locate the file wininet.dll
    DONE> Right click and select copy.
    DONE> Now right click a blank space on your desktop and paste.
    DONE> Click the eTrust Online Virus scan link in my signature,
    DONE> wait for it to connect and download its signatures,
    DONE> then click the plus signs next to Local disk C: to expand,
    DONE> navigate to and select the desktop folder (should be C:\Windows\Desktop),
    DONE> then start the scan.
    <ALSO CLICKED ON [Cure Files]
    YES> It should identify and clean the infected wininet.dll
    PRINTED RESULTS> If successful, you should print out the following.
    INFECTION = "Win32.Alemod.H = cured!

    DON'T KNOW WHAT THIS IS OR HOW> Reboot to a command prompt only.

    So I tried entering "attrib -r C:\Windows\system\wininet.dll" at a DOS Command Line from C:\Windows\Desktop, but it said "Sharing violation reading drive C:, Abort, Retry, Fail" <<I hadn't seen this in years!!>

    So I entered CD\ to access just "C:\" and reentered "attrib -r C:\Windows\system\wininet.dll" there, but got the same error message.

    So I am just to this point right now:
    --------------------
    "...At the prompt, type the following commands, one at a time, making sure to add the proper spaces (after attrib and after -r, etc) and hitting enter after each.

    attrib -r C:\Windows\system\wininet.dll
    attrib -r C:\Windows\system\wininet.dll
    attrib -r C:\Windows\system\wininet.dll
    rename C:\Windows\system\wininet.dll wininet.old
    copy C:\Windows\Desktop\wininet.dll C:\Windows\system

    Reboot to safe mode and run the smitRem tool again. Post the contents of the smitfiles.txt when back in normal mode.
    ----------------------

    Simple question:
    Once you let me know how to proceed from "...At the prompt..." do I actually enter the same command line "attrib -r c:\..." three times?

    BTW, the PC still appears to work OK (haven't rebooted or anything yet) but the Explorer display is weird, with some of the folder icons missing, and the task bar also has 'blank' icons.

    Thanks

    Alex
     
    Last edited: 2005/09/24
  7. 2005/09/24
    noahdfear
    Hi Alex,

    To restart in command prompt only mode, at bootup, begin tapping F8 to enable the startup menu, where you will be given several bootup options; Safe mode, command prompt only, etc.

    I see now that I erred in the commands I gave you and have edited my previous post. Thanks for pointing that out. ;)
     
  8. 2005/09/24
    Ingeniero1 (Thread Starter)
    Dave,
    Sorry to be such a PITA, but I don't get a 'command prompt'. I'm running Win ME, BTW.
    When I tap [F8], the menu I get is the same as when I RUN>'msconfig' > Advanced > 'enable startup menu' and the choices are:
    1. Normal
    2. Logged
    3. Safe
    4. Step-by-step

    Sorry...
    Q1: What should I do as far as entering the 'attrib -r ...' commands?

    Q2: When I reboot, do I have to run "eTrust" so it can cure 'wininet.dll' again?

    Thanks

    Alex
     
  9. 2005/09/25
    noahdfear
    Hi Alex,

    Do you have a boot disk? If not, you need a blank floppy disk. You can create one from your own files or download and create one.

    Insert the floppy disk and reboot. You should be offered to startup 'With CD-Rom support', 'Without CD-Rom support' or 'View help file'. Choose without cd-rom support. You will end up at an A:> prompt.

    Type

    C:

    and hit enter.

    At the C:> prompt, type the following commands, one at a time, hitting enter after each.

    attrib -r C:\Windows\system\wininet.dll
    attrib -h C:\Windows\system\wininet.dll
    attrib -s C:\Windows\system\wininet.dll
    rename C:\Windows\system\wininet.dll wininet.old
    copy C:\Windows\Desktop\wininet.dll C:\Windows\system


    Take out the floppy disk and restart the machine. Boot to safe mode and run smitRem again. When complete, restart to normal mode and post the contents of C:\smitfiles.txt
     
  10. 2005/09/25
    Ingeniero1 (Thread Starter)
    Dave - it worked!
    DONE> Do you have a boot disk? > YES
    DONE> Insert the floppy disk and reboot
    DONE> Choose without cd-rom support. You will end up at an A:> prompt.
    DONE> Type C: and hit enter. (to change from A: to C:)
    DONE> At the C:> prompt, type the following commands, one at a time, hitting enter after each.
    attrib -r C:\Windows\system\wininet.dll
    attrib -h C:\Windows\system\wininet.dll
    attrib -s C:\Windows\system\wininet.dll
    rename C:\Windows\system\wininet.dll wininet.old
    copy C:\Windows\Desktop\wininet.dll C:\Windows\system
    • I tried using F3 to display the last command entered, but forgot that back-arrow deletes as it moves along.
    • I hadn't read the last two commands - to replace the infected wininet.dll file with the fixed one from the desktop. Is it necessary to keep the infected one, wininet.old?
    DONE> Take out the floppy disk and restart the machine.
    DONE> Boot to safe mode and run smitRem again.
    DONE> When complete, restart to normal mode and post the contents of C:\smitfiles.txt (less empty lines:)
    =======================
    smitRem log file
    version 2.3
    by noahdfear
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Pre-run Files Present
    ~~~ Program Files ~~~
    ~~~ Shortcuts ~~~
    ~~~ Favorites ~~~
    ~~~ system folder ~~~
    intell32.exe
    oleext.dll
    ~~~ Icons in system folder ~~~
    ~~~ Windows directory ~~~
    ~~~ Drive root ~~~
    ~~~~ wininet.dll ~~~~
    wininet.dll Present!!
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Post-run Files Present
    ~~~ Program Files ~~~
    ~~~ Shortcuts ~~~
    ~~~ Favorites ~~~
    ~~~ system folder ~~~
    oleext.dll
    ~~~ Icons in system folder ~~~
    ~~~ Windows directory ~~~
    ~~~ Drive root ~~~
    ~~~~ wininet.dll ~~~~
    wininet.dll Clean!! :)
    ------------------------------------

    That'll do it, right?

    Thanks!

    Dave, I tried several of the Anti-Virus programs, and I bought a Norton version as well about a year ago, but it really messed up my PC.

    Are there any that could protect my PC against this sort of infection?

    Alex
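As an added example (not part of the thread and not smitRem's own code), here is a Python parser for the smitRem log format shown in this post and in post 4. It compares the Pre-run and Post-run sections, reports what the tool removed and what is still present, and reads the wininet.dll verdict. The sample is the log above with blank lines already removed, as the poster did; run on it, the parser reports oleext.dll as a leftover in the system folder, which is the file the next reply has the poster delete by hand.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the smitRem 2.3 log posted above (blank lines removed).
SAMPLE_SMITREM_LOG = """\
smitRem log file
version 2.3
by noahdfear
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system folder ~~~
intell32.exe
oleext.dll
~~~ Icons in system folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~~ wininet.dll ~~~~
wininet.dll Present!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system folder ~~~
oleext.dll
~~~ Icons in system folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~~ wininet.dll ~~~~
wininet.dll Clean!! :)
"""

class SmitRemReport(NamedTuple):
    pre: Dict[str, List[str]]    # section -> files found before the tool ran
    post: Dict[str, List[str]]   # section -> files still present afterwards
    wininet_pre: str             # "Present" / "INFECTED" / "Clean" before the run
    wininet_post: str            # the same verdict after the run

PHASE_RE = re.compile(r"^(Pre|Post)-run Files Present$")
SECTION_RE = re.compile(r"^~~~+ (.+?) ~~~+$")

def parse_smitrem_log(text: str) -> SmitRemReport:
    """Walk the log once, collecting the files listed under each section of each phase."""
    phases: Dict[str, Dict[str, List[str]]] = {"Pre": {}, "Post": {}}
    wininet = {"Pre": "", "Post": ""}
    phase = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"~"}:
            continue                          # blank lines and ~~~~ rulers
        m = PHASE_RE.match(line)
        if m:
            phase, section = m.group(1), None
            continue
        m = SECTION_RE.match(line)
        if m and phase:
            section = m.group(1)
            if section != "wininet.dll":
                phases[phase].setdefault(section, [])
            continue
        if phase and section == "wininet.dll":
            # "wininet.dll Present!!", "wininet.dll INFECTED!! :(", "wininet.dll Clean!! :)"
            wininet[phase] = line.split()[1].rstrip("!")
        elif phase and section:
            phases[phase][section].append(line)
    return SmitRemReport(phases["Pre"], phases["Post"], wininet["Pre"], wininet["Post"])

def leftovers(report: SmitRemReport) -> Dict[str, List[str]]:
    """Files the tool saw but could not remove; in the thread these get attrib/del by hand."""
    return {section: files for section, files in report.post.items() if files}

def removed(report: SmitRemReport) -> Dict[str, List[str]]:
    """Files present before the run and gone afterwards."""
    out: Dict[str, List[str]] = {}
    for section, before in report.pre.items():
        gone = sorted(set(before) - set(report.post.get(section, [])))
        if gone:
            out[section] = gone
    return out

def run_was_complete(report: SmitRemReport) -> bool:
    """True only if nothing is left over and wininet.dll was reported Clean."""
    return not leftovers(report) and report.wininet_post == "Clean"

if __name__ == "__main__":
    rep = parse_smitrem_log(SAMPLE_SMITREM_LOG)
    print("removed:  ", removed(rep))
    print("leftovers:", leftovers(rep))
    print("wininet.dll:", rep.wininet_pre, "->", rep.wininet_post)
    print("complete:", run_was_complete(rep))
```

The post 4 log parses the same way; there wininet_post comes back as "INFECTED", which is why the helper moved to the manual wininet.dll replacement before running the tool again.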
     
  11. 2005/09/25
    noahdfear
    Looks like there's still a file hanging in there. Use the boot disk again to go to a C:> prompt and type the following commands, hitting enter after each.

    attrib -r C:\Windows\system\oleext.dll
    attrib -h C:\Windows\system\oleext.dll
    attrib -s C:\Windows\system\oleext.dll
    del C:\Windows\system\oleext.dll
    del C:\Windows\system\wininet.old
    deltree /y C:\Windows\temp\*.*


    Reboot back into normal mode and empty your Temporary Internet Files.

    Scan your PC with Panda ActiveScan, allowing it to clean anything reported infected. When complete, click 'Save report', save it to your desktop and post its contents, along with a new HijackThis log.

    I like and recommend eTrust Antivirus and firewall. The firewall is a re-branded version of Zone Alarm, so if you opted for the free trial AV and installed Zone Alarm free, you would have the same basic setup that you would get with the AV/firewall package from eTrust.

    There is no single antivirus and or firewall, or any other application at this time, that will give you 100% protection against infection, since new things are introduced on a daily, if not hourly basis. eTrust and Zone Alarm will give you a good measure of protection (works for me ;) ), but there are a few more things I recommend that will increase that level of protection.

    Download and install SpywareBlaster. Enable all protections, check for updates and enable them too. Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

    Download and install both Spybot 1.4 and Ad-aware SE Personal 1.06 (both free) from the links in my signature. Allow Spybot to load SDHelper upon installation (this is a bad download blocker). Allow it to Immunize the system also. Immediately check for updates to both programs. Run Spybot, fix everything it finds and prechecks (items in red). Run Ad-aware in the full scan mode, right click within the scan results and select all, then click next and allow removal. These scans should be done often. How often depends upon your internet usage, sites you frequent, etc. Always check for updates prior to running a scan.

    Stay up-to-date with Windows Updates.

    Run frequent online virus scans in addition to your installed AV. They can find things that may slip in and hide from your installed AV.
     
  12. 2005/09/25
    Ingeniero1 (Thread Starter)
    Hi Dave,
    Did everything up to the Panda ActiveScan.
    I stopped it the first time I ran it because it 'appeared' to get stuck at C:\Restore\Temp\A0xxxxxxx.CPY. I ran it a second time, and the xxxxxxx started at 0374800 and I stopped it after 12 minutes at 0400000. I tried to delete the Restore\Temp directory (or folder) but couldn't. Why do I need it? I never restore anyway...

    The reports say:
    -------------------------
    Incident Status Location
    Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM\winupdt.bin
    Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM\ptainfo1.ico
    Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM\javex80.vxd
    Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\CONSCORR.INF
    Adware:adware/searchexe No disinfected Windows Registry
    Adware:Adware/StartPage.AES No disinfected C:\_RESTORE\TEMP\A0375605.CPY
    Adware:Adware/SearchExe No disinfected C:\_RESTORE\TEMP\A0378626.CPY
    Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0379865.CPY
    Virus:Trj/Sachek.A Disinfected C:\_RESTORE\TEMP\A0379866.CPY
    Adware:Adware/SearchExe No disinfected C:\_RESTORE\TEMP\A0379867.CPY
    -----------------------------------
    And the HJT log:
    -----------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 4:48:04 PM, on 9/25/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\PROGRAM FILES\RUSH 24-7 MEDIA CENTER\RUSH 24-7 MEDIA CENTER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HJT\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE "
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunOnce: [Panda_cleaner_179090] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 179090
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\PROGRAM FILES\RUSH 24-7 MEDIA CENTER\RUSH 24-7 MEDIA CENTER.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    -----------------------------------------

    Let me know what to do next when you can - In the meantime, the PC appears to be running OK.

    Thanks

    Alex
     
  13. 2005/09/25
    noahdfear
    Hi Alex,

    Open a command window (click Start>run, type command and hit enter) and type (or you can copy/paste them from here) the following, hitting enter after each.

    attrib -r -h C:\WINDOWS\SYSTEM\ptainfo1.ico
    attrib -r -h C:\WINDOWS\SYSTEM\winupdt.bin
    attrib -r -h C:\WINDOWS\SYSTEM\javex80.vxd
    attrib -r -h C:\WINDOWS\INF\CONSCORR.INF
    deltree /y C:\WINDOWS\SYSTEM\ptainfo1.ico
    deltree /y C:\WINDOWS\SYSTEM\winupdt.bin
    deltree /y C:\WINDOWS\SYSTEM\javex80.vxd
    deltree /y C:\WINDOWS\INF\CONSCORR.INF


    Turn off System Restore, reboot and turn System Restore back on, then create a new restore point.

    Run Panda one more time and let us know the results.

    BTW, Panda has created a file to run on your next bootup, most likely to delete a file that was in use and could not be deleted. You may or may not see it run upon restarting. ;)
     
  14. 2005/09/26
    Ingeniero1 (Thread Starter)
    Hi Dave,
    I must have one weird PC!

    DONE> Open a command window
    DONE> attrib -r -h C:\WINDOWS\SYSTEM\ptainfo1.ico
    DONE> attrib -r -h C:\WINDOWS\SYSTEM\winupdt.bin
    DONE> attrib -r -h C:\WINDOWS\SYSTEM\javex80.vxd
    DONE> attrib -r -h C:\WINDOWS\INF\CONSCORR.INF
    DONE> deltree /y C:\WINDOWS\SYSTEM\ptainfo1.ico
    DONE> deltree /y C:\WINDOWS\SYSTEM\winupdt.bin
    DONE> deltree /y C:\WINDOWS\SYSTEM\javex80.vxd
    DONE> deltree /y C:\WINDOWS\INF\CONSCORR.INF

    DONE> Turn off System Restore (actually, disable system restore WAS checked already)
    DONE> reboot
    CAN'T > and turn System Restore back on (after I uncheck the box next to disable system restore, and whether I hit [Apply] or just [close] it doesn't stay that way. If I look at it again without rebooting, or if I reboot, it comes back checked!
    CAN'T > then create a new restore point. (I get a message saying that it can't create a restore point, to reboot the PC. I did, three times.)

    DONE> Run Panda one more time
    SAME AS BEFORE, gets stuck at the restore\temp\A04xxxxx.CPY
    Report this time:
    Incident Status Location
    Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM\ptainfo2.ico
    Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM\psis80ex.ax
    Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\POLALL1R.INF
    Adware:adware/searchexe No disinfected Windows Registry

    Sorry about all this!

    Alex
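An added example, not part of the thread and not Panda's own code: a Python parser for the ActiveScan report format shown in this post and in post 12. It splits the incidents into live files the scanner could not clean (the ones the helper has the poster handle with attrib and deltree), copies held in the System Restore cache under C:\_RESTORE (which is why the helper asks to turn System Restore off and back on), registry-only detections, and items already disinfected. It also builds the attrib/deltree pairs in the same form post 13 used. The sample is the post 12 report, copied verbatim.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the Panda ActiveScan report from post 12, verbatim.
SAMPLE_PANDA_REPORT = r"""
Incident Status Location
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM\winupdt.bin
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM\ptainfo1.ico
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM\javex80.vxd
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\CONSCORR.INF
Adware:adware/searchexe No disinfected Windows Registry
Adware:Adware/StartPage.AES No disinfected C:\_RESTORE\TEMP\A0375605.CPY
Adware:Adware/SearchExe No disinfected C:\_RESTORE\TEMP\A0378626.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0379865.CPY
Virus:Trj/Sachek.A Disinfected C:\_RESTORE\TEMP\A0379866.CPY
Adware:Adware/SearchExe No disinfected C:\_RESTORE\TEMP\A0379867.CPY
"""

class Incident(NamedTuple):
    category: str   # Adware, Spyware, Virus, ...
    name: str       # detection name, e.g. spyware/smitfraud
    status: str     # "Disinfected" or "No disinfected"
    location: str   # file path, or "Windows Registry"

# "Category:name Status Location"; the status is one of two fixed phrases, so the
# remaining text (which may contain spaces) is the location.
INCIDENT_RE = re.compile(
    r"^(?P<cat>\w+):(?P<name>\S+) (?P<status>Disinfected|No disinfected) (?P<loc>.+)$"
)

def parse_panda_report(text: str) -> List[Incident]:
    """Return one Incident per report line; the header and blank lines are skipped."""
    found: List[Incident] = []
    for raw in text.splitlines():
        m = INCIDENT_RE.match(raw.strip())
        if m:
            found.append(Incident(m["cat"], m["name"], m["status"], m["loc"]))
    return found

class Triage(NamedTuple):
    manual_files: List[str]     # live files the scanner could not clean
    restore_cache: List[str]    # copies held by System Restore (C:\_RESTORE\...)
    registry: List[Incident]    # registry-only detections
    cleaned: List[Incident]     # already disinfected by the scanner

RESTORE_PREFIX = "C:\\_RESTORE\\"

def triage(incidents: List[Incident]) -> Triage:
    """Sort incidents by what has to happen next, in report order."""
    manual, restore, registry, cleaned = [], [], [], []
    for inc in incidents:
        if inc.status == "Disinfected":
            cleaned.append(inc)
        elif inc.location == "Windows Registry":
            registry.append(inc)
        elif inc.location.upper().startswith(RESTORE_PREFIX):
            restore.append(inc.location)
        else:
            manual.append(inc.location)
    return Triage(manual, restore, registry, cleaned)

def cleanup_commands(manual_files: List[str]) -> List[str]:
    """The attrib/deltree pairs post 13 issues for each live leftover: clear the
    read-only and hidden bits first, then delete."""
    cmds = [f"attrib -r -h {p}" for p in manual_files]
    cmds += [f"deltree /y {p}" for p in manual_files]
    return cmds

if __name__ == "__main__":
    t = triage(parse_panda_report(SAMPLE_PANDA_REPORT))
    print("needs manual removal:", t.manual_files)
    print("in System Restore cache:", len(t.restore_cache), "file(s)")
    print("registry only:", [i.name for i in t.registry])
    print("\n".join(cleanup_commands(t.manual_files)))
```

The report in this post (ptainfo2.ico, psis80ex.ax, POLALL1R.INF) parses the same way and yields the three files the poster deleted in post 16.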
     
  15. 2005/09/26
    noahdfear
    Use the same set of attrib and deltree commands for those files found by Panda.

    Will you post another HJT log please?
     
  16. 2005/09/26
    Ingeniero1 (Thread Starter)
    First:
    DONE> Changed r and h attributes, and then deleted: ptainfo2.ico, psis80ex.ax, POLALL1R.INF
    SECOND:
    Ran HJT:
    --------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 8:19:47 PM, on 9/26/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\PROGRAM FILES\RUSH 24-7 MEDIA CENTER\RUSH 24-7 MEDIA CENTER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\HJT\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE "
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\PROGRAM FILES\RUSH 24-7 MEDIA CENTER\RUSH 24-7 MEDIA CENTER.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    -------------------------------
    Alex
     
  17. 2005/09/26
    noahdfear
    Please do a search of the drive for a file named wininit.ini

    If found, right click and select Open With>notepad. Post the contents here.
     
  18. 2005/09/26
    Ingeniero1 (Thread Starter)
    NOT FOUND: wininit.ini

    FOUND (Close relatives):
    WININIT.SAV dated 6/14/2004
    WININIT.EXE dated 6/8/2000
    WININIT.ERR dated 9/22/2005
    wininitlog.old dated 7/25/2005
    WININIT.BAK dated 9/25/2005

    Alex
     
  19. 2005/09/26
    noahdfear
    Please copy the following command in the quote box, including quotes, then click Start>run and paste it in the run dialog box. Hit enter.

    Locate the file c:\restore.txt and post its contents please.
     
  20. 2005/09/27
    Ingeniero1 (Thread Starter)
    Dave,
    Here are the file contents:
    -------------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VxDMon]
    "StaticVxD"="*VxDMon"
    "LogDir"="c:\\_RESTORE\\LOGS"
    "TempDir"="c:\\_RESTORE\\TEMP"
    "VxdDat"="C:\\_RESTORE\\VxDMon.dat"
    "VxdCfg"="C:\\_RESTORE\\VxDMon.cfg"
    "SystemFileProtection"="Y"
    "SystemRestore"="Y"
    "FirstRun"="Y"
    --------------------

    Alex
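An added example (not part of the thread): a Python parser for the REGEDIT4 export format posted above, which handles the doubled backslashes REGEDIT4 uses inside string values and then reads the System Restore switches under the VxDMon key. The sample is the posted export with the stray spaces around the quotes removed, which I take to be a forum rendering artifact; the list of value names checked is an assumption for this example.

```python
import re
from typing import Dict, Optional

# Constructed sample: the export posted above, with the stray spaces around the
# quotes removed so that it is a well-formed REGEDIT4 file.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VxDMon]
"StaticVxD"="*VxDMon"
"LogDir"="c:\\_RESTORE\\LOGS"
"TempDir"="c:\\_RESTORE\\TEMP"
"VxdDat"="C:\\_RESTORE\\VxDMon.dat"
"VxdCfg"="C:\\_RESTORE\\VxDMon.cfg"
"SystemFileProtection"="Y"
"SystemRestore"="Y"
"FirstRun"="Y"
"""

VXDMON_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VxDMon"

# "name"="data" where a backslash escapes the next character (so \\ is one backslash
# and \" is a literal quote inside the string)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s: str) -> str:
    """Undo REGEDIT4 string escaping: drop each escaping backslash, keep the character after it."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_regedit4(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4 export into {key path: {value name: string data}}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("not a REGEDIT4 export")
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in lines[1:]:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
        # dword: and hex: values do not occur in this export and are skipped
    return keys

# Assumed list of names worth reporting for a System Restore check; absent names map to None.
RESTORE_NAMES = ("SystemRestore", "SystemFileProtection", "TempDir", "LogDir", "FirstRun")

def system_restore_state(export: Dict[str, Dict[str, str]]) -> Dict[str, Optional[str]]:
    """The System Restore switches and folders under VxDMon, with None for anything missing."""
    vals = export.get(VXDMON_KEY, {})
    return {name: vals.get(name) for name in RESTORE_NAMES}

if __name__ == "__main__":
    for name, value in system_restore_state(parse_regedit4(SAMPLE_REG)).items():
        print(f"{name:22s} {value if value is not None else '(missing)'}")
```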
     
  21. 2005/09/27
    noahdfear
    Unfortunately, your computer doesn't contain the registry value I was hoping to see (some don't), so we'll take another approach.

    Insert the boot disk and restart. At the A:> prompt, type c: and then press enter.
    Type the following commands, pressing enter after each.

    attrib -r -s -h _RESTORE
    ren _RESTORE oldrest


    Take out the boot disk and restart. Verify that System Restore is turned on and create a new restore point.
     
