
Virus - Can't Run Programs

Discussion in 'Malware and Virus Removal Archive' started by drewbarbpi, 2007/01/31.

  1. 2007/01/31
    drewbarbpi

    drewbarbpi Inactive Thread Starter

    Joined:
    2002/04/30
    Messages:
    71
    Likes Received:
    0
    Lost my AVG program, and can't run many programs and printer won't print...downloaded AVG anew, and ran scan...5 items came up as infected...spuninst.exe, verclsid.exe (2 of these), update.exe, and script.ini...sent them to vault...also showed kernel32.dll & shell32.dll as changed. Showed a parite virus. Just checked the vault, and on the regular scan last PM, a jillion viruses were found and moved to vault, all with .exe files listed as infected. Tried a few fixes from the boards tonight, but none would run (fixreg.com - didn't seem to exist, and 2 others I can't recall now). At first was getting all kinds of windows popping up for installing new updates...prompts for WORKS SUITE disk, etc....got WORD back in that manner, but then those windows stopped popping up...restarted...no go...can anyone help me to restore my kernel and shell and to fix the .exe programs??? Any help is greatly appreciated! It's a mess!
     
  2. 2007/01/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Removing Spyware & Viruses forum.

    Let's get a couple of online scans then a HijackThis! log file to see what is present.

    Panda ActiveScan
    • Click the [Scan your PC] button. ( You may have to disable any pop up blockers)
    • Then press the green [Check Now] button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may take a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.
    ==============================================================================
    KAV SCAN
    Kaspersky Online Scanner

    Click on Kaspersky Online Scanner icon.
    Accept the Kaspersky agreement and the program will load.
    You will then be prompted to install an ActiveX component from Kaspersky, click Yes

    The program will then begin downloading the latest definition files. This will take a good while, even with hi-speed Internet access.
    Once the files have been downloaded click on Next

    Now click on [Scan Settings] button.
    In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
    Click OK

    Now under the Please select a target to scan:
    Select My Computer

    The program will begin the scanning process.
    The scan will take a while so be patient and let it run.
    Once the scan is complete it will display if your system has been infected.
    Then click on the [Save as Text] button
    Save the file to your desktop.

    Copy and paste that information in your next post for me to review.

    **Note: please edit out any references to 'cookies', 'Recycler folder' and 'System Volume Information Folder' from all logs.

    Then download HijackThis! SetUp from here. Save the file to your desktop.

    Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of:'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select next, then allow HijackThis! to start.

    Then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and notepad will open up with the contents of the scan. Right-click in the saved log, and select 'copy'. Then proceed to your original thread, unless otherwise instructed and click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.
     


  4. 2007/02/01
    drewbarbpi

    drewbarbpi Inactive Thread Starter

    Joined:
    2002/04/30
    Messages:
    71
    Likes Received:
    0
    Thanks...

    Thanks, TeMerc...will have to tackle this later, as today is a long workday for me...I will post back the results though, likely over the weekend. Thanks for the prompt reply!
     
  5. 2007/02/02
    drewbarbpi

    drewbarbpi Inactive Thread Starter

    Joined:
    2002/04/30
    Messages:
    71
    Likes Received:
    0
    Logs...

    I got the Panda Scan done, and the HijackThis, but the Kaspersky won't work...tried to download, accepted, and ok'd the download of ActiveX controls, but no go...tried 4 or 5 times...just kept getting a screen like the accept screen, but with nowhere to go...anyway...here are the logs from the other two...I have since read about Avast...will this work to set the registry and other infected files to right?
    Thanks for your help!!
    Barb
    Logfile of HijackThis v1.99.1
    Scan saved at 2:23:36 PM, on 2/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\HP\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Skype\Plugin Manager\SkypePM.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\system32\freecell.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pineandlakes.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0002_ho
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar6.dll
    O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks2.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: TDS Accelerator - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\TDS Accelerator\Toolband.dll (file missing)
    O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar6.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT "
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\TDS Accelerator\slipcore.exe "
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe "
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe "
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\pmremind.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\HP\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: TDS Accelerator.lnk = C:\Program Files\TDS Accelerator\slipgui.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: *.p0rt2.com
    O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://echat.qwest.supportsoft.com/sdccommon/download/tgctlins.cab
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
    O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
    O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    Panda Scan...

    Incident Status Location

    Adware:Adware/BHO Not disinfected C:\Program Files\STLinks\STLinks2.dll
    Adware:adware/ncase Not disinfected c:\temp\salmau.dat
    Adware:adware/stiebar Not disinfected c:\program files\STHomePage
    Adware:adware/cws Not disinfected C:\Documents and Settings\Owner\Favorites\health
    Spyware:spyware/searchcentrix Not disinfected Windows Registry
    Adware:adware/oemji Not disinfected Windows Registry
    Spyware:spyware/bundleware Not disinfected Windows Registry
    Adware:adware/wupd Not disinfected Windows Registry
    Adware:adware/sidestep Not disinfected Windows Registry
    Spyware:spyware/media-motor Not disinfected Windows Registry
    Adware:adware/wintools Not disinfected Windows Registry
    Spyware:spyware/betterinet Not disinfected Windows Registry
    Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
    Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Owner\Cookies\owner@c.fsx[1].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ccbill[1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[1].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Cookies\owner@searchportal.information[1].txt
    Adware:Adware/Exact.SearchBar Not disinfected C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1105982933.ssb[C:\WINDOWS\system32\exul1.exe]
    Adware:Adware/BHO Not disinfected C:\Program Files\STHomePage\STHomePage2.dll
    Adware:Adware/BHO Not disinfected C:\Program Files\STLinks\STLinks.dll
     
  6. 2007/02/02
    drewbarbpi

    drewbarbpi Inactive Thread Starter

    Joined:
    2002/04/30
    Messages:
    71
    Likes Received:
    0
    Additional Info.

    I miscommunicated something in my original post...the AVG scan showed the Win32/Parite virus, which had infected the files I listed, and changed the kernel32.dll, and shell32.dll...also, I am running Win XP, IE7 with SP2...also, printer still disabled...
    Thanks!
    Barb
     
  7. 2007/02/02
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    What are the locations of those two files, shell32.dll and kernel32.dll?

    Below you will find my results and recommendations from your HijackThis! log file analysis. Please read ALL instructions carefully BEFORE proceeding.


    Access your Add or Remove Programs Control Panel by hitting your [Start] button, select Control Panel and click on Add or Remove Programs. Then find the following programs and click the [Change|Remove] button for each, if they are listed. If they are not, continue with the instructions.
    TDS Accelerator
    STLinks



    Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY... on&pf=desktop

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY... on&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0002_ho


    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks2.dll

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: TDS Accelerator - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\TDS Accelerator\Toolband.dll (file missing)



    Search for, and delete, if found, the following files/folders:
    C:\Program Files\TDS Accelerator<<<<---this folder
    C:\Program Files\STLinks<<<<---this folder

    Reboot into Normal mode and post a new HJT log back into this thread please.
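A scripted version of the triage TeMerc performs on the log above, added here as an example (it is not part of the thread and not a HijackThis feature): it flags O2/O3/O9 entries whose file is gone, the Trusted Zone addition, browser start/search URLs on hosts the user did not choose, and anything living under a program slated for removal. The sample lines are taken from the log posted in this thread; the allowlist and removal list are assumptions that encode TeMerc's decisions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis v1.99.1 log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pineandlakes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0002_ho
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks2.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar6.dll
O3 - Toolbar: TDS Accelerator - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\TDS Accelerator\Toolband.dll (file missing)
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\TDS Accelerator\slipcore.exe "
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.p0rt2.com
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Assumptions encoding the reviewer's decisions: the one start page the user chose
# is kept, everything else in R0/R1 is treated as a hijack; these two programs are
# being uninstalled, so any entry under their folders goes too.
EXPECTED_HOSTS = {"pineandlakes.com"}
REMOVED_PROGRAMS = ["TDS Accelerator", "STLinks"]

# HijackThis appends one of these when the registered file no longer exists on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

LINE_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")


def classify(line, expected_hosts, removed_programs):
    """Return the reason a log entry needs attention, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process list, blank line
    section, body = m.groups()

    if section in ("R0", "R1"):
        # "Key,Value = data": only URL-valued settings are judged by their host.
        _, sep, value = body.partition(" = ")
        host = urlparse(value.strip()).hostname if sep else None
        if host and host.lower() not in expected_hosts:
            return f"browser setting points at unexpected host {host}"
        return None

    if section in ("O2", "O3", "O9") and body.endswith(ORPHAN_MARKERS):
        return "registered component whose file is missing"

    if section == "O15":
        # A wildcard in the Trusted Zone relaxes IE security for that whole domain.
        return "site added to IE Trusted Zone"

    lowered = body.lower()
    for prog in removed_programs:
        if "\\" + prog.lower() + "\\" in lowered:
            return f"belongs to program slated for removal: {prog}"
    return None


def triage(log_text, expected_hosts, removed_programs):
    """Run classify() over every line; returns [(section, reason, line), ...] in log order."""
    findings = []
    for line in log_text.splitlines():
        reason = classify(line, expected_hosts, removed_programs)
        if reason:
            section = line.strip().split(" - ", 1)[0]
            findings.append((section, reason, line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG, EXPECTED_HOSTS, REMOVED_PROGRAMS):
        print(f"[{section}] {reason}\n    {line}")
```

The seven flagged lines match the entries TeMerc asked to have fixed or deleted; the AVG, Google and ProxyOverride entries pass untouched.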
     
  8. 2007/02/02
    drewbarbpi

    drewbarbpi Inactive Thread Starter

    Joined:
    2002/04/30
    Messages:
    71
    Likes Received:
    0
    Getting ready to execute your instructions...

    Hey...the shell32.dll file is listed many times in the search I did...all are in C:\WINDOWS and all are Application Extension file types...the specific locations are: C:\WINDOWS\$NTServicePackUninstall$, C:\WINDOWS\system32, C:\WINDOWS\ServicePackFiles\i386, five of them are similar, except for the KB# in the middle...C:\WINDOWS\$hf_mig$\KB890047\SP2QFE, and seven of them are similar, except for the numbers after KB...C:\WINDOWS\$NtUninstallKB839645$, and one is C:\WINDOWS\$UninstallQ817357$

    The kernel32.dll file is listed several times...all are in C:\WINDOWS...all are Application Extension type files...the specific locations are: C:\WINDOWS\$NTServicePackUninstall$, C:\WINDOWS\system32, C:\WINDOWS\ServicePackFiles\i386, C:\WINDOWS\$hf_mig$\KB917422\SP2QFE, C:\WINDOWS\$NtUninstallKB840987$, and C:\WINDOWS\$NtUninstallKB917422$

    All of the shell and kernel listings are dated in years past...none recent...

    Does this change anything I should do before or during your list of steps??
    Thanks for your help!!
    Barb
     
  9. 2007/02/02
    drewbarbpi

    drewbarbpi Inactive Thread Starter

    Joined:
    2002/04/30
    Messages:
    71
    Likes Received:
    0
    Should I also mention...

    Perhaps I should also mention that in the Add/Remove Programs window, there are several programs listed that have no amount of KB or MB listed to the right...it's just blank there...they are:
    Agere Systems Modem, Creative (Media Source) Driver, High Definition Audio Driver Package, LinksHelper, Macromedia Flash Player, a screen saver, Microsoft Money, Microsoft Money System Pack, Encarta Encyclopedia, Microsoft Streets & Trips, Microsoft Works, Microsoft Visual J# .NET Redistributable Package 1.1, Microsoft Works Suite Add-In for Microsoft Word, mIRC, NVIDIA Display Driver, NVIDIA Ethernet Driver, Panda Active Scan, PS2, & Microsoft Quicken. Does this mean those programs are still there, or gone? Will I have to reinstall them? How do I know what else might be missing??? YOIKS, what a mess!
    Thanks again for all your help!
    Barb
     
  10. 2007/02/02
    drewbarbpi

    drewbarbpi Inactive Thread Starter

    Joined:
    2002/04/30
    Messages:
    71
    Likes Received:
    0
    Results...

    OK...followed your instructions...did not have either of the programs you listed in Add/Remove Programs...checked items and clicked the fix checked button...got several messages after that, notifying me that my IE settings had been changed (defaults)...I chose to keep the new settings...hope that was ok...only one of the two folders you listed was present...the STLinks folder...I deleted that...rebooted, ran HJT and here is the new log:
    Logfile of HijackThis v1.99.1
    Scan saved at 9:37:12 PM, on 2/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Skype\Plugin Manager\SkypePM.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pineandlakes.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar6.dll
    O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar6.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT "
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\TDS Accelerator\slipcore.exe "
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe "
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe "
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\pmremind.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\HP\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: TDS Accelerator.lnk = C:\Program Files\TDS Accelerator\slipgui.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: *.p0rt2.com
    O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://echat.qwest.supportsoft.com/sdccommon/download/tgctlins.cab
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
    O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
    O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    *NOTE: I still have no printer in taskbar, and cannot open the toolbox for the printer, or communicate with it in any way. The programs I mentioned in my earlier post are still "blank" in the size column in Add/Remove Programs window, and I still cannot open or run any of the programs I mentioned earlier.

    What next?

    Thanks!
    Barb
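A mechanical first pass over a HijackThis log like the one above, as an added example that is not part of this post and not HijackThis's own code. It takes a constructed excerpt (lines copied from the log posted here), splits each entry into its section code and body, and flags the things a reviewer checks before reading line by line: a wildcard O15 Trusted Zone entry (this log has one, *.p0rt2.com; whether it belongs there is for the machine's owner to confirm), O16 ActiveX controls fetched over plain http, entries whose target file is missing, and O23 services with no publisher string. The Flag dataclass, the check wording and the sample excerpt are this example's own.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: *.p0rt2.com
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
""".strip()

# Every HJT entry is "<section> - <body>", e.g. "O15 - Trusted Zone: *.p0rt2.com".
ENTRY_RE = re.compile(r"^(?P<section>O\d+)\s+-\s+(?P<body>.+)$")
URL_RE = re.compile(r"\b(?P<scheme>https?)://\S+", re.IGNORECASE)


@dataclass
class Flag:
    section: str
    entry: str
    reason: str


def checks(section: str, body: str) -> list[str]:
    """Mechanical checks applied before reading the log by hand.
    None of these prove an entry is malicious; they say which lines to look at first."""
    reasons = []
    if section == "O15" and "*" in body:
        # *.example.com puts every host under that domain in IE's Trusted sites zone,
        # which relaxes ActiveX and scripting restrictions for all of them.
        reasons.append("wildcard Trusted Zone entry; confirm the owner added it on purpose")
    if section == "O16":
        m = URL_RE.search(body)
        if m and m["scheme"].lower() == "http":
            reasons.append("ActiveX control (DPF) fetched over plain http, so it could be swapped in transit")
    if "(file missing)" in body:
        reasons.append("target file is missing: a stale entry, or something removed by a scanner")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no publisher name; verify the path by hand")
    return reasons


def triage(log_text: str) -> list[Flag]:
    """Return one Flag per (entry, reason) pair for every entry that trips a check."""
    flags = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        for reason in checks(m["section"], m["body"]):
            flags.append(Flag(m["section"], raw.strip(), reason))
    return flags


def count_by_section(flags: list[Flag]) -> dict[str, int]:
    """How many flags each HJT section produced, e.g. {"O15": 1, "O23": 2}."""
    return dict(Counter(f.section for f in flags))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.entry}")
```

A flag is a prompt to look, not a verdict: missing-file entries are often just stale references, but on a machine where an antivirus has just quarantined executables they are also worth cross-checking against the AV vault before deciding they are harmless.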
     
  11. 2007/02/02
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
OK, the last log looks good. Other than the printer-related problems, how is the machine behaving? Let me know.

For the printer problems, uninstall and reinstall the software. Be sure you reboot after uninstalling and perhaps run your favorite registry cleaner as well.

    Then reinstall.

For items in Add/Remove, I also have many apps which do not show a size allocation, but they are indeed there and running. I'd wager it is a minor limitation which prevents the size from being displayed. But nothing to worry about.

For the two files I mentioned, all those locations you listed are legitimate locations, and there is nothing we have to worry about.


    So, it appears we are done. If there are any more issues please advise.


    We have 3 more things to do, mostly maintenance and then our recommendations:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion. It is very rare that anything significant is ever found.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

And to prevent unknown applications from being inserted into start up on your machine, install WinPatrol v10.0.5.

Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
  12. 2007/02/02
    drewbarbpi

    drewbarbpi Inactive Thread Starter

    Joined:
    2002/04/30
    Messages:
    71
    Likes Received:
    0
    Not happy surfing

Hey...no, the problems are not fixed...the printer will not uninstall, or reinstall from the disk...when I tried uninstalling it, a bunch of programs flew by in a window titled "clean-up", then everything got "stuck"...it asked for some file it couldn't find on the reinstall, then it started behaving like when I first noticed the virus's damage the other night...bunches of little windows opening and reopening, unable to cancel them, doing what I don't know...all of the programs that came with my computer, except a few, are non-functional...they may be showing up on the desktop, and in the add/remove programs list, but when I click on them, they will not open, and I get the flashlight thingy saying it can't find the programs....I got online to "chat" with an HP rep., and they suggested a total system recovery, which would wipe everything...they say it's the only way to get rid of the virus totally, and get things working again (get all my software back)...so...I am TOTALLY confused, and TOTALLY afraid that things are very ******* up...you are saying things look great on the hjt log, but I still can't run any of those programs...it's like the virus destroyed the signal for them to run...I was able to restore WORD, and Encarta from disk when those wacky windows appeared, or when I tried to open them and it asked for the disks...nothing else will do that...all of the programs that don't work show the blank window icon next to them, rather than their original icons. I did an AVG scan a while ago (before trying to reinstall the printer), and it came out clean. Any other suggestions? I do not really want to wipe my whole system and lose all my files...I can back up some things, but will have a lot of programs to re-download, etc. I also don't know for sure how to back up my address book in Outlook Express or my favorites in IE, if that's possible. Any suggestions?
    Thanks!
    Barb
     
  13. 2007/02/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
If you're on high-speed access, let's try and get the trial Kaspersky for you to download.
    http://usa.kaspersky.com/trials/tri...ownloads/trial-versions.php&chapter=146481750

Let's also run AVG Anti-Spyware, also a trial:
    Download AVG Anti-Spyware 7.5 from HERE and save that file to your desktop.
    • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
• Once the setup is complete you will need to run ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the [Start Update] button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
• Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
• Under "Reports"
• Select "Automatically generate report after every scan"
• Un-Select "Only if threats were found"
    Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.

    Reboot, into safe mode, this way:
    • Turn on the computer
    • Immediately begin tapping the <F8> key.
    • Use the arrow keys to highlight Safe Mode and press the <Enter> key.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process.

    Launch ewido-anti-spyware by double-clicking the icon on your desktop.
• Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • ewido will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
• If you have any infections you will be prompted, then select "Apply all actions"
• Next select the "Reports" icon at the top.
• Select the [Save report as] button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
• Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan. (Please edit out any cookie, Recycler and System Volume Information Folder references)

    After those have been run, you can also run a couple of system utilities to repair some of the damage.

    System File Checker and ChkDsk

    Let me know how that goes.

Not sure I understand something about not being able to uninstall. What model HP is it?
     
  14. 2007/02/03
    drewbarbpi

    drewbarbpi Inactive Thread Starter

    Joined:
    2002/04/30
    Messages:
    71
    Likes Received:
    0
    I have downloaded the Kaspersky, but have not done anything yet...it says on their website that you shouldn't be running any other anti-virus program at the same time...do I first need to uninstall AVG free, then? You didn't specify when to run the K... thing...do I do that first, before the AVG Anti-Spyware thing?

    As for the printer....I have tried several times to uninstall it, then reinstall it...each time, it seems to go crazy and get stuck on "clean-up" windows that keep re-opening as fast as I try to close them...then they get "stuck" and there'll be several of them open...when I tried to reinstall the printer, the one time I got to that window in the process, it did everything, and then said it needed an hp file that was not being found...I had the choice of directing it to find that file, but that didn't work. I don't know what file that is, exactly...it had a long number/letter name only, not giving a clue as to what it might do. I'm figuring it was on my computer, but now is messed up, along with the others that are messed up.

    I will download the other AVG Spyware Scan thing, and wait for your instructions about the Kaspersky thing...whether to uninstall AVG free, and at what point to run K.

    Thanks!
    Barb
     
  15. 2007/02/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    I think you will be able to just shut down all the AVG related processes and KAV will run fine, just make sure you don't allow it to start up once you reboot, that may cause conflicts.

I need to know what model HP printer you have and, if you can, try and get as much of the name as you can so we can find an alternative source for it so you can download it.
     
  16. 2007/02/03
    drewbarbpi

    drewbarbpi Inactive Thread Starter

    Joined:
    2002/04/30
    Messages:
    71
    Likes Received:
    0
    Results

    OK...here are the results from the Kaspersky scan:

    Detected
    --------
    Status Object
    ------ ------
    detected: adware not-a-virus:AdWare.Win32.MetaSearch.a File: C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP734\A0035358.dll
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Main Identity\Local Folders\Inbox\[From:<abuse@bankofamerica.com>][Subject:news][Time:2006/12/26 21:48:58]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Main Identity\Local Folders\Sent Items\[From: "Barb & Drew Hines" <drewbarbpi@tds.net>][Subject:phishing/email abuse][Time:2006/12/26 22:06:12]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Main Identity\Local Folders\Deleted Items\[From: "Sears" <sears@e.sears.com>][Subject:Sears: 3 Big Days of Savings - save up to 50% on select items][Time:2005/11/10 02:59:19]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Main Identity\Local Folders\Deleted Items\[From:<suspension@ebay.com>][Subject:TKO Notice: ***Urgent Safeharbor Department Notice***][Time:2005/10/16 20:53:43]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Main Identity\Local Folders\Deleted Items\[From:<suspension@ebay.com>][Subject:TKO Notice: ***Urgent Safeharbor Department Notice***][Time:2005/10/16 21:16:40]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Main Identity\Local Folders\Deleted Items\[From: "PayPal Account Review Department" <service@paypal.com>][Subject:Notification of Limited Account Access][Time:2005/10/17 05:08:06]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Main Identity\Local Folders\Deleted Items\[From:<service@chase.com>][Subject:Chase Bank Update][Time:2006/02/15 17:51:49]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Main Identity\Local Folders\Deleted Items\[From:<service@chase.com>][Subject:CHASE Bank - Multiple Password Failures][Time:2006/01/11 16:19:27]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Main Identity\Local Folders\Deleted Items\[From:<service@chase.com>][Subject:CHASE Bank - Multiple Password Failures][Time:2006/01/12 13:59:33]/text/html
    detected: Trojan program Trojan-Spy.HTML.Bayfraud.kh Email message body: Main Identity\Local Folders\Deleted Items\[From:<member@ebay.com>][Subject:Message from eBay Member][Time:2006/02/13 18:59:45]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Main Identity\Local Folders\Deleted Items\[From:<update@email-chase.com>][Subject:Technical services of the Chase Bank][Time:2006/12/18 13:17:27]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Main Identity\Local Folders\Deleted Items\[From: "PayPal" <service@email.paypal.com>][Subject:Your account access has been limited !][Time:2007/01/29 19:25:20]/text/html
    detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Main Identity\Local Folders\Deleted Items\[From: "PostCard Service" <member@PostCard.ORG>][Subject:Message from PostCard.ORG Member][Time:2007/01/29 23:36:38]/text/html
    detected: adware not-a-virus:AdWare.Win32.MetaSearch.a File: C:\Program Files\Hijackthis\backups\backup-20070202-212743-589.dll
    detected: adware not-a-virus:AdWare.Win32.BargainBuddy.n File: C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1105982933.ssb/C:\WINDOWS\system32\exul1.exe
    detected: adware not-a-virus:AdWare.Win32.MetaSearch.a File: C:\Program Files\STHomePage\STHomePage2.dll
    detected: adware not-a-virus:AdWare.Win32.MetaSearch.a File: C:\RECYCLER\S-1-5-21-3148872437-1030097784-2477760182-1003\Dc11\STLinks.dll
    detected: Trojan program Backdoor.IRC.Zapchast File: C:\WINDOWS\system\sup.reg


    And from the AVG Spyware scan:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 3:45:22 PM 2/3/2007

    + Scan result:



    C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1105982933.ssb/C:\WINDOWS\system32\exul1.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
    HKU\S-1-5-21-3148872437-1030097784-2477760182-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1B9CB0F8-118B-49C1-956D-B703E976F8E3} -> Adware.Generic : Cleaned with backup (quarantined).
    C:\Program Files\Picasa\pinstall.dll -> Adware.LookMe : Cleaned with backup (quarantined).
    C:\Program Files\Hijackthis\backups\backup-20070202-212743-589.dll -> Adware.MetaSearch : Cleaned with backup (quarantined).
    C:\RECYCLER\S-1-5-21-3148872437-1030097784-2477760182-1003\Dc11\STLinks.dll -> Adware.MetaSearch : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP734\A0035358.dll -> Adware.MetaSearch : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP738\A0035859.dll -> Adware.MetaSearch : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP738\A0035861.dll -> Adware.MetaSearch : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\STLinks.STLinksCtrl -> Adware.QuickMetaSearch : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\STLinks.STLinksCtrl.1 -> Adware.QuickMetaSearch : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\STLinks.STLinksCtrl\CLSID -> Adware.QuickMetaSearch : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\STLinks.STLinksCtrl\CurVer -> Adware.QuickMetaSearch : Cleaned with backup (quarantined).
    HKU\S-1-5-21-3148872437-1030097784-2477760182-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B54BFA47-D897-49CA-9657-05EC9F80A32B} -> Adware.QuickMetaSearch : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP738\A0035862.reg -> Backdoor.Zapchast : Cleaned with backup (quarantined).
    C:\WINDOWS\system\sup.reg -> Backdoor.Zapchast : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Cookies\owner@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned.
    C:\Documents and Settings\Owner\Cookies\owner@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
    C:\WINDOWS\system\sup.bat -> Trojan.Zapchas.F : Cleaned with backup (quarantined).


    ::Report end

    I am going to now run System File Checker, and ChkDsk as you suggested, and then try AGAIN to uninstall and reinstall my printer, which is an HP PSC 2175 all in one.

    Thanks!
    Barb
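The two reports above are long because the scanners list every copy of a thing they can see, and the list mixes items that can still run with items that cannot. An added example (not from the post, and not Kaspersky's or AVG's code) that parses both report formats from a constructed excerpt of the lines posted here and sorts each detection by where it lives: HTML phishing messages in the Outlook Express store (the From/Subject fields are bank, eBay and PayPal lures; the mail does nothing until it is opened, and should be deleted and the folders compacted), restore-point snapshots under System Volume Information (discarded by turning System Restore off and back on), backups kept by HijackThis and SpySubtract, cookies, registry keys, and finally files that actually sit on disk in a live location. Only the last bucket needs hands-on follow-up; in this excerpt that is sup.reg and sup.bat in C:\WINDOWS\system plus two DLLs under Program Files. The regexes, bucket names and Detection class are assumptions of this example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed samples: lines copied from the two reports posted above.
KASPERSKY_SAMPLE = r"""
detected: adware not-a-virus:AdWare.Win32.MetaSearch.a File: C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP734\A0035358.dll
detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: Main Identity\Local Folders\Inbox\[From:<abuse@bankofamerica.com>][Subject:news][Time:2006/12/26 21:48:58]/text/html
detected: Trojan program Trojan-Spy.HTML.Bayfraud.kh Email message body: Main Identity\Local Folders\Deleted Items\[From:<member@ebay.com>][Subject:Message from eBay Member][Time:2006/02/13 18:59:45]/text/html
detected: adware not-a-virus:AdWare.Win32.MetaSearch.a File: C:\Program Files\Hijackthis\backups\backup-20070202-212743-589.dll
detected: adware not-a-virus:AdWare.Win32.MetaSearch.a File: C:\Program Files\STHomePage\STHomePage2.dll
detected: Trojan program Backdoor.IRC.Zapchast File: C:\WINDOWS\system\sup.reg
""".strip()

AVG_SAMPLE = r"""
C:\Program Files\Picasa\pinstall.dll -> Adware.LookMe : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\STLinks.STLinksCtrl -> Adware.QuickMetaSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP738\A0035862.reg -> Backdoor.Zapchast : Cleaned with backup (quarantined).
C:\WINDOWS\system\sup.reg -> Backdoor.Zapchast : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned.
C:\WINDOWS\system\sup.bat -> Trojan.Zapchas.F : Cleaned with backup (quarantined).
""".strip()

# Kaspersky: "detected: <kind> <name> [(modification)] File|Email message body: <location>"
KASPERSKY_RE = re.compile(
    r"^detected:\s+(?P<kind>.+?)\s+(?P<name>\S+)(?:\s+\(modification\))?"
    r"\s+(?P<where>File|Email message body):\s+(?P<loc>.+)$"
)
# AVG Anti-Spyware: "<location> -> <name> : <action>."
AVG_RE = re.compile(r"^(?P<loc>.+?)\s+->\s+(?P<name>\S+)\s+:\s+(?P<action>.+?)\.?$")


@dataclass
class Detection:
    scanner: str
    name: str
    location: str
    bucket: str


def bucket_for(location: str, where: str) -> str:
    """Where a detection lives says more about urgency than its name does."""
    if where == "Email message body":
        return "stored_mail"       # phishing HTML in the OE message store; nothing runs until opened
    low = location.lower()
    if low.startswith(("hklm\\", "hku\\", "hkcu\\")):
        return "registry"          # registry keys; check what file, if any, they still point at
    if "\\system volume information\\_restore" in low:
        return "restore_point"     # System Restore's copy of an already-removed file
    if "\\hijackthis\\backups\\" in low or "\\spysubtract\\backup\\" in low:
        return "tool_backup"       # a removal tool's own backup of what it removed
    if "\\recycler\\" in low:
        return "recycle_bin"
    if "\\cookies\\" in low:
        return "tracking_cookie"
    return "live"                  # a real file in a real location: follow up by hand


def parse_kaspersky(text: str) -> list[Detection]:
    out = []
    for line in text.splitlines():
        m = KASPERSKY_RE.match(line.strip())
        if m:
            out.append(Detection("kaspersky", m["name"], m["loc"], bucket_for(m["loc"], m["where"])))
    return out


def parse_avg(text: str) -> list[Detection]:
    out = []
    for line in text.splitlines():
        m = AVG_RE.match(line.strip())
        if m:
            out.append(Detection("avg", m["name"], m["loc"], bucket_for(m["loc"], "File")))
    return out


def triage_reports(kaspersky_text: str, avg_text: str) -> dict[str, list[Detection]]:
    """Group every detection from both scanners by bucket."""
    buckets: defaultdict[str, list[Detection]] = defaultdict(list)
    for d in parse_kaspersky(kaspersky_text) + parse_avg(avg_text):
        buckets[d.bucket].append(d)
    return dict(buckets)


def live_paths(kaspersky_text: str, avg_text: str) -> list[str]:
    """Deduplicated (case-insensitive) on-disk paths that still need hands-on follow-up."""
    seen: dict[str, str] = {}
    for d in triage_reports(kaspersky_text, avg_text).get("live", []):
        seen.setdefault(d.location.lower(), d.location)
    return sorted(seen.values())


if __name__ == "__main__":
    for bucket, items in triage_reports(KASPERSKY_SAMPLE, AVG_SAMPLE).items():
        print(f"{bucket}: {len(items)}")
    for path in live_paths(KASPERSKY_SAMPLE, AVG_SAMPLE):
        print("  follow up:", path)
```

Both scanners report sup.reg, and AVG adds the sup.bat beside it; a .reg and a .bat pair in a Windows system folder is what to look for in the startup entries and the AV vault, not the restore-point or HijackThis-backup copies of the same files.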
     
  17. 2007/02/03
    drewbarbpi

    drewbarbpi Inactive Thread Starter

    Joined:
    2002/04/30
    Messages:
    71
    Likes Received:
    0
    Still programs missing

    OK...ran the sfc and the chkdsk, all to no avail...I still have many missing programs....get the flashlight for all of my PC Tools & Help (which includes system recovery, etc.), my Software Repair Wizard, most of my HP recovery and support stuff, some Microsoft stuff, like Microsoft Plus!, Quicken, Web Publishing Wizard, my HP Director and Image Zone (which are part of my photo stuff, which should be with the printing software, but isn't), and several programs we had downloaded from the net. I did finally get the printer to install, and it prints from WORD, but I can't get the icon to appear in the taskbar. I am also missing my Sound Blaster Audigy 2ZS, which I believe is my sound card. So...guess I need to go to the HP folks for help with some of that, if I can download some of it from them. Not sure about the Microsoft stuff. Not trusting the printer software, and haven't yet tried scanning, copying, or printing from various sources. It's been a long few days of running this and that and restarting the computer! OY! I appreciate your help, and any advice would be much appreciated at this point.
     
  18. 2007/02/11
    drewbarbpi

    drewbarbpi Inactive Thread Starter

    Joined:
    2002/04/30
    Messages:
    71
    Likes Received:
    0
    OK...now what???

    Please help! I have been to the HP site to "chat" live with a technician who told me I needed to try a system recovery...here's the deal...
    my computer's PC Help & Tools section is wiped by the worm...
    so I tried the F10 at start-up, but that just gets caught in a loop...it says it's starting system recovery, then the monitor clicks off and back on, and Windows just starts back up...I can sit and push F10 a zillion times, hold it, caress it...it doesn't make any difference....
so the HP guy says I need the recovery discs (to the tune of $30) since my computer won't do it on its own...
    so the discs arrive, and I finally have time to try a standard recovery...the same loop starts, where it says it's starting system recovery, then the monitor goes off, and back on again, and Windows starts up again like usual...I tried hitting esc during start-up, and choosing the drive that the recovery disc was in to start from, but that just looped back again as well.
    I have not yet tried the "full system recovery" option, as I was avoiding that unless it was the last resort. But I'm pretty sure it will similarly loop back to Windows restarting anyway. That little worm must be hell-bent on me not being able to recover my programs!
    SO, folks...any suggestions as to how to work around the wormy system, and run a recovery? I don't even have defrag any more, or anything, I discovered today. Any suggestions would be greatly appreciated!!
    Thanks!
    Barb
     
  19. 2007/02/11
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well, sorry I let this go by for so long.

    I have to say that I'm at a loss as to how to fully repair the system, without reformatting. I'm not quite sure the worm did this type of damage as it's not typical of most.

    My best advice is to save whatever data you have and reformat. Be sure you have all your install disks and save any emails with download links if they were installed that way.

    Beyond that, not being able to physically look at the machine, maybe you could try a local repair shop for a more hands on diagnosis.

    I'll have one of the other members have a peek here and see if they can offer any other solutions.
     
  20. 2007/02/12
    drewbarbpi

    drewbarbpi Inactive Thread Starter

    Joined:
    2002/04/30
    Messages:
    71
    Likes Received:
    0
Thanks, TeMerc...I'm not sure how to do a "reformat", or if that will work since everything else gets caught in a loop when I try to run it...any further advice would be appreciated.
    Thanks!
    Barb
     
  21. 2007/02/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well the first thing you're going to need is your original installation XP CD. Once you pop that sucker in, it will boot automatically from that CD and give you options to either reformat or repair.

    You should also download anti-virus software as well as a firewall to install before going offline to reformat.

Follow the directions on this page. Or at the very least, write down the instructions so you can follow along. It's actually very simple. The most important part is to select a 'clean install' when presented with the option to 'repair' or 'do a clean install'.

    And don't forget to save all valuable data as I mentioned above.

Once you have completed the install, first install the anti-virus from the previous download disk as well as the firewall, then you must immediately go to Windows Update to get all security patches. This will take some time as there are likely to be 65 or so critical updates.

    Let us know if you have any questions.
     
