
Solved Badly infected computer, reformat best option??

Discussion in 'Malware and Virus Removal Archive' started by Vicki, 2008/01/17.

  1. 2008/01/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Make sure the disc is clean. I generally use warm water with a mild detergent, then dab dry with a lint-free paper towel. If you get the same result, check for an i386 folder in C: and C:\Windows, then browse to and select it. If not found, try C:\Windows\ServicePackFiles
     
  2. 2008/01/22
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    413
    Likes Received:
    8
    Can't find??

    I did try cleaning the disk as you recommended, and still received the same results. Of course that bothers me now as well! (Something wrong with the XP disk??!!)

    I'm sorry but I can't seem to find any of those folders? I never have been able to figure out this new XP search thing, but haven't used it much either, so maybe I'm not looking/searching correctly??

    What a mess I've got huh? Hope you're not ready to give up on me!:eek:

    Vicki
     


  4. 2008/01/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Not at all!

    Instead of using search, open My Computer, then Local Disk C:
    If you don't see an i386 folder, open the Windows folder and look.
    If not there, open the ServicePackFiles folder and look.
    Once you locate it, click Browse in the 'copy files' dialog and use the drop down arrow next to the address field (top of the dialog box that opens) to select My Computer, then double click Local disk C: in the window, then Windows folder, etc.
     
  5. 2008/01/23
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    413
    Likes Received:
    8
    Still no luck

    This has to be very perplexing for you (I know it certainly is for me!!)

    I did do the checking via your instructions;

    Local disk C:
    shows 24 "boxes", containing folders/files. Most of these are notebook log/txt files.

    Actual folders listed are:


    Documents and Settings, Temp, Fanfish 2, Windows
    Program Files, Cabs (empty),ComboFix, QooBox and Deckard.

    So I proceeded to check in the Windows folder to look there:

    What I found were MANY (muted yellow color) folders with $NTuninstallKb(w/numbers), numerous notebook logfiles, Bmp's & dll's, and several others that I don't remember. There were many actual folders listed, but once again neither the i386 or the servicepackfile folders are listed there.:confused:
     
  6. 2008/01/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes, this is a bit perplexing for me. If you haven't already done so, just cancel out of the current repair operation. We'll try something else.

    Please click here to download ie-rereg.zip, written by a fellow MVP named Kai Schätzl. Save the file to the desktop, then right click and Extract it. It should create a folder on the desktop named ie-rereg. Open the folder and double click on the ie-rereg.cmd file to run it. Be patient and wait for it to close, then reboot and see if Internet Explorer works properly.
     
  7. 2008/01/24
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    413
    Likes Received:
    8
    No change

    I did get that zip file downloaded/run on the infected computer. I got a chuckle out of the instruction box when it said "we're almost done" and then the part that said it would take awhile and to just be patient. (didn't really take that long though).

    Unfortunately, this repair made no difference either. I did reboot and tried using internet explorer. I can view the homepage (set to MSN) and click on any article in there, but as soon as I type an address into the address bar, a new (blank) window will open and I'm back to where I was before (having to "end task" to close out).

    Have we gone from being perplexed to frustrated yet? :(
     
  8. 2008/01/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hmmm, open Internet Options, Programs tab, then click Reset Web Settings. OK the homepage popup then OK out when done. Open a new IE window and see how it behaves.
     
  9. 2008/01/24
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    413
    Likes Received:
    8
    Internet Options

    I wasn't sure if it made any difference on where I opened the internet options? I did try via control panel>internet options and clicked on the reset web settings as you instructed. There wasn't any homepage "pop up"? So I tried the same changes while having the Internet Explorer open via the "tools" options drop down. Still no homepage pop up?

    This time when trying to type an address in the address bar, it locks up...no new window opens or even appears to be trying to load the address. Once again have to "end task" to close.
     
  10. 2008/01/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    This is very odd Vicki ....... brought me a brain teaser, heh? ;)
    If you click links within a web page, do they resolve properly?
    Can you right click a link and 'Open in New Window' and it resolve properly?
    While viewing a page, hold down the Ctrl key and press the N key to open a new window. Does it resolve properly?

    Since you are able to access the internet with the comp, can you set the homepage to windowsbbs.com and browse this forum? Post a reply?

    dss.exe should still be on the desktop, and will need to be for this. Copy the bolded command below.

    "%userprofile%\desktop\dss.exe" /config

    Now click Start>Run and paste it on the Run line and hit Enter.
    The Deckard's System Scanner interface will open.
    Click Check All. If not available, click Uncheck All then Check All.
    Click Scan.
    When it completes, post the contents of both the main.txt and the extra.txt logs (extra.txt will be minimized) here. They will probably be too big for one post, so try the main.txt in 1 and the extra.txt in another.
     
  11. 2008/01/24
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    413
    Likes Received:
    8
    I did try clicking on different links within the MSN homepage and they seemingly responded/loaded okay. I then tried your other suggestions (i.e right click>open new window & the Ctrl & N) but both of these generated the same problem....would lock up and have to "end task" to close.

    Changed the homepage to this BBS and this response (hopefully) is coming from the infected computer.

    I will try the next step you have listed and post back with the log (hopefully can do it from here rather than running back and forth to my computer!)
     
  12. 2008/01/24
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    413
    Likes Received:
    8
    scan completed

    I finished the scan and will now attempt to post the logs as you requested:

    Deckard's System Scanner v20071014.68
    Run by Owner on 2008-01-24 21:41:54
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    147: 2008-01-25 03:42:02 UTC - RP159 - Deckard's System Scanner Restore Point
    146: 2008-01-25 02:15:25 UTC - RP158 - System Checkpoint
    145: 2008-01-24 02:08:30 UTC - RP157 - System Checkpoint
    144: 2008-01-23 02:00:26 UTC - RP156 - System Checkpoint
    143: 2008-01-20 16:44:44 UTC - RP155 - ComboFix created restore point


    -- First Restore Point --
    1: 2007-12-22 00:18:01 UTC - RP13 - System Checkpoint


    Performed disk cleanup.

    Total Physical Memory: 495 MiB (512 MiB recommended).


    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-01-24 21:42:35
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\WINDOWS\system32\slmdmsr.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\alg.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Owner\Desktop\dss.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsbbs.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/downl...-495c-b89f-c1c34c691085/LegitCheckControl.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141944401843
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
    O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: SmartLinkService (SLService) - Unknown owner - C:\WINDOWS\system32\slmdmsr.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


    --
    End of file - 8208 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 RecAgent - c:\windows\system32\drivers\sldrv\recagent.sys <Not Verified; ; Modem>
    R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
    R3 SMBios (Intel (R) System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel (R) System Management BIOS Driver>

    S0 ssbgdcxf - c:\windows\system32\drivers\qeeeicen.dat (file missing)
    S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
    S3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
    S3 iscFlash - c:\windows\system32\drivers\iscflash.sys (file missing)
    S3 Mtlmnt5 - c:\windows\system32\drivers\sldrv\mtlmnt5.sys <Not Verified; ; Modem>
    S3 Mtlstrm - c:\windows\system32\drivers\sldrv\mtlstrm.sys <Not Verified; ; Modem>
    S3 Slntamr (SmartLink AMR_PCI Driver) - c:\windows\system32\drivers\sldrv\slntamr.sys <Not Verified; ; Modem>
    S3 SlNtHal - c:\windows\system32\drivers\sldrv\slnthal.sys <Not Verified; ; Modem>
    S3 SlWdmSup - c:\windows\system32\drivers\sldrv\slwdmsup.sys <Not Verified; ; Modem>
    S3 SQTECH905C (DualCamera) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 SLService (SmartLinkService) - slmdmsr.exe <Not Verified; ; Modem>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Process Modules -------------------------------------------------------------

    C:\WINDOWS\system32\winlogon.exe (pid 656)
    2005-07-06 16:16:28 225280 --a------ C:\Program Files\Webroot\Spy Sweeper\ssi.dll <Not Verified; Webroot Software, Inc.; Spy Sweeper SDK>

    C:\WINDOWS\system32\svchost.exe (pid 864)
    2005-07-06 16:16:28 225280 --a------ C:\Program Files\Webroot\Spy Sweeper\ssi.dll <Not Verified; Webroot Software, Inc.; Spy Sweeper SDK>

    C:\WINDOWS\system32\svchost.exe (pid 932)
    2005-07-06 16:16:28 225280 --a------ C:\Program Files\Webroot\Spy Sweeper\ssi.dll <Not Verified; Webroot Software, Inc.; Spy Sweeper SDK>

    C:\WINDOWS\system32\svchost.exe (pid 972)
    2005-07-06 16:16:28 225280 --a------ C:\Program Files\Webroot\Spy Sweeper\ssi.dll <Not Verified; Webroot Software, Inc.; Spy Sweeper SDK>

    C:\WINDOWS\system32\svchost.exe (pid 1044)
    2005-07-06 16:16:28 225280 --a------ C:\Program Files\Webroot\Spy Sweeper\ssi.dll <Not Verified; Webroot Software, Inc.; Spy Sweeper SDK>

    C:\WINDOWS\system32\svchost.exe (pid 1148)
    2005-07-06 16:16:28 225280 --a------ C:\Program Files\Webroot\Spy Sweeper\ssi.dll <Not Verified; Webroot Software, Inc.; Spy Sweeper SDK>

    C:\WINDOWS\system32\svchost.exe (pid 1200)
    2005-07-06 16:16:28 225280 --a------ C:\Program Files\Webroot\Spy Sweeper\ssi.dll <Not Verified; Webroot Software, Inc.; Spy Sweeper SDK>

    C:\WINDOWS\explorer.exe (pid 1396)
    2007-08-20 04:04:37 6058496 --a------ C:\WINDOWS\system32\ieframe.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2007-08-20 04:04:38 267776 --a------ C:\WINDOWS\system32\iertutil.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2005-07-06 16:16:28 225280 --a------ C:\Program Files\Webroot\Spy Sweeper\ssi.dll <Not Verified; Webroot Software, Inc.; Spy Sweeper SDK>

    C:\WINDOWS\system32\svchost.exe (pid 2288)
    2005-07-06 16:16:28 225280 --a------ C:\Program Files\Webroot\Spy Sweeper\ssi.dll <Not Verified; Webroot Software, Inc.; Spy Sweeper SDK>

    C:\WINDOWS\explorer.exe (pid 3200)
    2005-07-06 16:16:28 225280 --a------ C:\Program Files\Webroot\Spy Sweeper\ssi.dll <Not Verified; Webroot Software, Inc.; Spy Sweeper SDK>
    2007-08-20 04:04:37 6058496 --a------ C:\WINDOWS\system32\ieframe.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2007-08-20 04:04:38 267776 --a------ C:\WINDOWS\system32\iertutil.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>


    -- Scheduled Tasks -------------------------------------------------------------

    2008-01-13 16:35:18 240 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job


    -- Files created between 2007-12-24 and 2008-01-24 -----------------------------

    2008-01-31 00:07:03 0 d-------- C:\Program Files\Windows Media Connect 2
    2008-01-31 00:04:40 0 d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-01-17 11:05:50 0 d-------- C:\Program Files\Windows Live Safety Center
    2008-01-17 09:40:54 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2008-01-17 09:30:38 102912 --a------ C:\WINDOWS\system32\islzma.dll
    2008-01-17 09:30:24 428032 --a------ C:\WINDOWS\WRServices.dll <Not Verified; Webroot Software, Inc; >
    2008-01-17 09:30:24 0 d-------- C:\Program Files\Webroot
    2008-01-17 09:30:24 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
    2008-01-13 08:36:30 0 dr-h----- C:\$VAULT$.AVG
    2008-01-13 08:33:16 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2008-01-13 08:32:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-01-13 08:32:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-12 12:08:27 0 d-------- C:\Program Files\Enigma Software Group
    2008-01-11 12:37:42 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-01-11 12:37:24 0 d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
    2008-01-11 12:32:56 0 d-------- C:\WINDOWS\system32\runtime
    2008-01-11 10:36:49 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
    2008-01-11 10:36:48 0 d-------- C:\Program Files\SpywareBlaster
    2008-01-02 19:52:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-01-02 19:31:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-01-02 17:05:46 0 d-------- C:\cabs
    2008-01-02 17:05:42 126976 --a------ C:\WINDOWS\system32\unzdll.dll <Not Verified; ; BCB/Delphi UnZip>
    2008-01-02 17:05:41 0 d-------- C:\Program Files\Gateway
    2008-01-02 17:03:03 17505 -ra------ C:\DBI.EXE
    2008-01-02 17:00:31 13696 -ra------ C:\WINDOWS\system32\drivers\BIOS.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
    2008-01-02 16:47:25 0 d-------- C:\WINDOWS\Prefetch
    2007-12-30 18:24:39 0 d-------- C:\Program Files\Spyware Doctor
    2007-12-28 22:16:13 0 d-------- C:\WINDOWS\BDOSCAN8
    2007-12-28 15:58:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
    2007-12-28 03:00:18 6291456 --a------ C:\Documents and Settings\Owner\ntuser.dat


    -- Find3M Report ---------------------------------------------------------------

    2008-02-07 17:13:05 0 d-------- C:\Program Files\Logitech
    2008-02-01 09:46:30 0 d-------- C:\Program Files\Kodak
    2008-01-22 22:12:29 5632 --ahs---- C:\Program Files\Thumbs.db
    2008-01-20 10:47:37 0 d-------- C:\Program Files\Common Files
    2008-01-17 17:43:41 0 d-------- C:\Program Files\Java
    2008-01-13 10:53:27 0 d-------- C:\Program Files\QuickTime
    2008-01-11 12:40:33 0 d-------- C:\Program Files\Google
    2008-01-10 17:42:18 56264 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
    2008-01-03 02:08:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
    2008-01-02 16:37:05 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2007-12-23 22:04:22 618 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2007-12-23 20:44:05 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-12-09 23:06:42 0 d-------- C:\Program Files\LimeWire
    2007-10-25 10:26:48 53248 --a------ C:\WINDOWS\bdoscandel.exe


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [12/24/2007 08:14 AM]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/24/2007 01:57 AM]
    "SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [01/12/2008 09:06 PM]
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [07/06/2005 04:16 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [01/12/2008 12:20 PM]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [12/24/2007 08:14 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [1/2/2008 7:52:09 PM]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca291ff0-c325-11da-84c1-806d6172696f}]
    play\Command- "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L "




    -- Hosts -----------------------------------------------------------------------

    127.0.0.1 http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch #SpySweeperCASS
    127.0.0.1 \blank.htm #SpySweeperCASS
    127.0.0.1 http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm #SpySweeperCASS
    127.0.0.1 http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm #SpySweeperCASS
    127.0.0.1 http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome #SpySweeperCASS
    127.0.0.1 endmatch.com #SpySweeperCASS
    127.0.0.1 www.startmatch #SpySweeperCASS
    127.0.0.1 www.exactmatch.com #SpySweeperCASS
    127.0.0.1 partialmatch #SpySweeperCASS
    127.0.0.1 besstsearchs.com #SpySweeperCASS

    1072 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-01-24 21:45:36 ------------
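
An added example, not part of Vicki's post or of Deckard's System Scanner itself: a small Python triage pass over log lines in the format posted above, listing entries marked "(file missing)" and services reported with "Unknown owner" so a helper can review them first. The sample lines are copied from the log in this post; the names `Finding`, `triage` and `SAMPLE_LOG` are hypothetical.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str    # "hjt" for HijackThis-style O-lines, "driver" for Drivers/Services lines
    ident: str   # HijackThis group (e.g. "O23") or state + start type (e.g. "S0")
    name: str    # entry name as printed in the log
    reason: str  # why the line was singled out for review


# HijackThis-style entry: "O<n> - <description> - ... - <path>"
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")

# Drivers/Services entry: "<R|S><0-4> <name> - <path> <annotation>".
# The name must not start with "-" so HijackThis "R1 - HKCU\..." lines are skipped.
DRV_LINE = re.compile(r"^([RS])([0-4]) ([^\s-].*?) - (\S.*)$")

# Start types as given in the log's own section header.
START_TYPE = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

# Lines copied from the log posted above (not a complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - C:\WINDOWS\system32\slmdmsr.exe
R0 RecAgent - c:\windows\system32\drivers\sldrv\recagent.sys <Not Verified; ; Modem>
S0 ssbgdcxf - c:\windows\system32\drivers\qeeeicen.dat (file missing)
S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
"""


def triage(log_text):
    """Return the log entries a reviewer would want to look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = HJT_LINE.match(line)
        if m:
            group, rest = m.groups()
            name = rest.split(" - ")[0]
            # The registry entry points at a file that is no longer on disk.
            if line.endswith("(file missing)"):
                findings.append(Finding("hjt", group, name, "file missing"))
            # The service binary carries no company name in its version info.
            if group == "O23" and " - Unknown owner - " in rest:
                findings.append(Finding("hjt", group, name, "unknown owner"))
            continue

        m = DRV_LINE.match(line)
        if m:
            state, start, name, target = m.groups()
            # A driver entry whose file is gone; boot-start ones matter most.
            if target.endswith("(file missing)"):
                reason = "file missing, start type " + START_TYPE[start]
                findings.append(Finding("driver", state + start, name, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ident:<4} {f.name:<40} {f.reason}")
```

A flagged line is only a prompt for a closer look: a leftover registry entry from an uninstalled program and a remnant of removed malware both show up as "(file missing)".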
     
  13. 2008/01/24
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    413
    Likes Received:
    8
    extra txt log

    Here's the extra txt log:

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Home Edition (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Celeron(R) CPU 2.50GHz
    Percentage of Memory in Use: 74%
    Physical Memory (total/avail): 494.73 MiB / 123.81 MiB
    Pagefile Memory (total/avail): 1155.76 MiB / 681.53 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1920.66 MiB

    A: is Removable (No Media)
    C: is Fixed (NTFS) - 74.52 GiB total, 56.85 GiB free.
    D: is CDROM (No Media)
    E: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - ST380013A - 74.53 GiB - 1 partition
    \PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    FirstRunDisabled is set.

    AV: AVG 7.5.516 v7.5.516 (Grisoft)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Owner\Application Data
    CLASSPATH=.;
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=OWNER-CBA41CA1A
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Owner
    LOGONSERVER=\\OWNER-CBA41CA1A
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Ulead Systems\MPEG
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0209
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    USERDOMAIN=OWNER-CBA41CA1A
    USERNAME=Owner
    USERPROFILE=C:\Documents and Settings\Owner
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    Owner (admin)
    Administrator (admin)
    Guest (guest)


    -- Add/Remove Programs ---------------------------------------------------------

    --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
    --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
    --> C:\WINDOWS\UNNMP.exe /UNINSTALL
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware 2007 --> MsiExec.exe /X{E31C348B-63A9-4CBF-8D7F-D932ABB63244}
    Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
    AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
    Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
    Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
    Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll "
    Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe "
    Intel(R) Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
    Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
    IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
    J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
    J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
    Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
    Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
    LimeWire PRO 4.10.0 --> "C:\Program Files\LimeWire\uninstall.exe "
    Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL
    Logitech Resource Center --> C:\PROGRA~1\Logitech\RESOUR~1\rem\UNWISE.EXE C:\PROGRA~1\Logitech\RESOUR~1\rem\INSTALL.LOG
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe "
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe "
    Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
    MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
    MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
    Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
    RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
    Smart Link 56K Voice Modem --> C:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove
    Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe "
    Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe "
    Spyware Doctor 5.1 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
    SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe "
    Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe "


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type1959 / Error
    Event Submitted/Written: 01/24/2008 09:27:34 PM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Event Record #/Type1958 / Error
    Event Submitted/Written: 01/24/2008 09:24:29 PM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Event Record #/Type1957 / Error
    Event Submitted/Written: 01/24/2008 01:38:00 PM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Event Record #/Type1956 / Error
    Event Submitted/Written: 01/24/2008 01:25:50 PM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Event Record #/Type1955 / Error
    Event Submitted/Written: 01/24/2008 01:24:00 PM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type22299 / Warning
    Event Submitted/Written: 01/24/2008 01:38:30 PM
    Event ID/Source: 4 / E100B
    Event Description:
    Adapter Intel(R) PRO/100 VE Network Connection: Adapter Link Down

    Event Record #/Type22294 / Warning
    Event Submitted/Written: 01/24/2008 01:26:34 PM
    Event ID/Source: 4 / E100B
    Event Description:
    Adapter Intel(R) PRO/100 VE Network Connection: Adapter Link Down

    Event Record #/Type22289 / Warning
    Event Submitted/Written: 01/24/2008 09:56:52 AM
    Event ID/Source: 4 / E100B
    Event Description:
    Adapter Intel(R) PRO/100 VE Network Connection: Adapter Link Down

    Event Record #/Type22284 / Warning
    Event Submitted/Written: 01/24/2008 08:41:08 AM
    Event ID/Source: 4 / E100B
    Event Description:
    Adapter Intel(R) PRO/100 VE Network Connection: Adapter Link Down

    Event Record #/Type22263 / Warning
    Event Submitted/Written: 01/24/2008 08:11:19 AM / 01/24/2008 08:11:43 AM
    Event ID/Source: 4 / E100B
    Event Description:
    Adapter Intel(R) PRO/100 VE Network Connection: Adapter Link Down



    -- End of Deckard's System Scanner: finished at 2008-01-24 21:45:36 ------------
     
  14. 2008/01/24
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    413
    Likes Received:
    8
    I'm at least happy that I can post here from the infected computer....saves me a lot of extra "steps"! :)

    Sure is a lot of mumbo jumbo to me with all those logs! Sure am glad that there are people like you who are willing and able to try to interpret them!

    Awaiting the results of your expertise.

    Again, thank you so very much!!

    Vicki
     
  15. 2008/01/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please download HostsXpert.
    1. Unzip HostsXpert.zip to its own folder.
    2. Open the folder and double click on HostsXpert.exe
    3. Then click on "Restore Original Hosts" to restore your Hosts file to its default condition.
    4. Close program when complete.


    Please download the HijackThis Installer from here and install it, then run a scan. Place a check next to each of the following entries, close ALL other open windows, then click Fix checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


    Close HijackThis and reboot.

    If prompted about changes being made to the Google search settings (or others), make sure the changes are allowed and not reversed.

    Check the IE behavior after rebooting.
     
  16. 2008/01/25
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    413
    Likes Received:
    8
    questions

    I did get the Hostsxpert file downloaded, run, restored as directed.

    I have also downloaded/installed the Hijack this installer, but have a question on what to do for a scan? It gives several options:

    Do a system scan and save a logfile
    Do a system scan only
    View the list of backups
    Open the Misc tool section
    Open online Hijack this Quickstart
    None of the above, just start the program

    I certainly don't want to choose the incorrect option, so will wait for confirmation on which one to use. Also, once the scan is complete, will it open up something that shows more than just what you want me to check to fix? (And the entries you have selected are the only ones that I should check right?)

    Sorry for my confusion.:eek:
    Vicki
     
  17. 2008/01/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Vicki,

    Do a system scan only, check only the items I listed, then click Fix Checked and close HijackThis when it completes.
     
  18. 2008/01/25
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    413
    Likes Received:
    8
    Ran the Hijack installer scan using the scan system only as you requested. I haven't checked anything to fix because I don't see any of those that you requested me to! :eek:

    There are only 2 of the "R1" items listed from that scan and neither of them appears to be anything that is similar to what you wanted me to check? (I wish I could post the listing here so you could see it?)

    Things aren't getting any better are they? :(

    Vicki
     
  19. 2008/01/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Just click the Save Log button and it will save then open the log. You can then copy and post it here.
     
  20. 2008/01/25
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    413
    Likes Received:
    8
    Next problem

    I tried to save the log as you requested (by choosing save log option). I saw the hour glass running and thought it was saving, but appeared to be taking forever! Then I noticed at the top of the Hijack this window it shows that the program is "Not Responding"! (Didn't notice if that was there prior to my trying to save the log?)

    Now what? Should I close the program, try the scan again and then try to save the log?
     
  21. 2008/01/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If it doesn't snap out of the 'not responding' phase after a few minutes, then yes ...... close it. Open it again but this time select 'Do a scan and save a logfile'. It should open the log when it's done.
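
The mismatch in this exchange (a list of R1 entries to fix that the user cannot find in her scan) can be checked mechanically once the log is saved. This is an added example, not part of the thread or of HijackThis: it compares a fix list against a saved log by registry key and value name, so an entry whose data differs is reported separately from one that is absent. The fix list reuses three lines from post 15; the scan log lines and all function names are constructed for illustration.

```python
import re

# HijackThis registry lines have the shape:  R1 - <hive\key>,<value name> = <data>
LINE_RE = re.compile(r"^\s*(R[0-3])\s+-\s+(HK[A-Z]+\\[^,]*),\s*(.*?)\s*=\s*(.*?)\s*$")

# Three of the entries listed in post 15 of the thread.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
"""

# Constructed scan log lines (not taken from the thread).
SCAN_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.invalid/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Example Title
"""

def parse_entries(text):
    """Map (key, value name), lower-cased, to the data of each R-type line."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, key, name, data = m.groups()
            entries[(key.lower(), name.lower())] = data
    return entries

def compare(fix_list, scan_log):
    """Sort requested entries into exact matches, changed data, and absent."""
    wanted, found = parse_entries(fix_list), parse_entries(scan_log)
    report = {"exact": [], "changed": [], "absent": []}
    for ident, data in wanted.items():
        if ident not in found:
            report["absent"].append(ident)
        elif found[ident].lower() == data.lower():
            report["exact"].append(ident)
        else:
            report["changed"].append(ident)  # same registry value, different data
    return report

if __name__ == "__main__":
    for status, idents in compare(FIX_LIST, SCAN_LOG).items():
        for key, name in idents:
            print(f"{status:8} {key},{name}")
```
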
     
