
Solved Badly infected computer, reformat best option??

Discussion in 'Malware and Virus Removal Archive' started by Vicki, 2008/01/17.

  1. 2008/01/17
    Vicki, Well-Known Member, Thread Starter (joined 2002/01/07; 403 messages; 7 likes received)
    [Resolved] Badly infected computer, reformat best option??

    I have been working on my son's computer for several days trying to figure out what's causing his infection (Trojan? malware? virus?). But I'm beginning to think that a reformat would probably be the best solution to this problem!

    He is running WinXP Home, IE6 (all updates are current to the best of my knowledge). I have tried using various anti-virus and anti-spyware programs to no avail. (Some say they have detected/removed the offending nasties, but his computer still doesn't function properly, i.e. it can't connect to the internet and only gets blank pages, sometimes several of them, and the only way to close them is to use Task Manager to "end program".)


    Here are the different programs I have tried:

    Ad-Aware 2007
    Spybot S & D
    Spy Sweeper (retail version)
    Spyware Blaster
    AVG 7.5
    Spyware Doctor (via google updater)

    Many of these programs I downloaded from my computer to a disk and then installed them on his computer because trying to connect to the internet is almost impossible on his! I have found that if I change his home page (via internet options) to the page that I wish to view, that will come up, but whenever trying to click on a link in that page another window will open up, but doesn't show anything (not even an error message!)

    I had even tried to download the "hijackthis" from his computer, but can't even get there to do that!

    If reformatting his computer would be the best option for me to do at this point, how do I go about doing that? I know he has many pictures, some videos, music files, etc. on there that I would like to "save"... how do I go about doing that?

    Appreciate all the help I have been given here in the past and hope you can once again assist me with this dilemma!

    Regards,
    Vicki
     
  2. 2008/01/17
    noahdfear, Inactive (joined 2003/04/06; 12,178 messages; 15 likes received)
    Hi Vicki :)

    Let's get a look at what you have there. Download Deckard's System Scanner (dss.exe) and transfer it to the desktop of the ailing computer.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.
    The logs are located in a subfolder of C:\Deckard. Post the contents of main.txt only for now.

    It would be best to physically disconnect that computer from the internet until it's determined what infection(s) might be present. Not a big loss since it won't allow you to do anything online anyway. Whilst connected though, it can continue to become more infected.
     


  4. 2008/01/17
    Vicki, Well-Known Member, Thread Starter
    A few more questions...

    Thank you, noahdfear, for your response to the issues I'm having with my son's computer. I do have a few more questions to ask before I proceed:

    1.) You stated to close all applications & windows. Does this mean that only the desktop would be showing? Would there be anything running in the background that I should be aware of and need to shut down? (The internet will be disconnected, as you stated, before installing/running the Deckard scan.)

    2.) How do I go about posting the contents of the main.txt log here (when I can't connect to the internet using his computer)? Can it also be copied to a disk and then transferred to here?

    Sorry if these are simple questions that a novice should understand, but I'm not quite there yet and I certainly don't want to make matters worse than they already are!

    Thanks again!
    Vicki
     
  5. 2008/01/17
    noahdfear, Inactive
    Yes.
    No.
    Yes.
     
  6. 2008/01/18
    Vicki, Well-Known Member, Thread Starter
    Here goes:

    I'm hoping I did this correctly (note fingers crossed), and here is the main.txt log of Deckard's System Scanner:

    Deckard's System Scanner v20071014.68
    Run by Owner on 2008-01-18 14:20:40
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------



    -- Last 5 Restore Point(s) --
    139: 2008-01-18 20:14:28 UTC - RP151 - Deckard's System Scanner Restore Point
    138: 2008-01-17 19:56:30 UTC - RP150 - Spyware Doctor: Cleaning Threats
    137: 2008-01-16 00:05:59 UTC - RP149 - Spyware Doctor: Cleaning Threats
    136: 2008-01-16 00:05:23 UTC - RP148 - Spyware Doctor: Cleaning Threats
    135: 2008-01-15 13:16:02 UTC - RP147 - System Checkpoint


    -- First Restore Point --
    1: 2007-12-22 00:18:01 UTC - RP13 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 495 MiB (512 MiB recommended).


    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-01-18 14:21:49
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\WINDOWS\system32\slmdmsr.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\alg.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Owner\Desktop\dss.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: {f6f3eabe-8524-180b-0de4-dfc9d2dd21a4} - {4a12dd2d-9cfd-4ed0-b081-4258ebae3f6f} - C:\WINDOWS\system32\vpojplps.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O2 - BHO: (no name) - {BD87A919-001A-4049-875E-659D6DE99AEC} - C:\WINDOWS\system32\advpack(2.dll
    O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\ddcbbcb.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/downl...-495c-b89f-c1c34c691085/LegitCheckControl.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141944401843
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
    O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: ddcbbcb - C:\WINDOWS\system32\ddcbbcb.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: SmartLinkService (SLService) - Unknown owner - C:\WINDOWS\system32\slmdmsr.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


    --
    End of file - 8309 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 RecAgent - c:\windows\system32\drivers\sldrv\recagent.sys <Not Verified; ; Modem>
    R0 ssbgdcxf - c:\windows\system32\drivers\qeeeicen.dat
    R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
    R3 SMBios (Intel (R) System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel (R) System Management BIOS Driver>

    S3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
    S3 iscFlash - c:\windows\system32\drivers\iscflash.sys (file missing)
    S3 Mtlmnt5 - c:\windows\system32\drivers\sldrv\mtlmnt5.sys <Not Verified; ; Modem>
    S3 Mtlstrm - c:\windows\system32\drivers\sldrv\mtlstrm.sys <Not Verified; ; Modem>
    S3 Slntamr (SmartLink AMR_PCI Driver) - c:\windows\system32\drivers\sldrv\slntamr.sys <Not Verified; ; Modem>
    S3 SlNtHal - c:\windows\system32\drivers\sldrv\slnthal.sys <Not Verified; ; Modem>
    S3 SlWdmSup - c:\windows\system32\drivers\sldrv\slwdmsup.sys <Not Verified; ; Modem>
    S3 SQTECH905C (DualCamera) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 SLService (SmartLinkService) - slmdmsr.exe <Not Verified; ; Modem>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2008-01-13 16:35:18 240 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job


    -- Files created between 2007-12-18 and 2008-01-18 -----------------------------

    2008-01-31 00:07:03 0 d-------- C:\Program Files\Windows Media Connect 2
    2008-01-31 00:04:40 0 d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-01-17 11:05:50 0 d-------- C:\Program Files\Windows Live Safety Center
    2008-01-17 09:40:54 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2008-01-17 09:30:38 102912 --a------ C:\WINDOWS\system32\islzma.dll
    2008-01-17 09:30:24 428032 --a------ C:\WINDOWS\WRServices.dll <Not Verified; Webroot Software, Inc; >
    2008-01-17 09:30:24 0 d-------- C:\Program Files\Webroot
    2008-01-17 09:30:24 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
    2008-01-13 08:36:30 0 dr-h----- C:\$VAULT$.AVG
    2008-01-13 08:33:16 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2008-01-13 08:32:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-01-13 08:32:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-12 12:08:27 0 d-------- C:\Program Files\Enigma Software Group
    2008-01-11 12:37:42 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-01-11 12:37:24 0 d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
    2008-01-11 12:32:56 0 d-------- C:\WINDOWS\system32\runtime
    2008-01-11 10:36:49 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
    2008-01-11 10:36:48 0 d-------- C:\Program Files\SpywareBlaster
    2008-01-10 14:59:01 0 d-------- C:\Documents and Settings\Owner\Application Data\PrivacyConductor
    2008-01-10 14:50:00 0 d-------- C:\Program Files\Common Files\PrivacyConductor
    2008-01-10 14:47:09 18688 --a------ C:\WINDOWS\system32\drivers\qeeeicen.dat
    2008-01-10 14:47:05 53248 --a------ C:\WINDOWS\system32\browsew.dll
    2008-01-10 14:46:34 100608 --a------ C:\WINDOWS\system32\advpack(2.dll
    2008-01-02 19:52:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-01-02 19:31:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-01-02 17:05:46 0 d-------- C:\cabs
    2008-01-02 17:05:42 126976 --a------ C:\WINDOWS\system32\unzdll.dll <Not Verified; ; BCB/Delphi UnZip>
    2008-01-02 17:05:41 0 d-------- C:\Program Files\Gateway
    2008-01-02 17:03:03 17505 -ra------ C:\DBI.EXE
    2008-01-02 17:00:31 13696 -ra------ C:\WINDOWS\system32\drivers\BIOS.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
    2008-01-02 16:47:25 0 d-------- C:\WINDOWS\Prefetch
    2007-12-30 18:24:39 0 d-------- C:\Program Files\Spyware Doctor
    2007-12-28 22:16:13 0 d-------- C:\WINDOWS\BDOSCAN8
    2007-12-28 15:58:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
    2007-12-28 03:00:18 6291456 --a------ C:\Documents and Settings\Owner\ntuser.dat
    2007-12-21 18:17:50 19278 --ahs---- C:\WINDOWS\system32\yycdd.ini2


    -- Find3M Report ---------------------------------------------------------------

    2008-02-07 17:13:05 0 d-------- C:\Program Files\Logitech
    2008-02-07 17:13:05 0 d-------- C:\Program Files\Common Files
    2008-02-01 09:46:30 0 d-------- C:\Program Files\Kodak
    2008-01-17 17:43:41 0 d-------- C:\Program Files\Java
    2008-01-13 10:53:27 0 d-------- C:\Program Files\QuickTime
    2008-01-11 16:37:53 5632 --ahs---- C:\Program Files\Thumbs.db
    2008-01-11 12:40:33 0 d-------- C:\Program Files\Google
    2008-01-10 17:42:18 56264 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
    2008-01-03 02:08:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
    2008-01-02 16:37:05 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2007-12-23 22:04:22 618 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2007-12-23 20:44:05 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-12-09 23:06:42 0 d-------- C:\Program Files\LimeWire
    2007-10-25 10:26:48 53248 --a------ C:\WINDOWS\bdoscandel.exe


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4a12dd2d-9cfd-4ed0-b081-4258ebae3f6f}]
    C:\WINDOWS\system32\vpojplps.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD87A919-001A-4049-875E-659D6DE99AEC}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
    C:\WINDOWS\system32\ddcbbcb.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" []
    "AVG7_CC"= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/13/2008 08:32 AM]
    "SDTray"= "C:\Program Files\Spyware Doctor\SDTrayApp.exe" []
    "SpySweeper"= "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [07/06/2005 04:16 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"= "C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
    "swg"= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [01/02/2008 07:52 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [1/2/2008 7:52:09 PM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"= C:\WINDOWS\system32\ddcbbcb.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcbbcb]
    ddcbbcb.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcyy

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
    @= "Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\88644ab1]
    rundll32.exe "C:\WINDOWS\system32\dhyufagf.dll",b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    C:\WINDOWS\system32\ddcyy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca291ff0-c325-11da-84c1-806d6172696f}]
    play\Command- "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"




    -- End of Deckard's System Scanner: finished at 2008-01-18 14:25:01 ------------


    Will wait for further instructions, of course. Is it safe to shut down/turn off the infected computer at this point? (The log files have been saved.)

    Thanks again for your assistance!

    Vicki
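An added illustration, not part of this thread and not code from Deckard's System Scanner, HijackThis or ComboFix: the log above carries the structural signs a malware-removal helper reads first, and they can be checked mechanically. The Python script below applies defender-side rules to HijackThis-style lines: an autostart entry marked "(file missing)", a Browser Helper Object with no product name loading straight from system32, a Winlogon Notify package outside the stock XP set, a boot-start driver whose image is not a .sys file, an LSA "Authentication Packages" value listing anything beyond msv1_0, and a service with an unknown owner. The sample lines are excerpted from the log posted above; the STOCK_NOTIFY allowlist, the severity levels and all function names are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed test input: lines excerpted from the Deckard's System Scanner log
# posted above (HijackThis-clone section, driver list and registry dump).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {f6f3eabe-8524-180b-0de4-dfc9d2dd21a4} - {4a12dd2d-9cfd-4ed0-b081-4258ebae3f6f} - C:\WINDOWS\system32\vpojplps.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BD87A919-001A-4049-875E-659D6DE99AEC} - C:\WINDOWS\system32\advpack(2.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\ddcbbcb.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: ddcbbcb - C:\WINDOWS\system32\ddcbbcb.dll (file missing)
O23 - Service: SmartLinkService (SLService) - Unknown owner - C:\WINDOWS\system32\slmdmsr.exe
R0 ssbgdcxf - c:\windows\system32\drivers\qeeeicen.dat
R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcyy
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


# Winlogon Notify packages shipped with Windows XP (assumption: extend for other builds).
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
                "senslogn", "termsrv", "wlballoon", "igfxcui", "atiextevent"}
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.IGNORECASE)
DRIVE_RE = re.compile(r"[a-z]:\\", re.IGNORECASE)
DRIVER_RE = re.compile(r"R[01] \S+ - [a-z]:\\", re.IGNORECASE)  # DSS driver list, not HJT R1


def extract_path(line: str) -> Optional[str]:
    """Return the last drive-letter path on the line with DSS/HJT trailers removed."""
    hits = list(DRIVE_RE.finditer(line))
    if not hits:
        return None
    path = line[hits[-1].start():]
    # Trailers: " (file missing)", "<Not Verified; ...>", "[timestamp]".
    path = re.split(r"\s+\(file missing\)|\s*<|\s*\[", path, maxsplit=1)[0]
    # Command-line arguments after the extension, e.g. "avgcc.exe /STARTUP".
    path = re.sub(r"(\.\w{2,4})\s+\S.*$", r"\1", path)
    return path.strip().rstrip('"')


def in_system32(path: str) -> bool:
    return "\\windows\\system32\\" in path.lower()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def bho_name(line: str) -> str:
    """'O2 - BHO: <name> - {CLSID} - <path>' -> <name>."""
    return line.split("O2 - BHO:", 1)[1].split(" - {", 1)[0].strip()


def triage_line(line: str) -> List[Finding]:
    line = line.strip()
    if not line:
        return []
    findings = []
    path = extract_path(line)
    base = basename(path) if path else ""

    if "(file missing)" in line:
        findings.append(Finding("medium", "autostart entry points at a file that no longer "
                                "exists; the registry reference is still live and needs removal", line))
    if line.startswith("O2 - BHO:"):
        name = bho_name(line)
        if (name == "(no name)" or GUID_RE.match(name)) and path and in_system32(path):
            findings.append(Finding("high", "Browser Helper Object with no product name "
                                    "loading straight from system32", line))
    elif line.startswith("O20 - Winlogon Notify:"):
        if base.rsplit(".", 1)[0] not in STOCK_NOTIFY:
            findings.append(Finding("high", "Winlogon Notify package outside the stock set; "
                                    "it is loaded into winlogon.exe at every logon", line))
    elif line.startswith("O23 - Service:") and "Unknown owner" in line:
        findings.append(Finding("low", "service binary has no recorded publisher; verify it "
                                "against the installed hardware and software", line))
    elif DRIVER_RE.match(line) and not base.endswith(".sys"):
        findings.append(Finding("high", "boot/system-start driver whose image is not a .sys file", line))
    elif line.startswith('"Authentication Packages"'):
        extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "msv1_0"]
        if extra:
            findings.append(Finding("high", "LSA Authentication Packages lists more than msv1_0; "
                                    "the extra package loads into lsass.exe at boot: " + ", ".join(extra), line))
    return findings


def triage(log: str) -> List[Finding]:
    return [f for line in log.splitlines() for f in triage_line(line)]


def summarize(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity.upper():<6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run as a script it prints each finding with its severity; on these lines it reports six high, three medium and one low. The low one is the SmartLink service (slmdmsr.exe), which the DSS driver list attributes to the modem, so the rule only asks for verification rather than calling it malicious. The "(file missing)" entries are reported separately from the high findings because the file itself is already gone: what remains to clean is the registry reference, which is the kind of leftover the follow-up tools in this thread remove.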
     
  7. 2008/01/18
    noahdfear, Inactive
    Not too bad from what I can see. We should be able to clean it up easily enough. ;)

    Download ComboFix by sUBs from here, and transfer it to the desktop.

    It's best to disable real-time protection applications, as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows.
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you log on. Wait for it to complete. When finished, it will open a log for you. You can re-enable the internet connection now and post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  8. 2008/01/18
    Vicki, Well-Known Member, Thread Starter
    A couple more questions...

    This sure sounds encouraging :D

    I have downloaded & transferred the ComboFix program to the infected computer and disabled everything that was suggested from that link you sent.

    But I haven't run the program yet (am headed off to work now, but will attempt it in the morning.)

    Here is where the question comes in:

    Do I need to re-enable all those things I disabled before I connect to the internet to post that log? I'm leery of not being protected! :eek:

    Thanks again for all your help!
    Vicki
     
  9. 2008/01/18
    noahdfear, Inactive
    Not sure what you disabled, but it's fine if you do re-enable them.

    I'm working tomorrow so it may be late afternoon or evening before I check in. ;)
     
  10. 2008/01/19
    Vicki, Well-Known Member, Thread Starter
    Combo fix results

    I did run ComboFix and tried to connect to the internet (using the infected computer), but had the same results as before, i.e. multiple IE windows would open after typing in an address, but no page errors. "End task" was the only way I could exit out of them.

    I also noticed there was a new icon for IE (it wasn't a shortcut icon) on the desktop, so I wasn't sure which one I should use to connect to the internet: the old desktop one or the newly created one. When I tried clicking on that new icon, it generated another IE icon; this one showed it to be a shortcut.

    Sorry if this sounds confusing, but that's my general state of mind when dealing with computers! :eek:

    Anyway, I did save the txt log from combofix so that I could post it here using my computer:

    ComboFix 08-01-18.5 - Owner 2008-01-19 16:13:23.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.163 [GMT -6:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\system32\advpack(2.dll
    C:\WINDOWS\system32\drivers\qeeeicen.dat
    C:\WINDOWS\system32\fgafuyhd.ini
    C:\WINDOWS\system32\gbmdouby.ini
    C:\WINDOWS\system32\yycdd.ini
    C:\WINDOWS\system32\yycdd.ini2

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_SSBGDCXF
    -------\ssbgdcxf


    ((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
    .

    2008-01-31 00:07 . 2008-02-06 19:31 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2008-01-31 00:04 . 2007-12-10 01:03 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-01-19 16:11 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-18 14:13 . 2008-01-18 14:13 <DIR> d-------- C:\Deckard
    2008-01-17 11:05 . 2008-01-17 11:06 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-01-17 09:30 . 2008-01-17 09:30 <DIR> d-------- C:\Program Files\Webroot
    2008-01-17 09:30 . 2008-01-17 09:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
    2008-01-17 09:30 . 2005-07-06 16:16 428,032 --a------ C:\WINDOWS\WRServices.dll
    2008-01-17 09:30 . 2005-05-19 14:06 102,912 --a------ C:\WINDOWS\system32\islzma.dll
    2008-01-13 08:33 . 2008-01-19 08:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2008-01-13 08:32 . 2008-01-13 08:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-01-13 08:32 . 2008-01-13 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-12 12:08 . 2008-01-12 12:08 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-01-11 12:37 . 2008-01-11 12:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
    2008-01-11 12:37 . 2008-01-19 16:18 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-01-11 12:37 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-01-11 12:37 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-01-11 12:37 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-01-11 12:37 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-01-11 12:32 . 2008-01-11 12:32 <DIR> d-------- C:\WINDOWS\system32\runtime
    2008-01-11 10:36 . 2008-01-16 21:31 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-01-11 10:36 . 2005-08-25 18:19 1,066,176 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
    2008-01-11 10:36 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
    2008-01-11 10:36 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
    2008-01-10 14:59 . 2008-01-10 14:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PrivacyConductor
    2008-01-10 14:50 . 2007-12-20 14:13 <DIR> d-------- C:\Program Files\Common Files\PrivacyConductor
    2008-01-10 14:47 . 2004-08-04 06:00 53,248 --a------ C:\WINDOWS\system32\browsew.dll
    2008-01-02 19:52 . 2008-01-19 15:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-01-02 19:31 . 2008-01-16 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-01-02 17:09 . 2004-08-20 15:50 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
    2008-01-02 17:05 . 2008-01-02 17:05 <DIR> d-------- C:\Program Files\Gateway
    2008-01-02 17:05 . 2008-01-02 17:05 126,976 --a------ C:\WINDOWS\system32\unzdll.dll
    2008-01-02 17:05 . 2008-01-02 17:05 199 --a------ C:\WINDOWS\system32\oeminfo.ini
    2008-01-02 17:03 . 2004-12-28 23:57 17,505 -ra------ C:\DBI.EXE
    2008-01-02 17:00 . 2005-03-16 00:23 13,696 -ra------ C:\WINDOWS\system32\drivers\BIOS.sys
    2008-01-02 16:43 . 2004-08-04 06:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-01-02 16:42 . 2004-08-04 06:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
    2008-01-02 16:41 . 2003-03-24 16:52 20,540 --a--c--- C:\WINDOWS\system32\dllcache\admin.dll
    2008-01-02 16:39 . 2004-08-04 06:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
    2008-01-02 16:39 . 2008-01-02 16:39 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-01-02 16:39 . 2008-01-02 16:39 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-01-02 16:39 . 2008-01-02 16:39 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-01-02 16:39 . 2008-01-02 16:39 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-01-02 16:39 . 2008-01-02 16:39 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-01-02 16:38 . 2004-08-04 06:00 214,528 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
    2008-01-02 16:38 . 2004-08-04 06:00 86,016 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
    2008-01-02 16:38 . 2004-08-04 06:00 32,768 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll
    2008-01-02 16:38 . 2004-08-04 06:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
    2008-01-02 15:17 . 2004-08-04 00:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
    2008-01-02 15:17 . 2004-08-03 22:29 1,897,408 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
    2007-12-30 18:24 . 2008-01-17 10:08 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-12-30 18:23 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-12-28 22:16 . 2007-12-28 23:01 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2007-12-28 15:58 . 2007-12-28 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
    2007-12-27 21:05 . 2007-12-27 21:05 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
    2007-12-23 20:41 . 2007-12-23 20:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-23 20:41 . 2007-12-23 20:41 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-22 14:03 . 2007-12-24 08:14 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
    2007-12-22 14:03 . 2007-12-24 08:14 118,784 --a------ C:\WINDOWS\system32\hkcmd .exe
    2007-12-22 14:03 . 2008-01-12 12:20 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-07 23:13 --------- d-----w C:\Program Files\Logitech
    2008-02-01 15:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
    2008-02-01 15:46 --------- d-----w C:\Program Files\Kodak
    2008-01-17 23:43 --------- d-----w C:\Program Files\Java
    2008-01-13 22:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-13 16:53 --------- d-----w C:\Program Files\QuickTime
    2008-01-11 22:37 5,632 --sha-w C:\Program Files\Thumbs.db
    2008-01-11 18:40 --------- d-----w C:\Program Files\Google
    2008-01-11 15:05 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-01-11 15:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-12-24 04:04 618 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2007-12-24 02:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-20 20:08 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-12-20 20:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-12-10 05:06 --------- d-----w C:\Program Files\LimeWire
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-25 16:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
    2007-07-28 00:02 338 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
    2007-07-27 23:34 13,046 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
    2007-07-27 23:34 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb4604.dat
    2007-07-27 23:11 177,152 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
    2006-08-24 00:46 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb3902.dat
    2006-08-05 05:20 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb9912.dat
    2006-08-05 05:20 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb153.dat
    2006-05-24 11:54 84,992 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb1869.dat
    2006-05-23 13:15 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb2391.dat
    2006-05-05 10:07 0 ----a-w C:\Documents and Settings\Guest\Application Data\wklnhst.dat
    .
    Code:
    <pre>
    ----a-w            68,856 2007-12-24 14:14:57  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    ----a-w           579,072 2007-12-24 07:57:12  C:\Program Files\Grisoft\AVG7\avgcc .exe
    ----a-w           219,136 2007-12-30 22:00:32  C:\Program Files\Grisoft\AVG7\avgw .exe
    ----a-w           132,496 2007-12-24 14:14:57  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    ----a-w         1,065,288 2008-01-13 03:06:06  C:\Program Files\Spyware Doctor\SDTrayApp .exe
    ----a-w            15,360 2008-01-12 18:20:10  C:\WINDOWS\system32\ctfmon .exe
    ----a-w           118,784 2007-12-24 14:14:55  C:\WINDOWS\system32\hkcmd .exe
    ----a-w           155,648 2007-12-24 14:14:55  C:\WINDOWS\system32\igfxtray .exe
    </pre>

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4a12dd2d-9cfd-4ed0-b081-4258ebae3f6f}]
    C:\WINDOWS\system32\vpojplps.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-02 19:52 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-13 08:32 579072]
    "SDTray "= "C:\Program Files\Spyware Doctor\SDTrayApp.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-13 08:32 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-02 19:52:09]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcbbcb]
    ddcbbcb.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\88644ab1]
    C:\WINDOWS\system32\dhyufagf.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    C:\WINDOWS\system32\ddcyy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    --a------ 2004-08-25 17:28 1871872 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2008-01-02 19:52 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    -ra------ 2006-03-30 15:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 00:23]
    S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 21:28]
    S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
    S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 03:50]
    S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2005-05-18 12:52]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca291ff0-c325-11da-84c1-806d6172696f}]
    \shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L "

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-13 22:35:18 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job "
    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-19 16:18:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-19 16:20:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-19 22:20:36
    .
    2008-01-11 15:09:03 --- E O F ---


    Next step?

    Really appreciate all your help in assisting me with this!!
    Vicki
     
  11. 2008/01/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    ComboFix has yet more updates, so please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to the desktop.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to the desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    RenV::
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    C:\Program Files\Grisoft\AVG7\avgcc .exe
    C:\Program Files\Grisoft\AVG7\avgw .exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    C:\Program Files\Spyware Doctor\SDTrayApp .exe
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\hkcmd .exe
    C:\WINDOWS\system32\igfxtray .exe
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4a12dd2d-9cfd-4ed0-b081-4258ebae3f6f}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcbbcb]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\88644ab1]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    See how the computer reacts being connected after completing the above ComboFix routine.
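    The two things this script does, renaming the " .exe" files back (RenV::) and removing the loading points (Registry::), can be checked mechanically from the log. The triage helper below is an added example for this thread, not ComboFix's own code and not something noahdfear posted: it runs over a constructed log sample built from the entries shown above, lists every executable with a space before its extension, flags the kinds of loading points the script removes (a Winlogon Notify DLL, the 'Load' entry, a BHO living in system32, startup entries pointing at a DLL), and drafts a CFScript in the same shape. The flagging rules are heuristics chosen for this example, not ComboFix's logic, and the output is a draft for a human to review.

```python
"""Triage of a ComboFix-style log (added example; not ComboFix's own code).
Finds executables with a space before the extension (what RenV:: renames back)
and loading points of the kinds Registry:: removes. Rules are heuristics."""
import re

# Constructed sample in the shape of the log above; values taken from the thread.
SAMPLE_LOG = r"""
2007-12-22 14:03 . 2007-12-24 08:14 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-22 14:03 . 2008-01-12 12:20 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-30 18:23 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4a12dd2d-9cfd-4ed0-b081-4258ebae3f6f}]
C:\WINDOWS\system32\vpojplps.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcbbcb]
ddcbbcb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\88644ab1]
C:\WINDOWS\system32\dhyufagf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\ddcyy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2004-08-25 17:28 1871872 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
"""

# A drive-letter path, cut at a quote or bracket so "[date size]" tails drop off.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]*')
# A file name whose extension is preceded by a space, e.g. "igfxtray .exe".
SPACE_EXT_RE = re.compile(r"[^\\\s] \.(exe|dll|sys|ocx|scr)$", re.I)
KEY_RE = re.compile(r"^\[[^\]]+\]$")


def extract_path(text):
    """Return the first Windows path in a log line, or None."""
    m = PATH_RE.search(text)
    return m.group(0).rstrip() if m else None


def find_space_renamed(log_text):
    """Paths whose file name has a space before the extension, in log order."""
    found = []
    for raw in log_text.splitlines():
        path = extract_path(raw)
        if path and SPACE_EXT_RE.search(path) and path not in found:
            found.append(path)
    return found


def parse_loading_points(log_text):
    """Return (key, payload_lines) blocks from the Reg Loading Points section."""
    section = log_text.split("Reg Loading Points", 1)[-1]
    blocks = []
    for para in re.split(r"\n\s*\n", section):  # blocks are blank-line separated
        lines = [l.strip() for l in para.strip().splitlines()]
        if lines and KEY_RE.match(lines[0]):
            blocks.append((lines[0][1:-1], lines[1:]))
    return blocks


def suspicious_reason(key, payloads):
    """Heuristic verdict for one loading point; None means nothing to flag."""
    k = key.lower()
    paths = [(extract_path(p) or p).lower() for p in payloads]
    in_sys32 = any("\\system32\\" in p for p in paths)
    if "\\winlogon\\notify\\" in k:
        return "Winlogon Notify package: DLL loaded into every logon session"
    if k.endswith("\\startupreg\\load") and in_sys32:
        return "'Load' startup entry pointing at a loose executable in system32"
    if "\\browser helper objects\\" in k and in_sys32:
        return "BHO loading its DLL straight from system32 rather than a vendor folder"
    if (k.endswith("\\run") or "\\startupreg\\" in k) and any(p.endswith(".dll") for p in paths):
        return "startup entry that points at a DLL instead of a program"
    return None


def flag_loading_points(log_text):
    """List of (key, reason) for every loading point a rule fires on."""
    pairs = ((k, suspicious_reason(k, p)) for k, p in parse_loading_points(log_text))
    return [(k, r) for k, r in pairs if r]


def build_cfscript(log_text):
    """Draft a CFScript in the shape used in the thread, for a human to review."""
    lines = []
    if renames := find_space_renamed(log_text):
        lines += ["RenV::", *renames]
    if flagged := flag_loading_points(log_text):
        lines += ["Registry::", *(f"[-{key}]" for key, _ in flagged)]
    return "\n".join(lines)
```

Running `build_cfscript(SAMPLE_LOG)` reproduces the RenV:: and Registry:: sections of the script above for the sample; the draft still needs a human to confirm each entry before it is used.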
     
  12. 2008/01/20
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    403
    Likes Received:
    7
    No change

    I just finished completing all the steps you advised and had my hopes that this would help, but alas, no such luck! :(

    I can connect to the internet and view whatever I set the "home page" to (via internet options). But as soon as I type in an address in the address bar, a new IE window will open, but with nothing displayed. The only way to close it is by "ending task" and that does generate a "this program is not responding" message (just as it previously did).

    I did save the Combofix log (from the new scan you instructed me to do):


    ComboFix 08-01-20.1 - Owner 2008-01-20 7:57:11.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.149 [GMT -6:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
    .

    2008-01-31 00:07 . 2008-02-06 19:31 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2008-01-31 00:04 . 2007-12-10 01:03 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-01-19 16:11 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-18 14:13 . 2008-01-18 14:13 <DIR> d-------- C:\Deckard
    2008-01-17 11:05 . 2008-01-17 11:06 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-01-17 09:30 . 2008-01-17 09:30 <DIR> d-------- C:\Program Files\Webroot
    2008-01-17 09:30 . 2008-01-17 09:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
    2008-01-17 09:30 . 2005-07-06 16:16 428,032 --a------ C:\WINDOWS\WRServices.dll
    2008-01-17 09:30 . 2005-05-19 14:06 102,912 --a------ C:\WINDOWS\system32\islzma.dll
    2008-01-13 08:33 . 2008-01-20 08:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2008-01-13 08:32 . 2008-01-13 08:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-01-13 08:32 . 2008-01-13 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-12 12:08 . 2008-01-12 12:08 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-01-11 12:37 . 2008-01-11 12:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
    2008-01-11 12:37 . 2008-01-20 08:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-01-11 12:37 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-01-11 12:37 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-01-11 12:37 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-01-11 12:37 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-01-11 12:32 . 2008-01-11 12:32 <DIR> d-------- C:\WINDOWS\system32\runtime
    2008-01-11 10:36 . 2008-01-16 21:31 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-01-11 10:36 . 2005-08-25 18:19 1,066,176 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
    2008-01-11 10:36 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
    2008-01-11 10:36 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
    2008-01-10 14:59 . 2008-01-10 14:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PrivacyConductor
    2008-01-10 14:50 . 2007-12-20 14:13 <DIR> d-------- C:\Program Files\Common Files\PrivacyConductor
    2008-01-10 14:47 . 2004-08-04 06:00 53,248 --a------ C:\WINDOWS\system32\browsew.dll
    2008-01-02 19:52 . 2008-01-20 07:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-01-02 19:31 . 2008-01-16 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-01-02 17:09 . 2004-08-20 15:50 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
    2008-01-02 17:05 . 2008-01-02 17:05 <DIR> d-------- C:\Program Files\Gateway
    2008-01-02 17:05 . 2008-01-02 17:05 126,976 --a------ C:\WINDOWS\system32\unzdll.dll
    2008-01-02 17:05 . 2008-01-02 17:05 199 --a------ C:\WINDOWS\system32\oeminfo.ini
    2008-01-02 17:03 . 2004-12-28 23:57 17,505 -ra------ C:\DBI.EXE
    2008-01-02 17:00 . 2005-03-16 00:23 13,696 -ra------ C:\WINDOWS\system32\drivers\BIOS.sys
    2008-01-02 16:43 . 2004-08-04 06:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-01-02 16:42 . 2004-08-04 06:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
    2008-01-02 16:41 . 2003-03-24 16:52 20,540 --a--c--- C:\WINDOWS\system32\dllcache\admin.dll
    2008-01-02 16:39 . 2004-08-04 06:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
    2008-01-02 16:39 . 2008-01-02 16:39 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-01-02 16:39 . 2008-01-02 16:39 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-01-02 16:39 . 2008-01-02 16:39 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-01-02 16:39 . 2008-01-02 16:39 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-01-02 16:39 . 2008-01-02 16:39 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-01-02 16:38 . 2004-08-04 06:00 214,528 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
    2008-01-02 16:38 . 2004-08-04 06:00 86,016 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
    2008-01-02 16:38 . 2004-08-04 06:00 32,768 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll
    2008-01-02 16:38 . 2004-08-04 06:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
    2008-01-02 15:17 . 2004-08-04 00:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
    2008-01-02 15:17 . 2004-08-03 22:29 1,897,408 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
    2007-12-30 18:24 . 2008-01-20 07:57 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-12-30 18:23 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-12-28 22:16 . 2007-12-28 23:01 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2007-12-28 15:58 . 2007-12-28 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
    2007-12-27 21:05 . 2007-12-27 21:05 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
    2007-12-23 20:41 . 2007-12-23 20:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-23 20:41 . 2007-12-23 20:41 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-22 14:03 . 2007-12-24 08:14 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
    2007-12-22 14:03 . 2007-12-24 08:14 118,784 --a------ C:\WINDOWS\system32\hkcmd.exe
    2007-12-22 14:03 . 2008-01-12 12:20 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
    2007-12-22 14:03 . 2008-01-12 12:20 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-07 23:13 --------- d-----w C:\Program Files\Logitech
    2008-02-01 15:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
    2008-02-01 15:46 --------- d-----w C:\Program Files\Kodak
    2008-01-17 23:43 --------- d-----w C:\Program Files\Java
    2008-01-13 22:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-13 16:53 --------- d-----w C:\Program Files\QuickTime
    2008-01-11 22:37 5,632 --sha-w C:\Program Files\Thumbs.db
    2008-01-11 18:40 --------- d-----w C:\Program Files\Google
    2008-01-11 15:05 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-01-11 15:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-12-24 04:04 618 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2007-12-24 02:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-20 20:08 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-12-20 20:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-12-10 05:06 --------- d-----w C:\Program Files\LimeWire
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-25 16:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
    2007-07-28 00:02 338 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
    2007-07-27 23:34 13,046 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
    2007-07-27 23:34 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb4604.dat
    2007-07-27 23:11 177,152 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
    2006-08-24 00:46 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb3902.dat
    2006-08-05 05:20 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb9912.dat
    2006-08-05 05:20 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb153.dat
    2006-05-24 11:54 84,992 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb1869.dat
    2006-05-23 13:15 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb2391.dat
    2006-05-05 10:07 0 ----a-w C:\Documents and Settings\Guest\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-19_16.20.05.04 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-19 22:12:47 1,413,120 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-20 13:56:35 1,413,120 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-19 22:12:47 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-20 13:56:35 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-19 22:12:47 1,400,832 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-20 13:56:35 1,400,832 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-19 22:12:47 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-20 13:56:35 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-19 22:12:48 6,144,000 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
    + 2008-01-20 13:56:35 6,144,000 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
    - 2008-01-19 22:12:48 176,128 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-20 13:56:35 176,128 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2008-01-12 12:20 15360]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-24 08:14 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-24 08:14 132496]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-24 01:57 579072]
    "SDTray "= "C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2008-01-12 21:06 1065288]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-30 16:00 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-02 19:52:09 124400]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-01-12 12:20 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2007-12-24 08:14 118784 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2007-12-24 08:14 155648 C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    --a------ 2004-08-25 17:28 1871872 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-12-24 08:14 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    -ra------ 2006-03-30 15:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 00:23]
    S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 21:28]
    S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
    S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 03:50]
    S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2005-05-18 12:52]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca291ff0-c325-11da-84c1-806d6172696f}]
    \shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L "

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-13 22:35:18 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job "
    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-20 08:01:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0


    Are we getting any closer?? :confused:

    I really truly do appreciate your assistance. I can't imagine how difficult this must be when you can't actually physically see what is happening on the computer you're trying to fix! :eek:

    Will await further instructions.

    Thanks again!
    Vicki
     
  13. 2008/01/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes, we're getting closer. ;)

    Right click the desktop and select New>Shortcut
    Enter the bolded address below into the location field

    http://www.pandasoftware.com/products/activescan.htm

    Click Next then type Panda for the name field.
    Click Finish

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\browsew.dll
    C:\Documents and Settings\Owner\Application Data\inifile41.ini
    C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
    C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
    C:\Documents and Settings\Owner\Application Data\internaldb4604.dat
    C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
    C:\Documents and Settings\Owner\Application Data\internaldb3902.dat
    C:\Documents and Settings\Owner\Application Data\internaldb9912.dat
    C:\Documents and Settings\Owner\Application Data\internaldb153.dat
    C:\Documents and Settings\Owner\Application Data\internaldb1869.dat
    C:\Documents and Settings\Owner\Application Data\internaldb2391.dat
    Folder::
    C:\WINDOWS\system32\SearchTool
    C:\Documents and Settings\Owner\Application Data\PrivacyConductor
    C:\Program Files\Common Files\PrivacyConductor
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    After you've run ComboFix, double click the Panda shortcut. Internet Explorer should open to the Panda ActiveScan page.

    • Once you are on the Panda site click the Scan your PC now button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Select the appropriate Yes or No to receiving marketing information
    • Click the Free Online Scan button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report along with the ComboFix log.
     
  14. 2008/01/20
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    403
    Likes Received:
    7
    Still no luck

    I'm beginning to think I've goofed up somewhere?! :( I did all the steps you stated doing, but even after creating that new shortcut on the desktop (for the Panda site), I couldn't view the website.

    So I did change the homepage on the IE icon (that is normally used), via Internet Properties, to that address and it did load up, but as soon as I clicked on the "scan my computer" and the new window opened, it was back to the same results as previous tries (not responding, having to "end task" to quit the program, etc.). So I was unable to do the scan (thus no log from there to post).

    I did save the new Combofix log:

    ComboFix 08-01-20.1 - Owner 2008-01-20 10:45:00.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.109 [GMT -6:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE
    C:\Documents and Settings\Owner\Application Data\inifile41.ini
    C:\Documents and Settings\Owner\Application Data\internaldb153.dat
    C:\Documents and Settings\Owner\Application Data\internaldb1869.dat
    C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
    C:\Documents and Settings\Owner\Application Data\internaldb2391.dat
    C:\Documents and Settings\Owner\Application Data\internaldb3902.dat
    C:\Documents and Settings\Owner\Application Data\internaldb4604.dat
    C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
    C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
    C:\Documents and Settings\Owner\Application Data\internaldb9912.dat
    C:\WINDOWS\system32\browsew.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Owner\Application Data\inifile41.ini
    C:\Documents and Settings\Owner\Application Data\internaldb153.dat
    C:\Documents and Settings\Owner\Application Data\internaldb1869.dat
    C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
    C:\Documents and Settings\Owner\Application Data\internaldb2391.dat
    C:\Documents and Settings\Owner\Application Data\internaldb3902.dat
    C:\Documents and Settings\Owner\Application Data\internaldb4604.dat
    C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
    C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
    C:\Documents and Settings\Owner\Application Data\internaldb9912.dat
    C:\Documents and Settings\Owner\Application Data\PrivacyConductor
    C:\Documents and Settings\Owner\Application Data\PrivacyConductor\Logs\update.log
    C:\Program Files\Common Files\PrivacyConductor
    C:\WINDOWS\system32\browsew.dll
    C:\WINDOWS\system32\SearchTool
    C:\WINDOWS\system32\SearchTool\SearchTool.dll
    C:\WINDOWS\system32\SearchTool\uninstallSE.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
    .

    2008-01-31 00:07 . 2008-02-06 19:31 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2008-01-31 00:04 . 2007-12-10 01:03 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-01-19 16:11 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-18 14:13 . 2008-01-18 14:13 <DIR> d-------- C:\Deckard
    2008-01-17 11:05 . 2008-01-17 11:06 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-01-17 09:30 . 2008-01-17 09:30 <DIR> d-------- C:\Program Files\Webroot
    2008-01-17 09:30 . 2008-01-17 09:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
    2008-01-17 09:30 . 2005-07-06 16:16 428,032 --a------ C:\WINDOWS\WRServices.dll
    2008-01-17 09:30 . 2005-05-19 14:06 102,912 --a------ C:\WINDOWS\system32\islzma.dll
    2008-01-13 08:33 . 2008-01-20 08:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2008-01-13 08:32 . 2008-01-13 08:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-01-13 08:32 . 2008-01-13 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-12 12:08 . 2008-01-12 12:08 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-01-11 12:37 . 2008-01-11 12:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
    2008-01-11 12:37 . 2008-01-20 10:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-01-11 12:37 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-01-11 12:37 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-01-11 12:37 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-01-11 12:37 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-01-11 12:32 . 2008-01-11 12:32 <DIR> d-------- C:\WINDOWS\system32\runtime
    2008-01-11 10:36 . 2008-01-16 21:31 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-01-11 10:36 . 2005-08-25 18:19 1,066,176 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
    2008-01-11 10:36 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
    2008-01-11 10:36 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
    2008-01-02 19:52 . 2008-01-20 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-01-02 19:31 . 2008-01-16 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-01-02 17:09 . 2004-08-20 15:50 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
    2008-01-02 17:05 . 2008-01-02 17:05 <DIR> d-------- C:\Program Files\Gateway
    2008-01-02 17:05 . 2008-01-02 17:05 126,976 --a------ C:\WINDOWS\system32\unzdll.dll
    2008-01-02 17:05 . 2008-01-02 17:05 199 --a------ C:\WINDOWS\system32\oeminfo.ini
    2008-01-02 17:03 . 2004-12-28 23:57 17,505 -ra------ C:\DBI.EXE
    2008-01-02 17:00 . 2005-03-16 00:23 13,696 -ra------ C:\WINDOWS\system32\drivers\BIOS.sys
    2008-01-02 16:43 . 2004-08-04 06:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-01-02 16:42 . 2004-08-04 06:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
    2008-01-02 16:41 . 2003-03-24 16:52 20,540 --a--c--- C:\WINDOWS\system32\dllcache\admin.dll
    2008-01-02 16:39 . 2004-08-04 06:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
    2008-01-02 16:39 . 2008-01-02 16:39 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-01-02 16:39 . 2008-01-02 16:39 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-01-02 16:39 . 2008-01-02 16:39 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-01-02 16:39 . 2008-01-02 16:39 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-01-02 16:39 . 2008-01-02 16:39 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-01-02 16:38 . 2004-08-04 06:00 214,528 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
    2008-01-02 16:38 . 2004-08-04 06:00 86,016 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
    2008-01-02 16:38 . 2004-08-04 06:00 32,768 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll
    2008-01-02 16:38 . 2004-08-04 06:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
    2008-01-02 15:17 . 2004-08-04 00:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
    2008-01-02 15:17 . 2004-08-03 22:29 1,897,408 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
    2007-12-30 18:24 . 2008-01-20 07:57 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-12-30 18:23 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-12-28 22:16 . 2007-12-28 23:01 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2007-12-28 15:58 . 2007-12-28 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
    2007-12-27 21:05 . 2007-12-27 21:05 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
    2007-12-23 20:41 . 2007-12-23 20:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-23 20:41 . 2007-12-23 20:41 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-22 14:03 . 2007-12-24 08:14 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
    2007-12-22 14:03 . 2007-12-24 08:14 118,784 --a------ C:\WINDOWS\system32\hkcmd.exe
    2007-12-22 14:03 . 2008-01-12 12:20 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
    2007-12-22 14:03 . 2008-01-12 12:20 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-07 23:13 --------- d-----w C:\Program Files\Logitech
    2008-02-01 15:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
    2008-02-01 15:46 --------- d-----w C:\Program Files\Kodak
    2008-01-17 23:43 --------- d-----w C:\Program Files\Java
    2008-01-13 22:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-13 16:53 --------- d-----w C:\Program Files\QuickTime
    2008-01-11 22:37 5,632 --sha-w C:\Program Files\Thumbs.db
    2008-01-11 18:40 --------- d-----w C:\Program Files\Google
    2008-01-11 15:05 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-01-11 15:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-12-24 04:04 618 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2007-12-24 02:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-20 20:08 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-12-20 20:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-12-10 05:06 --------- d-----w C:\Program Files\LimeWire
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-25 16:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
    2006-05-05 10:07 0 ----a-w C:\Documents and Settings\Guest\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-19_16.20.05.04 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-19 22:12:47 1,413,120 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-20 16:44:49 1,413,120 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-19 22:12:47 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-20 16:44:49 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-19 22:12:47 1,400,832 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-20 16:44:49 1,400,832 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-19 22:12:47 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-20 16:44:49 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-19 22:12:48 6,144,000 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
    + 2008-01-20 16:44:50 6,148,096 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
    - 2008-01-19 22:12:48 176,128 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-20 16:44:50 176,128 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2008-01-12 12:20 15360]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-24 08:14 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-24 08:14 132496]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-24 01:57 579072]
    "SDTray "= "C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2008-01-12 21:06 1065288]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-30 16:00 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-02 19:52:09 124400]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-01-12 12:20 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2007-12-24 08:14 118784 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2007-12-24 08:14 155648 C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    --a------ 2004-08-25 17:28 1871872 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-12-24 08:14 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    -ra------ 2006-03-30 15:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 00:23]
    S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 21:28]
    S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
    S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-11-07 03:50]
    S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2005-05-18 12:52]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca291ff0-c325-11da-84c1-806d6172696f}]
    \shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L "

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-13 22:35:18 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job "
    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-20 10:47:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-20 10:48:51
    ComboFix-quarantined-files.txt 2008-01-20 16:48:41
    ComboFix2.txt 2008-01-20 14:04:39
    ComboFix3.txt 2008-01-19 22:20:41
    .
    2008-01-11 15:09:03 --- E O F ---


    This is starting to worry me! How about you? :(

    Awaiting your next advice.

    Regards,
    Vicki
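A triage helper for the "Reg Loading Points" section of a ComboFix log such as the one posted above. This is an added example, not part of the thread and not ComboFix's own code; the sample log text is constructed in the page's format (with one made-up Application Data entry so the check has something to flag), and the user-writable-location heuristic is an assumption, not a ComboFix rule.

```python
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's "Reg Loading Points" layout, modelled on the log
# posted in the thread. The "updater" entry is made up to exercise the check below.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-12 12:20 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-24 08:14 68856]
"updater"="C:\Documents and Settings\Owner\Application Data\example\updater.exe" [2008-01-20 10:00 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-24 01:57 579072]
'''

# A key header looks like [HKEY_...\Run]; a value line looks like
# "name"="path" [YYYY-MM-DD HH:MM size]. Whitespace around '=' and inside the
# quotes is tolerated because forum pasting often inserts stray spaces there.
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(
    r'^"([^"]+)"\s*=\s*"([^"]+)"\s*\[(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+)\]$')

# Heuristic (an assumption for this example): an auto-start executable living in a
# location an ordinary user can write to is worth a closer look, since installers
# of legitimate software rarely put Run-key binaries inside a user profile or Temp.
USER_WRITABLE_HINTS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
)


@dataclass
class RunEntry:
    key: str
    name: str
    path: str
    date: str
    size: int
    suspicious: bool


def parse_reg_loading_points(text):
    """Return the Run-key entries found in a ComboFix 'Reg Loading Points' block."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, path, date, _time, size = m.groups()
            path = path.strip()
            flagged = any(h in path.lower() for h in USER_WRITABLE_HINTS)
            entries.append(RunEntry(key, name.strip(), path, date, int(size), flagged))
    return entries


def flagged_entries(text):
    """Only the entries whose executable sits in a user-writable location."""
    return [e for e in parse_reg_loading_points(text) if e.suspicious]


if __name__ == "__main__":
    for e in parse_reg_loading_points(SAMPLE_LOG):
        print(("FLAG " if e.suspicious else "ok   ") + e.name + " -> " + e.path)
```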
     
  15. 2008/01/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Try the Panda scan again. This time, when the new window opens blank, right click in the window and select Refresh. Let me know if it loads then.
     
  16. 2008/01/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    A couple of other things to try .......

    Go to Internet Options>Programs tab and click Manage Add-ons.
    In the Show field, select 'Add-ons currently loaded in Internet Explorer'
    Select each one and then disable it.
    OK out.
    Now click 'Reset Web Settings'
    Do not reset the homepage
    OK out
    Close all IE windows then re-open and check Panda again


    If no joy, continue with the following.

    Close all IE windows.
    Go to Start->Run and type in the following bolded command and click OK. Make sure to leave a space between regsvr32 and the filename.

    regsvr32 Urlmon.dll

    When you receive the "DllRegisterServer in urlmon.dll succeeded" message, click OK.
    Then do each of the following.

    regsvr32 Shell32.dll
    regsvr32 Oleaut32.dll
    regsvr32 Actxprxy.dll
    regsvr32 Mshtml.dll
    regsvr32 Shdocvw.dll


    Reboot and check IE again.
     
  17. 2008/01/21
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    403
    Likes Received:
    7
    update

    Sorry I hadn't responded sooner, but haven't had an opportunity to try your suggestions until now.

    Here are the results:

    No change when trying to open the desktop Panda icon (won't load, have to use "end task" to close)

    Using the IE icon (original desktop shortcut) w/the homepage set to that Panda site, will load, clicking on the scan computer will open a new window, right clicking in that window wouldn't do anything (the hourglass was showing and right-clicking wouldn't work?)

    The only one that I was not able to disable was the "windows advantage tool". All others disabled, but no change in trying to view webpage.



    Did all of those you listed & rebooted. :( However when rebooting I did receive a notice from the "Spy Sweeper" program under "alerts". It stated that "Spyware sweeper has detected changes to the Internet Explorer default pages, such as the Search Assistant page. To restore the original pages click "restore". To update Spy Sweeper with the new pages, click "keep new". This being a new program for me and not really sure if any of those "fixes" we had tried might have made any changes? I chose "keep new".

    Tried to go to the Panda site once more & still no luck (either using the Panda Icon you had me create or by using the original IE desktop icon.)

    I did notice that this time I could actually use the "x" close button and not have to use the "end task", but still receive the "program not responding" message after closing.

    Are we back to square one? :(
    Thanks again for your time & assistance!
    Vicki
     
  18. 2008/01/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's see if we can re-install Internet Explorer.
    • Click Start>Run and type (or copy and paste) %systemroot%\inf, then press Enter
    • Locate the Ie.inf file
    • Right-click the Ie.inf file, then select Install
    • If prompted for the XP installation cd, insert it to the cd-rom drive and click OK, or click Browse and navigate to and select the i386 folder on your drive (you may want to do a search for this ahead of time .... usually in C: or C:\Windows) then click OK
    • Restart the computer when the file copy process is complete
    • See if Internet Explorer is working properly now
     
  19. 2008/01/22
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    403
    Likes Received:
    7
    Somewhat confused...

    Ok, maybe a lot confused!:eek:

    After performing the start>run directions you gave, I am currently sitting with the "files needed" open on the infected computer. It does prompt me for the XP installation disk, but also shows in the "copy files from" : C:\WINDOWS\inf\i386

    I think I need a little more help. If I use the cd, do I need to change the "copy files" from to something else? Or if I use the copy files from what is currently listed, is that the correct place that they will be found?

    I know you mentioned doing a search for this ahead of time, but I guess I wasn't really sure what it was I should be searching for (I know you stated i386) but not too sure on how to search for it??:confused: (That's the beginner status in me shining through!)

    Thanks again for all your help!
    Vicki
     
  20. 2008/01/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    i386 is a folder, and it's generally located in Local Disc C: or C:\Windows. I doubt the one in C:\Windows\inf is the correct one. Best to just insert the cd, then click Browse on the 'copy files' dialog. In the browse dialog, select the cd-rom drive and navigate to the i386 folder on the cd. Select the folder and click OK, then OK on the 'copy files' dialog.
     
  21. 2008/01/22
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    403
    Likes Received:
    7
    New problem?

    Thank you noahdfear for all your patience with me in trying to resolve the issues I've been having! I really, truly do appreciate it!

    I did insert the cd and clicked browse like you suggested. Found the i386 folder and clicked "Open" (on the file IEXPLORE.EX_ that was already preselected) but when trying to copy, I get the copy error message "Setup cannot copy the file IEXPLORE.EX_" Clicking on "retry" produces the same results.

    Good grief, I hope there's not something wrong with the XP disk too!!:eek:

    Vicki
     
