
Solved Badly infected computer, reformat best option??

Discussion in 'Malware and Virus Removal Archive' started by Vicki, 2008/01/17.

  1. 2008/02/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Not the results I was expecting, and they leave me a bit more perplexed. :confused:

    Download ATF Cleaner by Atribune and save it to your Desktop.
    Run it and click Select All, then click Empty Selected.
    When you get the "Done Cleaning" message, click OK then exit.

    Open HijackThis and do a Scan only. Place a check next to the following entry, then click Fix Checked.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    Close HijackThis.

    Highlight and copy the bolded text below.

    sc stop ssbgdcxf
    sc delete ssbgdcxf
    ipconfig /release
    ipconfig /flushdns
    ipconfig /renew
    exit
    cls


    Click Start>Run and type cmd then hit Enter to open a command window. Now, close all IE windows then right click in the command window and select Paste. When the command window closes, restart the computer.

    Check to see if there's any change in IE and if not, copy the bolded command below, click Start>Run and paste the command on the run line, then hit enter.

    notepad %systemroot%\system32\drivers\etc\hosts

    Post the contents of the notepad file that opens.
     
  2. 2008/02/06
    noahdfear

    I also noticed an entry in the Deckard's log that although the data appears correct, the fact that it shows up in the log suggests that something about it is incorrect, so let's fix it. Highlight and copy the contents of the code box below to a blank notepad. Save it to the desktop as:

    Filename: fix.reg
    Save as type: All Files (*.*)

    Code:
    REGEDIT4
    
    ; Delete the existing value first
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Notification Packages"=-
    
    ; Recreate it as REG_MULTI_SZ containing the single entry "scecli"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    
    The icon for fix.reg should now look like a Rubik's Cube. Double click fix.reg and allow it to merge with the registry.
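An added example, not part of the original post or of any tool used in the thread: the Lsa "Notification Packages" value lists DLLs that LSA loads, so an exported .reg can be checked for a wrong type, a value name that differs only by whitespace, or any entry other than the scecli that fix.reg restores. The allow-list, function names and sample exports are assumptions constructed for illustration.

```python
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Notification Packages"
EXPECTED = {"scecli"}  # assumption: the only entry the post's fix.reg restores


def decode_multi_sz(hex_csv, wide):
    """Decode hex(7) data: ANSI bytes in REGEDIT4 files, UTF-16LE in version 5 files."""
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b.strip())
    text = raw.decode("utf-16-le" if wide else "latin-1")
    return [s for s in text.split("\x00") if s]


def audit_reg_export(reg_text):
    """Return findings about the Lsa 'Notification Packages' value in .reg text."""
    # Join hex data that regedit wraps across lines with a trailing backslash.
    reg_text = re.sub(r"\\\r?\n\s*", "", reg_text.lstrip("\ufeff"))
    wide = reg_text.startswith("Windows Registry Editor")
    findings, key = [], ""
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.fullmatch(r'"(.*)"=(.*)', line)
        if not m or key.lower() != LSA_KEY.lower():
            continue
        name, data = m.groups()
        if name.strip().lower() != VALUE_NAME.lower() or data == "-":
            continue  # other values, and "=-" deletions, carry no data to audit
        if name != name.strip():
            findings.append(f"value name {name!r} has stray whitespace")
        if not data.lower().startswith("hex(7):"):
            findings.append("wrong type, expected REG_MULTI_SZ (hex(7))")
            continue
        for pkg in decode_multi_sz(data[7:], wide):
            if pkg.lower() not in EXPECTED:
                findings.append(f"unexpected package: {pkg}")
    return findings


# Constructed sample exports (not taken from the thread's logs).
CLEAN = 'REGEDIT4\n\n[' + LSA_KEY + ']\n"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00\n'
SUSPECT = ('REGEDIT4\n\n[' + LSA_KEY + ']\n'
           '"Notification Packages"=hex(7):73,63,65,63,6c,69,00,65,78,61,6d,70,6c,65,00,00\n')

if __name__ == "__main__":
    print(audit_reg_export(CLEAN))
    print(audit_reg_export(SUSPECT))
```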
     


  4. 2008/02/07
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    403
    Likes Received:
    7
    Ugh...no change

    I have completed the steps in your 1st reply and unfortunately, no changes (I did restart the computer as directed.)

    Here is a copy of the text from that run command you asked me to do:

    # Copyright © 1993-1999 Microsoft Corp.
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a "#" symbol.
    # For example:
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    127.0.0.1 localhost

    Am on my way to proceed with the next suggestion (the Rubik's Cube). Will report back after I have that completed.
     
  5. 2008/02/07
    Vicki

    Something didn't go right

    I did get the fix.reg saved to the desktop as per your instructions. But when I double clicked on it to run, I received the following "pop up":

    Oh my, this is all so "Greek" to me! But then a lot of the processes I've been doing have been! Sure am glad to have your help in guiding me, I'd never know where/how to proceed otherwise! :)
     
  6. 2008/02/07
    noahdfear

    My bad. I missed the most important part of the reg script. I've fixed the code box above. Please right click on the fix.reg file and select Edit to open it with notepad. Copy the contents of the code box above and replace the current contents of fix.reg with it. Close and save the changes, then double click and allow it to merge with the registry.
     
  7. 2008/02/10
    Vicki

    completed

    Did as you suggested (recopied the corrected code box) and that worked okay. Still no changes in the way IE responds (but not sure if that was the expected outcome of that fix/repair?)

    Sorry that this is seemingly such a difficult fix for you (& me!) I was encouraged at the beginning when you mentioned "it should be easy to clean up". Unfortunately it hasn't appeared to be going in that direction! :(

    But I have also heard how reformatting/reinstalling can be a pain as well, thus my determination to try my best to do whatever you suggest to resolve the issues on this loused up computer!:)

    I want you to know how much I have appreciated your time and help so far!!

    ~Vicki
     
  8. 2008/02/10
    noahdfear

    Care to do a test? I'm curious to know if the IE problem is specific to the user account or global. To test, open the Control Panel, then User accounts. Create a new user named test (or whatever). Log off and then log onto the test account and check IE's behavior.
     
  9. 2008/02/10
    Vicki

    User account questions

    I have never attempted to do this (creating a new user account). Am currently writing this from my computer so I can refer back/forth to the ailing computer.

    I currently have opened the control panel and selected "create a new user account". I named the account "Test" (as suggested). When I clicked on "next" the question(s) asked to "Pick an account type" are:
    1. Computer Administrator
    2. Limited

    Which of these should I be choosing or won't that make any difference?
     
  10. 2008/02/10
    noahdfear

    Administrator is fine.
     
  11. 2008/02/10
    Vicki

    A few more questions...

    I have now created the new user account (Test-with administrator privileges). But I'm not sure how to "log off" on his current account? He doesn't use a log in screen or a password when starting up his computer, it just goes directly to the desktop (after the initial welcome screen).

    Will I be able to do this after logging out of his account and using the new "test" account, (when/if I am to go back to his original account?)

    Sorry to keep pestering you with questions, but I certainly don't want to make matters worse!
     
  12. 2008/02/10
    noahdfear

    Just click Start>Log Off
    It should return to the Welcome screen where you can choose the account to logon to.
    Once the test account is removed, the computer should again load straight to the desktop without stopping at the welcome screen.
     
  13. 2008/02/10
    Vicki

    No change?

    I was able to get the "Test" account set up (thanks for your directions!).

    Here is what I found/saw after doing that.

    Items on the Desktop: (these were shortcut icons)

    1. Ad-Aware 2007
    2. Adobe Reader 7.0
    3. AVG 7.5
    4. Recycle Bin

    Didn't see any shortcuts or icons on the desktop for IE. So I used the start menu. It did show up (among the other things listed) but it didn't have the "normal" "E" icon?? It shows more like a "file" type icon?

    I clicked on it and it opened up to the MSN web page. However, trying to type in a URL in the address bar produced the same results as always! (New window opening with nothing displayed, having to "end task" to close). Same thing happened when I tried the "control + n".

    I also notice down next to the "notification area"--if that's what the correct term is--(down by the clock) there are 3 very small icons showing. If I hover over them the one with the "?" says "help", the one that appears to be little file boxes(?) says "Restore", the other an upside down triangle(?) says "options". (Note these icons are VERY tiny on that computer screen, so not sure if I'm describing what they really are, only what they appear to be to me). Don't know if this is normal (I use MSN explorer on my computer and don't know if those are normal things displayed for a regular IE connection without changing some settings or something? I have never seen them on anyone's computer.)

    So I'm guessing that the infection on that computer is not limited to a single user? (the reason you had me set up/try the test account).

    One really messed up computer huh?:(
     
    Last edited: 2008/02/10
  14. 2008/02/11
    jbrej

    jbrej Inactive

    Joined:
    2007/01/15
    Messages:
    21
    Likes Received:
    0
    Sorry

    Hi Vicki and Noahdfear, Sorry to interfere.

    What a heroic struggle the two of you are fighting.

    It made me think of 2 things you could try.
    A) CCleaner to fix old temp files, and to clean up registry
    B) install a secondary browser like Firefox. That could provide Vicki with ability to get to the net from the bad pc, when she needs to post or download.

    But I will let noahdfear drive.

    Best regards
    Jens
     
  15. 2008/02/12
    noahdfear

    Hi Vicki,

    The new user test confirmed that the problem with IE is not user specific. I'd like to get a look at some of the registry keys associated with IE. Click Start>Run and type cmd then hit Enter to open a command window. Now highlight and copy the bolded text below, then right click in the command window and select Paste.

    reg query "HKLM\SOFTWARE\Microsoft\Internet Explorer" /s > "%userprofile%\desktop\IEexport.txt"
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /s >> "%userprofile%\desktop\IEexport.txt"
    exit
    cls


    The command window should close on its own and a file named IEexport.txt should be created on the desktop. Please attach that text file to an email to me for review.
     
  16. 2008/02/13
    Vicki

    Sent

    Hope you received the email (with the attachment you requested). I've never sent one with an attachment before, so I'm hoping I did it correctly!

    I wasn't able to send it via the infected computer, so I copied it to a cd and sent it from my computer.

    Do you wish that I remove that "test" account that was created? Or should I keep it in case it's needed for further testing?

    Thanks bunches Dave!

    ~Vicki~
     
  17. 2008/02/15
    noahdfear

    Hi Vicki,

    I did get the email, and the attachment (good job! :) ). I've only had a chance to skim through it, and will study it more closely tonight or tomorrow (it's been a hectic week). In the meantime, I noticed quite a number of remnants of IE7, and I'm wondering if the rollback to IE6 wasn't completely successful. Please see if you can download IE7, then install it. Once installed and after rebooting, see how it works. If it has problems, uninstall it via Add/Remove programs. My hope is that if the installation goes bad, that at least maybe the rollback will.

    You can remove the test account if you like. You would do that via Control Panel>User Accounts as well. It will ask if you want to keep the account files ...... no need to.
     
  18. 2008/02/15
    Vicki

    IE7

    No need to hurry with reviewing that attachment I sent, I know you're very busy! That's quite evident with all the posts you have and I'm sure there are other aspects of your life keeping you occupied as well! I don't know how you find the time to get it all done! :)

    I did get IE7 downloaded/installed on the "infected" computer (posting from that one now). I did have a little trouble doing that as it was asking me to activate/enable "active x". But I didn't see where to do that? But then I remembered we had "disabled" a lot of the "add-ons" at one point (I noticed the triangle with the ! in the task bar (?) area). So I clicked on that and enabled the ones that were from Microsoft and got the download working.

    Because I have never used IE7, I'm not certain if it's working correctly? Anything in particular I should look for? This whole "tab" thing is a little confusing to me! :eek: Not to mention where the address bar is located (above all the file/edit/view/favorites/tools/help sections!) I'm guessing that's why my son didn't want to keep it either and "rolled back" to IE6??

    I'm sure he would prefer to have IE6, but if that won't be an option, he'll just have to learn to get accustomed to IE7!

    ~Vicki~
     
  19. 2008/02/15
    noahdfear

    What you need to look for is if links open properly, links in new tabs or windows open properly, typed addresses populate, etc. Rolling back to IE6 is always an option, and if you prefer to do that give it a go and see what happens.

    Great work RE: ActiveX too! Me thinks you're more computer savvy than you give yourself credit for. ;)

    For the record, upgrading to IE7 would be a good move since it is a more secure browser. It doesn't take long to get used to, and even hooked on, a tabbed browser. Firefox, which jbrej suggested (thanks for your input, BTW) is also a tabbed browser, which was one of its more powerful lures to installing it. You can take a tour of IE7's features, as well as watch a video, all of which might help to make IE7 a bit easier to use.
     
  20. 2008/02/15
    Vicki

    So far, so good!

    Been "testing" out the new IE7 and I think it appears to be working okay?! Haven't had any problems thus far anyhow! :)

    I would imagine it should be kept/tried for several more days at least before I/we considered the issue resolved? I'm tending to think that IE7 should remain on here anyway, just for the reason(s) you suggested-it being more secure! Especially considering this whole thing probably started with a security issue in the first place! ;)

    Just a few questions about all the "icons" on the desktop (from programs, reports, etc. from our "fixes"). Can any of these be deleted now? Or should I create a new desktop icon/folder and move them to there? (Only to try and clean up the desktop) Or would this be an undesirable move until it's concluded that this computer is now functioning okay?

    Should I run another Hijackthis and/or Deckard's scan now for you now that the computer is apparently functioning like it should? Or is this not necessary?

    Thank you for your vote of confidence in my competency in computers! I do spend a lot of time reading on this great website and I credit all my knowledge to the wonderful folks on here!

    ~Vicki~
     
  21. 2008/02/16
    noahdfear

    Yes, please run a new dss scan and post the log. You can delete the logs we've created. I'll look back through the topic to see what all can be removed now.
     
