gerbil 216 Industrious Poster

RECYCLER is your recycle bin... there is a bin for each partition. May I suggest that you go into explorer, tools, folder options, view, and Hide Protected OpSys files?
Next:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

That code, PCI\VEN_8086&DEV_4220&SUBSYS_27018086&REV_05\4&16793A72&0&20F0 would be for an Intel Pro/Wireless 2200BG? So get the driver for that from Intel's site, and browse to it to install it. Just take the latest version. Google this: Intel Pro/Wireless 2200BG driver

gerbil 216 Industrious Poster

...

gerbil 216 Industrious Poster

jB, if you come on could you please remove that URL w3.av5scan.com? Folks are sure to click it to see what it is and a javascript will lock down their browser until they click that and get loaded with a problem. [Best solution if you do click something like that is to close the browser process in Task Manager...]

gerbil 216 Industrious Poster

Yes.
When you install the RC at the beginning the sys is under the control of Windows Setup, and it happily recognises your cdrom. Once the RC is installed the sys is under its control, and it will not recognise removable drives [your cdrom]. It is supposed to be for security.. it is truly regrettable.
Look, go into RC and try using those SET commands I gave you... the restriction may have been removed in later disk versions...

gerbil 216 Industrious Poster

Yeah.. it was not very thoughtful of M$ to place that restriction [for security?] in the RC.
RC will not work with removable drives [once it is the OS] without that reg change. Unfortunately you have to do it before you need to use the console.
You will have to install an OS into another partition or onto another drive and use that to copy in your file, else slave the drive and do it..

gerbil 216 Industrious Poster

The Recovery Console has some restrictions applied by default. It will not let you access files in My Documents or on a removable drive; you need to do a couple of things:
Save this as a .reg file on your desktop and run it:

Windows Registry Editor Version 5.00

; Lets the Recovery Console accept the SET command. This is the same value the
; "Recovery console: Allow floppy copy and access to all drives and all folders"
; security policy writes; it is a DWORD, and the key path must be in brackets.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
"SetCommand"=dword:00000001

Start RC from your disk, then make these commands at the prompt:
set allowallpaths = true
set AllowRemovableMedia = true
set AllowWildCards = true
[set NoCopyPrompt = true]

And see what you can do.

gerbil 216 Industrious Poster

Well, you could help, because the final arbiter on this matter is M$, and they will make their authority known when validation is sought. M$ do allow upgrading, parts replacement, and if a machine is more than a year old it can be major surgery. Don't they track the MAC addy? Which is very likely tied to the e-machine by a block of codes, and so M$ would know a different NIC was in place, not an emachine, and so express their judgement on that? I dunno, I'm just wondering.. and I don't know the finer points of the software licences.
All I know about those two files is that they should be in i386 for the OEM Setup's purposes. But I don't know how to help.

gerbil 216 Industrious Poster

Fine, pg. When you have used that Symantec removal tool could you post a final hijackthis log, please?

gerbil 216 Industrious Poster

I would be stunned if SR in one OS restored the registry in another OS....
If you are still able to start the OS in C:, and there are restore points available [ie. made at times] then I don't see why you don't just copy them into current registry.. ie, config.

gerbil 216 Industrious Poster

Well, there ya go... I often rework ppl's monikers, caper, mostly for simplicity, mostly keep them in my head..... mine for Bob was Twisted Bob, but I didn't dare address him as that.
Absolutely no offence in that, Bob, it's just easier to think than your proper room name.
And Bob, if you are not using your own machine in those pc lounges then it must be an effect of an aura about there, yours or the earth's.

gerbil 216 Industrious Poster

I was just making sure that those files are gone, pg. If you could not find them, that is fine.
Some antivirus software, for example Symantec's [and McAfee's too] cannot be simply removed without special software. Your McAfee is fine, no need to touch it, but there are still parts of Symantec remaining on your machine. If you visit the Symantec website you will be able to find and download the correct removal tool which you then run.
Would you do this for me please:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat to your desktop; dclick it to run, then post the file showkey.txt

@echo off
rem RunOnce for the service accounts: S-1-5-18 SYSTEM, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE
reg query "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce" /s >showkey.txt
reg query "HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce" /s >>showkey.txt
reg query "HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce" /s >>showkey.txt
rem .DEFAULT is the profile in use before anyone logs on (note the backslash before the dot)
reg query "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce" /s >>showkey.txt
start showkey.txt
pause

Post the notepad that pops onto your desktop, please.
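
An added example, not part of gerbil's post: a Python script that reads the showkey.txt the batch above produces and lists every RunOnce entry found under the service-account hives, labelled with the account it would run as (S-1-5-18 is SYSTEM, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE, .DEFAULT the pre-logon profile). The reg query output embedded in it is constructed for the example; the csrssc.exe entry copies the HKUS\S-1-5-18 item quoted elsewhere in this thread. Run it as `python showkey_check.py showkey.txt`, or with no argument to use the embedded sample.

```python
import re
import sys

# Well-known SIDs the batch file queries; .DEFAULT is the pre-logon profile.
ACCOUNTS = {
    "S-1-5-18": "SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    ".DEFAULT": "Default user",
}

KEY_RE = re.compile(r"^HKEY_USERS\\(?P<hive>[^\\]+)\\(?P<sub>.*)$")
# A value line: indented name, REG_* type, optional data. XP's reg.exe separates
# the columns with tabs, Vista and later with four spaces; \s+ covers both.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

# Constructed sample of a showkey.txt, in the layout reg.exe prints (key path
# flush left, values indented beneath it). Not a real capture.
SAMPLE_SHOWKEY = r"""
! REG.EXE VERSION 3.0

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Jnskdfmf9eldfd    REG_SZ    C:\WINDOWS\TEMP\csrssc.exe

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce
    <NO NAME>    REG_SZ

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
"""


def parse_reg_query(text):
    """Return (key, value_name, type, data) tuples from `reg query ... /s` output."""
    rows, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line) if key else None
        if m:
            rows.append((key, m.group("name"), m.group("type"), m.group("data").strip()))
    return rows


def service_account_autoruns(rows):
    """RunOnce values with data under the service/default hives. Those hives are
    normally empty, so each hit is something to examine, not yet a verdict."""
    findings = []
    for key, name, _rtype, data in rows:
        m = KEY_RE.match(key)
        if not m or not data:           # skips the empty <NO NAME> default value
            continue
        account = ACCOUNTS.get(m.group("hive"))
        if account and m.group("sub").lower().endswith("\\runonce"):
            findings.append({"account": account, "key": key, "name": name, "command": data})
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SHOWKEY
    for f in service_account_autoruns(parse_reg_query(text)):
        print("%-16s %s -> %s" % (f["account"], f["name"], f["command"]))
```

Whatever this prints is a list for a human to look at: an entry running from a Temp directory as SYSTEM, like the sample one, is the kind of thing the batch file was written to surface.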

gerbil 216 Industrious Poster

Hello, pg, yes, that is what i wanted.
Please start hijackthis again, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [bone thunk axis copy] C:\Documents and Settings\All Users\Application Data\pure coal bone thunk\Idol bore.exe
O4 - HKLM\..\Run: [Comp about extra bin] C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\Bend exit.exe
O4 - HKCU\..\Run: [Sect Real] C:\DOCUME~1\PERFEC~1\APPLIC~1\IDLE01~1\Gplantitype.exe
O4 - HKCU\..\Run: [swg] C:\WINDOWS\system32\regsvr32.exe

Good, now find and delete these files:
C:\Documents and Settings\All Users\Application Data\pure coal bone thunk\Idol bore.exe
C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\Bend exit.exe
C:\Documents and Settings\PERFECT_GIRL\Application Data\IDLE01~1\Gplantitype.exe
-IDLE01~1 is an abbreviation of some folder name, I do not know what, but it commences with IDLE01, and is the only one that starts like that.

Please visit the Symantec website and download and run the appropriate removal tool for the version of their antivirus that you once used.
Make and post a fresh hijackthis log, please.

gerbil 216 Industrious Poster

Ah.. I find comfort in that, caper. The world is safe.. some people are not obsessed by computers, to them they are mere tools. Ripper.

gerbil 216 Industrious Poster

:), so he did.... should have worn all the rough bits off it, then.
GEAR is what I was hoping you would find in that file, spyder. It is a set of drivers that interface iTunes with your cd burner.
That all looks good. Go Start, Run and type or paste in :
combofix /u
-this will remove combofix and its quarantine.
Orright, get out there and play again, but in a less muddy spot, okay? That was quite a collection of rootkit gear.

gerbil 216 Industrious Poster

Poaching happens. I don't hold a torch for any browser... I switched from IE early on to Opera [it just made sense to have tabs on one browser process]. After a bit I experimented with FF and while I was doing that it became my main. But several months ago it started to fault on long pages and so I switched back to Opera.
Not going to say I love it, it doesn't "excite" me , I just prefer it. Atm. I have all 3 on quicklaunch.
Opera has just a few % of the market, I don't know why. I do know it takes a crowbar to get ppl weaned off IE. I have heard that some ppl use Netscape. Or did.
And still we have nothing to offer poor Bob.

gerbil 216 Industrious Poster

Ah. See? It was worth running Combofix also, wasn't it?
I take it that you ran random's sys info tool?
Is this associated with your iPod? c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
Right...
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.

Killall::

File::
c:\windows\system32\cont_adsoftinc-remove.exe
C:\srelqu.exe
c:\windows\system32\ibtuaivlrurj.exe
C:\-723922735
c:\windows\system32\nsf57.dll
c:\windows\system32\dllcache\s3legacy.dll
c:\windows\DUMP61b7.tmp

Good. Now drag the CFScript.txt icon onto the Combofix icon on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
Then get rid of the Symantec stuff.

gerbil 216 Industrious Poster

"I say that FF3 is fine, because from my standpoint it is." That is fine then, hot; if it works for you, well, that is all that is required of it [FF]. I have no strong point to make on this issue... it is just that for some it works, some of the time [check caper's posts...], and for some it does not, most of the time [me ..]. Perhaps is works for some, all of the time. I do not know networking, or much about browsers.. I don't think I know NKOTB either...

gerbil 216 Industrious Poster

Those two tools have done a superb job. You had a pretty comprehensive infection there. MBAM took out the ADS file attached to svchost.exe, so no action by you is required there.
May I see the Combofix log, please? This is important.
Your HijackThis log shows as clean, but you should go to the Symantec website and identify and download the tool to remove the specific Symantec AV protection you once had. There are parts of it still running. A simple Remove instruction in Add/Remove Pgms does not suffice.

gerbil 216 Industrious Poster

:)... I jus dunno, caper.... an Bob, I was afraid you would say that. "as I get the problem from the download of the cover page where I need to log on from."

gerbil 216 Industrious Poster

Caper, I have FF3.04 [latest] and it will not pull in that page I put up. Opera does. Anyway... poor ole Bob...
Bob, try creating another account...

gerbil 216 Industrious Poster

Spyder, this will remove the ADS ext.exe from C:\WINDOWS\system32\svchost.exe:ext.exe
ext.exe is an ADS [alternate data stream] attached to C:\WINDOWS\system32\svchost.exe, and you need a special tool to remove it.
Get this tool, ADS Spy from http://www.bleepingcomputer.com/files/adsspy.php - you will need to dl the file , extract ADSSpy.exe and then copy that into your sys [via that flashdrive].
Simply dclick it to start it,
-select Scan only this Folder,
-type into the box C:\Windows [or browse to it via the .. box]
-press Scan the sys...
If it appears, check C:\windows\svchost.exe... and then Remove Selected Items.

gerbil 216 Industrious Poster

At work and online? Then grab a flashdrive and dl Combofix into it from http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or : http://subs.geekstogo.com/ComboFix.exe
Change the filename combofix.exe to mycfix.exe, and copy it to your DESKTOP..... It does not need to update, and does not want the web connected...:
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Ah, thank you, pg. Could you post a fresh HijackThis log, please?

gerbil 216 Industrious Poster

FF, the latest update, 3.04? without checking [came in last week?] Zero plugins.
Opera has no ads, it is just good, clean, fast. Crash? Never. FF is a copy of it.
I'll point you at a long post so you can see what I mean about FF... http://www.daniweb.com/forums/thread155796-4.html
Does it render the whole page? Perfectly? No omissions, blank spaces, black areas?

gerbil 216 Industrious Poster

Firefox does NOT like DW. I don't know why, but one particular symptom is that it cannot render pages containing a long post.
Opera copes admirably.. no problems at all.

gerbil 216 Industrious Poster

Browse the sr.inf installer to your C:\WINDOWS\Driver Cache\i386\sp3.cab or C:\WINDOWS\ServicePackFiles\i386\sp3.cab so that it can use the most recent files.

gerbil 216 Industrious Poster

Hello, spyder, your sys has been knocked silly by some malwares. Being midnight in Aust Cohen has likely wandered off to bed.
I see these things in running processes:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\HP_Administrator\Desktop\mbam-setup.exe
So, delete the folder C:\Program Files\Malwarebytes' Anti-Malware
Rename this file C:\Documents and Settings\HP_Administrator\Desktop\mbam-setup.exe to mambo-sup.exe
Before you try starting the installer again though, let's do this [some of it may stick...].
At this point you may wish to dl this program:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Right. Set? Rename hijackthis.exe to imabunny.exe, then start it, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: C:\WINDOWS\system32\jsdf8j3dgf.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsdf8j3dgf.dll
O4 - HKLM\..\Run: [txitbnqzugza] C:\WINDOWS\System32\regsvr32.exe /s "C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\xngaotwnxcst.dll"
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: gsgehtaw - C:\WINDOWS\SYSTEM32\gsgehtaw.dll
O22 - SharedTaskScheduler: lke3iemrl490kgfgdsfd - {C5AF42A3-94F3-42BD-F434-3604832C897D} - C:\WINDOWS\system32\hsd63geff.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsdf8j3dgf.dll
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe

Good, now delete these files:
C:\WINDOWS\system32\jsdf8j3dgf.dll
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\xngaotwnxcst.dll
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\TEMP\csrssc.exe
C:\WINDOWS\SYSTEM32\gsgehtaw.dll
C:\WINDOWS\system32\hsd63geff.dll
C:\WINDOWS\system32\svchost.exe:ext.exe

Be aware that C:\WINDOWS\system32\svchost.exe is a valid system file …

gerbil 216 Industrious Poster

"No possibility to Run System Restore either, not even in Save Mode."
Ah, but have you had SR enabled? Cos if you have restore points available we can fish those out and plug them into your registry.
Try to get SR running by navigating to C:\windows\inf, and dclicking sr.inf; choose Install.
If it works after that, then fine. If not, then because you are still able to start in your C: drive OS there is a workaround to get at those restore points. Say if you want it.

gerbil 216 Industrious Poster

dukane seemed interested in M$'s method #2. Which is the same as the B PE method..... and if you have the XP cd already, then... done.

gerbil 216 Industrious Poster

Re the Shift-Delete of those objects.. that is okay, perfect girl. I admit to mildly panicking when I saw that abbreviated hijackthis log from your previous post with most of the entries missing!
Now, if you ran this tool that I referred to earlier:
"==Download NoLop from the link on this page; some information is shown under the Proper Use button, press Search and Destroy to run the scan. Post the report C:\NoLop.log.
http://thespykiller.co.uk/index.php?action=tpmod;dl"
..you would still have this log: report C:\NoLop.log
If you have not already run it, please do so. Then make a fresh hijackthis log, post it plus the NoLop report.

gerbil 216 Industrious Poster

No, that should be all, whoost. Play safe out there... :)
Basically, there should be no need to have anything in the internet trusted zone because that bypasses certificate checking. Safe sites are safe by definition, so no need to have them in there.

gerbil 216 Industrious Poster

This was the other report I wished to see, the one now saved at C:\NoLop.log
Could you please post that?

gerbil 216 Industrious Poster

pg, this may be important.
Please start hijackthis, press the View the List of Backups button.
In the new Backups window make sure that you place a checkmark in EVERY box, then press the Restore button.
Close HijackThis.
Next, open your Recycle Bin and restore all that you have deleted.
Good, now start Hijackthis again and run a fresh scan, post that new log.

gerbil 216 Industrious Poster

Yep... should only take 1/2hour or so... doing a fresh installation beside the old.

gerbil 216 Industrious Poster

Mmm... they were all quarantined by Combofix... and MBAM found them in there. I think you are clear to go, what is your opinion?
Go Start, run:
combofix /u
This will uninstall combofix and its files and quarantine folder.

gerbil 216 Industrious Poster

Sweet. How are things now?
Run this: Go Start, paste in:
combofix /u
-this will uninstall combofix and remove quarantined files.
Post a final hijackthis log.

gerbil 216 Industrious Poster

Looks good, sickofit.
Try MBAM now. Remember to update it first, and run the Quick Scan.

gerbil 216 Industrious Poster

You're welcome, oos.

gerbil 216 Industrious Poster

Looks good, oos. Is it working well for you?

gerbil 216 Industrious Poster

Thanks, crunchie.
pg, could I see this please :"Post the report C:\NoLop.log." NoLop appears to have not worked.
Uninstall those pgms as Crunchie suggests, then:

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Comp about extra bin] C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\Bend exit.exe
O4 - HKLM\..\Run: [bone thunk axis copy] C:\Documents and Settings\All Users\Application Data\pure coal bone thunk\Idol bore.exe
O4 - HKCU\..\Run: [Sect Real] C:\DOCUME~1\PERFEC~1\APPLIC~1\IDLE01~1\Gplantitype.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')

Good. Now delete these files:
C:\Windows\system32\blank.htm
C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\Bend exit.exe
C:\Documents and Settings\All Users\Application Data\pure coal bone thunk\Idol bore.exe
C:\DOCUME~1\PERFEC~1\APPLIC~1\IDLE01~1\Gplantitype.exe
- this last is C:\Docs & Settings\Perfect Girl\Application Data\IDLE01~1\Gplantitype.exe

Delete these folders:
C:\DOCUME~1\PERFEC~1\APPLIC~1\IDLE01~1 - I do not know the long form of IDLE01~1
C:\Documents and Settings\All Users\Application Data\Roam Program Comp About
C:\Documents and Settings\All Users\Application Data\pure coal bone thunk

Don't you love the names Lop constructs? "pure coal bone thunk"
I would have thought that NoLop would have removed those, which is …
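
An added example, not code from the thread: a Python triage script that applies the checks gerbil does by eye to HijackThis lines, both the spyder post above (O2/O4/O7/O20/O22/O23 entries) and the Lop O4 entries in this one. It flags executables running from Temp or Application Data, an alternate data stream hiding behind svchost.exe, filenames that mimic system processes, O7 policy restrictions, Winlogon Notify and SharedTaskScheduler entries that are not part of a stock XP, and a CLSID registered as both a BHO and a SharedTaskScheduler; it then derives the "now delete these files" list from the flagged entries, leaving out regsvr32.exe, which is only the loader. The sample log is assembled from the lines quoted in this thread plus two clean entries, and the known-good lists are assumptions to extend for the machine at hand.

```python
import re
from collections import defaultdict

# Constructed HijackThis excerpt: the first eleven lines are the entries quoted
# in this thread (spyder's machine, then pg's Lop items); the last two are
# added clean entries so the heuristics have something to leave alone.
SAMPLE_HJT = r"""
O2 - BHO: C:\WINDOWS\system32\jsdf8j3dgf.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsdf8j3dgf.dll
O4 - HKLM\..\Run: [txitbnqzugza] C:\WINDOWS\System32\regsvr32.exe /s "C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\xngaotwnxcst.dll"
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: gsgehtaw - C:\WINDOWS\SYSTEM32\gsgehtaw.dll
O22 - SharedTaskScheduler: lke3iemrl490kgfgdsfd - {C5AF42A3-94F3-42BD-F434-3604832C897D} - C:\WINDOWS\system32\hsd63geff.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsdf8j3dgf.dll
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O4 - HKLM\..\Run: [Comp about extra bin] C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\Bend exit.exe
O4 - HKCU\..\Run: [Sect Real] C:\DOCUME~1\PERFEC~1\APPLIC~1\IDLE01~1\Gplantitype.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe -k imgsvc
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# A drive-letter path up to a binary extension, optionally followed by an ADS name.
PATH_RE = re.compile(r'[A-Z]:\\[^"]*?\.(?:exe|dll|sys|scr|com)(?::[^\s"]+)?(?=$|[\s"])', re.I)

SYSTEM_PROCESS_NAMES = ("csrss", "svchost", "lsass", "winlogon", "smss", "services")
# Assumed known-good lists for a stock XP: the two SharedTaskScheduler CLSIDs
# (Browseui preloader, Component Categories cache daemon) and the Winlogon
# Notify packages Windows ships. Extend for the AV and drivers actually installed.
KNOWN_O22_CLSIDS = {"{438755C2-A8BA-11D1-B96B-00C04FB6BFC4}", "{8C7461EF-2B13-11D2-BE35-3078302C2030}"}
KNOWN_O20_NAMES = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon"}
LOADERS = {"regsvr32.exe", "rundll32.exe"}   # legitimate hosts: remove what they load, not them


def entry_name(kind, rest):
    """[name] for O4 lines, the text before the first ' - ' for the others."""
    m = re.search(r"\[([^\]]*)\]", rest) if kind == "O4" else re.match(r"[^:]+: (.+?) - ", rest)
    return m.group(1) if m else ""


def parse_hjt(text):
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        clsid = CLSID_RE.search(rest)
        entries.append({"kind": kind, "rest": rest, "name": entry_name(kind, rest),
                        "clsid": clsid.group(0).upper() if clsid else None,
                        "paths": list(dict.fromkeys(PATH_RE.findall(rest))),  # dedupe, keep order
                        "reasons": []})
    return entries


def path_reasons(path):
    """Location and naming heuristics; these are triage hints, not verdicts."""
    reasons, low = [], path.lower()
    if ":" in path[2:]:
        reasons.append("alternate data stream hidden behind a real file")
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if "\\application data\\" in low or "\\applic~1\\" in low:
        reasons.append("runs from Application Data (where Lop drops its random-named folders)")
    base = low.rsplit("\\", 1)[-1]
    base = base[:-4] if base.endswith(".exe") else base
    for sysname in SYSTEM_PROCESS_NAMES:
        if base.startswith(sysname) and base != sysname:
            reasons.append("filename mimics " + sysname + ".exe")
    return reasons


def triage(entries):
    clsid_kinds = defaultdict(set)
    for e in entries:
        if e["clsid"]:
            clsid_kinds[e["clsid"]].add(e["kind"])
    for e in entries:
        for p in e["paths"]:
            e["reasons"] += path_reasons(p)
        if e["kind"] == "O7":
            e["reasons"].append("restrictive policy set: " + e["rest"].split(", ")[-1])
        if e["kind"] == "O20" and e["name"].lower() not in KNOWN_O20_NAMES:
            e["reasons"].append("Winlogon Notify package not shipped with XP")
        if e["kind"] == "O22" and e["clsid"] not in KNOWN_O22_CLSIDS:
            e["reasons"].append("SharedTaskScheduler CLSID not shipped with XP")
        if e["clsid"] and {"O2", "O22"} <= clsid_kinds[e["clsid"]]:
            e["reasons"].append("same CLSID registered as a BHO and a SharedTaskScheduler")
    return [e for e in entries if e["reasons"]]


def files_to_delete(flagged):
    """Paths behind the flagged entries, minus the Windows binaries that only host them."""
    return sorted({p for e in flagged for p in e["paths"]
                   if p.rsplit("\\", 1)[-1].lower() not in LOADERS})


if __name__ == "__main__":
    flagged = triage(parse_hjt(SAMPLE_HJT))
    for e in flagged:
        print(e["kind"], e["name"] or e["clsid"], "->", "; ".join(e["reasons"]))
    print("\nfiles to delete:")
    for p in files_to_delete(flagged):
        print("  " + p)
```

The ADS path it reports, C:\WINDOWS\system32\svchost.exe:ext.exe, names the stream, not the host file: svchost.exe itself stays, which is the caution gerbil gives right after that list.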

gerbil 216 Industrious Poster

Crunchie, Avast flicks up a warning about a trojan -Swizzor from the removal tool site which is linked on that page you just gave. It is in the tool itself... Avast picked it up as Opera did a pre-download of the removal tool while I was reading on the site.
This from F-Secure:
TrojanDownloader.Win32.Swizzor is a small program that can end up on a user's system when he is browsing the Web. The program downloads and installs a LOP.COM-related plugin that acts as spyware/adware and provides customized search capabilities.
As downloading and installation occurs without a notification to the user and without the user's approval, we added detection for the downloader as a trojan.
To remove the downloader, it's enough to delete its file from the hard drive.

gerbil 216 Industrious Poster

That rather looks like a Lop infection there - it's pretty pesky adware. These two entries point it out:

O4 - HKLM\..\Run: [Comp about extra bin] C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\Bend exit.exe
O4 - HKLM\..\Run: [bone thunk axis copy] C:\Documents and Settings\All Users\Application Data\pure coal bone thunk\Idol bore.exe

Best to use the proper tool, and then follow up with a clean and general adware/spyware scan.
==Download NoLop by Derek from the link on this page; some information is shown under the Proper Use button, press Search and Destroy to run the scan. Post the report C:\NoLop.log.
http://thespykiller.co.uk/index.php?action=tpmod;dl
Next clean with:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
And finally run another hijackthis scan and post that log also, please.

gerbil 216 Industrious Poster

My head is spinning from thread hijacks, moving posts.... wheee.. :)
Oos, glad you had some malware for Smitfraudfix to work on... it gets dissatisfied if it cannot find any to fix when requested to do so by choice #2, and busts your desktop as revenge. I targeted a specific infection with that tool, namely this one: C:\WINDOWS\system32\avt.dll . I see that you had it.
Run a fresh hijackthis scan please, and post it.

gerbil 216 Industrious Poster

Ok. How annoying. You have a version of ISpyNow which is protected by a rootkit, it is very likely TDSS. So a few things we can try before you have to go walking with a flashdrive in your hot lil hand, to find a friendly type who will let you dl Combofix. We need it. Make sure to load the dl addy into the flashdrive... But first:
There is always another online scan: http://www.f-secure.com/security_center/
If it won't run, then:
==Download [currently it will not dl correctly with Opera; use IE] the latest standalone version of Blacklight from ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe - Start it, accept the agreement and Scan.

Else if we assume that it is TDSS, go into C:\WINDOWS\system32 and rename every file commencing with the letters TDSS to XXXTDSS. Here is a typical selection.. you may have some or none or similar others :

c:\windows\system32\TDSSblal.dat
c:\windows\system32\TDSScshc.dll
c:\windows\system32\TDSSdlpb.dll
c:\windows\system32\TDSSkfkl.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSojtp.dll
c:\windows\system32\TDSSqogd.log
c:\windows\system32\TDSSurev.dll
c:\windows\system32\TDSSwhke.log
c:\windows\system32\TDSSxnyq.dll
You may find some in c:\windows\system32\drivers\...
eg: c:\windows\system32\drivers\TDSSrfpc.sys

Try to run MBAM now [rename mbam.exe to mybm.exe first]. And then try to dl Combofix...
As crunchie said, you could delete any TDSS... files in system32 if you so wished. TDSS is a play on TSDDD, which is a valid displaydriver.

gerbil 216 Industrious Poster

Nice!
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.

Killall::

File::
C:\WINDOWS\system32\drivers\TDSSrfpc.sys
c:\windows\000002_.tmp

Driver::
TDSSrfpc

Service::
TDSSSERV

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]

Good. Now drag the CFScript.txt icon onto the Combofix icon on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
And could you now try to install and run MBAM, please? Update and run the Quick scan.

gerbil 216 Industrious Poster

K, as I thought, there was a rootkit attached to that spyware, which hid it.
I must stop for 20 mins, will get back to you within the half hour.

gerbil 216 Industrious Poster

We can ignore that. Nice to have it installed though, in any case. Does not take up much disk space. But the installation cd carries it, and is not too inconvenient.

gerbil 216 Industrious Poster

Sickofit, can you try to access a Combofix dl site from Safe Mode with Networking? If successful, run Combofix from Safe mode.
You could try these scans, one should do, again from safe mode:
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java. Panda will clean only virii, but it is superb at listing other malwares which can then be targeted.
Please ATTACH to your post the log it produces.
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....

gerbil 216 Industrious Poster

Restart your sys in Safe Mode, delete that file C:\WINDOWS\system32\mst120.dll, and then run Combofix while still in Safe Mode.