skate1968

I've been trying to clean up my computer on my own but have not been able to. And i fear that i might have made it worse by not eradicating problems immediately.

I found the following malwares running from taskmanager:

Windows Police
msa.exe
a.exe
b.exe

I deleted them and cleaned out my recycle bin.

When i reboot i get a blank screen. I run Windows Restore from task manager to get back my desktop screen.

I'm unable to update and/or run Spybot Search &D. And now the SpybotSD exe file appears to have vanished from my computer.

EDIT to Add: I did disable TeaTimer


I'm not even able to to find the, MRT.exe runs and then stops abruptly. Windows defender came up and then stopped abruptly

I'm unable to access firefox and or IExplorer after ebooting in safe mode. I have not been able to use IExplorer in any mode -- safe or regular.

I'm unable to access the control panel. Attempting to do so causes a problem (either the screen went black or the computer shut off -- one of the two, i forget which).

Hence i'm unable to download Windows security updates.

I've not been able to download any anti virus except for 'GMER' from this site. I've run GMER as per instructions from CatByte:

Windows Police pro virus!! Please Help me!

GMER produced the following warning

WARNING
GMER has found system modification caused by ROOTKIT activity.

I have not yet pressed OK.

Can someone advise me? Worse case scenario i'll have to get a hold of an antivirus disk from someone else's computer and run that.

Thanks in advance.

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-17 14:15:01
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwliapoc.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\8CCD65EC.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [404] 0x35670000
Library \\?\globalroot\Device\__max++>\8CCD65EC.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [480] 0x35670000
Library \\?\globalroot\Device\__max++>\8CCD65EC.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [920] 0x35670000
Library \\?\globalroot\Device\__max++>\8CCD65EC.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1036] 0x35670000
Library \\?\globalroot\Device\__max++>\8CCD65EC.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1164] 0x35670000
Library \\?\globalroot\Device\__max++>\8CCD65EC.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1240] 0x35670000
Library \\?\globalroot\Device\__max++>\8CCD65EC.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1488] 0x35670000
Library \\?\globalroot\Device\__max++>\8CCD65EC.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1596] 0x35670000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

To Add: I find that i'm unable to do many functions because many files and folders are 'read only.' I am unable to change this. This trojan is preventing me from backing up my files.

skate1968

Problem solved.

I found one more malware file running which i did not delete earlier; b.exe. I deleted it and then found i was able to download and install anti spyware updates.

So it appears as though i'm now on my way to solving this problem on my own. I'll soon do full anti-virus scans.

Let me say that i am very impressed with what i've read on this site and i'm grateful for having access to it. A friend of mine said HP wanted 250 dollars from her to fix her computer. I see that that volunteers here fix computers and ask only that one have a little patience -- a very small price to pay, IMO.

Keep up the good work.

Thanks again.

skate1968

Ok, i posted earlier about a problem. But then i quickly found a solution on my own -- or so i thought.

But I'm now at the point where i can not even my computer to boot up.

"Windows could not start up because of the following file is either missing or corrupt: C:\Windows\System32\XXXX.XXXX

[sorry, i now see that I neglected to write down the actual filename before leaving my home to use this computer.]

You could attempt to repair this file by starting Windows Setup using the original Set Up CD-Rom."

I don't have the this CD-Rom (honestly i don't remember it coming with my computer).

I would think that i'd be able to get a hold of a Windows XP disk. But i'm not sure if that'd help me.

The issue that directly preceeded this problem was me running SpyBot SD in safe mode. It was version 1.3 -- and probably not a currently updated version. The SpyBot supposedly found 64 errors -- most on the system32 folder -- many SmitFraud-Cs and few others. But when i when i hit the 'fix problems' button all i got were error messages.

"Spybot can not fix the error because the doesn't exist -- false image" -- or some kind of message like that. I must have hit OK to over 35 of these error messages.

Nasty Virus, need help

As i said in my earler post i found viruses -- Windows Police, msa.exe, a.exe,
b.exe, etc.

I was able to download AVG -- and that seemed to work.

But then AVG didn't seem to work that great. Meanging that the computer was still acting funny. It appeared as though AVG would get 'hung up' -- it would stop scanning and freeze.

The only way that i could get my desktop back was to run Microsoft Restore -- restore to an earlier point and my desktop & start menu came back.

So I was downloading security updates for Windows Xp. I needed 14 critical updates. Some of them weren't taking -- 'failed to install.' So i'd redownload and try again.

But then the download was taking too long. I got annoyed and canceled the update in progress -- and that seems to have been a big mistake.

It froze up so i rebooted. And then i could not get my desktop back. I tried using 'restore' again to get the old settings but it would only give me error messages.


So should i try to get a Windows XP disk? (i don't expect that this alone will fix it) Get a WindowsXP disk AND download a copy of COMBOFIX from someone else's computer?

Or should i just ask around for a reputable computer shop and let them handle it? I'm close to a few colleges and i'd imagine that there'd be a reasonably priced place close to them.

My computer, embarrassing, is an old HP pavillion 503n; 1.7 celeron, 40 gig memory, 128 something of RAM. I've got several work files on the computer -- some of which i didn't back up .

Hewlitt Packer support told me to just buy a new computer.

Thanks for reading.

Ried

Hello skate1968,

If you find you still need assistance, post fresh logs.

Ried

Hello skate1968,

I'll merge your threads for continuity.

Try booting into Last known good configuration and see if you can get back into Windows


1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (on some computers it is F5)
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Last known good configuration and press Enter.


It's important you tell me all tools that have been run on this system while you were attempting to clean it yourself. Please list them out for me.

skate1968

Hi Ried,

Thanks for responding.

I believe that i've already tried that twice already: f8 & last good configuration.

But maybe i haven't tried it for this latest problem. I'll try again when i get home.

My google searches lead me to believe that i have an f11 emergency save feature. As if i have some kind of 'recovery disk' built in the computer.

But at this point I don't want to play with the f11 feature without really knowing what i'm doing.

You know that's a good question. I'll try to remember them.

I've stopped virus files from the running using taskmanager, i probably disabled them from starting on the configuration utility and i've also deleted them using Windows Explorer (explorer NOT Inernet Explorer).

I've used Spybot, GMER, AVG, Windows Update and Windows Restore.

I've rebooted in safemode using f8.

Also using f8 i've done safe mode w/ netoworking, last known good configuration, diagnostic mode. (and i might have used one other option -- i don't have the list in front of me)

That is all i can remember at the moment.

thanks again

Ried

If you use this, it will reformat and reinstall Windows and all the pre-loaded HP programs that came bundled with it when you purchased it. You will lose your files.

Did you run ComboFix at all? This is important to know as we may have a backup we can pull up via the Recovery Console -- if you permitted ComboFix to install the Recovery Console.

If not, we move on to 'Plan C'

skate1968

Thanks for responding.


I never ran combofix.

So i guess we go to Plan C?

Ried

Plan C is it, then.

You will need a blank CD to write to. Visit the website to download the bootcd > http://www.hirensbootcd.net/details/10.0.html (This is a very large download)

After you've created the bootdisc, insert it into the CDRom/DVD drive of the problem computer. Make sure the BIOS is set to boot from that drive first, then boot up the system.

The BootCD should load. Select Start Mini Windows XP

You can now navigate through the system. Locate Spybot's reports and post the most recent one here for me so I can see what it did/removed.

skate1968

Thanks again, Ried.

I'm going to drive to a friend's place and use her computer to download that file. While i'm over there are there any other files that i should download which might be useful? I'm asking in hopes of possibly preventing the need for a second and or third trip.

Ried

Yes, as a matter of fact. Download this tool and run it once you get into the system with the Hiren's boot cd. Post the log it produces.

skate1968

Thanks for the quick reply, Ried!

skate1968

OK, i now have internet access. I downloaded the files that Ried has asked me to. I'll also download a copy a fresh of spybot & maybe another AVG.

Can anyone think of anything else to download before i lose acces to my friend's internet connection?

Ried

That's it for now. Remember -- don't install the updated Spybot until you get me the report from the existing Spybot. I need to see what it did in order to even try to figure out what went wrong here.

skate1968

I did this exactly as instructed.

I didn't know how to 'make sure the BIOS is set to boot from.' And i'm now thinking that i should have asked you.

I never got this option of 'Mini Windows'


After turning on the computer I pressed f10 thinking that would allow me the option of booting from the disk. Instead it went in to recovery mode (I have no idea why it had not done this before.) I selected 'Non Destructive Recovery' which is supposed to restore factory original settings while preserving all data files.

I ran the spybot report and loaded to a floppy.

I was able to get online and here i am.

skate1968

I opened spybot and then used the create registry function. Then i ran the report:


--- Search result list ---

--- Spybot - Search && Destroy version: 1.3 ---
2009-10-08 Includes\Adware.sbi
2009-10-13 Includes\AdwareC.sbi
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2009-10-13 Includes\DialerC.sbi
2009-01-22 Includes\HeavyDuty.sbi
2004-05-12 Includes\Hijackers.sbi
2009-10-13 Includes\HijackersC.sbi
2004-05-12 Includes\Keyloggers.sbi
2009-10-06 Includes\KeyloggersC.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2009-10-14 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2009-10-13 Includes\PUPSC.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2009-10-13 Includes\SecurityC.sbi
2004-05-12 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-10-13 Includes\Spyware.sbi
2009-10-13 Includes\SpywareC.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi
2009-10-14 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


--- System information ---
Windows XP (Build: 2600)
/ Windows XP / SP1 / Q308676: Windows XP Hotfix (SP1) [See Q308676 for more information]
/ Windows XP / SP1 / Q308677: Windows XP Hotfix (SP1) [See Q308677 for more information]
/ Windows XP / SP1 / Q309521: Windows XP Hotfix (SP1) [See Q309521 for more information]
/ Windows XP / SP1 / Q309691: Windows XP Hotfix (SP1) [See Q309691 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q311842 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q311889 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q312370 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q315000 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q315403 for more information]


--- Startup entries list ---
Located: HK_LM:Run, CamMonitor
command: c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
file: c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
size: 69632
MD5: 8cee5bf9488bac527408fbb80096e3da

Located: HK_LM:Run, DDCActiveMenu
command: "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
file: C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
size: 86016
MD5: 33e7208f4e7ab990a6e897ea1361c56a

Located: HK_LM:Run, DDCM
command: "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
file: C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
size: 122880
MD5: 919c57bce361166560f852f1629d9595

Located: HK_LM:Run, dla
command: C:\WINDOWS\system32\dla\tfswctrl.exe
file: C:\WINDOWS\system32\dla\tfswctrl.exe
size: 106549
MD5: 6d21f9202a24b36e7cb10e8ed9f9de37

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\System32\hkcmd.exe
file: C:\WINDOWS\System32\hkcmd.exe
size: 114688
MD5: 318b39089ff44d57368eff1ec81bdefd

Located: HK_LM:Run, hpsysdrv
command: c:\windows\system\hpsysdrv.exe
file: c:\windows\system\hpsysdrv.exe
size: 52736
MD5: 06a1ecb63df139ec639e084d4ab3c9d7

Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\System32\igfxtray.exe
file: C:\WINDOWS\System32\igfxtray.exe
size: 155648
MD5: c0ca97b06360872117e472eba3d25242

Located: HK_LM:Run, KBD
command: C:\HP\KBD\KBD.EXE
file: C:\HP\KBD\KBD.EXE
size: 61440
MD5: f60d7ba291b9812ae9a77cf95689818e

Located: HK_LM:Run, NAV Agent
command: c:\PROGRA~1\NORTON~1\navapw32.exe
file: c:\PROGRA~1\NORTON~1\navapw32.exe
size: 75384
MD5: 89edb06c1ea1a7f4a513ff1dbecbf73b

Located: HK_LM:Run, NAV CfgWiz
command: c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
file: c:\PROGRA~1\NORTON~1\Cfgwiz.exe
size: 407160
MD5: 971d80cee5e7b948372bfb57a79f6c55

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 31744
MD5: 0fb22dd37c17f80ad71316049f725170

Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 364544
MD5: fa537c72dc6d4f74b3d8a87f7cfbb6ac

Located: HK_LM:Run, PS2
command: C:\WINDOWS\system32\ps2.exe
file: C:\WINDOWS\system32\ps2.exe
size: 81920
MD5: b413db7b177b6e87c191b052d43eb706

Located: HK_LM:Run, Recguard
command: C:\WINDOWS\SMINST\RECGUARD.EXE
file: C:\WINDOWS\SMINST\RECGUARD.EXE
size: 212992
MD5: d892b4e7dec77e7087bcab3e6d673f4c

Located: HK_LM:Run, StorageGuard
command: "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
file: C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
size: 155648
MD5: 33d18d25af83df302a6e66ab781c4ccf

Located: HK_CU:Run, MSMSGS
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1077277
MD5: 10a98fa310d1b6664f999378efd031ba



--- Browser helper object list ---


--- ActiveX list ---


--- Process list ---
Spybot - Search && Destroy process list report, 10/28/2009 8:11:23 AM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 252 (1556) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 324 (1556) C:\windows\system\hpsysdrv.exe
PID: 420 ( 4) \SystemRoot\System32\smss.exe
PID: 444 (1556) C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
PID: 464 (1556) C:\HP\KBD\KBD.EXE
PID: 468 ( 420) csrss.exe
PID: 492 ( 420) \??\C:\WINDOWS\system32\winlogon.exe
PID: 536 ( 492) C:\WINDOWS\system32\services.exe
PID: 548 ( 492) C:\WINDOWS\system32\lsass.exe
PID: 744 ( 536) C:\WINDOWS\system32\svchost.exe
PID: 768 ( 536) C:\WINDOWS\System32\svchost.exe
PID: 836 (1556) C:\WINDOWS\system32\dla\tfswctrl.exe
PID: 844 ( 536) svchost.exe
PID: 856 ( 536) svchost.exe
PID: 904 (1556) C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
PID: 956 ( 536) C:\WINDOWS\system32\spoolsv.exe
PID: 1024 (1556) C:\WINDOWS\System32\hkcmd.exe
PID: 1028 (1556) C:\WINDOWS\System32\igfxtray.exe
PID: 1092 ( 536) alg.exe
PID: 1132 ( 536) c:\Program Files\Norton AntiVirus\navapsvc.exe
PID: 1464 ( 492) C:\WINDOWS\System32\taskmgr.exe
PID: 1484 (1556) C:\PROGRA~1\NORTON~1\navapw32.exe
PID: 1556 (1492) C:\WINDOWS\Explorer.EXE


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 10/28/2009 8:11:24 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://srch-us6.hpwis.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://srch-us6.hpwis.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://us6.hpwis.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://us6.hpwis.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://srch-us6.hpwis.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\First Home Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&ar=runonce&pver={SUB_PVER}&plcid={SUB_CLSID}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://srch-us6.hpwis.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
http://srch-us6.hpwis.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://us6.hpwis.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://us6.hpwis.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://srch-us6.hpwis.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://srch-us6.hpwis.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://srch-us6.hpwis.com/

--- Winsock Layered Service Provider list ---

skate1968

I ran this and it gave a warning message

"dds-bootcd is designed to run in a Hiren PE environment. If for any reason...."

so i decided to hold off on running it.

Right now i'm going to start backing up some of my data files

thanks much again for your help, Ried.

I await your advice. It appears that i'm now able to download stuff from the net.

Ried

If you have accessed the system with the boot cd I had you download and make, then you are in the Hiren PE environment. That version of dds is designed to run there - please do so.

Let me explain that while you are booted, and accessing your system via the bootcd, you are in a 'virtual environment'. You can access files, etc to copy and backup, but none of the registry hives are actually loaded, which is required for any other tool to be able to give me an accurate view of what's going on. This version of dds will be able to look at the registry keys and report. ;)

Don't forget to give me the original Spybot report - it may give me a clue as to what it did, and what in particular it took out, that left your machine unbootable. With that info, hopefully I can get you back in.

skate1968

Hi Ried,

It appears that you've only read the last of the three messages that i posted. I posted three because i thought they should be broken in different sections. Sorry, i should have just put it all in one post.

I if you look at my first post dated 10-28 you'll see that not all things went as i expected. I did post up the spybot report. I don't believe that i used the Hirin boot disk to get on. Please, if you don't mind, go back and reread. I'll then await your advice.

again, thanks very much!

Ried

Yes, it's best you don't post and re-post in succession. I'm coming in to the notification and thinking, and composing a repy, then you go and post more that i'm unaware of.

So - you performed a non destructive recovery and have booted up the computer without the boot cd, correct?

If so, then follow the instructions in our sticky topic New Instructions - Read This Before Posting for Malware Removal Help and post the requested logs in your next reply.