Hijack This Log...

[Satyagraha]

I'm not going to lie, I know exactly what caused this problem (because I just reformatted yesterday) and will not encounter it again. Hopefully, this will be a very easy fix.

I keep getting pop-ups when not on the internet, or browsing, etc. It's a problem I had months ago and was helped very quickly. I hope the same is true.

Logfile of HijackThis v1.99.1
Scan saved at 7:15:48 AM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Games\Steam\Steam.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\atmclk.exe
C:\Program Files\SpywareQuake.com\spyware-quake.exe
C:\Program Files\SpywareQuake.com\spyware-quake.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Webroot Spy Sweeper, Enterprise Edition] C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Games\Steam\Steam.exe" -silent
O4 - HKCU\..\RunOnce: [SantaCruzCpl] C:\Program Files\Turtle Beach\Santa Cruz\Control Panel\SantaCruzCpl.exe /restore
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_04\bin\npjpi141_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_04\bin\npjpi141_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0B5ACAA-2AAF-4EA1-B926-09B0EE176328}: NameServer = 71.243.0.12 68.237.161.12
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

[tetonbob]

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Please download the trial version of Ewido anti-malware from here:
http://www.ewido.net/en/download/

• Install Ewido anti-malware.
• When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
• When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
• The program will prompt you to update. Click the Ok button.
• The program will now go to the main screen.

You will need to update Ewido to the latest definition files.

• On the left-hand side of the main screen click the Update Button.
• Click on Start.
• The update will start and a progress bar will show the updates being installed.

Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.

Download and install CleanUp! but do not run it yet. (Not Recommended for XP64).

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

---------------------------------------------------------------------------------------------

Reboot your computer in Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
• Ensure that the Safe Mode option is selected.
• Press Enter. The computer then begins to start in Safe mode.
• Login on your usual account.

---------------------------------------------------------------------------------------------

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

---------------------------------------------------------------------------------------------

Clean out your Temporary Internet files.

Run Cleanup! using the following configuration:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files (if present)
• Cleanup! All Users
• Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program.. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------


Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

• "Security Info"
• "Warning Message"
• "Security Desktop"
• "Warning Homepage"
• "Desktop Uninstall" or something similar

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

---------------------------------------------------------------------------------------------

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.

• Click on Scanner
• Click on Settings
  • Under How to scan all boxes should be checked
  • Under Unwanted Software all boxes should be checked
  • Under What to scan select Scan every file
  • Click on Ok
• Click on Complete System Scan to start the scan process.
• Let the program scan the machine.

If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.

• Click Save Report button
• Save the report to your Desktop

Close Ewido and Reboot in Normal Mode.

---------------------------------------------------------------------------------------------

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
• Click on see report. Then click Save report

---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Then post the following logs in your next reply...

C:\rapport.txt (log from the tool)
Ewido log
Panda log
Hijackthis log

[Satyagraha]

Thanks very much for the help, Bob. Here are the requested logs, though the problem file was removed after I ran CleanUp!.

As an unrelated question, hopefully simple to someone of your computer expertise, how would I make it so that the "Log Off" and "Switch User" buttons are available from the Start menu? As of reformatting, I only have the three "Shut Down" options. I'm using Windows XP Professional, if that helps you. Either way, my main problem seems to be fixed, so thank you very much.




SmitFraudFix v2.55

Scan done at 22:15:27.43, Wed 06/07/2006
Run from C:\Program Files\Anti-Viral Programs\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="acheweed"

[HKEY_CLASSES_ROOT\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\system32\acvgxw.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\system32\acvgxw.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\acvgxw.dll Deleted
Problem while deleting C:\WINDOWS\system32\dcomcfg.exe
Problem while deleting C:\WINDOWS\system32\hp???.tmp
Problem while deleting C:\WINDOWS\system32\hp????.tmp
Problem while deleting C:\WINDOWS\system32\ld????.tmp
C:\WINDOWS\system32\ot.ico Deleted
Problem while deleting C:\WINDOWS\system32\regperf.exe
C:\WINDOWS\system32\simpole.tlb Deleted
Problem while deleting C:\WINDOWS\system32\stdole3.tlb
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\Chris\FAVORI~1\Antivirus Test Online.url Deleted
C:\Program Files\Security Toolbar\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\acvgxw.dll -> Missing File


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted

»»»»»»»»»»»»»»»»»»»»»»»» End


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:54:58 PM, 6/7/2006
+ Report-Checksum: DD717F54

+ Scan result:

:mozilla.6:C:\Documents and Settings\Maggie\Application Data\Mozilla\Firefox\Profiles\sdwcbx1y.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Maggie\Application Data\Mozilla\Firefox\Profiles\sdwcbx1y.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Maggie\Application Data\Mozilla\Firefox\Profiles\sdwcbx1y.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Maggie\Application Data\Mozilla\Firefox\Profiles\sdwcbx1y.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Maggie\Application Data\Mozilla\Firefox\Profiles\sdwcbx1y.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Maggie\Application Data\Mozilla\Firefox\Profiles\sdwcbx1y.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Maggie\Application Data\Mozilla\Firefox\Profiles\sdwcbx1y.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Maggie\Application Data\Mozilla\Firefox\Profiles\sdwcbx1y.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Maggie\Application Data\Mozilla\Firefox\Profiles\sdwcbx1y.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Maggie\Application Data\Mozilla\Firefox\Profiles\sdwcbx1y.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Maggie\Application Data\Mozilla\Firefox\Profiles\sdwcbx1y.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Maggie\Application Data\Mozilla\Firefox\Profiles\sdwcbx1y.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Program Files\Media-Codec -> Trojan.Small : Cleaned with backup
C:\Program Files\Media-Codec\uninst.exe -> Trojan.Small : Cleaned with backup
C:\RECYCLER\S-1-5-21-861567501-436374069-1343024091-1003\Dc1.txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\RECYCLER\S-1-5-21-861567501-436374069-1343024091-1003\Dc2.txt -> TrackingCookie.Doubleclick : Cleaned with backup


::Report End


Incident Status Location

Adware:adware/emediacodec Not disinfected Windows Registry
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\0uldjrwl.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\0uldjrwl.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\0uldjrwl.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\0uldjrwl.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\0uldjrwl.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\0uldjrwl.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\0uldjrwl.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\0uldjrwl.default\cookies.txt[.zedo.com/]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\Chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-32558680-7f7baacb.zip[Mein.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\Chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-32558680-7f7baacb.zip[Beyond.class]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Chris\Cookies\chris@2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Chris\Cookies\chris@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Chris\Cookies\chris@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Chris\Cookies\chris@doubleclick[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\0uldjrwl.default\Cache\633285D9d01[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Anti-Viral Programs\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Anti-Viral Programs\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Spyware:Spyware/Conducent-Timesink Not disinfected C:\WINDOWS\VcpDLL.dll

Logfile of HijackThis v1.99.1
Scan saved at 11:38:55 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1149623509\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1149623509\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1149623509\ee\AOLServiceHost.exe
C:\Games\Music\LimeWire\LimeWire.exe
C:\Program Files\Anti-Viral Programs\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Webroot Spy Sweeper, Enterprise Edition] C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Games\Steam\Steam.exe" -silent
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_04\bin\npjpi141_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_04\bin\npjpi141_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0B5ACAA-2AAF-4EA1-B926-09B0EE176328}: NameServer = 71.243.0.12 68.237.161.12
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

[tetonbob]

Quote:

As an unrelated question, hopefully simple to someone of your computer expertise, how would I make it so that the "Log Off" and "Switch User" buttons are available from the Start menu?

Start>Control Panel>User Accounts>Change the way Users Log on and off>Check both boxes, Use the Welcome Screen, and Use Fast User Switching.


---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp (file missing)

---------------------------------------------------------------------------------------------

Delete the following if they exist:

C:\WINDOWS\VcpDLL.dll

If it resists deletion, boot to safe mode, and delete it from there.

---------------------------------------------------------------------------------------------

We need to update your Java as it is out of date. The older version is a security risk, as malware writers exploit the weaknesses in it's code.

Updating Java:

• Go to Start > Control Panel double-click on the Software icon > add/remove programs.
• Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
• Select it and click Remove.
• Then Download and install the newest version from here:
  http://www.java.com/en/download/manual.jsp
  
• After the reboot, go back into the Control Panel and double-click the Java Icon.
• Under Temporary Internet Files, click the Delete Files button.
• There are three options in the window to clear the cache - Leave ALL 3 Checked
  • Downloaded Applets
  • Downloaded Applications
  • Other Files
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
• Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General tab>under Temporary files, click on Delete Cookies.

Clear your Firefox cookies. From the open browser, go toTools>Options>Privacy>Cookies>Clear

To ensure we got it all, please run this online scan:

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------


Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Let me know how it's running, and if you encounter any problems.

[Satyagraha]

Quote:

Originally Posted by tetonbob

Start>Control Panel>User Accounts>Change the way Users Log on and off>Check both boxes, Use the Welcome Screen, and Use Fast User Switching.

These boxes were both already checked. I found that I can switch users by pressing the Windows key + L, so this isn't an urgent or serious problem to spend time on.


Here are the log files you requested from Kaspersky, SmitFraudFix and HJT.


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, June 08, 2006 3:16:16 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 8/06/2006
Kaspersky Anti-Virus database records: 199106
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 42507
Number of viruses found: 4
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:39:18

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{B17676BF-4761-40FE-9E84-AA27A743F74B}\RP3\A0001076.exe Infected: Trojan-Dropper.Win32.Agent.zc skipped
C:\System Volume Information\_restore{B17676BF-4761-40FE-9E84-AA27A743F74B}\RP4\A0002174.exe Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\System Volume Information\_restore{B17676BF-4761-40FE-9E84-AA27A743F74B}\RP4\A0003194.dll Infected: not-virus:Hoax.Win32.Renos.dj skipped
C:\WINDOWS\system32\regperf.exe Infected: Trojan-Downloader.Win32.Zlob.ro skipped

Scan process completed.



SmitFraudFix v2.55

Scan done at 3:22:26.09, Thu 06/08/2006
Run from C:\Program Files\Anti-Viral Programs\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\regperf.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Chris\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Chris\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Logfile of HijackThis v1.99.1
Scan saved at 3:23:07 AM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Games\Steam\Steam.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Anti-Viral Programs\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Webroot Spy Sweeper, Enterprise Edition] C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Games\Steam\Steam.exe" -silent
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0B5ACAA-2AAF-4EA1-B926-09B0EE176328}: NameServer = 71.243.0.12 68.237.161.12
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS


The system seems to be working fine, with no trace of malware that is noticable, at this point. What you have suggested has worked perfectly. For reference, to the HJT log, AOL is not needed (barring AIM, I'm not sure if these are two separate entities or what) so you can advise me to remove those also, if it would be beneficial to my system.

[tetonbob]

OK, as I suspected, a file was left behind by SmitfraudFix, due to the fact that Option 2 was run in normal mode, rather than safe mode as directed. This meant the file was in use, and it resisted deletion.

Please do this:

• Double click on HijackThis.exe to run it.
• Click on Open the Misc Tools section
• click the button labelled "Delete A File on Reboot..."
• In the dialogue that shows up, enter the path (type, or copy and paste) of the file in "file name:" field C:\WINDOWS\system32\regperf.exe
• When you have selected the file, Click the "Open" Button
• Click yes at the next prompt and your system will reboot.

Then, check to make sure that file is no longer present. Make sure you can view Hidden and System files:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

---------------------------------------------

The only AOL-related in your recent log is for AIM. Those running processes showing earlier seem to be common files related to several AOL apps.

Also, you might find that someone in our Windows XP forum might have a trick or two to remedy the fast user switching issue. Or perhaps uncheck them, reboot, and check them again. Windows is a funny creature at times.

You may want to have a read here and see if any of that applies.

One you are certain C:\WINDOWS\system32\regperf.exe is gone, your logs are clean. Please take heed of the following:

Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Create a new System Restore point

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Please ensure that you have already patched your system against the recent WMF exploit.
Go to this page to get the KB912919 patch.

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• SPYBOT - SEARCH & DESTROY
  Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  
• AD-AWARE
  Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software
  
  
• IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Download IE-SpyAD - Extract the contents to a new folder
    From within the folder, double-click install.bat
    Select Option #2 - Install the new IE-SPYAD list.
    Then return to the main menu.
    Select option #4 - Add the old porn sites domain
  
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  
  
  
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  See this link for a listing of some online antivirus scanners:
  
  Anti-Spyware Tutorial
  
  Here are two very good free Antivirus products which are available:
  
• Avast!
  
  
• AVG

If you do not have a firewall, here are 4 free ones available for personal use:

• ZoneAlarm
• Avast Antivirus/Firewall
• Tiny Personal Firewall
• OutPost Firewall

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[Satyagraha]

Thank you very much.

As for not booting in safe mode, I attempted to do so three times but during the launch of Windows the computer went through a list of a good number of C:\ system32 files, and remained stuck on the same one each time I rebooted and attempted to do so. So, I ran it in Normal Mode.

Thanks again for your quick and detailed help.

[tetonbob]

Hi Satyagraha -

Thanks for that explanation....it may perhaps indicate some system file corruption or driver issues if you still cannot boot into safe mode after the cleaning.

If it still does not boot into Safe mode...will it boot into Safe Mode with Networking?

If it doesn't boot into any Safe Mode...do you have a Windows XP installation CD?

If you do, Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD.

Other than that......you may be better off asking in the XP forum if none of the above apply or change anything....and as you appear happy with the machine's performance otherwise, I'll move this to resolved after I hear back from you one more time.