Desktop Icons and Taskbar disappearing


  • This topic is locked
55 replies to this topic

#1 Snacker

Snacker

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 29 April 2009 - 09:43 PM

First time posting on any forum. Not the most computer literate person, but not completely lost.
I have a Dell Inspiron 1501. Running Windows XP with SP3.
Starting about a week ago, my computer starts up normally. After a minute, or so, all my desktop icons and taskbar disappear. Explorer.exe is not running in the Process menu. I can still get to my files through the Task Manager. I have tried almost every suggestion I've found online. Nothing has helped. I open up 'Run' through the Task Manager and when I type in Explorer.exe, or Explorer it shows up in the Process window for a second then goes away. I'm running Webroot AntiVirus with Webroot Desktop Firewall. I've also downloaded Malwarebytes.
For a while now I've been getting a RunDLL error message when I start my computer. I forget the exact wording, but it mentioned 'MyWebs" and "M3Plugin". I researched how to fix this and it was suggested to go to MSCONFIG, go to the Startup tab and unselect the M3Plugin option. After doing this is when all my troubles started. I noticed the error message in my HijackThis log, but haven't messed with anything.
Safemode seems to work correctly. I tried starting a new account on my computer and get the same problem.
In the last week there have been two times where everything worked correctly, but went back after restarting.
Another weird thing is that before this happened I had Internet Explorer v7. Now it's telling me I have v6.
I don't know if I have a corrupted file or a hidden virus. My virus program finds nothing. I'm trying to avoid having to re-install Windows XP. This is driving me crazy. Please help. Below is my HijackThis log. Let me know if I've left out any info you need in my description of the issue. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:42 PM, on 4/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070110
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [YBrowser] "C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "C:\WINDOWS\stsystra.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DLA] "C:\WINDOWS\System32\DLA\DLACTRLW.EXE"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] "C:\WINDOWS\system32\WLTRAY.exe"
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MyWebSearch Plugin] "C:\WINDOWS\system32\rundll32.exe" C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [ModemOnHold] "C:\Program Files\NetWaiting\netWaiting.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec....ta/nprdtinf.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1169238566078
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo....plorer1_9us.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12657 bytes
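
Added example, not part of the original thread: a small Python triage pass over HijackThis-style lines, using a few entries copied from the log in the post above. It flags entries HijackThis marks `(no file)`, autostart entries that load a DLL through rundll32.exe (as the MyWebSearch Plugin entry does), startup shortcuts whose target shows as `?`, and any AppInit_DLLs value. The function names and reason labels are this example's own, and a flag means "review by hand", not "malicious".

```python
import re
from collections import namedtuple

# A subset of lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [MyWebSearch Plugin] "C:\WINDOWS\system32\rundll32.exe" C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

# HijackThis entry lines start with a section code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# rundll32 command line: <rundll32.exe> <dll path>,<exported function>
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+([^,]+),(\S+)', re.IGNORECASE)

Finding = namedtuple("Finding", ["code", "reason", "detail"])


def parse_entries(log_text):
    """Return (section_code, body) pairs; header and process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(log_text):
    """Return the entries that deserve a manual look, in log order."""
    findings = []
    for code, body in parse_entries(log_text):
        rundll = RUNDLL_RE.search(body) if code == "O4" else None
        if body.endswith("(no file)"):
            # Registry entry still present, but the file it names is missing.
            findings.append(Finding(code, "orphaned-entry", body))
        elif rundll:
            # Autostart that loads a DLL via rundll32; if the DLL is missing
            # or broken this produces a RunDLL error at logon.
            findings.append(Finding(code, "rundll32-autostart", rundll.group(1)))
        elif code == "O4" and body.endswith("= ?"):
            # Startup-folder shortcut whose target HijackThis could not resolve.
            findings.append(Finding(code, "unresolved-shortcut", body))
        elif code == "O20":
            # AppInit_DLLs are loaded into every process that loads user32.dll,
            # explorer.exe included, so each listed DLL should be accounted for.
            findings.append(Finding(code, "appinit-dll", body.partition(": ")[2]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.code:<4}{finding.reason:<22}{finding.detail}")
```
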

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,533 posts

Posted 02 May 2009 - 09:48 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 e-tech

e-tech

    e-tech

  • Trusted Advisor*
  • PipPipPipPipPip
  • 1,891 posts

Posted 03 May 2009 - 09:53 AM

Hello Snacker

It may take some time and a couple of attempts to provide you with the right help. Many of today's infections are advanced and install other infections on the computer.
It's almost impossible to remove the entire infection and to check for leftovers in one go. Please be patient.
:)


Please disable SpySweeper as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable SpySweeper:

Open it, click > Options over to the left then > click the Program tab > Uncheck "Start Spy Sweeper at Windows startup".
Over to the left click "shields"
  • Click the "Internet Explorer" tab and uncheck all there.
  • Click the "Windows System" tab and uncheck all there.
  • Click the "Host File" tab and uncheck all there.
  • Click the "Startup Programs" tab and uncheck "Startup Items Shield".

Remember after your system is clean to re-enable Spy Sweeper.


Please download ATF Cleaner. Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please update Malwarebytes' Anti-Malware to the newest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK for either of the prompts and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.




Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt, MBAM log and the contents of checkup.txt in your next reply for further review.


Best regards

e-tech

Edited by e-tech, 03 May 2009 - 09:55 AM.

My fight is dedicated to the children with autism - please support and help these kids.

Our greatest glory is not in never falling but in rising every time we fall.
- Confucius


#4 Snacker

Posted 04 May 2009 - 08:40 PM

Thank you for the help. For some reason my computer is not allowing me to back up my computer to an external hard drive. Before I run the Combofix.exe I just want to make sure that there is no chance that running this program will cause me to lose any info on my computer.
Thank you

#5 e-tech

Posted 05 May 2009 - 12:34 AM

Hello Snacker

We can't guarantee anything, but I've never experienced such a thing happening.

Best regards

e-tech


#6 Snacker

Posted 09 May 2009 - 03:43 PM

I apologize for not responding sooner. I've been out of town.
Ok I've done everything suggested (ATF, Security Check) except for running Combofix. Below is my SecurityCheck Log. My Malware and Virus programs have not found anything on the last checks.
I know you said that you can't guarantee anything and that you haven't encountered issues with ComboFix deleting any files, but I am worried to try it. I have found online posts from people who have had ComboFix problems. I trust the advice on this web site, but because my computer is not allowing me to backup my files I am very afraid of losing any info.
Is ComboFix your main suggestion? Any other options?
Was there anything suspicious found in my HijackThis Log?
Thank you for your patience with me. This is the first time in my life I've ever had computer issues like this.


Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Disabled!
WindowsLiveOneCaresafetyscanner
WebrootAntiViruswithAntiSpyware
WebrootDesktopFirewall
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Spy Sweeper Core
Webroot AntiVirus with AntiSpyware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Webroot Webroot Desktop Firewall wdfsvc.exe
Webroot Webroot Desktop Firewall WDF.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````


Scan took 112 seconds.
`````````End of Log```````````

#7 e-tech

Posted 09 May 2009 - 04:02 PM

Hello Snacker

> Ok I've done everything suggested (ATF, Security Check) except for running Combofix.

You didn't run Malwarebytes' Anti-Malware either.

> I know you said that you can't guarantee anything and that you haven't encountered issues with ComboFix deleting any files, but I am worried to try it. I have found online posts from people who have had ComboFix problems.

When ComboFix is used by people who are not trained in using it, it's most likely that things will go wrong.

> I trust the advice on this web site, but because my computer is not allowing me to backup my files I am very afraid of losing any info.
> Is ComboFix your main suggestion?

I can give you some other tools, but the risk will remain the same as using ComboFix unless we use tools that can't delete anything and are only diagnostic, such as Security Check.

> Is ComboFix your main suggestion?

Yes, and I still recommend that you use it.

> Was there anything suspicious found in my HijackThis Log?

Yes, some minor spyware issues but I want to take a deeper look.



Please update Malwarebytes' Anti-Malware to the newest version, perform complete scan and post its log in your next reply.


Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note:
In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command.

If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your Desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please post the Kaspersky Online Scanner Report in your reply along with the MBAM log.


Best regards

e-tech


#8 Snacker

Posted 13 May 2009 - 08:22 AM

Ok, below is my Malwarebytes Log. Nothing was found.
I also ran the Kaspersky Online Scanner and after a 3 hour scan absolutely nothing was found.
I don't know if this makes a difference, but one thing I didn't mention in my original post is that before I came to this forum I ran a program called 'VundoFix' and nothing was found.
I will run ComboFix when I get home from work tonight and post the log.
Anything else I'm forgetting?
Thank you again


Malwarebytes' Anti-Malware 1.36
Database version: 2118
Windows 5.1.2600 Service Pack 3

5/12/2009 10:26:23 PM
mbam-log-2009-05-12 (22-26-23).txt

Scan type: Quick Scan
Objects scanned: 63290
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 e-tech

Posted 13 May 2009 - 10:21 AM

Sounds great!

Do you still have problems with your computer?


#10 Snacker

Posted 13 May 2009 - 11:30 AM

Same problems. Nothing has changed. Still no desktop icons or task bar.
Should I still run Combo Fix?

#11 Snacker

Posted 13 May 2009 - 11:44 AM

Same problems. Nothing has changed. Still no desktop icons or task bar.
Should I still run Combo Fix?


Also, when I run ComboFix I know I'm supposed to deactivate my Spysweeper, but should I also disconnect my wireless connection and/or XP firewall?
Thank you

#12 e-tech

Posted 13 May 2009 - 11:53 AM

Yes, please run it. No, you don't have to deactivate connection and XP firewall. :)

Just follow the prompts please.

Edited by e-tech, 13 May 2009 - 11:54 AM.


#13 Snacker

Posted 13 May 2009 - 01:35 PM

ComboFix Log

Attached Files



#14 e-tech

Posted 13 May 2009 - 02:25 PM

Well done. :thumbup:

Please just copy the logs in your next reply. You don't need to upload them. :)

I highly recommend you to remove Viewpoint.

This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.
Foistware may open the door for malware and is sometimes installed without the user's knowledge or permission. Viewpoint is known to be intrusive and there is some possibility that it is now being used by its owners to track your habits.

If you choose to follow my recommendation then please go to Start -> Control Panel, double-click on Add or Remove Programs
Search the list, and uninstall the following programs (if present) by clicking the Remove or Change/Remove button.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
Then please find and delete these folders (if present):
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint



Please
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

KILLALL::
FileLook::
c:\program files\FINALE.EXE
c:\program files\ROBOEX32.DLL
c:\program files\FINMID16.DLL
c:\program files\FINMID32.DLL
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"=-
DDS::
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.


Please run a scan with Trend Micro Rootkit Buster to make sure the problem is not caused by malware or rootkits.
Download Trend Micro Rootkit Buster from here.
  • Unzip it to your Desktop.
  • Open the extracted folder and double-click RootkitBuster.exe
  • Press Scan.
When finished you'll be asked "Do you want to view log file". Press "Yes" and paste the contents of the log in your next reply along with the new ComboFix log.
If any infections are found, please choose Delete Selected Items.


Best regards

e-tech


#15 Snacker

Posted 13 May 2009 - 03:02 PM

The first thing I did was go to Add/Remove Programs. I found Viewpoint Media Player and deleted it. Could not find anything in my 'C' drive with Viewpoint in the name.
Per your next suggestion, am I able to open Notepad through the Task Manager? If not, how do I get to Notepad with the issues I'm having?

#16 Snacker

Posted 13 May 2009 - 03:25 PM

The first thing I did was go to Add/Remove Programs. I found Viewpoint Media Player and deleted it. Could not find anything in my 'C' drive with Viewpoint in the name.
Per your next suggestion, am I able to open Notepad through the Task Manager? If not, how do I get to Notepad with the issues I'm having?


And... I downloaded Rootkit Buster, but since I can only get to it through task manager I'm not able to unzip it.

#17 Snacker

Posted 13 May 2009 - 04:21 PM

I figured out the notepad situation and dragged the CFScript.txt to my ComboFix. Below is the new log.
Now my only question is about unzipping the Rootkit Buster

ComboFix 09-05-13.01 - Jason Gilardi 05/13/2009 17:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.464 [GMT -5:00]
Running from: c:\documents and settings\Jason Gilardi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jason Gilardi\Desktop\CFScript.txt
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *enabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
.

((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))
.

2009-05-10 20:17 . 2009-05-10 20:17 -------- d-----w C:\Webroot
2009-05-10 18:42 . 2009-05-10 18:42 -------- d-----w c:\documents and settings\All Users\Application Data\Dell
2009-05-10 18:12 . 2009-05-10 18:12 -------- d-----w c:\program files\MSSOAP
2009-05-10 18:07 . 2009-05-10 18:09 40346696 ----a-w c:\program files\WebrootSecurityRegSetup_EN.exe
2009-04-22 02:05 . 2009-04-22 02:08 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-21 22:56 . 2009-04-21 22:56 -------- d-----w C:\VundoFix Backups
2009-04-21 03:56 . 2009-04-21 04:11 -------- d-----w c:\program files\Free Window Registry Repair
2009-04-21 02:30 . 2009-04-21 02:30 -------- d-----w c:\documents and settings\Jason Gilardi\Application Data\Malwarebytes
2009-04-21 02:30 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-21 02:30 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-21 02:30 . 2009-04-21 02:30 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-21 02:30 . 2009-04-21 02:30 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-21 01:38 . 2009-04-21 01:38 -------- d-----w c:\program files\Trend Micro
2009-04-14 22:16 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 22:16 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 22:16 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 22:16 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 22:16 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 22:16 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 22:16 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 22:16 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 22:16 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 22:14 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 22:14 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 14:15 . 2007-01-20 22:30 27008 ----a-w c:\documents and settings\Jason Gilardi\Application Data\wklnhst.dat
2009-05-10 18:11 . 2007-02-07 18:54 -------- d-----w c:\program files\Webroot
2009-05-10 18:09 . 2008-07-31 20:19 108296 ----a-w c:\windows\system32\drivers\pwipf6.sys
2009-04-22 02:02 . 2009-04-21 22:36 84816 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-21 02:16 . 2007-01-10 07:37 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-20 21:08 . 2007-01-10 07:45 -------- d-----w c:\program files\Common Files\Real
2009-04-07 20:45 . 2007-01-18 19:20 -------- d-----w c:\program files\iTunes
2009-04-07 20:44 . 2009-04-07 20:44 -------- d-----w c:\program files\iPod
2009-04-07 20:44 . 2007-08-25 01:17 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 18:32 . 2007-07-11 16:33 1563008 ----a-w c:\windows\WRSetup.dll
2009-04-02 19:30 . 2007-02-07 18:54 176752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-04-02 19:30 . 2007-02-07 18:54 23152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-04-02 19:30 . 2008-08-09 19:42 29808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-24 21:42 . 2007-01-18 16:54 84816 ----a-w c:\documents and settings\Jason Gilardi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-24 21:26 . 2008-05-05 23:40 -------- d-----w c:\program files\MSBuild
2009-03-24 21:25 . 2009-03-24 21:25 -------- d-----w c:\program files\Reference Assemblies
2009-03-19 21:32 . 2008-01-29 17:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 04:59 . 2008-09-09 21:10 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 04:59 . 2007-11-09 18:16 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-20 08:10 . 2006-03-04 03:33 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 10:00 81920 ----a-w c:\windows\system32\ieencode.dll
2008-08-29 14:20 . 2008-08-29 14:20 21843080 ----a-w c:\program files\SpySweeperRegSetup.exe
2008-06-30 03:52 . 2008-06-30 03:52 8990072 ----a-w c:\program files\winamp5531_full_emusic-7plus_en-us.exe
2008-01-26 20:21 . 2007-11-28 21:21 15070104 ----a-w c:\program files\sspsetup1_1.exe
2007-10-20 19:46 . 2007-02-26 18:19 14651472 ----a-w c:\program files\sspsetup1_.exe
2007-05-04 02:15 . 2007-05-01 15:44 2232 ----a-w c:\program files\FINALE.INI
2007-05-01 15:44 . 2007-05-01 15:44 624 ----a-w c:\program files\FINMIDI.INI
2007-05-01 15:41 . 2007-05-01 15:41 23531 ----a-w c:\program files\uninstal.log
2007-03-19 15:57 . 2007-03-19 15:57 5546205 ----a-w c:\program files\DVD2iPodFull6[1].01Ekdi.exe
2007-03-07 17:28 . 2007-03-07 17:27 28399752 ----a-w c:\program files\FileFormatConverters.exe
2007-02-12 03:13 . 2007-02-12 03:13 329128 ----a-w c:\program files\ripsetup.exe
2007-01-23 03:42 . 2007-01-23 03:42 5037072 ----a-w c:\program files\spybotsd14.exe
2007-01-21 00:32 . 2007-01-21 00:31 6653000 ----a-w c:\program files\winamp532_full_emusic-7plus.exe
2000-08-22 21:53 . 2000-08-04 19:38 50176 ------r c:\program files\ReadMe.wri
2000-08-22 20:57 . 2000-08-04 19:38 5263414 ----a-w c:\program files\FINALE.EXE
2000-08-22 19:47 . 2000-08-04 19:38 86076 ----a-w c:\program files\FINMIDI.DLL
2000-08-21 16:18 . 2000-08-04 19:38 1318912 ----a-w c:\program files\FINRES32.DLL
2000-08-21 15:54 . 2000-08-04 19:38 1354752 ----a-w c:\program files\Gear32pd.dll
2000-08-10 15:55 . 2000-08-04 19:38 530692 ----a-w c:\program files\finale.hlp
2000-08-10 15:24 . 2000-08-04 19:38 53512 ----a-w c:\program files\Maestro Font Default.ftm
2000-08-02 16:02 . 2000-08-04 19:38 11330 ----a-w c:\program files\Finale.cnt
2000-07-08 22:19 . 2000-06-29 16:39 51956 ----a-w c:\program files\Jazz Font Default.FTM
2000-07-08 22:11 . 2000-07-07 20:09 570 ----a-w c:\program files\default.htm
2000-07-08 21:42 . 2000-05-15 15:51 57403 ----a-w c:\program files\SmartScoreDefault.mus
2000-07-08 21:41 . 2000-05-15 15:51 40782 ----a-w c:\program files\EncoreDefault.mus
2000-07-07 14:57 . 2000-05-15 15:51 26633 ----a-w c:\program files\TIPS.TXT
2000-07-05 15:13 . 2000-05-15 15:51 32564 ----a-w c:\program files\instrument.txt
1999-09-20 19:01 . 2000-05-15 15:51 594 ----a-w c:\program files\pagesizes.txt
1998-10-27 17:08 . 1999-09-13 21:53 317952 ----a-w c:\program files\ROBOEX32.DLL
1998-06-03 21:28 . 2000-01-10 17:25 30928 ----a-w c:\program files\FINMID16.DLL
1998-06-02 00:51 . 2000-01-10 17:25 12800 ----a-w c:\program files\FINMID32.DLL
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\program files\FINALE.EXE ---
Company: !DOESN'T APPER TO EXIST IN FILE! ERROR: 1813
File Description: !DOESN'T APPER TO EXIST IN FILE! ERROR: 1813
File Version: !DOESN'T APPER TO EXIST IN FILE! ERROR: 1813
Product Name: !DOESN'T APPER TO EXIST IN FILE! ERROR: 1813
Copyright: !DOESN'T APPER TO EXIST IN FILE! ERROR: 1813
Original Filename: !DOESN'T APPER TO EXIST IN FILE! ERROR: 1813
File size: 5263414
Created time: 2000-08-04 19:38
Modified time: 2000-08-22 20:57
MD5: 3697C0F01FB21FB00C9E4C31A5979575
SHA1: E9BC75E11DDE381AC44B0929201FC91FAF214A70


--- c:\program files\FINMID16.DLL ---
Company: Coda Music Technology, Inc.
File Description: Finale MIDI Module
File Version: 98
Product Name: Finale for Windows
Copyright: Copyright 1987-1998 Coda Music Technology, Inc.
Original Filename: FINMID16.DLL
File size: 30928
Created time: 2000-01-10 17:25
Modified time: 1998-06-03 21:28
MD5: 63A2769D15E5F349A3C062EE39EC8E19
SHA1: 8602ACBE5876746C01E707E3F48E0C7637AD5C59


--- c:\program files\FINMID32.DLL ---
Company: Coda Music Technology, Inc.
File Description: Finale MIDI Module
File Version: 98
Product Name: Finale for Windows
Copyright: Copyright 1987-1998 Coda Music Technology, Inc.
Original Filename: FINMID32.DLL
File size: 12800
Created time: 2000-01-10 17:25
Modified time: 1998-06-02 00:51
MD5: B8721819A47C3E0BA5E3F46DB62662B5
SHA1: FD44C5850E4007D5DF96B0FA4C8AF5503B3046A0


--- c:\program files\ROBOEX32.DLL ---
Company: Blue Sky Software Corporation.
File Description: RoboHELP Extensions for WinHelp
File Version: 7.00.142
Product Name: RoboHELP Classic
Copyright: Copyright 1997-1998 Blue Sky Software Corp.
Original Filename: ROBOEX32.DLL
File size: 317952
Created time: 1999-09-13 21:53
Modified time: 1998-10-27 17:08
MD5: E20CCD8C640A0DBABA12FE7031B9A721
SHA1: 677D5DE4E592AF284024871E7A73522D44FC9B7C


((((((((((((((((((((((((((((( SnapShot@2009-05-13_19.22.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-13 22:06 . 2009-05-13 22:06 16384 c:\windows\temp\Perflib_Perfdata_238.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-04-06 18:26 238968 ----a-w c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-10-26 509224]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"WatchDog"="c:\program files\mobile PhoneTools\WatchDog.exe" [2004-08-14 36864]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SigmatelSysTrayApp"="c:\windows\stsystra.exe" [2006-09-22 282624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IPInSightMonitor 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]
"IPInSightLAN 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 380928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-10 169984]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-23 1032192]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2008-9-6 49254]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-20 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/9/2008 2:42 PM 29808]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [7/31/2008 3:19 PM 108296]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [5/10/2009 1:12 PM 1181040]
S2 WDFNet;Webroot Desktop Firewall network service;c:\program files\Webroot\Webroot Desktop Firewall\wdfsvc.exe --> c:\program files\Webroot\Webroot Desktop Firewall\wdfsvc.exe [?]
S3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [6/20/2008 6:43 PM 880100]
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://att.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jason Gilardi\Application Data\Mozilla\Firefox\Profiles\ycxjekjs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 17:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\progra~1\Yahoo!\YOP\SSDK02.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\DataViz\DvzIncMsgr.exe
c:\program files\Digital Line Detect\DLG.exe
c:\program files\Palm\Hotsync.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2009-05-13 17:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-13 22:14
ComboFix2.txt 2009-05-13 19:24

Pre-Run: 33,762,181,120 bytes free
Post-Run: 33,816,141,824 bytes free

278 --- E O F --- 2009-05-13 14:16

#18 Snacker

Posted 13 May 2009 - 05:32 PM

I figured it out by unzipping it in Safe Mode.

Below is my RootKit Log.


+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.52.0.1013
+----------------------------------------------------


--== Dump Hidden MBR and Hidden File on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

Edited by Snacker, 13 May 2009 - 05:35 PM.


#19 e-tech

Posted 14 May 2009 - 12:27 AM

Great! You've done great work!

Now please go to VirusTotal, and upload the following files for analysis:
c:\program files\FINALE.EXE
Post the VirusTotal results in your reply.


Download this file and save it to your computer. Double-click the .vbs file. You will be prompted when the script is done.
Please reboot your computer and let me know if icons and task bar are back now.


If not then I suggest you use the CHKDSK and System File Checker (SFC) utilities in XP.

CHKDSK is a disk error checking utility that verifies the logical integrity of a file system. As you use your hard drive, it can develop bad sectors which slow down hard disk performance and make data writing difficult. Chkdsk scans the hard drive and will check the files and folders for file system errors, lost clusters, lost chains, and bad sectors. When encountering logical inconsistencies in file system data, it will perform the necessary actions to repair the file system data.

Chkdsk scans the disk structures and disk surface for possible errors and inconsistencies in separate phases. During the first few phases, it checks the FAT or NTFS for lost clusters, cross-linked files and inconsistent directories. When these steps are completed, it asks you whether you want to run a full scan, during which it actually reads every single sector to prove that it is readable.

CHKDSK can be run from the Recovery Console (correct way), the command prompt or through the Windows GUI.
To run chkdsk from the Recovery Console see these instructions.
To run chkdsk from the Win XP GUI see these instructions.
To run chkdsk from the command prompt see these instructions.
For command SYNTAX information see here.

The problem with running CHKDSK from Win XP is that it will not check files that are being used by Windows. Using CHKDSK in the Recovery Console with the /r switch is a way to resolve this.

There are additional instructions to run CHKDSK from the Recovery Console here and here.

Then run the System File Checker (SFC) to scan all protected files to verify their versions. If SFC discovers that a critical system file has been damaged or altered, or is missing, it restores the correct version of the file from the cache folder. You must be logged on as an administrator or as a member of the Administrators group to run sfc, and it may ask you to insert your XP Installation CD, so have it available.

To use System File Checker:
Go to Start > Run and type: sfc /scannow

Make sure that you include a space between the c and /. This command will initiate the Windows File Protection service to scan all protected files, verify their integrity, and replace any problem files.

Let me know how it went. :)


Best regards

e-tech

Edited by e-tech, 14 May 2009 - 12:29 AM.



#20 Snacker

Posted 14 May 2009 - 08:12 AM

Thank you.
I don't think 'Finale' is what is causing my issues. 'Finale' is a program that I uploaded from a cd a couple of years ago. It's a program designed to help you arrange musical notes. I'm using it because I'm a musician and I'm thinking of writing a music instructional book. If you think this may be causing any issues I will delete the program and try the other things you suggested as well.

Edited by Snacker, 14 May 2009 - 08:12 AM.


#21 e-tech

Posted 14 May 2009 - 08:15 AM

If you are familiar with the file then you don't have to do anything with it. That upload of the file was part of my investigations process.
Please go on to the next step. :)

Edited by e-tech, 14 May 2009 - 08:15 AM.



#22 Snacker

Posted 14 May 2009 - 11:01 AM

I did your first option (.vbs file) and that didn't fix it. I'm going to try the CHKDSK option.
You provided a few options on running this program. Do you suggest the Recovery Mode option first? Do I need to be in SafeMode to do this?
Any chance of losing any files by running this program, or the SFC?

#23 e-tech

Posted 14 May 2009 - 11:51 AM

Hello Snacker

Do you suggest the Recovery Mode option first?

Yes, it's a good idea to do that.

Do I need to be in SafeMode to do this?

No, please read these instructions
http://www.bleepingc...utorial117.html

Any chance of losing any files by running this program, or the SFC?

The risk is minimal. It can't get worse than it is now.

Best regards

e-tech



#24 Snacker

Posted 14 May 2009 - 06:38 PM

I put in my XP cd to install Recovery Mode and was told that my computer has a newer version on it than the cd. The cd that came with my computer has SP2 on it. It told me I could continue and reinstall the info on the cd. Wouldn't this be like reinstalling XP? Again, my computer is not letting me backup to my hard drive and I'm worried about doing this. Any suggestions? Should I try skipping to the System File Checker Option, or will I run into the same issue?

Edited by Snacker, 14 May 2009 - 08:21 PM.


#25 e-tech

Posted 15 May 2009 - 12:00 AM

Hello Snacker

Wouldn't this be like reinstalling XP?

No, it wouldn't.

Please move on to the System File Checker (SFC). Let's see if it helps.

If not, then we have to do a Windows Repair, but let's try SFC first.

Best regards

e-tech

Edited by e-tech, 16 May 2009 - 01:34 AM.



#26 Snacker

Posted 16 May 2009 - 08:48 PM

I ran the SFC with my XP disc and it didn't help.

I noticed that if I go to MSCONFIG and start the computer in Diagnostic Setup my desktop icons and taskbar appear. Also, explorer.exe is listed in the process menu. When I restart in Normal Startup I get the same issues back again.

This all first started happening because I was getting a Rundll error message. As you know I went to the Startup tab in MSCONFIG and unchecked M3Plugin. After that is when I lost my icons. As soon as this happened I went back to the startup tab and noticed that M3Plugin was rechecked. I just looked at it again and noticed M3Plugin isn't listed anymore in the startup tab. I don't know if that's good or bad. Just keeping you updated.
Also, in the original Rundll error message it also mentioned MyWebs. I had heard this could cause computer problems and noticed my HijackThis log had it listed. Is there anything I should do about that?
What is my next step?
Again, I really appreciate the time you're taking to help me with this.

#27 e-tech

Posted 17 May 2009 - 01:04 AM

You are welcome. :)

We've removed MyWebs because it's MyWebSearch plugin which is spyware.

The next step will be Windows Repair.

Please read this part first
http://michaelsteven...pairinstall.htm

It is extremely important that you backup important data that is not available from other media sources. This backup should be located on a separate hard drive, CD, DVD, network storage, etc. that will not be affected by the repair install.

1. Boot the computer using the XP CD.

2. When you see the "Welcome To Setup" screen, you will see the options below "This portion of the Setup program prepares Microsoft Windows XP to run on your computer":

3. Press Enter to start the Windows Setup. Do not choose "To repair a Windows XP installation using the Recovery Console, press R" (you do not want to load Recovery Console). I repeat, do not choose "To repair a Windows XP installation using the Recovery Console, press R".

4. Accept the License Agreement and Windows will search for existing Windows installations.

5. Select the XP installation you want to repair from the list and press R to start the repair.

6. Setup will copy the necessary files to the hard drive and reboot. Do not press any key to boot from CD when the message appears. Setup will continue as if it were doing a clean install, but your applications and settings will remain intact.


Best regards

e-tech



#28 Snacker

Posted 17 May 2009 - 05:09 PM

As you know the NTBackup utility wasn't working for me so I opened my external hard drive and copied my files over. Hopefully that'll work and I've backed up everything I need.
As far as the Repair Install, after looking at the article you sent a link to, I copied the WPA.DBL and WPA.BAK files. I was not able to put them on a cd so I put them on my ext. hard drive. I hope that is ok. The only thing I am not understanding is the following paragraph. Do I have to do this before the Repair Install:

"Backup copies of your registry files (in the %systemroot%\Repair folder) are also replaced after the in-place upgrade is complete. Copy these registry backups to another location before you perform an in-place upgrade/Repair Install. You may need to use them after the in-place upgrade is complete."

Not sure how to do this

And do I need to run the Files And Settings Transfer wizard? If so, when?

#29 e-tech

Posted 18 May 2009 - 12:29 AM

Hello snacker

Good questions. :)

The only thing I am not understanding is the following paragraph. Do I have to do this before the Repair Install:

"Backup copies of your registry files (in the %systemroot%\Repair folder) are also replaced after the in-place upgrade is complete. Copy these registry backups to another location before you perform an in-place upgrade/Repair Install. You may need to use them after the in-place upgrade is complete."

Not sure how to do this

Yes, these actions need to be performed before initiating the Repair Install.
The %systemroot%\Repair folder is called C:\WINDOWS\Repair on your computer.
Please copy it to another location, on your external hard drive.


And do I need to run the Files And Settings Transfer wizard? If so, when?

It's up to you and you need to transfer the files before the Repair Install.

Just ask if you have any questions. :)

Best regards

e-tech



#30 Snacker

Posted 18 May 2009 - 08:25 AM

Ok, so I copied the 'Repair' folder to my Ext. hard drive.
I guess I don't need to use the FTW if I've already copied my backup files to my ext. hard drive, correct?
I think I'm ready to go.
What happens if I get the same message of "My computer has a newer version of windows than the cd"? Before I do this should I delete SP3, or just go for it and see what happens?
Last question, how do I boot from the cd?
Thank you

#31 e-tech

Posted 18 May 2009 - 08:38 AM

Ok, so I copied the 'Repair' folder to my Ext. hard drive.
I guess I don't need to use the FTW if I've already copied my backup files to my ext. hard drive, correct?

Yes.

What happens if I get the same message of "My computer has a newer version of windows than the cd"? Before I do this should I delete SP3, or just go for it and see what happens?

Please just continue and see what happens. If it happens then please write exactly what it says in your next reply.

Last question, how do I boot from the cd?

Just put the cd in and reboot. Your computer should boot from the cd automatically. If your computer won't boot from the cd then you may need to change the boot order in the system BIOS. But let's see first if it can do that.



#32 Snacker

Posted 18 May 2009 - 08:44 AM

One step I forgot to do yet was to delete the Undo_guimode.txt file.
When I type in cmd it brings up the black screen and says C:\\documents and settings\jasongilardi>
Do I type in the following after this?
del /a /f c:\windows\system32\undo_guimode.txt.
Because on the provided screen shot it shows c:\\windows\system32...
I can't get it to just show the C:\\ prompt

I tried opening the System32 folder and couldn't find the Undo_guimode text in there. I thought I could just manually delete it that way.

#33 e-tech

Posted 18 May 2009 - 08:49 AM

There's an easier way to do it.

Please launch the Windows search tool: click Start > Search > All Files or Folders.
In the More advanced options, find Search hidden files and folders and select it if it's not selected.

Please search for Undo_guimode.txt on your computer and delete it (if present).



#34 Snacker

Posted 18 May 2009 - 11:21 AM

I searched for Undo_guimode.txt and couldn't find it.
Is this a good or bad thing? Why wouldn't it be on my computer?

#35 e-tech

Posted 18 May 2009 - 11:32 AM

It looks like Undo_guimode.txt file is not on your system. This file often appears on systems in which the manufacturer has preinstalled XP and is created by the wizard that runs when the user first starts Windows XP operating system.

I can't tell why it isn't on your computer.

Please proceed with the repair process.


#36 Snacker

Posted 18 May 2009 - 09:02 PM

I spent an hour doing the repair install. After it was complete my computer restarted. The icons and taskbar stayed on longer than they have in a long time, then... they went away again. All my files were safe.
How did this not fix it? I'm sure you could imagine how crazy this is making me.
Is the next step a clean install?!! What if that doesn't fix it? Any more options before I try a clean install?
What's confusing me is why the icons and taskbar stay on in Safe Mode or Diagnostic Setup, but not in normal setup.
What is causing this?

Edited by Snacker, 18 May 2009 - 10:27 PM.


#37 e-tech

Posted 19 May 2009 - 03:04 AM

Hello Snacker

I can imagine how irritating this can be for you. I fully understand you.
This looks like an explorer issue and I'm still investigating what's causing this.

Please run Notepad and paste the following text into a new file:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
Save the file to the Desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the Desktop and double-click on fix.reg, and click Yes to merge it with the registry.
Right-click and delete fix.reg when it's done.

Please reboot and tell me if they are back now.

Best regards

e-tech

My fight is dedicated to the children with autism - please support and help these kids.

Our greatest glory is not in never falling but in rising every time we fall.
- Confucius
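
The fix.reg file in post #37 resets the Winlogon Shell value to its default. As an added example (not from the thread), this Python sketch parses a registry export and reports when Shell is anything other than Explorer.exe; the second export and its path are constructed sample data.

```python
import ntpath
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# The fix.reg text from post #37.
PAGE_FIX_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

# Constructed sample: an export where something was appended to Shell.
CONSTRUCTED_MODIFIED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\\Example\\extra.exe"
'''

def parse_reg(text):
    """Parse .reg text into {key_lower: {value_name_lower: string_data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data
    return keys

def check_shell(reg_text):
    """Return findings for the Winlogon Shell value; an empty list means default."""
    values = parse_reg(reg_text).get(WINLOGON.lower(), {})
    if "shell" not in values:
        return ["Shell value not present in this export"]
    shell = values["shell"].strip()
    if shell.lower() == "explorer.exe":
        return []
    if shell.lower().startswith("explorer.exe"):
        return ["extra content after Explorer.exe: %r" % shell[len("explorer.exe"):]]
    if ntpath.basename(shell).lower() == "explorer.exe":
        return ["path-qualified shell, verify the folder: %r" % shell]
    return ["shell replaced: %r" % shell]
```

A finding means the value needs a manual look, not that the system is infected; some systems legitimately use a full path or another shell.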


#38 Snacker

Posted 19 May 2009 - 08:16 AM

That didn't work.
Explorer.exe is still not running in the Processes menu.
Do you need another HijackThis log?

Edited by Snacker, 19 May 2009 - 08:32 AM.


#39 Snacker

Posted 19 May 2009 - 08:25 AM

I just tried Rebooting again.
After the icons went away I got this Explorer.exe Application Error message:
"The Instruction at "0x7c801af1" referenced memory at "0x7c801af1" The Memory could not be written.
Press OK to terminate
Cancel to debug."

I pressed Ok
This message has popped up from time to time in the last few weeks. Not every time I boot up.

Edited by Snacker, 19 May 2009 - 08:35 AM.


#40 e-tech

Posted 19 May 2009 - 09:15 AM

Ok, Snacker.

Something is crashing your Explorer. Let's find out what it is.


Since you stated that it works fine in Safe Mode, then some startup program in Normal Mode is probably causing it.

Let's find out which one it is.

Navigate to Start --> Run, and type in the following command:

MSConfig

Press OK.

Click the Startup tab.

Click Disable All, which should uncheck everything. Click OK, then restart your computer. See if your icons and taskbar appear now. If they do, then one of those startup programs is responsible.

Now comes the tedious part. Using MSConfig, enable each program, then restart your computer (one at a time), and if they disappear again, then you'll know which program is responsible. After you know that, tell me which one, re-enable all of the startup programs with MSConfig, and we'll see what we can do about the odd man out.

Best regards

e-tech

Edited by e-tech, 19 May 2009 - 09:15 AM.


#41 Snacker

Posted 19 May 2009 - 12:19 PM

I unchecked everything and my computer started up normally with the icons and taskbar.
I'm still in the process of enabling everything individually. So far, the program IPMON32 is the one that when enabled is not allowing the icons and taskbar to appear. I googled this program. It says it's a safe program that doesn't need to run at startup. It said this program comes with Verizon DSL service which I've never had.
Still checking the rest of the start up programs, but wanted to give you a heads up about this.

I also noticed that one of the start up options is America Online. I haven't used AOL in years and I don't think ever on this computer. I went to add/remove programs and AOL was not listed.

#42 e-tech

Posted 19 May 2009 - 12:48 PM

Sounds great!!! :wave:

Looks like we are close to solving the problem and you even got a brand new and repaired system. :D


#43 Snacker

Posted 19 May 2009 - 12:58 PM

It's definitely IPMON32. I just unchecked everything again except that program and the icons and taskbar went away.
What do we do now?
How about the AOL program?

Also, starting a couple of days ago, when I reboot the first screen now comes up asking if I want to start in Windows XP or the recovery console. It stays up for about 30 seconds unless I press any key. I've never seen this before. Just making sure this isn't something bad.

#44 e-tech

Posted 19 May 2009 - 01:59 PM

Hello Snacker

"It's definitely IPMON32. I just unchecked everything again except that program and the icons and taskbar went away.
What do we do now?"

IPMON32 on your computer belongs to Visual Networks and it's placed in c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe. Just disable it at the startup. You can remove it if you are not using it.

"How about the AOL program?"

You can find it here C:\Program Files\America Online 9.0

Then please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

Now please close all open windows except HJT and press "Fix checked".


"Also, starting a couple of days ago, when I reboot the first screen now comes up asking if I want to start in Windows XP or the recovery console. It stays up for about 30 seconds unless I press any key. I've never seen this before. Just making sure this isn't something bad."

I guess that you are talking about this window.

It's because you got the Recovery Console. It's good to have on your computer and can be used to help fix problems that are preventing your Windows installation from properly booting up into Windows.


I can see that you have some leftovers from Norton.
Please download AppRemover to your Desktop. Double-click AppRemover.exe.
Click Next>>. Select the security product that you are not using anymore and want to remove and click Next>>.
By clicking Next>> again, AppRemover will start the uninstall process. This may take a few minutes.
Once completed you may be prompted to restart your system. Please do so.


It's time for some housekeeping.
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /u


Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:


Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.


As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection.

However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Make sure your programs are up to date. Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure.

If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewa...nti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)


Best regards

e-tech

Edited by e-tech, 19 May 2009 - 02:03 PM.

My fight is dedicated to the children with autism - please support and help these kids.

Our greatest glory is not in never falling but in rising every time we fall.
- Confucius
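
Posts #41 to #44 trace the crash to one startup entry and find an AOL entry with no Add/Remove Programs listing. This added example (not from the thread or from HijackThis itself) parses O4 startup lines from a HijackThis log and lists entries whose Program Files folder matches no installed program name. Only the AOL line and the IPMon32 path come from the thread; the other line, the value names, the arguments and the installed list are constructed.

```python
import re

# HijackThis O4 lines: registry Run entries and Startup-folder shortcuts.
RUN_RE = re.compile(r"^O4 - (?P<loc>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
LNK_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)

# Constructed log excerpt; only the last line is quoted from post #44.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example Suite\updater.exe" /tray
O4 - HKLM\..\Run: [IPMon32] c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe -auto
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
"""

# Constructed stand-in for the Add/Remove Programs list.
INSTALLED = ["Example Suite"]

def parse_o4(log_text):
    """Return one dict per O4 startup entry found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip()) or LNK_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m["cmd"])  # drop quotes and command-line arguments
        path = (exe.group(1) or exe.group(2)) if exe else m["cmd"]
        entries.append({"location": m["loc"], "name": m["name"], "path": path})
    return entries

def vendor_folder(path):
    """First folder under Program Files, or None for paths elsewhere."""
    parts = path.lower().split("\\")
    if len(parts) > 2 and parts[1] == "program files":
        return parts[2]
    return None

def orphans(entries, installed):
    """Startup entries whose Program Files folder matches no installed name."""
    names = [n.lower() for n in installed]
    out = []
    for e in entries:
        folder = vendor_folder(e["path"])
        if folder and not any(folder in n or n in folder for n in names):
            out.append(e)
    return out
```

The folder-to-name match is a heuristic for deciding which entries to look at first; an entry it lists still needs the manual check described in the posts above.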


#45 Snacker

Posted 19 May 2009 - 02:41 PM

I'll go ahead and do all the above suggestions.
I can't thank you enough for all your help!! :thumbsup: :D
Do you suggest going back to SP3, or staying with SP2?
I hope you won't close this case just yet in case I run into a couple more questions.

#46 Snacker

Posted 19 May 2009 - 02:56 PM

I did AppRemover and it didn't find any Norton products.
Also, would you advise upgrading to IE 7?

#47 e-tech

Posted 20 May 2009 - 12:16 AM

Hello Snacker

Please use the Norton Removal Tool to remove the Norton leftovers.
You can find it here.

I strongly recommend updating to Windows XP SP3. It is now available via Windows Update or as a standalone installation here: http://www.microsoft...;displaylang=en

Please upgrade to Internet Explorer 7 or 8.

Please navigate to http://windowsupdate.microsoft.com and download all the "Critical Updates" for Windows. These will patch many of the security holes through which attackers can gain access to your computer. Your current versions appear to be outdated.

Best regards

e-tech

Edited by e-tech, 20 May 2009 - 12:19 AM.


#48 Snacker

Posted 20 May 2009 - 08:54 AM

I downloaded the critical updates.
I will download SP3.
I've read a few reviews about issues with IE8 messing with computers. Do you feel I'm safe to do that?

I went to the link you provided to remove Norton. It asks which version I have. I found my original cd and it's Norton 2002. I can't remember if I ever upgraded it while I had it. The oldest option it gives me for removal is Norton 2003. I ran a computer search for Norton and nothing came up. Which option should I choose?

#49 e-tech

Posted 20 May 2009 - 10:25 AM

Hello Snacker

Great!!!

"I downloaded the critical updates.
I will download SP3.
I've read a few reviews about issues with IE8 messing with computers. Do you feel I'm safe to do that?"

Yes, you can. You can always remove it from Add or Remove programs if you experience any problems and install IE7, but I don't think it will be necessary.

"I went to the link you provided to remove Norton. It asks which version I have. I found my original cd and it's Norton 2002. I can't remember if I ever upgraded it while I had it. The oldest option it gives me for removal is Norton 2003. I ran a computer search for Norton and nothing came up. Which option should I choose?"


Please try first with Norton 2003 and move on. I think that it must be either 2003 or 2004/2005 version.

Best regards

e-tech


#50 Snacker

Posted 25 May 2009 - 12:08 PM

I've now done all your suggestions and downloaded all the security updates including SP3. Everything seems to be back to normal.
The only problem I've encountered is when I tried your suggestion of going to 'Run' and typing in ComboFix /u I got an error message then a blue screen popped up. I found a picture online that had the same blue screen message and I've attached it. Once this blue screen came up I hard rebooted my computer and everything seemed fine again. Just making sure there's no serious issues from it.
Thank you
Attached File  Blue_Screen.jpg   64.12KB   19 downloads



