[sheba123]

I transferred FindAWF to the other computer got it into the C:\ drive and and ran it

I got the error message that the NTVDM.exe file had an unexpected error

The FindAWF program seems to be hanging searching for 25K files and a blinking cursor?

I've left it up until I'm sure it's not working or you tell me differently


here's the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 7:00:14 PM, on 11/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\System32\dwwin.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:/HP/REGION/start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/HP/REGION/start.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/30...0...mp;m=0&vm=0
O2 - BHO: (no name) - {8c33d0d0-5261-4591-8a52-f8a6371b5553} - C:\WINDOWS\System32\bfc42u.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - Startup: AutoPlay.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movi.../altpmtscab.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {666E4D35-E955-11D0-A707-000000521958} - http://ads.dropspam....aab/upgrade.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,19/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8349EA6-D911-4E6D-93C4-9DDB9A84C87C}: NameServer = 62.217.54.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC3327B8-2B86-4331-AFD7-5C51EAE90275}: NameServer = 62.217.54.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{E261D78B-D5D0-4514-B3D0-AF709AD230CD}: NameServer = 62.217.54.69
O20 - Winlogon Notify: bfc42u - bfc42u.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

[Advertisements]

Im beginning to think this may be a lost cause,its infected and disabled system files too.


Do you have your Windows CD?

What brand name Computer is this?

[Wizard]

Im beginning to think this may be a lost cause,its infected and disabled system files too.


Do you have your Windows CD?

What brand name Computer is this?

[sheba123]

<sigh>

I was really afraid of this- I'm at work and will be on my way home shortly. I'll ask a few questions before i get there so maybe you can answer them by the time I get home.

1. If we have to completely re-install everything - Can I save some of my files from word, excel, quicken backup, money backup or will doing so re-infect the computer? I have some critical things in there that I really don't want to do over (3 years of accouting for example)

2. If I remember correctly, when I bought this computer I did not get install disks- supposedly it's on a separate partition on the hard drive - Circuit City logic I guess. When I get home I will dig through my piles and see what I have exactly and list it here.

[Wizard]

Well,we have one other option that may or may not work.

It involves uninstalling alot of programs on the PC.

Go back and look at you CureIt log and you will see the beginning list of porgrams that will have to be uninstalled.

Then we have to make some other changes to prevent a few applications from launching.


The choice is yours.

[sheba123]

Hmmm,

It doesn't look too bad - Zone Alarm, McAfee, my printer, nothing major or is there?

If there isn't - I'd like to try to save the patient. If there is - well he gave his nobly in a good cause.

I have an HP Pavilion home PC and here's the kicker - as I suspected I don't have any windows install disks for this machine. My documentation says to call the manufacturer yada yada yada.


Now I did *ahem* "borrow" a set of XP Pro disks from work.

I need to get my guy up and running as soon as possible - I'm now almost two weeks behind on my college courses and I go to an online college. You can't imagine the hoops I have gone through just to try and keep up.


What's going to have the best chance of success?

[Wizard]

OK,lets get started and see what happens.

You may have to grab some files of the cds you have or off your good machine as well to help us along,Im not sure yet.


Lets see if we can just get the machine to boot up in normal mode first.

First,go through the Sysclean log carefully,pick out anything it cleaned that doesnt have a .t extension.

I got so burry eyed trying to read it,I could never cypher if Sysclean actually cleaned anything but the .t files.


Next,Open the Search Assistant(Click Start>>Click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check in every box under Advanced Options.

For All or Part of the filename:

Type in .t

As you saw in the Sysclean log,there may be files randomly named that are still on the system

Example:

jswbqmvq.t

If you find matches with just the .t extension,you can safely delete those and empty the recycle bin.

Dont delete anything if you are unsure.



Click Start-> Run-> Type in Services.msc and Click OK

Scroll that list and locate this entry

Machine Debug Manager

Right Click that entry and Select Properties-> Click Stop-> Go up and change the Startup Type to Disabled

Click Apply-> OK and Exit the Services Page


Click Start-> Run-> Type in msconfig and Click OK

Click the Startup tab and UNcheck everything in there so none of the applications listed will load at next boot.

Click Apply->Close->Follow the Prompts to Restart


Restart in Normal Mode and attempt to scan with HijackThis.

If Normal Mode works and HijackThis works,post the fresh log back here and lets see what we have.


Once you post,go get the latest Virus Pattern File from Trend for the Sysclean scan.

I will want to use SysClean again later on.

[sheba123]

Well - If I had my taskbar this would be easier

How to get to search assistant through either the run command or bring up the task bar ?

[Wizard]

Hmm,no taskbar?

No desktop either huh?


Ctrl+Alt+Delete should bring up the taskmanager.

Click New Task--> Type in C:\Windows\Explorer.exe

Let me know if the taskbar and desktop appear correctly?

[sheba123]

Genius - Pure Genius

Okay have a taskbar and all my icons - no background - but who's complaining


Give me a little bit to go through all this and I'll be back

[sheba123]

update

The search assistant found 35,862 files with a .t extension

I put it on detail view to make it easier to see which are true file (fonts etc) - I am deleting the first 1862 and it will take 30 minutes according to the computer - Hopefully I will get through this part tonite

After they are deleted i will post what's left if it's not too long for you to double check

PS I told you the sysclean file was REALLY BIG!!! LOL

While I have a moment...thank you for hanging in there with me and walking me through all of this- You can't know how much you are appreciated

[Wizard]

PS I told you the sysclean file was REALLY BIG!!! LOL

[sheba123]

Well, the computer has sent the night happily deleting .t files.

In computer time 1/2 hour means 2 hours and so as soon as that finally finished I ran it for another 12,000 or so files It gave me an ETA of 212 minutes at 11 last night and when Igot up this moring there were 115 minutes left - If nothing goes wrong it should be finished with that batch by tonite when I get back and then I may have another 2-3 hours of deleting then I will run the rest.

I will update you in the PM.

[Wizard]

Days of deletion,lets just hope all this works for you.

[sheba123]

Yup- but now I only have 9,000 more files to go - I just restarted it when I got home just now and that's how many files were left with that extension - so I figure it should finish about 6am- 8am tomorrow morning.

[sheba123]

Okay, I have deleted 22,000 + files and it finished this morning about 6:45am. I will go home and immediately run the rest of your instructions and post what happens.

I was a little concerned that the files I deleted did not go into the recycle bin - there were only 24 .t files. Is that a problem?