[iamgrim]

Steps Done as per Post 3#

CWShredder had an error as per last time & shut down

Aboutbuster log

Scanned at: 5:08:11 PM on: 11/05/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Cleanup was succesful

Adaware ran all the way through & came up with 32 Negligible Objects when I tried to delete them Adaware froze and could only be ended via Task Manager

Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 5:47:25 PM, on 11/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Telstra Big Pond
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\program files\Telstra\Signup\tbpt.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

I will try and delete the files (Windows Explorer is still playing up and may not allow me....

[Advertisements]

Cannot delete files in Windows Explorer, comes up with same Windows Explorer message as previous, I have Win 98 Startup Disk here could I boot into DOS & delete them that way, if so do you know the command/syntax I would use, I'm a tad rusty on the old DOS commands ...........Scrub that the file system is formatted NTFS, the disk can't read the HDD.

Edited by iamgrim, 11 May 2005 - 05:19 AM.

[iamgrim]

Cannot delete files in Windows Explorer, comes up with same Windows Explorer message as previous, I have Win 98 Startup Disk here could I boot into DOS & delete them that way, if so do you know the command/syntax I would use, I'm a tad rusty on the old DOS commands ...........Scrub that the file system is formatted NTFS, the disk can't read the HDD.

Edited by iamgrim, 11 May 2005 - 05:19 AM.

[Michelle]

Please read these instructions carefully

*Click Here to download Killbox by Option^Explicit (if you haven't downloaded it yet(.
*Save it to your desktop.
*Double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\WINDOWS\Web\desktop.html
C:\WINDOWS\wldr.dll

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts.

Post a new HiJackThis log.

[iamgrim]

I explored to the folders in question after reboot and it looks like Killbox got rid of wldr.dll but not desktop.html

Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 6:18:55 AM, on 12/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\program files\Telstra\Signup\tbpt.exe
C:\Program Files\Mouse\Amoumain.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Telstra Big Pond
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\program files\Telstra\Signup\tbpt.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Cheers

[Michelle]

I'll have to think about it because your log still looks fine.

[iamgrim]

I moved the HDD into another PC and deleted the file located at C:\WINDOWS\Web\desktop.html, also got rid of that 'Cracking' folder you talked about earlier. Put it back in the PC it came from, Windows Explorer /Dr Watson error still coming up.

[Michelle]

Download: StartDreck from: http://www.niksoft.a.../startdreck.htm

• Extract the file into c:\startdreck.
• Navigate to c:\startdreck and double-click on Startdreck.exe
• When the program opens click on the Config button.
• Then click on the unmark all button.
• Put checkmarks in the following checkboxes:
• Under Registry put a checkmark in the Run Keys checkbox.
• Under System/Drivers put a check in the Running Proccess checkbox.
• Press the OK button.
• Press the Save button.

Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

Open the StartDrek.log, copy and paste the results of that log here.

[iamgrim]

StartDrek Log

StartDreck (build 2.1.7 public stable) - 2005-05-12 @ 16:53:24 (GMT +10:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Latcham at LATCHAMS

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
*NvMediaCenter=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
»RunOnce
»Local Machine
»Run
*{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}=C:\program files\Telstra\Signup\tbpt.exe
*WheelMouse=Amoumain.exe
*SpeedTouch USB Diagnostics="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
*SoundMan=SOUNDMAN.EXE
*pccguide.exe="C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
*NeroCheck=C:\WINDOWS\system32\NeroCheck.exe
*CloneCDTray="C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
*CloneCDElbyCDFL="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+584=\SystemRoot\System32\smss.exe
+632=\??\C:\WINDOWS\system32\csrss.exe
+656=\??\C:\WINDOWS\system32\winlogon.exe
+700=C:\WINDOWS\system32\services.exe
+712=C:\WINDOWS\system32\lsass.exe
+884=C:\WINDOWS\system32\svchost.exe
+964=C:\WINDOWS\system32\svchost.exe
+1000=C:\WINDOWS\System32\svchost.exe
+1060=C:\WINDOWS\System32\svchost.exe
+1144=C:\WINDOWS\System32\svchost.exe
+1464=C:\WINDOWS\system32\spoolsv.exe
+1664=C:\Program Files\ewido\security suite\ewidoctrl.exe
+1684=C:\program files\Telstra\Signup\tbpt.exe
+1692=C:\Program Files\Mouse\Amoumain.exe
+1700=C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
+1716=C:\WINDOWS\SOUNDMAN.EXE
+1724=C:\Program Files\ewido\security suite\ewidoguard.exe
+1732=C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
+1768=C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
+1948=C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
+184=C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
+676=C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
+2272=C:\WINDOWS\System32\alg.exe
+2512=C:\WINDOWS\explorer.exe
+3672=C:\Startdreck\StartDreck.exe
»Application specific

[Michelle]

Do you happen to have the XP disk?

[iamgrim]

Yep

[Michelle]

Ok, good! Because your log is clean and the programs aren't turning up anything that causes the Dr Wat error message... So I think the next step is a repair install. And if that doesn't work, eek, I'll have to think about that one!

http://www.geekstogo...ws_XP-t138.html

[iamgrim]

This is getting beyond a joke, now the XP disk is coming up with hundreds of install errors "Setup cannot copy this file that file blah blah blah" To retry press enter, to skip press ESC, I have 2 totally different disks, different keys and everything here and both are doing the same thing, F#CK!!!!!!!!!!!!!!! Now I'm getting p@ssed off !!!!!!!!!!!!!!!!!!!!!!!

Thanks for all your help Bananafanafo but I think I'll find a tall building and drop this PC off it

[iamgrim]

Hi again,

Repair didn't go according to plan (see last post) so did a format and reinstall(where the XP CD went through perfectly???) loaded up Windows & SP2(could this be the problem?), same problem exists, no access to Desktop, explorer.exe error then Dr Watson error and this causes system to freeze up until Dr Watson is ended in Task Manager. There is quite a bit of stuff on a second partition, backup of Data, files etc could something on here be affecting this or ......any ideas?

[Michelle]

SP2 can cause problems, but I've never heard of it causing those kinds. have you tried uninstalling SP2 and just going to Service Pack 1a to see if it helps anything?

Whew and re-format and re-install and you're still having problems with that?? YUCK! It's definitely not a malware problem then but definitely something on your computer isn't playing well with something else. This, however, is out of my league because I only deal with malware.

Would you like me to have this topic moved to the XP forum? There is a staff member over there by the name of gerryf who is awesome and should be able to help you with this problem!

[iamgrim]

Yes please, thanks again for your help....