[gmomof6]

My computer is "dead"!! Nothing works!! I do not know if my problem is spyware, a virus, or the computer itself but I need help to fix it. Here is what happened:

While looking at web sites that offered free genealogy graphics, a dark-colored page suddenly popped up and filled my screen. It disappeared very quickly but a lot of other small windows popped up then. I was redirected to some other site. And several new strange icons for stuff like gambling casinos, etc. suddenly appeared on my desktop.

I quickly shut them down and ran my anti-virus program (Norton Anti-Virus 2003----kept up-to-date). No virus found. Then I ran Adaware and then Spybot S&D. I made sure each had the latest updates first. They both found spyware which I had them fix. But both also had some files that said they could not fix and Adaware asked if I wanted it to fix the files next time the coputer started up. So I set adaware to start and fix the files on the next start up. Then I shut down and restarted my computer. Adaware found some files and fixed them.

Then I ran Spybot again, and it found more files. So I ran Adaware again and it found more files. Each time they fixed most of the files but some could not be fixed until a new restart. This just kept happening over and over. They would find and fix files but the files reappeared again every time I started my computer.

And every time I started my computer it got worse and I lost more control of it and now all it will do is start up. At first I was able to check email, open my genealogy program etc. A few restarts later, I discovered that almost all my email was GONE (over 7,000 genealogy emails in OE on my computer!!). Next time I started my computer, I could do nothing. Clicking my mouse no longer works....nothing will open. And I cannot not close my copmuter via the "Start" button. I have to shut it off manually.

What can I do???? Thank you for any help!!!

[Advertisements]

Sounds like you have a nasty spyware problem. We can fix that but first need to get your sytem running again.

First try starting your computer in safe mode:
Start Windows, or if it is running, shut Windows down, and then turn off the computer.
Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

If you successfully boot into safe mode, try system restore to restore your computer to when before the problem began. Start -> All Programs -> Accessories -> System Tools -> System Restore.

[admin]

Sounds like you have a nasty spyware problem. We can fix that but first need to get your sytem running again.

First try starting your computer in safe mode:
Start Windows, or if it is running, shut Windows down, and then turn off the computer.
Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

If you successfully boot into safe mode, try system restore to restore your computer to when before the problem began. Start -> All Programs -> Accessories -> System Tools -> System Restore.

[gmomof6]

OH, thank you for helping!!

I did what you said and got into Safe Mode but got this message:
"System Restore has been turned off and cannot be turned on in Safe Mode. To turn on system Restore, restart in normal mode and then run System Restore again."

Why would System Restore be turned off???

I can't do this because when i start my computer normally....nothing works. I can't click on or open anything.

What do I do now?

Please be as detailed as possible in your instructions to me. I've never done anything like this before. thanks.

[admin]

Follow the instructions for booting into safemode again, but this time instead of selecting safe mode, select Last Known Good Configuration. Then see if it boots normally.

See Disabling or enabling Windows XP System Restore , someone must have disabled system restore on your system.

[gmomof6]

That worked!! I now have control of my mouse again!!

Here is what I did after my desktop came up. I ran Adaware, then I ran Spybot. I ran each of them in alternation 3 times. Each time the same things kept showing up even though I had them fix those things each time.

The things that show up in Adaware are:
VX2.betterinternet

and in Spybot these always keep reappearing:
Look2Me
VX2/h.Abetterinternet

I can now open my email but the email is still gone!! I can also open my genealogy program (but I forgot to check if the info is in it!!)


What do I do now?

[gmomof6]

oh dear!! I just went back to my own computer and now the "START" button and the clock, etc that are on the bottom of the screen on the right side are all blacked out again!! But I can still use my mouse......I haven't shut my computer off since I did what you had told me to do.

[admin]

Stop with Adaware and Spybot for now.

Download and run CWShredder.
CLICK HERE to download CWShredder.

When finished reboot.

Next, click the Hijack This guide in my signature, reply back and paste the log.

[gmomof6]

I downloaded and ran the CWShredder as you said but now things are worse. When it ran, it said my computer was clean. It didn't find anything. So I rebooted my computer and now there is a strange blue search bar at the top of my screen, about six MORE strange icons on my desktop, and I can't get into my WindowsExplorer again to get to CWShredder because the curser turns to an hourglass when I put it over the "Start" button and I can't click it.

What should I do now?

[admin]

It sure sounds like a CW infection, but I shouldn't have guessed...

Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

[gmomof6]

Before I continue and make mistakes I'd better ask you about the things that are happening......

When I turned my computer on again to download Hijackthis, my IE browser has now been replaced with a browser called 'allmysearching.com' or something like that. And my mouse will not let me click on anything in the taskbar(I think that is what it is called) along the bottom of my screen.

I was able to download and save Hijackthis, but there were several windows that popped up asking me questions so I thought I'd better check with you about them first since the guide didn't mention any windows popping up or having to make choices.

One says "URGENT SECURITY ALERT" Your browsers security settings are dangerously low.............Do you want Virtual Bouncer to increase your security settings?"

Another one says "Confirmation" Do you want to install and run Tools for IE once you agree to the license terms and privacy policy (http://www.trafficsy.../4467/terms.asp)?

Another one says " PARASITE ALERT" Virtual Bouncer found files that are bein used to track your behavior............do yu want Virtual Bouncer to remove......."


I couldn't get all the words copied but enough to tell you what they are about.

What are these? How should I respond to them?

[admin]

They're just advertising spawned by the spyware on your system. Close the windows, cancel, or just ignore them.

P.S. Hijack This doesn't make any changes to your system, it just helps us identify what we're dealing with.

[gmomof6]

ok i'll run hijackthis and come back with the log......

[gmomof6]

Wow, that was tough!!! It took a long time and many tries of turn my computer on and off before my curser would let me click on anything!!

but finally here is my log:



Logfile of HijackThis v1.97.7
Scan saved at 1:32:16 AM, on 3/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\manage.exe
C:\WINDOWS\System32\keyword.exe
C:\PROGRA~1\rdrante\Boob army.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Window Active\winactive.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\Program Files\VBouncer\VirtualBouncer.exe
C:\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearc.../searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearc.../searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "allaboutsearching.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kwlau70i.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\kwlau70i.slt\prefs.js)
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
O3 - Toolbar: Bend Body Meow - {CE606D9D-F664-E370-9A31-654FB01F4FB8} - C:\PROGRA~1\EGGSPE~1\eqbuild.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O4 - HKLM\..\Run: [platformmode] C:\PROGRA~1\rdrante\Boob army.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1071105773625
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...55/sdcregie.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ances...ll/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B17AC27-BA35-4843-AD58-E28C597AB0A7}: NameServer = 216.127.92.38
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 207.69.188.186,216.127.92.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B17AC27-BA35-4843-AD58-E28C597AB0A7}: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 207.69.188.186,216.127.92.38
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B17AC27-BA35-4843-AD58-E28C597AB0A7}: NameServer = 216.127.92.38
O17 - HKLM\System\CS3\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 207.69.188.186,216.127.92.38
O17 - HKLM\System\CS3\Services\Tcpip\..\{0B17AC27-BA35-4843-AD58-E28C597AB0A7}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.69.188.186,216.127.92.38

[admin]

Give me 10-15 minutes and I'll have a reply for you.

[gmomof6]

thank you!