8-Step assistance; Computer up & running again

Status
Not open for further replies.

hk2009

I’m back seeking assistance for another computer. I recently got excellent help from Bobbye cleaning up my current computer. The process went so well that I felt confident to try fixing my old computer which stopped working in November. First, I got some advice on the Windows OS forum last week to get the computer to run (it wouldn’t go to the Windows load screen – was stuck in a loop on a black screen followed by “Boot Failure: System Halted”). Resetting the defaults in the BIOS Utility got it to cycle to the logo page and onto the Windows logon. So, it’s running and now it’s time to get rid of all of the viruses and malware.

The computer is old but I want to keep as a second/backup. It’s a 2002 Gateway with Intel Pentium 4 2.53 GHz; 512MB RAM; 80GB UATA100 7200RPM; Windows XP – HE.

Although there wasn’t a specific issue/instance that caused the computer to stop working (that I know of), it was running slow, and there were other issues that still continue.

I have removed programs that are no longer used (just found some file remnants that I will delete through Explore), ran TFC, removed Norton360 and installed Avira instead, installed Comodo and Firefox, reset cookies for all browsers, and removed 4 items from the startup (although I know there are many more that will go).

Afterward, I completed the 8-steps V/M and now see that there are 3 trojans, ad/spyware and other possible concerns that need to be addressed. I also have these two problems:
  • Cannot access Google.com (I can access other countries, i.e. google.co.in, ~.com.hk, etc., but not the US site). And, I cannot access any Google site associated with U.S. Google like gmail. This also affects using Firefox since they utilize the US Google site.
  • Internet Properties home page “default” has been hijacked by an offensive website (thebestse.com). I’m able to type in my own selection, which remains in place but I’d like the offensive site gone and removed from where ever it’s hiding.
Prior to today, and for several years now, I have been unable to access IE. However, after completing the 8-steps, it is now opening and functioning. I also have SBC Yahoo, which until today was the only browser I could get to work. There are several adware/spyware issues being flagged by Avira associated with SBC Trueswitch. Once the Google USA issue is fixed and I can fully access it from Firefox I will remove all of the SBC Yahoo programs. Until then, I’m afraid to do anything with the various Yahoo programs.

(Bobbye - if you're available to help I'd appreciate working with you again. If not, I welcome other assistance!)
 
Thank you- you made my day! Must have 'trained' you right because you have the AV log right here! We have some work to do- for one thing, your host files have been hijacked.

I'm going to start you off tonight but will have to finish tomorrow because it's late.

Please reopen HijackThis to 'do system scan only'.
Check each of the following if present. Note: don't click on Fix Checked until you completed the list:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.176.190 search.msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 69.93.33.155 www.google.com
O1 - Hosts: 69.93.33.155 google.com
O1 - Hosts: 69.93.33.155 altavista.com
O1 - Hosts: 69.93.33.155 www.altavista.com
O1 - Hosts: 69.93.33.155 yahoo.com
O1 - Hosts: 69.93.33.155 www.yahoo.com
O1 - Hosts: 64.12.152.18 search.netscape.com
O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [system32.dll] C:\WINNT\system\systeminit.exe
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O19 - User stylesheet: C:\WINNT\sstyle.css (file missing)
O20 - AppInit_DLLs: WIKI.DLL

Close all Windows except HijackThis and click on 'Fix Checked'

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Rescan with HijackThis and attach new log and Combofix report.
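For anyone reading along: the O1 lines above are hosts-file entries, and they explain the symptom in the first post (google.com unreachable while google.co.in works, because the hosts file answers for the US domain before DNS is ever consulted). The script below is an added example, not something from this thread or from HijackThis; it parses a hosts file and flags watched search domains that are pinned to anything other than a loopback address. The sample hosts content is constructed from the O1 lines in the log.

```python
import ipaddress

# Constructed sample hosts file, reconstructed from the O1 lines in the
# HijackThis log above (example input, not a file copied from the machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
207.68.172.246  msn.com
69.93.33.155    www.google.com
69.93.33.155    google.com   # hijacker pins the US site, google.co.in untouched
64.12.152.18    search.netscape.com
"""

# Search/portal domains the hijack in this thread redirected.
WATCHED_SUFFIXES = ("google.com", "msn.com", "yahoo.com", "altavista.com", "netscape.com")

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries

def suspicious_entries(text):
    """Flag entries that divert a watched domain away from loopback.

    Public IPs in the hosts file are answered before DNS is consulted, which is
    why google.com failed in this thread while google.co.in still loaded."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.x / 0.0.0.0 are the normal, harmless mappings
        if name == "localhost":
            flagged.append((ip, name, "localhost points off-box"))
        elif name.endswith(WATCHED_SUFFIXES):
            flagged.append((ip, name, "search domain pinned to public IP"))
    return flagged

if __name__ == "__main__":
    for ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<22} {why}")
```

On XP the live file is %SystemRoot%\system32\drivers\etc\hosts; read it into `suspicious_entries` to check a real machine instead of the constructed sample.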
 
I've asked touch to take you through the cleaning as I will be off this section for a while.
 
Touch – thanks for helping out.

I completed the HJT step then went on to ComboFix…and that’s when I got into trouble!

I followed the ComboFix directions exactly (I even read through the tutorial on bleepingcomputer.com beforehand to ensure I executed it properly) but after the autoscan got to step 50, rather than finishing and preparing the log, the desktop closed, a blue screen opened full of writing – too much to copy but including,
“technical problem”, “catchme.sys – address F89B0ABB base at F89AE000, datestamp 49d3495d.”,
“Begin dumping of physical memory, dumping physical memory to disk”.
Also, not sure if there was a screen beforehand but I also wrote down,
“deleting files: WINNT\ mailswitch.ocx, ~\patch.exe, ~\system32\” (couldn’t get rest of records).

Afterwards, the system went to restart. When Windows reopened an error warning came up: “The system has recovered from a serious error.” Besides the obvious problems, my Internet connection had also been disabled (I’m still working on reconnecting and am presently using my other computer for the Internet).

I’d like to say that I kept my wits about me and calmly posted a reply message, sat back patiently awaiting help but, alas, no! Instead, I went into panic mode and became a rogue warrior (or rogue technician, as the case may be) trying to fix the problem myself. So, this is what happened next; I used the restore point and reset the computer back to the previous night. That worked – ComboFix gone, Internet connections restored, everything functioning, but a couple of files were still on the system so I deleted them through Explore (two files attached to ComboFix). Sadly, I kept going…since the restore point was before the HJT step I redid the Fix Checked process, then I set a new restore point (I did not remove previous restore points, just set up a new one). Next, I started all over with ComboFix – from download to running the program – but the exact same thing happened all over. This time system restore would not work so I uninstalled ComboFix (per Bobbye’s direction on another post). It successfully removed the program and residual files (as best I can tell) but the Internet connection is still not working. Now, trying to redeem myself, I finally turn back to this post to confess what I’ve done and seek proper guidance.

I copied the error log from eventvwr for the two incidents and ran a new HJT scan hoping it would offer some insight to the problems that occurred.

System Error Log directly following the Combofix crash (identical error data for both incidents)
Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 7/21/2009
Time: 4:40:25 PM
User: N/A
Computer: HOMEOFFICE
Description:
Error code 00000050, parameter1 fee7101c, parameter2 00000000, parameter3 f89c8abb, parameter4 00000000.

Also worth mentioning, I did disable Avira, Comodo, and automatic updates before running the program. On the first run I also disabled the Internet connection, per Bobbye’s instructions, but because it prompted me to reconnect in order to complete the installation of the Microsoft Recovery Console, I kept it enabled the second time. Avira and Comodo are new to me, having just installed them before starting my 8-step process. I read the guide on how to disable them and was able to do so successfully (but they do auto-enable themselves upon reboot/start-up). I am willing to uninstall them to get this to work, if necessary. I also have an old anti-spyware from SBC Yahoo but I haven’t used it for over a year and it only scans when I prompt it manually. However, I wonder if there is something I did not do correctly in disabling these programs that may have caused ComboFix not to run or if it is simply due to viruses.

With all that said I am now calmly and patiently awaiting your assistance.
 
For Error #1003, Source: System Error, desc. Error code 00000050

Resolving a corrupted NTFS volume problem: Run Chkdsk /f /r to detect and repair disk errors. You must restart the system before the disk scan begins on a system partition.


Start> Run> type in Chkdsk /f /r> OK> Reboot to run.
(Note space after k before first / It needs to be there)
Let the process finish. System will reboot when through.

I will PM touch again for the malware help. Do not use system restore.
 
Successfully completed chkdsk.

I'm still not able to re-establish Internet connection. Problem is with my Belkin Wireless Adapter. All options to connect are greyed out. Is it okay to uninstall and reinstall at this point?

Also, today after running chkdsk I went to Control Panel>Add/Remove Programs (to see about Belkin) but no programs would load/display on screen. The add/remove opened but never populated - just remained empty. I rebooted again but it didn't help. Any ideas on what to do about this?
 
Bobbye - thanks for checking in on my thread - I know you are trying to get off the forum while you further your own training. Much appreciated!

It's not the router - as I get an Internet connection with my other computer. I suspected the wireless network adapter since all connection/add buttons on it were grayed out where they previously were active (before the problem I encountered with ComboFix).
I went ahead and uninstalled the device then re-installed it. That fixed the connection/problem and I am now able to successfully connect to the Internet. The issue with the control panel is also resolved.

So it appears I'm back to where I started, with posted logs, awaiting assistance from Touch or another malware expert.
 
Closing Thread

Thanks Techspot for the help you've given me previously and thus far.
Since the TS malware helpers are currently busy and unavailable I'm closing this thread to get help elsewhere.
Love this site and will continue to be a part of it.
No replies are needed to the original post.
 