Inactive Google redirects, command prompt closes but scans show nothing

[Broni]

OK, we're getting somewhere.

How is redirection and other issues at this moment?


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Vista users:: Right click on SystemLook.exe, click Run As Administrator
• Copy the content of the following box into the main textfield:
  

  :filefind
  dtscsi.sys
  sptd.sys

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

======================================================================

Delete broni.exe file, download fresh Combofix file and rename it to broni1.exe.
See, if it'll run in any mode.

 

[DGW]

I still get redirections at random times. Command prompt does not open.
I noticed that after a reboot, I get a "Data Execution Prevention" error. Generic Host Process for Win32 Services is closed by Windows. Not sure if it's related.

broni1.exe doesn't work in normal and safe mode. Same error messages as before (REG.exe and xcacls).

 

[Broni]

Yeah, definitely, something is still out there.

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\WINDOWS\system32\drivers\sptd.sys
- C:\WINDOWS\system32\drivers\dtscsi.sys
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

 

[DGW]

I can't seem to send the file to virustotal. I tried both SSL and no SSL

0 bytes size received / Se ha recibido un archivo vacio

 

[Broni]

Copy both files to some other location, like your desktop and try to upload them again.

 

[DGW]

Cannot copy: It is being used by another person or program.

 

[Broni]

We need to disable CD Emulation programs...

• Please download DeFogger and save to your desktop.
• Double-click on the DeFogger icon to start the tool.
• When application window appears, click on the Disable button to disable your CD Emulation drivers
• When it prompts you whether or not you want to continue, please click on the Yes button to continue
• When the program has completed you will see a Finished! message.
• Click on the OK button to exit the program.
• If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

When done, see if you can upload the files, either form their original location, or, if you can copy/paste to another location and upload from there.

 

[DGW]

File sptd.sys received on 2010.08.02 04:39:48 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/41 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email:


Antivirus Version Last Update Result
AhnLab-V3 2010.08.01.00 2010.07.31 -
AntiVir 8.2.4.32 2010.08.01 -
Antiy-AVL 2.0.3.7 2010.08.02 -
Authentium 5.2.0.5 2010.08.02 -
Avast 4.8.1351.0 2010.08.02 -
Avast5 5.0.332.0 2010.08.02 -
AVG 9.0.0.851 2010.08.01 -
BitDefender 7.2 2010.08.02 -
CAT-QuickHeal 11.00 2010.08.02 -
ClamAV 0.96.0.3-git 2010.08.01 -
Comodo 5615 2010.08.02 -
DrWeb 5.0.2.03300 2010.08.02 -
Emsisoft 5.0.0.34 2010.07.30 -
eSafe 7.0.17.0 2010.08.01 -
eTrust-Vet 36.1.7753 2010.07.31 -
F-Prot 4.6.1.107 2010.08.02 -
F-Secure 9.0.15370.0 2010.08.02 -
Fortinet 4.1.143.0 2010.08.01 -
GData 21 2010.08.02 -
Ikarus T3.1.1.84.0 2010.08.02 -
Jiangmin 13.0.900 2010.08.01 -
Kaspersky 7.0.0.125 2010.08.02 -
McAfee 5.400.0.1158 2010.08.02 -
McAfee-GW-Edition 2010.1 2010.08.01 -
Microsoft 1.6004 2010.08.01 -
NOD32 5332 2010.08.02 -
Norman 6.05.11 2010.08.01 -
nProtect 2010-08-01.01 2010.08.01 -
Panda 10.0.2.7 2010.08.01 -
PCTools 7.0.3.5 2010.08.02 -
Prevx 3.0 2010.08.02 -
Rising 22.59.00.01 2010.08.02 -
Sophos 4.56.0 2010.08.02 -
Sunbelt 6672 2010.08.02 -
Symantec 20101.1.1.7 2010.08.02 -
TheHacker 6.5.2.1.328 2010.07.30 -
TrendMicro 9.120.0.1004 2010.08.02 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.02 -
VBA32 3.12.12.7 2010.07.30 -
ViRobot 2010.7.31.3965 2010.08.02 -
VirusBuster 5.0.27.0 2010.08.01 -
Additional information
File size: 642560 bytes
MD5...: b1a17b3c9dab68fed86906b74251f7d8
SHA1..: 6f601ebbd0db7afa691f42d3c0c0de018f61d799
SHA256: 3593454f34fd3f8fc151bd45ec0cfd5b1f9f923d53ed1aac956d8aafc146cb07
ssdeep: 12288:zWTOpW/2jcz6ocEqGSrF/lunpwpckfgQiwDuL/BzS9g5Hc2PZ:zWCpW/Nz
6lxqCpckfHi9/BzCgZB

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x8713a
timedatestamp.....: 0x4391a4df (Sat Dec 03 13:59:59 2005)
machinetype.......: 0x14c (I386)

( 12 sections )
name viradd virsiz rawdsiz ntrpy md5
.edata 0x1000 0x16e20 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.edata 0x18000 0x7b92 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.text 0x20000 0x453d9 0x45400 7.99 20e3b147cd9a10fb76c632dbb4bd5bf8
.textx 0x66000 0xd20 0xe00 6.19 25e4a7693dbee7ea543d33aff2bda8ab
.data 0x67000 0x4100 0xa00 3.76 d2673121a71e3ab4f546476de70b5b9a
INIT 0x6c000 0x1c6f1 0x1c800 7.97 9a46832c1d1e135d8f52f3bea8bc6d55
.edata 0x89000 0xa48b 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x94000 0xb28 0xc00 5.31 0570e4469e6e8881dfaf94c766910b52
.const 0x95000 0x34200 0x34200 6.06 52841c1c219385b34359465b7d375edd
.rsrc 0xca000 0x390 0x400 3.01 14584c6464b5b3cb16e687c4fb8b8038
.sptd0 0xcb000 0x23fa 0x2400 7.20 3eb19e1183147abb71db41d5f1c289df
.reloc 0xce000 0x1a14 0x1c00 6.52 30d720131b44399dcbe1a45685b0ba50

( 3 imports )
> ntoskrnl.exe: IoAllocateErrorLogEntry, RtlCompareMemory, strncmp, IoAllocateMdl, ExInitializeNPagedLookasideList, ExDeleteNPagedLookasideList, MmUserProbeAddress, KeLeaveCriticalRegion, KeEnterCriticalRegion, PsGetCurrentProcessId, MmMapLockedPagesSpecifyCache, IoFreeMdl, ProbeForWrite, ProbeForRead, ExGetPreviousMode, MmUnmapIoSpace, KeDelayExecutionThread, MmMapIoSpace, _stricmp, RtlUnicodeStringToAnsiString, RtlInitUnicodeString, ObReferenceObjectByHandle, KeInitializeSemaphore, KeWaitForMultipleObjects, KeClearEvent, KeSetEvent, IofCompleteRequest, IofCallDriver, ObfReferenceObject, _allmul, _aulldiv, PsGetVersion, MmGetSystemRoutineAddress, ObfDereferenceObject, KeQuerySystemTime, RtlFreeAnsiString, strstr, ExFreePoolWithTag, RtlQueryRegistryValues, KeInitializeEvent, KeInitializeMutex, _wcsnicmp, MmLockPagableDataSection, IoGetCurrentProcess, IoWriteErrorLogEntry, ExfInterlockedInsertTailList, ZwOpenKey, ZwCreateKey, ZwQueryValueKey, ZwEnumerateValueKey, ZwEnumerateKey, ZwSetValueKey, ZwDeleteValueKey, ZwDeleteKey, RtlEqualUnicodeString, memmove, RtlFreeUnicodeString, RtlUpcaseUnicodeString, ExAllocatePoolWithTagPriority, KeWaitForSingleObject, KeSetEventBoostPriority, _alldiv, swprintf, IoDeleteDevice, IoCreateDevice, IoInvalidateDeviceState, wcsstr, IoBuildSynchronousFsdRequest, RtlWriteRegistryValue, RtlDeleteRegistryValue, IoDriverObjectType, MmUnlockPages, MmSizeOfMdl, IoFreeIrp, MmHighestUserAddress, KeResetEvent, IoBuildDeviceIoControlRequest, IoReleaseCancelSpinLock, IoAcquireCancelSpinLock, ZwQuerySymbolicLinkObject, ZwOpenSymbolicLinkObject, KeReleaseSemaphore, IoAllocateIrp, MmBuildMdlForNonPagedPool, IoGetDeviceObjectPointer, ExfInterlockedRemoveHeadList, IoRegisterShutdownNotification, IoFileObjectType, _wcsicmp, RtlInitAnsiString, RtlAnsiStringToUnicodeString, KefReleaseSpinLockFromDpcLevel, KefAcquireSpinLockAtDpcLevel, _except_handler3, MmProbeAndLockPages, MmIsAddressValid, KeGetCurrentThread, strncpy, _allshr, sprintf
> HAL.dll: KfLowerIrql, KeStallExecutionProcessor, KfRaiseIrql, KeRaiseIrqlToDpcLevel, KeGetCurrentIrql, READ_PORT_UCHAR, KfReleaseSpinLock, KfAcquireSpinLock
> SPTD0461.SYS: ScsiPortInitialize

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (58.4%)
Clipper DOS Executable (13.8%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.7%)
VXD Driver (0.2%)
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
sigcheck:
publisher....: Duplex Secure Ltd.
copyright....: Copyright (C) 2004-2005
product......: SCSI Pass Through Direct
description..: SCSI Pass Through Direct Host
original name: sptd.sys
internal name: SPTD.SYS
file version.: 1.24.0.0 built by: WinDDK
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

 

[Broni]

Did it allow you to upload from the original location AFTER running Defogger?

 

[DGW]

Yes, and the second file is being scanned at the moment. Again from the system32 folder

 

[Broni]

OK.........

 

[DGW]

File dtscsi.sys received on 2010.08.02 04:47:22 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/42 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email:


Antivirus Version Last Update Result
AhnLab-V3 2010.08.01.00 2010.07.31 -
AntiVir 8.2.4.32 2010.08.01 -
Antiy-AVL 2.0.3.7 2010.08.02 -
Authentium 5.2.0.5 2010.08.02 -
Avast 4.8.1351.0 2010.08.02 -
Avast5 5.0.332.0 2010.08.02 -
AVG 9.0.0.851 2010.08.01 -
BitDefender 7.2 2010.08.02 -
CAT-QuickHeal 11.00 2010.08.02 -
ClamAV 0.96.0.3-git 2010.08.01 -
Comodo 5615 2010.08.02 -
DrWeb 5.0.2.03300 2010.08.02 -
Emsisoft 5.0.0.34 2010.07.30 -
eSafe 7.0.17.0 2010.08.01 -
eTrust-Vet 36.1.7753 2010.07.31 -
F-Prot 4.6.1.107 2010.08.02 -
F-Secure 9.0.15370.0 2010.08.02 -
Fortinet 4.1.143.0 2010.08.01 -
GData 21 2010.08.02 -
Ikarus T3.1.1.84.0 2010.08.02 -
Jiangmin 13.0.900 2010.08.01 -
Kaspersky 7.0.0.125 2010.08.02 -
McAfee 5.400.0.1158 2010.08.02 -
McAfee-GW-Edition 2010.1 2010.08.01 -
Microsoft 1.6004 2010.08.01 -
NOD32 5332 2010.08.02 -
Norman 6.05.11 2010.08.01 -
nProtect 2010-08-01.01 2010.08.01 -
Panda 10.0.2.7 2010.08.01 -
PCTools 7.0.3.5 2010.08.02 -
Prevx 3.0 2010.08.02 -
Rising 22.59.00.01 2010.08.02 -
Sophos 4.56.0 2010.08.02 -
Sunbelt 6672 2010.08.02 -
SUPERAntiSpyware 4.40.0.1006 2010.08.01 -
Symantec 20101.1.1.7 2010.08.02 -
TheHacker 6.5.2.1.328 2010.07.30 -
TrendMicro 9.120.0.1004 2010.08.02 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.02 -
VBA32 3.12.12.7 2010.07.30 -
ViRobot 2010.7.31.3965 2010.08.02 -
VirusBuster 5.0.27.0 2010.08.01 -
Additional information
File size: 223128 bytes
MD5...: 12aca694b50ea53563c1e7c99e7bb27d
SHA1..: 8644d61130ffd002472459264fa05ac7ed0057de
SHA256: bec67abf6b1fbe3c0246076fa99a39e78855bda76cede5be61e00ff0ea9fab98
ssdeep: 3072:Cepe6WKWxGkmIBWVWVNOmuhHKRsWmBZKDhXYrRfycEOTQgM:C1fh3VNOr7z
BOhXaxyHwQj

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x233ce
timedatestamp.....: 0x439ae748 (Sat Dec 10 14:33:44 2005)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x697 0x800 4.98 bd9bb68308801644132cbb0c020c1c7d
.edata 0x2000 0xd566 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.edata 0x10000 0x2736 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.data 0x13000 0x1c58 0x1c00 7.36 52d7672305ee487b7b59576a9bf99b9c
INIT 0x15000 0xfa4e 0xfc00 7.94 d4e876946d2f5085109424fe0ed1f16b
.const 0x25000 0x20800 0x20800 4.92 6dc3021357be94e457c3565c3508177c
.rsrc 0x46000 0x328 0x400 2.70 6c03d2733415528572b9a0e7fe977bc8
.dt0c 0x47000 0x8b2 0xa00 6.44 f6b32913e1d37ae50e5ff428fe1f9c86
.reloc 0x48000 0x1400 0x1400 7.16 8ce5cb7aa87c007105aeb707bf0c571e

( 3 imports )
> ntoskrnl.exe: KefReleaseSpinLockFromDpcLevel, KefAcquireSpinLockAtDpcLevel, _allmul, RtlCompareMemory, memset, memcpy, RtlAnsiStringToUnicodeString, RtlInitAnsiString, sprintf, RtlCopyUnicodeString, KeSetTimer, memmove, KeInsertQueueDpc, _allshr, RtlEqualUnicodeString, _allrem, KeInitializeTimer, KeSetImportanceDpc, KeInitializeDpc, KeInitializeMutex, swprintf, _wcsnicmp, _alldiv, RtlInitUnicodeString, IoAllocateErrorLogEntry, IoWriteErrorLogEntry, _except_handler3, KeInitializeEvent, KeSetEvent, KeWaitForSingleObject, KeReleaseMutex, MmLockPagableDataSection
> HAL.dll: KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KfReleaseSpinLock, KfLowerIrql
> SCSIPORT.SYS: ScsiPortFreeDeviceBase, ScsiPortGetDeviceBase, ScsiPortNotification, ScsiPortInitialize

( 1 exports )
A0DB34FC6FE35D429A28ADDE5467D4D7

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: DT Soft Ltd.
copyright....: Copyright (C) 2000-2005
product......: DAEMON Tools
description..: SCSI miniport
original name:
internal name:
file version.: 4.03.0.0 built by: WinDDK
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

packers (Kaspersky): PE_Patch

 

[Broni]

OK. Now with CD emulation disabled, see, if you can run broni1.exe from either mode.
If you'll get any error, please write it down and post full text of that error.

Actually, see if a whole set, rKill-exehelper-Combo will run in either mode.
If rKill will get stuck, or it'll give you an error, post full error message, skip rkill, proceed with exehelper and Combo.

Bu Combo, I mean broni1.exe

 

[DGW]

No luck again. I'm going off to bed and have work all day tomorrow so I won't be able to continue this until tomorrow night. Hopefully something works. Thanks for everything so far.

Running rkill, I believe I see a few DOS windows open and disappear really fast.
Windows popup message title: C:\rkill.log
Big red x with the message: Windows cannot find 'C:\rkill.log'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

Exehelper had popups open and close. I was not able to interact with the program. This was in the log:
exeHelper by Raktor
Build 20100414
Run at 01:07:09 on 08/02/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

broni1.exe I get 3 popups (running it first and running it after rkill-exehelper)
Freeware implementation of REG.EXE (this error pops up twice)
Freeware implementation of REG.EXE has encountered a problem and needs to close. We are sorry for the inconvenience.
The data report if I wanted to send to Microsoft has Error signature: AppName: swreg.exe AppVer: 3.0.0.0 ModName: kernel32.dll ModVer: 5.1.2600.5781 Offset: 00012afb

Freeware implementation of XCACLS
Freeware implementation of XCACLS has encountered a problem and needs to close. We are sorry for the inconvenience.
The data report if I wanted to send to Microsoft has: Error signature: AppName: swxcacls.cfxxe AppVer: 1.0.1.1 ModName: kernel32.dll ModVer: 5.1.2600.5781 Offset: 00012afb

 

[Broni]

If you're still there...
If not, then try this tomorrow.

Go Start>Run, copy and paste following (including quotes):

"%userprofile%\desktop\broni1.exe" /KillAll

 

[Broni]

Continuing your "homework" for tomorrow...

If the above won't work, I suspect, you may have some system files issues.

Using SystemLook, you already have...

• Double-click SystemLook.exe to run it.
• Vista users:: Right click on SystemLook.exe, click Run As Administrator
• Copy the content of the following box into the main textfield:
  

  :filefind
  swreg.exe
  REG.EXE
  cmd.exe

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

=======================================================================

Go Start>Run ("Start Search" in Vista/7), type in:
sfc /scannow
Click OK (hold CTRL, and SHIFT, hit Enter in Vista/7).
Have Windows CD/DVD handy (with Vista/7, most likely, you won't need it).
If System File Checker (sfc) will find any errors, it may ask you for the CD/DVD (rarely in Vista/7 case).

 

[DGW]

The "%userprofile%\desktop\broni1.exe" /KillAll didn't work.

Attached is the SystemLook.

I did the sfc and then tried "%userprofile%\desktop\broni1.exe" /KillAll with a brand new copy of broni1.exe and got the same errors as usual.

 

[Broni]

When you ran "sfc" have it ever asked for Windows CD?


Copy swreg.exe file from C:\32788R22FWJFW folder and paste it to C:\WINDOWS\system32 folder.
Try running broni1.exe again.

 

[DGW]

When sfc was running, it did say it might ask for my windows CD. I left it running and I came back and noticed sfc was finished running, so I assume it didnt need the windows cd?

Copied swreg to my system32 (didn't replace anything) and broni1 still didnt work. Tried in safe mode, but got the same errors.

 

[Broni]

Which browser is getting redirected>


1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

2. Download Temp File Cleaner (TFC)

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

3. Go to Kaspersky website and perform an online antivirus scan.

• Disable your active antivirus program.
• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  
  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

 

[DGW]

IE for sure. With Firefox, when I do a search, it crashes my browser..so I suspect it's related.

SecurityCheck would not run. I double click and nothing happens. TFC worked and I will nwo start the Kaspersky scan

 

[DGW]

Going to the Kaspersky link I get a 405 Not Allowed nginx/0.8.15.

I tried going directly to http://www.kaspersky.com/ and I see the text of the webpage, but no images. Sort of like a stripped down html, but I can't seem to find the scan from the main page both in IE and Firefox.

 

[Broni]

It looks to me, we may end up with Windows repair installation.
Do you have Windows XP CD?

Try....

Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
• Tick the box next to YES, I accept the Terms of Use
• IMPORTANT! UN-check Remove found threats
• Click Start
• Accept any security warnings from your browser.
• Check Scan archives
• Click Start
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push List of found threats
• Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

 

[DGW]

Similar thing. I go to the website with no images (red Xs). It's like javascript is turned off?

I do have a windows xp disc.

 

[Broni]

OK, I believe your computer is still infected, but I also believe, your Windows installation is corrupted.
I suggest, you run Windows repair installation.
Be aware, that repair installation not necessary will fix Windows corruption and a clean install may be needed.

Repair manual: http://www.geekstogo.com/forum/topic/138-how-to-repair-windows-xp/