HELP!!! I think I have a problem caused by "SpyAxe"? (RESOLVED)

  1. #11
    J I M is offline Newbie

    Re: HELP!!! I think I have a problem caused by "SpyAxe"???

    Yep, I have checked and it is set to normal startup.


  2. #12
    Neal is offline Dedicated Member
    Evidently you have a missing or corrupted file from your infection; let's try a different direction for now.



    http://www.kaspersky.com/virusscanner

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    * The program will launch and then begin downloading the latest definition files.
    * Once the files have been downloaded, click on NEXT.
    * Now click on Scan Settings.
    * In the scan settings make sure that the following are selected:
        o Scan using the following Anti-Virus database:
            - Extended (if available, otherwise Standard)
        o Scan Options:
            - Scan Archives
            - Scan Mail Bases
    * Click OK.
    * Now under select a target to scan:
        o Select My Computer
    * This program will start and scan your system.
    * The scan will take a while, so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
        o Now click on the Save as Text button.
    * Save the file to your desktop.
    * Copy and paste that information in your next post.

  3. #13
    J I M is offline Newbie
    Thank you for another reply.

    I have gone to the link you posted but when I click on the scan button nothing happens??

    I don't seem to be able to open hyperlinks or right click and open new browser windows since I got this infection?

  4. #14
    Neal is offline Dedicated Member
    I am afraid your computer is in serious trouble.

    From safe mode delete these please:

    C:\WINDOWS\temp\~427324.tmp -> File
    C:\WINDOWS\temp\~430777.tmp -> File


    Then...


    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download AproposFix © Swandog46 from here:
    http://swandog46.geekstogo.com/aproposfix.exe

    Save it to your desktop but do NOT run it yet.

    Then please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.


    Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

    When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

  5. #15
    J I M is offline Newbie
    Hi once again thank you for your continued help.

    Unfortunately I am unable to delete the two files you asked me to delete in safe mode. I have tried it both under my user name and as administrator.

    Do you really think this situation is savable?

    I will have to do a system restore otherwise and do not want to lose my files. I think I can transfer my pictures and Word documents to an MMC card and then save them elsewhere on another PC. The main problem seems to be with Excel files; these open, then immediately close.

    If I move files like this do you think I will transfer the virus?

  6. #16
    Neal is offline Dedicated Member
    This is not good. I suggest you start saving as much as you can, and hopefully nothing will be transferred to the saved files.

    Since you were able to do it from normal mode, let's try an Ewido scan, but this time from safe mode, as well as an Ad-Aware SE scan from safe mode.

    Safe mode:

    Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.

    Post the Ewido log if you can and the Adaware SE log if possible.

    Also see if you can download and install the Firefox browser.

    Why don't you download the Firefox browser and use it through this fix? Maybe that will help.

    Firefox download page: www.mozilla.org/products/firefox/
    Last edited by Neal; 14-01-2006 at 05:51 AM.

  7. #17
    J I M is offline Newbie
    I have managed to WinZip and move most of my files to a mass storage device.

    I have also managed to run both Ewido Anti-Malware and Ad-Aware SE in Safe Mode and save reports. I tried to delete whatever it found, but as you can see from the reports this wasn't always possible.

    I have also downloaded and installed Mozilla Firefox. On opening this I told it not to import anything from Internet Explorer just in case?

    Reports below, Ewido first:-

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 10:15:07, 14/01/2006
    + Report-Checksum: 4D96DC9E

    + Scan result:

    HKLM\SOFTWARE\BTIEIN -> Spyware.WebSearch : Error during cleaning
    HKLM\SOFTWARE\BTIEIN\BTIEIN -> Spyware.WebSearch : Error during cleaning
    HKLM\SOFTWARE\BTIEIN\BTIEIN\taskcache -> Spyware.WebSearch : Error during cleaning
    HKLM\SOFTWARE\Classes\WToolsB.ResProtocol -> Spyware.WebSearch : Error during cleaning
    C:\Documents and Settings\James Wright\Cookies\james wright@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
    C:\Documents and Settings\James Wright\Cookies\james wright@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\James Wright\Cookies\james wright@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    C:\WINDOWS\temp\~427324.tmp -> Spyware.Wintools : Error during cleaning
    C:\WINDOWS\temp\~430777.tmp -> Spyware.Wintools : Error during cleaning

    ::Report End



    Ad-Aware SE Build 1.06r1
    Logfile Created on:14 January 2006 10:16:02
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R85 04.01.2006
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    IBIS Toolbar(TAC index:5):4 total references
    MRU List(TAC index:0):20 total references
    Tracking Cookie(TAC index:3):3 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Definition File:
    =========================
    Definitions File Loaded:
    Reference Number : SE1R85 04.01.2006
    Internal build : 97
    File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
    File size : 576531 Bytes
    Total size : 1734492 Bytes
    Signature data size : 1699958 Bytes
    Reference data size : 34022 Bytes
    Signatures total : 48158
    CSI Fingerprints total : 1298
    CSI data size : 37770 Bytes
    Target categories : 15
    Target families : 813


    Memory + processor status:
    ==========================
    Number of processors : 1
    Processor architecture : Intel Pentium III
    Memory available:75 %
    Total physical memory:522224 kb
    Available physical memory:387672 kb
    Total page file size:1275872 kb
    Available on page file:1201796 kb
    Total virtual memory:2097024 kb
    Available virtual memory:2046348 kb
    OS:Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

    Ad-Aware SE Settings
    ===========================
    Set : Search for negligible risk entries
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Obtain command line of scanned processes
    Set : Run scan as background process (Low CPU usage)
    Set : Scan registry for all users instead of current user only
    Set : Use permanent archive caching
    Set : Always try to unload modules before deletion
    Set : During removal, unload Explorer and IE if necessary
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Disable manual quarantine if auto-quarantine is selected
    Set : Reanalyze results after scanning before displaying results lists
    Set : Write-protect system files after repair (Hosts file, etc.)
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Create log file for removal operations
    Set : Include alternate data stream details in log file
    Set : Snap windows to desktop borders
    Set : Use gridlines in results lists
    Set : Create and save WebUpdate log file
    Set : Dump details about unhandled exceptions to disk
    Set : Play sound at scan completion if scan locates critical objects


    14-01-2006 10:16:02 - Scan started. (Full System Scan)

    MRU List Object Recognized!
    Location: : C:\Documents and Settings\James Wright\Application Data\microsoft\office\recent
    Description : list of recently opened documents using microsoft office


    MRU List Object Recognized!
    Location: : C:\Documents and Settings\James Wright\recent
    Description : list of recently opened documents


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
    Description : list of recently used files in adobe reader


    MRU List Object Recognized!
    Location: : software\microsoft\direct3d\mostrecentapplication
    Description : most recent application to use microsoft direct3d


    MRU List Object Recognized!
    Location: : software\microsoft\direct3d\mostrecentapplication
    Description : most recent application to use microsoft direct X


    MRU List Object Recognized!
    Location: : software\microsoft\directdraw\mostrecentapplication
    Description : most recent application to use microsoft directdraw


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\microsoft\internet explorer
    Description : last download directory used in microsoft internet explorer


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\microsoft\internet explorer\typedurls
    Description : list of recently entered addresses in microsoft internet explorer


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru
    Description : list of recent documents saved by microsoft word


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\microsoft\search assistant\acmru
    Description : list of recent search terms used with the search assistant


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\microsoft\windows\currentversion\applets\paint\recent file list
    Description : list of files recently opened using microsoft paint


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\microsoft\windows\currentversion\applets\regedit
    Description : last key accessed using the microsoft registry editor


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description : list of recent programs opened


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description : list of recently saved files, stored according to file extension


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\microsoft\windows\currentversion\explorer\recentdocs
    Description : list of recent documents opened


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\microsoft\windows\currentversion\explorer\runmru
    Description : mru list for items opened in start | run


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\nico mak computing\winzip\filemenu
    Description : winzip recently used archives


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\realnetworks\realplayer\6.0\preferences
    Description : list of recent skins in realplayer


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\realnetworks\realplayer\6.0\preferences
    Description : list of recent clips in realplayer


    MRU List Object Recognized!
    Location: : S-1-5-21-284587905-346832259-4021508746-1005\software\microsoft\windows media\wmsdk\general
    Description : windows media sdk


    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [smss.exe]
    ModuleName : \SystemRoot\System32\smss.exe
    Command Line : n/a
    ProcessID : 128
    ThreadCreationTime : 14-01-2006 09:29:11
    BasePriority : Normal


    #:2 [csrss.exe]
    ModuleName : \??\C:\WINDOWS\system32\csrss.exe
    Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
    ProcessID : 176
    ThreadCreationTime : 14-01-2006 09:29:22
    BasePriority : Normal


    #:3 [winlogon.exe]
    ModuleName : \??\C:\WINDOWS\SYSTEM32\winlogon.exe
    Command Line : winlogon.exe
    ProcessID : 200
    ThreadCreationTime : 14-01-2006 09:29:26
    BasePriority : High


    #:4 [services.exe]
    ModuleName : C:\WINDOWS\system32\services.exe
    Command Line : C:\WINDOWS\system32\services.exe
    ProcessID : 244
    ThreadCreationTime : 14-01-2006 09:29:35
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : services.exe

    #:5 [lsass.exe]
    ModuleName : C:\WINDOWS\system32\lsass.exe
    Command Line : C:\WINDOWS\system32\lsass.exe
    ProcessID : 256
    ThreadCreationTime : 14-01-2006 09:29:35
    BasePriority : Normal
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : lsass.exe

    #:6 [svchost.exe]
    ModuleName : C:\WINDOWS\system32\svchost.exe
    Command Line : C:\WINDOWS\system32\svchost -k rpcss
    ProcessID : 420
    ThreadCreationTime : 14-01-2006 09:29:40
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:7 [svchost.exe]
    ModuleName : C:\WINDOWS\system32\svchost.exe
    Command Line : C:\WINDOWS\system32\svchost.exe -k netsvcs
    ProcessID : 460
    ThreadCreationTime : 14-01-2006 09:29:41
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:8 [explorer.exe]
    ModuleName : C:\WINDOWS\Explorer.EXE
    Command Line : C:\WINDOWS\Explorer.EXE
    ProcessID : 668
    ThreadCreationTime : 14-01-2006 09:30:02
    BasePriority : Normal
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : EXPLORER.EXE

    #:9 [ad-aware.exe]
    ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
    ProcessID : 1668
    ThreadCreationTime : 14-01-2006 10:15:46
    BasePriority : Idle
    FileVersion : 6.2.0.236
    ProductVersion : SE 106
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft AB Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 20


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    IBIS Toolbar Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 5
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\btiein

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 1
    Objects found so far: 21


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 21


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : james wright@tradedoubler[1].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:james wright@tradedoubler.com/
    Expires : 04-01-2026 20:29:36
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : james wright@adtech[2].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:6
    Value : Cookie:james wright@adtech.de/
    Expires : 07-01-2016 20:25:06
    LastSync : Hits:6
    UseCount : 0
    Hits : 6

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : james wright@statcounter[1].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:james wright@statcounter.com/
    Expires : 08-01-2011 22:03:52
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 3
    Objects found so far: 24



    Deep scanning and examining files (C
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for C:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 24


    Scanning Hosts file......
    Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Hosts file scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    1 entries scanned.
    New critical objects:0
    Objects found so far: 24




    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    IBIS Toolbar Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 5
    Category : Data Miner
    Comment : You will need to restart your computer and rescan in order to complete the removal of this item.
    Rootkey : HKEY_LOCAL_MACHINE
    Object : system\currentcontrolset\enum\root\legacy_tbpssvc

    IBIS Toolbar Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 5
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : system\currentcontrolset\enum\root\legacy_wintoolssvc

    IBIS Toolbar Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 5
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : system\controlset001\enum\root\legacy_wintoolssvc

    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 3
    Objects found so far: 27

    10:25:53 Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:09:51.329
    Objects scanned:95614
    Objects identified:7
    Objects ignored:0
    New critical objects:7

    Reanalyzing scan result
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    No objects have been removed from the result list.


    THANK YOU for your help.
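
As originally pasted, the ewido report above began with "ÿþ" and had a space between every character. That is what a UTF-16LE text file looks like when it is read as a single-byte code page: FF FE is the byte-order mark, and the high byte of each 16-bit code unit (00 for Latin letters) shows up as a blank. The Python below is an added example, not code from the original thread or from ewido: it decodes such a report by its byte-order mark and lists the items the scanner reported but could not clean. The embedded report is a constructed subset of the lines in the post, re-encoded as UTF-16LE with a BOM; decode_report, parse_results and unresolved are this example's own names.

```python
import codecs
import re

# Constructed sample, not the bytes from the post: a few of the report lines,
# encoded the way the pasted log evidently was, UTF-16LE with a byte-order mark.
_REPORT_TEXT = (
    "ewido anti-malware - Scan report\r\n"
    "+ Created on: 10:15:07, 14/01/2006\r\n"
    "+ Scan result:\r\n"
    "HKLM\\SOFTWARE\\BTIEIN -> Spyware.WebSearch : Error during cleaning\r\n"
    "C:\\Documents and Settings\\James Wright\\Cookies\\james wright@adtech[2].txt"
    " -> Spyware.Cookie.Adtech : Cleaned with backup\r\n"
    "C:\\WINDOWS\\temp\\~427324.tmp -> Spyware.Wintools : Error during cleaning\r\n"
    "::Report End\r\n"
)
SAMPLE_RAW = codecs.BOM_UTF16_LE + _REPORT_TEXT.encode("utf-16-le")

# One "<item> -> <detection> : <outcome>" line of an ewido scan report.
_RESULT_RE = re.compile(r"^(?P<item>.+?) -> (?P<detection>\S+) : (?P<outcome>.+)$")


def decode_report(raw: bytes) -> str:
    """Decode a scanner report by its byte-order mark.

    Without a BOM, try UTF-8 and fall back to cp1252, the single-byte Windows
    code page of the era. Reading UTF-16 bytes as cp1252 is what produced the
    "ÿþ" and the spaced-out letters in the forum post.
    """
    for bom, encoding in (
        (codecs.BOM_UTF8, "utf-8"),
        (codecs.BOM_UTF16_LE, "utf-16-le"),
        (codecs.BOM_UTF16_BE, "utf-16-be"),
    ):
        if raw.startswith(bom):
            return raw[len(bom):].decode(encoding)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("cp1252")


def looks_like_misread_utf16(text: str) -> bool:
    """True when text read through a single-byte code page starts with the
    UTF-16LE BOM bytes FF FE, i.e. the characters 'ÿþ'."""
    return text.startswith("\u00ff\u00fe")


def parse_results(text: str) -> list:
    """Return one dict (item, detection, outcome) per result line."""
    results = []
    for line in text.splitlines():
        match = _RESULT_RE.match(line.strip())
        if match:
            results.append(match.groupdict())
    return results


def unresolved(results: list) -> list:
    """Items the scanner reported but could not clean ("Error during cleaning")."""
    return [r["item"] for r in results if r["outcome"].startswith("Error")]


if __name__ == "__main__":
    report = decode_report(SAMPLE_RAW)
    for item in unresolved(parse_results(report)):
        print("still present:", item)
```

Run stand-alone it prints the two entries the scanner failed to remove, which is the list a helper actually needs from such a report; everything marked "Cleaned with backup" is already dealt with.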

  8. #18
    J I M is offline Newbie
    I have used the Mozilla browser and that seems to have stopped my internet problems at least.

  9. #19
    Neal is offline Dedicated Member
    Posts #8 and #14


    Try to do those now since Firefox has been installed.
    Last edited by Neal; 14-01-2006 at 08:37 PM.

  10. #20
    J I M is offline Newbie
    Hi,

    I tried to go through post #8 again, as I had previously been able to download it, and still got the:-

    "Windows installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance"

    message?

    I then tried post #14 again and this time could do the second part by doing:-

    "Please download AproposFix © Swandog46 from here:
    http://swandog46.geekstogo.com/aproposfix.exe" and then following your instructions in that post.

    As a result I generated these two Logs:-

    Log of AproposFix v1

    ************

    Running from directory:
    C:\Documents and Settings\James Wright\Desktop\aproposfix

    ************

    Registry entries found:


    ************

    No service found!

    Removing hidden folder:
    No folder found!

    Deleting files:


    Backing up files:
    Done!

    Removing registry entries:

    REGEDIT4


    Done!

    Finished!



    Logfile of HijackThis v1.99.1
    Scan saved at 20:16:37, on 14/01/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\OPLIMIT\ocrawr32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Prevx1\PXAgent.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB002" /M "Stylus C42"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
    O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Startup.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
    O23 - Service: Prevx Update Service (UpdaterPrevx) - Prevx - C:\Documents and Settings\All Users\Application Data\Prevx\PXSetup.exe


    Any more ideas?

    Thank you.
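
A HijackThis log is a list of autostart and hook points, and triage means reading each line against a few questions: does the referenced file exist, who published it, and does it live where one would expect. The Python below is an added example, not part of HijackThis or of the original thread. It applies those checks to a constructed subset of the lines from the log above. The trusted-directory prefixes, the rule wording and the function names are this example's assumptions, and a flag means "look at this by hand", not "malicious": the Prevx Agent service line, for instance, carries a stray quote and a "-f" argument inside its path, so its "(file missing)" may only mean the path did not parse.

```python
import re

# Constructed subset of the HijackThis lines from the log above; sample input only.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE
O4 - Global Startup: Startup.exe
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# First Windows path ending in an executable-ish extension; a quote ends the path.
_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|bat|cmd|scr|sys)', re.IGNORECASE)

# Assumption of this example: directories where autostart binaries normally live on
# the XP machine in the thread. Anything else earns a second look, not a verdict.
_EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


def triage_line(line: str):
    """Reasons a single HijackThis line deserves a look (empty list when none),
    or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    code, _, rest = line.partition(" - ")
    reasons = []
    if "(file missing)" in rest:
        reasons.append("file missing: dangling reference left behind")
    if code == "O23" and "Unknown owner" in rest:
        reasons.append("service binary carries no publisher information")
    if code == "F3" and "load=" in rest:
        reasons.append("legacy win.ini load= autostart in use")
    match = _PATH_RE.search(rest)
    if match:
        path = match.group(0)
        if not path.lower().startswith(_EXPECTED_PREFIXES):
            reasons.append(f"runs from unusual directory: {path}")
    elif code in ("O4", "F3"):
        reasons.append("autostart entry with no resolvable path")
    return reasons


def triage(log: str) -> list:
    """[(line, reasons)] for every line that tripped at least one rule."""
    flagged = []
    for line in log.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

On the sample it flags six of the eleven lines: the win.ini load= hook and the Mopy Points entry for running from directories outside Program Files and Windows, the bare "Startup.exe" global-startup entry for having no path at all, and the three "(file missing)" entries. The Symantec, Spybot, Prevx console and RealPlayer lines pass every rule. That is the same first cut a helper makes by eye; the next step is still checking each flagged path on the machine.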

Page 2 of 3