Iexplore Hack help!

Please follow our standard cleaning procedures as best as you can with the problems you are having. These are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments. Note anything that you cannot do and also the results of things you can do, and tell us when you come back.

Please follow the steps below:

- Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

.

 

Are you saying you were able to run ALL steps of the READ ME with no problems?

You forgot that the below is supposed to be disabled (per the HJT instructions):

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

 

How are you getting here?

Do you know what was disabled before?
Can you boot in safe mode?

 

See if you have an option like safe mode with command prompt!

Also try another user account if possible.

Do you have a bootable Windows XP CD for your system?

I see several bad things in your HJT log that we can fix. And I question another. Do you know what the below is:

O20 - Winlogon Notify: VESWinlogon - C:\WINDOWS\SYSTEM32\VESWinlogon.dll

 

These PC manufactures should be shot for not shipping CDs with the PCs.

If you can get to a Safe Mode with command prompt option we should be able to delete the files causing problems at the command prompt level. Also if you can get your hands on a Windows XP SP2 boot CD we can fix them to from the Recovery Console. You do not want to do a Repair/Install unless absolutely necessary.

You have more problems then the one line I questioned. Here are items that I would fix if we can get to it:

F2 - REG:system.ini: Shell=explorer.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20002\services.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: VESWinlogon - C:\WINDOWS\SYSTEM32\VESWinlogon.dll
O21 - SSODL: IEFilter - {F93EB1E5-D999-4C3D-958D-85DE304F94E3} - C:\WINDOWS\system32\IEFilter.dll

Then I would delete the following files:
C:\WINDOWS\inet20002\services.exe (possibly the whole inet20002 folder)
C:\WINDOWS\SYSTEM32\VESWinlogon.dll <--- but not 100% sure it is bad
C:\WINDOWS\system32\IEFilter.dll

 

With Recovery Console we can get to a command prompt and delete the bad files I mentioned. Then I suspect that you PC may boot okay. Unless there is something else that was hiding in your Startups that I could not see because msconfig was masking it. We will see. You have to know your Administrator password to do this. If you never set one, it is probably blank, meaning you would just hit the Enter key when asked.

Here is how Recover Console works:

Put the Windows CD in the CD drive and reboot the computer. Hopefully it your PC is configure to boot from CD first otherwise you have to change the boot order in your BIOS.

-You should get a "press any key to boot from CD" message, so you should do that.
- It will load a bunch of files and eventually give you a menu where you can select the "Recovery Console" by pressing R
-You'll see your Windows Installation like "C:\Windows", type the number 1 and press enter.
- Administrator password is next: is probably blank so just press enter, unless you set one in which case enter it.
-With all that done you'll end up with a C:\Windows> prompt

Once you can get to this point I will give you some steps to delete the bad files.

 

Okay! From the command prompt here is what you should do. Enter the below commands each follow by the enter key. Keep track of whether you receive any error messages.

cd c:\windows\inet20002
attrib -r -h -s services.exe
del services.exe

cd c:\windows\SYSTEM32
attrib -r -h -s VESWinlogon.dll
del VESWinlogon.dll

attrib -r -h -s IEFilter.dll
del IEFilter.dll

Now remove the CD and see if you can boot normally.

 

Another thing they may prove useful to do is to capture the output of the LISTSVC command from the command prompt. This will give a list of services that can be enabled or disable from running at startup. I want to see this just incase something bad is in the list.

 

You must have typed something wrong. You must not have any spaces between the minus signs and the letters. But there must be a space inbetween each parameter. Here is an example where I'm exagerating the spacing to make it obvious:

Code:

attrib	-r -h -s	IEFilter.dll 

Also do a dir to look for the files. Like
dir IEFilter.dll
dir VESWinlogon.dll
dir c:\windows\inet20002 <--- this should show everything in this folder

Yes!

 

dir will not show the files if they are hidden or system files. That is why I was using the attrib -r -s -h command first. It disables the read-only, hidden, and system attribute.

dir /AS IEFilter.dll will show it if it is a system file.
dir /AH IEFilter.dll will show it if it is a hidden file.

Same goes for the other file.

 

If you just type dir /? and attrib /? what do you see? Is it a list of valid arguments or do you still get an error message.

 

The below link lists all exceptable commands:

Description of the Windows XP Recovery Console

 

Okay! And aren't the ones I listed valid?

 

Just try the following (the * represents a wild card to match anything). Make sure you are in the C:\windows\system32 folder first:

attrib IE*.*
attrib VES*.*

What result does this yield.

 

That's not what I meant. I wanted to know if the
attrib IE*.*
attrib VES*.*
commands gave you any info on the files. Or did they not see the files either?

 

I sure wish we could figure out what the root problem is. From the command prompt do the below:

cd c:\
attrib -r -h -s boot.ini <--- hope you do not get an error again
type boot.ini

tell me the output you get from the type boot.ini command. I want to see the contents of that file.

We may be next looking at the below option which is not as catastrophic as a format install but it will require some reinstallation of any third party software that was put onto your system after initial Windows Installation. This options reverts you back to the level of the boot disk. Read the below over. It may be the only alternative (then comes format)

http://www.michaelstevenstech.com/XPrepairinstall.htm

Do you have your Windows XP activation key code? You will probably need it to reactivate windows.

Pay special attention to Step 3 of XP Repair Install because this is important and you (as stated) do not want this option. Read the whole thing over before doing anything.

 

Let me see if I understand exactly what happens.

1) When you boot up, you do get to the login screen showing the users without any problem?
2) You click a user and enter the password and then immediately return back to the login screen? Is this correct?

 

Are you sure about this line being exactly as written:

default=multi<0>disk<0>partition<1>\Windows

I would expect more like:

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

 

Exactly at what point in this message thread did you do a repair install.

 

How many user profiles are there? Have you tried them all?
Does safe mode without networking or safe mode with networking work any differently now?
How about Safe mode with command prompt?

[Edit: forgot you said only one user account. But in safe mode is there yours and the Administrator account?]

 

Please answer message # 40.

Did you disable System Restore at the beginning of the the cleanup steps? If not, maybe we can use a restore point.

 

I repeat my question:

I'm also still waiting for the output from the listsvc command I requested in message # 20.

Also, first tell me did you or did you not disable System Restore per the tutorial?

It would appear that this does not matter anyway as System Restore cannot be run via the command prompt of the Recovery Console.

Had you installed an updates/patches recently on this PC?

 

You're welcome. I was speaking with Adrynalyne (another Mod here) who is very familar with MS Windows issues like this. He had suggested a something to try. If you do want to pursue this further let me know.