even safe mode isn't working

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by andaman73, Sep 18, 2005.

  1. andaman73

    andaman73 Private E-2

    I am looking for assistance with an associate's computer. He is running Windows XP Professional.

    Not understanding squat about different drives and partitions, I'll merely mention that in "my computer" there are c: d: and f: hard disk drives.

    As far as I know he has been having trouble for quite some time, but I only became involved yesterday. He was getting porn and gambling pop-ups, things were running slow, etc.

    Yesterday he started getting a pop-up window from Norton saying his machine is infected with w32.desktophijack

    I went to the Symantec website and followed the directions there (1) disable sys restore, update virus defs, run a scan and remove certain items from the registry- specific to your problem. None of the items they listed were in the registry, except the last, which I deleted.

    That didn't change anything. A later reboot also revealed the presence of Trojan.stwoyle (according to a Norton pop-up). I repeated the same procedure at the Symantec website, but this time none of the registry changes associated with that particular virus/worm/trojan/whatever were in the registry at all.

    I ran Spybot a few times, each time different problems were popping up, and they could not always be fixed.

    Eventually things got so bad that at start up there, things were just running and there was no way to click on anything. Windows from Norton will pop up with the same message about the w32.desktophijack virus and I click on them and they don't go away, they just keep coming. (Infecting the winiet.dll file)

    At present I can only do anything in safe mode and I must log on as administrator. If I log on as the user (he only has one user on this machine), in safe mode, I get to the normal desktop screen but I can't click on anything and if I hover over the taskbar on the bottom, I get an hourglass.

    In administrator safe mode (with networking) I installed and ran all the programs advised on this website (first running online scans- that took over an hour- on bitdefender and ravantivirus)- Bitdefender listed "trojan.wininethook.a" and "trojandownlader.delf.h" as unfixable and a few others that it deleted. ravantivirus revealed a wealth of email attachments that were infected (I saved the list), but didn't do anything about it. I then ran stinger, which didn't tell me anything, disconnected from the internet and ran ad-aware, spybot, and the others.

    Ad-Aware, Spybot and the others all find no problems.

    Still, the same problems continue. Boot up to normal mode now doesn't even get past the welcome screen. There is an array of pop-ups from Norton. And boot to safe mode only works if I go to administrator. We have a tech guy coming tomorrow (maybe), but for reasons I won't go into, I'm not confident in that being a resolution.

    What next?
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    We need to get him booted into normal mode for a HijackThis log. Try this: at the Welcome Screen, hit CTRL+ALT+DEL twice and a log on box will display. Try to log on as administrator. User ID is administrator and Password is whatever his admin password is.
     
  3. andaman73

    andaman73 Private E-2

    No can do as even ctrl+alt+del is non responsive once windows starts in normal mode.

    But to get around that I downloaded Tweak UI from Microsoft and set it to start as Admin automatically. That worked and I can get to windows in normal mode just fine as admin. Everything seems OK when logged in as Admin, except:

    Windows Messenger pops up at start up. OK no big deal. But when I close the window and try to shut down the service by right clicking in the system tray, it tells me it can't close because other apps like Outlook or Explorer are running. But they aren't - nothing is running - so I don't know why it won't close. Anyway, the point is that a few minutes later, I invariably get an error message related to msmsgs.exe and then it closes.

    I have no idea whether this is related, but I thought I'd mention it.

    Anyway, as per implied request, here is my HijackThis! log...
    thanks in advance!

    -ps- Oh yeah, one more thing. An uninstall of a trial version of F-Secure had been in progress and I completed that. I think you can see some residue from that in the log.
     


  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    First, you do not have HijackThis installed as suggested. Please install HJT to somewhere safe like C:\HJT, C:\HijackThis, C:\Program Files\HJT, or C:\Program Files\HijackThis.

    Download
    - Pocket Killbox

    Next, remove the following from Trusted Zones in Internet Explorer:
    Next, have HJT fix the following:
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and check mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion… say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note many of the files listed below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message, just reboot your PC yourself.

    Now boot into SAFE MODE, open Windows Explorer, navigate to and DELETE the following folders.
    Reboot and post a new HJT log.
     
