blinking hourglass and more

Discussion in 'Malware Help (A Specialist Will Reply)' started by zarneverfike, Nov 15, 2005.

  1. zarneverfike

    zarneverfike Private E-2

    Recently my cursor started showing the blinking hourglass next to the pointer. Also, Windows media files stopped working in Internet Explorer, and my computer has been getting slower. I read elsewhere about people having this problem, but I didn't find anyone with a solution. I followed the instructions for removing spyware in the read me. I turned off System Restore, enabled viewing of hidden files, and ran Windows in safe mode, disconnected from the internet. I ran Ad-Aware, CCleaner, Spybot Search & Destroy, Windows AntiSpyware, CWShredder, Kill2Me, the Avast virus cleaner tool, and HSRemove. Ad-Aware caught a CoolWebSearch and some "negligible" objects. I ran Ad-Aware again before restarting and CoolWebSearch was still there. The blinking cursor stopped while running Windows in safe mode, but came back with all the other symptoms when I restarted Windows again. Anyway, I don't know what else to do, so any help would be greatly appreciated. Thanks.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers open and also no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:


    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
     While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report


    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report along with a fresh HJT log.
     
  3. zarneverfike

    zarneverfike Private E-2

    Ok, I ran ewido in safe mode, saved the log, then ran hijackthis. Here are the logs.

    Inline logs attached!
     


    Last edited by a moderator: Nov 15, 2005
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please attach all logs as attachments to your post!

    Please download Spy Sweeper
    • Click the link above to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into notepad and save it as spysweeper.txt and attach it to your next post along with a fresh HJT log.
     
  5. zarneverfike

    zarneverfike Private E-2

    OK. Ran Spy Sweeper, but it looks like the symptoms are still around. Here are the logs.
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Spy Sweeper

    Spybot S&D


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pres ario&pf=desktop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    R3 - Default URLSearchHook is missing

    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [stratas] lockx.exe
    O4 - HKLM\..\RunServices: [stratas] lockx.exe

    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\ied_s7.cab

    C:\x.cab

    C:\counter.cab

    lockx.exe ←–– Search for this file and delete when found!

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
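As an added example (not code from this thread, from MajorGeeks or from HijackThis), the script below encodes why the O4, O15 and O16 entries selected in the post above stand out in an HJT log: a Run/RunServices value that launches a bare filename with no path, a host added to the IE Trusted Zone, and a DPF entry that registers an ActiveX CAB from the local disk. The sample log is constructed from the lines quoted in that post plus placeholder benign entries; the second value it returns is the list of files to locate and check in Safe Mode.

```python
import re

# Constructed sample: the O4/O15/O16 entries quoted in post #6 plus three
# benign entries (the dumprep line from the same post and two placeholders).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKLM\..\Run: [ExampleTool] C:\Program Files\Example\tool.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://example.com/ok.cab
""".strip()

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<url>\S+)")


def triage(log_text):
    """Return (findings, artifacts): flagged (line, reason) pairs and the on-disk
    items they name, which is the list to locate and check in Safe Mode."""
    findings, artifacts = [], set()
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = m.group("cmd").split()[0] if m.group("cmd").strip() else ""
            # A bare filename is resolved through the search path at logon, so the
            # binary can live anywhere; legitimate autoruns carry a full path.
            # This is a prompt to locate the file, not proof of malware.
            if exe and "\\" not in exe:
                findings.append((line, f"O4 {m.group('key')} runs bare '{exe}' with no path"))
                artifacts.add(exe)
            continue
        m = O15_RE.match(line)
        if m:
            findings.append((line, f"O15 puts {m.group('host')} in the IE Trusted Zone"))
            continue
        m = O16_RE.match(line)
        if m and m.group("url").lower().startswith("file://"):
            findings.append((line, "O16 DPF registers an ActiveX CAB from local disk"))
            artifacts.add(m.group("url")[len("file://"):])
    return findings, sorted(artifacts)


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG)[0]:
        print(reason, "<-", line)
```

Run it against a real HJT log by passing the file's text to triage(); the benign dumprep and placeholder lines in the sample are there to show that the heuristics do not fire on pathed or remote entries.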
  7. zarneverfike

    zarneverfike Private E-2

    After deleting objects from HijackThis, only c:/counter.cab remained. Deleted it and ran Ad-Aware. Cursor problem appears to be fixed, but a CoolWebSearch is still found on multiple Ad-Aware scans, but not on CWShredder. Also, Windows media files still won't play in Internet Explorer. Here's the HijackThis log from after running Ad-Aware, Spybot S&D, and CCleaner.
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I notice that you are running more than one antivirus; this is not recommended, as running more than one antivirus will cause conflicts on your computer. Pick one and uninstall the other!

    After you complete the above, copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)



    Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!
    After you complete ALL of the above, reboot and let me know how things are running.
     
  9. zarneverfike

    zarneverfike Private E-2

    I uninstalled Avast and the remnants of SpyKiller, and copied, saved and merged the fix.reg file. I went to HijackThis and they still appeared in the log, so I deleted them from there, and they were gone in the next log. Windows media files still won't play, and there are some other random problems that are still occurring. The cursor still blinks, but it's more sporadic. I think it may be a Home Search Assistant problem, as HSRemover keeps coming up with 8 files, and I had this a while ago, but thought I had gotten rid of it. I'll try the Home Search Assistant removal instructions, and see if it improves.
     
  10. zarneverfike

    zarneverfike Private E-2

    I tried the simple version of removing HSA and about:blank a few times. The first time, About:Buster gave a window which said the database was corrupt or missing. I re-downloaded About:Buster and the missing file. On the next 2 tries, after finishing running About:Buster, My Documents would open automatically. I assume, since Windows Explorer is supposed to be closed, this is interfering with attempts to remove HSA. I'm not quite sure how to go about the more complicated version, or how to stop My Documents from popping up.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    For the windows media and cursor problem, those will be software issues so I recommend posting those problems in there.

    You do not have an HSA infection; this infects your browser, nothing else. The (8) files that are detected are a bug within the utility; this is normal.
     
  12. zarneverfike

    zarneverfike Private E-2

    Alright. Thanks for your help.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!
     
  14. PhilliePhan

    PhilliePhan Guest

    @ BJ

    There is evidence of two different rootkits showing in those logs. You guys may want to consider using Blacklight or Rootkit Revealer to make sure the machine is clean. At the very least, a follow up running of Spy Sweeper . . . . .

    Best :)
    PP
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    zarneverfike,

    To confirm you're clean, run a full sweep with Spy Sweeper per post #4, then attach the Spy Sweeper log with a fresh HJT log.
     
  16. zarneverfike

    zarneverfike Private E-2

    OK. Ran Spy Sweeper and HJT. Here are the logs.
     


  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

