Customer's Hijack This logfile (pulling my hair out)

Discussion in 'Malware Help (A Specialist Will Reply)' started by philbobilbo, Jun 1, 2005.

  1. philbobilbo

    philbobilbo Private E-2

Customer's computer, massive problems. Haven't kept it up to date with Windows Updates (only has SP1), and is a spyware factory as of now. I know she's infested with My Search Toolbar, My Web Search (Popular Screensavers), Trojan.Thun (which apparently changed Windows Firewall permissions--I can't even see the firewall under services.msc and Task Manager won't work) and naturally, the infamous CoolWebSearch garbage that is the bane of all us repair folks. It also had SpySheriff, which I believe I finally killed by removing the [bleep] "winstall.exe" file from its folder, removing the SpySheriff folder and all registry crap with Registrar Lite. CoolWebShredder gets shut down every time I try to use it (Safe or Normal mode), and this goofy thing continually shows up on the Desktop:

    "System Stopped System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer before all spyware removed."




    As a matter of fact, it's so bad that I can't even run Hijack This from normal mode and give you a log. The program "encounters a serious problem" and closes with no log made. I'll give you one from Safe Mode: (it's all I can give for now).

    Any suggestions are appreciated. At this point, I've run AdAware, Sysclean, XCleaner, cleared all temp files and System Restore, MS Antispyware, all to no avail.



    Edit by chaslang: Unrequested inline log removed
     
    Last edited by a moderator: Jun 3, 2005
  2. B3aR

    B3aR Private E-2

I'm not the person you are looking for. But for spyware like that I went to

    Microsoft Anti Spyware Beta

Go there and download the beta if you can. It is the best I've used except HiJackThis, but that is for advanced users. Let us know if it works.


Edit: Well jeez. I think you already tried this one. lol. Sorry, must have skipped them words. Good luck then.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message. Also they must normally be created while you are in normal boot mode but I see that you say you cannot run HJT in normal boot mode. See if you can run the steps below. Try running them and note any that you could not run. But do not stop. Just keep going until you complete all steps as best as possible.

    Please follow the steps below:

    First run HJT and have it fix the below item:
    O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s

    Note: do not delete C:\WINDOWS\System32\svchost.exe

    Then later when you boot to safe mode, delete C:\WINDOWS\System\svchost.exe

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
Also, to get you started and to reduce the size of your HJT log, do the following:


If after doing ALL of the above you still have a problem, boot into normal mode (if possible) and (make sure you follow these directions, you were running HJT from the ZIP file):


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. philbobilbo

    philbobilbo Private E-2

    Thanks chaslang. Here's what I've done since the last post:

    1. After running DelDomains.inf (a suggestion from elsewhere), Hijack This would indeed run, but alas, no reference to svchost.exe in the list! However, there WAS a reference to "winupdate67410503(1).exe", which I deleted, along with Network Security Service (appxv.exe) thingy.

    2. Booted into Safe Mode, found the "svchost.exe" in Windows\System (NOT 32) and deleted it. Also found that winupdate67410503(1).exe file and deleted it, too.

    3. Decided to manually search for "appxv.exe" in the Registry with Registrar Lite, found four items which were removed.

    4. Temporary files were all clean, as I'd done so earlier with EZPCFIX on my Ultimate Boot CD for Windows disk (I double-checked these).

5. If you'll note in the HJT file, there's still an O23 entry referring to a 11Fßä#·ºÄÖ`I file which, just by checking off and fixing, does not go away. There are about 12 entries that I find in Registrar Lite referring to these, but they're in the "Enum" folder, so I didn't want to delete those before I posted here.
6. CoolWebShredder actually began to run in Normal mode, but about 3/4 of the way through the computer instantly shut down and rebooted. Something trying to "protect" itself, I imagine.
7. When I try to access Task Manager, I receive this error: "Task Manager has been disabled by your Administrator."
8. When I try to activate Windows Firewall, I get this error: "An error occurred while Internet Connection Sharing was being enabled. The specified service does not exist as an installed service."

    The HJT file is attached.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As stated in my previous message prior to posting HJT logs you are supposed to complete the below sticky thread:
    The O23 service you are referring to was from an HSA hijacker. Also covered in the read me. See step 2 in particular.

Try this! Open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Network Security Service (NSS)

    If that does not work, try using the short name of the service: 11Fßä#·ºÄÖ`I

    If that does not work, you will need to stop and disable the service first per the READ ME FIRST.


You need a real firewall. The one in Windows is not a real firewall. See the ones recommended in step 3 of: How to Protect yourself from malware!
     
    Last edited: Jun 2, 2005
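An added example, not from this thread or from HijackThis, that turns the two checks chaslang asked for above into a script: the O4 Run entry that launched a copy of svchost.exe from C:\WINDOWS\System instead of System32, and the O23 service whose binary lives somewhere a service binary should not. It assumes PowerShell 3 or later (so it would not have run on the 2005 XP box in question) and the list of "suspect" launch folders is this example's own choice, not anything the thread prescribes.

```powershell
# Added example (PowerShell 3+), not from the thread: audit autostart entries for the two
# patterns chaslang pointed at. (1) an O4 Run value launching svchost.exe from anywhere
# except %SystemRoot%\System32, (2) an O23 service whose binary sits in an odd location
# such as the legacy %SystemRoot%\System folder, a temp folder or a user profile.

$system32     = Join-Path $env:SystemRoot 'System32'
$legitSvchost = Join-Path $system32 'svchost.exe'

# Folders from which a service or Run entry should not normally be launched (example's own list).
$suspectDirs = @(
    (Join-Path $env:SystemRoot 'System'),   # 16-bit legacy folder, where the thread's fake svchost lived
    (Join-Path $env:SystemRoot 'Temp'),
    $env:TEMP,
    $env:USERPROFILE
)

function Get-ExecutablePath([string]$commandLine) {
    # Pull the program path out of a Run value or a service ImagePath.
    $c = $commandLine.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Test-SuspectPath([string]$exe) {
    # Returns a reason string when the path matches a pattern, otherwise $null.
    $name = [IO.Path]::GetFileName($exe)
    if ($name -ieq 'svchost.exe' -and $exe -ine $legitSvchost) {
        return 'svchost.exe outside System32'
    }
    foreach ($d in $suspectDirs) {
        if ($d -and $exe.StartsWith($d + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return "launched from $d"
        }
    }
    return $null
}

# (1) Run / RunOnce values (the HijackThis O4 section).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # provider metadata, not a Run value
        $exe = Get-ExecutablePath ([string]$p.Value)
        $why = Test-SuspectPath $exe
        if ($why) { "O4  {0}\{1} = {2}  [{3}]" -f $key, $p.Name, $p.Value, $why }
    }
}

# (2) Installed services (the HijackThis O23 section). Image paths may contain
# %SystemRoot%-style variables, so expand them before testing.
Get-CimInstance Win32_Service | ForEach-Object {
    $path = [Environment]::ExpandEnvironmentVariables([string]$_.PathName)
    $exe  = Get-ExecutablePath $path
    $why  = Test-SuspectPath $exe
    if ($why) { "O23 {0} ({1}) = {2}  [{3}]" -f $_.Name, $_.DisplayName, $_.PathName, $why }
}
```

Run it from an elevated prompt so HKLM and the service list are fully readable. Anything it prints is a lead to review, not an automatic verdict: the script only reports, it does not delete, which matches chaslang's order of operations (fix the Run line first, then remove the file in Safe Mode, then deal with the service).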
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Also, run the below for your Task Manager problem:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixtm.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixtm.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.
     
  7. philbobilbo

    philbobilbo Private E-2

    Sorry for not following directions previously chaslang, but here's what I've done since your last posts.

1. Did both items 1 and 2 (ran the Regedit fix to get Task Manager back, which is now OK, and deleted the short-named version of the Network Security Service (NSS) with Hijack This).
    2. Had a look at the page regarding spyware/virus removal you told me to look at, and basically everything had been done previously in the following order:

    1. X Cleaner (removed several spyware items)
    2. HJT 1.99.1 was run and removed lots o'garbage, which kept coming back.
    3. All temp files were cleared and System Restore turned off.
    4. Trend Micro's Sysclean=0 items infected.
    5. Adaware SE found 122 ADS items, all related to CWS. Subsequent scan showed 0 items. Normal scan found 36 items, subsequent scan 15 more, subsequent scan 0.
    6. MS Antispyware = 6 items: Dosh (Remote Access Trojan), Trojan.Thun, WinFirewall, Mediatickets (lots of Trusted Zone garbage), PopUp Screensaver, CoolWebSearch, and something else called Kryptonic. Subsequent scan=0. And this wouldn't run, but only in Safe Mode. This is the point where I first posted about this issue.


    3. Ran all of the extra programs, in both Safe and Normal mode, and in both "Owner" and "Administrator" accounts, and found interesting results, but still no fix.

a) About Buster: would find about 20 items and remove those every scan (damn thing has to be replicating). The first scan showed several .dat files in the Windows and System32 folders.
b) Kill2Me: did not find anything in any scan.
c) CoolWebShredder: ran properly, but found zilch.
d) HSRemove: in every scan, found 8 items which were removed (replication again).

    4. Other problems: when I downloaded your zipped files, kept getting a "files corrupted" error when trying to examine or open. Had to DL those on a clean machine and move over with a thumb drive. And the Windows Firewall is still toast. I imagine once I have a clean enough machine to install SP2, that will take care of itself.

So there you have it; she's returning over and over again, but I'm stumped at this point. I still have that goofy "System Stopped" appearing on the desktop.



    The latest HJT is attached. I don't think it will tell you anything.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Other than the lines remaining from running HSremove (which you can have HJT fix)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

your log shows no problems. (Other than a ridiculous amount of crap for silly online games).

If you are still having problems, it could be the MS Antispyware and SpySweeper are blocking them from showing us any info. You may need to uninstall them so we can see the problems and work on them. Sounds to me like you had an HSA hijacker at one point. (The O23 line we fixed was a part of it.)
     
  9. philbobilbo

    philbobilbo Private E-2

    Greetings again Chas,

Well, puter does seem to be clean, but one final problem. I cannot change the Desktop at all. When I go to Properties on the Desktop, under Display Properties and the tab Themes, I now have a white background, and the tab is permanently set on "Modified Theme" which I can't change (always reverts back to this). On the Desktop tab, the Background item is grayed out, and I can't select a different background. The item at the very bottom of the backgrounds to select is "desktop", so I searched for "desktop.html" and deleted the item. That got rid of the "System Stopped" garbage on the desktop, but that item still shows in the items to select. I also attempted to go to "Customize Desktop" and "Web" to delete the item, but "My Current Home Page" is permanently selected, and the "Delete" button is grayed out. Some registry stuff is afoul I believe, but where I don't know.

    BTW, uninstalled Spysweeper and MS Antispyware, but the new HJT was no different.

    Thanks again.
     
  10. philbobilbo

    philbobilbo Private E-2

    One other thing, Screen Saver is set to Windows XP, 85 minutes. After changing it always reverts to that.
     
  11. philbobilbo

    philbobilbo Private E-2

    This post can now be closed. Customer elected to do a clean install of Windows. Thanks for your help, chaslang.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You're welcome! But just for reference, the remaining problems would have been easily fixed with a couple of small registry patches.
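An added example, not from this thread: chaslang's fixtm.reg (post 6) was not reproduced here, and the "small registry patches" he mentions in the last post are not spelled out either, so this script shows the kind of policy audit that covers the symptoms from posts 6, 9 and 10 in one place: Task Manager "disabled by your Administrator", the greyed-out Background list and undeletable Active Desktop web item, and a screen saver that keeps reverting. The value names are real Windows policy values, but which of them the customer's infection actually set is this example's assumption; it lists first and only removes when you call Clear-PolicyLockdown. Assumes PowerShell 3 or later.

```powershell
# Added example (PowerShell 3+), not from the thread: audit and optionally clear the
# per-user policy values behind the symptoms described in posts 6, 9 and 10. The
# symptom column is this example's own mapping, not something the thread states.
$policyChecks = @(
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name='DisableTaskMgr';         Symptom='"Task Manager has been disabled by your Administrator"' },
    @{ Key='HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name='DisableTaskMgr';         Symptom='same message, set machine-wide' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name='DisableRegistryTools';   Symptom='regedit refuses to start' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name='Wallpaper';              Symptom='wallpaper forced to one file (e.g. a desktop.html)' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name='NoChangingWallPaper';    Symptom='Background list greyed out on the Desktop tab' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name='NoDeletingComponents';   Symptom='Delete button greyed out under Customize Desktop > Web' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name='NoActiveDesktopChanges'; Symptom='Active Desktop items cannot be changed' },
    @{ Key='HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop';        Name='ScreenSaveTimeOut';      Symptom='screen saver timeout keeps reverting (85 min = 5100 s)' },
    @{ Key='HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop';        Name='SCRNSAVE.EXE';           Symptom='screen saver choice keeps reverting' }
)

function Get-PolicyLockdown {
    # Emit one object per policy value that is actually present, so it can be reviewed first.
    foreach ($c in $policyChecks) {
        if (-not (Test-Path $c.Key)) { continue }
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Value = $item.($c.Name); Symptom = $c.Symptom }
        }
    }
}

function Clear-PolicyLockdown {
    # Remove the values Get-PolicyLockdown found. Export the keys with reg.exe first if you want an undo path.
    Get-PolicyLockdown | ForEach-Object {
        Remove-ItemProperty -Path $_.Key -Name $_.Name
        "removed {0}\{1} (was {2})" -f $_.Key, $_.Name, $_.Value
    }
}

function Get-ActiveDesktopComponents {
    # Active Desktop web items ("My Current Home Page" in post 9) are stored per user here;
    # the Source value shows which local file or URL each item displays.
    $root = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Component = $_.PSChildName; Source = $props.Source; FriendlyName = $props.FriendlyName }
    }
}

# Report only; nothing is changed until Clear-PolicyLockdown is called deliberately.
Get-PolicyLockdown          | Format-Table -AutoSize
Get-ActiveDesktopComponents | Format-Table -AutoSize
```

Run Get-PolicyLockdown as the affected user (the "Owner" account here, since the HKCU values are per profile) and again from the Administrator account for the HKLM entry. A component whose Source points at a stray desktop.html is the remaining piece from post 9; once the NoDeletingComponents and NoActiveDesktopChanges values are gone the Delete button under Customize Desktop > Web comes back and the item can be removed through the normal dialog, after which a log-off and log-on refreshes the desktop.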
     
