I'm going crazy!! HijackThis attached

You must run ALL the other steps in the READ ME FIRST. Skip System Restore step for now and do the rest. Also do not post HJT logs from safe mode.

 

I have included RecoverFromReboot.exe in the procedures below. I'm not sure what this is for. If you know it is safe (could be related to your ISP, like SBC maybe) then leave it. I find it very stupid to install anything valid in a temp folder so as far as I'm concerned it must not be needed.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\sys016232620751.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\WINDOWS\tempdl\Terp03292005.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200583174216_mcinfo.exe /insfin
O4 - HKLM\..\Run: [sys016232620751] C:\WINDOWS\sys016232620751.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\sys016232620751.exe
C:\WINDOWS\Temp\RecoverFromReboot.exe
C:\WINDOWS\tempdl\Terp03292005.exe
C:\Documents and Settings\Owner\Local Settings\Temp\200583174216_mcinfo.exe <-- delete all file you can in this temp folder.

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.


Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Try downloading and running this VB script to undo a disabled search assistant:
http://www.kellys-korner-xp.com/regs_edits/noasstundo.vbs

Just download it and then double click on it to run it. You may need to tell your antivirus program to allow it to run. Let me know if that helps the Windows Search problem. If not, please explain exactly what you mean when you say you cannot use the Windows Search function.

I'm not sure what is wrong with your Recycle Bin however there have been certain malware problems that caused the Recycle Bin to not work properly. Your log does not show any of these symptoms though. Let's take a peak anyway. Follow the below steps:

Download the following tool and save it where you will be able to find it.

L2MeFix Tool

Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

Exit Browsers now before continuing

Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

NOTE: Please do not run any other options or files in the l2mfix Folder!

Now reconnect and come back here and post as an attachment the l2mfix log.

 

Follow the steps below to see if we can fix your Search problem:

1) Click Start, click Run, type %systemroot%\inf, and then click OK.
2) Locate the Srchasst.inf file.
3) Right-click the Srchasst.inf file, and then click Install. This reinstalls the files that Search Companion uses.


Now let's fix a Look2Me infection you have!

Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad.

Again, don't run any other files in the L2MFix folder.

Now get a new HJT log and reconnect to the internet.
Post the log from L2MeFix and the new HJT log as attachments.

Let me know how things look now.

 

Okay! Some components of the Look2Me infection are now fixed. Is your recycle bin still giving you trouble? If so, explain what you are using to see the problem.

And I assume your Search Companion issue remains? Have you run a System File Check command (sfc /scannow) yet?

 

Is your copy of Windows valid and licensed to you? If we cannot find any other malware problems at play, you may need to address your remaining problems in the Software Forum.

Now let's look for some more possible hidden malware:

- First run CCleaner before doing the below.

- Download this trial version of Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will have a window come up. One of the buttons on the left is to Update. Click the Update button.and then Start the Update. The update will start and a progress bar will show the updates being installed.
• After it completes the update, click the Scanner button

Now exit Ewido. Now print the below instructions or save them locally because I want you do have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

Open up Ewido and do the following:

• Click on Scanner
• Then click Settings
• Under What to Scan? Select Scan every file
• Then click OK
• Click on Complete System Scan and the scan will start.
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop or anyplace you will be able to find it to upload here.

Reboot into normal mode and reconnect to the internet.

Come back here and post the Ewido Scan Report.

Also look in your c:\windows\system32 folder and tell me if you see any files that end with the extension .com (do not do anything with them, just tell me what filenames you find). Do the same thing for the c:\windows folder. To make this easier, sort the folder by type a .com file should be list under MS-DOS Application

 

Okay! Ewido fixed a problem! Are you still having problems?

You did not answer one of my questions from my previous message:

I do not see a line in your log indicating that you have authenticated you WinXP OS at Microsoft. It should look something like below:


O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

Without this, you cannot get updates.

 

Okay so it belongs to someone else! But does this friend actually have a valid licensed and registered/activated copy of Windows. If not then that is the problem. You can only validate at Microsoft's Update pages which just recently changed their interface too.

The only other thing I would recommend trying while trying to validate and update Windows is to disable your antivirus and firewall applications before trying and see what happens.

 

I'm not sure that means it is valid. It is not valid until Windows Genuine Advantage is run and has completed. I would suggest one of two things.

1) Either bring this inability to validate the copy of Windows up in the Software Forum
2) Or call Microsoft as implied in the message.


Does your friend have his Windows Registration Key?
I believe a program like Belarc Advisor can even retrieve this from the system and you can then possible check with MS to see if it is valid and who it has been activated by.