I'm having Serious Computer Problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by adamato, Feb 8, 2006.

  1. adamato

    adamato Private E-2

    Help, I’m in some serious trouble. I currently own a Dell Dimension 8400 computer running Windows XP Home edition. I’ve been battling spyware & viruses for about a week now. It all started with the pest trap spyware virus and it went downhill from there. :eek:
    I can’t operate most of the functions of the computer right now. My internet access doesn’t work, I can’t start up Control panel, System Restore, Internet explorer, Webroot AntiSpyware for MSN and Norton Anti-Virus among other things. Not only that, my computer seems to “restart” every three (3) seconds, in Normal & Safe Modes. It refreshes the screen as if it’s starting up for the first time every three (3) seconds. The only way I can run an application is if it’s an icon on my desktop. Clicking on Start-Run locks up the system & I end up rebooting. Running Task Manager and clicking on “New Task” has limited success. Even this will lock up the machine. :mad:

    I printed out CHASLANG’s “Read & run me first before asking for support” directions and downloaded all of the necessary software. I couldn’t run CCleaner at all. I ended up running the following programs in this exact order:
    SpyBot-Search & Destroy (Locked up during removal process)
    Microsoft AntiSpyware
    SpyBot-Search & Destroy
    Ad-Aware SE

    For all of the programs, I couldn’t run the update features on my computer because of no Internet access. I haven’t run HijackThis just yet, hoping to perform that task this evening.

    Microsoft AntiSpyware kicked out a Trojan virus, couldn’t get which type of virus it was. SpyBot kicked out three Spywares the first time out and the two HKEY’s, which disabled my AntiVirus & Spyware programs at startup. The second time I ran SpyBot, the HKEY’s were removed.

    Here are the specs on my computer:
    Windows XP Home w/SP2
    40 MG hard drive
    1GB RAM
    Pentium 4, 3GHz

    If I need to list more info, let me know… :confused:

    I do no online banking or buying with my computer, so there’s no credit card info on my machine.

    I have all of the documentation and disks from Dell when I bought the computer about 18 months ago. Please help.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So I guess you cannot do step 6 then since you have no internet access. Is that correct?

    Please make sure you follow step 7 for using HijackThis properly. Also it would be good if you could somehow complete the steps in the below before doing HJT:

    Running Spy Sweeper
     
  3. adamato

    adamato Private E-2

    Correct. No Internet access at home. I had to do everything from work. I had WebRoot SpySweeper for MSN, but that stopped working also. I'll try to download Spy Sweeper & try again. Let you know tomorrow...
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes make sure you download SpySweeper from the link given. It would be nice if you could get the updates but since you cannot get online (at least not yet) don't worry about them after install. Just run the scan and let it fix what it finds. Save and attach the log too.
     
  5. adamato

    adamato Private E-2

    Here we go. I failed to mention I disconnected my Internet cable after I realized I wasn't going to get onto the Internet at all. The computer still cycles as if restarting every three (3) seconds. Having to manually restart numerous times, I received two Not Responding messages for the following programs: "DVD Launcher" and "Dummy Mixer Callback Window".

    I installed & ran Spy Sweeper and was able to delete the spyware program named "PNPNetwork" and two quarantined programs by the same name.

    I installed & ran HijackThis (finally) and produced the following log file. I am however having trouble uploading the attachment to the posting. The software is not giving me a reason as to why. What should I do? :confused:
     
  6. adamato

    adamato Private E-2

    Finally got to upload my HijackThis file. This time it worked. :)
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I asked you to attach the SpySweeper log.

    Also your HJT log is from safe mode and it appears to have been edited or filtered. We require logs to be from normal boot mode and totally unedited or filtered.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log does not show any major malware problems but you can do the below.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    After clicking Fix, exit HJT.

    Let's dig deeper!


    Please follow the below steps...
    1. Please download and unzip Rootkit Revealer to your desktop.
    2. Please leave the defaults set as they are to:
      • Hide NTFS Metadata Files: this option is on by default
      • Scan Registry: this option is on by default.
    3. Launch rootkit revealer on the system and press the Scan button.
    4. RootkitRevealer scans the system reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time; please disconnect from the internet and leave the PC to be scanned until it is finished.
    5. The log can be very large; please edit out the items in the following folder in the log: C:\System Volume Information, if in the log, before attaching it.
    6. Please attach the log here in this thread to your next post.
     
  9. adamato

    adamato Private E-2

    Hey Chaslang. Thanks for the help so far. I've seen a little improvement so far. Attached is the log from the Spysweeper that I ran the night prior.

    I ran RootKitRevealer in Normal mode last night with mixed results. I was able to install & run the program, but I couldn't produce a scan log from the program. I ran the program twice and it locked up on me both times. What I have in the log is simply the output data the program produced. The program kicked out one (1) folder, the rest I believe are files. I hope the data is useful. I just couldn't kick out a scan log from the program.

    Please let me know if I should try RootKitRevealer again.

    When I started up last night, Microsoft AntiSpyware indicated that a change was attempted in revising my Start page from "dell.myway.com" to "about:blank" and denied it.

    By the way, I tried running Spysweeper in normal mode and the computer kept locking up and I end up having to reboot. The only way I could get the program to run was in safe mode.
     


    Last edited by a moderator: Feb 10, 2006
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In message # 7 I said:

    Please attach a new HJT from normal boot mode.
     
  11. adamato

    adamato Private E-2

    First off, here is my HJT log as run in normal mode.

    I ran the Read me first procedure this weekend in order to see if all of the programs will run this time. I still have no internet access at home, so none of the programs were updated.

    (Safe Mode)
    CCleaner: Still won't run
    Microsoft Malicious: Ran, nothing came up.
    Ad-Aware SE: Freezes while scanning browser cache during "Started tracking cookie scan" (Attached log)
    Spybot: Locked up twice, couldn't obtain log. Registry keys which disabled Norton Internet security & Norton Anti-Virus re-appeared.
    CW Shredder: Couldn't run
    Kill2ME: Ran in normal mode. Stated "Look 2 Me" virus was detected.

    Downloaded BitDefender & Panda Titanium from websites since I couldn't do the online scan.
    (Normal mode)
    BitDefender: Wouldn't load properly
    Panda Titanium: Required me to uninstall Norton before installation. Couldn't load Panda.

    I'm going to run Webroot SpySweeper tonight in normal mode. So far, I can only get it to operate in Safe Mode.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read step 3 of the READ ME again. You must not use multiple antivirus applications. Choose between Panda, BitDefender and Symantec and then uninstall the others. You will see all three of them running in your HJT log. You must not do anything on your own. Please follow our directions and only our directions. If you are working this problem somewhere else, then make up your mind where you want to work the problem and stay there.


    After uninstalling ALL but one antivirus program, attach a new HJT log from normal boot mode.

    You have multiple bad Services running that we need to remove but the above must be done first. The bad services are:
    O23 - Service: BDCGN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Tony\LOCALS~1\Temp\BDCGN.exe
    O23 - Service: KOHWCBWYH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Tony\LOCALS~1\Temp\KOHWCBWYH.exe
    O23 - Service: KPFFTKF - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Tony\LOCALS~1\Temp\KPFFTKF.exe
    O23 - Service: YIKJIEVI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\YIKJIEVI.exe
     
  13. adamato

    adamato Private E-2

    BitDefender & Panda have been uninstalled on my computer.

    I tried running Spy Sweeper for about three hours last night. I couldn't get the program to run in Normal mode. It seems that every time the program is about to appear on screen, it stopped itself and closed out. I get as far as the white background and title bar only, then it closes out. I could only get the program to run in Safe mode and even then, I couldn't generate a report log.

    I did run my computer in safe mode with command prompt and delete all of my cookies and Temporary Internet Files.

    Before shutting down last night, I ran HijackThis last night and produced the following log last night.

    I will HijackThis fix the SysInternals lines tonight and anything else that comes up today...

    BTW, this is the only website I'm taking advice from. I think the website is excellent.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We will have to remove some things manually now because they did not uninstall properly. See Panda in your services too. Also Bitdefender still has some items running.

    I did run my computer in safe mode with command prompt and delete all of my cookies and Temporary Internet Files.

    Services are not always fixable that way. First they must be stopped and disabled. Then you need to delete the service. This requires special steps.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below item is what I was referring to from BitDefender:
    O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
     
  16. adamato

    adamato Private E-2

    I opened up Add/Remove Programs and Bit Defender is not listed there, same goes for Panda. The Bit Defender icon on my screen is gone and the folder on my "C" drive is deleted. I missed this sub folder.

    Just let me know what to do. Between the constant "rebooting" and the locking up, I'm getting tired of sitting in front of my computer for hours at night....
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Panda Process Protection Service (or if not found look for the short name: PavPrSrv) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above for the below service names:
    BDCGN
    KOHWCBWYH
    KPFFTKF
    YIKJIEVI

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Panda Process Protection Service

    If that does not work try entering the short name: PavPrSrv

    Now repeat the above HijackThis steps for the below service names:
    BDCGN
    KOHWCBWYH
    KPFFTKF
    YIKJIEVI

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\DOCUME~1\Tony\LOCALS~1\Temp\symlcsv1.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
    The below O23 lines should be gone already but if you still see them, fix them.
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
    O23 - Service: BDCGN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Tony\LOCALS~1\Temp\BDCGN.exe
    O23 - Service: KOHWCBWYH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Tony\LOCALS~1\Temp\KOHWCBWYH.exe
    O23 - Service: KPFFTKF - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Tony\LOCALS~1\Temp\KPFFTKF.exe
    O23 - Service: YIKJIEVI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\YIKJIEVI.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Common Files\Panda Software <-- the whole folder if found
    C:\PROGRA~1\Softwin\BITDEF~1 <-- the whole folder if found
    C:\Documents and Settings\Tony\Local Settings\Temp\symlcsv1.exe <-- in fact delete all files allowed in this Temp folder which should remove some of the below.
    C:\Documents and Settings\Tony\Local Settings\Temp\BDCGN.exe
    C:\Documents and Settings\Tony\Local Settings\Temp\KOHWCBWYH.exe
    C:\Documents and Settings\Tony\Local Settings\Temp\KPFFTKF.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\YIKJIEVI.exe <-- in fact delete all files allowed in this Temp folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  18. adamato

    adamato Private E-2

    I've been having trouble using the "Start" button in normal mode. Every time I position the cursor on the taskbar, the cursor turns into an hourglass. The machine usually locks up on me when I do click on the start button.

    Is it possible that I can perform the services.msc step in safe mode successfully?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Maybe! But another way to get to services is from My Computer. If you have it on your Desktop, just right click on it and select Manage. In the next window that comes up select the Services and Applications line to expand it. Then in the right column double click Services.

    If you do not have My Computer on your Desktop or the Manage selection does not appear, press CTRL-SHIFT-ESC to bring up Windows Task Manager. Then click File, and select New Task (Run...) and enter services.msc.
     
    Last edited: Feb 15, 2006
  20. adamato

    adamato Private E-2

    I think I'm SCREWED !!

    I tried this last night in both Normal and Safe modes and nothing happened. The program just didn't run. So, I tried this...

    This actually worked, right up until the part where I double click on Services. It was here where the program closed out. This happened both in Normal and Safe Modes.

    I was able to get onto some of the other directories in the Computer Management screen, especially in the Event Viewer sub-directory.

    Just to recap, I can't open Internet Explorer, Windows Explorer, Norton Anti-Virus, Spy Sweeper (Normal Mode only), no Internet access, and I lock up every time I click on start-run-browse. The only way I can get text into the run window is when I type it into some other text program like notepad.

    I hope you have other ideas to try out.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try something a little different. Read carefully as we will not use services.msc

    If you do not have My Computer on your Desktop or the Manage selection does not appear, press CTRL-SHIFT-ESC to bring up Windows Task Manager. Then click File, and select New Task (Run...) and enter cmd and click OK. This should open a command prompt window. Close the Task Manager window to get it out of your way.

    Now in the command prompt window enter the below lines each followed by the enter key. Make sure you enter them correctly. The purple text is just additional comments from me. Note: It is important that you observe that the command prompt window has a prompt. This just means it is ready to accept a command to execute. The command prompt always shows the current folder (also called path) that you are in. When you first open the window, you will be at the C:\Documents and Settings\username> prompt, where username is whatever user account name you are logged in with. I assume it will be Tony. Start entering the below commands now.

    sc stop BDCGN
    sc delete BDCGN

    sc stop KOHWCBWYH
    sc delete KOHWCBWYH

    sc stop KPFFTKF
    sc delete KPFFTKF

    sc stop YIKJIEVI
    sc delete YIKJIEVI

    sc stop PavPrSrv
    sc delete PavPrSrv

    Make sure you use the quotes in the below.

    cd "C:\Documents and Settings\Tony\Local Settings\Temp"

    Make sure the command line prompt has changed to C:\Documents and Settings\Tony\Local Settings\Temp> Do not do the below commands unless the prompt shows you are in the above Temp folder.

    attrib -r -h -s *.exe <--- There is a space between the del and the *
    del *.exe

    cd "C:\Documents and Settings\Administrator\Local Settings\Temp"

    Make sure the command line prompt has changed to C:\Documents and Settings\Administrator\Local Settings\Temp> Do not do the below commands unless the prompt shows you are in the above Temp folder.

    attrib -r -h -s *.exe <--- There is a space between the del and the *
    del *.exe


    exit <-- this will close the command prompt window. Only do this after writing down any error message you may have gotten.


    Okay now tell me what happened with the above. If it all worked okay, get a new HJT log and make sure the O23 lines are gone.


    Then complete the rest of message # 17 from the below line down to the end (note some items should already be gone if the above worked).

    Make sure viewing of hidden files is enabled (per the tutorial).
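The O23 service entries and the orphaned O2 BHO lines chaslang singled out in messages #8, #12 and #17, plus the stop-then-delete `sc` sequence from message #21, as an added example that is not part of the thread or of HijackThis: a small Python triage script that reads HJT log lines, flags services whose binary runs from a user's Temp folder, services whose file is missing (leftovers of a broken uninstall), and BHOs marked "(no file)", and emits the matching `sc` commands. The sample log is constructed from entries quoted in the thread; the Norton service line is a made-up benign control.

```python
"""Triage of HijackThis (HJT) O23 and O2 lines.

Added example, not from the thread or from HijackThis. The sample log below is
constructed: five lines mirror entries quoted in this thread, the Norton line is
a made-up benign service used as a control case.
"""
import re

SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O23 - Service: BDCGN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Tony\LOCALS~1\Temp\BDCGN.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# An O23 line is "display name - vendor - path [ (file missing)]". The vendor
# field may itself contain " - " (e.g. "Sysinternals - www.sysinternals.com"),
# so the path is anchored on a drive letter instead of splitting on dashes.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)
# HJT appends the service's short name in parentheses after the display name.
SHORT_RE = re.compile(r"\((?P<short>[^()]+)\)$")


def parse_o23(line):
    """Return a dict describing an O23 service line, or None for other lines."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m.group("display")
    short = SHORT_RE.search(display)
    return {
        "display": display,
        "name": short.group("short") if short else display,
        "vendor": m.group("vendor"),
        "path": m.group("path"),
        "missing": m.group("missing") is not None,
    }


def runs_from_temp(path):
    """True if the binary lives under a Temp folder (long or 8.3 path form)."""
    return "\\temp\\" in path.lower()


def triage(log_text):
    """Classify HJT lines and build the sc commands for services to remove."""
    result = {"suspicious": [], "stale": [], "orphan_bhos": [], "sc_commands": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            # A BHO registration with no backing DLL is dead weight; record its CLSID.
            clsid = re.search(r"\{[0-9A-Fa-f-]+\}", line)
            result["orphan_bhos"].append(clsid.group(0) if clsid else line)
            continue
        svc = parse_o23(line)
        if svc is None:
            continue
        if svc["missing"]:
            # Registration left behind by an incomplete uninstall (Panda in #14/#17).
            result["stale"].append(svc["name"])
        elif runs_from_temp(svc["path"]):
            # A service whose executable sits in a user's Temp folder (the
            # pattern called out in message #12), whatever vendor it claims.
            result["suspicious"].append(svc["name"])
    for name in result["suspicious"] + result["stale"]:
        # Same stop-then-delete order as the commands in message #21.
        result["sc_commands"] += [f"sc stop {name}", f"sc delete {name}"]
    return result


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```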
     
  22. adamato

    adamato Private E-2

    OK, here we go...

    I started up the machine and opened up the Command Prompt. I was at the proper directory as you stated, nice work. I typed in the commands

    "sc stop..."
    "sc delete..."

    for all five (5) items listed in response #21 of this thread. Each time, the machine told me that the executable file wasn't running. I deleted all of the files.

    I connected to C:\Documents and Settings\Tony\Local Settings\Temp directory listed and ran the "attrib -r -h -s *.exe" command with no problem.
    However, when I performed the same function in the C:\Documents and Settings\Administrator\Local Settings\Temp directory, I received a "File not found" message. Typing in exit locked up my computer, so I had to reboot.

    I ran thru the entire process again and on the second pass, I was able to delete all executable files within the C:\Documents and Settings\Administrator\Local Settings\Temp directory.

    I opened up HijackThis and checked the O23 line. The Panda line was missing. Attached is the log for that process titled Hijackthislog1.log.

    Opening the "Open the Misc Tools" section, I was able to kill "C:\Docume~1\Tony\Locals~1\Temp\symlcsv1.exe". It took a few tries, but I was able to kill it. Scanning HJT, I was able to fix the R0 and O4 lines. All of the other O23 lines weren't there.

    Exited HJT and rebooted into Safe Mode. I couldn't open Windows Explorer, so I had to run the Command window and perform the following steps from there. The following directories were not found:

    C:\Program Files\Common files\Panda Software
    C:\Progra~1\Softwin\Bitdef~1

    I deleted all of the following files:
    symlcsv1.exe
    BDCGN.exe
    KOHWCBWYH.EXE
    KPFFTKF.EXE
    YIKJIEVI.EXE

    There was a TON of crap in these Temp directories. In fact, there were 2958 files totaling 665 MB of info and 168 Directories. Most of the stuff was .txt, .dmp, and tmp files. Those deleted easily. There were about 160 directories all labeled "WER****.dir00" which I tried to delete, but kept reappearing when I reran a directory inquiry. So I dumped as much as I could and kept going.

    I opened up the C:\Windows\Prefetch directory and cleared that out.

    I uninstalled and then re-installed CCleaner and this time it works. The only problem now is when I click the button to run the cleaner, something shuts the program down. This happened about 5 or 6 times.

    Resetting the Web Settings was tough. I was able to clear out the files and cookies. But when I went to change my home page to Major Geeks.com, the machine wouldn't stand for that and it locked up on me. So, I'm stuck with dell.com or msn.com for now. While rebooting, Task Manager spit out an "End Program" message for RUNDLL32.exe that I had never received before.

    One more thing, with Task Manager open and the Processes tab selected, whenever the screen "cycles" or "refreshes" (the background image stays but the task bar and all my icons disappear and then reappear), I notice that a file named "DWWIN.EXE" appears and then disappears.

    I rebooted into Normal Mode and ran HJT. Attached is the log titled "HijackThislog2.log"

    My machine runs a little quicker now, but I still can't open Windows Explorer, Internet Explorer, Norton AntiVirus, Spy Sweeper (Normal Mode only) and the screen still cycles on & off.
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We have removed all those bad services now. Your remaining issues may be more related to corruption or problems with your Windows installation. When you try to run Windows Explorer, Internet Explorer...etc, what exactly happens?

    First please uninstall Spy Sweeper, reboot, and now try to Reset Web Settings.
    Does it work this time?

    Now try opening a command prompt window and enter the below command (this may ask you for your Windows CD if it finds missing or corrupted files it needs to replace):

    sfc /scannow

    Tell me what the results of the above are.
     
  24. adamato

    adamato Private E-2

    When I try to open Windows Explorer and Internet Explorer, either by double clicking on the icon or by typing the command line into Task Manager, basically the hourglass icon flickers on (for 1-2 seconds) and then disappears.

    I just noticed on the second HJT log that the following line reappeared:

    C:\Documents and Settings\Tony\Local Settings\Temp\symlcsv1.exe

    I'm going to repeat the process in deleting this line before I start on the other stuff.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download GetRunKey125b.zip to your PC someplace you can locate it. Then extract the files from the ZIP. Locate the getrunkey125b.bat file and double click on it to run it. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt). This log will also popup in a notepad window which you can just close. Upload the runkeys.txt file here as an attachment.
     
  26. adamato

    adamato Private E-2

    I worked on my computer this weekend and made some progress. In addressing the Reset Web Settings, I uninstalled Spy Sweeper and received an error message as follows "Access Violation at address 7C80AC9B. Read of address 80040119". Despite the error message, SpySweeper disappeared from my Add/Remove screen. Rebooting and Resetting Web Settings finally worked.

    I ran "sfc /scannow" and the computer checked the entire computer. However, at the end of the run the computer locks up and I receive no error messages or report. It simply stops responding. I performed this step four (4) times with the same results every time.

    I ran GetRunKey125 this weekend and produced a text file attached below.

    There were a few things I noticed this weekend. When my computer locks up, DRWTSN32.EXE is what's locking it up. While the computer screen cycles as if it's rebooting every time, explorer.exe, dwwin.exe appear & disappear from the Task Manager. DRWTSN.exe appears sporadically and then disappears without locking up the machine. When I run an executable file, DRWTSC32.exe shows up and stays on, in some cases more than one DRWTSN32.exe program is running at the same time. When I delete the program, most of the time the program I'm trying to run continues to operate. Rebooting isn't required. I did find that every time the screen cycles, a directory is created in my "Documents and settings\tony\local settings\temp" directory which consists of a ".tmp", *.dmp* and "DRWTSN32.EXE.dtmp" file. I didn't note the size of the files created, but over time this creates quite a large volume of data in this directory.

    I ran CCleaner and found what was causing the program to close down. Thru the process of elimination, something in the "Temporary Internet Files" section of the program causes the machine to shut down. I was able to clean out everything else from within the checked boxes except this one. When I ran this one solo, the program shut down every time. There are about 1527 files in this section which I haven't been able to purge.

    I manually tried to go into my "C:\documents and settings\tony\local settings\temp" directory and manually delete everything located within the directory. One program I couldn't dump was "~DF6209.tmp" I kept getting a message stating "The process cannot access the file because it is being used by another process." The file is 32.7 kb.

    In looking thru my notes from when I first started having problems, I remember not being able to start Windows because of windows not finding my "wininet.dll" file. I found the file on my hard drive (I think in the I386 directory) and copied it to my Windows\system 32 folder. That got the machine running again.

    Even though I can't open my Internet Explorer program, I found that I now can get updates thru some of my programs like Ad-Aware SE.

    I hope this info turns out to be useful in figuring out what's got my computer going crazy. I also attached the latest HijackThis log. It was the last thing I did yesterday.
     


  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your PC does not show anymore signs of malware but you should have HJT fix the below (seems like SpySweeper finished its uninstall):

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

    It appears that C:\DOCUME~1\Tony\LOCALS~1\Temp\symlcsv1.exe is part of Symantec's stupidity! No one is exactly sure what it is used for but it appears to be spawned by them.

    DRWTSN32.exe, DRWTSN32.EXE, and DRWTSC32.exe are all part of Dr Watson, a diagnostic program Windows automatically runs when crashes are occurring. This is not malware. You more than likely have some file corruption somewhere.

    Did your PC come with Win XP SP2 installed on it to start or did you upgrade at some point? If you upgraded, the wininet.dll file you copied from the i386 folder is not the correct version for your OS. You should look for one in a ServicePack Update folder. Just search your PC for wininet.dll and let me know what you find.

    Your problems that remain are not malware related and may be better served being discussed in the Software Forum. If it were me, I would start by uninstalling ALL of the Symantec software and see how things work afterwards.

    By the way, files like "~DF6209.tmp" are created by your OS each time it starts. The ones with the current date are always in use and cannot be removed. Not sure why Ccleaner is crashing on them. It normally just skips over files that cannot be removed.
     
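As an added example (not code from this thread, from HijackThis or from any of the vendors named above), the following Python script parses the R0/O6/O16/O20 lines quoted in the reply above and attaches the reason a helper would give for removing each one: O16 entries are ActiveX controls installed from the web (Downloaded Program Files) and are removable attack surface even when the vendor is legitimate, O20 entries are DLLs that winlogon.exe loads at logon and are often orphans left by an incomplete uninstall, and O6 is a policy key that locks the user out of IE's Control Panel. The trusted-host allowlist and the on-disk check are assumptions made for illustration.

```python
"""Added example: triage the HijackThis (HJT) log lines quoted in the reply
above. Not HJT's own code; the trusted-host set and the disk check are
assumptions made for illustration."""
import os
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set
from urllib.parse import urlparse

# Constructed sample input: the R0/O6/O16/O20 lines from the reply above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Assumed allowlist of ActiveX download hosts (illustration only).
TRUSTED_HOSTS: Set[str] = {"www.symantec.com", "www-secure.symantec.com",
                           "security.symantec.com"}


@dataclass
class HjtEntry:
    kind: str                      # HJT section tag, e.g. "O16"
    body: str                      # text after the "O16 - " prefix
    name: Optional[str] = None     # ActiveX control / Notify package name
    clsid: Optional[str] = None    # CLSID of an O16 (DPF) control
    url: Optional[str] = None      # download URL or start page
    path: Optional[str] = None     # DLL path of an O20 entry
    regkey: Optional[str] = None   # registry key of an R0/O6 entry
    findings: List[str] = field(default_factory=list)


LINE_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
R_RE = re.compile(r"^(?P<regkey>[^,]+),(?P<valname>[^=]+?) = (?P<url>.+)$")
O6_RE = re.compile(r"^(?P<regkey>.+?) present$")


def parse_line(line: str) -> Optional[HjtEntry]:
    """Turn one HJT log line into an HjtEntry, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = HjtEntry(kind=m["kind"], body=m["body"])
    if e.kind == "O16" and (d := DPF_RE.match(e.body)):
        e.clsid, e.name, e.url = d["clsid"].upper(), d["name"], d["url"]
    elif e.kind == "O20" and (n := NOTIFY_RE.match(e.body)):
        e.name, e.path = n["name"], n["path"]
    elif e.kind.startswith("R") and (r := R_RE.match(e.body)):
        e.regkey, e.url = r["regkey"], r["url"]
    elif e.kind == "O6" and (o := O6_RE.match(e.body)):
        e.regkey = o["regkey"]
    return e


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(entries: List[HjtEntry], trusted_hosts: Set[str],
           exists: Callable[[str], bool] = os.path.exists) -> List[HjtEntry]:
    """Attach a plain-language finding to each entry, as a helper would."""
    for e in entries:
        host = urlparse(e.url).hostname if e.url else None
        if e.kind == "O16":
            # Downloaded Program Files: a web-installed ActiveX control.
            who = "trusted vendor" if host in trusted_hosts else "UNTRUSTED host"
            e.findings.append(f"O16 ActiveX {e.clsid} from {who} {host}: remove unless still needed")
        elif e.kind == "O20":
            # Winlogon Notify DLLs load into winlogon.exe; orphans should go.
            state = "present" if e.path and exists(e.path) else "MISSING"
            e.findings.append(f"O20 Winlogon Notify '{e.name}' -> {e.path} ({state} on disk)")
        elif e.kind == "O6":
            e.findings.append(f"O6 IE policy restriction under {e.regkey}: lifts Control Panel lockdown")
        elif e.kind.startswith("R") and host and host not in trusted_hosts:
            e.findings.append(f"{e.kind} start/search page set to {host}: reset")
    return entries


if __name__ == "__main__":
    for entry in triage(parse_log(SAMPLE_LOG), TRUSTED_HOSTS):
        print(entry.kind, "|", entry.body)
        for f in entry.findings:
            print("   ->", f)
```

Run as-is it prints the five quoted entries with their findings; on a non-Windows host the O20 DLL is reported MISSING because the path does not exist there. Feed it a full HJT log (one entry per line) to get the same classification for every R/F/N/O line; lines it does not recognise are kept with an empty findings list rather than dropped.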
  28. adamato

    adamato Private E-2

    I used HijackThis to delete all of the recommended line items shown in posting #27.

    I obtained a copy of wininet.dll from www.dll-files.com and copied it to my I386 & windows\system32 sub-directories. I've so far noticed no difference. Should the DLL file be installed somehow or is its presence in the directories enough?

    I'm having difficulty uninstalling the Symantec products at this time. I did unplug the cable modem from the machine before uninstalling the products. LiveUpdate seems to be giving me some problems. It doesn't want to uninstall for some reason. NAV deleted with minimal effort and I'm saving Internet Security for last. So far, no change in the way the computer behaves. I just keep thinking there's a virus in the machine that's making my life miserable.

    Do you have any other suggestions I can try?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Symantec may need an Internet Connection to complete the install. I'm not sure about that but sometimes certain software does.

    You could also check the below to see if it will help:

    Removing your Norton program using SymNRT
     
  30. adamato

    adamato Private E-2

    I have a copy of my Dr Watson error log, one of many produced by my machine. I was wondering if this will help in figuring out what's wrong with my computer. If not, should I post this in the Software section? The log actually has the same Application Exception occurring 51 times. I just copied the first report and posted it here. The original log is actually over 5 MB.

    I'm also attaching the manifest document that was found with the error log.
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not a topic for this forum. You can try the Software Forum to see if they can help with that.
     
  32. adamato

    adamato Private E-2

    And then, there was light....

    I finally got the machine up and running. YAHOO !!!

    I took your advice and went to the Software section for info. I searched for more info on Dr Watson and came across a posting which suggested that a possible fix for Dr Watson was to change the setting for

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Classic View State

    from 0 to 1.

    Well, I tried that and no luck. Since I couldn't get onto Windows Explorer and I am unable to see my hidden files, I decided that I would change the setting on a folder in the Explorer directory

    "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStart Panel"

    from 0 to 1, thinking that when I use the command prompt, I will be able to see the hidden files. Well, when I rebooted, the computer operated normally. I re-installed NAV2006 and ran the program. It found a Trojan virus, Trojan.DesktopHijack.B in two (2) places . Attached is the quarantined log.

    I'm going to run the Read Me before asking for support procedure.

    I will post all of the logs, along with a HijackThis log tomorrow night.

    For now, I'm one F'in happy camper !!
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A couple of those files are related to the Smitfraud family of problems. You should run thru the below and attach the smitfiles.txt log when finished. You will not find many (or even most) of the stuff shown in the sample HJT log but just continue thru the steps.

    SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal
     
  34. adamato

    adamato Private E-2

    OK, I ran thru the Read me before posting procedure and I ran into some minor issues. Attached are my logs produced from this process. Hijackthis log is coming next.

    I haven't yet disabled my system restore points. I don't think I'm clean enough to do so. Please inform.
     

    Attached Files:

  35. adamato

    adamato Private E-2

    Here's the HijackThis log.

    By the way, I have multiple user logons on my machine. Should I repeat the entire Read me before posting procedure for everybody's logon?
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run what I requested in message #33. Please attach the smitfiles.txt log from that procedure. You don't need to run Panda again as shown in that procedure. Just follow the other steps and attach the smitfiles.txt log.

    Your other logs are basically clean other than a SmitFraud related file, and that is the reason I'm asking you to run this procedure.

    Also it would be a good idea to empty your Norton AntiVirus Quarantine folder. There should be an option within the program to do this.
     
    Last edited: Feb 22, 2006
  37. adamato

    adamato Private E-2

    Here are my latest logs as requested. I ran the SmitRem first, then the Run me first before asking. One program found one element and it was deleted. Everything looks good though. I'll let you be the judge of that though.
     

    Attached Files:

  38. adamato

    adamato Private E-2

    Here are the last two (2) logs...
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks clean now! If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  40. adamato

    adamato Private E-2

    Thank you very much for all your help. I'm telling you, I found this website purely by accident, but I'm glad I used it! :)
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely and recommend us to your friends!
     
