infected or not infected?

More background info than you'll need

Following the advice give in the above thread I have what I consider to be an interesting situation.

Toshiba Laptop 700MHz, 256Mb
12Gb partioned HD - 6 + 6 - surfaces errors on both partions that scandisk has isolated
now running a mixed language version of Win98SE (Finglish?)

Basic problems -
unable to connect to the net via DSL (no idea whether dial-up works as there is no way to test)
Right from windows boot up there is one of those nice little windows error messages "explorer: this program has performed an illegal operation and will be shut down" details >> "explorer caused an invalid page fault in module <unknown> at 0000.100015cf."

The machine has definitely been infected by all sorts of nasties due to no windows updates being installed and no AV or firewall protection (not my fault, but if I don't clean up partner's daughter's mess it is!!!!)

I did have net access for a short time during which I was able to install NIS2005 trial, removing 5 infections and subsequently run a couple of online scans which gave no further infections. It would appear the decision to attempt to install NIS2005FIN was a very bad one (again, not my decision but my problem!!!) as I am unable to uninstall or reinstall due to problems with ascompbr.dll (I'll google that once I'm done here) and the net connection has gone completely (obviously working fine for this machine).

I've transferred various AV and spyware apps by CD, different apps have reportedly fixed a decreasing number of problems (none of them removing the 2 basic problems mentioned above) but noadware reported finding w32.lovgate-ad that no other app had found. I've run at least 3 apps that should fix it (Symantec removal tool, Xsoftspy and stinger) but all 3 have failed to find it, let alone remove it. Is it actually there?

I'm trying to avoid formatting for now and I'm not in the mood for manually playing in the registry. Any insights or suggestions?

 

update -
googled the .dll, went to the symantec site, downloaded a tool called SymNRT which succesfully uninstalled all NIS stuff and the laptop is now back online.

Now to update the various apps I have installed and to try the various online scans - am I actually getting somewhere?

 

this is really beginning to annoy me (shows my patience level as I've been at this for over a week now!) updated and ran multiple apps, not solving the explorer problem but everything else seeming okay (apart from the mass of duplicate files, many of which have been removed due to clearing temp files etc.), before heading for the online scans I decided to update and run noadware before deleting it. The good news, it no long reports w32.lovgate as being present, the bad news, it has now "found" the w32.noala.b worm, backdoor.gwghost, and backdoor.darksky.c along with identifying two applications that nothing else has warned about (bearshare and kazaa) as being critical threats.

I've just run AVG (yet again) and it found nothing (yet again) and am now moving on to online scans.

 

latest update -
I've run the kazaa spyware removal tool
I've followed the "Read Me First" instructions to the letter
Trend Housecall - clean
Symantec virus - clean
Symantec threats - doesn't like AVG but otherwise secure
into safe mode
CCleaner - 45.5Mb removed
Ad-aware - clean
Spyboot - immunized against 2006 thingies
92 problems in 3 categories -
Fun Web, Fun Web Products, My Web Search
fixed
2nd scan - clean
CWShredder - cws.aff.toolband found and removed
Kill2Me - ran okay
about:buster - ran okay

explorer problem still exists in both safe and normal modes

decided to run noadware again
6 instances of bearshare in
HKEY_CLASSES_ROOT\magnet\DefaultIcon
H_C_R\m\shell
H_C_R\m\s\open
H_C_R\m\s\o\command
HKEY_LOCAL_MACHINE\SOFTWARE\MAGNET
H_L_M\S\M\Handlers

w32.noala.b@MM
H_L_M\software\microsoft\windows\currentversion\run:CriticalUpdate

Kazaa
H_L_M\SOFTWARE\MAGNET:Location

Backdoor.GWGhost
H_L_M\Software\Microsoft\Windows\CurrentVersion\Run:ScanRegistry
Backdoor.Darksky.C
H_L_M\S\M\W\CV\Run:TaskMonitor

and an added bonus
w32.Mydoom.AX@mm
C:\WINDOWS\java.exe

I've downloaded HJT and will run it after reading the "how to" stuff

Now started to run through the alternative scans
Bitdefender has deleted msxmidi.exe and a .dll, a .scr and an .exe related to FWP

(I have run noadware on this machine and all it's found are a handful of non-critical cookies)

 

HJT log file attached a couple of questionable entries I think but given everything that's been run I guess I should be looking elsewhere to solve the explorer problem?

 

or maybe not .........

when I tried to log out after making the previous post from the laptop IE "locked" I didn't get the pop-up, the window turned grey, the ad box at the top right was flashing "you are a winner, click here to claim your prize" (I didn't) but was able to close the window. Laptop is now off.

 

finally had enough format c: !!!!
if that doesn't help then the g/f can buy a new hd

 

er . . yes . . .
I had a few beers, was getting several more invalid page faults and did the deed. Apologies for wasting your time.

I should have done that a week ago.
WinME now installed, it took a while to find the correct ethernet driver but now busilly downloading other drivers and updates, I feel like I'm actually accomplishing something now.

We'll probably buy a new HD for it this weekend anyway as even more physical problems were found during ME installation.

 

An interesting aside, the only e-mail I received today was to inform me of your post (I use netscape), I read it and immediately got infected by exploit.bloodhound.6 - NAV has deleted one instance and quarantined the other.

Laptop is now functioning happily.

 

Laptop now has full windows updates, NIS2005, CCleaner, Spyware Blaster, Ad-aware and Spybot S&D installed and fully up to date. I've also printed out an instruction sheet to run them all regularly and also to run them all immediately if there are any infection alerts or noticable problems.

I wouldn't be surprised if, in the next few weeks that the HDD dies or that some of the above are disabled/deleted so that some of the junk that was removed can be installed again. No mucking around next time (if there is a next time), it takes one day to format the drive and reinstall everything which is a lot less hassle than spending a week or more of frustration trying to solve the problems bit by bit.

One interesting issue, NAV has been run twice and reported nothing but in the trusted zone (only just worked out what it is as it's in Finnish) w32.sober.O@mm appears! Any idea how that is possible?

 

no way to edit?

Ignore the last bit, got that totally wrong as I don't understand Finnish and the new features in NIS.