Lost Message re: Spyware, Homepage Hijack

I posted an extremely long message on Friday morning (6:00am) and it has not shown up. No doubt I screwed something up but I sure hope it is retrievable somehow since it took 45 min to write all the details of my situation. I had been up all night trying to fix the problem and my brain was mush by that time but I also had never posted here before so didn't know what I was doing either. Can anyone help or do I need to retype the #$@( thing?

 

Thanks, I was hoping for a miracle but expected that it was lost. I have followed all the steps but I'll save the details and extra info for my next message that I'll create offline. Good idea.

 

Spyware, Homepage Hijack Can't Fix

I have spent 2 days trying to cleanup an infected Acer laptop running Windows XP SP1 (had installed SP2 but had major network problems and had to get it uninstalled). The homepage is hijacked to a website in Germany (I think) and it keeps getting infected with viruses, worms, trojans. It disables many functions and won't allow changes. I went through all the steps in the "Do Not Post Until You Have Read This" message and the details follow.

Getting Prepared

1 System Restore Disabled
2 Had to boot in Safe mode in order to be able to type anything in the Run slot. Did not find any of the 3 services.
3 View already set up to see hidden files and extensions.
4 Had to download the Tools on another computer, burn a CD and then copy them onto the laptop because laptop will not allow any downloads. Managed to finally get them all installed and updated etc. after much struggling.

Scanning & Cleaning

1a Had a real difficult time running Trend's Housecall even in Safe mode but finally got it to scan. It found and cleaned Worm_Rbot.AOA and allowed me to manually delete Worm.Sdbot.AKJ
1b Ran Symantec Security Check which found the trojan Adware.istbar. I manually removed a similar (but not exact) file that their instructions mentioned (the exact file name was not there). Then went into Regedit and removed references to it and to the file P6.exe from the infection that Housecall found.
1c Ran McAfee Stinger and found nothing.

2 Ran CCleaner okay.

3a Ran Ad-Aware & removed anything it found & ran VX2 Plug-in and it said computer was clean.
3b Ran Spybot with patch & removed all it found and then immunized.

4a Ran CWShredder and removed CoolWeb Search Trojan - CWS.smartsearch.2 and also an 'iffy' file called wiainst.exe when asked just to be sure.
4b Ran Kill2me
4c Ran about:Buster
4d Ran HSRemove

One of the above reported that it needed to run again using a printstring to start since something was trying to prevent it from running. I said yes run with printstring.

Prior to trying all of the above steps, I had also run a cleaner app called A1Clean and also downloaded and ran a tool to remove MSN Messenger. Don't know if that really worked but the icon is no longer in the systray.

I then crossed my fingers and rebooted in normal mode and swore a blue streak when IE immediately opened on bootup and went to the same damn webpage. I have two days into cleaning this #*%&@!^ laptop and am pulling out my hair. Please help.
Thanks.

 

The only things in the systray that I couldn't disable were the 'ATI icon' that allows you to set your screen attributes and the 'INCD icon' for sending files directly to the CD burner and the icon for 'safely remove hardware'. I disabled Norton AV but the icon is still in the tray with a red X on it. Attached is my logfile.

 

I should have mentioned that I had also disconnected my network cable before I ran Hijack This. I am not using the infected laptop for posting (I burned a CD of the logfile) because it won't allow me to type anything in the TO: slot. I can click on a person already in my address box but not type a fresh name. I am posting all these messages from a clean computer.

 

Went through all the steps and now the computer no longer boots to the German Web Site so that is progress. I still can't type anything in the To: slot in Outlook Express, nor type anything in the Run: slot, nor type anything in the slot for naming your disc when you Burn a CD so something must still be preventing me from doing this. I can't see anything else wrong but I don't know for sure. When I opened IE it went properly to the home page I had specified so that is okay. I am attaching a new log so maybe you can see something else. Thanks.

 

I wonder if it might be related to an Acer Utility that puts an icon in the systray called launch manager. I believe it allows you to use 4 quick buttons to immediately access e-mail, IE, and 2 user defined buttons. Its the only thing that seems likely. I also get an error message when shutting down saying hidden fax window is not responding. Now I know he has a Dell multifunction printer/fax/scanner at his house and so maybe it is looking for that since I don't have it here and maybe that is why the computer won't complete the shutdown process. I have to use the power button to shut it down. I have now tried typing in his word processing program and can't type anything there either. Do you think the viruses disabled his laptop keyboard somehow. Its like its not getting the message. Since it is the built-in keyboard it can't be a keyboard connection issue.

 

I don't need to type to get the logs. I just need to click on stuff. I have a mouse attached because I hate glide pads. I have then been burning a CD of the log and bringing it over to my clean computer and sending it off from here.

 

I just disconnected my mouse and rebooted the laptop and neither the built-in keyboard or the built-in glide pad works. That file that I deleted using CWShredder that it said might be bad but it couldn't tell was called wiainst.exe. Do you think that had something to do with losing the function of the internal keyboard and glidepad?

 

$&%^&# I just got a pop up Virus Alert from Norton saying it had detected and removed the W32.Spybot.Worm from the laptop. That is one that I was getting when I first started this procedure. The object name is C:\Windows\system32\TFTP3464
Arrrrggghhhhh!!!

 

Further to my last message last night, I booted into safe mode on the laptop today just to check that out and sure enough, I can type just fine in safe mode. I just have no control of the built-in keyboard or glide pad in normal mode. Something still has control of this laptop.

 

Wiainst is gone out of the recycle bin because the last step of a previous message instructed the recycle bin to be emptied. I have also gone in earlier today and deleted all the zero byte tftp files from Windows\System32. I am pretty sure that deleting wiainst.exe is not causing my keyboard/mouse problem because I can type just fine in safe mode. So something is active when I am in normal mode that disables the keyboard & glide pad.

 

Sorry for the delay getting back to you but I didn't get a notification that you replied so I've been waiting for you. I'll do what you outlined and get back to you right away. Thanks.

 

Here is the new Hijack This log called Startuplist. I also ran MSConfig and it says I am set for Normal Startup. Thanks.

 

It is the built-in keyboard and the built-in glide pad that don't work. The computer is an Acer TravelMate 650. I have attached a Microsoft USB mouse and that works. I have not tried attaching a keyboard and don't want to have to do that in order for this to work now. I don't know if this is related but I'm also having major problems shutting down and always have to resort to powering off manually. I hope we can make that stop too. Task Manager still doesn't function either.

 

There were some Windows Updates put on almost the same time as the virus/worm came in. Could that have caused a problem and just the bad timing is making it look virus related? I'm grasping at straws here.

 

I don't see any reference to the built-in glide pad but I don't know what should be there.

 

I think I know what it was. I found WinZip installed on the Laptop and removed it tonight. I might have done that after I ran the startuplist log. Sorry, I totally forgot since I did it automatically. That would have been a trial version and its gone now so who knows how long it was on there. Probably a long time. Its not needed on XP so when I see it I usually uninstall it. Duh! It was probably that.

 

No I was just saying that WinZip might have been the trial software you had me looking for.

The keyboard and glide pad are still not functioning. I don't have a keyboard that will connect to the laptop so I'll have to get one from the office tomorrow and try it. I'll let you know what I find out.

 

I picked up a USB keyboard and plugged it into the laptop and just like the USB mouse the USB keyboard works. Just the internal laptop keyboard and touch pad don't work. Should I delete the keyboard and mouse and then reboot to let windows try to re-install them?

 

Ive seen this before, It turned out the user had removed some startup item with HJT and it wouldnt work. I installed the backups and everything worked fine from there.

 

I don't think this can be it because the keyboard and mouse had kicked out long before I ran Hijack This. That is why I had to post everything using another computer. I couldn't type anything on the laptop.

 

Oh ok, I would try to reinstall any drivers for it. Also, removing it and letting windows reinstall wouldnt hurt as it dont work already.

 

Well I tried uninstalling the devices and then letting windows reinstall them and it didn't help. They still don't work.

 

Sorry if this is a dumb question but you could tell me what things would load during normal startup that would not have loaded when I am in safe mode? Wouldn't it have to be one of these that is causing the problem?