Need next steps!

Discussion in 'Malware Help (A Specialist Will Reply)' started by scrub, Jul 25, 2005.

  1. scrub

    scrub Private E-2

    Hi everyone, I got hit with a nasty trojan (I think) last night. Basically, it seemed like IE blocked a pop-up and then the browser windows (2) just closed and I got a Windows Explorer error dialog box asking if I wanted to send the report to Microsoft. At first I didn't think anything of it but then every time I clicked send or don't send it seemed Windows Explorer would restart and I'd get the error anew. After restarts nothing happened until suddenly I got a bunch of pop-ups (which cleared up the Windows Explorer errors) and the desktop told me I had spyware and possible viruses so I knew that I'd been hit with something nasty.

    This morning I got up and purchased TM PC-Cillin and installed it. It seemed to detect nothing in particular which was disappointing since my desktop was still trying to sell me stuff. In desperation I went and bought a copy off the pctools.com website of Spyware Doctor and it found 150+ infections -- I cleaned them and everything seemed hunky dory. After a reboot, the annoying red exclamation mark that was appearing (from PSGuard I assume) came back. I posted on the PCTools site asking how to get rid of this and then all hell broke loose again.

    Now the Windows Explorer crashes were back and I was getting more infections. PC-Cillin's firewall was up (Windows was not -- I'm running WinXP Pro w/ SP2 fully updated) and Spyware Doctor's immunization and guard programs were running so I cannot explain what happened.

    I happened upon Major Geeks in the middle of all this and tried the suggestions on the stickied post on how to deal with malware and spyware. I ran everything as described in the list that I could, rather, that my computer which was crashing hard (BSODs) intermittently would allow me to. I am not sure how I got to this point... SpybotSD runs on reboots now and can only find "logs" which it sometimes can or can't remove. I've run everything else in that stickied post backwards and forwards in between reboots from crashes and nothing is fixing the problem. I know that the problem is not hardware related necessarily as the little red exclamation mark from PSguard still perks up on startup every time.

    So my situation is this:

    1. Running WinXP Pro, SP2
    2. Computer starts up with Explorer crashing and asking to send an error report to Microsoft. I say yes or no it makes no difference, Explorer restarts and crashes again immediately.
    3. Occasionally Explorer crashes and Dr Watson shows up and that's the end, no more interaction with the OS and I have to reset.
    4. Occasionally I get hard BSODs. The error messages vary, kernel_inpage_stack_errors to something like "unknown_hard_error".
    5. These crashes are preventing the longer scans by BitDefender et al. from totally completing. However, BitDefender and the like do catch infections and weird files from C: before they go kaput with the computer.
    6. I have not run HijackThis as you guys asked me not to.
    7. Safe Mode doesn't really help, the Explorer crashes persist.
    8. Microsoft's automated error reply says it's a trojan and the Malicious Tool comes up empty handed.

    My suspicions and observations:

    1. Am I in a unique position of being the first to experience a new improved trojan or other malware? I doubt this but who knows.
    2. Not 100% positive that the Explorer crashes are related to the malware but the behavior is linked to their first appearance and they persist.
    3. Each time a utility scanned and found infections they were different. At first it was Puper, then Dropper.Joiner, then Downloader, then Smitfraud-C. etc. Now, nothing shows up on scans, PC-Cillin, Spyware Doctor, SpybotSD (only finds logs after reboot), AdAware SE (nothing), etc.

    Like most people I need that computer running and I am going to attempt removal of critical data (burning to CD) tomorrow morning after getting some sleep. I would appreciate any help. I foresee a HijackThis suggestion coming but that will have to wait til morning. Last question, assuming I successfully migrate the critical data off the machine will a Windows reinstall fix things? Yes, it's come to that... though with my luck it probably wouldn't do anything other than waste my time.

    Wow, this is long but so was my day... Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm assuming you ran all of the READ ME FIRST. Is that correct?

    If so, follow the steps below:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. scrub

    scrub Private E-2

    Hi, thanks for the quick response. Here's the log file.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the xfire_lsp_8742.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move xfire_lsp_8742.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.

    Now look in Add/Remove Program for PSGuard and uninstall if found.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\intell32.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
    O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
    O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
    O20 - Winlogon Notify: style2 - C:\WINDOWS\q1667187_disk.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\PSGuard <--- the whole folder
    C:\WINDOWS\system32\intell32.exe
    C:\windows\system32\intell32.exe
    C:\windows\system32\oleext.dll
    C:\windows\system32\oleext32.dll
    C:\windows\system32\wppp.html
    C:\windows\uninstIU.exe
    C:\WINDOWS\q1667187_disk.dll <--- this one can be a problem sometimes. If you cannot remove it or it comes back after reboot, rename the file to q1667187_disk.ddd and use Windows Explorer and right click on it and drag to your Desktop and select Move. Then reboot and delete the file on your Desktop.

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    Last edited: Jul 26, 2005
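    Added here as an illustration, not part of the thread or of HijackThis itself: a small Python parser for the O4 (Run key) and O20 (Winlogon Notify) log lines quoted in the steps above, followed by heuristic triage checks. The sample lines are constructed from the entries in this thread, and the checks (dangling "file missing" entries, Run value names that do not match the image name, notify DLLs sitting in the Windows root) are assumptions of this example, not HijackThis's own logic.

```python
import re
from dataclasses import dataclass

# Constructed sample: the O4/O20 entries quoted in this thread, not a full HJT log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O20 - Winlogon Notify: style2 - C:\WINDOWS\q1667187_disk.dll (file missing)
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll (file missing)
"""

# HJT appends " (file missing)" when the referenced image is not on disk.
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<path>.*?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>[^ ]+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")


@dataclass
class AutostartEntry:
    kind: str      # "O4" (Run key value) or "O20" (Winlogon Notify package)
    name: str      # value name / notify package name
    path: str      # image path exactly as logged
    missing: bool  # True when HJT flagged the file as missing


def parse_hjt_lines(text):
    """Parse O4 and O20 lines into AutostartEntry records; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        for kind, rx in (("O4", O4_RE), ("O20", O20_RE)):
            m = rx.match(line.strip())
            if m:
                entries.append(AutostartEntry(kind, m["name"], m["path"], m["missing"] is not None))
                break
    return entries


def triage(entries):
    """Heuristic checks (assumed here, not HJT's); returns (name, reason) pairs."""
    findings = []
    for e in entries:
        folder, _, base = e.path.rpartition("\\")
        base, folder = base.lower(), folder.lower()
        stem = base.rsplit(".", 1)[0]
        if e.missing:  # dangling autostart left behind by a removed file
            findings.append((e.name, "dangling autostart: file no longer on disk"))
        if e.kind == "O4" and e.name.lower() not in (base, stem):
            findings.append((e.name, f"Run value name does not match image {base}"))
        if e.kind == "O20" and folder in ("c:\\windows", "c:\\winnt"):
            findings.append((e.name, "Winlogon Notify DLL in Windows root, not system32"))
    return findings
```

Note that intell32.exe passes every heuristic here because its value name matches its file name; spotting it still took the expert's knowledge of the infection, which is why these checks narrow a log down rather than replace a review.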
  5. scrub

    scrub Private E-2

    Ok, followed the steps you posted to the best of my ability. Here are the notes...

    Done, no problems.

    Did not find this program in the Add/Remove Menu. Went to next step.

    No problem, done.

    Done, no problem.

    Did not find. Rechecked hidden files and such, no luck. Went to other files next.

    Not sure why you posted WINDOWS and windows directories but intell32 was wiped, oleext.dll had to be removed using the method for q1667187. oleext32.dll, wppp.html, uninstIU.exe were not found so I skipped. Again, I double checked that hidden files and extensions and such were all visible. No go.

    Done.

    Here it is attached...

    By the way, THANKS!!!! :D
     

    Attached Files:

  6. scrub

    scrub Private E-2

    Meant to add that the crashing of Explorer disappeared sometime after rebooting in Safe Mode and deleting some of those dll/exe files. MUCH MUCH easier to get things done now.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have HJT fix the below line:


    O20 - Winlogon Notify: style2 - C:\WINDOWS\q1667187_disk.dll (file missing)


    Then reboot your system and then get a new HJT log and tell me if that O20 line is gone.

    How are things running? Any problems?
     
  8. scrub

    scrub Private E-2

    Ok, deleted that one line. HJT log attached.

    Everything has been running super great since yesterday after doing all that stuff. I've just been a bit gunshy about doing too much on the Internet though. I'm still not sure how I acquired that lovely trojan malware. I never installed or loaded any program from any site. Is it possible just to get this crap from visiting a site? Or was I "hacked"?

    Anyways, my wife and I want to thank you chaslang (and majorgeeks.com) for all the assistance. You rock! :)
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can get stuff from just visiting sites too. Your log is clean now but I have a question about the below line. Do you use software from Stardock and are you having any problems with it?


    O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll (file missing)


    You should follow any steps in the below thread that you have not already done the equivalent of:

    How to Protect yourself from malware!
     
  10. scrub

    scrub Private E-2


    I have Stardock software installed but have never had problems with it. It's Stardock Central and I used it primarily to get access to all the games they were distributing. Do you think it is safe to remove the entry with HJT?

    As for the steps in the "Protect yourself from malware!" link my wife and I had done virtually all of those things before we were victimized the other night.

    If I haven't already made it clear -- thanks very very much.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Well HJT seems to think the mcpstub.dll file is missing? You should check for yourself. It is not necessary to fix the line but it is possible that if that file is missing, something you may need sooner or later may not work.
     
