Posted 17 August 2005 - 10:30 AM
Ok, we're here. Thank you -- whoever you are.
The original agent was a script. I unwisely said it was ok to run it before I got skeptical about the address.
Desktop instantly got plastered with porn.
Trying to launch nearly anything at all caused browser to open to specific911.com
WHAT I HAVE DONE SO FAR:
Rebooted to Safe Mode, Command Prompt Only.
CD to WINNT
Search for and delete all references to specific911
Checked Run, RunOnce, RunServices and RunServicesOnce, nothing found.
Rebooted to Safe Mode
Ran Ad-Aware, removed all new critical objects.
Ran HijackThis, no malware found. Three prevention policies removed.
Disconnected Internet pipe, rebooted normally.
Problem still existed, but this time browser first tried to DNS "Dimattic.com"
Reran HijackThis, found winsys.hta - deleted it.
Reran Ad-Aware, nothing found.
Rebooted normally, opened browser and hit Stop right away. Changed start page to about:blank. Reconnected pipe and rebooted. No more incidents of hijack.
Deleted nasty desktop items, cleaned up favorites, checked for bogus toolbars - none found.
Start-Run produces error message: "The Internet Shortcut cannot be run because failed to run." (That's a blank there between 'because' and 'failed').
Right clicking a "special" desktop icon (i.e. computer, network, explorer) and selecting Properties produces error message: "Cannot find the file 'rundll32.exe' (or one of its components). Make sure the path and filename are correct and all required libraries are available." Rundll is in its usual location, the path looks good to me and I can't imagine what libraries it's talking about. Depends shows no external dependencies apart from the usual (which btw are all there).
Double clicking a folder shortcut on the desktop opens a default instance of Windows Explorer, not the target of the shortcut.
From Control Panel, Add Remove programs, cannot switch to "Add or Remove Windows Components".
Reinstalled Internet Explorer SP1, reinstalled all patches. Problem still exists.
So, that's just about the whole story in a nutshell. I don't think there are any other lingering problems, but it's only been a day or two. I haven't noticed anything else. I *have* used most of the software that I consider "critical" and found it in working order. I would much rather fix these issues than wipe the whole thing out and reload everything. It takes a couple weeks to get everything tweaked right.
I do run a web site also. It's served by IIS 5. I use PHP 4.3.9 and MySQL 4.1.7. None of its functionality was affected.
TIA for any advice or solutions.
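The post above checked the Run, RunOnce, RunServices and RunServicesOnce keys by hand and later found a winsys.hta entry that the first pass missed. The script below is an added example, not part of the original post and not a tool the poster used: it parses the text produced by `reg export` (or regedit's export) of those keys and flags entries that a responder would look at first. The `.reg` sample embedded in it is constructed for the example, and the heuristics (script-host launchers, script file extensions, user-writable paths, system-process names running from the wrong place) are my own assumptions about what is worth a second look, not a verdict on any entry.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a `reg export` dump of the autorun keys, for this example only.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Updater"="mshta.exe \"C:\\WINNT\\winsys.hta\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"svchost"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
# "name"=data  or  @=data  (the default value); name may contain escaped quotes
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')

SCRIPT_HOSTS = ('mshta', 'wscript', 'cscript')
SCRIPT_EXT_RE = re.compile(r'\.(?:hta|vbs|vbe|js|jse|wsf)(?![a-z0-9])')
USER_WRITABLE = ('\\temp\\', '\\documents and settings\\', '\\local settings\\')
SYSTEM_NAMES = ('svchost', 'explorer', 'winlogon', 'lsass', 'csrss', 'services')


@dataclass
class AutorunEntry:
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)


def unescape(s):
    # .reg files escape backslashes and double quotes with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return the string-valued entries of every key in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = unescape(m.group(1)) if m.group(1) is not None else '(Default)'
        sm = STRING_RE.match(m.group(2))
        if not sm:
            continue  # hex:/dword: values are not commands
        entries.append(AutorunEntry(key, name, unescape(sm.group(1))))
    return entries


def executable_of(cmd):
    """Extract the program path from a command line, quoted or not."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(.*?\.(?:exe|com|bat|cmd|pif|scr))(?:\s|$)', cmd)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else ''


def suspicious_reasons(entry):
    cmd = entry.command.lower()
    exe = executable_of(cmd)
    base = exe.rsplit('\\', 1)[-1]
    stem = base.rsplit('.', 1)[0]
    reasons = []
    if stem in SCRIPT_HOSTS:
        reasons.append('launched through a script host (%s)' % base)
    if SCRIPT_EXT_RE.search(cmd):
        reasons.append('runs a script file (.hta/.vbs/.js) rather than a compiled program')
    if any(p in cmd for p in USER_WRITABLE):
        reasons.append('runs from a user-writable location')
    if stem in SYSTEM_NAMES and not re.search(r'\\(?:winnt|windows)\\', exe):
        reasons.append('name mimics a system process but does not run from the Windows directory')
    return reasons


def audit_autoruns(text):
    entries = parse_reg_export(text)
    for e in entries:
        e.reasons = suspicious_reasons(e)
    return entries


def flagged(text):
    return [e for e in audit_autoruns(text) if e.reasons]


if __name__ == '__main__':
    for e in audit_autoruns(SAMPLE_REG):
        mark = 'CHECK' if e.reasons else 'ok   '
        print('%s %s\\%s = %s' % (mark, e.key, e.name, e.command))
        for r in e.reasons:
            print('       - ' + r)
```

On a live machine the input would come from `reg export` of each autorun key to a file; the script only reads the text, so it can be run from a clean system against a dump taken in Safe Mode. Flags are prompts to inspect the file on disk (location, size, whether the name matches what is actually there), not a removal list.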