I've started to follow your diagnostic procedures but have run into issues.

Here is my status:

Running original XP on original machine with zero activation issues since 2004.

On booting up I received a Windows Product Activation message saying "This copy of Windows must be activated with Microsoft before use". I got the same message when trying to boot into Safe Mode with Networking, but was able to boot okay into Safe Mode. Ran Anti-Malware a few times and got no problems reported.

(I'll admit here I followed a few threads for possible fixes but here is the current situation)

In Safe Mode the keyboard will not work.

Here is the DDS file.

The Attach file wouldn't write to the USB drive, saying it was full. This is not the case, but I wonder if there could be problems. The USB scanned clean in this laptop I am using.

DDS (Ver_2012-11-20.01) - NTFS_x86 MINIMAL

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2

Run by Administrator at 19:41:23 on 2013-02-24


============== Running Processes ================


C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe



C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\system32\svchost.exe -k netsvcs


============== Pseudo HJT Report ===============


uStart Page = hxxp://att.yahoo.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - <orphaned>

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: CtxIEInterceptorBHO Class: {2C4631FF-5CC8-4EBC-A0DF-34C92291759E} - c:\program files\citrix\ica client\IEInterceptor.dll

BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120623155722.dll

BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll

BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll

TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZon1.dll

TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>

uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup

mRun: [storageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe


mRun: [lxecmon.exe] "c:\program files\lexmark pro800-pro900 series\lxecmon.exe"

mRun: [EzPrint] "c:\program files\lexmark pro800-pro900 series\ezprint.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\redirector.exe" /startup

mRun: [iSW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

mRunOnce: [KB923561] rundll32.exe apphelp.dll,ShimFlushCache

mRunOnce: [KB955759] rundll32.exe apphelp.dll,ShimFlushCache

mRunOnce: [516A1B33-ECB4-4A30-8240-EA8E05D8F35D] cmd.exe /C start /D "c:\docume~1\admini~1.000\locals~1\Temp" /B 516A1B33-ECB4-4A30-8240-EA8E05D8F35D.exe -activeimages -postboot

mRunOnce: [8449D223-DDFF-408B-9A7E-563034A3BB5E] cmd.exe /C start /D "c:\docume~1\admini~1.000\locals~1\Temp" /B 8449D223-DDFF-408B-9A7E-563034A3BB5E.exe -activeimages -postboot

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\athome~1.lnk - c:\program files\athomeconnect\AtHomeConnect.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\elsbla~1.lnk - c:\program files\earthlink\spamblocker\ELSBLaunch.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:323

uPolicies-Explorer: NoDriveAutoRun = dword:67108863

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab

DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-170-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38051.8542013889

DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-170-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30155.www3.hp.com/ediags/hpfix/sj/en/check/qdiagh.cab?326

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll

AppInit_DLLs= c:\progra~1\citrix\icacli~1\RSHook.dll

SEH: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\program files\windows defender\MpShHook.dll

SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL


============= SERVICES / DRIVERS ===============



=============== File Associations ===============


FileExt: .jse: JSEFile=NOTEPAD.EXE %1

FileExt: .wsf: WSFFile=NOTEPAD.EXE %1


=============== Created Last 30 ================


2013-02-24 23:34:10 -------- d-----w- c:\program files\stinger

2013-02-24 23:34:05 -------- d-----w- c:\documents and settings\administrator.d9tf3g41.000\local settings\application data\Temp

2013-02-24 23:28:43 -------- d-----w- c:\documents and settings\administrator.d9tf3g41.000\application data\iolo

2013-02-24 21:36:00 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro

2013-02-24 16:56:44 -------- d-----w- c:\documents and settings\administrator.d9tf3g41.000\application data\Intuit

2013-02-23 21:44:34 -------- d-----w- C:\New Folder

2013-02-22 05:01:15 -------- d-----w- c:\documents and settings\administrator.d9tf3g41.000\local settings\application data\Adobe

2013-02-22 03:51:18 81920 ------w- c:\windows\system32\ieencode.dll

2013-02-21 03:01:37 -------- d-----w- C:\DDS 20 Feb 13

2013-02-21 01:49:12 -------- d-sha-r- C:\cmdcons

2013-02-21 01:46:44 98816 ----a-w- c:\windows\sed.exe

2013-02-21 01:46:44 256000 ----a-w- c:\windows\PEV.exe

2013-02-21 01:46:44 208896 ----a-w- c:\windows\MBR.exe

2013-02-21 00:34:07 6991832 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{590d0033-8659-4998-b034-285e145acaaf}\mpengine.dll

2013-02-20 02:09:03 -------- d-----w- c:\documents and settings\administrator.d9tf3g41.000\application data\Malwarebytes

2013-02-19 00:49:07 -------- d-sh--w- c:\documents and settings\administrator.d9tf3g41.000\PrivacIE

2013-02-19 00:48:21 -------- d-----w- c:\documents and settings\administrator.d9tf3g41.000\application data\SUPERAntiSpyware.com

2013-02-19 00:36:29 -------- d-sh--w- c:\documents and settings\administrator.d9tf3g41.000\IETldCache

2013-02-09 01:40:49 -------- d-----w- c:\program files\AtHomeConnect

2013-02-09 01:35:52 -------- d-----w- c:\program files\HRBlock2012


==================== Find3M ====================


2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll

2013-01-17 06:28:58 232336 ------w- c:\windows\system32\MpSigStub.exe

2013-01-07 01:19:45 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-01-07 00:37:01 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-01-04 01:20:00 1867264 ----a-w- c:\windows\system32\win32k.sys

2013-01-02 06:49:10 148992 ----a-w- c:\windows\system32\mpg2splt.ax

2013-01-02 06:49:10 1292288 ----a-w- c:\windows\system32\quartz.dll

2012-12-26 20:16:29 916480 ----a-w- c:\windows\system32\wininet.dll

2012-12-26 20:16:28 43520 ------w- c:\windows\system32\licmgr10.dll

2012-12-26 20:16:28 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-12-26 15:12:06 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys

2012-12-26 15:09:06 171976 ----a-w- c:\windows\system32\mfevtps.exe

2012-12-26 15:08:44 91200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2012-12-26 15:08:06 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2012-12-26 15:07:54 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2012-12-26 15:06:54 565416 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2012-12-26 15:06:04 84464 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2012-12-26 15:05:52 362640 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2012-12-26 15:05:22 65488 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2012-12-26 15:05:02 234824 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2012-12-26 15:04:34 132976 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2012-12-24 06:40:59 385024 ------w- c:\windows\system32\html.iec

2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-12-14 21:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-07 04:57:56 41176 ----a-w- c:\windows\system32\iolobtdfg.exe

2012-12-07 04:57:48 23128 ----a-w- c:\windows\system32\smrgdf.exe

2012-12-07 04:42:54 2097032 ----a-w- c:\windows\system32\Incinerator32.dll


============= FINISH: 19:44:01.93 ===============
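A small triage pass over the DDS "Pseudo HJT Report" section, as an added example that is not part of the post and not a DDS feature: it flags the entries a helper reads first, namely orphaned BHO/EB CLSIDs, Run/RunOnce commands launched out of a Temp directory, and a populated AppInit_DLLs value. The sample lines are copied from the log above; the rule names are my own.

```python
import re

# Lines copied from the DDS Pseudo HJT report posted above; only the subset
# needed to exercise each rule is included here.
SAMPLE_REPORT = r"""
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRunOnce: [KB923561] rundll32.exe apphelp.dll,ShimFlushCache
mRunOnce: [516A1B33-ECB4-4A30-8240-EA8E05D8F35D] cmd.exe /C start /D "c:\docume~1\admini~1.000\locals~1\Temp" /B 516A1B33-ECB4-4A30-8240-EA8E05D8F35D.exe -activeimages -postboot
AppInit_DLLs= c:\progra~1\citrix\icacli~1\RSHook.dll
"""

# DDS prefixes: 'u' = HKCU, 'm' = HKLM. Run/RunOnce are the classic
# autostart keys; BHO/EB/TB are Internet Explorer extension registrations.
AUTORUN_RE = re.compile(r"^[um]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXTENSION_RE = re.compile(r"^(?P<kind>BHO|EB|TB):\s*(?P<rest>.*)$")
# A path component literally named Temp (long or 8.3 short form both end in it).
TEMP_RE = re.compile(r"\\temp\b", re.IGNORECASE)


def triage(report: str) -> list:
    """Return (rule, line) pairs for entries worth a closer look.

    Hits are leads, not verdicts: a RunOnce command in Temp can be a scanner's
    post-reboot step just as well as malware; the analyst confirms each one.
    """
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AUTORUN_RE.match(line)
        if m:
            # Code that starts from a user-writable Temp folder at boot is a
            # common persistence/dropper pattern and deserves a look.
            if TEMP_RE.search(m.group("cmd")):
                findings.append(("autorun_from_temp", line))
            continue
        m = EXTENSION_RE.match(line)
        if m:
            # DDS marks a CLSID whose registered file no longer exists as
            # <orphaned>: leftover of an uninstall, or of a removed payload.
            if m.group("rest").endswith("<orphaned>"):
                findings.append(("orphaned_extension", line))
            continue
        # AppInit_DLLs is loaded into every process that loads user32.dll;
        # any non-empty value is worth verifying against a known vendor.
        if line.lower().startswith("appinit_dlls="):
            if line.split("=", 1)[1].strip():
                findings.append(("appinit_dlls_set", line))
    return findings


def count_by_rule(findings: list) -> dict:
    """Collapse findings to {rule: hit count} for a quick summary."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_REPORT)
    for rule, line in hits:
        print(f"[{rule}] {line}")
    print(count_by_rule(hits))
```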

Hello SilentS,

Questions for you:

You indicate a problem of the keyboard not working in Safe Mode? If this is a desktop-type system, did you recheck all cable connections to ensure they are properly and snugly in place?

Does the keyboard "work" in other modes of Windows, such as Safe Mode with Networking?

If you do not have a working keyboard, this current case may be incurable here and you will need to go elsewhere.

Or even take it to a repair shop.

You have apparently used other tools. Why do you think (or do you) this is "malware" related?

Glitches in "Windows activation" issues are often caused by non-malware factors.

To the best of my limited memory, we do not have experts on Windows Genuine issues.

Those types of issues are better addressed at Microsoft venues such as

MS WGA forums http://social.microsoft.com/Forums/sr-Latn-CS/genuinewindows7/threads


Do you have a recent backup of this system, a system image backup, from before this "glitch"?

Seeing that this has Zone Alarm, since that can be a factor in possibly "blocking" some legitimate things from communicating back and forth, I might suggest you fully Uninstall Zone Alarm, Reboot, and turn on the Windows firewall.

Question: What Iolo programs and utilities did you use? Iolo has an extremely poor reputation, and is known to have stolen MalwareBytes intellectual property, plus their utilities may well have "glitched" some legitimate services.

Again, you cannot go far if you are having a keyboard issue.


Hi Maurice and thanks for the feedback.

This problem first surfaced at system boot up on Monday 18 Jan, and after running McAfee Virus Scan Plus and Malwarebytes with nothing showing up I decided maybe it was an activation issue after all. I was a bit suspicious as I could log in with Safe Mode but no other mode. When I chose the activation via Internet option and it asked me to type in the Certificate of Authenticity, it would take all digits except the 5th in the second of five 5-digit fields. I am naturally suspicious, so I started researching possible virus or malware issues online. Didn't come across your site until later in the week and followed the guidance of running DDS, but didn't know how to get the files off. Didn't realize that if I boot in Safe Mode with the USB flash drive plugged in it will recognize it.

It is a desktop with a plug-in (not USB) keyboard, and the keyboard works fine until the Safe Mode boot process gets to a file that ends in Drivers\agp.440.sys. At this point the keyboard stops responding and the "Caps Lock" light etc. goes off, so I think software is causing this.

I could download programs from my laptop to CD, put them on the desktop of the desktop PC and run them, so I did what you would probably tell me not to do and ran things like ComboFix, Rootkit Remover and Stinger in hopes of getting to a point where I could at least get online and get help by following the expert guidance and posting logs. From the McAfee Community site I found RootkitRemover and ran it. The log tells me:

Malware Found-->ZeroAccess trojan detected!!!

-->Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer

-->Malicious file: C:\WINDOWS\system32\wbem\wbemess.dll (will be deleted after restart)

-->Register key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer

-->Malicious file: C:\WINDOWS\system32\wbem\fastprox.dll (will be cleaned after restart)

ZeroAccess trojan was cleaned successfully!

Error Loading Service

Please ensure to run this tool as administrator

Press any key to exit.

So this is why I think it is malware, but when I try to boot in Normal Mode or Safe Mode with Networking I get the Activation Window, and then when going to Safe Mode the same results show up again.

Happy to start from scratch if I can get an attach.txt file off with USB.



As to the ZeroAccess you noted above:

Backdoor trojan warning: ZeroAccess / Sirefef

This system has some serious backdoor trojans. ZeroAccess / Sirefef

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (remote access trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

See this article on creating strong passwords http://www.microsoft...rds-create.aspx

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.

While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx

Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx

Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx

Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp

As to System Mechanic:

I have personally helped a number of Windows users {for Windows Update issues as well as some other areas} and can tell you that System Mechanic is known to be over-aggressive and remove perfectly fine Windows services from the system's start-service list, such that your system is dinged and effectively hurt.

I would urge you to see if you could undo what System Mechanic "fixed".

And to uninstall System Mechanic. Do not use it OR any other registry tweaker / cleaner / fixer-upper of any sort, by whatever name.

My bet is that IF you managed to get into the services.msc management console, that you would find the windows installer service as not listed or as missing or perhaps disabled.


The computer is over 8 years old and due for a replacement in any case. My goal then will be to strip off data safely without infecting my laptop or new computer. I appreciate advice on how to do this, and I should have a hard-drive-to-USB adapter which I can use to operate the drive outside the existing computer if that is the best route.

(I am of course stubborn and would love to kill as much as possible of what is infecting the desktop.)


Copy to offline media all your personal files, documents, etc.

You can do that from Windows Explorer. You can also do that while in the Recovery Console ....if needed.

IF you have the Windows XP operating system CD, you can boot from it and use the Recovery Console {a limited Command prompt environment}.

References for Recovery Console:

Description of the Windows XP Recovery Console - Article ID 314058


If you do not have the XP CD, you can burn one to CD using the following tool

Artellos ARCDC Automated Recovery CD Creator


Please download ARCDC from Artellos.com.

  • Double click ARCDC.exe
  • Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
  • You will be prompted with a Terms of Use by Microsoft, please accept.
  • You will see a few dos screens flash by, this is normal.
  • Next you will be able to choose to add extra files. Select the Default Files.
  • The last window will allow you to burn the disk using BurnCDCC

Your ISO is located on your desktop.

I suggest a clean (new) Windows XP Install:

Before you do that, make sure you have at hand the Windows XP CD and also, a fresh new copy of your antivirus that is downloaded from a clean pc and saved on transportable-media (CD-DVD or clean thumb drive).

{IF without the XP o.s. CD, check with your computer-maker's support website on the procedure to do a factory restore from the hidden partition on your HDD. Be aware this process sets the computer back to Day 1 as it came out of the factory.}

When you are at the point of re-installing the o.s., I'd recommend you have the pc disconnected from the internet until after the o.s. is installed, plus the antivirus is fully set up and running.

Remember that when you do this you will need to have the installers for all your software, along with all the information for configuring your system, such as license keys and passwords.

See Windows XP Clean Installation - Partitioning and Formatting using Windows XP CD by Ramesh Srinivasan, MS-MVP & AumHa VSOP

Also Clean Install Windows by Michael Stevens, MS-MVP

I would urge you to follow the directions very carefully.

You will lose your documents, so if you have some to save, offload them to a separate offline media. And later on ensure you do a full scan of them by running your antivirus.


