gerbil 216 Industrious Poster

Ripper. That's a good job, tim, log looks clean, too. I assume all is working well now?
If so, re-enable those guards and reinstall SpyBlock and off you go. Cheers

gerbil 216 Industrious Poster

Oh dear..... Please restore from the Recycle bin those files that you deleted [but not the fixes shown to you by Crunchie and Overwhelmed].... this will explain:
Open an explorer window, go Tools, Folder Options, View, and check Hide protected Operating system files, above that select Do not show hidden files and folders, Apply n OK. Close and reopen Explorer.
When those items above are set to show such hidden and superhidden files such files are shown in explorer with pale icons... however I do not know why they would be showing on your desktop...?
To aid yourself in that file restoration task order your Recycle Bin items by Date Deleted.
!!! It could be important that you do this BEFORE YOU TURN OFF YOUR SYSTEM because depending upon what files you have deleted your system may not be able to restart!!!

gerbil 216 Industrious Poster

Heya, Overwhelmed by clicks.. :) we all ask for help from time to time... who could know it all?
SP2 by default plays a click when it blocks a pop-up. To disable that: In IE click on tools, Internet Options, Privacy tab, Settings. Remove the check from "Play a sound when pop-up is blocked", close and OK.
Of course you could go CP, Sounds and Audio Devices, Sounds tab and select No sounds as your scheme which will over-ride the above. Personally, I find that setting just sweet.
Mobile phone too near your sys?
[that log is clean...]

gerbil 216 Industrious Poster

Hello Tim,
perhaps Windows Defender is blocking us - please disable its Realtime Protection....
Open Windows Defender, click Tools, General Settings, Scroll to and uncheck Turn on real-time protection.
Click Save and close Windows Defender.
[Btw, this is the easy way to shutdown Teatimer temporarily....
To disable TeaTimer:
Open Spybot, click Mode, select Advanced Mode, click Yes in new window, click on Tools in bottom left hand corner.
Click the Resident icon and uncheck Teatimer box].

To avoid the time consumption of running Combofix again let's do this another way:
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {6A01B65F-727B-486B-A5C2-2B45A2D12C6B} - C:\WINDOWS\system32\ddabx.dll (file missing)
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Really, you should fix those two O15 items also - there is no good reason to have any items in the Trusted Zone.
Good, now we remove this service...:
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service, rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close …

gerbil 216 Industrious Poster

Tim, sorry, but I missed something. You have Spybot's Teatimer running and that prevented some of the registry fixes in that last script from being made... could you please turn off teatimer, delete your old CFScript.txt [it is renamed] and then save and run this reworked one [remember, just the text between the lines, not the lines themselves]:
[try it in normal mode first...]
___________________________________________________________________________
Service::
MSControlService

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{386F90DB-AEF3-46F5-8DB6-185773BDC279}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A5425A5-B020-49ED-AADF-9AE1D350D1E4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A6DCCA6-E38C-4D93-9F38-5F9E13F75121}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A01B65F-727B-486B-A5C2-2B45A2D12C6B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7735687A-6247-4249-8018-1AE893E8CD8E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA04B9DC-6566-488F-96DE-E3133B167D5B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4226652-BE0E-48B2-9C12-C59B94D5AFF9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BA52B914-B692-46C4-B683-905236F6F655}=-
{2318C2B1-4965-11D4-9B18-009027A5CD4F}=-
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}=-
[-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bglgvhyl]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccbxu]
____________________________________________________________________________

gerbil 216 Industrious Poster

Hang a mo... I'm checking; that should not have happened.
Okay, would you try doing the same procedure in Safe mode, please? One other point, do you have ONLY ONE copy of Combofix on your sys? Delete any older copies, then it may run correctly in normal mode.

gerbil 216 Industrious Poster

These two keys:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

..if you do not have the Search key, or if these two entries do not have a listed search engine as an entry, Hijackthis will put them up in its scan.

How are you getting on with the sys I was helping you fix in the other thread? No access?

gerbil 216 Industrious Poster

:) ... your sys is clean...
Well, I am out of ideas on your problem. Sorry, but I really do not know what to try next... Are ALL your browsers having the same problem re opening sites? If one site will not open in IE, say, will that same site open in any other browser?

gerbil 216 Industrious Poster

That's okay re Vundofix; I asked you to run it because there was a reference to a file in combofix that did not show in the Deleted files list - just making sure.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.
__________________________________________________________
File::
C:\WINDOWS\system32\cyulyndk.ini
C:\WINDOWS\system32\drivers\efkbbwhbyvsl.sys

Service::
MSControlService

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{386F90DB-AEF3-46F5-8DB6-185773BDC279}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A5425A5-B020-49ED-AADF-9AE1D350D1E4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A6DCCA6-E38C-4D93-9F38-5F9E13F75121}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A01B65F-727B-486B-A5C2-2B45A2D12C6B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7735687A-6247-4249-8018-1AE893E8CD8E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA04B9DC-6566-488F-96DE-E3133B167D5B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4226652-BE0E-48B2-9C12-C59B94D5AFF9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BA52B914-B692-46C4-B683-905236F6F655}=-
{2318C2B1-4965-11D4-9B18-009027A5CD4F}=-
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}=-
[-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bglgvhyl]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccbxu]

__________________________________________________________

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log plus a fresh hijackthis log.
Say how things are after a restart.
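A CFScript like the one above is worth reading as a plan before it is dragged onto Combofix. This is an added example (mine, not from the thread and not ComboFix's own code) that parses the File::, Service::, Registry:: sections, plus the Killall:: and RenV:: sections used elsewhere in the thread, into a plain list of what the script asks for, and pulls out the CLSIDs so they can be checked against the HijackThis O2/O3 lines. The meaning of each section is taken from how the thread uses it; the `~` shorthand in the key paths is left as written, and anything not in a known section is surfaced rather than silently dropped.

```python
import re

# Constructed sample: the CFScript quoted in the post above, registry part shortened.
SAMPLE_SCRIPT = r"""
__________________________________________________________
File::
C:\WINDOWS\system32\cyulyndk.ini
C:\WINDOWS\system32\drivers\efkbbwhbyvsl.sys

Service::
MSControlService

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A01B65F-727B-486B-A5C2-2B45A2D12C6B}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BA52B914-B692-46C4-B683-905236F6F655}=-
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}=-
[-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
__________________________________________________________
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")      # e.g. "File::", "Registry::"
SEPARATOR_RE = re.compile(r"^_{10,}$")          # the "lines" the poster says not to copy
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_cfscript(text):
    """Turn a CFScript into a list of (action, target) tuples for review.

    Section semantics follow the thread's usage:
      File::     one path per line, to be deleted
      Service::  one service name per line, to be removed
      RenV::     one path per line, written with the inserted space as found
      Registry:: [-KEY] deletes a key; [KEY] selects a key; NAME=- deletes a value
      Killall::  no arguments in the thread's script; recorded as a single action
    """
    plan = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR_RE.match(line):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            if section == "killall":
                plan.append(("kill_all_processes", ""))
            continue
        if section == "file":
            plan.append(("delete_file", line))
        elif section == "service":
            plan.append(("delete_service", line))
        elif section == "renv":
            plan.append(("restore_filename", line))
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                plan.append(("delete_key", line[2:-1]))
                current_key = None
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]          # later NAME=- lines apply here
            elif line.endswith("=-") and current_key:
                plan.append(("delete_value", current_key + "\\" + line[:-2]))
            else:
                plan.append(("unrecognised_registry_line", line))
        else:
            # Text outside any section (or before the first header) is not a command.
            plan.append(("unrecognised", line))
    return plan


def guids_touched(plan):
    """Lower-cased CLSIDs the script removes, for comparison with the O2/O3 log lines."""
    return {g.lower() for _, target in plan for g in GUID_RE.findall(target)}


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    for action, target in plan:
        print("%-28s %s" % (action, target))
    print("CLSIDs removed:", sorted(guids_touched(plan)))
```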

gerbil 216 Industrious Poster

Clean:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Scan:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
Log:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log run in normal mode.

gerbil 216 Industrious Poster

Ha! For a moment there I missed your point completely.... Sys Vol Inf is the directory which holds the restore points in each volume. A volume is commonly referred to as a drive such as, in this case, C:. You are safe....
Yes, I understood that you could delete those files but that they would be recreated. I know nothing about Sympatico but I can assure you that your Virgin Telus will create those rb.tmp files... they are for its own use and are not dangerous. You know, if you DID have malware files in your bin and you then emptied it there would be no more malware in there for Telus to rename, would there? But there are normally no actual files in the recycle bin...This may help you understand: - when you delete a file all that is added into the recycle bin is the pathname of the file; the file itself remains exactly where it was on disk but is renamed using a simple algorithm. The file will remain where it was until you empty the recycle bin, then the space it occupies will be listed as available for overwriting and in the fullness of time may actually be overwritten. Until that time your file still exists and can be retrieved with software. Malware fights like crazy to prevent its files being deleted because of that renaming - it can no longer find elements of itself because it won't know the new names. So no malware files …

gerbil 216 Industrious Poster

It is difficult to believe that this lil baby is the source of all your troubles..:
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\yddgxwuw.dll",b
Let's ignore it for the moment and run this first:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Oh, and in case I forget, when next I ask for a hijackthis log would you please delete your copy of the exe and download the latest version from here:
http://www.majorgeeks.com/download5554.html

gerbil 216 Industrious Poster

You are very welcome.
Cheers.

gerbil 216 Industrious Poster

In AVG you can click on "remove finally"; then, to ensure that no other points are infected but undiscovered you clear all your restore points and make a fresh one by the method I detailed.
Telus, I think, makes those rb/rb4.tmp files for its own purposes.... I proposed testing that by your disconnecting from the net and then disabling Telus [usually this is possible from a service's control panel - there should be no need to uninstall it]. With Telus temporarily disabled you should be able to delete those files in the recycle bin, but Telus will recreate them once restarted. [this is my ... what..? best guess... yeah... test it, they are no harm in the bin].

gerbil 216 Industrious Poster

That's okay... this will clear all of them... btw, did you check out Telus and those rb.tmp files like I mentioned?
==You SHOULD clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
[[the quick way to System Restore is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]

gerbil 216 Industrious Poster

do you recognise the entries in the quarantine? You could list them here.. but if they are merely cookies you could just empty the bin safely.

gerbil 216 Industrious Poster

Okay, that one [tcpsvs.exe] is legitimate, so leave it there. Let's remove that key though...
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O20 - AppInit_DLLs: tcpsvcs.dll
..and that is all. Those rb.tmp and rb4.tmp I think may be associated with your AV/AS service, Telus. If you wish to test that go offline, disable TELUS and then delete them. If they stay gone then that is the reason, they are files used by Telus..... Don't forget to reactivate Telus before you connect again. It will regenerate them.
AVG should have saved a report if it found something.. check under the Reports tab...?

gerbil 216 Industrious Poster

Hi, you need to remove this:
C:\WINDOWS\system32\tcpsvcs.dll
It is already running, started at boot by this key :O20 - AppInit_DLLs: tcpsvcs.dll ... If you cannot manually delete the file in normal mode you will not be able to do it in safe mode either, because it is loaded and running before you get to log on,so you will need to unlock it first. This tool should do the job...
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
So try it and post another log.

cynikal commented: very good +1
gerbil 216 Industrious Poster

As far as I can tell you are clean to go, Anna.
Good luck out there.

gerbil 216 Industrious Poster

I would love to help but I am not Vista-aware.... nevertheless, check out the top sticky and post a hijackthis log.

gerbil 216 Industrious Poster

Cindy, after following zelkea's instructions the log you give is clean.
If you wish you could remove MyWay as it is basically an adware search bar. This is the best way to do that:
=I see that you have MyWay Search Assistant. You can get rid of it if you wish...
First see if it is listed in Add/Remove pgms list - remove it if able, then..
Go start > run, paste:
MsiExec.exe /X {78d944d7-a97b-4004-ab0a-b5ad06839940} -and Enter. If it is found click yes at the prompt.
Next delete the MyWay files/folder in Program Files [use myway as a search string...].

gerbil 216 Industrious Poster

Overwhelmed, that is a log from Deckard's System Scanner [without its header].. hence the emulation heading for the hijackthis section.
XPmase, your machine has a vundo infection, amongst others. We should try to clean that first.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may …

gerbil 216 Industrious Poster

Spamming?
You should mention that one of the really useful aspects of CCleaner is that it is easily configurable by a user so that it will delete on demand the contents of just about any file you care to empty. Like Zonealarm's log files which just grow [well, they used to].... or others... Alcohol, any pgm that makes backups or logs of its actions without limiting their size or number.

gerbil 216 Industrious Poster

G'day, Anna.... don't worry too much, I am sure there are compensations that go with blondeness....
F:\Autorun.inf - yes, delete it, no autorun file should be on a hard drive.
C:\WINDOWS\AM_D8.PRF - this one is valid... it's part of a website content filter you have on your machine to keep you safe from us nasty types out here. If you delete it you may never get out amongst us again.
Does safe mode work now?

gerbil 216 Industrious Poster

Hello, Warrior... that Hijackthis log looks truncated.. I know it is run in safe mode, but even so...
There are a lot of things to fix, those that Overwhelmed pointed out and a lot more. If we fix those and remove a couple of files could you post another log, and we'll see where we go from there.
Orrite, start hijackthis again, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\drivers\spool.exe C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - c:\windows\system32\userinit.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {897fe88e-1dd2-11b2-92c5-9c93f4e93ae8} - C:\WINDOWS\pohwfgje.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - …

gerbil 216 Industrious Poster

Tricky. Just in case... try to run this after another clean with CCleaner:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
-this would eliminate one area of thought, at the least.
Something else you should consider, because of the great number of common usage between browsers of many dlls is to run System File Checker...
Go Start, run, sfc /scannow
Insert your XP SP2 cd...

gerbil 216 Industrious Poster

Oh, it looks like a post I "made" didn't make it to the board...
Anyway, I'm running out of ideas, jstorm. Try uninstalling your google toolbar, fix any remaining google entries in a new hijackthis scan; then under internet options check under Manage Add-ons for any entries you do not know, remove them... unfortunately, that would only affect IE and not FF or Netscape... ok, I know little of netscape's browser...

gerbil 216 Industrious Poster

Nice work, Anna... that certainly worked magic.
There are still a couple of things to fix before you put your feet up, though.
What is on your F: drive? Is it/was it a plugged-in USB stick? From Combofix....:
F:\Autorun.inf . . . . failed to delete. If this is a hard drive then I suggest you try to delete this file manually. If a USB drive [thumbdrive...] then it could be okay to leave it be.
What is this file associated with [check its properties..] C:\WINDOWS\AM_D8.PRF
Now, the last thing is to fix your Safe Mode registry keys, otherwise you cannot enter Safe mode. Download the zip file I have pinned here, unzip it and dclick the .reg file to run it... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
Then see if you can enter safe mode via F8 key.

gerbil 216 Industrious Poster

Hang on there, Anna!!! We got to fix stuff yet!!

gerbil 216 Industrious Poster

Your vundofix is out of date, btw.... 6707 is current.

gerbil 216 Industrious Poster

Anna, can you dl that combofix file? If you cannot with your sys, dl it with another machine [a friend's, at work...] and copy it in. It is 1.5M so too big for a floppy, fine for a thumb drive.
You could try this first....
delete these files:
C:\WINDOWS\SYSTEM32\mdelk.exe
C:\WINDOWS\SYSTEM32\wintems.exe
and delete this folder and its contents:
C:\WINDOWS\SYSTEM32\DRIVERS\down
...and then try a dl of combofix.

gerbil 216 Industrious Poster

Hello, Anna, could you dl and run this please:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Beauty. It's nice to win, isn't it?
{work that Solved button - I can't...}

gerbil 216 Industrious Poster

Protection. If you have even a half decent firewall [like Window's version] getting infected by malware comes down to it simply being invited in. Therein lie the problems: your gullibility, innocence, impatience and yes, your trust in others. Websites are infected or carry infected objects knowingly or unknowingly, friends and others have systems which permit them to send you infected objects, you don't suspect that a pretty picture or animation could do any harm... and for those people who trawl the more risque or basic instinct sites, well, they just have lowered ideas of worth, self or otherwise [imo, not nec this site's.. :)].
Ok, you clicked on it, it's not being blocked and so it is coming in...
"Over the years, get the occasional trigger from virus software killing a bug" ...yep, luckily your software caught a known one, or recognised a pattern, a style of attack. But AV, AS etc is not always in front of the game, actually, mostly it is behind by a step or more. The sole compensation is that a new attack is almost by definition a rare attack. Your best defence is to layer your defences behind the firewall: a reputable and updated AV [there is no best AV ...], an updated AS lying in reserve, a process blocker, and possibly either a registry sentinel or simply not web-crawling while an administrator.
If you have a two-way firewall [like most are] you may get told if something like adware is …

gerbil 216 Industrious Poster

That looks fine to me. Getting back to the original problem, steve, how is your internet access now with all your browsers?

gerbil 216 Industrious Poster

Heck, you did it again!! I just changed that setting to how you said! We gotta stop meeting like this!!
I also cut the cache from default 200MB to 10MB. Not having used Opera for several months, and having just updated it totally I got all the defaults; I'll get around to checking them all one day. I did already move the cache away from XP to another volume, though; no way do I want caches disturbing XP.
Btw, Crunchie, it was interesting that Vundofix could not delete C:\WINDOWS\system32\pmnmnnm.dll even when it was pointed right at it. Did you notice that Unlocker failed also?

gerbil 216 Industrious Poster

Every time I revisit a thread I get the old cached copy... have to hit the refresh button, and sometimes I forget and get confused by what I see.... FF doesn't cache like that. I have fooled with my FF but I still cannot get it to read that post with the looong list of Posxxx.tmp deletions.
If I make an entry in a thread Opera puts up the refreshed page immediately, but if I load another page [thread] that I have been to before a bit earlier I get a cached [and sometimes out of date] copy.

gerbil 216 Industrious Poster

I was offline, came back on just a bit too late for the glory. Missed one, did I, crunchie? Well, durn. Mighta picked it up on the next run... you gotta make em work at it to teach em a lesson about getting infected in the first place.... :)
I'm getting tired of the Opera caching... may go back to FF. Caching speeds Opera up, but is no help on this job.
BTW, Overwhelmed... that script fix includes a fix for the two registry entries that you point out from Hijackthis...

gerbil 216 Industrious Poster

Aw, heck, I just worked this up...
Killall::

File::
C:\WINDOWS\~GLC0000.TMP
C:\WINDOWS\system32\ejtkbemq.junk
C:\WINDOWS\system32\ejtkbemq.junk
C:\WINDOWS\system32\rxqmhuct.junk
C:\WINDOWS\system32\chbcmnky.junk
C:\WINDOWS\system32\qxpcdpaj.junk
C:\WINDOWS\system32\qbeebqpx.dll
C:\WINDOWS\system32\dbqcvrqi.dll

RenV::
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
C:\WINDOWS\system32\ctfmon .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bd2081d7-a797-464a-86e7-52f781095074}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6}]
:)

gerbil 216 Industrious Poster

:)... You americans love repetition... wouldna done it otherwise.

gerbil 216 Industrious Poster

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.
__________________________________________________________
File::
E:\WINDOWS\system32\rqtwa.bak1
E:\WINDOWS\system32\rqtwa.bak2
E:\WINDOWS\system32\rqtwa.ini2

_________________________________________________________

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

gerbil 216 Industrious Poster

Anna, that looks like a good cleaning by Panda... I suspected the Bagle worm from your symptoms..
=Be VERY wary of this [from eZula?]:
Possible Virus. Not disinfected F:\Incoming\Portable GIMP2.2.10 Beta 1 (Multilingual)-portable_gimp_2.2.10_beta1_multilingual.zip[PortableGIMP/gimp/lib/gimp/2.0/plug-ins/webbrowser.exe]
=C:\Program Files\Sciagniete\Cdvd.exe - to me this does not like the Cliprex mp3 player...? Is it? Panda gives several different warnings for it at the top of the report. Seems doubtful to me, my advice would be to uninstall it via Add/remove pgms.
=I see that you have MyWay Search Assistant [there, courtesy DELL]. You can get rid of it if you wish...
First see if it is listed in Add/Remove pgms list - remove it if able, then..
Go start > run, paste:
MsiExec.exe /X {78d944d7-a97b-4004-ab0a-b5ad06839940} -and Enter. If it is found click yes at the prompt.
Next delete the MyWay files/folder in Program Files [use myway as a search string...].
=Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: (no name) - ~EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - …

gerbil 216 Industrious Poster

Congratulations of a sort are due - that is the first I have seen where Unlocker has failed.
Try running Vundofix this way...=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Addmore files? line, paste into the new window these pathnames [one per line]:

C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\mnnmnmp.*

Click the Add Files button, and next the Remove Vundo button.******

You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Follow with this.. we will get a chance to see other new files that were created with Vundo.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A …

gerbil 216 Industrious Poster

It is a quite difficult thing to clean and keep clean an unprotected XP [no SP2].
As far as your problem goes I am a bit blind. You could try this:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Very likely so if you do not have any firewall.
Now you need to delete this one..
C:\Program Files\Common Files\System\MSIWA32.exe
Did you clean and run Panda online scan?

gerbil 216 Industrious Poster

There is something very "fake" about that second "system" directory.... Windows would not allow it as a name if another exists, the 8.3 abbreviation SSTEM~1 is wrong, and could not exist either because system has 8 characters or less. Perhaps somehow some characters are hidden. Anyway, it is time to clear out outerinfo.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
..and post a fresh Hijackthis log also, please.
[the prefetch entry for logonui.exe is fine]

gerbil 216 Industrious Poster

Mmm... McAfee finds, but .....
Try this:
Clean:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Scan:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
[you may now be able to dl hijackthis...try, post a log if you can].

gerbil 216 Industrious Poster

Hello, suzanne, posting a log here like that is just fine.
Lessee.. you have AVG Free and Symantec AV services running; you must remove one, and now. They may interfere badly with unforeseeable results. If you wish to remove Symantec you may require the removal tool from their website.
Good. Now start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

And that is all I see. [if you don't want hp as your default site for the internet you could fix all those R0 and R1 entries also, leaving the bluelight one if you so wish.... up to you]
History.. open an IE window, go Tools, Internet options, General tab and see if a useful Days to keep number is set. Yes? Then navigate to the History folder for your IE under C:\DOCUME~1\Your Profile\LOCALS~1\History\History.IE5
Any entries?
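The same handful of HijackThis entry types come up in post after post in this thread: orphans marked (no file)/(file missing), the two system.ini F2 keys with an extra executable appended, O15 Trusted Zone entries, O20 AppInit_DLLs, Run entries that load a DLL through rundll32, and unnamed BHOs/toolbars. As an added example (mine, not gerbil's and not part of HijackThis), here is a small Python triage that sorts a scan into "fix", "review" and "info". The sample lines are quoted from the posts above plus one constructed benign ctfmon.exe entry; the expected F2 values assume a default XP install.

```python
import re

# Constructed sample log: HijackThis entries quoted from the posts in this thread,
# plus one benign O4 ctfmon.exe line added so the triage has something to pass.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\drivers\spool.exe C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {6A01B65F-727B-486B-A5C2-2B45A2D12C6B} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {897fe88e-1dd2-11b2-92c5-9c93f4e93ae8} - C:\WINDOWS\pohwfgje.dll
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\yddgxwuw.dll",b
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - AppInit_DLLs: tcpsvcs.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Stock values for the two system.ini keys (assumption: default XP install, compared case-insensitively).
EXPECTED_F2 = {"Shell": "explorer.exe", "UserInit": r"c:\windows\system32\userinit.exe"}


def classify(code, body):
    """Return (severity, reason) for one entry, or None if it needs no attention.

    severity: 'fix'    = safe to tick under Fix Checked (the thread's usual advice),
              'review' = identify the file first,
              'info'   = cosmetic, HijackThis lists it but it is harmless.
    """
    if body.endswith(ORPHAN_MARKERS):
        return "fix", "orphan: the registry still points at a file that is gone"
    if code == "F2":
        rest = body.partition(": ")[2]            # "Shell=Explorer.exe ..."
        key, _, value = rest.partition("=")
        value = value.strip().rstrip(",").lower()  # real logs carry a trailing comma
        if key in EXPECTED_F2 and value != EXPECTED_F2[key]:
            return "fix", "extra executable appended to system.ini %s" % key
        return None
    if code == "R0" and body.endswith("="):
        return "info", "empty search key; HijackThis lists it but it is harmless"
    if code == "O15":
        return "fix", "Trusted Zone entry; nothing belongs in the Trusted Zone"
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        return "review", "AppInit_DLLs is loaded into every process at logon"
    if code == "O4" and "rundll32" in body.lower():
        return "review", "Run entry loads a DLL through rundll32; identify the DLL"
    if code in ("O2", "O3") and "(no name)" in body:
        return "review", "unnamed BHO/toolbar with a file on disk; identify the file"
    return None


def triage(log_text):
    """Parse a HijackThis scan and return the entries worth acting on, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                               # headers, blank lines, non-entries
        verdict = classify(m.group("code"), m.group("body"))
        if verdict:
            severity, reason = verdict
            findings.append({"code": m.group("code"), "severity": severity,
                             "reason": reason, "line": line})
    return findings


def fix_list(log_text):
    """Only the lines the triage rates safe to tick under Fix Checked."""
    return [f["line"] for f in triage(log_text) if f["severity"] == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %-4s %s\n       %s" % (f["severity"], f["code"], f["reason"], f["line"]))
```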