gerbil 216 Industrious Poster

Hello, this may help.
We need to remove this service:
O23 - Service: Integrated Windows Authentication - Unknown owner - C:\Program Files\Common Files\System\MSIWA32.exe
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service [Integrated Windows Authentication], rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....


And then delete this file:
C:\Program Files\Common Files\System\MSIWA32.exe

If things are now back to normal update to SP2.

gerbil 216 Industrious Poster

Oh, and if your OS still does not validate may I suggest you work through the detail of this article?
http://www.pchell.com/support/windowsgenuineadvantage.shtml
Start with "I have a legal copy of..., but...", run the M$ diagnostic and then so on...

gerbil 216 Industrious Poster

Hello, annemarie, if you still cannot get your drives to open except from the address bar then use this registry fix from Doug Knox [he has a great reputation...]. It will restore some reg entries that may have been altered. http://www.dougknox.com/xp/fileassoc/xp_drive_association_fix.zip
Unzip the file, dclick the .reg to run it... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

gerbil 216 Industrious Poster

What do you mean by totally reset?
Go Start, run devmgmt.msc
Is USB Controllers an entry in the tree?
Expand USB Controllers. Are there any red crosses, or yellow exclamation marks?
Dclick each controller, check its status, ensure that each device is enabled. Try trouble shooting button. Update drivers ....make sure they are signed [by M$].
Somewhere in that lot you should find the problem.

gerbil 216 Industrious Poster

Top post in Viruses n Nasties forum gives you what you are looking? for...:)

gerbil 216 Industrious Poster

Mmmm, lessee, Rezert. Has IE improved since Combofix removed Relevant Knowledge/Marketscore Accelerator [it's a fake, more spyware, a tracker, and comes with an ad downloader]?
Firefox... yep, reinstalling it is always an option to fix things.
That drive image.. When it starts explorer.exe pulls real volume information from the actual physical drives [it checks all storage devices it is aware of], but the mounted volume image information is from mountpoints2 in registry.. I hesitate to get you to just delete those drive images from there [you could, but I aint taking "credit" for any damage!..] - my preferred option would be for you to try to reinstall your drive image software and see if you can remove the image from there.
USB being ignored still - could be a driver issue or registry corruption; you could fix either or both with your SP2 installation CD [copy in the USB driver files, the reg entries would require a Windows Repair from Setup].
To copy in/update drivers go via device manager/USB controllers, all of 'em /Update driver; you could take resources from your CD or Windows update... See how that goes before you run a Repair.

gerbil 216 Industrious Poster

Looks good now. How are things? If you don't want AskSBar uninstall the pgm [it came in with some other software cos you didn't uncheck its installation request box..].

gerbil 216 Industrious Poster

Hello, Rezert, let's run these fixes first.
==Download LSPfix from here http://cexx.org/LSPFix.exe -start it by dclicking the .exe....
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "rlls.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.
Delete C:\windows\system32\rlls.dll
Next...
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Post another hijackthis log also.

gerbil 216 Industrious Poster

If you are going to google stuff, you should read the actual information in each post/site and not go on the headings in the google search page info. You have Yahoo stuff, SSDK02.exe is actually a piece of Norton software that provides a security status to the Yahoo processes.
If you want to test this, try uninstalling Yahoo and see where that YOP\SSDK02.exe goes.
Hth.

gerbil 216 Industrious Poster

Interesting. What have you, or had you, up on internet explorer that caused the sys to allocate 52M of VM to it? I have a moderately complex webpage in IE and it only has 12M of VM granted to it.
Superantispyware is a very good anti-malware tool - if you don't need to find or fix malware you probably do not need it running though.
Anyway, how much RAM do you have, how much VM have you allocated on your HD [as the page file], and how long has your sys been running since last startup?
Norton has had a lot of page faults, nearly 3 million [page fault is the name given to the interrupt when the sys cannot find what it wants in RAM and has to dive into the page file [the extra memory on the HD that the sys grants to a process] to retrieve it]. I assume that svchost.exe with 2 mill page faults is associated with it - we would have to run another pgm to test that.
Try going offline and uninstalling Norton, see how things go. Temporarily at least, you could dl and run AVG AV [free] from that site I gave above.
It may also be that that svchost.exe instance with the outstanding number of page faults is handling a process which is very active and it is that which is actually causing Norton to work overtime.

gerbil 216 Industrious Poster

Oh Geez!! LOL!! Hahahahahahaha... now I feel an ass too. Arrgh. Next time you have a bath take the keyboard in with you, get rid of the coffee n cake crumbs....
Oh dear.... I'm gunna see if I can get a moderator to delete this whole thread.... to save us both some embarrassment!

gerbil 216 Industrious Poster

Then try it with hhctrl.ocx.... same thing, a new copy should immediately appear. [this file is C:\windows\system32\hhctrl.ocx].
I am shooting in the dark here, these are the processes that handle most help files. But it could be something wrong with your keyboard drivers with the effect that the F1 key is virtually depressed all the time! I doubt it though, sounds too weird.
I don't know of a virus that does this, but if you can manage it an online scan should clear that aspect... run the ATF cleaner first.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

Dee, go to C:\Windows and do a search for hh.exe; rename it to hh.exe.old. Then open any help file, eg windows media player, firefox... just hit F1 in some pgm [if you do it with just your desktop displayed then windows help centre should open]... and see if you get a new hh.exe opening in that search results window... Windows file protection system should copy in a new one from cache, even without prompting it by hitting F1 as above [if you see a new copy appear ignore hitting the F1 button].
Then try it with hhctrl.ocx.... same thing, a new copy should immediately appear.

gerbil 216 Industrious Poster

Hello, Sarah, a first point: I notice that you have no active AV service running, and possibly no firewall [if you do have it running, fine - it is not possible to see Windows' firewall].
May I recommend you get one of these if you do not wish to turn on Norton ...
AVG Free, Avast, Avira...
this: Spywareblaster...
and one of these: ZoneAlarm Free, Kerio, Comodo.

AVG Free 7.5 at http://free.grisoft.com/doc/5390/lng/us/tpl/v5
Avira personal free at http://www.free-av.com/
Avast home edition at http://www.avast.com/eng/avast_4_home.html

Use hijackthis to fix this entry [it is orphaned] :
O2 - BHO: {3a279af5-d1bb-f71b-5b44-44bbbc8874ae} - {ea4788cb-bb44-44b5-b17f-bb1d5fa972a3} - C:\WINDOWS\system32\blvvauxm.dll (file missing)
-apart from that your log is clean.
Now, your VM problem. Something is growing, it is possibly one of your drivers going feral and starting to eat memory. For a start open Task Manager, Processes tab, then click view tab, select columns and check these:
CPU usage, memory usage, peak mem usage, page faults, user name, VM size, paged pool, nonpaged pool and handle count. Now take a screenshot of that TM page and another 30mins later. Post em. Someone may have a clue.....

gerbil 216 Industrious Poster

Nope. Nothing shows in either log [although I have no idea what you have used this for: O16 - DPF: {00000000-0000-0000-0000-100000000003}]

Time for a broader brush...

==Download this temp file cleaner --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.

Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.

Close ATF.

==GET AVG antispyware 7.5

-Install it and UPDATE it.

Start AVG a-s 7.5;

-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.

-press Apply all Actions and Save the log file. Post the log file.

gerbil 216 Industrious Poster

Dee, I have to assume that you tried to fix this entry :
O18 - Filter hijack: text/html - (no CLSID) - (no file)
- it remains. I am wondering what put it there in the first place; this may reveal something...
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Post that plus a fresh hijackthis log, please, Dee.

gerbil 216 Industrious Poster

Ok, Dee, ignore the Smitfraudfix result
Uninstall RXToolbar.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {C69D7DEB-1320-4956-A208-9251086B2AA8} - C:\WINDOWS\system32\ddcyw.dll (file missing)
O4 - HKLM\..\Run: [NI.USYP_0001_N85M2606] "C:\WINDOWS\Downloaded Program Files\USYP_0001_N85M2606NetInstaller.exe" -nag
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)

Good, now delete this file:
C:\WINDOWS\Downloaded Program Files\USYP_0001_N85M2606NetInstaller.exe
..and this folder:
C:\Program Files\RXToolBar\
Fine, please post another hijackthis log [with wordwrap unchecked.... see under Format tab]
And say how things are, please.
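Added example, not gerbil's code and not part of HijackThis: a small triage script for log lines like the ones listed above and elsewhere in this thread. It separates orphaned entries (file missing / no file), which are only dangling pointers, from live persistence entries (O4, O18, O20, O23) that must be confirmed with the machine's owner, the way the VNC service and WIKI.DLL entries are queried later in the thread. The sample lines are copied from this thread; the flag heuristics are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample log lines assembled from entries quoted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {C69D7DEB-1320-4956-A208-9251086B2AA8} - C:\\WINDOWS\\system32\\ddcyw.dll (file missing)
O4 - HKLM\\..\\Run: [SemanticInsight] C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe
O4 - HKLM\\..\\Run: [SfKg6w] C:\\WINDOWS\\yuuio.exe
O7 - HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: WIKI.DLL
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\\Program Files\\RealVNC\\VNC4\\WinVNC4.exe
"""

# Sections whose live entries execute code at logon or inside other processes.
PERSISTENCE_SECTIONS = {
    "O4": "autostart entry (Run key / Startup folder)",
    "O18": "protocol or MIME filter",
    "O20": "AppInit_DLLs / Winlogon Notify (loaded into other processes)",
    "O23": "Windows service",
}

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# Drive-rooted path up to the first executable-type extension; paths may contain spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|sys|cmd|bat)\b", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]
    orphaned: bool
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one HijackThis line into an Entry, or None for non-entry text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    path_m = PATH_RE.search(body)
    path = path_m.group(0) if path_m else None
    orphaned = "(file missing)" in body or "(no file)" in body
    entry = Entry(section, body, path, orphaned)
    if orphaned:
        entry.flags.append("orphaned: registry points at a file that is gone; fixing only removes the pointer")
    elif section in PERSISTENCE_SECTIONS:
        entry.flags.append("verify with owner: live " + PERSISTENCE_SECTIONS[section])
    if section == "O7":
        entry.flags.append("policy restriction: a Disable* value is locking the user out of a tool")
    if path and path.lower().startswith("c:\\windows\\") and "\\system32\\" not in path.lower():
        entry.flags.append("loose file directly under \\WINDOWS: check its properties/publisher")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised entry in a pasted log, skipping headers and blank lines."""
    return [e for e in (parse_entry(line) for line in log_text.splitlines()) if e]


def summary(entries: List[Entry]) -> dict:
    """At-a-glance counts: how many entries are dangling vs need a human decision."""
    return {
        "total": len(entries),
        "orphaned": sum(e.orphaned for e in entries),
        "verify": sum(any(f.startswith("verify") for f in e.flags) for e in entries),
    }


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print(f"{e.section:<4} {e.path or '-'}")
        for f in e.flags:
            print(f"      {f}")
    print(summary(found))
```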

gerbil 216 Industrious Poster

==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ ..
Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
Post a fresh hijackthis scan from Normal mode as well, please, dee. [in notepad, under Format, uncheck Wordwrap..]

gerbil 216 Industrious Poster

The adaware line....? You do not have Lavasoft's Adaware pgm...? I'm sorry, can you be more specific, cos to me your log is clean?

gerbil 216 Industrious Poster

Hello, sam...
==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
=You must restart your computer in Safe Mode:
- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the …

gerbil 216 Industrious Poster

Hello, Dad... this should do the trick:

  • Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1

    • click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
    • Next click Firefox (if you have that browser..) at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
    • Close ATF.
  • GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
  • Install it and UPDATE it.

    • Start AVG a-s 7.5;
    • under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
    • press Apply all Actions and Save the log file. Post the log file.
  • Uninstall ALOT toolbar.
  • Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

    O2 - BHO: (no name) - {40B4F935-46F3-6605-A13B-6FE336E1F999} - C:\WINDOWS\system32\sflph.dll (file missing)
    O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
    O2 - BHO: (no name) - {606B1D8D-A619-82BA-1260-8A8DB022D098} - C:\WINDOWS\system32\yamkilx.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
    O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
    O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
    O4 - HKLM\..\Run: [SfKg6w] C:\WINDOWS\yuuio.exe
    O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\WinUpdater\update.exe" /background

Good. Delete any of these that remain:

C:\WINDOWS\system32\nfomon\nfomon.exe
C:\WINDOWS\system32\vidmon\vidmon.exe
C:\WINDOWS\yuuio.exe
C:\Program Files\WinUpdater\
C:\Program Files\alot\
  • Finally: Java update!!! This is …

gerbil 216 Industrious Poster

Hiya, Comodore....
AVs... I don't know too much about how AV services work, but I do know that if you have an active AV service installed and started then it works in the background full time. In fulfilling that role they scan any process which starts and any files that are opened. Then of course they also have an on-demand function - with that you can scan all or sections of your puter so even if files, executables etc are not being used they can be checked.
But the point of this is that if a further active AV service's processes are running [in the background], its files are being used etc, so they will be checked by the first service, and vice versa. So even if you are not using one active AV to run a demand scan it is still active. And conflicting. Active/resident AVs integrate themselves very deeply into your OS whereas an online scanner does not; you can use the latter as on-demand scanners.
Hope this helps...

gerbil 216 Industrious Poster

Just a note... It is the hosts file which is blocking your browser from some sites. If you wish to clear your hosts file manually [C:\Windows\system32\drivers\etc\hosts] you may not be able to save the changed/corrected file. This is because some security applications, possibly also various malware, will lock your Hosts file ...
Go Start, run, type cmd -press Enter. Paste this line into the window at the prompt, press Enter, close the window and try to save the file again.
attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS
..but Hoster will do all this for you if you wish.
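Added example, not from gerbil's post and not part of Hoster or HostsXpert: a reader that parses a hosts file and separates entries that block a site (pointing it at loopback or 0.0.0.0, the symptom described above) from entries that redirect it to some other address, which is the more dangerous kind. On Windows it also reports the read-only/hidden/system attributes that the attrib line clears. The sample hosts text, its hostnames and addresses are constructed.

```python
import ipaddress
import os
from typing import Dict, Iterator, List, Tuple

# The stock XP hosts file maps only localhost; anything else was added afterwards.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}
BLOCKING_ADDRESSES = {"127.0.0.1", "0.0.0.0"}

# Win32 file attribute bits cleared by "attrib -r -h -s".
FILE_ATTRIBUTE_BITS = {"readonly": 0x1, "hidden": 0x2, "system": 0x4}

# Constructed sample: .test names and a TEST-NET-2 address, reserved for documentation.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.test        # blocks an update site
0.0.0.0         ads.example-tracker.test      # ad blocking: benign, but still an addition
198.51.100.23   www.example-bank.test         # redirect to a foreign address
300.1.1.1       broken.test                   # not a valid address at all
"""


def parse_hosts(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (ip, hostname) for every mapping, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:          # one address may carry several names
            yield fields[0], name


def classify(text: str) -> Dict[str, List]:
    """Sort every non-default mapping into blocked / redirected / malformed."""
    findings: Dict[str, List] = {"blocked": [], "redirected": [], "malformed": []}
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings["malformed"].append((ip, name))
            continue
        if ip in BLOCKING_ADDRESSES:
            findings["blocked"].append(name)          # site made unreachable
        else:
            findings["redirected"].append((name, ip))  # site silently sent elsewhere
    return findings


def lock_attributes(path: str) -> List[str]:
    """Attributes that would stop a plain save; empty off Windows or if the file is absent."""
    try:
        st_attr = os.stat(path).st_file_attributes   # Windows-only stat field
    except (AttributeError, OSError):
        return []
    return [name for name, bit in FILE_ATTRIBUTE_BITS.items() if st_attr & bit]


if __name__ == "__main__":
    for kind, items in classify(SAMPLE_HOSTS).items():
        print(f"{kind}: {items}")
    hosts_path = os.path.expandvars(r"%SystemRoot%\system32\drivers\etc\hosts")
    print("locking attributes on live hosts file:", lock_attributes(hosts_path))
```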

gerbil 216 Industrious Poster

It's Saturday, and I'm going out; this is rushed, but should help [playing a bit blind, here...], do these things in this order:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==download HostsXpert from http://www.funkytoad.com/content/view/13/31/
-click the top button Make Writable if it is available
-click Restore MS Hosts File button.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis .exe to imabunny.exe
-in that folder start …

gerbil 216 Industrious Poster

Hello, Jud,
those autoplay files which you found are fine, thank you...
The log is clean, but there is one final point, did you install VNC Server deliberately?
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
If you did, fine, you are clean to go.

gerbil 216 Industrious Poster

Swap power supplies. May help, may not.

gerbil 216 Industrious Poster

"i m trying to make a windows xp cd, i want to know if there is anyway to copy the windows xp in my computer into a cd or IOS so i can use it to install windows xp in an other computer"
Definitely not is the answer. You will not get the right drivers, chipset settings, the registry will be wrong, and very likely so will be hal.dll [the XP cd has a selection of several varieties, one is chosen during setup that matches the motherboard properties..]
And so on....
Just borrow an XP SP2 cd, copy it and use your key. Simple.

gerbil 216 Industrious Poster

And some more of the fix:...
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ .. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!

Uninstall SecurityCenter
Uninstall Web Buying
Uninstall 180Solutions - Search assistant

infos.exe : Search your entire system for this file and delete all instances found.
autos.exe : Search your entire system for this file and delete all instances found.

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.
__________________________________________________________
File::
C:\WINDOWS\system32\winter.exe
C:\WINDOWS\epswad3.exe
C:\WINDOWS\pss\autos.exe
C:\WINDOWS\pss\infos.exe
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\tsitra1000106.exe
c:\program files\180solutions\sais.exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\Web Buying\v1.8.5\webbuying.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\T0CHD001.exe

Folder::
c:\program files\180solutions
C:\Program Files\SecCenter
C:\Program Files\Web Buying

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
__________________________________________________________

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow …
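Added example, not ComboFix's code and not gerbil's: a dry-run reader for a CFScript.txt of the shape above. It lists what each File::, Folder:: and Registry:: line asks for, recognises the delete-then-recreate pair ([-KEY] followed by [KEY]) as a key reset, and flags Folder:: targets that would remove a whole Windows or Program Files tree. It handles only the three section types and the two registry line forms that appear on this page; the sample is built from the post's own lines.

```python
from collections import OrderedDict
from typing import Dict, List, Tuple

Action = Tuple[str, str]

# Sample script built from the lines quoted in the post above.
SAMPLE_SCRIPT = """\
File::
C:\\WINDOWS\\system32\\winter.exe
C:\\WINDOWS\\pss\\autos.exe
c:\\program files\\180solutions\\sais.exe

Folder::
c:\\program files\\180solutions
C:\\Program Files\\SecCenter

Registry::
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupfolder]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupfolder]
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg]
"""

# Folder:: targets that would take the installation down with the malware.
PROTECTED_ROOTS = {"c:", "c:\\windows", "c:\\windows\\system32",
                   "c:\\program files", "c:\\documents and settings"}


def _norm(path: str) -> str:
    return path.strip().lower().rstrip("\\")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-blank lines under the 'Name::' header that precedes them."""
    sections: Dict[str, List[str]] = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def registry_actions(lines: List[str]) -> List[Action]:
    """[-KEY] deletes a key, [KEY] creates it; delete then create of one key is a reset."""
    actions: List[Action] = []
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1]))
        elif line.startswith("[") and line.endswith("]"):
            actions.append(("create_key", line[1:-1]))
        else:
            actions.append(("unrecognised", line))   # forms this reader does not model
    merged: List[Action] = []
    for act in actions:
        prev = merged[-1] if merged else None
        if prev and prev[0] == "delete_key" and act[0] == "create_key" \
                and prev[1].lower() == act[1].lower():
            merged[-1] = ("reset_key", prev[1])      # emptied and recreated, as the post does
        else:
            merged.append(act)
    return merged


def plan_script(text: str) -> List[Action]:
    """Everything the script would do, as (action, target) pairs, without doing any of it."""
    sections = split_sections(text)
    plan: List[Action] = [("delete_file", p) for p in sections.get("File", [])]
    plan += [("delete_folder", p) for p in sections.get("Folder", [])]
    plan += registry_actions(sections.get("Registry", []))
    plan += [("unsupported_section", n) for n in sections if n not in ("File", "Folder", "Registry")]
    return plan


def dangerous(plan: List[Action]) -> List[Action]:
    """Folder deletions aimed at a protected root; a script with any of these should not be run."""
    return [a for a in plan if a[0] == "delete_folder" and _norm(a[1]) in PROTECTED_ROOTS]


if __name__ == "__main__":
    for action, target in plan_script(SAMPLE_SCRIPT):
        print(f"{action:<20} {target}")
    print("dangerous:", dangerous(plan_script(SAMPLE_SCRIPT)))
```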

gerbil 216 Industrious Poster

...there is more coming for this fix; working on it now....

gerbil 216 Industrious Poster

Nice, Jud, that cleaned a lot of things....
Now, you have Norton and AVG AV services both running - this is bad. They will interfere, the consequences are unpredictable but one of them is usually poorer performance, they can be worse than that though. Remove one, now. Keeping Norton as an on-demand scanner is fine, but you would have to disable AVG beforehand. In my opinion I would uninstall one totally and if circumstances call for it use one of the many excellent online scanners which run from an Active-X control or similar downloaded pgm file. There are advantages to following this course... an online scanner will not be infected, for example... onboard AVs can be.
Okay, done it?... Good.
Before we fix some reg entries I need you to find out what this entry refers to:
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user') .... AutoPlay.exe is most likely benign, I have no way of knowing because it could be a file from many software packages; I suggest you check its properties to see who owns it [it will be in system32]

Right. Now start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - C:\Program Files\Pqtyvoqd\vhnmqejv.dll (file missing)
O2 - BHO: (no name) - {35083c24-b3c9-4f4c-bd5e-32ba2c991598} - C:\WINDOWS\system32\eqvlesn.dll (file missing)
O2 - BHO: (no name) - {3740006C-EB7D-4149-82B3-E4EA699FFEBB} - \
O2 - BHO: …

gerbil 216 Industrious Poster

Hello, Jud...
Let's start with this cos it's quite a load of problems you have there...
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply with a fresh hijackthis scan.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
[ I could wonder how much of this comes from hanging round in sites like brdatahost / easycrack.net...?]

gerbil 216 Industrious Poster

Hello, annmarie.
Running sfc /scannow with your CD inserted will NOT damage any of your files - all it does is employ Windows file protection system to ensure that your sys files are genuine and not corrupted; if any copy in the cache is damaged it will simply copy that file in from the cd.
Your hijackthis log is clean. The message you get suggests to me that it is a HD problem, it could be just that some data is hard to read.. so after you have run sfc and if all is still not well, then:
Go start, run, type cmd and press enter; in the window that opens type chkdsk /f and enter.
If you still have problems then they could stem from a faulty master boot record on your HD; if you ONLY have ONE OS on your sys then insert your cd and boot from it [restart your pc... you may need to change boot order in CMOS, else invoke a one-time boot selection menu, F11, I think..?], choose to repair using Recovery Console, select your OS and enter the Admin password [blank, probably...]. Type fixmbr and press enter.
Exit closes you out of RC.

gerbil 216 Industrious Poster

Before you rush off, jack, what is this entry:
O20 - AppInit_DLLs: WIKI.DLL
The file, wiki.dll means nothing to me...? May I suggest you submit for examination?
==Please go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination:
It is probably in system32\ or even Windows\ ... Actually, the path should be given in this subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs ..... path for wiki.dll...?
Checking around a bit, I suggest you fix it with hijackthis [scan, check that O20 line's box, press Fix] and post a fresh log run after a restart.

gerbil 216 Industrious Poster

Good-oh, bobby.
Did you try the msconfig route to Safe mode that I suggested?
Oh, yeah, before I forget... keygens. I am not a preacher, but if you wanna run them, run them in a sandbox - rclick em, select Run as, make sure the Protect box is checked... that will limit the damage they can cause if they are baddies. If your AV, AS etc is on the ball they should light up if they are bad the moment you select them, or open the directory they are in.
Good luck out there.

gerbil 216 Industrious Poster

Firewall first. Windows firewall is okay, sorta - it's half a firewall... like a door with a knob only on the inside. It hides you on the net, you are invisible to any unsolicited contacts. But if you somehow have something bad which wants to go out and solicit, eg adware, spyware, or a backdoor hack calling home to get instructions on what to do with your pc and its info, then windows firewall lets it out and accepts its contacts with no advice to you; think of that door being left open..... Not good. Get one of those 3 I suggested - they bother you with popups for a while as you teach them what is okay but they give you control. Of course, a good bit of nasty stuff will try to turn them off.... but what is perfect? Until you get a decent one keep windows version running at all times.
Something that does it all. There are lotsa packages out there that give you a full suite of protection... AV plus AS plus firewall, but you must buy them. Which is fine, of course. It all swings on commerce; there would be almost no spyware, adware, trojans etc if someone was not getting paid to write it; still be hacks, though, cos they are about theft, mostly.
What you get depends on what you do, your surfing, your gullibility... if you go to sites n click on files like photos etc without checking the …

gerbil 216 Industrious Poster

Can't help on the bookmarks aspect, I'm afraid; this gives you a chance to review stuff... :)
Cheers.

gerbil 216 Industrious Poster

Ah, be happy with that result.
And a happy new year to you, too.
Cheers. [tap that solved button, if you will]

gerbil 216 Industrious Poster

Hello, Wendell.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [TrustSoftAntiSpyware] C:\Program Files\TrustSoft AntiSpyware\TrustSoftAntiSpyware.exe /STARTUP
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk846YYES
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

Good. Now search for and delete these files:
TrustSoftAntiSpyware.exe
TrustSoftAntiSpywareSetup[1].exe
restart_as.exe

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
=You must restart your computer in Safe Mode:
- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the …

gerbil 216 Industrious Poster

nate, I am a little concerned by these detections:
Possible Virus. Not disinfected C:\Program Files\MSN\MSNCoreFiles\Setup\msnunin.exe
Possible Virus. Not disinfected C:\WINDOWS\ServicePackFiles\i386\msnunin.exe
Possible Virus. Not disinfected F:\Program Files\InstallShield Installation Information\{52A5F706-2FCC-4C14-9E9A-345C2DCB25E9}\Setup.exe

First, let's get rid of all your restore points and make a fresh one....
==You SHOULD clear all your system restore points because some have been infected.... Panda may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
[[the quick way to System Restore is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]

Good. Now fire up AVG AV, update it and run a FULL system scan. Post the result if it finds anything... there is a possibility that you will have to delete those files above and dl fresh copies.
Parite A, B are just two parts of a file infector virus. It doesn't do anything except spread itself via networks......afaik. It does cause explorer.exe to remain running so that it can spread into any and all .exe and .scr files on your sys [and any networks]

gerbil 216 Industrious Poster

...of course, using a restore point from before the infection occurred will give you back those registry entries...

gerbil 216 Industrious Poster

Hello, nate.
I don't see an AV service...?
That vundo log shows that it could NOT delete a file: tuvvstq.dll
Rerun Vundofix a couple more times; if it still cannot remove it then let's try this:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Navigate to that file, C:\WINDOWS\system32\tuvvstq.dll and remove it, then run Vundofix again.
Fix these entries with hijackthis if they remain...

F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljg.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

Now clean and scan:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here plus that vundofix log again.

Since you …

gerbil 216 Industrious Poster

Heidi, me ol mate. I use AVG AV Free, never a problem with it. Sticking with the flag, I keep AVG AS [free version also] roughly updated and ready for when I may wish to scan for spyware etc [on demand only].
http://free.grisoft.com/doc/5390/lng/us/tpl/v5
Make sure you get this: Spywareblaster, and a good firewall - one of these: ZoneAlarm Free, Kerio, Comodo

Norton and Dell? Now that should comprehensively bog your sys down...
Happy new year for when it comes...

gerbil 216 Industrious Poster

A Bagle worm. Cool. G'day, bobby, McAfee is one AV service it shuts down, AVG is another. You should be able to load one of them now.
Bagle uses a rootkit; if you were to start your PC in Safe mode and scan from there the rootkit would not be activated and so the files etc that it protects would be visible. To start in Safe mode go Start, run msconfig, under Boot.ini check Safeboot and allow your sys to restart. However Panda should have cleaned your sys properly already; rerun it in safe mode if you wish [Safe mode with Networking...]
Good. Now for that safe mode issue if it reoccurs. It could be a sys file that is corrupted - I doubt it but it is the easiest thing to test. Run sfc /scannow and load your same-spec installation cd.
Not fixed? There are a lot of registry entries concerned with booting specifically into safe mode, lists of drivers to load and so on. If these are damaged the easiest way to repair them is probably to run Windows Repair using your installation cd. Boot from the cd, ignore the repair with Recovery console option and instead choose Setup, select your installation and go from there.
Say how you get on... n happy new year!

gerbil 216 Industrious Poster

3Mbps, and you use an accelerator! I have 128Kbps, and can wait for it to happen. Consider your position, and try uninstalling that accelerator.
A web accelerator is just a rather large cache of webpages commonly accessed by users of that accelerator. They don't always work well.
Your log shows clean, btw.

gerbil 216 Industrious Poster

Hi, bobby, the beauty of running an online scan is that you do not have any files loaded which could become corrupted - you load an ActiveX which runs the scan, plus a signatures file. So do this:
Clean first to reduce the log clutter... here is one:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here plus that HT log....

gerbil 216 Industrious Poster

Okay, bedtime for me, too. Hope someone else has some fresh ideas...
hang on, active-X warnings are in a single, pale yellow line across the top of the IE window if your settings are as I suggested, not in popup boxes. It says to click here for options.

gerbil 216 Industrious Poster

Well, this is just a web page, you don't need to be running downloaded pgms [active-Xs] to view it... you will need them for this check though... just to sort out if it is a bit of malware doing all this..
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Are your controls actually resetting away from how you set them earlier?

gerbil 216 Industrious Poster

Okay. Fix all those R0 and R1 entries; go to IE tools, IE options, general and select Use Blank.
And now I am beaten for the moment.... get fixwareout on that other pc as you said you would...
The attrib command was only to allow you to Save any alterations to your hosts file that you wished to make; running it certainly would not do any harm, it just ensures the file is visible and writeable.

gerbil 216 Industrious Poster

Anyway, for Alexa to run you would have to be using the toolbar or button...
Try checking your hosts file manually - it is at C:\windows\system32\drivers\etc - you drag hosts into a notepad... apart from a description of how it works it should only have one working entry, thus:
127.0.0.1 localhost
-delete any others.
To Save you probably will have to Run this command first:
attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS
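The hosts-file check above, written out as an added example so the "delete any others" step can be done without eyeballing the file by hand. This is not code from gerbil's post; the hosts content in it is constructed (the non-localhost lines are made-up hijack entries of the kind malware uses to block AV update sites), and the default path is the %SystemRoot% location the post names. Only the single entry the post allows, 127.0.0.1 localhost, is treated as legitimate.

```python
"""Audit a Windows hosts file: apart from comments, the only working entry
should be "127.0.0.1 localhost". Every other mapping is reported so it can
be deleted, and the cleaned text can be written back after clearing the
read-only/hidden/system attributes with attrib (Windows only).
Added example; the sample content below is constructed, not from a real PC."""
import os
import subprocess

# The one mapping the post says a clean XP hosts file should contain.
ALLOWED = {("127.0.0.1", "localhost")}

# Constructed sample: stock Microsoft header plus two hypothetical hijack lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
127.0.0.1       free.grisoft.com   # hypothetical: AV update site sinkholed
10.0.0.5        www.example.com    # hypothetical: redirect to attacker host
"""


def parse_hosts(text):
    """Return (lineno, ip, [hostnames]) for each non-blank, non-comment line.
    Trailing '# ...' comments are stripped before splitting on whitespace."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def suspicious_entries(text):
    """Return (lineno, ip, hostname) for every mapping that is not the
    permitted localhost line. A line with an IP but no hostname is also
    flagged, since it is malformed and not something Windows writes."""
    bad = []
    for lineno, ip, names in parse_hosts(text):
        if not names:
            bad.append((lineno, ip, "<no hostname>"))
            continue
        for name in names:
            if (ip, name.lower()) not in ALLOWED:
                bad.append((lineno, ip, name))
    return bad


def clean_hosts(text):
    """Return the hosts text with every flagged line dropped. Comments and
    the localhost line are kept exactly as they were."""
    bad_lines = {lineno for lineno, _, _ in suspicious_entries(text)}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), 1)
            if lineno not in bad_lines]
    return "\n".join(kept) + "\n"


def write_hosts(text, path=None):
    """Clear the attributes that block saving (the attrib command from the
    post) and overwrite the file. Windows only; never called in the example
    run below."""
    path = path or os.path.expandvars(r"%SystemRoot%\system32\drivers\etc\hosts")
    subprocess.run(["attrib", "-r", "-h", "-s", path], check=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(text)


if __name__ == "__main__":
    for lineno, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} -> {name}  (delete)")
    print("--- cleaned file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

To audit a real machine, read the file with open() on the path write_hosts() uses and pass the text to suspicious_entries(); anything it lists is what the post tells you to delete. Writing back still needs the attrib step, which is why write_hosts() runs it before opening the file for writing.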