gerbil 216 Industrious Poster

Read my adjusted post... ;)
System Restore:
To use a restore point: Start > programs > accessories > system tools > system restore...
[[the quick way to System Restore is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]

gerbil 216 Industrious Poster

No, you did nothing wrong, it is just that I for one could not figure out any account-specific causes of your situation... sorry.
A roundabout way out would be to create a new account for yourself and migrate over to it all the files from your old My Documents folder. Before you do that, you could try restoring your sys to a date before the problem was first noticed.
I'm a bit curious, though, it is likely to be some toolbar or other add-on of yours, like Google Desktop, so...
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new folder either alongside your program files or on your desktop.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case VundoFix will run on reboot; simply follow the above instructions, starting from "Click the Scan for Vundo button.", when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

Looks good to me, feels good to you.... must be okay, then.
Cheers.

gerbil 216 Industrious Poster

Rabbott, I must see the log from FindAWF, the notepad that would have opened when option 2 completed. If you do not still have it, rerun Option 2.
Do not do the remaining steps until it is checked because you risk losing your original system and other files.

gerbil 216 Industrious Poster

If the Save Scan button is greyed out at the end of a scan it is likely that under Scanner, Settings you have Automatically generate a report selected [default setting], in which case it will be under the Reports tab. I think you may have a little trojan in there?

gerbil 216 Industrious Poster

Hello, Carlos, this should fix your problem..
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [qcazhevk] C:\WINDOWS\system32\qcazhevk.exe
O4 - HKLM\..\Run: [juxkvmlxpw] C:\WINDOWS\system32\juxkvmlxpw.exe
O23 - Service: Print Spooler Service (o1d68erye) - Unknown owner - C:\WINDOWS\system32\juxkvmlxpw.exe

Done?
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to Print Spooler Service, rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....

Browse to and delete these two files:
C:\WINDOWS\system32\qcazhevk.exe
C:\WINDOWS\system32\juxkvmlxpw.exe

And I hope that is all. Post another log with your comments, please.

gerbil 216 Industrious Poster

Hello, chuc,
I must say that I am intrigued by the structure of your Program Files directory...
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in Safe Mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected - if it is you will be prompted to replace the file; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows. Please post C:\rapport.txt
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.
__________________________________________________________

File::
C:\WINDOWS\system32\drvtih.dll
C:\WINDOWS\system32\iifgddb.dll
C:\WINDOWS\system32\cbxwwtt.dll

gerbil 216 Industrious Poster

Adobe flash player... you may have heard of it as Macromedia flash player [Macromedia is a division of Adobe, the pdf reader and photoshop people...]. I have flash players installed, one for each browser I use. Having them allows you to see animations, movie clips etc on webpages. They are not necessary, but when you visit a webpage with flash animations on it and you do not have a player your browser will prompt you about getting one. I actually don't know how to block that prompting [it may be an option in the actual popup?]
If you do get a player note that you must visit the website to control its settings, there is no control panel with the player that is accessible from your sys.
I hope this helps a bit.

gerbil 216 Industrious Poster

Thank you, rabbott.... these were the ones bothering me:
C:\WINDOWS\system32\ihhkj.bak1
C:\WINDOWS\system32\ihhkj.bak2
C:\WINDOWS\system32\ihhkj.ini2
-they are vundo files, but perhaps they have gone.
Okay, FindAWF... Now do option 2: dclick the .exe to start the program, select to restore files, into the text file that opens paste all the text between the lines:
_____________________________________________________________
"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Microsoft ActiveSync\bak\wcescomm.exe"
"C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\WINDOWS\system\bak\hpsysdrv.DAT"
"C:\WINDOWS\system\bak\hpsysdrv.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\hphmon04.exe"
"C:\WINDOWS\system32\bak\hphmon06.exe"
"C:\WINDOWS\system32\bak\ps2.exe"
"C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
"C:\Program Files\eBay\eBay Toolbar2\bak\eBayTBDaemon.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
"C:\Program Files\GRISOFT\AVG7\bak\avgcc.exe"
"C:\Program Files\HP\HP Share-to-Web\bak\hpgs2wnd.exe"
"C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe"
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
"C:\Program Files\ScanSoft\OmniPageSE\bak\opware32.exe"
"C:\Program Files\Trend Micro\Internet Security 2006\bak\pccguide.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb07.exe"
_____________________________________________________________

-close the text file and click Yes. Please post the contents of the notepad that opens.

gerbil 216 Industrious Poster

It does not show. What is the popup advertising or saying?

gerbil 216 Industrious Poster

Before we get onto using FindAWF to repair the infected files would you please do this [there are some vundo files hiding in your system snapshot]:
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case VundoFix will run on reboot; simply follow the above instructions, starting from "Click the Scan for Vundo button.", when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

I don't see any MyWebSearch entries, Smitfraud if it was working would be feeding you popups... May I suggest that you empty all spyware tools' etc bins? eg C:\Qoobox is combofix's bin. Then see what Xoft has to say. Run a cleaner and then an online scan:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

Please run one of these two rootkit scans, both if you wish... and post any positive results. Do not use your computer while it scans.

==Download the latest standalone version of Blacklight from http://www.f-secure.com/blacklight/ Install it, start, accept the agreement and Scan.
==AVG AntiRootkit from http://free.grisoft.com/doc/5390/lng/us/tpl/v5

gerbil 216 Industrious Poster

"(could have swore that i already tried this method : )"... yeah, you did, kinda, but it's all in the wrist action :)
Your first combofix run pointed out some things that I fixed with the second run and then it was free to chase other stuff.
Okay, your hijackthis log is clean [it's so short there is just no room fer malware...] and the combofix log shows nothing else lurking. Is explorer still running? How is your sys, generally?

gerbil 216 Industrious Poster

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Post that log plus a fresh hijackthis log.

gerbil 216 Industrious Poster

You have Sony-BMG's rootkit, C:\WINDOWS\CDProxyServ.exe. You may want to think about that. Do not try to remove it manually else your CD drive will not work again unless you replace a changed filter driver. Here is a good start: http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453096362
..and this details removal methods: http://www.bleepingcomputer.com/forums/topic34904.html#oncd

From CP, Add/Remove pgms uninstall these two adwares:
OneStepSearch
WinBudget

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\jkhhi.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)
O4 - HKLM\..\Run: [AVTray] "C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe"
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll (file missing)

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily …

gerbil 216 Industrious Poster

Happy to help. [if you read this, pls tap the solved button, je...]
Cheers.

gerbil 216 Industrious Poster

Nothing stands out in that log as an obvious cause of your problem.
Do you still have MySQL in your sys? Something is trying to run it, there is a Service trying to start:
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing) ||| now C:\Program.exe is/was not real, it is just a result of the way XP looks for executable files to run:
You or an app wish to start C:\Program Files\MySQL\dothis.exe - firstly, if XP was not given a directory in which to commence the search, it looks for C:\Program.exe [with the remainder of the string as parameters] and so you had better not have one of those! And so on down the chain until it gets to dothis.exe.
You don't have a MySQL directory under program files, hence that entry.
So fix that service:
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service, rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....
Not the cause of the problem though....
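An added example, my own code rather than anything from gerbil's post, that reproduces the lookup order just described: for an unquoted command line containing spaces it lists, in order, the executables Windows would try and the leftover text passed as parameters, so a services list can be audited for entries where a shadow file such as C:\Program.exe would win. The MySQL path is the post's own illustration; the second sample service and its quoted path are assumptions.

```python
# Added example, not code from the forum post. Reproduces the CreateProcess
# lookup order for an unquoted command line containing spaces, as described
# in the post: C:\Program.exe is tried first, with the rest as parameters.
from typing import Dict, List, Tuple


def unquoted_path_candidates(image_path: str) -> List[Tuple[str, str]]:
    """Return (executable, parameters) pairs in the order Windows tries them.

    A quoted path is unambiguous and yields a single candidate. An unquoted
    path is split at every space; each prefix is tried as the executable
    (with .exe appended when it has no extension) and the remainder becomes
    the parameter string.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        if end == -1:  # unterminated quote: whole string is the executable
            return [(image_path[1:], "")]
        return [(image_path[1:end], image_path[end + 1:].strip())]

    parts = image_path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        exe = " ".join(parts[:i])
        params = " ".join(parts[i:])
        last_component = exe.rsplit("\\", 1)[-1]
        if "." not in last_component:
            exe += ".exe"  # Windows appends .exe to an extension-less name
        candidates.append((exe, params))
    return candidates


def hijackable_prefixes(image_path: str) -> List[str]:
    """Executables that would be tried BEFORE the intended one.

    If any of these exists (as C:\\Program.exe did in the HijackThis O23
    line), it runs instead of the real service binary, so a defender checks
    that none of these paths exist and that their directories are not
    writable by ordinary users.
    """
    return [exe for exe, _ in unquoted_path_candidates(image_path)[:-1]]


def audit_services(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map service name -> shadow executables, for unquoted paths only."""
    report = {}
    for name, path in services.items():
        shadows = hijackable_prefixes(path)
        if shadows:
            report[name] = shadows
    return report


if __name__ == "__main__":
    # Constructed sample: the MySQL path is the post's illustration,
    # the second service shows the safe, quoted form (assumed path).
    sample = {
        "MySQL": r"C:\Program Files\MySQL\dothis.exe",
        "Spooler": r'"C:\WINDOWS\system32\spoolsv.exe"',
    }
    for service, shadows in audit_services(sample).items():
        print(f"{service}: Windows would first try {shadows}")
```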

gerbil 216 Industrious Poster

"i have driver reinstallation cds; but not sure if they have windows." Me neither, but you are going to need a Windows Setup CD from someone. Borrow a copy that is the same std of upgrade as yours... eg SP2.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console, select the installation, enter the Administrator password. If the administrator password is blank, just press ENTER.
At the command prompt, type chkdsk /r, and then press ENTER.
When chkdsk finishes type exit and then press ENTER to restart your computer.
Did not work? Could be your boot.ini file is corrupted so back into recovery console, but this time instead of chkdsk type fixboot.
Restart.

gerbil 216 Industrious Poster

Hi, steek, first up, please run hijackthis in normal mode if possible when you require a log for checking; in safe mode not all processes are started, we may miss things.
Right.
=Please make a restore point because an infected restore point is better than no restore point at all. We can get rid of it later. An infection can only get out of a restore point if that point is actually used.
Delete your C:\vundofix.txt. It is confusing.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.
__________________________________________________________

File::
C:\install.dat
C:\WINDOWS\system32\iifghij.dll

Folder::
C:\Program Files\wxovqxxx

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F910420-8761-479E-9085-1569ACC42CA1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifghij]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
__________________________________________________________

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

=Now run Vundofix again please [latest vsn is 6.5.0.11]
=Please believe this message/warning from Vundofix:
Java version is 1.5.0.6, Old versions of java are exploitable and should be removed.
Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and …

gerbil 216 Industrious Poster

In a NEW thread, I hope. See that last bloke's post? It got missed cos the thread was marked solved by Raven.

gerbil 216 Industrious Poster

jej, dump all those files from AVG AS quarantine.....[some groups put out clean keygens cos they are proud of their work, but I won't tell you on this site].
"If I delete all copies of explorer.exe and imapi.exe, they get recreated." - that is the windows file protection system at work; it will replace any protected system file that it finds corrupted. imapi.exe is used with CD image recording, it will flick off when you are not doing that.
This one found by Panda will not be deleted by it because it is not considered a virus by it, more spyware [trojan]:
C:\Documents and Settings\Ken\My Documents\Downloads\Adobe_Photoshop.CS3.Beta.20061208.HAPPY.NEW.YEAR-ENGiNE\e-apcs3.rar[Crack\phot... - you should remove it yourself. It may be breaking Panda, but I doubt it. Some bad infections will halt scans. Try this one:
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....

gerbil 216 Industrious Poster

Am pleased I could help you, pj.
Cheers.

gerbil 216 Industrious Poster

Easy. To call up the adjustment window you can rclick the lil time display in the taskbar, or you can Run timedate.cpl. That file is in system32, change it to timedate.cpl.bak. Odds on they won't think of going in there to fix their access.
Unless they read this.

gerbil 216 Industrious Poster

Use hijackthis to fix this installer:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
.. and then try again after uninstalling and deleting all AVG AS components you can find.
No go? Then...
ATF Cleaner:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Panda Online Scan:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

That hijackthis log shows as clean, pj.
There are these files from Combofix that I do not trust.... they could be encoded filenames from a legit pgm, they could be .dat files for malware...
You don't want a new folder in system32 -it is not the place to go putting your own stuff, let pgm installers do that.
So... delete this folder [check its contents first]:

C:\WINDOWS\SYSTEM32\New Folder

These files were created at the same time as each other; order your system32 files by creation time so as to see what files were written at the same time as these. If no others, and a property check shows them as unclaimed, delete them.

2007-11-03 16:52 119,040 --a------ C:\WINDOWS\SYSTEM32\xhcjgyos.dat
2007-11-03 16:52 41,728 --a------ C:\WINDOWS\SYSTEM32\stpwqrbu.dat
2007-11-03 16:52 35,072 --a------ C:\WINDOWS\SYSTEM32\lwszozol.dat

That done, you should be all okay again. Glad it worked for you.
Cheers.

gerbil 216 Industrious Poster

...and say what it feels like also...?

gerbil 216 Industrious Poster

Okay, let's see what we can do. A gamer's machine..... sigh... lotsa weird drivers and files.
It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case VundoFix will run on reboot; simply follow the above instructions, starting from "Click the Scan for Vundo button.", when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!

ATF Cleaner:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.

==Please …

gerbil 216 Industrious Poster

I don't have the removal tool but you can probably get it yourself and run it... the trojan has very likely set values in your hosts file which are blocking you from some anti-malware sites. Solution is to remove those entries, ie. reset your hosts file.
You can do this manually or with this tool:
==download HostsXpert from http://www.funkytoad.com/content/view/13/31/
-click Restore MS Hosts File button.
Some security applications, possibly also various malware, will lock your Hosts file [as a protection]. If HostsXpert is unable to restore your file check for applications which may have incidentally locked it. Lock/Unlock hosts exists in Zonealarm and Spybot S&D.
ZoneAlarm : look under firewall, advanced;
Spybot : click Tools, Hosts File, uncheck "Lock Hosts file read-only as protection against hijackers"
Or just...[ but a Spybot setting may over-ride this command....] do this:
Go Start, run, type cmd -press Enter. Paste this line into the window at the prompt, press Enter, close the window and try the Restore button again.

attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS

Manually: the hosts file is at C:\windows\system32\drivers\etc\hosts. Run the command above then drag the hosts file onto a notepad to open it. Delete all extra entries so that your file has only this entry:
127.0.0.1 localhost
Save it, then try the removal tool URL again.
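An added example, my own code and not part of gerbil's post, that does the checking side of the manual reset above: it parses a hosts file, lists every mapping beyond the stock 127.0.0.1 localhost line (the kind of entries the post says are blocking anti-malware sites by sending them back to the local machine), and produces the reset contents. The sample hosts text and its .test hostnames are constructed.

```python
# Added example, not code from the forum post. Parses a Windows hosts file,
# reports every mapping beyond the stock "127.0.0.1 localhost" line (the kind
# of entries the post says a trojan adds to block security sites), and
# builds the reset contents the post tells the reader to keep.
from typing import List, Tuple

STOCK_ENTRY = ("127.0.0.1", "localhost")

# Constructed sample hosts file; the hostnames are placeholders (.test TLD).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1  www.antivirus-vendor.test   # constructed: vendor site sent to loopback
127.0.0.1  update.scanner-vendor.test   download.scanner-vendor.test
0.0.0.0    ads.example.test
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:  # one line may map several names
            entries.append((ip, name.lower()))
    return entries


def extra_entries(text: str) -> List[Tuple[str, str]]:
    """Mappings other than the stock localhost line: candidates for removal."""
    return [e for e in parse_hosts(text) if e != STOCK_ENTRY]


def blocked_hosts(text: str) -> List[str]:
    """Hostnames redirected to the local machine or a null address.

    These are the sites the browser can no longer reach, which is how the
    post explains the removal-tool download failing.
    """
    sinks = {"127.0.0.1", "0.0.0.0", "::1"}
    return [name for ip, name in extra_entries(text) if ip in sinks]


def reset_hosts() -> str:
    """The file contents the post says to keep after cleaning."""
    return "127.0.0.1 localhost\n"


if __name__ == "__main__":
    for name in blocked_hosts(SAMPLE_HOSTS):
        print("blocked by hosts file:", name)
    print("reset file would contain:", reset_hosts().strip())
```

On a real machine the file is still read-only/hidden/system until the attrib command above has run, so read it, review the reported names, and only then write the reset contents.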

gerbil 216 Industrious Poster

We-ell... if it's all working SMF probably cleaned the adware out.
The hosts file is a redirection file for URLs that exist in the listing.... in your case if you type any of those URLs into your browser it is redirected back to your machine [127.0.0.1]; that file would have been written in there by one of your spyware guard services.
So yep, you could be okay...
Be safe.

gerbil 216 Industrious Poster

Hi, pj, it does appear that this one, Obfustat.UVE, is gone. SDFix would have spotted it.
It is important to make your hijackthis logs in normal mode because some processes are not started in safe mode -we may miss a few bugs.
Okay, start hijackthis, safe or normal mode, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {82AF5D76-845D-4DA8-8097-99924D9A65AA} - c:\windows\system32\atimiaabw.dll (file missing)
O2 - BHO: (no name) - {FB981D1D-E4CF-46DA-AD94-A0078F76E48D} - C:\WINDOWS\system32\pndx5016b.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O20 - Winlogon Notify: xkgjfifo - atimiaabw.dll (file missing)

Good. Now browse to this file and delete it:
C:\WINDOWS\system32\pndx5016b.dll

Normally I would send you to the website for this file, it is from a chap [Doug Knox] with a formidable reputation... but I got it for you, it is to repair your links:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\.lnk\ShellEx]

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

gerbil 216 Industrious Poster

Looks okay, except that I do not know this one:
O4 - HKLM\..\Run: [Recorder.exe] [INSTALLDIR]Recorder.exe
...check the file's properties if you don't know it.

gerbil 216 Industrious Poster

scubette, if you post on a solved thread you are liable to get missed. No charge to start a new one... :)
Anyway, what are we talking, LCD display? If so, in a darkened room when it goes black can you see faintly the displayed image? If so, it's the LCD backlight failing, or its power supply. Totally black and it could be the main power supply in the display, or a driver chip overheating. Whatever, it is a service call.

gerbil 216 Industrious Poster

Cool post. And it got cut off. No, don't fix them, from what I can see they would have been put there by a spyware guard or blocker service you are running - they are ads servers and otherwise undesirable sites just from quickly running my eye over a selection..

gerbil 216 Industrious Poster

Hello, pjf, this should restore your desktop icon functions.

Copy these downloads into the pc. They fit on a floppy.

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

ATF Cleaner:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
=Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
==Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.

gerbil 216 Industrious Poster

Hello, nd..
I see in this SMF log [an option 1 scan pass] -Scan done at 8:46:25.52, Fri 11/02/2007
...these entries:
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\bxsbang.dll FOUND !
C:\WINDOWS\movctrlswd.dll FOUND !
C:\WINDOWS\ocgrep.dll FOUND !

-but I don't see a log from option 2 [a cleaning pass] which would have deleted them.
SMF is a tool which should not be run multiple times - if set to clean and it finds no infection it breaks your desktop.
I think that last SMF log you posted could be the result of your setting some spyware guard with one of your tools which sets entries in your hosts file to block bad sites... in this case thousands of them. SMF could not handle it.
-anyway the log is incomplete.
Please remove that spyware hosts file guard and run SMF option 1 again and post the log, only that log.

gerbil 216 Industrious Poster

"LOL - the Mercedes forums are full of stuff about those two parts!"
Oh Boy!! that tickles me!! hehe....
Moby Dick. You read that to stay awake. Oh dear...

gerbil 216 Industrious Poster

Typical reg errors are broken links - say you delete a file you had worked on, it is likely the pgm had a link to it; it will be broken - that's an error, but it only shows in your pgm as a recent document in an easy access table. It will be gone too from the Most Recently Used table.. that's another reg error. But those things get cycled out as other files are referenced, so they self-heal over time.
I have Adaware too, but rarely use it [on demand only, like AVG AS].. Consider.

gerbil 216 Industrious Poster

Think of the registry as... oh... a cellar of salt, a salt shaker... when you clean it you remove your 30 grains... the registry is huge and a few null [not bad...] entries won't slow windows accessing it much.
Defragmenting your HD may help.... I gotta tell you, XP prefers to be in a partition by itself with no data files coming and going - it stretches itself out, gets comfortable by organising itself to make the bits you use most more accessible. With data chunks getting written n erased around it, XP files get broken up.. disorganised.
30 reg errors is really very few.
Get Spywareblaster and turn off active AS. I scan with AVG AS maybe once every couple months -it's always disappointed. Bu.ut... if you go to the dodgy spots where the weakwilled hang out, you'll get pests. Some things you only have to mouse-over, some sites will infect you if you just enter them, dclicking unknown links n objects makes it easy for em. Don't set your IE security lower than medium and you should be ok.

gerbil 216 Industrious Poster

Fair enough..... it is used a lot for hidden page content.... don't you know, it's mostly advertising.

gerbil 216 Industrious Poster

Hiya, caperjack.... yeah, they can be a pest, I will admit, especially if you're using the copy function. Amazing how often the selection you want ends on one of those critters.
I use FF also, look under tools, options, content tab, javascript check box [not java...], but you knew where it was, didn't you?... too late, I posted already.
Newspapers are a conspiracy to get us interested in stuff that normally would not bother us - this is a big world, they try desperately to make it like it's all just down the road a bit. I just cannot get involved in a bus falling off a cliff in Nicaragua....
Books? there is another world in books....

gerbil 216 Industrious Poster

thrum, you should have a file C:\combofix(2).txt or similar..... that would be the later run, you posted the first run log again...:)

gerbil 216 Industrious Poster

thrum, let's clean up your log entries first; start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {376339FC-F23C-430B-8FF6-E3F6BDC0C859} - C:\WINDOWS\system32\geebc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

Good. Now to remove this service:
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)
==Go Start, Run, type services.msc and press Enter. Maximise the window and at the foot select the Extended tab, scroll to the specific service, right-click it, select Properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disabled first]. Close Services, now type this line into the Run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....

Okay. Note that I have modified the Vundofix run instructions. Please delete C:\Vundofix.txt:
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes, right-click inside the white text box, left-click the "Add more files?" line, and paste into the new window this pathname:
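The triage the post walks through by hand, as an added example (not the poster's own tooling and not part of HijackThis): parse the quoted O2/O3/O9/O23 lines and sort them into "safe to Fix Checked" orphans, the O23 service that HijackThis cannot remove and that needs the services.msc lookup plus `sc delete`, and the unnamed BHO whose DLL is still present. The sample log is constructed from the entries quoted above; the classification rules (orphan markers, "unnamed BHO with a live system32 DLL gets a closer look") are this example's assumptions, not a rule stated on the page.

```python
"""Triage HijackThis log lines along the lines the thread does by hand.

Added example, not part of the original post and not HijackThis code.
Assumptions (not from the page): entries ending in "(no file)" or
"(file missing)" are orphans HijackThis can simply remove; an O23 service
entry must be deleted by its real service name (which may differ from the
display name shown in the log); an unnamed O2 BHO whose DLL still exists
under system32 should be looked at before it is touched.
"""
import re

# Constructed sample log: the entries quoted in the thread above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {376339FC-F23C-430B-8FF6-E3F6BDC0C859} - C:\\WINDOWS\\system32\\geebc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe (file missing)
O23 - Service: Win PPPe - Unknown owner - C:\\WINDOWS\\system32\\winser.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entry(line):
    """Split one HijackThis line into its type, kind, label, CLSID and target."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    otype, rest = m.groups()
    parts = [p.strip() for p in rest.split(" - ")]
    kind, _, label = parts[0].partition(": ")   # e.g. "BHO", "(no name)"
    clsid = CLSID_RE.search(rest)
    return {"type": otype, "kind": kind, "label": label,
            "clsid": clsid.group(0) if clsid else None,
            "target": parts[-1], "raw": line.strip()}


def triage(entry):
    """Return (action, note) for one parsed entry."""
    target = entry["target"]
    if entry["type"] == "O23":
        # HijackThis does not remove services: find the real service name
        # in services.msc, stop/disable it, then delete it with sc.
        return ("sc_delete",
                'find the service name behind display name "%s" in services.msc, '
                'stop/disable it, then run: sc delete "<exact Service Name>"'
                % entry["label"])
    if target.endswith(ORPHAN_MARKERS):
        return ("fix_checked", "file is gone; orphan entry, safe to Fix Checked")
    if entry["type"] == "O2" and entry["label"] == "(no name)" \
            and "\\system32\\" in target.lower():
        return ("investigate",
                "unnamed BHO with a live DLL in system32: %s" % target)
    return ("leave", "nothing obviously wrong")


def triage_log(text):
    """Parse and classify every entry line in a log; returns (raw, action, note)."""
    results = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            action, note = triage(entry)
            results.append((entry["raw"], action, note))
    return results


def actions(text):
    """Map each raw log line to its triage action."""
    return {raw: action for raw, action, _ in triage_log(text)}


if __name__ == "__main__":
    for raw, action, note in triage_log(SAMPLE_LOG):
        print("%-12s %s\n             %s" % (action, raw, note))
```

Run it against the quoted lines and the four "(no file)/(file missing)" entries plus both O9 lines come out as `fix_checked`, the `Win PPPe` service as `sc_delete` with a reminder that the display name is not necessarily the service name, and `geebc.dll` as `investigate`; the script deliberately does not attribute a family to that DLL, it only says the entry is not an orphan.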

gerbil 216 Industrious Poster

Another vundo popped up:
O2 - BHO: (no name) - {376339FC-F23C-430B-8FF6-E3F6BDC0C859} - C:\WINDOWS\system32\geebc.dll

gerbil 216 Industrious Poster

There is always a way. Or two....
1] don't mouse-over them - they are pretty obvious to see. Usually.
2] because they use JavaScript, disable that in your browser. But you might miss it.
That is about it. Try not to use your pointer as a reading aid; books and newspapers don't have 'em.... if the mouse-over is very brief they should not respond.

gerbil 216 Industrious Poster

I can see a vundo file remaining in the combofix log. I know vundofix can remove it - perhaps you should download a fresh copy and try again. We cannot just delete it because it would have files waiting to recreate it, and those do not show themselves.

gerbil 216 Industrious Poster

Oops!... sorry, Serunson, for poking my nose in... I am a pest, after all... a slightly more cuddly rat, really.
These are smitfrauds, or at least are covered by the tool:
O3 - Toolbar: IE Custom Tools, O22 - SharedTaskScheduler: celtiberi

gerbil 216 Industrious Poster

Hello, salty,
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in Safe Mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected; if it is you will be prompted to replace the file; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows. Please post C:\rapport.txt
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight System with a left-click, go File, Export..., save as bluewall with file type .txt. Close regedit and post that txt file.]

You may find this page interesting:
http://www.bigblueball.com/forums/aim-support/20430-skimming-aim-5-5-what-remove.html

Please post C:\rapport.txt and a fresh hijackthis log.
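What the poster will be looking for in that exported key, as an added example (not the thread's own tooling and not part of SmitfraudFix): a parser for a regedit export of HKCU\...\Policies\System that reports the values which hide the Display Properties tabs or force a policy wallpaper, so the background can be restored by hand if SmitfraudFix's registry cleaning did not. The value names checked (NoDispBackgroundPage, NoDispAppearancePage, NoDispScrSavPage, Wallpaper, WallpaperStyle) are this example's assumptions about what such a desktop hijack sets, and both sample exports are constructed; the exact column layout of regedit's "Text Files" export is assumed, and the parser is tolerant of whitespace for that reason.

```python
"""Report desktop-lockdown values in an exported Policies\\System key.

Added example; not the poster's tool and not part of SmitfraudFix.
Assumptions (not from the page): the value names in LOCKDOWN_VALUES are
the ones this kind of desktop hijack sets; two regedit export layouts are
handled, the ".reg" format and the "Text Files (*.txt)" format the post
asks for, whose exact spacing is assumed here.
"""
import re

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Values that hide Display Properties tabs or force a wallpaper (assumed list).
LOCKDOWN_VALUES = {
    "NoDispBackgroundPage": "hides the Desktop tab in Display Properties",
    "NoDispAppearancePage": "hides the Appearance tab in Display Properties",
    "NoDispScrSavPage": "hides the Screen Saver tab in Display Properties",
    "Wallpaper": "forces a policy wallpaper (often the fake warning bitmap)",
    "WallpaperStyle": "forces the wallpaper layout",
}

# Constructed sample: a regedit "Text Files" export of an infected key.
SAMPLE_TXT_EXPORT = """\
Key Name:          HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
Class Name:        <NO CLASS>
Last Write Time:   1/1/2007 - 12:00 AM
Value 0
  Name:            NoDispBackgroundPage
  Type:            REG_DWORD
  Data:            0x1

Value 1
  Name:            Wallpaper
  Type:            REG_SZ
  Data:            C:\\WINDOWS\\system32\\wallpaper.bmp
"""

# Constructed sample: the same kind of key as a .reg export.
SAMPLE_REG_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"NoDispAppearancePage"=dword:00000001
"WallpaperStyle"="0"
"""


def parse_txt_export(text):
    """Parse regedit's 'Text Files' export into {name: (type, data)}."""
    values = {}
    name = vtype = None
    for line in text.splitlines():
        m = re.match(r"\s*(Name|Type|Data):\s*(.*)$", line)
        if not m:            # "Key Name:", "Class Name:", "Value N" etc. are skipped
            continue
        field, val = m.group(1), m.group(2).strip()
        if field == "Name":
            name = val
        elif field == "Type":
            vtype = val
        elif field == "Data" and name is not None:
            values[name] = (vtype, val)
            name = vtype = None
    return values


def parse_reg_export(text):
    """Parse a .reg export, keeping only the values under POLICY_KEY."""
    values = {}
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == POLICY_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]+)|"(.*)")$', line)
        if in_key and m:
            name, dword, sz = m.groups()
            if dword is not None:
                values[name] = ("REG_DWORD", "0x%x" % int(dword, 16))
            else:
                values[name] = ("REG_SZ", sz.replace("\\\\", "\\"))
    return values


def parse_export(text):
    """Pick the parser by the file header."""
    if text.lstrip().startswith("Windows Registry Editor"):
        return parse_reg_export(text)
    return parse_txt_export(text)


def lockdown_findings(text):
    """Return {value_name: (data, meaning)} for each lockdown value present."""
    values = parse_export(text)
    return {n: (values[n][1], why) for n, why in LOCKDOWN_VALUES.items() if n in values}


if __name__ == "__main__":
    for sample in (SAMPLE_TXT_EXPORT, SAMPLE_REG_EXPORT):
        for name, (data, why) in lockdown_findings(sample).items():
            print("%-22s = %-40s %s" % (name, data, why))
```

Any value it reports is a candidate for deletion in regedit once the infection is gone; an export that lists none of them means the missing background is not being enforced by this key and the cause is elsewhere.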

gerbil 216 Industrious Poster

Hi, Suspishio, thrum tagged onto another thread and I asked him to post anew; I already had made up my reply so I'm just going to paste it here - hope you don't mind..?
Beauty, thrum ... this saves a lot of confusion, and you don't want me confused, now do you?
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!

=ComboFix:- [normal mode is fine] - to run it double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - …