gerbil 216 Industrious Poster

Mmmm.. some pests block access to the CP; I guess they think that makes them safer. Dunno.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_ShowControlPanel"=dword:00000002

__________________________________________________________

Say how it goes; your log is clean, just a null entry to fix:
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fi\msntb.dll (file missing)

gerbil 216 Industrious Poster

Cheers, Asmodeus, and thanks.
The threads do form a useful resource....
[an interesting juxtaposition of cultures in your name...]

gerbil 216 Industrious Poster

Did you miss this one or did it come back?:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://frontier.myway.com/
Fix it also; post that SMF log too....

gerbil 216 Industrious Poster

You can do all this in safe mode:
Run Smitfraudfix option2.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://frontier.myway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://frontier.myway.com/
O2 - BHO: MSVPS System - {64DE95E5-0A25-4DD9-A472-97BC1D419101} - C:\WINDOWS\movctrlswd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {2106BEDE-F5E8-4DE8-A081-A7E5EAD1529B} - (no file)

Good. Delete this file [SMF should have done it already..]:
C:\WINDOWS\movctrlswd.dll
Next delete the MyWay files/folder in Program Files.

Post that log, and a fresh hijackthis log from normal mode.

gerbil 216 Industrious Poster

Thrum, if you would post that in a new thread, please, I will start on it. I see your infections.

gerbil 216 Industrious Poster

You must uninstall one of either your Avast or Trend AV scanners - two AV services running will conflict with unforeseen consequences. Remove one. Now. I will not post again until I see that you have done so.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run.
The key, if you wish to import it again [by dclicking the reg file] is saved at C:\showkey.reg
__________________________________________________________
rem save a copy of the firewall exceptions list, then clear every value in it
reg export "HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list" C:\showkey.reg
reg delete "HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list" /va /f
__________________________________________________________

Next, you should go Start, run and paste in:
sfc /scannow -and OK. You will need to insert your installation CD.

gerbil 216 Industrious Poster

Ok, I got the bit I wanted from the page HTML source...

gerbil 216 Industrious Poster

:)... I wasn't actually going to cry.... some things are just too remote.
The ? marks in those folder names would be replacements for letters, actually an S in this case..
Log is clean. Now before YOU get burnt, get an AV and a firewall.
A list for you to choose from:
AVG FRE, Avast, Avira, AVG AS 7.5, Spywareblaster, ZoneAlarm Free, Kerio, Comodo

AVG Free 7.5 at http://free.grisoft.com/doc/5390/lng/us/tpl/v5
Avira personal free at http://www.free-av.com/
Avast home edition at http://www.avast.com/eng/avast_4_home.html

Cheers.

gerbil 216 Industrious Poster

I'd certainly remove OC because it has an active AV portion which will not work with K. I use a [free] non-active AS and am happy with that, although I rarely scan with it.
FF is good; where I am able it is my main browser.

gerbil 216 Industrious Poster

.

gerbil 216 Industrious Poster

I am confused... this is what happens when you piggyback on someone else's thread.
Are you saying you have a winupdate.exe problem? That is a worm file, AS such as AVG AS will fix it.
I cannot read this part of your SDFix log: Authorized Application Key Export - stop smilies, maybe add a couple of spaces to the keynames and repost that section.
- I don't know why winlogon.exe would want web access thru your firewall, unless it has been hijacked.... while connected to the web check in task manager that winlogon is using zero CPU time.
Remove one of your two AV services - you must have only one running cos they often interfere badly.
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
Post again with that info plus a log …

gerbil 216 Industrious Poster

Dl these files onto a thumbdrive [the first will fit on a floppy]:
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Post the contents of C:\vundofix.txt, C:\combofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

JJ is your pet name for Windows?
Fix these entries with hijackthis:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [Tcjaxr] C:\JJ\?ppPatch\s?chost.exe
O4 - HKCU\..\Run: [Ggkkntdd] C:\JJ\system32\s?stem32\d?dplay.exe

Good. Now delete these files:
C:\JJ\?ppPatch\s?chost.exe
C:\JJ\system32\s?stem32\d?dplay.exe

... and these folders:
C:\JJ\?ppPatch
C:\JJ\system32\s?stem32

... and post a new hijackthis log. Put up the SAS log if you have it.

gerbil 216 Industrious Poster

Yurecnik.exe darn near qualifies as the rarest pgm in existence. That is an outdated version of hijackthis...
==download hijackthis: http://www.majorgeeks.com/download5554.html
I see nothing that could be redirecting you... have you checked your hosts file?
This pgm will do that and more for you:
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

gerbil 216 Industrious Poster

Hello, jen...
no, it just means we go outside n play occasionally.
Lessee, a nice, light and clean installation you have there. Be even nicer with FF instead of IE7.
Slowness.... right, I see you have One-care loaded up with Kaspersky AV. If you switch off One-Care's AV scanner/guard [can you do that?] things may go better. One care less. You cannot run two resident or active AV services together, there is no way of knowing how they will interact; it's usually badly.
I don't use an active AS, and I don't get caught either.. I do use Spywareblaster which is CPU load-free cos it sets the registry up to block certain software from entering or running.

gerbil 216 Industrious Poster

Systems not booting past mups.sys are legend. Reasons/guesses/solutions given are many and varied... lots of blame is placed on hardware items, BIOS.. nothing escapes. I don't know.
No reason why it could not be software based though. I would be running system file checker with my installation disk as a first step [Run, sfc /scannow], very straightforward to do.
Then I think I would try running [chkdsk C: /F] -painless also.
Finally I guess a Windows Repair using Setup.....

gerbil 216 Industrious Poster

Ah, okay.... One of those is not being seen? Partition count starts at 1; eg C is often the first partition on most sys and is partition (1).

gerbil 216 Industrious Poster

What happened? I see a log which you ran before removing some items and the smitfraudfix run [one run suffices].. and then I see a log with so many entries missing? Did you mean to remove all those toolbars and browser helpers, autostart entries too?

gerbil 216 Industrious Poster

I have not seen that partition(2) tag before.... are you sure there is no partition before C on your HD? It does not matter; A, B are reserved for floppy drives, but you can put H etc before C if you wish, letter ordering is not impt.
Check in CP, Admin tools, computer mgmt > disk mgmt. See there also that C is your system drive, tagged as such [if u rclick C the line Mark partition as Active will be greyed out..]
Right, the log. It's good.

gerbil 216 Industrious Poster

As safe mode loads the files and drivers etc for a reduced operating system it reels off their names as it reads them in from HD - that black screen of rapidly scrolling text is normal. It then stops at an administrator accounts only login screen.
C:\Windows\system32\mups.sys is where it stops scrolling; if you see it, it has been loaded. If you don't get from there to the black safe mode screen followed by the login screen, then I don't have any advice on that.
Where is that partition(2) bit coming from?

gerbil 216 Industrious Poster

I don't know why these are hidden on your machine, it is not normal. This should reverse that situation:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixatt.bat, as type "all files", to your desktop; dclick it to run...

__________________________________________________________
attrib -r -h C:\WINDOWS\winhelp.exe
attrib -r -h C:\WINDOWS\winhlp32.exe
attrib -r -h C:\WINDOWS\wininit.ini
attrib -r -h C:\WINDOWS\winnt.bmp
attrib -r -h C:\WINDOWS\winnt256.bmp
attrib -h C:\WINDOWS\WinSxS
attrib -r -h C:\WINDOWS\WMSysPr9.prx
attrib -r -h C:\WINDOWS\WORDPAD.INI
attrib -r -h C:\WINDOWS\WRUninstall.dll
attrib -r -h C:\WINDOWS\Zapotec.bmp
attrib -r -h C:\WINDOWS\_default.pif
attrib -r -h C:\WINDOWS\{00000004-00000000-00000001-00001102-00000004-10031102}.CDF
attrib -r -h C:\WINDOWS\WindowsUpdate.log
__________________________________________________________

gerbil 216 Industrious Poster

Hello, Bec,
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in Safe Mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows. Please post C:\rapport.txt
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]

=Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - (no file)
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O4 - HKCU\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" hide

gerbil 216 Industrious Poster

Hmmm... if you had gone to the stickies you would have picked up the link to the most recent version:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new folder alongside your program files and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Ok, if you delete these two files you should be in the clear:

C:\WINDOWS\system32\locate.com -I am sure this one is part of an adware system, you can check the properties of your copy to be sure.
C:\WINDOWS\system32\tnsjhryq.dll

If the last fights deletion, do it from safe mode.

gerbil 216 Industrious Poster

Valo, would you start hijackthis, Misc Tools, ADS Spy > scan and post the log pls.

gerbil 216 Industrious Poster

Those recovery discs. You must be sure you are clean before making them, with all sys files correct. [should you not make them when fresh outta the box?].
Run CCleaner, then this:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
You really should try to run that system file checker though - it replaces any non-std files it finds. Which is why you need that SP2 installation CD. Absolutely no pale-faced kids nearby? Cannot borrow one from a friendly tech? The shop?
[sfc /scannow]
AVG Free. It's what I use, It has been faultless.

gerbil 216 Industrious Poster

Course, you do realise that IE7 is just a poor copy of some of the functionality of Firefox, but incorporating many of the faults of earlier IEs.
FF is a copy of Opera.
And with me not using IE7 I am not too sure if much of that is relevant.

gerbil 216 Industrious Poster

You could try this, it won't break anything:
Go to Start > Run and then cutnpaste the following 2 lines, one then the other; you need to press OK after each DLL file is re-registered.
---- LINE 1
regsvr32 urlmon.dll mshtml.dll shdocvw.dll browseui.dll jscript.dll vbscript.dll scrrun.dll msxml.dll actxprxy.dll softpub.dll wintrust.dll dssenh.dll

---- LINE 2
regsvr32 rsaenh.dll gpkcsp.dll sccbase.dll slbcsp.dll cryptdlg.dll oleaut32.dll ole32.dll shell32.dll msjava.dll hlink.dll Schannel.dll Rsabase.dll initpki.dll

Do not worry if some of these do not run or are not found. It simply means that particular dll does not apply to your version or system configuration.

gerbil 216 Industrious Poster

C:\WINDOWS\system32\9C4E99AAAD.sys
C:\WINDOWS\system32\ADAA994E9C.sys
I don't know what those two are, the names are a hash. You could check properties.
C:\WINDOWS\system32\accwizl.exe - this one is probably bad.
Only good pgms are being launched by those keys in the SDFix log. You should post a hijackthis log [see stickies] with your explanation of problem.

gerbil 216 Industrious Poster

Possibly.... :)
Try to borrow someone's XP installation disk... ud need an SP2 one. You could burn a copy too.

gerbil 216 Industrious Poster

Oh, yes, there is more. Run these next and we'll see where to go from there:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply with a fresh hijackthis scan.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Quite an armoury you ran. Love to see the Vundofix log you have.... but it did not finish its job - the trick is to run it a few times, as it cleans it "learns". You look to see that it has deleted all that it found, if not you plug it in again. But if it comes up with the same log result a couple of runs in a row then it is stuck. Post the log [btw, that log is additive...]
I've always wanted to visit NB... well actually, if I ever got that far I'd probably beeline for Newfoundland, maybe Nova Scotia.. St John, eh? I only ever get to the west side, for skiing....

gerbil 216 Industrious Poster

Hello, rocker.
You see where it says this:
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
-pretty much means nothing to worry about. Funnily enough, all those locked objects are legit... d:) ...er, your sys is clean.
There are other scans, but Kaspersky is on fire.
Rest easy.

gerbil 216 Industrious Poster

That file you outlined in the screenshot is quite ok, it's an M$ file for Terminal Services - you may or may not ever require it; it allows other computers to connect to yours etc for shares etc. As in a [local] network... and if you deleted it Windows would immediately replace it with a copy - it is protected.
I see nothing wrong in that last log... do you still have sounds? If you wish to look deeper, firstly:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
..then scan:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

Bill, this is your problem:
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\system32\perfs.exe
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service, rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....
Next, go hunt for C:\Windows\system32\perfs.exe and delete it.
Say what happens.

gerbil 216 Industrious Poster

Good. You MUST do the rest... okay, the Dell MyWay bit is your choice, of course..
Well, actually, all of it is, but your sys is infected.

gerbil 216 Industrious Poster

Hello again, lofti. It all looks good now; just tidy up by fixing these two entries with hijackthis:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

This is very important though [as pointed out by HBK...]:
==Finally: Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.3 is current....
Do that and you should be free to roam safely again.
Cheers, g.

gerbil 216 Industrious Poster

DeOnna, we deleted that Ehome bak folder with that lil batch file I sent you - that's why I was surprised that FindAWF put it up again.....it is why you could not find it.
Next problem: this entry can be fixed with hijackthis :
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
I would consider uninstalling all that Yahoo stuff - you have heaps of it, it adds on to IE and sometimes those addons cause problems. If it solves your error, fine, if not, feel free to reload it.
Uninstall from Add/Remove pgms, then check your hijackthis log for yahoo entries and fix all that remain [easy way to scan is wordsearch the notepad log].
Then if you still have the problem remove these two:
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.29.11/ttinst.cab
-they are not intrinsically bad, but you may go better without them.... or not.
Finally, or firstly, go Start, run and paste in:
sfc /scannow ..and OK. You will likely need your installation CD.

gerbil 216 Industrious Poster

You almost hit on the solution there yourself : you must use only ONE active AV because they conflict with unforeseeable consequences. Time to choose - AVG or Norman. Uninstall one.
Always keep your firewall up.....ALWAYS.
That is an outdated hijackthis version...

gerbil 216 Industrious Poster

Hello, Vman.
For a start you must choose between Norton and AVG AV's - they conflict, and have unforeseeable effects - uninstall one of them.
I see that you have MyWay Search Assistant [there, courtesy DELL]. You can get rid of it if you wish...
First see if it is listed in Add/Remove pgms list - remove it if able, then..
Go start > run, paste:
MsiExec.exe /X {78d944d7-a97b-4004-ab0a-b5ad06839940} -and Enter. If it is found click yes at the prompt.
Next delete the MyWay files/folder in Program Files [use myway as a search string...].
For when I next request a log would you please change the name of hijackthis.exe to imabunny.exe - this is important because you have a trace of a vundo infection.
=Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.com/download/SOPCORE.CAB
O20 - Winlogon Notify: sstqp - sstqp.dll (file missing)
O23 - Service: Windows Update Manager (WUM) - Unknown owner - C:\WINDOWS\winfire.exe (file missing)

Good. Now to remove that service:
Go Start, type this line into the run text box and press Enter:
sc delete WUM
Now we can get onto the …
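The entries gerbil keeps asking people to fix follow a few recognisable patterns: "(no file)" / "(file missing)" leftovers, O23 services with "Unknown owner", O4 autostarts whose path uses ? in place of letters, Winlogon Notify hooks and hijacked start pages. This Python triage of HijackThis-style lines is an added example, not part of the thread or of HijackThis; the sample log is constructed from lines quoted in these posts plus one made-up benign service, and the flagging rules are my own reading of gerbil's advice.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines modelled on the HijackThis entries quoted in this thread,
# plus one made-up benign O4 and O23 entry so the filter has something to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://frontier.myway.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fi\msntb.dll (file missing)
O4 - HKCU\..\Run: [Tcjaxr] C:\JJ\?ppPatch\s?chost.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: sstqp - sstqp.dll (file missing)
O23 - Service: Windows Update Manager (WUM) - Unknown owner - C:\WINDOWS\winfire.exe (file missing)
O23 - Service: Example Service (exsvc) - Example Corp - C:\Program Files\Example\exsvc.exe
"""

NULL_MARKERS = ("(no file)", "(file missing)")
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# O23 body: "Service: <display name> (<short name>) - <owner> - <path>"
SERVICE_RE = re.compile(r"^Service: .*\((?P<short>[^()]+)\) - (?P<owner>.*?) - (?P<path>.*)$")
# O4 body: "HKCU\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    line: str
    reason: str
    action: str


def service_short_name(body):
    """Short service name from an O23 body; this is what 'sc delete' wants."""
    m = SERVICE_RE.match(body)
    return m.group("short") if m else None


def triage(log_text):
    """Return the entries a helper would ask to be fixed, with the reason and the step."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        is_null = any(marker in body for marker in NULL_MARKERS)
        if kind == "O23":
            sm = SERVICE_RE.match(body)
            if sm and (sm.group("owner") == "Unknown owner" or is_null):
                findings.append(Finding(
                    line, "service with no publisher or missing binary",
                    f'stop/disable it in services.msc, then: sc delete "{sm.group("short")}"'))
            continue
        if kind == "O20":
            # Winlogon Notify DLLs load into winlogon.exe; a missing one is a dead hook.
            findings.append(Finding(
                line, "Winlogon Notify hook" + (" (DLL missing)" if is_null else ""),
                "fix with HijackThis; if the DLL exists, have it checked"))
            continue
        if kind == "O4":
            rm = RUN_RE.match(body)
            if rm and "?" in rm.group("cmd"):
                # '?' stands for a letter in the real name; the folder must be deleted by hand.
                findings.append(Finding(
                    line, "autostart path uses ? in place of letters",
                    "fix the entry, then delete the file and its folder from Explorer"))
            continue
        if kind in ("R0", "R1"):
            findings.append(Finding(
                line, "browser start/search page setting",
                "fix with HijackThis unless you chose this URL yourself"))
            continue
        if is_null:
            findings.append(Finding(line, "orphaned entry (target file absent)", "fix with HijackThis"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n  {f.line}\n  -> {f.action}")
```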

gerbil 216 Industrious Poster

I do like the look of that run, Lofti. Could I have a fresh hijackthis log to check and to tidy things up with, please?

gerbil 216 Industrious Poster

C:\WINDOWS\EHOME\BAK -yep, I was surprised that that one showed up in the last FindAWF list....
Now go play with your visitors.
Cheers.

gerbil 216 Industrious Poster

G'day, Lofti,
a couple of your Folder Options settings have been changed: in an Explorer window go Tools, Folder Options, View and
-select Show hidden files and folders,
-uncheck Hide extensions for known file types,
Apply n OK.
Good. Now rename C:\WINDOWS\SYSTEM32\windrv.sbak.sys to windrv.sys -it appears safe.
That Combofix log does not look right, and I see why - all my fault, a spelling [syntax, really] error in that text file I gave you. Delete it [it has a time stamp added now].
Here is the corrected one, save it as CFScript.txt alongside Combofix as before and drag it onto it:
If Combofix does not run correctly and produce a log you will need to dl a fresh copy.
__________________________________________________________
File::
C:\WINDOWS\SYSTEM32\onhubpoy.dll
C:\WINDOWS\SYSTEM32\pkdbuhby.dll
C:\WINDOWS\SYSTEM32\mfifmgfc.dll
C:\WINDOWS\SYSTEM32\gtnkrroc.dll
C:\WINDOWS\SYSTEM32\rgpkrjxi.dll
C:\WINDOWS\SYSTEM32\hddfkcbv.dll
C:\WINDOWS\SYSTEM32\orgwjmte.dll
C:\WINDOWS\SYSTEM32\pmnnopn.dll
C:\WINDOWS\browser.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E992732-295F-4987-8BE3-16FAC1639198}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"580eaae6"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pkdbuhby]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
__________________________________________________________

My apologies.....

gerbil 216 Industrious Poster

Hi, lofti [k, that's the last play on your name, I promise], you have a tough pest there, and a part of it changes its name whenever your sys is restarted so if you have turned off your machine since you last posted some of this may not work, but we can rerun later.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -ie a folder or your desktop.
__________________________________________________________
Files::
C:\WINDOWS\SYSTEM32\onhubpoy.dll
C:\WINDOWS\SYSTEM32\pkdbuhby.dll
C:\WINDOWS\SYSTEM32\mfifmgfc.dll
C:\WINDOWS\SYSTEM32\gtnkrroc.dll
C:\WINDOWS\SYSTEM32\rgpkrjxi.dll
C:\WINDOWS\SYSTEM32\hddfkcbv.dll
C:\WINDOWS\SYSTEM32\orgwjmte.dll
C:\WINDOWS\SYSTEM32\pmnnopn.dll
C:\WINDOWS\browser.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E992732-295F-4987-8BE3-16FAC1639198}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"580eaae6"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pkdbuhby]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
__________________________________________________________

Good. Now drag CFScript.txt onto Combofix [drag the icons if on your desktop, or the filenames if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

Please browse to :
C:\WINDOWS\SYSTEM32\windrv.sys -rename it to windrv.sbak.
Go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination.
All done? Post the combofix log with a fresh hijackthis scan log plus the virus scan result.
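To see exactly what a CFScript like the one above commits ComboFix to, this added Python reads the File:: and Registry:: directives and lists the deletions, decoding the hex(7) REG_MULTI_SZ so the "Authentication Packages" line is visible as a reset of the LSA package list to msv1_0 alone (which is how a rogue authentication package a pest registered gets dropped). It is not ComboFix's code or part of the thread; it assumes only the two directive kinds used in these posts, rejects the misspelt "Files::" header that gerbil corrected, and the sample script is constructed from the entries quoted above.

```python
import re

# Constructed sample: a cut-down copy of the corrected CFScript posted in this thread.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\SYSTEM32\pkdbuhby.dll
C:\WINDOWS\browser.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"580eaae6"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
"""

KNOWN_SECTIONS = ("File", "Registry")  # assumption: only the directives used in this thread
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<rhs>.*)$')


def decode_multi_sz(hex_field):
    """Decode a .reg-style hex(7) byte list (REG_MULTI_SZ) into its list of strings."""
    data = bytes(int(b, 16) for b in hex_field.split(",") if b.strip())
    # regedit exports REG_MULTI_SZ as UTF-16LE; the script quoted in this thread
    # writes one byte per character. Treat all-zero high bytes as UTF-16LE.
    if len(data) >= 4 and all(data[i] == 0 for i in range(1, len(data), 2)):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    return [s for s in text.split("\0") if s]


def parse_cfscript(text):
    """Return the file deletions, key deletions, value deletions and value sets a script requests."""
    actions = {"delete_files": [], "delete_keys": [], "delete_values": [], "set_values": []}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2]
            if section not in KNOWN_SECTIONS:
                # "Files::" is exactly the slip that produced a wrong-looking log above.
                raise ValueError(f"unknown directive: {line}")
            current_key = None
            continue
        if section == "File":
            actions["delete_files"].append(line)
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                actions["delete_keys"].append(line[2:-1])        # [-KEY] deletes the key
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]                          # [KEY] selects a key
            else:
                m = VALUE_RE.match(line)
                if not m or current_key is None:
                    raise ValueError(f"unparsed registry line: {line}")
                name, rhs = m.group("name"), m.group("rhs").strip()
                if rhs == "-":                                     # "name"=- deletes the value
                    actions["delete_values"].append((current_key, name))
                elif rhs.startswith("hex(7):"):
                    actions["set_values"].append((current_key, name, decode_multi_sz(rhs[7:])))
                else:
                    actions["set_values"].append((current_key, name, rhs))
        else:
            raise ValueError(f"line outside any directive: {line}")
    return actions


def lsa_authentication_packages(actions):
    """The Authentication Packages list the script would leave behind, or None if untouched."""
    for key, name, value in actions["set_values"]:
        if key.lower().endswith(r"\control\lsa") and name == "Authentication Packages":
            return value
    return None


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    for kind, items in parsed.items():
        print(kind, items)
    print("LSA packages after run:", lsa_authentication_packages(parsed))
```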

gerbil 216 Industrious Poster

Mmm.. that is nice, ablrider.
Unfortunately, lofti's malware is protected and tougher. I'll work on it tonight, loft, in about 5hrs or so.

gerbil 216 Industrious Poster

Yep, it's clear now, thanks. The repair is on top of an installation that would have long ago required activation, so..... grief it looks like.
You need a bootable thumbdrive with AV etc

gerbil 216 Industrious Poster

That looks like a clean log, DeOnna. To tidy up you could fix this entry with hijackthis:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

You can simply delete these folders manually [I filled in where the replacement chars were]:

C:\PROGRAm files\MSNMESsenger\BAK
C:\PROGRAm files\PICASA2\BAK
C:\WINDOWS\EHOME\BAK
C:\PROGRAm files\YAHOO!\MESSENger\BAK

And that should be it. Is the sys working well now?
[feed em well, they expect it]

gerbil 216 Industrious Poster

Sorry, DeOnna, I should have mentioned that, yes, all you would see is a brief flick of a black window. It did its job [if you did, trying it more than once would not have hurt].
So now all the good files are copied back into their original directories, replacing the infected copies. This next step deletes the copy folders:
-option 3, FindAWF: start the program again, select to remove bak folders, into the text file that opens paste all the text between the lines:
_____________________________________________________________
C:\Program Files\HP DigitalMedia Archive\bak
C:\Program Files\REGSHAVE\bak
C:\Program Files\Windows Defender\bak
C:\WINDOWS\CREATOR\bak
C:\WINDOWS\SMINST\bak
C:\Program Files\Grisoft\AVG Free\bak
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Yahoo!\Search Protection\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Snapfish\Snapfish PhotoShow\data\Xtras\bak
_____________________________________________________________

-close the text file and click Yes. Please post the contents of the notepad that opens.
Then, if and only if these two sections of the report are empty...:

bak folders found
~~~~~~~~~~~
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

...go ahead and run option 4 next -this will reset your restricted and trusted sites in IE, tools, internet options, security. If you have added trusted sites you will have to re-enter them afterward [for an extra level of security I keep the https box checked here]. That is up to your judgement.
If you use SpywareBlaster, IE-SpyAd, Spybot etc you will need to re-enable their …

gerbil 216 Industrious Poster

Grinning here... that's the final edit. Run it.
And it's bedtime for me now.

gerbil 216 Industrious Poster

Nope, it is failing on those two again. So we'll try it the brute force way.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixawf.bat, as type "all files", to your desktop; dclick it to run.
__________________________________________________________
if exist "C:\WINDOWS\ehome\ehtray.exe" del /q "C:\WINDOWS\ehome\ehtray.exe"
copy "C:\WINDOWS\ehome\bak\ehtray.exe" "C:\WINDOWS\ehome"
if exist "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe" del /q "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
copy "C:\WINDOWS\ehome\bak\ehtray.exe" "C:\WINDOWS\$NtUninstallKB908246$"
del /q "C:\WINDOWS\ehome\bak\ehtray.exe"

if exist "C:\Program Files\Picasa2\PicasaMediaDetector.exe" del /q "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
copy "C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe" "C:\Program Files\Picasa2"
del /q "C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
__________________________________________________________

Finally run option 1 again so that I may check the replacements.