gerbil 216 Industrious Poster

I am adding this section now to save you time because of lag in post/reply.
If that Vundofix refinement works after the Combofix run some of this may be redundant, but perform the whole anyway:
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {08A4D98A-864E-4BA2-998D-9C58EE7556C2} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {31657B86-01E9-43C8-A0C5-F02BE201455c} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {68218620-3D65-43F6-AD47-D38D84B5412A} - C:\WINDOWS\system32\ljjkheb.dll
O2 - BHO: (no name) - {9E7FA759-B446-4E57-AF42-A97A948B6CB3} - C:\WINDOWS\system32\henclvoc.dll
O2 - BHO: (no name) - {9F0AD5E8-002F-4666-8F74-B5457C89FDD0} - C:\WINDOWS\system32\nxmjexch.dll
O2 - BHO: (no name) - {A8CE4D48-E68D-4FE4-89FE-300731C77148} - C:\WINDOWS\system32\nxmjexch.dll
O2 - BHO: (no name) - {B064D7DD-F68F-4D03-9C37-C86C2D72D4B7} - C:\WINDOWS\system32\nnsqqmqc.dll (file missing)
O2 - BHO: (no name) - {C3415EC8-E19C-4147-A819-604490CEF483} - C:\WINDOWS\system32\ssqrr.dll
O2 - BHO: (no name) - {E5D48306-2B38-4D8C-B74C-8C4F420E02F2} - C:\WINDOWS\system32\henclvoc.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\gewhpgsa.dll",sitypnow
O20 - Winlogon Notify: ljjkheb - C:\WINDOWS\SYSTEM32\ljjkheb.dll
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O22 - SharedTaskScheduler: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)

==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Dclick killbox to start it.
>Highlight the pathnames in the following lines as one block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\WINDOWS\system32\henclvoc.dll
C:\WINDOWS\system32\nxmjexch.dll
C:\WINDOWS\system32\ljjkheb.dll
C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\gewhpgsa.dll

>In killbox, go File menu, …
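Added example, not part of gerbil's post and not code from HijackThis: a small Python triage script for scan-log lines of the shape quoted above. It flags the patterns the fix lists in this thread act on: several unnamed BHO CLSIDs bound to one system32 DLL (the Vundo pattern), a Winlogon Notify hook on such a DLL, BHOs or services whose file is missing, a Run key that uses rundll32 to load a system32 DLL, and a hard-coded O17 NameServer not on an allow-list. The sample log, its GUIDs, file names and 192.0.2.x addresses are constructed placeholders, not indicators taken from the page.

```python
"""Triage helper for HijackThis scan-log lines (added example, not HJT code)."""
import re
from collections import defaultdict

# Constructed sample log; GUIDs, file names and addresses are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {11111111-1111-1111-1111-111111111111} - C:\WINDOWS\system32\abcdefgh.dll
O2 - BHO: (no name) - {22222222-2222-2222-2222-222222222222} - C:\WINDOWS\system32\abcdefgh.dll
O2 - BHO: (no name) - {33333333-3333-3333-3333-333333333333} - C:\WINDOWS\system32\zzzzzzzz.dll (file missing)
O2 - BHO: Example Named Helper - {44444444-4444-4444-4444-444444444444} - C:\Program Files\Example\Helper.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\qwertyui.dll",entrypoint
O17 - HKLM\System\CCS\Services\Tcpip\..\{55555555-5555-5555-5555-555555555555}: NameServer = 192.0.2.53,192.0.2.54
O20 - Winlogon Notify: abcdefgh - C:\WINDOWS\SYSTEM32\abcdefgh.dll
O23 - Service: PJ - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\PJ.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First drive-letter path ending in .dll/.exe/.sys; spaces and ~ are allowed.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"<>|*?]+?\.(?:dll|exe|sys))", re.IGNORECASE)
NS_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]*)")


def parse_line(line):
    """Split one HijackThis line into section, body, first path and a missing flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    pm = PATH_RE.search(body)
    return {
        "section": section,
        "body": body,
        "path": pm.group(1).lower() if pm else "",
        "missing": "(file missing)" in body or "(no file)" in body,
    }


def triage(log_text, dns_allow=frozenset()):
    """Return sorted (kind, subject) findings for one scan log."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = set()

    # Unnamed BHOs grouped by the DLL they load: two or more CLSIDs on one
    # randomly named system32 DLL is the pattern the O2 fix lists above show.
    unnamed_bho = defaultdict(int)
    for e in entries:
        if e["section"] == "O2" and "(no name)" in e["body"] and e["path"]:
            unnamed_bho[e["path"]] += 1
    for dll, count in unnamed_bho.items():
        if count >= 2:
            findings.add(("multi-clsid-bho", dll))

    for e in entries:
        path = e["path"]
        if e["missing"]:
            findings.add(("orphan-entry", f"{e['section']}: {path or e['body']}"))
        if e["section"] == "O20" and path in unnamed_bho:
            findings.add(("winlogon-notify-on-bho-dll", path))
        if (e["section"] == "O4" and "rundll32" in e["body"].lower()
                and "\\system32\\" in path and path.endswith(".dll")):
            findings.add(("run-key-rundll32-system32", path))
        if e["section"] == "O17":
            m = NS_RE.search(e["body"])
            servers = m.group(1).split(",") if m else []
            for server in (s.strip() for s in servers):
                if server and server not in dns_allow:
                    findings.add(("hardcoded-nameserver", server))
    return sorted(findings)


if __name__ == "__main__":
    # dns_allow would hold the resolvers your ISP/DHCP actually hands out.
    for kind, subject in triage(SAMPLE_LOG, dns_allow={"192.0.2.53"}):
        print(f"{kind:28} {subject}")
```

Run it against a pasted log and the output is a short list to compare with the Fix Checked list; anything the script does not flag still needs a human eye, since a named BHO with a plausible path can be just as hostile.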

gerbil 216 Industrious Poster

Cool. Now run the clean option with smitfraudfix:-
- Check that a Restore point has been made.
- Restart your computer in Safe Mode.
- Start Smitfraudfix as before and select #2 - Clean [type 2 and Enter].
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
Restart in normal Windows and post here the text file which will appear on your screen, along with a new HT log.
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file].

Let's force the issue with those undeletable files. This is to check for any hidden support files:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick …

gerbil 216 Industrious Poster

Ah... computers... esp those running windows.. lotsa free time comes in handy, and yes, you do learn stuff, some of which you really should not need to know.
Cheers and good luck.

gerbil 216 Industrious Poster

Hi, I am sure you will be glad to know that one of your bits of malware is a backdoor worm.
For a start go to CP, add/remove pgms and uninstall AskBar Search Assistant.
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Ask Toolbar …

gerbil 216 Industrious Poster

Someone's just gotta have one.... I think Gates has gotten XP into 2 of 3 homes! Home has to be in 1 of 3?
Anyway, when you do find one you could try a Repair if Setup recognises the installation....

gerbil 216 Industrious Poster

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]

==Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
==Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.

gerbil 216 Industrious Poster

Hello, tarn... a simple fix... it's a couple of hosts file entries in your registry...so:
Start hijackthis, -select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O1 - Hosts: 63.236.0.238 www.facebook.com
O1 - Hosts: 63.236.0.238 facebook.com

You probably picked something up from browsing facebook, may I suggest a spyware scan?
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

gerbil 216 Industrious Poster

No, your HD will not boot in another machine because drivers, chipset specs, HAL would be all for the other motherboard, vid card and other peripherals.. you will have to reinstall the OS. If you have the key then any version of XP which matches your original installation that the key was for should do... eg OEM, full retail etc... borrow a CD.
Obviously the config directory files in your Restore CD are meant solely for your emachine - same reason.

gerbil 216 Industrious Poster

Jamlpr, please delete C:\vundofix.txt and run vundofix again!! until all files have been deleted. It may take a couple more passes. When all files that it detects have been deleted then you are finished with vundofix.

==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ .. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
In the meantime fix these two with hijackthis, we'll get to all the others later.

O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -

Post vundofix, smitfraud log and a fresh hijackthis scan log also.

gerbil 216 Industrious Poster

Could you post a fresh hijackthis log also, please, with your comments?
Oh, and in CCleaner, if you are going to keep it, and may I suggest that you do... go Cleaner button, Apps tab, under FF pls check Cookies at least.. other choices are up to you...

These are the relevant entries in that AVG listing:
C:\Documents and Settings\All Users\Application Data\Trans Cake Up Flap\Plan Help.exe -> Trojan.Obfuscated.en : Cleaned with backup (quarantined).
C:\Documents and Settings\Mr. Demo\Application Data\mapimaildart\deqfawec.exe -> Trojan.Obfuscated.en : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B7CDFF46-974E-4A52-8F10-62341E9042F5}\RP157\A0022469.exe -> Trojan.Obfuscated.en : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B7CDFF46-974E-4A52-8F10-62341E9042F5}\RP182\A0025459.exe -> Trojan.Obfuscated.en : Cleaned with backup (quarantined).

IN AVG AS empty the quarantine bin.
System Restore Points Clearance:
==You SHOULD clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!

gerbil 216 Industrious Poster

Hi, jamlpr, that link is up - I suspect your hosts file may be blocking you, some malware make undesirable entries...
There are tools to fix it, try this:
==download HostsXpert from http://www.funkytoad.com/content/view/13/31/
-click Restore MS Hosts File button.
Some security applications, possibly also various malware, will lock your Hosts file [as a protection]. If HostsXpert is unable to restore your file check for applications which may have incidentally locked it. Lock/Unlock hosts exists in Zonealarm and Spybot S&D.
ZoneAlarm : look under firewall, advanced;
Spybot : click Tools,Hosts File, uncheck "Lock Hosts file read-only as protection against hijackers"
Or just...[ but a Spybot setting may over-ride this command....] do this:
Go Start, run, type cmd -press Enter. Paste this line into the window at the prompt, press Enter, close the window.

attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS

-and then of course you can edit it manually [you may have to run the above command first]
A sample hosts file [mine]:-

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should …
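Added example, not part of gerbil's post and not HostsXpert's code: a Python check for the kind of hosts-file hijack described in this post and in the facebook one above. It parses the Windows hosts format (comments after `#`, one IP followed by one or more names per line) and reports every name sent anywhere other than a loopback or 0.0.0.0 sinkhole, grouped by destination so a redirector that collects several names on one IP stands out. The sample file is constructed for the example; the two facebook lines copy the entries quoted in the thread and the 192.0.2.x address is a documentation-range placeholder.

```python
"""Hosts-file hijack check (added example; not part of the original post)."""
import ipaddress
import os
from collections import defaultdict

# Path the attrib command in the post refers to; only used by check_file().
WINDOWS_HOSTS = os.path.expandvars(r"%SystemRoot%\system32\drivers\etc\hosts")

# Constructed sample. The facebook lines mirror the O1 entries quoted in the
# thread; the bank line uses a documentation-range placeholder address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
0.0.0.0         ads.example.net          # ad-block style entry, harmless
63.236.0.238    www.facebook.com
63.236.0.238    facebook.com
192.0.2.10      www.example-bank.test    # constructed redirect
"""

# Destinations a hosts entry may legitimately point at.
SINKHOLES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}


def parse_hosts(text):
    """Yield (ip_address, hostname) for each active mapping; skip comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: damaged or foreign line
        for name in fields[1:]:
            yield ip, name.lower()


def redirect_targets(text):
    """Map each non-sinkhole destination IP to the sorted names sent there."""
    targets = defaultdict(set)
    for ip, name in parse_hosts(text):
        if ip not in SINKHOLES:
            targets[str(ip)].add(name)
    return {ip: sorted(names) for ip, names in targets.items()}


def suspicious_entries(text):
    """Return (hostname, ip) pairs that a cleaner would remove, sorted by name."""
    return sorted((name, str(ip)) for ip, name in parse_hosts(text) if ip not in SINKHOLES)


def check_file(path=WINDOWS_HOSTS):
    """Read the live hosts file and return its redirect map (empty dict when clean)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return redirect_targets(fh.read())


if __name__ == "__main__":
    for ip, names in redirect_targets(SAMPLE_HOSTS).items():
        print(f"{ip:16} -> {', '.join(names)}")
```

A clean default hosts file yields an empty map; a legitimate LAN name pinned to an internal address will also show up, so treat the output as a review list, not an automatic delete list.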

gerbil 216 Industrious Poster

You say you've hit it with AV... but what about AS? The log is LOADED, and you have two resident AV services - that is not good, one is all you can run. Remove one now. You have a redirector, vundo, bunch of trojan/spywares...
Help? Okay...
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.

FIX CHECKED ENTRIES....!!
Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:

O17 - HKLM\System\CCS\Services\Tcpip\..\{14F6B734-BA66-426F-89D0-0FDE45917491}: NameServer = 85.255.116.40,

gerbil 216 Industrious Poster

Hello, Aneesah, looks like we got there!! You are looking clean to go.
Please keep in mind that you were infected by a backdoor trojan that may have allowed someone access to your computer.. whether they did or not is unknown.. I suggest you change passwords, esp if you use inet banking... email also....
One last thing to complete the job - Empty your recycle bin please.
Because you are clean now is the time to get SP2... it's a big dl [get the IT professional file from M$ and install yourself, don't follow the update auto installation path]. Or borrow a CD from a friend of the same type as your installation but which has SP2 on it .. eg OEM, or full retail version.
You must do it, cos without it you are a sitting duck. When you have it, or even now, get Spywareblaster... it's free. Delete combofix, vundofix, keep AVG AS... CCleaner.
Cheers.

gerbil 216 Industrious Poster

Hmmm, that rather looks like a Lop infection there - it's pretty pesky adware. These two entries point it out:

O4 - HKLM\..\Run: [axis web cake second] C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\USER PURE.exe
O4 - HKCU\..\Run: [MediaProxy] C:\DOCUME~1\MR7D46~1.DEM\APPLIC~1\MAPIMA~1\INTERNET ARMY MFCD.exe

Best to use the proper tool, and then follow up with a clean and general adware/spyware scan.
==Download NoLop from the link on this page; follow the instructions given. Post the report C:\NoLop.log.
http://www.thespykiller.co.uk/index.php?action=tpmod;dl=item16
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
That lot should do …

gerbil 216 Industrious Poster

Use the XP boot file, it works. And XP will install onto any partition [on any drive, disk], which is why setup asks where you wish to install it. Why did you panic and back out? These things are removable..
Just a point... L:? - it is obviously not a primary partition so you will not be able to mark it as active, therefore you will need to keep the boot files on some primary partition.. eg, C: and so you will not be able to format C: later.
If you were to do a fresh installation of XP on C: it would not overwrite any data files.

gerbil 216 Industrious Poster

I'm only posting here cos Crunchie oughta be in bed asleep atm...
Give Vundofix a chance.. if it freezes restart it, try a few times, checking to see if you get a report. If it reports files and is unable to delete any, rerun it until it does.
And if you must do another AV scan, don't get AVG AV cos you already have a resident AV service - they will conflict. Instead may I suggest Panda Online Scan?
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here. I'm backing out now before the master returns...

gerbil 216 Industrious Poster

Oh dear...
Please delete the directory C:\qoobox and its contents.
Inside AVG AS remove all quarantined objects.
Let's stop these two services and remove them using same procedure as before:
O23 - Service: CHXPRTU - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\CHXPRTU.exe (file missing)
O23 - Service: PJ - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\PJ.exe (file missing)
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific services CHXPRTU and PJ - in each case rclick them, select properties. Write down the exact Service Names. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now.... and repeat for the other service name.

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\CLSID\{2D2DE234-AB9F-4345-9D17-94FA78BA37E3}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= -

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mqxiaaaa]

__________________________________________________________

Start Killbox [note the different pathname loading method this time for multiple filenames],
>Highlight the pathnames in the following lines as one block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\WINDOWS\wksvr.exe
C:\WINDOWS\system32\ypmgewoo.dll

gerbil 216 Industrious Poster

Congratulations, Aneesah, you have a rootkit: c:\WINDOWS\system32\drivers\runtime2.sys, but we can fix that now we know it is there.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[-HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2]

[-HKLM\SYSTEM\CurrentControlSet\Services\runtime2]

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"startdrv" = -
__________________________________________________________

==Fix these two with hijackthis:

O20 - Winlogon Notify: wzatyvah - C:\WINDOWS\SYSTEM32\iplaipl.dll
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\84.exe (file missing)

==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Dclick killbox to start it.
Paste this pathname into the textbox Full Path of File to Delete:

C:\WINDOWS\SYSTEM32\iplaipl.dll

Select "Delete on reboot", "Unregister dll before deleting", click the "all files" button.
Click the red and white X button, click Yes …

gerbil 216 Industrious Poster

If you are using Pro you can enable Taskmanager via group policy - run gpedit.msc and work down the tree thus:
User Configuration, Administrative Templates, System, Ctrl+Alt+Del Options.....
Else if you have Home [or as well Pro ] run this script:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showtm.reg, as type "all files", to your desktop; dclick it to run...
__________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"= -

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"= -
__________________________________________________________

If TM works now, try to open explorer.exe or iexplore.exe with it.
On the net?
First, clean:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
Next scan for malware:
==Pandasoftware ActiveScan using IE only from http://www.pandasoftware.com/products/activescan? -link is at right above the padlock: free online virus scan; just follow through the pages, supply a "valid" email address...
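Added example, not part of gerbil's posts and not regedit's code: a Python dry-run reader for the .reg fix scripts posted in this thread (showtm.reg above and the two fixkey.reg scripts further up). It reads the regedit 5.00 text format those scripts use ([-Key] deletes a key, [Key] creates or selects it, "Name"=- deletes a value, "Name"="x" and "Name"=dword:... set values) and lists what an import would do, so the change can be reviewed before the file is double-clicked. It also refuses abbreviated hive names: HKLM-style shorthand is reg.exe command-line syntax, while a .reg file for regedit needs the full HKEY_* root. The sample scripts are constructed for the example; the startupreg subkey and service names in them are placeholders.

```python
"""Dry-run reader for regedit 5.00 .reg scripts (added example, not regedit code)."""
import re

HEADER = "Windows Registry Editor Version 5.00"
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)\s*=\s*(.+)$')

# Constructed sample modelled on the showtm.reg / fixkey.reg scripts in the thread.
SAMPLE_FIX = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"= -

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\example_entry]
"""

# Same intent written with reg.exe shorthand, which a .reg file must not use.
BAD_FIX = r"""
Windows Registry Editor Version 5.00

[-HKLM\SYSTEM\CurrentControlSet\Services\example]
"""


class RegFileError(ValueError):
    """Raised when the text is not a .reg script regedit would apply as intended."""


def parse_reg(text):
    """Return a list of (op, key, name, data) tuples describing the import."""
    body = iter(enumerate(text.splitlines(), start=1))
    for lineno, raw in body:           # first non-blank line must be the header
        if raw.strip():
            if raw.strip() != HEADER:
                raise RegFileError(f"line {lineno}: expected header {HEADER!r}")
            break
    else:
        raise RegFileError("empty file")

    ops, current = [], None
    for lineno, raw in body:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            minus, key = km.groups()
            hive = key.split("\\", 1)[0].upper()
            if hive not in HIVES:
                raise RegFileError(f"line {lineno}: {hive!r} is not a full hive name")
            if minus:
                ops.append(("delete_key", key, None, None))
                current = None      # values after a deleted key have nothing to attach to
            else:
                ops.append(("create_key", key, None, None))
                current = key
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, data = vm.groups()
            name = "(Default)" if name == "@" else name[1:-1]
            if data == "-":
                ops.append(("delete_value", current, name, None))
            elif data.startswith('"') and data.endswith('"'):
                ops.append(("set_string", current, name, data[1:-1]))
            elif data.lower().startswith("dword:"):
                ops.append(("set_dword", current, name, int(data[6:], 16)))
            else:
                ops.append(("set_other", current, name, data))
            continue
        raise RegFileError(f"line {lineno}: cannot parse {raw!r}")
    return ops


def describe(text):
    """One human-readable line per operation, in file order."""
    words = {"delete_key": "delete key", "create_key": "create/select key",
             "delete_value": "delete value", "set_string": "set string",
             "set_dword": "set dword", "set_other": "set value"}
    out = []
    for op, key, name, data in parse_reg(text):
        target = key if name is None else f"{key}\\{name}"
        out.append(f"{words[op]}: {target}" + ("" if data is None else f" = {data!r}"))
    return out


def validate(text):
    """None when the script parses cleanly, otherwise the error message."""
    try:
        parse_reg(text)
        return None
    except RegFileError as exc:
        return str(exc)


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_FIX)))
    print("BAD_FIX:", validate(BAD_FIX))
```

Paste a posted script into SAMPLE_FIX's place and read the description back; a fix that is supposed to only remove a policy value but also deletes a whole key, or that names a hive regedit will not accept, is caught before it touches the registry.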

gerbil 216 Industrious Poster

Oh dear...
pately, please do not post in another's thread, you risk getting little or no attention, and it is just plain confusing at times.

Algis, sorry about that earlier post "I must see those vundofix and combofix logs!! Please!" - things do, of course, go mostly at the pace you decide normally, it was that intervening log of pately's that threw me - suddenly I was seeing a different computer.... anyway my impatient-sounding post was because of that and me doing other work.
I shall remind you of this later, now is not the time to update your Java but please now do go into CP > add/remove pgms and remove all the oldest versions of Java, keep only the latest [which is out of date!].

I note that Vundofix failed to run correctly... Combofix detected and cleaned some vundo files. Please delete C:\vundofix.txt and your copy of vundofix.exe.
Combofix also struggled. I just tested it on my pc - it took less than 3 minutes to complete, but my sys is clean.... Please delete combofix.txt and combofix.exe.
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip -unzip it to your desktop.
You must be in an Administrator-privileged account to run this procedure...
Okay, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Mqjehc] C:\Program Files\Ydvq\Pyywyd.exe

gerbil 216 Industrious Poster

I must see those vundofix and combofix logs!! Please!

gerbil 216 Industrious Poster

Ha! See, my faith was justified - we can go with that, although you have a double extension .exe.exe, which does not matter for our purposes.
[C:\Program Files\Trend Micro\analysethis.exe\analysethis.exe.exe]
The log name remains hijackthis as it should, but importantly the filename which it runs from has been changed. Wheeee...!!
I'm busy with something else atm, can you hold on for Crunchie? You do have scads of problems in there...

gerbil 216 Industrious Poster

Errrk!
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Post the contents of C:\vundofix.txt, C:\Combofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

Sure. Go Start, run, paste in this line and press Enter:
C:\Program Files\Trend Micro\analysethis
In the window that opens locate HijackThis.exe and rclick, choose Rename, make sure you put in analysethis.exe instead, and Enter. Done.

gerbil 216 Industrious Poster

Hello, Aneesah.. :)
..you must have been waiting. You can see from the AVG log that you had both a backdoor trojan and another trojan, plus a rootkit agent - they have been placed in quarantine. Delete all those quarantined entries in AVG AS.
Some more work:
System Restore Points Clearance:
==You MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!

==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not …

gerbil 216 Industrious Poster

Ah. That means I think that you had a sys problem, and that a report was made. In itself it is not a bad entry. The problem usually is of the form "this pgm is not responding..." when you try to shut down a pgm that has stalled or something..., and what happens then is a dump report is made for you to send to M$. A waste of time, probably. You can stop that from occurring under My Computer, Properties.

gerbil 216 Industrious Poster

Nope!! ... :)
Rename hijackthis.exe to analysethis.exe so you see this:
C:\Program Files\Trend Micro\analysethis\analysethis.exe
NOT this:
C:\Program Files\Trend Micro\analysethis\HijackThis.exe
You'll get there...!
The reason we request this is cos some malware detect Hijackthis starting and remove their registry entries and shutdown for the duration...
One more try, I have faith in you.

gerbil 216 Industrious Poster

AV services are to catch viruses. Trojans generally fall under the heading Spyware. So go to AVG site n get their AS! That should solve your problem.
First clean:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
Then cure:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

gerbil 216 Industrious Poster

Pssstt... cindy.. if you're still about rename hijackthis!! and post the whole log before he sees that short one... we don't want to test him too much!
Shhh... but what you've done is rename/create a new folder! Change hijackthis.exe to analysethis.exe, then delete the "duplicate" folder C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
You should then be left with C:\Program Files\Trend Micro\analysethis\analysethis.exe.
Cheers.

gerbil 216 Industrious Poster

If you have real concerns then these tools should confirm or allay them:
First, clean:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
Next, run one of these two, both if you must...
==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan.

==RKR from http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx -read that page, dl the file at foot, start it and Scan.

And finally scan for malware with one of these two:
==Pandasoftware ActiveScan using IE only from http://www.pandasoftware.com/products/activescan? -link is at right above the padlock: free online virus scan; just follow through the pages, supply a "valid" email address... To reduce the number of detections run either CCleaner or ATF cleaner first [to remove cookies].

==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....

gerbil 216 Industrious Poster

Imran, you should run a good AntiSpyware to fix those things; try this, clean and then scan:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
==delete your copy of hijackthis and follow these instructions for a new copy and proper installation:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and …

gerbil 216 Industrious Poster

Kilegoty, nothing shows bad on that log... but if you have real doubts then try this: [panda will clean any viruses it finds but only points out spyware... please clean up first]:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

Oh dear... I missed that you had Nod running with Zonelabs.... [or are you using it as an on-demand scanner only?]. Two resident AV services will conflict, sometimes badly....
Anyway, glad you got sorted. Sigh....

gerbil 216 Industrious Poster

Hello again, sai... please temporarily turn off Teatimer in Spybot S&D, and do this fix before you start with the Vundo dl and fix...
Reg keys/batch file text
==Please copy ALL the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree.... ; if instead it opens in notepad, rclick fixkey.reg and use Open with, registry editor.
____________________________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"= -
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= -
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bgp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IESet]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nihotu]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qzur]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]

______________________________________________________________________________
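To make the meaning of that fix file explicit, here is an added Python example (not part of gerbil's post) that parses text in the "Windows Registry Editor Version 5.00" format and lists what regedit would do with each line: a `[-KEY]` header deletes the whole key, a `"name"= -` line deletes a single value under the current key, and `"name"="data"` sets a value. The sample input is the fix file quoted above plus one constructed `set_value` line under a made-up `HKEY_CURRENT_USER\Software\Example` key, added only so all three forms are exercised.

```python
import re
from typing import List, Optional, Tuple

# Sample input: the fixkey.reg text from the post above, plus one constructed
# "set value" entry (HKEY_CURRENT_USER\Software\Example is not from the post).
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"= -
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= -
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bgp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IESet]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nihotu]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qzur]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
[HKEY_CURRENT_USER\Software\Example]
"Demo"="constructed value"
'''

# (action, key, value_name); value_name is None for whole-key operations.
Op = Tuple[str, str, Optional[str]]

KEY_RE = re.compile(r"\[(-?)(.+)\]")
# A quoted value name, or a bare @ meaning the key's (Default) value.
VALUE_RE = re.compile(r'(?:"([^"]*)"|(@))\s*=\s*(.+)')


def parse_reg(text: str) -> List[Op]:
    """Translate a .reg file into the list of registry operations it encodes."""
    ops: List[Op] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the header, blank lines and ; comments.
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.fullmatch(line)
        if m:
            if m.group(1) == "-":
                # [-KEY] removes the key and everything beneath it.
                ops.append(("delete_key", m.group(2), None))
                current_key = None
            else:
                current_key = m.group(2)
            continue
        m = VALUE_RE.fullmatch(line)
        if m and current_key is not None:
            # "@" in quotes is a value literally named @; a bare @ is (Default).
            name = m.group(1) if m.group(1) is not None else "(Default)"
            data = m.group(3).strip()
            if data == "-":
                ops.append(("delete_value", current_key, name))
            else:
                ops.append(("set_value", current_key, name))
    return ops


def summarize(ops: List[Op]) -> dict:
    """Count operations by action so a fix file can be eyeballed before running it."""
    counts: dict = {}
    for action, _, _ in ops:
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    for action, key, name in parse_reg(REG_TEXT):
        print(f"{action:13s} {key}" + (f"  ->  {name}" if name else ""))
    print(summarize(parse_reg(REG_TEXT)))
```

Reviewing a fix file this way before double-clicking it is a cheap check: the whole-key deletions here are all under msconfig's startupreg list (the "disabled startup item" records, not the Run entries themselves), and the two value deletions target a Run value named `@` and the LSA `Authentication Packages` value, which is why TeaTimer has to be off, since it would otherwise prompt on those registry changes.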

gerbil 216 Industrious Poster

Hello, sai... quite a list of deletions there... And yes, I noticed those files virto, command.exe and iexplorer.dll.dbt in there...
It is breaking my brain, going thru that list.... please delete C:\combofix.txt.
I do not know what your sys-addon is... - if you did not install this then remove it.
Go CP > add/remove pgms, remove [if they exist]:
sys-addon
insider
.... and then follow thru with the rest of this procedure:
Use hijackthis as before to fix these entries:

O2 - BHO: sys-addon - {4CF7C596-C8FF-41d5-88A5-0F1A1A92DDE1} - C:\Program Files\sys-addon\sys-addon.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {D9219BCC-A3AE-4D40-91A8-D66F88479630} - C:\WINDOWS\System32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [Cisz] "C:\Documents and Settings\Owner\My Documents\??curity\n?tepad.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: pmnlk - C:\WINDOWS\System32\pmnlk.dll (file missing)

Delete these files and folders:
C:\Program Files\sys-addon\sys-addon.dll
C:\Program Files\sys-addon\
C:\Program Files\insider\insider.exe
C:\Program Files\insider\
If these prove difficult to delete then either do it from safe mode or use this excellent tool:
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that …

gerbil 216 Industrious Poster

Hello, sai..
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service (cmdService), rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....
Delete the file:
C:\WINDOWS\IA\command.exe

==Is this your work? O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\virto.html
No? Then use hijackthis to fix it: Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\virto.html

Now delete the file: C:\Program Files\Common Files\virto.html

ComboFix:
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
=I see that you once had a vundo infection.... please change the name of hijackthis.exe to imabunny.exe and make …

gerbil 216 Industrious Poster

Your log shows as clean... but this information and reg file may fix your problem..
Home - http://www.dougknox.com/ [so you know who you are dealing with... :)]
Links - http://www.dougknox.com/xp/xp_fixes.html
The link you want - http://www.dougknox.com/xp/fileassoc/linkfile_fix.zip
Dl that file, unzip it and run it; it restores default shortcut and other links in your sys.
Say how you get on...

gerbil 216 Industrious Poster

A bit of trouble in there; because IE will not run for online scans yet try this -
Services:
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service (VAPSV), rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....
Next delete this file: C:\WINDOWS\system32\vapsvc.exe
Copy these two files into your sys and run them in order:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..] [Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can …

gerbil 216 Industrious Poster

Well, yes.. that is what I tried to tell you, shyam... from what you have said C: is your Active partition, and contains your boot files... Lessee.. when you ran setup it would have gone to C: if that is your only Primary partition [it HAS to...], then written boot sector file and copied in Ntldr, Ntdetect.com, and after asking you about where to install XP [E:..] would have written the bootloader file boot.ini in C:.
If you format C: [somehow] your sys will not run.
Go explorer, folder options, view, uncheck Hide protected opsys files. Then check C:\ for those files above... if they are there then do not try to format C:.
If you go CP > computer mgmnt > disk mgmnt you will be able to see which partition is Active: that will be your boot partition [or system volume...] - say which it is..

gerbil 216 Industrious Poster

.

gerbil 216 Industrious Poster

Hello, pr lady.... win32.dll would have to be some third party software, not windows... do a search for it in explorer and check its properties. Then rename it to win32.dll.old
Nothing looks bad on that log, but pls try this [if IE will let you do it...]:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
=delete your copy of hijackthis and..
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer …

gerbil 216 Industrious Poster

You have both AVG AV and an AOL AV service - one must go to avoid problems.

gerbil 216 Industrious Poster

Try downloading another copy... extract ALL the files to your desktop or a scratch directory.... double-click smitfraudfix.cmd - it should run, I just did a fresh dl and tested it for you.

gerbil 216 Industrious Poster

Do persevere, hbk... , but gee, it's time consuming trying to get on top of this stuff.
Butters, that log shows clean... if you are still having a problem with Spyware Doctor jamming on weirdontheweb then ensure C:\Program Files\WeirdOnTheWeb is removed.... AVG AS or Lavasoft's Adaware may detect and clean any remnants, but run this cleaner first:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
OR///
==Get Adaware SE Personal from http://www.lavasoft.de/software/adaware/
- install it. Update it. Explore what settings you can change in it [via the cogwheel icon up …

gerbil 216 Industrious Poster

Possibly..
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ .. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button.
Post both the logs here.

gerbil 216 Industrious Poster

...and this one [its result will add to the showkey file produced by the command in the above post..]:
reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop" /s >> C:\showkey.txt

Actually, I'm not sure why I am following this path, because it is possible that you also had a Smitfraud infection of some sort which changed settings, and there is a superb detection/fix tool for that:
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ .. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!

gerbil 216 Industrious Poster

justlookin, while Chaky is working on that, run this line as you did the other and post the new C:\showkey.txt ...:
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies /s > C:\showkey.txt

gerbil 216 Industrious Poster

Hello, shyam... a bit of confusion in my mind?.... this is how I see things: the way you have partitioned your disk and your saying C: is the primary partition suggests you have one primary and one extended partition [the latter with logical drives].. Only a primary partition may be marked Active, so C: is thus your boot partition with Ntldr, Ntdetect.com and boot.ini; your OS is resident in E: - boot.ini points to E:
There is no way Windows will let you format the boot partition C: because it would lose its boot files.
Now I may be wrong.. please confirm from Computer management /Disk management which partition is marked active....
If I am correct about your disk structure and you use a third party format tool your sys will be unbootable unless you run Windows Setup > Repair...

gerbil 216 Industrious Poster

Ah, jb, i was a babe in the woods back then, still am, check my signature... I would now min suggest a panda scan which would have thrown it up, or Kaspersky... but was put off by the hijackthis report showing file missing....
One day, when I know it all, everything there is to know, I'll light a lil candle and have a quiet celebration...

gerbil 216 Industrious Poster

Umm, hbk, net2phone is ok as an entry generally cos it is a VOIP service, but he's off it cos the files are missing so those two were just put up as fixes for a cleanup... you found the dodgy one, that .exe entry... but a couple of those O2's have CLSID's which don't check out, so they could well have come from malware which may still be resident somewhere else, hence the namechange for hijackthis... [some malwares, esp some Vundo versions, spot hijackthis starting up and immediately hide any registry entries and terminate their runs for the duration - so cunning...]
I mean by that, they were malware entries which still could have installed components. I use imabunny cos way back someone apologised for being so silly as to have picked up vundo that i used that name as a friendly taunt.... she went with it with a return joke n I have simply stuck with it... if they name it SpyShooter or somesuch I may not recognise and would then have to check it out...
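The triage gerbil does by eye in the sai post (the O2/O4/O9/O20 entries with "(no name)", "(no file)" and "(file missing)") and in the post just above (O2 entries whose CLSIDs "don't check out") can be partly automated. The following is an added Python example, not code from the thread or from HijackThis: it parses HijackThis-style log lines and flags the same cheap signals a helper looks for first. The CLSID check here is only a format check (a well-formed GUID), not a lookup against any CLSID database, so a malformed GUID is suspicious but a well-formed one proves nothing. The sample input is the set of lines quoted in the sai post, plus two constructed lines (a benign ctfmon.exe O4 entry and an O2 entry with a deliberately invalid CLSID) added so both outcomes are shown.

```python
import re
from typing import Dict, List

# Constructed sample: the lines quoted in the post above, plus two extra lines
# (the ctfmon.exe entry and the {NOT-A-VALID-CLSID} entry) made up for this example.
HJT_SAMPLE = r"""O2 - BHO: sys-addon - {4CF7C596-C8FF-41d5-88A5-0F1A1A92DDE1} - C:\Program Files\sys-addon\sys-addon.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {D9219BCC-A3AE-4D40-91A8-D66F88479630} - C:\WINDOWS\System32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [Cisz] "C:\Documents and Settings\Owner\My Documents\??curity\n?tepad.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: pmnlk - C:\WINDOWS\System32\pmnlk.dll (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: (no name) - {NOT-A-VALID-CLSID} - C:\WINDOWS\system32\example.dll
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A registry-format GUID: 8-4-4-4-12 hex digits in braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def triage_line(line: str) -> Dict:
    """Parse one HijackThis log line and attach the warning signs it carries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return {}
    section, body = m.groups()
    flags: List[str] = []
    # A BHO or button with no friendly name is unusual for legitimate software.
    if "(no name)" in body:
        flags.append("no name")
    # Registry entry points at a file that is no longer there: leftover or hidden.
    if "(file missing)" in body or "(no file)" in body:
        flags.append("file missing")
    # Anything in braces should be a well-formed GUID.
    for braced in re.findall(r"\{[^}]*\}", body):
        if not CLSID_RE.fullmatch(braced):
            flags.append("malformed CLSID")
    # The file path is the text after the [name] in O4 lines, else the last " - " field.
    if section == "O4":
        path = body.split("]", 1)[1].strip() if "]" in body else ""
    else:
        path = body.rsplit(" - ", 1)[-1].strip()
    path = path.strip('"')
    # '?' is not a legal character in a Windows file name, so its presence means the
    # log could not render a non-ASCII look-alike character (e.g. in "n?tepad.exe").
    if "?" in path:
        flags.append("unprintable char in path")
    return {"section": section, "path": path, "flags": flags}


def triage(text: str) -> List[Dict]:
    """Triage every recognised log line in the given text."""
    return [row for row in (triage_line(l) for l in text.splitlines()) if row]


def flagged(text: str) -> List[Dict]:
    """Only the entries that carry at least one warning sign."""
    return [row for row in triage(text) if row["flags"]]


if __name__ == "__main__":
    for row in flagged(HJT_SAMPLE):
        print(f'{row["section"]:4s} {", ".join(row["flags"]):40s} {row["path"]}')
```

Note what the first sample line shows: the `sys-addon` BHO, which gerbil identifies as unwanted, has a name, a well-formed CLSID and a file that exists, so it raises no flag at all. These heuristics find leftovers and oddities; deciding whether a cleanly-registered component belongs on the machine still needs the kind of judgement the thread shows.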