gerbil 216 Industrious Poster

Wha..?
What happened?

gerbil 216 Industrious Poster

oops, and a fresh hijackthis log too...

gerbil 216 Industrious Poster

Okay, i'll have to let you off on this one- C:\Program Files\ScrSvr Hot Key\Scrn Svr Hot Key.exe :)
May I assume this is your work also [sched task]?- 2007-08-30 14:30:01 C:\WINDOWS\Tasks\F&I Log Backup.job - C:\PROGRA~1\F&ILOG~2\FANDIL~1.EXE

Note that these two sys files are missing...
C:\WINDOWS\system32\chkdsk.exe not present
C:\WINDOWS\system32\ntoskrnl.exe -you must have a 3rd party one?

Use hijackthis to fix this entry:
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - (no file)
- the remainder of the HT log was clean.
The reasons for updates not working are many.... mine do work, and so I tend not to get too interested in its ways. Sorry, I know they can be fickle for some.
Play in the registry with these if you wish....
Two bad keys, unless you like MyWebSearch:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]

These three keys point nowhere?:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\axent]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]

Not required:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)

Cheers, glad you're flying again. [delete all vundofix and combofix files....]

gerbil 216 Industrious Poster

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in safe mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows. Please post C:\rapport.txt
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]

Now for ComboFix: to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan …

gerbil 216 Industrious Poster

Can you start in safe mode? Windows may have been updating a timezone file for its datetime service... but that should have gone ahead unless you did an abrupt or hard shutdown like a plug pull.

gerbil 216 Industrious Poster

Hi, Michael, let's try to see what you have.
Because you had a vundo infection please rename hijackthis.exe to imabunny.exe - this is important.
I should not doubt Norton's expertise, but...
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O4 - HKLM\..\Run: [ScrSvrHK] C:\Program Files\ScrSvr Hot Key\Scrn Svr Hot Key.exe

Delete this file:
C:\Program Files\ScrSvr Hot Key\Scrn Svr Hot Key.exe

==Download this …

gerbil 216 Industrious Poster

Hi.. need much more info than that. So... what file did AVG say the trojan was in?
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log …

gerbil 216 Industrious Poster

Hello, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg SchedulerV2.exe

==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

Now please rerun hijackthis, but in Normal mode!! And stay in this thread, thank you. [your other thread was actually more informative]

gerbil 216 Industrious Poster

Good stuff. Please rerun CCLeaner, then do this:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.

==Please copy the text between the lines to a notepad [no wordwrap] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg" /s >C:\showkey.txt
__________________________________________________________
Then, very importantly...:
== get one of these free firewalls: ZoneAlarm Free, Kerio, Comodo
== get ONE of these free, resident AVs: AVG FRE, Avast, Avira

AVG Free 7.5 at http://free.grisoft.com/doc/5390/lng/us/tpl/v5
Avira personal free at http://www.free-av.com/
Avast home edition at http://www.avast.com/eng/avast_4_home.html

Post the panda log, showkey.txt, and say how things are....

gerbil 216 Industrious Poster

Yellow, new thread buttons are at top and bottom of virus thread page.

gerbil 216 Industrious Poster

Yep, search for and delete system32.exe, and/or stop Spybot putting it up.
gopher is a network file transfer protocol in the same way that http is.... it still exists, but was overtaken in popularity by www years ago. The setting is there so that IE can recognise it - I dunno why HT is throwing yours up... run this:
==Please copy the text between the lines to a notepad and save as showkey.bat, as type "all files" to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes" >C:\showkey.txt
__________________________________________________________

gerbil 216 Industrious Poster

windows will automatically replace protected system files from its cache.
If you doubt a file, check its properties, if you still doubt it, submit a copy to that scanner address I gave you above...

gerbil 216 Industrious Poster

abhi, hello.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log.

Please start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

C:\Program Files\Messenger\mezepod22011.exe
O2 - BHO: (no name) - {4518BD6B-451A-4877-B42D-8D9AE5DC5257} - C:\WINDOWS\system32\vturs.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\flayqwwd.dll
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\opnllml.dll
O4 - HKLM\..\Run: [{F8-86-60-0F-ZN}] C:\Documents and Settings\ABHILASH\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [mezepod] C:\Program Files\Messenger\mezepod22011.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\ABHILASH\Local Settings\Temp\thinksnet.exe
O20 - Winlogon Notify: opnllml - C:\WINDOWS\SYSTEM32\opnllml.dll

gerbil 216 Industrious Poster

that sounds terribly tricky..... is it black as it runs BIOS?

gerbil 216 Industrious Poster

There are many of em, but the ones you want are listed in your HT log...
Most of them are necessary. If you don't have OFFICE and wish to stop ctfmon you must uncheck Language Bar in your Taskbar properties [rclick it].
I think realsched will reload next time you use the player - check the options in it.
Leave the others alone to prevent... um... issues..
nerocheck tests for conflicting software running, pctspk is your modem, syntp... is for your touchpad..

gerbil 216 Industrious Poster

empty keys, you mean? don't worry about them... just look at the overall size of the registry and see how insignificant a couple of null entries are. But cannot delete ANYTHING from reg? Post the keys [export them..]

gerbil 216 Industrious Poster

system32\wscntfy.exe: vsn 5.1.2600.2180 size 13.5kb.
There will be another copy in system32\dllcache [this is normally hidden]
There can NOT be multiple copies of it in system32.

gerbil 216 Industrious Poster

Ignore wscntfy and svchost, they are fine. Svchost generally has multiple instances running as it handles threads from different applications.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - Startup: MagicDisc.lnk.disabled
O4 - Startup: TA_Start.lnk.disabled
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: http://www.rr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://www.help.rr.com/Foundrysdccom...ad/tgctlar.cab
O22 - SharedTaskScheduler: depreciable - {716002db-288c-4bf0-80cd-a467e78d8b55} - C:\WINDOWS\system32\dxovx.dll (file missing)

LSPFIX:
==Download LSPfix from here http://cexx.org/LSPFix.exe -start it by dclicking the .exe....
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "tmwsock.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.
Delete these files :
C:\WINDOWS\system32\tmwsock.dll

Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log plus a fresh hijackthis scan …

gerbil 216 Industrious Poster

Force of habit made me put C: instead of I:, but I'm sure you were on top of that one.
Nothing shows in that log... so now I can only guess. Does TM show CPU usage climbing on any particular process just b4 freeze? Does it freeze when you use the sys in safe mode [you can start the explorer shell there instead of the cmd.exe shell which normally runs by going Start, run, explorer.exe]...
If this is a recent phenomenon I would consider uninstalling recently added software, it may even be a driver... always worth restoring to a prior date [you can revert if not fixed].
Sorry, I'm out. But pls post when you find the solution.

gerbil 216 Industrious Poster

Use hijackthis to fix this entry:

O4 - HKLM\..\RunServices: [firef0x log] firef0x.ex

Delete this file:
C:\WINDOWS\system32\firef0x.exe
-you may need this:
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Say how things are...

gerbil 216 Industrious Poster

Show hidden files and folders in folder options, CP; your hosts file is at windows\system32\drivers\etc\hosts
You may need to run this to see it:
Start, run, paste in this and press enter:
attrib -s -r -h %windir%\system32\drivers\etc\hosts
You can also view it with hijackthis, misc tools, hosts file manager...

gerbil 216 Industrious Poster

S'orrite... :)

gerbil 216 Industrious Poster

Please delete these files:
C:\WINNT\system32\svbhost.exe
C:\zjvjavz3.sys
-you may do it in safe mode if they won't delete, else use this:
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
If you have the icons for those items but clicking them does not work then dl this file, unzip it and dclick linkfile_fix.reg to run.
http://www.dougknox.com/xp/fileassoc/linkfile_fix.zip

gerbil 216 Industrious Poster

Please run this to follow up.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
You may as well do this also: Reg keys/batch file text
==Please copy the text between the lines to a notepad and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" >C:\showkey.txt
__________________________________________________________

gerbil 216 Industrious Poster

Hello, Azriel.
You must remove either AVG7 or Symantec AV -simply, two resident AV services will conflict.
Realistically, more than one Antispyware service running will just slow your sys down; you have Spyware Doctor, Spybot, AVG AS, Defender......
But the log is clean to me. Loaded, but clean.

gerbil 216 Industrious Poster

Try this scanning site: http://virusscan.jotti.org/ - either paste into the box the pathname of each file [eg C:\windows\system32\wscntfy.exe] or browse to them. Post the results.
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. ]
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Post a hijackthis log:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button.

gerbil 216 Industrious Poster

The first one I find interesting [the O14 entry]- do you use this site? If you are happy with it, drop it from the fix list:

O14 - IERESET.INF: START_PAGE_URL=www.naver.com
O16 - DPF: {325AB8C2-1609-4040-948F-697D52D4CF2B} -
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum455.txt

Start hijackthis, select Scan Only, place checkmarks against all the entries listed above that still exist, and then press Fix Checked.
Good, now delete this file:
C:\WINDOWS\system32\hrum455.txt
If it plays hard, delete it in safe mode or use this:
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
With this tool you can either unlock a file and delete it normally, or use delete from the drop down menu.
Say how your sys is...

gerbil 216 Industrious Poster

Only old traces of malware in that log. Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {A84033D9-A008-461C-A9D6-7E7250B7912C} - (no file)
O2 - BHO: (no name) - {C4F9A2C4-4D8B-4A69-AE10-C35D3B313C01} - (no file)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - (no file)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - (no file)
O20 - Winlogon Notify: ddcaa - C:\WINDOWS\System32\ddcaa.dll (file missing)
O20 - Winlogon Notify: iifeecd - iifeecd.dll (file missing)
O20 - Winlogon Notify: tustq - C:\WINDOWS\System32\tustq.dll (file missing)

These next are dependent upon you; the two O9's link you to a webpage that connects you to an MSN Alexis search engine - your choice, you may use it, I don't know. It's not a problem.
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

These downloads will fit on a couple of floppies, or a thumb drive... copy into the pc.
I can see that you had a vundo infection, and I do not know how you removed it... so we may as well check this. Please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click …

gerbil 216 Industrious Poster

Just fix that R0 entry n you should be ok, ignore the batch file.. Good work on the web page removal from your desktop.

gerbil 216 Industrious Poster

:0
Fix this entry with hijackthis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2

Reg keys/batch file text
==Please copy the text between the lines to a notepad and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" >C:\showkey.txt
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" >>C:\showkey.txt
__________________________________________________________
..make sure notepad format wordwrap is not checked.

gerbil 216 Industrious Poster

Mmm... I'm afraid I cannot help with the MSN messenger issue- I disabled mine and am totally unfamiliar with it. I imagine it has a message cache somewhere under your user settings [in docs n setts]. I am sure there would be config settings also to determine whether it autostarts or prompts you about unread msgs in the cache.
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
-this reg entry starts it at Windows start after you log in.

gerbil 216 Industrious Poster

You MUST uninstall either AVG or Norton resident AV services. Now. They interfere with each other. [To remove Norton you should use the cleanup tool from their website.]
Done that? Good, now start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {68B716B5-A06F-4738-B07C-DE1244B3E0ED} - (no file)
O2 - BHO: (no name) - {EAB14E04-B709-4C3B-AFE0-501B55E43AE6} - (no file)
O2 - BHO: (no name) - {F762FB4D-4539-4FEC-B3D6-8D5F332DC67A} - (no file)
O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINNT\System32\mmsvc32.exe
O4 - HKLM\..\Run: [Spools Service Controller] C:\WINNT\System32\spools.exe
O20 - Winlogon Notify: ljjkhhe - ljjkhhe.dll (file missing)
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINNT\system32\dllcache\ivchost.exe (file missing)

Go start, run, type cmd -press Enter; paste this line into the window after the prompt, press Enter and close the window:

sc delete mshexdefx

Delete these files:
C:\WINNT\System32\mmsvc32.exe
C:\WINNT\System32\spools.exe
-if they play tough either do it in Safe mode or use this tool:
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
==Restart your computer …

gerbil 216 Industrious Poster

Uninstall BearShare.
Right, pls fix these with hijackthis:

O2 - BHO: (no name) - {242D5BFE-64E9-4A48-8056-F691B44FD931} - C:\WINDOWS\system32\awvtq.dll (file missing)
O2 - BHO: XBTP01621 - {F6104497-54FD-4688-9162-5115CC8AB0FB} - C:\PROGRA~1\BEARSH~1\BEARSH~2\tbu02553\MediaBar.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\tbu02553\MediaBar.dll
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZZ
O9 - Extra button: Go to Blink - {95F6242A-62E4-4756-892F-F5D5D399CA25} - C:\Program Files\Blink\home.js
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Magic%20Academy/Images/stg_drm.ocx
O20 - Winlogon Notify: wvurqoo - wvurqoo.dll (file missing)

Good. Now to check a couple of services were deleted: Blink Service & DomainService ...
Go Start, run, type services.msc -and press Enter. Maximise the window and select Extended tab at foot, scroll to the specific service and if it exists, rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....

SDFix:
==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
==Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.

gerbil 216 Industrious Poster

oops, and pls post the fixwareout log also... and we DEFINITELY have more to fix. Back in a while...
But be proud! Cos you have shot straight to the top of my Vundo infections and Combofix deletions leader boards... hehehe... I tell you, once we finish this cleanup your sys will weigh maybe half what it did.

gerbil 216 Industrious Poster

That is a clean log. But you MUST decide between Avast or AVG for a resident AV - you may run only ONE resident AV service. Uninstall the other.
Is everything else okay [after you uninstall one AV and restart..]?

gerbil 216 Industrious Poster

They look fine... on the way out the pings went quite directly to the target sites via various carriers, and that is fine. Google got bounced about a bit on the way back to you, but no problem there -it's how the web works, packets find the more direct and non-loaded path. You're fine.
Cheers.

gerbil 216 Industrious Poster

Cool! I c nothing else that could upset your sys in those startup entries. The icon... dunno, it may just be your ISP's way of showing you a broken search. The icon came with your ISP's software. If you wish to fool around a bit to check no unwanted redirection is occurring try tracing a connection to a local website, one in your town.
Go Start, run, type cmd -press Enter. Type in:
tracert www.google.com -press Enter. You'll get a list of providers which the connection goes thru. Now to google it would have several junctions to go by..... hence try a local website. [don't include the http:// bit]
Anyway, if you are happy, hit the solved button.
Cheers.

gerbil 216 Industrious Poster

Haha!! you beat me to it... ignore my script then.... :) What are things like now?

gerbil 216 Industrious Poster

Okay, here: save this text between the lines as URLPrefixes.reg in a notepad on your desktop, dclick it to run it. And that will remove that entry [the script removes the entire subkey and then recreates it with the correct values]
_______________________________________________________________________
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

_______________________________________________________________________

[you may have to rclick the icon and select Open with> registry editor for it to run....]

gerbil 216 Industrious Poster

That entry in registry I asked for is to be cleaned up - every time you enter a URL you go via that site to the site you wished for... I think that's how it works.
So... because it has no name I would have to delete all the keys entries n recreate the valid ones, but it would be simpler for you to go to that key n do it manually:
Go Start, run, type regedit -and press Enter.
Navigate to this key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes and lclick Prefixes.
In the right pane select the entry [in the lefthand column] with no name and delete it. If you cannot select the "no name" entry delete the data on the right column. Close the window.
If it sounds difficult I can whip up a script for you.
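The same check done mechanically, as an added example that is not part of the thread or of gerbil's URLPrefixes.reg script: it parses a .reg export of the Prefixes key and reports an unnamed (default) value, values with unexpected names, standard names whose data has been altered, and standard names that are missing. The expected set is the one the script posted above recreates (assumption: that is the complete content of a healthy key), the export below is constructed, and the redirect host in it is a placeholder.

```python
"""Audit a .reg export of IE's URL Prefixes key for the unnamed redirect value.

Added example; not part of the thread and not gerbil's script.
"""
import re

PREFIXES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes"

# The value set the thread's URLPrefixes.reg recreates (assumption: that is
# the complete expected content of the key).
EXPECTED_PREFIXES = {"ftp": "ftp://", "gopher": "gopher://", "home": "http://",
                     "mosaic": "http://", "www": "http://"}

# Constructed export of a hijacked key. In .reg syntax the unnamed (default)
# value is written as "@"; the redirect host is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
@="http://redirect.example.invalid/go?u="
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"
"""

# Either "@=" (default value) or a quoted value name, then "=" and the data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Undo .reg escaping of backslash and double quote inside a quoted string."""
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Map key path -> {value name: data}; '' is the unnamed default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")  # "[-KEY]" is a delete line; tracked the same way
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unquote(m.group(1))
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unquote(data)  # dword:/hex: data is kept as written
        keys[current][name] = data
    return keys


def audit_prefixes(text):
    """Findings for the Prefixes key, each a (tag, detail) pair."""
    values = parse_reg(text).get(PREFIXES_KEY, {})
    findings = []
    if "" in values:
        # The entry the thread says to delete: IE completes an address typed
        # without a scheme from these prefixes, so a poisoned default sends
        # the request "via that site" first.
        findings.append(("unnamed-default", values[""]))
    present = {}
    for name, data in values.items():
        if name == "":
            continue
        present[name.lower()] = data
        expected = EXPECTED_PREFIXES.get(name.lower())
        if expected is None:
            findings.append(("unexpected-name", f"{name}={data}"))
        elif data != expected:
            findings.append(("altered-data", f"{name}={data}"))
    for name in EXPECTED_PREFIXES:
        if name not in present:
            findings.append(("missing", name))
    return findings


if __name__ == "__main__":
    for tag, detail in audit_prefixes(SAMPLE_REG):
        print(f"{tag:<16} {detail}")
```

To use it on a real machine, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes" prefixes.reg` and feed the file's text to `audit_prefixes`; `reg export` writes UTF-16, so open it with that encoding. An empty findings list means the key matches the repair script's contents.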

gerbil 216 Industrious Poster

That Panda detection is for a file in the hijackthis backups folder -it exists so that you can reverse fixes made with hijackthis. You may safely delete it.
If you have trouble deleting any other files, I suggest you get Unlocker 1.8.5.
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Avenger is a tool that will deal with folder deletion, but if you empty them of files they go easily.

gerbil 216 Industrious Poster

Yes.

gerbil 216 Industrious Poster

That looks clean. I don't know what happened to efffge.dll; I think we may assume that Vundofix removed it. Vundofix does occasionally appear to get a little upset by its task, but it does the job nevertheless.
I am afraid that the unread messages part is invisible to me - something you configured, perhaps? Or is it a result of malware, an ad?
If so...
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs]
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

gerbil 216 Industrious Poster

Bloody hell! What a mess!
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings.... In Control Panel select Network and Internet Connections, rclick on your default connection, usually Local Area Connection for cable and DSL, and lclick on Properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.134 85.255.112.104
O21 - SSODL: wmpenv - {76765F30-4AD5-4C93-AC60-5E39E3C75958} - C:\WINDOWS\wmpenv.dll
O21 - SSODL: wmpconf - {C83B7B5F-4943-4B86-8FE8-AB6FDBF47F2D} - C:\WINDOWS\wmpconf.dll
O23 - Service: Blink Service - Unknown owner - C:\Program Files\Blink\blink.exe" …
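As an added defender-side example (not from gerbil's post, and not part of HijackThis itself), a small Python triage that applies the checks the post walks through by hand to HijackThis-style lines: O17 NameServer entries outside private ranges, O21 SSODL entries, orphaned entries and Run keys launching from a Temp folder. The sample lines are constructed after the ones quoted above; TRUSTED_DNS is an assumed, empty allowlist.

```python
import re
import ipaddress

# Constructed sample, modelled on the HijackThis lines quoted in the posts above.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.113.134 85.255.112.104
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 192.168.1.1
O21 - SSODL: wmpenv - {76765F30-4AD5-4C93-AC60-5E39E3C75958} - C:\\WINDOWS\\wmpenv.dll
O4 - HKLM\\..\\Run: [Uninstall_CToolbar] "C:\\Windows\\Temp\\CTun.exe" "/remove"
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [Motive SmartBridge] C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe
"""

# Public resolvers the owner knowingly uses (assumption: none here; add your ISP's servers).
TRUSTED_DNS = set()

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def suspicious_nameservers(line):
    """Return resolver IPs in an O17 line that are neither private nor on the allowlist."""
    if not line.startswith("O17 ") or "NameServer" not in line:
        return []
    bad = []
    for ip_text in IPV4.findall(line.split("=", 1)[1]):
        ip = ipaddress.ip_address(ip_text)
        if not ip.is_private and ip_text not in TRUSTED_DNS:
            bad.append(ip_text)
    return bad


def triage(log_text):
    """Map each suspicious log line to the reason it was flagged."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ns = suspicious_nameservers(line)
        if ns:
            findings[line] = "NameServer points off-network: " + " ".join(ns)
        elif line.startswith("O21 "):
            # Shell service objects that load a DLL at logon are rare outside malware (heuristic).
            findings[line] = "SSODL entry loads a DLL at logon"
        elif "(no file)" in line or "(file missing)" in line:
            findings[line] = "orphaned entry, target missing"
        elif line.startswith("O4 ") and re.search(r"\\Temp\\", line, re.IGNORECASE):
            findings[line] = "Run key launches from a Temp folder"
    return findings
```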

gerbil 216 Industrious Poster

Please stop.. :)
I'm going to work on the one in the other thread, cos it has a header...

gerbil 216 Industrious Poster

This is your main pest: C:\WINNT\svchost.exe
But I see that you have MyWay Search Assistant. We can get rid of it first off..
First see if it is listed in Add/Remove pgms list - remove it if able, then..
Go start > run, paste:
MsiExec.exe /X {78d944d7-a97b-4004-ab0a-b5ad06839940} -and Enter. If it is found click yes at the prompt.
Next delete the MyWay files/folder in Program Files [use myway as a search string...].
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

F3 - REG:win.ini: load=C:\WINNT\svchost.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)

Good, now delete the file C:\WINNT\svchost.exe
-if it plays tough you can do it via hijackthis options [Misc Tools section], or in safe mode, or use this:
==This one is a general purpose …

gerbil 216 Industrious Poster

It does look like you removed CreateToolbar via Add/Rmv pgms.... your problem would be cos of the Run key which sets the uninstaller to work on restart, but if it did, it left the key in the registry. Remove it:
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Uninstall_CToolbar] "C:\Windows\Temp\CTun.exe" "/remove"

Now delete the file:
C:\Windows\Temp\CTun.exe
-it's possibly already gone...
Actually, would you please rename hijackthis.exe to imabunny.exe [this is important] and make a fresh hijackthis scan for us?
[that O2 entry is bugging me]

gerbil 216 Industrious Poster

==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
To actually give a guide to remove any undesirable entries while not able to see your log would be.. um.. quite complex.

gerbil 216 Industrious Poster

Actually, I would like to see that vundofix log [C:\vundofix.txt] if you still have it cos I noticed that combofix picked up several vundo files.. just for my information..

gerbil 216 Industrious Poster

Chkdsk from command prompt? Try running it from Recovery Console instead; you will need an XP installation disk, anybody's will do..
If it won't run, the drive is toast.
When the new drive is installed you could try slaving the old drive to see what happens.