gerbil 216 Industrious Poster

CPU usage only 24%? Errr, what's it doing, launching a space shuttle? Lessee, as I type, playing some music, mine is 5%. No music, bout 1%... Check your network traffic while it is [you consider] idle. Course, that does not catch all malware being active, cos some are smart enough to shut themselves down while you are not active on the net.

gerbil 216 Industrious Poster

Great stuff, hit the solved button when you think it is..
Cheers.

gerbil 216 Industrious Poster

==Please copy the text between the lines to a notepad and save as showkey.bat, as type "all files" to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes" >C:\showkey.txt
__________________________________________________________
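Added example, not from the thread: a Python check that reads the showkey.txt dump the batch file above produces and compares each prefix with the stock Windows XP values. The prefixes are what Internet Explorer prepends to a bare hostname, so a changed one silently redirects every such address; the sample dump is constructed, and its www data is a made-up stand-in for a hijacked prefix.

```python
"""Check a saved `reg query` dump of the URL\\Prefixes key against the values
Windows ships with.  Added example, not from the thread: the sample dump is
constructed and its 'www' data is a made-up stand-in for a hijacked prefix."""
import re
from typing import Dict, List, Tuple

# Stock values under HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes.
# The unnamed default value prints as "<NO NAME>" (reg.exe 3.0) or "(Default)".
STOCK_PREFIXES: Dict[str, str] = {
    "(Default)": "http://",
    "ftp": "ftp://",
    "gopher": "gopher://",
    "home": "http://",
    "mosaic": "http://",
    "www": "http://",
}

# Constructed C:\showkey.txt; only the www line deviates from stock.
SAMPLE_DUMP = """! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\URL\\Prefixes
    <NO NAME>   REG_SZ  http://
    ftp REG_SZ  ftp://
    gopher  REG_SZ  gopher://
    home    REG_SZ  http://
    mosaic  REG_SZ  http://
    www REG_SZ  http://hijack.example.invalid/?go=
"""

# value lines are indented: <name> <type> <data>, separated by tabs or spaces
_VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> Dict[str, str]:
    """Return {value_name: data} for the REG_SZ values in a reg query dump."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, kind, data = m.groups()
        if kind != "REG_SZ":
            continue
        if name == "<NO NAME>":
            name = "(Default)"
        values[name] = data.strip()
    return values


def find_anomalies(values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(name, found, expected) for every deviation from stock: changed data,
    a value name Windows never ships (expected ''), or a stock name missing."""
    out: List[Tuple[str, str, str]] = []
    for name, data in values.items():
        expected = STOCK_PREFIXES.get(name)
        if expected is None:
            out.append((name, data, ""))
        elif data.lower() != expected:
            out.append((name, data, expected))
    for name, expected in STOCK_PREFIXES.items():
        if name not in values:
            out.append((name, "<missing>", expected))
    return out


if __name__ == "__main__":
    for name, found, expected in find_anomalies(parse_reg_query(SAMPLE_DUMP)):
        print(f"{name}: found {found!r}, expected {expected!r}")
```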

gerbil 216 Industrious Poster

Cries quietly....

gerbil 216 Industrious Poster

Something has locked your Hosts file, possibly an application, possibly the pest. Unlock hosts exists in Zonealarm, firewall, advanced, or Spybot.
In Spybot, click Tools, Hosts File, uncheck "Lock Hosts file read-only as protection against hijackers"
Or just...[ but a Spybot setting may over-ride this command....] do this:
Go Start, run, type cmd -press Enter. Paste this line into the window at the prompt, press Enter, close the window.

attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS

Now try HostsXpert.

gerbil 216 Industrious Poster

Glad it worked for you.
Cheers.

gerbil 216 Industrious Poster

Sorry, I really thought combofix would grab this one....
Okay, fix these:

O4 - HKLM\..\Run: [{D1-19-9E-EE-ZN}] C:\windows\system32\lpdsrngk.exe CHD003
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

Good, delete this file:
C:\windows\system32\lpdsrngk.exe

If it plays tough, use this:
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

gerbil 216 Industrious Poster

svchost.exe handles processes called from dll's by services you are running - the number of svchost's showing in TM at any particular time varies according to the services you have running.
The actual file - yes, there should only be a copy in system32 and one in I386 [sometimes in the latter the files are compressed inside cab files]
Yep, the first part was just cleaning out idle reg keys.
Fix this one also:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Delete Combofix and C:\Qoobox, C:\combofix.txt. Because it found a vundo infection you could try a quick scan with Vundofix; change the name of hijackthis.exe to imabunny.exe:
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!! Check the Vundofix log for any found …

gerbil 216 Industrious Poster

Reg keys/batch file text - this will do the trick instead of cmd.
==Please copy the text between the lines to a notepad and save as rmvkey.bat, as type "all files", to your desktop; dclick it to run.
__________________________________________________________
Windows Registry Editor Version 5.00

[-hkey_classes_root\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}]
__________________________________________________________

...and yes, go ahead and delete that file also..
Further, you should run this also:
==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan. Post any positive result.

gerbil 216 Industrious Poster

I can't see what AVG has quarantined, but you should be on safe ground emptying the bin.
Please change the name of hijackthis.exe to imabunny.exe.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {424819DB-DA6B-DD99-1C10-FB8DB150809D} - C:\WINDOWS\system32\njpst.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
...and EVERY O15 entry!!

Good.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply with a fresh hijackthis scan.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

gerbil 216 Industrious Poster

Um, Vista... right.....
First off pls check the properties of this file: C:\WINDOWS\SMINST\launcher.exe
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

Next, pls rename hijackthis.exe to imabunny.exe and produce a fresh log.

gerbil 216 Industrious Poster

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)

Go Start, run, type cmd -press Enter, paste into the window at the prompt the following line, press Enter and close the window:

sc delete maya70docserver

Okay, now for the real pest....
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply with a fresh hijackthis scan.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
And either:
==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan. [this is quicker...]
or...
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through.... [this is slower..]
Post the kaspersky scan result, plus C:\Combofix.txt and a fresh hijackthis scan.

gerbil 216 Industrious Poster

Did McAfee tell you what file the virus is in?
First do a cleanup.
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
Restart in Safe mode with Networking and try this online virus scan....
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

I see you have Dell's MyWay and SearchAssistant. If you would like to be free of them....
First see if it is listed in Add/Remove pgms list - remove it if able, then..
Go start > run, paste:
MsiExec.exe /X {78d944d7-a97b-4004-ab0a-b5ad06839940} -and Enter. If it is found click yes at the prompt.
Next delete the MyWay files/folder in Program Files [use myway as a search string...].

gerbil 216 Industrious Poster

ur using a linux boot loader. Where's jb when you need him?

gerbil 216 Industrious Poster

Ok. go Start, run, type:
cmd -and press Enter. Paste in this line and enter it; close the window:

reg delete "hkcr\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}" /f

And delete this file:

C:\Documents and Settings\Alvaro Morales\Configuración local\Datos de programa\Wildtangent\Cdacache\00\00\0C.dat
...and that should be all. Say how things are...

gerbil 216 Industrious Poster

If the Safe mode with Networking option does not allow you to use links etc then it would have to be a deepseated piece of malware that is being problematic, or else a corruption of your sys..

gerbil 216 Industrious Poster

A naked XP!! You were a sitting duck for this!! It is just FOOLHARDY to not have SP2. So now you've got worms.
=Rename the Hijackthis.exe to imabunny.exe.
=Please download HostsXpert v4 from: http://www.funkytoad.com/content/view/13/31/ and extract it to your Desktop.
=Click the Restore MS Hosts Button and then click OK and exit HostsXpert.

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Okay, please run HT again and repost with the fixwareout and combofix logs.

gerbil 216 Industrious Poster

In Add/remove pgms uninstall MessengerPlus3. If you really want it then afterwards reinstall the software but WITHOUT the added "sponsor" - it's LOP adware.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Startup: Filtrar.lnk = C:\Archivos de programa\Filtrar\Regpsvc.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe" /WinStart

Good, now delete this file:
C:\Archivos de programa\Filtrar\Regpsvc.exe

To get a handle on the virus Mcafee reported would you please:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

dragonflei... that fixwareout log is fine, pity about the pandascan... Do you have another browser, like Firefox or Opera? It would be nice to know if they work with links.
Btw, you could just delete that Winantispyware file, and any others you see.
Try to enter Safe mode and see if System Restore works from there - you are given the option just before actual safe mode starts. No? Then inside Safe mode is LKG [last known good config..] but I doubt that will solve things.
You could run System File Checker because it does sound like some of your sys files are corrupted - you go Start, run and type:
sfc /scannow -and press Enter.
If it turns out to be file and registry corruption then I cannot think of another option but to run Windows Repair via Setup if you have the installation CD. You won't lose your data files or software applications and their settings, but if possible via Safe Mode you should copy out your really important files..

gerbil 216 Industrious Poster

Ok, then this should pick it up:[instructions are on the web page]. Please post the text file.
http://www.silentrunners.org/sr_scriptuse.html

gerbil 216 Industrious Poster

I love fooling round in the dark. Lessee, try this:
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon …

gerbil 216 Industrious Poster

Sure it's a virus? Test your ActiveX support here:
http://pcpitstop.com/testax.asp -you gotta use IE for this, FF n Opera don't use ActiveX.
If that is not it...
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. ]
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

gerbil 216 Industrious Poster

Panda removes viruses it finds, but only points out instances of spyware, but that is good enough.
Delete this file:
C:\Program Files\MSN Messenger\riched20.dll
- you should not need this, but here it is anyway: Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

Now to delete this CLSID: you can either navigate to it in your registry and delete the subkey [CLSID entry]:
hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
-or you can run this: Go Start, run, type cmd -and press OK. Paste this line into the window at the prompt and press Enter:

reg delete "hkcr\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}" /f

Close the window. Say how your sys is after a restart....

gerbil 216 Industrious Poster

Vundofix: this is a very important line in the instructions:
!! Check the Vundofix log for any entries that were not deleted - if present rerun Vundofix !!
Note that the scan found six other files but made no attempt to delete them.
Pls rerun Vundofix in Safe mode, twice or more will not hurt; if it still makes no attempt we shall try something else.

gerbil 216 Industrious Poster

..the combofix run in normal mode was fine. Delete C:\Qoobox.
Vundofix: this is a very important line in the instructions:
!! Check the Vundofix log for any entries that were not deleted - if present rerun Vundofix !!
Note that the scan found C:\WINDOWS\efffge.dll but made no attempt to delete it.
Pls rerun Vundofix, twice will not hurt; if it still makes no attempt we shall try something else. Hang on, let's try to cripple these first...
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {2a5e79a8-fccf-43fc-b80f-99515372731e} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - AppInit_DLLs: c:\windows\system32\mljjijj.dll
O20 - Winlogon Notify: lzextat - lzextat.dll (file missing)

Good, now try to delete c:\windows\system32\mljjijj.dll
-this may help: Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Okay, now run Vundofix.....

gerbil 216 Industrious Poster

.

gerbil 216 Industrious Poster

AVG7 does me. Lessee... doesn't hog resources, reliable and quick updating...

gerbil 216 Industrious Poster

It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!! Check the Vundofix log for any entries that were not deleted - if present rerun Vundofix !!

= dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Post the contents of C:\vundofix.txt, …

gerbil 216 Industrious Poster

It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!! Check the Vundofix log for any entries that were not deleted - if present rerun Vundofix !!

= dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

=Start hijackthis, select Scan Only, …

gerbil 216 Industrious Poster

MyWebSearch Search Assistant - Go to Add/Remove programs and remove MyWebSearch Bar, MyWeb Search and Search Assistant.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZJxdm027YYUS

And then as for the Mcafee problem, all I can suggest is uninstalling/reinstalling.

gerbil 216 Industrious Poster

Gerardo, you still have AVG7 running along with Norton. You MUST remove AVG7 cos two AV services can be very detrimental to performance. Apart from that nothing bad shows in that log - pls try this scan after cleaning...
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs]
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

Paul, it is sufficient to just visit some sites for an unwelcome dl. Or do a mouse-over on a [hidden] link, dl a picture with hidden content.... anything really. I don't know the specifics of your particular pest.
Glad you are running again. Get Spywareblaster; it's free, and updated will block thousands of bad sites, sites you just would not wish to visit unless you want real problems [i'm not talking censorship here, just safety..]

gerbil 216 Industrious Poster

ello, gerardo, first off you gotta get rid of one of those resident AV's; since you are paying for Norton I suggest you fire AVG7. Now.
MyWebSearch Search Assistant - Go to Add/Remove programs and remove MyWebSearch Bar, MyWeb Search and Search Assistant.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxdm414YYAR
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
{85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

If you do not want Tosh to be your main web page fix these two entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

Good, say what happens.

gerbil 216 Industrious Poster

Okey-doke. Good stuff.

gerbil 216 Industrious Poster

Ah, ok. That file, C:\ygbwmcti.bat is in what is called the root of the C: drive, is all - the main directory if you like, not in a folder..... It's just called the root of C:
Glad things seem smooth now.

gerbil 216 Industrious Poster

Tinahakina, rclick ur desktop in a clear space [not on an icon etc], properties, desktop, customise desktop, web; select and delete those pages there....

gerbil 216 Industrious Poster

hello, kained, please start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [mpeg heck log link] C:\Documents and Settings\All Users\Application Data\Joy coal mpeg heck\setup jugs.exe
O4 - HKLM\..\Run: [bib bat meet link] C:\Documents and Settings\All Users\Application Data\film start link joy\Joy wait ping.exe
O4 - HKCU\..\Run: [AudioMeet] C:\DOCUME~1\Dave\APPLIC~1\NAMETI~1\1one.exe

==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner.]
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here, along with a fresh hijackthis scan plus your comments.

gerbil 216 Industrious Poster

tinahakina, if you just do the following it should help. Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [p73O3nW] ifmdle.exe
O4 - HKLM\..\Run: [Winzip Taskmngr] C:\update.exe
O4 - Startup: PowerReg Scheduler V3.exe

Then delete these files:
C:\update.exe
Delete this directory:
C:\Program Files\powerreg

In addition you could run ComboFix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Post that log plus a fresh hijackthis log with your comments also.

gerbil 216 Industrious Poster

Paul, use hijackthis to fix this entry:
O4 - HKLM\..\Run: [ebftegwy] C:\ygbwmcti.bat
-then go into C: root and delete the file.
-the remainder of your log shows clean.
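The O-lines this thread keeps asking posters to fix share a few tells: targets that no longer exist, Run entries pointing at the drive root or at a bare filename, O20 hooks, and gibberish names. As an added example (not from the posts or from HijackThis), this Python triage script parses such lines and lists those tells; the sample log is drawn from entries quoted above plus one constructed clean O23 line, and the scoring rules are heuristics of my own.

```python
"""Triage helper for the HijackThis 'O' entries quoted throughout this thread.
Added example, not from the posts or HijackThis; the rules are my heuristics."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Entries copied from the posts above, plus one constructed clean O23 line
# ("Example Updater") for contrast.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [{D1-19-9E-EE-ZN}] C:\\windows\\system32\\lpdsrngk.exe CHD003
O4 - HKLM\\..\\Run: [ebftegwy] C:\\ygbwmcti.bat
O4 - HKLM\\..\\Run: [p73O3nW] ifmdle.exe
O4 - HKCU\\..\\Run: [MessengerPlus3] "C:\\Archivos de programa\\MessengerPlus! 3\\MsgPlus.exe" /WinStart
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\\Program Files\\PartyGaming\\PartyPoker\\RunApp.exe (file missing)
O20 - AppInit_DLLs: c:\\windows\\system32\\mljjijj.dll
O20 - Winlogon Notify: lzextat - lzextat.dll (file missing)
O23 - Service: Example Updater (exupd) - Example Corp - C:\\Program Files\\Example\\exupd.exe
"""

_LINE_RE = re.compile(r"^(O\d+) - (.*)$")
_O4_RUN_RE = re.compile(r"^HK\S*\\\.\.\\Run\w*: \[([^\]]*)\]\s*(.*)$")
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
_VOWELS = set("aeiou")


@dataclass
class Entry:
    section: str
    raw: str
    target: str                       # file the entry points at, "" if none
    reasons: List[str] = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Heuristic for generated names such as 'lpdsrngk' or 'ygbwmcti': five or
    more letters with under 30% vowels, or a run of four consonants.  Real
    abbreviations ('MsgPlus') trip it too, so a hit means 'look closer'."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c in _VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.3 or longest_run >= 4


def first_path(command: str) -> str:
    """Pull the executable out of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|bat|cmd|com|scr|pif|dll))(?:\s|$)", command, re.I)
    return m.group(1) if m else (command.split()[0] if command else "")


def triage_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; None for anything that is not an O entry."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    section, details = m.groups()
    dead = "(file missing)" in details or "(no file)" in details
    body = details.replace("(file missing)", "").replace("(no file)", "").rstrip(" -")
    run = _O4_RUN_RE.match(body) if section == "O4" else None
    if run:
        target = first_path(run.group(2))
    elif section == "O4" and body.startswith(("Startup: ", "Global Startup: ")):
        target = body.split(": ", 1)[1].split(" = ")[-1]
    elif " - " in body:
        target = body.rsplit(" - ", 1)[-1].strip()
    else:
        target = body.split(": ", 1)[-1].strip()
    if _CLSID_RE.fullmatch(target):
        target = ""                   # a bare CLSID is not a file reference
    reasons = []
    if dead:
        reasons.append("points at a file that no longer exists (dead entry)")
    if section == "O20":
        reasons.append("O20 hooks load into every process; verify the DLL")
    if section == "O4" and target:
        if "\\" not in target:
            reasons.append("bare filename, resolved through the search path")
        elif re.fullmatch(r"[A-Za-z]:\\[^\\]+", target):
            reasons.append("runs straight from the drive root")
    stem = re.sub(r"\.[^.]+$", "", re.split(r"[\\/]", target)[-1])
    if looks_random(stem):
        reasons.append(f"random-looking filename '{stem}'")
    return Entry(section, line.strip(), target, reasons)


def triage_log(text: str) -> List[Entry]:
    """Every O entry of a log, in log order, with its review reasons."""
    return [e for e in map(triage_line, text.splitlines()) if e is not None]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print("CHECK" if e.reasons else "ok   ", e.section, e.target or "-", e.reasons)
```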

gerbil 216 Industrious Poster

==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Just make sure your other windows directory has these files first...

gerbil 216 Industrious Poster

Yep, it's okay to fix those O2's and the kernelfaultcheck entry.
The HP lightscribe thing is so you can write graphics to your [special] CD labels...

gerbil 216 Industrious Poster

AVG AS should clean most trojans. Run CCleaner before you scan so that it does not list your cookies etc....
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

gerbil 216 Industrious Poster

"My computer is working ok"... oh no, it's not. Either your CD is dirty.... or your RAM is unhappy.. replug/swap it, try again.

gerbil 216 Industrious Poster

That last log shows you have turned off ZoneLabs! You need it. Me, and this is because of the way I operate on the web.. I'd turn off AVG A-s, Adaware, and Spyware Terminator, but you may wish to keep one of them running, more just slows things down.
This is entirely up to you, it's NOT malware, but you could remove Viewpoint.... personally, I'd kick out all the google stuff too. They've got a website ready when you need em, I reckon.

gerbil 216 Industrious Poster

Orrite, do that, remove all those files that AVG quarantined.
=If everything is now working okay you should clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
=Because I cannot see your sys I do not know if you have duplicated My Documents folders - log into the unwanted windows OS and if there are files in its My Docs that you want copy them out to an std directory eg.. C:\Othersysfiles\ so that you can later access them -this is just in case.
Then if happy, simply log into the Windows that you wish to keep and go CP, System, Advanced, Startup n recovery Settings, press Edit. A notepad with your boot.ini files will open - be careful with it, if you make errors in it and hit save you may face problems..... if you like just post it here for guidance.
Keen to try it yourself? Okay, it will look something like this:

[boot loader]
timeout=20
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

-the idea is …

gerbil 216 Industrious Poster

Mmm.. search only for retadpu.
..and the rest of the procedure? No logs?

gerbil 216 Industrious Poster

Hi, Paul... you got AVenger right... but not this bit:
"C:\Program Files\Trend Micro\imabunny.exe\HijackThis.exe"
..I would like to see:
"C:\Program Files\Trend Micro\Hijackthis\imabunny.exe"
[Interesting that you added an extension to a folder name, but I spose a folder does not care that much what it is called... ].
And I know how this will turn out, too - I'll put you through this hoop n nothing more will show up. But we should check. How is the sys, btw?

gerbil 216 Industrious Poster

I'm sorry, Dan, but I for one just do not have the time to scan a file like that. And Windows 98 is way before my time......
Dan, grab these:
Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]

gerbil 216 Industrious Poster

Paul, you are still not renaming hijackthis!! Browse to the folder, select the hijackthis.exe and rename it to... anything... your favourite food..imabunny.exe, friedonion.exe... the reason I suggest imabunny is cos it sticks out like a sore thumb. You call it TrojanNemesis.exe and I'm going to wonder just what that is...!?
And the Avenger thing - you must paste in ALL the script between the lines, incl "Files to Delete:" - that is an instruction without which Avenger will not run correctly.

Start Avenger; select “Input script manually” and then click the magnifying glass icon. Paste into the box as one block ALL the text between the lines:-
_____________________________________
Files to delete:
C:\WINDOWS\system32\qnagxqrr.dll
_____________________________________
...and click Done, and finally the green light.
Follow prompts to reboot your machine.
...give it another shot..? Post the new Avenger log and a HT log run last of all.. Thanks.

gerbil 216 Industrious Poster

Hey, that's nice.... could I see the AVG log, pls?