gerbil 216 Industrious Poster

Not really; if you have no problems you don't need specialised detection/cleaning tools on your sys. Plus they get updated very frequently to counter new threats; further, some worry your AV. Just stay clean behind a good firewall with a resident AV and you should be okay. Spywareblaster is very useful for blocking known bad sites. It's free.. have a look if you do not already have it..

gerbil 216 Industrious Poster

Just how did you reformat the HD? With what tool?

gerbil 216 Industrious Poster

Yes, they do. Vundo is one obvious one that shuts its processes, removes its keys, when it sees hijackthis start. But sometimes we can tell if Vundo is active by other traces and so ask for the cleaning tool to be run without confirming the files and keys are there - that is just to save time. If we only mildly suspect the proper way would be to ask for a new scan with a changed filename for hijackthis.
Imabunny? well, someone once mentioned that they'd been silly and dl'd a pest - it went into my text from then.

gerbil 216 Industrious Poster

Urk... see if this helps:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option.
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
[when this is over you will need to do a Windows Repair to get your registry files sorted out...]

gerbil 216 Industrious Poster

Okay, Steven, I'll pick it up for you because Crunchie is taking a break. I just hope it is not too long a one... he does the best work.
Btw, hijackthis must be run in Normal mode when producing a scan for us.
Please delete C:\vundofix.txt. Rename hijackthis .exe to imabunny.exe.
Get Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker 1.8.5
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
==Get CCleaner and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
==GET AVG antispyware 7.5
Install it and UPDATE it.

Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click …

gerbil 216 Industrious Poster

Okayyy... first off, you seem to have two XP OS's on your C: drive...? You are booting into the first, windows.0, but I wager there is a Windows.1...?
Imesh. Do you like it? I leave that up to you.... remove via add/rmv pgms in control panel.... there is a O2 entry also...
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll

Right. Fix these with hijackthis:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [mpcsr] C:\WINDOWS.0\system32\mpcsr.exe
O4 - HKLM\..\Run: [mpcsrv] C:\WINDOWS.0\system32\mpcsrv.exe

Delete these files:

C:\WINDOWS.0\system32\mpcsr.exe
C:\WINDOWS.0\system32\mpcsrv.exe

Unlocker 1.8.5 [-just in case you need it.]

==This one is a general purpose deleter, Unlocker 1.8.5:
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

Now:

==Get CCleaner and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.

Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.

[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, …

gerbil 216 Industrious Poster

Nice Vundofix run there, Sol, that's just how it is meant to be used. If you look through CCleaner you will see options to tick to clear Firefox's cookies......
Fix these with hijackthis, taking notice of my notes...

O2 - BHO: (no name) - {0BD7FBFB-8C79-4C91-AFC9-2B00244FABB5} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
- if you do not want the HP View toolbar in IE fix both these:
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

This next is Symantec firewall, but you have Zonelabs, and you don't want both, so try this: fix the O23 entry, and then run the cmd below to delete it.
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Okay. Go Start, run, paste this in and enter it:

sc delete SNDSrvc

Post another log. I see nothing to slow boot, though. Is AVG AS doing a scan at startup? You do not want Defender, AVG AS and Adaware all active. I do not run an active AS, just keep Adaware and AVG AS updated and available for one-off scans... rarely need em, tho.

gerbil 216 Industrious Poster

Interesting log. Makes it tough to read, considering that the dodgy entries could well be typos... :)

O4 - HKLM\..\Run [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\justched.exe"
-is that "t" in justsched.exe a typo?

Okay, movin on. Alwil + AVG AV's. One MUST go. Now.
MyWebSearch Search Assistant - Go to Add/Remove programs and remove MyWebSearch Bar, MyWeb Search and Search Assistant.
Use hijackthis to fix these; then delete the MyWebSearch folder in pgm files.

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\RunOnce [MyWebSearch bar uninstall] rundll32 C:\Progra~1\Uninst~1.DLL,0 -3
O8 - Extra Context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZJfox000
C:\Progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

Check that justched thing.

gerbil 216 Industrious Poster

==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.
Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Now flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Okay, …

gerbil 216 Industrious Poster

annamarie, just fix any Rx entries in the hijackthis scan log that refer to HP or AOL [or indeed any that you don't like or want there..], and check O14 for entries that will automatically reset your default browser homepage to HP etc. Fix those too.

gerbil 216 Industrious Poster

good point, josch. it's certainly a rare one. Actually, they're all unwelcome.

gerbil 216 Industrious Poster

Hello. OneStep is something you "agreed" to dl, prob on the back of some free tool..
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - Startup: Sonic CinePlayer Quick Launch.lnk.disabled
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk.disabled
O23 - Service: OneStep Search Service - Unknown owner - C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service (file missing)

Good. Go Start, run, paste in this and press enter:

sc delete "OneStep Search Service"

Do a hijackthis scan only and check that O23 entry is missing; if still there then:
==Go Start, run, type services.msc -and press Enter. Maximise the window and select Extended tab at foot, scroll to the specific service, rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....

Now delete this: C:\Program Files\OneStepSearch\onestep.exe
..and the folder.

gerbil 216 Industrious Poster

Looks clean.
System Restore Points Clearance:
==You MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]

gerbil 216 Industrious Poster

I can be the bearer of indifferent news. Log's clean, although for us to be more certain you shoulda renamed hijackthis.exe as imabunny.exe before you ran it, not the txt file... you could fix this item for a legit item you deleted. [AVG7 is the virus hunter, btw, AVG 7.5 is AS.. :)]


O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Good. Now you may like all these next things, but you should review and fix them as RAM and time wasters:

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?5ffe694025554ba6bb515f7d43cfcd79
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: …

gerbil 216 Industrious Poster

Then you need a proper firewall.. Zonealarm, Kerio, or Comodo. Then nothing gets out unless you let it.
Every time you start tho Windows will hunt for a DNS and also try for a time check, plus if yours is dynamic, get an IP address and sort coding for login to your ISP.

gerbil 216 Industrious Poster

Hello, Sol. Because I do not know when you started trying to remove your pests, I would like to start from scratch, so please delete your copies of ComboFix, C:\combofix.txt, Vundofix, C:\vundofix.txt.
Great. You still have a bit of Symantec running - could you try to uninstall it? If it will not go we can deal with that later, cos it may take a removal tool from Norton to do the job.

It appears that you have a vundo infection, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
==Update AVG-AS
Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

=Restart your system in Safe Mode.
=Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, …

gerbil 216 Industrious Poster

Look, that's a pretty filthy sys there.... has/had vundo, got a couple worms/backdoor hacks, miscellaneous others - what have you got against a format, installation?
Anyway, let's see what this does:
It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important!!
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Check the Vundofix log for any entries that could not be deleted - if present rerun Vundofix.

And now this:
- dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your …

gerbil 216 Industrious Poster

Ah, I don't have a solution for the pirate bit, but I think they exist.... you won't get one in this forum tho. Did you get an "XP" CD with your sys?
I don't know if you get blocked if u dl the KB version of SP2 below and try to install it in safe mode, instead of via Windows Updates. Or if you slipstream it onto your CD [if you have one..]
http://www.microsoft.com/downloads/details.aspx?familyid=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en
and...
http://www.winsupersite.com/showcase/windowsxp_sp2_slipstream.asp
Heck, M$ should be happy for you to have it... cuts down bug dispersal to others.
Cheers.

gerbil 216 Industrious Poster

Good ole AVG. Ok, passed a keener eye over the log and it appears clean now.
Cheers.

gerbil 216 Industrious Poster

First, a note.... in my first post to you I asked for this to be fixed and the file deleted, but you responded that you could not find the file - that's because it changes name with a sys restart! Not to worry though, ComboFix removed it [but does not say that it has, which I find annoying.. it just does it; the clue is in the logs].
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\aryowyvi.dll",forkonce
Moving on..
Looks good now. Btw, that O17 entry, Internet Specialties West ISWEST-BLK-1 (NET-207-178-128-0-1) 207.178.128.0
...is your webhoster.. you have a webpage up.
Cheers.

gerbil 216 Industrious Poster

Michelle, I missed this one... was staring me in the face from your first log, but I knew combofix would remove it. Then of course I noted you were running Vista so combofix was not an option, and I forgot to put it in for fixing. It is still there, pls fix it, but note that its name will have changed!! So make a fresh hijackthis scan, look for [systemoptimizer]:

in first log:
O4 - HKCU\..\Run: [SystemOptimizer] rundll32.exe "C:\Users\michelle\AppData\Local\Temp\hrcybfat.dll",forkonce
...it became:
O4 - HKCU\..\Run: [SystemOptimizer] rundll32.exe "C:\Users\michelle\AppData\Local\Temp\xfmaawuu.dll",forkonce

So find it, fix it ..and delete this:

C:\Users\michelle\AppData\Local\Temp\whatever its new name is.dll

Sigh...

gerbil 216 Industrious Poster

Paul, I really do need to see the actual logs from these tools, not your synopsis, even if the results are null. And you must do these things in the order I request - it is no use giving me a hijackthis log run before the tools/fixes are applied because I cannot measure the results. Fresh means fresh, run last [in normal mode, btw]. According to the last HT log you still have not renamed hijackthis.exe as I requested in my first post, and that last HT log was run b4 Combofix. So I am blinded. You must do what I ask in the order that I put, otherwise we get nowhere, n get frustrated. Pretty much here we are dealing with a pest that has self-protection elements - we have to identify the protectors and remove them b4 we can deal with the active elements. Sometimes the protectors change name between restarts of your sys, which makes it all a lil harder.
So pls, rename hijackthis.exe, and post a fresh log, plus that Avenger txt.

gerbil 216 Industrious Poster

Hi, Green, get this pgm, Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, uncheck the updater and assistant boxes.. It runs from the rclick context menu, and that is cool.

Use hijackthis to fix these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0D869297-5FF8-4C78-BDAB-3B1296DFE157} - (no file)
O2 - BHO: (no name) - {B259868D-C0B3-4E76-841F-D61577945E06} - (no file)
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll
O20 - Winlogon Notify: ljjkhif - C:\WINDOWS\
O20 - Winlogon Notify: ssqrsrr - ssqrsrr.dll (file missing)
O20 - Winlogon Notify: vtutq - C:\WINDOWS\
O21 - SSODL: vpEkvGc - {C4393263-6E93-98C9-2A52-1B36ABB29C03} - (no file)

Good. Now browse to C:\Program Files\ISM and delete every file in that folder, with Unlocker if necessary, and then delete the folder ISM.
Post another hijackthis log with your comments, pls.

gerbil 216 Industrious Poster

Michelle, that O2 entry, O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\Windows\system32\[xsaxvmot.dll] does not show up... to find the file itself manually would be tough cos it appears to be from a new family of pests - it changes its name upon every boot. AVG seems to have got it.
Fix that O13 - Gopher Prefix: entry, and remove all entries from AVG's quarantine- the infections tab.
Otherwise, your log shows clean. Come back when you have a more definitive idea of the problem.
Who uses Gopher now..?

gerbil 216 Industrious Poster

mudman, I am not sure why your hijackthis picks up those two O22 entries but be assured that they are okay and necessary. In my machine they exist [but are not displayed by HT], meaning they start before windows just as yours do. I can only guess at the reason for their non-appearance in some logs - could it be that I have no browser homepages set?... I don't know. Leave em be. No browseui.dll running, no browser functions.
The O10 entry... it's there because you sometimes connect to a network printer? You can remove it if you wish with LSPFix from Cexx. If you try it... you see that expert box, I know what I'm doing? well, you had better.... if you remove all entries you face repair/installation. If you only have a local printer..ie connected directly to your pc, you don't need it.
Okay, delete vundofix, combofix, qoobox, avenger...and their logs. Most tools are updated regularly to keep pace.
And that looks like it. Cheers.

gerbil 216 Industrious Poster

just try n update windows installer 3.0

gerbil 216 Industrious Poster

Could I pls see C:\vundofix.txt?
And did you actually fix all these entries with hijackthis as I posted previously? Please fix them... [there is one new one in there..]
But first:
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop.
Now please fix these entries with hijackthis:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 60.12.193.37 auto.search.msn.es
O1 - Hosts: 60.12.193.37 ie.search.msn.com
O2 - BHO: (no name) - {00D0E786-A9E4-4EC5-82BA-E4E57D285B83} - (no file)
O2 - BHO: (no name) - {6FE7EF0F-070B-407C-A487-C5219F1BD767} - (no file)
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\qnagxqrr.dll",sitypnow
O20 - Winlogon Notify: ddayv - C:\WINDOWS\
O20 - Winlogon Notify: efcbbcc - C:\WINDOWS\
O20 - Winlogon Notify: vtutt - C:\WINDOWS\system32\vtutt.dll (file missing)
O20 - Winlogon Notify: winoac32 - winoac32.dll (file missing)

Good. Start Avenger; select “Input script manually” and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:-
_____________________________________
Files to delete:
C:\WINDOWS\system32\qnagxqrr.dll
_____________________________________
...and click Done, and finally the green light.
Follow prompts to reboot your machine.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at …

gerbil 216 Industrious Poster

Could I pls see C:\vundofix.txt?

gerbil 216 Industrious Poster

It's a more manageable sys you've supplied him. He should rarely have to defrag C: cos now windows can stretch out, unbothered relatively, and it will reorganise itself into an arrangement of its files so that the most used are close n handy for loading; it has the space to put its sys restore files out of the way. One thing I didn't mention was to set its virtual memory to a size bout 1 1/2 times the RAM size. Gulp. Should be okay tho on default
So in your next email to him, you cn tell him to go ..
Control panel, system, Advanced, Performance settings, Advanced, Virtual Mem Change, select C:, press Custom size, make initial size 1 1/2 times RAM, max size the same or twice RAM, Set, Apply, OK .. n out..
Stay well.

gerbil 216 Industrious Poster

After you try Unlocker you can run Avenger anyway... even if you manage with Unlocker paste the whole block into Avenger...

gerbil 216 Industrious Poster

Gee, mudville man, Vundofix played up a bit there - two of the files it turned up on 8/3/2007 it did not attempt to delete...
C:\WINDOWS\system32\laf15.dll
C:\WINDOWS\system32\wvuussr.dll
.. but then they did not show in the next scan..? It could not cope at all with the last lot you added. Delete your copy of Vundofix and dl a new version please.
I do love the honesty in the naming of your new adware pest.

First step, would you please submit c:\windows\system32\hhmjhhm.dll for a scan at http://virusscan.jotti.org/
-use the browse button or paste the pathname.
We shall see if this tool will handle it.. please download:
Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
It runs from the rclick context menu, and that is cool.
Just in case it does not...
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop.
Update your AVG-AS. Set
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.

Ready? Delete C:\vundofix.txt, then once more into Safe Mode. Use hijackthis to fix the following entries:

O2 - BHO: (no name) - {DFDBBDD6-1441-4715-B1BD-9D5540CCCA30} - …

gerbil 216 Industrious Poster

Just a note, those two O4 entries, UpdReg and Ecenter are just annoying prompts to register software, they are not malware.

gerbil 216 Industrious Poster

You are not clear yet, Michelle, Vundo detected C:\Windows\system32\vtuvt.dll but could not delete it (did you successfully delete it manually? .. please check..), and one of those entries I asked you earlier to fix has been regenerated. So something else is there.... and it is possibly C:\Windows\system32\xsaxvmot.dll

Delete C:\vundofix.txt
A couple of tools to get now:
This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
CCleaner:
Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
AVG-AS:
GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
- the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
Cool. Back into Safe Mode, please.
Use hijackthis to fix these entries:

O2 - BHO: (no name) - {32314B0F-9418-4FB8-92B6-151C58436B58} - C:\Windows\system32\vtuvt.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\Windows\system32\xsaxvmot.dll
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\vtuvt.dll,CPP

Delete this file:

C:\Windows\system32\xsaxvmot.dll

Now please rerun Vundofix.
Check the Vundofix log for any entries that could not be deleted - if present rerun Vundofix.
!!!Make sure to restart in Safe Mode!!!
Now run CCleaner from the recycle bin rclick menu using its default …

gerbil 216 Industrious Poster

Glad to help, geo.
Touch that solved button, would you, please?

gerbil 216 Industrious Poster

First off, sc. You gotta enter the service NAME, and you get that from the services manager, it may or may not be correctly given inside the parentheses in the log entry. There are a few ways to kill services...
- hijackthis under misc tools section.
- sc delete "service name"
[Use control panel, admin services; or Start > run, enter services.msc [or dcomcnfg]; - click Services [local] in the left pane, maximise the window and select Extended tab at foot. Search for the specific service, rclick it and select Properties - you can press the Stop button if it is highlighted. Note the file path if there is one.. and note its Service Name. Close.]

Okay, back to the job. Rerun Vundofix in Safe Mode; if it does not detect and delete the C:\WINDOWS\SYSTEM32\hhmjhhm.dll file and its relations then run it again, but modified so:

Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Add more files? line, paste into the new window these pathnames [one per line]:

C:\WINDOWS\SYSTEM32\hhmjhhm.dll
C:\WINDOWS\SYSTEM32\mhhjmhh.*

Click the Add Files button, and next the Remove Vundo button.******
You will receive a prompt asking if you want to remove the files - click YES.... and so on.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, …

gerbil 216 Industrious Poster

Muffin, you did not rename hijackthis.exe as requested..... please do so for the next scan.
Meantime, start hijackthis and select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 60.12.193.37 auto.search.msn.es
O1 - Hosts: 60.12.193.37 ie.search.msn.com
O2 - BHO: (no name) - {00D0E786-A9E4-4EC5-82BA-E4E57D285B83} - (no file)
O2 - BHO: (no name) - {6FE7EF0F-070B-407C-A487-C5219F1BD767} - (no file)
O20 - Winlogon Notify: ddayv - C:\WINDOWS\
O20 - Winlogon Notify: efcbbcc - C:\WINDOWS\
O20 - Winlogon Notify: vtutt - C:\WINDOWS\system32\vtutt.dll (file missing)
O20 - Winlogon Notify: winoac32 - winoac32.dll (file missing)

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Post that log plus a fresh hijackthis scan. I would also like to see that vundo report, even if it is null.

gerbil 216 Industrious Poster

Michelle, it appears that you do have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Restart your system in Safe Mode. *****!!
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
***If Vundofix reports that it could not delete a file, rerun it until it does.
Good.
=Start hijackthis and select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\vtuvt.dll,CPP
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

Delete these files:
C:\Users\michelle\AppData\Local\Temp\hyirqkcq.exe
C:\Windows\system32\vtuvt.dll
C:\Windows\system32\oobefldr.dll
Post …

gerbil 216 Industrious Poster

One problem you have that is easy to solve: remove one of your resident AV scanners, now. Very important to have only one.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {A7943DD3-94EA-42BD-A322-6151C67CA8E2} - C:\WINDOWS\system32\vnytcfjm.dll (file missing)
O2 - BHO: (no name) - {BF0B9CDC-FFA7-432F-A49A-A771D7B4FD1a} - C:\WINDOWS\system32\vnytcfjm.dll (file missing)

It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

But is your sys ok, now? Very important info for us, that....
Delete C:\Qoobox, and combofix.

gerbil 216 Industrious Poster

If one of em was perfect, it would be the only one out there. And pretty soon it would no longer be perfect.
You listening, Mr Gates?
Cheers.

gerbil 216 Industrious Poster

I have no idea how AV approaches scans of packed files.. CABs, RARs, ZIPs etc. But I would guess that it has to unpack them first, and so I am next guessing that your Windows Installer is a bit broken? Guessing.... SVI password protected? Weird. Some things like Daemon Tools you gotta tell your AV not to touch, because it will break them for you.

gerbil 216 Industrious Poster

One drive... one partition/volume for most folks, not meaning one disk, there. OK.. so if you only have a C: drive then that is not the problem. I mentioned it because I had one particular update fail continually, and the M$ advice was to rename Catroot2, but it made no difference - the problem turned out to be that the update could not hack the default program files directory being in a drive other than the system drive - I had it in D:, while the OS was in C:. A quick swap, update went in, and reset.

gerbil 216 Industrious Poster

Last first... yeah, but I avoid the crocodile dundee excesses.. :)
My docs path... it's really up to you how you deal with it, whether you regard/treat the stuff you put in there as valuable or not; I have chosen to make it a storage for gear that is much reviewed/changed, and temporary.
For example, whimsical clips, pics etc sent by correspondents that one may keep for a couple weeks to show someone else, but are not the stuff you would treasure; notes I contrive on set topics in this forum; Quick, Regular access stuff....
The stuff I really want to keep is in other volumes [partitions] from where I can easily back it up without including temp junk. eg music I download and decide to keep while I compile it, albums etc I am currently listening to, pics I am photoshopping, accounting records etc..... That is just the way I do it - do it the way which is valid for you. So no, it's not dumb.
I use emule for downloads.. they go to a folder inside the Downloads directory.... reviewed and tossed or passed into another [music] directory for keeping. Rips from CDs go to the music directory again.... I don't use My Music.
That My Documents directory under Desktop is just a link structure - it only contains links to where you are actually storing My Documents... the links will only have one pathname in them, so you cannot confuse them.

gerbil 216 Industrious Poster

That R0 entry... that is the homepage that you set up, right? Because it is html, and would be pulling in a web page...? It works for you?

gerbil 216 Industrious Poster

You might want to use hijackthis to fix these two entries. The first is a random downloader pest which will tie up your web connection.

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - http://ps.itv.mop.com/dn/files/pCast....94_signed.cab

Cheers.

gerbil 216 Industrious Poster

Ok, I can see that you are having fun trying, so I'll give you a gentle shove in what I think is the right direction: did you get your vundofix from here? It won't hurt to delete your copy and get a fresh one....
http://www.atribune.org/ccount/click.php?id=4
Run it in Safe Mode.
Next use hijackthis to fix this entry:
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
Finally go start, run, type cmd and OK. Paste this next line into the window at the prompt, enter it and close.

sc delete cmdService

Say how you get on.... post the vundo log for me, plus a fresh HT scan.
[hxds.dll is a legit M$ file...]
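
As an added example, not code from the thread or from the HijackThis tool itself, the Python script below triages HijackThis-style log lines like the ones quoted in this post and in the first post above: it flags entries that point at files which no longer exist, hosts-file lines that redirect a name to a non-loopback address, random-looking DLL names loaded by rundll32 or registered under Winlogon Notify, O16 ActiveX downloads, and O23 services whose binary is gone, for which it emits the same `sc delete <shortname>` command used above. The sample log is constructed for the example (the elided URLs from the thread are replaced with made-up hosts), and the vowel-ratio test for "random-looking" names is an assumption of this example, not HijackThis logic; it will misfire on some legitimate names (e.g. ScCertProp), so treat it as a prompt to look, not a verdict.

```python
"""Triage HijackThis-style log lines and suggest fixes (example code)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional

# Constructed sample log, modelled on the entry types quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.net/ie.html
O1 - Hosts: 60.12.193.37 auto.search.msn.es
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {00D0E786-A9E4-4EC5-82BA-E4E57D285B83} - (no file)
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\vtuvt.dll,CPP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - http://downloads.example.net/pCast.cab
O20 - Winlogon Notify: vtutt - C:\WINDOWS\system32\vtutt.dll (file missing)
O20 - Winlogon Notify: Schedule - wlnotify.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) \((?P<short>[^)]+)\) - ")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)")
DLL_RE = re.compile(r"([A-Za-z0-9_]+)\.dll", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)")
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Assumed heuristic: Vundo-style names are 5+ letters with few vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.25


@dataclass
class Finding:
    code: str
    line: str
    reasons: List[str] = field(default_factory=list)
    fix_command: Optional[str] = None  # e.g. "sc delete cmdService"


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log entry that deserves a look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        f = Finding(code, raw.strip())
        if MISSING_RE.search(body):
            f.reasons.append("points at a file that no longer exists (stale registration)")
        if code == "O1":
            h = HOSTS_RE.match(body)
            if h:
                try:
                    ip = ip_address(h.group("ip"))
                    benign = ip.is_loopback or ip.is_unspecified
                except ValueError:
                    benign = False
                if not benign:
                    f.reasons.append(f"hosts file redirects {h.group('host')} to {h.group('ip')}")
        elif code == "O2" and body.startswith("BHO: (no name)"):
            f.reasons.append("browser helper object without a name")
        elif code == "O4":
            d = DLL_RE.search(body)
            if "rundll32" in body.lower() and d and looks_random(d.group(1)):
                f.reasons.append(f"rundll32 loads random-named DLL {d.group(0)}")
        elif code == "O16":
            u = URL_RE.search(body)
            f.reasons.append(f"ActiveX download from {u.group(1) if u else '?'}; remove if unrecognised")
        elif code == "O20":
            # Winlogon Notify DLLs load inside winlogon.exe, so a random name is a red flag.
            name = body.split(":", 1)[1].strip().split(" - ")[0]
            if looks_random(name):
                f.reasons.append(f"Winlogon Notify DLL with random-looking name {name}")
        elif code == "O23":
            s = SERVICE_RE.match(body)
            if s and MISSING_RE.search(body):
                f.fix_command = f"sc delete {s.group('short')}"
        if f.reasons or f.fix_command:
            findings.append(f)
    return findings


def fix_commands(findings: List[Finding]) -> List[str]:
    """Commands to type at a cmd prompt for the flagged service entries."""
    return [f.fix_command for f in findings if f.fix_command]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.code, "|", f.line)
        for r in f.reasons:
            print("    -", r)
        if f.fix_command:
            print("    fix:", f.fix_command)
```

HijackThis's Fix Checked removes the registry entry but not the file, and deleting an O23 entry alone leaves the service registered, which is why the script pairs the O23 finding with the `sc delete` line rather than only the log entry.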

gerbil 216 Industrious Poster

By any small chance do you have the default program files directory on a drive other than the systemdrive?

gerbil 216 Industrious Poster

Naturally enough. Defender can't .. never mind. You are in the wrong forum; cart your plaint over to Viruses n Nasties, read and follow the top sticky. Post there.

gerbil 216 Industrious Poster

Ok, I can look kindly on a cry for aid... google for logonstudio... there you will find free software, a fantastic selection of artful and wild images, and all the help you need. With a bit of thinking you will be able to take a logon image without the logon window and use it for a background. Seamless and professional.
Logonstudio is not the only site, google "customise XP logon", learn to build your own.
Alternatively, for a desktop background alone, find a suitable image that somewhat matches your display's pixel resolution in image size and dimension ratio eg mine is 1280 x 1024 pixels but even 1280 x 960 would do... save the image as a bitmap .bmp. Next go control panel, display, desktop, browse to your image and select it, apply and out. There!
Use nothing that your mother would not approve... :)

gerbil 216 Industrious Poster

Heidi, I get confused by Owner, User, Power User.... I only understand User and Admin....heh... I guess the Owner is just the bloke who entered his name during setup; he starts off as an Admin privileged account, but can derate that to User as long as there is at least one Admin account loaded.
So it's not Albert? We can go with Harold. When Harold is up and running, he should only be of User status, and use Run As if he needs to temporarily run as an Admin, or switch user if it is a more involved job. I mean, he got way blown out of the water before by junk, and it still applies that you fly higher if you are logged in as an Admin. Being a user does limit what trojans etc can do....
If Harold is going to be the only user, leave those other profiles alone [- these: "So under "c:/documents&settings" we have "All Users", "Default User""]. Unless he has secret-squirrel stuff anyone else could then use his login.. It is possible to fix things so that if a new account is made then all those changes I suggest are automatically applied, but it's not worth my effort [meaning I haven't done it for my machine - I can whip up those changes in minutes manually]. Default User defines where new directories will be made if another account is created, All Users handles shares. Leave them be.
MSN, Moviemaker.....WMP.... Dunno bout …