gerbil 216 Industrious Poster

Sarah, a few more dll's to register, same procedure as before, name it fix2.bat and yes, it just closes silently. This includes a few more for IE plus OE. Restart. Or you may prefer to follow my last suggestion here, the IEFix route...
______________________________
regsvr32 mshtml.dll /s
regsvr32 comctl32.dll /i /s
regsvr32 inetcpl.cpl /i /s
regsvr32 mshtml.dll /i /s
regsvr32 hmmapi.dll /s
regsvr32 wininet.dll /i /s
regsvr32 digest.dll /i /s
regsvr32 wab32.dll /s
regsvr32 wabimp.dll /s
regsvr32 wabfind.dll /s
regsvr32 oemiglib.dll /s
regsvr32 directdb.dll /s
regsvr32 msoe.dll /s
regsvr32 oeimport.dll /s
regsvr32 vgx.dll /s
regsvr32 RSAENH.DLL /s
regsvr32 CRYPTDLG.DLL /s
regsvr32 ole32.dll
regsvr32 shell32.dll
regsvr32 msjava.dll
regsvr32 Schannel.dll
exit
_______________________________

If still IE and explorer will not run, then you could try this. Navigate to C:\windows\inf\ie.inf, rclick on that file [ie.inf], select install, and insert your XP CD. Follow instructions.
Can't navigate with explorer? Then go Start, run, and enter:
%windir%/inf -and locate ie.inf in that window....
As a final alternative... use the MVPS pgm, IEFix from:
http://windowsxp.mvps.org/IEFIX.htm -which includes dll registration as well as the ie.inf installation. You still need your CD. It's a small zip dl, and thinking about it, it is possibly the easiest path to take.. :)
Say how it goes...

gerbil 216 Industrious Poster

And if that lot does not get you running then I am afraid you face doing a Repair Installation from your XP disk - that would not hurt any of your files or even require you to reload your applications.
You boot from your installation disk, and bypass Repair using Recovery Console by pressing Enter to enter Setup... identify your installation to repair and off it goes.
Safe mode allowed CCleaner to run... I wonder if a driver could be interfering somehow..? That is beyond my knowledge..
My bedtime.... say how you get on.

gerbil 216 Industrious Poster

You could save this to a floppy, or to your desktop. If it will not run by dclicking then run it from task manager by inputting its pathname. Now it should be valid... but it's too long for me to check em all. The way regsvr works is that if it does not recognise a name it just ignores it.
==Please copy the text between the lines to a notepad and save as fixexplorer.bat, as type "all files", to your desktop; dclick it to run it.
___________________________
regsvr32 comcat.dll /s
regsvr32 CSSEQCHK.DLL /s
regsvr32 shdoc401.dll /s
regsvr32 shdoc401.dll /i /s
regsvr32 asctrls.ocx /s
regsvr32 oleaut32.dll /s
regsvr32 shdocvw.dll /I /s
regsvr32 shdocvw.dll /s
regsvr32 browseui.dll /s
regsvr32 browsewm.dll /s
regsvr32 browseui.dll /I /s
regsvr32 msrating.dll /s
regsvr32 mlang.dll /s
regsvr32 hlink.dll /s
rem regsvr32 mshtml.dll /s
regsvr32 mshtmled.dll /s
regsvr32 urlmon.dll /s
regsvr32 plugin.ocx /s
regsvr32 sendmail.dll /s
rem regsvr32 comctl32.dll /i /s
rem regsvr32 inetcpl.cpl /i /s
rem regsvr32 mshtml.dll /i /s
regsvr32 scrobj.dll /s
regsvr32 mmefxe.ocx /s
rem regsvr32 proctexe.ocx mshta.exe /register /s
regsvr32 corpol.dll /s
regsvr32 jscript.dll /s
regsvr32 msxml.dll /s
regsvr32 imgutil.dll /s
regsvr32 thumbvw.dll /s
regsvr32 cryptext.dll /s
regsvr32 rsabase.dll /s
rem regsvr32 triedit.dll /s
rem regsvr32 dhtmled.ocx /s
regsvr32 inseng.dll /s
regsvr32 iesetup.dll /i /s

gerbil 216 Industrious Poster

OK. In that same right pane you should see:
Userinit = C:\windows\system32\userinit.exe,
Did sfc run okay? It just closes its lil window when it is finished, no fanfare.
If it did then there is a whole list of .dll files which probably need registering by a batch file - I'm trying to find an up-to-date list... These dll's are the processes explorer.exe calls when it runs.
By the way, have you tried restoring to an earlier date?

gerbil 216 Industrious Poster

Are you familiar with looking inside registry? I'd like you to check this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
In the right pane there should be an entry:
Shell = explorer.exe

gerbil 216 Industrious Poster

Sarah, what happens if you open task manager, file tab, run... and type:
explorer.exe -and press ok? Does an explorer window open?
No, skip that, of course it will.. cos firefox runs in it, HT etc... but OE does not... thinking..
Just at this moment all I can suggest is that you get windows to check the integrity of its protected system files by running the file checker; you need your installation disk... go start, run, type:
sfc /scannow -and press ok.

gerbil 216 Industrious Poster

Sarah, start hijackthis and then select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\RunOnce: [McWebDownlMgr] C:\DOCUME~1\SARAHS~1\LOCALS~1\Temp\McDMTemp007 (8)\DwnldMgr.exe /runkey
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)

==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then …

gerbil 216 Industrious Poster

Please do this so that we are not blind:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Goose, Chompdog..[?]... it is quite difficult to help on this one... but if you put a CD in your drive and on any restarts do not get that message, then some pgm has a small corruption in it to cause it to be still seeking a disk even when you think it is not running. It pretty much has to be one of your installed pgms conflicting with something new in your PC.. and the finger seems to be pointing at some update M$ has delivered. A corruption? -well, M$ would say it was their fault for not working with their OS..! You would need to check a complete list of your autostarting pgms that use disk input to find the culprit.
Personally, I'd check any HP stuff right off, cos over time I have built up the impression that there is a "conflict" between HP n M$.... not fighting.. just different ideas about how things should be done. I don't mean to uninstall any HP gear, just check and stop any autostarts.
Say how you get on.

gerbil 216 Industrious Poster

If you install another firewall it will turn off windows firewall automatically. Nothing to stop you checking though - you should only have one.
Log is clean... You could fix this waster...
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe

But you are running Vista - this is not the forum for it and I am Vista ignorant [well, at least beyond the point of knowing that I do not want it on my machine...]
Cheers.

gerbil 216 Industrious Poster

Hello Kevin, you ran this scan in safe mode... it does not show us everything that is going on. Use normal mode.
Go to add/remove pgms and remove these :
NewDotNet
RXToolBar
Need2Find

==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in safe mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected - if it is you will be prompted to replace the file; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows.
Change the name of hijackthis.exe to imabunny.exe and make a fresh scan. Please post that plus C:\rapport.txt
[[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]]

And I just noticed that this …

gerbil 216 Industrious Poster

You NEED a firewall. windows is ok, but a proper one would be Zonealarm, Kerio or Comodo.... check em out.

gerbil 216 Industrious Poster

Hi, Jeannie, yes, the four drawers is pretty close to the idea.
The Temp partition. Pretty much we will create in the temp partition the requisite folders/files that windows normally uses, and other pgms too, and then we will tell Windows about them by changing, for example, environmental variables and some registry settings. And windows will happily use the new folders/files as its own.
Applications.... yes, Paint, AV, AS, Outlook Express, in fact any pgm that you install apart from windows... we just change a single setting and that will make that partition the default location for any pgm you install.
Images..... most games insist on running from a CD when you play them. That is slow, tedious [you gotta find n then insert the CD...], damaging to the CD surface from accidental scratching.... So if I play a game often I use certain software [Alcohol 52% does me] to create an "image" of that CD on my HD [images are special copies that contain exactly what is on the CD and not just the information in its files..]; you install the game as per normal; to play all you do is click the image to "mount" it as a new drive.. the Alcohol software presents it to the OS as a CD drive, and it runs. And there is no waiting while an actual CD drive spins up... cos its on the HD. You can do it with most everything that is to be found on a …

gerbil 216 Industrious Poster

Azriel, you MUST remove one of your resident AV services. One is all you may run, cos they interfere.

gerbil 216 Industrious Poster

It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {632457D9-D717-461F-939C-863AB12659D9} - C:\WINNT\system32\ljhgg.dll (file missing)
O4 - HKCU\..\Run: [cprocsvc] C:\WINNT\system32\crunner\cproc.exe
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/7d4d...ba63443_35.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://glamour-shop.com/backdoor/chm//x.chm::/ope n.exe
O20 - Winlogon Notify: ljhgg - C:\WINNT\system32\ljhgg.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINNT\system32\dn8001lme.dll (file missing)
O20 - Winlogon Notify: winyzn32 - winyzn32.dll (file missing)

==Either: go Control panel > folder options OR: in an explorer window > tools>folder options;
-then …

gerbil 216 Industrious Poster

Use hijackthis to fix these two entries to clean up. That's it...:)

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - ˆ?49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

gerbil 216 Industrious Poster

There are no malware issues showing in that log. Slowness could be from the large number of processes evidently running - I suggest you look seriously at the items in your startup list -many are reflected in those O4 entries, and cut those which are of no use, or which can be started only as you need them. Any item which starts often stays resident in memory.. eg, updaters remain to monitor the time and date....
Defragmented lately?
Cheers.

gerbil 216 Industrious Poster

Nothing shows as bad in that log. Use hijackthis to clean up by fixing these two entries:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)

Cheers.

gerbil 216 Industrious Poster

Me? No. It was late so I did not complete. Run ComboFix because it will remove files associated with that trojan, and add these few entries for fixing just to tidy up...

O2 - BHO: H - {4F862FBA-1E2B-4072-9EA8-1FD3FECB86A1} - somato.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - (no file)

Say how you get on.

gerbil 216 Industrious Poster

First, go to add/remove pgms and uninstall MyWebSearch, then delete the pgm folder of that name.
This is your main problem :
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
And then there is this, a pest:
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm021YYGB
-fix both with hijackthis, then delete the file C:\WINDOWS\Temp\startdrv.exe [you may have to do it in safe mode....]
Alternatively you could download Unlocker to delete it...
If it returns you could try Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

gerbil 216 Industrious Poster

Hi, Jeannie.... here are my suggestions considering your drive capacity and overall convenience, plus reliability through creation of a better environment for the windows OS. That last comes from installing Windows into its own partition and then removing all the temporary files to another partition, where their continual creation, deletion etc will not interfere with the OS. Windows likes to stretch out and arrange itself so that the bits you and it use most often are grouped and fast to reach - it does that automatically, and is more stable if the temp files, temporary internet files, cookies, histories, outlook express mail folders and so on are elsewhere. Currently a fully updated XPSP2 with a full driver cache [handy] and several restore points solidly occupies 4GB [well, mine does; it depends a bit on the software you install because that affects registry size] - you will need to include 1 1/2 times the size of your RAM for virtual memory [128MB > 200MB, 1/2 GB > 800MB...], plus room for several Restore points; All in I think 8GB is the minimum, pretty much, for that Windows partition. It leaves plenty of free space for it to arrange itself. If you do not wish to relocate the plethora of temporary files you should give it 2GB more, say 10GB. Mine is in 8GB.
Next you need a partition for the temporary stuff - emails from eg Outlook Express, temp inet files, cookies, firefox and opera caches and so on, …

gerbil 216 Industrious Poster

Cool. I think.. . Did vundofix produce a log? I'd like to see it.
Moving on, if your sys will [gulp]... you should fix these two also, Hamada, with hijackthis:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

Finally, get this cleanup tool, and do the online scan after:
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]
Panda Online Scan:
==Please do an online scan at panda:- …

gerbil 216 Industrious Poster

Uh-oh. What does it do when you try to restart? Not a blue screen.... I hope?

gerbil 216 Industrious Poster

EDIT!!
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Addmore files? line, paste into the new window these pathnames [one per line]:

C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\fgjlm.*

Click the Add Files button, and next the Remove Vundo button.*****
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.

I asked you to do that special run because ComboFix shows these files as created in the previous month, and I did not see Vundofix as having removed them:
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\fgjlm.bak2
C:\WINDOWS\system32\fgjlm.bak1

gerbil 216 Industrious Poster

You don't get to be a squillionaire by being nice. You can smile, but not be nice. M$ has burnt you. Call em. And get Mozilla firefox or Opera. Anyway.

gerbil 216 Industrious Poster

Ladies n gennermen, the prize fer the mos vundo files I ever did see goes to Hamada!! [..loud applause, whistles...].
An not to begrudge it, that is a long list of detections by ComboFix.... you, cautious? Anyway, you were sposed to run ComboFix...
Right. Your taskmanager shows things have cooled down somewhat, now let's get some more outta there. But first, you see that line where I say to change the name of hijackthis.exe [HiJackThis_v2.exe]to imabunny.exe? I meant it. Please do it before you post the next hijackthis log, otherwise we may be wasting our time here.
Add/remove pgms, remove MyWebSearch and similar. Then delete that folder in pgm files folder.
Use hijackthis to remove these entries: start it, then select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {E188373D-F47C-4B0C-BE35-FAD41E3360AD} - C:\WINDOWS\system32\mljgf.dll (file missing)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\4.bin\m3SrchMn.exe" /m=2 /w
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZZ
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O20 - Winlogon Notify: gebcb - C:\WINDOWS\system32\gebcb.dll (file missing)

Good. Post …

gerbil 216 Industrious Poster

Heidi, if you would still like suggestions for reinstallation, pls post your HD size and whether you have only one HD....

gerbil 216 Industrious Poster

I'll just pop this in here cos I don't think jb does malware fixes.... if you do, jb, my apologies....
Hamada, you're loaded; this will get the fix started...
Open a windows explorer folder, > tools > folder options > view, and
-press Show hidden files and folders
It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.
Check the log, if Vundofix could not delete some files, run the fix again.
Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your …

gerbil 216 Industrious Poster

Looking at your processes, windows defender and Spyware Doctor are blowing you outta the water, CPU time-wise. And what is winlogon doing using so much time? - it should be quiescent. Zero time, just barely showing..

gerbil 216 Industrious Poster

Go into a darkened room, check your black screen for your displayed page... if faintly there, and it responds normally to your manipulations, then it is your fluoro backlight dying, or its HV ps. Service call.

gerbil 216 Industrious Poster

If you used your installation cd you could attempt a windows Repair [ignore the option to "repair using Recovery Console", just Enter to go past that into setup where it detects your OS and then suggests a Repair if possible]. That would give you the chance to pull off the music etc....
I was going to tell you - you had a rootkit-protected trojan [amongst others] which allowed others to totally control your pc... so in the end a reinstallation of XP is always the best option there. I gotta go to town right now, I or someone will give you a guide later today.

gerbil 216 Industrious Poster

Aero, you should have only two copies of that file. svchost.exe lives in and runs from system32\; the copy in i386 is the backup copy used by windows file protection system. Delete the duplicate in system32.
If you run system file checker it will examine the file in system32 and if it is corrupted, copy in the one in i386; if that is corrupted it will take fresh copies from the XP cd...
Start, run:
sfc /scannow

gerbil 216 Industrious Poster

Glad it worked, Jeannie. I keep AVG AS... after 30 days it falls back to being an on-demand scanner, but that is fine with me - I update it occasionally for those moments when I wish it to check an individual file, and I do a complete scan every couple of months. Get spywareblaster to complete your protection suite - it's a free site guard which blocks many malware-loaded sites.
Cheers...

gerbil 216 Industrious Poster

Assuming that it is the first, 39MB partition that you wish to lose, why not use a partition manager to merge it with C:? Windows may complain when you disturb its immediate environment [it knows where it lives and its immediate neighbours], but that is easily fixed by trashing a key - it will build a new one. As an example only, Paragon Partition Manager would do it for you.

gerbil 216 Industrious Poster

I can only assume that Fixwareout is restarting itself at restart of your sys because it has not completed properly - it should remove its automatic restart...So:
Delete the folder C:\fixwareout
Delete the downloaded file Fixwareout.exe
Please copy the text between the lines to a notepad and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V "AutoRestartShell" >>C:\showkey.txt
reg query "hklm\software\microsoft\windows\currentversion\runonceex" >> C:\showkey.txt
reg query "hklm\software\microsoft\windows\currentversion\runonceex\0001" >>C:\showkey.txt
__________________________________________________________

Did you sort out the SP2 upgrade?
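As an added example (not from this thread), the Winlogon checks asked for above (Shell, Userinit, AutoRestartShell) and the RunOnceEx dump from showkey.bat can be done in one PowerShell script that compares each value against the stock XP default and flags anything missing, changed, or pending in RunOnceEx. It assumes PowerShell 2.0 or later run from an elevated prompt; the "expected" defaults are the standard ones, not values taken from any log posted here.

```powershell
# Added example, not part of the forum thread: audit the Winlogon values and the
# RunOnceEx key that the posts above ask the user to inspect.
# Expected values are the stock XP defaults; SystemRoot is resolved at run time.

$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runOnceEx = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'

$expected = @{
    'Shell'            = 'explorer.exe'
    'Userinit'         = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is normal
    'AutoRestartShell' = 1
}

function Get-WinlogonValue {
    param([string]$Name)
    # A missing value returns $null (non-terminating error suppressed) so it is reported as MISSING.
    $item = Get-ItemProperty -Path $winlogon -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()
foreach ($name in $expected.Keys) {
    $actual = Get-WinlogonValue -Name $name
    $want   = "$($expected[$name])"
    if ($null -eq $actual) {
        $findings += "MISSING   Winlogon\$name (expected '$want')"
    }
    elseif ("$actual".Trim().ToLowerInvariant() -ne $want.ToLowerInvariant()) {
        # Shell or Userinit pointing anywhere but the defaults is the classic sign
        # that something has hooked logon; fix the value rather than the symptom.
        $findings += "CHANGED   Winlogon\$name = '$actual' (expected '$want')"
    }
    else {
        "OK        Winlogon\$name = '$actual'"
    }
}

# RunOnceEx is normally empty; numbered subkeys (0001, 0002, ...) hold commands that
# run once at the next logon, which is why showkey.bat dumps them after a cleanup tool.
if (Test-Path $runOnceEx) {
    Get-ChildItem -Path $runOnceEx | ForEach-Object {
        $sub = $_
        foreach ($valueName in $sub.GetValueNames()) {
            $findings += "RUNONCEEX $($sub.PSChildName)\$valueName = '$($sub.GetValue($valueName))'"
        }
    }
}

if ($findings.Count -eq 0) {
    'No deviations from the default Winlogon values; RunOnceEx has no pending commands.'
} else {
    $findings
}

# To keep a record alongside showkey.txt, uncomment the next line:
# $findings | Out-File -FilePath C:\showkey.txt -Append
```

The script only reads the registry; anything it reports as CHANGED or RUNONCEEX should be looked at before being edited or removed.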

gerbil 216 Industrious Poster

Skip running fixwareout - log is fine from that aspect.. the O17 entry represents the DNS server that your ISP uses, and I should have been sharper on that, but at least the second run showed that a couple of trojan registry entries had been removed.
AVG found infections in several restore points, but those have all been removed now by that procedure of turning restore off/on.
Time to give up on Panda, I think, for the time being. Try the two scans below and post any positive results. Do not use your computer while it scans.

But first, check for and delete :
C:\WINDOWS\9129837.exe
C:\WINDOWS\hide_evr2.sys


==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan.
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....
If Kaspersky completes try another AVG AS scan.

[[Pretty much it is possible to invest too much time cleaning a machine. I'm keeping in mind that you are on dialup, but we should manage it. If you do decide to go with a clean start then we can show you pgms to write patterns on your HD to destroy all info, then guide you through reinstallation, sorting out a decent setup with multiple partitions if you so desire.
"I read somewhere that you can't reformat the drive windows boots from...." - no, you cannot, but you can …

gerbil 216 Industrious Poster

Hehe.... er... thank you for that backgrounding ... :) [du wanna find the secret stuff?]
Just for a start could I see your boot.ini file? Go control panel > system, advanced tab, start up and recovery settings. Hit the edit button and post that notepad that opens.

gerbil 216 Industrious Poster

That's good, Jeannie.
I see you renamed acovcnt.exe to acovcnt.xbak.exe; this leaves that file listed as an executable, albeit with a name that may not be recognised. The idea is to rename to acovcnt.xbak [the x tells you it is an exe...]
Okay, now you should delete these files:

C:\QooBox\
The hijackthis folder and contents.
Tools VundoFix, ComboFix, Smitfraudfix [because they are updated continually...]

Decide which AntiSpyware service you wish to keep installed, one should be sufficient, two will just slow your system.
Good luck out there...

gerbil 216 Industrious Poster

Oh... I was not looking for this... and I missed it! Please fix this entry with hijackthis, but do NOT delete the file!!
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\System32\shdocvw.dll

gerbil 216 Industrious Poster

Oh, heidi... Right. For a start, hijackthis is only a reporting tool, it does not repair anything unless set to do so. The first group of files, the .com ones, are MSDOS files for when XP runs DOS in an emulation environment. But they should have an old date, maybe 2004? If it is recent then there is a trojan which attacks .com files in system32, and it runs under the name of d.exe :) - could be your variant, may not be. AVG AS should have found it, combofix may.
Your Fixwareout run failed, I see that it did not list one TCPip entry - it is targeted by some malware. Delete your tool, and get a fresh copy and try it:
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start ...
Empty the AVG quarantine bin: select all and delete. Oh, you did.
Get hold of and run Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
AVG AS - I am …

gerbil 216 Industrious Poster

Yay!! we're winning!
Ok, tooth, fix these with hijackthis:

O2 - BHO: (no name) - {0DC0F06C-36FC-4F8B-9D3C-3B909FB20C36} - C:\WINDOWS\system32\mllml.dll (file missing)
O2 - BHO: (no name) - {941508F8-CCD9-44E0-AC29-4F1E141373F7} - C:\WINDOWS\system32\yayvtuv.dll (file missing)
O2 - BHO: (no name) - {B6233DC2-3260-44F9-B71B-C2EF82FC5A02} - C:\WINDOWS\system32\pmnli.dll (file missing)

Good. Now run this cleaner: CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]
Follow with this: Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a …

gerbil 216 Industrious Poster

Nothing bad in that list, Luke. So atm I do not know.. sorry.

gerbil 216 Industrious Poster

Use hijackthis to fix these entries: Start it, press Scan Only, and place checkmarks against these entries, press Fix Checked:

O2 - BHO: (no name) - {941508F8-CCD9-44E0-AC29-4F1E141373F7} - C:\WINDOWS\system32\yayvtuv.dll
O2 - BHO: (no name) - {B6233DC2-3260-44F9-B71B-C2EF82FC5A02} - C:\WINDOWS\system32\pmnli.dll
O2 - BHO: (no name) - {EE84B30A-B461-4F6B-99ED-3E3C6EFAAEE1} - C:\WINDOWS\system32\sstqo.dll (file missing)
O20 - Winlogon Notify: sstqo - C:\WINDOWS\system32\sstqo.dll (file missing)
O20 - Winlogon Notify: yayvtuv - C:\WINDOWS\SYSTEM32\yayvtuv.dll


Okay, run VundoFix again... check that it deletes all that it finds, if it does not, run it a third time but modify the scan as follows:
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Add more files? line, paste into the new window these pathnames [one per line]:

C:\WINDOWS\SYSTEM32\yayvtuv.dll
C:\WINDOWS\SYSTEM32\vutvyay.*
C:\WINDOWS\system32\pmnli.dll
C:\WINDOWS\system32\ilnmp.*

Click the Add Files button, and next the Remove Vundo button.*****

You will receive a prompt asking if you want to remove the files - click YES
==Change the name of this file to acovcnt.xbak and see what complains:
C:\WINDOWS\system32\acovcnt.exe
==Please search for these in your system, delete them if you find them:
C:\WINDOWS\system32\tuwgilbu.exe
C:\WINDOWS\system32\yayvtuv.dll
-this is a good lil deleter if you need one; when you install it, it lives inside your rclick menu - handy and tough.
http://ccollomb.free.fr/unlocker/
Post the vundofix and a fresh hijackthis log pls.

gerbil 216 Industrious Poster

Thank you for that, Lisa. Looks like you're clean to go and play again.
By the way, you do realise that you have two windows installations in C:\ ? Windows and Windows.1? You could safely remove the unused one.
Cheers.

gerbil 216 Industrious Poster

What is this file? [C:\WINDOWS\system32\acovcnt.exe]
Please post any info from its properties.. I cannot find who owns it.
Have you run VundoFix lately? There are some files in there that I am suspicious of... so just in case something else is hidden would you rename hijackthis.exe to.. umm... imabunny.exe for the next scan, please?

==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

Hi, heidi. Infection possibility while using AVG site: not likely, as long as you have Windows firewall ON.
And yikes! is right..... what a log. When this is over you are going to install an AV and a proper firewall, aren't you...? Right after you update to SP2... on dialup tho I think I would contact M$ and get the CD - it is only a $ or two to cover their basic costs. If you don't do those things there is every chance you will remain a regular visitor here.

Right, for now fix these entries with hijackthis:

O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing

Delete these files:
C:\WINDOWS\System32\qmhoepkf.exe
C:\WINDOWS\System32\lanmanwrk.exe

Run these lines:
sc delete MSDisk
sc delete MSWindows

System Restore Points Clearance:
==You MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
==Run CCleaner again.
Do a Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the …

gerbil 216 Industrious Poster

Lisa, please delete the smitfraudfix folder in C:\ and the zip file, dl a new copy and start it in normal mode as before, but this time run the check, ie enter 1 [not 2], cos I would like to see the log...
Also rename hijackthis.exe to hiscan.exe and post a fresh log pls.
Delete c:\qoobox folder and contents.

gerbil 216 Industrious Poster

Hello, tooth. This should help.
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in safe mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected - if it is you will be prompted to replace the file; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows. Please post C:\rapport.txt
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]

Next is Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your …

gerbil 216 Industrious Poster

What a brazen come-on!! :)
K... a couple of things there, let's move em out.
Either go Control Panel > Folder Options, or in an explorer window go Tools > Folder Options; then the View tab, and press Show hidden files and folders.
Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings.... In control panel select the Network and Internet Connections, rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. (space after ipconfig). Type Exit.

FIX CHECKED ENTRIES....!!
Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:

O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F7ABB6-1354-4881-9F5B-831214CC8758}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: Microsoft security update service …
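As an added example, not from gerbil's posts or from HijackThis itself: a small Python triage script over the HijackThis log entry types the posts above walk through (O2 BHO and O20 Winlogon Notify entries marked "(file missing)", O23 services with an Unknown owner, and the O17 NameServer override), which flags entries the way the posts do and separates stale entries to tick under Fix Checked from files still on disk that need deleting. The sample log lines are constructed from entries quoted in this thread plus two benign lines with made-up values, and the stock Winlogon Notify allowlist is an assumption.

```python
import re

# Constructed sample log: entry types the posts above ask the user to fix
# (O2 BHO, O17 NameServer, O20 Winlogon Notify, O23 Service), plus a benign
# O2 line with a made-up CLSID and a stock O20 line so something passes.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0DC0F06C-36FC-4F8B-9D3C-3B909FB20C36} - C:\WINDOWS\system32\mllml.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F7ABB6-1354-4881-9F5B-831214CC8758}: NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: yayvtuv - C:\WINDOWS\SYSTEM32\yayvtuv.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
"""

# Winlogon Notify package names found on a stock XP install (assumed
# allowlist for this example); any other name is flagged for review.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe|cpl))", re.I)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def triage(log_text):
    """Return (entries to tick under Fix Checked, flagged files still on disk)."""
    to_fix, to_delete = [], []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        reasons = []
        missing = "(file missing)" in body
        if missing:
            reasons.append("target file missing")
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("unnamed BHO")
        if section == "O17" and IPV4_RE.search(body):
            reasons.append("hard-coded DNS servers " + " ".join(IPV4_RE.findall(body)))
        if section == "O20":
            name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if name not in STOCK_NOTIFY:
                reasons.append("non-stock Winlogon Notify package")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with unknown owner")
        if reasons:
            to_fix.append((raw.strip(), reasons))
            path = PATH_RE.search(body)
            if path and not missing:
                to_delete.append(path.group(1))
    return to_fix, to_delete
```

Entries already marked "(file missing)" only need the registry reference fixed, so they land in the first list alone; a flagged entry whose file is still present also appears in the second list for deletion or for VundoFix's Add more files box.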
gerbil 216 Industrious Poster

==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in safe mode.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #2 [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected - if it is you will be prompted to replace the file; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Reboot into normal Windows.
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]
Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, …