gerbil 216 Industrious Poster

Would you rename hijackthis.exe to.. umm... imabunny.exe , please?

==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

Hmm. start hijackthis, open Misc Tools section, check the topmost box "list minor sections" and press Generate Startuplist log. Pls post that.

gerbil 216 Industrious Poster

Sarah, if you do find a way pls let us know..?

gerbil 216 Industrious Poster

Dig, just use the hijackthis procedure above to fix those log entries. As for the batch file, copy that text to a notepad, press save, choose desktop and name the file as above, choose file types as "all files".

gerbil 216 Industrious Poster

.

gerbil 216 Industrious Poster

Fine, johhny. Tap the solved button, pls....

gerbil 216 Industrious Poster

Cheers, Thierry, glad it went well for you.
Punch that solved button, please?

gerbil 216 Industrious Poster

Ah. Fixwareout should have removed its run key from registry automatically. Because it did not remove a couple of registry entries it looks like FWO broke a bit. Please delete the C:\Fixwareout folder and contents, then dl a fresh copy from the link above and run it. That will replace and then remove problem entries. Post its log please.

gerbil 216 Industrious Poster

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - http://dl.tvunetworks.com/TVUAx.cab
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Plus\rtemehd.html

Good. Now navigate to and delete this file and its folder:
C:\Program Files\Windows Plus\rtemehd.html

Come back with how things seem.

gerbil 216 Industrious Poster

First things first - with resident AV pgms more is DEFINITELY not better. You must remove, now, one of either Norton or Avast AVs.
Good. For a start you have a vundo infection... so just in case something else is hidden would you rename hijackthis.exe to.. umm... imabunny.exe for the next scan, please?
Now move it from your desktop to a folder in your c: root. C:\

==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt plus a new HijackThis log.

Now dl and run these two:
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's …

gerbil 216 Industrious Poster

This should help, Thierry:
Either: go Control panel > folder options OR: in an explorer window > tools > folder options; - then view tab, and press Show hidden files and folders.
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings....In control panel select the Network and Internet Connections, rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.

FIX CHECKED ENTRIES....!!
Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:

O17 - HKLM\System\CCS\Services\Tcpip\..\{14E70BBD-5523-4502-AC1D-8B54F65C179E}: NameServer = 85.255.113.150,85.255.112.233
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E53DCD3-7317-4A3D-9647-53E0F3636E52}: NameServer = 85.255.113.150,85.255.112.233

gerbil 216 Industrious Poster

You did fix that R0 entry, right? Well, I don't know - blingo is not listed as malicious, only as a BHO and toolbar item, so removing those items should kill it.
No entry in add/remove pgms, or in your pgm files [check the subfolder Common Files also]? Big Fish...?

gerbil 216 Industrious Poster

If it is the same as with XP you cannot remove it, you can only stop it. It is a windows component. Icon is on the left. Upgrade over the top of it.

gerbil 216 Industrious Poster

You could fix these two....
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
..and that's it. Done.

gerbil 216 Industrious Poster

Nope. Googling didn't help either. All I could find that could be of any help is to either restore to a previous date [not good, sometimes] or just go down the list of pgms in that key I gave you, click on culprits and then delete any entry which looks like NoModify or NoRemove [or set those values to zero].
Note that some pgms are listed by those long alphanumeric codes...
Tedious. But that's it. Have you Norton AV?

gerbil 216 Industrious Poster

I think that was my best and only shot, sarah...
[the cough was actually cos I was expecting a list, I didn't at the time realise the header was half the post]

gerbil 216 Industrious Poster

Cool... :)
There is still this entry there, but it is not a bad one, so I leave it up to you... you may be using it for your DNS lookups.. instead of defaults. Cheers.
O17 - HKLM\System\CS2\Services\Tcpip\..\{1130C533-380E-47B7-92EA-F52F97B8E5A7}: NameServer = 208.67.220.220,208.67.222.222

gerbil 216 Industrious Poster

Great, dig. Now fix these:

O2 - BHO: (no name) - {443F6C86-801E-8BBC-4B1B-8E8DBC5780B6} - C:\WINDOWS\system32\ach.dll (file missing)
O2 - BHO: (no name) - {4800A481-4D72-4E98-9C16-8B0B5F5DCD57} - C:\WINDOWS\system32\iuhbihcf.dll (file missing)
O2 - BHO: (no name) - {B5370682-1348-4A83-A260-E299153FE051} - C:\WINDOWS\system32\awvvw.dll (file missing)
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINDOWS\svchost.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O9 - Extra button: ShopperReports - Compare product prices - {946B3E9E-E21A-49c8-9F63-900533FAFE15} - (no file)
O20 - Winlogon Notify: awvvw - C:\WINDOWS\system32\awvvw.dll (file missing)
O20 - Winlogon Notify: qomnkll - qomnkll.dll (file missing)
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll (file missing)
O20 - Winlogon Notify: wineqx32 - wineqx32.dll (file missing)

Good. Now navigate to and delete this file [do it in safe mode if needs be..]:
C:\WINDOWS\svchost.exe
And that should be it.. to be more sure you could try this online scan at Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Right. Wallpaper [desktop background] - we need to see the contents of a couple of your registry keys; it's probably easiest if you run this small batch file to export them:
Save the text between the lines to your desktop …

gerbil 216 Industrious Poster

==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings....In control panel select the Network and Internet Connections, rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.

Start hijack this, scan only and fix these entries:

O4 - HKLM\..\Run: [outpost_uninst] C:\DOCUME~1\OWNER~1.THE\LOCALS~1\Temp\_uninstop.exe /u
O17 - HKLM\System\CCS\Services\Tcpip\..\{1130C533-380E-47B7-92EA-F52F97B8E5A7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E59BD02-C9E7-4417-AF6A-6AC1C6F24BAA}: NameServer = 85.255.115.60,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{708E4F73-0BD1-418C-A1AA-3DEB07216E08}: NameServer = 85.255.115.60,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{C66CC589-9402-4597-9ED2-8610592ED56C}: NameServer = 85.255.115.60,85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1130C533-380E-47B7-92EA-F52F97B8E5A7}: NameServer =
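Added example, not part of gerbil's post or of any tool named in the thread: a small Python script that picks the O17 NameServer lines out of a HijackThis log and sorts them into entries pointing at resolvers you recognise (the 208.67.x pair that a later post says is fine to keep) versus entries pointing somewhere you never configured (the 85.255.x pairs above). The allow-list and the log excerpt it runs over are constructed for the example; it also accepts the space-separated address form that shows up in some of the logs posted in this thread.

```python
"""Triage HijackThis O17 (NameServer) lines: keep allow-listed resolvers,
flag everything else for the user to fix. Example code added here, not from
the thread; the allow-list and sample log lines are constructed."""
import ipaddress
import re

# Constructed allow-list: the OpenDNS pair the thread treats as legitimate.
# Add your ISP's resolvers here; anything else gets flagged.
TRUSTED_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

# O17 lines look like:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
# The address list may be comma- or space-separated, or empty.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer =\s*(?P<servers>.*)$")


def parse_o17(line):
    """Return (registry_key, [ip, ...]) for an O17 line, or None otherwise."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
    return m.group("key"), servers


def classify(servers, trusted=TRUSTED_RESOLVERS):
    """'empty' (nothing set), 'ok' (all trusted), 'invalid' (not an address),
    or 'suspect' (at least one resolver outside the allow-list)."""
    if not servers:
        return "empty"
    verdict = "ok"
    for s in servers:
        try:
            ipaddress.ip_address(s)
        except ValueError:
            return "invalid"
        if s not in trusted:
            verdict = "suspect"
    return verdict


def triage_log(lines, trusted=TRUSTED_RESOLVERS):
    """Map each O17 registry key to its verdict; non-O17 lines are ignored."""
    results = {}
    for line in lines:
        parsed = parse_o17(line)
        if parsed:
            key, servers = parsed
            results[key] = classify(servers, trusted)
    return results


# Constructed sample in the same shape as the logs posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [outpost_uninst] C:\DOCUME~1\OWNER~1.THE\LOCALS~1\Temp\_uninstop.exe /u
O17 - HKLM\System\CCS\Services\Tcpip\..\{1130C533-380E-47B7-92EA-F52F97B8E5A7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E59BD02-C9E7-4417-AF6A-6AC1C6F24BAA}: NameServer = 85.255.115.60,85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O17 - HKLM\System\CS1\Services\Tcpip\..\{1130C533-380E-47B7-92EA-F52F97B8E5A7}: NameServer =
""".strip().splitlines()

if __name__ == "__main__":
    for key, verdict in triage_log(SAMPLE_LOG).items():
        print(f"{verdict:8} {key}")
```

Run it against a saved HijackThis log (one line per list element) and fix the keys that come back as "suspect"; an "empty" verdict is the state you want after the fix, since Obtain DNS servers automatically leaves the value blank.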

gerbil 216 Industrious Poster

Um. nothing.. frog, maybe.. Anyway...
I may be barking up the wrong tree, but perhaps if you navigate to this key in your registry [go Start, run, type regedit and press OK]:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
-then rclick on uninstall in left pane, choose permissions and ensure that the administrator [you, perhaps] at least has Full Control. That should do it.
That fix would apply if most of your add/remove pgms entries were like you describe.... maybe a bit of malware changed it.

gerbil 216 Industrious Poster

db, that log shows as good. Others may be canny on reasons for SP2 installation failures, I can only suggest you search the M$ site for help.
Good luck... btw, they have an excellent help site - reach it through the windows update site etc..

gerbil 216 Industrious Poster

If you were to run a hijackthis log and check the O4 entries doubtless you would find an entry something like this....
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)
Am I right? Good, check that entry and press Fix Checked...

HiJackThis:
==download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-select Scan Only, place checkmarks against the entry and then press Fix Checked.

gerbil 216 Industrious Poster

A C4 error is encountered when the driver verifier finds a bad driver. Hence its name. Go Start, run, type verifier.exe and restart.
What to do then? Urp. You could look at this page- http://support.microsoft.com/?kbid=244617&sd=RMVP

gerbil 216 Industrious Poster

Files move when files/folders are on the same partition, they copy to files/folders on different partitions. To force the move rclick and select move when u drag.

gerbil 216 Industrious Poster

Luke, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blingo.com/?src=hp
O2 - BHO: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Help - {01E07129-B123-4782-93F2-F8719D489F9F} - http://online.comcast.net/help/ (file missing) (HKCU)
O9 - Extra button: Support - {1AF7EF0F-C3D5-438F-A97E-921A49D3D95B} - http://www.comcastsupport.com/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {520E9540-EAE3-4B93-914D-451EEA4046E7} - http://www.comcast.net/ (file missing) (HKCU)

Good. Blingone?

gerbil 216 Industrious Poster

ComboFix took care of those files in the first batch that you could not fix. These are still showing up in your HT log - fix them:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94

and these:
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/si...nerInstall.cab

System Restore Points Clearance:
==You MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
Now for a JAVA Update:
==Finally: Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.1 is current....
Could I also see that Fixwareout log please?
Come back with how you get on...

gerbil 216 Industrious Poster

Please retain only ONE resident AV - that is important. Remove the others now.
Good. For a start you have/had a vundo infection... so just in case something else is hidden would you rename hijackthis.exe to.. umm... imabunny.exe for the next scan, please?
Now move it from your desktop to a folder in the C: root.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

=Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...sbcydsl/*http:
O4 - HKLM\..\Run: [bwtwhehq.exe] C:\Documents and Settings\All Users\Application Data\bwtwhehq.exe

Then delete this file:
C:\Documents and Settings\All Users\Application Data\bwtwhehq.exe

Get CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. …

gerbil 216 Industrious Poster

Oh, that is sneaky and so neat... all they have done is reverse the order of a standard hosts file entry - it looks like it could be right.... :), but breaks your access.
First off, please move HijackThis from your desktop to a folder alongside your pgm files folder. Change its name to imabunny.exe.
Then fix these with hijackthis by starting it, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {36ADA89D-2440-4DC4-820A-3A05E8630935} - C:\Program Files\Video ActiveX Access\iesplg.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [Windows Updater Servc] C:\WINDOWS\system32\xpuupdate.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)

Delete these files:

C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\WINDOWS\system32\xpuupdate.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\Program Files\Video ActiveX Access\iesmin.exe

Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings....In control panel select the Network …
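Added example, not from the thread: a checker for the reversed hosts entry that the O1 line above reports. Windows takes the first field of each hosts line as the address, so a line that starts with a name is not a usable mapping; the script flags every line whose first field is not an address and rewrites the reversed ones into the normal order. The sample hosts text is constructed.

```python
"""Check a Windows hosts file for entries written name-first (which HijackThis
reports as e.g. "O1 - Hosts: localhost 127.0.0.1"). Example code added here,
not from the thread; the sample hosts text is constructed."""
import ipaddress


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hosts(text):
    """Yield (lineno, status, raw_line). status is 'ok', 'reversed',
    'bad-address' or 'malformed'. Comments and blank lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            yield lineno, "malformed", raw
            continue
        first, rest = fields[0], fields[1:]
        if _is_ip(first):
            yield lineno, "ok", raw
        elif any(_is_ip(f) for f in rest):
            # hostname first, address later: the reversed form from the thread
            yield lineno, "reversed", raw
        else:
            yield lineno, "bad-address", raw


def fix_reversed(raw):
    """Rewrite a reversed entry as 'address name [name ...]'."""
    fields = raw.split("#", 1)[0].split()
    ips = [f for f in fields if _is_ip(f)]
    names = [f for f in fields if not _is_ip(f)]
    return " ".join(ips + names)


def bad_entries(text):
    """Every non-'ok' entry, in file order."""
    return [(n, s, r) for n, s, r in parse_hosts(text) if s != "ok"]


# Constructed sample: one good entry, one reversed, one IPv6, one malformed.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
localhost 127.0.0.1
::1             localhost
foo.example.test
"""

if __name__ == "__main__":
    for n, status, raw in bad_entries(SAMPLE_HOSTS):
        print(f"line {n}: {status}: {raw!r}")
        if status == "reversed":
            print("  corrected:", fix_reversed(raw))
```

Point it at the contents of %SystemRoot%\system32\drivers\etc\hosts; on a clean XP machine the only non-comment line is the 127.0.0.1 localhost one, so anything else the checker reports deserves a look.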

gerbil 216 Industrious Poster

...polite cough....

gerbil 216 Industrious Poster

Pat, post that in the Vista forum. We're all dinosaurs in here. I get the feeling that the HT copy that you have does not like your Vista - a lot of running process information is missing from your log.. but in what I can see there are no problems.

gerbil 216 Industrious Poster

A startup entry like that has to be in registry. Get another one like Registryfix, let it do a free scan; if it finds it it will not fix it, but you've got its number though for a manual fix.
Unless... I don't have siteadvisor.. but is there a chance that the later vsn needs the earlier, and is calling from itself?

gerbil 216 Industrious Poster

A week or two old? That is a warranty job. You are paying for it, so get some value.

gerbil 216 Industrious Poster

Looks fine, Shane. Just fix this entry:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Cheers.

gerbil 216 Industrious Poster

Luke, toss us a hijackthis log, will you?
HiJackThis:
==download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Get yourself a cheap registry cleaner - any half-decent one will recognise an entry that points to a file that no longer exists. And they don't come cheaper than CCleaner...
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]
What you are specifically looking for is under Issues button.

gerbil 216 Industrious Poster

This is my very last shot on that service. Note that in this procedure the name may be abbreviated from Windows Overlay Components.
Go Start, run, regedit, navigate to HKLM\System\CurrentControlSet\, expand the Services key. Look down until you find the correct key representing Windows Overlay Components, lclick it, confirm in right pane if needs be. Go file, export, and follow through. Good. Now with the subkey still highlighted delete it [and its subkeys].
If it will not let you, rclick the key, permissions, grant the admin full permissions, and then delete it.
Phew.
=Please delete the folder C:\VundoFix Backups
=Go to add/remove pgms and remove any program that has Oin or Yazzle in its name, plus SurfSidekick and Deluxe Communications. Delete their folders from C:\Program files and from C:\Program files\Common Files.
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #2 - Search [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected - if it is you will be prompted to replace the file; type Y and press "Enter".
A text file will appear which lists infected files (if present). It will also create …

gerbil 216 Industrious Poster

You misunderstood me - a repair installation will keep 3rd party applications and files intact, reinstalling will not.

gerbil 216 Industrious Poster

Ah, thanks, cdg, it's so long since AVG AS picked up anything in my sys that I am starting to forget how it works with its log and actions! So you did have it set to quarantine, but because you did not press Apply all Actions it did not reflect that in the log.
Missed this bit - you should do this before you repeat those scans.
System Restore Points Clearance:
==You MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.

gerbil 216 Industrious Poster

Sooo many people miss the advice to set recommended actions to Quarantine.... and yeah, if you don't, all AVG does is look.
Okay. Crack tools.... some you have are infected, others are just detected as infected but are non-harmful. I think some software manufs deliberately put out bad cracks, keygens, other groups do it for profit -they sell the adware space.... a few are proud of what they do and are genuinely clean. If you must use them, scan them first, then run them in a sandboxed environment.
You may wish to remove from quarantine some of those - I am not advising cos pretty much if AVG put them in there, they're bad.
D:\Program Files\Tweak-XP Pro 4\tweak-xp.exe : restore this one from quarantine.... and delete the remainder.

Now search for these files, folders and delete them:

c:\windows\system32\1024
c:\windows\system32\cache32_rtneg
c:\windows\EliteSideBar
E:\ION bu
D:\My Documents\My Zinio Library
D:\My Documents\work - you may wish to check contents of this one first, but it did have malware in it...
And delete all of these too [paying attention to notes on last few]:

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Chris\Cookies\chris@888[2].txt
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\abasa5jrp.ini
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\hochkaod3.ini
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\u6f6uftuc.ini
Adware:Adware/WUpd Not disinfected D:\My Documents\My Downloads\Files\Download Studio\wsi=30231.html
Virus:Malware Generic Not disinfected D:\My Documents\My Downloads\Files\DSclock\Calendarscope.v.2.6.rar[crack\calendarscope_2_6.exe]
Virus:Malware Generic Not disinfected D:\My Documents\My Downloads\Files\DSclock\Calendarscope_v2[1].6.rar[calendarscope_2_6.exe]
Virus:Malware Generic Not disinfected D:\My Documents\My Downloads\Files\DSclock\Calendarscope_v2[1].6.Warezpost.net.rar[Calendarscope_v2.6.Warezpost.net\calendarscope_2_6.exe]
Virus:Malware Generic Not …

gerbil 216 Industrious Poster

Hmmm, fish, this is what you wrote last time:
"Hello there.Once again my browser has been hijacked by pop-ups. It's strange because I have AVG antivirus/spyware protecting me, but it's happened again. Is AVG not doing its job? What is a good piece of software to actually stop my browser from catching... dodgy software"
....and you left me hanging.

Fix these, delete the files. You may have to do the latter in safe mode.

O2 - BHO: (no name) - {45677555-FD71-48B2-9102-02B3A5D246BC} - C:\WINDOWS\system32\reginix86a.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\fish\svchost.exe

Cheers. Bad is not AVG, bad is the places you go. But you catch em fresh - one of those was only first detected yesterday.
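Added example, not from the thread: Python that triages the O4 autostart lines of a HijackThis log for the two patterns in the entries above and in earlier posts here: a system-binary name such as svchost.exe launched from anywhere but its normal directory (C:\WINDOWS, a drivers subfolder, a user profile), and autostarts that run out of Temp or Application Data. The expected-directory table is an assumption for the example (C:\WINDOWS\system32; adjust it for a C:\WINNT install), and the sample lines are taken from the logs posted in this thread.

```python
"""Triage HijackThis O4 (autostart) lines for a known system binary name in
the wrong directory and for autostarts launched from temp/profile data dirs.
Example code added here, not from the thread; the expected-directory table is
an assumption and the sample lines come from logs posted in the thread."""
import ntpath
import re

# Assumption for this example: where these binaries legitimately live.
# (Older installs use C:\WINNT; extend or change for your own baseline.)
SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
}
# Launch directories an autostart should not normally use.
SUSPICIOUS_DIR_PARTS = ("\\temp\\", "\\application data\\")


def split_o4(line):
    """Return (location, command) for an O4 line, or None if it is not O4."""
    line = line.strip()
    if not line.startswith("O4 - "):
        return None
    location, _, rest = line[5:].partition(": ")
    m = re.match(r"\[[^\]]*\]\s*(.*)$", rest)      # "[Run name] command"
    if m:
        rest = m.group(1)
    elif " = " in rest:                              # "Startup: foo.lnk = target"
        rest = rest.split(" = ", 1)[1]
    return location, rest


def extract_path(command):
    """Pull the executable path out of the command string (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)  # stop before args
    return m.group(1) if m else command


def triage_o4(line):
    """List of findings for an O4 line (empty = nothing flagged), None if not O4."""
    parsed = split_o4(line)
    if parsed is None:
        return None
    _location, command = parsed
    low = extract_path(command).lower()
    findings = []
    base = ntpath.basename(low)
    expected = SYSTEM_BINARIES.get(base)
    if expected and ntpath.dirname(low) != expected:
        findings.append(f"{base} outside {expected}")
    if any(p in low for p in SUSPICIOUS_DIR_PARTS):
        findings.append("runs from a temp/profile data directory")
    return findings


def triage_log(lines):
    """Map each flagged O4 line to its findings; clean and non-O4 lines are dropped."""
    out = {}
    for line in lines:
        findings = triage_o4(line)
        if findings:
            out[line.strip()] = findings
    return out


# Lines taken from logs posted in this thread, plus one non-O4 line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKLM\..\Run: [{ZN}] C:\DOCUME~1\OWNER~1.UPP\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Owner.UPPERPLAYGROUND\Local Settings\Temp\thinksnet.exe
O4 - Startup: .protected
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
""".strip().splitlines()

if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG).items():
        print(line)
        for f in findings:
            print("   ->", f)
```

Neither check proves an entry is malicious on its own (a vendor updater in Application Data is common), but both patterns are exactly what the helper here told people to fix, so they are worth surfacing before you press Fix Checked.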

gerbil 216 Industrious Poster

Do the sfc /scannow command first, it checks and replaces any corrupted protected windows components, and takes maybe 10mins...and it is looking like your shell or rundll32 is broken. Next option is a windows repair - with that as opposed to a reinstall you keep all your 3rd party applications and files intact.
Say how you get on.

gerbil 216 Industrious Poster

Groan!! I must be losing it.... I tell you to get the exact name and miss one lil word... service. My apologies... In this:
"Now got Start, all pgms, admin tools, services; scroll to Windows Overlay Components, rclick it and press Stop if available. You may need to go to Properties and disable it first, but I doubt it is running.
Write down the exact name. Now close Services, and in cmd window type:
sc delete exact name -don't be silly now!!"
Rewriting it: rclick Windows Overlay Components, open properties, and write down the exact SERVICE name. Sigh... it should have one there.. that is the name to use in the sc command. So:
sc delete exact service name.
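Added example, not from the thread: the mix-up above is between the display name that the Services console shows and the short service name that sc.exe expects (sc stop Windows Overlay Components, as posted later in this thread, would be read as a service called "Windows"). This Python parses the text that `sc query state= all` prints to map display names to short names and builds the sc stop/delete pair from the right one, quoting it if it contains spaces. The sample output is constructed, and PLACEHOLDER_SVC / examplesvc stand in for whatever the real short names turn out to be.

```python
"""Map a service display name to the short name sc.exe wants, using the
output of `sc query state= all`. Example code added here, not from the
thread; the sample output is constructed and its service names are placeholders."""

# Constructed sample of `sc query state= all` output (two services).
SC_QUERY_OUTPUT = """\
SERVICE_NAME: examplesvc
DISPLAY_NAME: Example Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: PLACEHOLDER_SVC
DISPLAY_NAME: Windows Overlay Components
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
"""


def parse_sc_query(text):
    """Return {display_name: {"service_name": ..., "state": ...}}."""
    services = {}
    current = None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:                      # blank lines and the "(STOPPABLE, ...)" line
            continue
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":        # each record starts with the short name
            current = {"service_name": value, "state": None}
        elif key == "DISPLAY_NAME" and current is not None:
            services[value] = current
        elif key == "STATE" and current is not None:
            current["state"] = value.split()[-1]   # "4  RUNNING" -> "RUNNING"
    return services


def sc_name(name):
    """sc.exe splits its arguments on spaces, so quote a name containing one."""
    return f'"{name}"' if " " in name else name


def removal_commands(display_name, services):
    """Build the sc stop/delete pair for a display name; KeyError if unknown."""
    rec = services.get(display_name)
    if rec is None:
        raise KeyError(f"no service with display name {display_name!r}")
    name = sc_name(rec["service_name"])
    cmds = []
    if rec["state"] != "STOPPED":        # no point stopping what is not running
        cmds.append(f"sc stop {name}")
    cmds.append(f"sc delete {name}")
    return cmds


if __name__ == "__main__":
    svcs = parse_sc_query(SC_QUERY_OUTPUT)
    for cmd in removal_commands("Windows Overlay Components", svcs):
        print(cmd)
```

On the affected machine you would feed it the real output (sc query state= all > services.txt) rather than the constructed sample; export the service's registry key first, as the later post advises, so the deletion can be undone.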

gerbil 216 Industrious Poster

OOPS!! Big oops! The Panda scan is online ...gulp... can you start internet explorer via Task Manager? File, New task, type Iexplore.exe and enter. Sorry... Or else start in safe mode with networking and try it from there.
Have you got an XP SP2 installation CD? It would pay to run
sfc /scannow

gerbil 216 Industrious Poster

hmm... nothing there. Combofix has actually deleted a file by Thunder Networking Tech - it is the genuine file, not a bit of malware. But I don't know what it does, apart from being a BHO -browser helper- so you may not miss it. The key which started it is still there; you can go into registry and remove it if you wish:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects;
{0005A87D-D626-4B3A-84F9-1D9571695F55}=C:\WINDOWS\system32\xunleibho_v8.dll []
You could try a Panda scan while we think on your symptoms.... do a fresh CCleaner run first:
Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

From what you say I do not think it is a spyware problem.. 99% sys idle is good.

gerbil 216 Industrious Poster

Now, this depends a bit upon you. You can "remove" W messenger or simply prevent it from starting - up to you.
Go CP, add/remove pgms > set pgm access, defaults - hit custom button, make your selections [ie press use my current messenger [which of course can be none if you have not one set up]].
To "remove" messenger, >add/remove w components, uncheck messenger. If you use Outlook Express, which does use messenger if available, use this link to remove messenger:
http://www.dougknox.com/xp/tips/xp_messenger_remove.htm
Note: messenger does not get deleted by these methods; I don't know if that is possible. But it won't start.

gerbil 216 Industrious Poster

Vundo certainly was busy in your sys! Just because it is easy, please delete c:\vundofix.txt and run it again.... to be sure.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {9DD2677F-8D63-4F31-9157-896095B728DD} - C:\WINDOWS\system32\awvvs.dll (file missing)
O2 - BHO: (no name) - {B00FF85D-54E8-4F2C-8455-6067D369271E} - C:\Program Files\Internet Explorer\hokem43855.dll
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\DLP.dll (file missing)
O20 - Winlogon Notify: ljjjkhh - ljjjkhh.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Delete this file:
C:\Program Files\Internet Explorer\hokem43855.dll
-you may have to do it in safe mode after a restart.
Good. Now got Start, all pgms, admin tools, services; scroll to Windows Overlay Components, rclick it and press Stop if available. You may need to go to Properties and disable it first, but I doubt it is running.
Write down the exact name. Now close Services, and in cmd window type:
sc delete exact name -don't be silly now!!

CCleaner:

==Get CCleaner from here - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.

Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open …

gerbil 216 Industrious Poster

Fix this one with hijackthis:
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe (file missing)

Autostarts - you don't have many but Norton/Symantec. Leave the NVidia stuff if you are a gamer. You do not need to autostart Adobe Reader ....fix this one:
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
Actually, dump bloated Adobe Reader n get Foxit, or another sim wee fast reader, same features [Adobe builds to 100+MB on disc, Foxit only 5MB...]
I use AVG AV, slick as.

gerbil 216 Industrious Poster

Download the file from here, unzip it to the same folder and dclick the file linkfile_fix.reg; answer yes to merge it with your registry.
http://www.dougknox.com/xp/fileassoc/linkfile_fix.zip
- This may solve your problem, it certainly will not make things worse.
[when you dclick the unzipped file it may just open in notepad - I have altered my settings so that this is the case, no unintended application of .reg files to my registry that way. Anyway if this is the case for you simply rclick the file, choose open with, and registry editor....]

gerbil 216 Industrious Poster

We will tackle this lot another way later...
sc stop Windows Overlay Components
sc delete Windows Overlay Components

Anyway, the name change did its work, so...:
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

Hi, nerd, a few things to do.
First, we cannot work with hijackthis where it is - it's risky for you. Delete it from there and extract a new copy, install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
Done that? Good, now start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL (file missing)
O4 - HKLM\..\Run: [Microsoft Domain Controller] C:\WINDOWS\system32\mstc.exe
O4 - HKLM\..\Run: [{ZN}] C:\DOCUME~1\OWNER~1.UPP\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Owner.UPPERPLAYGROUND\Local Settings\Temp\thinksnet.exe
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)

Browse to and delete these files:
C:\WINDOWS\system32\mstc.exe
C:\DOCUME~1\OWNER~1.UPP\LOCALS~1\Temp\thinksnet.exe
C:\Documents and Settings\Owner.UPPERPLAYGROUND\Local Settings\Temp\thinksnet.exe
-the last two are the same, just different ways of presenting the path....

Now go Start, run, type cmd -and press Enter, paste in these lines pressing enter after each:

sc stop DomainService
sc delete DomainService
sc stop Windows Overlay Components
sc delete Windows Overlay Components

Close the window.
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the …