gerbil 216 Industrious Poster

You don't have this path on your sys?
C:\Documents and Settings\All Users\Application Data\
Gee... yours is well customised, then.
Your log is clean, and if there are no popups, well, may we say no problem exists now? To clean out Norton remnants [there is still a service trying to run..] do this:
Go start, run, type cmd and press Enter. Paste in these two lines pressing Enter after each, then close the window:

sc stop "Norton AntiVirus Server"
sc delete "Norton AntiVirus Server"

Do that even if you decide to reinstall Norton, in which case you must remove AVG Free.
.. I wonder if that was halting Panda's scan..? Do a search using "panda" as the search string in C:\ and delete the 4? components you find. If you retry the site then it may well work.

gerbil 216 Industrious Poster

did you follow what I said to serunson... sort of as a clarification/query. Cos if I change mine to open I can get what you get.... anyway, my method works for me.

gerbil 216 Industrious Poster

Ayenima, you will have to guide me here... I assume because you used Kaspersky that panda is still not running? Combofix removed a winpop folder, and otherwise shows nothing; K picked up 4 contents of Norton's Quarantine folder - you should delete those from here:
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\
-plus a Smitfraudfix process [3 times] which is not a problem - you may delete Sm.zip, Sm.exe.
Mirar should be gone, are there any popups still occurring? Is your sys back to normal?
Show me a fresh hijackthis log, if you will.

gerbil 216 Industrious Poster

You can't overload a sys by feeding it work - every single task is prioritized and carried out in order. Stuff just slows down. I often have music, live data feeds and surfing going on; a typical virus scan is more work than those things put together. But more work means more heat in the chip - the processor. Often under a fast virus scan you should hear your fans speed up; yep, I'm thinking overheating here. Get the dust out for a start. A vacuum cleaner on blow and a good, long bristled soft brush does the job. You may even have to remove the fan from the processor [if it has one mounted directly] to get at the fins underneath; just don't release the processor!

gerbil 216 Industrious Poster

Hi, cdg.... you survived, huh? Good practice though, cos you missed one very important lil piece of the instructions... Work through this and we'll catch it up.
==Run the clean option with smitfraudfix:-
- Check that a Restore point has been made.
- Go into safe mode.
- Start Smitfraudfix as before and press 2, Enter.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected - if it is you will be prompted to replace the file; type Y and press "Enter".
Restart in safe mode.
==Good-oh, now for the bit you missed: "-under Scanner/ Settings please set Recommended actions to Quarantine," it IS important, that bit, cos otherwise all AVG does is look and report. So....
Start AVG a-s 7.5;
-under Scanner/ Settings please set Recommended actions to QUARANTINE!!!!!, and run the complete system scan.
-save the log file. Post the log file, and that Smitfraudfix log.
Heh.... and no, I don't know of such a utility....

gerbil 216 Industrious Poster

Ah, Ayenima, the fun of it all...yeah. Sometimes you win through by plugging away with the same tools; each time they run they get a little bit further.
Let's try this path:
==Run CCleaner, then try a run of AVG AS, Fast system scan. Then try Panda again, it should take no more than an hour for a typical sys, but what is that anyway?
If it fails again try this site for ComboFix [the earlier site you used does not seem to have the latest detections incorporated...]
Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
==Panda still will not run? Then go to this site for an excellent alternative scanner: http://www.kaspersky.com/virusscanner
Unfortunately with this one if it finds a virus or trojan it will just list it.
Come back with how you get on...

gerbil 216 Industrious Poster

Just a tidy up...
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

- and then you should be okay, po-e. No need to post another log, but get a proper firewall: zonealarm, kerio or comodo. Free if you wish.
Glad you're fine again. Hit the solved button. Cheers, g.

gerbil 216 Industrious Poster

Godz, in this bit of my post:
"==Start AVG a-s 7.5;
-under Scanner/ Settings please set Recommended actions to Quarantine, and run the complete system scan.
-save the log file."
this bit was extremely important: "-under Scanner/ Settings please set Recommended actions to Quarantine"
You MUST do that, and rerun the AVG complete system scan. Post the log.

gerbil 216 Industrious Poster

A nice read, DMR. Thanks.

gerbil 216 Industrious Poster

Don't just try - do it. You have some real pests still at large in your sys. A dialler, a hack tool.... plus adware, spyware.

gerbil 216 Industrious Poster

We can always try, but no promises - it depends just how clever the controller is. Ever heard of backups, btw? I have a second HD dedicated to them. But no preaching. Let's get into it....
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]
==For a start you have a vundo infection... so just in case something else is hidden would you rename hijackthis.exe to.. umm... imabunny.exe for the next scan, please?

==Please download VundoFix.exe to your desktop …

gerbil 216 Industrious Poster

Ni-ice..

gerbil 216 Industrious Poster

No, serunson, re the empty folders bit - that cannot be correct cos my "folders" setting works for all my folders, and they all have contents. If instead I set the default method to command prompt then cmd.exe opens in that folder. My "file folders" are set to open with a photographic application only [it must have set a default when installed], and that is not how they open.
Btw, the solution to that other, original problem is to have the operation as explore, not open, then you lclick explore and set as default. You may have open set in folder actions to open in a new window?

gerbil 216 Industrious Poster

Actually, serunson, what is the difference between "folder" and "file folder" in that list of file types? I have my various lclick settings [rclick options] for general folders under "folders", and am happy with the way things work. I do not know what file folders are... d:(

gerbil 216 Industrious Poster

godz, how much trouble would it be for you to format and reinstall? You have two backdoor hacks in there allowing remote control of your computer - read up on these:
msnntlp.exe & csrrs.exe -Google them. But that is not all you have... spammers and infostealers. We possibly can clean it if you wish, fix some registry entries too, if you have a lot of precious stuff in there.

gerbil 216 Industrious Poster

Hi, Ayenima, that took care of a lot. Please do these things:
Delete the files held in AVG quarantine.
Delete C:\VundoFix Backups
Fix these with hijackthis:

O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

Now do a search for any files in your C: drive with "mirar" as a search string, delete any you find [be sensible about that..]
System Restore Points Clearance:
==Now we MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
Run CCleaner again, and as a final check please do the Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

Umm... wow! cdg...
First, if the files in your cache are not corrupted sfc will not prompt you if it has to copy any over into other protected areas - it only prompts if it needs to copy from cd into the cache.
Now. Panda showed up some problems, and although it points out spyware unfortunately that scan only disinfects viruses. But now we know.
Some advice : cracks could reasonably be called that cos they are cracks which let in malware/viruses, and you collected plenty that way. Cracks... well you cannot ever know what is in them unless you submit em for a scan first. Some groups are proud of their cracks and they are clean as, others load them maliciously, others do it for profit -they are paid for the spyware content. Same with code generators - you fire em up... only the programmer knows what happens next. Risky game.
I have attached the list of real problems..... but nothing we cannot clean. Do these things in this order:
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the …

gerbil 216 Industrious Poster

imaking, that is a decent selection, although you do not need to keep hijackthis - it is a scanning tool, not a fixer. Spywareblaster is free. I cannot comment on McAfee cos I have not recently checked AV trials. I use both AVG and Adaware on rare occasions, maybe once every 2, 3 months I will do a full scan.
There is no need to keep ATF because CCleaner is more comprehensive for housekeeping, we use ATF because it hits all the right spots for malware cleaning purposes and is quick and easy.
You can have too many guard pgms, you will end up slowing your sys. But get a proper firewall! Zonealarm, Kerio or Comodo - all can be free.
To find the corrupted songs? -look to my post above re splitting your folder in half, testing, split in half again, testing... and so on. It is the quickest way.
If you keep both AVG and Adaware installed but not running, well, that's fine, there is no load on your sys. That's how I have em.

gerbil 216 Industrious Poster

I think I would remove this one also, but it is your choice, Den....
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
It has an adware reputation. After fixing it with hijackthis delete the .exe, I think you will find in system32.. eg:
C:\windows\system32\p2pnetworking.exe
I use emule, it's sweet, but with all those p2p pgms you need to be careful. What you think you see is not what you get sometimes.
Cheers.

gerbil 216 Industrious Poster

Well, that is good, you don't want it found :)
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [mgea1908] RUNDLL32.EXE w002763f.dll,n 006a19020000000a002763f
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/si...aseInstall.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Done? good, now go start, run, type: cmd -and press Enter, paste these two lines into the window pressing Enter after each, and close the window:

sc stop cmdService
sc delete cmdService

Come back with a fresh HT log and your comments....

gerbil 216 Industrious Poster

Jay, when it finally does boot up, run checkdisk. Go Start, run, type: chkdsk /f -and Enter. Answer Y to the window, shutdown and restart. Come back with what happens.

gerbil 216 Industrious Poster

Hi, Ayenima, I'm not taking offence at anything...
Could you please delete ComboFix.exe that you downloaded = C:\Documents and Settings\Larry\Desktop\ComboFix.exe, plus C:\Combofix.txt and the C:\Qoobox folder.
==Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes, press Yes to bypass System Restore.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using your account if an administrator, otherwise use the Administrator account and password. NOTE: The password is blank by default unless you set a password.
==Instead of running a fix with the Smitfraud tool, merely go Start, run, type cmd and press Enter, then paste this line into the window after the prompt and press Enter:

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0" /f

Close the window.
==Start AVG AS and do a complete system scan [ensure recommended action is set to Quarantine as I mentioned before]. Save the log.

Start Avenger, select “Input script manually” and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:-
_____________________________________
Files to delete:
C:\Program Files\Windows NT\mewofyn83122.dll
C:\Program Files\Internet Explorer\rteremejyfs.html
C:\WINDOWS\system32\xxyvsrr.dll

Folders to delete:
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\win
C:\WINDOWS\system32\B4
C:\WINDOWS\system32\B3
C:\WINDOWS\system32\B2
C:\WINDOWS\system32\B1
C:\Temp\iee
C:\Temp
_____________________________________
...and click Done, and finally the …
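The Avenger block above is a plain-text list of paths under "Files to delete:" and "Folders to delete:". Before pasting a script like that into any deletion tool it is worth a mechanical pre-flight check, because a mistyped path removes the wrong thing with no undo. The checker below is an added example, not part of Avenger and not from the post: it parses only the two section headers that appear on this page (anything else is reported as unknown rather than guessed at), and flags targets that are not absolute drive paths, contain wildcards, remove a whole top-level folder, sit inside the Windows directory, or are already covered by a parent folder in the same list. The sample script is constructed from the paths quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the 'Files to delete' / 'Folders to delete'
# block quoted in the post above (example data, not a real Avenger run).
SAMPLE_SCRIPT = r"""
Files to delete:
C:\Program Files\Windows NT\mewofyn83122.dll
C:\WINDOWS\system32\xxyvsrr.dll

Folders to delete:
C:\WINDOWS\system32\B1
C:\Temp\iee
C:\Temp
"""

# Only the two section headers that appear on the page are understood; anything else is reported.
KNOWN_SECTIONS = {"files to delete:": "files", "folders to delete:": "folders"}
DRIVE_RE = re.compile(r"^[a-z]:\\")
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows(\\|$)")


def parse_script(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split the script into {'files': [...], 'folders': [...]}; unknown lines become warnings."""
    targets: Dict[str, List[str]] = {"files": [], "folders": []}
    warnings: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = line.lower()
        if key in KNOWN_SECTIONS:
            current = KNOWN_SECTIONS[key]
        elif key.endswith(":"):
            warnings.append(f"unknown section header: {line}")
            current = None
        elif current is None:
            warnings.append(f"path outside any known section: {line}")
        else:
            targets[current].append(line)
    return targets, warnings


def check_targets(targets: Dict[str, List[str]]) -> List[str]:
    """Flag targets that deserve a second look before the script is run."""
    warnings: List[str] = []
    for kind in ("files", "folders"):
        for path in targets[kind]:
            low = path.lower().rstrip("\\")
            if not DRIVE_RE.match(low):
                warnings.append(f"{path}: not an absolute drive path")
                continue
            if any(ch in low for ch in "*?"):
                warnings.append(f"{path}: wildcard target, check what it expands to")
            if kind == "folders" and low.count("\\") == 1:
                warnings.append(f"{path}: removes a whole top-level folder on the drive")
            if WINDOWS_DIR_RE.match(low):
                warnings.append(f"{path}: inside the Windows directory, confirm it is not an OS component")
    # A folder listed together with one of its own subfolders: the parent already covers the child.
    folders = [f.lower().rstrip("\\") for f in targets["folders"]]
    for child in folders:
        for parent in folders:
            if child != parent and child.startswith(parent + "\\"):
                warnings.append(f"{child}: already covered by folder {parent}")
    return warnings


def review_script(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Parse and check in one call; returns (targets, all warnings)."""
    targets, warnings = parse_script(text)
    return targets, warnings + check_targets(targets)


if __name__ == "__main__":
    targets, warnings = review_script(SAMPLE_SCRIPT)
    print(f"{len(targets['files'])} files, {len(targets['folders'])} folders")
    for w in warnings:
        print("WARN", w)
```

A warning is a prompt to look again, not a verdict: a system32 DLL with a random name is exactly what this kind of cleanup removes, but the check forces that decision to be made consciously for each line rather than by pasting the whole block.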

gerbil 216 Industrious Poster

Use a good cleaner before you run scans. I really like CCleaner cos it can be easily modified to include any file that you wish to clean regularly, plus it automatically configures itself to give you cleaning options for most of the common pgms. Here:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]
If you use cmd.exe [or explorer if it will] to rename your music folder it should stop iTunes reading it....
Start, run, cmd; ren music noise -should …

gerbil 216 Industrious Poster

Hi, Ayenima, let's continue... since something is interfering with your desktop this next pgm should root out other, like processes:
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:.. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
If you have not run AVG AS yet hold off for a moment until I see this log.

gerbil 216 Industrious Poster

Spywareblaster is a worthwhile extra protection against spyware, simply because it blocks known malware sites. I update monthly when windows updates come in - it serves as a handy reminder.
iTunes. hmmm. I know nothing about how it works, but I would think that when you start it it would scan your music library to load title information. It is looking likely that your library is corrupted somehow and that is preventing iTunes from completing that task, so freezing itself, and your pc - that has gotta be poor pgmming.
I would rename your music folder - if that proves difficult try doing it with cmd.exe, or you could change the extensions of all your music files with
ren *.mp3 *.ppp, whatever...
And if it won't do that in normal mode, try safe mode.
2000 titles? I would then copy out half of em using explorer, and try iTunes with the other half, and continue narrowing it down like that.. 1/2, 1/4... until I tired of it, and then just toss out the corrupted portion.
That may help you, it may well not. Cheers.
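The "split in half, test, split in half again" advice above (also given to imaking earlier on this page) is a binary search over a set of files for the member that breaks the loader. The code below is an added example, not from the post: find_bad_items() halves the batch and re-tests, skips the redundant test when the left half was clean, and keeps going so that it finds more than one bad file. LoaderSimulator stands in for the manual "does iTunes start with this folder" test against a constructed library of 2000 titles with two corrupt entries; everything in it is assumed for illustration.

```python
import math
from typing import Callable, List, Sequence


def find_bad_items(items: Sequence, loads_ok: Callable[[Sequence], bool], known_bad: bool = False) -> List:
    """Return every item that makes loads_ok() fail, testing halves instead of single items.

    loads_ok(batch) plays the role of 'does the player start cleanly with this folder?'.
    known_bad=True means the caller already saw this batch fail, so the test is skipped.
    """
    if not known_bad and loads_ok(items):
        return []                       # this batch loads cleanly: nothing to find here
    if len(items) == 1:
        return list(items)              # a failing batch of one is the culprit
    mid = len(items) // 2
    left = find_bad_items(items[:mid], loads_ok)
    # If the left half loaded cleanly, a failure must sit in the right half; skip re-testing it.
    right = find_bad_items(items[mid:], loads_ok, known_bad=not left)
    return left + right


class LoaderSimulator:
    """Stand-in for the manual test, counting how many times the 'player' had to be started."""

    def __init__(self, corrupt: Sequence[str]):
        self.corrupt = set(corrupt)
        self.runs = 0

    def __call__(self, batch: Sequence[str]) -> bool:
        self.runs += 1
        return not any(track in self.corrupt for track in batch)


# Constructed library of 2000 titles (the size mentioned in the post) with two bad files.
LIBRARY = [f"track{i:04d}.mp3" for i in range(2000)]
CORRUPT = {"track0137.mp3", "track1842.mp3"}


def locate_corrupt_tracks(library: Sequence[str], corrupt: Sequence[str]):
    """Run the halving search against the simulator; returns (sorted culprits, player starts used)."""
    sim = LoaderSimulator(corrupt)
    found = find_bad_items(list(library), sim)
    return sorted(found), sim.runs


def worst_case_runs(n_items: int, n_bad: int) -> int:
    """Upper bound on loader starts: one root test plus at most two per level per bad item."""
    return 1 + 2 * n_bad * math.ceil(math.log2(n_items))


if __name__ == "__main__":
    bad, runs = locate_corrupt_tracks(LIBRARY, CORRUPT)
    bound = worst_case_runs(len(LIBRARY), len(CORRUPT))
    print(f"corrupt: {bad} found after {runs} loader starts (bound {bound})")
```

With one corrupt file in 2000 the search needs at most 23 player starts instead of 2000; the bound grows with the number of bad files, which is why the post's "until I tired of it" is the sensible stopping rule for a badly corrupted library.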

gerbil 216 Industrious Poster

Hello, Tygrrlyli... because you have the Norton suite you should enable that. You must have a resident antivirus running at all times, but only one, simply because they can interfere badly with each other. Your Norton suite should give you capable AV, AS, and a firewall.
But I still see AVG Free AV in your hijackthis log - did you make the log before you uninstalled AVG Free?
One other point, because your Norton suite has a firewall included, running Zonealarm as well is only going to slow down your net connection speeds. You should uninstall Zonealarm.
Your log shows clean, by the way. Sort out those protection issues above and you should be fine.

gerbil 216 Industrious Poster

You're doing fine.
That O20? vundofix deleted its file.
Okay, couple more things to fix [incl one I missed putting in cos I was at the time wondering if it was a vundo file..]
Fix these and then restart your sys:

O2 - BHO: (no name) - {D103A75C-9439-48F6-B35A-1804CAD065ED} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {f692398e-2c9c-4a4d-96e8-b1520eeac2c8} - C:\WINDOWS\system32\bxvymww.dll
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html

Do a scan and note if the second entry comes back. Let me know.
The last one - I do not know if this is something to do with the Beta version you are using or not, I would have thought it would not reappear if you deleted the file. Please check the file has not reappeared, and let me know.
Actually, it would not hurt to load this file into Vundofix as you did the previous one and let it look at it:
C:\WINDOWS\system32\bxvymww.dll -show me the result.

I do not see any resident antivirus service in your sys. Please go into safe mode and run AVG AS -under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file. Post the log file.
And next, with Windows firewall activated at least, go to one of these sites and get an AV!! Now.
AVG Free 7.5 at http://free.grisoft.com/doc/5390/lng/us/tpl/v5
Avira …

gerbil 216 Industrious Poster

Aww.. Ida liked to have seen the combofix log... but glad you're okay now.

gerbil 216 Industrious Poster

Those logs are now clean, imaking. I would uninstall Itunes [you would not lose any data/music files doing that], and reinstall it. Come back with how you get on?
Sometimes when a scan is running it can encounter a file which somehow breaks the scan, even though it may at the time fix the problem. You restart it, and see nothing.... don't ask me how that works.. :)

gerbil 216 Industrious Poster

I assume imsubtle is hijackthis? Cool. :) I'm not so subtle.
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop and leave it for the moment.
==Okay, this time we'll point VundoFix at the remaining vundo pest: Start Vundofix,
*****When the scan completes rclick inside the white text box, lclick the Add more files? line, paste into the new window these two pathnames [one per line]:

C:\WINDOWS\system32\opnmlmm.dll

Click the Add Files button, and next the Remove Vundo button.*****

You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt
==Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {4A168249-1BF9-4A1D-965C-3EC04A69736B} - C:\Program Files\Windows NT\mewofyn83122.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O2 - …

gerbil 216 Industrious Poster

That's ok, still a lot of work to do. Run vundofix again please, and post only the vundofix log.

gerbil 216 Industrious Poster

Post the contents of C:\vundofix.txt. Plus a fresh hijackthis log. And we've barely started on the fix...

gerbil 216 Industrious Poster

Looks clean. Remove this old McAfee item by fixing it with HT: O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)

gerbil 216 Industrious Poster

"And I followed a few of the links in one of the stickies, but as slow as this compuer is..I really don't feel like downloading and installing 20 different programs just to find out which one will make a log of what nasty trojans/viruses/etc stuff is on my computer."
If you don't give us a scan, we are blind, and we won't help. So. Your choice. You have run AVG AS [hope you set recommended actions to Quarantine], next do this:
HiJackThis:
==download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here. Plus that AVG AS scan log if you kept it.

gerbil 216 Industrious Poster

Holy Cow!! What a selection!
First things first, so please do these things in this order:
For a start you have a vundo infection... so just in case something else is hidden would you rename hijackthis.exe to.. umm... imabunny.exe for the next scan, please? And move it to a new folder, say alongside your pgm files folder.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Read the log - if any files it found were not deleted re-run Vundofix until all deletion attempts are successful.
Post the contents of C:\vundofix.txt plus a new HijackThis log.
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only …

gerbil 216 Industrious Poster

Panda is picking up a couple of toolbars [adware ones] plus a CLSID left over from Kazaa. I see no trace of the toolbars in your log. Perhaps you deleted some of their files without going via the add/remove pgms path if it was available? -only traces left? Anyway, Adaware is hot; AVG AS [anti-spyware service] is what you should have got, not AVG Free [a resident AV service]
You MUST remove one of either Norton or AVG Free, not just disable.

gerbil 216 Industrious Poster

Try to submit that file again, if you cannot link to the site then just delete it. Run CCleaner as it comes from the box.
Then I suggest you do a Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here, plus a fresh HT log.

gerbil 216 Industrious Poster

Hi, miss, would you run these tools please and post also another hijackthis log. But first please install Hijackthis to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]
Combofix:
==Download this file to your desktop: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce …

gerbil 216 Industrious Poster

Some downloads, sites etc are just plain dodgy. I use Spywareblaster as a blocker, but apart from that you have AV, AS and a firewall. None are perfect. Sensible browsing is very important. You can survive on the web quite nicely with windows firewall as your only protection if all you do is visit your bank's website...
Just think about what you are clicking on, but there are the odd sites that will give you a problem if you just mouse-over a link. It's interesting out there.

gerbil 216 Industrious Poster

===Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
===Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
===Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Now produce a fresh log and post …

gerbil 216 Industrious Poster

Please move hijackthis from its current location - I suggest you install it into a folder alongside program files.
Next go to add/remove pgms and remove Get Torrent. Delete its pgm folder.
Then start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - C:\Program Files\Get-Torrent\TorrentManager.dll (file missing)
O4 - HKLM\..\Run: [Service Host] C:\DOCUME~1\Sunny\LOCALS~1\Temp\svchost.exe

Please go to this webpage http://virusscan.jotti.org/ and submit this file for a scan [just click the browse button on the page... and follow thru]. Post the result.
C:\DOCUME~1\Sunny\LOCALS~1\Temp\svchost.exe
When you have done that browse to the file and delete it.
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is …

gerbil 216 Industrious Poster

Not much is ever asinine with a puter, tigerlily [spelt it like that cos it's easier than doing a letter by letter job with yours].
Your log is clean. With a suspected vundo issue though it pays to rename hijackthis to something else because some variants detect it running and stop themselves to become invisible. You may wish to do so and repeat the HT scan.. up to you.
BIG point. Remove either AVG AV or Norton - they will interfere grossly.

gerbil 216 Industrious Poster

Panda is safe to download, cdg. It enjoys a good reputation. Quite a number of valid tools and scanners are interpreted as suspicious because of their capabilities, but that is how they have to be. But it is wise to check each case.
Oh, by the way, I am proudly? IE7 ignorant. Totally. IE6 works for me, when I use it. Go, FF n Opera.

gerbil 216 Industrious Poster

Looks good, goman. Btw, where did you get Vundofix from? Here:?
http://www.atribune.org/ccount/click.php?id=4
-it is just that it pays to get the latest and best - he updates it continuously. If in doubt, get it from there and run it.
Apart from that point, I think it is safe to turn you out into the world again.
Cheers, g.

gerbil 216 Industrious Poster

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

To speed up your sys you might review all those autostarts with msconfig [they show as O4 entries here].

gerbil 216 Industrious Poster

cdg, for you as user the internet start page setting is blank:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
So set a new one as home page. There are no obvious problems in your log; when I see problems such as you describe, the first thing I suspect is OS problems. If you have your M$ or OEM installation CD I suggest you run this to check the integrity of some system files:
Go start, run, type or paste:
sfc /scannow -and press Enter. Insert the CD, be available to press Enter, maybe many times as it runs. When completed it just closes, no fanfare.
If you still have problems, do these in this order and call back:
ATF Cleaner:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

Goose, would you run these two scans please, in this order?
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt plus a new HijackThis log.
Combofix:
==Download this file to your desktop: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
...or this new one: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

gerbil 216 Industrious Poster

A couple of things to deal with, Denis, and you should be clean. First, did you add this to your trusted zone?
O15 - Trusted Zone: *.westlaw.com
If not, add it to the list of things to fix with Hijackthis.. which is pretty short.
Fix this entry with Hijackthis:

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owinlndt.exe CHD003

Done? Then browse to and delete this file:
C:\WINDOWS\system32\owinlndt.exe
Check that it stays gone after a restart.
Because of the infections you had, please would you run Combofix:
==Download this file to your desktop: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

gerbil 216 Industrious Poster

Ignoring all the cd commands, pretty much you say this command does not work?:
copy c:\windows\repair\system c:\windows\system32\config\system
-and the system file exists in \repair? If it does, oh dear, it should copy, it should not have any attributes set to prevent that; if it does not exist, oh dear. You could then try copying all the others and then attempting a restart of Windows...
The only difference between your method and the one I follow is that I copy out the 5 \config folder files to a tmp folder, delete them in \config and then use that command above, or a form of it...
-in effect, no difference. So I don't know, sorry.
I guess you could try [in RC]:
attrib -s -r -h c:\windows\repair\system
and so on for any other files...

gerbil 216 Industrious Poster

Open your registry with regedit, navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
In the right pane if you have a valuename
DisableTaskMgr with a value of 1 [one], either modify the value to 0 [zero], or merely lclick DisableTaskMgr and delete it.
Close the registry window.
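The posts above apply the same handful of checks to every HijackThis log: O2/O9 entries whose file is missing, O4 autostarts that run from a Temp folder or carry a system-binary name outside system32, O7 policy values such as DisableRegedit=1 (the DisableTaskMgr value handled by regedit in the last post is the same kind of entry), a blank R0 start page, and O15 trusted-zone additions. The script below automates that triage. It is an added example in Python and is not code from HijackThis or from the poster; the sample log lines are constructed from entries quoted in this thread, and the flagging rules are assumptions about what a helper looks for, not rules that HijackThis itself applies.

```python
"""Triage HijackThis-style log lines with the heuristics used in this thread.

Added example, not part of the original posts and not HijackThis's own code.
The flagging rules below are assumptions about what a forum helper checks.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Windows temp directories (8.3 short form and long form); legitimate
# autostart entries rarely point into them.
TEMP_DIR_PATTERN = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp|Temp)\\", re.IGNORECASE)

# Core Windows binaries that belong under %WINDIR%\system32; a copy with the
# same name elsewhere is a classic name-alike (as with the Temp\svchost.exe above).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

# Policy values under HKCU\...\Policies\System that lock the user out of admin tools.
RESTRICTIVE_POLICIES = {"DisableRegedit", "DisableTaskMgr", "NoRun", "NoControlPanel"}


@dataclass
class Finding:
    section: str            # HijackThis section tag, e.g. "O4"
    line: str               # the original log line
    reasons: List[str] = field(default_factory=list)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    m = re.match(r"^(R\d|O\d+) - (.*)$", line)
    if not m:
        return None                      # blank line, header, or not a HJT entry
    section, rest = m.group(1), m.group(2)
    reasons: List[str] = []

    # R0: an empty start page, as in the log quoted for cdg above.
    if section == "R0" and re.search(r"Start Page\s*=\s*$", rest):
        reasons.append("blank start page: set a home page (hijack or cleanup left it empty)")

    # O2/O9: BHO or toolbar entries whose DLL is gone are dead weight and safe to fix.
    if section in ("O2", "O9") and ("(no file)" in rest or "(file missing)" in rest):
        reasons.append("entry points at a missing file: safe to fix")

    # O4: autostart entries. Path follows the bracketed value name.
    if section == "O4":
        path = rest.split("] ", 1)[-1]
        if TEMP_DIR_PATTERN.search(path):
            reasons.append("autostart runs from a temp folder")
        exe = path.split("\\")[-1].split(" ")[0].lower()
        if exe in SYSTEM_BINARIES and "\\windows\\system32\\" not in path.lower():
            reasons.append(f"{exe} outside %WINDIR%\\system32 (name-alike of a core binary)")

    # O7: restrictive policy values, e.g. DisableRegedit=1 or DisableTaskMgr=1.
    if section == "O7":
        for policy in sorted(RESTRICTIVE_POLICIES):
            if re.search(policy + r"\s*=\s*1\b", rest):
                reasons.append(f"{policy}=1 blocks an admin tool: set it to 0 or delete the value")

    # O15: trusted-zone sites are only a problem if the user did not add them.
    if section == "O15":
        reasons.append("trusted-zone site: confirm the user added it deliberately")

    return Finding(section, line, reasons) if reasons else None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample log built from entries quoted in this thread, plus one
# benign ctfmon.exe autostart to show that ordinary entries pass untouched.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - C:\Program Files\Get-Torrent\TorrentManager.dll (file missing)
O4 - HKLM\..\Run: [Service Host] C:\DOCUME~1\Sunny\LOCALS~1\Temp\svchost.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owinlndt.exe CHD003
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O15 - Trusted Zone: *.westlaw.com
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.section, finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

Note what the heuristics do not catch: the owinlndt.exe entry that the helper told Denis to fix sits in system32 under an unremarkable name, so it passes the pattern checks. Entries like that still need a lookup of the file name and a scan of the file itself, which is exactly why the posts above send unknown files to an online scanner before deleting them.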