gerbil 216 Industrious Poster

Ok, goman, are you ready to work?
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ajxgjla.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: (no name) - {694CDA59-0CF1-4164-95B5-F00A6967B8AD} - C:\WINDOWS\system32\awtqp.dll (file missing)
O2 - BHO: (no name) - {723a75d1-4266-4cd4-a64e-d9a56dff5e44} - C:\WINDOWS\system32\agerdnm.dll (file missing)
O2 - BHO: (no name) - {88C91A94-FC53-4313-AF73-3D28EA7195C8} - C:\Program Files\Common Files\rymyd.dll (file missing)
O2 - BHO: (no name) - {9A684959-C5A9-4487-8693-315C7D53DB84} - C:\Program Files\Windows NT\ryfynoxul58441.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (file missing)
O4 - HKLM\..\Run: [xvepxe] C:\WINDOWS\system32\yeaxyg.exe reg_run
O4 - HKLM\..\Run: [win320495967] C:\WINDOWS\win320495967.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - HKCU\..\Run: [uskqa] C:\WINDOWS\system32\yeaxyg.exe reg_run
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll (file missing)
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\wkdsp.dll (file missing)
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\wrapi.dll (file missing)
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online, Inc - (no file)
O23 - Service: Microsoft SCC Host Protocol (POOLSVR) - Unknown owner - C:\WINDOWS\poolsv.exe (file missing)

Good. Now go Start, run, type cmd and …
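A small triage script for log lines like the ones above, added here as an example; it is not part of the original post and not HijackThis's own code. The sample log is constructed from the kinds of entries shown (F2 UserInit, O2 BHO, O4 Run, O20 Winlogon Notify, O23 Service), and the flagging rules are my own heuristics for deciding what goes on the Fix Checked list.

```python
import re
from dataclasses import dataclass

# Constructed sample log: lines of the same shape as the post above, plus one
# made-up vendor service that should NOT be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ajxgjla.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (file missing)
O2 - BHO: (no name) - {694CDA59-0CF1-4164-95B5-F00A6967B8AD} - C:\WINDOWS\system32\awtqp.dll (file missing)
O4 - HKLM\..\Run: [xvepxe] C:\WINDOWS\system32\yeaxyg.exe reg_run
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll (file missing)
O23 - Service: Microsoft SCC Host Protocol (POOLSVR) - Unknown owner - C:\WINDOWS\poolsv.exe (file missing)
O23 - Service: Example Vendor Service (ExampleSvc) - Example Vendor Inc - C:\Program Files\Example\svc.exe
"""

@dataclass
class Entry:
    kind: str    # HijackThis section, e.g. "O2", "O23"
    raw: str     # the log line as written
    flags: list  # heuristic reasons it deserves attention (empty = nothing found)

ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Executables that legitimately autostart straight out of the Windows tree (assumed allowlist).
WINDIR_ALLOWLIST = {"ctfmon.exe"}

RE_LINE = re.compile(r"^(?P<kind>[FRNO]\d+) - (?P<body>.*)$")
RE_O2 = re.compile(r"BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)")
RE_O4 = re.compile(r"(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)")
RE_O20 = re.compile(r"Winlogon Notify: (?P<name>.*?) - (?P<path>.*)")
RE_O23 = re.compile(r"Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)")

def _exe_path(cmd):
    """Executable portion of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    i = cmd.lower().find(".exe")
    return cmd[: i + 4] if i >= 0 else cmd.split(" ", 1)[0]

def _in_windows_dir(path):
    """True when the file sits directly in X:\WINDOWS or X:\WINDOWS\system32."""
    parent = path.lower().rsplit("\\", 1)[0]
    return re.fullmatch(r"[a-z]:\\windows(\\system32)?", parent) is not None

def classify(line):
    """Parse one log line into an Entry with heuristic flags; None if not a HJT entry."""
    m = RE_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    flags = []
    if body.endswith(ORPHAN_MARKERS):
        flags.append("orphaned entry (target file gone); safe to fix")
    if kind == "F2" and "UserInit=" in body:
        # The stock value is userinit.exe followed by a trailing comma and nothing else.
        progs = [p for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
        extra = [p for p in progs[1:] if not p.lower().endswith("userinit.exe")]
        if extra:
            flags.append("userinit.exe chain has extra program(s): " + ", ".join(extra))
    elif kind == "O2" and (mm := RE_O2.match(body)):
        if mm.group("name") == "(no name)":
            flags.append("unnamed BHO")
    elif kind == "O4" and (mm := RE_O4.match(body)):
        exe = _exe_path(mm.group("cmd"))
        if _in_windows_dir(exe) and exe.rsplit("\\", 1)[-1].lower() not in WINDIR_ALLOWLIST:
            flags.append("autostart directly from the Windows dir/system32; verify the file")
    elif kind == "O20" and RE_O20.match(body):
        flags.append("third-party Winlogon Notify DLL; review")
    elif kind == "O23" and (mm := RE_O23.match(body)):
        if mm.group("owner") == "Unknown owner":
            flags.append("service with unknown owner")
    return Entry(kind, line.strip(), flags)

def triage(log_text):
    """Every recognised line of the log, with its flags."""
    return [e for e in (classify(l) for l in log_text.splitlines() if l.strip()) if e]

def fix_list(log_text):
    """(line, reasons) pairs a reviewer would put on the Fix Checked list."""
    return [(e.raw, e.flags) for e in triage(log_text) if e.flags]

if __name__ == "__main__":
    for raw, reasons in fix_list(SAMPLE_LOG):
        print(raw, "\n   ->", "; ".join(reasons))
```

Note that the WebBuying entry is adware the post removes but no rule here catches it: the heuristics only shortlist, and the analyst still decides.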

gerbil 216 Industrious Poster

Can you ping, say, google?
In that cmd window from before, type, or paste:
ping www.google.com
You should get a reply within a sec. I'll have to leave it to kylcrow to comment on the ipconfig result cos it means very little to me.

gerbil 216 Industrious Poster

Reading thru this thread it becomes obvious that no-one seems to do a system state backup. Ever. Not bragging here, just a bit of guidance:
I have a partition which is my Data Store; one folder in it is labelled System State Backup. What is in it? Well, you start Microsoft's Backup [in Pro it is there already, in Home you must load it especially from your installation CD] and it is found under Programs > Accessories > System Tools.
I put a check against System State, browse to my SS Backup folder [the tool fights a bit, for some reason it wants to put nearly 400Mb onto a floppy set, but that's M$ for you...], and back it up. Takes less than 2 mins, including verification. A comfy security blanket. It also updates the files in Windows\repair to your current state [default, SAM, SECURITY, software, system...].
Somewhere in this forum I have laid out this procedure of replacing those files in your system32\config folder, plus then using the files in your last successful system restore point to get back right to that last good configuration before your troubles began.
Note also that those five files are rewritten in system32\config every time you shutdown your sys [or should be], but NOT in Windows\repair. It does not matter that the ones in \repair are slightly out of date because in the end you would copy them from your latest good system restore point.

gerbil 216 Industrious Poster

Nice of you to come back with that, John. thanks.

gerbil 216 Industrious Poster

goman, I cannot see the full log there, and it is a necessity. However in what I can see there are signs that you have run vundofix successfully. Please follow these steps in the order given, and when you re-post please start a new thread in this forum. No piggybacking - it confuses things.
HiJackThis:
==download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
AVG - AS:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
ATF Cleaner:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Start AVG a-s 7.5;
-under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file. Post the log file.
==Start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Goose, this is the only untoward entry in your hijackthis log:

O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\system32\j9211037.exe (file missing)

If you go Start, run, type cmd and press OK and then paste these two commands into the window after the prompt and press Enter each time it may do the trick:

sc stop DNSCacheReader
sc delete DNSCacheReader

Say how it goes on restart... but pretty much that error comes from a glitch in a pgm which was not finished with a removable medium when it was removed or the pgm was abruptly terminated improperly, or was still registering the medium as inserted when the sys was shutdown... I cannot see from your log what that pgm could be though [if it is actually the case]. Sorry.

gerbil 216 Industrious Poster

If you have XP SP2 you cannot uninstall IE6 - it's integral. You pretty much reinstall or repair SP2, or repair just IE6.

gerbil 216 Industrious Poster

Just as well i didn't put money on it.. :). This the key?:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
"DisableSR" = 0
That one? You could check if it is set to zero as I have shown - if it is one then set it back to zero [default].

gerbil 216 Industrious Poster

she's a casual lass, obv not concerned about overwriting her lost files...

gerbil 216 Industrious Poster

My turn. Betcha don't got enough space on your sys drive to make a restore point? That little matter will automatically disable System Restore. Well, it could be an answer.... although I imagine it is only a problem for those with multiple partitions, and who have made C: too small...

gerbil 216 Industrious Poster

try running chkdsk on it from your xp installation cd [recovery console...]
chkdsk /p
And then slave it and copy off. Or use a recovery cd to get a copy command going.

gerbil 216 Industrious Poster

If you cannot find that file in the path given, do not worry about it - the service did not restart. Fix this one now:
O4 - HKLM\..\Run: [Uninstall_CToolbar] "C:\WINDOWS\Temp\CTun.exe" "/remove"
If you're still getting spyware detected then please do these things:
ATF Cleaner:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
AVG - AS:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file. Post the log file.
Otherwise your log looks good atm.

gerbil 216 Industrious Poster

And if you rclick your cd drive and select properties, do you have an Autoplay tab? No? Then click Start, Run and enter SERVICES.MSC Scroll down to Shell Hardware Detection and make sure this service is Started and set to Automatic.

gerbil 216 Industrious Poster

Once you have that registry entry changed to "1" you can make use of it:
You can now add environment variables using the set command to set up any of these options also:
Go Start, run, type cmd, and Enter, then paste in these lines [not including the explanations!]:
set allowallpaths = true -Allows access to all files and folders on the computer
set allowremovablemedia = true -Allow files to be copied to removable media, such as a floppy disk
set allowwildcards = true -Enable wildcard support for some commands (such as the del command)
set nocopyprompt = true -Do not prompt when overwriting an existing file
You may or may not want the last. But now Recovery Console will work in your sys with no silly restrictions.

gerbil 216 Industrious Poster

It's nice to win, isn't it?
Cheers, Davo.
PS: get a proper firewall; windows firewall is great at stopping the uninvited from coming in, but once in it happily lets it call home. Kerio or Zonealarm are good ones.

gerbil 216 Industrious Poster

Hmm..... another pest has popped up, and I don't see hijackthis renamed, either - it may be important.
This will remove the pest meantime:
Combofix:
==Download this file to your desktop: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
If it runs and shows deletions, run it again.
Next check some settings. In Control Panel select Network and Internet Connections, rclick on your default connection, usually Local Area Connection for cable and DSL, and lclick on Properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.
Good. Now see if you can access the Panda online scan, then also update AVG AS and rerun it.

gerbil 216 Industrious Poster

Ok, eventually you will have to do what jb suggested, because your winlogon.exe is infected both in system32 and in the backup cache.
But first there is still some cleaning to do...
Panda Online Scan:

Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
AVG - AS:

GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free

-the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Good. Now restart in Safe Mode, start hijackthis and select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {36345442-9475-2563-166A-467739208346} - C:\WINDOWS\System32\ipv6mons.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')

Start AVG a-s 7.5;
-under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file.
Restart in Normal mode.
Change the name hijackthis.exe to imabunny.exe and then do another scan with logfile.
Please post the AVG, Panda and HT logs.
(Do you have an OEM or microsoft installation CD, or can you borrow one?)

To restart your …

gerbil 216 Industrious Poster

You don't have a microsoft installation cd? Google UBCD, or get this one which gives you a recovery console on a bootable cd, or ...
Because you may not be in possession of an XP install CD, here's a boot disc with a recovery console on it; the console runs from the CD so you don't need an XP CD or any files from your C drive. I know it works. All you need is an image burner like Nero 6, CD Writer...
Tips... unzip the file to get the iso and then BURN THE IMAGE. Do not use Data CD or any other mode cos all you will get is a copy of the iso [which you have already...and your new CD will not be bootable]; if you look at the files on your new cd and see .iso mentioned anywhere, start over. If you use Nero 6 then the defaults for image burning are fine, skip the silly advice that you may find on the web. You merely select Burn an Image, browse to and select the .iso and press Burn. That is all it takes. Burn it to a CD-RW if you wish; there is no need to close/finalise the CD whether it is a RW or R. Multisession works fine. If you use a CD-RW then hold the burn speed lowish, say 4x.
http://www.webtree.ca/windowsxp/Tools/bootdiscs/xp_rec_con.zip
To use copy in Recovery console unrestrictedly, add this value to your registry now:

regedit HKEY_LOCAL_MACHINE\Software\Microsoft\Windows …

gerbil 216 Industrious Poster

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]
==Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
===Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.

gerbil 216 Industrious Poster

Good-oh. Get rid of the panda button by fixing this entry with HT. Log is otherwise clean...
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)

Cheers.

gerbil 216 Industrious Poster

Hi, Angel, clean log, but either AVG AV or Trend must go - you definitely should only run one resident AV service, and because you have the Trend suite, to get rid of AVG is my advice...

gerbil 216 Industrious Poster

Oh, you can do the hosts thing before you remove NAV or AVG....

gerbil 216 Industrious Poster

Ri-ight. Start hijackthis, and select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {E2B8CF8C-E0B0-4A16-8500-30C04EC8CD00} - C:\WINDOWS\system32\jkhff.dll (file missing)
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Windows Network Log Manage - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSInfo\Network.exe

Go Start, run, and into the text window type or paste this command, and press OK:

sc delete Windows Network Log Manage

Now browse to and delete these FILES:
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
C:\Program Files\Common Files\Microsoft Shared\MSInfo\Network.exe -yep, serious here, it is a trojan...
...and this folder:
C:\PROGRA~1\Crawler

Good, tell us what your sys is like now...
Btw, did you run Vundofix or some other vundo removal tool previously? cos it looks like a trace there.... file is missing... jkhff.dll (file missing).
Never hurts to check... do this:
Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4

gerbil 216 Industrious Poster

Your log is clean, but if you don't have at least a half-Gig of RAM I can see that all those autostart entries [the O4's..] would bog your sys.
Let's look at a couple....
igfxtray.exe - this puts an icon in your sys tray and monitors it by hanging about in RAM; it gives you tray access to changing some Intel integrated graphics driver properties. Now how often do you do that?
hkcmd.exe - this gives you special hotkey access to the same thing as the above! Did you ever use those hotkeys?
HDAudPropShortcut.exe - you should leave this one; apart from giving you a few extra controls in the control panel sounds window it "may" also improve the sound chip output quality.
SOUNDMAN.EXE - puts a Realtek icon in your sys tray to give you quick access to sound diagnostics. You use it a lot, right?
ALCWZRD.EXE - detects new sound devices [I'm not talking new speakers plugged in the rear panel jacks here...] and starts an install wizard for drivers... Yeah.
ALCMTR.EXE - monitors your soundcard. But you've got ears, right? You'd know if it stopped...?
And on it goes. Look, you check all those other things too and see which ones you really wish to have running. Using HT to fix those entries just stops them starting - the processes themselves are still there and can be started manually, or turned back to autostart again. Even java updates can …

gerbil 216 Industrious Poster

Cool, glad to be of help.
May I suggest you get Spywareblaster, and one of either Zonealarm or Kerio firewalls?

gerbil 216 Industrious Poster

Davo, if you look at your log you see a looong list of O1 entries - they have been put there by your malware to block you from contacting those sites, e.g. when AVG AV tries to contact home it gets redirected inside your sys, to your sys. So nothing happens and AVG won't update and so will not run. Run hostsxpert, it will remove those entries, and then you should try AVG again; if it will still not run you will be free now to go back to the AVG site and get a fresh copy. Just break what you have by deleting some of the AVG pgm files and then install over the top. If you have windows firewall running when you go to those two sites you will be safe.
Say how you go.
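What those O1 entries look like in the hosts file itself, and what HostsXpert's cleanup amounts to, as an added example that is not part of the original post nor HostsXpert's code. The hosts file contents are constructed; the vendor hostnames are illustrative.

```python
# Constructed sample hosts file: the first two lines are the stock XP content,
# the loopback lines after them are the kind of redirect the post describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       free.grisoft.com
127.0.0.1       www.grisoft.com
0.0.0.0         update.example-av.test
127.0.0.1       www.pandasoftware.com
192.168.1.20    intranet.example.test   # a legitimate local mapping, keep it
"""

# Addresses that send a lookup back to the machine itself (or nowhere at all).
SELF_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, hostname) for every mapping, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def hijacked_entries(text):
    """Mappings that point a real hostname at the machine itself.
    These are the entries HijackThis lists as O1 and HostsXpert removes."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if ip in SELF_ADDRESSES and name not in LOCAL_NAMES]

def clean_hosts(text):
    """Return the hosts file with only the hijacked mappings dropped;
    comments and legitimate mappings are kept untouched."""
    bad = {name for _, name in hijacked_entries(text)}
    kept = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and any(n.lower() in bad for n in fields[1:]):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for ip, name in hijacked_entries(SAMPLE_HOSTS):
        print(f"O1 - Hosts: {ip} {name}")
```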

gerbil 216 Industrious Poster

Yep, it cert did! Just this one thing to remove using HT fix instruction above:

O2 - BHO: (no name) - {A0AC4A36-E6EC-404D-B8E1-277AA52E35D5} - C:\WINDOWS\system32\geedd.dll (file missing)

I see that you have a lot of M$ home and search pages - you can remove those also if you do not want them [the 3 R1's and the R0 entries].
And otherwise it is all clean; how do things seem to you now?

gerbil 216 Industrious Poster

Step 1: Remove either Symantec or AVG AV - very important.
Step 2: Get HostsXpert from www.funkytoad.com, start it, press Restore MS hosts file button.
Do your scans and post another HT log.

gerbil 216 Industrious Poster

For a start you have a vundo infection... so just in case something else is hidden would you rename hijackthis.exe to.. umm... imabunny.exe for the next scan, please?

Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Now start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\kxexavaj.dll",realset

Now browse to and delete this file:
C:\WINDOWS\system32\kxexavaj.dll
Post the contents of C:\vundofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

We are different people... so it is hard to comment. Certainly you have an adware entry:
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe" -you could fix that one with HT, and then delete the file and folder. Fix this one also:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
And you have what I could describe as pestware - yahoo and sweetim. It's not malignant, it's merely your choice.

gerbil 216 Industrious Poster

there is the chance that the bootscreen app you employed has damaged your ntoskernel... borrow an xp cd to run the sfc. did your amendment to boot.ini take? You may need to uninstall the modifying software if it did not. But M$ is always re-issuing it inside KB articles... you should be able to get one from windows update site. kernel32.dll is what you need.

gerbil 216 Industrious Poster

that cmd would block the check until you revoke it, but you should find why your sys is not shutting down correctly... is an application causing it?

gerbil 216 Industrious Poster

Okay. Get that notepad back again, then delete this bit:
/KERNEL=kernel1.exe
-and save the file. This removes that reference to kernel1.exe from your boot.ini file. Should be ok to go then.
jb's idea should work also if you have used some software to modify a protected file...

gerbil 216 Industrious Poster

Normally, I'd help. But I see no resident AV, no evidence of an AV online scanner having been run, no firewall [perhaps u use Windows firewall?], no evidence of an AS scanner, or even an online scanning service... what I do see is a load of adware and trojan traces. Get some protection and cleaning tools first.

gerbil 216 Industrious Poster

Good-oh. Complement your protection with Spywareblaster, it works in the background via registry entries, update it monthly when the M$ updates come thru. I use that update as a jog to check manually for all updates such as java..

gerbil 216 Industrious Poster

Please post a copy of your boot.ini file : go cp, system, advanced tab, startup n recovery settings, press edit -okay, post that notepad that opens.

gerbil 216 Industrious Poster

If you have FAT32 and do an improper shutdown windows will want to do a disc check.. there is no need to do it - windows is just programmed to assume that in the case of FAT32 it was a HD error that caused the failure. Skip it.
But anyway, to answer your question... [and it will be 10 secs as default...], go Start, run, type cmd and OK. Now type [or paste] this:
chkntfs /t:1
-and press enter, then close the cmd window.
Yeah, I know it is chkntfs and not chkfat.... but there is no such command. Does not have to be 1 sec... you just wanted that. Strangely, if you have an NTFS setup windows doesn't want to do a check - it's possibly arrogant enough to assume that the user screwed up. :)

gerbil 216 Industrious Poster

What? another one who's lost control of add/remove? with photoshop? by any chance do you have a 64bit processor? anyway..
I may be barking up the wrong tree, but perhaps if you navigate to this key in your registry [go Start, run, type regedit and press OK]:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
-then rclick on uninstall in left pane, choose permissions and ensure that the administrator [you, perhaps] at least has Full Control. That should do it.

gerbil 216 Industrious Poster

No, it cannot be used by a virus to attack your computer, unless the virus wrote a file in there [NOT a .pf file] and then called it from some other location. If a virus process or a trojan once ran then xp would create a prefetch file for it so that next time it was run it would load more quickly! Heh. But the .pf file on its own is benign. If you feel uncomfortable about it you can just delete that file.....

gerbil 216 Industrious Poster

SP1, eh? No wonder she got whacked.... well, it makes it much more likely, much more.
Oh boy... where to start? Download these pgms onto a CDRW for her machine:

==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
==Download this file to your desktop: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Okay. You must be in an Administrator-privileged account to run this procedure...
Save ATF Cleaner to the desktop or a cleaning folder somewhere, dclick the .exe to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox (if you have that browser..) at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Avenger: unzip it to her desktop, leave it for the moment.
ComboFix - copy the .exe to her desktop or to a cleaning folder.

Now start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {2C0E4C15-89D6-46C0-9BB3-1B2E0A103CD1} - C:\WINDOWS\SYSTEM32\driverk.dll
O2 - BHO: 0 - {4F41BCCA-8B1A-4A27-5282-3AF0868D7CD5} - C:\Program Files\MSN\quzase.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: (no name) - {968469a0-d61e-492e-86be-6cdbf4a8db35} - C:\WINDOWS\system32\LOGCHT.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 …
gerbil 216 Industrious Poster

Try googling "jquery.corner" - you will find that it is legitimate. It is used to shape window/object corners! The [1] would possibly indicate a duplicate.. the .js is just javascript.

gerbil 216 Industrious Poster

Like I said, the number depends entirely upon what you have running at any time - I now have five also, but I'm not currently streaming data.... so.
Biggie, if you are really keen get ProcessExplorer, run it and you can then see what each instance of svchost is actually handling. And no, they do not have to be system processes only; any third party application which provides its own dll's will have them running under a svchost handler.

gerbil 216 Industrious Poster

Good-oh, Flo. But try that panda online scan first - it is very good. Just run CCleaner before you do it to remove cookies and other net trash it will pick up.
If it finds viruses or malware feel free to post its log.
Cheers.

gerbil 216 Industrious Poster

Hi lethal, I see that you got rid of a few problem files already, such as C:\temp\svchost.exe etc. A few more things to tidy up...
First, you need to make a choice about your resident AV: you cannot keep both AVG and Norton on the machine cos they will conflict very badly. I know you paid for Norton, but personally I'd run AVG. Well, I do, actually. And it's not as if your Norton would be wasting any differently if it was not installed - the subscription will run out one day anyway.. :)
Done that? Now move your Hijackthis from your desktop to a folder alongside program files folder. Good. Fix these with hijackthis:

this one is a problem:
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
these next are time and RAM wasters:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WeatherBug\Weather.exe 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WeatherBug\Weather.exe (HKCU)
-of course, you may like that temperature thing, but the temp is measured where exactly??

Now delete these:
C:\PROGRA~1\AWS\WeatherBug\Weather.exe
C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
If the last one proves difficult, delete it in safe mode.
And that should be it. A good job.

gerbil 216 Industrious Poster

"then either cmd.exe or the environment path handling is corrupted" -- command shell was what i was trying to think of... told you I wasn't an expert..:)

gerbil 216 Industrious Poster

That's how I wanted hijackthis, floba, thanks. And it shows no errors. I think you have a problem with your OS. It may have been caused by a virus which got past your AV at the time, or some read/write error.
If you are getting comspec errors then either cmd.exe or the environment path handling is corrupted. I'm no way an expert but I don't think there should be any instructions in that part of your memory...
It would be nice to see a combofix log, but failing that I can only suggest you try this:
Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here. If that shows no errors then I would try a system file repair using your installation CD - you go Start, Run, and type:
sfc /scannow -and OK.
And if no-one else comes up with ideas and you still get those errors then perhaps a windows Repair is called for, which is fairly pain-free cos it leaves all your applications and files untouched.
You could even try reinstalling Office. Just a hunch.

gerbil 216 Industrious Poster

:)
Okay, that last log looks good. You did a good cleanup job. Pity about AVG [most other anti virus or antispyware scans are the same] and the tools, but some of those "hack" pgms use valid processes which are identified as viruses etc ... and they clean [break!] them.
No other problems? Cool.

gerbil 216 Industrious Poster

It really depends upon what libraries have been called, biggie. [the .dll things :)]. Svchosts run those services that are being used from those various libraries... I have a data streamer and firefox running atm, plus a bunch of hidden autostarts that are [very, I deem] necessary, and six hosts are looking after them. Twelve, huh? Check your autostart list.... msconfig.... or AVG AS tools, or...

gerbil 216 Industrious Poster

it's working on it, hb, it's working on it.. only a matter of time, now, then - PFFFTTssss!
And yep, word is that M$ destroyed defender.