gerbil 216 Industrious Poster

Heya, floba... no, don't worry about ATF Cleaner, CCleaner does a similar job for our purposes.
You did not quite get the hijackthis instructions right; the new folder and name change are important items, and adding [1] may not do the job. Your log shows clean, and it may be because of the unchanged name... try again, please.
Skip pressing the info button - that's all it is, a bit of info to explain things for you.
Did you run AVG AS? It would be nice to see the log.
And the exact error code would be handy to have... in your first posting it does not seem quite right.
And finally, dl and run Combofix:
==Download this file to your desktop: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

So, please, we'd like to see an AVG log, combofix log, and finally make a new hijackthis log [with the .exe renamed!]
And the error code in full...

gerbil 216 Industrious Poster

I'm sorry, I seem to have not posted the complete fix - a few! lines are missing from my cutnpaste job. I've reworked it below, added other things also....

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {2A185D27-0FCB-40EB-9D0C-C86216D69F6C} - (no file)
O2 - BHO: (no name) - {58EB7FC1-BDB7-4625-BC8D-9F19289836A2} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\wvuropm.dll (file missing)
O2 - BHO: (no name) - {917FE5AA-0AE4-4F93-90D9-61B134D9BB75} - (no file)
O2 - BHO: (no name) - {AEE0215F-E5E6-41E1-9DBF-119B7707228F} - C:\WINDOWS\system32\awtqr.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\klflggko.dll (file missing)

O23 - Service: Abel - Unknown owner - C:\Documents and Settings\Vik_2\Desktop\New Folder\Cain\Abel.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
Good. Using Hijackthis to fix those service entries will stop them running; now go Start, Run, and then paste each of these lines in turn into the Run text window (sc delete takes one service name at a time):

sc delete Abel
sc delete McDetect.exe
sc delete McTskshd.exe
sc delete mcupdmgr.exe

-press OK at each prompt. If it does not run properly then you will have to …

gerbil 216 Industrious Poster

They are service handlers: they group services, so depending upon what you have running you will see several svchosts running.

gerbil 216 Industrious Poster

AVG AS 7.5 [free] is manual update only after 30 days, and is manual scan only [resident shield is disabled]... which anyway is what I want.

gerbil 216 Industrious Poster

You may check this for yourself, but I think the maximum size that windows setup will allow for a FAT32 partition is 32GB. Either use the NTFS system, or make a sensible size for the windows partition of about 8-10GB, and a second, third partition for data. OR you could format it with third party software.... windows setup will then cope with it even if larger than 32GB.

gerbil 216 Industrious Poster

"a" grub.... yeah, malware is what I meant, not GRUB the loader...:). Good going - any idea what it was?
Yep, AVG AS becomes a manual scan only tool, not a guard, if you don't pay. But that does me cos I don't trawl for trouble. And yes, I rather like the way XP tidies itself up when idle- it notes what you do with prefetch files etc, and then puts the most-used bits close to the edge, or whatever, to make them more accessible. It uses layout.ini in prefetch folder - ppl who delete the prefetch contents lose that advantage. But xp builds the file again.

gerbil 216 Industrious Poster

http://support.microsoft.com/kb/281980
I'm not sure that I could put it any better.

gerbil 216 Industrious Poster

Turf out ALL the yahoo gear - toolbars, buttons, search, desktop - uninstall it all. junk. more than that, it's slowing junk. Google too. They have a great search engine website - what else does she need from them?
My opinion, only. And follow up on that resident AV issue. One only, ever.

gerbil 216 Industrious Poster

jb, did you find that grub trying to maul your winlogon.exe, or was it something else?
AVG 7 is a great AV, I rarely do AS scans - only when i suspect something is amiss..., Spywareblaster is a good blocker, and either ZA or Kerio as walls.
jb... how much wear would a daily AS scan do to your HD? - more, i suspect, than a boot..? wondering....

gerbil 216 Industrious Poster

You didn't get rid of McAfee completely....
Use hijackthis to fix these service entries [which will stop them running] and then paste each of these lines in turn into the Run text window (sc delete takes one service name at a time):

sc delete McDetect.exe
sc delete McTskshd.exe
sc delete mcupdmgr.exe

-press OK at each prompt.
It is a friendly thing to do to run ATF cleaner before you run a scan like Panda's, or AVG AS..... we don't then have to rummage through your cookie bin.
Which would make it easier to pick out these:

Spyware:spyware/new.net Not disinfected Windows Registry
Hacktool:Hacktool/Passview.E Not disinfected C:\Documents and Settings\All Users\Documents\viktor shared\vic\Various\downloads\set it ups\pspv.zip[pspv.exe]
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Osk\Local Settings\Temp\win1A.tmp.exe
Potentially unwanted tool:Application/Unbloker Not disinfected C:\Documents and Settings\Vik_2\Desktop\extfix(www.mess.be).zip[extfix.exe]
Potentially unwanted tool:Application/IceCold.A Not disinfected C:\Documents and Settings\Vik_2\Desktop\Msn tools\icecoldreloaded.zip[IceCold ReLoaded.exe]
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\Documents and Settings\Vik_2\Desktop\Vik\vik\Other\applications\installdrivecleanerstart.exe
Potentially unwanted tool:Application/Brutus.A Not disinfected C:\Documents and Settings\Vik_2\Desktop\Vik\vik\Other\brutus-aet2.zip[BrutusA2.exe]
Hacktool:Hacktool/Passview.T Not disinfected C:\Documents and Settings\Vik_2\Desktop\Vik\vik\Other\Meh\pspv.exe
Potentially unwanted tool:Application/Brutus.A Not disinfected C:\Documents and Settings\Vik_2\Local Settings\Temp\Temporary Directory 1 for brutus-aet2.zip\BrutusA2.exe
Potentially unwanted tool:Application/Brutus.A Not disinfected C:\Documents and Settings\Vik_2\Local Settings\Temp\Temporary Directory 2 for brutus-aet2.zip\BrutusA2.exe
Potentially unwanted tool:Application/Brutus.A Not disinfected C:\Documents and Settings\Vik_2\Local Settings\Temp\Temporary Directory 3 for brutus-aet2.zip\BrutusA2.exe
Potentially unwanted tool:Application/Brutus.A Not disinfected C:\Documents and Settings\Vik_2\Local Settings\Temp\Temporary Directory 4 for brutus-aet2.zip\BrutusA2.exe
Potentially unwanted tool:Application/Brutus.A Not disinfected C:\Documents and Settings\Vik_2\Local Settings\Temp\Temporary Directory 5 for brutus-aet2.zip\BrutusA2.exe
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\S-1-5-21-3013760395-2280178743-1550305239-1007\Dc49.exe

Go to add/remove pgms and remove Yazzle by …
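Reading a Panda ActiveScan result list by hand is tedious once the cookie bin has not been emptied. The following is an added example (not Panda's output parser, nor anything from the thread) that parses lines of the shape quoted above into category, detection name, status and location, peels the `[member]` suffix off detections inside archives, and separates items sitting in temp or recycle-bin paths from the rest. The sample lines are copied from the report above; the parsing rules are inferred from those lines and are an assumption about the report format.

```python
"""Parse Panda ActiveScan result lines and summarise them.

Added example, not Panda's or the forum's own code. The line layout
(category:name, status, location, optional [member] for files inside archives)
is inferred from the lines quoted in the thread and is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Sample lines copied from the Panda report quoted in the thread.
SAMPLE_REPORT = [
    r"Spyware:spyware/new.net Not disinfected Windows Registry",
    r"Hacktool:Hacktool/Passview.E Not disinfected C:\Documents and Settings\All Users\Documents\viktor shared\vic\Various\downloads\set it ups\pspv.zip[pspv.exe]",
    r"Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Osk\Local Settings\Temp\win1A.tmp.exe",
    r"Potentially unwanted tool:Application/Brutus.A Not disinfected C:\Documents and Settings\Vik_2\Local Settings\Temp\Temporary Directory 1 for brutus-aet2.zip\BrutusA2.exe",
    r"Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe",
    r"Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\S-1-5-21-3013760395-2280178743-1550305239-1007\Dc49.exe",
]

# category is everything before the first colon; the status words are the ones
# Panda prints (only "Not disinfected" appears in the thread; the others are assumed).
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected|Deleted)\s+"
    r"(?P<location>.*)$"
)
# "archive.zip[member.exe]" -> path to the archive plus the file inside it
MEMBER_RE = re.compile(r"^(?P<path>.*?)\[(?P<member>[^\]]+)\]$")


@dataclass
class Detection:
    category: str
    name: str
    status: str
    location: str
    member: Optional[str]  # file inside an archive, if the location was archive[member]


def parse_report(lines):
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, anything not a detection
        loc, member = m.group("location"), None
        mm = MEMBER_RE.match(loc)
        if mm:
            loc, member = mm.group("path"), mm.group("member")
        out.append(Detection(m.group("category"), m.group("name"), m.group("status"), loc, member))
    return out


def count_by_category(dets):
    return dict(Counter(d.category for d in dets))


def untreated(dets):
    """Detections the scanner reported but did not clean."""
    return [d for d in dets if d.status == "Not disinfected"]


def transient_locations(dets):
    """Items under temp or recycle-bin paths: a temp cleaner run before the scan
    would have removed them, so they clutter the report rather than signal an
    active infection."""
    markers = ("\\local settings\\temp\\", "\\recycler\\")
    return [d for d in dets if any(mk in d.location.lower() for mk in markers)]


def archive_members(dets):
    """Names of the files flagged inside zip archives."""
    return sorted({d.member for d in dets if d.member})
```

`transient_locations` is the reason the author asks for ATF Cleaner first: half the lines in a report like this are temp-directory extractions of one zip, and dropping them leaves the handful of entries that actually need attention.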

gerbil 216 Industrious Poster

This is the place to post it....

gerbil 216 Industrious Poster

What is this to you?
O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} - http://www.thepaymentcentre.com/build/vxiewer.cab
Actually, why bother answering?, just remove it: start hijackthis, select Scan Only, place a checkmark against the entry, and then press Fix Checked.
Tell us what happens next...

gerbil 216 Industrious Poster

Pleased if I helped, Azriel. Cheers.
Huuzefad, it would be helpful to know the first parameter in that error msg, i.e. the first term inside the brackets before the first comma... something like 0x000000F4 (0x00000001, .....) for example.

gerbil 216 Industrious Poster

flogabbin, you should do these things [in this order] so that someone can help you:
Get ATF Cleaner:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]

Now run AVG - AS:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file. Post the log file.

Finally, HiJackThis:
==download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Did you actually do this bit?
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O2 - BHO: (no name) - {f7d40011-29bb-43eb-9c97-875ce89e9e36} - C:\WINNT\system32\hp100.tmp
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZCxdm238YYUS

No? Well, add these to the list, and fix them all now:

O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\spywarebot\SpywareBot.exe -boot
O21 - SSODL: cholecyst - {ee2975b6-e8d5-405e-8448-8fe9590f6cfb} - C:\WINNT\system32\mzoeut.dll

Now run the clean option with smitfraudfix:-
- Disconnect from the net
- Check that a Restore point has been made.
- Go into safe mode.
- Start Smitfraudfix as before and press 2, Enter.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected; if it is you will be prompted to replace the file; type Y and press "Enter".
Reboot into normal Windows and post here the text file which will appear on your screen, along with a new HT log.
You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall …

gerbil 216 Industrious Poster

Well, if no formatting has been done this is possibly the most straightforward app to run.
Dload it [rest2514.exe] to a floppy using ANOTHER machine, unzip it to the same floppy, and then run restoration.exe from the floppy.
Advantage of that is there is no installation, so no writing to HD at all. Be inventive in use of search parameters otherwise she's gonna get flooded with old temp inet files....
http://www.snapfiles.com/get/restoration.html
Anything with more power pretty much requires installation...
Another neat n simple job is PCI Inspector's File recovery, but it requires installation, with possibility of overwriting.....

gerbil 216 Industrious Poster

Sigh....
To start off, move hijackthis to a new folder in C:\.
Only then, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [uruf] C:\PROGRA~1\COMMON~1\uruf\urufm.exe

Good. Now browse to and delete these files and the outlook and uruf folders:

C:\WINDOWS\system32\winlog.exe
C:\Program Files\outlook\outlook.exe
C:\Program Files\outlook
C:\PROGRA~1\COMMON~1\uruf\urufm.exe
C:\PROGRA~1\COMMON~1\uruf

If they prove difficult, try to delete them in safe mode: repeat the whole process there. Or just use this to delete the files after fixing the HT entries:
http://ccollomb.free.fr/unlocker/
Finally, get an antivirus.... the sigh was because you are just begging for this type of hit without it.
AVG FRE, Avast, Avira, AVG AS 7.5, Spywareblaster, ZoneAlarm Free, Kerio; there are others - I use AVG fre[7], AVG AS, Spywareblaster and Zonealarm.

gerbil 216 Industrious Poster

You may be in trouble.... you could try running sfc with your install CD. Because you ran a keygen it does not have to be a virus etc., just a malicious pgm.... often they give you an ad-loading trojan. You could try re-installing your shell:
regsvr32 /s /i shell32.dll
but who knows what problems you have really? Sorry...

gerbil 216 Industrious Poster

Some groups are proud of their keygens, and they are clean. Others I think are paid by developers to make keygens to teach people a lesson. You can test them before you run them, you know. And you can sandbox them also.

gerbil 216 Industrious Poster

Heya, lou, for a start could you please move hijackthis.exe off your desktop to a new folder on C:\ please?
Only then start hijackthis and select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [py] C:\WINDOWS\system32\py.exe
O4 - HKLM\..\Run: [dnbeiiycm] C:\WINDOWS\system32\dnbeiiycm.exe
O4 - HKLM\..\Run: [saarcsnczoe] C:\WINDOWS\system32\saarcsnczoe.exe
O4 - HKLM\..\Run: [quyujoytjjn] C:\WINDOWS\system32\quyujoytjjn.exe
O23 - Service: Print Spooler Service (o4ey1avocybuwyy) - Unknown owner - C:\WINDOWS\system32\py.exe

Good. Now browse to and delete these files; if they will not die then try it from Safe Mode..:

C:\WINDOWS\system32\py.exe
C:\WINDOWS\system32\dnbeiiycm.exe
C:\WINDOWS\system32\saarcsnczoe.exe
C:\WINDOWS\system32\quyujoytjjn.exe

Go start, run, type cmd and enter; paste this next line into the black window after the command prompt and press enter:

sc delete o4ey1avocybuwyy

Fine, close the window; please post a fresh log with your comments on how things are....

gerbil 216 Industrious Poster

Heya, CC... did you mean to mark the thread solved already?
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\winsystem.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\winsystem.exe

Good. Now browse to this file and delete it: C:\WINDOWS\system32\winsystem.exe
Report back with an update on your problem.

gerbil 216 Industrious Poster

Haha.. you def would not want winlogon.exe replaced cos win file prot runs inside that! I can only think that a trojan or virus with just one job in mind is resident, it fails and stops until next reboot. O20 is where you would hope to see that launch type being reported, naturally with windows I bet there are many other winlogon launch methods. I can only suggest doing a couple of online scans, an eg is Panda Online Scan:[what follows is a set piece...]
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Give it a shot....

gerbil 216 Industrious Poster

I see that you have MyWay Search Assistant [there, courtesy DELL]. We can get rid of it first off..
First see if it is listed in Add/remove pgms list - remove it if able, then..
Go start > run, paste: MsiExec.exe /X {78d944d7-a97b-4004-ab0a-b5ad06839940} -and Enter. If it is found click yes at the prompt.
Next delete the MyWay files/folder in Program Files [use myway as a search string...].
You could also use myway as a search string in regedit and delete all references... BUT BE CAREFUL in there!! - you can skip this step though, removing the files makes the reg entries redundant.

Next, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll

Report back with comments, please.

gerbil 216 Industrious Poster

Those logs are clean. Remove AVG7 if you are keeping mcafee. Disable [turn OFF] teatimer while you attempt one more combofix run [and then turn teatimer back on if you wish!].
Teatimer setting is under Mode, advanced mode, tools, resident... -restart for the change to be made.
Apart from that, I am at a loss. What are your symptoms now?

gerbil 216 Industrious Poster

I guess they are not the system files that are included in the protected list, otherwise the file protection sys would have kicked in and replaced em with originals.... Could it be a driver? I'd have thought an untrusted source would have buckley's of doing that unless some permissions were altered. Don't know. Sorry. sfc may sort it out, but that would mean that the cache files were wrong also...

gerbil 216 Industrious Poster

You know, AVG AS should detect and remove New.net, or Newdotnet. Check my last post on page 1 of this thread to ensure you have correct AVG settings.
I know nothing about that error msg.... some incompatibility with windows, but.... heck, i've trialled that combofix version no probs. NT has created a virtual DOS machine to handle some part of the pgm that is in DOS, but has encountered some sort of error. Dunno.

gerbil 216 Industrious Poster

...so clean it squeaks, jb. You could fix that O2 entry with no file, but it was never a problem BHO -it's a common enough CLSID.
Were/are there any symptoms bothering you?

gerbil 216 Industrious Poster

I changed my previous post...pls read the new one.. the name of that file caught me off guard, but i checked to make sure and altered the post. And yes, it is a good idea to dl another copy of combofix....
I note that you ran AVG AS - you must ensure that on the scanner page, settings tab, that How to Act is set to Quarantine; if run with default setting it detects but does not remove spyware!

gerbil 216 Industrious Poster

combofix found the so-called "uninstaller" for newdotnet which is an adware pest: it is a redirector, it certainly is not an uninstaller.
I suspect it may be what put those O1 host file entries there... browse to c:\windows\NDNuninstall6_38.exe and delete it, but i suspect combofix already did.
I see nothing else, but it disturbs me that combofix would not run - some trojans can break it. But that is all - I see nothing in your new log.
A combofix log is normally saved in the root of your system drive, eg at C:\ComboFix.txt.

gerbil 216 Industrious Poster

Could you show me what log combofix has made so far, please? And I really need you to do the other part of my last post to you regarding hijackthis, all of it.
Did you try to fix those O1 host entries or not, cos they are still there..?

gerbil 216 Industrious Poster

It looks like a good job done. You could fix that yahoo R3 entry, and that's about it.
Cheers.

gerbil 216 Industrious Poster

Looks like something has blocked ComboFix. OK, delete your copy.
Please rename hijackthis.exe to imabunny.exe, start it, press Misc Tools, press the List minor sections button and Generate Startup List log. Post that.
Now for a shot in the dark:
Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES. Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt plus a new HijackThis log.
[oh, and that smitfraudfix run, it does not pay to run Option 2 when there is no detection - the pgm likes to break stuff, if it cannot find a bug it turns on your desktop and breaks that! You were lucky with that second pass...]

gerbil 216 Industrious Poster

good-oh.
Btw, because you had a vundo infection would you mind renaming hijackthis.exe to imabunny.exe and posting a fresh log? Some vundo's hide from hijackthis - they detect it starting and stop their own processes.., and vundofix has to run a few times to learn or be pointed at the more clever ones...

gerbil 216 Industrious Poster

Give combofix a couple of chances more.
Then delete your copy of hijackthis and..:
==download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

You may laugh at this, but I could not see the issues with your first log; the last shows clean also. It can be like that sometimes. I do see that you are still running Nod32 as well as Symantec AV - now that is trouble; two resident AV services will interfere, checking each others signatures.....your sys will struggle. Remove one. And good work, self help is satisfying.

gerbil 216 Industrious Poster

Yes, shred it. And then run the clean option with smitfraudfix:-
- Disconnect from the net
- Check that a Restore point has been made.
- Go into safe mode.
- Start Smitfraudfix as before and press 2, Enter.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected; if it is you will be prompted to replace the file; type Y and press "Enter".
Reboot into normal Windows and post here the text file which will appear on your screen, along with a new HT log.
You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight System with a lclick, go File, Export..., save as bluewall with file type .txt. Close regedit and post that txt file. Try ComboFix again.
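The exported key is posted so a helper can see which desktop restrictions the infection switched on. As an added example (not part of the thread and not a tool the author mentions), the block below reads a regedit "Text Files" export of that Policies\System key and lists the values that actually restrict something: non-zero DWORDs and any string value such as a forced wallpaper. The dump layout ("Key Name:", "Value N", indented Name/Type/Data lines) is written from memory of regedit's text export and is an assumption; the sample is constructed, though NoDispBackgroundPage, NoDispScrSavPage and Wallpaper are real policy value names under that key.

```python
"""List the active desktop-restriction values in a regedit text export of
HKCU\\...\\Policies\\System.

Added example, not from the thread. The export layout below is assumed from
memory of regedit's "Text Files" export; the sample data is constructed.
"""
import re
from dataclasses import dataclass

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed sample in the assumed regedit text-export layout.
SAMPLE_EXPORT = r"""
Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Class Name:        <NO CLASS>
Last Write Time:   1/1/2007 - 12:00 AM
Value 0
  Name:            NoDispBackgroundPage
  Type:            REG_DWORD
  Data:            0x1

Value 1
  Name:            NoDispScrSavPage
  Type:            REG_DWORD
  Data:            0x0

Value 2
  Name:            Wallpaper
  Type:            REG_SZ
  Data:            C:\WINDOWS\system32\blank.bmp
"""

# "Key Name:" introduces a key; "Name:/Type:/Data:" describe one value.
FIELD_RE = re.compile(r"^\s*(Key Name|Name|Type|Data):\s*(.*?)\s*$")


@dataclass
class RegValue:
    key: str
    name: str
    type: str
    data: str


def parse_text_export(text):
    values, key, cur = [], None, {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # "Class Name", "Last Write Time", "Value N", blanks
        field, val = m.groups()
        if field == "Key Name":
            key = val          # subsequent values belong to this key
        elif field == "Name":
            cur = {"name": val}
        elif field == "Type":
            cur["type"] = val
        elif field == "Data":
            values.append(RegValue(key, cur["name"], cur["type"], val))
            cur = {}
    return values


def active_restrictions(values, key=POLICY_KEY):
    """Names of values under `key` that restrict something: DWORDs set to a
    non-zero value, and any non-empty string value (a forced Wallpaper path)."""
    hits = []
    for v in values:
        if v.key.lower() != key.lower():
            continue
        if v.type == "REG_DWORD" and int(v.data, 16) != 0:
            hits.append(v.name)
        elif v.type in ("REG_SZ", "REG_EXPAND_SZ") and v.data:
            hits.append(v.name)
    return hits
```

Run it on the posted file with `active_restrictions(parse_text_export(open(path).read()))`; an empty list means the key carries nothing that would blank the desktop, and the problem lies elsewhere.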

gerbil 216 Industrious Poster

You have MyWebSearch Search Assistant - Go to Add/Remove programs and remove MyWebSearch Bar, MyWeb Search and Search Assistant.
You also have SpywareBot - it has a less than good reputation. Remove it, I think.
Remove also any pgm that looks like SpywareQuake.

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O2 - BHO: (no name) - {f7d40011-29bb-43eb-9c97-875ce89e9e36} - C:\WINNT\system32\hp100.tmp
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZCxdm238YYUS

==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:.. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!

When you are finished reboot to normal Windows mode and send that Smitfraud log in, plus a fresh hijackthis log.

gerbil 216 Industrious Poster

A few things there; let's work through them.
Does this work for you? No adware at all?

R3 - URLSearchHook: Share Accelerator Toolbar - {f5c93451-2609-4723-a053-5c19516be1a8} - C:\Program Files\Share_Accelerator\tbShar.dll
O3 - Toolbar: Share Accelerator Toolbar - {f5c93451-2609-4723-a053-5c19516be1a8} - C:\Program Files\Share_Accelerator\tbShar.dll

If you do not want it, remove it via add/remove pgms.
Now, by fixing I mean starting hijackthis and pressing Scan Only, and then placing checkmarks against all unwanted entries, and finally pressing Fix Checked...

These look interesting... why do you have them? They are redirectors when you mistype a URL.... I'd definitely fix them:

O1 - Hosts: 66.98.136.25 auto.search.msn.com
O1 - Hosts: 66.98.136.25 auto.search.msn.es

Do you have a website with ads or something like that? I leave it up to you cos I do not know:

O1 - Hosts: 66.98.136.25 pagead2.googlesyndication.com

These must be fixed:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\DLP.dll

So. Make your choices and fix the items.
Now go to control panel, add remove pgms and remove anything that mentions ads, adz or Oin.

Get Combofix:
Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable …
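The decisions in this post and the earlier py.exe one (which O1 hosts lines are redirects, which O2 BHOs are orphaned, which O23 services are dead and can go with sc delete, and which service shares its binary with an O4 Run entry) can be made mechanically. The block below is an added example, not HijackThis code and not a tool the thread uses; the line formats are inferred from the entries quoted in the thread, and the sample log is constructed from those entries.

```python
"""Triage HijackThis log lines of the kinds fixed in this thread:
O1 hosts entries, O2 BHOs, O4 Run entries and O23 services.

Added example, not HijackThis code. Line formats are inferred from the
entries quoted in the thread; the sample is constructed from them.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = [
    r"O1 - Hosts: 66.98.136.25 auto.search.msn.com",
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\DLP.dll",
    r"O4 - HKLM\..\Run: [py] C:\WINDOWS\system32\py.exe",
    r"O23 - Service: Print Spooler Service (o4ey1avocybuwyy) - Unknown owner - C:\WINDOWS\system32\py.exe",
    r"O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)",
]

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# display name, optional (short name) as used by sc, owner, image path
SERVICE_RE = re.compile(r"^Service: (?P<display>.*?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.*?) - (?P<path>.*)$")

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}  # hosts entries pointing here block, not redirect


@dataclass
class Finding:
    section: str
    kind: str
    detail: str


def executable_of(cmd):
    """First token of a command line, unquoted and lower-cased. Enough for the
    plain paths seen here; rundll32-style lines would need more work."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    return cmd.split(" ", 1)[0].lower()


def triage(lines):
    findings, run_exes, services = [], {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in LOOPBACK:
                findings.append(Finding("O1", "hosts-redirect", f"{h.group('host')} -> {h.group('ip')}"))
        elif section == "O2":
            b = BHO_RE.match(body)
            if b:
                path = b.group("path")
                if path == "(no file)" or path.endswith("(file missing)"):
                    findings.append(Finding("O2", "orphaned-bho", b.group("clsid")))
                else:
                    findings.append(Finding("O2", "loaded-bho", f"{b.group('clsid')} {path}"))
        elif section == "O4":
            r = RUN_RE.match(body)
            if r:
                run_exes[executable_of(r.group("cmd"))] = r.group("name")
        elif section == "O23":
            s = SERVICE_RE.match(body)
            if s:
                services.append(s)
    # Judge services after the loop so O4 entries anywhere in the log can be cross-referenced.
    for s in services:
        short = s.group("short") or s.group("display")
        path = s.group("path")
        if path.endswith("(file missing)"):
            findings.append(Finding("O23", "orphaned-service", short))
        elif executable_of(path) in run_exes:
            findings.append(Finding("O23", "service-and-run-share-binary", f"{short} {executable_of(path)}"))
    return findings


def sc_delete_commands(findings):
    """One sc delete per orphaned service, the clean-up step used in the thread."""
    return [f"sc delete {f.detail}" for f in findings if f.kind == "orphaned-service"]
```

The cross-reference between O4 and O23 is the part worth keeping: a file that is both a Run entry and a service with a made-up short name, as py.exe was above, is persisting two ways, and both entries need fixing before the file is deleted.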

gerbil 216 Industrious Poster

Snatch, she has two resident AV services running. That is not at all for the good, cos they interfere terribly - you must remove one of them AVG7 or Avast.. you choose. I certainly would not load up another one.... Apart from that she is clean.
I would hope that just one AS service would suffice - they do not interfere but they both run so there goes more RAM and CPU time.... AVG AS or Defender - I suggest one should go. I can see CounterSpy sitting in there also. I run AVG AS on demand only, about once every couple of months is all I can bear....Spywareblaster fends off a lot.
128 MB of RAM is okay for XP, 512MB is naturally better, but it costs. You could do a lot to help by removing all those autostart entries - they stay resident and chew up valuable ram space. Some just waste connection time.
eg:
Google and Yahoo toolbars, browser helpers and desk-search - does she need them? Google runs very nicely from its website... I see there is also a google updater service running....
O4 - HKLM\..\Run: [CARPService] carpserv.exe : this one lets you hear the modem squeal.... and does nothing else.
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime : this checks for quicktime updates. Every logon.....??!
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe : ditto for HP software.
OFFICE, yeah she's a student, and …

gerbil 216 Industrious Poster

A decent start - AVG pointed out the rootkit, avenger removed it.
Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Restart your pc in safe mode -
To restart your computer in Safe Mode: press F8 several times while POST is running and before IDE detection completes, press Yes to bypass System Restore.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using your account if an administrator, otherwise use the Administrator account and password. NOTE: The password is blank by default unless you set a password.
Start hijackthis, do a Scan Only, and place checkmarks against the following for fixing:

O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\mljkigf.dll (file missing)
O2 - BHO: (no name) - {41296711-6B37-413E-8417-CF1FB0AEFB33} - C:\WINDOWS\system32\pmkhe.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\eponfetp.dll
O2 - BHO: (no name) - {B1C23631-67FE-4DCD-9A53-10E75D2EC349} - C:\WINDOWS\system32\xixpifqy.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\xfpbmdmu.dll
O2 - BHO: (no name) - {f0d4931b-365c-4f6f-981f-f5fbd5f7fd9c} - C:\WINDOWS\system32\boott3g.dll (file missing)
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\ycoiohch.dll",realset
O20 - Winlogon Notify: mljkigf - mljkigf.dll (file missing)

Next start Vundofix again, and click the Scan for Vundo button.
When the scan completes rclick inside the white text box, lclick the Addmore files? line, paste into the new window these two pathnames [one per line]:

C:\WINDOWS\system32\eponfetp.dll …
gerbil 216 Industrious Poster

1 reboot puts the same amount of wear on the HDD as 16 hours of average use. Wow!... I didn't know that. I wasn't thinking of the PSU though, more every other little semiconductor pasted here and there, processors, etc. So where is the HD wear? Nothing touches, except maybe on the rest zone before it speeds up... I think...
M$ could be in cahoots with HD manufacturers cos of that auto reboot on error setting... :) - don't ever go on hols and leave your sys on.

gerbil 216 Industrious Poster

Two rootkits in one day!! [am dealing with another poster also...] -McAfee is trying, it found a rootkit, rustock-[B?].
Rustock-B rootkit removal:
==Download rustbfix.exe from http://www.uploads.ejvindh.net/rustbfix.exe
-save it to your desktop, dclick on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you will be asked to reboot the computer, perhaps twice. The procedure may be slow, but is automatic.
Afterwards 2 logfiles will open (C:\avenger.txt, C:\rustbfix\pelog.txt). Post these logfiles plus a new HijackThis log.
Rclick the tray icon for McAfee virus shield and select Exit. Run the smitfraudfix tool as above, then turn McAfee back on.
Lastly, run Combofix:
==Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply along with the others.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

gerbil 216 Industrious Poster

Ah! A nice, shiny rootkit to play with.
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop and leave it for the moment.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\yflpclwl.dll",realset


Good, now start Avenger, select “Input script manually” and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:-
_____________________________________
Files to delete:
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\cssrss.exe
C:\WINDOWS\system32\yflpclwl.dll
_____________________________________
...and click Done, and finally the green light.
Follow prompts to reboot your machine.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click …

gerbil 216 Industrious Poster

That pgm? Smitfraudfix full of trojans? Mcafee must have gone off its trolley - I was getting you to run it because in part it checks to see if you have particular types of rootkits. I would happily vouch for that site, that pgm.. you shoulda kept AVG.... turn Mcafee off to dl from that link. Run it and turn Mcafee back on. I would not give you a dodgy link or pgm to run... maybe the run will pick Mcafee up as a fraud... :)

gerbil 216 Industrious Poster

Azriel, just add to your posts, pls don't start a new thread on the same topic.... it makes us chase the thread over several windows....
A big, important point to make: you must run ONLY ONE resident AV - you have both AVG and Mcafee, so one of them must go.
Next point is the location of hijackthis - delete that copy and unzip a fresh copy to a new folder alongside your program files.
If you do not do that and things go bad, be it on your own head.
-select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

I see no other problems....so:
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:.. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!

When you are finished reboot to normal Windows mode and send that Smitfraud log in....
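A small triage helper for HijackThis-style log lines such as the O2/O4/O20 entries and the R1 entry gerbil lists in this thread. This is an added example, not part of gerbil's instructions and not code from HijackThis, Avenger or any other tool named here. The sample log is constructed: its entries are copied from posts in this thread, with one made-up benign Run entry (ExampleUpdater) added for contrast. The checks it applies (dangling file references, rundll32 DLL loaders at logon, executable names one edit away from a real Windows process name, Winlogon Notify DLLs and changed proxy settings) are my own assumptions about what a helper looks at first when reading such a log, not HijackThis's own classification.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from posts in this thread, plus one
# made-up benign entry (ExampleUpdater) so that a clean line is present too.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {f0d4931b-365c-4f6f-981f-f5fbd5f7fd9c} - C:\WINDOWS\system32\boott3g.dll (file missing)
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\ycoiohch.dll",realset
O20 - Winlogon Notify: mljkigf - mljkigf.dll (file missing)
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O4 - HKCU\..\Run: [svcshare] D:\WINDOWS\system32\drivers\spoclsv.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

# Windows process names that malware commonly imitates with a one-letter change
# (assumption: a short list is enough to illustrate the lookalike check).
KNOWN_SYSTEM_EXES = (
    "csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
    "services.exe", "smss.exe", "spoolsv.exe", "explorer.exe",
)

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DLL_ARG_RE = re.compile(r'"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<entry>\w+)', re.IGNORECASE)


@dataclass
class Entry:
    code: str                      # HijackThis section code, e.g. O4
    body: str                      # everything after "O4 - "
    reasons: list = field(default_factory=list)  # why a human should look at it


def edit_distance(a, b):
    """Plain Levenshtein distance; used to spot lookalike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_token(cmd):
    """Return the program part of a Run-key command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike_of(exe):
    """Name of the real system process that `exe` is one edit away from, or None."""
    for known in KNOWN_SYSTEM_EXES:
        if exe != known and edit_distance(exe, known) == 1:
            return known
    return None


def triage_line(line):
    """Parse one log line and attach review reasons; None if it is not a log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m["code"], m["body"])
    body = entry.body
    if "(file missing)" in body or "(no file)" in body:
        entry.reasons.append("orphaned entry: referenced file no longer exists")
    if entry.code == "O4":
        o4 = O4_RE.match(body)
        if o4:
            exe = basename(first_token(o4["cmd"]))
            if exe == "rundll32.exe":
                d = DLL_ARG_RE.search(o4["cmd"])
                target = basename(d["dll"]) if d else "?"
                entry.reasons.append(f"rundll32 loads {target} at logon")
            known = lookalike_of(exe)
            if known:
                entry.reasons.append(f"{exe} is one edit away from system process {known}")
    elif entry.code == "O20":
        entry.reasons.append("Winlogon Notify DLL: review, a common persistence spot")
    elif entry.code == "R1" and "ProxyOverride" in body:
        entry.reasons.append("proxy override set: compare against the expected value")
    return entry


def triage(log_text):
    """All parsed entries, in log order."""
    entries = [triage_line(l) for l in log_text.splitlines()]
    return [e for e in entries if e is not None]


def suspicious(log_text):
    """(code, reasons) for every entry that collected at least one reason."""
    return [(e.code, e.reasons) for e in triage(log_text) if e.reasons]


if __name__ == "__main__":
    for code, reasons in suspicious(SAMPLE_LOG):
        print(code, "->", "; ".join(reasons))
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; the constructed sample flags six of its seven lines and leaves the made-up ExampleUpdater entry alone, which is the point: the script narrows a log to the lines worth reading, it does not decide anything by itself.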

gerbil 216 Industrious Poster

Well I see nothing there now. How's it from your point of view? Do you have a connection to the net now?
If not:
-is IE opening? Did those two R1 entries in the hijackthis log return?
-next check some settings....In control panel select the Network and Internet Connections, rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.
If it is:
-be happy.

gerbil 216 Industrious Poster

You have an annoying little trojan, a worm... please delete hijackthis from the folder where it is and follow this:
==download a fresh copy of hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files.
-in that folder start HijackThis by dclicking the .exe;
-select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKCU\..\Run: [svcshare] D:\WINDOWS\system32\drivers\spoclsv.exe

Browse to this file and delete it: D:\WINDOWS\system32\drivers\spoclsv.exe
Find D:\setup.exe and delete it.
Get ATF Cleaner:
===Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]
Now please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here, plus a fresh hijack this log..

gerbil 216 Industrious Poster

Get ATF Cleaner:
===Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]
Now run AVG AS in safe mode.
Get HiJackThis, and be sure to run it in Normal mode:
===download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here along with the AVG log. Then we may be able to help.

gerbil 216 Industrious Poster

Okeydoke.. that's gotta be good. Just check that C:\program files\?dobe folder tho, it is trying to look like Adobe....
Cheers.

gerbil 216 Industrious Poster

Is it not inbuilt? I just go start > log off > switch user panel > select user n that's it. Can it be faster than that? Why? No files, applications from the old user are closed.... it is available if you have this value in registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DWORD :AllowMultipleTSSessions = 1
I think you can do a hotkey...... yeah.. Winky+L ... but you still have to go via the login panel, and why not? Gotta select a user somehow.