...just from reading a bit on it it does look like you would have to copy the partition to another and change the type so that it can be opened. Try a linux livecd [bootable cd] product to do it.
gerbil 216 Industrious Poster
Yer, well you can back up the bits of registry that you intend to fiddle with [export the keys in question... then just a dclick of the exported files shoots em straight back in.. assuming, of course, that your machine restarts.. :)]
Or get Alcohol 52% and create some images of those cd's, mount em and no time lost while the laser gathers bits.
Okay, that may not sound like much help, but....
svchost is just running processes, it's a handler -you would see several of em going like the clappers. Log is clean, cept for all the mcafee stuff.
Good lord! You've got every mcafee process and service known to science running there. I think if you examine the fine print you will find that it all protects your sys by bogging it down so slowww that any virus will die of old age before it can replicate.
WAK!! Before you run AV, AS scans it is just a friendly n sensible thing to clean the junk out first. Most of those AVG entries were from stuff in the recycle bin!
Either this cleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Next select the Applications tab and Run Cleaner again.
[For future quick temp file cleaning select the options you wish to use. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option.]
..or this one:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a …
It rather looks like we are going to have to give things a gentle nudge - you are still infected. I want you to download a tool to remove these files. But first:
Please delete the VundoFix log file and Combofix log file plus their bug bins..
-What is inside this folder? C:\PASS27S -if you do not know it then leave it in the folders to delete list, otherwise REMOVE it from there.
-and this folder? C:\Program Files\hjk -if you do not know it......
-What is this file associated with? C:\WINDOWS\system32\69750AB7E9.sys -check its properties. If you do NOT know it then leave it in the list....it is in the wrong place even if valid....
Okay...
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop and start it; select “Input script manually” and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:-
_____________________________________
Files to delete:
C:\WINDOWS\khecbx.dll
C:\WINDOWS\ljiiij.dll
C:\WINDOWS\effgde.dll
C:\WINDOWS\hgghec.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\pmnoon.dll
C:\WINDOWS\jkjjji.dll
C:\WINDOWS\fcyvvs.dll
C:\WINDOWS\cbxvtq.dll
C:\WINDOWS\awwxwu.dll
C:\WINDOWS\tutrpp.dll
C:\WINDOWS\ddbywu.dll
C:\WINDOWS\cbxxyy.dll
C:\WINDOWS\xxxwts.dll
C:\WINDOWS\khebya.dll
C:\WINDOWS\ljigff.dll
C:\WINDOWS\ljkigf.dll
C:\WINDOWS\khifcd.dll
C:\WINDOWS\jkjgfe.dll
C:\WINDOWS\khecdc.dll
C:\WINDOWS\vtuuus.dll
C:\WINDOWS\system32\69750AB7E9.sys
Folders to delete:
C:\PASS27S
C:\Program Files\hjk
_____________________________________
...and click Done, and finally the green light.
Follow prompts to reboot your machine.
…
What is in this: C:\Program Files\?dobe
And please run ComboFix again. Are there any more symptoms, problems outstanding? Are your icons still missing, and explorer still will not run?
I see nothing else wrong at this level. Is everything working properly now? If so empty your AVG quarantine bin.... if not, we need to know some symptoms.
Nope, all credit to you, NoDrives = 0 is the solution.
I cannot help but think that that setting is over-riding something else.... but I am leaving the issue as it is. Actually, I am using it to hide my current page file. Neat. Thank you.
There's more! When I added that NoDrivesAbsent = 1 I still had the other DWORD NoDrives in the key, set = 0. Got to thinking about it, deleted the NoDrivesAbsent Dword, left NoDrives = 0 there, and that does it, alone. Other DWORD is redundant.... which all, nanosani, fits in nicely with the intent of that binary drive nomination scheme.
I just gotta stop fiddling with these things....
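As an added example (not from the posts above), here is the bit arithmetic behind the NoDrives value that exchange settles on: Explorer reads NoDrives as a 32-bit DWORD in which bit 0 stands for A:, bit 1 for B:, up to bit 25 for Z:, so a value of 0 hides nothing. The function names and sample values are this example's own.

```python
from typing import Iterable, List

# NoDrives lives under HKCU (or HKLM)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
# Bit layout: bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:.
DRIVE_LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ALL_DRIVES_MASK = (1 << 26) - 1  # 0x03FFFFFF, every letter A: to Z:


def drive_bit(letter: str) -> int:
    """Return the NoDrives bit for one drive letter (A: -> 1, C: -> 4, P: -> 32768)."""
    letter = letter.rstrip(":").upper()
    if len(letter) != 1 or letter not in DRIVE_LETTERS:
        raise ValueError("not a drive letter: %r" % letter)
    return 1 << DRIVE_LETTERS.index(letter)


def nodrives_mask(letters: Iterable[str]) -> int:
    """Build the NoDrives DWORD that hides exactly the given drive letters."""
    mask = 0
    for letter in letters:
        mask |= drive_bit(letter)
    return mask


def hidden_drives(mask: int) -> List[str]:
    """Decode a NoDrives DWORD back into the drive letters it hides."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("NoDrives is a 32-bit DWORD")
    # Bits 26..31 do not correspond to any drive letter, so they are skipped.
    return [DRIVE_LETTERS[i] + ":" for i in range(26) if mask & (1 << i)]


def reg_line(mask: int) -> str:
    """Render the value the way it appears in an exported .reg file."""
    return '"NoDrives"=dword:%08x' % mask


if __name__ == "__main__":
    # Constructed sample: hide only the P: page-file partition mentioned in the thread.
    page_file_mask = nodrives_mask(["P:"])
    print(reg_line(page_file_mask), hidden_drives(page_file_mask))
    # The value the thread ends up with: hide nothing at all.
    print(reg_line(0), hidden_drives(0))
```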
run HiJackThis
===download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Then take a copy of your problem from your post above and start a new thread in Viruses n Nasties forum. Post the log there.
==Download Lspfix.exe from http://cexx.org/lspfix.htm -start it by dclicking the .exe, and press Finish.
Start hijackthis, do a Scan Only and place a checkmark beside this entry below, and press Fix Checked.
O20 - Winlogon Notify: winfda32 - winfda32.dll (file missing)
Post another hjt log.
Memory violations usually result when a process you have running tries to dive into protected memory where the kernel is working. Instant BSOD because the OS is programmed that way to protect its operations. You either have a poorly scripted pgm or a virus. Or something else. A driver not matching some hardware, e.g. your video.
Google the error code, all of it to begin with, and reducing the length by cutting off a hex group each time until you get useful hits.
Nanosani!! WE DID IT!!!! THANK YOU!!!
DWORD NoDrives was rather the opposite of what I desired. But i created a DWORD NoDrivesAbsent, Value =1, and Yahoo!! There now are all my secondary SATA drives in Explorer! Thank you for pointing me in the right direction.
Wheeeee... so happy now.
Oh boy..... I dunno what to say about that... the index file bit.... but what the heck, they are rewritten as needed. Glad you're firing again. Cleaning is good, and CCleaner is a good cleaner...
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Next select the Applications tab and Run Cleaner again.
[For future quick temp file cleaning select the options you wish to use. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is a furphy, much loved on some websites, but cleaning it is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]
shrooms, combofix has listed a lot of bad files as having been installed, but i must assume they are no longer there because it would most certainly have deleted those particular ones... i mean, it should have... Let's check.
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Next select the Applications tab and Run Cleaner again.
___________________________________________________
Files to delete:
C:\WINNT\SYSTEM32\dlh9jkd1q6.exe
C:\WINNT\SYSTEM32\dlh9jkd1q2.exe
C:\WINNT\rau001978.exe
C:\Documents and Settings\Administrator\Application Data\.rdr.ini
C:\syskvcl.exe
C:\WINNT\SYSTEM32\winpfz32.sys
C:\WINNT\_MSRSTRT.EXE
C:\Program Files\?dobe
C:\WINNT\SYSTEM32\shieldScreensaver_pc.scr
C:\Program Files\FOLDER.HTT
C:\Program Files\DESKTOP.INI
___________________________________________________
Paste all the text between the lines into Avenger. Show me the log.
Update AVG AS and run it, post the log.
Run hijackthis in normal mode, post the log.
yes, jb, it has four mounted [ie, drive letters assigned] partitions on it atm, and all are usable... one is my page file.
Heya, nanosani....I tried the Expl address bar method - it works, thanks. I had not thought of it because I usually have that address bar hidden. Atm I have the whole drive imaged in a folder on the primary SATA which naturally works also, so I can see them all. They just cannot be placed into the root....
That was an interesting article you linked, unfortunately that DWORD was for hiding drives, but it's pointing in the right direction - something in registry perhaps is blocking those partitions. I have noticed that explorer auto-hides any drive that has a drive letter out of order.. eg C, D, P, E, F - the P drive will be hidden, at least on my sys. I used that method to hide my page file before I got the second SATA.
Where did you find that DWORD? I have reserved a couple of drive letters for imaging on my primary drive, and because all of its space is not allocated yet.. [just what do ppl put on 500GB jumbos??!!?]... I wonder if that drive mounting gap could be...?
HAL would be umm... bemused if dropped onto another mobo...
Looks clean now!! Hey, would you do something for me please? Run regedit and navigate to this key and select it [lclick on Windows in left pane], then rclick AppInit_DLLs in right pane, select Modify binary data, and then type into a notepad what is shown in the window. Press cancel, n close regedit. I see that the entry is null, but just wonder why HT picks it up....
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
I would give you a script, but i'd like to see the binary data...
TCP is a protocol that guarantees the accuracy of interchanged data [accuracy is verified by two-way checks], whereas UDP is unchecked - you ask for, you get a data transmission in reply. Once a UDP page is transmitted to you there is not necessarily any more traffic between the two sites. So IE should go quiet.
Go back to that same site and get Process Explorer; set it up with two panels, in the lower panel show DLL's. If you then lclick Iexplore.exe you will get a list of DLL's involved with it - they should all be microsoft signed, plus maybe a Sun java one and ones from any site blocker you may run, and toolbars or browser helpers. See if you can see any duds. The only other thing i can suggest is that you temporarily at least remove your toolbars/helpers. Yahoo, acrobat, bit comet. You could remove the installshield updater also - totally unnecessary to have it. These two:
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
These two are RAM wasters also:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
...and this one - you can start it when you need to know if the sun is shining.. :) :
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
Say how you get on, please.
One other thing - I dunno if …
I really need that vundofix log... cannot make use of/ don't want to suggest actions from the combofix log until i see it. It is proper to run Vundofix until it successfully deletes all files it finds, and its log is additive [cumulative].
they are both WD, boot is 160GB, secondary? is 120GB, so no size issues [anyway]. SATA do not have drivers as such, it is all down to the chipset design. The second hard drive is basically a backup and page drive and once a pgm has it targeted it just uses it normally, no problems; if I want a file from it and it is listed in a pgm's MRU it just grabs it, backup works with it with no interference from me; what irks me is the convoluted way I myself have to follow to access it. And why windows is dumb like this!
That NEC recovery cd will probably be of the type that erases your HD and reinstalls windows plus any other bundled applications, leaving you with an as-new computer... you would lose your data. I'm thinking HD failure here because it would not run. You could burn a bootable cd that allows you to copy off any data files you can salvage. But first I would try to check the HD with windows recovery console by running chkdsk /p. Recovery Console is a mini version of Windows Setup. This iso is one I have used [am plugging in some text I wrote for someone else on this subject]:
Because you may not be in possession of an Xp install CD, here's a boot disc with a recovery console on it; the console runs from the cd so you don't need an xp cd or any files from your C drive. I know it works. All you need is an image burner like Nero 6, CD Writer...
Tips... unzip the file to get the iso and then BURN THE IMAGE. Do not use Data CD or any other mode cos all you will get is a copy of the iso [which you have already...and your new CD will not be bootable]; if you look at the files on your new cd and see .iso mentioned anywhere, start over. If you use Nero 6 then the defaults for image burning are fine, skip the silly advice that you may find on the …
And on that note, i went out of my depth.. :)
All i can see is that you established a connection [do you have a mail account with your IP?], and that then a webpage loaded and your connection just sat there idly with the page displayed. I see no more iexplore traffic. That is not much use to you, I'm afraid. Does Task manager show even after the page loads Iexplore.exe at 98% CPU time? Beats me.
HELP!
Go to this page: http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
and dl TCPView. Install it, run and see what address IE is contacting [if it is using TCP]
==Download Lspfix.exe from http://cexx.org/lspfix.htm -start it by dclicking the .exe, and press Finish.
Post another hjt log.
vundofix still will not run?
I'm on a posting roll.... :)
Why does Firefox [the clean mozilla version] make my pc emit a highpitched buzz when it is loading? The noise is from the mobo, not the sys speaker ... FF alone does it, no other app; when loading of data is over it shuts up. What gives? Add more silicone to something to dampen it? But to what? Does anyone else have this problem? And b4 ppl get funny, my processor is clamped and under a huge dedicated fan, so I doubt that it's actually jumping in its bed.
Ideas?
Now it is my turn to beg, plead ignorance..:) this one has me beaten, and i am tired of googling for a solution.
I recently added a second SATA hd [my boot disk is also SATA, there are no IDE drives on my sys apart from my DVD combo on IDE secondary]. Anyway, my sys knows SATA.... so I plugged in the drive to SATA 02, connected power and turned on, went directly to disk management console and initialised the new drive and next dropped a couple of primary partitions onto it. They are listed as healthy, hardware manager, device manager see the new drive with no errors and enabled. But does Explorer know about it? Oh no, it refuses to list the drive or partitions as present. I could force them into it only by going back to disk management console and rclicking a partition [they are not Hidden..] and selecting Explore. Bingo. Now you see that one in Explorer. Or if you do it to another partition it pops up in a new Explorer window, but never is more than one available in any one Explorer window.
So I can use them... I can copy onto them, out of them, but not between them.... , one is even my working page file. But if I close the explorer window that partition is unavailable to me [but working in background with whatever process may be using a partition.. eg, playing music, or saving to at end of …
aw, heck, i forgot to put an entry in for fixing.. never mind, we'll get it this time.
Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-leave it for the moment.
Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop and leave it for the moment.
Run vundofix again and add these pathnames into the text box:
C:\WINNT\system32\mprsvc.dll
C:\WINNT\system32\cvsrpm.*
Now start hijackthis again and do a Scan Only and check these for fixing if they exist:
O2 - BHO: (no name) - {42BF9090-1DC2-458E-9861-981136481B73} - C:\WINNT\System32\qopmj.dll (file missing)
O2 - BHO: (no name) - {691caa4d-7edb-4243-9a40-c683c6131456} - C:\WINNT\system32\mprsvc.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINNT\System32\tmp29.tmp.dll
O4 - Startup: TA_Start.lnk = C:\WINNT\SYSTEM32\dwdsregt.exe
O20 - Winlogon Notify: mprsvc - C:\WINNT\SYSTEM32\mprsvc.dll
Now for combofix: -- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Good. Start Avenger; select "Input script manually" and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:
_____________________________________
Files to delete:
C:\WINNT\SYSTEM32\dwdsregt.exe
_____________________________________
...and …
guessing.. could be a hidden partition... in which case search won't find it. Try diskmanagement.. go run, diskmgmt.msc, and see if it shows up. If it does rclick it, explore, and you will then see it in folder view in explorer and you can then play inside it.
Yep. This is where you get to do a windows Repair..... grab your installation cd, change your one-time boot to cdrom [F11 at boot?] and go past Recovery Console to Repair section in Setup. You won't lose your data, but your apps will possibly need reinstallation.
For a start you have a vundo infection...
Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Addmore files? line, paste into the new window these two pathnames [one per line]:
C:\WINNT\System32\wreqpihw.dll
C:\WINNT\System32\whipqerw.*
Click the Add Files button, and next the Remove Vundo button.*****
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINNT\System32\fcccbba.dll (file missing)
O2 - BHO: (no name) - {6FE1E89A-0D0C-4701-B2F3-5B682B263E70} - C:\WINNT\System32\jdaqowwc.dll (file missing)
O2 - BHO: 0 - {C29735EF-12F3-4F5D-C586-966CBCFD6984} - C:\Program Files\ComPlus Applications\quda.dll (file missing)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\System32\dnsersnd.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [setup] rundll32.exe …
Run vundofix before combofix; post the vundofix log and a fresh hijackthis log if combofix will not run.... it does not hurt to try it a couple of times, or three, either. Same with vundofix if it sticks.
or download a copy of DOS, load it onto a bootable floppy and then use copy, xcopy...
Ah. Let me enlarge upon my guidances even more. The entries that I have given you are not actual programs, or processes, rather they are particular references in your registry which are instructing windows to start each actual process upon startup of Windows. Deleting these entries merely removes the start instruction, the process itself is untouched and remains available for you to start via a desktop icon or from Start > programs list, or by other means... think of an athlete in the blocks - you would be taking away the starter's gun, but the athlete would still be there ready to go when you umm... push him. Here I give you a complete entry instead of the window's shorthand:
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe becomes:
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe -that is an instruction in a certain area of your registry to start that process upon boot, independently of who is the user. This next one is for you as the user, not necessarily for any other user:
O4 - HKCU\Software\Microsoft\Windows\CurrentVersion\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe -once again, removing this registry entry only removes the auto startup instruction. You can still put an icon up on your desktop to start it manually [if you do not uninstall it via add/remove pgms].
To stop a process from autostarting you have to either remove these entries or change them so they are not read, which amounts to the same thing. You can rewrite them to registry manually, or simply …
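As an added example (not from the post above), a small parser that does the expansion the post describes by hand: it turns a HijackThis O4 shorthand line into the full Run key, the value name, the command, and whether it applies to all users (HKLM) or only the current one (HKCU), and pulls the program path out of the command line. The parser, its function names and the sample lines are this example's own; the key paths are the ones the post gives.

```python
import re
from typing import NamedTuple, Optional

# Full key behind the "HKLM\..\Run" / "HKCU\..\Run" shorthand, as the post spells out.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

# Matches only registry-backed O4 lines; Startup-folder lines (O4 - Startup: ...) do not match.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<command>.*)$")

# Program path at the start of a command line, quoted or not, with or without arguments.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|scr|com|bat|cmd|dll))\b', re.IGNORECASE)


class AutorunEntry(NamedTuple):
    full_key: str     # e.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    value_name: str   # the value name HijackThis shows in [brackets]
    command: str      # the command line Windows runs at logon
    all_users: bool   # True for HKLM (every account), False for HKCU (current user only)


def expand_o4(line: str) -> Optional[AutorunEntry]:
    """Expand one HijackThis O4 line; returns None for lines that are not Run-key entries."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    hive = m.group("hive")
    return AutorunEntry(
        full_key=HIVES[hive] + "\\" + RUN_KEY,
        value_name=m.group("name"),
        command=m.group("command").strip(),
        all_users=(hive == "HKLM"),
    )


def executable_path(command: str) -> str:
    """Return the program the command line starts, dropping quotes and trailing arguments."""
    m = EXE_RE.match(command.strip())
    if m is None:
        return command.strip().strip('"')
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample log lines in HijackThis O4 format.
    sample = [
        r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
        r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
        r"O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe",
        r"O4 - Startup: TA_Start.lnk = C:\WINNT\SYSTEM32\dwdsregt.exe",
    ]
    for line in sample:
        entry = expand_o4(line)
        if entry is None:
            print("not a Run-key entry:", line)
            continue
        scope = "all users" if entry.all_users else "current user"
        print(entry.full_key, "|", entry.value_name, "|", executable_path(entry.command), "|", scope)
```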
Try this. If it is possible to open the recovery partition to the i386 folder....
-Open an Explorer window, search for msoe50.inf -the default location for this file is in the C:\Windows\Inf folder.
-Right click the Msoe50.inf file, and then click Install.
-in the window that opens browse to the I386 folder in the recovery partition, click Open, and then click OK.
The Outlook Express files are installed.
-search for wab50.inf -the default location for this file is in the C:\Windows\Inf folder.
-Right-click the Wab50.inf file, and then click Install.
-in the window that opens browse to the I386 folder in the recovery partition, click Open, and then click OK.
The Outlook Express address book is installed.
May work. Should.... I've just modified the instructions slightly cos normally you get the files off a cd. But all it wants is the location of em.
Say how you go.
24/7. You must be rich. Semiconductors age as current runs through them... of course switching things on/off every 10 minutes is not good either cos thermal shock is another wearntear factor. There is a good medium somewhere in there; my pc takes way under a minute to boot up and I find I can utilise that time in any number of ways. And if I'm going to be away for more than, say, an hour, off it goes. And I have all standby schemes enabled! Up to you.
I understand, tiffini. A lot of those processes in your list are needed, some are vital; the ones I listed can be removed if you so wish; to make the process a little clearer we'll go through them this way.... Note that when I say "fix them" I mean to place a checkmark against each particular entry in the Hijackthis scan report and then to press Fix Checked when you have finished. Hijackthis will then remove those entries from the startup catalog. But google toolbar etc can be removed via add/remove pgms, the java updater can be stopped via the java panel in control panel... I'll regroup everything so that the guide flows a little better.
The google toolbar, it probably came with some other software you installed and you missed de-selecting the toolbar. You can uninstall it from add/remove pgms.
Java. Like a lot of updaters the Java one works well if your pc happens to be connected when the schedule rolls around...so I set this one to manual update [via control panel, java], and just remember to do it every month... the windows update icon appearing is a good reminder to me. I can see that yours is not working anyway, so update now, manually, and delete all old versions in add/remove pgms, and then change the updater.
Now this next bunch I mean you to include in the fix list if you don't want them to run automatically; review each item, and place a …
Hello, equate, you've got a vundo infestation, but we can deal with that....
For a start would you please delete your copy of HJT and put this one into its place...
==download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
Cool. Now please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Addmore files? line, paste into the new window these two pathnames [one per line]:
C:\WINDOWS\efffgd.dll
C:\WINDOWS\dgfffe.*
Click the Add Files button, and next the Remove Vundo button.*****
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Now Combofix
==Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log …
I think this one is a baddie.. suggest you fix it with hijackthis:
O4 - HKLM\..\Run: [film once ooze face] C:\Documents and Settings\All Users\Application Data\pollsupportfilmonce\Sendcomp.exe
...and now delete the file, C:\Documents and Settings\All Users\Application Data\pollsupportfilmonce\Sendcomp.exe
Get rid of this service, it is/was a fake..
O23 - Service: Ntfessmnch - Symantec Corporation - (no file)
To do that go Start, run and enter
services.msc
Find Ntfessmnch, rclick it and select properties, if the Stop button is highlighted click it, and press Apply and OK.
Now go Start, run and enter
sc delete Ntfessmnch
[you can paste that into the run box....]
Orrite. Just to check, please run Combofix.
===Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
And please post a fresh HJT log also.
Hi, kerplosion... you are not the only one who takes a break... and yep, you're still infected according to that last HJT log. Time to get serious.
I need a Combofix log...
===Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
And a fresh HJT log too please.
Heya, tiff, do you like the microsoft home pages? if you do not want them then fix these:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
How about the google toolbar, it probably came with some other software you installed and missed de-selecting the toolbar. You can uninstall it from add/remove pgms.... and then fix these if they remain:
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
Java. Set this one to manual update [via control panel, java], and just remember to do it every month... the windows update icon appearing is a good reminder to me. I can see that yours is not working anyway, so update now, manually, and delete all old versions in add/remove pgms.
How often do you connect your camera? do it manually..
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
How often do you tweak your intel graphics? do it manually...
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
This one checks for HP software updates every start up. Manually, once every couple months would do, really?
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
Do you use …
While in Safe mode start chkdsk with parameter /f ... If that reports no errors then run sfc /scannow with your XP installation CD in the drive.
Post a few details... drive types, IDE or Sata, for eg.
XP [ as you can see!] is not fussy about being on the C: partition, or about being on the first partition, but [like all OS's ?] must be on a primary partition. That's it. So check the pgms which are trying to run at startup.
Hi, chris, use HT to delete these entries n then you will be good... :)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
...either register your soundblaster card or remove this reminder..
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
that won't work, karen, we need some detail. post your error, some symptoms and an HT log. Help us help you.