just cos you can, shutdown windows automatic updates via control panel security centre. Restart, and tell us what happens.
It is possibly not much help, but perhaps you have a corrupted IE add-on such as a toolbar etc.. I suggest you use msconfig startup section to temporarily stop unnecessary IE related items from starting. A process of elimination....
Go start > run, type msconfig -and enter. Uncheck all unnecessary items [you can recheck them later if ok], and restart.
Tell us what happens...
Heya, sleepy, would you do these things for me, please? First off, hijackthis is running from an unsafe [for your sys] location. Please delete it and dl a new copy:
==download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; next press the Open Misc Tools button and then the Generate Startup List log, and yes. Post that log.
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's neater that way.
Now run Ccleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Next select the Applications tab and Run Cleaner again.
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here with that startup list.
I use emule... i have not seen any fake mp3 files there. Limewire put up plenty. Delete all your combofix, SMF files and tools and backups -next time you need them :) they will have been updated.
And just check that a new restore point is made.
Cheers, it's been fun.
ok, thanks, growler... it read the keys okay. I was trying to check whether these entries from a Smitfraudfix log were still there:
smitfraudfix:
HKLM\SYSTEM\CCS\Services\Tcpip\..\{20689ED6-9A8C-480D-8D42-438F6CEA161D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\SYSTEM\CCS\Services\Tcpip\..\{29210358-60B4-47B9-8EA9-3D2642170A7D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\SYSTEM\CS3\Services\Tcpip\..\{20689ED6-9A8C-480D-8D42-438F6CEA161D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\SYSTEM\CS3\Services\Tcpip\..\{29210358-60B4-47B9-8EA9-3D2642170A7D}: DhcpNameServer=85.255.116.104,85.255.112.229
..if they were i would have helped you delete them, but it appears they are gone. So I think you should be clean to go... come back if anything pops up again. I assume you have suffered no redirections since when you mentioned surfing was okay?
c:\rq.txt? It should hang around, it's only a text file....that is the one i want...
Growler, Panda came up clean [it did break a legitimate file in Smitfraudfix, so that won't run any more..], but there are a few reg entries in your sys that I would like to see - this batch file will write them to a file, c:\rq.txt. Could you please post it?
To run the batch file simply copy the text between the lines to a notepad and save it to your desktop as serverlist.bat
Just dclick the icon to run it - you will see a black window flash and that will be it done.
_________________________________________________________
reg query HKLM\SYSTEM\CurrentControlSet\Services\{20689ED6-9A8C-480D-8D42-438F6CEA161D} /s > c:\rq.txt
reg query HKLM\SYSTEM\CurrentControlSet\Services\{29210358-60B4-47B9-8EA9-3D2642170A7D} /s >> c:\rq.txt
reg query HKLM\SYSTEM\ControlSet003\Services\{20689ED6-9A8C-480D-8D42-438F6CEA161D} /s >> c:\rq.txt
reg query HKLM\SYSTEM\ControlSet003\Services\{29210358-60B4-47B9-8EA9-3D2642170A7D} /s >> c:\rq.txt
_________________________________________________________
...if i've made an error in the pathnames the file will most likely be empty; no harm will be done, but just tell me, ok? If you are not getting redirected now they are doing no harm in there....if they still exist.
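An added check of my own (not growler's code or anything from this thread) that reads the rq.txt produced by a batch like the one above, or the DNS lines of a SmitfraudFix log, and flags every DhcpNameServer/NameServer entry naming a resolver that is not on an allow-list. The expected resolver 192.168.1.1, the key path under Tcpip\Parameters\Interfaces and the sample data are constructed assumptions; the GUIDs and 85.255.x.x addresses are the ones quoted in the thread.

```python
"""Flag unexpected DNS servers in Windows TCP/IP interface registry data.

Added example (not part of the original thread): parses either the output of
`reg query ... /s` (what a serverlist.bat writes to rq.txt in the C: root) or
the DNS lines of a SmitfraudFix rapport.txt, and reports every DhcpNameServer /
NameServer value that contains a resolver not on the allow-list.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Assumption: the only resolver this machine should ever be handed is its
# home router. Adjust to the ISP / corporate resolvers you expect.
EXPECTED_RESOLVERS = {"192.168.1.1"}

DNS_VALUE_NAMES = {"DhcpNameServer", "NameServer"}

# reg query: a key header line begins with a hive name and has no spaces.
_KEY_LINE = re.compile(r"^(HK(?:EY_)?[A-Z_]+\\\S*)\s*$")
# reg query: an indented "name  REG_TYPE  data" value line.
_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*?)\s*$")
# SmitfraudFix: "<key>: <name>=<data>" on one line.
_SMF_LINE = re.compile(r"^(HK\S+):\s+(\w+)=(.*?)\s*$")


def parse_dns_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every DNS-related value in text."""
    entries: List[Tuple[str, str, str]] = []
    current_key = None
    for line in text.splitlines():
        m = _SMF_LINE.match(line)
        if m:
            key, name, data = m.groups()
            if name in DNS_VALUE_NAMES:
                entries.append((key, name, data))
            continue
        m = _KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_LINE.match(line)
        if m and current_key:
            name, _reg_type, data = m.groups()
            if name in DNS_VALUE_NAMES:
                entries.append((current_key, name, data))
    return entries


def split_servers(data: str) -> List[str]:
    """Windows stores several resolvers separated by commas or spaces."""
    return [s for s in re.split(r"[,\s]+", data) if s]


def find_rogue_dns(text: str, expected=EXPECTED_RESOLVERS) -> List[Dict[str, object]]:
    """Return one finding per value that names a resolver outside `expected`."""
    findings: List[Dict[str, object]] = []
    for key, name, data in parse_dns_entries(text):
        rogue = []
        for server in split_servers(data):
            try:
                ipaddress.ip_address(server)
            except ValueError:
                rogue.append(server)      # not even an IP address: report it too
                continue
            if server not in expected:
                rogue.append(server)
        if rogue:
            findings.append({"key": key, "value": name, "servers": rogue})
    return findings


# Constructed sample of reg query /s output for two interfaces (assumption:
# interface keys live under Tcpip\Parameters\Interfaces; GUIDs from the thread).
SAMPLE_RQ_TXT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20689ED6-9A8C-480D-8D42-438F6CEA161D}
    DhcpServer    REG_SZ    192.168.1.1
    DhcpNameServer    REG_SZ    85.255.116.104,85.255.112.229
    NameServer    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{29210358-60B4-47B9-8EA9-3D2642170A7D}
    DhcpNameServer    REG_SZ    192.168.1.1
"""

# Constructed sample of the SmitfraudFix DNS section: two lines from the
# thread plus one legitimate interface that points at the router.
SAMPLE_SMF_LOG = r"""DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{20689ED6-9A8C-480D-8D42-438F6CEA161D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\SYSTEM\CS3\Services\Tcpip\..\{20689ED6-9A8C-480D-8D42-438F6CEA161D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: DhcpNameServer=192.168.1.1
"""

if __name__ == "__main__":
    for sample in (SAMPLE_RQ_TXT, SAMPLE_SMF_LOG):
        for f in find_rogue_dns(sample):
            print(f"{f['key']}\n   {f['value']} -> {', '.join(f['servers'])}")
```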
Contentment is important. My AVG is free. That is important also.
AVG works for me -it's where I have ended up.... it has not let me down, is unobtrusive, it is easy on resources and the downloads go thru every day faultlessly. No need for me to look at others right now.
There should only be one desktop.htt in each user's Application Data\Microsoft\Internet Explorer folder. Delete it, because it will be regenerated. And restart; log off/on should work also... other users may have to do the same with their file.
You have a worm which can allow remote control of your computer; your secure information is at risk. I take it you still have access via task manager's File>Run? Then I'll start you off with a fix, but hopefully someone-else will come in to pick up the trail.
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's neater that way.
Now run Ccleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Next select the Applications tab and Run Cleaner again.
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file. Post the log file along with a fresh hijackthis log, please..
I would like to see that vundofix log, please. No matter that you doubled the pasting, but keep in mind that deletion of text is always an option.. :)
Explanation of the SSRem.reg file: This was an "automatic" way for you to remove a registry value, and meant merely to save you entering the registry and doing it manually as I had listed above in that post.
More clearly:
..save the text between the lines as SSRem.reg to a scratch folder [copy the text to a notepad and Save as SSRem.reg - select Save as type "All files"] , dclick it and agree to merge it with registry; else if it then just opens in notepad then rclick the filename, select Open with, and Registry editor.
_________________________________
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundService"=-
_________________________________
SSRem.reg is just a name i made up that had some meaning, for SoundService Removal. The .reg extension is recognised as a registry editor file type, meaning that execution will merge that instruction in the text with the registry. Any name will do as long as the extension is .reg -eg sosweet.reg
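A dry-run parser, added here as my own example (not code from this thread), that reads a .reg script such as SSRem.reg above and lists what a merge would do: `"name"=-` deletes a value and `[-key]` deletes a whole key, which is the form used by later scripts in this thread (Grfix.reg, wclkrem.reg). The SET_REG sample with a dword and a hex continuation line is constructed.

```python
"""Dry-run summary of a .reg script before it is merged.

Added example (not part of the original thread): parses a "Windows Registry
Editor Version 5.00" script and lists exactly which keys and values a merge
would delete or set, so the change can be reviewed before double-clicking.
"""
import re
from typing import List, Tuple

HEADER = "Windows Registry Editor Version 5.00"

# [KEY] selects a key; [-KEY] deletes it and everything beneath it.
_KEY = re.compile(r"^\[(-?)([^\]]+)\]$")
# "name"=data or @=data; data "-" deletes the value, anything else sets it.
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))\s*=\s*(.*?)$')

Action = Tuple[str, ...]


def _logical_lines(text: str) -> List[str]:
    """Drop blank/comment lines and join hex data continued with a trailing backslash."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        s = raw.strip()
        if buf:
            s = buf + s
            buf = ""
        elif not s or s.startswith(";"):
            continue
        if s.endswith("\\"):
            buf = s[:-1]
            continue
        out.append(s)
    if buf:
        raise ValueError("script ends inside a continued line")
    return out


def parse_reg_script(text: str) -> List[Action]:
    """Return the list of actions a merge would perform, in order."""
    lines = _logical_lines(text)
    if not lines or lines[0] != HEADER:
        raise ValueError("missing or unsupported .reg header")
    actions: List[Action] = []
    current_key = None
    for line in lines[1:]:
        m = _KEY.match(line)
        if m:
            delete, key = m.groups()
            if delete:
                actions.append(("delete_key", key))
                current_key = None      # values under a [-key] line are meaningless
            else:
                current_key = key
            continue
        m = _VALUE.match(line)
        if m and current_key is not None:
            name = "(Default)" if m.group(2) else m.group(1)
            data = m.group(3)
            if data == "-":
                actions.append(("delete_value", current_key, name))
            else:
                actions.append(("set_value", current_key, name, data))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return actions


def describe(text: str) -> List[str]:
    """Human-readable one-liners, e.g. for pasting back into a support thread."""
    words = {"delete_key": "DELETE KEY", "delete_value": "DELETE VALUE", "set_value": "SET VALUE"}
    return [words[a[0]] + "  " + "  ".join(a[1:]) for a in parse_reg_script(text)]


# The scripts as posted in this thread.
SSREM_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundService"=-
"""
GRFIX_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=-
"""
WCLKREM_REG = r"""Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winclk32]
"""
# Constructed example that sets values, including a hex continuation line.
SET_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\ExampleOnly]
"Enabled"=dword:00000001
"Blob"=hex:01,02,\
  03,04
"""

if __name__ == "__main__":
    for script in (SSREM_REG, GRFIX_REG, WCLKREM_REG, SET_REG):
        print("\n".join(describe(script)), end="\n\n")
```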
Interesting. Although you do not have all the usual signs of it, you do have what appears to be a vundo infection... so just in case something else is hidden would you rename hijackthis.exe to.. umm... imabunny.exe for the next scan, please?
Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt plus a new HijackThis log.
and hope like hell that the power stays on, or ....
Anyway, nothing will fry, it is just that if something is working fine, then why try to fix it? With attending risks. Up to you.
Well, if one product found something, scanning with another will not hurt. Please run this online scan: http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here - and if it looks like i'm bouncing you around a bit it is because i cannot see what wrote in those DNS entries, and why they were hidden. Are you still being redirected?
i meant the stock of floppies - instead of tossing them they put them in your build at no charge. Unless you specify one, i guess.... But it is there, and I use it occasionally... jb is right too, loading raid drivers is simpler with a floppy drive on board.
Error loading c:\WINNT\System31\ypyovicr.dll . It says this DLL could not be found. -this comes from a registry entry pointing to a malware file which is not there. When you install XP SP2 that reg entry will be gone too. Win backup is on your XP-sp2 disk - just insert it to play, not boot from it, go to additional tasks, browse to find ntbackup.msi, dclick it and it will install.
But do what dcc suggests, copy off important DATA files to a backup medium and then wipe or do a full format of your hd, and install away.
Zonelabs free works fine with sp2 - i use it, never a problem. There are others. A great virus scan is Panda's online version. Actually installing a new OS will write in a new registry and that coupled with a format will make any virus files remnant so broken that they could not be salvaged by anything. Likewise any genuine apps. May i give a hint? put XP into its own partition, say 8GB, and all your data and 3rd party apps in other partitions...
anand, very simply, a boot disk passes a little bit of code to BIOS so that BIOS gives control over to the OS that is on the boot disk...it may be DOS, Recovery Console [very limited OS unless tweaked], Linux, even XP as caperjack pointed out. It does not have to be a disk, or floppies, it can be an external hd or a thumb drive..
If you would like one now is certainly the time to make it when your sys is working fine. Here is a canned speech I gave someone else...
Because you may not be in possession of an Xp install CD, here's a boot disc with a recovery console on it; the console runs from the cd so you don't need an xp cd or any files from your C drive. I know it works. All you need is an image burner like Nero 6, CD Writer...
Tips... unzip the file to get the iso and then BURN THE IMAGE. Do not use Data CD or any other mode cos all you will get is a copy of the iso [which you have already...and your new CD will not be bootable]; if you look at the files on your new cd and see .iso mentioned anywhere, start over. If you use Nero 6 then the defaults for image burning are fine, skip the silly advice that you may find on the web. Burn it to a CD-RW if you wish; there is …
anbullet, upgrading your BIOS code is not something to be taken lightly - if the flash goes wrong your sys may not start at next reboot. Pretty much, your current BIOS code would be well capable of handling your devices - only if you were considering a major device upgrade that was outside the capabilities of your current BIOS would you bother upgrading it.
Well, i hope you salvaged your desktop. If desktop related files are deleted that can be the result... Safe mode entry - it can take a couple of tries using F8 -most continually tap the key during POST [with some keyboards that have dual function F keys you must remember to hit the f-lock key !!]
Now smitfraudfix has turned up four DNS settings that seem to be hidden from hijackthis. I could give you a registry script to remove them, but I cannot see what has written them in... I want to find that.
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{20689ED6-9A8C-480D-8D42-438F6CEA161D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\SYSTEM\CCS\Services\Tcpip\..\{29210358-60B4-47B9-8EA9-3D2642170A7D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\SYSTEM\CS3\Services\Tcpip\..\{20689ED6-9A8C-480D-8D42-438F6CEA161D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\SYSTEM\CS3\Services\Tcpip\..\{29210358-60B4-47B9-8EA9-3D2642170A7D}: DhcpNameServer=85.255.116.104,85.255.112.229
[the others in the log are your net host]
==Run a BitDefender online scan: http://www.bitdefender.com/scan8/ie.html - and post the results, please.
And you need to move hijackthis to a more secure [for backups] location - a folder in the C:\ root would be fine. While you are at it, rename hijackthis.exe to grumpy.exe and post a new log. Please. [and weekends off are fine by me... timeliness bothers me not]
floppy drives.... my current sys.. when i got it built i said no floppy, please. But the builders said we put one in anyway cos we had them, no charge to you. Floppies are never gonna die..... whatever happened to rubbish bins for junk?
i am only guessing here, but it would be one of your startup pgms looking to use a drive that it is configured to expect to be there, but which is in fact not. Could be this one:
O4 - HKCU\..\Run: [Creative Detector] H:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
.work your way thru the list of startups [O4 entries] and check which ones use drive media, and are they setup correctly. Some could be removed with no problems to you.
hi, fish, nope, it should not be in that folder as it runs only from c:\windows\system32.
msdtc.exe version 2001.12.4414.258, 8192 bytes on disc is my copy. I think you can delete it safely.
k. well, you could dl that file to a floppy n copy it in during safe mode. If you don't show us what you've got, not much we can do to help. Some of the best AV scans are online also. Don't be afraid of giving Panda a virus, or copping one from them. If you think you have one then it is hard to beat going online to their site only, and doing their online scan. [you'd have windows firewall on, of course, as a bare minimum, a better one would halt outgoing gear, such as Zonealarm.]
==Try an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
one other thing... if u can start it in safe mode with networking dl hijackthis n post a log. Someone will peruse it.
HiJackThis
===download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-Click the Scan and Save a Logfile button. Post the log here.
Very likely it is a problem with the loading of one driver. You could try Last Known Good Configuration [get into the Windows advanced Setup menu using F8 during POST]. If that does not work then try to start in safe mode. If it starts there, then compare the boot log [an option in adv setup] from your failed start to the safe mode start - you may be able to identify the problem driver. Other than that you can try system restore [an option given during loading of win Adv. Setup]
Hi, thank you for the log[ i c you ran combofix 3 times..?]
Fix this entry with hijackthis:
O4 - HKCU\..\Run: [Zrq] "C:\Documents and Settings\fish\My Documents\M?crosoft\m?dtc.exe"
Now to remove the file - you must be careful. The ? in m?dtc.exe stands for a random letter, but not "s" because there is a legitimate file in C:\Windows\system32 called msdtc.exe. Simply search in C:\windows\system32 for dtc.exe - any file turned up which is not msdtc.exe is invalid. Delete it.
And then I think you will be clean.... After doing the above, how is everything?
Kristy, let's try something else to get IE running... this is to check that the processes IE uses are correctly registered in your well, registry.. :). I wanted the CD or the i386 folder to check that the process libraries [dll's] were not broken, but we'll do this first.
Go Start, run, and paste in the first line below and press Enter. Wait as each dll is registered - it will display a window indicating the file ran successfully [or failed - don't worry about that..], after which you click OK.
regsvr32 urlmon.dll mshtml.dll shdocvw.dll browseui.dll jscript.dll vbscript.dll scrrun.dll msxml.dll actxprxy.dll softpub.dll wintrust.dll dssenh.dll
Now paste this line.... same process to follow.
regsvr32 rsaenh.dll gpkcsp.dll sccbase.dll slbcsp.dll cryptdlg.dll oleaut32.dll ole32.dll shell32.dll msjava.dll hlink.dll Schannel.dll Rsabase.dll initpki.dll
Tell me how you get on with IE now.
You may as well get this done before you post that combofix log:
Start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-Select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O2 - BHO: (no name) - {3192D21D-11F6-5955-A13F-1BE33694A9EB} - C:\WINDOWS\system32\eqlzhcv.dll (file missing)
O2 - BHO: (no name) - {31978F4B-17F2-5F54-A13F-1BE33694F2BD} - C:\WINDOWS\system32\wulkr.dll (file missing)
O2 - BHO: (no name) - {34C38E1D-47F6-0901-A33F-1BE33694AFEE} - C:\WINDOWS\system32\enknr.dll
O2 - BHO: (no name) - {6090DC4C-1BF6-5C05-F03F-1BE33694A8EA} - C:\WINDOWS\system32\hmbmagqb.dll (file missing)
O2 - BHO: (no name) - {619F8F19-46F0-0351-F63F-1BE33694AAE8} - C:\WINDOWS\system32\otdlpccq.dll (file missing)
O4 - HKCU\..\Run: [Ebc] "C:\DOCUME~1\fish\APPLIC~1\CROSOF~1.NET\notepad.exe" -vt yazb
Right, now run a new hijackthis scan, post its log also.
Hey!! I need that combofix log!!
Well i hope it is fixed.:), cos all i can find is that it is an error message, possibly generated by an installer....[ that is why i got you to remove MyWay [apart from which it is a pest], and asked about ZA [it could be that some remnant is playing up after uninstallation..]]; or by a full temp inet file folder, which CC cleaned out.
So - basically, I don't know... but if it is gone, well, that has to be good.
Cheers, g.
Nothing shows as bad in that log. Panda Platinum has its firewall running, it should automatically shut down windows firewall... did you ever have and uninstall zonealarm firewall?
"It's strange because I have AVG antivirus/spyware protecting me, but it's happened again. Is AVG not doing its job? What is a good piece of software to actually stop my browser from catching... dodgy software"
The world is a complex place - if one piece of software could do that there would be no others in the game. But you have a problem, cos you have two resident AV services [norton-symantec and avg] - they spend so much CPU time checking each other's databases n operations that it's almost no wonder they don't check the real world. Seriously, they interfere - you MUST remove one.
Done that? Good, now: Combofix
===Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Now delete that copy of hijackthis and install a fresh copy in a folder alongside program files - this is for your sys's security. Rename it to tuna.exe and produce a fresh log. Someone will go over them for you.
If you wish to clean it up then, seriously, you should reinstall windows. Do you have the installation CD? Or is it one that came with a System Recovery folder on the HD? Perhaps that is accessed by F10, or Alt-F10, or somesuch keycode during POST...Recovery would take it back to the as-new status. Small tip. Adobe reader -unless you use it professionally to produce pdf's, get Foxit -it's free also, but farnaway better. Smaller. Update Java and install SP2.
I'm wondering if those GLB...tmp processes are anything to do with your searchbar. I see that you still have MyWay Searchassistant there, courtesy DELL. We can get rid of it first off.. First see if it is listed in Add/remove pgms list - remove it if able, then..
Go start > run, paste: MsiExec.exe /X {78d944d7-a97b-4004-ab0a-b5ad06839940}
-and Enter. If it is found click yes at the prompt.
Next delete the MyWay files/folder in Program Files [use myway as a search string...].
You could also use myway as a search string in regedit and delete all references... BUT BE CAREFUL in there!! - you can skip this step.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
But that may not solve your problem with GLB...tmp - you could try running ComboFix -it will remove a range of malware but it gives us a snapshot of recent file additions and some startup entries in the registry.
Combofix
===Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
...or this new one: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
-- to run it dclick combofix.exe and …
Gee, looking thru that smitfraudfix log - it's just like we fixed nothing! The key value that script should have removed is even back. Run the SMF clean as per instructions below and post that log. [If SMF option 2 is run without a SM detection it removes your desktop...]
Now run the clean option with smitfraudfix:-
- Disconnect from the net
- Check that a Restore point has been made.
- Go into safe mode.
- Start Smitfraudfix as before and press 2, Enter.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
Reboot into normal Windows and post here the text file which will appear on your screen, along with a new HT log.
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]
char, you can expect any scanner like adaware to take up a bit of puter power... they do intensive n fast searching, string matching and so on... you can slow them down by cutting their priority?.. but then they run longer, so what's the gain. But spywareblaster??!! it just sits in the background sort of like a hosts file opposite, as a blocker - i wouldn't expect to see its process unless i was tracking it. It shouldn't use anything over time, realistically.
great, slappey. cleaned. If there are no other symptoms i'd say you are ok.
Growler, if u opened the extracted folder and dclicked smitfraudfix.cmd a cmd window should have opened with a disclaimer, followed by a window with options. Remove that copy and dl a fresh one... although zipped archives seem to know if they are corrupted... That is all i can advise.
How is the sys?
Interesting that those hid from hijackthis... there are a couple of registry entries that could be fixed, but they point to files which are missing... do this to see if it comes up with traces also of the same worm:
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:.. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
When you are finished reboot to normal Windows mode and send that Smitfraud log in....plus a fresh ht log.
Copy the text between the stars to a notepad; save it as Grfix.reg to your desktop or to a scratch folder, dclick it and go Yes to merge it with your registry [you may have to follow thru Open with... if it opens with notepad when you dclick it].
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=-
***************************************************************************
Do a search for this file: kdayj.exe -delete it if you find it.
Darn tricky. Just so we can see changes made to files recently pls run this [it also detects and removes certain malware.]
==Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
You might also rename hijackthis.exe to searcher.exe cos some malware detects it and stops running so as to hide.
AVG broke? -that can happen. Uninstall it and reload, update; if you did not keep the original installer somewhere to reuse just dl a new copy.
Kristy, navigate to this file and delete it: C:\Documents and settings\Kristy\My documents\Scurit....?\ATTRIB....?.exe
If that works then delete the folder Scurit..?
Could not do it? Then download this program Unlocker 1.8.5 from http://ccollomb.free.fr/unlocker/ -install it. Then just rclick on ATTRIB....exe and select Unlocker from the menu, delete and Ok.
Still could not do it? Then save the text below as a batch file: copy all the text between the stars below to a notepad [turn OFF wordwrap!!], name it bugremv.bat and save it [as All files] to your desktop.
Restart in Safe mode and dclick the icon to run it. It will list to a text file in your C:\ root folder, C:\krquery.txt - post me that file please. If you need to use this method I have made the cmd screen pause [hit any key..] so that you can read if it carries out the delete command successfully - tell me if..
**************************************************************
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v TTRIB~1 > c:\krquery.txt
rem change into the current user's My Documents, wherever the batch was started from
cd /d "%USERPROFILE%\My Documents"
del /F SCURIT~1\TTRIB~1.EXE
rem remove the (now empty) folder itself
rd SCURIT~1
pause
**************************************************************
Do you have in your puter an i386 folder somewhere? It could be C:\i386, or you may have a hidden partition D:\ [to see if that exists start Disk Management: go run, diskmgmt.msc -and Enter. Tell me what …
Thank you very much for the detailed feedback; about the best i've received [some folks you have to pick up n shake to get responses...]. I don't see any problems left, fixes seem to have gone smoothly so if you are happy delete the avenger backup folder and the vundo text, and the tools... no sense keeping what will be out of date in a month or so.
Thanks for the info on Partizan.
How's the sys working now?
Remember to update Java from control panel entry; then use add/remove pgms to delete all old versions.
That was a bit of a brief comment, perhaps, but I have been thru your log, and see nothing. The internet redirection showing in your first log is fixed - please give me a better idea of the symptoms.
Copy to notepad and save the lines between the stars as a file named wclkrem.reg to your desktop or C:\. Dclick it and answer Yes to merge it with your registry [it removes an entry to a malware file].
***********************************************
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winclk32]
***********************************************
Okay then.. moving on.... A point to make - I have included in the block of files to delete with Avenger one called partizan.exe: I can say that it is very doubtful..., but if you wish delete it from that list and instead go in to system32 and rename it to partizan.xbak [the x tells you it is an exe, right? if you need it back for a legit pgm..]
I don't know if you still have Vundofix [yours was the latest...] so here is the addy anyway.
[Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4 ]
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Addmore files? line, paste into the new window these two pathnames [one per line]:
C:\WINDOWS\SYSTEM32\vtsqo.dll
C:\WINNT\system32\oqstv.*
Click the Add Files button, and next the Remove Vundo button.*****
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart …
After a restart?
i am out, totally out, of mouse batteries. It took me 5 minutes to navigate here with the keyboard!! So i'm off to bed; tomorrow I shall look at those logs.
What is inside folder C:\3B54105..... or similar?
Most of those "not found" files in the Avenger log you just posted were deleted in the #38 run - that's fine. What is the file in the middle of that list above- C:\Docs and SETS\...\KRISTY\....TTRIB~1.exe ?? I think that is a problem to us... I'll work on it.
..and do a search for this file, pls [it is referenced in reg..]
winclk32.dll - i suspect it is/was in system32 - if you find it give me the path.
Please rename hijackthis.exe to imabunny.exe, start it, do a Scan only and place checkmarks against the following for fixing, and press Fix Checked.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {69DC2C3D-BE96-4FEF-9878-E037F4090FB3} - C:\WINDOWS\system32\tjffrcyb.dll
O2 - BHO: (no name) - {721E3FFB-25B3-4CF7-A5DF-53D14BAE4183} - C:\WINDOWS\system32\vtsqr.dll (file missing)
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - (no file)
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\xsapvtde.dll",realset
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\-Raven-\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O20 - Winlogon Notify: winclk32 - winclk32.dll (file missing)
Post a new HijackThis log. While I enjoy scanning your combofix log. Cynical swine.
-actually, these are my "crossword puzzles"
-could I see your old vundofix log also, please... combofix shows some files as once being there.. i cannot tell if they are still there without your log.