gerbil 216 Industrious Poster

..you didn click that Firefox/mozilla button in ATF cleaner, did you? - it would have cleaned out all those cookies which AVG found.... you always run a cleaner before scans like that. Anyway, with explorer working again can i have any Avenger log that you may have, please? I'd really like to see it... before you delete any files it backed up.
Are all your links - icons, start menu etc working okay, now? AVG came back clean, so I think you are safe now. You can run sfc in normal mode... note that space in there... paste this into the run textbox... :)
sfc /scannow

gerbil 216 Industrious Poster

..remove the startup entry, then delete it in safe mode.

gerbil 216 Industrious Poster

Nothing else to do that I can see. Avenger warns if it cannot find a file - it assumes the script is wrong. So it is gone.
Hope you cleared sys res as i said...
Cheers, g.

gerbil 216 Industrious Poster

Cheers, cobra, glad to be of help.
g.

gerbil 216 Industrious Poster

Mezza, I'm off to bed now... when AVG has finished its run... do you have the install cd for 2000?...you may have to do this from safe mode cos we need command.exe, so go into safe mode with command prompt, and type:
sfc /scannow - and insert the cd. Press enter as often as it takes...
This may cure the explorer/link problem... but I think a few registry entries have been corrupted. Tomorrow...

gerbil 216 Industrious Poster

Avenger put up the error because ComboFix got two of the files previously. I cannot see yet that it got this one, so please try Avenger again, but only enter this pathname into the script box...

C:\WINNT\system32\ggoyadys.dll


Next, download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
===GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to Quarantine, and run the scan. Save the log file and only then click Apply all actions. Post the log file.

...we are getting there, the HT log is clean...

gerbil 216 Industrious Poster

Be cool, VundoFix did its job in those runs, even with that msg. Now to fish out some others. But first, you can open Task Manager with Ctrl Alt Del; with any tab other than Networking you can use File > New task to get a run box. Type explorer into that. Dija get windows explorer opening? Can i have that vundo log now?
Anyway, Combofix: I'd like you to run this just so that I can see a bit of what went on in your sys; It may find a few malware issues also.

===Download this file
...or from here
-- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Back to hijackthis...rescan [Scan Only] and place checkmarks against the following if they exist, and press Fix Checked.

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\aseaptlg.dll
O2 - BHO: (no name) - {2F68DBD1-057A-49FF-943C-5EB7E98FFF88} - C:\WINNT\system32\ddmslvtr.dl
O2 - BHO: (no name) - {604A0F9C-F7E8-4CC1-9F07-4C81E1CE1200} - C:\WINNT\system32\jkklj.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINNT\system32\aruqsfky.dll (file missing)
O2 - BHO: (no name) - {9D7EF71F-92F4-4E1E-93DE-E21436E4C815} - C:\WINNT\system32\pmnmlml.dll (file missing)
O2 - BHO: (no name) …
gerbil 216 Industrious Poster

Fix these:
O1 - Hosts: 209.190.85.230 maplesea.com
O2 - BHO: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)

Now, if you go Start, run and type:
control -does that give you the control panel in some form?
What about from start > control panel? does that work?
Now, if you go run:
explorer -does that give you access to your folders?
Do the other links to pgms from the start menu work?

gerbil 216 Industrious Poster

I cannot leave you swinging in the breeze like this..... but be WARNED!! Windows 98 came out before I was born - I know nothing about it; I don't think I am suggesting below that you kill some vital components, but I can't be located if I have!! The dll's and exe's are a bit different to those i am used to seeing.... gulp.
Firstly, and so very important considering what I have just said:
==download a fresh copy of hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then remove the Hijackthis.exe you have on your desktop -reason being that HT makes backups into its folder, n we don't want to lose those, do we? On the desktop they would be so vulnerable.....
Start it, do a Scan Only, and then place checkmarks against all of the following, and press Fix Checked, and stand way back.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - blank (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - blank (file missing)
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.EXE
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: AOL Toolbar - …

gerbil 216 Industrious Poster

REPOST!!!! -ignore the one above.

"""I was able to do everything except
""select “Input script manually” and then click the magnifying glass icon. Paste into the box this line:- C:\avenger\backup.zip""
I could not find the option in the AVG program??"""

Heh!, no, you would not. That is in the program Avenger which was to be downloaded from the swandog link -it is a comprehensive process removal tool which also searches the registry for associated entries. Here are the instructions again [written with more clarity]:
_______________________________________________________________
You must be in an Administrator-privileged account to run this procedure...
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
-unzip it to your desktop and start it; select “Input script manually” and then click the magnifying glass icon. Paste into the box this line:-

C:\WINDOWS.0\msmpls.exe

...and click Done, and finally the green light.
Follow prompts to reboot your machine.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt

Please post that log file.
____________________________________________________________

--or did you do that Avenger fix already? -if you did then post the log from that earlier run!!
No matter if you repeat the Avenger run afterwards, but i cannot see the file now, and AVG did not get it....
A couple of other things... if ever you need HT …

gerbil 216 Industrious Poster

Heh!, no, you would not. That is in the program Avenger which was to be downloaded from the swandog link -it is a comprehensive process removal tool which also searches the registry for associated entries. Here are the instructions again:
You must be in an Administrator-privileged account to run this procedure...
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
-unzip it to your desktop and start it; select “Input script manually” and then click the magnifying glass icon. Paste into the box this line:-

C:\WINDOWS.0\msmpls.exe

...and click Done, and finally the green light.
Follow prompts to reboot your machine.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt

Please post that log file.

Svchost.exe. Yep, very normal. Svchost handles services from dll's that are running on your machine - it groups them and their processes and runs each group under one svchost process.

gerbil 216 Industrious Poster

From our points of view - no! From its viewpoint? hah!, it's just doing its job as it knows it.
===Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
Reboot into safe mode with command prompt. Type:
services.msc -and press Enter. In the services window find Power Manager, rclick the line, go properties, and in that window select Stop, set the startup type to Disabled, Apply and Ok.
Still in safe mode, run hijackthis Scan only and repeat the fix from my previous post.
==Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Make now a fresh hijackthis log and post it, along with the contents of the file Report.txt here.
[If you ran Spyware Doctor that should have removed the associated trojan.]
Could you please also reply to my icon questions in the previous post, and let me know …

gerbil 216 Industrious Poster

Good-oh, glad to hear it. Resident AV's mesh closely and deeply with your OS; there are bound to be conflicts, not least as they investigate each other's virus signatures!
Cheers, g.

gerbil 216 Industrious Poster

It is fairly important to get VundoFix to clean up your infection - there are a lot of vundo files in there... I have added some lines to the instructions - follow these instead [if you see that warning again just close it and continue]; try to run vundo a few times, repeat the scan after it appears successful.
[Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4]
Double-click VundoFix.exe to start it, click the Scan for Vundo button.

****When the scan completes rclick inside the white text box, lclick the Add more files? line, paste into the new window these two pathnames [one per line]:

C:\WINNT\system32\pmnmlml.dll
C:\WINNT\system32\lmlmnmp.*

Click the Add Files button, and next the Remove Vundo button.****
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

I don't like to be pedantic but for your next posts, especially those with logs, please turn OFF wordwrap in notepad. Also the full hijackthis header is necessary [with version].
First off, and very important it is, you must decide which resident AV you wish to keep and uninstall the other. They conflict badly, and you may find it necessary to uninstall both, restart and install one. A resident and an on-demand scanner is not a problem.
Start HT and do a scan only, put checkmarks against these two entries and press Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://home.netscape.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Update your java from its panel, then uninstall all older versions via control panel add/remove pgms function.
The buffer overrun? See how you get on once this is done - it is caused when poor scripting allows too many characters to be fed via a variable into that variable's buffer - the excess characters run into the next script lines and disrupt them. Some trojans test this way for weaknesses, but i don't see any there. You may have recently installed a shonky pgm....
[see, Joe? I left the viewpoint alone cos it's not the issue here.. :) ]

gerbil 216 Industrious Poster

==download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files. Remove the Beta.
For a start you have a vundo infection... so just in case something else is hidden would you rename hijackthis.exe to.. umm... imabunny.exe for the next scan, please?

Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it, and click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will shutdown your computer - click OK.
Restart your computer and post the contents of C:\vundofix.txt plus a new HijackThis log run from imabunny.exe [or whatever..] this way:-
== start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-Click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Btw, so if you must one day reinstall XP now is the time to partition so that the XP OS lives in its own volume [about 8GB is good for home, give pro 10GB], apps in another, data in a third... Move out from the OS volume into data all the temp files, OE stores, My Docs.... This way the OS can stretch out and get comfortable, relatively undisturbed by additions and deletions. XP rearranges itself so that the bits it uses most are more convenient to access. Creepy. The payoff? Well, if you reinstall XP only the OS and the Apps volumes get broken; your data is undisturbed. Apps away from the OS? yep, cos you are always changing them...

gerbil 216 Industrious Poster

ARRRGGHHhhhh.... .! Nope. That's fine. I quite understand. Really. Yep, I do. S'okay. True... .... :)
Actually if trojans get into explorer n winlogon you are never really sure if you get them out... a reinstall is the safest, surest option. It was going to be my next suggestion if the stuff in the last post didn work. Honest... Now, drivers n codecs for sightnsound - from the makers of your mobo should be a cd with drivers for your video and sound cards [sound is prob on-board the mobo]; you need to load those cos otherwise you have only XP defaults. No cd? Then knowing the make/model of your sound chipset [Run msinfo32 , check components..] go online to the manuf and get the latest drivers/codecs and install those. You can check what you actually have by going Run devmgmt.msc and checking for audio and video codecs. Dclick or rclick the audio n vid codec entries to expand them; update or check their properties, whether they are available.
Sigh...

gerbil 216 Industrious Poster

I would have thought that if you opened C: you would have \program files and \WINDOWS folders, plus \Docs n Setts, [as well as others....]. These are the ones u use as your OS. So open H:\ and just delete H:\Windows [it won't fit in the bin..] and H:\Program Files folders. Check thru docs for files that you may wish to keep. I wouldn let Norton do anything.. If you are concerned post a pic of your explorer window with a bit of tree expansion...C:\ and H:\ .Or two pics...

gerbil 216 Industrious Poster

What did you do to remove the file referred to in this entry?

O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Anyway, restart hijackthis, do a Scan Only and place a checkmark against that entry, and press Fix Checked.
C:\WINDOWS\svchost.exe should not have been on your sys.... it is a baddie. The real one is in C:\WINDOWS\system32\ .
Rclick on a blank space on your desktop [heh!..that should be easy... :)], go properties, desktop, customise desktop, web, and delete any entries shown there. In the general tab does selecting any checkboxes work? Can you place a new icon for any pgm or file on your desktop, and does it then work? eg if from an explorer window you lclick and drag a filename onto the desktop do you get an icon? and will it open the file?
==Get Adaware SE Personal from http://www.lavasoft.de/software/adaware/
- install it. Update it. Explore what settings you can change in it [via the cogwheel icon up top, if you are comfortable with that... you won't hurt anything, but for the present please keep the default settings]. Put an icon on your desktop for regular use.
Run Adaware, doing a full system scan and finally remove all that it finds [rclick in the scan results window and select all, go next..]. If Adaware finds anything apart from cookies or your MRU list then, after removing those items you should repeat the scan [and …

gerbil 216 Industrious Poster

If you are still concerned about things being hidden you could run either or both of these scans to detect rootkits. Trojans equipped to copy keystrokes made into forms or read your password and address caches and suchlike are the real problem, but I saw no traces of those. These scans are designed to uncover technologies used sometimes to hide these.
==Download the latest trial version of Blacklight beta from http://www.f-secure.com/blacklight/ [get it from the top, GUI mode button]
Dclick the .exe [they change the name occasionally when they update it so I am not giving it here...], to start it, click Run, agree to the terms and Scan. Post the results if positive.

==Another one: http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx -link is at foot of page. Copy the .exe into the same folder as above, dclick the .exe and press Scan. Do NOT use your mouse or keyboard while it runs.
If either of those come out with positive results please post them.
[the idea of pass phrases is so that brute-forcing of passwords won't work. Brute-forcing involves throwing a dictionary at password hashes to see if any single, plain words are used, like myxomatosis ... :) . If as well you toss into your phrase numbers and non-spoken characters like $ for s, # for h etc you are well ahead in that game.]
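The dictionary check described in that aside, as an added example that is not part of the post: cracking wordlists are tried with the usual dressing-up undone, so this checker lower-cases a candidate, reverses common substitutions ($ for s, # for h, 0 for o and so on; an assumed, partial set) and strips leading and trailing digits before looking it up. It goes one step beyond the post in showing that a single word stays weak even with those substitutions, while a phrase never matches a single entry. SAMPLE_WORDLIST is a tiny constructed stand-in for a real cracking dictionary.

```python
"""Dictionary-word check for passwords, illustrating the pass-phrase advice.

Added example, not from the thread. Everything here runs offline on the
constructed wordlist below; no hashes are involved.
"""
import string

# Substitutions to undo before the lookup (assumed set; real rule files are larger).
LEET = str.maketrans({"$": "s", "#": "h", "@": "a", "0": "o", "3": "e", "5": "s", "7": "t"})

# Constructed stand-in for a cracking dictionary.
SAMPLE_WORDLIST = {"myxomatosis", "password", "friend", "cars", "dragon", "letmein"}


def normalize(candidate):
    """Lower-case, undo substitutions and drop surrounding digits/punctuation,
    the way a cracker's rule set would before comparing against the list."""
    base = candidate.lower().translate(LEET)
    return base.strip(string.digits + string.punctuation + " ")


def is_single_dictionary_word(candidate, wordlist=SAMPLE_WORDLIST):
    """True when the dressed-up candidate collapses to one dictionary word."""
    return normalize(candidate) in wordlist


def audit(candidates, wordlist=SAMPLE_WORDLIST):
    """Return the candidates a dictionary attack would recover outright."""
    return [c for c in candidates if is_single_dictionary_word(c, wordlist)]


if __name__ == "__main__":
    # Constructed candidates: one plain word, one dressed-up word, one phrase.
    for pw in ["myxomatosis", "Myxomato$i$99", "myfriendhas2carz"]:
        verdict = "weak (single dictionary word)" if is_single_dictionary_word(pw) else "not a single dictionary word"
        print(f"{pw:<20} {verdict}")
```

The phrase survives only because no single dictionary entry equals it; its strength comes from length and from mixing digits into a string no wordlist contains, which is the point the post makes.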

gerbil 216 Industrious Poster

..there is a setting in your profile re notifications..

gerbil 216 Industrious Poster

First, please check to see if you have any of these files on your sys:
C:\WINDOWS\csrss.exe
C:\int_rem.bat
C:\WINDOWS\9129837.exe
C:\abcdefg.bat
C:\WINDOWS\new_drv.sys
c:\sample.exe

This next requires a dl, but at least you can fit it onto a floppy - it's to check for rootkits.
==Download the latest trial version of Blacklight beta from http://www.f-secure.com/blacklight/ [get it from the top, GUI mode button]
Copy the .exe [they change the name occasionally when they update it so I am not giving it here...], into your pc to C:\, dclick it to start, click Run, agree to the terms and Scan. Post the results if positive.
Something is hiding, it would seem. May as well use another rootkit detector, this dl will fit onto the same floppy:
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx -link is at foot of page. Copy the .exe into the same folder as above, dclick the .exe and press Scan. Do NOT use your mouse or keyboard while it runs.

If the rootkit scans were negative please do this to check some MS files, [IE ones are not included in this]... you need an XP install cd, either MS or OEM will do; go Start > run, type:
sfc /scannow -and Enter. Insert the cd, press enter as often as it takes.

Give me the results of those two, and change the name of hijackthis.exe to bunny.exe, and run it, post a new log.
I must warn you …

gerbil 216 Industrious Poster

Sigh, almost forgot this bit... such a diverse list of pests you have there.... this one is to remove a spy...
You must be in an Administrator-privileged account to run this procedure...
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
-unzip it to your desktop and start it; select “Input script manually” and then click the magnifying glass icon. Paste into the box this line:-

C:\WINDOWS.0\msmpls.exe

...and click Done, and finally the green light.
Follow prompts to reboot your machine. Avenger creates a log file that should open with the results of its actions. The file is located at C:\avenger.txt
Avenger also backs up all the files, etc., that you asked it to delete, and zips them to C:\avenger\backup.zip.
Please post the log file also. Now a good cleanup:-
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to Quarantine, and run the scan. Save the log file and only then click Apply …

gerbil 216 Industrious Poster

ha!... no, there is only one XP.... although i would bet that once there was also a C:\windows\..... Anyway, to clean...
Open control panel, go to add/remove pgms and uninstall pgms with names like the following:
My Web Search, My Way ....., Search Assistant - My Way.... pgms with names like that.

Next start hijackthis, press Scan Only, and place checkmarks against all the following entries, and press Fix Checked.

C:\WINDOWS.0\system32\OS32check\services.exe
C:\WINDOWS.0\msmpls.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O4 - HKLM\..\Run: [Hide-The-IP] "C:\PROGRA~1\HIDETH~1\HIDETH~1.EXE" /startup
O4 - HKLM\..\Run: [OSVCheckTask] C:\WINDOWS.0\system32\OS32check\services.exe
O4 - HKLM\..\Run: [SymLnch] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\LnchStub.exe
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
O4 - HKCU\..\Run: [SpyZooka] C:\Program Files\SpyZooka\SpyZookaLdr.exe
O4 - HKCU\..\Run: [SpyOnThisScanner] "C:\Program Files\SpyOnThis v2.0\SpyOnThis.exe" -m
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Christopher\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O15 - Trusted Zone: *.moove.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://www.mirarsearch.com (HKLM)
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) -
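The judgements made by hand across these HijackThis fix lists (unnamed BHOs, entries whose file is missing, O1 hosts redirections, O15 trusted-zone additions, and a "svchost.exe" or "services.exe" living anywhere but the system directory, as in the Power Manager service above) can be mechanised. The following is an added example written for this thread; it is not part of HijackThis and not the poster's code. SAMPLE_LOG is constructed from lines quoted in the thread plus one benign entry, and nothing is read from disk.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# "O2 - BHO: ..." / "R1 - HKCU\..." entry prefix.
ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+)\s+-\s+(?P<body>.*)$")
# A Windows path: drive letter, colon, backslash, then up to the next space, quote or '('.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"(]+")
# Where the genuine copies of these binaries live on NT/2000/XP.
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "services.exe", "winlogon.exe"}

# Constructed sample: lines quoted in the thread plus one benign ctfmon entry.
SAMPLE_LOG = [
    r"O1 - Hosts: 209.190.85.230 maplesea.com",
    r"O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\aseaptlg.dll",
    r"O2 - BHO: (no name) - {604A0F9C-F7E8-4CC1-9F07-4C81E1CE1200} - C:\WINNT\system32\jkklj.dll (file missing)",
    r"O4 - HKLM\..\Run: [OSVCheckTask] C:\WINDOWS.0\system32\OS32check\services.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",  # constructed benign entry
    r"O15 - Trusted Zone: http://click.getmirar.com (HKLM)",
    r"O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)",
]


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def triage(lines):
    """Return one Finding per rule that fires on each HijackThis entry."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        lowered = body.lower()
        if "(file missing)" in lowered or "(no file)" in lowered:
            findings.append(Finding(kind, "file missing", line))
        if kind == "O2" and lowered.startswith("bho: (no name)"):
            findings.append(Finding(kind, "BHO with no name", line))
        if kind == "O1":
            # "Hosts: <address> <hostname>": a loopback address blocks the
            # site, anything else sends the browser to a different server.
            parts = body.split()
            if len(parts) >= 3:
                address = parts[1]
                reason = ("hosts block via local address"
                          if address.startswith("127.") or address == "0.0.0.0"
                          else "hosts redirect to remote address")
                findings.append(Finding(kind, reason, line))
        if kind == "O15":
            findings.append(Finding(kind, "trusted zone addition", line))
        # Any entry whose binary borrows a system-process name from outside system32.
        for path in PATH_RE.findall(body):
            directory, _, name = path.rpartition("\\")
            if name.lower() in SYSTEM_NAMES and directory.lower() not in SYSTEM_DIRS:
                findings.append(Finding(kind, "system binary name outside system directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:>4}  {f.reason:<45} {f.line}")
```

The rules are deliberately the narrow ones the thread applies; an entry that fires none of them is not thereby clean, it simply needs the human look the posts give the rest of the log.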

gerbil 216 Industrious Poster

Ripper!. Your log is clean. Info security? Well, your banking and so forth is heavily encrypted so even tho they could see the traffic they would not have been able to read your passwords, or any other secure traffic at all once it went into encrypted level. You did not have any backdoor trojans that I saw [some of which do enable hackers to monitor your files and even keyboard strokes...] so i think you're pretty safe there. My opinion only!! I don't give money back guarantees! Anyway, it never hurts to change a password once in a blue moon. Pass phrases [if your bank sites permit them...] are even better. You know, um... my friend has 2 carz... for eg...even without spaces if needs be, so myfriendhas2carz.
On another note, dump Netscape as well as IE as far as poss, use Opera and/or Firefox. They are just better browsers. Sadly, some sites still insist on IE......

gerbil 216 Industrious Poster

As far as browsing goes, one of the messages you gave refers to your browser security settings - they are set too high, perhaps? Open an IE window, go tools, inet options, security tab, and press Default Level. [else instead of Default level go Custom level, and in the next window set to medium and press Reset.]
Then press the Privacy tab [next to security] and move the slider to medium, Apply and Ok.
I think now you should be able to get to Mozilla.com [DON'T get firefox from any other site!!]

gerbil 216 Industrious Poster

There is a special file, hosts [no extension] that provides a shortcut or redirection service for your browser when you enter a URL , you know, the http://daniwe.... Your browser checks the hosts file for entries before it goes on the web [to a DNS server], to get the URL's IP which it then uses to go to the site. The hosts file can thus also be used to block sites by giving the address a local or internal address [internal to your pc], one of which is 127.0.0.1; there are others. So a bug can put google or antispyware sites in the hosts, give them the local address in which case they just don't open, or give them another IP entirely to a site where they want you to go.
So I wish you to check that file.
To show Special MS Files
===Either go Control panel > folder options OR in an explorer window > tools>folder options; then view tab, and
-press Show hidden files and folders, Apply and Ok.
C:\windows\system32\drivers\etc\hosts is it. If you lclick etc in the left pane tree you will see hosts listed in the right pane. Drag hosts into a notepad. It should be as above in previous post.
And Oops! they've updated hoster since i last checked; sorry about that! It is now HostsXpert, and it's even better.
If your hosts file is not like the one above then dl HostsXpert …

gerbil 216 Industrious Poster

:)

gerbil 216 Industrious Poster

Heh!... so you didn like IE7 that much, huh?
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
From an explorer window > tools > folder options > view, set to show all hidden files and folders.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.

Next, start hijackthis, do a Scan Only, and place checkmarks against the following entries, and press Fix Checked.

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll (file missing)

gerbil 216 Industrious Poster

yes, that would work - still from an admin acc, though, right? I wonder.. if that drive was made with xp pro would slaving it in an xp home [with admin privs] allow you to copy off? Cos xp home has a pretty lazy system of ownership n privileges... to put it bluntly, there is no file security. It's for a home, right? .. so everyone is cool n no secrets? Answered my own q, i think... it could not, cos it doesn't have the file security sys in place. Dunno. Anyone?

gerbil 216 Industrious Poster

that etc after drivers\ above is real, not me being lazy... :)
Check this too:
Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
And if it does come to doing a windows REPAIR you won't lose your files...

gerbil 216 Industrious Poster

Check your hosts file for a start; it should look something like this unless you have added sites..... this is mine, and it's the default:-
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
_______________________________________________

..to see this go c:\windows\system32\drivers\etc. Open a notepad and drag hosts from the right pane into it. If there are entries below the localhost one that you do not recognise or did not put there, then you need to reset the hosts file.
=Please download Hoster: http://www.funkytoad.com/download/hoster.zip and extract it to your Desktop.
=Click the Restore MS Hosts Button and then click OK and exit Hoster.
==Download this …
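The hosts-file check described in this post and in the earlier one on browser redirection, as an added example (not the poster's code and not part of Hoster or HostsXpert): it parses hosts-file text the way the resolver reads it (first column address, then host names, '#' starts a comment) and reports every mapping beyond the default localhost line, distinguishing a loopback mapping, which silently blocks a site, from a mapping to some other address, which sends the browser elsewhere. SAMPLE_HOSTS is constructed: the default Microsoft header followed by one entry of each kind.

```python
"""Audit a Windows hosts file for entries that block or redirect sites.

Added example for this thread; runs offline on the constructed text below.
"""
import ipaddress

# Constructed sample: default header, then one blocking and one redirecting entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.0.0.1       www.lavasoft.de          # constructed: an antispyware site made unreachable
209.190.85.230  maplesea.com             # constructed from an O1 line quoted in the thread
"""

# The only mappings a stock file carries.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments and blank lines.
    One line may map several names to the same address."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # a lone token cannot be a mapping
        address, *names = parts
        for name in names:
            entries.append((address, name))
    return entries


def audit_hosts(text):
    """Return (hostname, address, verdict) for every non-default mapping."""
    findings = []
    for address, name in parse_hosts(text):
        if (address, name) in DEFAULT_ENTRIES:
            continue
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((name, address, "malformed address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((name, address, "blocked (resolves to this pc)"))
        else:
            findings.append((name, address, "redirected to remote host"))
    return findings


if __name__ == "__main__":
    for name, address, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{name:<20} {address:<16} {verdict}")
```

On a real machine the text would come from C:\WINDOWS\system32\drivers\etc\hosts, read after showing hidden files as the post describes; any line the audit reports that you did not add yourself is the cue to restore the default file.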

gerbil 216 Industrious Poster

xp pro? and you are not an administrator? then you cannot change permissions unless you are the owner of that file or folder. Try safe mode and the system administrator [you need the password, and it is by default blank ie Enter...]
==To restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode with Command Prompt and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
And then follow this procedure... :)
http://support.microsoft.com/default.aspx?scid=kb;en-us;308421

Passworded out of there too? Then you need a linux boot disc, you run linux from the cd and it takes no notice of permissions and such stuff. Get a free cd from ubuntu.

gerbil 216 Industrious Poster

Download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-Click the Scan and Save a Logfile button. Post the log here. Someone will sort it for you.

gerbil 216 Industrious Poster

well, the HT log comes up in notepad. Just click format tab and uncheck wordwrap. CtrlA, CtrlC, into the postbox and CtrlV. Ought to work.

gerbil 216 Industrious Poster

dyu mean internet explorer, or windows explorer? were you trying to open from desktop icons? can u open IE from the start menu [if it is there]?

gerbil 216 Industrious Poster

...may i inquire as to why \windows is shown as \windows.0 ? Do you have two XP operating systems in your C:\ partition by any chance? Be nice to know that b4 we proceed; there is a swag of bugs in there.. :).
To answer that question easily, do this: go start > run, type sysdm.cpl and Enter. Press Advanced tab, bottom Settings button[startup and recovery..], and then Edit. Post the contents of the notepad that opens.

gerbil 216 Industrious Poster

Meant to add, but forgot: you REALLY SHOULD update your windows to SP2 via the windows update service. It is for your security.... if you have trouble with download speeds then i think M$ will send you a cd for a couple of $....

gerbil 216 Industrious Poster

O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm

I think this one which has persisted after that fix we tried is a vundo beast. Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it, and click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will shutdown your computer - click OK.
Restart your computer and post the contents of C:\vundofix.txt
Rename Hijackthis.exe to bunny.exe and post a new HijackThis log. [dclick bunny.exe to start it...]

gerbil 216 Industrious Poster

...for unravelling that log format you owe me a beer. Go into safe mode cos I would like you to check if you still have this file:
C:\Windows\system32\csrss.exe
[Either go Control panel > folder options OR in an explorer window > tools>folder options; then view tab, and
-press Show hidden files and folders]..
If you do have it, and I'm pretty sure you must cos not a lot would happen without it being there so DON'T touch it, then the file:
C:\Windows\csrss.exe - is an imposter. It may be tricky to get rid of, it may not. Since you have hijackthis please start it and press Open the Misc tools Section, and then Delete a file on reboot. In the window that opens paste:
C:\Windows\csrss.exe
and press Open, and Yes.
Your pc will restart.
One more thing - since you have AVG Free, why not run its email scanner?
Anyway, please post another hijackthis log, but this time with more of an eye to the formatting... :)
[your post is amazing! the script flows right off my page!]
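The csrss.exe reasoning above (the copy in system32 is the real one and must stay, a same-named file elsewhere is an impostor) as an added example that is not gerbil's own: given a list of file paths, it reports for each core process name whether the expected copy is present and lists every same-named file found outside that directory. The path list and the expected-directory table are constructed for the example.

```python
import ntpath  # Windows path rules regardless of the host running the script

# Constructed table: where each core process is expected to live.
EXPECTED_DIRS = {
    "csrss.exe":    r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "lsass.exe":    r"c:\windows\system32",
    "svchost.exe":  r"c:\windows\system32",
}

# Constructed list of paths, as a recursive directory listing with
# hidden files shown might produce.
SAMPLE_PATHS = [
    r"C:\Windows\system32\csrss.exe",
    r"C:\Windows\csrss.exe",
    r"C:\Windows\system32\svchost.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\lsass.exe",
    r"C:\Windows\system32\notepad.exe",
]


def classify(paths, expected=EXPECTED_DIRS):
    """For every core process name, say whether the copy in its expected
    directory is present and list same-named files found anywhere else."""
    report = {name: {"legit_present": False, "impostors": []} for name in expected}
    for path in paths:
        directory, name = ntpath.split(path)
        name = name.lower()
        if name not in expected:
            continue  # not a name we track
        directory = ntpath.normcase(directory).rstrip("\\")
        if directory == expected[name]:
            report[name]["legit_present"] = True
        else:
            report[name]["impostors"].append(path)
    return report


if __name__ == "__main__":
    for name, info in classify(SAMPLE_PATHS).items():
        if info["impostors"]:
            print("%s: real copy %s, impostor(s): %s" % (
                name, "present" if info["legit_present"] else "MISSING",
                ", ".join(info["impostors"])))
```

A name whose real copy is missing but which shows up elsewhere is the case to treat most carefully, since removing the only copy of a core process breaks the system.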

gerbil 216 Industrious Poster

Hi. I'm going to assume that you have not run any tools yet; we'll fix a few things but then I will want you to post a new log - that one is missing its head...
First off, go into control panel, add/remove pgms, and uninstall Ipwins.
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Dclick killbox to start it. First off, make a quick check on your hosts file : go Tools, click Hosts File - in the notepad that opens the default is a hashed example followed by a valid hosts redirection line, 127.0.0.1 localhost
If there are no other such lines in the file then skip the Hoster instruction block below.

=Please download Hoster: http://www.funkytoad.com/download/hoster.zip and Extract it to your Desktop.
=Click the Restore MS Hosts Button and then click OK and exit Hoster.

Close killbox for the mo.
Next, start hijackthis, do a Scan Only and place checkmarks against these entries that still exist, and press Fix Checked.

O4 - HKLM\..\Run: [fnbsxaaa] C:\WINDOWS\System32\fnbsxaaa.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe …
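The hosts-file check described above (both the annotated default file and the killbox "Hosts File" step) as an added example, not gerbil's own code: it parses a hosts file and lists every mapping that is not one of the default localhost entries. The sample file is constructed; the two trailing lines stand in for a hijacked file.

```python
import ipaddress

# Constructed sample, modelled on the default Windows hosts file quoted above,
# with two non-default lines appended of the kind a hosts hijack leaves behind.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
127.0.0.1 www.example-av-vendor.invalid   # sinks an update site
203.0.113.7 www.example-bank.invalid      # redirects a login page
"""

# Mappings a clean hosts file legitimately contains
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping.
    Comment-only and blank lines are skipped; a trailing '#' comment is dropped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only or malformed line
        ip = parts[0]
        for host in parts[1:]:  # one address may map several names
            entries.append((ip, host.lower(), line_no))
    return entries


def suspicious_entries(text):
    """Return (line_no, host, ip, reason) for every non-default mapping."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, host, ip, "unparseable address"))
            continue
        if addr.is_loopback:
            reason = "name sunk to loopback (site blocked)"
        else:
            reason = "name redirected to " + ip
        findings.append((line_no, host, ip, reason))
    return findings


if __name__ == "__main__":
    for line_no, host, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s: %s" % (line_no, host, ip, reason))
```

A clean file yields an empty list; anything returned is an entry to reset, as the Hoster step above does.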

gerbil 216 Industrious Poster

Lessee... I do not see an AVG firewall running although the service starter is there at O23...? Try uninstalling AVG and Bitdefender, then with windows firewall still running follow these instructions to remove any McAfee files remaining:
http://forums.mcafeehelp.com/viewtopic.php?t=42709&start=0&postdays=0&postorder=asc&highlight=
If you are still concerned about a virus, next go online and do a scan at Pandasoftware....
First download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Next do the online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
If you only go to those two sites you should be safe with no AV... Post the log panda produces here if it finds anything.
Reinstall Bitdefender and AVG after a restart.
Looks a bit of a severe solution, I know.... but I can only guess that some AV remnants are fouling things up.

gerbil 216 Industrious Poster

Very likely so. It could also have something to do with the distribution method, in that it is bundled software with the likes of AOL etc which can irk ppl, but of course the choice is there upon installation whether to include it or not. In the bundling aspect it is not alone, both google and yahoo toolbars get packaged nowadays. Plus of course, the baddies. I can understand your frustration, it must be a tough mkt to crack.
Cheers, g.

gerbil 216 Industrious Poster

Joe, i don't recall saying that Viewpoint was adware, or spyware, or calling it anything, really. I know that it is not, and I also knew that it was not the trojan version of that .exe when I called it because AVG would have thrown it out. I merely suggested that a correspondent remove "your" genuine toolbar in an attempt to speed up his browser [that it was in the same sentence as My WebSearch is just a coincidence, no more than a literary convenience]. Browser add-ons such as toolbars take resources; frankly speaking, I cannot understand people cluttering their browser windows with any extraneous lines, even google or yahoo toolbars - these things can be started manually if needed.
I do not know his pc vital statistics, so I feel vindicated in suggesting its removal; posters are their own people - he can reinstall it at will. I would like to point out this line of his [and I give it in its full context, I am not shrinking from the fact, here..] "my unwanted internet explorer items disappeared but the program is still running the same".
I am pleased that you are proud of your work, everyone should be. Me, I'm just fooling in the dusk trying to help someone, I'll try many things as they occur to me. And who is to say that a corrupted toolbar or other browser add-on is not hindering his browser? I did ask him about the yahoo bar also. Not …

gerbil 216 Industrious Poster

I actually do not know how you removed IE from XP SP2: it is integral. If you worked via CP > windows components, then that only stops it running, but does not remove it; likewise rechecking that box does not reinstall it. The only way I know how to do it is via windows Repair installation option in windows Setup on the XP SP2 install cd. That is, I know that way works, for sure.... but you must then reinstall all windows updates. But I have used windows .inf files to repair Outlook Express and I see no reason why you cannot try the same with IE - I'd like you to give it a shot....and tell me how you get on. Simply open C:\windows\inf, rclick ie.inf and select Install - you will receive prompts [insert XP SP2 cd etc.].
This next will not actually repair IE, but there may be a "related" problem which is stopping it displaying, and you should try this before the previous method because it will not result in your having to reinstall any other components such as updates: you could run system file checker with that install cd - go Start > run, type:
sfc /scannow - and insert your cd when requested.
Please let me know how you get on..

gerbil 216 Industrious Poster

just copynpaste it in the clear from the notepad log, don't hide it in an attachment.
[but just so you know, attaching files is in Go Advanced tab. Don't use it for the log, tho.]

gerbil 216 Industrious Poster

good-oh. when yer fully done electrocuting yourself lemme know how you got on.... :)

gerbil 216 Industrious Poster

well, that did not show anything. I think you shall have to give the room more clues, a bit more info on the exact nature of the problem.
[you have broken cydoor, which is annoying adware trash, so don't expect your kazaa to run anymore... :)]

gerbil 216 Industrious Poster

it's windows. dunno, luck of the draw... often an OS can get interrupted by some glitch while it's doing a vital task.... I personally do not like online updating of software - i prefer to download the files and install manually if it is an option.... Was that a windows security update restart that killed your sys?
Come back with how you get on...