gerbil 216 Industrious Poster

Sigh. that log is clean now. All i can suggest is that you run a cleaner [disk clean or CCleaner], defrag. Do you use all those yahoo search bars and home page etc? Go into the java panel and set it to update once monthly [or weekly]... The AVG scan only reported tracking cookies, so no spyware there.
I really do not know what the problem can be..

CCleaner
===Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Next select the Applications tab and Run Cleaner again.
[For future quick temp file cleaning select the options you wish to use. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is a furphy, much loved on some websites, but cleaning it is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be …

gerbil 216 Industrious Poster

...i see that the O20 entry persists - with that there the dll will start even in safemode... is that key's data value for AppInit_DLLs being regenerated if you delete it? Go into your registry and delete the value for this key name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Select AppInit_DLLs in the right pane and modify its value to remove hamaham.dll.
I don't know why avenger, killbox couldn't deal, but vundofix should do it?

gerbil 216 Industrious Poster

k. smitfraud - you ran option 2? would like to see the log if you still have it...

gerbil 216 Industrious Poster

Btw, it does not have to be your disk, just the right disk as above.

gerbil 216 Industrious Poster

You can use an OEM or M$ XP install disk to do the repair job, but NOT an OEM Restore disk. The install disk should be the same version.. eg. SP2. Unfortunately you have to download all the windows updates again. By the way, don't go into the Repair an XP installation with Recovery Console option, you need to enter Setup. Your OS should be detected and you would then be given the option to Repair it. If you don't get the Repair option at this stage then a new installation is next, but this means you must reinstall all your 3rd party software again.

gerbil 216 Industrious Poster

Ah. Okay, you don't have all the elements, but you do have siteadvisor.. I don't think much of the idea, but that's just my own opinion. It really is up to you, but uninstalling it and fixing these should clear it, then you would delete any remaining .exe and .dll files and the pgm folders, and finally reinstall siteadvisor if you so wish. Basically i'm saying that without loading siteadvisor on my own machine I cannot tell which processes come with it, and which remain from a McAfee AV installation [attempt]. IE7 has some issues with it, i think.

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

These are just a few extra entries I felt could go:

O18 - Filter: text/html - (no CLSID) - (no file)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.viewpoint.co.kr/vet_insta...5abels/z5.html

gerbil 216 Industrious Poster

If you have a windows install cd, set your BIOS to boot first from cd and then do a Repair.

gerbil 216 Industrious Poster

couldn't you just start up in the C: volume and then simply delete all the windows OS folders n files in the second volume? That would leave your other stuff untouched, wouldn't it? [I've never tried it... :)]
Last, or other, step would be to cut the last line from your boot.ini file.
I mean, who [an OS] would know?

gerbil 216 Industrious Poster

that is a .dmp file that you zipped up. how to read that??

gerbil 216 Industrious Poster

For a start, go CP > add/remove pgms and uninstall MyWebSearch, MyFunProducts, MyWayxxxxxx, etc, and ViewPoint.
Go to pgm files and delete the folders for the above.
Start hijackthis, do a Scan Only and place checkmarks for fixing against the entries listed below, and press Fix Checked.

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...4YYUS_ZZzer000

Good, rescan and post a fresh log.
If you look at your log you will notice in the Rx entries your homepages: do you use those? cos we can remove them and set one you like...
-the O2, O3 entries: do you like the yahoo and McAfee toolbars, the yahoo button? [ My IE pages have two lines of "objects" at the top, which incl the address bar - it's the bare minimum...but if I ever ran IE at full screen i would reduce it to one line only]. Java update is a pest now unless you do it custom way, cos otherwise it gives you a toolbar. nice of em.....
-the O4's: soooo much stuff is starting with your sys. Do you always need Adobe reader to start without you wanting to read anything, or your sound sys, or yahoo msgr, or a bit torrent client, or itunes, quicktime, photo downloader, etc...
These things start at turn on if you let them, and then stay resident in your RAM, chewing your resources n snowing your sys. Some of them could …

gerbil 216 Industrious Poster

Before you run AVG AS it is nice to run a cleaner first to remove the cookies which clutter the AVG log. Anyway, to give us a quick glance at the state of your sys, would you pls do this...
HiJackThis
===hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-Click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

For a start an antivirus pgm isn't really dragging your sys down, is it? Get one. May i suggest AVG FRE or AVIRA? Are you running a firewall? Or a spyware blocker?
But BEFORE you go installing those, please do these things:-
===Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]
===Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:.. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
===GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to Quarantine, and …

gerbil 216 Industrious Poster

both methods remove the startup entries from your puter registry, kid, an that's it.. the software behind the entries remains; all msconfig asks is that you confirm the change on your next restart [asks in a slightly forbidding way.. :)]

gerbil 216 Industrious Poster

hummm... i'm guessing now with what you have told, but a ps produces a Power Good signal which instructs MB/BIOS that it is okay to start.... i wonder if your ps is not starting to go marginal? You can google for wire colours and voltages if you like to test with a DVM, else plug in a mate's when he's not looking.

gerbil 216 Industrious Poster

jez, i think you need to decide between bitdefender and McAfee. Two is one too many. Try uninstalling one.
Next restart HT, do a Scan Only and place checkmarks against all the following, and press Fix Checked..

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\

Some others...: this google WA can be so bad if they have given you a dud proxy -
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
Because you are the current user and you just have a blank IE home page you could fix these MSN home pages:-
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
And i do not know what this one does for you, at all:-
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer


Now download this temp file cleaner from …

gerbil 216 Industrious Poster

Urgh. Okay, you've done the straightfwd stuff. Give us a log now:
HiJackThis
===hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-Click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Oh, why not fix some more while you are at it?
Open Control Panel, add/remove pgms and uninstall IPwindows.
When you finally run hijackthis, first off do a Scan Only, and place checkmarks against all of the following [if they still exist] and then press Fix Checked:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{345B6728-0BB1-1033-0823-040412200001}] "C:\Program Files\Common Files\{345B6728-0BB1-1033-0823-040412200001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [{345B6728-0BB0-1033-0823-040412200001}] "C:\Program Files\Common Files\{345B6728-0BB0-1033-0823-040412200001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: Fresh Start Banking button - {FEEE29A4-ECCD-4db8-8AFA-5DABD414E48F} - C:\WINDOWS\Downloaded Program Files\AxFreshStartBanking.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01E58797-1368-4D27-B564-33755494B9AF} (AutoFillInstallerControl Class) - http://www.freshstartbanking.com/cab...artBanking.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)

Now do a new Scan and save logfile. Post the log along with those others....

gerbil 216 Industrious Poster

yeah, chaky, it may as well run on here now... happy to leave it up to the bosses..

gerbil 216 Industrious Poster

sblanton.... sorry, but i cannot help laughing!! That is a superb example of a hosts file to block most AS, AV, online scanner and cleaner sites!! I dunno quite where to start cos you have a load of problems there, so we'll clear a bit of space first..[you should have followed ALL my advice and taken this log over to viruses n spyware forums and started a new thread- no matter now]
Anyway..... do these things in this order.

Please download the MsnVirRem pgm from this page [heh! they can't block em all...]: http://www.thespykiller.co.uk/index.php?action=tpmod;dl=item9
* First close any other programs you have running as this will require a reboot
* Double click MsnVirRem.exe to run it
* Once open, click the button labelled "Search and Destroy" *Your computer will now be scanned for Infected Files*
* When scanning is finished you will be prompted to reboot only if infected, Click OK
* Now click the "REBOOT" Button.
* After the Reboot, you WILL receive file not found errors (usually 4) please acknowledge them and continue. * A Message should popup from MsnVirRem; if not, double click the program again and it will finish. Please Post the contents of C:\msnvirrem.log.

Next: ComboFix.
===Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that …

gerbil 216 Industrious Poster

.

gerbil 216 Industrious Poster

umm..lessee... so many things to check... chkdsk.. try that - it will want to run on reboot - let it. It's the only way it can check the system drive [C: usually]. Go start > run, type
chkdsk C: /f and answer Y.

gerbil 216 Industrious Poster

Oops. Please do these things in this order [but post all the logs only when you finish...]

==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]

Is this the anti-spyware pgm you ran? If so, I'd like to see the log... otherwise:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to Quarantine, and run the scan. Save the log file and only then click Apply all actions. Post the log file.

== Get hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-Click the Scan and Save a Logfile button. Post the log here.

Actually, I suggest you start a new thread …

gerbil 216 Industrious Poster

a dearth of info there, jez. for a start you could try diskcleanup and defrag from accessories > system tools [i'm just guessing that you may be running out of disk space - if you are, remove some unused stuff, or the junk ].

gerbil 216 Industrious Poster

yep. What it does is check the protected files in windows for correctness - if it finds errors or mismatches it copies in a new file from the cd if it needs to. Finished, it closes. No fanfare.
Did you note my post on links? You can script in HTML how a link should work, but you can force IE and other browsers to behave how you wish by rclick context menu and other default behaviour options.... Now how is copynpaste going?

gerbil 216 Industrious Poster

Yep. Okay, it will be a process or thread that explorer is handling, and a third party one at that, most likely, that has allowed the buffer overrun. [pretty much, a variable that was accepting input tried to pass on to its buffer more info than it could handle -the overflow "characters" disrupt following script, but there are other scenarios.].
Hackers love this method as a point of entry to your sys, they search for vulnerable processes - there is a v good chance that you have malware running already.
Seriously now, try what i posted earlier. It may be a poorly written app you have just loaded... but it may be a trojan etc trying to modify explorer... via a poorly written app.

gerbil 216 Industrious Poster

first hardware check to make is power down at the wall, open up, brush [softly] with a vacuum cleaner nozzle in there too; when it's clean enough [esp the big chips' heatsinks...] unseat every little thing and replug. Cards, cables, RAM blocks, the lot. Even unlock, lift, and relock the processor if you wish. Don't take it right out to marvel at how well you can comb your hair with the pins.

gerbil 216 Industrious Poster

What i hoped would be understood is that Microsoft Updates is just gee-gaws for M$ apps. They are not [generally] vital ... they certainly are not fixes for security issues. Those are in Windows Updates. So you don't need MU running constantly.
Further, as far as WU goes, in your security centre make the setting to Notify you when they are available. Don't panic about this, M$ will notify you every time you turn your sys onto the net until you dl or cancel them.

Cobra-7 commented: Some very good information I was not aware of. THX +1
gerbil 216 Industrious Poster

You should not have a C:\explorer.exe file - it normally resides in C:\Windows\.
To enable us to help you get hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-Click the Scan and Save a Logfile button. Post the log here.
Better still, post it over in the viruses n spyware forum, cos that's where it should go.

gerbil 216 Industrious Poster

If you do not use M$ apps like office etc then restrict your updating to Windows updates only - this results in you getting security updates only.
If you are interested in this then go programs > microsoft update, when the web page loads hit options and make your selection there.
Anyway, the idea of the checkboxes in updates is for you to make selections. Be wise tho.

gerbil 216 Industrious Poster

Nope. For a fresh copy of say, xp home, installed on a certain make and model computer with certain hardware with certain drivers with certain HD configuration and fully formatted with no other apps or files and no changes to any settings then just possibly you could compare the registries... but i wouldn't bother personally. It's a big file, and you only need to know a few regions - viruses, trojans etc operate in selected areas. Throw in a few other areas that affect your settings and performance, but which often you can alter via the GUI.. an that's it.
Hijackthis targets those areas of the registry invaded commonly by malware and also lists running processes and those on autostart [which may have stopped by the time you run HT..] generally the entries returned are those of special interest. You get to know many both genuine and dodgy ones, others you check.
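
An added example, not part of gerbil's post and not HijackThis's own code: a small triage script for the kind of log discussed above. It splits each entry into its section code and detail, then flags the two things these threads keep coming back to: orphaned entries marked "(no file)" or "(file missing)", and O17 entries that pin a static NameServer. The function names `triage` and `needs_review` are hypothetical; the sample lines are copied from the logs quoted on this page.

```python
import re

# Section codes as they appear in the log lines quoted on this page.
SECTIONS = {
    "R0": "IE start/search page",
    "R1": "IE start/search page",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart entry",
    "O8": "IE context menu item",
    "O9": "IE extra button / Tools item",
    "O16": "ActiveX download (DPF)",
    "O17": "DNS / name server setting",
    "O18": "protocol or filter",
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O23": "service",
}

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")
ORPHAN = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
NAMESERVER = re.compile(r"NameServer\s*=\s*(?P<ips>[\d., ]+)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Sample input: lines copied from the posts on this page.
SAMPLE_LOG = r"""
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{453ED1B8-DC41-47C4-B0CA-479DE5BD95E6}: NameServer = 85.255.116.108,85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.108 85.255.112.93
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
"""


def triage(log_text):
    """Parse HijackThis entry lines and attach review flags to each one."""
    findings = []
    for raw in log_text.splitlines():
        match = ENTRY.match(raw.strip())
        if not match:
            continue  # running-process paths, headers, blank lines
        code, detail = match["code"], match["detail"]
        flags = []
        # The registry entry survives but the file it points to is gone.
        if ORPHAN.search(detail):
            flags.append("orphaned")
        # A hard-coded name server overrides "obtain DNS automatically".
        servers = []
        if code == "O17":
            ns = NAMESERVER.search(detail)
            if ns:
                servers = IPV4.findall(ns["ips"])
        if servers:
            flags.append("static-dns")
        findings.append({
            "code": code,
            "section": SECTIONS.get(code, "other"),
            "detail": detail,
            "flags": flags,
            "servers": servers,
        })
    return findings


def needs_review(findings):
    """Keep only the entries that carry at least one flag."""
    return [f for f in findings if f["flags"]]


if __name__ == "__main__":
    for item in needs_review(triage(SAMPLE_LOG)):
        print(item["code"], item["section"], item["flags"], item["servers"])
```

A flag only marks an entry for a closer look; whether to fix it still depends on knowing what the entry belongs to.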

gerbil 216 Industrious Poster

i hope you tried to run sfc /scannow.... note the space? sfc is the file [a process..], scannow is a parameter that controls the process's operation.

gerbil 216 Industrious Poster

For a start would you please do these things?
==Start Hijackthis again and do a Scan Only. Place a checkmark against this entry for fixing, and press Fix Checked:

O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll

==Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to Quarantine, and …

gerbil 216 Industrious Poster

uninstall AIM and get an update. That msg indicates a programming flaw - only bad scripting allows buffer overruns on user input.

gerbil 216 Industrious Poster

To save myself a lot of typing time i'll just put this in. you may have tried it; you don't say what you HAVE tried... to save everyone thinking you could post what you did...
.....if you have the XP install cd then in that run window type
sfc /scannow
and load the cd. Be prepared to hit enter quite a few times. Come back with the result...

gerbil 216 Industrious Poster

Ah. Well, that was my last shot. I don't think Silent Runners would help. All that is left is to clean up a few folders and traces:
Delete this file : E:\WINDOWS\system32\lnnmp.bak2
Delete this folder : E:\VundoFix Backups
Empty your AVG quarantine folder. Delete vundofix and vundobegone. Run this script to remove this registry key value [or go in and delete it manually..]
-copy all the text below the line as one block to notepad, Save as vnd.reg with type set as All files, to your desktop or to a scratch folder; then dclick the filename and allow it to merge with the registry...
_______________________________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{182B90A3-F372-438A-800C-6814B4DE417B}"=-

gerbil 216 Industrious Poster

Hello, rumbleman.... still some vundo traces in there. Hmmm..... Vundofix just would not shift them. I know this tool will get more of it:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
Save the file to your desktop, and CLOSE ALL running programs including IE [or other browsers]. Dclick Virtumundobegone to start it and follow the prompts. If you get a BSOD just reboot...
Please post the VBG.txt log from your desktop.

gerbil 216 Industrious Poster

yeah, midi, i got confused with the course of events in his initial post.... his disk 1 actually has xp on the second partition, E:; I thought I read that it was on the first partition...[E:, before he combined c and d...] Arrgh... never mind... thanks... :), sorted me out.

gerbil 216 Industrious Poster

And lighten the load by going to CP > add/remove pgms and uninstalling any Viewpoint entries that you see. Next, still in safe mode, with HT do a scan Only and check the following for fixing, and press Fix Checked:
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

See how you go...

gerbil 216 Industrious Poster

AVG Fre works for me. Others swear by avast home edition. You choose.

gerbil 216 Industrious Poster

Thanks, dragon... we'll delete that one in a moment, but first I would like you to check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Now I am going to give you a choice of temp file and cache cleaners: ATF Cleaner is fast, quick to set and does a very good job; it's a couple of clicks to clean, but no review possible of what is going out with the bathwater. CCleaner gives you more options, has a free reg cleaner and is fast if you wish to not review files to be cleaned.
ATF Cleaner
===Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
CCleaner
===Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle …

gerbil 216 Industrious Poster

Crazy, I run AVG FRE [AS], Zonealarm, Spywareblaster. That's it. And had only one case of spyware about two years ago, never a virus. Course, if you dredge the sewers you're gonna come up with a rat in your hand sooner or later. No AV is perfect. AS? I have Adaware and AVG 7.5, run them maybe monthly. Surfing wisely is a must. Hijack this? dl it only when you need it... same with other special tools.
Get a few more opinions.

gerbil 216 Industrious Poster

Hello, 'lover..
Would you please do this for me if you have not already- submit this file for evaluation?
Open one of these links, click browse/choose, find the file below then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

C:\WINDOWS\Temp\kdsbb.ren 63383 08/04/2004

Cool. Post the result. [log looks clean, but when you come back with that info we'll tidy up]

gerbil 216 Industrious Poster

....and cos I already had it typed out and saved... :)

gerbil 216 Industrious Poster

Dragonlover, I don't think Crunchie will mind me picking up this thread cos he is going out for a couple of days. ==First thing, I know you already ran fixwareout before you made your first post [that piggyback one]; if you still have the original log file [report.txt] rename it to reportA.txt; then please do a search in your systemdrive C: for files with a .ren extension. Do this before the next step!
==As Crunchie requested, I would like you to repeat the fixwareout scan, please, cos I would like to see the log it makes.
More to be going on with: start hijackthis again, Scan Only, place checkmarks against all the following entries and then press Fix Checked.

O17 - HKLM\System\CCS\Services\Tcpip\..\{453ED1B8-DC41-47C4-B0CA-479DE5BD95E6}: NameServer = 85.255.116.108,85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.108 85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.108 85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.108 85.255.112.93

Rerun hijackthis and post all the log files [reportA.txt, report.txt and the HTlog...plus if you found any .ren files]

gerbil 216 Industrious Poster

Hi, dcc, I'm starting to see quite a few comments regarding media suitable for the various burners in the mkt. It's a bit disturbing. Quality does count with burners....of course. Pays to check reviews before purchasing, it seems.
And me? I gotta get a life... :)

gerbil 216 Industrious Poster

.

gerbil 216 Industrious Poster

Post pulled by gerbil.

gerbil 216 Industrious Poster

Hmm... on the other hand it could be that we missed something and it took a while to fully regenerate itself, perhaps by calling for a download. It does sound like a spyware/trojan issue.... May I suggest that you download this file: http://www.techsupportforum.com/sectools/combofix.exe
-- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
And rename hijackthis.exe to rumble.exe and post a fresh log also. We just gotta try a bit harder sometimes...

gerbil 216 Industrious Poster

Ahah! So E: is not the first partition on your second HD! I was going on you having C: on disk0, and E:, F: on disk1, with the second OS on E:. Obv you have D:, E:, F: on disk1. Good-oh, I misread your info...
Thanks for the feedback.