gerbil 216 Industrious Poster

To clear up confusion about what i meant with those links before, i am going to repost a scrap and add one word:-

"Now, Smitfraud... it's easiest to go with a specialised tool, so download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.

This NEXT link has a download for the latest update file for Adaware....
http://www.download.com/Ad-Aware-SE-...l?tag=lst-0-10
Unzip it and paste the update into the Adaware folder so that it overwrites the old one."

Yeah. Travel well.

gerbil 216 Industrious Poster

before you charge gladly out, run the BlBeta by f-secure again, then the panda online scan immediately once you do connect :- http://www.pandasoftware.com/products/activescan?
Then run this scan:- http://www.kaspersky.com/virusscanner
Then go here http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx and get RKR and run it [following the instructions absolutely!!, which is why the link is at the bottom of the page - read it!], if it comes up clean you can breathe again.
Finally dl a new Spybot and run it again. Some trojans deliberately detect Spybot and break it. Please do not use the laptop for sensitive webwork like online banking until you have copied off text files, pictures if you are game, and then reinstalled windows with a full format. It may well still be compromised until you do.

gerbil 216 Industrious Poster

jusched - remove this by unchecking the box in Java, update via control panel.
issch & isuspm - not needed
igfxtray & igfxpers - not needed
googledesktop - this one's up to you... it's just a text searcher for words in webpages, files, emails etc... do you use it?
realsched - update manager for Real player. not needed.
ypager - not needed
dsagent - not needed
AOLLaunch - you use AIM messenger service, so you may need this, but test that premise by checking it.

The ones i have ignored are fine - you need them running from start.
The ones i have noted above you can uncheck. By this i mean do not delete them as files, they are needed whenever you start the partic service manually.

Right... : msicfapp - did u misspell this? mscifapp is needed, don't uncheck it.
Similarly with WXCSLDR2 - should be WZCSLDR2, which IS needed for your wireless. Leave it.

gerbil 216 Industrious Poster

paste a printscreen into your word editor, crop it and post it that way.

gerbil 216 Industrious Poster

steve, if you're trying to boot off a LAN, then the flash image ain't in your puter, it's in the server your puter tries to boot from, ie at your place of work. You will not be able to touch it. Unless you are booting from a LAN at work, change your boot order to HDD first.
And GWA, well, it's up to you. Anyway, i'm glad that worked to get you back on the net. Cheers.

gerbil 216 Industrious Poster

yep, ok... i notice you got some advice re IRQL assignments also. If you ever find a way to change them with XP please let me know. M$ swear that you cannot. Btw, my major drivers/hardware each have their own IRQL, from 1 up to 23. Interesting, huh? Something to do with BIOS, and the types of cards etc you are using. But sharing IRQL's should not lead to conflicts with PCI cards.

gerbil 216 Industrious Poster

wha...!!?? the download of defs.zip is the ONLY dl on that linked page i gave you.... Button is right underneath Adaware Personal definitions.... file...heading.
i gave you that link cos some trojans block u from connecting to lavasoft.

gerbil 216 Industrious Poster

reformatted, but you give no details really.. if windows is in its own partition did you give it plenty of room, incl for its page file? 5GB min for home, pro needs a lil more. dunno really, but it sounds like heat or free space.

gerbil 216 Industrious Poster

haha!! yeah, sometimes brute force is the real trick. Ok, but you chaps are my labrats! I need you to test out my solutions; i yearn for finesse, the light and deft touch that soothes and solves..... sigh....
Installing a new opsys only does a very rapid disk check.... try chkdsk sometime.

gerbil 216 Industrious Poster

lots of third party software gives you the opp to modify the startup list without seeing that M$ message.... an example is AVG Antispyware 7.5, another is CCleaner, a neat little cleaner you can configure to just do your regular housekeeping by cleaning out temp files, or much more stuff like registry cleaning.

gerbil 216 Industrious Poster

heh... check the box n hit OK.
Selective mode just means it's going to use your selections. Normal mode, which you can reenter just by going to msconfig again and into the general tab..etc... will put you back where you originally were, if you so wish, with all those startups rechecked. [M$ has lotsa messages like that to confuse or scare folk]

gerbil 216 Industrious Poster

Sorry, with that last post i was just giving some examples of things that you do not really need to autostart. HijackThis can be used to remove some things by fixing, but until you know what is safe to remove via that path it is best not to try it unassisted.
Dell sold the puter with software installed? Yep? well they put that R0 entry there. So next time you run HT, just put a check beside that entry,
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
and press FIX.
No, don't try running those things.... they do already. Just review which ones you wish to autostart as i said above. Good luck.

gerbil 216 Industrious Poster

wolffie, that link i referred to earlier has the latest personal definitions file for Adaware. Just download it [it is defs.zip] to your desktop or a scratch folder, unzip it to the same folder and then paste the resulting defs.ref file into the Lavasoft\Adaware program files folder, replacing the existing one.

On my sys i have a partition dedicated to temporary files.... so there are Downloads and Scratch Pad folders amongst all Windows's temp files. Smitfraudfix and Adaware update would have gone to Downloads and have been extracted to Scratch Pad, and then dealt with... i find it clean that way. In my E: drive where all my 3rd party applications are located i have a folder Cleaning Services which is where a lot of these temporary AV, anti trojan services go. Temporary? yep, u always get the latest version.

Placing the smitfraudfix folder inside Adaware would not have done any harm - it would just ignore it. But no, i said for the smitfraudfix folder to go on your desktop [ or another place will do]. Move it out of Adaware.. [when you unzip or otherwise extract stuff, you get to choose where you want it to go...]
So now redo the Adaware thing. Download that .zip, unzip it and paste it into the ProgramFiles\Lavasoft\Adaware folder.

Disconnect from the net. Check that a Restore point has been made. Run CCleaner. Go to Safe Mode.
Fascinating stuff... Spybot must be removing some Smitfraud files - …

gerbil 216 Industrious Poster

Sorry, a bit of laziness crept in, and hopefulness with it i guess. Anyway, this is not the cause of your problem; simply your java virtual machine is outdated. So go to control panel > java > update tab and force it to update now. Vsn 09 is the latest, i believe. Once the update installs, still in control panel > remove pgms, remove any earlier instances of java.
A lot of the processes you have running are for tray icon display or automatic update checking for software like players that you really only need to update every few months... they can be safely removed either via their own options when you rclick on them, or by fixing them with HT. Another way is to view your list of applications programmed to run at startup.
-this one gives u an analog devices tray icon : C:\Program Files\Analog Devices\Core\smax4pnp.exe
-this one schedules updates for installshield, a pgm installer..: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
-this one is a tray icon for jukebox: C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
..and there is a whole lot more. you have Jukebox, realplayer, analog devices
How often do you connect your PDA to your PC? the linker is running all the time.. : C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE ...you can start it manually when needed. Like a lot of this stuff.
These two are unnecessary.. :C:\Program Files\QuickTime\qttask.exe and C:\Program Files\Common Files\Real\Update_OB\realsched.exe
You say you like AIM, and that is fine, but you also have AOL's …

gerbil 216 Industrious Poster

one other thing, use java app via CP to update your java machine, then uninstall the older version.

gerbil 216 Industrious Poster

k, i'll jump in. firstly, the log's clean. full, but clean. Do you really need all that media stuff running from startup? I am not a great audio fan - i struggle on with WMP9 [vsn 10 has extras i do not wish to use]. But you have a lot - i guess it should not conflict, but...
AOL. You can use it as an isp without having to run their software, unless you like the baggage that comes with it. It is slowing you down, chewing resources.
CPU at 38% and constant??? What were you running at the time? A WWIII simulation? If mine is loaded with its startups but is just sitting there, no dl's running or data streaming etc, no music playing, well, it shows 0%.
If you need help you will have to show an apps screen from TM when you have that 38% CPU usage, plus a processes screen. With the latter, go to view tab, column select and tick page faults, CPU, CPU time, mem usage, user name.
Glance at networking while pc is web-inactive - graph should be at zero.
Mouse is jerky? i guess it just has trouble getting an interrupt squeezed in. Music too? The whole PC pauses? Ok, it's no use troubleshooting drivers or reinstalling them yet... just come back with that stuff i asked for. Your computer is not breaking, it's just some process taking all its resources for a while. You might, while …

gerbil 216 Industrious Poster

Then rerun Adaware in safe mode, and once back in normal windows mode try this scan online:- http://www.pandasoftware.com/products/activescan? Give them some details, and follow the scan buttons.
Run HT again and post the log, plus the Panda log.

gerbil 216 Industrious Poster

Btw, if i run a network analyser i see that i get approx two hits per minute from sites willing to share problems... they are always searching, searching for unguarded computers ie no firewall set up. Until you tire of it and stop it reporting such stuff, ZA will alert you also.

gerbil 216 Industrious Poster

Good-oh, that was a randomly generated identifier. Before you try to install SP2 again let's try to clean up fully.
Now, Smitfraud... it's easiest to go with a specialised tool, so download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
This link has a download for the latest update file for Adaware....
http://www.download.com/Ad-Aware-SE-Personal-Definition-File/3000-8022_4-10603995.html?tag=lst-0-10
Unzip it and paste the update into the Adaware folder so that it overwrites the old one. This procedure will bypass the download block that some trojan has placed on Adaware.
Okay. Shut down the net, and in an explorer window, folder options, view, "Hide protected operating system files" box must be unticked, and "show hidden files and folders" selected. [ i always leave this latter setting in place, but NOT the former]. Run CCleaner.
Go to Safe Mode and perform a full Adaware scan and remove all the problems it finds. If it finds anything, scan and clean again, and so on until it comes up emptyhanded.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear, which lists infected files (if present). Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
Try SpyBot again after updating it. If it runs fully, then try this scan online:- http://www.pandasoftware.com/products/activescan? Give them some details, and follow the scan buttons.

gerbil 216 Industrious Poster

ah, poto, then i suspect your HD is dying... you could run chkdsk from recovery console with your [or any] XP install CD... There are lots of instruction sets on the web for doing this, but this site is fairly clear and complete... http://www.schrockinnovations.com/chkdsk.php
You may be prompted to run chkdsk /F as well.

gerbil 216 Industrious Poster

a decent firewall? cannot believe i left you relying on windows firewall with this problem!! the W firewall is great right up until you get a problem with a hijacker or callout trojan, then it's just rubbish. i am sorry for that! go here and get the free firewall, i use it and think it is fine [it's the last one...]
http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads
Download it, shut off the net, turn off windows firewall in security centre and then install ZA and restart. Then run Fixwareout again and do the network connections check and DNS flush, and keep it off the net. Meanwhile i shall check your latest logs and get back.
[with that firewall, when you eventually do try to go on the net it will ask you for permissions for everything that needs to go outside - be very wary of most things, think about what you are allowing to contact other servers. the firewall will give you info on what is happening]

gerbil 216 Industrious Poster

..the pxe error code. There is a problem with your network interface card [nic]. First check in BIOS that it is set to boot from HDD first > FDD > LAN[pxw?] last. IF that doesn't fix it then update your BIOS, failing that it is prob a new NIC card....
Bit of info:
PXE-E05
EEPROM checksum error
This message is displayed if the NIC EEPROM contents have been corrupted. This can happen if the system is reset or powered down when the NIC EEPROM is being reprogrammed. If this message is displayed, the configured bootstrap type (Int 18h, 19h, PnP/BEV) has been lost and a default bootstrap type is selected. The default bootstrap type will be set to PnP/BEV if the system supports the PnP/BBS runtime functions. If the PnP/BBS runtime functions are not supported, Int 18h is the default bootstrap.
This poss makes more sense:-...
PXE-E05: The LAN adapter's configuration is corrupted or has not been initialized. The Boot Agent cannot continue.
The adapter's EEPROM is corrupted. The Boot Agent determined that the adapter EEPROM checksum is incorrect. The agent will return control to the BIOS and not attempt to remote boot. Try to update the flash image. If this does not solve the problem, contact your system administrator or Intel Customer Support.
You should be able to find a driver file that creates a bootable floppy to upgrade the nic boot manager. Try tosh, intel..
And the S3 …

gerbil 216 Industrious Poster

do you actually have a problem, or is this just a checkup?anyway, it looks clean to me, and you're welcome. But update that sun java...09 is current. Use yours to download the update, uninstall then install the latest. Set update to check monthly, but not to install by itself cos it never uninstalls the old. Actually, installing the new and then uninstalling the old seems to work just as well. I dunno...
One point, i think that may be the first O11 entry i have seen. International*. what's it do for you?

gerbil 216 Industrious Poster

Ccleaner and regular use... just leave checked the temp folder, temp inet folders, cookies, history if you wish.... whatever, and the app cleans em out in one click. or so. and it's one of the few reg cleaners you don't have to pay for.... efficacy? well i have found that all proprietary reg cleaners find some different stuff each.... so nothing's perfect.

gerbil 216 Industrious Poster

oh, yeah... baciami does break spybot etc... so it could have been stopping sp2 going in...

gerbil 216 Industrious Poster

cor wolffie.. there is going to be a lot of reinstalling of software after this.... but we want to save data.
Baciami is a hijacker. Try downloading AVG Antispyware 7.5, installing and updating. Then, under Scanner > Settings set recommended action to Quarantine. Run a full system scan.
From http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe download fixwareout and save it to desktop.
From an explorer window > tools > folder options > view, set show all hidden files and folders.

Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.
Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.

Okay, in normal mode run HT again and repost. SP2 installation …

gerbil 216 Industrious Poster

Uh-oh... :) Right, before you run that there are a couple of housekeeping things i insist/would like you to run first.... and maybe once you do you won't need help, and as a bonus you'll know more n feel good.

I would like you to download CCleaner from http://www.ccleaner.com/ and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's just a neater thing.
Get Adaware SE Personal from http://www.lavasoft.de/software/adaware/
- install it. Update it. Explore what settings you can change in it [via the cogwheel icon up top, if you are comfortable with that... you won't hurt anything]. Put an icon on your desktop for regular use.
Next go here to get Spybot S&D :- http://www.safer-networking.org/en/download/ Update it.
Finally choose a dl site from here to get hijackthis: http://www.spywareinfo.com/~merijn/programs.php#hijackthis

Okay, with the net off...
- run Ccleaner from the recycle bin rclick menu [if you set up CCleaner as i suggested, rclicking the bin icon should give you the run Ccleaner option...]
- Do a full Adaware scan and remove all the problems it finds.
- Run SpyBot S&D. Create the registry backup, then check for problems. Select and fix problems.
By now you're probably clean... at least from milder bugs.... if not then it's time for Hijackthis. Please …

gerbil 216 Industrious Poster

this site may help, esp 2nd page.
http://www.pcmech.com/show/bios/81/
btw, you cannot use someone else's key even if it is legit and is accepted during activation, unless they no longer want it. M$ product activation would knock them over within a month [it checks...]

gerbil 216 Industrious Poster

ok, enter safe mode if you can via pressing F8 key immediately after POST runs and before the drive detection screen blacks out.... check the startup folder contents for all users and delete any entry you do not recognise.
If that does not work run CHKDSK /r from your XP install CD.

gerbil 216 Industrious Poster

you may well be right. if you've formatted then it all comes down to hardware and BIOS. Download a windows system setup floppy from http://freepctech.com/pc/002/files010.shtml and see what you can do.

gerbil 216 Industrious Poster

go into the BIOS at startup [delete key?] and enable extended memory checking... just see how much of your RAM is working.

gerbil 216 Industrious Poster

as its name implies, svchost is a process that handles multiple services - these services are grouped into each of several host processes, so you may see 5 or 6 svchost processes running. in task manager you can see which partic host is running hot.. and that is all. you need more software to go deeper to see which service is causing the problem - just stopping that partic svchost can cause all sorts of mayhem. So go to sysinternals [don't be surprised to see it is now part of M$] and get ProcessExplorer. Unzip it into its own folder and run it by dclicking the exe. Read the webpage, the help file and then go to it and find the bad service. it may be corrupted or just locked in a loop cos it cannot complete. Stop it and see what happens. tell us what you find. Please.

gerbil 216 Industrious Poster

wolffie, just a bit of info, don't try to force XP to start in safe mode via msconfig in normal mode.... if at the moment there is a problem with safe mode starting, then you will never be able to get back to normal mode cos you'll be caught in a loop....This is just in case someone suggests it...

gerbil 216 Industrious Poster

anyway, if you come back with the process that is using cpu time, someone may have an idea..... printer queue, bad drivers/software, virus.... plenty to choose from.

gerbil 216 Industrious Poster

when the CPU runs at full steam it eats a lot of amps and gets hot, hence the fan at high speed. Now, i promise you we won't be getting the screwdrivers n spanners out. Instead, open task manager and see which process is taking up the CPU time [ignore sys idle process..for our purposes it basically is just that - what the cpu does when nothing else is happening]. You could post it here and wait, or better still go to sysinternals site [which has been totally taken over by M$ now, but no matter.. yet..] http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx and download process explorer 1.5 ; unzip it to its own folder. Read the help file and that web page. Now start PE by dclicking the .exe. Go to View and tick Show Lower Pane, then expand Lower Pane View and select DLLs. Find that greedy process [it will have a higher CPU number, which jumps a bit as in task manager] in the left hand tree view [you may have to expand sections...], click on the process or "sub" process and you will get a list of .dlls it is using. Now the tedious bit - google any which are not owned by M$ or some other reputable company. And that's easy. Just lclick on any dll and you'll see where it is, rclick and you can check its properties... or open a google window of it. Wow! huh? Enough to keep you busy... Tell us what you find.

gerbil 216 Industrious Poster

wolffie, if for the timebeing you cannot get into safe mode run thru those fixes in post #9 in normal mode. You just gotta get rid of those proxies for a start!

gerbil 216 Industrious Poster

This is what happens when you just delete a virus file that is a requirement of a process remnant in the autostart menu, or which is the target of a key still in registry.... just looking at the autostart menu may tell you, but i doubt it. You could do a manual search of the registry for its keys, or run CCleaner which will remove any orphaned keys, or run HiJackThis which should reveal any autostart programs etc that use it. Post a log here; someone will run an eye over it.

gerbil 216 Industrious Poster

sorry about the broken posts, but i am working on other stuff... you'll be fine if you read em right thru before you do anything. lemme know how you go... And those IP's ARE BAD!!! I checked em out.

gerbil 216 Industrious Poster

But first, you could go to control panel and remove MyWebSearch, then reboot into Safe Mode and run HiJackThis from there with NO other apps running, and NO net connection open..and fix these entries:-
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-37C9A5676A7} - (no file)
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
Next thing... i notice you use a proxy, but do you recognise these two IP's??
85.255.115.94
85.255.112.24
I have a feeling that they are bad.... perhaps you could use another puter to post your next scan? I mean, don't go on the web with your infected one.
...I'm still checking stuff.... i think somehow you have had some bad proxy addresses written into your puter, and that R1 entry is directing your puter to use them. so fix these also [STILL IN SAFE MODE]:-
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{71431A58-FADC-49D9-8463-E5C900990C0C}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC1A7B83-A243-4946-8A6A-D8C7AA654F48}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
Finally, please reboot into normal windows again, rescan and repost.
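
As an added example alongside the post above (my code, not gerbil's and not part of the original thread): a small script that does the same triage on a HijackThis log, pulling the O17 NameServer entries and the R1 proxy keys out and listing the exact lines to tick and Fix. The log text inside it is constructed to mirror the entries quoted above, and EXPECTED_RESOLVERS is an assumption you replace with whatever resolver the LAN or ISP really hands out.

```python
"""Triage the DNS-hijack indicators in a HijackThis log (R1 proxy keys and
O17 NameServer entries).

Added example for this thread, not code from the original post. The log
lines below are constructed to mirror the entries quoted above, and the
EXPECTED_RESOLVERS set is an assumption: replace it with the LAN/ISP
resolvers the machine is supposed to use.
"""
import ipaddress
import re

# Assumption: the only resolver this machine should ever be handed.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
R1_RE = re.compile(r"^R1 - (?P<key>.+?),(?P<name>Proxy\w+) = (?P<value>.+)$")
# Depending on the key, HijackThis separates several servers with commas or spaces.
SPLIT_RE = re.compile(r"[,\s]+")

# Constructed sample; the all-zero GUID on the last line is a placeholder.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{71431A58-FADC-49D9-8463-E5C900990C0C}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""


def parse_nameservers(value):
    """Split an O17 NameServer value into IP addresses, skipping junk tokens."""
    servers = []
    for token in SPLIT_RE.split(value.strip()):
        if not token:
            continue
        try:
            servers.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # a malformed token should not abort the triage
    return servers


def is_suspect_resolver(ip, expected=EXPECTED_RESOLVERS):
    """A resolver is suspect when it is neither one we configured nor a
    LAN/loopback address: DHCP normally hands out the router or the ISP
    resolver, so an unexplained public IP is exactly the rogue-DNS pattern
    the post is pointing at."""
    if ip in expected:
        return False
    return not (ip.is_private or ip.is_loopback)


def triage(log_text, expected=EXPECTED_RESOLVERS):
    """Return the suspect resolver IPs and the exact log lines to tick in
    HijackThis and press Fix on."""
    suspect = set()
    lines_to_fix = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            bad = [ip for ip in parse_nameservers(m["servers"])
                   if is_suspect_resolver(ip, expected)]
            if bad:
                suspect.update(str(ip) for ip in bad)
                lines_to_fix.append(line)
            continue
        m = R1_RE.match(line)
        # Any proxy setting the user did not create is part of the hijack.
        if m and m["name"] in ("ProxyServer", "ProxyOverride", "ProxyEnable"):
            lines_to_fix.append(line)
    return {
        "suspect_resolvers": sorted(suspect, key=ipaddress.ip_address),
        "lines_to_fix": lines_to_fix,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Suspect resolvers:", ", ".join(result["suspect_resolvers"]))
    for line in result["lines_to_fix"]:
        print("FIX:", line)
```

Run it against a saved log (paste the log into SAMPLE_LOG or read it from a file) and the O17 line with the legitimate 192.168.1.1 resolver stays untouched while both 85.255.x.x lines and the R1 ProxyOverride line come out as things to fix. The private/loopback test is deliberately loose; if your ISP hands out a public resolver by DHCP, put it in EXPECTED_RESOLVERS rather than loosening the check further.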

gerbil 216 Industrious Poster

Some trojans etc do their level best to prevent antispy software running, or downloading updates, or block security websites, or all of the above. Please, from normal windows mode and with NO other windows/apps open, run another HT and post the log.

gerbil 216 Industrious Poster

heh heh... i'm going to just guess that you did not reboot before re-running hijackthis to post the fresh log... but no matter, things are looking cleaner. Quite clean, actually. Do not try to fix those O23 Avast entries that say file missing- I can see above that the files actually are there, so these are just misinterpretations by HT.
Do you need a java virtual machine [SUN JVM]? I don't see it there.... but you do not absolutely have to have it... it makes some things on websites run, some games need it, amongst other more important things [well, impt if you run java programs..:)...]
You do not say what process is trying to start internet explorer... any URL it is trying to contact should be visible on the lower margin. I could suspect that it is one of the AOL services that you run - i just do not know it because i do not have access to it. I see no 3rd party firewall, so i assume that you run with Windows firewall. It's a good basic firewall that makes you invisible on the net, but lets anything inside your PC call out without restriction or notification.. A good free alternative is ZoneAlarm - you initially have to check and allow processes to call out if they need, but when you first allow iexplorer to connect it should tell you where it is calling.
Anyway, for a start, fix that toolbar item,
R0 …

gerbil 216 Industrious Poster

forgot something... is there any big reason why you don't run xp sp2?

gerbil 216 Industrious Poster

hello wolffie.... for a start you have a vundo infection... these online scans are not all-seeing...
I would like you to download CCleaner from http://www.ccleaner.com/ and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's just a neater thing.
The silver bullet: download vundofix from this site:-
http://www.atribune.org/content/view/24/2/
This [an 85 kB file] is the latest version. Read the instructions on that webpage. Make these preparations [which may not strictly be necessary, but stopping vundo from copying/blocking is wise.]
-disconnect from the net.
-in a windows explorer folder > tools>folder options>view, and untick "hide protected operating system files"
-run CCleaner
-reboot to safe mode and run vundofix. If it recognises virus files then remove them.
-reboot to normal windows mode and move HiJackThis to a new folder alongside your program files. Run HT again and post a new log and then we'll fix some more mundane stuff.
Btw, your inet explorer could stand an updating, even if you stay with IE6.

gerbil 216 Industrious Poster

This one is spyware... fix it.
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll

This one is innocuous spyware from realtek. it does no harm, but it's up to you...
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

These next 3 slow down your startup time, and are not necessary... if it comes back just rename realsched.exe to realsched.exe.old
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

This one is no good at all. Fix it.
O4 - HKLM\..\Run: [hjwgstcnxscz] C:\WINDOWS\System32\aqyjnzxc.exe

--Do you run multiple monitors from your puter? if not, fix this next one... it could be causing your display to jump and split.
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

-Do you use this? if not, remove via control panel...
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxmk572YYUS

-Your java machine [SUN java] appears to be broken... have you uninstalled it intentionally? Fix these two entries also... uninstall it via control panel, and then if you wish to have it, download the updated version from the SUN website.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

The trusted zone... TRUST NOBODY!!! fix these 3...
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://www.neopets.com
O15 …

gerbil 216 Industrious Poster

jeni..this safe mode thing sounds bad... Others here may have an idea... but anyway... safe mode only allows administrators to use it... either the default system administrator or users with administrator privileges. So the next screen after your blank black with safe mode inscribed in the corners should be a blue login screen.... i dunno, but if no admin accounts then maybe no blue login screen? Please tell me your machine has an administrator account still?

gerbil 216 Industrious Poster

For a start, you have look-to-me adware.... so go here http://www.f-secure.com/tools/f-look2me.zip and dl f-look2me and as an administrator, unzip it and run the .exe. Reboot.
I would like you to download CCleaner from http://www.ccleaner.com/ and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's just a neater thing.
Now go to grisoft.com to update from Ewido 4 to AVG antispyware 7.5. Uninstall Ewido then install AVG A-S 7.5. Update it.
Get Adaware SE Personal from http://www.lavasoft.de/software/adaware/
- install it. Update it.
When it finishes updating files go get this free beta [blbeta.exe] from http://www.f-secure.com/blacklight/ and install it also.
Finally go here to get Spybot S&D :- http://www.safer-networking.org/en/download/ Update it.
You have a couple of other trojans in there also, so memorise these instructions... or copy em to notepad. Or just use Opera...
Ok, you're done with the net. Shut it down. Disconnect...
Rclick your recycle bin and run CCleaner. [or go to its folder and dclick ccleaner.exe] You will lose a lot of handy stuff like histories etc... but there is a job to do...
Now go into safe mode [Restart, F8 and select Safe Mode and Enter.... You'll get a dark desktop with icons etc...]
Note: Close all open windows, and DO NOT USE …

gerbil 216 Industrious Poster

.. course, i could well be wrong, but i'm trying... :) Anyway... GWA is a bandwidth waster.. at your expense. When you visit a page, GWA downloads to you all the stuff linked from that page and hides it while you read the first page. If you click a link, well, GWA probably already has that new content cached on your machine. The linked pages you don't click on are a waste of dl time and units. Still more, GWA ignores the javascript that may come with a button click [cos it cannot read or interpret the written instructions in the javascript code - a "do you really want to do this" looks no different to "press enter to confirm" to a puter]... so you can get some bad stuff happening.

gerbil 216 Industrious Poster

Hi steve, you did not specifically set up a proxy, but you have google web accelerator on your machine. The way it works is that your net connections go thru one of its servers which stores pages that you visit frequently, updates them if needs be, and makes them available to you so that your connection is more local and faster than a connection to the actual website - you get the pages from google even though you are connected to that remote website. Problem is, for you, you are showing a connection to a busted google server [or proxy]. Google web accel has left you with a permanent link to a dud proxy when you first installed it. You could get a new proxy by uninstalling GWA and reinstalling it. But i think i would just leave it uninstalled. Anyway, it only speeds up loading of webpages you have visited plus a few it thinks you may visit - it doesn't speed up new sites, data downloads or mp3's etc.
So, try uninstalling GWA from control panel; there is no need to use HT to fix anything... tell me how it goes?

gerbil 216 Industrious Poster

go off to sysinternals and get a couple of apps. Since SMTP uses TCP, port 25 u can watch it with TDIMon, track it with TCPView both to the process handling it inside your PC and the remote addresses which will be identified. Then use ProcessExplorer to get the keys used, files, and DLLs loaded by the process. Go silly.
[ I suggest you set up a folder called ... umm... Monitors in your apps drive, then subfolders named for the 3 apps from sysinternals i have mentioned above, and unzip them into their own folders...]
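
Added example, not gerbil's code or anything from the original thread: the join that TCPView shows you (socket to PID to image name) done by hand from the text output of `netstat -ano` and `tasklist`, filtered to remote port 25. Both captures below are constructed for the illustration, and the process names and PIDs in them are invented.

```python
"""Attribute outbound SMTP (TCP/25) connections to their owning process from
the text output of `netstat -ano` and `tasklist`, i.e. the same join that
TCPView displays.

Added example for this thread, not code from the original post. Both
captures below are constructed; the process names and PIDs are invented.
"""
import re

# netstat -ano rows: UDP rows have no State column, hence the optional group.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)
# tasklist rows: image, PID, session name, session number, memory.
TASKLIST_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+")

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1045       198.51.100.20:80       ESTABLISHED     1220
  TCP    192.168.1.5:1052       203.0.113.7:25         ESTABLISHED     2992
  TCP    192.168.1.5:1053       203.0.113.9:25         SYN_SENT        2992
  TCP    192.168.1.5:1054       198.51.100.4:25        ESTABLISHED     1880
  UDP    0.0.0.0:500            *:*                                    720
"""

TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
outlook.exe                   1880 Console                    0     41,212 K
svchost.exe                   2992 Console                    0      4,908 K
iexplore.exe                  1220 Console                    0     22,140 K
"""


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) for each socket row."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append((m["proto"], m["local"], m["remote"], m["state"], int(m["pid"])))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output; header rows do not match."""
    images = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            images[int(m["pid"])] = m["image"]
    return images


def remote_port(addr):
    """Port of a 'host:port' string, or None for '*:*' style wildcards."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def smtp_talkers(netstat_text, tasklist_text, port=25):
    """Return {pid: {'image': name, 'remotes': [addr, ...]}} for every process
    with a TCP socket whose remote end is `port`. Half-open SYN_SENT rows are
    kept on purpose: a spam engine hammering dead relays shows up there first."""
    images = parse_tasklist(tasklist_text)
    talkers = {}
    for proto, _local, remote, _state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or remote_port(remote) != port:
            continue
        entry = talkers.setdefault(pid, {"image": images.get(pid, "<unknown>"), "remotes": []})
        entry["remotes"].append(remote)
    return talkers


if __name__ == "__main__":
    for pid, info in smtp_talkers(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"PID {pid} ({info['image']}) -> {', '.join(info['remotes'])}")
```

Reading the result is the point: a mail client owning port-25 sockets is expected, whereas a `svchost.exe` or an image you do not recognise talking to several remote hosts on 25 is the process to open in Process Explorer for its DLLs, handles and registry keys, exactly as the post suggests.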

gerbil 216 Industrious Poster

it's a cunning worm. first off, it stops most common Av applications and cleaners. so yep, if they cannot run, they sure won't find it! It blocks any windows with .exe in the name, plus task manager and regedit. It also stops you via HOSTS file entries from contacting a lot [hundreds] of AV and online scanning sites. Cute.... oh, and it blocks a handful of porn sites too...
Xoft have a free scan that is not blocked... http://paretologic.com/xoftspy/lp/17/

Or try the removal tool from here. READ the instructions on the webpage! If you want to run this one you will have to change the .exe's name from remover.exe to... i dunno....swish.exe? [the string "remove" is blocked by the worm]
http://wirusy.antivirenkit.pl/en/szczepionki/Brontok.html
Note that I have not run this tool myself, so i don't make any warranty that it works, or will not do damage itself. Just the fact that the .exe contains a string which is blocked by the latest worm version bothers me a bit.... I cannot really recommend it, but if you get desperate...

From another clean PC u can read what you are up against here.... http://www.f-secure.com/v-descs/brontok_n.shtml
or try the removal method from this site... http://antivirus.about.com/od/virusdescriptions/a/rontokbro.htm
Once you are clean and pc is functioning, clear old restore points [by turning sys restore off then on again], and make a new restore point. Delete files on any thumb-drives you have used.
Come back …
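
Added example, not gerbil's code or anything from the original thread: a check for the HOSTS-file trick the post above describes, where the worm points AV and online-scanner hostnames at loopback so updates and scans never get out. The HOSTS text in it is constructed; on XP the real file lives at %SystemRoot%\system32\drivers\etc\hosts, and the script is meant to be run from the clean PC over a copy of that file.

```python
r"""Find HOSTS-file entries that redirect or black-hole security vendor sites,
the trick the post describes Brontok using to keep AV updates and online
scanners unreachable, and rebuild a clean file.

Added example for this thread, not code from the original post. The HOSTS
text below is constructed; on XP the real file is
%SystemRoot%\system32\drivers\etc\hosts.
"""
import ipaddress

HOSTS_SAMPLE = """
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.f-secure.com
127.0.0.1       www.kaspersky.com      kaspersky.com
0.0.0.0         securityresponse.symantec.com
127.0.0.1       update.grisoft.com  # added by nobody you know
"""

# Names a stock HOSTS file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def _host_line(raw):
    """Parse one HOSTS line into (ip, [names]); None for comments, blanks
    and lines the resolver would ignore anyway."""
    code = raw.split("#", 1)[0].strip()
    if not code:
        return None
    parts = code.split()
    try:
        return ipaddress.ip_address(parts[0]), [n.lower() for n in parts[1:]]
    except ValueError:
        return None


def parse_hosts(text):
    """Yield (ip, hostname) pairs, one per name on a line."""
    for raw in text.splitlines():
        parsed = _host_line(raw)
        if parsed is None:
            continue
        ip, names = parsed
        for name in names:
            yield ip, name


def suspicious_entries(text):
    """Every mapping other than loopback -> localhost is a redirection that
    somebody put there. Black-holing to 0.0.0.0 counts just the same."""
    return [(str(ip), name) for ip, name in parse_hosts(text)
            if not (ip.is_loopback and name in LOCAL_NAMES)]


def rebuild_clean_hosts(text):
    """Return the HOSTS text with only comments and the loopback/localhost
    lines kept, i.e. what you write back once the worm is gone."""
    kept = []
    for raw in text.splitlines():
        parsed = _host_line(raw)
        if parsed is None:
            if not raw.split("#", 1)[0].strip():
                kept.append(raw)  # comment or blank line, harmless
            continue
        ip, names = parsed
        if ip.is_loopback and names and all(n in LOCAL_NAMES for n in names):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for ip, name in suspicious_entries(HOSTS_SAMPLE):
        print(f"redirected: {name} -> {ip}")
    print("--- clean file ---")
    print(rebuild_clean_hosts(HOSTS_SAMPLE), end="")
```

The list it prints is also the list of sites you will not be able to reach from the infected machine, which is why the post says to read the write-ups from another PC. Writing the rebuilt file back only helps once the worm is no longer running, otherwise it just puts the entries back.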