gerbil 216 Industrious Poster

Ryun, those logs look good to me. [the Panda virus detection is okay, it has just picked up a normal file in combofix].
You may delete combofix, its extracted files, C:\qoobox and combofix.txt.
So everything is fine now?

gerbil 216 Industrious Poster

Desktop\My Documents has no My... folders under it? Oh. I'm not sure how you can have that.... well, it is something I have never explored, deleting those links. I don't see why you could not, though; they are considered a bit "special" by Windows...
In C:\ Local Drive under D&S\Admin, or Dad, or Me you will see a lot of folders repeated... the items in those folders pertain to each user and yes, some are duplicated because each user is meant to have access to some same stuff - it is how some things are shared, or not. eg, if you click Me\Desktop you will see a list of the icons which appear on your desktop such as Age of Empires or Chicken Shoot, if you click Dad\Desktop you will see some different icons listed, like Lawn Bowls or Things to do with Wood...
Under Application Data for each user you would have program folders - these contain files and settings for each user. And so it goes. Don't play too blindly with these.. or a lot of the others, like Local Settings...

gerbil 216 Industrious Poster

"which file should all files be stored under?
Directly in the c drive or in the my documents in c drive? or... in the users file?"
Personal choice rules here. I know some people who have EVERYTHING stored in My Documents. I know one person who has EVERYTHING stored in Outlook Express... I prefer to have a more extensive directory structure where related files are stored, using My Docs for temporary stuff only.

gerbil 216 Industrious Poster

My Documents in Explorer is a list of shortcuts which give quick access to files actually held in [eg] C:\Documents and Settings\User [or Admin, or...]\My Documents\My.....
So there is no actual duplication of files. As an example and to illustrate what I mean by that, rclick on My Documents\My Pictures in Explorer, > Properties and read Location. See where the file actually is?
When you go on the web it is safer to go on as a User - that way access to registry is limited. Really the only time you need to be logged on as an admin is when you wish to alter your setup... to install some pgms, fiddle with the OS, or run some certain pgms which involve checking/changing registry settings or reading\modifying system stuff.

gerbil 216 Industrious Poster

If you remove User accounts you won't destroy the files belonging to them; if you are just going to run as an administrator you will have access to everything.
If in the future you decide to create a new user account [even with the original name] for yourself you will not have access from that new user account to the My Documents files that were under that orig user name [or any other] -you will have to take ownership of them.
If you run as an administrator stuff you download from the web [unintentionally] will have access to everything.
Clear?

gerbil 216 Industrious Poster

Copy these downloads into the pc. They fit on a floppy.

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
=You must restart your computer in Safe Mode:
- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report …

gerbil 216 Industrious Poster

Ryun, we need to look a little deeper then. Clean, then try the first, and then if your IE [it must be IE] will allow it, the second scan also.
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... …

gerbil 216 Industrious Poster

Nice. It looks all clear from my side of things.
Cheers, Kestrel.

gerbil 216 Industrious Poster

This should help:
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in Safe Mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows.
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]

==Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no …

gerbil 216 Industrious Poster

Hello, ryun.
Delete this file:
C:\WINNT\System32\lgbpd.exe - if it is running just stop it in TM and then try to delete it again.
Good. Uninstall MyWebSearch via Add/Remove pgms.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINNT\System32\lgbpd.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...4YYUS_ZZzer000
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab

Finally: Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.5 is current....
And let's hope that is it. Say how things are...

ryun commented: He is a genius +4
gerbil 216 Industrious Poster

Borrow a cd... OEM or full licence, both types will have a Recovery Console on them. And this is one problem where windows cannot fix itself simply because it cannot start.
You can also download a variety of bootable cd iso's which you can burn an image of, and use them to access your boot.ini file.
Good luck.... this problem does not call for either a reinstallation or a new computer. It is quite straightforward to fix if you have the tool, a bootable cd.

gerbil 216 Industrious Poster

Jode, bootmgr is Vista, right? You might try the piggyback again but format using Windows XP, not Vista. Reason is that format clears the file tables, writes in the file system structure and the MBR for that partition. If you do a normal format that partition's disc structure is also checked for errors, whereas with a quick format it is not checked. These are both high level formattings. Neither of them are data erasures!
Are you certain you got the boot order correct? Try F11 during startup POST. Start the Recovery Console from your XP cd, format [quick or normal, no matter here] and fixboot.

gerbil 216 Industrious Poster

The only way past your problem is to not try to boot your OS. It just will not start. You must use a bootable cd .. eg, your Xp installation cd is one such... there are others... and manually edit C:\boot.ini as I stated above.
If you boot with an XP installation cd Recovery Console is about your first choice available to you. Enter it and use the bootcfg command. Change the boot order by pressing F11 during startup and selecting your optical drive, eg CD/DVD, so that you may boot from the cd.

gerbil 216 Industrious Poster

Lesson One. Do not use msconfig safeboot option when you have malware on board. If the malware has damaged the registry Safemode key your sys will not be able to enter Safe mode, it will reboot. And you won't be able to undo the Safeboot option.... but you know that now...
Msconfig Safeboot option modifies your boot.ini file. Use a bootable tool like Recovery Console to repair it with the bootcfg command, or slave the drive and edit it manually, or use a bootable tool which will allow you to access the C: root to edit boot.ini manually.
The edit is pretty obvious; in this sample boot.ini:
[boot loader]
timeout=4
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

-you would simply delete the safeboot switch on the line where it occurs and save boot.ini.
Lesson Two: Don't believe all you read on websites.
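
As an added example (not from gerbil's post), a small Python routine that makes the boot.ini edit described above checkable before the file is written back: it lists every [operating systems] entry still carrying a /SAFEBOOT switch and returns a copy with just that switch removed, leaving the other switches and the Recovery Console entry alone. The sample boot.ini is the one quoted in the post.

```python
import re

# The boot.ini quoted in the post: msconfig's Safeboot option has appended
# /SAFEBOOT:MINIMAL(ALTERNATESHELL) to the XP entry, and that is what must go.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=4
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

# /SAFEBOOT on its own, or with :MINIMAL / :NETWORK / :DSREPAIR, optionally
# followed by a parenthesised qualifier such as (ALTERNATESHELL). The leading
# \s* swallows the space in front of the switch so no double space remains.
SAFEBOOT_RE = re.compile(r"\s*/SAFEBOOT(?::[A-Z]+(?:\([A-Z]+\))?)?", re.IGNORECASE)


def _is_section_header(line):
    s = line.strip()
    return s.startswith("[") and s.endswith("]")


def safeboot_entries(text):
    """Return the [operating systems] lines that still carry a /SAFEBOOT switch."""
    hits = []
    in_os_section = False
    for line in text.splitlines():
        if _is_section_header(line):
            in_os_section = line.strip().lower() == "[operating systems]"
            continue
        if in_os_section and SAFEBOOT_RE.search(line):
            hits.append(line)
    return hits


def remove_safeboot(text):
    """Return boot.ini text with every /SAFEBOOT switch stripped from the
    [operating systems] entries. [boot loader], the default= line and all
    other switches are left exactly as they were."""
    out = []
    in_os_section = False
    for line in text.splitlines():
        if _is_section_header(line):
            in_os_section = line.strip().lower() == "[operating systems]"
        elif in_os_section:
            line = SAFEBOOT_RE.sub("", line)
        out.append(line)
    # boot.ini is a Windows text file: write it back with CRLF line endings.
    return "\r\n".join(out) + "\r\n"


if __name__ == "__main__":
    print("entries still in safe boot:", safeboot_entries(SAMPLE_BOOT_INI))
    print(remove_safeboot(SAMPLE_BOOT_INI))
```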

gerbil 216 Industrious Poster

Oops, wrong thread!!

gerbil 216 Industrious Poster

A good place to start would be:
Clean:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
==Download the file from this location, http://www.f-secure.com/tools/f-look2me.zip ; then as an administrator, unzip it and run the .exe. Reboot.
Scan for viruses..
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Scan for spyware:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
If everything appears to …

gerbil 216 Industrious Poster

Ah, good to hear it's working so far. I may get back to Banff another year, dunno, been twice, it's a looong way and there are lotsa other places to try out in the world too.
Cheers, imperious. Tap that solved button if you are satisfied.

gerbil 216 Industrious Poster

It is very early on in the loading that the Windows logo screen [with loading bar] is presented. BIOS has read the MBR code and transferred it into memory; that code then scans the partition table for an active partition and the code in that partition's first sector, the boot sector, is read into memory [overwriting the MBR code]. It is the boot sector that contains the particular code enabling the file structure [of the format type] in the boot partition to be read..; and it reads in ntldr. Ntldr reads boot.ini and so finds the partition where the OS is located. Basic hardware configurations are loaded and then that Windows logo is displayed. The next step is to read in kernel files and the SYSTEM reg hive to see which drivers should be loaded [if you pressed F8 and chose Safe Mode at this point a different reg key is used which specifies a reduced set of drivers].
It rather looks like ntldr is experiencing a fatal error at about this point, totally failing to load these items. Obviously the C: root file structure is intact, but it seems like the remaining file tables are being corrupted - this could explain the inability to load HAL or the drivers, or even to locate the reg hive, and also why the drive cannot be read in another sys as a slave. The MBR and boot sector are okay.
Try chkdsk repair option. If the file table is bad …

gerbil 216 Industrious Poster

I do hope it is. If you get strange shutdowns with absolutely no warning then it can be temperature related as I said before.... Cripes, Calgary?... just open the window.. :) How's the snow up at Banff? I was there last season...
Good luck. Lessee, no worm traces left, no viruses, good, clean sys files.. should work. Unless.....

gerbil 216 Industrious Poster

Sometimes sfc is really processor-intensive [it is on my sys, the fan screams], and your CPU can overheat - the first thing you know about that is that the puter just shuts off. Power off at the wall [pull the plug], open the case and get to work on the CPU heatsink fins and fan with a soft, long-bristled brush and a vacuum cleaner nozzle. Get rid of the dust... I bet there is heaps if you have not done this before..

gerbil 216 Industrious Poster

I just added to my post above...all you see happen is that black cmd window flash. Run sfc /scannow again and see if it works from the cd.

gerbil 216 Industrious Poster

Good-oh... I hid it well, didn't I.. :)
Same trick, run this batchfile.... it will add a registry entry [or modify the one you have] so that it points to your CD/DVD drive. sfc /scannow should then find the I386 folder on the cd.

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as modSetup.bat, as type "all files", to your desktop; dclick it to run.

______________________________________________
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup /v SourcePath /t REG_SZ /d D:\ /f
______________________________________________

The way things work is that because you did an online update to SP2 you have \I386 in c:\windows\ServicePackFiles -this is where the most up-to-date files are stored in your sys [some from Windows Updates]. For some reason sfc is not working with those and is asking for the cd.... this reg mod directs it to the \I386 folder on the cd. Try running sfc /scannow again.

gerbil 216 Industrious Poster

Ah, this bit... if you run this batch file [follow the instructions] I will be able to see some relevant registry entries on your machine.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt which will open on your desktop.
__________________________________________________________
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup" >C:\showkey.txt
start C:\showkey.txt
__________________________________________________________

gerbil 216 Industrious Poster

Imperious, if you have a folder c:\windows\ServicePackFiles\I386 about 450MB in size, more or less, then you must have done an [online?] update to SP2? In that case there should be a registry entry pointing to that folder and Windows File Protection should be able to access it.
The command sfc [system file checker] is part of Windows File Protection - WFP automatically replaces any protected system files that are corrupted, altered or deleted, sfc additionally will copy into the protected file cache a fresh copy of such bad files from a cd or other folder, eg c:\windows\ServicePackFiles\I386 [if it is not empty? Tell me].
Could you please run that batch file for me so I can see stuff?

gerbil 216 Industrious Poster

Heh.... some key gen. Not much is for free these days. You gotta realise, some folks don't like cracks and gens for their pgms being put about on the net so they make their own which are designed to cause you some trouble, other crack n gen makers are paid to put ad trojans in their lil pgms... either way, if you get a bad one you pay; problems are time, time is money.
Right, run these:
Clean:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
and scan:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
and again:
==Please use IE to do an online scan at panda:-

gerbil 216 Industrious Poster

I actually cannot guess what you have done... is svchost.exe running... can you see instances of it in task manager/processes? I actually don't know if windows can even start without it, and I don't know how you could interfere with it via gpedit.... but...

gerbil 216 Industrious Poster

Okay...
=What is the name of your optical [eg, CD, DVD] drive in Explorer? Is it D:\
Open that CD and find the path to the I386 folder... it is likely in the root of the drive, eg D:\I386 -tell me.
=Do you have this folder [you may have to show hidden files to see it]?:
c:\windows\ServicePackFiles\ServicePackCache
=Could I have a look at the contents of this reg key....
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup" >C:\showkey.txt
start C:\showkey.txt
__________________________________________________________
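
An added example (not part of gerbil's post) that reads the C:\showkey.txt produced by showkey.bat and works out where Windows File Protection will go looking for fresh copies, following the explanation in the modSetup.bat post that the Setup key's SourcePath names the folder containing \I386. The sample output below is constructed (an XP-era reg.exe header, tab-separated values, and an E: install source standing in for a stale path); "D:" as the optical drive is taken from the post.

```python
import re

# Constructed sample of C:\showkey.txt: XP-era reg.exe prints a version
# header, the key path unindented, then one indented line per value with
# name, type and data separated by tabs (newer versions use runs of spaces;
# the parser below accepts either).
SAMPLE_SHOWKEY = (
    "! REG.EXE VERSION 3.0\n\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\n"
    "    BootDir\tREG_SZ\tC:\\\n"
    "    SourcePath\tREG_SZ\tE:\\\n"                   # stale original install source (constructed)
    "    ServicePackSourcePath\tREG_SZ\tC:\\WINDOWS\\ServicePackFiles\n"
    "    SystemPartition\tREG_SZ\t\\Device\\HarddiskVolume1\n"
)

SETUP_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup"

# name <sep> REG_type <sep> data, where <sep> is one or more tabs or 2+ spaces
VALUE_RE = re.compile(
    r"^\s+(?P<name>\S.*?)(?:\t+|\s{2,})(?P<type>REG_[A-Z_]+)(?:(?:\t+|\s{2,})(?P<data>.*))?$"
)


def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                      # blank line or reg.exe version banner
        if not line[0].isspace():         # unindented line is a key path
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = (m.group("type"), m.group("data") or "")
    return keys


def wfp_source_dirs(setup_values):
    """Folders sfc/WFP will search: each *SourcePath value with \\I386 appended
    (the value names the folder that contains I386, hence D:\\ for a CD)."""
    dirs = {}
    for name in ("SourcePath", "ServicePackSourcePath"):
        if name in setup_values:
            dirs[name] = setup_values[name][1].rstrip("\\") + "\\I386"
    return dirs


def points_at_cd(setup_values, cd_drive="D:"):
    """True when SourcePath already names the optical drive root, i.e. the
    reg add in modSetup.bat would change nothing."""
    data = setup_values.get("SourcePath", ("", ""))[1]
    return data.rstrip("\\").upper() == cd_drive.rstrip("\\").upper()


if __name__ == "__main__":
    setup = parse_reg_query(SAMPLE_SHOWKEY)[SETUP_KEY]
    print(wfp_source_dirs(setup))
    print("SourcePath already on the CD:", points_at_cd(setup))
```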

gerbil 216 Industrious Poster

If you have to buy, your local puter shop should burn you one for just a couple dollars. It's not as if you are wanting the licence, which is where the real fee is.

gerbil 216 Industrious Poster

Imperious, you are running SP2 now so that SP1 cd will not work. Do you think you could borrow a XP SP2 cd from someone?

gerbil 216 Industrious Poster

Imperious, could you check the properties of this file for its owner details, please... see if you recognise it. If unknown, delete it:
C:\CF19715.exe
Please go Start, run, type or paste in
sfc /scannow
-insert your XP SP2 cd, press Enter as required. This will replace any system files damaged by the Alcra worm you had.

gerbil 216 Industrious Poster

Imperious, could you run these scans to check for malware, please? First clean:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Okay, post those two logs, please, plus a fresh hijackthis log.

gerbil 216 Industrious Poster

AVG AS saw nothing, I see nothing more now... is your problem still there? [grey task bar, sound failing etc.] Is another window still taking focus and activating over the top of the one you meant to be using?

gerbil 216 Industrious Poster

G'day, imperious,
Really this should have been posted over at Viruses n Nasties, but what the heck, you're here, I'm here...
Please do not do a Windows Repair, it's not really called for.
Let's fix your Hosts File:

  • download HostsXpert from http://www.funkytoad.com/content/view/13/31/

    • click the top button Make Writable if it is available
    • click Restore MS Hosts File button.
  • Now that that is done you should be able to go to Norton/symantec site - get the uninstaller tool for the AV you had and run it because you have active components still in your sys [you may run only ONE active AV service - they interfere.. Of course, you may wish to ditch Avast - your decision]

Use hijackthis to fix these two [benign] entries:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Startup: services.lnk = ?

Good. Now I do not see what modified your hosts file so would you please:
Clean..
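
As an added example (not gerbil's), a Python audit of a hosts file that shows what "Restore MS Hosts File" is undoing: it separates names pointed at a routable address (the way a hijacked hosts file keeps a machine away from a vendor's site) from names merely sinkholed to loopback, and reports whether the file is back to stock. The sample hosts file and its .test hostnames are constructed.

```python
import ipaddress

# Constructed sample hosts file: the stock localhost entries plus the kind of
# additions a hosts hijacker leaves behind (vendor hostnames steered to a
# non-loopback address) and one ad-blocking style loopback entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.example-av-vendor.test
192.0.2.10      update.example-av-vendor.test   # constructed hijack entry
127.0.0.1       ads.example.test
"""

# Names that are expected to map to loopback in a clean file.
LOOPBACK_OK = {"localhost"}


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping, skipping blank lines
    and comments, including trailing ones."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower(), lineno


def audit_hosts(text):
    """Sort hosts entries into three buckets:
    'redirects': names sent to a routable address (a vendor site pointed here
                 becomes unreachable, which is the hijack symptom in the post),
    'sinkholed': names other than localhost pointed at loopback/unspecified
                 (typical of ad-blocking lists; harmless, but not stock),
    'invalid':   lines whose first field is not an IP address at all."""
    report = {"redirects": [], "sinkholed": [], "invalid": []}
    for ip, name, lineno in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report["invalid"].append((lineno, ip, name))
            continue
        if addr.is_loopback or addr.is_unspecified:
            if name not in LOOPBACK_OK:
                report["sinkholed"].append((lineno, ip, name))
        else:
            report["redirects"].append((lineno, ip, name))
    return report


def is_stock_hosts(text):
    """True when the file maps nothing but localhost, which is what the
    restored Microsoft hosts file looks like."""
    r = audit_hosts(text)
    return not (r["redirects"] or r["sinkholed"] or r["invalid"])


if __name__ == "__main__":
    for bucket, entries in audit_hosts(SAMPLE_HOSTS).items():
        for lineno, ip, name in entries:
            print(f"{bucket:9} line {lineno}: {ip} -> {name}")
    print("stock hosts file:", is_stock_hosts(SAMPLE_HOSTS))
```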

gerbil 216 Industrious Poster

I guess if it was a problem on my machine I would use Process Monitor to log events, and the moment an IE window opened I would stop the logging and filter it so that only IE related events showed. You should be able to see in the log what called IE, reg entries used etc. Be prepared for some log scrolling, quite a lot happens for such a seemingly insignificant event like opening a browser window. Get PM from Sysinternals... okay, from technet...
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Pls don't post the log tho, even in zipped form... unless someone else is willing to read it?

gerbil 216 Industrious Poster

Cynikal, whenever you have a window open which shows your drives and files/folders you should have in the top toolbar Files, Edit... Tools. Anyway, you found the same Folder Options in CP, and that is fine. Combofix does turn it off, a lot of folks like to see them but it depends upon what you do with your sys. In retrospect you personally should probably leave it off. If you look in explorer at C:\Windows you will now see a lot of blue folders - they are some examples of hidden folders, and there are a lot of others now showing below which are not coloured blue. Most likely you will rarely need to involve yourself directly with them; perhaps you should reset that option to not show them. And me? - I know some generalities, a few details.... I know it is not even 1%.. :)

gerbil 216 Industrious Poster

Heya, cynikal... we'll get there....
In a standard windows installation Windows Explorer [explorer.exe] is the user's point of contact with the OS, it is the shell, the outside casing if you like, of your OS and everything else runs inside or around it; it [or a modified replacement] is always running when logon is completed. You can stop it if you wish but then you lose being able to easily interact with the OS... your running programs will continue running, you can start new ones etc but not in the normal way.
When you dclick My Computer you are opening a graphical interface, a window to Explorer. Another window is the taskbar, still another is the desktop. There are other ways of opening a window, and you can open many such windows to it at a time, but there is only one explorer.exe running, ever. These windows provide you with a simple and useful way to manipulate your files, including programs, which all exist and operate independently of explorer.exe. Where am I going with this...? ...listening to Thea Gilmore's Contessa and enjoying it.... okay, just one of those independent programs is Internet Explorer [iexplore.exe] which is actually more than just a web browser, but here we are not concerned with it at all.... since we normally use Windows Explorer to see our files or operate the OS it is that which we must adjust to control that view; Folder Options is one such control.. and you get to …

cynikal commented: so knowledgeable +1
gerbil 216 Industrious Poster

Hi again. Just open an Explorer window [eg to your C: drive] and go Tools, Folder options, View tab.. I like to see my hidden files and folders and also all file extensions.

gerbil 216 Industrious Poster

Nice, Paul... And no apologies needed, it all proceeds at your pace [with a few delays thrown in by us..]. Glad your sys is sorted, but you have to mark it solved, we cannot. Only you know when you are satisfied, you see?
Cheers.

gerbil 216 Industrious Poster

Good-oh. Well, if you are happy with it, fine, but feel free to post another ht log or a combofix run.
Cheers.

gerbil 216 Industrious Poster

You are not serious, are you? CCleaner is a great tool, but it cleans what it is pointed at, pretty much usually basic temp and logging files. And your registry if you so wish. It was not pointed at and would not remove your mailing worm, your backdoor trojans, your ad trojans... now that you have got it working it is no longer yours, it can be controlled when on the net. Hackers have full access to it.
It is all up to you. But I do feel sorry for any friends your cousin contacts by email etc.

gerbil 216 Industrious Poster

=Combofix... for you, very simply go start, run...
ComboFix /u
[if you have not already deleted combofix.exe...]
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore. But you will have to delete C:\Combofix folder [Nircmd.exe should be in that folder]...., and in Explorer folder options, view settings, uncheck Hide extensions for known file types - most important!
Optionally, or if you have already removed combofix.exe, just delete C:\Qoobox, C:\Documents and Settings\user\Desktop\ComboFix.exe, C:\combofix.txt and C:\Combofix. Adjust Explorer folder options, view settings, to hide Protected operating system files.
=GMER... navigate to C:\WINDOWS\gmer_uninstall.cmd and dclick it; then delete that file and gmer.ini, and also gmer.exe from the folder where you extracted it to. And gmer.zip. :)
=Delete hijackthis.exe. You may wish to keep its .txt files [logs] for comparison purposes.
Easy. Yeah. Complex stuff, computer software... the way it spreads itself about.

gerbil 216 Industrious Poster

Concerning those two file deletions that I requested, culley, it is merely that I saw the registry keys listing them so naturally requested the files be deleted also, but one of your antimalware services seems to have already removed them.
You could go Start, run, and enter cmd
Then paste into the cmd window
attrib -s -a -h "C:\Documents and Settings\William J. Cullen\Local Settings\Temp\~$RD3499.tmp"
Close the cmd window. You could then see who owns that file by navigating to it in Explorer, but basically it would not hurt to delete it. Temp files are temporary, a software can only rely on their being there while it is running and certainly not after a restart... it should no longer be necessary.
One last, important thing, UPDATE your JAVA!!
Am pleased everything is fine, now.
Cheers.

gerbil 216 Industrious Poster

Grrr... fun with registry editor. I don't know why it could not delete that entry if you could do it manually. It is a strange place... the Find function does not always find what is plainly there, either.
That Panda scan looks clean enough to me, cynikal. I cannot pinpoint those empty savenow and abox registry entries for you.
I am afraid also that I am cutting my work here for a while, not taking on any more new queries/threads until I don't know when, so I may not be able to help further. I will be tidying up outstanding issues for a few days, but if you have further problems may I suggest you post anew with those, make a new thread?
It's been fun, and I hope I have helped....
Cheers.

gerbil 216 Industrious Poster

G'day, odb.
That all seems to have worked well. You might search your sys and delete any of these files you come across:

C:\WINDOWS\Temp\kdwrg.ren
C:\WINDOWS\system32\bolenja.exe
C:\WINDOWS\system32\kus109.dat
C:\WINDOWS\system32\kdwrg.exe

How are things now?

gerbil 216 Industrious Poster

No, that procedure I gave will only remove the things I specified, plus SDFix will remove listed malware and reset some system registry keys commonly altered by malware, including restoring your CP. There are risks involved with running any software, but SDFix makes a registry backup [but not of your files] before it starts detecting, cleaning and restoring. So when I say "No, that..." it is with that proviso in mind.
Anyway, you really do not want this on your sys - mgrs.exe ... it is a backdoor.
And are you someone with no backup system for your data files? Tsk tsk. Get SyncBack, backing up just does not get any easier.

gerbil 216 Industrious Poster

Actually, cynikal, this is a better plan to check that key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}:
Go back to that key in registry, rclick on it, go permissions and see if you [also sys admin] have full control and read permission over it; if not then give yourself full control and read permission [the boxes would be checked, just click on the checks to remove them]; apply n ok. Then you should be able to delete it. See if it comes back [you may have to close/open the reg window].
It may have just been a case that the only protection that key has is those permissions being denied to you. If so, no need to run gmer.
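The permission check gerbil describes, as an added PowerShell example (not from the post). It opens the key quoted in the thread asking only for the right to read and change its permissions, which is all you need even when Full Control and Read are currently denied, removes any Deny entries for your own account, grants yourself Full Control, deletes the key, then waits and looks to see whether it comes back. The 30-second wait is my choice; the key path is the one from the post.

```powershell
# Added example, not part of the original post.
# Run in PowerShell on the affected account (elevated is best).

$subKey = 'Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}'
$hkcu   = [Microsoft.Win32.Registry]::CurrentUser

# Ask only for READ_CONTROL + WRITE_DAC: these are what the permissions
# dialog uses, and a Deny of Full Control/Read on the key does not block them.
$rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions,ChangePermissions'
$key = $hkcu.OpenSubKey($subKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        $rights)
if (-not $key) { 'Key not present (already gone?)'; return }

$acl = $key.GetAccessControl()
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User   # your SID

# Show the current ACL first: an explicit Deny for your own account is the
# "protection" the thread is talking about.
'Current permissions on the key:'
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize

# Remove explicit Deny entries for you, then add an Allow Full Control entry.
$rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
foreach ($ace in $rules) {
    if ($ace.AccessControlType -eq 'Deny' -and $ace.IdentityReference -eq $me) {
        [void]$acl.RemoveAccessRule($ace)
    }
}
$allow = New-Object System.Security.AccessControl.RegistryAccessRule(
            $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($allow)
$key.SetAccessControl($acl)      # writes only the DACL we changed
$key.Close()

# With Full Control in place the delete should now succeed.
Remove-Item -LiteralPath "HKCU:\$subKey" -Recurse -Force
'Deleted. Waiting to see whether anything recreates it...'

Start-Sleep -Seconds 30
if (Test-Path -LiteralPath "HKCU:\$subKey") {
    'Key came back: something running on the system is regenerating it, so the gmer step is needed.'
} else {
    'Key stayed deleted: it was only protected by its permissions.'
}
```

If even OpenSubKey fails with access denied, the Deny also covers changing permissions; the owner of a key can always change its DACL, so as an administrator use the Advanced button of the permissions dialog to take ownership first, then rerun this.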

gerbil 216 Industrious Poster

Hey, go ahead and delete it... see what happens - nothing bad, I am sure; it will not delete, or else if it does it will be regenerated quite soon after.
Then or now please run gmer.
Btw, 2 numbers is a world of difference - those things are unique name tags.

gerbil 216 Industrious Poster

Hi there. Let's see if this helps...
Uninstall 811 Toolbar via CP, Add/Remove pgms.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

-you have obviously removed the 811 toolbar so I have included the website searchpages for fixing also..
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.811.com/saecs.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.811.com/saecs.html
R3 - URLSearchHook: 811 Toolbar - {9198CEC1-4DD8-95E7-1053-F5AAFDBBE0FB} - C:\Program Files\811 Toolbar\toolbar.dll (file missing)
O3 - Toolbar: 811 Toolbar - {9198CEC1-4DD8-95E7-1053-F5AAFDBBE0FB} - C:\Program Files\811 Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [fktixyfq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fktixyfq.dll"
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Good.
Delete this folder:
C:\Program Files\811 Toolbar
Delete these files:
C:\Documents and Settings\All Users\Application Data\fktixyfq.dll
C:\Windows\system32\mgrs.exe

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
=You must restart your computer in Safe Mode:
- press F8 several …
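A way to confirm the HijackThis fix stuck before moving on to SDFix, as an added PowerShell example (not from the post). It checks every file and registry value named in this post, plus the four files from the earlier reply to odb, and reports whatever is still present. The file paths, value names and the 811 CLSID are copied from the posts; the registry locations I use for the R3 (URLSearchHooks) and O3 (Toolbar) entries are where HijackThis reads them from, but that mapping is my assumption, not something the post states.

```powershell
# Added example, not part of the original post.
# Run in PowerShell after the Fix Checked / delete steps; nothing here modifies the system.

# Files named in the thread (the first three from this post, the rest from the reply to odb).
$files = @(
    'C:\Program Files\811 Toolbar\toolbar.dll',
    'C:\Documents and Settings\All Users\Application Data\fktixyfq.dll',
    'C:\Windows\system32\mgrs.exe',
    'C:\WINDOWS\Temp\kdwrg.ren',
    'C:\WINDOWS\system32\bolenja.exe',
    'C:\WINDOWS\system32\kus109.dat',
    'C:\WINDOWS\system32\kdwrg.exe'
)

# Registry values from the HijackThis lines: where, which value, and a regex that marks the bad data.
$values = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';   Name = 'SearchAssistant'; Bad = 'search\.811\.com' },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Search'; Name = 'SearchAssistant'; Bad = 'search\.811\.com' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'smgr';     Bad = 'mgrs\.exe' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'fktixyfq'; Bad = 'fktixyfq\.dll' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegedit'; Bad = '^1$' }
)

# The toolbar's CLSID appears as an R3 URLSearchHook and an O3 Toolbar entry
# (value names under these keys - assumed HijackThis locations), and as a CLSID registration.
$clsid = '{9198CEC1-4DD8-95E7-1053-F5AAFDBBE0FB}'
$hookKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'
)

function Get-Leftovers {
    $found = @()

    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $found += "file still present: $f" }
    }

    foreach ($v in $values) {
        $name = $v.Name
        $item = Get-ItemProperty -LiteralPath $v.Path -Name $name -ErrorAction SilentlyContinue
        if ($item -and ("$($item.$name)" -match $v.Bad)) {
            $found += "registry value still set: $($v.Path)\$name = $($item.$name)"
        }
    }

    foreach ($k in $hookKeys) {
        $item = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
        if ($item -and ($item.PSObject.Properties.Name -contains $clsid)) {
            $found += "toolbar hook still registered: $k\$clsid"
        }
    }

    if (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid") {
        $found += "CLSID still registered: HKCR\CLSID\$clsid"
    }

    return $found
}

$left = Get-Leftovers
if ($left.Count -eq 0) {
    'Nothing from the HijackThis list is left.'
} else {
    'Still present (fix again, or leave for SDFix in Safe Mode):'
    $left
}
```

Run it once before rebooting into Safe Mode and once after SDFix has finished; if mgrs.exe or the Run value for it is back on the second run, the backdoor is being restarted by something the fix did not cover and the log should go back into the thread.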

gerbil 216 Industrious Poster

Hi again.
All we did was stop the toolbar for Live Messenger displaying [it was corrupted?] - you can put it back on from Messenger options, I believe, or by reinstalling Live Messenger. But the pgm should still be working.
The two Panda entries..
Adware:adware/savenow Not disinfected Windows Registry and...
Adware:adware/abox Not disinfected Windows Registry ... are empty registry entries, they point to no files nor have they process identifiers [CLSIDs like {37B85A21-692B-4205-9CAD-2626E4993404} for eg]; they are merely a couple of empty labels and can do no harm. Unfortunately Panda is not saying where they are and AVG AS did not pick them up, so I cannot remove them for you.
If you are comfortable playing in registry you could search for [using the Find function] and delete them, but if they were in my machine I would not bother devoting the time to that, registry is loaded with such empty entries. Sometimes a good reg cleaner will find a few and remove them, another reg cleaner may well overlook them. They are safe.
If they were active a panda entry would look like this:
Adware:adware/abox Not disinfected C:\WINDOWS\LOGON.EXE
This one....
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}
Something we cannot see is protecting it. So:
==Download gmer.zip from http://www.majorgeeks.com/GMER_d5198.html
-dclick on gmer.zip and unzip the file to its own folder or to your desktop.
-disconnect from the Internet and close all running programs including those in the system tray (bottom righthand …

gerbil 216 Industrious Poster

That did the trick, Paul. Logs are both clean.
Any other problems we can help with?