gerbil 216 Industrious Poster

Re messenger, no, they are different programs, your MSN messenger will not be affected.
And thanks for the showkey info - now I must find what other keys hijackthis looks at when searching for BHOs. A bit of homework for me.
Well, are you all clean now, everything working satisfactorily?

gerbil 216 Industrious Poster

==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:

O4 - HKLM\..\Run: [bolenja] bolenja.exe
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.92 85.255.112.190
O20 - AppInit_DLLs: kus109.dat

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Oh dear. Looking back, I see that I wanted to remove some other keys that were not in the hijackthis log so I bundled that O3 entry that refuses to go in with them.
This will show me the contents of the "parent" key:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s >C:\showkey.txt
start C:\showkey.txt
__________________________________________________________
That done, start hijackthis, place a check against this item and press Fix Checked...
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
..and say if it goes. :)
That other key that we removed is from Windows Live Messenger, an instant messenger service that is the update of MSN messenger. It includes voice, video as well as text messaging.

gerbil 216 Industrious Poster

Those Addons are fine; the radialpoint one is your BHO popup blocker, pkR.dll.
This one we removed: [live messenger, no file]:{7E853D72-626A-48EC-A868-BA8D5E23E045} with fixkey.bat
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file) is the MyGlobalSearch entry, and I don't know why it will not go. Combofix did not find any files associated with it. Did we try fixing it with hijackthis also?
Anyway, it is merely a null registry entry that is not calling any file so it can do no harm if it is left - it points to nothing.

gerbil 216 Industrious Poster

You just reported on the BHO I meant. It is used by MyGlobalSearch, and that may or may not show in the Manage Addons window.

gerbil 216 Industrious Poster

Yep, do that re fixkey.bat... same procedure as before.
I have noted your not finding that service.
If the BHO at O3 with no file still pops in hijackthis you will have to find it via IE, Tools, Manage Add-ons and disable it in there. Make sure in that window that you select Addons that have been used by IE.

gerbil 216 Industrious Poster

=Cyberlink DVD Solution which you have is for watching, editing and burning DVDs. I don't have it so I do not know what capabilities the toolbar has, but I can tell that yours is broken. To get it to work you would have to reinstall DVD Solution again, anyway.
=SDFix backs up your registry before it makes changes when you run it. You are finished with it, you can delete those files.
=The Showkey log - please edit out anything you regard as sensitive before you post the log because it is publicly available. Really, to be totally secure, you could do the search instead of posting it. I was going to do a text search in notepad for that string FVDPUEQIOGXC from the Combofix log entry *Newly Created Service* - FVDPUEQIOGXC. I wanted to know if that service was associated with Telus, and using an encrypted name. In notepad, Find is under the edit tab. If that string is there just post the relevant key's data starting from the HKEY\ line above. Not being familiar with Telus' product I just wanted to check. Nothing shows in your log.
Yeah, you do the search and just post the result... safer and easier... :)

gerbil 216 Industrious Poster

ERUNT is a registry backup tool used by SDFix. Those files are okay.
I see that you have CyberLink DVD Solution. That uses a process called Powerbar.exe, and I seem to remember that Combofix has always had trouble with that one.
Anyway, that key is broken in your sys because it should show in hijackthis log as an O3 entry. We can remove it; if you wish to have the DVD Solution toolbar you will have to reinstall it.
*Newly Created Service* - FVDPUEQIOGXC : is that to do with Telus?? Does it show in a hijackthis log as an O23 entry?
If you wish to search registry for it, services are located under key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
If you would like me to look, do this next:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" /s >>C:\showkey.txt
start C:\showkey.txt
__________________________________________________________

Zip up that file and attach it via Go Advanced button.
Now to try to remove those recalcitrant items run this as Fixkey.bat:

_________________________________________________
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37B85A29-692B-4205-9CAD-2626E4993404}]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37B85A29-692B-4205-9CAD-2626E4993404}]
_________________________________________________

gerbil 216 Industrious Poster

Pablo, yes.. you should run it again because nothing in the script was deleted. Delete your copy of Combofix, dl a fresh one and try again.
[this is actually a normal way of starting a program, for instance you can drag a .jpg onto photoshop.exe and it will open with it]
If it should fail again try it with this modified script:
_______________________________________________________________

Killall::

File::
C:\WINDOWS\~GLC0000.TMP
C:\WINDOWS\system32\iifgf.dll
C:\WINDOWS\system32\ejtkbemq.junk
C:\WINDOWS\system32\rxqmhuct.junk
C:\WINDOWS\system32\chbcmnky.junk
C:\WINDOWS\system32\qxpcdpaj.junk
C:\WINDOWS\system32\qbeebqpx.dll
C:\WINDOWS\system32\dbqcvrqi.dll
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
C:\WINDOWS\system32\ctfmon .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bd2081d7-a797-464a-86e7-52f781095074}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6}]
________________________________________________________

and if it still fails, attempt with either script in Safe mode.

gerbil 216 Industrious Poster

It worked, but it looks like you have active myglobalsearch files in there somewhere which put those keys back up. This will find them:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

".... you did only copy the text and not the lines, and you did not have notepad format wordwrapped checked?" In that I was asking you what you did, not telling you; unchecked is the way to go because punctuation [line returns] will get added if there is wordwrapping, and that interferes.
Anyway.
"The second O2 is MyGlobalSearch toolbar... and should have been removed by running fixkey.reg." - when I posted that I was actually referring to the Panda scan entry which should have been removed, not the one in the hijackthis log [that is a different key]. I could have phrased it better...ok, properly :):-
Panda log:- Potentially unwanted tool:application/myglobalsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}
Hijack O2:- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37B85A29-692B-4205-9CAD-2626E4993404}
-you do not see that actual key in full in the HT log, but the above is it. Note the same CLSID, {37B85....}.
However what I have done is confuse the syntax of this registry editor with that of regedit.exe. I don't often do that. This new file will work.... I have added the extra keys to remove what you are seeing in the HT log also.

__________________________________________________________
Windows Registry Editor Version 5.00

[-HKEY_USERS\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}]

[-HKEY_CLASSES_ROOT\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37B85A29-692B-4205-9CAD-2626E4993404}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
__________________________________________________________

Sigh... I have given you a bit of a run around the block. Too much to remember. Have I answered everything?
I ask for an ATF run …
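The post above hinges on two things regedit will silently ignore in a .reg file: hive names written in reg.exe shorthand (HKCU, HKLM, HKU) or misspelled (HKEY_USER), and a CLSID with its closing brace missing, which names a key that does not exist. The checker below is an added example, not code from the thread or from any tool it mentions; it lints a .reg deletion script for exactly those mistakes and rewrites the hive names, using the lines from the thread's own scripts as the sample input.

```python
"""Lint a Windows .reg removal script for the mistakes this thread ran into.

Added example; not code from the thread or from any tool it mentions.
Regedit's .reg importer accepts only full hive names (HKEY_LOCAL_MACHINE and
friends); HKLM/HKCU/HKU/HKCR are reg.exe query shorthand, and a key under an
unknown hive is simply skipped on import.  A CLSID component missing its
closing brace names a key that does not exist, so the delete does nothing.
"""
import re

# Full hive names regedit accepts in a .reg file.
VALID_HIVES = {
    "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
    "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG",
}
# reg.exe shorthand, plus the misspelling seen in the thread, mapped to the
# full name the .reg importer needs.
HIVE_MAP = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT",
    "HKCC": "HKEY_CURRENT_CONFIG", "HKEY_USER": "HKEY_USERS",
}
HEADER = "Windows Registry Editor Version 5.00"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def lint_reg(text):
    """Return [(line_no, problem)] for a .reg script; an empty list means clean."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        problems.append((1, "first line must be '%s'" % HEADER))
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line.startswith("["):
            continue                      # blank line, comment, or "name"=- value line
        if not line.endswith("]"):
            problems.append((n, "key line is not closed with ']'"))
            continue
        key = line[1:-1].lstrip("-")      # leading '-' means "delete this key"
        hive, _, rest = key.partition("\\")
        if hive in HIVE_MAP:
            problems.append((n, "hive '%s' is not .reg syntax; use %s"
                             % (hive, HIVE_MAP[hive])))
        elif hive not in VALID_HIVES:
            problems.append((n, "unknown hive '%s'" % hive))
        # The last path component of these keys is a CLSID; it must be complete.
        last = rest.rsplit("\\", 1)[-1]
        if last.startswith("{") and not CLSID_RE.fullmatch(last):
            problems.append((n, "malformed CLSID component '%s'" % last))
    return problems


def expand_hives(text):
    """Rewrite shorthand or misspelled hive names to the full .reg form."""
    out = []
    for raw in text.splitlines():
        m = re.match(r"^(\[-?)([A-Za-z_]+)(\\.*)$", raw.strip())
        if m and m.group(2) in HIVE_MAP:
            raw = m.group(1) + HIVE_MAP[m.group(2)] + m.group(3)
        out.append(raw)
    return "\n".join(out) + "\n"


# Lines taken from the thread's scripts: a misspelled hive, a reg.exe
# abbreviation, and a CLSID with its closing brace missing.
SAMPLE = r"""Windows Registry Editor Version 5.00

[-HKEY_USER\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38}]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404]
[-HKEY_CLASSES_ROOT\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]
"""

if __name__ == "__main__":
    for line_no, problem in lint_reg(SAMPLE):
        print("line %d: %s" % (line_no, problem))
    print(expand_hives(SAMPLE))
```

The hive rewrite cannot repair the truncated CLSID, so that one problem remains after `expand_hives` and has to be fixed by hand.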

gerbil 216 Industrious Poster

Ah. No rootkits after all. The first O2 entry is benign, it is to do with Windows LiveMessenger...? The second O2 is MyGlobalSearch toolbar... and should have been removed by running fixkey.reg.
I do not understand why that fix did not work.... you did only copy the text and not the lines, and you did not have notepad format wordwrapped checked? You could run it again, it does no harm.

gerbil 216 Industrious Poster

WAK!! 3 rootkits?
Yes, delete fixkey.reg. Reinstalling Telus will not stop it making those files - it is just how it works. Ignore them.

gerbil 216 Industrious Poster

Pablo, if you have saved CFScript.txt [note the spelling..] onto your desktop where combofix is, I see, then you just drag the icon onto the Combofix icon. You should immediately see it start working. Drag the icon, not the file itself. Try it again, if it still fails we shall have to try something else.

gerbil 216 Industrious Poster

__________________________________________________________
Windows Registry Editor Version 5.00

[-HKU\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38}]
[-HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}]
[-HKCR\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]
__________________________________________________________

Ok, noted that re Myway and MyGlobalSearch - you only had remnants in your directory as shown by the Panda scan.
What the above does is invoke the registry editor; more specifically, running it has removed those keys listed. If you check back, three of them were from the Panda scan [ Myway and MyGlobalSearch entries, plus a dialer], the other two you put in from the AVG scan. If they were still there they are gone now.
I think you might be clean. How are things now?

gerbil 216 Industrious Poster

It looks like Panda broke your mIRC - you may have to reinstall that.
Is that the BearShare installer in C:\Downloads? C:\Downloads\BSINSTALL.exe - if so, it is okay.
If MyGlobalSearch is listed in Add/Rmv pgms, uninstall it.
=I see that you have MyWay Search Assistant. You can get rid of it... first see if it is listed in Add/Remove pgms list - remove it if able, then..
Go start > run, paste:
MsiExec.exe /X {78d944d7-a97b-4004-ab0a-b5ad06839940} -and Enter. If it is found click yes at the prompt.
Next delete the MyWay files/folder in Program Files [use myway as a search string...].
This next will clean up the bad entries that Panda found in your registry:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[-HKU\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38}]
[-HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}]
[-HKCR\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]
__________________________________________________________

Please say how things are after a restart.

cynikal commented: gerbil is a computer genius. lol +1
gerbil 216 Industrious Poster

Ripper. That's a good job, tim, log looks clean, too. I assume all is working well now?
If so, re-enable those guards and reinstall SpyBlock and off you go. Cheers

gerbil 216 Industrious Poster

Hello Tim,
perhaps Windows Defender is blocking us - please disable its Realtime Protection....
Open Windows Defender, click Tools, General Settings, Scroll to and uncheck Turn on real-time protection.
Click Save and close Windows Defender.
[Btw, this is the easy way to shutdown Teatimer temporarily....
To disable TeaTimer:
Open Spybot, click Mode, select Advanced Mode, click Yes in new window, click on Tools in bottom left hand corner.
Click the Resident icon and uncheck Teatimer box].

To avoid the time consumption of running Combofix again let's do this another way:
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {6A01B65F-727B-486B-A5C2-2B45A2D12C6B} - C:\WINDOWS\system32\ddabx.dll (file missing)
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Really, you should fix those two O15 items also - there is no good reason to have any items in the Trusted Zone.
Good, now we remove this service...:
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service, rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close …

gerbil 216 Industrious Poster

Tim, sorry, but I missed something. You have Spybot's Teatimer running and that prevented some of the registry fixes in that last script from being made... could you please turn off teatimer, delete your old CFScript.txt [it is renamed] and then save and run this reworked one [remember, just the text between the lines, not the lines themselves]:
[try it in normal mode first...]
___________________________________________________________________________
Service::
MSControlService

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{386F90DB-AEF3-46F5-8DB6-185773BDC279}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A5425A5-B020-49ED-AADF-9AE1D350D1E4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A6DCCA6-E38C-4D93-9F38-5F9E13F75121}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A01B65F-727B-486B-A5C2-2B45A2D12C6B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7735687A-6247-4249-8018-1AE893E8CD8E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA04B9DC-6566-488F-96DE-E3133B167D5B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4226652-BE0E-48B2-9C12-C59B94D5AFF9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BA52B914-B692-46C4-B683-905236F6F655}=-
{2318C2B1-4965-11D4-9B18-009027A5CD4F}=-
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}=-
[-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bglgvhyl]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccbxu]
____________________________________________________________________________

gerbil 216 Industrious Poster

Hang a mo... I'm checking; that should not have happened.
Okay, would you try doing the same procedure in Safe mode, please? One other point, do you have ONLY ONE copy of Combofix on your sys? Delete any older copies, then it may run correctly in normal mode.

gerbil 216 Industrious Poster

That's okay re Vundofix; I asked you to run it because there was a reference to a file in combofix that did not show in the Deleted files list - just making sure.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.
__________________________________________________________
File::
C:\WINDOWS\system32\cyulyndk.ini
C:\WINDOWS\system32\drivers\efkbbwhbyvsl.sys

Service::
MSControlService

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{386F90DB-AEF3-46F5-8DB6-185773BDC279}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A5425A5-B020-49ED-AADF-9AE1D350D1E4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A6DCCA6-E38C-4D93-9F38-5F9E13F75121}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A01B65F-727B-486B-A5C2-2B45A2D12C6B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7735687A-6247-4249-8018-1AE893E8CD8E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA04B9DC-6566-488F-96DE-E3133B167D5B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4226652-BE0E-48B2-9C12-C59B94D5AFF9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BA52B914-B692-46C4-B683-905236F6F655}=-
{2318C2B1-4965-11D4-9B18-009027A5CD4F}=-
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}=-
[-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bglgvhyl]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccbxu]

__________________________________________________________

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log plus a fresh hijackthis log.
Say how things are after a restart.

gerbil 216 Industrious Poster

==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log run in normal mode.

gerbil 216 Industrious Poster

Ha! For a moment there I missed your point completely.... Sys Vol Inf is the directory which holds the restore points in each volume. A volume is commonly referred to as a drive such as, in this case, C:. You are safe....
Yes, I understood that you could delete those files but that they would be recreated. I know nothing about Sympatico but I can assure that your Virgin Telus will create those rb.tmp files... they are for its own use and are not dangerous. You know, if you DID have malware files in your bin and you then emptied it there would be no more malware in there for Telus to rename, would there? But there are normally no actual files in the recycle bin...This may help you understand: - when you delete a file all that is added into the recycle bin is the pathname of the file; the file itself remains exactly where it was on disk but is renamed using a simple algorithm. The file will remain where it was until you empty the recycle bin, then the space it occupies will be listed as available for overwriting and in the fullness of time may actually be overwritten. Until that time your file still exists and can be retrieved with software. Malware fights like crazy to prevent its files being deleted because of that renaming - it can no longer find elements of itself because it won't know the new names. So no malware files …

gerbil 216 Industrious Poster

It is difficult to believe that this lil baby is the source of all your troubles..:
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\yddgxwuw.dll",b
Let's ignore it for the moment and run this first:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Oh, and in case I forget, when next I ask for a hijackthis log would you please delete your copy of the exe and download the latest version from here:
http://www.majorgeeks.com/download5554.html

gerbil 216 Industrious Poster

In AVG you can click on "remove finally"; then, to ensure that no other points are infected but undiscovered you clear all your restore points and make a fresh one by the method I detailed.
Telus, I think, makes those rb/rb4.tmp files for its own purposes.... I proposed testing that by your disconnecting from the net and then disabling Telus [usually this is possible from a service's control panel - there should be no need to uninstall it]. With Telus temporarily disabled you should be able to delete those files in the recycle bin, but Telus will recreate them once restarted. [this is my ... what..? best guess... yeah... test it, they are no harm in the bin].

gerbil 216 Industrious Poster

That's okay... this will clear all of them... btw, did you check out Telus and those rb.tmp files like I mentioned?
==You SHOULD clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
[[the quick way to System Restore is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]

gerbil 216 Industrious Poster

do you recognise the entries in the quarantine? You could list them here.. but if they are merely cookies you could just empty the bin safely.

gerbil 216 Industrious Poster

Okay, that one [tcpsvs.exe] is legitimate, so leave it there. Let's remove that key though...
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O20 - AppInit_DLLs: tcpsvcs.dll
..and that is all. Those rb.tmp and rb4.tmp I think may be associated with your AV/AS service, Telus. If you wish to test that go offline, disable TELUS and then delete them. If they stay gone then that is the reason, they are files used by Telus..... Don't forget to reactivate Telus before you connect again. It will regenerate them.
AVG should have saved a report if it found something.. check under the Reports tab...?

gerbil 216 Industrious Poster

Hi, you need to remove this:
C:\WINDOWS\system32\tcpsvcs.dll
It is already running, started at boot by this key :O20 - AppInit_DLLs: tcpsvcs.dll ... If you cannot manually delete the file in normal mode you will not be able to do it in safe mode either, because it is loaded and running before you get to log on, so you will need to unlock it first. This tool should do the job...
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
So try it and post another log.

cynikal commented: very good +1
gerbil 216 Industrious Poster

Hello, Warrior... that Hijackthis log looks truncated.. I know it is run in safe mode, but even so...
There are a lot of things to fix, those that Overwhelmed pointed out and a lot more. If we fix those and remove a couple of files could you post another log, and we'll see where we go from there.
Orrite, start hijackthis again, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\drivers\spool.exe C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - c:\windows\system32\userinit.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {897fe88e-1dd2-11b2-92c5-9c93f4e93ae8} - C:\WINDOWS\pohwfgje.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - …
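The HijackThis lists in this thread (the O17 NameServer and O20 AppInit_DLLs lines in the fixwareout post, the orphan O2/O3 toolbars and the unknown O23 service in Tim's post, and the F2 Shell/UserInit lines and unnamed BHOs just above) all follow a few patterns that can be checked mechanically. The script below is an added example, not HijackThis code and not the thread author's; it triages a "Scan Only" log by those patterns, using lines copied from the thread plus one constructed benign BHO line with a placeholder CLSID, and the category labels are this example's own.

```python
"""Triage a HijackThis 'Scan Only' log for the entry types fixed in this thread.

Added example; not HijackThis code and not the thread author's.  The rules
follow the thread's own reasoning: O2/O3 entries whose file is gone, unnamed
BHOs that still load a DLL, O4 Run entries that use rundll32 to load a DLL,
O17 hard-coded name servers (the fix was 'Obtain DNS servers automatically'),
O20 AppInit_DLLs (loaded before logon), O23 services with no owner or no
file, and F2 Shell/UserInit lines carrying an extra executable.
"""
import re

LINE_RE = re.compile(r"^(?P<sect>[A-Z]\d{1,2}) - (?P<body>.*)$")
# The only executable each F2 system.ini setting should name (Windows XP).
F2_DEFAULTS = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def triage_line(line):
    """Return (section, category, detail) for a suspect line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sect, body = m.group("sect"), m.group("body")
    low = body.lower()
    if sect in ("O2", "O3") and ("(no file)" in low or "(file missing)" in low):
        return (sect, "orphan", "points at a file that no longer exists")
    if sect == "O2" and "(no name)" in low:
        # A BHO with no name but a real DLL is still being loaded into IE.
        return (sect, "unnamed-bho", body.rsplit(" - ", 1)[-1])
    if sect == "O4" and "rundll32" in low:
        return (sect, "rundll32-run", body.split(": ", 1)[-1])
    if sect == "O17" and "nameserver" in low:
        return (sect, "dns-override", " ".join(body.split("=", 1)[-1].split()))
    if sect == "O20" and "appinit_dlls:" in low:
        return (sect, "appinit", body.split(":", 1)[-1].strip())
    if sect == "O23" and ("unknown owner" in low or "(file missing)" in low):
        return (sect, "unknown-service", body)
    if sect == "F2":
        # body looks like 'REG:system.ini: Shell=Explorer.exe %WINDIR%\svchost.exe'
        name, _, value = body.partition(": ")[2].partition("=")
        expected = F2_DEFAULTS.get(name.lower())
        if expected:
            extra = [p for p in value.split()
                     if not p.rstrip(",").lower().endswith(expected)]
            if extra:
                return (sect, "logon-hook", " ".join(extra))
    return None


def triage_log(text):
    """Run triage_line over a whole log and keep only the suspect entries."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Sample log: the first BHO line is constructed (placeholder CLSID, benign);
# the rest are copied from the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {6A01B65F-727B-486B-A5C2-2B45A2D12C6B} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {897fe88e-1dd2-11b2-92c5-9c93f4e93ae8} - C:\WINDOWS\pohwfgje.dll
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\yddgxwuw.dll",b
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.92 85.255.112.190
O20 - AppInit_DLLs: kus109.dat
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\drivers\spool.exe C:\WINDOWS\system32\userinit.exe
"""

if __name__ == "__main__":
    for sect, category, detail in triage_log(SAMPLE_LOG):
        print("%-4s %-16s %s" % (sect, category, detail))
```

An orphan entry is harmless on its own, as the thread says of the MyGlobalSearch toolbar; the categories worth acting on first are the ones that still load code (appinit, logon-hook, rundll32-run, unnamed-bho) and the DNS override.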

gerbil 216 Industrious Poster

Your vundofix is out of date, btw.... 6707 is current.

gerbil 216 Industrious Poster

Anna, can you dl that combofix file? If you cannot with your sys, dl it with another machine [a friend's, at work...] and copy it in. It is 1.5M so too big for a floppy, fine for a thumb drive.
You could try this first....
delete these files:
C:\WINDOWS\SYSTEM32\mdelk.exe
C:\WINDOWS\SYSTEM32\wintems.exe
and delete this folder and its contents:
C:\WINDOWS\SYSTEM32\DRIVERS\down
...and then try a dl of combofix.

gerbil 216 Industrious Poster

Hello, Anna, could you dl and run this please:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Beauty. It's nice to win, isn't it?
{work that Solved button - I can't...}

gerbil 216 Industrious Poster

Protection. If you have even a half decent firewall [like Window's version] getting infected by malware comes down to it simply being invited in. Therein lie the problems: your gullibility, innocence, impatience and yes, your trust in others. Websites are infected or carry infected objects knowingly or unknowingly, friends and others have systems which permit them to send you infected objects, you don't suspect that a pretty picture or animation could do any harm... and for those people who trawl the more risque or basic instinct sites, well, they just have lowered ideas of worth, self or otherwise [imo, not nec this site's.. :)].
Ok, you clicked on it, it's not being blocked and so it is coming in...
"Over the years, get the occasional trigger from virus software killing a bug" ...yep, luckily your software caught a known one, or recognised a pattern, a style of attack. But AV, AS etc is not always in front of the game, actually, mostly it is behind by a step or more. The sole compensation is that a new attack is almost by definition a rare attack. Your best defence is to layer your defences behind the firewall: a reputable and updated AV [there is no best AV ...], an updated AS lying in reserve, a process blocker, and possibly either a registry sentinel or simply not web-crawling while an administrator.
If you have a two-way firewall [like most are] you may get told if something like adware is …

gerbil 216 Industrious Poster

That looks fine to me. Getting back to the original problem, steve, how is your internet access now with all your browsers?

gerbil 216 Industrious Poster

Heck, you did it again!! I just changed that setting to how you said! We gotta stop meeting like this!!
I also cut the cache from default 200MB to 10MB. Not having used Opera for several months, and having just updated it totally I got all the defaults; I'll get around to checking them all one day. I did already move the cache away from XP to another volume, though; no way do I want caches disturbing XP.
Btw, Crunchie, it was interesting that Vundofix could not delete C:\WINDOWS\system32\pmnmnnm.dll even when it was pointed right at it. Did you notice that Unlocker failed also?

gerbil 216 Industrious Poster

Every time I revisit a thread I get the old cached copy... have to hit the refresh button, and sometimes I forget and get confused by what I see.... FF doesn't cache like that. I have fooled with my FF but I still cannot get it to read that post with the looong list of Posxxx.tmp deletions.
If I make an entry in a thread Opera puts up the refreshed page immediately, but if I load another page [thread] that I have been to before a bit earlier I get a cached [and sometimes out of date] copy.

gerbil 216 Industrious Poster

I was offline, came back on just a bit too late for the glory. Missed one, did I, crunchie? Well, durn. Mighta picked it up on the next run... you gotta make em work at it to teach em a lesson about getting infected in the first place.... :)
I'm getting tired of the Opera caching... may go back to FF. Caching speeds Opera up, but is no help on this job.
BTW, Overwhelmed... that script fix includes a fix for the two registry entries that you point out from Hijackthis...

gerbil 216 Industrious Poster

Aw, heck, I just worked this up...
Killall::

File::
C:\WINDOWS\~GLC0000.TMP
C:\WINDOWS\system32\ejtkbemq.junk
C:\WINDOWS\system32\rxqmhuct.junk
C:\WINDOWS\system32\chbcmnky.junk
C:\WINDOWS\system32\qxpcdpaj.junk
C:\WINDOWS\system32\qbeebqpx.dll
C:\WINDOWS\system32\dbqcvrqi.dll

RenV::
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon .exe
C:\WINDOWS\system32\ctfmon .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bd2081d7-a797-464a-86e7-52f781095074}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFD4F7F5-D0B4-4C08-B4F7-8783975F95E6}]
:)
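The RenV:: block above lists files whose names carry a space before the extension, such as `ctfmon .exe` and `Reader_sl .exe`. The following Python is added here as an example; it is not part of the thread and not ComboFix's own logic. It scans a directory listing for that `name .ext` pattern and pairs each spaced name with any file that occupies the unspaced name in the same folder. The listing is constructed for the example, and the reading that the spaced file is the displaced original while the unspaced sibling is the one needing inspection is the usual interpretation of this pattern, stated here as an assumption rather than something the post says.

```python
import re

# Constructed stand-in for a recursive directory listing of the machine being cleaned.
SAMPLE_LISTING = r"""
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
"""

# Last path component of the form "stem<one or more spaces>.ext".
_SPACED_EXT = re.compile(r"^(?P<dir>.*\\)(?P<stem>[^\\]*?\S) +(?P<ext>\.[^.\\ ]{1,4})$")


def find_spaced_renames(listing):
    """Return (spaced_path, sibling_without_space_or_None) for every 'name .ext' file in the listing."""
    paths = {line.strip() for line in listing.splitlines() if line.strip()}
    found = []
    for path in sorted(paths):
        m = _SPACED_EXT.match(path)
        if not m:
            continue
        restored = m["dir"] + m["stem"] + m["ext"]     # the name the file would be renamed back to
        found.append((path, restored if restored in paths else None))
    return found


def triage(listing):
    """Split findings into names whose original slot is free and names whose slot is occupied.

    A free slot can be renamed back at once; an occupied slot means another file took the
    original name and should be inspected before anything is renamed (assumed reading).
    """
    free, occupied = [], []
    for spaced, sibling in find_spaced_renames(listing):
        (occupied if sibling else free).append(spaced)
    return free, occupied


if __name__ == "__main__":
    free, occupied = triage(SAMPLE_LISTING)
    print("rename back directly:", *free, sep="\n  ")
    print("original name occupied, inspect sibling first:", *occupied, sep="\n  ")
```

On a live system the listing would come from `dir /b /s` or a ComboFix log; the regex requires the whitespace to sit directly before the extension, so ordinary names with internal spaces such as `Reader 8.0` are not reported.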

gerbil 216 Industrious Poster

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.
__________________________________________________________
File::
E:\WINDOWS\system32\rqtwa.bak1
E:\WINDOWS\system32\rqtwa.bak2
E:\WINDOWS\system32\rqtwa.ini2

_________________________________________________________

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

gerbil 216 Industrious Poster

Anna, that looks like a good cleaning by Panda... I suspected the Bagle worm from your symptoms..
=Be VERY wary of this [from eZula?]:
Possible Virus. Not disinfected F:\Incoming\Portable GIMP2.2.10 Beta 1 (Multilingual)-portable_gimp_2.2.10_beta1_multilingual.zip[PortableGIMP/gimp/lib/gimp/2.0/plug-ins/webbrowser.exe]
=C:\Program Files\Sciagniete\Cdvd.exe - to me this does not look like the Cliprex mp3 player...? Is it? Panda gives several different warnings for it at the top of the report. Seems doubtful to me, my advice would be to uninstall it via Add/Remove Programs.
=I see that you have MyWay Search Assistant [there, courtesy DELL]. You can get rid of it if you wish...
First see if it is listed in the Add/Remove Programs list - remove it if able, then..
Go start > run, paste:
MsiExec.exe /X {78d944d7-a97b-4004-ab0a-b5ad06839940} -and Enter. If it is found click yes at the prompt.
Next delete the MyWay files/folder in Program Files [use myway as a search string...].
=Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: (no name) - ~EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - …

gerbil 216 Industrious Poster

Congratulations of a sort are due - that is the first I have seen where Unlocker has failed.
Try running Vundofix this way...
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Add more files? line, paste into the new window these pathnames [one per line]:

C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\system32\mnnmnmp.*

Click the Add Files button, and next the Remove Vundo button.******

You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Follow with this.. we will get a chance to see other new files that were created with Vundo.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A …

gerbil 216 Industrious Poster

There is something very "fake" about that second "system" directory.... Windows would not allow it as a name if another exists, the 8.3 abbreviation SSTEM~1 is wrong, and could not exist either because system has 8 characters or less. Perhaps somehow some characters are hidden. Anyway, it is time to clear out Outerinfo.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
..and post a fresh Hijackthis log also, please.
[the prefetch entry for logonui.exe is fine]

gerbil 216 Industrious Poster

Mmm... McAfee finds, but .....
Try this:
Clean:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Scan:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
[you may now be able to download hijackthis...try, post a log if you can].

gerbil 216 Industrious Poster

I do wonder if it is not something like this program checker trying to run but failing? I understand it calls home to check processes running to see if they are legit?
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
Fix it with hijackthis....

gerbil 216 Industrious Poster

A delay is not a problem for me, Pablo.
Let's try to delete manually the file that Vundofix could not..
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Now first off start hijackthis and select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A

Now go in and rclick these files and use Unlocker....
C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\mrofinu72.exe
Restart your machine, delete C:\vundofix.txt, download a fresh copy of Vundofix and run it.
Post another Hijackthis log.

gerbil 216 Industrious Poster

Hi again... logonui.exe normally resides in system32. There should be no such directory E:\WINDOWS\SSTEM~1 [it is a corruption of some sort, malware?] - and that abbreviation is wrong for system32; it refers to some directory [or file!!] named sstem+whatever. So check in your system32 for logonui.exe; if it exists, happily delete the E:\WINDOWS\SSTEM~1\logonui.exe
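The 8.3 reasoning in this post and in the later one about the "fake" system directory can be checked mechanically. The Python below is an added example, not from the thread or from any of the tools it mentions. It reproduces the documented first-pass rule Windows uses to build a short name (uppercase, spaces and leading periods dropped, only the last period kept, characters illegal in 8.3 names replaced with `_`; a name that survives unchanged and fits 8+3 is its own alias, anything else becomes six basis characters plus `~1`) and then asks which well-known directory names a given alias could stand for. The list of expected directory names and the sample paths are constructed for the example; collision digits `~2`..`~4` are treated as equivalent to `~1`, and the hashed fallback Windows uses after four collisions is not modelled.

```python
import re

# Characters legal in long names that Windows replaces with '_' when building an 8.3 alias.
_ILLEGAL_83 = set("+,;=[]")

# Collision digits ~1..~4 keep the same six-character basis, so aliases are compared with the digit masked.
_TILDE_DIGIT = re.compile(r"~[1-4]")

# Shape of a generated alias: up to six basis characters, tilde, digit, optional 1-3 character extension.
_ALIAS_FORM = re.compile(r"^[^.~\\]{1,6}~\d(\.[^.\\]{1,3})?$", re.IGNORECASE)

# Constructed list of long directory names a cleaner expects to see under a Windows XP install.
KNOWN_WINDOWS_DIRS = [
    "WINDOWS", "system", "system32", "Program Files", "Program Files (x86)",
    "Documents and Settings", "System Volume Information",
    "Application Data", "Local Settings",
]


def _clean_83(part):
    """Replace characters that cannot appear in an 8.3 name with '_'; report whether anything changed."""
    cleaned = "".join("_" if (ch in _ILLEGAL_83 or not 32 < ord(ch) < 127) else ch for ch in part)
    return cleaned, cleaned != part


def short_name_83(long_name):
    """Return the alias Windows generates for one path component under the first-pass 8.3 rule."""
    upper = long_name.upper()
    stripped = upper.replace(" ", "").lstrip(".")   # spaces and leading periods are dropped
    lossy = stripped != upper

    base, sep, ext = stripped.rpartition(".")
    if not sep:                                     # no period at all: the whole name is the basis
        base, ext = stripped, ""
    if "." in base:                                 # embedded periods are dropped from the basis
        base = base.replace(".", "")
        lossy = True

    base, changed = _clean_83(base)
    lossy = lossy or changed
    ext, changed = _clean_83(ext)
    lossy = lossy or changed

    if not lossy and len(base) <= 8 and len(ext) <= 3:
        return stripped                             # already a valid 8.3 name: it is its own alias
    alias = base[:6] + "~1"
    return alias + ("." + ext[:3] if ext else "")


def could_alias(short_name, long_name):
    """True if short_name is an alias Windows could have assigned to long_name (any collision digit)."""
    return _TILDE_DIGIT.sub("~N", short_name_83(long_name)) == _TILDE_DIGIT.sub("~N", short_name.upper())


def suspicious_aliases(path, known=KNOWN_WINDOWS_DIRS):
    """Return the tilde-form components of a Windows path that alias none of the known names."""
    flagged = []
    for comp in re.split(r"[\\/]", path):
        if _ALIAS_FORM.match(comp) and not any(could_alias(comp, k) for k in known):
            flagged.append(comp)
    return flagged


if __name__ == "__main__":
    for p in (r"E:\WINDOWS\SSTEM~1\logonui.exe", r"C:\DOCUME~1\Anna\LOCALS~1\Temp"):
        print(p, "->", suspicious_aliases(p) or "every alias accounts for a known directory")
```

`system32` is already a valid 8.3 name, so Windows never gives it a tilde form and `SSTEM~1` cannot be its alias; a five-character basis only arises from a name that lost characters in conversion (for instance `ss tem`), or from a directory that is literally named `SSTEM~1`, which the check also accepts as matching itself. Contrast `SYSTEM~1`, which is the legitimate alias of `System Volume Information`.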

gerbil 216 Industrious Poster

Delete the file..:
E:\WINDOWS\SSTEM~1\logonui.exe
-fixing the entry as advised above only removes the registry key which starts the process, you then delete the file if it is bad, as this one is.
Glad you are up and running again.

gerbil 216 Industrious Poster

FF is a copy of Opera... try Opera. I do not use IE7 but perhaps a reinstallation of IE7 is called for. Or revert to IE6.
http://www.opera.com/download/