gerbil 216 Industrious Poster

Well, dammit, caper, you beat me this time.
... :)

gerbil 216 Industrious Poster

What happens if you use Firefox or Opera? Being serious here...

gerbil 216 Industrious Poster

Ok, fooling around with someone else's problem the other day I noticed that when I locked web content on desktop it changed my shadowed icon labels to backgrounded just like yours. This is my last shot: Rclick your desktop, choose Arrange icons by, uncheck Lock web items on desktop [that is, if it is checked... :), ].

gerbil 216 Industrious Poster

To check for web content, rclick on desktop, go properties, desktop, customise desktop, web, and check if any sites etc are listed.

gerbil 216 Industrious Poster

Yeah... FF is a "copy" of Opera - they adopted many of Opera's features. I switched to using FF for daniweb cos it was faster than Opera for me. Now that I use hosts to block all the ads on the pages though... the difference is not there. May switch back... go Opera!, you unknown king of browsers, you.

gerbil 216 Industrious Poster

Aw heck, then it must be my settings, thanks Crunchie... and there are so many possibilities for playing with them in FF. Sigh. Looking in the error console it sees a lot of html errors in some pages in daniweb; doesn't seem to be able to ignore them all... must be a setting for that somewhere..?

Interestingly, Opera pulls it all in...

gerbil 216 Industrious Poster

Okay. Do you have any active web content on your desktop? Try removing that...

gerbil 216 Industrious Poster

Crunchie, FF is not rendering this thread fully - I cannot see what you posted about in his Combofix log... there are gaps. ... it could be my FF settings, I do not know. Could you mention this to the backroom boys pls?

gerbil 216 Industrious Poster

Go start, run, paste in this:
control sysdm.cpl,,3
-press Performance settings, and check Use drop shadows for icon labels on desktop, apply n ok.

gerbil 216 Industrious Poster

Be a little careful!
This msconfig.exe is in the wrong place: C:\WINDOWS\system32\msconfig .exe
-it should be in C:\windows\pchealth\helpctr\binaries\, so I suggest you check its owner. If it is not from Microsoft, delete it.
C:\WINDOWS\system32\temp.000.... I would delete this, system32 is not the place for temp files.
Delete this file: C:\WINDOWS\system32\SSQRQ.DLL.del
Nircmd is from combofix.
C:\WINDOWS\system32\MFC71.dll - this file is legitimate!!
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdgwqudt] -fix this with hijackthis... start it, place a check against this entry:-
O20 - Winlogon Notify: ¨ ? ? ? - C:\WINDOWS\
...and press Fix Checked.

ssqrq.dll removal does not seem to have been handled correctly... this file [with .del extension] exists: C:\WINDOWS\system32\SSQRQ.DLL.del
So may I suggest:
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Add more files? line, paste into the new window these pathnames [one per line]:

C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\qrqss.*

Click the Add Files button, and next the Remove Vundo button.******

You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could …

gerbil 216 Industrious Poster

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM..Run: [Microsoft Update Machine] bheqtp.exe
O4 - HKLM..RunServices: [Microsoft Windows Update x86] firefox.exe
O4 - HKCU..Run: [Microsoft Update Machine] bheqtp.exe

Good, now find these two files and delete them [they will be in system32 ]
bheqtp.exe
firefox.exe [this one is nothing to do with your beloved ff!]
Say how things are.

It would not hurt to do this procedure...[ it would be an alternative to the above...]
-Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1
-click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
-GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

gerbil 216 Industrious Poster

Legit... stops ppl using cheats in Punkbuster online games.
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe

gerbil 216 Industrious Poster

Except for this...!!
O20 - Winlogon Notify: abc32reg - C:\Documents and Settings\All Users\Documents\Settings\abc32.dll

gerbil 216 Industrious Poster

Post C:\vundofix.txt also...

gerbil 216 Industrious Poster

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.

Say how you get on.

gerbil 216 Industrious Poster

Then try it with hhctrl.ocx.... same thing, a new copy should immediately appear. [this file is C:\windows\system32\hhctrl.ocx].
I am shooting in the dark here, these are the processes that handle most help files. But it could be something wrong with your keyboard drivers with the effect that the F1 key is virtually depressed all the time! I doubt it though, sounds too weird.
I don't know of a virus that does this, but if you can manage it an online scan should clear that aspect... run the ATF cleaner first.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

Dee, go to C:\Windows and do a search for hh.exe; rename it to hh.exe.old. Then open any help file, eg windows media player, firefox... just hit F1 in some pgm [if you do it with just your desktop displayed then windows help centre should open]... and see if you get a new hh.exe opening in that search results window... Windows file protection system should copy in a new one from cache, even without prompting it by hitting F1 as above [if you see a new copy appear ignore hitting the F1 button].
Then try it with hhctrl.ocx.... same thing, a new copy should immediately appear.

gerbil 216 Industrious Poster

Nope. Nothing shows in either log [although I have no idea what you have used this for: O16 - DPF: {00000000-0000-0000-0000-100000000003}]

Time for a broader brush...

==Download this temp file cleaner --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.

Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.

Close ATF.

==GET AVG antispyware 7.5

-Install it and UPDATE it.

Start AVG a-s 7.5;

-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.

-press Apply all Actions and Save the log file. Post the log file.

gerbil 216 Industrious Poster

Dee, I have to assume that you tried to fix this entry :
O18 - Filter hijack: text/html - (no CLSID) - (no file)
- it remains. I am wondering what put it there in the first place; this may reveal something...
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Post that plus a fresh hijackthis log, please, Dee.

gerbil 216 Industrious Poster

Ok, Dee, ignore the Smitfraudfix result
Uninstall RXToolbar.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {C69D7DEB-1320-4956-A208-9251086B2AA8} - C:\WINDOWS\system32\ddcyw.dll (file missing)
O4 - HKLM\..\Run: [NI.USYP_0001_N85M2606] "C:\WINDOWS\Downloaded Program Files\USYP_0001_N85M2606NetInstaller.exe" -nag
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)

Good, now delete this file:
C:\WINDOWS\Downloaded Program Files\USYP_0001_N85M2606NetInstaller.exe
..and this folder:
C:\Program Files\RXToolBar\
Fine, please post another hijackthis log [with wordwrap unchecked.... see under Format tab]
And say how things are, please.
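The entries gerbil ticks in HijackThis here, and in the other fix lists on this page, share a handful of structural tells: an entry whose target reads "(no file)" or "(file missing)", a run key with a Microsoft-sounding name that launches a bare file name from system32, a Winlogon Notify DLL that does not live in system32, a Policies key that disables regedit, a service with "Unknown owner", a win.ini load= line, a DPF entry with no target. The following is an added example, not code from the original posts or from HijackThis itself: it parses log lines and applies those tells, separating entries to fix outright from entries a human should check first. It knows nothing about products (it cannot tell that RXToolbar is adware), so it is a first pass, not a verdict. The sample lines are constructed from entries quoted on this page plus one ordinary XP entry (crypt32chain) that is assumed legitimate.

```python
"""Triage HijackThis log lines with the structural tells used in this thread.

Added example, not code from the original posts or from HijackThis.
SAMPLE_LOG is constructed from entries quoted on this page plus one
legitimate XP entry (crypt32chain), which is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    line: str
    action: str   # "fix": tick in HijackThis and delete the file; "review": check owner/signature first
    reason: str


ENTRY = re.compile(r"^(R\d|F\d|O\d+) - ")
ORPHAN = re.compile(r"\((no file|file missing)\)", re.I)
# Run-key names that borrow Microsoft's update branding ("Microsoft Update Machine",
# "Microsoft Windows Update x86" in the logs above).
SPOOFED_RUN_NAME = re.compile(r"\[Microsoft (Windows )?Update[^\]]*\]", re.I)
# Bare executable name with no directory; a genuine run entry carries a full path.
BARE_EXE = re.compile(r"\]\s*\"?(\w+\.exe)\"?\s*$", re.I)
# Real program names that malware reuses for a copy dropped into system32.
BORROWED_NAMES = {"firefox.exe"}
# A Winlogon Notify DLL is either a bare name resolved from system32 or a full system32 path.
NOTIFY_DLL = re.compile(r"^(?:[a-z]:\\windows\\system32\\)?[^\\]+\.dll$", re.I)
# DPF entry that carries a CLSID but no download target.
EMPTY_DPF = re.compile(r"\{[0-9a-f-]+\}\s*(-\s*)?$", re.I)


def triage_line(raw: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing structural stands out."""
    line = raw.strip()
    m = ENTRY.match(line)
    if not m:
        return None
    kind = m.group(1)
    if ORPHAN.search(line):
        return Finding(line, "fix", f"{kind} entry points at a file that no longer exists")
    if kind == "O4":
        if SPOOFED_RUN_NAME.search(line):
            return Finding(line, "fix", "run key spoofs a Microsoft update name")
        exe = BARE_EXE.search(line)
        if exe and exe.group(1).lower() in BORROWED_NAMES:
            return Finding(line, "fix", f"{exe.group(1)} is not started from a run key by the real program")
        if exe:
            return Finding(line, "review", f"run entry names {exe.group(1)} without a path; find it and check its owner")
        return None
    if kind == "O7":
        return Finding(line, "fix", "policy key restricts the user (e.g. regedit disabled)")
    if kind == "O8":
        return Finding(line, "review", "context-menu item added by a toolbar; uninstall the toolbar first")
    if kind == "O16" and EMPTY_DPF.search(line):
        return Finding(line, "fix", "downloaded program (DPF) entry with no target")
    if kind == "O18" and "hijack" in line.lower():
        return Finding(line, "fix", "MIME filter hijack")
    if kind == "O20":
        path = line.rsplit(" - ", 1)[-1]
        if not NOTIFY_DLL.match(path):
            return Finding(line, "fix", "Winlogon Notify DLL outside system32 (or no DLL name at all)")
        return None
    if kind == "O23" and "Unknown owner" in line:
        return Finding(line, "review", "service binary has no publisher; check its properties/signature")
    if kind == "F3" and re.search(r"\b(load|run)=\S", line):
        return Finding(line, "fix", "win.ini load=/run= auto-start is almost never legitimate")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every line of a log through triage_line, dropping the clean ones."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def fix_checked(log_text: str) -> List[str]:
    """The lines you would place a check against and press Fix Checked on."""
    return [f.line for f in triage(log_text) if f.action == "fix"]


# Constructed sample: entries quoted on this page plus one legitimate XP line.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Microsoft Update Machine] bheqtp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update x86] firefox.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: abc32reg - C:\Documents and Settings\All Users\Documents\Settings\abc32.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljg.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.action:6} {f.reason}\n       {f.line}")
```

The SemanticInsight run entry and the RealVNC service come back clean, which is the point of the split: a full path to a signed binary is not a structural tell, and only the person at the keyboard knows whether VNC was installed on purpose.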

gerbil 216 Industrious Poster

==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ ..
Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
Post a fresh hijackthis scan from Normal mode as well, please, Dee. [in notepad, under Format, uncheck Wordwrap..]

gerbil 216 Industrious Poster

Hello, Jud,
those autoplay files which you found are fine, thank you...
The log is clean, but there is one final point, did you install VNC Server deliberately?
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
If you did, fine, you are clean to go.

gerbil 216 Industrious Poster

And some more of the fix:...
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ .. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!

Uninstall SecurityCenter
Uninstall Web Buying
Uninstall 180Solutions - Search assistant

infos.exe : Search your entire system for this file and delete all instances found.
autos.exe : Search your entire system for this file and delete all instances found.

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.
__________________________________________________________
File::
C:\WINDOWS\system32\winter.exe
C:\WINDOWS\epswad3.exe
C:\WINDOWS\pss\autos.exe
C:\WINDOWS\pss\infos.exe
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\tsitra1000106.exe
c:\program files\180solutions\sais.exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\Web Buying\v1.8.5\webbuying.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\T0CHD001.exe

Folder::
c:\program files\180solutions
C:\Program Files\SecCenter
C:\Program Files\Web Buying

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
__________________________________________________________

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow …
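A CFScript is a plain text file of directives (File::, Folder::, Registry::) followed by one item per line, and ComboFix acts on it without asking again, so it pays to read it back before dragging it onto the tool. The following is an added example, not ComboFix's own code: it parses a script like the one above into its sections, expresses the Registry:: block as operations, and lists the things a person should notice first (relative paths, wildcards, core Windows binaries, top-level key deletions). Assumptions: only the three directives used on this page are handled, and the Registry:: block is read as .reg syntax, where [-KEY] deletes a key and [KEY] creates it, which is my reading of the delete-then-recreate pairs in the script above. The embedded SAMPLE_SCRIPT is copied from that script.

```python
"""Parse and sanity-check a ComboFix CFScript.txt of the kind posted above.

Added example, not ComboFix's own code. Assumptions: only File::, Folder::
and Registry:: are handled; Registry:: lines use .reg syntax, [-KEY] meaning
delete and [KEY] meaning create (my reading of the pairs in the script above).
"""
import re
from typing import Dict, List, Tuple

DIRECTIVE = re.compile(r"^(File|Folder|Registry)::\s*$", re.I)
ABS_PATH = re.compile(r"^[a-z]:\\", re.I)
REG_KEY = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\.+)\]$")
# Deleting one of these by mistake leaves the machine unbootable or unusable.
CORE_BINARY = re.compile(
    r"\\windows\\(system32\\)?(explorer|winlogon|userinit|svchost|lsass)\.exe$", re.I)


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {"File": [...], "Folder": [...], "Registry": [...]}.
    Blank lines and the underscore rulers used as cut marks are ignored,
    as is anything before the first directive."""
    sections: Dict[str, List[str]] = {"File": [], "Folder": [], "Registry": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"_"}:
            continue
        m = DIRECTIVE.match(line)
        if m:
            current = m.group(1).capitalize()
            continue
        if current:
            sections[current].append(line)
    return sections


def registry_ops(lines: List[str]) -> List[Tuple[str, str]]:
    """Translate Registry:: lines into ("delete" | "create", key) pairs."""
    ops = []
    for line in lines:
        m = REG_KEY.match(line)
        if not m:
            raise ValueError(f"not a key line: {line}")
        ops.append(("delete" if m.group(1) else "create", m.group(2)))
    return ops


def check_script(text: str) -> List[str]:
    """Warnings worth reading before the script is dragged onto ComboFix."""
    s = parse_cfscript(text)
    warnings = []
    for kind in ("File", "Folder"):
        for p in s[kind]:
            if not ABS_PATH.match(p):
                warnings.append(f"{kind}: relative path {p!r}")
            if any(ch in p for ch in "*?"):
                warnings.append(f"{kind}: wildcard in {p!r}")
            if CORE_BINARY.search(p):
                warnings.append(f"{kind}: {p!r} is a core Windows binary")
    for op, key in registry_ops(s["Registry"]):
        if op == "delete" and key.count("\\") < 3:
            warnings.append(f"Registry: deleting a top-level key {key!r}")
    return warnings


# The script from the post above, copied verbatim.
SAMPLE_SCRIPT = r"""
__________________________________________________________
File::
C:\WINDOWS\system32\winter.exe
C:\WINDOWS\epswad3.exe
C:\WINDOWS\pss\autos.exe
C:\WINDOWS\pss\infos.exe
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\tsitra1000106.exe
c:\program files\180solutions\sais.exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\Web Buying\v1.8.5\webbuying.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\T0CHD001.exe

Folder::
c:\program files\180solutions
C:\Program Files\SecCenter
C:\Program Files\Web Buying

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
__________________________________________________________
"""

if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    for kind, items in parsed.items():
        print(kind, len(items))
    for op, key in registry_ops(parsed["Registry"]):
        print(op, key)
    print("warnings:", check_script(SAMPLE_SCRIPT))
```

On the script above the check comes back empty: every path is absolute, nothing is wildcarded, and the only deletions are the msconfig startup-item caches, which are recreated on the next line.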

gerbil 216 Industrious Poster

...there is more coming for this fix; working on it now....

gerbil 216 Industrious Poster

Nice, Jud, that cleaned a lot of things....
Now, you have Norton and AVG AV services both running - this is bad. They will interfere, the consequences are unpredictable but one of them is usually poorer performance, they can be worse than that though. Remove one, now. Keeping Norton as an on-demand scanner is fine, but you would have to disable AVG beforehand. In my opinion I would uninstall one totally and if circumstances call for it use one of the many excellent online scanners which run from an Active-X control or similar downloaded pgm file. There are advantages to following this course... an online scanner will not be infected, for example... onboard AVs can be.
Okay, done it?... Good.
Before we fix some reg entries I need you to find out what this entry refers to:
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user') .... AutoPlay.exe is most likely benign, I have no way of knowing because it could be a file from many softwares; I suggest you check its properties to see who owns it [it will be in system32]

Right. Now start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - C:\Program Files\Pqtyvoqd\vhnmqejv.dll (file missing)
O2 - BHO: (no name) - {35083c24-b3c9-4f4c-bd5e-32ba2c991598} - C:\WINDOWS\system32\eqvlesn.dll (file missing)
O2 - BHO: (no name) - {3740006C-EB7D-4149-82B3-E4EA699FFEBB} - \
O2 - BHO: …

gerbil 216 Industrious Poster

Hello, Jud...
Let's start with this cos it's quite a load of problems you have there...
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply with a fresh hijackthis scan.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
[ I could wonder how much of this comes from hanging round in sites like brdatahost / easycrack.net...?]

gerbil 216 Industrious Poster

Can't help on the bookmarks aspect, I'm afraid; this gives you a chance to review stuff... :)
Cheers.

gerbil 216 Industrious Poster

Ah, be happy with that result.
And a happy new year to you, too.
Cheers. [tap that solved button, if you will]

gerbil 216 Industrious Poster

Hello, Wendell.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [TrustSoftAntiSpyware] C:\Program Files\TrustSoft AntiSpyware\TrustSoftAntiSpyware.exe /STARTUP
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk846YYES
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

Good. Now search for and delete these files:
TrustSoftAntiSpyware.exe
TrustSoftAntiSpywareSetup[1].exe
restart_as.exe

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
=You must restart your computer in Safe Mode:
- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the …

gerbil 216 Industrious Poster

nate, I am a little concerned by these detections:
Possible Virus. Not disinfected C:\Program Files\MSN\MSNCoreFiles\Setup\msnunin.exe
Possible Virus. Not disinfected C:\WINDOWS\ServicePackFiles\i386\msnunin.exe
Possible Virus. Not disinfected F:\Program Files\InstallShield Installation Information\{52A5F706-2FCC-4C14-9E9A-345C2DCB25E9}\Setup.exe

First, lets get rid of all your restore points and make a fresh one....
==You SHOULD clear all your system restore points because some have been infected.... Panda may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
[[the quick way to System Restore is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]

Good. Now fire up AVG AV, update it and run a FULL system scan. Post the result if it finds anything... there is a possibility that you will have to delete those files above and dl fresh copies.
Parite A, B are just two parts of a file infector virus. It doesn't do anything except spread itself via networks......afaik. It does cause explorer.exe to remain running so that it can spread into any and all .exe and .scr files on your sys [and any networks]

gerbil 216 Industrious Poster

...of course, using a restore point from before the infection occurred will give you back those registry entries...

gerbil 216 Industrious Poster

Hello, nate.
I don't see an AV service...?
That vundo log shows that it could NOT delete a file: tuvvstq.dll
Rerun Vundofix a couple more times; if it still cannot remove it then let's try this:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Navigate to that file, C:\WINDOWS\system32\tuvvstq.dll and remove it, then run Vundofix again.
Fix these entries with hijackthis if they remain...

F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljg.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

Now clean and scan:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here plus that vundofix log again.

Since you …

gerbil 216 Industrious Poster

A Bagle worm. Cool. G'day, bobby, Mcafee is one AV service it shuts down, AVG is another. You should be able to load one of them now.
Bagle uses a rootkit; if you were to start your PC in Safe mode and scan from there the rootkit would not be activated and so the files etc that it protects would be visible. To start in Safe mode go Start, run msconfig, under Boot.ini check Safeboot and allow your sys to restart. However Panda should have cleaned your sys properly already; rerun it in safe mode if you wish [Safe mode with Networking...]
Good. Now for that safe mode issue if it reoccurs. It could be a sys file that is corrupted - I doubt it but it is the easiest thing to test. Run sfc /scannow and load your same-spec installation cd.
Not fixed? There are a lot of registry entries concerned with booting specifically into safe mode, lists of drivers to load and so on. If these are damaged the easiest way to repair them is probably to run Windows Repair using your installation cd. Boot from the cd, ignore the repair with Recovery console option and instead choose Setup, select your installation and go from there.
Say how you get on... n happy new year!

gerbil 216 Industrious Poster

Hi, bobby, the beauty of running an online scan is that you do not have any files loaded which could become corrupted - you load an ActiveX which runs the scan, plus a signatures file. So do this:
Clean first to reduce the log clutter... here is one:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here plus that HT log....

gerbil 216 Industrious Poster

:).. if you open Applications tab in CCleaner, you will see a Mozilla/FF section for cleaning files there...

gerbil 216 Industrious Poster

Some Spyware tools modify those settings, Kyle, when you run them.

gerbil 216 Industrious Poster

G'day, Kyle. Sorry but I forgot to post this:
ComboFix appears to be down for an indeterminate period - it's all up to the writer.
C:\WINDOWS\system32\cemetrix.dll - a problem file. Delete it.
This is a game file: HGStart9USA.exe - it got "disinfected", so your game may not work... a Far Eastern one?
I'd delete your hijackthis backups to get rid of warnings.
To get rid of this pair: Adware:adware/popper Not disinfected Windows Registry, Adware:adware/commad Not disinfected Windows Registry you will need to run either Adaware or AVG AS:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

gerbil 216 Industrious Poster

Yes, I am afraid so - you have restored to a point before Photoshop created its registry entries, the registry files you loaded in the restore point don't know about Photoshop. Just reinstall over the top of the old installation.

gerbil 216 Industrious Poster

Looks like Combofix has a bug in the date check... just have to wait for it to be fixed.
I tested it, tried my earlier copy and it uninstalled itself, dld the latest [with FF] and it uninstalled itself okay [it should not have done that...] with no effect on FF.

gerbil 216 Industrious Poster

Fun times, kyle. Guess you could try this scan:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
..And this [it shows some useful stuff]:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Ah... I see now what I missed... I gave you some extra work because of it - sorry about that, chuc.
I missed that the last Combofix run deleted ssttr.dll, but it did leave its run keys. The first Vundofix run removed those keys but because the file was gone did not report that it had done so...
The second Vundofix run was unnecessary. Your HT is a clean log. Almost polished, really.
Cheers, and thank you.

gerbil 216 Industrious Poster

There are bad files there; try running Vundofix this way:
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Add more files? line, paste into the new window these pathnames [one per line]:

C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\rttss.*

Click the Add Files button, and next the Remove Vundo button.******

You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

Read my adjusted post... ;)
System Restore:
To use a restore point: Start > programs > accessories > system tools > system restore...
[[the quick way to System Restore is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]

gerbil 216 Industrious Poster

No, you did nothing wrong, it is just that I for one could not figure out any account-specific causes of your situation... sorry.
A roundabout way out would be to create a new account for yourself and migrate over to it all the files from your old My Documents folder. Before you do that, you could try restoring your sys to a date before the problem was first noticed.
I'm a bit curious, though, it is likely to be some toolbar or other add-on of yours, like Google Desktop, so...
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new folder either alongside your program files or on your desktop.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

Hello, chuc,
I must say that I am intrigued by the structure of your Program Files directory...
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in Safe Mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows. Please post C:\rapport.txt
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.
__________________________________________________________

File::
C:\WINDOWS\system32\drvtih.dll
C:\WINDOWS\system32\iifgddb.dll
C:\WINDOWS\system32\cbxwwtt.dll

gerbil 216 Industrious Poster

jej, dump all those files from AVG AS quarantine.....[some groups put out clean keygens cos they are proud of their work, but I won't tell you on this site].
"If I delete all copies of explorer.exe and imapi.exe, they get recreated." - that is the windows file protection system at work; it will replace any protected system file that it finds corrupted. imapi.exe is used with CD image recording, it will flick off when you are not doing that.
This one found by Panda will not be deleted by it because it is not considered a virus by it, more spyware [trojan]:
C:\Documents and Settings\Ken\My Documents\Downloads\Adobe_Photoshop.CS3.Beta.20061208.HAPPY.NEW.YEAR-ENGiNE\e-apcs3.rar[Crack\phot... - you should remove it yourself. It may be breaking Panda, but I doubt it. Some bad infections will halt scans. Try this one:
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....

gerbil 216 Industrious Poster

Use hijackthis to fix this installer:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
.. and then try again after uninstalling and deleting all AVG AS components you can find.
No go? Then...
ATF Cleaner:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Panda Online Scan:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

That hijackthis log shows as clean, pj.
There are these files from Combofix that I do not trust.... they could be encoded filenames from a legit pgm, they could be .dat files for malware...
You don't want a new folder in system32 -it is not the place to go putting your own stuff, let pgm installers do that.
So... delete this folder [check its contents first]:

C:\WINDOWS\SYSTEM32\New Folder

These files were created at the same time as each other; order your system32 files by creation time so as to see what files were written at the same time as these. If no others, and a property check shows them as unclaimed, delete them.

2007-11-03 16:52 119,040 --a------ C:\WINDOWS\SYSTEM32\xhcjgyos.dat
2007-11-03 16:52 41,728 --a------ C:\WINDOWS\SYSTEM32\stpwqrbu.dat
2007-11-03 16:52 35,072 --a------ C:\WINDOWS\SYSTEM32\lwszozol.dat

That done, you should be all okay again. Glad it worked for you.
Cheers.
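The "files created at the same time" check described in the post above can be done on a Combofix-style listing rather than by eye. The following is an added example (not Combofix's, HijackThis's or the poster's code) that parses lines shaped like the three .dat entries, groups system32 files by creation minute, and flags groups whose file names look machine-generated. The log text is constructed for the example (it reuses the three paths from the post plus made-up neighbours), and the "random-looking name" rule is a heuristic of my own, not a rule from any tool.

```python
"""Triage helper: group Combofix-style 'files created' lines by creation
minute and flag same-minute clusters of random-looking names in system32.
Added example for this thread; the name heuristic is an assumption."""
import re
from collections import defaultdict

# Constructed sample in the shape of the post's listing: date time size attrs path.
# The three .dat paths are the ones quoted in the thread; the rest are made up.
SAMPLE_LOG = r"""
2007-11-03 16:52  119,040 --a------ C:\WINDOWS\SYSTEM32\xhcjgyos.dat
2007-11-03 16:52   41,728 --a------ C:\WINDOWS\SYSTEM32\stpwqrbu.dat
2007-11-03 16:52   35,072 --a------ C:\WINDOWS\SYSTEM32\lwszozol.dat
2007-11-03 16:52   12,288 --a------ C:\WINDOWS\SYSTEM32\New Folder\readme.txt
2007-11-03 16:52  221,184 --a------ C:\WINDOWS\SYSTEM32\drivers\vendorport.sys
2007-10-28 09:15   28,672 --a------ C:\WINDOWS\SYSTEM32\setupapp.dll
2007-10-28 09:15    4,096 --a------ C:\WINDOWS\SYSTEM32\updatelog.dll
""".strip()

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)

VOWELS = set("aeiou")


def parse_line(line):
    """Return a dict for one listing line, or None if it is not in that shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "created": f"{d['date']} {d['time']}",   # minute resolution, as in the log
        "size": int(d["size"].replace(",", "")),
        "attrs": d["attrs"],
        "path": d["path"],
    }


def looks_random(path):
    """Heuristic (assumption): a file stem of 6-12 pure letters containing a run
    of three or more consonants, e.g. 'xhcjgyos'. Short stems like 'ntdll' are
    deliberately not matched so common system names are not flagged."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if not stem.isalpha() or not 6 <= len(stem) <= 12:
        return False
    longest = run = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 3


def cluster_by_minute(entries, folder="C:\\WINDOWS\\SYSTEM32\\"):
    """Group entries under `folder` by creation minute; keep groups of 2+ files."""
    groups = defaultdict(list)
    for e in entries:
        if e["path"].upper().startswith(folder.upper()):
            groups[e["created"]].append(e)
    return {ts: files for ts, files in groups.items() if len(files) >= 2}


def suspicious_clusters(log_text):
    """Map creation minute -> paths that were written together and look random."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    result = {}
    for ts, files in cluster_by_minute(entries).items():
        flagged = [f["path"] for f in files if looks_random(f["path"])]
        if flagged:
            result[ts] = flagged
    return result


if __name__ == "__main__":
    for ts, paths in suspicious_clusters(SAMPLE_LOG).items():
        print(f"{ts}: {len(paths)} random-looking file(s) created together")
        for p in paths:
            print("   ", p)
```

The output for the constructed sample is the single 16:52 cluster holding the three .dat files; the legitimately-named files written in the same minute are listed in the cluster but not flagged, and the 09:15 pair is dropped because neither name trips the heuristic. Treat the flag as a prompt for the property check the post describes, not as a verdict.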

gerbil 216 Industrious Poster

Hi, pj, it does appear that this one, Obfustat.UVE, is gone. SDFix would have spotted it.
It is important to make your hijackthis logs in normal mode because some processes are not started in safe mode -we may miss a few bugs.
Okay, start hijackthis, safe or normal mode, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {82AF5D76-845D-4DA8-8097-99924D9A65AA} - c:\windows\system32\atimiaabw.dll (file missing)
O2 - BHO: (no name) - {FB981D1D-E4CF-46DA-AD94-A0078F76E48D} - C:\WINDOWS\system32\pndx5016b.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O20 - Winlogon Notify: xkgjfifo - atimiaabw.dll (file missing)

Good. Now browse to this file and delete it:
C:\WINDOWS\system32\pndx5016b.dll

Normally I would send you to the website for this file; it is from a chap [Doug Knox] with a formidable reputation... but I got it for you; it is to repair your links:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\.lnk\ShellEx]

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"