gerbil 216 Industrious Poster

Try downloading another copy... extract ALL the files to your desktop or a scratch directory.... double-click smitfraudfix.cmd - it should run, I just did a fresh dl and tested it for you.

gerbil 216 Industrious Poster

Do persevere, hbk... , but gee, it's time consuming trying to get on top of this stuff.
Butters, that log shows clean... if you are still having a problem with Spyware Doctor jamming on weirdontheweb then ensure C:\Program Files\WeirdOnTheWeb is removed.... AVG AS or Lavasoft's Adaware may detect and clean any remnants, but run this cleaner first:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
OR///
==Get Adaware SE Personal from http://www.lavasoft.de/software/adaware/
- install it. Update it. Explore what settings you can change in it [via the cogwheel icon up …

gerbil 216 Industrious Poster

Possibly..
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ .. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button.
Post both the logs here.

gerbil 216 Industrious Poster

Umm, hbk, net2phone is ok as an entry generally cos it is a VOIP service, but he's off it cos the files are missing so those two were just put up as fixes for a cleanup... you found the dodgy one, that .exe entry... but a couple of those O2's have CLSID's which don't check out, so they could well have come from malware which may still be resident somewhere else, hence the namechange for hijackthis... [some malwares, esp some Vundo versions, spot hijackthis starting up and immediately hide any registry entries and terminate their runs for the duration - so cunning...]
I mean by that, they were malware entries which still could have installed components. I use imabunny cos way back someone apologised for being so silly as to have picked up vundo that i used that name as a friendly taunt.... she went with it with a return joke n I have simply stuck with it... if they name it SpyShooter or somesuch I may not recognise and would then have to check it out...

gerbil 216 Industrious Poster

hbk wished you to fix certain entries with hijackthis...
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {EEB97AC3-B47A-A0D9-7438-BAA93FEB5B93} - (no file)
O2 - BHO: (no name) - {F2566B36-A3DC-ED7B-8045-FD1D84354597} - (no file)
O4 - HKLM\..\Run: [system32KLGK Agent] C:\WINDOWS\system32KLGK.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)

Good, now delete this file:
C:\WINDOWS\system32KLGK.exe
Finally, because of a couple of traces you have in that log I would like you to rename hijackthis.exe to imabunny.exe [important step] and then make another log for us to look at.
Weirdontheweb? I assume you removed it via CP > add/remove pgms?

gerbil 216 Industrious Poster

Beauty! Thanks, jb. If i'd fully absorbed his boot.ini detail Ida known we were dealing with WINNT in minesz's case [slight twinge of shame....], but now I know the scheme of things.

gerbil 216 Industrious Poster

"It fitted in my bin" Yep, okay, it's just that I have shrunken my bins to a pretty small size - if I don't want stuff, I mostly don't want it hanging around somewhere else.... mostly.. :)
And your WINNT = my WINDOWS[0] ... I was not sure what it would be named, I have seen both.
Skip the info in the last post to you [#10] re partitions and formatting - that was just a recap of a method to use when installing a fresh OS to avoid your problem in the first place; if your sys is working now all is fine.
Cheers.

gerbil 216 Industrious Poster

mistyped in prev post.. meant msi.dll vsn 3.1.4000.4039.
nothing here helps? It applies to 3.1 which they mention at bottom....
http://support.microsoft.com/kb/555175

gerbil 216 Industrious Poster

Surely [re]making any partition forces the rewrite of the MBR? It holds partition information.... as an example if you delete the boot partition which is active, then the MBR must record the new active partition when it is created to pass to BIOS... perhaps I should have said "modify"...
But please don't test me on LINUX, jb.... all I know is that it exists.... so I cannot comment on that aspect of your post.

gerbil 216 Industrious Poster

By the way, if you do not use some third party software to wipe your HD before an installation then during Setup you must remove the old OS [boot] partition and then remake and fast-format it. Remaking the boot partition [C:] rewrites the master boot record for the disk, and creates a new partition boot sector and master file table in C: so all file info is lost. Result is the old OS is toast.

gerbil 216 Industrious Poster

Heh!, sorry, it was actually kb.net's instructions, not Dortz's that I wanted you to follow, but you got it right anyway... :)
Okay, your current boot.ini file is correct, your earlier version tells me that you actually installed your second OS onto the same partition as the first.
Now you wish to lose the first installation to which you do not have the admin password - all you need to do is delete the WINDOWS folder [it will not fit in your bin]; the folder you are using will be designated as WINDOWS[0]. Am I correct? Creation dates will tell.... To be rid of that [0] in WINDOWS[0] would be nigh impossible, I think, cos it would be deeply embedded in registry entries.
WINDOWS[0] will be using your original Program Files folder, but some of your document folders may be duplicated so copy out of the old into the new and remove the old. You should be able to work out which is which from creation dates etc, if not from the contents.

gerbil 216 Industrious Poster

Can you not copy this and other missing files from the CD i386 folder?
c:/windows/system32/msiexec.exe
And you could always rename msiexec.old to msiexec.exe... mine is vsn 3.1.4000.1823.
mis.dll vsn is 3.1.4000.4039

gerbil 216 Industrious Poster

Go back to that repair store, tell them that they loaded your pc from an XP CD that is more up-to-date than yours, and reasonably demand that they burn you a copy of the CD they used. For no charge, or pretty much just the cost of a CD blank. Then you can use it to do a Windows Repair [via Setup, not Recovery console]

gerbil 216 Industrious Poster

Grab your installation CD, go Start, run, type or paste in:
sfc /scannow -and press Enter. Follow the instructions, when finished the window will just close, no fanfare.
Actually, I don't know if that will copy in those files because they may not be listed as protected [but it won't hurt to try it]. If it does not you could then just copy those files off your CD [in i386 folder] into system32.
msi.dll has been updated recently. Windows update will pick that up though if you request it [the update website] to scan your system.

gerbil 216 Industrious Poster

minesz, follow dortz' instructions to the Edit button and put up a copy of the notepad that opens, cos what you folks are discussing is clear as mud. Pretty much.

gerbil 216 Industrious Poster

Use hijackthis to fix this entry:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
Say how it goes.

gerbil 216 Industrious Poster

Iexplore won't run, huh? Okay, cos you have an active desktop I would remove that [O24], remove all the Google BHO's [uninstall google desktop and fix the google O2's and O3].
I'm just guessing that one of your browser addons has killed your browser and hence your active desktop.
Clean up these entries while you are at it:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - blank (file missing)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxdm824DOUS
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Actually, of all your O2 and O3 entries, this is the only one I would keep:
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

Say how you get on...

gerbil 216 Industrious Poster

It's late, I'm going to just try a guess...
Copy this download into the pc. It fits on a floppy. Or use Safe mode with Networking to go directly.

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
==Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
==Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.

gerbil 216 Industrious Poster

windows will automatically replace protected system files from its cache.
If you doubt a file, check its properties, if you still doubt it, submit a copy to that scanner address I gave you above...

gerbil 216 Industrious Poster

system32\wscntfy.exe: vsn 5.1.2600.2180 size 13.5kb.
There will be another copy in system32\dllcache [this is normally hidden]
There can NOT be multiple copies of it in system32.

gerbil 216 Industrious Poster

Ignore wscntfy and svchost, they are fine. Svchost generally has multiple instances running as it handles threads from different applications.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - Startup: MagicDisc.lnk.disabled
O4 - Startup: TA_Start.lnk.disabled
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: http://www.rr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://www.help.rr.com/Foundrysdccom...ad/tgctlar.cab
O22 - SharedTaskScheduler: depreciable - {716002db-288c-4bf0-80cd-a467e78d8b55} - C:\WINDOWS\system32\dxovx.dll (file missing)

LSPFIX:
==Download LSPfix from here http://cexx.org/LSPFix.exe -start it by dclicking the .exe....
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "tmwsock.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.
Delete these files :
C:\WINDOWS\system32\tmwsock.dll

Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log plus a fresh hijackthis scan …
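The fix list above is the kind of triage a helper does by eye: BHOs whose DLL is gone, Trusted Zone entries for rogue "security" products, AppInit_DLLs and Winlogon Notify hooks, and orphaned SharedTaskScheduler entries. The script below is an added example (mine, not a tool from this thread or from HijackThis) that applies those same rules to log text. The rogue domains are the ones quoted in the post; the sample log is constructed from lines quoted in the thread, with the Java BHO included as a benign control that must not be flagged.

```python
"""Rule-based triage of HijackThis log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Domains from the O15 list in the post above: rogue anti-spyware products of the era.
ROGUE_TRUSTED_DOMAINS = {
    "drivecleaner.com", "errorprotector.com", "systemdoctor.com",
    "winantispyware.com", "winantivirus.com",
}

ENTRY_RE = re.compile(r"^(?P<section>[OR]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _host(value):
    """Reduce '*.example.com' or 'http://www.example.com/x' to a bare host name."""
    value = re.sub(r"^[a-z]+://", "", value.strip().lower())
    return value.lstrip("*.").split("/", 1)[0]


def triage(log_text):
    """Return the entries a helper would ask to have fixed, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        file_missing = "(file missing)" in body or "(no file)" in body
        if section == "O2" and file_missing:
            findings.append(Finding(section, "BHO registered but its DLL is gone (orphaned or hidden)", line))
        elif section == "O15":
            host = _host(body.partition(":")[2])
            if host in ROGUE_TRUSTED_DOMAINS or any(host.endswith("." + d) for d in ROGUE_TRUSTED_DOMAINS):
                reason = "Trusted Zone grants relaxed IE security to a known rogue-AV domain"
            else:
                reason = "Trusted Zone entry: confirm the user added this site deliberately"
            findings.append(Finding(section, reason, line))
        elif section == "O20" and body.startswith("AppInit_DLLs"):
            findings.append(Finding(section, "AppInit_DLLs injects this DLL into every user32 process", line))
        elif section == "O20" and file_missing:
            findings.append(Finding(section, "Winlogon Notify hook whose DLL is missing", line))
        elif section == "O22" and file_missing:
            findings.append(Finding(section, "SharedTaskScheduler entry whose DLL is missing", line))
    return findings


def clsids(findings):
    """CLSIDs on flagged lines: the keys under HKCR\\CLSID worth checking after the HJT fix."""
    return {c for f in findings for c in CLSID_RE.findall(f.line)}


# Constructed sample: lines quoted in this thread, plus the Java BHO as a benign control.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: http://www.rr.com
O20 - AppInit_DLLs: c:\windows\system32\mljjijj.dll
O20 - Winlogon Notify: lzextat - lzextat.dll (file missing)
O22 - SharedTaskScheduler: depreciable - {716002db-288c-4bf0-80cd-a467e78d8b55} - C:\WINDOWS\system32\dxovx.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
    print("CLSIDs to check:", sorted(clsids(triage(SAMPLE_LOG))))
```

The Messenger O9 line is deliberately left alone: a missing msmsgs.exe is cosmetic, which is why the post lists it as a tidy-up rather than an infection, and the rules here only flag the sections that point at code loading or at security-zone changes.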

gerbil 216 Industrious Poster

Try this scanning site: http://virusscan.jotti.org/ - either paste into the box the pathname of each file [eg C:\windows\system32\wscntfy.exe] or browse to them. Post the results.
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. ]
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Post a hijackthis log:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button.

gerbil 216 Industrious Poster

They look fine... on the way out the pings went quite directly to the target sites via various carriers, and that is fine. Google got bounced about a bit on the way back to you, but no problem there -it's how the web works, packets find the more direct and non-loaded path. You're fine.
Cheers.

gerbil 216 Industrious Poster

Cool! I c nothing else that could upset your sys in those startup entries. The icon... dunno, it may just be your ISP's way of showing you a broken search. The icon came with your ISP's software. If you wish to fool around a bit to check no unwanted redirection is occurring try tracing a connection to a local website, one in your town.
Go Start, run, type cmd -press Enter. Type in:
tracert www.google.com -press Enter. You'll get a list of providers which the connection goes thru. Now to google it would have several junctions to go by..... hence try a local website. [don't include the http:// bit]
Anyway, if you are happy, hit the solved button.
Cheers.

gerbil 216 Industrious Poster

Haha!! you beat me to it... ignore my script then.... :) What are things like now?

gerbil 216 Industrious Poster

Okay, here: save this text between the lines as URLPrefixes.reg in a notepad on your desktop, dclick it to run it. And that will remove that entry [the script removes the entire subkey and then recreates it with the correct values]
_______________________________________________________________________
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

_______________________________________________________________________

[you may have to rclick the icon and select Open with> registry editor for it to run....]

gerbil 216 Industrious Poster

That entry in registry I asked for is to be cleaned up - every time you enter a URL you go via that site to the site you wished for... I think that's how it works.
So... because it has no name I would have to delete all the keys entries n recreate the valid ones, but it would be simpler for you to go to that key n do it manually:
Go Start, run, type regedit -and press Enter.
Navigate to this key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes and lclick Prefixes.
In the right pane select the entry [in the lefthand column] with no name and delete it. If you cannot select the "no name" entry delete the data on the right column. Close the window.
If it sounds difficult I can whip up a script for you.

gerbil 216 Industrious Poster

That looks clean. I don't know what happened to efffge.dll; I think we may assume that Vundofix removed it. Vundofix does occasionally appear to get a little upset by its task, but it does the job nevertheless.
I am afraid that the unread messages part is invisible to me - something you configured, perhaps? Or is it a result of malware, an ad?
If so...
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs]
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

gerbil 216 Industrious Poster

==Please copy the text between the lines to a notepad and save as showkey.bat, as type "all files" to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes" >C:\showkey.txt
__________________________________________________________
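The showkey.bat above dumps the URL\Prefixes key, and the earlier URLPrefixes.reg post shows what it should contain. The script below is an added example (mine, not from the thread) that reads the `reg query` output the batch file writes to C:\showkey.txt, compares it against the five values the .reg script restores, and flags the unnamed value the poster describes as well as any prefix whose data has been pointed elsewhere. The sample output is constructed; the redirect hosts in it are placeholders, not real sites.

```python
"""Audit IE's URL\\Prefixes key from `reg query` output (added example, not from the thread)."""
import re

PREFIXES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes"

# Values the thread's URLPrefixes.reg writes back.
EXPECTED_PREFIXES = {
    "ftp": "ftp://",
    "gopher": "gopher://",
    "home": "http://",
    "mosaic": "http://",
    "www": "http://",
}

# How reg.exe labels the key's unnamed default value: XP prints <NO NAME>, later versions (Default).
UNNAMED = {"<NO NAME>", "(Default)"}

# Indented "name  REG_TYPE  data" lines; the key path header has no indent and is skipped.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")


def parse_reg_query(text):
    """Return {value_name: data} from the output of `reg query <key>`."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values


def audit_prefixes(text):
    """Compare the dumped key with EXPECTED_PREFIXES; return (kind, name, data) findings."""
    live = parse_reg_query(text)
    findings = []
    for name, data in live.items():
        if name in UNNAMED:
            findings.append(("unnamed value", name, data))      # the symptom in the post
        elif name not in EXPECTED_PREFIXES:
            findings.append(("unexpected value", name, data))
        elif data.lower() != EXPECTED_PREFIXES[name]:
            findings.append(("wrong data", name, data))          # prefix redirected elsewhere
    for name in EXPECTED_PREFIXES:
        if name not in live:
            findings.append(("missing value", name, None))
    return findings


def remediation_reg(key=PREFIXES_KEY, expected=EXPECTED_PREFIXES):
    """Build a regedit 5.00 script that deletes the key and recreates it, as URLPrefixes.reg does."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[-{key}]", "", f"[{key}]"]
    lines += [f'"{name}"="{data}"' for name, data in expected.items()]
    return "\n".join(lines) + "\n"


# Constructed sample of XP-era `reg query` output with two hijacked values (placeholder hosts).
SAMPLE_REG_QUERY = (
    "! REG.EXE VERSION 3.0\n\n"
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\URL\\Prefixes\n"
    "    <NO NAME>\tREG_SZ\thttp://redirect.example.invalid/?u=\n"
    "    ftp\tREG_SZ\tftp://\n"
    "    gopher\tREG_SZ\tgopher://\n"
    "    home\tREG_SZ\thttp://\n"
    "    mosaic\tREG_SZ\thttp://\n"
    "    www\tREG_SZ\thttp://hijacked.example.invalid/?u=\n"
)

if __name__ == "__main__":
    for kind, name, data in audit_prefixes(SAMPLE_REG_QUERY):
        print(f"{kind:16} {name!r:12} {data}")
    print(remediation_reg())
```

Reading the file the batch script produced is just `audit_prefixes(open(r"C:\showkey.txt").read())`; an empty audit means the key matches the .reg and nothing needs rewriting.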

gerbil 216 Industrious Poster

Cries quietly....

gerbil 216 Industrious Poster

Sorry, I really thought combofix would grab this one....
Okay, fix these:

O4 - HKLM\..\Run: [{D1-19-9E-EE-ZN}] C:\windows\system32\lpdsrngk.exe CHD003
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

Good, delete this file:
C:\windows\system32\lpdsrngk.exe

If it plays tough, use this:
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

gerbil 216 Industrious Poster

I can't see what AVG has quarantined, but you should be on safe ground emptying the bin.
Please change the name of hijackthis.exe to imabunny.exe.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {424819DB-DA6B-DD99-1C10-FB8DB150809D} - C:\WINDOWS\system32\njpst.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
...and EVERY O15 entry!!

Good.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply with a fresh hijackthis scan.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

gerbil 216 Industrious Poster

Ok, then this should pick it up [instructions are on the web page]. Please post the text file.
http://www.silentrunners.org/sr_scriptuse.html

gerbil 216 Industrious Poster

Panda removes viruses it finds, but only points out instances of spyware, but that is good enough.
Delete this file:
C:\Program Files\MSN Messenger\riched20.dll
- you should not need this, but here it is anyway: Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

Now to delete this CLSID: you can either navigate to it in your registry and delete the subkey [CLSID entry]:
hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
-or you can run this: Go Start, run, type cmd -and press OK. Paste this line into the window at the prompt and press Enter:

reg delete "hkcr\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}" /f

Close the window. Say how your sys is after a restart....

gerbil 216 Industrious Poster

..the combofix run in normal mode was fine. Delete C:\Qoobox.
Vundofix: this is a very important line in the instructions:
!! Check the Vundofix log for any entries that were not deleted - if present rerun Vundofix !!
Note that the scan found C:\WINDOWS\efffge.dll but made no attempt to delete it.
Pls rerun Vundofix, twice will not hurt; if it still makes no attempt we shall try something else. Hang on, let's try to cripple these first...
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {2a5e79a8-fccf-43fc-b80f-99515372731e} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - AppInit_DLLs: c:\windows\system32\mljjijj.dll
O20 - Winlogon Notify: lzextat - lzextat.dll (file missing)

Good, now try to delete c:\windows\system32\mljjijj.dll
-this may help: Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Okay, now run Vundofix.....

gerbil 216 Industrious Poster

AVG7 does me. Lessee... doesn't hog resources, reliable and quick updating...

gerbil 216 Industrious Poster

It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!! Check the Vundofix log for any entries that were not deleted - if present rerun Vundofix !!

= dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Post the contents of C:\vundofix.txt, …

gerbil 216 Industrious Poster

Gerardo, you still have AVG7 running along with Norton. You MUST remove AVG7 cos two AV services can be very detrimental to performance. Apart from that nothing bad shows in that log - pls try this scan after cleaning...
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs]
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

ello, gerardo, first off you gotta get rid of one of those resident AV's; since you are paying for Norton I suggest you fire AVG7. Now.
MyWebSearch Search Assistant - Go to Add/Remove programs and remove MyWebSearch Bar, MyWeb Search and Search Assistant.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxdm414YYAR
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
{85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

If you do not want Tosh to be your main web page fix these two entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

Good, say what happens.

gerbil 216 Industrious Poster

Okey-doke. Good stuff.

gerbil 216 Industrious Poster

hello, kained, please start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [mpeg heck log link] C:\Documents and Settings\All Users\Application Data\Joy coal mpeg heck\setup jugs.exe
O4 - HKLM\..\Run: [bib bat meet link] C:\Documents and Settings\All Users\Application Data\film start link joy\Joy wait ping.exe
O4 - HKCU\..\Run: [AudioMeet] C:\DOCUME~1\Dave\APPLIC~1\NAMETI~1\1one.exe

==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner.]
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here, along with a fresh hijackthis scan plus your comments.

gerbil 216 Industrious Poster

Mmm.. search only for retadpu.
..and the rest of the procedure? No logs?

gerbil 216 Industrious Poster

Not really; if you have no problems you don't need specialised detection/cleaning tools on your sys. Plus they get updated very frequently to counter new threats, further some worry your AV. Just stay clean behind a good firewall with a resident AV and you should be okay. Spywareblaster is very useful for blocking known bad sites. It's free.. have a look if you do not already have it..

gerbil 216 Industrious Poster

Yes, they do. Vundo is one obvious one that shuts its processes, removes its keys, when it sees hijackthis start. But sometimes we can tell if Vundo is active by other traces and so ask for the cleaning tool to be run without confirming the files and keys are there - that is just to save time. If we only mildly suspect the proper way would be to ask for a new scan with a changed filename for hijackthis.
Imabunny? well, someone once mentioned that they'd been silly and dl'd a pest - it went into my text from then.

gerbil 216 Industrious Poster

Okay, Steven, I'll pick it up for you because Crunchie is taking a break. I just hope it is not too long a one... he does the best work.
Btw, hijackthis must be run in Normal mode when producing a scan for us.
Please delete C:\vundofix.txt. Rename hijackthis.exe to imabunny.exe.
Get Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker 1.8.5
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
==Get CCleaner and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
==GET AVG antispyware 7.5
Install it and UPDATE it.

Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click …

gerbil 216 Industrious Poster

Good ole AVG. Ok, passed a keener eye over the log and it appears clean now.
Cheers.

gerbil 216 Industrious Poster

Michelle, I missed this one... was staring me in the face from your first log, but I knew combofix would remove it. Then of course I noted you were running Vista so combofix was not an option, and I forgot to put it in for fixing. It is still there, pls fix it, but note that its name will have changed!! So make a fresh hijackthis scan, look for [systemoptimizer]:

in first log:
O4 - HKCU\..\Run: [SystemOptimizer] rundll32.exe "C:\Users\michelle\AppData\Local\Temp\hrcybfat.dll",forkonce
...it became:
O4 - HKCU\..\Run: [SystemOptimizer] rundll32.exe "C:\Users\michelle\AppData\Local\Temp\xfmaawuu.dll",forkonce

So find it, fix it ..and delete this:

C:\Users\michelle\AppData\Local\Temp\whatever its new name is.dll

Sigh...
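The two logs above show the pattern the poster is chasing: the Run value keeps its name, [SystemOptimizer], while the DLL it loads from Temp gets a fresh random name on each boot, so a fix list written against the first log misses it. The script below is an added example (mine, not from the thread) that compares two HijackThis logs keyed on the Run value name, reports entries whose command line changed, and notes when the change is only the file name inside the same directory. The two sample logs reuse the [SystemOptimizer] lines quoted in the post; the printer-agent entry is a constructed benign control.

```python
"""Diff O4 Run entries between two HijackThis logs (added example, not from the thread)."""
import ntpath
import re

# "O4 - HKCU\..\Run: [Name] command line"
RUN_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# Quoted paths, or bare tokens ending in .exe/.dll.
PATH_RE = re.compile(r'"([^"]+)"|(\S+\.(?:exe|dll))', re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)


def run_entries(log_text):
    """Map (hive\\..\\Run, value name) -> command line for every bracketed O4 entry."""
    entries = {}
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries[(m.group("where"), m.group("name"))] = m.group("cmd")
    return entries


def _file_paths(cmd):
    """Paths on the command line that include a directory component."""
    return [a or b for a, b in PATH_RE.findall(cmd) if "\\" in (a or b)]


def same_directory_new_file(old_cmd, new_cmd):
    """True when both commands load a file from the same directory under different names."""
    old_paths, new_paths = _file_paths(old_cmd), _file_paths(new_cmd)
    if not old_paths or not new_paths:
        return False
    old_dir, old_file = ntpath.split(old_paths[0])
    new_dir, new_file = ntpath.split(new_paths[0])
    return old_dir.lower() == new_dir.lower() and old_file.lower() != new_file.lower()


def suspicious_command(cmd):
    """Heuristics for the persistence style in the post: rundll32 loading a DLL out of Temp."""
    reasons = []
    if TEMP_RE.search(cmd):
        reasons.append("loads a file from a Temp directory")
    if re.match(r"^\s*rundll32(\.exe)?\b", cmd, re.I):
        reasons.append("rundll32 used as a loader")
    return reasons


def compare_runs(old_log, new_log):
    """Report added, removed and changed Run entries, plus any that match the heuristics."""
    old, new = run_entries(old_log), run_entries(new_log)
    report = {"changed": [], "added": [], "removed": [], "suspicious": []}
    for key, cmd in new.items():
        if key not in old:
            report["added"].append((key, cmd))
        elif old[key] != cmd:
            note = ("same directory, new file name: random-name persistence"
                    if same_directory_new_file(old[key], cmd) else "command line changed")
            report["changed"].append((key, old[key], cmd, note))
        if suspicious_command(cmd):
            report["suspicious"].append((key, suspicious_command(cmd)))
    for key, cmd in old.items():
        if key not in new:
            report["removed"].append((key, cmd))
    return report


# Constructed samples: the [SystemOptimizer] lines quoted in the post plus a benign control entry.
OLD_LOG = r"""
O4 - HKLM\..\Run: [ExamplePrinterAgent] C:\Program Files\Example\agent.exe
O4 - HKCU\..\Run: [SystemOptimizer] rundll32.exe "C:\Users\michelle\AppData\Local\Temp\hrcybfat.dll",forkonce
"""
NEW_LOG = r"""
O4 - HKLM\..\Run: [ExamplePrinterAgent] C:\Program Files\Example\agent.exe
O4 - HKCU\..\Run: [SystemOptimizer] rundll32.exe "C:\Users\michelle\AppData\Local\Temp\xfmaawuu.dll",forkonce
"""

if __name__ == "__main__":
    for kind, items in compare_runs(OLD_LOG, NEW_LOG).items():
        for item in items:
            print(kind, *item)
```

Because the report is keyed on the value name rather than the path, the fix list can name the entry to remove while the DLL itself is identified from whatever the latest log shows, which is exactly the "look for [SystemOptimizer] in a fresh scan" instruction above.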

gerbil 216 Industrious Poster

Michelle, that O2 entry, O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\Windows\system32\[xsaxvmot.dll] does not show up... to find the file itself manually would be tough cos it appears to be from a new family of pests - it changes its name upon every boot. AVG seems to have got it.
Fix that O13 - Gopher Prefix: entry, and remove all entries from AVG's quarantine- the infections tab.
Otherwise, your log shows clean. Come back when you have a more definitive idea of the problem.
Who uses Gopher now..?

gerbil 216 Industrious Poster

mudman, I am not sure why your hijackthis picks up those two O22 entries but be assured that they are okay and necessary. In my machine they exist [but are not displayed by HT], meaning they start before windows just as yours do. I can only guess at the reason for their non-appearance in some logs - could it be that I have no browser homepages set?... I don't know. Leave em be. No browseui.dll running, no browser functions.
The O10 entry... it's there because you sometimes connect to a network printer? You can remove it if you wish with LSPFix from Cexx. If you try it... you see that expert box, I know what I'm doing? well, you had better.... if you remove all entries you face repair/installation. If you only have a local printer..ie connected directly to your pc, you don't need it.
Okay, delete vundofix, combofix, qoobox, avenger...and their logs. Most tools are updated regularly to keep pace.
And that looks like it. Cheers.