gerbil 216 Industrious Poster

After you try Unlocker you can run Avenger anyway... even if you manage with Unlocker paste the whole block into Avenger...

gerbil 216 Industrious Poster

Gee, mudville man, Vundofix played up a bit there - two of the files it turned up on 8/3/2007 it did not attempt to delete...
C:\WINDOWS\system32\laf15.dll
C:\WINDOWS\system32\wvuussr.dll
.. but then they did not show in the next scan..? It could not cope at all with the last lot you added. Delete your copy of Vundofix and dl a new version please.
I do love the honesty in the naming of your new adware pest.

First step, would you please submit c:\windows\system32\hhmjhhm.dll for a scan at http://virusscan.jotti.org/
-use the browse button or paste the pathname.
We shall see if this tool will handle it.. please download:
Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
It runs from the rclick context menu, and that is cool.
Just in case it does not...
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop.
Update your AVG-AS. Set
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.

Ready? Delete C:\vundofix.txt, then once more into Safe Mode. Use hijackthis to fix the following entries:

O2 - BHO: (no name) - {DFDBBDD6-1441-4715-B1BD-9D5540CCCA30} - …

gerbil 216 Industrious Poster

Just a note, those two O4 entries, UpdReg and Ecenter are just annoying prompts to register software, they are not malware.

gerbil 216 Industrious Poster

You are not clear yet, Michelle, Vundo detected C:\Windows\system32\vtuvt.dll but could not delete it (did you successfully delete it manually? .. please check..), and one of those entries I asked you earlier to fix has been regenerated. So something else is there.... and it is possibly C:\Windows\system32\xsaxvmot.dll

Delete C:\vundofix.txt
A couple of tools to get now:
This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
CCleaner:
Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
AVG-AS:
GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
- the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Cool. Back into Safe Mode, please.
Use hijackthis to fix these entries:

O2 - BHO: (no name) - {32314B0F-9418-4FB8-92B6-151C58436B58} - C:\Windows\system32\vtuvt.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\Windows\system32\xsaxvmot.dll
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\vtuvt.dll,CPP

Delete this file:

C:\Windows\system32\xsaxvmot.dll

Now please rerun Vundofix.
Check the Vundofix log for any entries that could not be deleted - if present rerun Vundofix.
!!!Make sure to restart in Safe Mode!!!
Now run CCleaner from the recycle bin rclick menu using its default …

gerbil 216 Industrious Poster

Glad to help, geo.
Touch that solved button, would you, please?

gerbil 216 Industrious Poster

First off, sc. You gotta enter the service NAME, and you get that from the services manager, it may or may not be correctly given inside the parentheses in the log entry. There are a few ways to kill services...
- hijackthis under misc tools section.
- sc delete "service name"
[Use control panel, admin services; or Start > run, enter services.msc [or dcomcnfg]; - click Services [local] in the left pane, maximise the window and select Extended tab at foot. Search for the specific service, rclick it and select Properties - you can press the Stop button if it is highlighted. Note the file path if there is one.. and note its Service Name. Close.]

Okay, back to the job. Rerun Vundofix in Safe Mode; if it does not detect and delete the C:\WINDOWS\SYSTEM32\hhmjhhm.dll file and its relations then run it again, but modified so:

Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Addmore files? line, paste into the new window these pathnames [one per line]:

C:\WINDOWS\SYSTEM32\hhmjhhm.dll
C:\WINDOWS\SYSTEM32\mhhjmhh.*

Click the Add Files button, and next the Remove Vundo button.******
You will receive a prompt asking if you want to remove the files - click YES.... and so on.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, …

gerbil 216 Industrious Poster

Michelle, it appears that you do have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Restart your system in Safe Mode. *****!!
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
***If Vundofix reports that it could not delete a file, rerun it until it does.
Good.
=Start hijackthis and select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\vtuvt.dll,CPP
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

Delete these files:
C:\Users\michelle\AppData\Local\Temp\hyirqkcq.exe
C:\Windows\system32\vtuvt.dll
C:\Windows\system32\oobefldr.dll
Post …

gerbil 216 Industrious Poster

But is your sys ok, now? Very impt info for us, that....
Delete C:\Qoobox, and combofix.

gerbil 216 Industrious Poster

Ok, I can see that you are having fun trying, so I'll give you a gentle shove in what I think is the right direction: did you get your vundofix from here? It won't hurt to delete your copy n get a fresh one....
http://www.atribune.org/ccount/click.php?id=4
Run it in Safe Mode.
Next use hijackthis to fix this entry:
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
Finally go start, run, type cmd and OK. Paste this next line into the window at the prompt, enter it and close.

sc delete cmdService

Say how you get on.... post the vundo log for me, plus a fresh HT scan.
[hxds.dll is a legit M$ file...]

gerbil 216 Industrious Poster

Naturally enough. Defender can't .. never mind. You are in the wrong forum; cart your plaint over to Viruses n Nasties, read and follow the top sticky. Post there.

gerbil 216 Industrious Poster

Hello, Gary... you could just do this, use hijackthis to fix the following entry and then delete its file:

O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll

..But I would like to see if Combofix is set up to deal with it properly - there are a lot of reg keys and files that depend from the above BHO and which would remain, but neutralised. So, if you are willing, pls do this next after the above fix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Thanks.

gerbil 216 Industrious Poster

Every instance of an open webpage will have at least one connection, to secure sites there could be several; a couple running for your system [internal], multitab browsers such as firefox, opera will have at least one per tab. And so on.
But a hundred or so? Wow... typically I would have maybe 8-10 open.. but I aint the world's keenest browser.

gerbil 216 Industrious Poster

Cool. I think.. . Did vundofix produce a log? I'd like to see it.
Moving on, if your sys will [gulp]... you should fix these two also, Hamada, with hijackthis:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

Finally, get this cleanup tool, and do the online scan after:
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]
Panda Online Scan:
==Please do an online scan at panda:- …

gerbil 216 Industrious Poster

Uh-oh. What does it do when you try to restart? Not a blue screen.... I hope?

gerbil 216 Industrious Poster

EDIT!!
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Addmore files? line, paste into the new window these pathnames [one per line]:

C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\fgjlm.*

Click the Add Files button, and next the Remove Vundo button.*****
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.

I asked you to do that special run because ComboFix shows these files as created in the previous month, and I did not see Vundofix as having removed them:
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\fgjlm.bak2
C:\WINDOWS\system32\fgjlm.bak1

gerbil 216 Industrious Poster

Ladies n gennermen, the prize fer the mos vundo files I ever did see goes to Hamada!! [..loud applause, whistles...].
An not to begrudge it, that is a long list of detections by ComboFix.... you, cautious? Anyway, you were sposed to run ComboFix...
Right. Your taskmanager shows things have cooled down somewhat, now let's get some more outta there. But first, you see that line where I say to change the name of hijackthis.exe [HiJackThis_v2.exe] to imabunny.exe? I meant it. Please do it before you post the next hijackthis log, otherwise we may be wasting our time here.
Add/remove pgms, remove MyWebSearch and similar. Then delete that folder in pgm files folder.
Use hijackthis to remove these entries: start it, then select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {E188373D-F47C-4B0C-BE35-FAD41E3360AD} - C:\WINDOWS\system32\mljgf.dll (file missing)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\4.bin\m3SrchMn.exe" /m=2 /w
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZZ
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O20 - Winlogon Notify: gebcb - C:\WINDOWS\system32\gebcb.dll (file missing)

Good. Post …

gerbil 216 Industrious Poster

I'll just pop this in here cos I don't think jb does malware fixes.... if you do, jb, my apologies....
Hamada, you're loaded; this will get the fix started...
Open a windows explorer folder, > tools > folder options > view, and
-press Show hidden files and folders
It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.
Check the log, if Vundofix could not delete some files, run the fix again.
Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your …

gerbil 216 Industrious Poster

Looking at your processes, windows defender and Spyware Doctor are blowing you outta the water, CPU time-wise. And what is winlogon doing using so much time? - it should be quiescent. Zero time, just barely showing..

gerbil 216 Industrious Poster

This should help, Thierry:
Either: go Control panel > folder options OR: in an explorer window > tools>folder options; - then view tab, and press Show hidden files and folders.
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings....In control panel select the Network and Internet Connections, rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.

FIX CHECKED ENTRIES....!!
Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:

O17 - HKLM\System\CCS\Services\Tcpip\..\{14E70BBD-5523-4502-AC1D-8B54F65C179E}: NameServer = 85.255.113.150,85.255.112.233
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E53DCD3-7317-4A3D-9647-53E0F3636E52}: NameServer = 85.255.113.150,85.255.112.233
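The entries above are the kind of thing a helper scans a HijackThis log for by eye: O17 NameServer lines pointing at resolvers the user never chose, O2/O20 components whose file is gone, and O4 autostarts that hand a DLL to rundll32. The script below, an added example that is not part of gerbil's posts, automates that triage over a constructed sample log in HijackThis line format. The OpenDNS allowlist is an assumption; replace it with the resolvers your machine is actually meant to use.

```python
"""Triage a HijackThis log for the entry patterns discussed in this thread."""
import re

# Assumption: the only resolvers this machine should be configured with (OpenDNS).
TRUSTED_DNS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample in HijackThis format; the GUIDs/paths are illustrative only.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {36345442-9475-2563-166A-467739208346} - C:\WINDOWS\System32\ipv6mons.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\vtuvt.dll,CPP
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{14E70BBD-5523-4502-AC1D-8B54F65C179E}: NameServer = 85.255.113.150,85.255.112.233
O17 - HKLM\System\CS2\Services\Tcpip\..\{1130C533-380E-47B7-92EA-F52F97B8E5A7}: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: gebcb - C:\WINDOWS\system32\gebcb.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer =\s*(?P<servers>[\d.,\s]*)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll)", re.IGNORECASE)


def parse_line(line):
    """Split 'O17 - body' into (kind, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def check_entry(kind, body):
    """Return a reason string if the entry deserves a look, else None."""
    if kind in ("O2", "O3", "O20") and ("(file missing)" in body or "(no file)" in body):
        # Registered component whose file is gone: leftover of a removal, fix it.
        return "orphaned entry: registered component's file is gone"
    if kind == "O4":
        m = RUNDLL_RE.search(body)
        if m:
            # Autostart that loads an arbitrary DLL via rundll32 (the Vundo pattern).
            return f"rundll32 autostart loads {m.group('dll')}; verify the DLL"
    if kind == "O17":
        m = NAMESERVER_RE.search(body)
        if m:
            servers = {s.strip() for s in m.group("servers").split(",") if s.strip()}
            rogue = servers - TRUSTED_DNS
            if rogue:
                # Resolver the user did not choose: classic DNS hijack, fix and flushdns.
                return "NameServer outside allowlist: " + ", ".join(sorted(rogue))
    return None


def triage(log_text):
    """Return [(line_no, kind, reason)] for every flagged entry in the log."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        reason = check_entry(*parsed)
        if reason:
            findings.append((n, parsed[0], reason))
    return findings


if __name__ == "__main__":
    for n, kind, reason in triage(SAMPLE_LOG):
        print(f"line {n:3} {kind:4} {reason}")
```

Paste a real log into SAMPLE_LOG (or read it from a file) and the output lists exactly the lines to tick in Scan Only before pressing Fix Checked; an empty O17 NameServer, like the CS1 line earlier in this thread, is deliberately not reported.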

gerbil 216 Industrious Poster

Cool... :)
There is still this entry there, but it is not a bad one, so I leave it up to you...you may be using it for your DNS lookups.. instead of defaults. Cheers.
O17 - HKLM\System\CS2\Services\Tcpip\..\{1130C533-380E-47B7-92EA-F52F97B8E5A7}: NameServer = 208.67.220.220,208.67.222.222

gerbil 216 Industrious Poster

==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings....In control panel select the Network and Internet Connections, rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.

Start hijack this, scan only and fix these entries:

O4 - HKLM\..\Run: [outpost_uninst] C:\DOCUME~1\OWNER~1.THE\LOCALS~1\Temp\_uninstop.exe /u
O17 - HKLM\System\CCS\Services\Tcpip\..\{1130C533-380E-47B7-92EA-F52F97B8E5A7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E59BD02-C9E7-4417-AF6A-6AC1C6F24BAA}: NameServer = 85.255.115.60,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{708E4F73-0BD1-418C-A1AA-3DEB07216E08}: NameServer = 85.255.115.60,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{C66CC589-9402-4597-9ED2-8610592ED56C}: NameServer = 85.255.115.60,85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1130C533-380E-47B7-92EA-F52F97B8E5A7}: NameServer =

gerbil 216 Industrious Poster

You misunderstood me - a repair installation will keep 3rd party applications and files intact, reinstalling will not.

gerbil 216 Industrious Poster

Do the sfc /scannow command first, it checks and replaces any corrupted protected windows components, and takes maybe 10mins...and it is looking like your shell or rundll32 is broken. Next option is a windows repair - with that as opposed to a reinstall you keep all your 3rd party applications and files intact.
Say how you get on.

gerbil 216 Industrious Poster

OOPS!! Big oops! The Panda scan is online ...gulp... can you start internet explorer via Task Manager? File, New task, type Iexplore.exe and enter. Sorry... Or else start in safe mode with networking and try it from there.
Have you got an XP SP2 installation CD? It would pay to run
sfc /scannow

gerbil 216 Industrious Poster

hmm... nothing there. Combofix has actually deleted a file by Thunder Networking Tech - it is the genuine file, not a bit of malware. But i don't know what it does, apart from being a BHO -browser helper- so you may not miss it. The key which started it is still there; you can go into registry and remove it if you wish:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects;
{0005A87D-D626-4B3A-84F9-1D9571695F55}=C:\WINDOWS\system32\xunleibho_v8.dll []
You could try a Panda scan while we think on your symptoms.... do a fresh CCleaner run first:
Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

From what you say I do not think it is a spyware problem.. 99% sys idle is good.

gerbil 216 Industrious Poster

Download the file from here, unzip it to the same folder and dclick the file linkfile_fix.reg; answer yes to merge it with your registry.
http://www.dougknox.com/xp/fileassoc/linkfile_fix.zip
- This may solve your problem, it certainly will not make things worse.
[when you dclick the unzipped file it may just open in notepad - I have altered my settings so that this is the case, no unintended application of .reg files to my registry that way. Anyway if this is the case for you simply rclick the file, choose open with, and registry editor....]

gerbil 216 Industrious Poster

A nice read, DMR. Thanks.

gerbil 216 Industrious Poster

Well, that is good, you don't want it found :)
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [mgea1908] RUNDLL32.EXE w002763f.dll,n 006a19020000000a002763f
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/si...aseInstall.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Done? good, now go start, run, type: cmd -and press Enter, paste these two lines into the window pressing Enter after each, and close the window:

sc stop cmdService
sc delete cmdService

Come back with a fresh HT log and your comments....

gerbil 216 Industrious Poster

Hello, Tygrrlyli... because you have the Norton suite you should enable that. You must have a resident antivirus running at all times, but only one, simply because they can interfere badly with each other. Your Norton suite should give you capable AV, AS, and a firewall.
But I still see AVG Free AV in your hijackthis log - did you make the log before you uninstalled AVG Free?
One other point, because your Norton suite has a firewall included, running Zonealarm as well is only going to slow down your net connection speeds. You should uninstall Zonealarm.
Your log shows clean, by the way. Sort out those protection issues above and you should be fine.

gerbil 216 Industrious Poster

Panda is picking up a couple of toolbars [adware ones] plus a CLSID left over from Kazaa. I see no trace of the toolbars in your log. Perhaps you deleted some of their files without going via the add/remove pgms path if it was available? -only traces left? Anyway, Adaware is hot; AVG AS [anti-spyware service] is what you should have got, not AVG Free [a resident AV service]
You MUST remove one of either Norton or AVG Free, not just disable.

gerbil 216 Industrious Poster

Hi, miss, would you run these tools please and post also another hijackthis log. But first please install Hijackthis to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]
Combofix:
==Download this file to your desktop: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce …

gerbil 216 Industrious Poster

===Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
===Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
===Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Now produce a fresh log and post …

gerbil 216 Industrious Poster

Not much is ever asinine with a puter, tigerlily [spelt it like that cos it's easier than doing a letter by letter job with yours].
Your log is clean. With a suspected vundo issue though it pays to rename hijackthis to something else because some variants detect it running and stop themselves to become invisible. You may wish to do so and repeat the HT scan.. up to you.
BIG point. Remove either AVG AV or Norton -they will interfere grossly.

gerbil 216 Industrious Poster

A couple of things to deal with, Denis, and you should be clean. First, did you add this to your trusted zone?
O15 - Trusted Zone: *.westlaw.com
If not, add it to the list of things to fix with Hijackthis.. which is pretty short.
Fix this entry with Hijackthis:

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owinlndt.exe CHD003

Done? Then browse to and delete this file:
C:\WINDOWS\system32\owinlndt.exe
Check that it stays gone after a restart.
Because of the infections you had, please would you run Combofix:
==Download this file to your desktop: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

gerbil 216 Industrious Poster

Open your registry with regedit, navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
In the right pane if you have a valuename
DisableTaskMgr with a value of 1 [one], either modify the value to 0 [zero], or merely lclick DisableTaskMgr and delete it.
Close the registry window.
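The DisableTaskMgr check above, and the O7 DisableRegedit entry earlier in the thread, are both policy values under the same Policies\System key. As an added example that is not from gerbil's posts, the script below reads a registry export in .reg format (regedit's File > Export, or the text a helper asks a poster to paste), reports which of those restrictive values are switched on, and builds the .reg fragment that removes them (the `"name"=-` syntax deletes a value on merge). The sample export is constructed; DisableRegistryTools is the real value name behind the DisableRegedit line HijackThis prints.

```python
"""Find Task Manager / regedit lockout policies in a .reg export and undo them."""
import re

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
# Values that, set to 1, lock the user out of the tools needed for cleanup.
RESTRICTIVE_VALUES = ("DisableTaskMgr", "DisableRegistryTools")

# Constructed sample export; the Run entry is there only to show unrelated keys are ignored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"NoDispCPL"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text):
    """Map lower-cased key path -> {lower-cased value name: raw data}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key").lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group("name").lower()] = m.group("data")
    return keys


def dword_value(data):
    """Decode 'dword:00000001' to an int; None for other value types or absent data."""
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return None


def find_restrictions(text):
    """Return the restrictive policy values that are set to 1 in the export."""
    policy = parse_reg(text).get(POLICY_KEY.lower(), {})
    return sorted(n for n in RESTRICTIVE_VALUES if dword_value(policy.get(n.lower(), "")) == 1)


def undo_reg(names):
    """Build a .reg fragment that deletes the listed values when merged."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{POLICY_KEY}]"]
    lines += [f'"{n}"=-' for n in names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_restrictions(SAMPLE_REG)
    print("restrictions on:", hits)
    print(undo_reg(hits))
```

Saving the printed fragment as a .reg file and merging it does the same as the manual delete described above; re-export afterwards and rerun the check to confirm the values stayed gone after a restart.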

gerbil 216 Industrious Poster

Hmm..... another pest has popped up, and I don't see hijackthis renamed, either - it may be important.
This will remove the pest meantime:
Combofix:
==Download this file to your desktop: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
If it runs and shows deletions, run it again.
Next check some settings....In control panel select the Network and Internet Connections, rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.
Good. Now see if you can access the Panda online scan, then also update AVG AS and rerun it.

gerbil 216 Industrious Poster

Ok, eventually you will have to do what jb suggested, because your winlogon.exe is infected both in system32 and in the backup cache.
But first there is still some cleaning to do...
Panda Online Scan:

Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
AVG - AS:

GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free

-the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Good. Now restart in Safe Mode, start hijackthis and select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {36345442-9475-2563-166A-467739208346} - C:\WINDOWS\System32\ipv6mons.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')

Start AVG a-s 7.5;
-under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file.
Restart in Normal mode.
Change the name hijackthis.exe to imabunny.exe and then do another scan with logfile.
Please post the AVG, Panda and HT logs.
(Do you have an OEM or microsoft installation CD, or can you borrow one?)

To restart your …

gerbil 216 Industrious Poster

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]
==Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
===Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.

gerbil 216 Industrious Poster

Good-oh. Get rid of the panda button by fixing this entry with HT. Log is otherwise clean...
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)

Cheers.

gerbil 216 Industrious Poster

Oh, you can do the hosts thing before you remove NAV or AVG....

gerbil 216 Industrious Poster

Davo, if you look at your log you see a looong list of O1 entries - they have been put there by your malware to block you from contacting those sites, e.g. when AVG AV tries to contact home it gets redirected inside your sys, to your sys. So nothing happens and AVG won't update and so will not run. Run hostsxpert, it will remove those entries, and then you should try AVG again; if it will still not run you will be free now to go back to the AVG site and get a fresh copy. Just break what you have by deleting some of the AVG pgm files and then install over the top. If you have Windows firewall running when you go to those two sites you will be safe.
Say how you go.
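
The O1 hijack gerbil describes above, as an added example that is not code from the thread or from HostsXpert: a Python script that parses a hosts file, flags hostnames pointed back at the local machine (security-vendor update hosts first), and strips those lines the way "Restore MS hosts file" would. SAMPLE_HOSTS and the SECURITY_DOMAINS list are constructed for illustration.

```python
"""Triage a Windows HOSTS file for the O1-style hijack discussed above.

Added example (not from the thread): flag entries that send a hostname back
to the local machine, and produce a copy with those lines removed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample in the shape of a hijacked XP hosts file (not a real log).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       free.grisoft.com
127.0.0.1       www.grisoft.com
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       www.pandasoftware.com
192.0.2.10      www.example-bank.test        # constructed: non-loopback override
127.0.0.1       adserver.example.net         # constructed: looks like an ad block
"""

# Domains whose loopback mapping stops AV/AS updating (constructed, illustrative).
SECURITY_DOMAINS = (
    "grisoft.com",
    "symantec.com",
    "symantecliveupdate.com",
    "pandasoftware.com",
    "microsoft.com",
    "windowsupdate.com",
)


@dataclass
class Finding:
    line_no: int
    ip: str
    host: str
    kind: str  # "blocks-security-site", "loopback-redirect", "other-override"


def parse_hosts(text):
    """Yield (line_no, ip, [hosts]) for each active entry; skip comments and blanks."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not an entry
        yield n, str(ip), parts[1:]


def _watched(host):
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in SECURITY_DOMAINS)


def triage_hosts(text):
    """Return every entry other than the stock localhost mapping, classified."""
    findings = []
    for n, ip, hosts in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        for host in hosts:
            if host.lower() in ("localhost", "localhost.localdomain") and addr.is_loopback:
                continue  # the one entry a stock file contains
            if _watched(host):
                kind = "blocks-security-site"
            elif addr.is_loopback or addr.is_unspecified:
                kind = "loopback-redirect"
            else:
                kind = "other-override"
            findings.append(Finding(n, ip, host, kind))
    return findings


def strip_hijacks(text):
    """Drop every flagged line, keeping comments and the localhost entry,
    which is what restoring the stock Microsoft hosts file amounts to."""
    bad = {f.line_no for f in triage_hosts(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in triage_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.ip:<12} {f.host:<40} {f.kind}")
    print(strip_hijacks(SAMPLE_HOSTS))
```

On a real machine the file to read is %SystemRoot%\system32\drivers\etc\hosts; the script flags anything that is not the stock entry, so deliberate ad-block lines show up as "loopback-redirect" and need a human decision before they are dropped.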

gerbil 216 Industrious Poster

Step 1: Remove either Symantec or AVG AV - very important.
Step 2: Get HostsXpert from www.funkytoad.com, start it, press Restore MS hosts file button.
Do your scans and post another HT log.

gerbil 216 Industrious Poster

Good-oh. Complement your protection with Spywareblaster; it works in the background via registry entries. Update it monthly when the M$ updates come through. I use that update as a jog to check manually for all updates such as java..

gerbil 216 Industrious Poster

Good-oh, Flo. But try that panda online scan first - it is very good. Just run CCleaner before you do it to remove cookies and other net trash it will pick up.
If it finds viruses or malware feel free to post its log.
Cheers.

gerbil 216 Industrious Poster

"then either cmd.exe or the environment path handling is corrupted" -- command shell was what I was trying to think of... told you I wasn't an expert..:)

gerbil 216 Industrious Poster

That's how I wanted hijackthis, floba, thanks. And it shows no errors. I think you have a problem with your OS. It may have been caused by a virus which got past your AV at the time, or some read/write error.
If you are getting comspec errors then either cmd.exe or the environment path handling is corrupted. I'm no way an expert but I don't think there should be any instructions in that part of your memory...
It would be nice to see a combofix log, but failing that I can only suggest you try this:
Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here. If that shows no errors then I would try a system file repair using your installation CD - you go Start, Run, and type:
sfc /scannow -and OK.
And if no-one else comes up with ideas and you still get those errors then perhaps a Windows Repair is called for, which is fairly pain-free because it leaves all your applications and files untouched.
You could even try reinstalling Office. Just a hunch.

gerbil 216 Industrious Poster

:)
Okay, that last log looks good. You did a good cleanup job. Pity about AVG [most other antivirus or antispyware scans are the same] and the tools, but some of those "hack" pgms use valid processes which are identified as viruses etc ... and they clean [break!] them.
No other problems? Cool.

gerbil 216 Industrious Poster

Heya, floba... no, don't worry about ATF cleaner, ccleaner does a similar job for our purposes.
You did not quite get the hijackthis instructions right, the new folder and name change are important items; adding [1] may not do the job. Your log shows clean, and it may be because of the unchanged name... try again, please.
Skip pressing the info button - that's all it is, a bit of info to explain things for you.
Did you run AVG AS? ..it would be nice to see the log.
And the exact error code would be handy to have... in your first posting it does not seem quite right.
And finally, dl and run Combofix:
==Download this file to your desktop: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

So, please, we'd like to see an AVG log, combofix log, and finally make a new hijackthis log [with the .exe renamed!]
And the error code in full...

gerbil 216 Industrious Poster

I'm sorry, I seem to have not posted the complete fix - a few! lines are missing from my cutnpaste job. I've reworked it below, added other things also....

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {2A185D27-0FCB-40EB-9D0C-C86216D69F6C} - (no file)
O2 - BHO: (no name) - {58EB7FC1-BDB7-4625-BC8D-9F19289836A2} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\wvuropm.dll (file missing)
O2 - BHO: (no name) - {917FE5AA-0AE4-4F93-90D9-61B134D9BB75} - (no file)
O2 - BHO: (no name) - {AEE0215F-E5E6-41E1-9DBF-119B7707228F} - C:\WINDOWS\system32\awtqr.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\klflggko.dll (file missing)

O23 - Service: Abel - Unknown owner - C:\Documents and Settings\Vik_2\Desktop\New Folder\Cain\Abel.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
Good. Using Hijackthis to fix those service entries will stop them running; now go Start, Run, and then paste this line into the Run text window:

cmd /k sc delete Abel & sc delete McDetect.exe & sc delete McTskshd.exe & sc delete mcupdmgr.exe

-press OK at each prompt. If it does not run properly then you will have to …
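
The two HijackThis fix lists in this thread (the O2/O4 list further up and the O2/O23 list just above), as an added example that is not HijackThis's own code: a Python parser that classifies the log lines the way the fix lists single them out (orphaned entries, Run values under the SYSTEM and Default user hives, dead services) and emits one `sc delete` per service, because the documented `sc delete` syntax takes a single service name per call. The sample lines are quoted from the logs in this thread; the Adobe BHO and AVG7 Run entries are constructed healthy entries the filter should leave alone.

```python
"""Triage HijackThis log lines of the kinds this thread fixes (O2, O4, O9, O23).

Added example, not HijackThis's own code: classify lines and build the
per-service 'sc delete' commands for the dead O23 entries.
"""
import re
from dataclasses import dataclass, field

# Lines quoted from the thread's logs, plus two constructed healthy entries.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {36345442-9475-2563-166A-467739208346} - C:\WINDOWS\System32\ipv6mons.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O23 - Service: Abel - Unknown owner - C:\Documents and Settings\Vik_2\Desktop\New Folder\Cain\Abel.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
O9_RE = re.compile(r"^O9 - Extra button: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<target>.*)$")
SHORT_RE = re.compile(r"\((?P<short>[^()]+)\)$")  # "(McDetect.exe)" inside a display name

# Run values under these hives fire for SYSTEM and for every new profile;
# the fix lists above remove such entries outright.
MACHINE_WIDE_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")


@dataclass
class Entry:
    kind: str
    raw: str
    name: str
    target: str
    service: str = ""  # O23 short service name, the name sc.exe wants
    flags: list = field(default_factory=list)


def is_orphan(target):
    """HijackThis marks registry entries whose file is gone in one of two ways."""
    return target == "(no file)" or target.endswith("(file missing)")


def parse_line(raw):
    """Return an Entry for a recognised line, or None for anything else."""
    if m := O2_RE.match(raw):
        e = Entry("O2", raw, m["name"], m["target"])
    elif m := O9_RE.match(raw):
        e = Entry("O9", raw, m["name"], m["target"])
    elif m := O4_RE.match(raw):
        e = Entry("O4", raw, m["name"], m["cmd"])
        if m["key"].startswith(MACHINE_WIDE_HIVES):
            e.flags.append("machine-wide-user-hive")
        # Heuristic: a bare program name with no path (the log's "svchost") is
        # not how an installer writes a Run value; review before acting on it.
        if "\\" not in m["cmd"]:
            e.flags.append("unqualified-command")
    elif m := O23_RE.match(raw):
        sm = SHORT_RE.search(m["display"])
        short = sm["short"] if sm else m["display"]
        e = Entry("O23", raw, m["display"], m["target"], service=short)
        if m["owner"] == "Unknown owner" and is_orphan(m["target"]):
            e.flags.append("dead-service")
    else:
        return None
    if is_orphan(e.target):
        e.flags.append("orphan")
    return e


def triage(log_text):
    return [e for e in (parse_line(line.strip()) for line in log_text.splitlines()) if e]


def fix_list(entries):
    """Raw lines to tick in HijackThis 'Scan Only' before pressing 'Fix Checked'."""
    return [e.raw for e in entries if e.flags]


def sc_delete_commands(entries):
    """One command per dead service; sc.exe's delete syntax takes one name per call."""
    return [f"sc delete {e.service}" for e in entries if "dead-service" in e.flags]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        if e.flags:
            print(f"[{e.kind}] {', '.join(e.flags):<38} {e.raw}")
    print("\n".join(sc_delete_commands(found)))
```

Fixing an O23 line in HijackThis only stops the service from starting; the registry key under HKLM\SYSTEM\CurrentControlSet\Services stays until `sc delete` removes it, which is why the script produces that second list.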

gerbil 216 Industrious Poster

http://support.microsoft.com/kb/281980
I'm not sure that I could put it any better.