gerbil 216 Industrious Poster

You didn't get rid of McAfee completely....
Use hijackthis to fix these service entries [which will stop them running] and then paste each of these into the Run text window in turn [sc delete takes one service name at a time]:

sc delete McDetect.exe
sc delete McTskshd.exe
sc delete mcupdmgr.exe

-press OK at each prompt.
It is a friendly thing to do to run ATF cleaner before you run a scan like Panda's, or AVG AS..... we don't then have to rummage through your cookie bin.
Which would make it easier to pick out these:

Spyware:spyware/new.net Not disinfected Windows Registry
Hacktool:Hacktool/Passview.E Not disinfected C:\Documents and Settings\All Users\Documents\viktor shared\vic\Various\downloads\set it ups\pspv.zip[pspv.exe]
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Osk\Local Settings\Temp\win1A.tmp.exe
Potentially unwanted tool:Application/Unbloker Not disinfected C:\Documents and Settings\Vik_2\Desktop\extfix(www.mess.be).zip[extfix.exe]
Potentially unwanted tool:Application/IceCold.A Not disinfected C:\Documents and Settings\Vik_2\Desktop\Msn tools\icecoldreloaded.zip[IceCold ReLoaded.exe]
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\Documents and Settings\Vik_2\Desktop\Vik\vik\Other\applications\installdrivecleanerstart.exe
Potentially unwanted tool:Application/Brutus.A Not disinfected C:\Documents and Settings\Vik_2\Desktop\Vik\vik\Other\brutus-aet2.zip[BrutusA2.exe]
Hacktool:Hacktool/Passview.T Not disinfected C:\Documents and Settings\Vik_2\Desktop\Vik\vik\Other\Meh\pspv.exe
Potentially unwanted tool:Application/Brutus.A Not disinfected C:\Documents and Settings\Vik_2\Local Settings\Temp\Temporary Directory 1 for brutus-aet2.zip\BrutusA2.exe
Potentially unwanted tool:Application/Brutus.A Not disinfected C:\Documents and Settings\Vik_2\Local Settings\Temp\Temporary Directory 2 for brutus-aet2.zip\BrutusA2.exe
Potentially unwanted tool:Application/Brutus.A Not disinfected C:\Documents and Settings\Vik_2\Local Settings\Temp\Temporary Directory 3 for brutus-aet2.zip\BrutusA2.exe
Potentially unwanted tool:Application/Brutus.A Not disinfected C:\Documents and Settings\Vik_2\Local Settings\Temp\Temporary Directory 4 for brutus-aet2.zip\BrutusA2.exe
Potentially unwanted tool:Application/Brutus.A Not disinfected C:\Documents and Settings\Vik_2\Local Settings\Temp\Temporary Directory 5 for brutus-aet2.zip\BrutusA2.exe
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\S-1-5-21-3013760395-2280178743-1550305239-1007\Dc49.exe

Go to add/remove pgms and remove Yazzle by …

gerbil 216 Industrious Poster

flogabbin, you should do these things [in this order] so that someone can help you:
Get ATF Cleaner:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]

Now run AVG - AS:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file. Post the log file.

Finally, HiJackThis:
==download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Sigh....
To start off, move hijackthis to a new folder in C:\.
Only then, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [uruf] C:\PROGRA~1\COMMON~1\uruf\urufm.exe

Good. Now browse to and delete these files and the outlook and uruf folders:

C:\WINDOWS\system32\winlog.exe
C:\Program Files\outlook\outlook.exe
C:\Program Files\outlook
C:\PROGRA~1\COMMON~1\uruf\urufm.exe
C:\PROGRA~1\COMMON~1\uruf

If they prove difficult, try to delete them in safe mode: repeat the whole process there. Or just use this to delete the files after fixing the HT entries:
http://ccollomb.free.fr/unlocker/
Finally, get an antivirus.... the sigh was because you are just begging for this type of hit without it.
AVG Free, Avast, Avira, AVG AS 7.5, Spywareblaster, ZoneAlarm Free, Kerio; there are others - I use AVG Free [7], AVG AS, Spywareblaster and ZoneAlarm.

gerbil 216 Industrious Poster

1 reboot puts the same amount of wear on the HDD as 16 hours of average use. Wow!... i didn't know that. wasn't thinking of the psu tho, more every other lil semiconductor pasted here n there. processors, etc. So where is the hd wear? nothing touches, cept maybe on the rest zone b4 it speeds up... i think...
M$ could be in cahoots with hd manufs cos of that auto reboot on error setting... :) - don't ever go on hols n leave your sys on.

gerbil 216 Industrious Poster

...just from reading a bit on it it does look like you would have to copy the partition to another and change the type so that it can be opened. Try a linux livecd [bootable cd] product to do it.

gerbil 216 Industrious Poster

What is in this: C:\Program Files\?dobe
And please run ComboFix again. Are there any more symptoms, problems outstanding? Are your icons still missing, and explorer still will not run?

gerbil 216 Industrious Poster

Oh boy..... I dunno what to say about that... the index file bit.... but what the heck, they are rewritten as needed. Glad you're firing again. Cleaning is good, and CCleaner is a good cleaner...
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Next select the Applications tab and Run Cleaner again.
[For future quick temp file cleaning select the options you wish to use. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is a furphy, much loved on some websites, but cleaning it is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]

gerbil 216 Industrious Poster

shrooms, combofix has listed a lot of bad files as having been installed, but i must assume they are no longer there because it would most certainly have deleted those particular ones... i mean, it should have... Let's check.
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Next select the Applications tab and Run Cleaner again.
___________________________________________________
Files to delete:
C:\WINNT\SYSTEM32\dlh9jkd1q6.exe
C:\WINNT\SYSTEM32\dlh9jkd1q2.exe
C:\WINNT\rau001978.exe
C:\Documents and Settings\Administrator\Application Data\.rdr.ini
C:\syskvcl.exe
C:\WINNT\SYSTEM32\winpfz32.sys
C:\WINNT\_MSRSTRT.EXE
C:\Program Files\?dobe
C:\WINNT\SYSTEM32\shieldScreensaver_pc.scr
C:\Program Files\FOLDER.HTT
C:\Program Files\DESKTOP.INI
___________________________________________________
Paste all the text between the lines into Avenger. Show me the log.
Update AVG AS and run it, post the log.
Run hijackthis in normal mode, post the log.

gerbil 216 Industrious Poster

HAL would be umm... bemused if dropped onto another mobo...

gerbil 216 Industrious Poster

TCP is a protocol that guarantees the accuracy of interchanged data [accuracy is verified by two-way checks], whereas UDP is unchecked - you ask for, you get a data transmission in reply. Once a UDP page is transmitted to you there is not necessarily any more traffic between the two sites. So IE should go quiet.
Go back to that same site and get Process Explorer; set it up with two panels, in the lower panel show DLLs. If you then lclick Iexplore.exe you will get a list of DLLs involved with it - they should all be microsoft signed, plus maybe a Sun java one and ones from any site blocker you may run, and toolbars or browser helpers. See if you can see any duds. The only other thing i can suggest is that you temporarily at least remove your toolbars/helpers. Yahoo, acrobat, bit comet. You could remove the installshield updater also - totally unnecessary to have it. These two:
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
These two are RAM wasters also:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
...and this one - you can start it when you need to know if the sun is shining.. :) :
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe

Say how you get on, please.
One other thing - I dunno if …

gerbil 216 Industrious Poster

And on that note, i went out of my depth.. :)
All i can see is that you established a connection [do you have a mail account with your IP?], and that then a webpage loaded and your connection just sat there idly with the page displayed. I see no more iexplore traffic. That is not much use to you, I'm afraid. Does Task manager show even after the page loads Iexplore.exe at 98% CPU time? Beats me.
HELP!

gerbil 216 Industrious Poster

Go to this page: http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
and dl TCPView. Install it, run and see what address IE is contacting [if it is using TCP]

gerbil 216 Industrious Poster

==Download Lspfix.exe from http://cexx.org/lspfix.htm -start it by dclicking the .exe, and press Finish.
Post another hjt log.

gerbil 216 Industrious Poster

aw, heck, i forgot to put an entry in for fixing.. never mind, we'll get it this time.
Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-leave it for the moment.
Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop and leave it for the moment.
Run vundofix again and add these pathnames into the text box:

C:\WINNT\system32\mprsvc.dll
C:\WINNT\system32\cvsrpm.*

Now start hijackthis again and do a Scan Only and check these for fixing if they exist:

O2 - BHO: (no name) - {42BF9090-1DC2-458E-9861-981136481B73} - C:\WINNT\System32\qopmj.dll (file missing)
O2 - BHO: (no name) - {691caa4d-7edb-4243-9a40-c683c6131456} - C:\WINNT\system32\mprsvc.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINNT\System32\tmp29.tmp.dll
O4 - Startup: TA_Start.lnk = C:\WINNT\SYSTEM32\dwdsregt.exe
O20 - Winlogon Notify: mprsvc - C:\WINNT\SYSTEM32\mprsvc.dll

Now for combofix: -- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Good. Start Avenger; select "Input script manually" and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:

_____________________________________
Files to delete:
C:\WINNT\SYSTEM32\dwdsregt.exe
_____________________________________

...and …

gerbil 216 Industrious Poster

guessing.. could be a hidden partition... in which case search won't find it. Try diskmanagement.. go run, diskmgmt.msc, and see if it shows up. If it does rclick it, explore, and you will then see it in folder view in explorer and you can then play inside it.

gerbil 216 Industrious Poster

Yep. This is where you get to do a windows Repair..... grab your installation cd, change your one-time boot to cdrom [F11 at boot?] and go past Recovery Console to Repair section in Setup. You won't lose your data, but your apps will possibly need reinstallation.

gerbil 216 Industrious Poster

For a start you have a vundo infection...
Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Add more files? line, paste into the new window these two pathnames [one per line]:

C:\WINNT\System32\wreqpihw.dll
C:\WINNT\System32\whipqerw.*

Click the Add Files button, and next the Remove Vundo button.*****
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINNT\System32\fcccbba.dll (file missing)
O2 - BHO: (no name) - {6FE1E89A-0D0C-4701-B2F3-5B682B263E70} - C:\WINNT\System32\jdaqowwc.dll (file missing)
O2 - BHO: 0 - {C29735EF-12F3-4F5D-C586-966CBCFD6984} - C:\Program Files\ComPlus Applications\quda.dll (file missing)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\System32\dnsersnd.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [setup] rundll32.exe …

gerbil 216 Industrious Poster

Try this. If it is possible to open the recovery partition to the i386 folder....
-Open an Explorer window, search for msoe50.inf -the default location for this file is in the C:\Windows\Inf folder.
-Right click the Msoe50.inf file, and then click Install.
-in the window that opens browse to the I386 folder in the recovery partition, click Open, and then click OK.
The Outlook Express files are installed.

-search for wab50.inf -the default location for this file is in the C:\Windows\Inf folder.
-Right-click the Wab50.inf file, and then click Install.
-in the window that opens browse to the I386 folder in the recovery partition, click Open, and then click OK.
The Outlook Express address book is installed.
May work. Should.... I've just modified the instructions slightly cos normally you get the files off a cd. But all it wants is the location of em.
Say how you go.

gerbil 216 Industrious Poster

24/7. You must be rich. Semiconductors age as current runs through them... of course switching things on/off every 10 minutes is not good either cos thermal shock is another wearntear factor. There is a good medium somewhere in there; my pc takes way under a minute to boot up and I find I can utilise that time in any number of ways. And if I'm going to be away for more than, say, an hour, off it goes. And I have all standby schemes enabled! Up to you.

gerbil 216 Industrious Poster

nelly, point your vundofix at that O4 file vundofixer put up. Paste the pathname in the window [add more files..]

gerbil 216 Industrious Poster

i would be very suspicious of your power supply. It issues a PS Good signal to BIOS which triggers bios execution and so on. If it then cannot handle the load of assorted operations it will cut the signal. Everything just stops. No warning.

gerbil 216 Industrious Poster

Hi, duckers, a few things to be rid of, but i cannot see the normal signs of update.exe....
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop and start it; select “Input script manually” and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:

_____________________________________
Files to delete:
C:\WINDOWS\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
_____________________________________

...and click Done, and finally the green light.
Follow prompts to reboot your machine.
The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt
Please post that log file.
Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking …

gerbil 216 Industrious Poster

hi, nitehealer, i see the hosts file entry is gone, but whatever put it there did not show up. Are you still having problems with sites not loading at usual speeds? All sites, or are only some affected? And is IE your only browser?

gerbil 216 Industrious Poster

Okay, you only have one partition, c:, with both OS's on it, so don't disturb it. Thing to do is to logon with the SP2 OS that you wish to keep, identify the SP1 Windows folder and just delete it. Then you must modify your boot.ini file to remove the loading point for that OS :-
Press Windows-PauseBreak; or open System properties; or Start,Run, sysdm.cpl; > Advanced tab, Startup n Recovery Settings button, and Edit. Delete the line in notepad that refers to your SP1 OS, and Save.
Should be done. If you are not sure about editing the boot.ini file post it here with a remark identifying the SP2 OS.

gerbil 216 Industrious Poster

Either: go Control panel > folder options OR: in an explorer window > tools > folder options; - then view tab, and press Show hidden files and folders.
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings.... In control panel select the Network and Internet Connections, rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.

Start Hijackthis, do a Scan Only and place checkmarks against the following, and then press Fix Checked:

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Okay, please run HT again and repost with the fixwareout log.

gerbil 216 Industrious Poster

oh, okay, cool. give us those logs tho if you did have one in system32.

gerbil 216 Industrious Poster

Greeneyes, if you have restarted then you would have a new desktop.htt, and it should be a good one. Try changing your screen resolution or background picture, apply, and then change back again [that is from M$!!].
But seriously, I could be concerned about the desktop.htt you had in system32. If the changing your desktop bit does not work then I suggest you start a new thread over in Viruses n Nasties forum with these two logs:
==download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-Click the Scan and Save a Logfile button. Post the log here.
==Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log also in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

gerbil 216 Industrious Poster

No. Run vundofix again... I am not certain that it completed.
Good. Now move onto the easy one. MyWebSearch Search Assistant - Go to Add/Remove programs and remove MyWebSearch Bar, MyWeb Search and Search Assistant.
You must be in an Administrator-privileged account to run this procedure...
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
-unzip it to your desktop, leave it for the moment.
Start Sonic the hedgehog :) and press Scan Only, and place checkmarks against the following for fixing, and press Fix Checked.

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MSNToolBandBHO - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\msntb.dll
O2 - BHO: (no name) - {A05DA7E0-383C-4E99-A72A-742050A152A2} - C:\WINDOWS\system32\tuvwwur.dll (file missing)
O4 - HKCU\..\Run: [Aopr] "C:\PROGRA~1\COMMON~1\SKS~1\chkntfs.exe" -vt yazb
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll

Now start Avenger; select “Input script manually” and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:-
_____________________________________
Files to delete:
C:\WINDOWS\SYSTEM32\winghy32.dll
C:\WINDOWS\system32\msntb.dll
C:\PROGRA~1\COMMON~1\SKS~1\chkntfs.exe

_____________________________________
...and click Done, and finally the green light.
Follow prompts to reboot your machine.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt

Please …

gerbil 216 Industrious Poster

Just after you do a scan and it finds something... you only get the option then.

gerbil 216 Industrious Poster

momrocks, start a new thread with it.. attract some more attention.

gerbil 216 Industrious Poster

Between scans did you make any alterations to the partitions on your HD? All primary partitions [and perhaps one extended partition] are recorded in the MBR; AVG will detect alterations....
If you did, tell it to accept the change.

gerbil 216 Industrious Poster

Ah. Repeat business. For a start you have a vundo infection... so just in case something else is hidden would you rename hijackthis.exe to.. umm... imabunny.exe for the next scan, please?

Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

reworked that post. Greeneyes, i just rechecked your earlier posts.... the only files to delete are actual desktop.htt files, not Desktop folders, nor desktop files with any other extension, such as desktop.ini. If you deleted any of those you could restore them from your bin. There is a Desktop folder in system32\config\systemprofile which is valid.. and a desktop.ini in system32, but both are probably empty; and others. So it may not be necessary to do what I posted earlier [and which I have just edited out if you did see it.. :)], but it won't hurt. Could you be more precise with that script error please?

gerbil 216 Industrious Poster

reworking post...

gerbil 216 Industrious Poster

Gee, greeneyes, I do apologise.... somehow your repost fell thru a crack in the floorboards - I missed it. Lessee... any desktop.htt file you can find WITH Folder Options setting "Hide protected operating system files" CHECKED is an imposter! To see the real one, yours... you MUST uncheck that setting. Your real one, the only real one, is at C:\Documents & Settings\greeneyes\Application Data\Microsoft\Internet Explorer\desktop.htt
Typically, each user on a sys will have his own under his own Application Data branch. How you, with only one account, can see two admin files is beyond me..
Example: I am a user with admin privileges, there is also a non-privileged user account on my machine - if I search I will find only two files, one under my settings, one under the other account:-
C:\Documents and Settings\XXX\Application Data\Microsoft\Internet Explorer\desktop.htt
C:\Documents and Settings\YYY\Application Data\Microsoft\Internet Explorer\desktop.htt
That desktop.htt should definitely not be in system32. Delete that one for sure [you may have to do it in Safe mode if it won't delete in normal mode..]
But this is all just information... :) - delete ANY desktop.htt file you can find. XP will recreate the real one in the right place. Only one per user account.

gerbil 216 Industrious Poster

ok, thanks, growler... it read the keys okay. I was trying to check whether these entries from a Smitfraudfix log were still there:
smitfraudfix:
HKLM\SYSTEM\CCS\Services\Tcpip\..\{20689ED6-9A8C-480D-8D42-438F6CEA161D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\SYSTEM\CCS\Services\Tcpip\..\{29210358-60B4-47B9-8EA9-3D2642170A7D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\SYSTEM\CS3\Services\Tcpip\..\{20689ED6-9A8C-480D-8D42-438F6CEA161D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\SYSTEM\CS3\Services\Tcpip\..\{29210358-60B4-47B9-8EA9-3D2642170A7D}: DhcpNameServer=85.255.116.104,85.255.112.229

..if they were i would have helped you delete them, but it appears they are gone. So I think you should be clean to go... come back if anything pops up again. I assume you have suffered no redirections since when you mentioned surfing was okay?

gerbil 216 Industrious Poster

c:\rq.txt? It should hang around, it's only a text file....that is the one i want...

gerbil 216 Industrious Poster

Growler, Panda came up clean [it did break a legitimate file in Smitfraudfix, so that won't run any more..], but there are a few reg entries in your sys that I would like to see - this batch file will write them to a file, c:\rq.txt. Could you please post it?
To run the batch file simply copy the text between the lines to a notepad and save it to your desktop as serverlist.bat
Just dclick the icon to run it - you will see a black window flash and that will be it done.
_________________________________________________________
rem Tcpip\..\{GUID} in the smitfraudfix log is short for Tcpip\Parameters\Interfaces\{GUID}
rem /s dumps the whole interface key, so the DhcpNameServer and NameServer values are included
reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20689ED6-9A8C-480D-8D42-438F6CEA161D} /s > c:\rq.txt
reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{29210358-60B4-47B9-8EA9-3D2642170A7D} /s >> c:\rq.txt
reg query HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{20689ED6-9A8C-480D-8D42-438F6CEA161D} /s >> c:\rq.txt
reg query HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{29210358-60B4-47B9-8EA9-3D2642170A7D} /s >> c:\rq.txt
_________________________________________________________
...if i've made an error in the pathnames the file will most likely be empty; no harm will be done, but just tell me, ok? If you are not getting redirected now they are doing no harm in there....if they still exist.

gerbil 216 Industrious Poster

There should only be one desktop.htt in each user's Application Data\Microsoft\Internet Explorer folder. Delete it, because it will be regenerated. And restart; log off/on should work also... other users may have to do the same with their file.

gerbil 216 Industrious Poster

Well, if one product found something, scanning with another will not hurt. Please run this online scan: http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here - and if it looks like i'm bouncing you around a bit it is because i cannot see what wrote in those DNS entries, and why they were hidden. Are you still being redirected?

gerbil 216 Industrious Poster

Well, i hope you salvaged your desktop. If desktop related files are deleted that can be the result... Safe mode entry - it can take a couple of tries using F8 -most continually tap the key during POST [with some keyboards that have dual function F keys you must remember to hit the f-lock key !!]
Now smitfraudfix has turned up four DNS settings that seem to be hidden from hijackthis. I could give you a registry script to remove them, but I cannot see what has written them in... I want to find that.
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{20689ED6-9A8C-480D-8D42-438F6CEA161D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\SYSTEM\CCS\Services\Tcpip\..\{29210358-60B4-47B9-8EA9-3D2642170A7D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\SYSTEM\CS3\Services\Tcpip\..\{20689ED6-9A8C-480D-8D42-438F6CEA161D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\SYSTEM\CS3\Services\Tcpip\..\{29210358-60B4-47B9-8EA9-3D2642170A7D}: DhcpNameServer=85.255.116.104,85.255.112.229
[the others in the log are your net host]

==Run a BitDefender online scan: http://www.bitdefender.com/scan8/ie.html - and post the results, please.
And you need to move hijackthis to a more secure [for backups] location - a folder in the C:\ root would be fine. While you are at it, rename hijackthis.exe to grumpy.exe and post a new log. Please. [and weekends off are fine by me... timeliness bothers me not]
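To make the DNS block above easier to read against a known-good list, here is an added Python example (mine, not gerbil's and not part of SmitfraudFix) that parses those log lines and flags every resolver you did not expect. It assumes the SmitfraudFix abbreviations seen in the log: CCS is CurrentControlSet, CS3 one of the numbered ControlSet copies, and `..` stands for the Services\Tcpip\Parameters\Interfaces\ path under which each adapter's NameServer/DhcpNameServer values live. The fifth log line, its GUID and the trusted address 192.168.1.1 are constructed placeholders.

```python
import re
from ipaddress import ip_address

# Constructed sample: the four lines quoted from the SmitfraudFix "DNS" section,
# plus one made-up line standing in for an interface that still points at the
# router (the GUID and 192.168.1.1 are placeholders, not from the real log).
SAMPLE_DNS_SECTION = """\
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{20689ED6-9A8C-480D-8D42-438F6CEA161D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{29210358-60B4-47B9-8EA9-3D2642170A7D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\\SYSTEM\\CS3\\Services\\Tcpip\\..\\{20689ED6-9A8C-480D-8D42-438F6CEA161D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\\SYSTEM\\CS3\\Services\\Tcpip\\..\\{29210358-60B4-47B9-8EA9-3D2642170A7D}: DhcpNameServer=85.255.116.104,85.255.112.229
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{AAAAAAAA-0000-0000-0000-000000000001}: DhcpNameServer=192.168.1.1
"""

# One SmitfraudFix DNS line: control set, interface GUID, value name, server list.
# (".." is the tool's shorthand for Parameters\Interfaces - an assumption noted above.)
DNS_LINE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>[A-Z0-9]+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<iface>\{[0-9A-Fa-f-]+\}): (?P<value>DhcpNameServer|NameServer)=(?P<servers>\S*)$"
)


def parse_dns_section(text):
    """Return (control_set, interface_guid, value_name, [servers]) for each DNS
    line; the header row and anything unrecognised is skipped."""
    entries = []
    for line in text.splitlines():
        m = DNS_LINE_RE.match(line.strip())
        if m:
            # NameServer data may be comma- or space-separated
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            entries.append((m.group("cs"), m.group("iface"), m.group("value"), servers))
    return entries


def flag_unexpected_resolvers(entries, trusted):
    """Return [(control_set, interface_guid, server)] for every resolver that is
    not in `trusted`. `trusted` is the set of resolver addresses you expect
    (router or ISP); the log cannot tell you that, you have to supply it.
    A value that is not even a valid IP address is flagged as well."""
    trusted_set = {ip_address(t) for t in trusted}
    flagged = []
    for cs, iface, _value, servers in entries:
        for s in servers:
            try:
                ok = ip_address(s) in trusted_set
            except ValueError:
                ok = False
            if not ok:
                flagged.append((cs, iface, s))
    return flagged


def summarise(flagged):
    """Collapse flagged rows into the distinct rogue servers and the control
    sets / interfaces carrying them, so a removal covers every copy rather
    than just the CurrentControlSet one."""
    return {
        "servers": sorted({s for _cs, _iface, s in flagged}),
        "control_sets": sorted({cs for cs, _iface, _s in flagged}),
        "interfaces": sorted({iface for _cs, iface, _s in flagged}),
    }


if __name__ == "__main__":
    found = parse_dns_section(SAMPLE_DNS_SECTION)
    rogue = flag_unexpected_resolvers(found, trusted={"192.168.1.1"})
    print(summarise(rogue))
```

Run against the sample it reports the two unexpected servers, both control sets (CCS and CS3) and both interface GUIDs, which is why a fix limited to CurrentControlSet would leave a copy behind.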

gerbil 216 Industrious Poster

Gee, looking thru that smitfraudfix log - it's just like we fixed nothing! The key value that script should have removed is even back. Run the SMF clean as per instructions below and post that log. [If SMF option 2 is run without a SM detection it removes your desktop...]

Now run the clean option with smitfraudfix:-
- Disconnect from the net
- Check that a Restore point has been made.
- Go into safe mode.
- Start Smitfraudfix as before and press 2, Enter.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected - if it is you will be prompted to replace the file; type Y and press "Enter".
Reboot into normal Windows and post here the text file which will appear on your screen, along with a new HT log.
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]

gerbil 216 Industrious Poster

Growler, if u opened the extracted folder and dclicked smitfraudfix.cmd a cmd window should have opened with a disclaimer, followed by a window with options. Remove that copy and dl a fresh one... although zipped archives seem to know if they are corrupted... That is all i can advise.
How is the sys?

gerbil 216 Industrious Poster

Interesting that those hid from hijackthis... there are a couple of registry entries that could be fixed, but they point to files which are missing... do this to see if it comes up with traces also of the same worm:
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:.. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!

When you are finished reboot to normal Windows mode and send that Smitfraud log in....plus a fresh ht log.

Copy the text between the stars to a notepad; save it as Grfix.reg to your desktop or to a scratch folder, dclick it and go Yes to merge it with your registry [you may have to follow thru Open with... if it opens with notepad when you dclick it].

****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=-

***************************************************************************
Do a search for this file: kdayj.exe -delete it if you find it.

gerbil 216 Industrious Poster

Darn tricky. Just so we can see changes made to files recently pls run this [it also detects and removes certain malware.]
==Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
You might also rename hijackthis.exe to searcher.exe cos some malware detects it and stops running so as to hide.

gerbil 216 Industrious Poster

Thank you very much for the detailed feedback; about the best i've received [some folks you have to pick up n shake to get responses...]. I don't see any problems left, fixes seem to have gone smoothly so if you are happy delete the avenger backup folder and the vundo text, and the tools... no sense keeping what will be out of date in a month or so.
Thanks for the info on Partizan.
How's the sys working now?
Remember to update Java from control panel entry; then use add/remove pgms to delete all old versions.

gerbil 216 Industrious Poster

That was a bit of a brief comment, perhaps, but I have been thru your log, and see nothing. The internet redirection showing in your first log is fixed - please give me a better idea of the symptoms.

gerbil 216 Industrious Poster

Copy to notepad and save the lines between the stars as a file named wclkrem.reg to your desktop or C:\. Dclick it and answer Yes to merge it with your registry [it removes an entry to a malware file].
***********************************************
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winclk32]

***********************************************
Okay then.. moving on.... A point to make - I have included in the block of files to delete with Avenger one called partizan.exe: I can say that it is very doubtful..., but if you wish delete it from that list and instead go in to system32 and rename it to partizan.xbak [the x tells you it is an exe, right? if you need it back for a legit pgm..]

I don't know if you still have Vundofix [yours was the latest...] so here is the addy anyway.
[Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4 ]
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Add more files? line, paste into the new window these two pathnames [one per line]:

C:\WINDOWS\SYSTEM32\vtsqo.dll
C:\WINNT\system32\oqstv.*

Click the Add Files button, and next the Remove Vundo button.*****

You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart …
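The two registry scripts in this thread (Grfix.reg, which blanks the Winlogon "system" value and a ShellExecuteHooks entry with `"name"=-`, and wclkrem.reg, which deletes the winlogon\notify\winclk32 key with `[-KEY]`) rely on Regedit's deletion syntax without spelling it out. The following is an added Python example, mine rather than gerbil's, that parses a .reg file into the actions regedit would take on merge and confirms a script someone hands you only removes things. The two scripts are embedded verbatim as test input; the helper names are my own.

```python
import re

# Constructed test input: the two clean-up scripts posted in this thread.
GRFIX_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"system"=-
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\explorer\\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=-
"""

WCLKREM_REG = """Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\winclk32]
"""

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg_actions(text):
    """Turn a .reg file into the list of actions regedit performs when merging it.

    Action tuples:
      ("delete_key", key)             from a [-KEY] header (key and subkeys go)
      ("ensure_key", key)             from a [KEY] header (created if absent)
      ("delete_value", key, name)     from "name"=- under that key
      ("set_value", key, name, data)  from any other "name"=data line
    The default value (@=...) is reported with name "".
    """
    lines = text.lstrip("\ufeff").splitlines()  # exported files often carry a BOM
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header line; regedit would refuse to merge it")

    # hex(...) data wrapped with a trailing backslash is joined back onto one line
    logical, buf = [], ""
    for raw in lines[1:]:
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""

    actions, current_key = [], None
    for line in logical:
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            actions.append(("delete_key" if m.group("minus") else "ensure_key", current_key))
            continue
        m = VALUE_RE.match(line)
        if m:
            if current_key is None:
                raise ValueError(f"value line outside any key: {line}")
            name = "" if m.group("default") else m.group("name")
            data = m.group("data")
            if data == "-":
                actions.append(("delete_value", current_key, name))
            else:
                actions.append(("set_value", current_key, name, data))
            continue
        raise ValueError(f"unrecognised line: {line}")
    return actions


def is_removal_only(actions):
    """True when the script never writes data, only deletes keys/values."""
    return all(a[0] != "set_value" for a in actions)


def describe(actions):
    """One readable line per action, for eyeballing before you double-click."""
    out = []
    for a in actions:
        if a[0] == "delete_key":
            out.append(f"delete key   {a[1]} (and everything beneath it)")
        elif a[0] == "ensure_key":
            out.append(f"open/create  {a[1]}")
        elif a[0] == "delete_value":
            out.append(f"delete value {a[1]}\\{a[2] or '(Default)'}")
        else:
            out.append(f"set value    {a[1]}\\{a[2] or '(Default)'} = {a[3]}")
    return out


if __name__ == "__main__":
    for name, script in (("Grfix.reg", GRFIX_REG), ("wclkrem.reg", WCLKREM_REG)):
        acts = parse_reg_actions(script)
        print(f"{name}: removal-only={is_removal_only(acts)}")
        print("\n".join("  " + s for s in describe(acts)))
```

Note the difference the parser surfaces: `"system"=-` removes one value and leaves the Winlogon key in place, whereas `[-...\notify\winclk32]` removes the whole key, which is why a later post asks for the path of winclk32.dll, the file that key referenced.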

gerbil 216 Industrious Poster

After a restart?

gerbil 216 Industrious Poster

..and do a search for this file, pls [it is referenced in reg..]
winclk32.dll - i suspect it is/was in system32 - if you find it give me the path.