gerbil 216 Industrious Poster

You can post the .com file inside an archive... eg .zip.
That way, execution involves definite steps by the individual, not just a single click.

willis100 commented: thank you +0
gerbil 216 Industrious Poster

I'm sayin nothin, boss....

jingda commented: You just did, lol +11
gerbil 216 Industrious Poster

Well, wireshark is a packet capture tool, and that's what it does. If you are trying to learn the gist of captures then one suggestion is to turn off all but one traffic source application. Next is to construct useful display filters so you see only the traffic you are interested in; once you have that set then to reduce the capture file size you can set a capture filter that accords with what you wish to display. eg... you could ignore a running bit torrent download and concentrate on email packets, say. Take note, too, of the colouring rules - they identify the type of packet.
Packets are not very human-friendly, in general.... you are seeing computer chit-chat.

gerbil 216 Industrious Poster

Wireshark. Every byte. Every connection. Every IP.

jingda commented: + +10
gerbil 216 Industrious Poster

These two keys are read before winlogon starts. To learn how to use them you can read up on M$ support or technet about service order loading and control, and the Session Mgr.
1. BootExecute HKLM\System\CurrentControlSet\Control\Session Manager
2. Services HKLM\System\CurrentControlSet\Services
It's a pretty sensitive time in the order of things; if you load too early you'll get some error because of the loading, starting of services.

jingda commented: Correct and brilliant answer +9
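As an added illustration of the two keys the post names (this is example code, not something from the post or the thread), the following PowerShell lists everything Session Manager runs from BootExecute and every driver or service with a boot (0) or system (1) start value, expands each ImagePath, and checks that the file exists and carries a valid Authenticode signature. It assumes an elevated Windows PowerShell 3 or later session; the stock BootExecute value it compares against is the usual `autocheck autochk *`.

```powershell
# Added example (not from the forum post): show what loads before winlogon so an
# unexpected early-load entry stands out.  Run from an elevated PowerShell.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$expectedBootExecute = 'autocheck autochk *'   # the stock Windows entry

# 1. BootExecute is a REG_MULTI_SZ; each line is a native program Session Manager runs.
$bootExecute = (Get-ItemProperty -Path $smKey -Name BootExecute).BootExecute
foreach ($entry in $bootExecute) {
    $flag = if ($entry -eq $expectedBootExecute) { 'expected' } else { 'REVIEW' }
    '{0,-9} BootExecute: {1}' -f $flag, $entry
}

# 2. Services/drivers with Start 0 (boot) or 1 (system) load before the logon UI.
#    Type 1 = kernel driver, 2 = file system driver, 16/32 = Win32 service.
$early = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($null -ne $p.Start -and $p.Start -le 1 -and $p.ImagePath) {
        # ImagePath uses several spellings of the system root; normalise them.
        $raw  = [string]$p.ImagePath
        $path = $raw -replace '^\\\?\?\\', '' `
                     -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                     -replace '^system32\\', "$env:SystemRoot\system32\"
        $path   = [Environment]::ExpandEnvironmentVariables($path)
        $exists = Test-Path -LiteralPath $path
        $signer = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{
            Name   = $_.PSChildName
            Start  = $p.Start
            Group  = $p.Group
            Type   = $p.Type
            Exists = $exists
            Sig    = $signer
            Image  = $raw
        }
    }
}

# Full early-load order, then the short list worth looking at first:
# image files that are missing, or boot/system drivers whose signature is not valid.
$early | Sort-Object Start, Group, Name | Format-Table -AutoSize
$early | Where-Object { -not $_.Exists -or $_.Sig -ne 'Valid' } |
    Format-Table Name, Start, Sig, Image -AutoSize
```

The Group column reflects the load-ordering groups the post points the reader to (ServiceGroupOrder); an entry with no group, a missing image file, or an unsigned boot-start driver is the usual place a rootkit's loader hides, so the second table is the one to read first.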
gerbil 216 Industrious Poster

Hi. It's not a good idea at all to attempt to install an AV service on an infected computer... its files may get damaged before it has a chance to protect itself. You need to attempt a couple of online scans first... eSet, Kaspersky etc. If you cannot get online with the sys then a downloadable Kaspersky scanner might help. All free; choose from:
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -the downloadable virus scanner tool is on this page, also.
==Eset Online Scanner using IE only: http://www.eset.com/online-scanner
==Pandasoftware ActiveScan using IE or Firefox from http://www.pandasecurity.com/activescan/index/
==Bitdefender Online Scan using IE only: http://www.bitdefender.com/scanner/online/free.html
- post the results, please.
Finish up with this scan:
==Malwarebytes' Anti-Malware from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also …

jingda commented: Nice one, Gerbil. +9
gerbil 216 Industrious Poster

Yeah. OP is not giving much detail - we don't know if it is slow coming to logon screen, or after. Big difference regards third party apps.. most won't load until userinit.exe runs.
As far as boot scans by AVs, Avast can be set to do one, but it is obvious, with an info screen; it runs before winlogon.exe.

jingda commented: I agree +9
gerbil 216 Industrious Poster

I don't bother with oc, just read about it; that does seem like a large oc, though, from the standard 2.7GHz? Try backing that off [that's the first rule on a badly performing oc job, isn't it?]. Does it game ok? Check your memory with Memtest86+ [the bluescreens suggest a possible problem].
But sometimes installations just seem to go bad, little bits of sysfile corruption that slow things down. If just a few weeks into it, I'd consider a reinstallation. I know it's a pest, a time waster, but sometimes it works. A last resort, though.

skilly commented: i agree, undo the overclocking, if possible +3
gerbil 216 Industrious Poster

Here's a boot disc with a recovery console on it; the console runs from the cd so you don't need an xp cd or any files from your C drive. I know it works. All you need is an image burner like Nero 6, CD Writer...
Tips... unzip the file to get the iso and then BURN THE IMAGE. Do not use Data CD or any other mode cos all you will get is a copy of the iso [which you have already...and your new CD will not be bootable]; if you look at the files on your new cd and see .iso mentioned anywhere, start over. You merely select Burn an Image, browse to and select the .iso and press Burn. That is all it takes. Burn it to a CD-RW if you wish; there is no need to close/finalise the CD whether it is a RW or R. Multisession works fine. If you use a CD-RW then hold the burn speed lowish, say 4x.

http://www.thecomputerparamedic.com/files/rc.iso
http://www.webtree.ca/windowsxp/tools/bootdiscs/xp_rec_con.zip

Run chkdsk to perform a simple check of the drive. If there are any errors reported you must then do chkdsk /p to attempt to recover them, and follow with chkdsk to see if it is fixed. If not, try /p again, and so on [chkdsk with no parameter will not fix a thing]. You can just run chkdsk /p immediately if you wish.

BBAD commented: Thanks +4
gerbil 216 Industrious Poster

Holi, eh? What colour did you end up?
I think I tried to guide you in my first post to save data files only and reinstall your OS and applications, for otherwise it can be an adventure discovering the damage Sality has done. Having chosen to attempt a cure you should have used the Kaspersky cleaner at least. The problem with Sality is that when it infects a file it writes its own [encrypted] code at the entry point it uses and attempts to save the original code it is replacing; unfortunately it does a bad job of the latter and so removal/curing software will find the file to be irrecoverable. Once the sys is cleaned you can replace them yourself, of course, but that may be a task neverending. And... was it completely cleaned...?
Backing up the registry? I would not be without ERUNT; it does not entirely supplant System Restore but in most cases is all that is needed. Use the option also in the Windows Backup task to occasionally do a System State backup.

somjit{} commented: thanks for ur time to reply with a post on how the infections on my system work :) +1
gerbil 216 Industrious Poster

First off, those reg keys. If, as I suspect, one or more of them contain a huge list of hexadecimal code as data entries then I think it is safe to delete them - malware can load that data into memory. They are not registered/conforming CLSIDs anyway, merely invented.
klmd.sys has been subverted by the TDSS rootkit family on other systems, so many systems that I cannot ascertain by search what is its function.. it is not on my XP-SP3 sys. For the time being, rename it to system32/drivers/0000klmd.sys.bak.
catchme is a part of combofix; combofix jamming is a cause for alarm, it is being targeted. Try updating malwarebytes and scanning with it, see if it can catch any newly exposed files, then attempt combofix again.
If a CLSID refuses to delete then rclick it, go Permissions and take control, then whack it.
"Many thanks again for all you efforts. I was almost on the verge of a disk reformat."... apart from that, it is always nice to wring the neck of some malware. Writers are pouring effort into it, a lot of money is involved now. And thanks to you for hanging on, for fighting; it is frustrating but understandable when some folks give up and reformat... we learn little from that, but there are some utterly destructive viruses that leave no option - their aim is malicious damage, the aim of this stuff is theft and control.
Mind-boggling stuff:
0x20E Non-fatal A …

gerbil 216 Industrious Poster

Gee, that was a journey. Did driver verifier pick up the modification to Volsnap.sys?
If you have not already done so, run
combofix /uninstall
...then dl a fresh copy from http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or http://subs.geekstogo.com/ComboFix.exe
Close down your AV and firewall as before, and run Combofix just the once.
Sorry, but it is very late here, beddy-byes for me.

gerbil 216 Industrious Poster

Fin, could you wander into registry and delete those two CLSIDS manually, please?
You could export them to your desktop first, and post them, if you would.
Next do a search for all instances of {B4502AD1-AF97-EC66-7D66-304FFAC0F1DB}, export the subkeys and post them also? Tah.

gerbil 216 Industrious Poster

And a couple of other things you could do.. GMER originally put up a blue screen error of PFN_LST_CORRUPT... now that would have been caused by a driver [the rootkit?] accessing the page frame list incorrectly or trying to lock its physical memory range so that it stayed resident [exactly what error occurred would be indicated by the parameters given with the error code]. Run Driver Verifier with these settings:
Go Start, Run, and enter:
verifier
Ensure 'Create Standard Setting' is selected, hit next;
Click on 'Automatically select all drivers installed on this computer' and hit Finish;
Reboot.
And chatting with PP, it might be an idea to try TDSSKiller because of the prevalence recently of that rootkit type:
==Download tdsskiller from this link, save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe -you may need to download it to a clean computer and then transfer it to the desktop using a USB flash drive.
Start TDSSKiller via this command, NOT the icon:
"%userprofile%\desktop\tdsskiller.exe" -l C:\tdssrpt.txt <==paste this into Start, Run...
- click Scan. If TDSSKiller finds a rootkit and prompts a Cure then press Continue [a reboot may be required]; press Continue also on Skip prompt. Do not delete or quarantine any files.
Post the log from C:\.

gerbil 216 Industrious Poster

Thing is, fin, I have no way to trap these things on your sys... memory management will not place the pages at the same physical addresses each time they run. The launching process is not evident.
!!!!!!!!!!!Hidden driver: 00000102
Loaded from:
Address: 0x86F2328A
Size: 3446 bytes

==============================================
>Stealth

Unknown page with executable code
Address: 0x86F243CC
Size: 3124

Unknown page with executable code
Address: 0x86F2328A
Size: 3446

Unknown page with executable code
Address: 0x86F29143
Size: 3773

Try downloading and running GMER again:
==Download gmer.zip from http://www.majorgeeks.com/GMER_d5198.html ...or the exe from http://www.gmer.net/download.php - it will have some obscure name.
-dclick on gmer.zip and unzip the file to its own folder or to your desktop.
-disconnect from the Internet and close all running programs.
-dclick the .exe to start it; wait for the initial scan to complete [a few seconds]. Press the Copy button, open Notepad and paste into it.
-Then, if you did NOT get a warning at startup about rootkit activity, uncheck all drives but your systemdrive in the drives section; click the Scan button and wait for the scan to finish (do not use your computer during the scan); again press the Copy button, paste also into that Notepad.
-please post that log.

gerbil 216 Industrious Poster

You could try to find the name of that hidden driver; its presence may be concealed by the driver loading and executing some code as a system thread, and then removing itself; that way its details [name etc] cannot be read. I wonder....you could try to show it up - you can make a change in reg to show hidden drivers in Dev Mgr [remains until you reverse it], or a change to the environment inside a cmd shell [dies with the closing of that shell].
1)System Properties, paste in as an environment variable name:
devmngr_show_nonpresent_devices ; value of 1. [that adds it into Session Manager key in reg].
Or 2) In a cmd window enter:
set devmngr_show_nonpresent_devices=1 -then start Dev Mgr from inside that shell with..
devmgmt.msc
Inside Dev Mgr under View tab check Show hidden devices. Hidden [deliberately] or non-loaded [no device present on sys] drivers are shown greyed out. I doubt if it will reveal anything though.
When you find a suspect driver investigate it thoroughly - you don't want to delete a crypted firewall or SCSI driver.
You could delete C:\Qoobox and contents.

!!!!!!!!!!!Hidden driver: 00000102
Loaded from:
Address: 0x86F2328A
Size: 3446 bytes

This entry is a worry. And I don't know what to do about it. Do IceSword or RKRevealer show anything? You might try posting that piece plus the Hooks section and serf_conf log over at Sysinternals Malware board - it's …

gerbil 216 Industrious Poster

A group of students in USA used the uni lab facilities of one of their professor fathers to analyse hamburger chain beef patties. 5 - 18% muscle tissue [what you would call meat, normally], plus connective tissue [tendons, ligaments], much organ tissue [you could hope for just liver heart lungs kidneys etc], fat, water and some parasite cysts. Colours and fillers [grain based], of course.
Here in Aust. the two big US chains ran for a while ads showing prime beef yearlings in paddocks. As if. You get 12yold cow remains in hamburger.
You get what you pay for. You don't pay much.

gerbil 216 Industrious Poster

Been watching Howl's Moving Castle by Miyazaki.... a sublime anime, as are all by him... Anyway...
The serf_conf log... it originates from libserf, a language, it allows the client to make HTTP requests. I don't know if the config log that iexplore built is where it's been or where it's going, the former I guess. I'm out of my depth.
Something is directing IE, and it is still hidden. You might try another rootkit scan or three, one I like is Rootkit Unhooker [they had a very public and enduring slanging match with GMER & other AR software authors, but now are involved with M$...check Help About.. :)]. Get it, and any other you like from here: http://www.antirootkit.com/software/index.htm
I suggest...
R Unhooker -from this site is an earlier version than one I have... you need the author's site, or http://www.rootkit.com/newsread.php?newsid=902
R Revealer.
IceSword.
R Unhooker... as with IceSword, check each tab; RU scans run automatically except for Files & Hooks. Look for unknown hooks. Generally a rootkit's presence will be well indicated. Don't be surprised by SPTD software you may have throwing up alerts eg Alcohol.

gerbil 216 Industrious Poster

The ACMRU key records Most Recent Used uses of the Search Assistant [eg, you search for a file with Search in Explorer, the detail is recorded there]. But it does not have to be user searches that get entered there, as shown by this one: iexplore.exe http;//clickport.org /ac.php?aid=5&cid=direct2
There may be four subkeys:
- 5001: terms used for Internet Search Assistant
- 5603: terms used for files and folders search
- 5604: terms used in a word search
- 5647: terms used in the other computers or people search
The actual entries there are of no harm, merely system record keeping. You can delete them safely [the 001..003 names]. But you might wonder from where that one originated. I cannot raise the site, nor the findclean.org site. Google is of no help, except it turns up this page: http://www.threatexpert.com/report.aspx?md5=927f2c1b6c8d732a7ba55a5969393ed3 with another connection attempt to clickport.org amongst other suspect sites.
This instance of iexplore: iexplore.exe SC0DEF:3016 CREDAT:79873 -those codes show that it is a child process of an iexplore.exe frame process with a PID of 3016 in this case, the code defines their relationship so that they know each other.
It is IE8 at play. Process Explorer will give you the actual command line which opened iexplore.exe.
Keep hunting... there is something there, and it is bad.
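To see for yourself what the ACMRU key holds, here is an added PowerShell example (not code from the post) that dumps the four subkeys the post lists with their numbered MRU values and marks entries that look like a command line or URL rather than a human search term. The key path HKCU\Software\Microsoft\Search Assistant\ACMRU is the XP location of that key; the "suspicious" pattern is this example's own heuristic and can be tuned.

```powershell
# Added example (not from the forum post): dump the Search Assistant MRU and flag
# entries that do not look like something a person typed into Search.
$acmru = 'HKCU:\Software\Microsoft\Search Assistant\ACMRU'
$subkeyMeaning = @{
    '5001' = 'Internet Search Assistant'
    '5603' = 'files and folders'
    '5604' = 'word or phrase in a file'
    '5647' = 'computers or people'
}
# Heuristic (an assumption of this example): a URL, a program/library name,
# or a command-line switch is not a normal search term.
$suspicious = '://|\.exe\b|\.dll\b|\.scr\b|\s-[a-z]|\s/[a-z]'

if (-not (Test-Path $acmru)) {
    "No ACMRU key under HKCU (Search Assistant never used, or key already removed)."
    return
}

Get-ChildItem $acmru | ForEach-Object {
    $id = $_.PSChildName
    $meaning = if ($subkeyMeaning.ContainsKey($id)) { $subkeyMeaning[$id] } else { 'unknown subkey' }
    "== $id ($meaning)"
    $props = Get-ItemProperty -Path $_.PSPath
    # Keep only the numbered MRU values (000, 001, ...); skip PowerShell's PS* note properties.
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d{3}$' } |
        Sort-Object Name |
        ForEach-Object {
            $mark = if ([string]$_.Value -match $suspicious) { 'REVIEW' } else { '      ' }
            '  {0} {1} = {2}' -f $mark, $_.Name, $_.Value
        }
}
```

Run it under the profile whose Search history you are examining; the key lives under HKCU, so an entry written while another account was logged on will only show up when that account's hive is loaded.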

gerbil 216 Industrious Poster

Cookies are benign; on their own they can do nothing, they record a few details only for the site mentioned in their name to shortcut procedures, direct preferences. It disappoints me that an AV scan even bothers to mention them. But, as Judy suggested, modify your browser settings to accept cookies only from the page visited. That way you won't get cookies from advertisements on the page unless you visit their sites.
A great and free cleaner is CCleaner.

Ancient Dragon commented: good advice +35
gerbil 216 Industrious Poster

Okay, to stop people loading this thread with ads for commercial software, this will do the job of unhooking anything and deleting it:
Unlocker. It is free.

gerbil 216 Industrious Poster

Cool. Now because "when I did the cmd user thing shows my windows registration number as admin and Helen as guest".... you, logging in as Helen, can never create an admin account because Helen is a Guest. So log in as your "windows registration number" when you start your computer. You will then be an admin. And then do the account creation steps in the cmd window:
net user sooky /add
net localgroup administrators sooky /add
-and sooky is then an administrator! To get sooky to show in explorer etc logoff and logon as sooky. The new sooky account is created at that moment.
Then, logged on as sooky [an admin] try removing AVG again.

Ritesh_4 commented: thumbs up for the net user command +1
gerbil 216 Industrious Poster

Glad you sorted that out, and I know you managed it two years ago... :)
Anyway, another method to keep in mind is Darik's Boot n Nuke - you load it to a floppy or USB flashdrive, or burn the iso. Because it makes a bootable medium from which you then restart your sys it doesn't care what OS is on the hdd. It just wipes it.
Cheers.

gerbil 216 Industrious Poster

Ah, a proprietary trap. If you have many such files, you need Nero. If you only wish to use a few at a time, just rclick each and extract to somewhere with WINRAR, or similar. Bulk extraction of a group of files with WINRAR may not extract all files, but may be worth a try. WINRAR is no longer free. Nero uses a compression algorithm [if you left it set so], hence the need for a decompressor like WINRAR. I have not bothered checking exactly which algorithm is used... there are likely free decompressors available which will handle the job. Like 7zip, which I found very good as a general pgm to keep for such zipping/unzipping, but in the end chose WINRAR because it is slightly more comprehensive.
Okay.. I just created some Nero backups, test installed 7zip, and applied it to extracting first one file, then a batch of files, and it succeeded on both counts beautifully. Get 7zip.
The yards I went for you.:)

onestream commented: IT IS SO GOOD TO SEE PEOPLE ACTUALLY HELPING EACH OTHER FOR A CHANGE! THANKS, GERBIL! THE EXTRA YARDS ARE SO APPRECIATED! YOU ROCK! +0
gerbil 216 Industrious Poster

So it's not password protected .. did you actually Move the My Documents folder on the old installation, or is this a copy of it you are trying to access? From a cmd window can you do a dir on that S: drive, see the files?
Can you do this to take Ownership?: Because you have XP Home, restart in Safe mode [you must in order to get the Security tab on folders to appear], log on with an account that has administrative rights. Rclick a folder on the drive, select properties, > security tab, > advanced tab, click owner, click edit, click your user name in the list [or Administrator] and check Replace owner on subcontainers and object, and Ok. Answer Yes to the question regarding replacing permissions.

Kanoisa commented: Cheers :) +3
gerbil 216 Industrious Poster

I value your opinion on that, caper, so I can't see myself throwing away a good XP licence. Bill has a problem. Realistically, though, considering the extent of most peoples' use of a computer M$ should not expect to continually sell new, more powerful platforms; always some will be quite happy with what they have. Just as it is in the nature of others to over-extend by creeping specification.

gerbil 216 Industrious Poster

XP-SP3. I use it, it does everything that I require of it. Now in that I do not see a reason for change. Security? I just don't get hit, but then, I don't trawl the darker corners of the web. Change to Vista? Not going to happen. W7? Why?

count6 commented: I'm glad there is at least one like minded person out there that I agree with! Thank you...I couldn't have said it better!! +0
JimmyDVega commented: Damn Straight +0
gerbil 216 Industrious Poster

Try using the Recovery Console on your installation cd. To enter it, start setup as usual but then choose the R option. If your hdd is faulty then it will not proceed far because the Recovery Console requires windows on the drive to be recognizable.
It may of course be the motherboard at fault, ie. the drive interface [which is the Southbridge if an Intel-based machine]. And unfixable save by the manufacturer. Simplest check of that is to plug in a different hdd and see if Setup can proceed.
So...If your machine is actually still bootable then do this [this procedure will burn a diagnostic program onto a cd which in turn may be used to boot your machine and check the hd] :
You'll need access to a computer with Internet connectivity and a CD burner, plus a blank CD-R or CD-RW.
Then go to this link: http://support.thetechguys.com/Uploads/%7Bb4d5f239-78d9-4bd8-8e7a-2de1983b4d7d%7D/DiagCD23.exe
Either Run the file download or Save diagcd23.exe to your computer and dclick it to run. The procedure is quite automatic: you will be asked to insert a blank CD for burning the file.
Once the disk is created, put it in your broken machine, then restart it. It should boot from the CD and then give you the opportunity to run a Long HDD (hard disk) test. The utility supports a wide range of disk manufacturers.
Say how you get on.

gerbil 216 Industrious Poster

Old thread, Brian, but my ISP will assign a new dynamic IP if I use my router to disconnect/connect. It's the behaviour I would expect.

gerbil 216 Industrious Poster

Good-oh. Be guided by my post; it will be painless and stress-free, with very little risk to your system, and require no actual venturing into registry on your part. It encapsulates all the fixes mentioned by others, and more.
I could add that if you have trouble pasting the logs I requested then use the Go Advanced button and attach the two files. No copying, pasting required. See? I try for you... :)

michael2093870 commented: Terrific! Entertainingly informative. Now I'll look for that marvelous fix Gerbil describes. Happy Sunday Gerbilness! +0
gerbil 216 Industrious Poster

I like living in a country where Google works.

Salem commented: ROFLMAO +20
gerbil 216 Industrious Poster

Abu, a long shot... when Setup was running it may not have detected correctly the power management scheme of your mb. Go into system32, rclick on HAL.DLL, choose Properties > Version tab. Highlight [lclick] Internal name... what does it list for your actual hal?
Make sure that you have the correct video card/adapter drivers.

gerbil 216 Industrious Poster

"What will i do ???"
I don't know.... but I do know what M$ will do if you succeed. You will confront an activation problem. But heck, if your company is only going to be around for 30 days, go right ahead.

gerbil 216 Industrious Poster

Set is looking for a defined variable; "drive" is not defined in the command shell environment. You will have to create your variablename first, so at the head of your batchfile put this line:
set varname=drive
And it should then accept the set drive=x: lines.
Oh, and be careful of spaces - any after the = are part of the name.
You do realise that this will not be permanent? Your newly created variable "drive" will only exist in the current shell environment - you close it and it is gone.

gerbil 216 Industrious Poster

I think you have a case of Installer bloat there. My Installer folder is just 125MB.
There is a M$ tool to show up orphaned Installer files [those not registered] for you to delete; perhaps you could give it a try?
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301
Run :
msizap.exe G
"And if messing with the registry to switch back to DMA"... try the BIOS selection first. And you do not need to directly edit your registry - use Device Manager to set your IDE drives to DMA if available. Look under IDE ATA controllers > properties.
A site for you: http://winhlp.com/node/10
What was using java?

gerbil 216 Industrious Poster

The simplest way to fix this is, if you do indeed hook up your drive as you say, to go in and edit your boot.ini file so as to remove the /safeboot parameter from the line where it occurs [it may be /safeboot:minimal]... just delete it from the end of the line. Save the edited file over the original, and job is done. Well, that bit, anyway. There is a reason the safeboot parameter did not work, and that is that the safe boot key in registry was altered by your malware. There are fixes for that. Ask here if you need a resolution.

gerbil 216 Industrious Poster

Windows Memory mgmnt has it under its control. If you are looking at Task Manager, Available physical memory, and wondering why it is so big, possibly more than half your installed RAM, be assured that Windows and the processes running under it are using all the RAM they need. Available is memory that contains recently used processes and their data, ready for restart without an I/O operation to disk. Aw heck... read it here: http://support.microsoft.com/kb/312628
The Total commit Charge is the amount of memory actually being used at that moment, and it includes paged memory. You can't force Windows to use more RAM and not the page file because if you make too small a one, or none at all, Windows will quietly make one and not tell you about it.
As far as L2 cache goes, how much of it is used is up to your HAL. You know from your CPU spec sheet how much there is in the processor chip, you can see how much windows knows about from this key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"SecondLevelDataCache"=dword:00000000
That is a decimal dataword, zero implies 256KB.... you can set what your CPU has, in decimal KB. HAL might have it wrong.
Mine was not detected?, was originally set to minimum, so I set it to 6144. The sys seems happy; whether it made a difference, I don't know... I mean, cache size does make a difference [http://www.tomshardware.com/reviews/cache-size-matter,1709-2.html]. Certainly other software …

gerbil 216 Industrious Poster

Virut. Ah. You may have already taken the best option, then. A format and reinstall. Note that a format does not remove files, just loses them; the new OS will not see them. And vv.
Cheers, Nathan. Sometimes you do have to just give up.

gerbil 216 Industrious Poster

Just for the time being, Nathan, I am going to ignore one of the detections..... I may get spanked for it.
Anyway.... use GMER to delete all these entries [you must run it in Normal Mode]:
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACppjwbfoauuwvxxwmi.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACppjwbfoauuwvxxwmi.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvkbftebfvmevcvttv.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACsr \\?\globalroot\systemroot\system32\UACtmuhcepbrnaesbrvv.dat
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\TEMP\141078336mxx.dll

Delete all these files. This should do it in one hit. Paste this as ONE BLOCK into a cmd window at the prompt:

(del /f /a %systemroot%\system32\drivers\UACd.sys
del /f /a %systemroot%\system32\drivers\UACppjwbfoauuwvxxwmi.sys
del /f /a %systemroot%\system32\UACvkbftebfvmevcvttv.dll
del /f /a %systemroot%\system32\UACtmuhcepbrnaesbrvv.dat
del /f /a C:\WINDOWS\TEMP\141078336mxx.dll
del /f /a "C:\Documents and Settings\Chris\reader_s.exe")


Then use hijackthis to fix these entries :
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Chris\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Chris\reader_s.exe (User 'Default user')

Say how you get on...
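Before the files in a cleanup like the one above are deleted, a practitioner will usually want a record of them and a way back if one was misidentified. The following is an added PowerShell example (not from the post) that, for each path the post names, records SHA-256, creation time and signature status, moves a renamed copy into a quarantine folder, and removes the original only after the copy's hash matches. It assumes Windows PowerShell 4 or later (for Get-FileHash), an elevated session, and that the rootkit's registry entries have already been removed as the post describes, since a driver that is still loaded may refuse to be deleted; the quarantine folder name is this example's choice.

```powershell
# Added example (not from the forum post): preserve evidence and keep a rollback
# path before removing the files the post lists.  Paths are those named in the post.
$targets = @(
    "$env:SystemRoot\system32\drivers\UACd.sys",
    "$env:SystemRoot\system32\drivers\UACppjwbfoauuwvxxwmi.sys",
    "$env:SystemRoot\system32\UACvkbftebfvmevcvttv.dll",
    "$env:SystemRoot\system32\UACtmuhcepbrnaesbrvv.dat",
    "C:\WINDOWS\TEMP\141078336mxx.dll",
    "C:\Documents and Settings\Chris\reader_s.exe"
)
# Quarantine location is this example's own choice.
$quarantine = "C:\Quarantine\$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null

$report = foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t)) {
        [pscustomobject]@{ Path = $t; Found = $false; SHA256 = $null; Created = $null; Signature = $null; Removed = $false }
        continue
    }
    # -Force so hidden/system attributes do not hide the file from Get-Item.
    $fi   = Get-Item -LiteralPath $t -Force
    $hash = (Get-FileHash -LiteralPath $t -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -FilePath $t).Status

    # Copy under a non-executable name, verify the copy by hash, then remove the original.
    $dest = Join-Path $quarantine ($fi.Name + '.quarantined')
    Copy-Item -LiteralPath $t -Destination $dest -Force
    $removed = $false
    if ((Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash -eq $hash) {
        Remove-Item -LiteralPath $t -Force
        $removed = -not (Test-Path -LiteralPath $t)
    }
    [pscustomobject]@{ Path = $t; Found = $true; SHA256 = $hash; Created = $fi.CreationTime; Signature = $sig; Removed = $removed }
}

$report | Format-Table -AutoSize
# The CSV travels with the quarantined copies, so the hashes can be looked up later.
$report | Export-Csv -Path (Join-Path $quarantine 'report.csv') -NoTypeInformation
```

A row with Found true and Removed false means the file is still held open, typically because the driver or DLL is loaded; the answer then is the reboot or offline boot the post's GMER step is there to make possible, not a harder delete.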

gerbil 216 Industrious Poster

Norton/ symantec. The latest product seems to be performing better in the mix. Anyway, trot along to this page and get the correct removal tool for your version of Norton - use it to completely clean out your old AV.
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
THEN, install your new AV. Mcafee? Ummm....
You may then need to uninstall and reinstall any third party firewall.
Your ping going thru but not any browser traffic points to the AV. An AV acts as a proxy for your browser, handling all TCP traffic. Ping.exe is ignored.

gerbil 216 Industrious Poster

That sorted things out, and revealed more.
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.

Killall::

File::
c:\windows\010112010146118114.dat
c:\program files\Common Files\yhawisedi.com
c:\program files\Common Files\tawym.scr
c:\program files\Common Files\woziwas.bin
c:\program files\Common Files\mipaxigaky.ban
c:\program files\Common Files\ykulu.bat
c:\program files\Common Files\vaqin.lib
c:\program files\Common Files\himalavid.lib
c:\program files\Common Files\comer.exe
c:\program files\Common Files\uhejata.vbs
c:\program files\Common Files\ibutixare.vbs
c:\program files\Common Files\wyjo.scr
c:\program files\Common Files\sijuv.db
c:\program files\Common Files\cijaw.dll
c:\program files\Common Files\coqeqisu._sy

Folder::
c:\documents and settings\All Users\Application Data\97999836
c:\documents and settings\All Users\Application Data\17989844

Registry::
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{55F992BA-1D26-E5AF-0907C8AEF5A56624}]

Good. Now drag the CFScript.txt icon onto the Combofix icon on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
Run hijackthis after, and post that log ALSO with your comments, please Matty.

gerbil 216 Industrious Poster

Okay, when you type in a URL, say http://www.bestsitetobe.com, the web does not recognise that as a valid machine address, so it is converted to one, an IP address, say 234.34.121.005 which is linked to a machine or server somewhere in the world. To do that conversion a DNS server gets involved - those servers maintain URL <> IP address lists. Your ISP assigns you to one or two of them, and those DNS servers will have their IP addresses loaded into your router at log-on to your ISP. A DNS hijack then is when malware loads in its own DNS servers... you enter a URL, their DNS servers put in a selected IP address, which may not be the correct one. Get rid of those two.
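The check that goes with the explanation above, as an added PowerShell example (not code from the post): it reads the per-interface NameServer (static) and DhcpNameServer values under Tcpip\Parameters, which are the same values the resolver uses, and flags any server not on an allowlist. The allowlist addresses are placeholders to be replaced with your ISP's or your own resolvers; reading the registry rather than the DnsClient module is deliberate so it also runs on older systems such as the XP machines in this thread.

```powershell
# Added example (not from the forum post): list the DNS servers each interface will
# use and flag any that are not expected.  Allowlist entries are placeholders.
$allowed = @('192.0.2.53', '198.51.100.53')   # replace with your real resolvers

$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem $ifRoot | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    # NameServer (static; overrides DHCP) and DhcpNameServer are space- or comma-separated.
    $static = @(([string]$p.NameServer)     -split '[ ,]+' | Where-Object { $_ })
    $dhcp   = @(([string]$p.DhcpNameServer) -split '[ ,]+' | Where-Object { $_ })
    if (-not $static -and -not $dhcp) { return }    # interface with no DNS configuration

    $inUse  = if ($static) { $static } else { $dhcp }
    $source = if ($static) { 'static' } else { 'dhcp' }
    foreach ($srv in $inUse) {
        $verdict = if ($allowed -contains $srv) { 'ok    ' } else { 'REVIEW' }
        '{0} {1,-7} {2,-15} interface {3}' -f $verdict, $source, $srv, $_.PSChildName
    }
}

# A machine that should get its resolvers from DHCP but carries a static NameServer,
# or any resolver you do not recognise, is the situation the post calls a DNS hijack.
# The global value, if set, applies to every interface:
$global = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').NameServer
if ($global) { "Global NameServer override: $global" }
```

On a home network the DHCP-supplied resolver is usually the router itself, so the router's own DNS settings deserve the same comparison; a hijack there changes the answer for every machine behind it even though each PC looks clean.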

gerbil 216 Industrious Poster

Please do not use Rapidshare for posting logs. Post them here.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O4 - HKLM\..\Run: [13930784] C:\Documents and Settings\All Users\Application Data\13930784\13930784.exe
O4 - HKLM\..\Run: [93940776] C:\Documents and Settings\All Users\Application Data\93940776\93940776.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted …

illahae commented: The guy/gal is a frickin wizard! +1
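
An added example, not gerbil's or HijackThis's own code, that does the triage the post above does by hand: it reads HijackThis log lines and pulls out the two entry types quoted there, O15 Trusted Zone additions (plain entries are per-user, "(HKLM)" ones are machine-wide) and O4 Run entries whose target sits in an all-digit folder under All Users\Application Data. The log lines are constructed; the domain is a placeholder, the numeric folder name is the one from the post.

```python
"""Pull the suspicious entry types from a HijackThis log.

Added example, not part of the original thread. Sample log lines are
constructed in the style of the entries quoted in the post; the domain
rogue-av.example.test is a placeholder.
"""
import re

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AAAAAAAA-0000-0000-0000-000000000000} - C:\WINDOWS\system32\legit.dll
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
O4 - HKLM\..\Run: [13930784] C:\Documents and Settings\All Users\Application Data\13930784\13930784.exe
O15 - Trusted Zone: *.rogue-av.example.test
O15 - Trusted Zone: *.rogue-av.example.test (HKLM)
O23 - Service: Windows Update (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
"""

# O15 lines: an optional trailing "(HKLM)" marks a machine-wide zone entry.
_O15 = re.compile(r"^O15 - Trusted Zone: (\S+)(?: \((HKLM)\))?$")
# O4 Run lines: hive, value name in brackets, then the command/target.
_O4 = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
# All-digit folder directly under All Users\Application Data (the pattern in the post).
_NUMERIC_APPDATA = re.compile(r"\\All Users\\Application Data\\(\d+)\\", re.IGNORECASE)


def find_suspicious(log_text):
    """Return (kind, detail, reason) tuples for entries that deserve a look."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _O15.match(line)
        if m:
            scope = m.group(2) or "HKCU"
            hits.append(("O15", m.group(1), f"site added to IE Trusted Zone ({scope})"))
            continue
        m = _O4.match(line)
        if m:
            target = m.group("target")
            n = _NUMERIC_APPDATA.search(target)
            if n:
                hits.append(("O4", target, f"autorun from numeric folder {n.group(1)}"))
    return hits


if __name__ == "__main__":
    for kind, detail, reason in find_suspicious(SAMPLE_LOG):
        print(f"{kind:4} {reason:45} {detail}")
```

Any site in the Trusted Zone gets IE's most relaxed security settings, which is why rogue antivirus installers add themselves there; a clean home machine normally has no O15 entries at all, so every hit is worth reading.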
gerbil 216 Industrious Poster

Good-oh, glad you are clean. But believe me on the RECYCLER/Recycle Bin thing... they are parts of the whole. You could have deleted those S-...com files manually from RECYCLERs, and run CCleaner to clear the temp files. And it appears that I have told you how to hide files and make em undeletable by normal methods. The end of that secret.

gerbil 216 Industrious Poster

Why did you pick that service, Jim? And isn't it a vista service, anyway?
Have you tried making a new account on the puter to see if the svchost error occurs inside it? I note that error listed in SDFix...

DaniWeb4Jim commented: Very helpful +1
gerbil 216 Industrious Poster

Sure. I use Comodo Firewall Pro [it's free... they get their money from certifying secure sites].. but it will drive the casual puter user nuts. It is very comprehensive, possibly the best; you can spend hours working out its capabilities, and it is not set n ferget. But it is very good.
ZoneAlarm is good, and not demanding at all.
I can only speak from personal experience... I am not a reviewer; these are things I use/have used.

whoost commented: excellent dedication and speediest response I've ever been given +2
gerbil 216 Industrious Poster

Gog, it is just this entry that I was wondering about
BITS: hxxp://auj+|Cv+@J:NGD_DQ{zcxLJS@]6A
which is a URL for the background intelligent transfer service, and really http://auj+|Cv+@J:NGD_DQ{zcxLJS@]6A
This is the username: auj+|Cv+@J
and all is at this key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
I cannot advise you on what to do with it. If you were to export that key and post it here it would be confusing cos a lot of it would be in hex ASCII representation....
It could be legit.. it is the sort of jargon a machine would come up with....
Help!!

ggogeta commented: clarified my situation ! +4
gerbil 216 Industrious Poster

System Restore is limited in the amount of system file repair it can do.
If you have different icons in explorer then your shell32.dll has likely been modified along with some other changes to make the File Protection System ignore it. To restore that file you would have to copy in a fresh file both to system32 and the dllcache, plus fix any reg mods.
If WFPS has been modified then my guess is that sfc would not fix that issue, it certainly would not fix WFPS. And shell32.dll is not the only source of icons for explorer, which itself contains icons.
You could of course slave the drive and copy in replacements to system32 and dllcache, cos shell32.dll is used all the time [under winlogon.exe]. But that would not repair WFPS.
The other changes I have not a clue about, except that if the Start button has been modded then explorer.exe itself has been changed... so I am thinking that you will need to do a lot of careful, time-consuming excisions and replacements [once you track them all down], else a Windows Repair.
With the latter you won't lose any data or personal settings; you may need to reinstall a few apps, or none if you are lucky; you will have to dl all the Windows Security Updates again. It's a price to pay....
This link will give you an idea of what is involved to mod that Start button alone, but …

FlashCreations commented: Thanks for Helping with my XP Issues!!! +1
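
An added example, not from the post above, of the system32-versus-dllcache comparison gerbil describes: Windows File Protection keeps its backup copies in %SystemRoot%\system32\dllcache, so hashing the live file and the cached copy tells you whether they still agree. The demo builds two constructed directories in a temp folder so it runs on any OS; on a real XP box you would pass the real system32 and dllcache paths (and remember that a mismatch can also mean an update touched only one copy, so it is a pointer, not a verdict).

```python
"""Compare protected system files against their dllcache copies.

Added example, not from the original post. The directory tree built by
build_demo_tree() is constructed; the file names are familiar ones but the
contents are placeholder bytes.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large DLLs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_with_dllcache(system32_dir, dllcache_dir, names):
    """Return {name: 'match' | 'mismatch' | 'missing-live' | 'missing-cache'}."""
    result = {}
    for name in names:
        live = os.path.join(system32_dir, name)
        cached = os.path.join(dllcache_dir, name)
        if not os.path.isfile(live):
            result[name] = "missing-live"
        elif not os.path.isfile(cached):
            result[name] = "missing-cache"
        elif sha256_of(live) == sha256_of(cached):
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result


def build_demo_tree(root):
    """Constructed stand-in for system32 and its dllcache subfolder."""
    sys32 = os.path.join(root, "system32")
    cache = os.path.join(sys32, "dllcache")
    os.makedirs(cache)
    files = {
        "user32.dll": (b"clean user32", b"clean user32"),         # untouched
        "shell32.dll": (b"patched shell32", b"original shell32"),  # live copy replaced
        "comdlg32.dll": (b"comdlg32", None),                        # no cached copy
    }
    for name, (live, cached) in files.items():
        with open(os.path.join(sys32, name), "wb") as f:
            f.write(live)
        if cached is not None:
            with open(os.path.join(cache, name), "wb") as f:
                f.write(cached)
    return sys32, cache


def run_demo():
    """Build the constructed tree and compare four names, one of which is absent."""
    with tempfile.TemporaryDirectory() as root:
        sys32, cache = build_demo_tree(root)
        return compare_with_dllcache(
            sys32, cache, ["user32.dll", "shell32.dll", "comdlg32.dll", "ntdll.dll"]
        )


if __name__ == "__main__":
    for name, state in run_demo().items():
        print(f"{name:14} {state}")
```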
gerbil 216 Industrious Poster

Weasel, don't use that previous script - I missed one file to delete, so use this modified version instead. The vundo infection there appears to have rootkit capabilities. I should also point out that your friend has had a keylogger trojan on his sys and so it is important that he changes important passwords and bank accounts that he may have accessed from the computer.
The new CFScript.txt:

Killall::

File::
C:\WINDOWS\system32\aKUBdMoq.ini2
C:\WINDOWS\system32\qoMdBUKa.dll
C:\WINDOWS\system32\ssqnMETJ.dll
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\xxyvuutq.dll
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\erfb.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\nfavxwdbpgs.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\erms.exe
C:\WINDOWS\agpqlrfm.exe
C:\DOCUMENTS and SETTINGS\ADMINI~1\LOCALS~1\Temp\catchme.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= -

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
gerbil 216 Industrious Poster

Hello weasel... Okay, thanks... lessee, do you have this file by any chance?:
C:\Windows\System32\Drivers\tdssserv.sys
-delete it. There may be others like this:
C:\Windows\System32\tdsss?.dll ..where the ? represents other letters.
==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
=You must restart your computer in Safe Mode:
- Log in by using the Administrator account.
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.