gerbil 216 Industrious Poster

You're doing fine. This should solve the redirection problem:
Use hijackthis to fix these two entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Delete this file:
C:\WINDOWS\privacy_danger\index.htm

To make things a bit easier, instead of using explorer [it is only a UI] use Task Manager instead.... even without your explorer running you can start it with Ctrl-Alt-Del. Then go Files > New Task[Run] and paste in:
H:\Help\HiJackThis.exe
To delete that file, run instead:
cmd
..and paste into the cmd window:
del /f C:\WINDOWS\privacy_danger\index.htm
Now try with a freshly dl'd copy of MBAM [or Run from the dl site]. Only if that will not work then do this:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-Important! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

I understand, weasel, so let's work for the moment with what you have: please start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
O3 - Toolbar: fdkowvbp - {88E2C28F-80C8-49BA-94A3-A5D4930B4A23} - C:\WINDOWS\fdkowvbp.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: WIKI.DLL
O21 - SSODL: kvxqmtre - {36124790-EB2B-4710-A22A-1A3E2E8AF093} - C:\WINDOWS\kvxqmtre.dll
O21 - SSODL: evgratsm - {AD7737B1-286C-46CE-A38C-EDF32F66B1EB} - C:\WINDOWS\evgratsm.dll
O21 - SSODL: wnslvxtf - {79AA8769-D93B-4E62-9EC1-B4BBF684385E} - C:\WINDOWS\wnslvxtf.dll
O21 - SSODL: eqvwamkl - {42957140-5665-4E2D-9D2D-A59910D26B86} - C:\WINDOWS\eqvwamkl.dll

Now delete these files... if they put up a fight I can give you a tool to do it with, else you can delete them from Safe Mode.

C:\WINDOWS\qndsfmao.dll
C:\WINDOWS\fdkowvbp.dll
C:\WINDOWS\kvxqmtre.dll
C:\WINDOWS\evgratsm.dll
C:\WINDOWS\wnslvxtf.dll
C:\WINDOWS\eqvwamkl.dll
C:\WINDOWS\system32\WIKI.DLL -this one may be in the windows folder if not here.

The deleter...Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

Once those files are gone try again to run MBAM and the new version of hijackthis. If they still cannot run from the dl'd files, Run them from the dl site instead [Hijackthis will give you a warning about running from a temp folder, but proceed anyway].
Good luck.
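The entries gerbil picks out in the two posts above follow a few repeatable patterns: an O20 AppInit_DLLs line, toolbars and SSODL entries whose DLL has an eight-letter random name sitting directly in C:\WINDOWS, an O24 desktop component that renders a local HTML file, an O4 autostart living in a Temp folder, O6/O7 policy restrictions, and O15 trusted-zone entries. As an added example, not code from the thread or from HijackThis itself, this Python script applies those rules of thumb to a handful of lines constructed from gerbil's posts on this page and then lists the file paths behind the flagged entries, which is the "now delete these files" step. The heuristics, the DEFAULT_HOSTS allowlist and the sample lines are assumptions for illustration, and the O2 BHO line is included to show that a normal Java helper is left alone.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HijackThis lines quoted from gerbil's posts on this page, not a full log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: *.line6.net
O20 - AppInit_DLLs: WIKI.DLL
O21 - SSODL: kvxqmtre - {36124790-EB2B-4710-A22A-1A3E2E8AF093} - C:\WINDOWS\kvxqmtre.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# First drive-letter path in the entry, quoted or not, ending in a runnable or HTML extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|scr|htm|html)\b', re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Eight lowercase letters plus .dll: the naming pattern of the droppers in the posts above (heuristic).
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
# Constructed allowlist of start/search page hosts treated as normal; everything else is reported.
DEFAULT_HOSTS = {"www.microsoft.com", "go.microsoft.com", "www.msn.com", "search.msn.com"}


@dataclass
class Finding:
    section: str
    reason: str
    path: Optional[str]
    line: str


def _in_windows_root(path: str) -> bool:
    """True when the file sits directly in the Windows (or WINNT) folder, not in system32."""
    parent = ntpath.dirname(path).lower()
    return parent.endswith(("\\windows", "\\winnt"))


def triage(log_text: str) -> List[Finding]:
    """Apply the thread's rules of thumb to each HijackThis line and collect the hits."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        pm = PATH_RE.search(body)
        path = pm.group(0) if pm else None
        name = ntpath.basename(path).lower() if path else ""
        reason = None
        if sec in ("R0", "R1"):
            hm = HOST_RE.search(body)
            if hm and hm.group(1).lower() not in DEFAULT_HOSTS:
                reason = "start/search page points at a third-party host"
        elif sec in ("O3", "O21") and path and _in_windows_root(path) and RANDOM_DLL_RE.match(name):
            reason = "eight-letter DLL dropped directly in the Windows folder (heuristic)"
        elif sec == "O4" and path and "\\temp\\" in path.lower():
            reason = "autostart launched from a Temp folder"
        elif sec in ("O6", "O7"):
            reason = "policy restriction present (IE options, regedit or Task Manager locked)"
        elif sec == "O15":
            reason = "Trusted Zone entry bypasses the normal IE site security settings"
        elif sec == "O20" and body.startswith("AppInit_DLLs"):
            reason = "AppInit_DLLs loads before logon into every process; unlock the file before deleting"
        elif sec == "O24" and "file:///" in body.lower():
            reason = "Active Desktop component rendering a local HTML file"
        if reason:
            findings.append(Finding(sec, reason, path, raw.strip()))
    return findings


def files_to_delete(findings: List[Finding]) -> List[str]:
    """Paths behind the flagged entries: what is left to remove once HijackThis has fixed the entries."""
    return [f.path for f in findings if f.path]


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
    print("\nFiles to delete after fixing:")
    for p in files_to_delete(hits):
        print("  ", p)
```

The path regex deliberately stops at the first runnable extension, so `rundll32 E:\...\LXCFtime.dll,_RunDLLEntry@16` style entries yield the DLL rather than the whole command line; the AppInit line carries only a bare file name, so it is reported without a path and the location has to be looked up by hand, exactly as gerbil notes for WIKI.DLL.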

gerbil 216 Industrious Poster

I aint finished yet! When you visit the Windows Update site it uses an ActiveX to detect this key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired].
Try deleting the RebootRequired key itself.
I just did and it seems to work. Without a reboot I could not use the update site to check for more updates... I deleted that RebootRequired key and it allowed me in without a restart. I took another dl and it regenerated that key.

Bob_180_Bob commented: He kept trying until he got it right. +1
gerbil 216 Industrious Poster

And because you saw this msg :
"No boot sector on hard disk - No bootable devices - press F1 to retry, F2 to go to options" - you were not actually booting from the cd. DBAN obviously wiped the disk but left the MBR intact, so the code from that has been loaded, but then it cannot locate the boot sector on the hdd... cos you wiped it. Anyway.. that is wot it is telling you. Reset your boot order using the F8 key at startup [F2?, or whatever key combo BIOS tells you to use] to set your cd as first boot device.

gerbil 216 Industrious Poster

Hi. For the moment I will just assume that it is a problem only with an exe file link. Run this [key is an export from my machine]:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

Modification for your situation: you can copy that file to a floppy or thumbdrive and run it from there....

rayo commented: thank you very much gerbil +1
gerbil 216 Industrious Poster

"two errors should not throw stop errors against his screen".... two installations? No, they should not... I wuz jus pointing out that he had two... some folks don't realize that they have em, wasting a lot of disk space.

sittas87 commented: It's always nice to read your advice. Keep it up +2
gerbil 216 Industrious Poster

No intrusion at all.... Spybot 1.6 is the latest version, just go to the homepage...
http://www.spybot.info/index2.html
and dl from a mirror close to yourself. When you install consider carefully the options for the types of protection you want from it. But you can change your options later from the menus.
How can you not trust your sys to software from a bloke who, in the licence agreement, dedicates the app to the most wonderful girl in the world..?

sittas87 commented: Thanks buddy +2
gerbil 216 Industrious Poster

Anne, this should do the trick. I have included some links as a way of acknowledging the author of the fix.
Home - http://www.dougknox.com/
Links - http://www.dougknox.com/xp/xp_fixes.html
The link - http://www.dougknox.com/xp/fileassoc/linkfile_fix.zip
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\.lnk\ShellEx]

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellNew]
"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"EditFlags"=dword:00000001
"IsShortcut"=""
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\lnkfile\CLSID]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex]

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}]

[HKEY_CLASSES_ROOT\lnkfile\shellex\DropHandler]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\lnkfile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}]
@="Shortcut"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentAddinsRegistered]

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentHandler]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\ProgID]
@="lnkfile"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\shellex]

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\shellex\MayChangeDefaultMenu]
gerbil 216 Industrious Poster

Symantec/S32ENIL.dll .. is there any chance you typed that incorrectly, arthas? It should be the name of a dll that exists in that Symantec S32 directory under Program Files. Anyway, I notice that you are running Avast from Alwill Software, so that Symantec error is a leftover from an incomplete uninstallation of Symantec. To fix that you should go to Symantec's website for the removal tool for the edition of their AV that you were using. For your immediate problem you can do this....
==Navigate to this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers
-in the right pane rclick VDD and delete it.
-in the Edit menu point to New and then select Multi-string Value.
-type VDD in the Value Name box, press ENTER.
-exit Regedit.

The Symantec tool will clear out all ? remnants though....
[with Avast installed I am surprised you do not have this entry for VDD at that key:
C:\Program Files\Alwil Software\Avast4\aswMonVd.dll ... but anyway..]
That is an incomplete SDFix log. Try running it again.

gerbil 216 Industrious Poster

Hang amo. Just stepping thru your videos. I cannot see your IDE? drive shown as detected?

egmik3 commented: Thanks for all the help again! +2
gerbil 216 Industrious Poster

It doesn't get much better than this:
http://www.dslreports.com/faq/15804

GiddyupGilbert commented: A perfect direction for my question +3
gerbil 216 Industrious Poster

Modify boot.ini by going CP, System, Advanced tab, Startup and Recovery Settings button, Edit - boot.ini will open in Notepad. Modify it and Save.
But yeah, we could get into a lil problem with a mixed IDE and Sata disk set if trying to make the Sata drive contain both System and Boot partition. BIOS will see that IDE Active Disk 1 partition and get lost - you will get an error msg.
It may be that you will have to make C: Active as the System partition after all. The original boot.ini in C: would be already correct.
Can I go to bed now, please? It's 1:30 am here... :(

SillyBilly commented: Very helpful to me and I learned something as well.. +2
gerbil 216 Industrious Poster

Do you have Adaware 2007? Then Allow. Lsdelete.exe is a file in system32 from Adaware.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute" ="autocheck autochk * lsdelete"
....is in my sys. I have no problem with it.

gingerrua commented: thanks for taking time to answer +4
gerbil 216 Industrious Poster

peater, this is not a site that supports cracks.. that is just how it is. But if you have a problem with your sys, take the time to make a new thread outlining it. No point getting cranked up over a blind thread... many out there end up like that for whatever reason.

gerbil 216 Industrious Poster

Good-oh, tsahi.... if you're happy, I'm happy.
Cheers.

gerbil 216 Industrious Poster

Outlook.exe is the email client for M Office. RightFax is a third party extension to Outlook that invokes outlook's email client capabilities. You have RightFax as a startup, it is going to call outlook.exe so that it can run. DCOM and Terminal Services are naturally going to be invoked as handlers.
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\FaxCtrl.exe
You have an "IT" dept? What do they do? I could be free for a good price....
I'm glad your AS n AV services didn pick it up... but your IT oughta be on top of your softwares.
[Jus being cheeky. I'm allowed that...]

gerbil 216 Industrious Poster

Boom-boom.

thunderstorm98 commented: LoL.. +3
gerbil 216 Industrious Poster

That little 32MB partition was probably some sort of recovery image for the original computer. Dump it.
60GB? Put the OS into a 10GB partition, apps in another, maybe 5GB, data in a third making up the remainder. All NTFS.

gerbil 216 Industrious Poster

You might check this key to see if there is an entry Disable Taskmgr or similar...:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
if there is you have two choices: either delete the entry name Disable Taskmgr, or change its data value to 0 [zero].
If you are running XP Pro you could just tackle it via gpedit.msc.

TheEinstein commented: Gerbil's idea worked for me! Thank you very much! +0
gerbil 216 Industrious Poster

I'll take a shot in the dark, tammy. Please do these things in this order.
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for …

gerbil 216 Industrious Poster

Hello, ryun.
Delete this file:
C:\WINNT\System32\lgbpd.exe - if it is running just stop it in TM and then try to delete it again.
Good. Uninstall MyWebSearch via Add/Remove pgms.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINNT\System32\lgbpd.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...4YYUS_ZZzer000
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab

Finally: Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.5 is current....
And let's hope that is it. Say how things are...

ryun commented: He is a genius +4
gerbil 216 Industrious Poster

Heya, cynikal... we'll get there....
In a standard windows installation Windows Explorer [explorer.exe] is the user's point of contact with the OS, it is the shell, the outside casing if you like, of your OS and everything else runs inside or around it; it [or a modified replacement] is always running when logon is completed. You can stop it if you wish but then you lose being able to easily interact with the OS... your running programs will continue running, you can start new ones etc but not in the normal way.
When you dclick My Computer you are opening a graphical interface, a window to Explorer. Another window is the taskbar, still another is the desktop. There are other ways of opening a window, and you can open many such windows to it at a time, but there is only one explorer.exe running, ever. These windows provide you with a simple and useful way to manipulate your files, including programs, which all exist and operate independently of explorer.exe. Where am I going with this...? ...listening to Thea Gilmore's Contessa and enjoying it.... okay, just one of those independent programs is Internet Explorer [iexplore.exe] which is actually more than just a web browser, but here we are not concerned with it at all.... since we normally use Windows Explorer to see our files or operate the OS it is that which we must adjust to control that view; Folder Options is one such control.. and you get to …

cynikal commented: so knowledgeable +1
gerbil 216 Industrious Poster

It looks like Panda broke your mIRC - you may have to reinstall that.
Is that the BearShare installer in C:\Downloads? C:\Downloads\BSINSTALL.exe - if so, it is okay.
If MyGlobalSearch is listed in Add/Rmv pgms, uninstall it.
=I see that you have MyWay Search Assistant. You can get rid of it... first see if it is listed in Add/Remove pgms list - remove it if able, then..
Go start > run, paste:
MsiExec.exe /X {78d944d7-a97b-4004-ab0a-b5ad06839940} -and Enter. If it is found click yes at the prompt.
Next delete the MyWay files/folder in Program Files [use myway as a search string...].
This next will clean up the bad entries that Panda found in your registry:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[-HKEY_USERS\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}]
[-HKEY_CLASSES_ROOT\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]
__________________________________________________________

Please say how things are after a restart.

cynikal commented: gerbil is a computer genius. lol +1
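The fixes gerbil hands out are plain .reg files (the .exe and .lnk association repairs earlier on this page and the key-deletion file just above), and the same format comes back whenever he asks for a key to be exported, such as the Policies\System key behind the DisableTaskMgr and DisableRegedit entries. As an added example, not code from the thread, this Python parser reads a .reg file, flags the two slips that make regedit skip a line without complaint (an abbreviated root such as HKCU instead of HKEY_CURRENT_USER, and an unbalanced brace in a CLSID), lists which keys the file deletes or creates, and reports which Disable* policy values an export shows as switched on. Both sample texts are constructed from the fixes on this page; the restriction check assumes the real value names DisableTaskMgr and DisableRegistryTools, and multi-line hex(7) values are not decoded.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the deletion fix and the .exe association fix from gerbil's posts,
# plus a Policies\System export, written the way regedit needs them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave]
[-HKEY_CLASSES_ROOT\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
"""

# Constructed sample carrying the two slips regedit skips silently: abbreviated root, missing brace.
BROKEN_REG = r"""Windows Registry Editor Version 5.00

[-HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37B85A21-692B-4205-9CAD-2626E4993404]
"""

HEADER = "Windows Registry Editor Version 5.00"
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
ABBREV = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKCR": "HKEY_CLASSES_ROOT",
          "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG"}
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<lhs>@|"[^"]*")=(?P<data>.*)$')
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"


@dataclass
class RegFile:
    keys: Dict[str, Dict[str, object]] = field(default_factory=dict)  # key path -> {value name: data}
    deleted_keys: List[str] = field(default_factory=list)
    issues: List[str] = field(default_factory=list)


def _decode(data: str) -> object:
    """Decode the right-hand side of a value line: strings and dwords; hex blobs are kept raw."""
    if data == "-":
        return None  # "name"=- removes the value
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg(text: str) -> RegFile:
    """Parse a version 5.00 .reg file and record anything regedit would not apply as intended."""
    rf = RegFile()
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or not lines[0].strip().startswith(HEADER):
        rf.issues.append(f"missing '{HEADER}' header line")
    current: Optional[Dict[str, object]] = None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            path = km.group("path")
            root = path.split("\\", 1)[0]
            if root.upper() in ABBREV:
                rf.issues.append(f"line {lineno}: regedit does not accept the abbreviation {root}; use {ABBREV[root.upper()]}")
            elif root.upper() not in HIVES:
                rf.issues.append(f"line {lineno}: unknown root key {root}")
            if path.count("{") != path.count("}"):
                rf.issues.append(f"line {lineno}: unbalanced braces in CLSID")
            if km.group("delete"):
                rf.deleted_keys.append(path)
                current = None
            else:
                current = rf.keys.setdefault(path, {})
            continue
        vm = VALUE_RE.match(line)
        if vm is None:
            rf.issues.append(f"line {lineno}: unrecognised line {line!r}")
        elif current is None:
            rf.issues.append(f"line {lineno}: value outside any [key] section")
        else:
            name = "" if vm.group("lhs") == "@" else vm.group("lhs")[1:-1]
            current[name] = _decode(vm.group("data"))
    return rf


def active_restrictions(rf: RegFile) -> List[str]:
    """Disable* values set to non-zero under the HKCU Policies\\System key (case-insensitive key match)."""
    for key, values in rf.keys.items():
        if key.lower() == POLICY_KEY.lower():
            return sorted(n for n, v in values.items()
                          if n.lower().startswith("disable") and isinstance(v, int) and v)
    return []


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_REG), ("broken", BROKEN_REG)):
        rf = parse_reg(text)
        print(label, "deletes:", rf.deleted_keys)
        print(label, "creates:", list(rf.keys))
        print(label, "restrictions on:", active_restrictions(rf))
        print(label, "issues:", rf.issues or "none")
```

Running the parser over a fix before double-clicking it catches exactly the kind of slip that leaves a bad key in place while regedit reports success; the same `active_restrictions` check applied to an exported Policies\System key tells you whether DisableTaskMgr is what is keeping Task Manager from opening.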
gerbil 216 Industrious Poster

Hi, you need to remove this:
C:\WINDOWS\system32\tcpsvcs.dll
It is already running, started at boot by this key: O20 - AppInit_DLLs: tcpsvcs.dll ... If you cannot manually delete the file in normal mode you will not be able to do it in safe mode either, because it is loaded and running before you get to log on, so you will need to unlock it first. This tool should do the job...
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
So try it and post another log.

cynikal commented: very good +1
gerbil 216 Industrious Poster

You may have dropped through the cracks here, billy. So.... while crunchie is having a cup of tea:
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [cjkkkjzipnm] E:\WINDOWS\system32\cjkkkjzipnm.exe
O4 - HKLM\..\RunServices: [cjkkkjzipnm] E:\WINDOWS\system32\cjkkkjzipnm.exe

Good. Delete these files:
E:\WINDOWS\system32\cjkkkjzipnm.exe
E:\WINDOWS\system32\cjkkkjzipnm.exe

Now if you are gaming you don't need all those toolbars and browser helpers, do you [they sit in memory...]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - E:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [LXCFCATS] rundll32 E:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
...and you don't need anything in the trusted zone [why bypass all your normal site safety settings?]
O15 - Trusted Zone: *.line6.net

SillyBilly commented: This give me speed, and was very helpful. +1
gerbil 216 Industrious Poster

A Bagle worm. Cool. G'day, bobby, Mcafee is one AV service it shuts down, AVG is another. You should be able to load one of them now.
Bagle uses a rootkit; if you were to start your PC in Safe mode and scan from there the rootkit would not be activated and so the files etc that it protects would be visible. To start in Safe mode go Start, run msconfig, under Boot.ini check Safeboot and allow your sys to restart. However Panda should have cleaned your sys properly already; rerun it in safe mode if you wish [Safe mode with Networking...]
Good. Now for that safe mode issue if it reoccurs. It could be a sys file that is corrupted - I doubt it but it is the easiest thing to test. Run sfc /scannow and load your same-spec installation cd.
Not fixed? There are a lot of registry entries concerned with booting specifically into safe mode, lists of drivers to load and so on. If these are damaged the easiest way to repair them is probably to run Windows Repair using your installation cd. Boot from the cd, ignore the repair with Recovery console option and instead choose Setup, select your installation and go from there.
Say how you get on... n happy new year!

gerbil 216 Industrious Poster

Looks okay to me, rabbott.
Personally, I would not have file sharing pgms as startup entries, rather I would start them on demand. As they are it means your connection capability can be eaten up by ppl uploading silently from you, and you may or may not appreciate that... if not, fix these two:
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
Do all those elements of your active desktop still work? Fix the ones that do not [O24 entries].
And that is all. Good luck out there.

rabbott commented: Very diligent help with HJT logs. Thanks +1
gerbil 216 Industrious Poster

DeOnna, for some reason [not your fault, it's the trojan...] that operation did not fully work, so please repeat option2 with the same block of entries [repeated below]
[We are trying to copy the original files back into their proper locations, overwriting the affected files.]
So:
-option 2, FindAWF: dclick the .exe to start the program, select to restore files, into the text file that opens paste all the text between the lines:
_____________________________________________________________
"C:\Program Files\HP DigitalMedia Archive\bak\DMAScheduler.exe"
"C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
"C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\Snapfish\Snapfish PhotoShow\data\Xtras\bak\mssysmgr.exe"
_____________________________________________________________

-close the text file and click Yes. Please post the contents of the notepad that opens.

deonnanicole commented: Great help, with easy to read instructions...thanks so much!! :) +4
gerbil 216 Industrious Poster

==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in Safe Mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows. Please post C:\rapport.txt
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily …

Danarchy commented: Timely reply with good info. +4
gerbil 216 Industrious Poster

AVG7 does me. Lessee... doesn't hog resources, reliable and quick updating...

gerbil 216 Industrious Poster

Hello, kained, please start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [mpeg heck log link] C:\Documents and Settings\All Users\Application Data\Joy coal mpeg heck\setup jugs.exe
O4 - HKLM\..\Run: [bib bat meet link] C:\Documents and Settings\All Users\Application Data\film start link joy\Joy wait ping.exe
O4 - HKCU\..\Run: [AudioMeet] C:\DOCUME~1\Dave\APPLIC~1\NAMETI~1\1one.exe

==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner.]
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here, along with a fresh hijackthis scan plus your comments.

gerbil 216 Industrious Poster

First, go to add/remove pgms and uninstall MyWebSearch, then delete the pgm folder of that name.
This is your main problem :
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
And then there is this, a pest:
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm021YYGB
-fix both with hijackthis, then delete the file C:\WINDOWS\Temp\startdrv.exe [you may have to do it in safe mode....]
Alternatively you could download Unlocker to delete it...
If it returns you could try Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

gerbil 216 Industrious Poster

Kristy, when this cleanup is over you should do a backup of your system state cos a couple of files are missing [google for how...], note that this is not the same as a system restore!!
More work: go to add/remove pgms and remove this pgm, then into C:\program files and delete its folder:

 IpWins

Good, now please fix these with hijackthis in normal mode:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe"
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [SetupVentureAfrica.exe] C:\DOCUME~1\Kristy\Desktop\SETUPV~1.EXE /r
O4 - Startup: .protected
O4 - Global Startup: .protected
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {FFC0A381-8145-4CFD-A768-A2259776C179} (PTV xVectorMap Plugin 3.1) - http://xvectormap.ptv.de/xvectormap/PTVxVectorMap31.cab

Now please do these runs in this order:
Combofix
Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
..or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if …

gerbil 216 Industrious Poster

What i hoped would be understood is that Microsoft Updates is just gee-gaws for M$ apps. They are not [generally] vital ... they certainly are not fixes for security issues. Those are in Windows Updates. So you don't need MU running constantly.
Further, as far as WU goes, in your security centre make the setting to Notify you when they are available. Don't panic about this, M$ will notify you every time you turn your sys onto the net until you dl or cancel them.

Cobra-7 commented: Some very good information I was not aware of. THX +1
gerbil 216 Industrious Poster

Crazy, I run AVG FRE [AS], Zonealarm, Spywareblaster. That's it. And had only one case of spyware about two years ago, never a virus. Course, if you dredge the sewers you're gonna come up with a rat in your hand sooner or later. No AV is perfect. AS? I have Adaware and AVG 7.5, run them maybe monthly. Surfing wisely is a must. Hijack this? dl it only when you need it... same with other special tools.
Get a few more opinions.

gerbil 216 Industrious Poster

If your mum only goes to reputable sites... banks, etc., then all she needs is Windows Firewall, no AV, no AS. But who knows what mums get up to when the door is closed.

maui_mallard commented: Very Interesting Comments +1
gerbil 216 Industrious Poster

Go to this link and get TCPView. Install it into its own folder cos you may find it worth keeping along with like troubleshooting gear.
Start it by double-clicking the .exe. Now have a look and see what is using your connection.
http://www.microsoft.com/technet/sysinternals/networkingutilities.mspx [a source of very good stuff]
By the way, why do you have hp as a home address? Personally I would fix/remove all your R1 and R0 entries [with HijackThis]... but you may think otherwise.
-I do not think that your problem is spyware based, rather that an autostart pgm is trying to download updates. Or something like that.
For example you have a time synch autostart. XP with defaults already does that for you every time you connect to the web, or at least once per week.
So I would remove those R's, and run TCPView. Come back with what you find.

KeithMcL commented: Some love for helping me ;-) +3
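The same "what is using my connection" view TCPView gives can be had from built-in tools. The script below is an added example for this thread, not gerbil's code and not part of TCPView: it parses `netstat -ano` (available since XP) and joins each socket to its owning process with Get-Process. The function name `Get-ConnectionOwner` and the `-EstablishedOnly` switch are my own.

```powershell
# Added example (not from the thread): list TCP/UDP sockets with the owning
# process, the way TCPView does, using only netstat.exe and Get-Process.
# Assumes: Windows with PowerShell; netstat -ano prints PROTO, LOCAL, REMOTE,
# [STATE], PID columns (STATE is absent for UDP rows).
function Get-ConnectionOwner {
    param([switch]$EstablishedOnly)

    # Snapshot running processes once, keyed by PID, for the join below.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    # -a all sockets, -n numeric addresses, -o owning PID. Keep only data rows.
    $rows = (netstat -ano) | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }

    foreach ($row in $rows) {
        $f = ($row -split '\s+') | Where-Object { $_ -ne '' }
        $proto  = $f[0]
        $local  = $f[1]
        $remote = $f[2]
        if ($proto -eq 'TCP') {
            $state    = $f[3]
            $ownerPid = [int]$f[4]
        } else {
            $state    = ''          # UDP rows have no state column
            $ownerPid = [int]$f[3]
        }

        if ($EstablishedOnly -and $state -ne 'ESTABLISHED') { continue }

        # A PID with no matching process means it exited between the two snapshots.
        $p = $procs[$ownerPid]
        if ($p) { $name = $p.ProcessName; $path = $p.Path }   # Path may be $null without admin rights
        else    { $name = '<exited>';      $path = $null }

        [pscustomobject]@{
            Proto   = $proto
            Local   = $local
            Remote  = $remote
            State   = $state
            PID     = $ownerPid
            Process = $name
            Path    = $path
        }
    }
}

# Usage: show only live outbound/inbound TCP sessions, grouped by process.
Get-ConnectionOwner -EstablishedOnly | Sort-Object Process | Format-Table -AutoSize
```

Anything that shows up as `svchost` or `System` needs one more step, since many services share one svchost.exe: `tasklist /svc` lists which services live in each PID, so you can tell a time-sync or update service from something that should not be talking to the net. Run the script from an elevated prompt if the Path column comes back empty.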
gerbil 216 Industrious Poster

Go into your BIOS [Delete key on boot], advanced settings I think, and disallow auto-restart on error. Then you will be able to read the error screen at leisure. Tell us.

gerbil 216 Industrious Poster

desktop.htt pretty much controls the size and position of your desktop and the wallpaper you have on it, plus it includes a little ActiveX control to allow you to reshape it..... IE7 is a little bit incompatible with the old profile you may have had already.
Since this file is automatically generated by Windows, the best fix is to delete the old one[s] and let Windows create a new one. To do this open an Explorer window and go to Tools > Folder Options > View, and uncheck Hide protected operating system files. Apply and OK. Then do a search in your sys drive [usually C:] for desktop.htt. It will be in Docs and Settings\User\Application Data\Microsoft\Internet Explorer.
Delete them [it, whatever...]. Close the Explorer window, right-click your desktop and click Refresh, and then go back and RECHECK that box. You really don't want those special files exposed all the time!!
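The same clean-up can be done from a PowerShell prompt without ever unticking the "hide protected operating system files" box, which removes the risk gerbil warns about of leaving those files exposed. This is an added example for the thread, not gerbil's code; the function name `Remove-StaleDesktopHtt` is my own, and it assumes `%APPDATA%` resolves to the user's Application Data folder (on XP that is the Docs and Settings\User\Application Data path named above).

```powershell
# Added example (not from the thread): delete the stale desktop.htt file(s)
# for the current user so Windows regenerates them, without changing
# Explorer's "hide protected operating system files" setting.
# Assumes: $env:APPDATA points at <profile>\Application Data (XP) or
# <profile>\AppData\Roaming (Vista and later); the IE folder is the same under both.
function Remove-StaleDesktopHtt {
    param([switch]$WhatIf)   # -WhatIf only reports what would be deleted

    $ieData = Join-Path $env:APPDATA 'Microsoft\Internet Explorer'
    if (-not (Test-Path -LiteralPath $ieData)) {
        Write-Warning "No Internet Explorer profile folder at $ieData"
        return @()
    }

    # -Force is what makes hidden and system files visible to Get-ChildItem,
    # so there is no need to expose them in the Explorer GUI.
    $files = Get-ChildItem -LiteralPath $ieData -Filter 'desktop.htt' -Recurse -Force -ErrorAction SilentlyContinue

    $handled = @()
    foreach ($f in $files) {
        # -Force on Remove-Item lets it delete hidden/read-only/system files.
        Remove-Item -LiteralPath $f.FullName -Force -WhatIf:$WhatIf
        $handled += $f.FullName
    }
    $handled
}

# Dry run first, then the real thing.
Remove-StaleDesktopHtt -WhatIf
Remove-StaleDesktopHtt
```

After it runs, right-click the desktop and choose Refresh as the post says; Windows writes a fresh desktop.htt on the next desktop redraw. Because nothing was changed in Folder Options, there is no box to remember to re-tick afterwards.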

gerbil 216 Industrious Poster

Are you using IE7?

gerbil 216 Industrious Poster

Ignore the cookies that Panda turned up... you can clean those out before/after with CCleaner, anyway. Further, if they have had a chance to dl from the net, trojans may well have new files in the Windows temp folder. Google the other bad stuff and find removal methods.
Those worms. Welchia exploits bad M$ code, it even deliberately downloads some from M$; you have no protection until you get SP2 in. And Kaspersky online is the same scan as the trial, but the trial could run faster cos it's all inside your PC.
If Spybot gets frozen you still have problems in there, and it must be protected by rootkits or something because there are no traces of it in your HT scans. Meantime go here and download WinPFind and post the log.
http://www.bleepingcomputer.com/files/winpfind.php

wolffie9 commented: consistently knowledgeable and helpful +1
gerbil 216 Industrious Poster

OK, stix..... time to run the Clean option with SmitfraudFix.
- Disconnect from the net
- Check that a Restore point has been made.
- Now go into safe mode.
- Start Smitfraudfix as before and press 2, Enter.

===You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].

The tool will next check if wininet.dll is infected - if it is you will be prompted to replace the file; type Y and press Enter.
Reboot into normal Windows and post here the text file which will appear on your screen, along with a new HT log.
You will also have to restore your desktop background...

Sorry I was slow in replying... the weekend got in the way.

LivinNstiX commented: Very helpful person!!! ***** 5 stars +1
gerbil 216 Industrious Poster

Twoyorkie... are you sorted now? I got a bit confused by the threads in here.... glad to have been of help, anyway.

Samashahdi.... HKLM is hive key local machine... you gotta open up those folders.... now I also meant for you to open CurrentVersion [by clicking on it], and not to merely expand it by clicking the plus box. Sorry though, in my original post I put a space in the data word RegisteredOwner. Try searching for that... and BE CAREFUL IN THERE!!!

twoyorkie commented: Much needed info supplied with ease,thanks +1
gerbil 216 Industrious Poster

I know this is a slight diversion from the quickbasic45 topic at hand, but someone opened the door with a ref to qbasic71 running on DOS with XP. So, if you were to download QB71 and unzip it, you would see a shortcut which will sit nicely on your XP desktop. It opens the blue QB programming window directly, no faults. The link to QB71? Normally I would not like to give someone else's links, but heck, he posts here. Name is Nazgand (a "Rings" fan??). Find him by googling qb71 windows xp. Go for his last link, 29 May. Hope this helps someone....