gerbil 216 Industrious Poster

dukane seemed interested in M$'s method #2. Which is the same as the B PE method..... and if you have the XP cd already, then... done.

gerbil 216 Industrious Poster

Yep. Here in the last line of this block is the correct entry for userinit.exe:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
DefaultDomainName REG_SZ GEORGE-6JXTPIR4
DefaultUserName REG_SZ George
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PowerdownAfterShutdown REG_SZ 0
ReportBootOk REG_SZ 1
Shell REG_SZ Explorer.exe
ShutdownWithoutLogon REG_SZ 0
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

Unfortunately the key that your MBAM keeps finding and removing "...CurrentVersion\Winlogon\Userinit" is not there, meaning that it has not re-occurred since last removed.
I think that there is another file being referenced in that trojan Userinit key, it is a rootkit and so is hidden. Possibly.
Please:
==Download [with IE only!!] the latest standalone version of Blacklight from ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe - Start it, accept the agreement and Scan.
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Do you have a file: \Windows\system32\ntos.exe?

gerbil 216 Industrious Poster

That code is for Generic Potentially Unwanted Pgm, an as-yet unidentified malicious software.
Can you connect to one of these sites now, with TDSSServ disabled?
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
If you can not connect and dl that file, then try this instead:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next …

gerbil 216 Industrious Poster

Nice, Sham. Nothing bad shows in your hijackthis log, so I am going on guesswork from your description of the problem plus the nature of the pest that is currently causing a lot of problems. Let McAfee remove that program related to TDSSServ. I should mention that TDSSServ is a rootkit; it is being used to hide some malware.
With TDSSServ disabled, please run a fresh hijackthis scan, post the log.

gerbil 216 Industrious Poster

Sham, right now please do this and report back on what you find:
Go to Start [All Pgms] > Administrative Tools > Computer Management > Device Manager > View > Show Hidden Devices.
-expand “Non-plug and Play Drivers” ,
-search for TDSSServ
-right click on it, and select Disable [do not Uninstall!!]

gerbil 216 Industrious Poster

This will get the Winlogon key for us:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat to your desktop; dclick it to run, then post the file C:\showkey.txt

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s >>C:\showkey.txt
start C:\showkey.txt
pause

Post the notepad that opens.
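As an added example (not part of the thread, nor gerbil's code), a small Python check over the kind of `reg query ... /s` output that showkey.bat writes to C:\showkey.txt: it parses the dump, confirms that Userinit and Shell hold only their expected programs, and flags any Userinit subkey, since Userinit should be a value in Winlogon, not a subkey. Both sample dumps are constructed for this example; the tampered one chains ntos.exe, the file the thread asks about, after userinit.exe.

```python
"""Audit Winlogon values from `reg query ... /s` output for tampering."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape `reg query "HKLM\...\Winlogon" /s` prints;
# the values mirror the clean key posted in the thread.
CLEAN_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    DefaultDomainName    REG_SZ    GEORGE-6JXTPIR4
    DefaultUserName    REG_SZ    George
    LegalNoticeCaption    REG_SZ
    LegalNoticeText    REG_SZ
    PowerdownAfterShutdown    REG_SZ    0
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    Explorer.exe
    ShutdownWithoutLogon    REG_SZ    0
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
"""

# Constructed tampered variant: a second program chained after userinit.exe
# and a bogus Userinit subkey (Userinit should be a value, not a subkey).
TAMPERED_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    (Default)    REG_SZ    C:\WINDOWS\system32\ntos.exe
"""

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
EXPECTED_SHELL = "explorer.exe"

# One value line: indented name, REG_* type, optional data (may be empty).
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)(?:\s+(.*))?$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Map each key path to {value name: (type, data)}; empty data -> ''."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, typ, data = m.group(1), m.group(2), (m.group(3) or "").strip()
                keys[current][name] = (typ, data)
    return keys


def audit_winlogon(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the key looks clean."""
    findings: List[str] = []
    for path, values in parse_reg_query(text).items():
        if path.lower().endswith(r"\winlogon\userinit"):
            findings.append(f"unexpected Userinit subkey: {path}")
        if not path.lower().endswith(r"\winlogon"):
            continue
        shell = values.get("Shell", ("", ""))[1]
        if shell.lower() != EXPECTED_SHELL:
            findings.append(f"Shell is {shell!r}, expected Explorer.exe")
        userinit = values.get("Userinit", ("", ""))[1]
        # Userinit is a comma-separated list; the trailing comma is normal.
        entries = [e.strip().lower() for e in userinit.split(",") if e.strip()]
        if not entries or entries[0] != EXPECTED_USERINIT:
            findings.append(f"Userinit does not start with the expected path: {userinit!r}")
        for extra in entries[1:]:
            findings.append(f"extra program chained after userinit.exe: {extra}")
    return findings


if __name__ == "__main__":
    for label, dump in (("clean", CLEAN_DUMP), ("tampered", TAMPERED_DUMP)):
        print(label, audit_winlogon(dump) or "no findings")
```

To check a real dump, read C:\showkey.txt into a string and pass it to `audit_winlogon`.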

gerbil 216 Industrious Poster

Re the Shift-Delete of those objects.. that is okay, perfect girl. I admit to mildly panicking when I saw that abbreviated hijackthis log from your previous post with most of the entries missing!
Now, if you ran this tool that I referred to earlier:
"==Download NoLop from the link on this page; some information is shown under the Proper Use button, press Search and Destroy to run the scan. Post the report C:\NoLop.log.
http://thespykiller.co.uk/index.php?action=tpmod;dl"
..you would still have this log: report C:\NoLop.log
If you have not already run it, please do so. Then make a fresh hijackthis log, post it plus the NoLop report.

gerbil 216 Industrious Poster

Cheers, whoost.
Firewalls.. there's always another one: Online Armour V2 free from http://www.tallemu.com
Highly rated, more than ZA, I believe.

gerbil 216 Industrious Poster

Userinit is normally a value [name] in the Winlogon key, and not a subkey of Winlogon. Its data entry would be C:\Windows\system32\userinit.exe
Could you export and post that Winlogon key please [before you rerun MBAM]?

gerbil 216 Industrious Poster

Okay, ranger.. did you not have the rootkit, TDSS? It would have complicated the solution..., but not all cases of ISpyNow involve it. It would show here if present:
Go to Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
-expand “Non-plug and Play Drivers” and click the plus icon to open those drivers.
-search for TDSSServ
-right click on it, and select Disable [do not Uninstall!!]
But if deleting files worked, you don't have it.
Cheers.

gerbil 216 Industrious Poster

Sure. I use Comodo Firewall Pro [it's free... they get their money from certifying secure sites].. but it will drive the casual puter user nuts. It is very comprehensive, possibly the best; you can spend hours working out its capabilities, and it is not set n ferget. But it is very good.
ZoneAlarm is good, and not demanding at all.
I can only speak from personal experience... I am not a reviewer; these are things I use/have used.

whoost commented: excellent dedication and speediest response I've ever been given +2
gerbil 216 Industrious Poster

No, that should be all, whoost. Play safe out there... :)
Basically, there should be no need to have anything in the internet trusted zone because that bypasses certificate checking. Safe sites are safe by definition, so no need to have them in there.

gerbil 216 Industrious Poster

This was the other report I wished to see, the one now saved at C:\NoLop.log
Could you please post that?

gerbil 216 Industrious Poster

pg, this may be important.
Please start hijackthis, press the View the List of Backups button.
In the new Backups window make sure that you place a checkmark in EVERY box, then press the Restore button.
Close hijackthis.
Next, open your Recycle Bin and restore all that you have deleted.
Good, now start Hijackthis again and run a fresh scan, post that new log.

gerbil 216 Industrious Poster

Hello, Salman, I hope things have calmed down considerably over there.
Your surfing... I have a problem in that your system has a net filter placed on it on your account [your log-in], and I do not think that I should advise you about removing it.
Moving on.. your version of hijackthis is superseded, so please delete it and follow these instructions:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe
-CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Yep... should only take 1/2 hour or so... doing a fresh installation beside the old.

gerbil 216 Industrious Poster

You're welcome, sickofit.

gerbil 216 Industrious Poster

Mmm... they were all quarantined by Combofix... and MBAM found them in there. I think you are clear to go, what is your opinion?
Go Start, run:
combofix /u
This will uninstall combofix and its files and quarantine folder.

gerbil 216 Industrious Poster

Sweet. How are things now?
Run this: Go Start, paste in:
combofix /u
-this will uninstall combofix and remove quarantined files.
Post a final hijackthis log.

gerbil 216 Industrious Poster

==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

The first is a system file, the others pests.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon.
Select "Perform Quick Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

I really cannot answer that question for you, in depth. Yes, of course it is better, that is why they designed it, but it costs more [a lil bit], and you will require as you say a new mb. A quick search will explain the differences in as much detail as you care for. It comes down to what you use your sys for, and if you, just you, will notice the difference. You would for gaming and CAD work, but never for everyday home pc work like networking, mailing, home accounting, or even for your average picture retouching work.
Comes down to money, and perhaps some sort of pride or satisfaction.
2GB is a fair jump from 1/2GB... and if you have a fast cpu you may notice the difference - your cpu will spend a lot more time doing nothing. I doubt that you are, or want to be, a full blooded gamer so just think a bit about why you are doing it.

gerbil 216 Industrious Poster

They may actually have the same name as you. You would not normally know their address details. Email them, say Hi.. we share the same name, tell me about yourself..... Well... Nigerians fool ppl into giving them bank account details.

gerbil 216 Industrious Poster

Looks good, sickofit.
Try MBAM now. Remember to update it first, and run the Quick Scan.

gerbil 216 Industrious Poster

You're welcome, oos.

gerbil 216 Industrious Poster

Looks good, oos. Is it working well for you?

gerbil 216 Industrious Poster

Fine, sham. Something is hidden from us... first please try this rootkit removal tool:
==Download [with IE only!!] the latest standalone version of Blacklight from ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe - Start it, accept the agreement and Scan.
And perhaps this virus scan [it involves a "huge" 35MB download, I understand if you may not wish to do it...]:
==Run [with IE only!!] the Online Scanner at http://support.f-secure.com/enu/home/ols.shtml
Post the results. If they fail to run then:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Post also a fresh hijackthis log run last.

gerbil 216 Industrious Poster

Thanks, crunchie.
pg, could I see this please :"Post the report C:\NoLop.log." NoLop appears to have not worked.
Uninstall those pgms as Crunchie suggests, then:

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Comp about extra bin] C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\Bend exit.exe
O4 - HKLM\..\Run: [bone thunk axis copy] C:\Documents and Settings\All Users\Application Data\pure coal bone thunk\Idol bore.exe
O4 - HKCU\..\Run: [Sect Real] C:\DOCUME~1\PERFEC~1\APPLIC~1\IDLE01~1\Gplantitype.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')

Good. Now delete these files:
C:\Windows\system32\blank.htm
C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\Bend exit.exe
C:\Documents and Settings\All Users\Application Data\pure coal bone thunk\Idol bore.exe
C:\DOCUME~1\PERFEC~1\APPLIC~1\IDLE01~1\Gplantitype.exe
- this last is C:\Docs & Settings\Perfect Girl\Application Data\IDLE01~1\Gplantitype.exe

Delete these folders:
C:\DOCUME~1\PERFEC~1\APPLIC~1\IDLE01~1 - I do not know the long form of IDLE01~1
C:\Documents and Settings\All Users\Application Data\Roam Program Comp About
C:\Documents and Settings\All Users\Application Data\pure coal bone thunk

Don't you love the names Lop constructs? "pure coal bone thunk"
I would have thought that NoLop would have removed those, which is …

gerbil 216 Industrious Poster

Crunchie, Avast flicks up a warning about a trojan -Swizzor from the removal tool site which is linked on that page you just gave. It is in the tool itself... Avast picked it up as Opera did a pre-download of the removal tool while I was reading on the site.
This from F-Secure:
TrojanDownloader.Win32.Swizzor is a small program that can end up on a user's system when he is browsing the Web. The program downloads and installs a LOP.COM-related plugin that acts as spyware/adware and provides customized search capabilities.
As downloading and installation occurs without a notification to the user and without the user's approval, we added detection for the downloader as a trojan.
To remove the downloader, it's enough to delete its file from the hard drive.

gerbil 216 Industrious Poster

That rather looks like a Lop infection there - it's pretty pesky adware. These two entries point it out:

O4 - HKLM\..\Run: [Comp about extra bin] C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\Bend exit.exe
O4 - HKLM\..\Run: [bone thunk axis copy] C:\Documents and Settings\All Users\Application Data\pure coal bone thunk\Idol bore.exe

Best to use the proper tool, and then follow up with a clean and general adware/spyware scan.
==Download NoLop by Derek from the link on this page; some information is shown under the Proper Use button, press Search and Destroy to run the scan. Post the report C:\NoLop.log.
http://thespykiller.co.uk/index.php?action=tpmod;dl
Next clean with:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
And finally run another hijackthis scan and post that log also, please.

gerbil 216 Industrious Poster

My head is spinning from thread hijacks, moving posts.... wheee.. :)
Oos, glad you had some malware for Smitfraudfix to work on... it gets dissatisfied if it cannot find any to fix when requested to do so by choice #2, and busts your desktop as revenge. I targeted a specific infection with that tool, namely this one: C:\WINDOWS\system32\avt.dll . I see that you had it.
Run a fresh hijackthis scan please, and post it.

gerbil 216 Industrious Poster

Ok. How annoying. You have a version of ISpyNow which is protected by a rootkit, it is very likely TDSS. So a few things we can try before you have to go walking with a flashdrive in your hot lil hand, to find a friendly type who will let you dl Combofix. We need it. Make sure to load the dl addy into the flashdrive... But first:
There is always another online scan: http://www.f-secure.com/security_center/
If it won't run, then:
==Download [currently it will not dl correctly with Opera; use IE] the latest standalone version of Blacklight from ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe - Start it, accept the agreement and Scan.

Else if we assume that it is TDSS, go into C:\WINDOWS\system32 and rename every file commencing with the letters TDSS to XXXTDSS. Here is a typical selection.. you may have some or none or similar others :

c:\windows\system32\TDSSblal.dat
c:\windows\system32\TDSScshc.dll
c:\windows\system32\TDSSdlpb.dll
c:\windows\system32\TDSSkfkl.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSojtp.dll
c:\windows\system32\TDSSqogd.log
c:\windows\system32\TDSSurev.dll
c:\windows\system32\TDSSwhke.log
c:\windows\system32\TDSSxnyq.dll
You may find some in c:\windows\system32\drivers\...
eg: c:\windows\system32\drivers\TDSSrfpc.sys

Try to run MBAM now [rename mbam.exe to mybm.exe first]. And then try to dl Combofix...
As crunchie said, you could delete any TDSS... files in system32 if you so wished. TDSS is a play on TSDDD, which is a valid displaydriver.

gerbil 216 Industrious Poster

Nice!
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.

Killall::

File::
C:\WINDOWS\system32\drivers\TDSSrfpc.sys
c:\windows\000002_.tmp

Driver::
TDSSrfpc

Service::
TDSSSERV

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]

Good. Now drag the CFScript.txt icon onto the Combofix icon on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
And could you now try to install and run MBAM, please? Update and run the Quick scan.

gerbil 216 Industrious Poster

K, as I thought, there was a rootkit attached to that spyware, which hid it.
I must stop for 20 mins, will get back to you within the half hour.

gerbil 216 Industrious Poster

We can ignore that. Nice to have it installed though, in any case. Does not take up much disk space. But the installation cd carries it, and is not too inconvenient.

gerbil 216 Industrious Poster

Sickofit, can you try to access a Combofix dl site from Safe Mode with Networking? If successful, run Combofix from Safe mode.
You could try these scans, one should do, again from safe mode:
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java. Panda will clean only virii, but it is superb at listing other malwares which can then be targeted.
Please ATTACH to your post the log it produces.
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....

gerbil 216 Industrious Poster

Restart your sys in Safe Mode, delete that file C:\WINDOWS\system32\mst120.dll, and then run Combofix while still in Safe Mode.

gerbil 216 Industrious Poster

Sickofit,
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
If by some chance Combofix will not run try renaming the combofix.exe to mycomfx.exe, and dclicking it.

gerbil 216 Industrious Poster

whoost, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O18 - Filter hijack: text/html - {7983b7fb-57b3-4360-8616-c6e6b164031e} - C:\WINDOWS\system32\mst120.dll

Delete C:\WINDOWS\system32\mst120.dll
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Practice your reflexes on the Pause/Break button to see if you can capture that blue screen. Enter key to continue..

gerbil 216 Industrious Poster

Please post that Hijackthis log, you have more than Ispynow on the machine, I think. Delete the copy of MBAM installer [mbam-setup.exe] from your machine, load in a fresh copy from your flashdrive, rename the MBAM installer to mybam-setup.exe, run it. It should work. Then:
-ensure that it is set to update and start, else start it via the icon.
Select "Perform Quick Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

Hello, Sickofit, your hijackthis log is clean. Regarding ISpyNow, did you track down any of those files I listed?
Your problem is more than ISpyNow if the MBAM installer is blocked. If you have not already done so, please stop mbam-setup.exe from running. Download a fresh copy of the installer, rename it to mybam-setup.exe and see if it will run - it should.
Just so you do not have to chase about for instructions on MBAM:
=Dclick that file, mybam-setup.exe, to install the application,
-uncheck the Update and Start options, then click Finish.
Start MBAM via the icon, immediately Update it.
Select "Perform Quick Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
[Darn thread hijackers... :)]

gerbil 216 Industrious Poster

If you are that concerned about swap file usage you can remove it altogether. I think Windows even then still manages to do some disk swap work, somehow, but that is something I would have to check with a monitor. Windows allots RAM according to program design/inbuilt memory demands, the commit charge, but then actively manages memory for the immediate demand. Doing things that way, it has to keep a fair chunk up its sleeve for unexpected memory demands. Some interrupts cannot be ignored/postponed. With only TM running mine keeps about 50MB in reserve [apart from Available mem], but that jumps to 100MB as soon as I open an app. I also use a separate disk for the swap file. It is on timed shutdown if no activity... I hear it wind up again occasionally, but if I have high mem demand stuff running it stays full on. Windows will run happily on 1/2GB, but some apps may cause it to give you a Running low on Virtual Memory warning. [Btw, you will often see on the web that VM is the swap file. No it aint. With memory management VM is considered to be ALL memory - it is called virtual because running processes are not actually getting the memory they asked for. Roughly speaking].

gerbil 216 Industrious Poster

DOS age? Then you would just love PhotoRec. Best of luck.

gerbil 216 Industrious Poster

"Now my assumption in my layman's terms is that the entry in the FAT still shows the correct size entries for each .jpg" ... what does Explorer show - are they credible file sizes? I ask because:
"It is also clear the available space on this drive increased quite a lot after the crash and chkdsk recovery"
You mention the FAT, but is the disk FAT or NTFS format?
I don't know what sort of software, apart from a selection of malwares, or crash, would rewrite thousands of jpg files and cause other disk errors. Corrupt a few, yes, depending upon your disk caching and what files were open at the time. And thumbnails, once created, are separate entities from the file itself.. if the viewing pgm can not present some thumbnails then it is likely that the file itself is null.
Look, try this software... it bypasses the MFT and tries to find file types you specify via their headers, but won't find fragmented files.
http://www.cgsecurity.org/wiki/TestDisk_Download
Unpack it, start PhotoRec from the exe itself in the win folder - READ the instructions in each window!!
-Select the disk, then Intel,
- in the next window go to File Opt, pressing s will toggle all or none, so uncheck all boxes and then select jpg by pressing x, then b to save. Acknowledge the OK, then Quit.
-select the partition to search in, select Search,
-Other,
-Whole,

gerbil 216 Industrious Poster

Hello, sham... you have some dodgy registry keys which were used once to unregister your shell32.dll, possibly so as to modify it, so let's fix those and see where we can go from there. Unfortunately at the moment I do not know what software is behind it.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)

Then go Start, and paste into the Run box:
sfc /scannow -you will require your installation cd.
When done, try an online scan such as Kaspersky.
http://www.kaspersky.com/virusscanner
Will MBAM update and run now?

gerbil 216 Industrious Poster

Without another sys to load programs from, I can only suggest that you search Docs & Settings for files with these names :

nah_jpde.exe
runhh6110411.exe
learn32.dll
mscscc.dll
rehh
vigrs
Ina
comm3
fsh1

..and delete them. Once [if] you find some then note the file modification time [there is a column in Explorer that shows it] and work your way through each folder in D & S, ordering them by File Mod time to locate others with the same time as those you found. Tedious, I know. Restart, and see if they have stayed deleted.
Please post back with a list of those you found and deleted.

gerbil 216 Industrious Poster

Hello, Graham...
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in Safe Mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows. Please post C:\rapport.txt
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]
Post another hijackthis log with your comments.

gerbil 216 Industrious Poster

Task Manager. Urk. The figure at the foot of the PF Usage chart is in MB, all other figures are in KB, and the conversion factor is 1024.
PF Usage is a misnomer in Task Manager. But the figure at the foot of the Page File Usage monitor is the Commit Charge, which is actually the sum of RAM in use + Page file being used.
Commit Charge [KB] = current total memory usage [of both RAM + PF][KB]. It is just the amount of virtual memory the OS has committed to the running programs.
Limit CC = Most of installed RAM + Page File size. Most of RAM? XP always keeps a variable amount of RAM in reserve. If you disable your page file you will see that CC Limit is less than Total Phys MEM [RAM] by about 50KB or so, the reserve. This rises rapidly as you have more processes running, probably because the OS calculates that there is a bigger chance of an emergency memory call occurring.
At bottom of TM you see that PF Usage number repeated as Commit Charge [Total]. The second figure there is Commit Charge Limit, now in MB ...[x 1024 to get KB].
So when you say you have 490992KB of RAM, and your "PF Usage" is 503800KB you can see that you are only using a tiny bit of your Page File. Of course, XP is not going to be using all of your RAM …