gerbil 216 Industrious Poster

Mary C., some more work from the Panda log:

==You must clear all your system restore points because some have been infected.... you do this by toggling System Restore Off then On again. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
=Uninstall Viewpoint
=If you do not use it, delete this from your desktop:
c:\documents and settings\mary catherine\desktop\complete incredimail installation.lnk
=Delete these folders:
C:\Program Files\Trend Micro\HijackThis\backups
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\Mary Catherine\Local Settings\Application Data\Wildtangent

==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FF65677A-8977-48CA-916A-DFF81B037DF3}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0878B424-1F95-4e26-B5AB-F0D349D89650}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{556DDE35-E955-11D0-A707-000000521958}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{205ff73b-ca67-11d5-99dd-444553540006}]

Update MBAM and run it, post that log plus a fresh hijackthis log.

gerbil 216 Industrious Poster

Heya, steiner.. a draw in hockey is fine.. you live again. But now to work, Mary C.:
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.

Killall::

Rootkit::
c:\windows\system32\drivers\lvuvc.hs

File::
c:\windows\SYSTEM32\tmpED0D3.FOT
c:\windows\SYSTEM32\tmpB31D3.FOT
c:\windows\SYSTEM32\tmp4EFC3.FOT
c:\windows\SYSTEM32\tmp080D3.FOT
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
c:\windows\msdownld.tmp
c:\windows\SYSTEM32\rufozobo.dll
c:\windows\SYSTEM32\wegabalu.dll
c:\windows\SYSTEM32\nogorike.dll
c:\windows\SYSTEM32\hulahake.dll
c:\windows\SYSTEM32\fonebipi.dll
c:\windows\SYSTEM32\figepevo.dll
c:\windows\SYSTEM32\jifojuse.dll
c:\windows\SYSTEM32\zipavagi.dll
c:\windows\system32\5jDxbYE0.exe
c:\windows\system32\571PnxT3.exe
C:\WINDOWS\system32\yojonaso.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Folder::
C:\!KillBox
C:\VundoFix Backups

Registry::
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run]
"mazayefoha"=-

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run]
"mazayefoha"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

Good. Now drag the CFScript.txt icon onto the Combofix icon on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

gerbil 216 Industrious Poster

Hello, steiner... are you at home for the evening now? Can you get Panda to complete? Meanwhile, we will have one last shot with Avenger, and then try something else.
FIRSTLY:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to C:\
[it must be C:\fixkey.reg]. Make sure you include the blank line at the bottom.

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run]
"mazayefoha"=-

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run]
"mazayefoha"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-

[-HKEY_CURRENT_USER\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}]

[-HKEY_CLASSES_ROOT\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}]

SECONDLY:
Avenger.
You must be in an Administrator-privileged account to run this procedure...
-start it;
-copy the txt in the box below and paste into the Script Input box as one block:-

Files to delete:
C:\WINDOWS\system32\zobubabe.dll
c:\windows\system32\ritibiji.dll
c:\windows\system32\kedohugu.dll
c:\windows\system32\gedarehi.dll

Registry keys to delete:
HKLM\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}

Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | CPMdf6daeaf
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}

Programs to launch on reboot: 
C:\fixkey.reg

Okay, now delete your copy of Combofix and dl a fresh one, run it:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
-rename Combofix.exe on your desktop to SteinerCF.exe
- to run it dclick the …

gerbil 216 Industrious Poster

I don't really keep up with the legal aspects of M$'s sales.... but I think it is only grudgingly that they let you have a copy of the software when you buy it. Even then you don't actually own it. The agreement says somewhere that you may make a single copy to preserve the integrity of the original..? Having it available for general download would not fit with that less than generous attitude.
Borrow a cd. Good opp to meet your neighbour. Take cookies.

gerbil 216 Industrious Poster

My fault... I put a key deletion in the wrong part of my post... :(. This will sort it out.
FIRSTLY:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop.
Make sure you include the blank line at the bottom.
Dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run]
"mazayefoha"=-

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run]
"mazayefoha"=-

[-HKEY_CLASSES_ROOT\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}]

Okay, that will simply flash a black window as it runs....
Now please make and post a hijackthis log.
Regarding Panda.. it is my experience that only bad infections can interfere with its running, but try it again because it may have broken part of it before it was broken itself. I will check back here within two hours for the HT log.
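Regedit is strict about the shape of a .reg file: the header line must be present, every key must be written with its full hive name (HKEY_USERS, HKEY_CURRENT_USER, HKEY_CLASSES_ROOT, ...; the HKLM/HKCU/HKUS/HKCR shorthand that HijackThis and Avenger use is refused with a "not a registry script" error), `[-key]` deletes a key, `"name"=-` deletes a value, and the file must end with a blank line. The checker below is an added example written for this page, not a tool from the thread. The two scripts inside it are constructed samples, and the KNOWN_TYPOS table is a heuristic of this example, not anything Windows itself enforces.

```python
import re

REG_HEADERS = {"Windows Registry Editor Version 5.00", "REGEDIT4"}
# Root names regedit accepts in a .reg script. The short forms that HijackThis
# and Avenger use (HKLM, HKCU, HKUS, HKCR) are NOT accepted by regedit.
FULL_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
              "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG"}
SHORT_HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
               "HKU": "HKEY_USERS", "HKUS": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}
# Heuristic table of this example: key path fragments that are commonly
# mistyped by hand, mapped to the spelling Windows actually uses.
KNOWN_TYPOS = {"current version": "CurrentVersion"}

KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')            # [key] or [-key]
VALUE_RE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')     # "name"=data, @=data, "name"=-


def lint_reg(text):
    """Parse a .reg script; return (actions, problems).

    actions  - what regedit would do, in order (dicts with an "op" field)
    problems - human-readable findings; an empty list means the script is
               well-formed as far as this checker knows
    """
    text = text.replace("\r\n", "\n")
    lines = text.split("\n")
    actions, problems = [], []
    if lines[0].strip() not in REG_HEADERS:
        problems.append("line 1: missing header, expected 'Windows Registry Editor Version 5.00'")
    if not text.endswith("\n\n"):
        problems.append("file must end with a blank line")
    current_key = None
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):     # blank line or comment
            continue
        m = KEY_RE.match(line)
        if m:
            delete, path = m.group(1) == "-", m.group(2)
            root = path.split("\\", 1)[0]
            if root in SHORT_HIVES:
                problems.append("line %d: regedit does not accept %s, use %s"
                                % (n, root, SHORT_HIVES[root]))
            elif root not in FULL_HIVES:
                problems.append("line %d: unknown hive %r" % (n, root))
            for bad, good in KNOWN_TYPOS.items():
                if bad in path.lower():
                    problems.append("line %d: %r looks like a typo for %r" % (n, bad, good))
            current_key = path
            actions.append({"op": "delete_key" if delete else "ensure_key", "key": path})
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            data = m.group(3)
            op = "delete_value" if data == "-" else "set_value"
            actions.append({"op": op, "key": current_key, "name": name, "data": data})
            continue
        problems.append("line %d: unrecognised line %r" % (n, line))
    return actions, problems


def fix_reg(text):
    """Return a copy of the script with short hive names expanded, known
    typos corrected and exactly one blank line at the end."""
    out = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        m = KEY_RE.match(raw.strip())
        if m:
            root, _, rest = m.group(2).partition("\\")
            root = SHORT_HIVES.get(root, root)
            for bad, good in KNOWN_TYPOS.items():
                rest = re.sub(re.escape(bad), good, rest, flags=re.IGNORECASE)
            raw = "[%s%s]" % (m.group(1), root + ("\\" + rest if rest else ""))
        out.append(raw)
    return "\n".join(out).rstrip("\n") + "\n\n"


# Constructed samples: one script regedit will import, one it will reject.
GOOD_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[-HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{FF65677A-8977-48CA-916A-DFF81B037DF3}]\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center]\n"
    "\"UpdatesDisableNotify\"=dword:00000000\n\n")
BAD_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKUS\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    "\"mazayefoha\"=-\n\n"
    "[HKCU\\Software\\Microsoft\\Windows\\Current Version\\ShellServiceObjectDelayLoad]\n"
    "\"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\"=-\n")   # no trailing blank line

if __name__ == "__main__":
    for label, script in (("good", GOOD_REG), ("bad", BAD_REG)):
        actions, problems = lint_reg(script)
        print(label, len(actions), "actions;", problems or "no problems")
    print(fix_reg(BAD_REG))
```

Run it before handing a hand-typed .reg to someone: an empty problems list from lint_reg means regedit will at least parse the file, and fix_reg rewrites the usual HijackThis-style shorthand into the form regedit wants.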

gerbil 216 Industrious Poster

Good-oh, jim.
M$ error from your last post: The instruction at "0x745f2780" referenced memory at "0x00000000". The memory could not be 'read'. Notice that it refers to svchost.exe; the latter info is taken from the error log.
Your reported error: The instruction at 0x7c91b1fa referenced memory at 0x00000010. Note that a different instruction location and a different memory address are involved; it is not the same cause as that of M$. You need to look back through your error logs to find which process/service caused the error. It will still be there in the log - check back through Administrative tools > Event Viewer, Applications. I doubt very much that your error was svchost.exe related, you would have mentioned other symptoms..... Would like to know what you find...
That was not the MBAM log I hoped to see; I wanted to see the one with the detections and fixes applied. But no matter now.

gerbil 216 Industrious Poster

It is Hillsborough County Public Schools.. do you or staff have anything to do with this?

gerbil 216 Industrious Poster

These are my crossword puzzles.
Ok, to continue.. I would like to see the MBAM log... the one with Successfully deleted and Delete on reboot, which instruction you would have followed, of course.
tdssserv.sys is a rootkit, MBAM found and should have deleted it...

gerbil 216 Industrious Poster

Hello, Steiner.. let's repeat that exercise with some additions. It won't hurt that we include the old info as well, just in case. Seeing "not found" is as nice as "successfully deleted".
Avenger may not be finding some of those keys because it ran my lil script first which would have deleted them.. some actions were repeated in it.
FIRSTLY:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to C:\
[it must be C:\fixkey.reg]. Make sure you include the blank line at the bottom.

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run]
"mazayefoha"=-

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run]
"mazayefoha"=-

SECONDLY:
Avenger.
You must be in an Administrator-privileged account to run this procedure...
-start it;
-copy the txt in the box below and paste into the Script Input box as one block:-

Files to delete:
C:\WINDOWS\system32\vovugesi.dll
c:\windows\system32\pofusido.dll
C:\WINDOWS\system32\yojonaso.dll
C:\WINDOWS\system32\zobubabe.dll
c:\windows\system32\ritibiji.dll
c:\windows\system32\kedohugu.dll
C:\WINDOWS\system32\libodame.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{607ebaea-4e2c-45fa-b527-3b36834d84f5}
HKCR\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}

Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | CPMdf6daeaf
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | dc5e9d33
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | mazayefoha
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}

Programs to launch on reboot: 
C:\fixkey.reg

...and click Execute.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt

Please post that log file, …

gerbil 216 Industrious Poster

and a fresh Hijackthis log also, run last. And we shall see. You realise that you have quite a toughie there..?

gerbil 216 Industrious Poster

Hello, steiner.. okay, we can work around that. But we need Avenger. Do not be concerned as it shuts down and restarts your computer a couple of times when we run it.
For the following be sure that your notepad format is set as wordwrap=unchecked.
FIRSTLY:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to C:\
[it must be C:\fixkey.reg]. Make sure you include the blank line at the bottom.

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run]
"mazayefoha"=-

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run]
"mazayefoha"=-

; AppInit_DLLs is a single string value listing every DLL; setting it empty removes all three entries
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

SECONDLY:
Now let's see what we can do with Avenger.
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop and start it;
-copy the txt in the box below and paste into the Script Input box as one block:-

Files to delete:
C:\WINDOWS\system32\cmd.execf
C:\WINDOWS\system32\attrib.exe
c:\windows\system32\kedohugu.dll
C:\WINDOWS\system32\vovugesi.dll
C:\WINDOWS\system32\yojonaso.dll
c:\windows\system32\ritibiji.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{607ebaea-4e2c-45fa-b527-3b36834d84f5}

Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | CPMdf6daeaf
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | dc5e9d33
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | mazayefoha
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Programs to launch on reboot: 
C:\fixkey.reg

...and click Execute.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt

Please post that log file.
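AppInit_DLLs is not a key holding one value per DLL; it is a single REG_SZ value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows whose data is a space- or comma-separated list of DLLs that user32.dll loads into every GUI process. Removing one entry therefore means rewriting the whole string. The following is an added example, not something from the thread: it splits the value, drops the named DLLs (matching case-insensitively on either the full path or the bare file name, since NT paths are case-insensitive) and emits the .reg fragment that writes the cleaned list back. The sample value and the "Legit\hook.dll" path are constructed for the example.

```python
import re

APPINIT_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
# Entries are separated by spaces or commas; an entry whose path contains a
# space must be quoted, so a quoted run is treated as one token.
TOKEN_RE = re.compile(r'"[^"]*"|[^\s,]+')


def parse_appinit(value):
    """Split the AppInit_DLLs string into a list of DLL entries (quotes removed)."""
    return [t.strip('"') for t in TOKEN_RE.findall(value) if t.strip('"')]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def remove_appinit_dlls(value, unwanted):
    """Return (kept, removed): the entries of `value` split into those that
    survive and those matching an `unwanted` entry by full path or by bare
    file name.  NT paths are case-insensitive, so comparisons are lower-cased."""
    full = {u.lower() for u in unwanted}
    names = {_basename(u) for u in unwanted}
    kept, removed = [], []
    for entry in parse_appinit(value):
        if entry.lower() in full or _basename(entry) in names:
            removed.append(entry)
        else:
            kept.append(entry)
    return kept, removed


def format_appinit(entries):
    """Re-join entries the way the loader expects, quoting paths with spaces."""
    return " ".join('"%s"' % e if " " in e else e for e in entries)


def reg_escape(s):
    """Escape a string for use as REG_SZ data in a .reg file."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def appinit_reg(entries):
    """Build a complete .reg script that sets AppInit_DLLs to `entries`
    (an empty list yields "AppInit_DLLs"="", which is the clean default)."""
    return ("Windows Registry Editor Version 5.00\n\n"
            "[%s]\n\"AppInit_DLLs\"=\"%s\"\n\n"
            % (APPINIT_KEY, reg_escape(format_appinit(entries))))


# Constructed sample: three malicious entries plus one legitimate hook DLL
# whose path contains a space (the legitimate path is invented for the example).
SAMPLE_VALUE = ('C:\\WINDOWS\\system32\\zobubabe.dll c:\\windows\\system32\\ritibiji.dll,'
                'c:\\windows\\system32\\kedohugu.dll "C:\\Program Files\\Legit\\hook.dll"')
UNWANTED = ["C:\\WINDOWS\\system32\\zobubabe.dll", "ritibiji.dll",
            "c:\\windows\\system32\\kedohugu.dll"]

if __name__ == "__main__":
    kept, removed = remove_appinit_dlls(SAMPLE_VALUE, UNWANTED)
    print("removed:", removed)
    print("kept:", kept)
    print(appinit_reg(kept))
```

The generated script escapes backslashes and embedded quotes as .reg data requires; when nothing legitimate is listed, the output is simply "AppInit_DLLs"="", the same end state as deleting the value.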

gerbil 216 Industrious Poster

One other thing you could check: Oreans32 - this is legitimate game-file protection software, but has also been subverted by hackers. Are any of your games currently broken since the running of SAS? Reinstalling the game would replace those files eg C:\windows\system32\drivers\oreans32.sys

gerbil 216 Industrious Poster

I will check through that lot... meanwhile.. did a fresh copy of Combofix [renamed] not run?
And I need to be clear on something.. from when you ran MBAM earlier the log shows all "No Action Taken" results against each entry - I would like to be sure that you did press REMOVE SELECTED button?
If not, relaunch Malwarebytes' Anti-Malware, then UPDATE it.
* select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and !!!CLICK Remove Selected.!!!
* When completed, a log will open in Notepad. Post it.

gerbil 216 Industrious Poster

The site exists still, but that file has been removed. If you can borrow an XP disk from someone you would find the Recovery Console on that... and it is naturally a bootable disk. And then, when you finally get your sys running, install the Recovery Console to your hard drive. Follow these steps [copied shamelessly from M$]:
1. Insert the Windows XP CD into the CD-ROM drive.
2. Click Start, and then click Run.
3. In the Open box, type d:\i386\winnt32.exe /cmdcons where d is the drive letter for the CD-ROM drive.
You will then have the Recovery Console as a boot option.

gerbil 216 Industrious Poster

Hello, James... you can post screenshots, you know [printscreen, then Accessories, Paint, paste into it], but I get the picture from your description.
You are seeing the optical drive in Disk Mgmnt cos you have a cd in the drive, hence the CDFS partition -that is of no concern. What is interesting is that the cd drive is shown above the problem hard drive in the first list - in my experience, no matter the drive letter assigned, it should appear at the bottom ie. after the hard drives.
I notice the Photo Album drive has no drive letter assigned. But it is shown as Active?!!
Active means that the PA drive is being used to provide the booting files for Windows; here is a bit of backgrounding for you:

When you first set up the partition(s) on a disk a boot sector will be written for each volume; one, which will be on a primary partition, and one only, must be marked as Active, unless this is a slave or data disk in which case none are marked Active. There will be only one boot sector per volume [volume = drive, if you wish.. eg c:, or d:]. The disk's master boot record will be written at the same time. Only one of these per disk.
XP can be placed in any partition, including logical, by itself.
When it commences loading the OS, BIOS searches for the Master Boot Record on the master …
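The rules in the post (one boot sector per volume, one MBR per disk, exactly one primary partition flagged Active on the disk that boots, none needed on a pure data disk) can be read straight out of the MBR: the 64-byte partition table at offset 446 holds four 16-byte entries whose first byte is the status (0x80 active, 0x00 inactive), and the sector ends with the 0x55 0xAA signature the BIOS checks before jumping to the code at its start. The parser and checker below is an added example, not part of the thread; the MBRs it examines are synthetic, produced by build_mbr, not dumps of anyone's disk.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries: 446, 462, 478, 494
BOOT_SIGNATURE = 0xAA55          # bytes 0x55 0xAA at offsets 510-511, read little-endian
ACTIVE = 0x80
ENTRY = "<B3sB3sII"              # status, CHS start, type, CHS end, LBA start, sector count
EXTENDED_TYPES = {0x05, 0x0F}    # container for logical partitions (XP can live in one of those too)


def parse_mbr(sector):
    """Decode a 512-byte MBR into its boot signature check and four partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR)
    signature = struct.unpack_from("<H", sector, 510)[0]
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY, sector, PART_TABLE_OFFSET + 16 * i)
        partitions.append({"index": i, "status": status, "active": status == ACTIVE,
                           "type": ptype, "empty": ptype == 0, "extended": ptype in EXTENDED_TYPES,
                           "lba_start": lba, "sectors": count})
    return {"signature_ok": signature == BOOT_SIGNATURE, "partitions": partitions}


def check_mbr(sector, boot_disk=True):
    """Return a list of problems; an empty list means the table satisfies the rules.
    boot_disk=True demands exactly one active primary partition; a data/slave
    disk (boot_disk=False) may have none."""
    info = parse_mbr(sector)
    problems = []
    if not info["signature_ok"]:
        problems.append("missing 0x55AA boot signature: BIOS will not boot from this disk")
    parts = info["partitions"]
    for p in parts:
        if p["status"] not in (0x00, ACTIVE):
            problems.append("partition %d has invalid status byte 0x%02x" % (p["index"], p["status"]))
        if p["active"] and p["empty"]:
            problems.append("partition %d is flagged active but has no type (empty slot)" % p["index"])
        if p["active"] and p["extended"]:
            problems.append("partition %d is an extended container and cannot be active" % p["index"])
    active = [p["index"] for p in parts if p["active"]]
    if boot_disk and len(active) != 1:
        problems.append("expected exactly one active partition, found %d" % len(active))
    elif not boot_disk and len(active) > 1:
        problems.append("more than one active partition: %s" % active)
    used = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts if not p["empty"])
    for (s1, e1, i1), (s2, e2, i2) in zip(used, used[1:]):
        if s2 < e1:
            problems.append("partitions %d and %d overlap" % (i1, i2))
    return problems


def build_mbr(entries, signature=True):
    """Construct a synthetic MBR for testing; entries are (status, type, lba_start, sectors)."""
    sector = bytearray(SECTOR)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY, sector, PART_TABLE_OFFSET + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    if signature:
        sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Constructed layouts (sector counts are arbitrary round numbers)
BOOTABLE = build_mbr([(ACTIVE, 0x07, 63, 20_000_000), (0x00, 0x0F, 20_000_063, 10_000_000)])
TWO_ACTIVE = build_mbr([(ACTIVE, 0x07, 63, 1_000), (ACTIVE, 0x07, 2_000, 1_000)])
NO_SIGNATURE = build_mbr([(ACTIVE, 0x07, 63, 1_000)], signature=False)
OVERLAPPING = build_mbr([(ACTIVE, 0x07, 63, 1_000), (0x00, 0x07, 500, 1_000)])
DATA_DISK = build_mbr([(0x00, 0x07, 63, 1_000)])

if __name__ == "__main__":
    for name, mbr in (("bootable", BOOTABLE), ("two active", TWO_ACTIVE),
                      ("no signature", NO_SIGNATURE), ("overlapping", OVERLAPPING)):
        print(name, "->", check_mbr(mbr) or "ok")
    print("data disk ->", check_mbr(DATA_DISK, boot_disk=False) or "ok")
```

To run it against a real disk, read the first 512 bytes of the physical drive (on Windows that is \\.\PhysicalDrive0 opened with administrator rights) and pass them to check_mbr; the checker only reads, it never writes.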

gerbil 216 Industrious Poster

Jim, when you ran MBAM did you click the Remove Selected button? Cos everywhere I am seeing "No action taken." If you did not, then please rerun MBAM, post the log.

gerbil 216 Industrious Poster

Please, yes, do a full scan with SAS. Sorry for not mentioning that. Then delete Combofix and get a fresh copy, change its name as before.
If still Combofix does not run:
-post the SAS log with a fresh HT scan [first please rename hijackthis.exe to somesod.exe]
-Download Avenger from http://swandog46.geekstogo.com/avenger.zip -unzip to your desktop.
And then wait... but please do not turn your pooter off, otherwise we may have to deal with freshly spawned unknown files.

gerbil 216 Industrious Poster

Hello, Steiner... I have noted your problem with running Combofix. Some recent trojans are detecting it or its components and blocking them. Or breaking them. Because of the startup entries that your malware has created it also will be of no use trying to run Combofix in Safe mode as it is. But we need it, so try these steps in order until it runs correctly... it is obvious when it does. You will see various items appear which indicate its progress.
Firstly, just in case, you should delete your copy of Combofix and dl a fresh version. Then...
1. On your desktop rename Combofix.exe to MyCF.exe [just rclick the icon and choose rename], see if that will run. If not:
2. Download and UPDATE SuperAntiSpyware [free ed will do for now] from http://www.superantispyware.com/download.html -when it completes try MyCF [combofix] again.
Post the one, or both, logs.

gerbil 216 Industrious Poster

==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. Choose carefully at the installation checkboxes, I set them to only open from the recycle bin. It's neater that way, but won't suit your purpose.
[you can then run CCleaner from the recycle bin rclick menu using its default settings if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
[Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]

This is an easily customisable tool via its .ini files - you can use them to point it at any object you like. I forget what options to run it are available on installation, but you could use the …

gerbil 216 Industrious Poster

I don't use an mp3 player but I would have thought that there would be some proprietary software loaded onto it to control files on the chip, and I would think that formatting it would risk losing that.
If reformatting to FAT32 is what you want then you have to allow this under the device's policies. Easiest way is to rclick that drive in explorer, go Properties > Hardware tab, make SURE you highlight the correct device in the list, and click the Properties button.
Select Policies tab in the new window, select Optimise for quick removal.
That should give you FAT32 option under the rclick Format option in the drive's Properties.
You may end up with a fancy thumb drive. Say how you get on.

gerbil 216 Industrious Poster

He's running Home.... so no GPEdit to play with.... :(

gerbil 216 Industrious Poster

And present the log from this task, please...?
So firstly:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebyt...are_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application, then ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything found is checked, and click Remove Selected. Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

There appears to be a file which is hidden and regenerating those files and keys we attempt to remove. Another file has popped up - C:\WINDOWS\system32\zipavagi.dll, and there are more keys... Anyway, congratulations, you seem to have picked up quite a new-on-the-block infection. This next tool will probe a little more deeply:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Post another HT scan run after Combofix, please.

gerbil 216 Industrious Poster

Heh.. you could run a script FROM that account: http://www.dougknox.com/security/scripts_desc/regtools.htm . It will require a restart.
Or you could load that User's hive [their NTUser.dat file] with regedit from YOUR account and edit the policy in this key:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Simplest is to give that ac temporary Admin rights.

gerbil 216 Industrious Poster

Mm... not quite the result that I had hoped for. And I was not concerned about Windowblinds, I just wished to confirm that it was the real deal I was seeing .. :)
Okay, try again with this:
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
O2 - BHO: (no name) - {607ebaea-4e2c-45fa-b527-3b36834d84f5} - C:\WINDOWS\system32\libodame.dll (file missing)
O4 - HKLM\..\Run: [mazayefoha] Rundll32.exe "C:\WINDOWS\system32\yojonaso.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\system32\zobubabe.dll

Good. Now start Killbox again, select and copy to clipboard these two files and then press File > Paste from Clipboard.

C:\WINDOWS\system32\yojonaso.dll
C:\WINDOWS\system32\zobubabe.dll

Next go File > Logs > Current Items Log; a notepad will open - save it on your desktop and post the contents with your next reply.
If either or both files are shown in that log, select "Delete on reboot", "Unregister dll before deleting" if available, click the "all files" button.
Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
If your computer does not reboot please restart it manually.
Okay, rescan with hijackthis and see if these two entries show up:

O4 - HKLM\..\Run: [mazayefoha] Rundll32.exe "C:\WINDOWS\system32\yojonaso.dll",s
O20 …
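Each HijackThis line is shorthand for a registry location: an O4 line "HKLM\..\Run: [name] command" is the value `name` under HKLM\Software\Microsoft\Windows\CurrentVersion\Run (with an HKUS\S-1-5-xx prefix it is the same path under that user's hive), an O2 line is the BHO registration key HKLM\...\Explorer\Browser Helper Objects\{CLSID}, an O20 AppInit_DLLs line is the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, and R0/R1 lines are Internet Explorer settings under the key named before the comma. The following is an added example, not part of the thread: it turns such lines into explicit key/value/file targets and writes them out in the section format the Avenger scripts in this thread use (O2/O4/O20 only; R lines are browser settings HijackThis resets rather than deletes). The first four sample lines are copied from the post above; the HKUS line and its "(User ...)" suffix are constructed and assumed to follow the HijackThis layout.

```python
import re

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKUS": "HKEY_USERS", "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}
RUN_ROOT = "Software\\Microsoft\\Windows\\CurrentVersion\\"
BHO_ROOT = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
            "Explorer\\Browser Helper Objects\\")
APPINIT_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"

R_RE = re.compile(r'^(R[01]) - (HK\w+)\\(.+?),([^=]+?) = (.*)$')
O2_RE = re.compile(r'^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$')
O4_RE = re.compile(r'^O4 - (HK\w+)(\\S-[\d-]+)?\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (.*)$')
TOKEN_RE = re.compile(r'"[^"]*"|[^\s,]+')


def _file_from_command(cmd):
    """First quoted path in a Run command, else its first token."""
    m = re.search(r'"([^"]+)"', cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def parse_hjt_line(line):
    """Map one HijackThis log line to the registry location it describes.
    Returns a dict with at least "type" and "key", or None for unsupported lines."""
    line = line.strip()
    m = R_RE.match(line)
    if m:
        kind, hive, path, name, data = m.groups()
        return {"type": kind, "key": HIVES.get(hive, hive) + "\\" + path, "name": name, "data": data}
    m = O2_RE.match(line)
    if m:
        desc, clsid, rest = m.groups()
        missing = rest.endswith("(file missing)")
        return {"type": "O2", "key": BHO_ROOT + clsid, "clsid": clsid, "desc": desc,
                "file": rest.replace("(file missing)", "").strip(), "file_missing": missing}
    m = O4_RE.match(line)
    if m:
        hive, sid, runkey, name, cmd = m.groups()
        key = HIVES.get(hive, hive) + (sid or "") + "\\" + RUN_ROOT + runkey
        return {"type": "O4", "key": key, "name": name, "command": cmd,
                "file": _file_from_command(cmd)}
    m = O20_RE.match(line)
    if m:
        dlls = [t.strip('"') for t in TOKEN_RE.findall(m.group(1))]
        return {"type": "O20", "key": APPINIT_KEY, "name": "AppInit_DLLs", "files": dlls}
    return None


def to_avenger(entries):
    """Render parsed O2/O4/O20 entries as the three Avenger sections used in this thread.
    Files already reported missing are not queued, and duplicates are collapsed."""
    files, keys, values = [], [], []
    for e in entries:
        if e["type"] == "O2":
            keys.append(e["key"])
            if not e["file_missing"]:
                files.append(e["file"])
        elif e["type"] == "O4":
            values.append("%s | %s" % (e["key"], e["name"]))
            files.append(e["file"])
        elif e["type"] == "O20":
            values.append("%s | %s" % (e["key"], e["name"]))
            files.extend(e["files"])
    out = []
    for title, items in (("Files to delete:", files), ("Registry keys to delete:", keys),
                         ("Registry values to delete:", values)):
        if items:
            out.append(title)
            out.extend(dict.fromkeys(items))   # keep order, drop repeats
            out.append("")
    return "\n".join(out)


# Sample log: the first four lines are from the post above; the HKUS line is
# constructed, and its "(User ...)" suffix format is an assumption of this example.
SAMPLE_LOG = """
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
O2 - BHO: (no name) - {607ebaea-4e2c-45fa-b527-3b36834d84f5} - C:\\WINDOWS\\system32\\libodame.dll (file missing)
O4 - HKLM\\..\\Run: [mazayefoha] Rundll32.exe "C:\\WINDOWS\\system32\\yojonaso.dll",s
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\zobubabe.dll
O4 - HKUS\\S-1-5-19\\..\\Run: [mazayefoha] Rundll32.exe "C:\\WINDOWS\\system32\\yojonaso.dll",s (User 'LOCAL SERVICE')
"""


def parse_hjt_log(text):
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e]


if __name__ == "__main__":
    entries = parse_hjt_log(SAMPLE_LOG)
    for e in entries:
        print(e["type"], "->", e["key"], e.get("name", ""))
    print()
    print(to_avenger(entries))
```

Deleting the whole AppInit_DLLs value is the only thing an Avenger script can express for an O20 line, since the value is one string; that matches a clean XP default, which has it empty.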

gerbil 216 Industrious Poster

Addressing your other queries.. do not format any partition on that data drive... it will make file recovery a little more tedious.
Does the drive show in Disk Management [via Admin Tools, Comp Mgmnt] ? There should be no need to initialise the drive. Does Disk Management show that as an option?

gerbil 216 Industrious Poster

Hello, james. Your hardware setup is fine. Your problem is that Explorer is not looking at the drive root when it starts, so as to catalogue the root directories.
Can applications access the drive and related files? Possibly not if you have not used them since the reinstallation...
If you open an Explorer window [dclick My Computer] and type the drive letter.. eg. D:\ into the Address Bar does it open in that directory? And can you then move through the folders therein?
If that does not work can you open the drive via Internet Explorer [type D:\ into the address bar.... etc]?

gerbil 216 Industrious Poster

iexplore.exe is internet explorer. It appears when you use that browser and also when malware uses it to go on the web for ads or instructions.. whatever.
Your MBAM log shows No Action Taken on all found items - may we assume that you did follow through the instructions, and Fix them?
-You have Weatherbug - the free version is adware; remove it if you wish via Add/Remove Pgms in CP.
-I see that you have MyWay Search Assistant [there, courtesy DELL]. You can get rid of it if you wish... First see if it is listed in Add/Remove pgms list - remove it if able, then..
Go start > run, paste:
MsiExec.exe /X {78d944d7-a97b-4004-ab0a-b5ad06839940} -and Enter. If it is found click yes at the prompt.
Next delete the MyWay files/folder in Program Files [use myway as a search string...].

You have malware that has appeared since your first HT scan, possibly virtumundo, but first:
-Do you use Windowblinds? [file is C:\windows\system32\websys.dll]
-You have what seems to be a Google Desktop component : do you use that? [directory\file is C:\PROGRAM FIles\Google\GOOGLE~3\GOEC62~1.DLL, with the ~ taking the place of other characters]

==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Dclick killbox to start it.
>Highlight the pathnames in the following block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\WINDOWS\system32\yojonaso.dll
C:\WINDOWS\system32\libodame.dll
c:\windows\system32\pokitiwi.dll
C:\WINDOWS\system32\zobubabe.dll

-in killbox, go File menu, choose Paste from clipboard.

gerbil 216 Industrious Poster

Jim, it is not a memory problem, it is a problem with a program trying to access reserved memory. In other words, it is caused by some sloppy software, and sloppy software is occasionally found in malware. So firstly:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application, then ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything found is checked, and click Remove Selected. Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
...and then:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

If none of those OS load options works then it means that your machine cannot recognise your hdd, otherwise I think you would see a different message? Use BIOS setup to check that your hdd is correctly represented in the boot order.

gerbil 216 Industrious Poster

Two firewalls is one too many. ZoneAlarm ensures that Windows Firewall is off, Comodo does not care - it probably knows stuff. Anyway, more than one is simply an unnecessary drain on your system.
Comodo should be plenty of firewall for any user, plus it has a system defence included. It is by far the most comprehensive, customisable, complex, best firewall of the three.

gerbil 216 Industrious Poster

Good luck with that. Have you ever separated the heatsink/CPU? Could be that there is a temporary heating issue when the chip is first fired up.

gerbil 216 Industrious Poster

Yeah, caper.. the post I made is for repairing a problem created by a specific piece of malware. He could have a problem with a system file, I don't know which.
Some system files can be replaced by using the EXPAND command in RC and the XP cd i386 directory.

gerbil 216 Industrious Poster

Aw, heck.. I somehow missed adding the link in my earlier post. Comes from being on a slow connection - I don't always wait to read the post I just made.
http://support.microsoft.com/kb/218461
You could glance at this key in your machine to see if it reads as this one:
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute : REG_MULTI_SZ : autocheck autochk *
The site above indicates how other entries affect this key.

gerbil 216 Industrious Poster

I doubt that your problem has much to do with the Adobe installation other than that there was a restart involved. After the RAM check the POST checks all remaining system hardware - if it won't run past the RAM check then there is either a hardware malfunction or a BIOS software error.
You could check the former by turning power off and replugging all hardware, removing unnecessary devices to see if you can achieve a basic boot. Suspect a hdd....
Check the latter by using F2 to set BIOS defaults [you will lose your customised BIOS settings unless you have saved them to some medium, assuming you had that option...]. If F2 does not work try swapping the mb battery power jumper or pulling the CMOS battery itself for a minute or so.

gerbil 216 Industrious Poster

You might read this site for information. Chkdsk is normally run at each startup.

gerbil 216 Industrious Poster

Because you have the Recovery Console you may wish to work your way through this procedure. It does seem that restarts as the Welcome screen is displayed do not have many causes other than this:
http://www.kellys-korner-xp.com/xp_wel_screen.htm
-start with the section:
"Or:
Place your XP CD in and navigate to the Recovery Console.
Change the C:\Windows prompt to: C:\Windows\System32 and copy userinit.exe to wsaupdater.exe..."

There is also this post by Yzowl:
http://www.msfn.org/board/Windows-Xp-Login-Problem-t42529.html
-use the Code line for the REG command.

These two methods [if they apply to you] attack the problem from different angles : one replaces wsaupdater.exe with userinit.exe, the other uses the RC to repair the reg key so that it points to where it should [the default].
Not saying that this is your particular problem, though...
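As an added check for this post and for the BootExecute key mentioned with the KB218461 link a couple of posts up (this is not part of gerbil's reply): the PowerShell below reads the Winlogon Userinit and Shell values and the Session Manager BootExecute value and compares each with the XP default. It assumes a standard install under %SystemRoot% and that nothing legitimate has added extra lines to BootExecute (some disk tools do, which is exactly what the KB article describes). Run it from an elevated prompt on the affected machine.

```powershell
# Added example, not from the thread: compare the startup-related registry
# values discussed above with their XP defaults. Read-only.
$win = $env:SystemRoot   # e.g. C:\WINDOWS (assumption: default install location)

$checks = @(
    @{
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Name     = 'Userinit'
        Expected = "$win\system32\userinit.exe,"      # note the trailing comma
    },
    @{
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Name     = 'Shell'
        Expected = 'Explorer.exe'
    },
    @{
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
        Name     = 'BootExecute'
        Expected = 'autocheck autochk *'              # REG_MULTI_SZ, normally one line
    }
)

foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $actual) {
        Write-Output ("MISSING  {0}\{1}" -f $c.Path, $c.Name)
        continue
    }
    # BootExecute comes back as a string[]; join it so both kinds compare as text
    $actualText = ($actual -join "`n").Trim()
    if ($actualText -ieq $c.Expected) {
        Write-Output ("OK       {0} = {1}" -f $c.Name, $actualText)
    } else {
        Write-Output ("SUSPECT  {0} = '{1}' (expected '{2}')" -f $c.Name, $actualText, $c.Expected)
    }
}
```

A Userinit value pointing at wsaupdater.exe, or a BootExecute with lines you do not recognise, comes out as SUSPECT; the script changes nothing, so the fix is still the REG command from Yzowl's post or the Recovery Console copy described above.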

gerbil 216 Industrious Poster

Well, yes it does. And it would pay to eliminate the hdd as a source.
Because your machine is actually still bootable then do this [this procedure will burn a diagnostic program onto a cd which in turn may be used to boot your machine and check the hd] :
You'll need access to a computer with Internet connectivity and a CD burner, plus a blank CD-R or CD-RW.
Then go to this link: http://www.woyaa.com/cgi-bin/download/jump.cgi?ID=708646
or this link: http://support.thetechguys.com/Uploads/%7Bb4d5f239-78d9-4bd8-8e7a-2de1983b4d7d%7D/DiagCD23.exe
Either Run the file download or Save diagcd23.exe to your computer and dclick it to run. The procedure is quite automatic: you will be asked to insert a blank CD for burning the file.
Once the disk is created, put it in your broken machine, then restart it. It should boot from the CD and then give you the opportunity to run a Long HDD (hard disk) test. The utility supports a wide range of disk manufacturers.
Say how you get on.

gerbil 216 Industrious Poster

It can be Master if you put the 2nd drive on the secondary IDE controller, unless your optical drive is already Master on the secondary in which case make the hdd Slave there.

gerbil 216 Industrious Poster

Any chance that it will start in Safe Mode? If so, go Control Panel>System>Advanced>Startup and Recovery Settings, uncheck Automatically Restart; set Write Debug Info to none.
See if there is an error code on your screen when it next halts, and note any drivers/services mentioned.
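The same two settings, done through the registry instead of the System Properties dialog, as an added example that is not part of the post above. It assumes an elevated PowerShell prompt on the affected machine (Safe Mode is fine); the CrashControl values are the ones the dialog writes, and they take effect at the next boot.

```powershell
# Added example, not from the thread: script the "Automatically restart" and
# "Write debugging information" settings via HKLM\SYSTEM\...\CrashControl.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

$before = Get-ItemProperty -Path $key
Write-Output ("Before: AutoReboot={0} CrashDumpEnabled={1}" -f $before.AutoReboot, $before.CrashDumpEnabled)

# AutoReboot = 0        -> "Automatically restart" unchecked, so the STOP screen stays up
# CrashDumpEnabled = 0  -> "Write debugging information: (none)"
Set-ItemProperty -Path $key -Name AutoReboot       -Value 0 -Type DWord
Set-ItemProperty -Path $key -Name CrashDumpEnabled -Value 0 -Type DWord

$after = Get-ItemProperty -Path $key
Write-Output ("After:  AutoReboot={0} CrashDumpEnabled={1}" -f $after.AutoReboot, $after.CrashDumpEnabled)
```

Put AutoReboot back to 1 once you have the STOP code and the driver or service it names.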

gerbil 216 Industrious Poster

It is the trace of either a careless vundo infection, or a partial cure of the problem. This will start the sorting out:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application, then ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything found is checked, and click Remove Selected. Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
And finally:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

A problem with the page file will lock your sys down solid, if it is trying to access it. Think hdd problems.

gerbil 216 Industrious Poster

ActiveX pgms seem to pop up all over your sys. If you find them in the C:\Windows\Downloaded Program Files directory you can simply delete them.
With IE7 you can open IE, go Tools, Manage Add-ons, Enable or Disable Add-ons, select "Downloaded ActiveX Controls", select the ActiveX and delete it.
Or do this:
HiJackThis:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-select Scan Only.
Look at the O16 entries [these are the ActiveXs]... place checkmarks against the entries you do not want, and then press Fix Checked.
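An added, read-only inventory to run before fixing O16 entries, not part of the post above: it lists the files in Downloaded Program Files and the controls IE has registered, with the CODEBASE URL each one was fetched from, so you can see where a control came from before deciding to remove it. Assumptions: IE records each downloaded control under the Code Store Database key shown below (the same list HijackThis reports as O16), with the source URL in its DownloadInformation subkey, and the folder is the standard one under %SystemRoot%.

```powershell
# Added example, not from the thread: inventory of IE "Downloaded Program Files"
# ActiveX controls and their download sources. Changes nothing.
$dpf = Join-Path $env:SystemRoot 'Downloaded Program Files'
$csd = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'   # assumption: see lead-in

Write-Output "--- Files in $dpf ---"
Get-ChildItem -Path $dpf -Force -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Output ("{0,-40} {1,10} bytes  {2}" -f $_.Name, $_.Length, $_.LastWriteTime)
}

Write-Output "--- Registered controls under $csd ---"
Get-ChildItem -Path $csd -ErrorAction SilentlyContinue | ForEach-Object {
    $unit = $_.PSChildName                      # normally the control's CLSID in braces

    # DownloadInformation\CODEBASE is the URL the control was installed from
    $codebase = ''
    $dl = Get-ItemProperty -Path (Join-Path $_.PSPath 'DownloadInformation') -ErrorAction SilentlyContinue
    if ($dl -and $dl.CODEBASE) { $codebase = $dl.CODEBASE }

    # Friendly name, if the control is also registered as a COM class
    $name = ''
    $cls = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$unit" -ErrorAction SilentlyContinue
    if ($cls -and $cls.'(default)') { $name = $cls.'(default)' }

    Write-Output ("{0}`n    name:     {1}`n    codebase: {2}" -f $unit, $name, $codebase)
}
```

A control whose codebase is a domain you never knowingly visited is the one to check against the O16 list and fix; a Windows Update or Adobe/Java URL is usually the legitimate kind.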

gerbil 216 Industrious Poster

In normal mode the screen turns blue only when ntoskrnl is executing. The kernel initialises the boot drivers loaded by ntldr after examining the currentcontrolset key for the order, then loads remaining drivers and services. If there are no error codes on the bluescreen then it could be ntoskrnl.exe that has the problem. Surely if it was a driver issue then there would be a code? - the sys doesn't have an LKG to fall back to after the failure of an important driver, hence the restart. Or it could be a registry problem.. You could try replacing the kernel, other than that it is a Repair to fix the reg and/or drivers.
An installation on my sys takes about 20 mins [a very fast optical drive...]. Pity about the updates.
Just a thought... you might try a bootable memtest. Here... the dl version is free, creates a disk.
http://www.memtest86.com/

gerbil 216 Industrious Poster

Going the F6 route is easier than using IDE Emulation for XP installation, and then switching back, because if you do not alter the reg and copy in the drivers before changing the BIOS modes you will get a bluescreen. Quite naturally, the procedure is well [as in profusely, not necessarily finely] documented on the web... but at least for Asus mb with Intel chipsets it is much simpler than they make out....

gerbil 216 Industrious Poster

You wish to delete all partitions? Then simply erase the MBR. How? There are tools to do that.. partition managers [EaseUS is one] or specialty tools [MBRWhiskey, TestDisk]
http://red.boot-land.net/index.html
This dl contains both the GUI and commandline versions of MBRWhiz [or MBRWhiskey].
And I would have thought that JB's suggestion would do the job.
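To make concrete what "erasing the MBR" throws away, here is an added example (not part of the post above, and not code from any of the tools it names) that parses a classic 512-byte MBR: the four 16-byte partition entries at offset 446 and the 0x55AA signature at offset 510. The sector is constructed inline for the example rather than read from a real disk; the CHS fields in it are placeholders.

```powershell
# Added example, not from the thread: parse a classic MBR, then blank the
# partition table and signature to show what an "erase the MBR" tool removes.
function Parse-Mbr([byte[]]$sector) {
    if ($sector.Length -ne 512) { throw "MBR must be exactly 512 bytes" }
    $sig = [BitConverter]::ToUInt16($sector, 510)        # bytes 55 AA read little-endian
    $result = @{ ValidSignature = ($sig -eq 0xAA55); Partitions = @() }
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i                                # start of entry i
        $type = $sector[$o + 4]
        if ($type -eq 0) { continue }                     # empty slot
        $result.Partitions += New-Object PSObject -Property @{
            Index    = $i
            Bootable = ($sector[$o] -eq 0x80)             # active flag
            Type     = ('0x{0:X2}' -f $type)              # 0x07 = NTFS, 0x0C = FAT32 LBA, ...
            StartLba = [BitConverter]::ToUInt32($sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($sector, $o + 12)
        }
    }
    return $result
}

# Constructed sample: one active NTFS partition starting at LBA 63, about 10 GiB
$mbr = New-Object byte[] 512
$entry = @(0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF) +
         [BitConverter]::GetBytes([uint32]63) +
         [BitConverter]::GetBytes([uint32]20964762)
[Array]::Copy([byte[]]$entry, 0, $mbr, 446, 16)
$mbr[510] = 0x55; $mbr[511] = 0xAA

$parsed = Parse-Mbr $mbr
Write-Output "Signature valid: $($parsed.ValidSignature)"
$parsed.Partitions | Format-Table Index, Bootable, Type, StartLba, Sectors -AutoSize

# What the MBR erasers do, in effect: zero the table and the signature.
# The data blocks of the partitions are untouched, which is why TestDisk
# can usually rebuild the table afterwards.
for ($b = 446; $b -lt 512; $b++) { $mbr[$b] = 0 }
$wiped = Parse-Mbr $mbr
Write-Output "After wipe: signature valid = $($wiped.ValidSignature), partitions = $($wiped.Partitions.Count)"
```

To inspect a real drive, read its first 512 bytes with a .NET FileStream opened on \\.\PhysicalDriveN from an elevated prompt and pass them to Parse-Mbr; do that before, not after, running an eraser, so you have a record of the table.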

gerbil 216 Industrious Poster

Hello, apocalypse.
Temporarily...
=Windows Defender - please disable its Realtime Protection....
Open Windows Defender, click Tools, General Settings, Scroll to and uncheck Turn on real-time protection.
Click Save and close Windows Defender.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application, then ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything found is checked, and click Remove Selected. Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

The /a and /s are parameters, the / identifies them as such, and cmd.exe can distinguish them so you can use a space, or not. dir /a /s, dir/a/s or dir /a/s will all work. Your cmd prompt if you did as I said should be
C:\Documents and Settings\Frank\Desktop
If you then enter dir/a/s and get a path not found error that is passingly strange.. because you are already in the directory; that is the path being used by the dir command. Interesting.
Ah, I know what you are doing wrong... I think... use forward slashes for parameters, not backslashes. If you use backslashes like dir \a\s you are specifying a desktop folder called "", i.e. "nothing", and if you do not have such a beast you will get a path not found error. If you entered dir a/s you might instead get a file not found error.

gerbil 216 Industrious Poster

That M&S job is a pretty cheap effort, caper... they couldn't even be bothered, or didn't have the nous, to write a worm. A chain letter. Still, if you've got a big pool of dills...

gerbil 216 Industrious Poster

Interesting how Oly seemed to answer your question before you asked it... Anyway, if there are no other users logged on and with running processes you won't see them... :)