gerbil 216 Industrious Poster

Combofix is now configured so that it will only run from the desktop.
Re the Panda scan and "the security warning bar refuses to show itself" just check in IE options that "Download signed ActiveX controls" is set to Prompt.

gerbil 216 Industrious Poster

Hi, Bob... mmm, re chkdsk, i noticed the found.000 folder from a couple of weeks ago. Did you install any app on the 27th or 28th of last month, something that requires .net framework?
Just a thought... would you try uninstalling AVG8 and report back on how things are? Keep a firewall running.

gerbil 216 Industrious Poster

Pinki, no "sorry" about it! And now I have the SP3 safeboot keylist also, which may come in handy. But I cannot agree to that proposal of yours because some of those keys in the threatexpert report appear to be, in fact actually are, legitimate - it's just that they may or may not be present on some machines so the malware itself makes sure that they exist for its own use. Any that are bad are sure to exist on blacklists, so why not run the tools which incorporate such things. I cannot be sure because you have not provided any logs of your own but some elements in that report are indicative of worm presence. So do this [it is safer...]
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there …

gerbil 216 Industrious Poster

Cool. Don't forget to clean out the malware that deleted your keys.

gerbil 216 Industrious Poster

Nothing shows as bad in that file.. thanks. Did Combofix not work? What happens if you dl the file using another computer to a thumbdrive, drag it onto your desktop and then dclick the icon there?
And did you try the Panda scan using Firefox [which does not use ActiveX]?
Does TM work in normal mode now?
Anyway, try this in a cmd window in Safe mode: rmdir /S C:\WINDOWS\privacy_danger
And if that will not delete the directory run through it file by file with this tool [normal mode or safe]:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

gerbil 216 Industrious Poster

mmm... I did check another didier page.. but no mention of differences. Look, that file I gave you is merely a list of things to load, individual drivers or groups thereof. If any are incorrect.. ie in my list but not in your machine, or the list is incomplete.. then you will merely get what you get now - nothing. And we can remove those supplied subkeys if needs be. It is safe to try.

gerbil 216 Industrious Poster

Weasel, I'd like to see the contents of a couple of reg keys...
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f
reg query "HKCU\Software\Microsoft\Internet Explorer\Main" >C:\showkey.txt
reg query "HKCU\Software\Microsoft\Internet Connection Wizard" >>C:\showkey.txt
reg query "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" >>C:\showkey.txt
reg query "HKLM\SOFTWARE\Microsoft\Internet Connection Wizard" >>C:\showkey.txt
start C:\showkey.txt
pause

If showkey.txt is long please attach the file to your next post.

Delete that directory, privacy_danger. This will do it [see if TM works in normal mode now]:
Go TM, Run cmd, then paste in the window:
rmdir /s /q C:\WINDOWS\privacy_danger

Let's see if these are blocked - first clean, then do the scan [and Safe Mode with Networking is fine, if needs be]:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run …

gerbil 216 Industrious Poster

You are joking, aren't you? Not using a virus database? These things, I woulda thought, take some huge collaborative effort. Course, the best AV is to cut the net cable n glue up all the I/O devices. Anyway...an you should know this... the key is:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
Best of luck. Really.

gerbil 216 Industrious Poster

No help?

gerbil 216 Industrious Poster

Using Safe Mode would be just fine, weasel

gerbil 216 Industrious Poster

Nope... I know when I'm out of my depth. I'd be checking some app installed a month ago - there is a problem with dll versions hence the SxS errors. But the recent explosion of errors beats me. Hard disk failing? Try running chkdsk on C:

gerbil 216 Industrious Poster

Reposting to give you a zipped file... more manageable. Do you think this shonky site would let me edit the previous post to add an attachment? No way would that button work [and I was inside the time limit..]
Pinki, that driver list you are seeing is the boot-level drivers only, you need the rest of them. Now this list of drivers/driver groups is taken from my SP2 machine... I'm on a slowish connection so have not gotten around to dling that 60+MB SP3 file yet.
If you load these they may do the job, if they don't then nothing will be broken, you will still be able to start in normal mode cos the safeboot key is not read for a normal load. At worst, you'll get a bluescreen. You would then have to find the correct key from someone with an SP3 machine. I've done a bit of a web search and can not find a reference file or key list, not even a whinge that there is a difference.
This file will add these keys to those that you have there already. Note that your AV service will not have been started...
==Unzip the attached .reg file, dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
And give it a shot.

gerbil 216 Industrious Poster

Pinki, that driver list you are seeing is the boot-level drivers only, you need the rest of them. Now this list of drivers/driver groups is taken from my SP2 machine... I'm on a slowish connection so have not gotten around to dling that 60+MB SP3 file yet.
If you load these they may do the job, if they don't then nothing will be broken - at worst, you'll get a bluescreen. You will still be able to start in normal mode cos the safeboot key is not read for a normal load. You would then have to find the correct key from someone with an SP3 machine. I've done a bit of a web search and can not find a reference file or key list, not even a whinge that there is a difference.
This file will add these keys to those that you have there already.
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP …

gerbil 216 Industrious Poster

Timing of the F8 press can be important... you should wait until BIOS lists your hard drives; its action is then to simulate the addition of /safeboot to the load instruction in your boot.ini. Pressing F8 too early on my machine will start the Drive boot order menu, at least on my machine.

gerbil 216 Industrious Poster

Heya, pinki.... starting with the silly stuff first.... just ensure that your Function keys are activated at boot and not the alternates on the keys. Do you not even get to the screen with the several Mode choices?
Thinking of slapping me cos you're not that silly? Okay, just check these two keys in your registry [in normal mode]:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal] ... should have almost 15 CLSIDs and maybe 30 other subkeys like File System, Primary Disk..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network] ... should have close to 20 CLSIDs and 60 - 70 other subkeys.
All these subkeys have only a Default value; they tell the kernel which drivers and driver groups to load [the scrolling list on the black background]. Some malwares delete them for a bit of fun.
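
The SafeBoot check described in this post can be run against a registry export instead of by eye. This is an added example, not part of the original post: the baseline names are copied from the partial SP2 fixkey.reg listing elsewhere on this page, and the sample export, `parse_safeboot` and `audit_mode` are constructed for illustration.

```python
import re

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")

# Subkey names copied from the partial SP2 fixkey.reg listing on this page.
# That listing is cut off, so treat this as a floor, not a full reference.
BASELINE_MINIMAL = {
    "AppMgmt", "Base", "Boot Bus Extender", "Boot file system", "CryptSvc",
    "DcomLaunch", "dmadmin", "dmboot.sys", "dmio.sys", "dmload.sys",
    "dmserver", "EventLog", "File system", "Filter", "HelpSvc", "Netlogon",
    "PCI Configuration", "PlugPlay",
}

# Constructed sample: a SafeBoot export from a machine where most of the
# Minimal subkeys have been deleted and the Network key is gone entirely.
# A real regedit export is UTF-16: open(path, encoding="utf-16").read()
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
"""


def parse_safeboot(reg_text):
    """Return {mode: {subkey: default value or None}} from a v5 .reg export."""
    modes = {}
    current = None
    prefix = SAFEBOOT.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = None
            path = line[1:-1]
            if not path.lower().startswith(prefix):
                continue  # the SafeBoot key itself, or an unrelated key
            parts = path[len(prefix):].split("\\")
            subkeys = modes.setdefault(parts[0].lower(), {})
            if len(parts) == 2:
                current = (parts[0].lower(), parts[1])
                subkeys[parts[1]] = None
        elif current and line.startswith('@="') and line.endswith('"'):
            modes[current[0]][current[1]] = line[3:-1]
    return modes


def audit_mode(modes, mode, baseline=()):
    """Count CLSID and named subkeys for one mode and list baseline gaps."""
    subkeys = modes.get(mode.lower())
    if subkeys is None:
        return {"present": False, "clsids": 0, "others": 0,
                "missing": sorted(baseline), "no_default": []}
    names = {n.lower() for n in subkeys}
    return {
        "present": True,
        "clsids": sum(1 for n in subkeys if CLSID_RE.match(n)),
        "others": sum(1 for n in subkeys if not CLSID_RE.match(n)),
        # Registry key names are case-insensitive, so compare lowercased.
        "missing": sorted(b for b in baseline if b.lower() not in names),
        "no_default": sorted(n for n, v in subkeys.items() if v is None),
    }


if __name__ == "__main__":
    parsed = parse_safeboot(SAMPLE_EXPORT)
    for mode, base in (("Minimal", BASELINE_MINIMAL), ("Network", ())):
        report = audit_mode(parsed, mode, base)
        print(mode, "present:", report["present"],
              "CLSIDs:", report["clsids"], "others:", report["others"])
        for name in report["missing"]:
            print("   missing:", name)
```

Compare the printed counts with the rough figures given in the post; a Minimal key with only a handful of subkeys, or no Network key at all, points to the deletion described there.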

gerbil 216 Industrious Poster

THE-LJ0KJPSTCRG - who is that user!?
In Event Viewer if you dclick on the oldest error of these:
Error SideBySide THE-LJ0KJPSTCRG
Error Service Control Manager BOBS ...
...what is shown as the Description? What modules are failing?
Your SCM is quite unhappy at running some of your services, and I have a feeling that the problem relates to the account of this user:THE-LJ0KJPSTCRG.
Check in Application and Security Error logs also.

gerbil 216 Industrious Poster

You're doing fine. This should solve the redirection problem:
Use hijackthis to fix these two entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Delete this file:
C:\WINDOWS\privacy_danger\index.htm

To make things a bit easier, instead of using explorer [it is only a UI] use Task Manager instead.... even without your explorer running you can start it with Ctrl-Alt-Del. Then go Files > New Task[Run] and paste in:
H:\Help\HiJackThis.exe
To delete that file, run instead:
cmd
..and paste into the cmd window:
del /f C:\WINDOWS\privacy_danger\index.htm
Now try with a freshly dl'd copy of MBAM [or Run from the dl site]. Only if that will not work then do this:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-Important! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

I don't know how much RAM you have, but you need more.. :) ... what a lot of auto-start stuff!
You have MyWay Search Assistant - do you wish to keep it? You can get rid of it if you wish...
First see if it is listed in Add/Remove pgms list - remove it if able, then..
Go start > run, paste:
MsiExec.exe /X {78d944d7-a97b-4004-ab0a-b5ad06839940} -and Enter. If it is found click yes at the prompt.
Next delete the MyWay files/folder in Program Files [use myway as a search string...].

C:\WINDOWS\C0130Mon.exe - what is this?

gerbil 216 Industrious Poster

I understand, weasel, so let's work for the moment with what you have: please start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
O3 - Toolbar: fdkowvbp - {88E2C28F-80C8-49BA-94A3-A5D4930B4A23} - C:\WINDOWS\fdkowvbp.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: WIKI.DLL
O21 - SSODL: kvxqmtre - {36124790-EB2B-4710-A22A-1A3E2E8AF093} - C:\WINDOWS\kvxqmtre.dll
O21 - SSODL: evgratsm - {AD7737B1-286C-46CE-A38C-EDF32F66B1EB} - C:\WINDOWS\evgratsm.dll
O21 - SSODL: wnslvxtf - {79AA8769-D93B-4E62-9EC1-B4BBF684385E} - C:\WINDOWS\wnslvxtf.dll
O21 - SSODL: eqvwamkl - {42957140-5665-4E2D-9D2D-A59910D26B86} - C:\WINDOWS\eqvwamkl.dll

Now delete these files... if they put up a fight I can give you a tool to do it with, else you can delete them from Safe Mode.

C:\WINDOWS\qndsfmao.dll
C:\WINDOWS\fdkowvbp.dll
C:\WINDOWS\kvxqmtre.dll
C:\WINDOWS\evgratsm.dll
C:\WINDOWS\wnslvxtf.dll
C:\WINDOWS\eqvwamkl.dll
C:\WINDOWS\system32\WIKI.DLL -this one may be in the windows folder if not here.

The deleter...Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

Once those files are gone try again to run MBAM and the new version of hijackthis. If they still cannot run from the dl'd files, Run them from the dl site instead [Hijackthis will give you a warning about running from a temp folder, but proceed anyway].
Good luck.

gerbil 216 Industrious Poster

BIOS ran, right? It POSTed okay, then just stopped, with a black screen and blinking cursor?

gerbil 216 Industrious Poster

==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application, then ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything found is checked, and click Remove Selected. Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
Post also a fresh hijackthis [your version is obsolete!!] log with your comments:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

A note... if you dl MBAM to somewhere easy to find you can start it from Task Manager > File > New Task >... Enter mbam-setup.exe

gerbil 216 Industrious Poster

In Power Options do you have the sys set to restart if a failure occurs? Try setting it to No Restart. That is for any power problems. To prevent restarts resulting from software problems set your sys to not restart [uncheck the box] in Startup and Recovery options under System, Advanced tab. About the rest... try giving us a hijackthis log. Do this in order:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java. Panda will clean only virii, but it is superb at listing other malwares which can then be targeted.
Please ATTACH to your post the log it produces.

gerbil 216 Industrious Poster

I should point out that any changes you make to the path via Set command in cmd window only last while that cmd window is open. How temporary is that? Permanent changes to your environment must be made via the lil Env Variables window that you know. Or into the reg keys directly. Just wondering if your User keys are different to the machine keys?
Your paths should be in here:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
But if there is a path entry here: HKEY_CURRENT_USER\Environment
..it would override the HKLM paths.
Still thinking...

gerbil 216 Industrious Poster

Guy... look at my post in this thread, and follow its instructions in yours.
http://www.daniweb.com/forums/thread147529.html

gerbil 216 Industrious Poster

Hello, deepu... this is my understanding of the gif problem... yes, a gif extension is defined as an image file, or a series of images with instructions for the hosting image software so as to show animation... timings etc.
But what application runs the gif in your system depends upon file associations in your reg, and a piece of malware can subvert those so as to run a "gif" as an executable, and name an executable code file as a gif file. A decent malware will replace the files that you successfully delete from hidden spares. Try this:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-Important! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the …
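
A check for the second half of that point, an executable carrying a .gif name, as an added example that is not part of the original post. The function names and the sample bytes are constructed for illustration; it reads file headers only and does not look at registry file associations.

```python
import os
import struct
import tempfile

# Constructed sample bytes: a GIF header, and the smallest header that
# still looks like a Windows PE file (MZ stub pointing at a PE signature).
SAMPLE_GIF = b"GIF89a" + bytes(16)
SAMPLE_PE = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\x00\x00"


def classify_header(data):
    """Classify the first bytes of a file by its magic numbers."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:2] == b"MZ":
        # Offset 0x3C of the DOS header holds the offset of the PE header.
        if len(data) >= 0x40:
            (pe_off,) = struct.unpack_from("<I", data, 0x3C)
            if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-executable"
    return "unknown"


def find_mismatched_gifs(root, read_bytes=4096):
    """Return (path, kind) for every *.gif under root that is not a GIF."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".gif"):
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as handle:
                    kind = classify_header(handle.read(read_bytes))
            except OSError:
                kind = "unreadable"  # locked or access denied: check by hand
            if kind != "gif":
                findings.append((path, kind))
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for name, content in (("holiday.gif", SAMPLE_GIF),
                              ("funny.gif", SAMPLE_PE)):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(content)
        for path, kind in find_mismatched_gifs(root):
            print(kind, os.path.basename(path))
```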

gerbil 216 Industrious Poster

Ah.. okay.
Lessee... properties. Under layout tab set your Window Size to what you wish; I use width=85, height = 35. Next, to enable the sliders set the related Buffer Sizes to larger proportions. eg. if you wish to have a vertical slider set height to say, 300 - if this number is smaller than the Window Size height you will not have a slider. I use 300 height, 85 width. I suspect your maximisation problem arises because your buffer and window sizes are the same -maximising tries to set the window to the buffer size [limited by physical screen size, of course].
Still playing around here... gotta sort the path problem yet.

gerbil 216 Industrious Poster

..which is where a Repair comes in... I assume you already tried copying in another cmd.exe.

gerbil 216 Industrious Poster

Another of the System Variables should be:
ComSpec with a value C:\Windows\system32\cmd.exe
There seems to be no way to repair the command processor with a simple action, and seeing with ProcMon what is involved in merely opening a cmd window rather rules out a manual fix.

gerbil 216 Industrious Poster

Dangerous? Simply that it has capabilities that enable you to delete partition tables; change disk geometry, partition types... which are things you certainly do not want to do. You are making me uncomfortable.. so may I suggest that you ignore the TestDisk part and use the PhotoRec section instead?
"TestDisk doesn't need to be installed, you only need to extract the full windows subdirectory and run win\photorec_win.exe"
For the helpfile, which you should read, run doc\testdisk.html
Because doing that often is unwieldy I use batch commands of the form:

@ECHO OFF
Start /D"E:\Disk & System Tools\Disk Tools\testdisk-6.9\doc" testdisk.html

-saved as, say, 00TestdiskHelp.cmd. You would naturally replace my path E:\Disk & System Tools\Disk Tools with yours...
Another:
@ECHO OFF
Start /D"E:\Disk & System Tools\Disk Tools\testdisk-6.9\win" photorec_win.exe

-saved as, say, 00PhotoRec.cmd

gerbil 216 Industrious Poster

as the man said. But I cannot see sfc fixing bad clusters for you. It checks protected windows files are current and extant, is all.

gerbil 216 Industrious Poster

I think I would be concerned... when chkdsk detects bad clusters I think they are above and beyond the ones dealt with by the SMART system in the drive controller - that technology replaces bad sectors with spares from a hidden stash and its actions are invisible to the OS. Monitor them.. if they increase over a reasonable time then danger is nearing as far as hdd failure is concerned.
chkdsk /f fixes errors as it finds them while checking the integrity of the file system against the used clusters of sectors; any bad sectors are isolated and reported.
chkdsk /r goes further in that it also checks unused clusters and isolates bad ones.
I have to ask: are C: and D: drives [or partitions] on the same hdd?
Can you backup any files or directories from C: ? Be selective, get as much as you can.
A quick read of sites shows that some backup pgms will hang up over bad clusters. Isolating them, deleting the affected files and continuing the backup seems the way to go. Better backup pgms give you the option of ignoring bad clusters. You do get a backup but with data missing.

gerbil 216 Industrious Poster

Most of those I listed were merely orphaned entries [files called but not there anymore...], it was only the two O4 entries that I thought were of some concern, plus their related files.
Comodo is a complex but thorough firewall and system defense, some will not like it because of that...

gerbil 216 Industrious Poster

Don't know what you mean by main menu.

gerbil 216 Industrious Poster

Orright. Comodo.. take notice of the various options available on the popups, using them can simplify life.
Panda is a good scan... really good. Never hurts to get a second opinion. MBAM targets trojans, adware, spyware... Panda is a little more complete, dare I say?

gerbil 216 Industrious Poster

Ello puddin,
your error indicates that ntfs.sys cannot deal with your hdd. Could be the driver itself, but a problem with the hdd itself or some interference from your AV are possible. So if you cannot restart in safe mode to disable your AV and run chkdsk /f as suggested then grab your installation cd and enter the Recovery Console, and run chkdsk from there.
Note the different parameters:
First run... chkdsk C: /p to check the disk; if it reports any errors then run.. chkdsk C: /r
[chkdsk /f is not valid with the RC, it works only in the OS].

gerbil 216 Industrious Poster

Is it possible to extract the files from the thumbs.db file??? Thumbs.db contains only the low resolution thumbnails of your pictures that are displayed in explorer if you select that option in View.

gerbil 216 Industrious Poster

A good uninstaller with a complete .ini file to guide it should remove all files [sometimes giving you choices] and registry entries. It is a pretty invasive application which has reg entries which could impair your OS, mostly they just add an insignificant amount of clog. Sys Res can't do anything about remnant files, it may be able to restore your registry so that it does not contain orphaned entries, but it can be that some are in areas the Sys Res app does not save in Restore Points. Hence the proliferation of Reg cleaners.... consider though that an app may create 5 or 20, even 50 entries, but the reg of a moderately-loaded system in all its hives contains tens of thousands... so a few are neither here nor there. Restoring to an earlier date is a simple thing to test if a problem occurs, but you should consider the effect on working installations made later than that date, so if it does not solve it then you revert to avoid conflicts with those installations.
Try researching the effectiveness of System Restore, you will see that it is not the perfect answer.

gerbil 216 Industrious Poster

Hello, Marie, apologies to you for your posts being ignored. Did you use Hijackthis to fix these log entries:
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Renovate] C:\WINDOWS\system32\Renovate.exe
O4 - HKLM\..\Run: [Install5G] D:\Install.exe

And did you delete the files:
C:\WINDOWS\system32\Renovate.exe ?
D:\Install.exe

You should get a proper firewall, ie Comodo, Kerio or ZoneAlarm
This is handy: Spywareblaster
Cheers. Feel free to ask for more help.. :)
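
The "fix the entry, then delete its file" routine used in these replies splits a HijackThis list into three kinds of line, which this added example does mechanically. It is not part of the original posts: the sample lines are quoted from logs on this page, and `parse_entry`, `triage` and the bucket names are constructed for illustration.

```python
import re

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)")
PATH_RE = re.compile(r"[A-Za-z]:\\[^()]*?\.(?:exe|dll)\b", re.IGNORECASE)

# Sample lines quoted from the HijackThis logs posted on this page.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll (file missing)
O4 - HKLM\..\Run: [Renovate] C:\WINDOWS\system32\Renovate.exe
O4 - HKLM\..\Run: [Install5G] D:\Install.exe
O21 - SSODL: kvxqmtre - {36124790-EB2B-4710-A22A-1A3E2E8AF093} - C:\WINDOWS\kvxqmtre.dll
O20 - AppInit_DLLs: WIKI.DLL
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
"""


def parse_entry(line):
    """Parse one HijackThis line; return None for anything else."""
    match = ENTRY_RE.match(line.strip())
    if match is None:
        return None
    body = match.group("body")
    path = PATH_RE.search(body)
    return {
        "section": match.group("section"),
        "body": body,
        # HijackThis marks a target that no longer exists on disk.
        "orphan": ORPHAN_RE.search(body) is not None,
        "path": path.group(0) if path else None,
    }


def triage(log_text):
    """Split entries already chosen for fixing into three work lists."""
    buckets = {
        "registry_only": [],  # orphaned: Fix Checked is the whole job
        "file_on_disk": [],   # fix the entry, then delete the named file
        "no_path": [],        # policy values or bare names such as WIKI.DLL
    }
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        if entry["orphan"]:
            buckets["registry_only"].append(entry)
        elif entry["path"]:
            buckets["file_on_disk"].append(entry)
        else:
            buckets["no_path"].append(entry)
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket, entries in result.items():
        print(bucket)
        for entry in entries:
            print("  ", entry["section"], entry["path"] or entry["body"])
```

The split says nothing about whether an entry is bad; it only sorts lines a helper has already picked, so the file list still needs the same judgement the posts apply.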

gerbil 216 Industrious Poster

Hello, shane... for a start I think you need a better Firewall. If you check the nod32 log entries you posted you will see that svchost.exe was contacting dangerous websites. Comodo Firewall Pro [free] would have alerted you to the fact that it was attempting to make web connections before any connection was made.
The hijackthis log shows as clean, but you could use it to fix these two orphaned entries:
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)

Something must be there, though, to cause svchost to open connections, so to check a little further would you please:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will …

gerbil 216 Industrious Poster

Heya, Polop, good stuff. But re your hurt, I was referring to file deletion; not sure I said or meant lost forever: "But not if they have been overwritten.... nothing can help then."
There is a great difference between deletion and erasure... deletion simply involves removing a file table entry and freeing up the file space on the disk; all the file still exists [until some other file is written into the freed space], it just does not have a pointer to it. The tool I suggested is pretty thorough, another good and quick one is Restoration.exe which has a distinct advantage in that it will dl to and run from a removable drive like a floppy with no installation required. Which means that there is less risk of new files overwriting deleted file space.
I was surprised when I first ran TestDisk for another task - it found a couple of partitions and some of their files that I had long since deleted or moved the boundaries thereof. A good tool just a bit dangerous, is all. Try it.

gerbil 216 Industrious Poster

Regarding a backup program... it's not very helpful of me if I don't suggest one... after sorting through a selection this is the one I use [the freeware version].
http://www.2brightsparks.com/syncback/
Very easy to setup... and then it just works. Can't ask for more than that.
Its interface makes it easy to choose files, folders, to backup and also to remove unwanted backed-up material, schedule backups etc.

gerbil 216 Industrious Poster

Jabari.... I am not really interested enough to wring information out of you... I did also ask, twice now, for the name of the login application that you loaded. Can't do much without it.
Meanwhile, fix these entries in your registry: to do that...
Start hijackthis, -select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {1634B365-0D36-49E9-928C-744CAF2949DB} - (no file)
O2 - BHO: (no name) - {2FA24518-5FE0-4CF1-8BA1-8EB9BE93AA50} - (no file)
O2 - BHO: targetedbanner browser optimizer - {7132bbc3-5219-f356-6084-8ec17cec3c26} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8CA37024-C7DF-45A2-ADF8-0CC4671FC5CC} - (no file)
O2 - BHO: (no name) - {8EEB2711-9D21-4f9c-99A1-B7FC5A8CA56A} - (no file)
O2 - BHO: (no name) - {FC309944-7CF3-7F05-FF39-7AA2E49F429E} - (no file)
O2 - BHO: (no name) - {ff277b66-2200-4807-a445-24324a7ba80a} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [caseyvideo]
O9 - Extra button: PokerTime - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\PokerTime\MPPoker.exe (file missing) (HKCU)
O15 - Trusted Zone: *.download.com
O20 - Winlogon Notify: khfETmJa - khfETmJa.dll (file missing)

good luck.
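An added example, not part of the original post and not HijackThis's own logic: a small triage script that sorts log lines like the ones above into entries whose target is already gone and entries that need a human decision. The sample is a subset of the lines quoted in the post; the "null CLSID" and "empty Run value" rules are assumed heuristics.

```python
import re

# Constructed sample: a subset of the entries listed in the post above, in HijackThis log format.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1634B365-0D36-49E9-928C-744CAF2949DB} - (no file)
O2 - BHO: targetedbanner browser optimizer - {7132bbc3-5219-f356-6084-8ec17cec3c26} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKCU\..\Run: [caseyvideo]
O9 - Extra button: PokerTime - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\PokerTime\MPPoker.exe (file missing) (HKCU)
O15 - Trusted Zone: *.download.com
O20 - Winlogon Notify: khfETmJa - khfETmJa.dll (file missing)
"""

# "O<n> - <kind>: <detail>", e.g. "O2 - BHO: (no name) - {CLSID} - (no file)"
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
NULL_CLSID = "{00000000-0000-0000-0000-000000000000}"


def orphan_reasons(section, detail):
    """Return the reasons an entry looks orphaned (assumed heuristics, not HijackThis rules)."""
    reasons = []
    if detail.endswith("(no file)"):
        reasons.append("no file")
    if "(file missing)" in detail:
        reasons.append("file missing")
    if NULL_CLSID in detail:
        reasons.append("null CLSID")
    # An O4 line that shows only [value name] has no command behind it.
    if section == "O4" and re.fullmatch(r"\[[^\]]+\]", detail):
        reasons.append("empty Run value")
    return reasons


def triage(log_text):
    """Split log entries into (orphaned, manual_review) lists of (section, kind, reasons)."""
    orphaned, manual = [], []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and log header text
        section, kind, detail = m.group(1), m.group(2), m.group(3).strip()
        reasons = orphan_reasons(section, detail)
        (orphaned if reasons else manual).append((section, kind, reasons))
    return orphaned, manual


if __name__ == "__main__":
    orphaned, manual = triage(SAMPLE_LOG)
    for section, kind, reasons in orphaned:
        print(f"{section:<4}{kind:<18}{', '.join(reasons)}")
    for section, kind, _ in manual:
        print(f"{section:<4}{kind:<18}needs a human decision")
```

The O15 Trusted Zone line lands in the manual list: nothing in the line itself marks it as orphaned, so whether a trusted-zone domain belongs there remains a judgement call.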

gerbil 216 Industrious Poster

As abu says, you probably have an infection of sorts.. registry keys do not spontaneously change.. so first I would try this scan:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file to install the application and ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected. Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

The fix for the FolderOptions that you require is this:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

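Windows Registry Editor Version 5.00

; "name"=- deletes the value; .reg files need the full hive names, not HKLM/HKCU
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoFolderOptions"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-
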
gerbil 216 Industrious Poster

"primary has 3 parts with win 2003 standard in C:"
"other hard disk is single partition; second disk is with windows XP"
[Boot Loader]
Timeout=10
Default=C:\$WIN_NT$.~BT\BOOTSECT.DAT
[Operating Systems]
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /fastdetect

Hello, male, it does look like the XP installation fell over. It has left an incorrect entry in the boot.ini file - the Default is pointing to the Restart file that is used during installation.
And there are three OSes shown in the selection list!
This should work for you:

[Boot Loader]
Timeout=5
Default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[Operating Systems]
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect

If you do not like the default I have chosen for you simply paste this line in instead:
Default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
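An added example, not part of the original post: a checker that parses a boot.ini and reports the defect described above, run against the file as posted and against the suggested replacement. Both samples are copied from this post; the function names and the two checks are choices made for this example.

```python
# boot.ini as originally posted (Default points at the setup restart file).
BEFORE = r"""
[Boot Loader]
Timeout=10
Default=C:\$WIN_NT$.~BT\BOOTSECT.DAT
[Operating Systems]
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /fastdetect
"""

# Replacement suggested in the post.
AFTER = r"""
[Boot Loader]
Timeout=5
Default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[Operating Systems]
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect
"""


def parse_boot_ini(text):
    """Return {section name (lower case): [(key, value), ...]} in file order."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            sections[current].append((key.strip(), value.strip()))
    return sections


def check_boot_ini(text):
    """Return a list of problems with the Default line (empty list means none found)."""
    sections = parse_boot_ini(text)
    loader = {k.lower(): v for k, v in sections.get("boot loader", [])}
    entries = {k.lower() for k, _ in sections.get("operating systems", [])}
    default = loader.get("default")
    if default is None:
        return ["no Default line in [Boot Loader]"]
    problems = []
    if default.lower() not in entries:
        problems.append("Default is not listed under [Operating Systems]")
    if "$win_nt$.~bt" in default.lower():
        problems.append("Default points at the setup restart file")
    return problems
```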

gerbil 216 Industrious Poster

I agree with Frank, it's possibly a video chip issue, and if it is onboard video then the mb requires attention.

gerbil 216 Industrious Poster

Hi, Frank.. consider that SysRes saves some of your registry and some info about your system files [not all of either] then it follows that in cases of damage to those areas a rolling back to earlier settings will be of help.
Perhaps a bad pgm installation or a virus does some damage.... so you remove the problem ...ie uninstall the pgm or destroy the virus, but some damage to registry or sys files remains - then a Sys Res may help.
A like problem can arise say when the OS is recording changes to files, registry etc and an impromptu shutdown occurs; LKG may solve that, it may not. I use ERUNT for a more complete registry backup, but have not as yet required its service.
SysRes will not fix or return damaged or deleted data files.

gerbil 216 Industrious Poster

I think you may be taking him a little too far down the track of excitement and despair. AMD processors have 19 thousand tiny pins on em, maybe even more than that, and they bend so easily if you mishandle them. And heatsink paste should not dry out.. so it is best not to remove the heatsink...just dust the fan, make sure it spins is all.

gerbil 216 Industrious Poster

What does Disk Management report for your drive?

gerbil 216 Industrious Poster

Try sfc anyway - you may have the \386 files installed somewhere, like in the C: root... [they are what it uses]
Else may I suggest that you try borrowing a disk? Or get one of the correct type for your installation burnt?

gerbil 216 Industrious Poster

In Safe Mode try going to the login app you loaded [under program files] and start the uninstaller, if it exists. Your login will have registry entries to start it running, so just deleting stuff will not work. You would just end up with no login screen at all.
Sorta like now... :)
Okay, in Safe Mode with Networking:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
We're a bit blind as to what you have... what exactly is your login app? They differ widely as to how they work.
Pretty much what I advised in the other thread of yours. You don't help us, we can't help you.