gerbil 216 Industrious Poster

Hi... this is what you have: http://www.faronics.com/html/deepfreeze.asp
Basically the [key] entry you posted means that when winlogon.exe runs during startup this program is also started.
You are safe. If you do actually have deepfreeze.

gerbil 216 Industrious Poster

Slow answer.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log in the Virus forum.
Avira personal free at http://www.free-av.com/
Avast home edition at http://www.avast.com/eng/avast_4_home.html
AVG 8.0 at http://free.grisoft.com/ww.download-avg-anti-virus-free-edition
...and one of these:
ZoneAlarm Free, Kerio, Comodo
http://www.zonealarm.com/store/content/catalog/products/sku_list_za.jsp
Finally, get this:
Spywareblaster

gerbil 216 Industrious Poster

You really must help us to help you!! Saying you have a popup problem is a pretty bland statement. Many tools run, but you don't list them.. so I could be wasting my time posting this....?

==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ ..
Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... …

gerbil 216 Industrious Poster

Second thoughts, since rundll32.exe can get hung up by malware, and since some malware blocks [installation of] AV services you could try these:
First clean [all accounts on machine!!]
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts. Then...
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/homeusers/solutions/activescan/?
-for the free online virus scan select the link Scan your PC, then Register [otherwise there will be no disinfection, merely detection] with a valid email and follow through.
Please ATTACH to your post the log it produces.

gerbil 216 Industrious Poster

Hello there...
"I don't even know if I have a C:\windows\system32\dllcache folder " ... oh, yes you will, but you must display super-hidden files - in an explorer window go Tools, Folder options, View tab, uncheck Hide protected Op Sys files, Yes, Apply n Ok. And when you are done, hide them again!
That is a nice, clean log.
When you select the Desktop tab these extra dlls are called [they run under rundll32.exe]:
CSCDLL.dll
cscui.dll
MPR.dll
SETUPAPI.dll

Apart from that... I have nothing to offer.

gerbil 216 Industrious Poster

mm... that didn't work, two of those entries are still there, so they may be protected by another file, or have permissions denied in registry. We can check that, or you can, manually. Are you cool with working in the registry? If those two entries will not delete with hijackthis then it is possible permissions on the keys have been changed to deny.
The easiest way to fix that is for you to open registry, change the permissions on those keys and then delete the two bad entries manually.
Full key names are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B9928CA-2B38-43C8-BE19-A4A6386DE417}]
and:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]: "byXPJCUO"="C:\WINDOWS\SYSTEM32\byXPJCUO.dll"

Here goes.... [have the registry window minimised so you can read this..]
A small point- when you first get to the Browser Helper Objects and Notify keys select each in turn by lclicking, go up to File tab, and Export each, to your desktop is fine, best even. Just in case.

Go Start, Run, type: regedit -and press Enter.
Expand HK_Local_Machine [by clicking the +]
Expand Software, then Microsoft, Windows, Current Version, Explorer, Browser Helper Objects.
Rclick {0B9928CA-2B38-43C8-BE19-A4A6386DE417}
In the menu that opens select Permissions....
You as an Admin User should be highlighted..
Check Allow for Full Control, Apply n OK.
Ripper, now in the left pane....
Rclick {0B9928CA-2B38-43C8-BE19-A4A6386DE417} and Delete...
Next...
Minimise that Windows key, expand Windows NT, CurrentVersion, Winlogon.
Rclick Notify.
In the menu that opens select Permissions....

gerbil 216 Industrious Poster

Okay, let's try a tool which targets other malware. You did have quite a variety there.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file to install the application and ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].
And now re-run Combofix, please, and post that log also.

gerbil 216 Industrious Poster

Nothing in that screenshot to change, pinki, it just lists the wallpaper you are trying to show.

gerbil 216 Industrious Poster

Okay, you are pretty much at the head of the queue with this particular one, a trojan downloader. JB is just learning this anti-malware stuff, he's hot on the tech side. So...
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: (no name) - {0382CBBA-E318-4BEA-9649-45A5832AB9BD} - C:\WINDOWS\system32\fcccbAPJ.dll
O2 - BHO: (no name) - {0B9928CA-2B38-43C8-BE19-A4A6386DE417} - C:\WINDOWS\system32\byXPJCUO.dll
O20 - Winlogon Notify: byXPJCUO - C:\WINDOWS\SYSTEM32\byXPJCUO.dll

Good, now search for and delete these files:
C:\WINDOWS\system32\fcccbAPJ.dll
C:\WINDOWS\system32\byXPJCUO.dll

I do not think it is a Vundo infection, but let's check anyway...
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix …

gerbil 216 Industrious Poster

Pinki, another key that can come into play with wallpaper is this one:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
-it is where your wallpaper is referenced; also check the parent key, Desktop. Just look for entries that might deny wallpaper.
Some third-party software reg keys may also contain entries that disable wallpaper.

gerbil 216 Industrious Poster

Oh, the wallpaper problem... Almost forgot. Well, there are a lot of keys involved in that, and the best fix is this one from Kelly's Korner. It is for XP, should work for Vista.
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoCloseDragDropBands"=dword:00000000
"NoMovingBands"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000000
"Wallpaper"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ClassicShell"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoFolderOptions"=dword:00000000
"NoSimpleStartMenu"=dword:00000000
"NoCDBurning"=dword:00000000
"NoComputersNearMe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000

That ought to do the trick.... if Vista is something like XP in the relevant keys. Anyway, running it should not damage anything, it is just making/setting those entries so as to nullify them.

gerbil 216 Industrious Poster

Interesting re RKR not wanting to play... did you use IE to download it... M$ is touchy about other browsers accessing some of their services.
Nothing shows in that log as malware. But you do have both Avast and McAfee running as active AV services, and that is a big problem, so please make a choice and remove one immediately. They can interfere unpredictably.
As I said, I do not see anything else bad there, but I am afraid that I am not Vista compatible... so I would have trouble helping further.

gerbil 216 Industrious Poster

I will leave this problem to jb, don't really want to jump in - it was just the baby naming thing..
Anyway, while he is coming online you could rename that file this way:
Open Task Manager [ctrl-alt-del usually does it]
Go to File, New Task, type this line at the prompt:
cmd
-and press Enter. Then in the black command window that opens paste or type:
Rename C:\"Program Files\Trend Micro\HijackThis\HijackThis.exe" Imabunny.exe
-and press Enter. Then paste:
C:\"Program Files\Trend Micro\HijackThis\Imabunny.exe"
-and press Enter.

gerbil 216 Industrious Poster

"My first born named after you!!"
Please let me solve this one, jb...?
Heh heh heh...

gerbil 216 Industrious Poster

Next bit. There must be something hidden...
Please run Combofix again [after SDFix].
Then ... this is a shotgun approach, quit if/when something is turned up.
==Download [currently it will not dl correctly with Opera; use IE] the latest standalone version of Blacklight from http://www.f-secure.com/blacklight/ -follow the links until you get to where you can download Blacklight. Start it, accept the agreement and Scan.
==RKR from http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx -read that page, dl the file at foot, start it and Scan.
Post the relevant logs.

gerbil 216 Industrious Poster

ALL things are solvable.
Pinki, are you cool with working in the registry? If those two entries will not delete with that reg file I gave you then permissions on the Run key have been changed to deny.
The easiest way to fix that is for you to open registry, change the permissions on that key and then either delete the two bad entries manually or run my reg file.
Here goes....
Go Start, Run, type: regedit -and press Enter.
Expand HK_Current_User [by clicking the +]
Expand Software, then Microsoft, Windows, Current Version.
Rclick Run; in the menu that opens select Permissions....
You as an Admin User should be highlighted..
Check Allow for Full Control, Apply n OK.
Ripper, now in the right pane....
Rclick "dzrfwrbk" and Delete...
Rclick "mZAHXfkXDR" and Delete.
Close the registry page.
Did that do the job? Run a hijackthis to see if they are regenerated.

gerbil 216 Industrious Poster

Thanks for attaching that log, JG, it does make it easier to read.
Delete C:\QOOBOX folder.

==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9}]

[-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\tsa]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta\https]

[-HKEY_CLASSES_ROOT\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}]

[-HKEY_CLASSES_ROOT\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]

[-hkey_local_machine\software\classes\nn_bar_dummy.nn_bardummy.1]

[-hkey_local_machine\software\classes\nn_bar_dummy.nn_bardummy]

==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Dclick killbox to start it.
>Highlight the pathnames in the following block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\Program Files\Common Files\fmmm\fmmmd\fmmmc.dll
C:\WINDOWS\system32\ordsregn.exe
C:\WINDOWS\system32\kfaflghp.dll
C:\WINDOWS\cfg32.exe
C:\WINDOWS\srvcjfoias.exe
C:\WINDOWS\srvvjkbzix.exe[TagASaurus.exe]
C:\WINDOWS\876056.exe
C:\WINDOWS\srvvjkbzix.exe[Sos28.exe]
C:\WINDOWS\system32\BattyRun2.dll
C:\WINDOWS\stub_mm1.exe
C:\Program Files\Ringz Studio\Storm Codec\stormupd.dll
C:\WINDOWS\srvcjfoias.exe[PSDream.exe]
C:\WINDOWS\whCC-MTHREE.exe
C:\WINDOWS\cfg32p.dll
C:\WINDOWS\system32drei.exe
C:\WINDOWS\srvvjkbzix.exe[uni_7eh.exe]
C:\WINDOWS\srvvjkbzix.exe[109uninst.exe]
C:\WINDOWS\vlcfkcdp.exe
C:\WINDOWS\stub_mm6.exe
C:\Program Files\Game_Maker7\DrXJ.exe
C:\Program Files\Game_Maker7\crack.exe[DrXJ.exe]

-in killbox, go File menu, choose Paste from clipboard.
Select "Delete on reboot", "Unregister dll before deleting" if available, click the "all files" .
Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
If your computer does not reboot please restart it manually.

==You must clear all your system restore points because some have been infected.... you do this by toggling System Restore Off then On again. So go control panel > system > system restore tab, check Turn off …

gerbil 216 Industrious Poster

AVG8 does it all, AV, AS, ActiveX blocker...
I do not use any realtime AS... I keep AVG AS and Spybot up to date but rarely scan. I have Spywareblaster for ActiveX blocking and site blocker.
So cut the list to AVG8 and Spywareblaster. Occasionally update Spybot but no need to run it as a guard. My opinion, based on my activities. You may be a web rat for all I know.

gerbil 216 Industrious Poster

labber, XP home does not have gpedit. Go to my post in the first page and apply it.
Or, if you wish, just do this and it will remove the key value involved.
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

gerbil 216 Industrious Poster

D/E is a SATA drive? I presume you are using a Sata-IDE converter because you write of IDE-0? I spose I could have looked up the drive code in that boot list you gave in Post #11.... but I didn't.
Okay, glad you have it sorted electrically... does the cd drive insist upon being Master, otherwise it will not work? Or is it because you chose that config and did not alter the rear panel jumper?
Could you please give me a copy of the C:\boot.ini?

gerbil 216 Industrious Poster

Do you have Adaware 2007? Then Allow. Lsdelete.exe is a file in system32 from Adaware.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute" ="autocheck autochk * lsdelete"
....is in my sys. I have no problem with it.

gerbil 216 Industrious Poster

AVG Quarantine.... that is a setting, explained in this line:
-under Scanner/ Settings please change the Default Action from Recommended Actions to QUARANTINE, and run the complete system scan.
What that change does is force AVG to save the suspect files in a safe so you can review them before deleting or restoring them; otherwise AVG will apply its inbuilt Rec. Actions which generally for detections is deletion.
Not preaching here, but cracks n stuff.... if I wrote a tasty bit of software and wanted payment for it I would be annoyed at folks bypassing me with cracks. So, being a software writer, I would push out my own cracks... and they would be bad. Loaded. Pestware, adware, the lot, to put folks off downloading stuff to beat my software. Writers do that.
And if you earn a living by loading trojans with adware for payment, well cracks are just another way to get ppl to accept your trojans and execute them.
Best you run this virus scan [CClean first]:
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/homeusers/solutions/activescan/?
-for the free online virus scan select the link Scan your PC, then Register [otherwise there will be no disinfection, merely detection] with a valid email and follow through.
Post the log it produces here.

gerbil 216 Industrious Poster

Ok, fingers crossed here for you.
Seriously though, nothing we have done would damage a drive. If you set the jumpers according to its back panel diagram, as Master in the Primary and your sys does not any longer detect it, well, there are only two options.... first is back to the shop with it, second is flash BIOS with an upgrade if one is available.
But I'd be taking it back to the shop. Even new things break.
Is C: happy with the cd drive slaved with it?

gerbil 216 Industrious Poster

Log is fine. If you wish to change registry settings... ie to FIX those R0, R1 entries you must..
Temporarily...
=Disable TeaTimer:
Open Spybot, click Mode, select Advanced Mode, click Yes in new window, click on Tools in bottom left hand corner.
Click the Resident icon and uncheck Teatimer box.
How is AVG8 working with Spywareblaster?... there was a false positive detection issue earlier.
Defender. Spybot. AVG8. Overkill.

gerbil 216 Industrious Poster

Hello, Cristalle... re the drive configuration - I am going to make a guess or two here.
Because you only had one hd and one cd drive before they were probably mounted on different IDE controllers and so both were set to Master? Then with the new hd installed the cd drive had to pair onto a controller with an hd and that may be the cause of a problem with BIOS and drive detection.
Now without knowing the make or type of your drives...
A. Put the hd's on the outer IDE cable connectors, one to each IDE controller.
B. Put the cd drive on the inner connector on IDE-1 [secondary controller] along with C: drive. That way the OS on E: gets a controller to itself and info transfer is more efficient. The OS does a lot of self checking, sys file reads while working and this setup means it won't get bogged down with file/music data transfers.
C1. If your sys and drives are reasonably new and if Cable Select CS is available simply set the jumpers on all drives to that; the system will sort out master and slave arrangements.
C2. Else if no CS, or simply if you wish, set the jumper on the hd on IDE-0 to Master [ Caution...if it is a Western Digital and is the ONLY unit on the controller then do not use a jumper], and....
On IDE-1 [secondary] set the hd …

gerbil 216 Industrious Poster

Okay, that is one of the messages in ntldr, and because you reset the boot order to IDE-1 it is from the ntldr on C: drive; basically, it is saying that it is looking for XP but could not find or read the XP files on the E: drive. It managed earlier.
I have assumed a couple of things, and I should not have. Is your cd drive on the IDE-0 [primary] controller? That is fine, it should be the slave, the new hard drive the master. Is the old drive with C: master on the secondary controller? That is the configuration I wrote the boot.ini file for. But, please tell me the drives/controllers configuration that you have.
And did you get the cd drive working? Just wondering if the cabling connections are seated well because earlier the system booted just fine with IDE-1 as first boot device, and we have not altered anything on that.
To check could I have a copy of the boot.ini file on C: please, if you get the thing working? I do suspect connections are a problem atm.

gerbil 216 Industrious Poster

Heya, Cristalle.. when you install a new XP it pays not to let it see the old one... you should have removed the old disk first.
Then you would have got the OS installed in E: [M$ boot drive] and D: set as the M$ system drive with the loader files in it.
Ah...
"Windows XP Professional"
"Windows XP Professional" .. that would be the boot.ini file on C:.
"C was always (System)" .. that means it would have been Active also, but Active does not show if it is set on the System drive. There is only ever one Active partition if you are using Windows to set things.
Your cd must have been working a bit ago, try checking the cables which may have been dislodged when you inserted the new hd.... I do not know why you are seeing the BBS bootROM as a boot device, cos you have the IDE disks available, but ignore it.

In the first post to you I forgot to tell you to set IDE-0 as boot drive after copying in those files to D: and making the new boot.ini file for D:.
It should have gone in here:
...note those two partition(2)....
-save it to D:\
Hide those OpSys files again.
Restart. ** Set boot order to IDE-0 first.** Might work.

-doing that should be sufficient to get it to boot using D:, then you can delete those …

gerbil 216 Industrious Poster

If you type C: into the Start, Run window does that open them? Or if you type C: into the address bar in an explorer window?
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer"  >>C:\showkey.txt
start C:\showkey.txt
pause

gerbil 216 Industrious Poster

Control Panel.... :)

gerbil 216 Industrious Poster

I was wondering... btw, did you disable TeaTimer before running that reg file I gave?
Done it? Great. Now...
==Download SDFix from here: http://downloads.andymanchesta.com/R...ools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
=You must restart your computer in Safe Mode:
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.

***** Instead of ATF you may wish to substitute this cleaner.. it is the one I …

gerbil 216 Industrious Poster

JGR, just one obvious pest to remove: searchbar.findthewebsiteyouneed.com
Fix this entry with hijackthis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
Good, now a clean..
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
...and a Spyware scan:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
...with your comments, please?

gerbil 216 Industrious Poster

"my comps been working fine !"
That's all we need. Cheers.

gerbil 216 Industrious Poster

The way Windows Setup works can be quite confusing... was the old disk with C: on it still IDE-0 when you installed XP on the other disk?
And you changed the Active partition setting from C: to D: yourself? [if you had tried to restart after that you should have gotten a "ntldr is missing" message and a blue screen].
Anyway... it reverted? Right...
=temporarily edit the boot.ini file in D:\ to look like this:

[boot loader]
timeout=6
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Prof D:" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows Professional" /noexecute=optin /fastdetect

-then during login you will be certain which boot.ini is being used- if it is this one then you will actually see the menu. The second line I added is a nonsense for your sys, something has to be there otherwise you will not see the menu; do NOT choose it, just let the menu timeout to default after 6 secs.
=Check, or set, D: to be Active, that ntldr and ntdetect.com [and boot.ini] are in D:\.
=Shut down and restart into BIOS, set to boot from cd and insert your XP cd, boot into the Recovery Console by typing R to Repair when given the choice during Setup. [If the sys manages to boot into Windows again accidentally then it may revert the settings above; redo them]
Let the loading of Recovery Console run to the point where it asks if you …

gerbil 216 Industrious Poster

Wheeee...!
Takes me back to my first post.... bad software causing explorer.exe to crash. We focussed a bit on malware being the issue, but we did clean out your worm along the way.
So it merely turned out to be a bad installation of something legit... well, it happens. :). A full-time guard, no less.
You've been quite forensic in tracking this down, well done.
Event Viewer you reach via CP, Admin Tools; you'll see also Performance in that menu, it's where logs are created [if logging is enabled].
I'm sure you realise that being in an Administrator ac all the time means that you give those privileges to any malware you pick up whilst on the web...
I'm not chasing kudos... as I told someone else, this is my version of crossword puzzles. I pick the problems where I think I can help, or those which present a good opportunity to extend my knowledge.
It's been fun. Cheers, bear.

gerbil 216 Industrious Poster

You write like you are not in the Ukraine, so...
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Only if your Internet connection is now not working perform this.... In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

FIX CHECKED ENTRIES....!!
Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - (no file)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{36E0607A-7608-42E8-A37C-B762491C2426}: NameServer = 85.255.116.50,85.255.112.86
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3BBCB58-9107-4336-89A2-15FC5F127074}: NameServer = 85.255.116.50,85.255.112.86
O17 - HKLM\System\CCS\Services\Tcpip\..\{C452D6C8-892A-4324-AE70-C9886BEB4F1C}: NameServer = 85.255.116.50,
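The entry types gerbil asks to be fixed above (O2 BHO with no file, O15 Trusted Zone additions, O17 NameServer overrides, R0/R1 page overrides) are the ones worth a second look in any HijackThis log. As an added example, not from the post, here is a small parser for those log lines with a defender's checklist run over a constructed sample; the sample reuses the addresses quoted in the fix above, while the helper GUID, its path and the 192.168.1.1 router address are made up for the demo.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample log modelled on the entries quoted in the post above.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{36E0607A-7608-42E8-A37C-B762491C2426}: NameServer = 85.255.116.50,85.255.112.86
O17 - HKLM\System\CCS\Services\Tcpip\..\{C452D6C8-892A-4324-AE70-C9886BEB4F1C}: NameServer = 192.168.1.1
"""

# Every HijackThis entry is "<kind> - <body>", e.g. "O17 - HKLM\...: NameServer = ..."
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (kind, body) pairs for every entry line, skipping the header text."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("kind"), m.group("body")))
    return out

def audit(entries: List[Tuple[str, str]], expected_dns: List[str]) -> List[Tuple[str, str, str]]:
    """Defender's review of the entry kinds used in the fix above.
    expected_dns is the list of resolvers the machine SHOULD be using (ISP or router);
    returns (kind, reason, body) triples for lines that warrant a look."""
    allowed = {ipaddress.ip_address(a) for a in expected_dns}
    findings = []
    for kind, body in entries:
        if kind == "O17":
            m = re.search(r"NameServer\s*=\s*(.*)$", body)
            servers = [s for s in re.split(r"[,\s]+", m.group(1)) if s] if m else []
            rogue = []
            for s in servers:
                try:
                    ip = ipaddress.ip_address(s)
                except ValueError:
                    rogue.append(s)          # not even an address: worth a look
                    continue
                if ip not in allowed and not ip.is_private:
                    rogue.append(s)          # public resolver nobody configured on purpose
            if rogue:
                findings.append((kind, "DNS server not in the expected set: " + ",".join(rogue), body))
        elif kind == "O15":
            findings.append((kind, "site added to the IE Trusted Zone", body))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append((kind, "BHO registered but its DLL is missing", body))
        elif kind in ("R0", "R1"):
            findings.append((kind, "browser start/search page override, verify the host", body))
    return findings

if __name__ == "__main__":
    for kind, reason, body in audit(parse_hjt(SAMPLE_LOG), ["192.168.1.1"]):
        print(f"{kind}: {reason}\n    {body}")
```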

gerbil 216 Industrious Poster

Heya, Cristalle, yep, from your second pic I can see that Windows is installed on E: [the "boot" drive], which is a logical partition in an extended partition. Which is fine, but you can only mark a primary partition as Active, and you have done that- D: is Active. D: being the Active partition means it must also contain the boot or loader files [ntldr, ntdetect.com, boot.ini] because .... well, how much do you wish to know..?
Startup: ...this will be a very brief version of the chain of events!..... BIOS whirs, searches for the master boot record on the master disk [your Disk 00]. The MBR's partition table for the whole disk is read, logical partitions in an extended partition are successively investigated and the single, active partition is noted, the mbr code is loaded into memory, and BIOS hands control to that. The mbr code directs operations to the partition marked as active, specifically to its boot sector. All partitions contain the same boot sector code, but only that active partition's boot sector code is loaded; it assumes control and searches for certain files in the root of that partition. If your OS is XP then ntldr will be read into RAM and ntdetect.com will examine your hardware [and either BIOS or Windows will assign resources to them depending on whether you have ACPI].
ntldr will read boot.ini..... and on it goes.

You can check yourself that a logical drive cannot …
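An added illustration, not from gerbil's post: a Python sketch of what the MBR code actually reads, using a constructed disk image (C: and D: as primaries, D: marked active, E: as a logical drive inside an extended partition) rather than a real drive. It parses the four partition slots at offset 446, follows the extended partition's EBR chain to find the logical drive, and shows why only one of the four MBR slots can carry the 0x80 active flag.

```python
import struct

SIG = b"\x55\xAA"
EXTENDED = {0x05, 0x0F}  # DOS / Win95 extended partition types

def entry(boot, ptype, lba, sectors):
    # One 16-byte slot; CHS bytes left zero, the LBA start/length is what is read.
    return struct.pack("<B3xB3xII", boot, ptype, lba, sectors)

def boot_sector(entries):
    # A 512-byte MBR or EBR: code area, four 16-byte slots, 0x55AA signature.
    return b"\0" * 446 + b"".join(entries).ljust(64, b"\0") + SIG

def read_table(sec):
    """Return (slot, active, type, lba, sectors) for each used slot of a sector."""
    if len(sec) != 512 or sec[510:] != SIG:
        raise ValueError("missing 0x55AA boot signature")
    rows = []
    for i in range(4):
        boot, ptype, lba, n = struct.unpack_from("<B3xB3xII", sec, 446 + 16 * i)
        if ptype:
            rows.append((i, boot == 0x80, ptype, lba, n))
    return rows

def layout(disk):
    """disk maps LBA -> 512-byte sector. Returns (primaries, logicals, active slot)."""
    primaries, logicals = [], []
    for slot, active, ptype, lba, n in read_table(disk[0]):
        primaries.append({"slot": slot, "active": active, "type": ptype, "start": lba})
        ebr = lba if ptype in EXTENDED else None
        while ebr is not None:
            # Logical drives sit in a chain of EBRs inside the extended partition;
            # they never occupy an MBR slot, so the active flag cannot be set on them.
            rows = read_table(disk[ebr])
            logicals.append({"type": rows[0][2], "start": ebr + rows[0][3]})
            link = [r for r in rows[1:] if r[2] in EXTENDED]
            ebr = lba + link[0][3] if link else None
    active = [p["slot"] for p in primaries if p["active"]]
    if len(active) != 1:
        raise ValueError("exactly one primary partition must be active")
    return primaries, logicals, active[0]

# Constructed disk image (not from the thread): C: and D: are primaries, D: is
# marked active, and E: is a logical drive inside the extended partition in slot 2.
EXT = 200000
DISK = {
    0: boot_sector([entry(0x00, 0x07, 63, 99937), entry(0x80, 0x07, 100000, 100000),
                    entry(0x00, 0x0F, EXT, 300000)]),
    EXT: boot_sector([entry(0x00, 0x07, 63, 299937)]),
}
```

Calling layout(DISK) returns the three MBR slots, the single logical drive starting 63 sectors into the extended partition, and slot 1 (D:) as the only active partition.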

gerbil 216 Industrious Poster

Sp3. 350mb.

gerbil 216 Industrious Poster

Hello, Cristalle. When you installed a second windows xp OS in the E: volume it did not alter your boot.ini file in C:\, did not install in the root of your new volume E: the files to load the OS. That is because it detected the old OS. If you check in your disk management console you will see that C: is the system drive [contains what some of us call the boot files in the root which load the system files which can be in another volume] and E: is your boot drive [which naturally is not the drive containing the files which "boot" the OS, but the files which are loaded by them... ie, your new OS].
Don't blame me, that is the way M$ uses those terms, boot and system.
And that is why Windows will not let you format C:, it knows it will not be able to start.
You marked D: as your Active partition - it contains the boot sector code which would normally load the files in its root which load Windows. But they are not there. And they cannot be in E: because it is a logical partition.
But no problem. We have to make D: your System partition.
Firstly, in an explorer window you must alter the Tools, Folder options, View settings to show Protected OS files [uncheck that option].
=Check in your E: drive for two files E:\ntldr, E:\ntdetect.com. Not there? Ok, just copy …

gerbil 216 Industrious Poster

.

gerbil 216 Industrious Poster

WinNT\ServicePackFiles\i386 exists if you did an upgrade by download as against an installation with the servicepack included [or slipstreamed]. That folder is your cache for running sfc - put it in sourcepath as "SourcePath" = "C:\WINNT\ServicePackFiles"
sfc would ensure that the correct version was in place, and if you change that sourcepath it will use the file from that i386 folder. You could rerun sfc, this time using the servicepackfiles directory. But I doubt that the error originates from explorer.exe itself.
My point with Combofix deletion was that it times out after a week - it won't run after that time, if you try it will delete itself.
This is a succinct explanation of Active desktop.... http://www.microsoft.com/technet/archive/ie/reskit/ie4/Part3/part3c.mspx?mfr=true -but if you remove it and the error continues, then put it back.
A few words fell out of a line I edited in a previous post:
""Instead it was on Selective Startup with Load startup items selected " .... yep, it does that." ... "if you have items unchecked in the startup list." Those words were meant to be there; that is why msconfig switched from diagnostic to selective mode.
Does the event viewer not show any listing for the error? I just monitored my machine's activity while closing an explorer window - explorer.exe was the only process involved with about 750 dealings with the registry in the 0.10sec it took to complete. Four system dlls were involved, but no third party software, AV …

gerbil 216 Industrious Poster

er, bobby.... I use YPOPS! to run my free Yahoo email ac from OE... :)
It quietly downloads mail from yahoo whenever I open OE, deletes read mail as I delete it from OE, and sends my mail out through Yahoo.
I believe there is another interface pgm out there for hotmail.. but I don't use hotmail, so...

gerbil 216 Industrious Poster

You have the VTP pack... and is/was pskill.exe a part of the package..? Combofix broke that one.. :)
I imagine you are comfortable in there, so open registry and go to these two keys and delete them:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x?\Enum\Root\Legacy_WUDFRDD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x?\Enum\Root\Service_WudfRdd
where the x? stands for whatever controlset the keys are in....
I cannot see anything else.
Delete Vundofix and its files in C:\
Go start, run: combofix /u - to remove combofix.
May as well remove MBAM also...
Good luck out there.
[Crunchie swears by Avast.... I use AVG, but it is bugging me with a daily popup to buy it lately, and that may be enough to get me to change...]

gerbil 216 Industrious Poster

Hmm, that scan missed the mark, but this next scan targets the downloaders behind some of the websites that were added to your trusted zone - that seems a good place to check for the source of the scamming/popups...
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file to install the application and ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].
And then this:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Briefly, yes. You will need an interface program. OE is an email client, whereas Yahoo and hotmail are web-based... when you are looking at your mail in those two all you are doing is looking at just another webpage, albeit one you need a password for. For Yahoo interfacing, try YPops.

gerbil 216 Industrious Poster

I'll check back in a bit for that SDFix log....

gerbil 216 Industrious Poster

==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ ..
Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!

gerbil 216 Industrious Poster

What? These two entries
O4 - HKCU\..\Run: [dzrfwrbk] C:\ProgramData\dzrfwrbk\uditkjcp.exe
O4 - HKCU\..\Run: [mZAHXfkXDR] C:\ProgramData\apmnyvkr\wbyhojgp.exe
are still showing up in the notepad log of hijackthis? That reg file should have removed them..?
Please finish the remainder of my previous post [from Done it? Great. Now...].
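An added example, not part of gerbil's post: a small Python triage pass over a constructed HijackThis excerpt made from the O2/O15/O17 entries in the Fix Checked list earlier in the thread and the two O4 Run entries above, plus one constructed clean Run line (ctfmon) and one constructed NameServer line pointing at a private address. The rules (orphaned BHO, autostart from a data folder, any Trusted Zone addition, any per-interface NameServer outside private ranges) are my own heuristics for what to look at more closely, not HijackThis' own logic.

```python
import ipaddress
import re

# Constructed log excerpt: entries quoted in the thread plus one clean Run line and
# one NameServer line with a private address (the all-zero GUID is a placeholder).
LOG = r"""
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - (no file)
O4 - HKCU\..\Run: [dzrfwrbk] C:\ProgramData\dzrfwrbk\uditkjcp.exe
O4 - HKCU\..\Run: [mZAHXfkXDR] C:\ProgramData\apmnyvkr\wbyhojgp.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{36E0607A-7608-42E8-A37C-B762491C2426}: NameServer = 85.255.116.50,85.255.112.86
O17 - HKLM\System\CCS\Services\Tcpip\..\{C452D6C8-892A-4324-AE70-C9886BEB4F1C}: NameServer = 85.255.116.50,
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Autostarts from user-writable data folders rather than Program Files / system32.
USER_WRITABLE = re.compile(r"\\(ProgramData|Temp|Application Data|AppData)\\", re.I)

def triage(log):
    """Return (item code, reason, line) for entries worth a closer look."""
    findings = []
    for line in log.strip().splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue
        code, body = m.groups()
        if code == "O2" and body.endswith("(no file)"):
            # BHO CLSID still registered but the DLL is gone: leftover registration.
            findings.append((code, "orphaned BHO registration", line))
        elif code == "O4" and USER_WRITABLE.search(body):
            findings.append((code, "Run entry launches from a data folder", line))
        elif code == "O15":
            # Anything in the IE Trusted Zone gets relaxed security; review each host.
            findings.append((code, "site added to IE Trusted Zone", line))
        elif code == "O17" and "NameServer =" in body:
            for addr in body.split("NameServer =", 1)[1].split(","):
                addr = addr.strip()
                if not addr:  # the log can end with a dangling comma
                    continue
                try:
                    public = not ipaddress.ip_address(addr).is_private
                except ValueError:
                    public = True  # not even a valid IP: review it anyway
                if public:
                    # Compare a hard-set per-interface DNS server with the ISP's.
                    findings.append((code, f"interface DNS forced to {addr}", line))
    return findings
```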

gerbil 216 Industrious Poster

sfc only takes what it needs to restore corrupted files, and it knows which versions to take in original form from a folder or cd, and which to take from the updates.
The Security bulletins:
MS07-069 [= KB942615] replaced MS07-057 which repl. MS07-045 which repl MS07-033 which repl MS07-027.
Aaaannnd: The latest bulletin, MS08-010 KB944533, replaced MS07-069!!
MS07-043 and MS05-055 were separate issues.
Now you could google for the KB articles which represent those... but I have a feeling that Panda picked up those old bulletins from the Windows directory. If you expand C:\Windows almost the first entries are blue $NtUninstallKB****** folders - these are the files which have been replaced by updates along with an app and a batch file which run if you wish to reinstall the old files over the top of the newer [via Add/Remove pgms!].
Which you might be tempted to do if the update in question caused problems. Well, they [blue $NtUninstallKB****** folders] build up, and if all is sweet I tend to delete em. Do that.
unPPC6000? Delete it. It's PeoplePC or CoolWebSearch.
C:\CABS\9519160_XP_2K is just one driver. Were there no .cab files in C:\CABS ? [C:\CABS would be the sourcepath if there were, but .cabs tend to be drivers...]. No matter anyway, sfc completed happily, found what it wanted. It does just close when successful, no bells or whistles.
"When it does the blank blue screen for a few seconds and comes …

gerbil 216 Industrious Poster

Panda only deletes viruses and worms in this free scan, but points out adware and trojans etc.
This one is adware, delete it...c:\winnt\system32\unppc.exe
This one is part of a telnet service from Sysinternals. If you do not use telnet, did not install that service, then delete it [can be used by hackers]...C:\WINNT\PSEXESVC.EXE
I must admit I have no idea why the scan shows those critical updates as vulnerabilities - they were only released in Dec last year... are they actually installed?
SFC should work with cab files. It sounds as if your dllcache directory is corrupted. You can change this registry key so that sourcepath points to the DIRECTORY the cab files are in [don't point it at the cab files themselves]:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"SourcePath"="C:\whatever directory contains cab files..."
Or you could try to borrow a cd and copy the I386 folder to the C:root, [eg C:\i386] and point sfc at that...
Combofix infected? Nah, Panda dislikes it... but yes, you can delete it if you wish [or just leave it there for a week and it will timeout and when you try to start it it will remove itself.. :)], or you can paste into the run window...
C:\Documents and Settings\Administrator\My Documents\downloads\ComboFix.exe /u
Come back if you need help with sfc....

gerbil 216 Industrious Poster

John, if you wish, try to Repair the installation via Windows Setup - if it recognises the existing OS it will give you that option. That way you will not have to reinstall other software. But why not extract your registration codes and then format, reinstall, reload your apps and so start with a clean slate.
Windows is too sensitive to be clever with it.