gerbil 216 Industrious Poster

Bo, I found the red cross icon in shell32.dll [most system icons are stored in there]....now only if you are comfortable with going into registry.. ie have done it before... go start, run, type regedit and OK.
Click on My Computer at top, then go Edit, Find, type in..
shell32.dll,240
... and tell me the keys it occurs in.


gerbil 216 Industrious Poster

Found the icon in shell32!!
Ira, in an explorer window if you go Tools, Folder Options, View tab, uncheck Hide Protected Op SYS files, Apply and OK... do you have a C:\autorun.inf file? If so, drag it into an empty notepad and post it, please. Lastly, check that box again to hide those files.
If you do not have that C:\autorun.inf file then next search [as a word or phrase] your C: drive for :
shell32.dll,240 [stop the search when it gets to C:\Windows... a waste of time]
If it is not found go start, run, type regedit and OK.
Click on My Computer at top, then go Edit, find, type in..
shell32.dll,240
... and tell me the keys it occurs in.

gerbil 216 Industrious Poster

One other thing, in an explorer window if you go Tools, Folder Options, View tab, uncheck Hide Protected Op SYS files, Apply and OK... do you have a C:\autorun.inf file? If so, drag it into an empty notepad and post it, please. Lastly, check that box again to hide those files.

gerbil 216 Industrious Poster

Sigh... those are correct. For the moment then I am stumped on solving the actual red cross problem, getting rid of the cross. I think your sys is clean, just that cross remains to be rid of.
Could you delete your copy of combofix and dl a fresh copy and run it?
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

gerbil 216 Industrious Poster

Here is a fresh way: save this text in the box using a notepad [wordwrap unchecked] as showkey.bat, dclick it to run and post the notepad that opens...

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\DefaultIcon" /s >> C:\showkey.txt
reg query "HKEY_CLASSES_ROOT\Drive\DefaultIcon" /s >> C:\showkey.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive" /s >> C:\showkey.txt
start C:\showkey.txt
gerbil 216 Industrious Poster

Bo, from what you said a couple of posts back it sounds like you ran the batch file correctly [the "no-wordwrap" bit is/was important, but you did that correctly], so the showkey.txt file should have been created, and it should have popped up on your desktop too. Running the batch file again would not do damage but will only create an empty notepad the second time, so no need to do that.
Do you still have a red cross?

gerbil 216 Industrious Poster

No C:\showkey.txt?? Should be, even if it is empty...

gerbil 216 Industrious Poster

SP1 (6.00.2800.1106)?? Your OS is very old, outdated and very naked on the web - it is a sitting duck without the SP2 security upgrade.
But we must clean you before you upgrade.
Before we go any further please uninstall either Avast or AVG antivirus - they likely will conflict and the result is unpredictable.
Done it? Okay...
[There are traces of Symantec's AV there too but they may be removed later. Oh, there are some bits of McAfee also...!].

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [BMf7d4f0fe] Rundll32.exe "C:\WINDOWS\System32\mujtijws.dll",s
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O20 - Winlogon Notify: xcttgs - xcttgs.dll (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)

Good. Now go Start, run, and paste in these lines:
sc delete McDetect.exe
sc delete …

gerbil 216 Industrious Poster

If you look in your C: root there should be a file C:\showkey.txt. If you dclick that it will open; if it is empty [no text] just say so.
You may delete showkey.bat - it has done its job. That black command window does just flash like that as the batch file runs.

gerbil 216 Industrious Poster

You could use RockXP4 by Korben [or XPPID.exe] to change the Product key [scan and then enter the new, legal key], then let updates check it, activate it. That way you could avoid reinstallation.

gerbil 216 Industrious Poster

I'd like to look at a key in your registry; this will do that, and then delete it.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /s >C:\showkey.txt
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /f
start C:\showkey.txt
__________________________________________________________

Open a fresh explorer window [my computer]

gerbil 216 Industrious Poster

Don't worry about reposting the hijackthis log, Hifi, just keep that formatting in mind for future notepad posts.
It appears that you have a vundo infection, or traces of one, so...
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If …

gerbil 216 Industrious Poster

Hifi... could you please post that hijackthis log with Format Unwrapped in notepad, please?

gerbil 216 Industrious Poster

Hello, braddyx.
Uninstall Bat.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {451c8c7a-3c49-44fa-9982-cbfd991c4e95} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O20 - Winlogon Notify: avicz32 - avicz32.dll (file missing)

Delete these files:
C:\WINDOWS\system32\wmsdkns.exe
And these folders:
C:\Program Files\Bat\
You must update XP SP2 - go to …

gerbil 216 Industrious Poster

Okay, bo... start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {31D7F734-02C3-46F2-BDB0-B01EE77B9AC5} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: MySidesearch Search Assistant - {DDFA1356-E6ED-42a5-9D62-93211D424A90} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
O20 - Winlogon Notify: hqjpkson - hqjpkson.dll (file missing)

Good, Now uninstall Search Settings.
Delete this file:
C:\WINDOWS\system32\mysidesearch_sidebar.dll
And say how things are...
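The HijackThis fix lists gerbil posts throughout this thread follow a few recurring patterns: an F2 UserInit value carrying an extra executable, O4 Run entries that hand a random-named System32 DLL to Rundll32, and O2/O20/O23 entries whose file is gone. The following triage script is an added example, not gerbil's or HijackThis's own code; the sample lines are constructed from entries quoted in this thread, and the "8 lowercase letters" DLL-name rule is a heuristic assumption that can match legitimate files.

```python
"""Triage of HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: a few HijackThis lines of the kinds quoted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O4 - HKLM\..\Run: [BMf7d4f0fe] Rundll32.exe "C:\WINDOWS\System32\mujtijws.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O20 - Winlogon Notify: xcttgs - xcttgs.dll (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
""".strip()


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    severity: str  # "high" = likely malware, "low" = dead entry to clean up
    reason: str
    line: str


ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Heuristic assumption: 8 lowercase letters + .dll under System32 is the shape of
# the names seen in this thread (mujtijws.dll, biopjvmw.dll). Legitimate DLLs can
# match too, so treat a hit as a prompt to inspect the file, not as a verdict.
RANDOM_DLL = re.compile(r"\\system32\\([a-z]{8})\.dll", re.IGNORECASE)


def check_userinit(line):
    """F2 UserInit should name only userinit.exe; every extra program runs at logon."""
    value = line.split("UserInit=", 1)[1]
    extras = [p.strip() for p in value.split(",")
              if p.strip() and not p.strip().lower().endswith("\\userinit.exe")]
    return [Finding("F2", "high", f"extra UserInit program: {p}", line) for p in extras]


def check_line(line):
    """Apply the rules to one HijackThis line and return its findings."""
    section = line.split(" ", 1)[0]
    if section == "F2" and "UserInit=" in line:
        return check_userinit(line)
    findings = []
    if any(marker in line for marker in ORPHAN_MARKERS):
        findings.append(Finding(section, "low", "dead entry (target file gone)", line))
    if section == "O4" and "rundll32" in line.lower():
        m = RANDOM_DLL.search(line)
        if m:
            findings.append(Finding(section, "high",
                                    f"Rundll32 loads random-named System32 DLL {m.group(1)}.dll",
                                    line))
    return findings


def triage(log_text):
    """Return findings for every HijackThis line in log_text, highest severity first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if re.match(r"^(F\d|O\d+|R\d) - ", line):
            findings.extend(check_line(line))
    findings.sort(key=lambda f: (f.severity != "high", f.section))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}")
```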

gerbil 216 Industrious Poster

Cheers, tony. Because that was a remote operating trojan if you do notice anything strange rerun Panda after a few days [CClean first, all accounts] and repost here.
If you do online banking, purchasing, emailing, it would be wise to change passwords now. I would. Just in case. Good luck out there.

gerbil 216 Industrious Poster

Ira, if you carried out all the ops in my post above [cleared your restore points, deleted those four files, etc ...] then you should be clean?
To fix your icon get Powertoys for Windows Tweak UI [from M$ or whoever has it when you google for it]. Got it installed? Right, down the bottom to Repair, option you want is Rebuild Icons. This will reset your system to use the correct icons from Shell32.
Say how things are...

gerbil 216 Industrious Poster

PSEXEC is a tool from Microsoft. Here: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
-see this::: PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools...
and this::: Note: some anti-virus scanners report that one or more of the tools are infected with a "remote admin" virus. None of the PsTools contain viruses, but they have been used by viruses...
My point is that it is a useful tool for a trojan to include. So if you don't do remote system operation like issuing Telnet commands or similar, may I suggest that you search for and delete:
C:\WINDOWS\PSEXESVC.EXE
Now....

gerbil 216 Industrious Poster

Most of the results in those two scans are benign cookies in frank's account. Run CCleaner in frank's ac.
When did you run Combofix? Please post the log if it was recent -ie to try to solve this problem.
Delete C:\Qoobox.
Panda deleted these three objects:
02887738 Trj/Downloader.PLF Virus/Trojan No 0 Yes Yes C:\WINDOWS\system32\nGpxx07\nGpxx071084.exe
02899162 Trj/Agent.HYR Virus/Trojan No 0 Yes Yes C:\Documents and Settings\frank\Application Data\Microsoft\Windows\emnubt.exe
02901758 Trj/Downloader.SQZ Virus/Trojan No 0 Yes Yes C:\WINDOWS\system32\wb3\snmaildriv3.exe

These are infecting your restore points:
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{D1BB0304-A786-4975-AF24-FA6CCA085657}\RP178\snapshot\MFEX-1.DAT
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{D1BB0304-A786-4975-AF24-FA6CCA085657}\RP177\snapshot\MFEX-1.DAT
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{D1BB0304-A786-4975-AF24-FA6CCA085657}\RP178\snapshot\MFEX-1.DAT
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{D1BB0304-A786-4975-AF24-FA6CCA085657}\RP177\snapshot\MFEX-1.DAT

==You should clear all your system restore points because some have been infected.... So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
=Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!

==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including …

gerbil 216 Industrious Poster

Nice work, Tony. No, the ads on BearShare do not lead to anything worse.
This is an important question, though:
PSEXEC - did YOU install this tool?
Cheers.

gerbil 216 Industrious Poster

Mmmm... there's not so much to do now. First off, start Hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\nnnommj.dll (file missing)
O2 - BHO: (no name) - {9ABBF08B-E836-4BF0-B571-F20A3C6DA202} - C:\WINDOWS\system32\mlljj.dll
O4 - HKLM\..\Run: [BMffce3aeb] Rundll32.exe "C:\WINDOWS\system32\biopjvmw.dll",s
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: nnnommj - nnnommj.dll (file missing)

Good.
The Panda log explained [Panda Online Scan confines itself to removing viruses and worms, but it does point out other malware]:
-when you run CCleaner it only removes cookies from your account, hence some cookies from Patch's ac show in the log - if Patch runs CCleaner they will be removed [they are all benign..]. You can configure CCleaner to remove such items from all accounts if you so wish, it's fairly easy to set it but I won't go into it here.
-Bearshare. It has adware associated with it - savenow. I can remove that for you but doing so may break Bearshare - I don't know. If you go ahead and remove it and Bearshare stops working it is your choice whether to uninstall or reinstall BS.

==PSEXEC - did you load this? …

gerbil 216 Industrious Poster

Ah, okay, a bit of history to the problem. Well, caper found you a good site; did you work through either of the two methods presented there? I only know a broad outline of how it works using a dynamic exception list to cull traffic from the stack, there is no way I can add to what is in that M$ article.
Yeah, I know, when something you don't actually want won't work it can still bug you.... it is a human frailty. ZoneAlarm is better... take a tablet or something until the niggle goes away.
:)

gerbil 216 Industrious Poster

Hal.dll. Yeah. The first thing is to know which hal you want cos there are several; which one is right for you is determined by your BIOS capabilities and the type of hardware you have installed - ie your motherboard for a start. When you install windows Setup chooses and installs the one for your sys, and then calls it hal.dll. That is fine for the OS [one name fits all] but you have to find which one is actually installed. On a working sys that is easy - you go to system32, rclick hal.dll and choose properties. Select the Version tab, go down to the item name box and click Original File Name. And it pops in the Value box. This is the only way to find out the actual type of hal you have on your machine. You cannot do it via a command line such as in Recovery Console.
So you gotta find that out, and to do it you may need to slave your drive in another sys.
Then you gotta copy that actual file into your sys and rename it to hal.dll. Mostly it will be in a cab folder, that is, it will be a compacted file itself, so you also gotta expand it.
When you find that right hal the command you want is:
expand "C:\windows\driver cache\i386\sp2.cab" -F:halmacpi.dll C:\windows\system32\hal.dll

C:\windows\driver cache\i386\sp2.cab - this is where my various hal versions are....
-F:halmacpi.dll - this is my hal.... the -F: …

gerbil 216 Industrious Poster

A worm is a program that can self replicate... make copies of itself... and send those to other computers on a network without any specific user action, such as you don't need to send an infected email or file cos the worm is capable of doing that itself. So if you made your anti-porn worm it would not stay in your business network, it would head out into the world. And that would make you a criminal, even if it was an anti-porn worm, cos porn is not illegal in most places, just perhaps undesirable. What you need is a site blocker, a net nanny, and there are lots of those pgms out there, free or paid.
Good luck.

gerbil 216 Industrious Poster

You have ZoneAlarm Firewall running - it will automatically switch off Windows Fire Alarm [disallow it]. There is a checkbox.... actually ZoneAlarm seems to cancel WFW when ZA is started but then it should be possible to turn on WFW even though ZA is running, but you should not, they may conflict and traffic will be slower. Next time ZA starts it will turn off WFW.
Use hijackthis to fix these while you are on the job... nothing bad, just a cleanup:
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

And since you now have AVG Free and not McAfee... go Start, Run and enter these lines:

sc delete McShield
sc delete McSysmon

Sorted?

gerbil 216 Industrious Poster

The easiest way to kill the html is to go Select All, Copy, and paste it into a notepad.

gerbil 216 Industrious Poster

Sounds like fun... but your computer will work just fine without explorer.exe, it's just a little harder to control it without that nice user interface.
And none of us are young enough to search for trojans from the C:\ prompt. What follows assumes that you got to Daniweb from another machine. Fine, but back to yours now.
Let's avoid using explorer for a while. Task manager has nothing to do with it so you can use it to launch pgms, you just go File > New Task(Run) and enter: iexplore.exe
From your C prompt [you mean a black cmd window?] it would be [paste this in]:
C:\"Program Files\Internet Explorer\iexplore.exe"
And either way an IE browser window should pop open. Now the neat thing is the quite large amount of interchangeability between IE and Windows Explorer - you can surf from WE and you can navigate about your folders from IE. So...
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder in your Program Files. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
[For future quick temp …

gerbil 216 Industrious Poster

If you want to be more sure that your machine is clean then do this:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
To fix your icon get Powertoys for Windows Tweak UI [from M$ or whoever has it when you google for it]. Got it installed? Right, down the bottom to Repair, option you want is Rebuild Icons. This will reset your system to use the correct icons from Shell32.

gerbil 216 Industrious Poster

It does sound like you have a trojan in there feeding you malware. Ok, let's do this [in this order...]to see what shows up:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis .exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the …

gerbil 216 Industrious Poster

Good-oh, tsahi.... if you're happy, I'm happy.
Cheers.

gerbil 216 Industrious Poster

Zorcur, this thread is quite old, and very long. I have almost no idea what the problem you are experiencing is. May I suggest that you start a new thread and give as full a description as you can? By all means copy in bits of posts that are relevant [but pls do not link to them]. And then we may be able to help.

gerbil 216 Industrious Poster

mmm... nothing to worry about with those cookies. Using CCleaner every couple weeks fixes those. How about the points I mentioned in my last post?
After all this cleaning etc it may pay you to run a check on your precious system files. Go start, run, paste in..
sfc /scannow
..and load your XP disk.

gerbil 216 Industrious Poster

That is a bit ugly.... These are the most unsafe of the entries in that log. We can clear the remainder of them easily.
Id Description Type Active Severity Disinfectable Disinfected Location
====================================================
00034463 adware/wupd Adware No 0 Yes No c:\windows\downloaded program files\mediagatewayx.dll
00034463 adware/wupd Adware No 0 Yes No hkey_classes_root\mediagatewayx.installer
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_cmdservice
00219235 adware/commad Adware No 0 Yes No hkey_local_machine\system\controlset001\services\cmdservice
00248329 adware/toolbarpartner Adware No 0 Yes No c:\$$$_.log
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Irving Glemaud\Cookies\irving_glemaud@enhance[1].txt
02909334 Rootkit/Agent.IKR Virus/Trojan No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\Tablet2kk.sys
02909339 Adware/Maxifiles Adware No 1 Yes No C:\WINDOWS\SYSTEM32\extz1\lovstadcom2.exe

Delete C:\QooBox\
Delete these files:
c:\windows\downloaded program files\mediagatewayx.dll
c:\$$$_.log
C:\WINDOWS\SYSTEM32\DRIVERS\Tablet2kk.sys
C:\WINDOWS\SYSTEM32\extz1\lovstadcom2.exe

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[-hkey_classes_root\mediagatewayx.installer]
[-hkey_local_machine\system\controlset001\enum\root\legacy_cmdservice]
[-hkey_local_machine\system\controlset001\services\cmdservice]
_________________________________________________________
Now if all those files above deleted successfully:
==You SHOULD clear all your system restore points because some have been infected.... So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is …

gerbil 216 Industrious Poster

Hang on, have gone thru that list fully, will post a better procedure inside an hour..

gerbil 216 Industrious Poster

It is guaranteed not to work without any RAM. I feel that if your sys will not work with the old [which I presume did work?] or new RAM then the mobo is in some way damaged. But as pointed out earlier, the DDR and DDR2 keyways are different, as are the number of pins.... perhaps it did not insert fully, but with pins overlapping anything could happen.

gerbil 216 Industrious Poster

="So run this point clearance procedure again...[toggling system restore off/on clears all old points..]" - I hope you did this bit also, tsahi.
=SetupDTSB.exe - this has already been deleted by BitDefender. It is an optional Searchbar installed with Daemon Tools [you get the chance to stop its installation during DT setup]. So don't worry about it.
=3 boot sectors. If you had a third party bootmanager and 3 OS's on your hd[s] I would expect this, but if you only have XP then, umm, no. I don't know how your tech managed to get 3 on if you only have XP.... if you had 98 and XP [and no boot manager] XP would overwrite the 98 boot sector with its own code, so still only one boot sector....
If you do have only XP then, well, it is simpler to just ignore the other two. I could remove them for you [or tell you how to do it] but it involves software with a lot of err... destructive power. Really, the extras [if that is the case] can do no harm.
We'll have a go at fixing remote assistance if Panda gets thru ok. Rest easy.

gerbil 216 Industrious Poster

Scrapple, are you hooked into your corporate network when you observe the behaviour noted in your second paragraph, #5 post? Because I know some network servers are configured to check and correct some settings on individual machines in the network. eg, they ensure your sys fits in with the required corp profile, like forcing software updates, checking softwares are running.... It is no use someone trying to send you an inhouse mail if your client is not running, and it could be likewise with RightFax [faxctl.exe]. There is no reason for a startup item to reinsert itself. Check that with your IT dept. They gotta know the answer to that one!

gerbil 216 Industrious Poster

Pity they didn't take the machine, too. Okay, no, I don't need to see any report from that diagnostic program... you can just tell us its verdict.
It will only test to find problems... but at least you will know if your troubles are disk hardware based or not.
I still think that to get Setup to work you are going to need the Sata driver from your motherboard manuf...

gerbil 216 Industrious Poster

Outlook.exe is the email client for M Office. RightFax is a third party extension to Outlook that invokes outlook's email client capabilities. You have RightFax as a startup, it is going to call outlook.exe so that it can run. DCOM and Terminal Services are naturally going to be invoked as handlers.
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\FaxCtrl.exe
You have an "IT" dept? What do they do? I could be free for a good price....
I'm glad your AS n AV services didn pick it up... but your IT oughta be on top of your softwares.
[Jus being cheeky. I'm allowed that...]

gerbil 216 Industrious Poster

Ah, yes, that did a job. Some malware was detected in your Restore points. If you did those operations I listed in my last post in order given then your new restore point got infected too. So run this point clearance procedure again...[toggling system restore off/on clears all old points..]
=In case you are tempted to do a system restore we must clear all your system restore points because some have been infected.... So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
[[the quick way to System Restore is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]

Ah, DAEMON Tools was picked up earlier but I ignored it - I do not know what yours was but legit versions are safer.
You have 3 boot sectors? Seems like a lot....
H:\rthrw.com.. by any chance have you used a plugin of some sort, eg a USB device like a thumbdrive? That would explain the mountpoints2 entry in your registry [Windows remembers every USB device you ever plug in..]. Anyway, that device is infected. Delete its contents and format it.
Just as a point of …

gerbil 216 Industrious Poster

Yeah... formatting a hard drive, even a so-called high level format does not erase your files. What it does do is empty the file structure table [so that files are "lost" ie they are not indexed anywhere] and write a new MBR [which loses the partition information that was in the old MBR].
Reinstalling Windows will pretty much just overwrite the old windows files, depending upon how fragmented your OS partition was. Any half decent software will find those lost partitions that are still on your hd physically, plus recover lost files, although fragmenting may make them tough to recover, but still recoverable.
If you don't have secrets or are not selling the hd you don't need to overwrite it with 1's and 0's to erase data, but old partitions can confuse some file recovery software. They will NOT interfere with a new OS installation, nor confuse it - it just will not know they exist.
DBAN is just one of many like softwares. I don't know how it could be considered dangerous. Erasing is a time consuming business though, very disk intensive, ... if it does tip your hd over the edge, well, all to the good, it was going to die anyway. DBAN won't interfere with the real disc structure [the original low level format] so you just quick format as part of the new Setup run as per normal.
As for old viruses etc, a normal quick format and reinstallation of OS will …

gerbil 216 Industrious Poster

May I ask what the notepad reported as previously in the key for "Shell" = ?

gerbil 216 Industrious Poster

Ahhh... that's fixed it, thanks, Crunchie. Talk about a maze. I had, and selected, the Message Editor Interface option of Extra Formatting Controls [no std format editor - cscgal]

gerbil 216 Industrious Poster

This lil batch file will query what entry is currently in the key responsible for launching explorer.exe as your shell at startup; it will then replace whatever exists with the correct value. Please mention if the notepad that opens is empty.
==Copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
rem record the current Shell value before anything is changed
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Shell >C:\showkey.txt
rem remove whatever is there, then write the correct value back
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Shell /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Shell /t REG_SZ /d explorer.exe /f
rem open the recorded value in notepad so it can be posted
start C:\showkey.txt
__________________________________________________________
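
As an added example, not part of gerbil's post: a small Python checker for the C:\showkey.txt dump the batch file produces. It parses reg.exe output (both the tab-separated XP layout with its "! REG.EXE" banner and the newer space-separated one) and reports when the Winlogon Shell value is anything other than explorer.exe, or is missing. The sample dump and the path C:\EXAMPLE\unknown.exe in it are constructed for this example.

```python
import re

# Constructed sample of C:\showkey.txt, i.e. what the batch file's first
# "reg query" line writes. The extra path is a made-up placeholder, not a
# value from the thread.
SAMPLE_SHOWKEY = (
    "\n! REG.EXE VERSION 3.0\n\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
    "    Shell\tREG_SZ\texplorer.exe, C:\\EXAMPLE\\unknown.exe\n"
)

EXPECTED_SHELL = "explorer.exe"
# value line: indent, value name, REG_* type, data (tabs or spaces between)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Return {(key_path, value_name): (type, data)} parsed from reg.exe output."""
    entries, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):      # an unindented line names the key
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, vtype, data = m.groups()
            entries[(key, name)] = (vtype, data.strip())
    return entries


def check_shell(text):
    """List findings about the Winlogon Shell value; an empty list means it is
    exactly explorer.exe as it should be."""
    findings = []
    shells = [(k, v) for k, v in parse_reg_query(text).items()
              if k[0].lower().endswith("\\winlogon") and k[1].lower() == "shell"]
    if not shells:
        return ["Shell value not present in the dump (the notepad would be empty)"]
    for (key, _), (vtype, data) in shells:
        if vtype != "REG_SZ":
            findings.append(f"{key}: Shell has type {vtype}, expected REG_SZ")
        if data.lower() != EXPECTED_SHELL:
            findings.append(f"{key}: Shell = {data!r}, expected {EXPECTED_SHELL!r}")
    return findings


if __name__ == "__main__":
    for finding in check_shell(SAMPLE_SHOWKEY):
        print(finding)
```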

gerbil 216 Industrious Poster

explorer.exe manages those bits you say are missing... in TM go Files, New Task, and type:
explorer.exe
If your desktop is not restored then you probably have some malware; it could be just an explorer.exe corruption which would be fixed on a restart, or you may need to reload it from your XP cd [go Start, run, paste in..
sfc /scannow
and load your cd when requested]
If that does not work for you, ie restore the desktop and windows, then port your case over to Viruses n Nasties, post a hijackthis log.

gerbil 216 Industrious Poster

Configure IE to allow Active-X's from trusted sites [you did use IE, right? It works by ActiveX component installation [a small application] so you must use IE and no other browser], plus Avast to accept PandaActiveScan.
I just tested the scan site; it worked/commenced loading.

gerbil 216 Industrious Poster

What I see in Advanced:

gerbil 216 Industrious Poster

If that is your ISP then that hijackthis entry is fine, Zaki. Don't fix it.. [or if you did already then simply restore it from the Hijackthis Misc Tools section, or reestablish your network connection via Control Panel.]
Cheers.

gerbil 216 Industrious Poster

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
rem remove the leftover service entry and the infected USB device's mountpoint
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" /f
reg delete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b995f78-6e3d-11db-9c36-0014858a3979}" /f
rem remove the Active Setup component that re-runs the malware at logon
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AXX5-00401C648513}" /f
rem dump the SYSTEM hive listing and open it in notepad so it can be posted
reg query "HKEY_LOCAL_MACHINE\SYSTEM" >C:\showkey.txt
start C:\showkey.txt
__________________________________________________________

=Delete file:
H:\rthrw.com
=Empty your Recycle bin.
=In case you are tempted to do a system restore we must clear all your system restore points because some have been infected.... So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
[[the quick way to System Restore is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]

There appears to be a backdoor trojan operating; I cannot yet pinpoint what is disrupting Panda and Combofix.
A trace of malware does show in that Panda log fragment, this scan should work on it:
==Bitdefender Online Scan using IE only from http://www.bitdefender.com/