gerbil 216 Industrious Poster

Hi, Ira, no, you do not need to delete fwdrv.err - it is an error log from your Sunbelt firewall.
I have had problems viewing this website with FF, missing sections of posts and so forth, so I now use Opera. It performs best with IE but I avoid using that unless a requisite of some websites.
The hijackthis log is clean, RenV applied the fix and reported no further spoofed files [they were those files in the Combofix logs with an incrementing number of spaces in the filename].
Is this file still extant?: C:\windows\system32\drivers\core.cache.dsk
If it will not delete in safe mode you could try this tool:
=This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
...or does it get regenerated?
Assuming that it is gone....
-your Windows\fonts files.... I don't know how to remove the bad ones except by arranging them by Modified order and seeing if that helps you select the block of incorrect files. The zip files ... try rclicking the headings border, and selecting View, List by Similarity.
- are your icons still incorrect?
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for …

gerbil 216 Industrious Poster

I have no problem with time of reposting..
Could you do this, it may help to see the files.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
After that, it never hurts to clean, so...
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
and then scan again...
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a …

gerbil 216 Industrious Poster

Nope, no smiley disable here. Was. Gone.
Your suggestion to check a reply using the Reply with Quote button is good, though, that cuts through them.
Thanks.

gerbil 216 Industrious Poster

Please go Start, run and paste in these commands:
sc stop srosa
sc delete srosa
sc stop Megadrv3
sc delete Megadrv3
Good. The combofix /u instruction : I guessed that you had tried to install it on your desktop [it did not run so I could not see its location] - this cmd would have uninstalled it and its components, but you can do it manually- delete C:\Qoobox and combofix.exe, there may also be a folder beside combofix.exe containing its extracted files.
It looks like your Norton GhostTray.exe was infected, Combofix isolated it and Kaspersky found the quarantined file to be infected also. You will have to get an uninfected app and reinstall it; your ghost may be okay, though:
C:\QooBox\Quarantine\C\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ma skipped

Even after you deleted system32\driver\down directory it was recreated - Combofix found it again and quarantined two files. Kaspersky detected those:
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\667187.exe.vir Infected: Trojan.Win32.Pakes.ciw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\704687.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped

Run CCleaner.
Run Panda online scan. http://www.pandasoftware.com/products/activescan?
Dl a fresh copy of Combofix and run it, I'd like to see the remaining Recent Files list which did not show in the last scan. http://download.bleepingcomputer.com/sUBs/ComboFix.exe
And provide a fresh hijackthis scan from normal mode also.

gerbil 216 Industrious Poster

Ira, I probably confused you with my troubles with smileys interfering with text. However, it is important that you finish the remainder of my post #9. [vundofix and RenV]
Next, restart in Safe Mode then search for:
C:\windows\system32\drivers\core.cache.dsk
Order the files in drivers\ by date modified or date created and see if any other files were created at the same time - please post their entries here. Some other file is regenerating/protecting core.cache.dsk.
One may be core.sys, but I doubt it because Combofix would have found it... if it is, delete both core.sys and core.cache.dsk.
Delete...
C:\WINDOWS\SYSTEM32\modvlaff.ini
C:\WINDOWS\SYSTEM32\MRT.INI

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Core" /s >>C:\showkey.txt
start C:\showkey.txt
__________________________________________________________
-if it returns a blank notepad just say so - it means that that service I was querying for did not exist.

gerbil 216 Industrious Poster

Ira, could you also please do the parts referring to Vundofix, and RenV involving the zipped file Log.txt please?

gerbil 216 Industrious Poster

Good stuff, Zakjiii. Flashes sometimes do have autorun.inf files in them so that they start automatically playing, but they sometimes also point to pests and not music.
By the way.. this hijackthis entry:
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B25B7F9-398D-4FBA-9F22-A31D0743DD18}: NameServer = 85.255.64.2,85.255.65.2
I know lots of people do live there.. but you are using an ISP in Riga, right?

gerbil 216 Industrious Poster

Hmmm, tsahi, Panda is usually supreme in removing Bagle. Let's try a different attack. Because Combofix will not run, even in Safe Mode please go Start, run and paste in ..
combofix /u
Okay, in Safe Mode with Networking:
Search for and delete this folder if it exists: C:\Windows\system32\drivers\down
-now go back to this site: http://download.bleepingcomputer.com/sUBs/ComboFix.exe -and instead of downloading click the Open box and see if it runs.
Try Panda once more; if it stalls then try this scan:
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....
or, if no success, this one:
==Bitdefender Online Scan using IE only from http://www.bitdefender.com/

gerbil 216 Industrious Poster

I searched, but I cannot find a comreps.dll registered, so I have the feeling your sys has been whacked by a pest of some description, and it is probably Look2Me.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then...
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
If you wish to go with my educated guess then you can also do this:
==Download Look2Me-Destroyer: http://www.atribune.org/downloads/l2mfix.exe
Save the file to your desktop; dclick l2mfix.exe to start extraction/installation.
Close any programs you have open and then open the l2mfix folder on your desktop, dclick l2mfix.bat and select option #2.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and then present a log.
Run HT and post both logs, and tell of any problems you may still be having.

gerbil 216 Industrious Poster

Norton or Symantec AVs.... you have to get the removal tool particular to your version from their website to uninstall it completely.
The other uninstall entries? Well, you would not uninstall hotfixes or updates, now would you? And some apps, eg, Nero, contain several parts all of which you do not have to keep. Okay, you don't have Nero, it was just an example, and I don't have Roxio, but it seems like the same case - they have a bundle of applications which are not standalone because they run under a parent module, but you don't have to hold all the child modules.... CCleaner puts up all pgms whereas Add/Rmv Pgms in CP has a checkbox to enable you to ignore Windows Updates...
You do have Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
and....
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
I only have the 1.1 and hotfix.... you could uninstall the old version 1.0 and its hotfix.

gerbil 216 Industrious Poster

I remember that option to turn off smileys was there in advanced posting, but I don't have it now... or it has been moved, and I do dislike searching for such mundane stuff.
Peeked at smiley page... an gawd, there's thousands of em...

gerbil 216 Industrious Poster

Ira, skip the post above... I have taken a lesson in smiley annihilation and smiley "code" and now know what the line should be... please use THIS new line to replace the bottom line in CFScript.txt.

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

Actually, here is the whole CFScript thing reposted to eliminate error:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.

__________________________________________________________
Killall::

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\SYSTEM32\utxhpiev.dll
C:\WINDOWS\SYSTEM32\vqdduwgj.dll
C:\WINDOWS\SYSTEM32\ooamstjb.dll
C:\WINDOWS\SYSTEM32\rhrxhuva.dll
C:\WINDOWS\SYSTEM32\fwtatqob.dll
C:\WINDOWS\SYSTEM32\lphvwlaf.dll
C:\WINDOWS\SYSTEM32\lxpngupc.dll
C:\PROGRA~1\McAfee.com\Agent\MC7B14~1 .EX
C:\PROGRA~1\McAfee.com\Agent
C:\Documents and Settings\Irving Glemaud\My Documents\?ppPatch\m?hta.exe

Folder::
C:\Temp\tn3

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fengpef"=-

[-HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
__________________________________________________________
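The bottom of that CFScript rewrites one entry in the XP SP2 firewall's GloballyOpenPorts list, whose values follow the layout port:proto:scope:Enabled|Disabled:display-name. As an added example (my code, not the thread's or any tool's), this parses such values, flags rules that are enabled and open to any address (scope "*"), and emits a .reg fragment that switches those to Disabled the way the fix line above does. The sample values are constructed; only the 3389 line mirrors the thread.

```python
from dataclasses import dataclass
from typing import Dict, List

# Real registry key for the XP SP2 standard-profile open-port list.
LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
            r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")

# Constructed sample (value name -> value data). Only "3389:TCP" mirrors the
# thread; the other three are made-up illustrations.
SAMPLE_OPEN_PORTS: Dict[str, str] = {
    "3389:TCP": "3389:TCP:*:Enabled:@xpsp2res.dll,-22009",
    "139:TCP": "139:TCP:LocalSubNet:Enabled:File and Printer Sharing (constructed)",
    "6346:TCP": "6346:TCP:*:Enabled:Shareaza (constructed)",
    "1900:UDP": "1900:UDP:LocalSubNet:Disabled:UPnP (constructed)",
}


@dataclass
class OpenPort:
    name: str      # registry value name, e.g. "3389:TCP"
    port: int
    proto: str     # TCP or UDP
    scope: str     # "*" = any address, "LocalSubNet", or an address list
    enabled: bool
    display: str   # display name or "@dll,-resourceid" reference


def parse_open_port(name: str, data: str) -> OpenPort:
    """Split 'port:proto:scope:Enabled|Disabled:display' into its fields."""
    parts = data.split(":", 4)  # the display part keeps any ':' it contains
    if len(parts) != 5:
        raise ValueError(f"malformed GloballyOpenPorts data: {data!r}")
    port, proto, scope, state, display = parts
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"unknown protocol {proto!r} in {data!r}")
    if state not in ("Enabled", "Disabled"):
        raise ValueError(f"unknown state {state!r} in {data!r}")
    return OpenPort(name, int(port), proto.upper(), scope, state == "Enabled", display)


def risky_entries(values: Dict[str, str]) -> List[str]:
    """Names of rules that are enabled and reachable from any address."""
    risky = []
    for name, data in values.items():
        entry = parse_open_port(name, data)
        if entry.enabled and entry.scope == "*":
            risky.append(name)
    return sorted(risky)


def disabled_data(data: str) -> str:
    """Same rule with its state forced to Disabled (as the thread's fix line does)."""
    e = parse_open_port("", data)
    return f"{e.port}:{e.proto}:{e.scope}:Disabled:{e.display}"


def reg_fix(values: Dict[str, str]) -> str:
    """A .reg file body that disables every risky rule in `values`."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{LIST_KEY}]"]
    for name in risky_entries(values):
        lines.append(f'"{name}"="{disabled_data(values[name])}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("open to any address:", risky_entries(SAMPLE_OPEN_PORTS))
    print(reg_fix(SAMPLE_OPEN_PORTS))
```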
gerbil 216 Industrious Poster

Beauty. Now to train/request respondents with logs from scans that return reg entries to do the same....
Looks like the Love smiley threw me... I thought it had somehow taken out

:LocalSubNet; looks like it was actually :*

Sigh... have to use code tags to even type a msg... those smileys...where's me gun?

:*

= :*
Yep...

gerbil 216 Industrious Poster

Actually, a revision in the order of things will make the process easier...
Make a new folder in OE, drag into it from the inbox all the mail you wish to keep.. avoiding the problem emails...
Delete that mail and the junk you do not wish to keep from your inbox... again avoiding the problem emails....
Then go into explorer and drag your inbox.dbx into notepad... and so on from there.

gerbil 216 Industrious Poster

Crunchie, how do I stop those sodding stupid smileys from disrupting the text..... that last reg repair line formats incorrectly if you copy it into notepad. Man, but those things really wee me off.
"3389:TCP"= 3389:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22009
will copy incorrectly.

gerbil 216 Industrious Poster

Ira, because of the icons appearing in my text, you will have to edit the line where they appear as follows-
-please replace the three "*" in the line below with colons ":" and use the new line to replace the bottom line in CFScript.txt.
"3389:TCP"= 3389:TCP*LocalSubNet*Disabled*@xpsp2res.dll,-22009

gerbil 216 Industrious Poster

It looks like Combofix was not too happy with that workload - it may not have appreciated the way or what I fed it [actually the formatting on this webpage alters filenames...], so we shall try again and also use another specialised tool that should remove your multiplying infection.
Also you have a lot of open ports on your machine - we shall close those.
=Please go to Scheduled Tasks and remove this :
C:\WINDOWS\Tasks\McAfee.com Update Check (D8QVF341-Irving Glemaud).job
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
=Restart your system in Safe Mode.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] …

gerbil 216 Industrious Poster

Hi... OE is good at this, corrupting its mailboxes. Well-known for it, in fact. It is most likely to occur if you let your mailboxes get large. How large? How long is a piece of string.
I can help you to delete those particular mails, I can even help you read them but not to see pictures.
Lessee, a typical OE mailbox eg your inbox, is basically a long stream of text, your emails, strung one after another. Even the graphics are text characters. The individual emails are separated by their headers, the to and from info. As a new email arrives it is added to the bottom of the string. At the top of this long stream of joined emails is file header info, a list of all those to's and from's and subjects. Right, now you know that you can do stuff.
Open an explorer window, navigate to your OE mailboxes under your account in Local Settings. There will be a hashed name folder, and inside that your email boxes. Open a notepad and drag inbox.dbx into it [if it is large, say a couple hundred megs, then it may take a couple minutes to load!!; you may need to tickle the notepad with your cursor to get it to come to life after disk activity stops]. Good, there they all are; now open OE, and using [part of] a Subject entry from the bad emails as the search text do a Text Find op …

gerbil 216 Industrious Poster

Cool.

gerbil 216 Industrious Poster

On second thoughts, get rid of these files - just delete them:
C:\Documents and Settings\Osnat\Desktop\emule config files\EvID4226Patch.exe
C:\Documents and Settings\Osnat\Desktop\emule_patch\EvID4226Patch.exe
C:\Documents and Settings\Osnat\Desktop\emule_patch\EvID4226Patch223d-en.zip[EvID4226Patch.exe]
Panda is saying they contain a virus: W32/Bagle.RP.worm... and since you copped the effects of the Bagle worm I would say that they could be the source - a worm is some bit of malware you must download and install by your own actions.
The advantage of more ports is not worth the trouble.

gerbil 216 Industrious Poster

"Memory Processes Infected: 4
Memory Modules Infected: 1
Registry Keys Infected: 184
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 26
Files Infected: 249"
Heh.... but I have seen worse, so you don't get the record....
It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log run in normal mode.

Interesting... Shareaza leaves ports open....
=I assume you are the creator of this file?:
C:\Program Files\Friday May …

gerbil 216 Industrious Poster

Okay, I see they should be benign... the patch removes SP2's TCP/IP stack limit.

gerbil 216 Industrious Poster

Nice effort. We have some leads from that.

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"german.exe"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"hldrrr"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hldrrr"=-
[HKEY_CURRENT_USER\Software\FirstRRun]
"FirstRRRun"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ssgrate.exe"=-
__________________________________________________________

In safe mode, delete [if they exist]:

C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sy
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\1.exe
C:\WINDOWS\system32\forõ.exe
C:\WINDOWS\system32\noat.exe

Try now to restart your AV [switch to normal mode].
Then dl a fresh copy of Combofix and try to run it, safe or normal mode, but the latter would be more convenient. Run Panda again, also.

I have no idea what this is [from Panda rpt...]:
emule config files\EvID4226Patch.exe
or this: emule_patch\EvID4226Patch.exe
or this: emule_patch\EvID4226Patch223d-en.zip[EvID4226Patch.exe].

gerbil 216 Industrious Poster

"Search" as it is in Regedit is not a full disclosure search. But if you navigate to the actual entries and cannot delete them manually, rclick the key, > properties and set permissions so that you have control.

gerbil 216 Industrious Poster

Boom-boom.

thunderstorm98 commented: LoL.. +3
gerbil 216 Industrious Poster

Fine, John, that is a lot of good info. My progress bar sweeps across too fast for me to count the individual steps, but it sweeps 4 1/2 times across. Each sweep is supposed to represent so many drivers loaded. Once that stage is finished ntldr hands control to ntoskrnl.exe.
"* To specify additional SCSI adapters, CD-ROM drives, or special disk controllers for use with Windows, including those for which you have a device support disk from a mass storage device manufacturer, press S."
==That is the F6 we are concerned with, and at this point you should press S and insert a floppy with the Sata driver on it. Now I am not sure if there is actually a fault with your driver or not, it was merely one step to test. A bad or missing Sata driver or reg entry would explain why Setup from the CD does not proceed to Recovery Console etc.
If you wish to actually test your hd then this should do a comprehensive check of it:
Your machine is actually still bootable so do this [this procedure will, by itself, burn a diagnostic program onto a cd which in turn may be used to boot your machine and check the hd] :
== Checking A HDD That Will Not Load The OpSys

You'll need access to a computer with Internet connectivity and a CD burner, plus a blank CD-R or CD-RW.
Then go to this link: …

gerbil 216 Industrious Poster

Correction to the order of things. Would you please perform this section of the fix detailed above last, ie after the CFScript/Combofix run?

=Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\MC75C2~1.EXE
O4 - HKCU\..\Run: [Fengpef] "C:\Documents and Settings\Irving Glemaud\My Documents\?ppPatch\m?hta.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZK
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

==Go Start, run, type or paste this line into the run text box and press Enter:
sc delete mcupdmgr.exe
Search for and delete this file:
C:\Documents and Settings\Irving Glemaud\My Documents\?ppPatch\m?hta.exe
What is in this folder?:
C:\Program Files\Incomplete
Delete this folder:
C:\PROGRA~1\McAfee.com
C:\Documents and Settings\All Users\Application Data\McAfee.com
==Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.5 is current....
Good-oh.

gerbil 216 Industrious Poster

This is how it sometimes works out there in crack land. I write some nice software, it disappoints me that someone makes a crack for it and puts it out there. But hey!, I write software too, so I put my own crack out there anonymously, but mine packs a nasty punch to teach a lesson. Else I load it with pestware like ad downloaders....
You just gotta know your crack groups.
Glad you've got the sys up n running again.

gerbil 216 Industrious Poster

Just how did you uninstall Mcafee? There are traces of it everywhere.
=Uninstall [Add/Remove pgms] Yazzle and any other pgm that contains "Oin" eg Yazzle by Oin.
=Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\MC75C2~1.EXE
O4 - HKCU\..\Run: [Fengpef] "C:\Documents and Settings\Irving Glemaud\My Documents\?ppPatch\m?hta.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZK
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

==Go Start, run, type or paste this line into the run text box and press Enter:
sc delete mcupdmgr.exe
Search for and delete this file:
C:\Documents and Settings\Irving Glemaud\My Documents\?ppPatch\m?hta.exe
What is in this folder?:
C:\Program Files\Incomplete
Delete this folder:
C:\PROGRA~1\McAfee.com
C:\Documents and Settings\All Users\Application Data\McAfee.com
==Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.5 is current....

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a …

gerbil 216 Industrious Poster

Oh dear... this will take me a while to check.

gerbil 216 Industrious Poster

Hiya, Icky. I see you have switched to McAfee AV, so go to Symantec's site and dl and run the removal tool for the version of their AV that you tried to remove.

=Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
Dclick that file to install the application and ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Okay, post those two logs plus a fresh hijackthis scan result, please.

gerbil 216 Industrious Poster

Joe, currently you have two active AV services running. That is going to lead to conflict esp where AVG and Symantec are concerned, and your sys will be unpredictably unstable. Without making any judgements as to relative worth, because you have added AVG Free I suggest you remove it. Now. Anyway, Symantec is a cow to remove...
If you wish a scan for pests in addition to your installed, active AV try online scans - they do not insert themselves into the kernel. This is a good one, but please run a cleaner first:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Oh, and here is a cleaner:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For …

gerbil 216 Industrious Poster

tsahima, then please apply what i set out in post #7 first - it will restore your safe mode; you may then be able to run combofix in safe mode, then try the others in normal mode... [you may need to delete combofix and dl a fresh copy].

gerbil 216 Industrious Poster

"after the black screen with the windows logo comes on with the stats bar" - this at least indicates that the startup process [in BIOS] has located the active partition on the hd, that the boot sector code has been located and read, that that in turn has loaded ntldr from the root, and that ntldr is running.
ntldr has obviously loaded bootvid.dll [you are seeing the logo video] and a few other boot images. And then it stops; perhaps the Services key is corrupt and some boot device drivers are not being loaded, perhaps some of the drivers themselves are missing. It is the Services key which tells ntldr what to load; your Sata driver entry is included in there [the driver itself is in system32]...
You never did come back and tell me if you tried pressing F6 when you booted from the XP cd. If the Sata driver is not loaded then the cd's Setup will not see the hd - the cd's Setup boot process does not operate the same way as booting from the hd because it naturally has its own boot loader and driver files. When booting from the hd the boot sector code allows the system root to be read from the hd [but it does not show the system how to read any more than that].
During the normal hd startup do you see the progress bar under the logo move at all? - it should pass across four …

gerbil 216 Industrious Poster

Also, is there a way I can put that Latvia entry back into my registry easily?... yes you could do that export, or use hijackthis restore function: go to Main menu, Backups, and check and restore the entry.
As for the first, no.. I am a little unwilling to run that setup.exe file, but it may be legitimate. I don't know.

gerbil 216 Industrious Poster

Your system speaker? In CP, go to Sounds and Audio devices > Sounds, and select No Sounds...

gerbil 216 Industrious Poster

That link you kindly provided tries to install a browser extension...
.xpi files: This is basically a ZIP file that, when opened by the browser utility, installs a browser extension. This extension applies to both Mozilla and Firefox browsers. ..... file you dl is dv-fox.xpi - search for and delete it, plus the setup .exe file it spawned.

==Download LSPfix from here http://cexx.org/LSPFix.exe -start it by dclicking the .exe....
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "wpclsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.
Next start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{700A24A3-6798-4444-9A13-6002D97C9789}: NameServer = 217.199.126.2,159.148.60.20

Good. Say how things are.

gerbil 216 Industrious Poster

When you have finished that procedure above I would like you to run this reg file I have zipped and attached. It will repair your SP2 safe boot key plus remove a couple of mapped drive entries in mountpoints2 that I do not like the look of.... one is recalling deleted files?
Just unzip the file and dclick it to run, agree to merge with your registry.
Come back with those logs.

gerbil 216 Industrious Poster

Okay, I can see why some of your security softwares and scanners were disabled - you picked up the Bagle worm; it does that. You are quite badly infected otherwise. And at the moment you cannot enter Safe Mode because some registry entries have been altered - we will fix that later.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs …

gerbil 216 Industrious Poster

Hi again.. the reason I asked about Riga is because you are connected to the net via Latnet Serviss Ltd, in Latvia. This entry points it out:
O17 - HKLM\System\CCS\Services\Tcpip\..\{700A24A3-6798-4444-9A13-6002D97C9789}: NameServer = 217.199.126.2,159.148.60.20
I have no reason to doubt their being genuine... just hope that you will check your ISP/connection details via control panel.
Vista Parental Control - I am totally in the dark about its operation, as I am about much that is Vista related. But I can see that all your net traffic is going through it [and on out into the wide world via Latvia...].
Anyway, if you wish to remove it [parental control] then we can...
I do not have a setup.exe assoc with FF... check the Date Created time - it should match others...
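The O17 line quoted above is the sort of entry worth checking mechanically: HijackThis reports which DNS resolvers each interface GUID is using, and a resolver nobody configured on purpose is how traffic ends up routed "via Latvia". Below is an added example (not part of gerbil's posts or of HijackThis itself) that parses O17 lines from a saved log and sorts each NameServer value into expected / local / unexpected / malformed. The first sample line is the entry from this thread; the remaining sample lines and the `EXPECTED_RESOLVERS` allowlist are constructed placeholders, the latter standing in for the resolvers your ISP actually publishes.

```python
"""Audit HijackThis O17 (NameServer) entries against an allowlist.

Added example; not from the original thread. The allowlist and the
second, third and fourth sample lines are constructed placeholders.
"""
import ipaddress
import re

# An O17 line reads "O17 - <registry key>: NameServer = ip[,ip...]".
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
# Per-interface keys end in a GUID; the Parameters key has none.
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


def parse_o17(line):
    """Return {'key', 'guid', 'servers'} for an O17 line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    key = m.group("key")
    guid = GUID_RE.search(key)
    servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
    return {"key": key, "guid": guid.group(0) if guid else None, "servers": servers}


def classify_resolver(addr, expected):
    """Label one NameServer value.

    'expected'   - on the allowlist (e.g. the ISP's published resolvers)
    'local'      - RFC1918 or loopback, typically the home router
    'unexpected' - a public address that nobody configured on purpose
    'malformed'  - not an IP address at all
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if addr in expected:
        return "expected"
    if ip.is_private or ip.is_loopback:
        return "local"
    return "unexpected"


def audit_o17(log_lines, expected):
    """Return one (guid, address, verdict) tuple per NameServer found."""
    findings = []
    for line in log_lines:
        entry = parse_o17(line)
        if entry is None:
            continue  # not an O17 line; other HijackThis sections are ignored here
        for addr in entry["servers"]:
            findings.append((entry["guid"], addr, classify_resolver(addr, expected)))
    return findings


# Constructed sample log: the first line is the entry quoted in the thread,
# the rest are made up to exercise the other code paths.
SAMPLE_LOG = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{700A24A3-6798-4444-9A13-6002D97C9789}: NameServer = 217.199.126.2,159.148.60.20",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = not-an-ip",
    r"O4 - HKLM\..\Run: [constructed] C:\example\constructed.exe",
]
# Placeholder allowlist (TEST-NET-3 address): replace with your ISP's resolvers.
EXPECTED_RESOLVERS = {"203.0.113.53"}

if __name__ == "__main__":
    for guid, addr, verdict in audit_o17(SAMPLE_LOG, EXPECTED_RESOLVERS):
        print(f"{verdict:10s} {addr:16s} {guid}")
```

Anything tagged `unexpected` is what you compare against the ISP/connection details in Control Panel; a `local` result is normally just the router handing out DNS, and a `malformed` value means the registry key itself has been tampered with or corrupted.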

gerbil 216 Industrious Poster

Good-oh, y2. By the way, your firewall is down, disabled!

gerbil 216 Industrious Poster

Mobos have only low voltage power... you would not hear it "clicking" if it did arc over because most circuits on them are current limited anyway... and the dust would have to be moist and... most of the board's conductive points are varnished.... the only high V is in the PSU, which has a back end of about 380 V DC.. and you'd only hear it click once.
Still, mobos do die.

gerbil 216 Industrious Poster

That little 32MB partition was probably some sort of recovery image for the original computer. Dump it.
60GB? Put the OS into a 10GB partition, apps in another, maybe 5GB, data in a third making up the remainder. All NTFS.

gerbil 216 Industrious Poster

Hello, Ira, for a start let's see where this takes us:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply with a fresh hijackthis log too.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

It wouldn't be the first time that System Mechanic has dropped a spanner into the works. Let's see, top right of its console, options? Try restore or recover.

gerbil 216 Industrious Poster

Tricky. Was the eagle file meant to be of the actual warplane? Anyway, try running those scans in Safe mode.... and if they work there you might try running hijackthis again in normal mode - if it does then post that log [hijackthis run in safe mode leaves us a little blind because some processes are not started there]

gerbil 216 Industrious Poster

Hi fruehling, just checking a couple of things.. are you in Riga? .. and is your AV working fully?
Ok, your problem with webbing... do you realise you have microsoft's parental control application running? It intercepts your net traffic and ..what shall I say?... sanitises it. I don't know how it works, or what it does in detail, but because it is running as a layered service provider it operates at a level "beneath" your browser, intercepting all traffic - so it should be browser independent - you might Google it: wpclsp.dll
Nah, you did everything correctly, it's just that your post came when we were all away eating Easter eggs. Crunchie played the bunny.

gerbil 216 Industrious Poster

Hello, y2.
It appears that you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt

[[ To restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes, press Yes to bypass System Restore.]]
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution …

gerbil 216 Industrious Poster

Pleased to be able to help, ryun.
Cheers.

gerbil 216 Industrious Poster

Could be some malware broke winlogon.exe.