gerbil 216 Industrious Poster

No, not java, but javascript.. :). There is a difference. [And if you have java check in control panel and update from there...]
This is a broad brush we shall apply now, but somewhere in this the problem should be resolved....
Go to Start > Run and then cutnpaste and Enter the following 2 lines [you need to press OK after each DLL file is re-registered].
---- LINE 1
regsvr32 urlmon.dll mshtml.dll shdocvw.dll browseui.dll jscript.dll vbscript.dll scrrun.dll msxml.dll actxprxy.dll softpub.dll wintrust.dll dssenh.dll

---- LINE 2
regsvr32 rsaenh.dll gpkcsp.dll sccbase.dll slbcsp.dll cryptdlg.dll oleaut32.dll ole32.dll shell32.dll msjava.dll hlink.dll Schannel.dll Rsabase.dll initpki.dll

Do not worry if some of these do not run or are not found. It simply means that particular dll does not apply to your version or system configuration.

gerbil 216 Industrious Poster

Btw, Microsoft will mail you an SP2 cd for just a couple of dollars, turnaround is about a week if you are in northern america.

gerbil 216 Industrious Poster

I do wonder if it is not something like this program checker trying to run but failing? I understand it calls home to check processes running to see if they are legit?
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
Fix it with hijackthis....

gerbil 216 Industrious Poster

A delay is not a problem for me, Pablo.
Let's try to delete manually the file that Vundofix could not..
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Now first off start hijackthis and select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A

Now go in and rclick these files and use Unlocker....
C:\WINDOWS\system32\pmnmnnm.dll
C:\WINDOWS\mrofinu72.exe
Restart your machine, delete C:\vundofix.txt, dl a fresh copy of Vundofix and run it.
Post another Hijackthis log.

gerbil 216 Industrious Poster

Hi again... logonui.exe normally resides in system32. There should be no such directory E:\WINDOWS\SSTEM~1 [it is a corruption of some sort, malware?] - and that abbreviation is wrong for system32, it refers to some directory [or file!!] named sstem+whatever. So check in your system32 for logonui.exe; if it exists happily delete the E:\WINDOWS\SSTEM~1\logonui.exe

gerbil 216 Industrious Poster

Delete the file..:
E:\WINDOWS\SSTEM~1\logonui.exe
-fixing the entry as advised above only removes the registry key which starts the process, you then delete the file if it is bad, as this one is.
Glad you are up and running again.

gerbil 216 Industrious Poster

This pgm will remove C:\Program Files\Internet Explorer\svchost.exe
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
-if for some reason you cannot dl that file, delete it in safe mode. It may of course be regenerated. Next...
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Clean with ATF and run that Panda online scan.
Okay, please run HT again and repost with the fixwareout log.

gerbil 216 Industrious Poster

FF is a copy of Opera... try Opera. I do not use IE7 but perhaps a reinstallation of IE7 is called for. Or revert to IE6.
http://www.opera.com/download/

gerbil 216 Industrious Poster

Cool... :)
I must assume that this feature is set automatically for web page desktop backgrounds so that the white label text is visible if the webpage at that part of the desktop happens to display a pale colour..
These things are all logical..? but so confounding if you did not intend using particular aspects...

gerbil 216 Industrious Poster

Well, dammit, caper, you beat me this time.
... :)

gerbil 216 Industrious Poster

What happens if you use Firefox or Opera? Being serious here...

gerbil 216 Industrious Poster

Ok, fooling around with someone else's problem the other day I noticed that when I locked web content on desktop it changed my shadowed icon labels to backgrounded just like yours. This is my last shot: Rclick your desktop, choose Arrange icons by, uncheck Lock web items on desktop [that is, if it is checked... :), ].

gerbil 216 Industrious Poster

Just adding to Overwhelmed's post...
Do this first:
MyWebSearch Search Assistant - Go to Add/Remove programs and remove MyWebSearch...
and then run thru that list of hijackthis entries.
Note: this entry is okay, it is just up to you whether you want to have that browser button:
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DL

gerbil 216 Industrious Poster

To check for web content, rclick on desktop, go properties, desktop, customise desktop, web, and check if any sites etc are listed.

gerbil 216 Industrious Poster

Yeah... FF is a "copy" of Opera - they adopted many of Opera's features. I switched to using FF for daniweb cos it was faster than Opera for me. Now that I use hosts to block all the ads on the pages though... the difference is not there. May switch back... go Opera!, you unknown king of browsers, you.

gerbil 216 Industrious Poster

Aw heck, then it must be my settings, thanks Crunchie... an there are so many possibilities for playing with them in FF. Sigh. Looking in the error console it sees a lot of html errors in some pages in daniweb; doesn't seem to be able to ignore them all... must be a setting for that somewhere..?

Interestingly, Opera pulls it all in...

gerbil 216 Industrious Poster

Just delete this one: C:\Program Files\Internet Explorer\svchost.exe
...browse to it in Explorer and delete the file.
Of course, you can always do this... go Start, run, enter cmd
Then in the black window paste at the prompt:
del "C:\Program Files\Internet Explorer\svchost.exe"
It's just another way of doing the same thing! Windows is full of other ways.
That O17 entry: I was wondering if that was for your ISP [01.com] because that entry was not in your first log..

gerbil 216 Industrious Poster

Thanks for that reply, vj.
Dll sharing conflicts.

gerbil 216 Industrious Poster

Okay. Do you have any active web content on your desktop? Try removing that...

gerbil 216 Industrious Poster

Crunchie, FF is not rendering this thread fully - I cannot see what you posted about in his Combofix log... there are gaps. ... it could be my FF settings, I do not know. Could you mention this to the backroom boys pls?

gerbil 216 Industrious Poster

ActiveX control is a term given to a program which can be automatically downloaded and executed [by the browser, usually IE; FF and Opera don't use them].
Safe ones are signed and recognised by M$; depending upon how you have set IE Security you will or will not be warned about safe and/or unsafe ones, or they will not be allowed in at all. Also Spywareblaster has a comprehensive list which it loads into registry of known bad ones - they will not get loaded no matter what your IE security settings are. I recommend you set IE security to Medium [custom level]. Panda's AX control is safe - it is the program which runs its online detection service.
ATF Cleaner works with IE, Opera and FF as per the tabs - you select which browser's caches you wish to clean.
No mates to borrow an XP-SP2 disc from? You are not infringing any rules by doing that as long as you input your own licence.

Taking a naked XP onto the web is waving a red flag to a bull - they WILL get you. Now this has arrived:- C:\Program Files\Internet Explorer\svchost.exe .. delete it.
Is 01.com your ISP?...
O17 - HKLM\System\CCS\Services\Tcpip\..\{F732A02F-5674-43C2-AEEA-583194263FFC}: NameServer = 66.81.1.251 66.81.1.252

Just about anybody, neighbour, workmate, milkman should have a disc you can borrow [and burn a copy of..] - it does them exactly no ill at all unless you lose/destroy …

gerbil 216 Industrious Poster

Give this a go, vj...
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file plus a hijackthis log:...
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button.
Post the log here.
.

gerbil 216 Industrious Poster

Go start, run, paste in this:
control sysdm.cpl,,3
-press Performance settings, and check Use drop shadows for icon labels on desktop, apply n ok.

gerbil 216 Industrious Poster

Just so you know, this is the key involved.... shown is the locked value [6]; setting value as [4] unlocks web items. You are unsetting bit 2 - if locked value is 2 you would set 0.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"GeneralFlags"=dword:00000006

..and hughv's method does just that - you can do it from either safe or normal modes. But something else is wrong; locking web items should not crash the desktop.

gerbil 216 Industrious Poster

I see cake crumbs... :)

gerbil 216 Industrious Poster

You may have dropped through the cracks here, billy. So.... while crunchie is having a cup of tea:
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [cjkkkjzipnm] E:\WINDOWS\system32\cjkkkjzipnm.exe
O4 - HKLM\..\RunServices: [cjkkkjzipnm] E:\WINDOWS\system32\cjkkkjzipnm.exe

Good. Delete these files:
E:\WINDOWS\system32\cjkkkjzipnm.exe
E:\WINDOWS\system32\cjkkkjzipnm.exe

Now if you are gaming you don't need all those toolbars and browser helpers, do you [they sit in memory...]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - E:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [LXCFCATS] rundll32 E:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
...and you don't need anything in the trusted zone [why bypass all your normal site safety settings?]
O15 - Trusted Zone: *.line6.net

SillyBilly commented: This give me speed, and was very helpful. +1
gerbil 216 Industrious Poster

Be a little careful!
This msconfig.exe is in the wrong place: C:\WINDOWS\system32\msconfig .exe
-it should be in C:\windows\pchealth\helpctr\binaries\, so I suggest you check its owner. If it is not from Microsoft, delete it.
C:\WINDOWS\system32\temp.000.... I would delete this, system32 is not the place for temp files.
Delete this file: C:\WINDOWS\system32\SSQRQ.DLL.del
Nircmd is from combofix.
C:\WINDOWS\system32\MFC71.dll - this file is legitimate!!
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdgwqudt] -fix this with hijackthis... start it, place a check against this entry:-
O20 - Winlogon Notify: ¨ ? ? ? - C:\WINDOWS\
...and press Fix Checked.

ssqrq.dll removal does not seem to have been handled correctly... this file [with .del extension] exists: C:\WINDOWS\system32\SSQRQ.DLL.del
So may I suggest:
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Addmore files? line, paste into the new window these pathnames [one per line]:

C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\qrqss.*

Click the Add Files button, and next the Remove Vundo button.******

You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could …

gerbil 216 Industrious Poster

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Microsoft Update Machine] bheqtp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update x86] firefox.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] bheqtp.exe

Good, now find these two files and delete them [they will be in system32 ]
bheqtp.exe
firefox.exe [this one is nothing to do with your beloved ff!]
Say how things are.

It would not hurt to do this procedure...[ it would be an alternative to the above...]
-Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1
-click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
-GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

gerbil 216 Industrious Poster

Legit... stops ppl using cheats in Punkbuster online games.
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe

gerbil 216 Industrious Poster

Except for this...!!
O20 - Winlogon Notify: abc32reg - C:\Documents and Settings\All Users\Documents\Settings\abc32.dll

gerbil 216 Industrious Poster

Post C:\vundofix.txt also...

gerbil 216 Industrious Poster

What you really should do is this:
==Get SP2 [download the installer file they suggest is for professionals]. Just save it... http://www.microsoft.com/downloads/details.aspx?familyid=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
==Install SP2 yourself. After making sure Windows firewall is running [it should be by default] go to the Windows update site and update!!
Then get one AV, one AS, one firewall, and Spywareblaster.

[Instead of doing that huge SP2 dl you could just borrow a mate's XP SP2 disc and use your own licence numbers with it. And then update...]

gerbil 216 Industrious Poster

The selections I posted are grouped, they serve differing functions.
The first group is AV, antivirus is all they do. Not spyware, [not trojans], not adware...
Spywareblaster blocks hundreds of programs considered to be bad from even being downloaded to your computer; it works via registry and uses almost nil resources [ a check in registry is going to be made anyway if something like an activeX tries to come in...].
Firewalls block everything uninvited from coming in, and will ask for permission to let a process access the internet. You will be invisible.
You could also get AVG AS... All it does is antispyware, adware, trojans etc.
But your best plan would be to get SP2 and then those things...

gerbil 216 Industrious Poster

==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.

Say how you get on.

gerbil 216 Industrious Poster

My money is on a javascript problem [form submission] and it's either with you or your ISP.
Talk to em.

gerbil 216 Industrious Poster

I use ZA, and happy with that.
How did you get it? Email attachment... is the usual way.
Anyway, is everything okay now?

gerbil 216 Industrious Poster

...

gerbil 216 Industrious Poster

I am afraid it is already too late to recover your data, weera. It has been overwritten.
I hope you have backups on separate media.. cd or dvd.... any drives you connect before running a cleaner will get infected also.
May I suggest that you install a good AV?
Choose one of these:
AVG Free, Avast, Avira....

AVG Free 7.5 at http://free.grisoft.com/doc/5390/lng/us/tpl/v5
[while you are there, get this: AVG AS 7.5]
Avira personal free at http://www.free-av.com/
Avast home edition at http://www.avast.com/eng/avast_4_home.html
...and one of these:
ZoneAlarm Free, Kerio, Comodo

gerbil 216 Industrious Poster

Vista trojan/anything proof? Oh dear, all those poor malware writers that will be out of work....
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: Office toolbar - {4722D065-A352-42FB-924C-EAEF5A1AE571} - C:\Windows\sysosa.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Office toolbar - {BC660FC4-4B54-4CC7-AC65-23B0CA1FBBB0} - C:\Windows\sysosa.dll

Good. Now search for and delete this file:
C:\Windows\sysosa.dll
-if it puts up a fight delete it in safe mode.
Say how things are now.
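
The location and orphan checks these posts apply by eye to HijackThis entries, as an added Python example (not part of the original posts and not HijackThis's own logic). The rules and the `EXPECTED_DIR` table are assumptions drawn from what the posts flag; the log is constructed from entries quoted on this page, and the two Run lines for logonui.exe and svchost.exe (value names `logon` and `svc`) are made up around paths the posts mention.

```python
import ntpath
import re

# Constructed sample in HijackThis log format (see lead-in for what is made up).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Microsoft Update Machine] bheqtp.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 E:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [logon] E:\WINDOWS\SSTEM~1\logonui.exe
O4 - HKLM\..\Run: [svc] C:\Program Files\Internet Explorer\svchost.exe
O20 - Winlogon Notify: abc32reg - C:\Documents and Settings\All Users\Documents\Settings\abc32.dll
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
"""

# Assumption: expected folder, relative to the Windows root, for the system
# binaries named in the posts. Every folder name here fits in 8 characters,
# so none of them has a legitimate "~1" short-name alias.
EXPECTED_DIR = {
    "logonui.exe": "system32",
    "svchost.exe": "system32",
    "msconfig.exe": r"pchealth\helpctr\binaries",
}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First absolute path to an .exe or .dll; stops before rundll32's ",EntryPoint".
PATH_RE = re.compile(r"[A-Za-z]:\\[^,]*?\.(?:exe|dll)\b", re.IGNORECASE)


def split_path(path):
    """Return (lower-cased folder without drive letter, lower-cased file name)."""
    folder = ntpath.splitdrive(ntpath.dirname(path))[1].lower()
    return folder, ntpath.basename(path).lower()


def triage(log_text):
    """Return (section, finding, detail) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue  # header lines, blanks, running-process list
        section, rest = entry.groups()

        # BHO whose registry key survives but whose file is gone.
        if section == "O2" and rest.endswith("(no file)"):
            findings.append((section, "orphaned-bho", rest))

        found = PATH_RE.search(rest)
        if found:
            path = found.group(0)
            folder, name = split_path(path)
            # A system file name running from anywhere but its usual folder.
            if name in EXPECTED_DIR and folder != "\\windows\\" + EXPECTED_DIR[name]:
                findings.append((section, "system-name-wrong-dir", path))
            # Winlogon Notify DLL loaded from outside system32.
            if section == "O20" and not folder.startswith("\\windows\\system32"):
                findings.append((section, "notify-dll-outside-system32", path))
        elif section == "O4":
            # Autorun with no absolute path: the log cannot show which file runs.
            findings.append((section, "autorun-without-full-path", rest))
    return findings


if __name__ == "__main__":
    for section, finding, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {finding:28} {detail}")
```

A randomly named executable sitting in system32 passes all three rules, so these checks narrow a log down for review rather than clear it.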

gerbil 216 Industrious Poster

I understand, nightel.
The only way as far as I know that IE could be starting is for some process to be calling it. That process either has to be running from startup else is hooked into some other process so that when you or the sys starts the latter the hooking module is called and starts. Eg this key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
For those that are set to start automatically with your sys, try this:
autoruns.exe: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Either Icesword [get the english version and help files] or RKUnhooker [RootkitUnhooker] give you a deeper look at what is running, what ports are open and connected to where, hooks, and of course check for rootkits.. :).
Just a few tools for you to examine your sys with...
Good luck.

gerbil 216 Industrious Poster

That is a clean scan, Nightel [you didn't use the firefox tab in ATF...?], apart from the entry at the top re Savenow adware in Registry - the method you used to remove WhenUSave may have left something...
I assume that IE still pops open?
You could search your registry for these keys and delete them:
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSaveMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xtractor Plus_is1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Free Software
HKEY_CLASSES_ROOT\WUSN.1
HKEY_CLASSES_ROOT\CLSID\{E2F2B9D0-96B9-4B25-B90C-636ECB207D18}

And use these as fields for searching registry;
72A836D1-BC00-43C0-A941-17960E4FB842
43382522-A846-46F4-AC57-1F71AE6E1086
AppID\127DF9B4-D75D-44A6-AF78-8C3A8CEB03DB
WhenU
WUSN.1
FC327B3F-377B-4CB7-8B61-27CD69816BC3
FEE7FD53-3356-4D4D-8978-2C4AE3A7E109
E2F2B9D0-96B9-4B25-B90C-636ECB207D18
Tedious stuff; all I can think of though. What does IE do when it pops, where is it directed?

gerbil 216 Industrious Poster

Yes, dt, do as comodore recommends, you must, simply must use an AV.
Choose one of these:
AVG Free, Avast, Avira....

AVG Free 7.5 at http://free.grisoft.com/doc/5390/lng/us/tpl/v5
Avira personal free at http://www.free-av.com/
Avast home edition at http://www.avast.com/eng/avast_4_home.html

Get this:
Spywareblaster
and one of these:
ZoneAlarm Free, Kerio, Comodo

PS... this is the latest HT version: http://www.majorgeeks.com/download5554.html
And now that your sys is clean... GET SP2 !! [skip SP1...]

gerbil 216 Industrious Poster

Oh, okay, I thought you may have been behind a network server.
Your log shows nothing, perhaps try this:
Clean:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Scan:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil 216 Industrious Poster

What is your reason for using this false proxy:
Internet Settings,ProxyServer = 0.0.0.0:80

gerbil 216 Industrious Poster

And for my two bob's worth, I like AVG AV, clean and functional, and after an initial full sys scan you should not have to scan again, cos its active component automatically checks everything that runs, is run, or tries to run.
Spywareblaster is neat, you just gotta have it. It uses the registry and CLSID values of nasty ActiveX's to block them... if they were already on when you loaded SWB they cannot run, and if any of those listed try to get on they are blocked. It's neat, and almost no load. That registry is going to be checked anyway.. SWB just puts entries in it.
A bit more, fixing an O23 entry with Hijackthis does not delete it; it should disable and stop it. But you can use the HT feature under Misc Tools- Delete an NT service.
So many ways to do things.. such choices to make.

gerbil 216 Industrious Poster

Ah, Vista... don't use that reg file -it's for XP.
And yep, neither Panda nor SDFix are vista ready..
Nor am I.

gerbil 216 Industrious Poster

It is difficult to help without that hijackthis log file as a starter.... run another scan if you must and just paste it in from that notepad.

gerbil 216 Industrious Poster

Hi, dt, that black command window will just flash. To actually see what happens you could modify that command business as follows:
Go Start, run cmd.
Then into the black command window that opens paste in:
sc delete "Integrated Windows Authentication"
That way the window will stay open so you can see the result. You close it with exit or the white cross.
So can you still see that service displayed in Services.msc? If so, in that command window [run cmd...] paste:
sc stop "Integrated Windows Authentication"
then...
sc delete "Integrated Windows Authentication"
Post a fresh HT log. Or if it does still exist try this before you make and post that log:

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
=You must restart your computer in Safe Mode:
- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.

gerbil 216 Industrious Poster

Clean:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Scan:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Dl this:
http://www.dougknox.com/xp/fileassoc/linkfile_fix.zip
=extract the .reg file, dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
Help us help you:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Oh, and if your OS still does not validate may I suggest you work through the detail of this article?
http://www.pchell.com/support/windowsgenuineadvantage.shtml
Start with "I have a legal copy of..., but...", run the M$ diagnostic and then so on...

And either XPPID.exe or RockXP4.exe will enable you to easily reload your valid authentification key again. Get either on the net from a rep site.