gerbil 216 Industrious Poster

Greentree, almost wasting my time here, fixing this, cos you are running a naked XP there, with no SP2 - how you have survived this long is wondrous.
Do these things.. see what happens:
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.

FIX CHECKED ENTRIES....!!
Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:

R3 - URLSearchHook: {CF746002-94FB-101B-8C12-02608C454BFF} - - (no file)
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\aryowyvi.dll",forkonce
O4 - HKCU\..\Run: [ISMModule] "C:\Program …

gerbil 216 Industrious Poster

Hello, Gary... you could just do this, use hijackthis to fix the following entry and then delete its file:

O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll

..But I would like to see if Combofix is set up to deal with it properly - there are a lot of reg keys and files that depend from the above BHO and which would remain, but neutralised. So, if you are willing, pls do this next after the above fix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Thanks.

gerbil 216 Industrious Poster

Snertly, just looking at that combofix log I was really thinking format n reinstall....
Thanks for your info. But that's the second AVsystem chap who has died on me..... so I will wait to research it more. 2/2 is not good.

gerbil 216 Industrious Poster

Ah... does it feel better now?
"well i use nod32, so u want me to uninstall nod32 and install AVG?" Well, NOD let em in, didn't it? But no, don't change.... AVG you can revert to an on-demand scanner for when you think you need it, just do an update b4 the scan [it will revert anyway after 30 days, n that's how I keep it]. And so far, no scanner catches everything...
Empty that quarantine bin, and you could run ComboFix to check for extras hiding... but your log shows clean.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
As a precaution, turn OFF, then ON your system restore on all drives to clear old restore points - one was infected.

gerbil 216 Industrious Poster

Brilliant. You musta known we couldn't read that...
Post a hijackthis log, please?
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.

Okay, I got it from the page source, it's a backdoor trojan, Ciadoor.
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
Start hijackthis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

This is important : you MUST remove all but one of your resident AV services. I suggest you keep only Zonelab.
You can help us a little by doing this, muffin:
-for a start I cannot tell what hijackthis version you have used, so if you have not already got this version.....
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
It appears that you have a vundo infection, or traces of one, so :
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

In normal mode:
-start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the …

gerbil 216 Industrious Poster

You still have the problem, mix?
Cos your last log shows this desktop item...
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\prokyko.html
O24 - Desktop Component 1: (no name) - C:\Program Files\ComPlus Applications\prokyko.html
Fix them both and delete the two files referred to.
Rclick your desktop in a clear space, properties [or control panel, display], desktop, customise desktop, web tab, and delete all entries there, OK n out.

gerbil 216 Industrious Poster

Log's clean still.

gerbil 216 Industrious Poster

Apart from the mouse problem, which could be a driver failure, could be just that mouse.... because all your pc's are affected. Are all the pc's on the router? Then that is the only? common. I would check its software if it has a firewall. You may need to reload it. Say how you go.

gerbil 216 Industrious Poster

SP2 - BURN that file!! to a CD, or a thumbdrive... whatever, it would be such a shame to dl the file fer two days on a dialup unny to have it clag on you...

gerbil 216 Industrious Poster

NOTE*** Set Albert up as a user before you do all that stuff. *****
....looks a lot, doesn't it? But it's straightfwd, almost fun.
There are two imposter smileys in that lot, in place of genuine : )
You cn change settings to direct downloads to that folder, or just direct the first downloads there n the browsers will remember it.
Albert. Yeah....

gerbil 216 Industrious Poster

Heidi, I don't think that I would give pgms 10GB.. even if all that you ever used were written instead by M$ they could not bloat out that much.... I have all my dl'd installer files [60 plus of em..] in my pgm partition as well, driver updates, plus extra info like help files, other application resources... and I only have a total of 2GB in there [ have 6GB space total... but with 160GB on that drive i can spare the fat]. I'd set yours to 5GB max., 4 GB even. And I would stick with an alphabetic order of drive letters... the default lettering is fine and good. Windows will plug in an optical drive there somewhere... I would make the last partition a logical one also.. ie "inside" an extended partition - allows you to add drives later on. Well, you never know...
Rename Temp to anything but that, cos soo many files are called temp also. Shortstay, Transient... whatever. A pathname T:\temp\temp.tmp is laying in wait for you... :)

Okay. Moving stuff. First decide what you wish to move out of C: -
I would suggest from User take Application Data, Cookies, Favourites, My Documents, Recent [My Recent Documents];
from Local Settings I would take History, Temp, Templates, Temporary Internet Files, leaving behind the actual Local Settings directory.
I would also relocate Outlook Express mail folders, Opera cache and Firefox cache.
And tell the sys the new default applications path. I …

gerbil 216 Industrious Poster

It's possibly a vundo infection...
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log in a NEW thread over in the Viruses and Nasties forum, please.

gerbil 216 Industrious Poster

jb, I'm just going to file that one away... nice that it does work in safe mode. I'm going to assume you used the Admin ac., so I guess that has full control of M$'s dodgy reg keys, if that is the problem....

gerbil 216 Industrious Poster

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

ATF Cleaner:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]

==Restart your computer in Safe Mode
Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.

gerbil 216 Industrious Poster

Heidi, is that an OEM-type XP installation disk you have there? Or a Dell Recovery disk? Since you reinstalled before I'll assume it is the former ....
Dell put a diagnostics utility on your hard drive in a hidden partition. That 31MB partition you deleted was it. But no loss there, there's no need to go eek. Let's move on.
Set your BIOS to boot from CD drive. Restart with the CD in the drive, and you should enter Windows Setup for XP straight away. Delete that C: partition so that you see the HD as ALL unallocated space. Now make a new partition for XP, set it to 8000MB. Format it, fully, as NTFS. Agree, enter your key, and let it rip.
When it completes you may have to load some drivers for chipset, video, sound etc from another CD. Don't load the Dell applications.
And stop there for the time being. Or if you like, use XP to partition the rest of the drive unallocated space. Just go to Disk Management console and do what I wrote about before. It's dead easy to use.
Sp2. So your Mum has a fast connection, eh? Right, mum's are used to being used.... so dl this file from M$; we'll use it later to upgrade to SP2 : http://www.microsoft.com/downloads/details.aspx?FamilyId=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en
This gives you a file [266MB] which you can burn to a rewritable cd and load into your pc. Plus with it you can …

gerbil 216 Industrious Poster

..deep in the registry.. I like that line... :)
Ah well, it was fun trying... a Restore? or a Repair..?

gerbil 216 Industrious Poster

Inside the Setupapi.log you could do a word search for "access is denied", track down every instance. But as M$ says ud have to retry the installation with verbose logging enabled to get those reg references logged....Then if you find a reference to a key" hive?......\"vnd.ms.radio" go into registry and delete it everywhere it occurs.
Actually, I'd just try that key deletion straight off - find vnd.ms.radio.... M$ radio? what is that? And if you still get the access denied msg on the next attempt.. go into the setup.api log with word find .. you did set verbose for logging this time, didn you? to track down the next key that's blocking you.
To delete some keys you may have to change their permissions. Btw, that key does not exist in my SP2 registry..?!

gerbil 216 Industrious Poster

Mozilla cookies... unlike with opera or IE it does not seem possible to direct cookies anywhere special. The end location is set in the script somewhere? Default preferences. Anyway, where they end up in a working firefox is at %systemdrive%\documents and settings\user [that's your login..]\application data\mozilla\firefox\profiles\coded mumbo.j.default\cookies.txt
Phew!. If you have that file, and open it you will see a serial listing of your actual cookies' text content. Don't have that file? Or its Date Modified does not coincide with your last browsing date, such as today? Then your ff installation is corrupted, so reinstall it over the top of the old. There does seem no reg key to alter, nothing to change in the about:config file..... You kept a copy of the installation file, right? No?.. dl it again.

gerbil 216 Industrious Poster

Restore will only return registry settings to what they were at that time. It will not undelete files. Your new installation on the new drive would not even see the old restore information on the Seagate -it would not know about its existence. But that is not your problem here.
What happens [if you can remember some paths...?] if you go Start, run, and enter:
G:\ the path to those files... eg G:\documents and settings\owner\My Documents... or whatever the path was
And the same for the Excel files? You may be able to get hints for paths from your new installation.
Windows deals with shell folders such as My Documents differently to the way it handles other files. Your data is most likely still there, you just need to get around windows.... those shell folders were established so that each user could easily gain access to his pictures, his documents etc without being exposed unnecessarily to those of other users unless he really wanted to, and had any permission required. I don't use Excel, but it could be for the same reason that you cannot see those files..ie another shell folder setup. Further, if you were using XP Pro you would need to take ownership of those files anyway, and M$ guide works for that: http://support.microsoft.com/default.aspx?scid=kb;en-us;308421

gerbil 216 Industrious Poster

It does sound as if some of the pgms in your OS which handle web browsing have become corrupted. Now I am not sure, but I would imagine that browsers other than IE use some of the OS's dlls to run various processes, such as handling html etc..., so as a first step I would try this: http://windowsxp.mvps.org/IEFIX.htm
If that does not do the job go Start, run, and
sfc /scannow
-for both fixes you will need your installation disc. Or you could try them in reverse order....

gerbil 216 Industrious Poster

Goggle for Rest2514. Another is PCI Filerecovery. Both free, both fast, both simple, both good.

gerbil 216 Industrious Poster

Every instance of an open webpage will have at least one connection, to secure sites there could be several; a couple running for your system [internal], multitab browsers such as firefox, opera will have at least one per tab. And so on.
But a hundred or so? Wow... typically I would have maybe 8-10 open.. but I aint the world's keenest browser.

gerbil 216 Industrious Poster

Hello again... yes, you can open AVG AS, go into infections and finally remove all those files. As for vundo, it is gone.
Delete all the tools [Vundofix, ComboFix, Killbox] and their folders, reports... They will be targeted by your AV, AS systems, and anyway, when next you need them they will have been updated to cope.
This is the only log entry that bothers me:
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
-unfortunately it could be one of several things. Navigate to the file C:\WINDOWS\SMINST\launcher.exe as I mentioned earlier, check its properties.
If it is HP or audio related it should be safe to keep; but possibly in that case the reg entry is unnecessary? and could be fixed by hijackthis... manual starting of the pgm is still possible. If it has no owner I suggest fixing the entry, and if nothing untoward happens, deleting the file.
Cheers, and thanks. You gave good feedback.

gerbil 216 Industrious Poster

Yes!...which is the process I pointed out.. diffren n better s'wares is all...
And until you mentioned it, I had never ever opened M$ Paint. Dunno whether to thank you or not...:)

gerbil 216 Industrious Poster

If you goggle boot.bmp you will find simple instructions and a lot of free loading screen pics to select from. You can do it in far more "invasive" ways too, but personally i don't see the point... my loading screen is up for <6 secs.. and I'm generally not watching at that point....
Just for fun.. and yeah, i guess that's why we do this stuff, I modified my logon screen to match my desktop background/wallpaper. For logon, I get my wallpaper and then a lil logon window pops into it... and disappears when I do the business to be replaced by icons. Logonstudio is a good place to start for that shenanigans.

gerbil 216 Industrious Poster

jb, check the Svcpack.log file for error messages. Goggle em.

gerbil 216 Industrious Poster

Heh.. brothers...
HiJackThis:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files.
-in that folder start HijackThis by dclicking the .exe, select Open Misc Tools Section, check List minor Sections and press Generate Startup List....
And if it does not show up on that there is a specialty startup lister we can run...

gerbil 216 Industrious Poster

That is better... vundo is getting improved all the time by its writers - it's their business you see, to deliver ads.... and beat cleaners. Interesting to see a vundo file have that particular extra launch key [dealt with below]. This file also was hidden, often it is visible: C:\Windows\System32\windii32.dll -> Trojan...
We learn on the job as Vundo is changed, and there are many variations out there. Now fix that same entry as before, and tell me if it returns...

O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\sstsp.dll,CreateProtectProc

AVG AS: I note you did not click Apply all actions before you took the log, which means that I cannot see how you set the way AVG dealt with the files it found.
>>If you did as I recommended and changed the default action from Recommended to Quarantine please remove finally [delete] all files from the quarantine bin.
>>Otherwise:: under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan again, and then remove all it finds.
And thanks for educating me on the incompatibility of ComboFix and Vista - not having Vista, and not having dealt much with it, that point had escaped me....

gerbil 216 Industrious Poster

Interesting. Could you pls do this [it is only the second time I have been presented with AVsystem care, and that other chap didn come back, so bear with me, please...]?
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ .. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!

==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to bunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
We'll go from there.

gerbil 216 Industrious Poster

A M$ .doc is just code - ascii text plus formatting code for colours, shapes, arrangement; a .gif is a coded image map of pixels, the code may contain instructions for presenting multiple images [if they exist] embedded in the .gif file, and the two are way different. You will need some software. Take a screenshot of your doc with printscreen or a specialised screenshot reader such as ABBYY's, save the image as a .jpg, then use a software such as Adobe ImageReady or Ulead GIF Animator to convert and save as .gif.
Then rename without the extension.
It works.... I just tested it.

gerbil 216 Industrious Poster

And I am sorry, but I really must go to bed - it is sooo late here..

gerbil 216 Industrious Poster

Darn. There is a hidden file regenerating that entry.
Delete c:\vundofix.txt.
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Restart your machine in safe mode, dclick VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
Start AVG a-s 7.5;
-under Scanner/ Settings please set Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file.
Post that log file, plus the contents of C:\vundofix.txt plus a new HijackThis log.

gerbil 216 Industrious Poster

Please check to see if any of these files exist:
C:\windows\system32\pstss.bak1
C:\Windows\system32\pstss.ini
C:\Windows\system32\sstsp.dll
C:\Windows\system32\vtuvvtu.dll
C:\Users\ADVINC~1\AppData\Local\Temp\wrbwxbij.dll
[hijackthis will remove the registry entry represented by that O4 listing, but will not actually delete the file in system32..]

gerbil 216 Industrious Poster

If you fixed this entry before, it has regenerated....
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\sstsp.dll,CreateProtectProc
...but killbox should have deleted the file
C:\Windows\system32\sstsp.dll
Please fix that entry with hijackthis, and check by browsing that the file does not exist now.
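
The posts above make the point that fixing an O4 or O2 listing in HijackThis removes only the registry entry, not the file it points to. The following Python is an added example, not part of the original posts and not HijackThis's own code: it parses O2, O4 and O9 lines and lists the files a registry-only fix would leave on disk. The flag names and heuristics are assumptions of this example, and the sample lines are copied from entries quoted on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines copied from the posts on this page (not a complete log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {64A661E8-C8E0-4C78-845D-11DD70DFC188} - C:\Windows\system32\sstsp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [cfmpgzwd.exe] C:\ProgramData\cfmpgzwd.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\sstsp.dll,CreateProtectProc
O4 - HKCU\..\Run: [MemoryManager] rundll32.exe "C:\Users\ADVINC~1\AppData\Local\Temp\wrbwxbij.dll",sitypnow
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - L:\PROGRA~3\ICQ\ICQ.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# O2 / O9: "<label>: <name> - {CLSID} - <file, or (no file)>"
CLSID_RE = re.compile(
    r"^(?P<label>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.*)$")
# O4: "<hive>\..\Run[Once]: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32.exe <dll>,<export>  (the dll path may or may not be quoted)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)', re.I)
# First token of a plain command line: quoted path, or text up to a space.
# Unquoted paths containing spaces are ambiguous and get cut at the space.
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>\S+))')


@dataclass
class Entry:
    code: str                       # HijackThis section code, e.g. "O4"
    name: str                       # BHO/button name or Run value name
    clsid: Optional[str] = None
    target: Optional[str] = None    # file the registry entry points at
    export: Optional[str] = None    # DLL export named on a rundll32 line
    flags: List[str] = field(default_factory=list)  # labels made up here


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O2, O4 or O9 line; any other line returns None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("O2", "O9"):
        c = CLSID_RE.match(body)
        if not c:
            return None
        e = Entry(code, c.group("name"), clsid=c.group("clsid"))
        file = c.group("file").strip()
        if file == "(no file)":
            e.flags.append("orphan")        # registry entry with no file
        elif file.endswith("(file missing)"):
            e.target = file[: -len("(file missing)")].rstrip()
            e.flags.append("orphan")
        else:
            e.target = file
        return e
    if code == "O4":
        r = RUN_RE.match(body)
        if not r:
            return None
        e = Entry(code, r.group("name"))
        cmd = r.group("cmd").strip()
        d = RUNDLL_RE.match(cmd)
        if d:
            # Autostart that loads a DLL through rundll32: worth a review.
            e.target, e.export = d.group("dll").strip(), d.group("export")
            e.flags.append("rundll32-autostart")
        else:
            x = EXE_RE.match(cmd)
            e.target = x.group("q") or x.group("u")
        if e.target and "\\temp\\" in e.target.lower():
            e.flags.append("temp-path")     # autostart from a Temp folder
        return e
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e]


def files_left_on_disk(entries: List[Entry]) -> List[str]:
    """Unique files that remain after a registry-only fix of these entries."""
    seen, out = set(), []
    for e in entries:
        if e.target and "orphan" not in e.flags and e.target.lower() not in seen:
            seen.add(e.target.lower())      # Windows paths: case-insensitive
            out.append(e.target)
    return out


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(entry.code, entry.name, entry.target, entry.export, entry.flags)
    print("Check these still exist after the fix:", files_left_on_disk(parse_log(SAMPLE_LOG)))
```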

gerbil 216 Industrious Poster

Yeah, I checked, Vundofix and ComboFix do not work properly with Vista.. sigh....this next one does. But first, please fix this entry with hijackthis:

O4 - HKCU\..\Run: [MemoryManager] rundll32.exe "C:\Users\ADVINC~1\AppData\Local\Temp\wrbwxbij.dll",sitypnow

==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Dclick killbox to start it.
Select "Delete on reboot", click the "all files" button.
>Highlight the pathnames in the following lines as one block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\windows\system32\pstss.bak1
C:\Windows\system32\pstss.ini
C:\Windows\system32\sstsp.dll
C:\Windows\system32\vtuvvtu.dll
C:\Users\ADVINC~1\AppData\Local\Temp\wrbwxbij.dll

In killbox, go File menu, choose Paste from clipboard. Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
I am not sure if that last file will have the same name -it has changed with restarts. If you have not restarted your sys since you made the last hijackthis log we should be okay...

gerbil 216 Industrious Poster

Ah, sorry, best not...my error. I am totally unfamiliar with Vista... just a mo - I see that Vundofix could not delete those files, but detected them repeatedly... I'll give you another tool..

gerbil 216 Industrious Poster

Ok, thank you [the vundofix log is cumulative... it adds each run's result]; this last tool should remove one more problem..
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

gerbil 216 Industrious Poster

If you do not use the remove vundo function the tool is not going to do much, is it? If it stalls just restart by holding in the power button. Post the contents of C:\vundofix.txt. And you did not change the name of hijackthis.exe as I requested. I'm not particular what you call it, just change it. Please.

gerbil 216 Industrious Poster

Cheers. Unfortunately hard drives do not last forever. It's just a question of changing before one hurts you, or gambling and waiting till it does.

gerbil 216 Industrious Poster

Restart your sys. Part of wanting to see complete logs is to learn the order in which things were done, and whether Vundofix completed. Run Vundofix again, then do the second part, restarting manually if needs be. It is possible for some infections to break cleaning tools, but Vundofix is one that you run repeatedly until it has done its job. The whole point is, it should delete all the files it finds, and not you, otherwise its cleaning may not be complete. As for the blank time, a couple of minutes would be very long.... meaning it has stalled.
The firewall and AV do not interfere with what we are doing.

gerbil 216 Industrious Poster

Log's clean. Suggest overheating, or dodgy PSU as first items to check.

gerbil 216 Industrious Poster

Janis, I would copy valuable stuff to [rewritable] cd/dvd's immediately, and go out and get another drive to use as a main drive [install windows on it, etc..].
If you do not already have a backup regime, making copies of files on cd's etc is the simplest, quickest way. You could of course install windows on a new master drive, put the current one in as slave and copy from it to the new master....
But do something, cos the pain of lost data is great.... your symptoms could well be those of windows having trouble reading the drive.
To save money, make copies and wait n see... and risk losing only the latest stuff.

gerbil 216 Industrious Poster

"Run as" is a sandbox [the top button...], a virtual environment windows creates to run the pgm. It allows the pgm to do as you wish it to data files, but will not permit it to change registry entries, or modify the OS.
Think of Run as as a new user, but with different, more restricted privileges.
Of course, you can use Run as to start an admin account [the bottom button...] so you can do normally restricted stuff if you are currently logged on as a user with no admin privileges. Provided you know any logon and password required. Not a sandbox, in this case.
But if you use Run as as a sandbox to run something that is actually infected, your AV should jump out at you with a warning. And break it.

gerbil 216 Industrious Poster

Hello, it would have been nice to have seen the vundo report.... vundofix would have deleted the files it found, but there appear to be more, certainly you have other malware there. Let's do this:
Please rename hijackthis.exe to imabunny.exe - this is important.
I see that you ran vundofix online? Please try it this way:
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Next, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {64A661E8-C8E0-4C78-845D-11DD70DFC188} - C:\Windows\system32\sstsp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\Windows\system32\vtuvvtu.dll
O4 - HKLM\..\Run: [cfmpgzwd.exe] C:\ProgramData\cfmpgzwd.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\sstsp.dll,CreateProtectProc
O13 - Gopher …

gerbil 216 Industrious Poster

Janis, there is nothing wrong that shows on your log. You could use hijackthis to fix this entry - it's merely for an installer that has done its job and does not need to be on the autostart list:
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\JANISH~1\LOCALS~1\Temp\{C08042A7-7489-4744-9262-F52912808DF5}\ {D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
Frankly, if chkdsk warned me that my HD had damage I'd be waiting for the shop to open. My advice would be to get your data off, soon. Then you could slave it as a temporary drive eg virtual memory [page file] until it dies.

gerbil 216 Industrious Poster

Hello, Heidi. Fair enough about the game images... you can take up that idea at any time you like down the track, and just load a game image into your temporary partition in some folder. We'll ignore em now though.
SP2. M$ put a deal of effort into that patch, and if you surf the web it is pretty vital to have. It is all about improving security.... and they continually update their work. I have never had a problem with my pc.... so SP2 works for me. I strongly suggest you borrow a friend's XP-SP2 disc to use for installation if your key is a general, not limited type. Otherwise use your CD and key then get the SP2 CD from M$.
Skip using diskpart, use the formatting tool on the XP CD to create the first partition, the one for Windows itself; it will automatically create one of the right type [primary, and active], you get to choose FAT32 or NTFS - choose NTFS. Once again, it is about security, besides it was designed for XP. To install XP only one partition is necessary, we'll create the others later using XP.
Right. Disconnect from the web, change your BIOS setting to boot from CD and restart with the CD loaded; or more simply start up, hit F11 to set the one-time boot source to CD, load your CD ...
Let Windows Setup start, delete any partitions it finds, then in the unpartitioned space create …

gerbil 216 Industrious Poster

... And as sometimes happens I cannot see a thing wrong there.... but that seems to be characteristic of AVsystem care. Please run Combofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

gerbil 216 Industrious Poster

Rosie, it is various O4 entries that are possibly bogging your sys. A lot of them I do not recognise, but typically they are starting processes to speed startup just in case you do use them, or are update checks. They all stay resident, taking up RAM. At a quick glance the only ones I would keep would be the Trend Micro and Zonealarm entries....
Do you use Adobe Reader professionally? IF you have the paid version, ignore me, but I think it is a pig [free version...] and I dumped it for Foxit... does all the same things... better.

gerbil 216 Industrious Poster

Jenjen, you do not have a virus or any malware showing in that log. But I STRONGLY advise you to remove one of your resident AV services, either Mcafee or AVG - they will conflict so badly anything can happen. Do it now.
Next, to clean up a bit, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - L:\PROGRA~3\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - L:\PROGRA~3\ICQ\ICQ.exe (file missing)

Then, if you have still not got those items working that you complain of, I would think that it is more likely a file corruption error, and not a series of registry settings suddenly incorrect. So I would recommend you run the windows file protection system to check ....
Start, run: sfc /scannow - you'll need your installation CD....
If that does not do it then try a windows Repair [not with recovery console, but a setup repair - that reverts M$ files and reg settings but does not interfere with your data files. Downside is that you must then update windows again.
Before attempting a Repair tho I would try this to put your mind at rest re viruses:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim …