gerbil 216 Industrious Poster

Another good one is PCInspector from http://www.pcinspector.de/file_recovery/UK/welcome.htm
but it is big, and you really should have had it on your machine first.
Btw, both those are true freeware. But i don't know what you would use for emails...

gerbil 216 Industrious Poster

Go here and get REST2514 http://www.free2u.org/freeware/system_utilities/file_management/file_recovery/rest2514.html
It's simple to use, can be downloaded to a floppy and extracted to the same floppy and run from the floppy too, so minimal or no file damage/overwriting risk in your pc. Read the help file, but all you do is enter an extension like .jpg, or .txt... and be astounded.

gerbil 216 Industrious Poster

well i was bored.....and it works : )))))))

Great stuff! and now you feel that much more satisfied cos there is nothing like doing it all by yourself....
Cheers, g.

gerbil 216 Industrious Poster

Hi munecka, you didn't get it all.. :)

Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip unzip it onto your desktop.
Dclick killbox to start it. First off, make a quick check on your hosts file : go Tools, click Hosts File - in the notepad that opens the default is a hashed example followed by a valid hosts redirection line, 127.0.0.1 localhost
If there are no other lines in the file then skip the Hoster instruction block below.
In Killbox select "Delete on reboot", click the "single file" button.
Copy the pathname in the following line into the textbox:-

C:\WINDOWS\system32\xuabhqgp.dll

Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
On restart:-

==Please download Hoster: http://www.funkytoad.com/download/hoster.zip and Extract it to your Desktop.
==Click the Restore MS Hosts Button and then click OK and exit Hoster.

Now open an explorer window and rename hijackthis.exe to Simplesimon.exe. Start hijackthis [Simplesimon], close all other applications and windows and press Do a Scan Only. Place checks against all the following if they exist:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\xuabhqgp.dll",setvm
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 …

gerbil 216 Industrious Poster

Panda is picking up traces of need2find, wupd and baidubar adware pests. If you are not getting any ads or popups now then i would ignore their existence. To remove all the keys or files would take an inordinate effort.
Now that you appear clean, change your banking, email passwords if you have not already.
"It's late now, so I'll get back to you soon on the O4s."... still applies.. :)

gerbil 216 Industrious Poster

I can only talk for XP, but i imagine the similarity to 2000 will be uncanny...
My Computer, My Documents are two of a group of special shell folders... Diehards can change those icons, but is it worth the huge trouble? The default icons are stored in shell32.dll or explorer.exe.
My Computer is icon #100 explorer.exe
My Documents is icon#235 shell32.dll
-there are hundreds of em in shell32.dll, and either your shell32 and explorer.exe are broken [sfc /scannow will fix that] or your reg is pointing to the sky.
There are several My Computer keys for icons, or icon groups - for start panel, folder icons... u have a lot of reg editing to do...test this one: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\MyDocs

Name: Bitmap
Data: %SystemRoot%\System32\shell32.dll,235
-that, as i pointed out, is for XP... icon 235, from an icon group, is a yellow folder with an envelope slipping inside. The icon u get from the group depends upon user-selected icon size and display colour range [bits].
Tweak UI rebuilds icons.. sfc /scannow rebuilds sys files, windows repair option rebuilds the reg.

gerbil 216 Industrious Poster

These icons, texts etc that make up windows are drawn from M$ system files. Either some of your sys files have been altered, or registry is pointing to implants. Work on the first cos it is easiest.
If you have a M$ install CD insert it and go Start > Run, type sfc /scannow ..and OK.
That will sort out that side of the problem. Come back if it still exists.

gerbil 216 Industrious Poster

Hello, ENNGLISH, please say if you were able to delete the 3 files:
C:\WINNT\System32\spooIsv.exe
C:\WINNT\System32\sysamp.exe
C:\WINNT\sys32.exe
I would like you to check for their presence as before [no need to use task manager] and report back if any have returned.

In normal mode will do...
Click Start, go My Computer and Local Drive C: [or open an explorer window however you wish]
-in the left pane tree [click Folders icon if you must] expand C:; expand WINNT; lclick system32.
-in the right pane search for the first two files above. Collapse system32 folder and highlight [lclick] WINNT in left pane. Check for the third file in the right pane.

gerbil 216 Industrious Poster

Hi, Donchetito, please learn a little thing from the virus scans on those 3 logs- note that of all the tests only one found an infection in the third log... this is why we request several different scans, it's known as layering. Not one of them is perfect yet.
Delete those 3 renamed files.
Now, 3 more to remove; they are no longer being called so a simple search and delete should suffice:
C:\WINDOWS\system32\ciuyckb.exe
dxclib303562752.dll
pjjmedjd.dll
-- the 2nd and 3rd are very likely in the same folder as the 1st; if not use the search functions to locate them. Delete all three.
More scans...
As in my first post to you [#2 above], start ATF Cleaner, when it opens go Select all, and then Empty Selected.
Close ATF.
Now start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to Delete, and run the scan. Save the log file and only then click Apply all actions. Go to Infections tab > Quarantine, select all entries and Remove them to clear the earlier found problems. Post the log file.
And finally this new one: try an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-the link to the scan is just above the padlock pic.... free online virus scan.. enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.


That layering thing.. here is …

gerbil 216 Industrious Poster

nemesis, that regkey...
[Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Switch] you checked and posted is okay [scan picked up a false positive, is all], so just delete your copy of the text file from your sys if you kept one.
These 3 files....
C:\WINDOWS\TEMP\1E2D5597.exe
C:\WINDOWS\system32\nweipeg.dll
C:\Documents and Settings\Shaun Thomas\Local Settings\Application Data\hrcopul.dll,vuljcec
-Avenger got one, HT got another and AVG cleaned the last - i don't think i was being too zealous in getting you to do a final check for them... they are gone.
If there is no Need2find program files folder then it is gone. Ignore the key.
No Altnet or Myway folders in program files?
Then good, you are looking pretty clean.
CCleaner has a reg cleaner function - start it, select issues, check the 2 lefthand boxes [that automatically fills all the boxes], Scan for Issues and then fix them. [which should, but may not, take care of any need2find reg entries]
Update and run Adaware - if it reports anything other than cookies or your MRU list items post the log.
Do another Panda scan, post the log if it finds anything other than cookies.
And just in case, this one: go to http://www.f-secure.com/blacklight/ and click the link at foot of page to download the latest version. Start it, agree, scan. If it finds anything, post it. [leave pc alone while it runs]

It's late now, so I'll get back to you soon …

gerbil 216 Industrious Poster

Please do what philliephan suggested with those 3 files [he may be a junior poster in training, but he's hot!! I'm just feverish...]. I too would like to see what put them there...
What to do with them? Let's kill them for certain [stop them running] and delete them....

Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip unzip it onto your desktop.
Dclick killbox to start it. Select "Delete on reboot", click the "all files" button.
Highlight these three files below and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\WINDOWS\yxdxj.dll
C:\WINDOWS\system32\izxfae34.sys
C:\WINDOWS\sys0162438219112006.exe

In killbox, go File menu, choose Paste from clipboard. Click the red and white button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]

On restart, open an explorer window, go Tools > folder options > view tab and select the button Show hidden files and folders, Apply and OK.
Now in that window navigate to and locate the three above files and rename them. Try:

C:\WINDOWS\AAAyxdxj.dll
C:\WINDOWS\system32\AAAizxfae34.sys
C:\WINDOWS\AAAsys0162438219112006.exe
[next time we want them they will be bunched [a bit..]; and with the wrong names they are neutered]

-----------------------------------------------------------
Now we MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system …

gerbil 216 Industrious Poster

.

gerbil 216 Industrious Poster

Great work! The rootkit pe386 is toast.

Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip unzip it onto your desktop.
Dclick killbox to start it. Select "Delete on reboot", click the "all files" button.
Highlight these three files below and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\WINDOWS\TEMP\1E2D5597.exe
C:\WINDOWS\system32\nweipeg.dll
C:\Documents and Settings\Shaun Thomas\Local Settings\Application Data\hrcopul.dll,vuljcec

In killbox, go File menu, choose Paste from clipboard. Click the red and white button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]

On restart, go into Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account. Password is probably blank...
Open an explorer window, go Tools > folder options > view tab and select the button Show hidden files and folders, Apply and OK.
Now in that window navigate to and locate the three above files and delete them.
----------------------------------------------------------------------
Now we MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off …

gerbil 216 Industrious Poster

...we could do this with hijackthis functions, but i want you to follow the process i have outlined above. Ignore the HT desktop icon, delete it in fact, it is not a program to use willynilly.

gerbil 216 Industrious Poster

The confusions that arise through choice of font plus similar, genuine-sounding names are part of the ploy to avoid detection by the uninitiated [or the careless].
Now. Do not concern yourself with dry runs - I shall do my best to not actually harm your system.
First, we must try to stop the possibility of a malware recognising Hijackthis and also enable you to find them.
Second, we must stop the processes that we wish to remove from running.
Third, we delete those processes.
Fourth, we remove the registry keys that call those processes.
Now i shall reiterate and enlarge upon those instructions.
1. Open an explorer window, navigate to your download\unzip folder and open it; in the right pane rclick Hijackthis.exe, select rename in the context menu and change it to Strawdogs.exe.
Still in that window go to tools > folder options > view tab, look down the list and press the button Show hidden files and folders, Apply and OK.
2.We go to safe mode.... Restart your computer, press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using YOUR NORMAL ACCOUNT, not the Administrator account.
[safe mode loads the bare minimum of drivers and processes necessary to get the …

gerbil 216 Industrious Poster

in task manager if you stop a process it is no big deal - your pc may crash or merely halt if you choose the wrong one, but no real harm is done, a restart will cure it. If, though, you delete the wrong file in system32 some effort will need to be gone into to rebuild it....
So, in the first case i was telling you to not miss the bad one by stopping the good one, in the second case i was telling you not to delete spoolsv.exe, as that is a good one [for printing services].
To avoid font problems, SPOOLSV.EXE is a valid M$ file. Leave it alone.
SPOOISV.EXE is the one we need to remove.
The reason for stopping a process is that it is not possible to delete a running process...

gerbil 216 Industrious Poster

Donchetito,
would you please, in an explorer window, go tools > folder options > view tab, and press Show hidden files and folders; Apply and OK.
Then would you please check if these 3 files are present in your system:
C:\WINDOWS\yxdxj.dll
C:\WINDOWS\system32\izxfae34.sys
C:\WINDOWS\sys0162438219112006.exe
I cannot find what created them.... i know it's a long time back, but they were put there on 13th November last year.
Ring any bells?
Apart from these your logs appear clean.

gerbil 216 Industrious Poster

as a quick guide, from recovery console type:
cmd <enter>
devmgmt.msc <enter>
and there you will have your device/driver management window again.

gerbil 216 Industrious Poster

kljadi, i missed your last post..... sorry... it fell thru a gap. if you have not formatted yet just uninstall the drivers, and reinstall them [if they worked before] or do a driver rollback while you download updated drivers from the manufacturers. If you need help with using recovery console to do that just post again!!

gerbil 216 Industrious Poster

I've already download hoster.zip and I can get it on the infected computer. I also have HijackThis on it, which , if I'm correct, is all I need just now, right?

I tried to get to Panda for a scan but the bugger wouldn't let me go there! Let me know if we should continue. I'm willing to push this old brain (69+ years) at least for a little while.

Yep.. these were my points.. :) ;sorry i did not outline your expected limitations more fully in my earlier post....but the second post fairly lists what may be happening on your computer and how you are limited in your initial responses.
And no, what you have attempted is no problem, just go ahead and try what i said, and if you succeed then we will try some deeper searching and cleaning. If you don't succeed, we'll try something else. So for now do the thing with HT [rem to change its name!, cos some pests know it by now and block it from seeing them]. We'll get there, but once we start please don't mixnmatch solutions....I'm not being arrogant here, it is that i don't want to lose track of what you are doing. Doing stuff posted here by others is ok cos i can see that, but i'll miss action on other sites.
Cheers, and go for it.
PS.. to see some hidden files/folders like system32: in an explorer window, go tools > folder options > …

gerbil 216 Industrious Poster

rabid as in mad dog.. keylogger- a pgm which copies your keystrokes, paying particular attention usually to password entries such as in banking forms, and periodically sends them off, or holds them for collection by a bot.
A short description of the activities of one of your trojans courtesy f-Secure:
-joins and parts IRC channels, changes nick, creates clones, sends raw command, sends messages and notices, floods -channels
-scans for vulnerable computers using a number of exploits (see below) and reports to a hacker
-tries to spread to network shares, bruteforces share passwords using the hardcoded list
-steals logins and passwords (cached passwords, FlashFXP passwords, IE site passwords, MSN passwords)
-steals Outlook account information (SMTP and POP server names, logins and passwords)
-steals HTTP e-mail server logins and passwords (Hotmail)
-sniffs network traffic (packet sniffer)
-downloads and runs files on an infected computer
-opens a pipe-based remote command shell on an infected computer
-act as a proxy server on a selected port
-collects information about an infected system (software and hardware configuration)
-finds and terminates competing bots
-performs a DoS (Denial of Service) attack
-updates itself from Internet
==in short, your computer can be controlled remotely, is a pest to others on the network, and some of your personal info can be collected. You have a backdoor trojan - it opens your computer so that it can be controlled externally.

And the other …

gerbil 216 Industrious Poster

guard.exe..... i take it that you have just downloaded AVG.- this, then, is the realtime protection unit. It stops after 30 days unless you feed it money. Let it run while you can have the benefit of it. It will remain in mem even if it is not running.

Okay, now for some fun. You have a rabid emailer which is probably why you cannot get right out into the net, and a backdoor trojan. Fixing them may be easy, or it may be hard.
First, please rename Hijackthis.exe to Simplesimon.exe.

===Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using YOUR NORMAL ACCOUNT, not the Administrator account.
Go Ctrl/Alt/Del once to start task manager. Click processes tab, locate and end these three processes:

spooIsv.exe
sysamp.exe
sys32.exe [watch the spelling of that first one: spoolsv.exe is a real process, don't want to miss the baddie!]

Open an explorer window, go Tools > folder options > view tab and select the button Show hidden files and folders, Apply and OK.
Now in that window navigate to C:\WINNT\System32 and open that folder. Locate the three above .exe files and delete them. And this time the spelling of the …
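The spooIsv.exe / spoolsv.exe confusion that gerbil warns about in this post and in the earlier one on task manager is a check that can be automated. The following is an added example, not part of any post in this thread and not code from any tool mentioned here: it collapses visually confusable characters (capital I and lowercase l, 0 and o, and so on) into a common skeleton and reports any name that matches a genuine Windows process only after that collapse. The allow-list and the confusable map are constructed assumptions for the demo, not a full inventory of Windows binaries.

```python
"""Flag process/file names that mimic genuine Windows binaries by swapping
visually similar characters (capital I for lowercase l, 0 for o, and so on).
Added example; the allow-list below is a small constructed sample, not a
complete inventory of Windows system files."""
from __future__ import annotations

# Constructed allow-list of genuine process names (lowercase, as compared).
KNOWN_GOOD = {
    "spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "explorer.exe", "services.exe", "ctfmon.exe",
}

# Characters that look alike in common UI fonts, after lowercasing, mapped to
# one canonical form so that lookalikes collapse to the same skeleton.
CONFUSABLES = {"i": "l", "1": "l", "|": "l", "0": "o", "5": "s", "8": "b"}


def skeleton(name: str) -> str:
    """Lowercase the name and collapse confusable characters."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name.lower())


# Skeleton -> genuine name, built once so each lookup is a dict hit.
_GOOD_BY_SKELETON = {skeleton(n): n for n in KNOWN_GOOD}


def classify(name: str) -> tuple[str, str | None]:
    """Return (verdict, genuine name it resembles or None).

    verdict is one of:
      'known-good'  exact (case-insensitive) match to the allow-list
      'lookalike'   same skeleton as a genuine name but not that name
      'unknown'     no relation to the allow-list; needs separate review
    """
    lowered = name.lower()
    if lowered in KNOWN_GOOD:
        return "known-good", lowered
    match = _GOOD_BY_SKELETON.get(skeleton(name))
    if match is not None:
        return "lookalike", match
    return "unknown", None


def review(names: list[str]) -> list[tuple[str, str, str | None]]:
    """Classify each name; lookalikes are the ones to stop and delete first."""
    return [(n, *classify(n)) for n in names]


if __name__ == "__main__":
    # Constructed sample: names quoted in the thread plus one extra lookalike.
    for name, verdict, match in review(
        ["spoolsv.exe", "spooIsv.exe", "sysamp.exe", "sys32.exe", "svch0st.exe"]
    ):
        print(f"{name:14} {verdict:11} {match or ''}")
```

Feed it the process list from task manager or a directory listing of system32; a 'lookalike' verdict is the font trick the post describes, while 'unknown' names such as sysamp.exe still need the usual search-and-scan work, since the skeleton check only covers impersonation of known names.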

gerbil 216 Industrious Poster

Good-oh. Next steps...

===Download this file: http://download.bleepingcomputer.com/sUBs/combofix.exe

==Either register your Creative Labs gear or include this line to fix below..
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

==Rename Hijackthis.exe to SimpleSimon.exe; start it by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis. Run a scan and then place checks beside the following if they exist [and the O4 above if you so wish..], and press Fix Checked.

C:\DOCUME~1\Carol\LOCALS~1\Temp\clclean.0001
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ciuyckb.exe
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - blank (file missing)
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [izxfae34] "RUNDLL32.EXE" w018f680.dll,n 006fae2e00000003018f680
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\system32\YSTEM~1\rundll32.exe" -vt yazb
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - AppInit_DLLs: dxclib303562752.dll,pjjmedjd.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Combofix:
-- to run it dclick the combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.

A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Fine. Now run a new Hijackthis …

gerbil 216 Industrious Poster

and finally, but definitely not least.... :). I am glad i am able to help, and your response was thanks enough. I am tickled by it. [you may think the site, Daniweb, a worthy cause, though...]

PS... if you must put up an email address take simple steps to make scanning bots miss it - whenever they see that @ they zero in... so type addies something like yourname05[at]aol.com

gerbil 216 Industrious Poster

A few things to clean up yet... fix them with iamabunny... :) as before [you didn't have to call it that, almost any name would have done; i was pulling your leg a bit..]
First off, and VERY IMPORTANTLY, we gotta go after that rootkit pe386. Note that SDFix found it, but it cannot remove it. Possibly the best thing I can do is to send you to this page http://www.geekstogo.com/forum/How_to_Remove_Rustock_b_pe386_lzx32_msguard_infections-t140682.html -- read down [note the SDfix report..] until you come to RustockB [pe386] removal instructions. Download the file from that link... ah, just follow the instructions! Post the log[s] it produces here. Immediately!!!
[honesty bit... I have not used this tool cos i do not have a rootkit to play with, but i trust the site implicitly...]

Done that, posted the log... now move onto these fixes:
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [network administration] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B57F951-2E37-448B-A41D-EEB095D9108B}: NameServer = 205.188.146.145

==you have an internet reset entry to wanadoo.... which is now orange. If you don't wish to keep this as a homepage fix this:
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
==if your realplayer is working fine then you could remove this new hardware detector:
O4 …

gerbil 216 Industrious Poster

I must say that i find your pc's inability to connect to the web a bit ironic, cos you have amongst other pests a backdoor trojan [ an IRC bot in this case], and that one would most definitely want to connect. A backdoor trojan?- it means that you have a trojan implanted which allows someone to control your computer. After this is over you will want to change passwords, esp any banking or other critical passwords...you have been keylogged.

Okay let's get started. It's going to be a pest but copy these downloads into the pc. They fit on a floppy. But first you must delete the instance of hijackthis you have used, and download a fresh copy from http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files. Rename the hijackthis.exe to imabunny.exe.
-when next you run it first close ALL other applications and any open windows including the explorer window containing HijackThis.

===Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1

===Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

===ATF- Dclick ATF-Cleaner .exe to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Close ATF.

===Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced …

gerbil 216 Industrious Poster

Uninstall your burning software and see what happens... sonic cine should be ok with your setup.

gerbil 216 Industrious Poster

that's a file from Roxio, i believe? Update/reinstall your burning software and I would suggest updating your optical drive drivers also, or at least uninstall the device and then reinstall it/them.

gerbil 216 Industrious Poster

apart from a few other glitches you have a little problem with deluxe communications. they stretch the meaning of deluxe. it is a surfsidekick clone.

For a start go to add/remove pgms and uninstall deluxe communications if you see it.

===GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and update it.
===Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 -click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Close ATF.
Now start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to Quarantine, and run the scan. Save the log file and only then click Apply all actions. Post the log file.
Then run HT again and post a new logfile.

gerbil 216 Industrious Poster

...that is a moderately annoying way to present logs. But as it turns out, I think all you need do is double your RAM if you wish to continue running so many programs at startup.
The AVG log is clean; may i suggest that before you run it in future you do a cookie cleanup first? Use this product....

===Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 -click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox at the top, Select All again, and Empty Selected again.
Close ATF.

You could run HT again and fix these null entries:-

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

And then i would advise going through your programs and only allowing those you REALLY wish to start when you boot your puter. Unused autostarts waste your RAM because a part of them stays resident. I mean, just start a pgm manually.
===Finally: Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel …
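Several of gerbil's posts above list HijackThis entries to fix (the R0/O3/O4/O15 set, the F2/O20 set with the UserInit and AppInit_DLLs lines, and the null O9 entries here). As an added example, not from any post and not HijackThis's own logic, here is a small Python triage pass over such log lines: it parses the section code, applies a constructed starting set of rules, and tags each entry with a severity and the reason, so the entries that load code into every process stand out from the dead pointers that are merely untidy. The sample log is assembled from entries quoted in this thread.

```python
"""Triage HijackThis-style log lines: tag each entry with a severity and a
reason so the entries worth fixing stand out. Added example; the rules are
a constructed starting set, not HijackThis's own logic."""
from __future__ import annotations

import re
from collections import Counter

# "<section code> - <rest>", e.g. "O20 - AppInit_DLLs: a.dll,b.dll"
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def classify_entry(code: str, rest: str) -> tuple[str, str]:
    """Return (severity, reason) for one entry."""
    low = rest.lower()
    if "(file missing)" in low or "(no file)" in low:
        return "orphaned", "target no longer exists; fixing the entry removes only a dead pointer"
    if code == "O20" and low.startswith("appinit_dlls:"):
        dlls = [d.strip() for d in rest.split(":", 1)[1].split(",") if d.strip()]
        return "high", f"AppInit_DLLs injects {len(dlls)} DLL(s) into every process that loads user32.dll"
    if code == "F2" and "userinit=" in low:
        parts = [p.strip() for p in rest.split("=", 1)[1].split(",") if p.strip()]
        if len(parts) > 1:
            return "high", "extra program(s) launched at logon via UserInit: " + ", ".join(parts[1:])
    if code == "O15":
        return "medium", "site added to IE Trusted Zone, which relaxes security for it"
    if code == "O17" and "nameserver" in low:
        return "review", "DNS server override; confirm the address belongs to your ISP"
    if code == "O4" and "rundll32" in low:
        return "review", "autorun via rundll32; verify the DLL it loads is legitimate"
    return "info", "no rule matched"


def triage(log_text: str) -> list[dict]:
    """Parse a log and classify each recognised line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, headers, free text
        code, rest = m.groups()
        severity, reason = classify_entry(code, rest)
        findings.append({"code": code, "severity": severity, "reason": reason, "raw": line.strip()})
    return findings


def summary(findings: list[dict]) -> Counter:
    """Count findings per severity."""
    return Counter(f["severity"] for f in findings)


# Constructed sample assembled from entries quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\xuabhqgp.dll",setvm
O15 - Trusted Zone: http://locator.cdn.imageservr.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ciuyckb.exe
O20 - AppInit_DLLs: dxclib303562752.dll,pjjmedjd.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B57F951-2E37-448B-A41D-EEB095D9108B}: NameServer = 205.188.146.145
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: f["severity"]):
        print(f"[{f['severity']:8}] {f['code']:4} {f['reason']}")
    print(dict(summary(results)))
```

The 'orphaned' check runs first on purpose: an O9 entry with "(file missing)" is harmless clutter whatever its section, whereas a live O20 AppInit_DLLs or a UserInit line with a second program is exactly the kind of entry the posts above single out.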

gerbil 216 Industrious Poster

===Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's neater that way.
===Get Adaware SE Personal from http://www.lavasoft.de/software/adaware/
- install it. Update it. Explore what settings you can change in it [via the cogwheel icon up top, if you are comfortable with that... you won't hurt anything, but for the present please run it with the default settings]. Put an icon on your desktop for regular use.
===GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and update it.

Now run Ccleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Now select the Applications tab and Run Cleaner.

Run Adaware, doing a full system scan and finally remove all that it finds [rclick in the scan results window and select all, go next..]. If Adaware finds anything apart from cookies or your MRU list then, after removing those items you should repeat the scan [and removal] and so on until it comes up clean.

Now start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to …

gerbil 216 Industrious Poster

Go Start > run, type regedit in the box and press OK.
Navigate to this key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Open the System subkey by lclicking it [it highlights]. Check to see if there is a Dword in the right pane with a name something like NoDispDsktopPage.... if it exists and has a value of 1, then either change the value to 0 or delete the actual Dword.
Depending on what put the Dword there, there may be a corresponding Dword in HKLM hive also. Change that one's value to zero or delete it also.
NOTE To delete the Dword, just highlight it and press delete key.
If you are unsure about this, just highlight System subkey as before, and export it. Post the notepad file here.
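The last step in that post, exporting the System subkey and posting the notepad file, produces a .reg text file that can be checked without touching regedit by hand. As an added example (not from the post, and not a Microsoft tool), here is a Python parser for such an export: it lists every DWORD under the HKCU and HKLM Policies\System keys, picks out the non-zero ones whose name begins with NoDisp, and builds the .reg lines that set them back to 0 as the post suggests. The sample export is constructed, and the value name NoDispDsktopPage is used exactly as the post writes it; the prefix match is an assumption meant to catch sibling NoDisp... names too.

```python
"""Find restrictive policy DWORDs in a .reg export of the Policies\\System
key (the file regedit's Export writes) and produce the lines that reset
them. Added example; the sample export is constructed and the value name
NoDispDsktopPage is taken as written in the post above."""
from __future__ import annotations

import re

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text: str) -> list[dict]:
    """Return every DWORD value with its hive, key path and integer value."""
    values, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        dword_match = DWORD_RE.match(line)
        if dword_match and current_key:
            name, hex_value = dword_match.groups()
            values.append({
                "hive": current_key.split("\\", 1)[0],
                "key": current_key,
                "name": name,
                "value": int(hex_value, 16),
            })
    return values


def find_policy_values(text: str, name_prefix: str = "NoDisp") -> list[dict]:
    """DWORDs under ...\\Policies\\System whose name starts with name_prefix
    and whose value is non-zero (the post says to look for a value of 1).
    The prefix match is an assumption so sibling NoDisp... names are caught."""
    return [
        v for v in parse_reg(text)
        if v["key"].endswith(r"\Policies\System")
        and v["name"].startswith(name_prefix)
        and v["value"] != 0
    ]


def reset_snippet(hits: list[dict]) -> str:
    """Build a .reg fragment that sets each offending value back to 0."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for hit in hits:
        lines += [f"[{hit['key']}]", f'"{hit["name"]}"=dword:00000000', ""]
    return "\n".join(lines)


# Constructed sample export: one value set in both hives, one benign neighbour.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispDsktopPage"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispDsktopPage"=dword:00000001
"""

if __name__ == "__main__":
    hits = find_policy_values(SAMPLE_REG)
    for h in hits:
        print(f"{h['hive']}: {h['name']} = {h['value']}")
    print(reset_snippet(hits))
```

Run it against the exported file and it reports which hive holds the value, which matters because the post notes a matching DWORD may exist in HKLM as well as HKCU; the generated fragment only resets the values it found, leaving unrelated policy values such as DisableRegistryTools untouched.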

gerbil 216 Industrious Poster

thanks for the link, pp. And to you too, tori, for getting me to notice those logs put in by ZA. CCleaner in its current form will delete some of the txt files, but not the tvDebug.log one, which does grow.....
This link shows a few simple methods....
http://forum.ccleaner.com/lofiversion/index.php/t1596.html
If you use CCleaner as a temp file cleaner, then the mod there is cool.

gerbil 216 Industrious Poster

CCleaner. It's free, so you are not tempted to crack it.

gerbil 216 Industrious Poster

..this is going to sound really silly, but will it work with power adaptor plugged in instead of from battery?

gerbil 216 Industrious Poster

Ooooo... reinstalling windows is a big gun.. a huge step. i tremble at the thought of doing it without an image to load. try this:
===Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode with Command Prompt and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
See if you can run chkdsk command successfully in Safe Mode. [ chkdsk c: /f ]
If that passes, then run sfc /scannow
[have your XP install CD handy to insert when it asks for it, or you may load it before you start the scan].

gerbil 216 Industrious Poster

c:\windows\internet logs is a folder created by zone alarm. If the size of it bothers you then delete the contents of each .txt file in there. I bet you cannot delete the .log files while ZA is running.
I have only 20 ZAlog...txt files, so i assume they are deleted on a rolling basis automatically.
Those other windows\fff88... files? i have no idea... those clsid nos are not on the web so i would guess that something dodgy put them there. Try a f-secure blacklight beta scan, or kaspersky online scan, or rootkitdetector.

gerbil 216 Industrious Poster

delete all instances as in EVERYTHING it finds?

"in this case i think..think...that if you rclick in a clear spot on your desktop, go properties > desktop > customise desktop >web and then delete any entries there, you should then be clear of your problem" // well, yes, delete any entries that you do not use to create desktop backgrounds [any entries in there can be used to create a background - you add webpages you wish to use// normally it is empty]
I take it that you got your desktop rclick back?

gerbil 216 Industrious Poster

did you fix that case error you mentioned in your first post.... the case sensor rickdev mentioned reports to BIOS - you can disable it in there. And it does not hurt to at least unplug and replug all connections.
Disk check to run is, in your case,
chkdsk c: /f
-time it takes depends upon the number of files you have. Try very hard not to stop it prematurely, best is to not use PC while it runs. It basically checks the written disk surface by running a series of checks on each file. Of course, implied in that is a check of all the HD subsystems....
Finally, your backup drive. If C: fails checks, then why not put windows on it? But because that disk is a single volume [D:] you will lose all your data on it, so backup to DVD first. The way to avoid that in future is to put more than one volume on a HD. I strongly recommend installing windows xp to a 6 - 8GB partition of its own.... and if you are likely to leave all temp files, folders with windows then make it 10GB. Put apps and data in other partitions - that way a format of the system volume where windows lives will not hurt your data if in the future you wish to reinstall again.

gerbil 216 Industrious Poster

cool. if you have a M$ XP install CD i'd suggest running sfc /scannow just in case some files got damaged in the process...

gerbil 216 Industrious Poster

good-oh. actually, that's great. sfc would've been next after hardware checks. I wonder why they break, those dlls? virus or trojans at work, maybe... anyway, do say if it was the problem.

[sfc /scannow checks protected files being used by the sys for overwriting; if it detects that it copies in new files from the dllcache; if the dllcache has corrupted files it asks for the CD.... but it beats me why the cache gets corrupted - i always have to load the CD...]

gerbil 216 Industrious Poster

keys are not coded into the disks, so go for it. A code is generated based on your licence key and your hardware config, is all. That is what you will submit for validation.

gerbil 216 Industrious Poster

Last known good config will be the reg files saved from the last good shutdown. Your email problem may not have triggered a bad shutdown, so the LKGC probably will not be of much help to you. Sys restore allows you to wind back further, and is the one you should use if windows is working enough to allow you to access it.
Something else to try is to unplug from the net and uninstall your AV program, and then reinstall and update it.
As for IE7, dcc is right. Avoid it once you are clear of it. Looking on from the sidelines, it just does not seem worth the bother.
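The post above weighs Last Known Good Configuration against System Restore and suggests uninstalling and reinstalling the AV program. The script below is an added example, not code from the thread or from gerbil: it shows where both mechanisms keep their state on XP, reading the control-set numbers that HKLM\SYSTEM\Select holds (Current, Default, LastKnownGood, Failed), listing the hive files under system32\config with their modification times, listing the System Restore points that exist, and, optionally, creating a fresh restore point before a change such as the AV reinstall. Assumptions: PowerShell is installed and run as Administrator, System Restore is switched on for the system drive, and the restore-point description and the -CreateRestorePoint switch are names chosen here.

```powershell
# Added example, not from the original thread.
# Assumed: run as Administrator on XP with System Restore enabled.
param(
    [switch]$CreateRestorePoint,
    [string]$Description = 'Before AV reinstall'   # name chosen for this example
)

# 1. Which control set is live, which one is the Last Known Good fallback.
#    Value names under HKLM\SYSTEM\Select: Current, Default, LastKnownGood, Failed.
$sel = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
"Select: Current=ControlSet{0:d3}  Default=ControlSet{1:d3}  LastKnownGood=ControlSet{2:d3}  Failed={3}" -f `
    $sel.Current, $sel.Default, $sel.LastKnownGood, $sel.Failed

# 2. The registry hive files themselves (this is the system32\config\system file
#    that 'missing or corrupt' boot errors refer to).
$cfg = Join-Path $env:windir 'system32\config'
'SYSTEM','SOFTWARE','SAM','SECURITY','DEFAULT' | ForEach-Object {
    $f = Get-Item -Path (Join-Path $cfg $_) -Force -ErrorAction SilentlyContinue
    if ($f) { "{0,-9} {1,12:n0} bytes  modified {2}" -f $_, $f.Length, $f.LastWriteTime }
    else    { "{0,-9} not readable (locked or missing)" -f $_ }
}

# 3. Existing System Restore points, oldest first (WMI class root\default:SystemRestore).
$points = Get-WmiObject -Namespace 'root\default' -Class SystemRestore -ErrorAction SilentlyContinue
if ($points) {
    $points | Sort-Object SequenceNumber | ForEach-Object {
        "{0,4}  {1}  {2}" -f $_.SequenceNumber, $_.ConvertToDateTime($_.CreationTime), $_.Description
    }
} else {
    'No restore points found (System Restore may be off for this drive).'
}

# 4. Optionally create a checkpoint before making a change.
#    CreateRestorePoint(description, restorePointType, eventType):
#    0 = APPLICATION_INSTALL, 100 = BEGIN_SYSTEM_CHANGE.
if ($CreateRestorePoint) {
    $sr  = [wmiclass]'root\default:SystemRestore'
    $ret = $sr.CreateRestorePoint($Description, 0, 100)
    if ($ret.ReturnValue -eq 0) { "Restore point '$Description' created." }
    else                        { "CreateRestorePoint failed, return value $($ret.ReturnValue)." }
}
```

Run it plainly to see the state, or with -CreateRestorePoint right before the unplug-and-reinstall-AV step so there is something to wind back to if the reinstall goes wrong.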

gerbil 216 Industrious Poster

how did you install IE7, debi? did you just let it install along with a bunch of other windows updates? Cos there is some talk [and that is all it is..] that that procedure can lead to problems... that it may be best to fully update and then do the installation by itself.
Perhaps you could wind back some updates - uninstall those that came with IE7 and later, do a REPAIR of windows if you have a M$ XP install CD... and then update again.
I'm not saying this will work, it's just something to try.
And if you get your sys together, leave IE7 to those who love risk and problems.

gerbil 216 Industrious Poster

well, you are all getting a bit off the HD, but not enough. Just cos it's easy to do, i'd whip the sides off the case and with power off replug everything i could see, including RAM sticks. The more adventurous could even unlock the big one, the processor, lever it up then back and relock it. Don't fully unplug it, cos you'll then be tempted to run fingers over the pins and sneeze on them.
Next job is to get your XP install CD and run recovery console, do a chkdsk /p
If it returns any errors at all, do a chkdsk /r
And then a chkdsk /p to check.
It is devilishly difficult to check for viruses if windows will not run...
And do come back with your solutions, please?

gerbil 216 Industrious Poster

Fascinating. So you had [before the problem] a DVD burner as master and a CD drive as slave both on the secondary IDE connector? And you have reinstalled the DVD again and all is ok after the repair? What happened with the "full" C: volume?

gerbil 216 Industrious Poster

like with a lot of dinosaur fossils, i think we are missing some bones. Is that all the log? if not, please post it all.

gerbil 216 Industrious Poster

Test the mobo = toast bit by putting a second HD onto the secondary IDE adaptor [as a master, mind!]...[everyone has a spare HD too...]
ie.. a primary master hd - your current sys drive on one cable, and a secondary master HD on the other cable.

gerbil 216 Industrious Poster

meundies, it'd be a help if you posted what your cabling setup/drive types really are...sata..ide...you do not say. I mean, i could say if your drives are IDE, then don't put the burner on the same connector as your HD... but i'm wasting time doing that, cos it may not be the case. And i do not think it matters a hoot whether the master is inboard or at the end of the ide cable, just so long as it says it is master. Oh, and on an IDE cable pin1 is the red stripe side. has to be.
If the drives are not showing up in BIOS, then swap the power cable, get another IDE cable [everyone has six of them in a drawer..], and if still not showing in BIOS, your mobo is toast.

gerbil 216 Industrious Poster

ok. I am guilty of a bit of ...what.. laziness..? here. Call it a hangover from DOS training. XP does not use a config.sys file. It may be there, along with io.sys and msdos.sys, but unused. DOS did...and i like a lot of others type that...sigh... : XP has a system32\config\system file.... which is what is usually the problem people are referring to in this sort of post. And one from someone else's puter is not going to do the job.
Get the full and correct text of the error....
... it took me long enough to stop referring to the DOS prompt in windows XP when i meant the command prompt... I'm almost at the point of nitpicking people over it now.. :)