gerbil 216 Industrious Poster

If the second sys was almost identical to your mates [same chipset, mb] then you conceivably could install in that one, but do expect a blue screen when you put the drive back.

gerbil 216 Industrious Poster

Okay, this is a bit interesting. Single stepping thru v2 does not show any hdd detection. I see the screen "IDE detection..." but the next is blank, then it shows your cdrom as a Liteon. I think BIOS cannot recognise your hdd [and next thing your sys is trying to boot from the hdd, but the drivers loaded list is incomplete?] which is why it shuts down and pushes you off to other modes to start from.
But for BIOS to be looking to boot from the hdd means it has not recognised your installation cd in the cd drive. It sees the cdrom device but cannot read the cd. Now I have never tried running Windows Setup without a hdd :), so I don't know how it would react, but the sys is trying to load from the hdd, hence the driver list.... weird.
That error screen may occur if for example you had AHCI [or RAID] set as the mode for Sata configuration of disks but did not have the drivers installed [the F6 thing], but you don't get into Setup. There is a problem with the hdd setup in BIOS, i think? How have you configured the drive? Try IDE mode for a start. Is the hdd an IDE? I see a screen showing AHCI mode, but that mode is for a Sata drive only.
Mem scan... more than 3GB and XP-32 is not happy. The native windows driver is all that is needed …

gerbil 216 Industrious Poster

Hang a mo. Just stepping thru your videos. I cannot see your IDE? drive shown as detected?

gerbil 216 Industrious Poster

Hi, you don't need a second run with MBAM, just go straight on with combofix and the hijackthis scan.

gerbil 216 Industrious Poster

Spidey, I just saw your Kaspersky log in the other forum... do this before you run the other tools above; they will also make new restore points.
==You must clear all your system restore points because some have been infected.... you do this by toggling System Restore Off then On again. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
[[the quick way to System Restore is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]
We will have to do this again when your sys is clean.

gerbil 216 Industrious Poster

Hello spidey, well that is a start. What trojan did Spybot find?
Run these two scans in order given - the first is a scan for certain specified malwares, the second is also but will give me a look at some information, then make the hijackthis log.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file to install the application and ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL …

gerbil 216 Industrious Poster

Spidey, go Tools, Folder Options, View, choose to Show hidden files n folders. Check if in the root of both C: and D: you have an autorun.inf file. If so, delete them. When you click on a drive those files run... who knows what they are trying to initiate. If there they most likely were emplaced by malware. Run a scan, eg Spybot SD.

gerbil 216 Industrious Poster

Hi, spidey, make sure when you save it that there is a blank line below the @="none" line in your notepad .reg file, otherwise it will not be accepted.

gerbil 216 Industrious Poster

Hi. Run this script... I think it will solve your problem...
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Drive\shell]
@="none"
gerbil 216 Industrious Poster

Urk. Some malware disable Task Manager, some disable Safe Mode. Your symptom suggests that some drivers are not loading successfully [they continue to load and initialise in the background while the logon screen is up]. I see that you have tried a Windows Repair [not Recovery Console] with no success, so it may be time to slave the drive, copy out the wanted files to a DVD or any other drive, delete them on the bad drive and then run chkdsk /p [and chkdsk /r if required] on it. Format the partition and reinstall.
If you have space on the drive you could create a new partition and install into that. Then copy out files and run chkdsk on the old OS's partition.
Just for such a thing I usually leave five or ten GB unallocated on a drive. But I don't do movie stuff with my sys so I have space to burn.

gerbil 216 Industrious Poster

Arthas, I need a good slapping. Ignore my post about those two shell keys - that's something I put in my sys.
But do try post #18

gerbil 216 Industrious Poster

I could add that you were infected by a known piece of malware, most likely via an infected thumbdrive. Try this:
==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

** ==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF. Run ATF in any other accounts.
=You must restart your computer in Safe Mode:
- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to …

gerbil 216 Industrious Poster

Interesting lil problem that you have. Have you already checked that when you type the full command in the run window that you get the same thing..? ie type cmd.exe instead of cmd
And have you checked that in these two keys below that cmd points to system32\cmd.exe ? This reg file will fix that for you...

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Folder\shell\Command_Prompt\command]
@="C:\\WINDOWS\\system32\\cmd.exe \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\Command_Prompt\command]
@="C:\\WINDOWS\\system32\\cmd.exe \"%1\""
gerbil 216 Industrious Poster

Pinki, you never did run Combofix for me... if you have 32bit Vista it will work:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

And lemme see these values, please:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}"  >C:\showkey.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcserver32" >>C:\showkey.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" >> C:\showkey.txt
start C:\showkey.txt
pause
gerbil 216 Industrious Poster

You may notice there are 2 sections to the All Programs list... top section starts with a few, select M$ shortcuts, but you can drag others into there to keep them at head of the queue, or remove any from there.

gerbil 216 Industrious Poster

With that new installation of Windows [the one you did not want] on the different drive, naturally your old desktop will not be there. It should not have been there with the original reinstallation either.
Run chkdsk on the C: drive, then unplug the drive that has the second windows on it [you do not want that one to be detected by Setup], format C: and install.
Your third party pgms will require reinstallation.
I don't think that game on the website you quoted works with SP2 installations...?

gerbil 216 Industrious Poster

Nothing in that screenshot to change, pinki, it just lists the wallpaper you are trying to show.

gerbil 216 Industrious Poster

Pinki, another key that can come into play with wallpaper is this one:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
-it is where your wallpaper is referenced; also check the parent key, Desktop. Just look for entries that might deny wallpaper.
Some thirdparty software reg keys may also contain entries that disable wallpaper.

gerbil 216 Industrious Poster

Oh, the wallpaper problem... Almost forgot. Well, there are a lot of keys involved in that, and the best fix is this one from Kelly's Korner. It is for XP, should work for Vista.
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoCloseDragDropBands"=dword:00000000
"NoMovingBands"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000000
"Wallpaper"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ClassicShell"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoFolderOptions"=dword:00000000
"NoSimpleStartMenu"=dword:00000000
"NoCDBurning"=dword:00000000
"NoComputersNearMe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000

That ought to do the trick.... if Vista is something like XP in the relevant keys. Anyway, running it should not damage anything, it is just making/setting those entries so as to nullify them.
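
As an added example (not gerbil's script and nothing from Kelly's Korner), here is a small Python parser for the .reg syntax the fixes in this thread use: dword: and hex: data, the "Name"=- deletion form, the @ default value, and the blank-line-at-the-end rule from the earlier fixkey post. It also lists which "No..." policy restrictions a file lifts, so a .reg file like the one above can be reviewed before it is run. The sample file is constructed from a few of the entries above.

```python
import re
from typing import Dict, Optional, Union

HEADER = "Windows Registry Editor Version 5.00"
DELETE = object()  # sentinel for '"Name"=-', which deletes the value
Value = Union[int, bytes, str, object]
# A value line is "quoted name"=data or @=data (the key's default value).
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


class RegParseError(ValueError):
    pass


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_value(raw: str) -> Value:
    raw = raw.strip()
    if raw == "-":
        return DELETE
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if raw.lower().startswith("hex:"):
        return bytes(int(p, 16) for p in raw[4:].split(",") if p.strip())
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    raise RegParseError(f"unsupported value syntax: {raw!r}")


def parse_reg(text: str) -> Dict[str, Optional[Dict[str, Value]]]:
    """Return {key: {value_name: data}}; a key mapped to None means [-KEY] (delete key)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise RegParseError("first line must be the 'Windows Registry Editor Version 5.00' header")
    if lines[-1].strip():  # the blank-line rule given earlier in the thread
        raise RegParseError("file must end with a blank line, or regedit drops the last entry")
    keys: Dict[str, Optional[Dict[str, Value]]] = {}
    current: Optional[str] = None
    pending = ""
    for lineno, line in enumerate(lines[1:], start=2):
        line, pending = pending + line.strip(), ""
        if not line or line.startswith(";"):
            continue
        if line.endswith("\\"):  # long hex: values continue on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):
                keys[name[1:]], current = None, None
            else:
                current = name
                if keys.get(current) is None:
                    keys[current] = {}  # repeated [KEY] sections merge, as in the fix above
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            raise RegParseError(f"line {lineno}: cannot parse {line!r}")
        value_name = "@" if m.group(2) else _unescape(m.group(1))
        keys[current][value_name] = parse_value(m.group(3))
    return keys


def is_valid_reg(text: str) -> bool:
    try:
        parse_reg(text)
        return True
    except RegParseError:
        return False


def cleared_restrictions(keys: Dict[str, Optional[Dict[str, Value]]]) -> Dict[str, list]:
    """Per Policies key, the 'No...' values the file zeroes or deletes, i.e. the
    Explorer/desktop restrictions it lifts (what a fix like the one above undoes)."""
    out = {}
    for key, values in keys.items():
        if values and "\\policies\\" in key.lower():
            names = sorted(n for n, v in values.items() if n.startswith("No")
                           and (v == 0 or v == b"\x00\x00\x00\x00" or v is DELETE))
            if names:
                out[key] = names
    return out


# Constructed sample: the Drive\shell default from the earlier fixkey.reg plus a
# few entries of the wallpaper fix above, ending in the required blank line.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Drive\shell]
@="none"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000000
"Wallpaper"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000

"""
```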

gerbil 216 Industrious Poster

Interesting re RKR not wanting to play... did you use IE to download it... M$ is touchy about other browsers accessing some of their services.
Nothing shows in that log as malware. But you do have both Avast and McAfee running as active AV services, and that is a big problem, so please make a choice and remove one immediately. They can interfere unpredictably.
As I said, I do not see anything else bad there, but I am afraid that I am not Vista compatible... so I would have trouble helping further.

gerbil 216 Industrious Poster

Next bit. There must be something hidden...
Please run Combofix again [after SDFix].
Then ... this is a shotgun approach, quit if/when something is turned up.
==Download [currently it will not dl correctly with Opera; use IE] the latest standalone version of Blacklight from http://www.f-secure.com/blacklight/ -follow the links until you get to where you can download Blacklight. Start it, accept the agreement and Scan.
==RKR from http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx -read that page, dl the file at foot, start it and Scan.
Post the relevant logs.

gerbil 216 Industrious Poster

ALL things are solvable.
Pinki, are you cool with working in the registry? If those two entries will not delete with that reg file I gave you then permissions on the Run key have been changed to deny.
The easiest way to fix that is for you to open registry, change the permissions on that key and then either delete the two bad entries manually or run my reg file.
Here goes....
Go Start, Run, type: regedit -and press Enter.
Expand HK_Current_User [by clicking the +]
Expand Software, then Microsoft, Windows, Current Version.
Rclick Run; in the menu that opens select Permissions....
You as an Admin User should be highlighted..
Check Allow for Full Control, Apply n OK.
Ripper, now in the right pane....
Rclick "dzrfwrbk" and Delete...
Rclick "mZAHXfkXDR" and Delete.
Close the registry page.
Did that do the job? Run a hijackthis to see if they are regenerated.

gerbil 216 Industrious Poster

I was wondering... btw, did you disable TeaTimer before running that reg file I gave?
Done it? Great. Now...
==Download SDFix from here: http://downloads.andymanchesta.com/R...ools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
=You must restart your computer in Safe Mode:
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.

***** Instead of ATF you may wish to substitute this cleaner.. it is the one I …

gerbil 216 Industrious Poster

WinNT\ServicePackFiles\i386 exists if you did an upgrade by download as against an installation with the servicepack included [or slipstreamed]. That folder is your cache for running sfc - put it in sourcepath as "SourcePath" = "C:\WINNT\ServicePackFiles"
sfc would ensure that the correct version was in place, and if you change that sourcepath it will use the file from that i386 folder. You could rerun sfc, this time using the servicepackfiles directory. But I doubt that the error originates from explorer.exe itself.
My point with Combofix deletion was that it times out after a week - it won't run after that time, if you try it will delete itself.
This is a succinct explanation of Active desktop.... http://www.microsoft.com/technet/archive/ie/reskit/ie4/Part3/part3c.mspx?mfr=true -but if you remove it and the error continues, then put it back.
A few words fell out of a line I edited in a previous post:
""Instead it was on Selective Startup with Load startup items selected " .... yep, it does that." ... "if you have items unchecked in the startup list." Those words were meant to be there; that is why msconfig switched from diagnostic to selective mode.
Does the event viewer not show any listing for the error? I just monitored my machine's activity while closing an explorer window - explorer.exe was the only process involved with about 750 dealings with the registry in the 0.10sec it took to complete. Four system dlls were involved, but no third party sware, AV …

gerbil 216 Industrious Poster

I'll check back in a bit for that SDFix log....

gerbil 216 Industrious Poster

What? these two entries
O4 - HKCU\..\Run: [dzrfwrbk] C:\ProgramData\dzrfwrbk\uditkjcp.exe
O4 - HKCU\..\Run: [mZAHXfkXDR] C:\ProgramData\apmnyvkr\wbyhojgp.exe
are still showing up in the notepad log of hijackthis? That reg file should have removed them..?
Please finish the remainder of my previous post [from Done it? Great. Now...].

gerbil 216 Industrious Poster

sfc only takes what it needs to restore corrupted files, and it knows which versions to take in original form from a folder or cd, and which to take from the updates.
The Security bulletins:
MS07-069 [= KB942615] replaced MS07-057 which repl. MS07-045 which repl MS07-033 which repl MS07-027.
Aaaannnd: The latest bulletin, MS08-010 KB944533, replaced MS07-069 !!
MS07-043 and MS05-055 were separate issues.
Now you could google for the KB articles which represent those... but I have a feeling that Panda picked up those old bulletins from the Windows directory. If you expand C:\Windows almost the first entries are blue $NtUninstallKB****** folders - these are the files which have been replaced by updates along with an app and a batch file which run if you wish to reinstall the old files over the top of the newer [via Add/Remove pgms!].
Which you might be tempted to do if the update in question caused problems. Well, they [blue $NtUninstallKB****** folders] build up, and if all is sweet I tend to delete em. Do that.
unPPC6000? Delete it. It's PeoplePC or CoolWebSearch.
C:\CABS\9519160_XP_2K is just one driver. Were there no .cab files in C:\CABS ? [C:\CABS would be the sourcepath if there were, but .cabs tend to be drivers...]. No matter anyway, sfc completed happily, found what it wanted. It does just close when successful, no bells or whistles.
"When it does the blank blue screen for a few seconds and comes …

gerbil 216 Industrious Poster

Panda only deletes viruses and worms in this free scan, but points out adware and trojans etc.
This one is adware, delete it...c:\winnt\system32\unppc.exe
This one is part of a telnet service from Sysinternals. If you do not use telnet, did not install that service, then delete it [can be used by hackers]...C:\WINNT\PSEXESVC.EXE
I must admit I have no idea why the scan shows those critical updates as vulnerabilities - they were only released in Dec last year... are they actually installed?
SFC should work with cab files. It sounds as if your dllcache directory is corrupted. You can change this registry key so that sourcepath points to the DIRECTORY the cab files are in [don't point it at the cab files themselves]:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"SourcePath"="C:\whatever directory contains cab files..."
Or you could try to borrow a cd and copy the I386 folder to the C:root, [eg C:\i386] and point sfc at that...
Combofix infected? Nah, Panda dislikes it... but yes, you can delete it if you wish [or just leave it there for a week and it will timeout and when you try to start it it will remove itself.. :), or you can paste into the run window...
C:\Documents and Settings\Administrator\My Documents\downloads\ComboFix.exe /u
Come back if you need help with sfc....

gerbil 216 Industrious Poster

Log is clean. If you really are worried you could scan with a trojan hunter like AVG AS.
Truly, cabal.exe is not a worry. Submit it here if you wish:
==Please go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination:

gerbil 216 Industrious Poster

Back in the days of DOS it was a brave new world, the settlers were gazing enthusiastically out into the wilderness and Microsoft was loved as one of the guides who brought them face to face with it.. But then Microsoft rounded them all up and herded them out into it, some against their will, and now the wolves are circling.
Do you see in the BDF log the .dbx file? That is probably the source - an email.
"However it did not have the Make writeable button instead it was a Make readonly button"... yeah, that means it was already writable, so it gave you the option of making it read-only to stop simply written scripts altering it.
Everything happened correctly with combofix.
=Delete this file:
C:\WINNT\d3dx.dat
There seems to be a problem with your C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ folder. I do not know if it is simply to do with the AShampoo file ASFWHide in there.... I suggest you disconnect from the net, shutdown AShampoo, close any browsers, readers, applications and delete the Temp folder itself, then recreate it. Restart your firewall.
As far as the error goes, well, there could be sys file corruption still. It can get tedious to scan your system, but I would run this last one [cclean first!]:
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/homeusers/solutions/activescan/?
-for the free online virus scan select the link Scan your PC, then Register [otherwise …

gerbil 216 Industrious Poster

Yeah, but is the problem with AVG AS or AVG AV?
AVG AV does funny stuff... for a while it suddenly started picking up my IceSword, did it a couple of times, and breaking it, and then it just started ignoring it. Dunno what that was about...
If it is AVG AV doing over cabal.exe, go into the virus vault and select cabal.exe, hit the restore button. That's gotta be quicker than reinstalling the game. And it should learn from that.

gerbil 216 Industrious Poster

Yeah... if you run a proper firewall [not windows one-way deal] it would detect if a trojan was trying to call out and warn you. The game file is okay, though, it is a false alarm.
You are using AVG AS?

gerbil 216 Industrious Poster

Cabal.exe, the game file? And AVG AS is detecting it? That would be because it is packed [and the packer wrapper shows up] and many AV/AS wares pick up the packers as Trouble: viruses etc often use packers to disguise their files, to avoid strings being recognised. Set your AVG to ignore it, cos for "heal" you should read "break" in this case...
Lessee... in Scanner, Settings set Quarantine as the default action;
Then in Infections, Exceptions add a rule to ignore it.

gerbil 216 Industrious Poster

peater, this is not a site that supports cracks.. that is just how it is. But if you have a problem with your sys, take the time to make a new thread outlining it. No point getting cranked up over a blind thread... many out there end up like that for whatever reason.

gerbil 216 Industrious Poster

Pinki, no, I cannot tell you why that is so, it is new to me. Possibly a new form of attack/hiding to avoid being Fixed by hijackthis...? But we have their names, and so they have no place to hide...
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"dzrfwrbk"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mZAHXfkXDR"=-

Good. Now browse to [or search] and delete these two files in an explorer window:
C:\ProgramData\dzrfwrbk\uditkjcp.exe
C:\ProgramData\apmnyvkr\wbyhojgp.exe
....and delete these two folders:
C:\ProgramData\dzrfwrbk\
C:\ProgramData\apmnyvkr\

They should be gone now.
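
An added example (not HijackThis or gerbil's own method) of triaging the Run-key entries discussed above, written in Python: it works out which file each O4 line actually loads (for rundll32 that is the hosted DLL) and flags entries whose image sits in a user-writable folder or whose names look random, as dzrfwrbk and mZAHXfkXDR do. The vowel-ratio test is a rough heuristic I constructed, not a detection rule, and the benign NvCplDaemon and avast lines in the sample are constructed for contrast.

```python
import re
from typing import Dict, List

# O4 lines look like: O4 - HKCU\..\Run: [valuename] command line
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_EXE_FIRST = re.compile(r"(?is)^(.+?\.exe)(?:\s+(.*))?$")
# Folders an ordinary user can write to; autoruns living there deserve a look.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\",
                 "\\documents and settings\\", "\\temp\\")


def image_path(cmd: str) -> str:
    """Return the file an autorun command line loads (the hosted DLL for rundll32)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            return cmd
        image, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        m = _EXE_FIRST.match(cmd)
        if not m:
            return cmd
        image, rest = m.group(1), (m.group(2) or "").strip()
    if image.rsplit("\\", 1)[-1].lower() == "rundll32.exe" and rest:
        # rundll32 syntax: rundll32.exe <dll>,<entrypoint> [args]
        dll = rest[1:rest.find('"', 1)] if rest.startswith('"') else rest.split(",", 1)[0]
        return dll.strip()
    return image


def looks_random(token: str) -> bool:
    """Heuristic: six or more letters with under 20% vowels (y counted as a vowel)."""
    letters = re.sub(r"[^A-Za-z]", "", token)
    if len(letters) < 6:
        return False
    return sum(c in "aeiouyAEIOUY" for c in letters) / len(letters) < 0.2


def triage(log: str) -> List[Dict]:
    """One row per O4 line: where it points, why it is interesting, and a verdict."""
    rows = []
    for line in log.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        image = image_path(m.group("cmd"))
        parts = image.split("\\")
        parent = parts[-2] if len(parts) >= 2 else ""
        stem = parts[-1].rsplit(".", 1)[0]
        reasons = []
        if any(tag in "\\" + image.lower() + "\\" for tag in USER_WRITABLE):
            reasons.append("image in user-writable folder")
        for label, token in (("value name", m.group("name")), ("folder", parent), ("file", stem)):
            if looks_random(token):
                reasons.append(f"random-looking {label} '{token}'")
        rows.append({"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
                     "image": image, "reasons": reasons, "suspect": len(reasons) >= 2})
    return rows


# Constructed log excerpt: the two entries from this thread plus two benign ones
# (an Nvidia tray icon loaded via rundll32 and an avast tray icon) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [dzrfwrbk] C:\ProgramData\dzrfwrbk\uditkjcp.exe
O4 - HKCU\..\Run: [mZAHXfkXDR] C:\ProgramData\apmnyvkr\wbyhojgp.exe
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        flag = "SUSPECT" if row["suspect"] else "ok"
        print(f"{flag:7} [{row['name']}] {row['image']}  {'; '.join(row['reasons'])}")
```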

gerbil 216 Industrious Poster

By the way, if you look into your Combofix log you will note that you have had that eraseme_*****.exe /winbin worm for over a year - that has given it ample time to make many copies of itself, and also to trot out into networked computers. It infects Explorer.exe as well....
To make sure it is gone...
==Run a BitDefender online scan: http://www.bitdefender.com/scan8/ie.html - and post the results, please.

=Check your hosts file, it may have been modified to block some security sites.
If you wish to clear your hosts file manually [C:\Windows\system32\drivers\etc\hosts] you may not be able to save the changed/corrected file. This is because some security applications, possibly also various malware, will lock your Hosts file [make it read-only] as a protection.
Go Start, run, type cmd -press Enter. Paste this line into the window at the prompt, press Enter, close the window and try to save the file again.
attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS

Drag HOSTS into a notepad and make any changes, then save it.
Or just use this tool:
==download HostsXpert from http://www.funkytoad.com/content/view/13/31/
-click the top button Make Writable if it is available
-click Restore MS Hosts File button.
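
An added example (not HostsXpert or the poster's own procedure) of the hosts-file check described above, in Python: it parses a hosts file, reports security sites mapped to loopback (blocked) or to some other address (redirected), and produces a cleaned copy that keeps comments and any other overrides for manual review. The sample file is constructed; the watched domains are sites linked in this thread and should be extended to the vendors you rely on.

```python
import ipaddress
from typing import List, Tuple

BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}  # mapping a site here blocks it
# Constructed watch-list from vendor sites linked in this thread.
WATCHED_DOMAINS = ("bitdefender.com", "f-secure.com", "microsoft.com",
                   "bleepingcomputer.com", "majorgeeks.com")

Finding = Tuple[int, str, str, str]  # (line number, hostname, ip, verdict)


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (lineno, ip, hostname) for every mapping; comments and blanks skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address; not a mapping line
        for host in fields[1:]:
            entries.append((lineno, ip, host.lower().rstrip(".")))
    return entries


def _watched(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text: str) -> List[Finding]:
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if host == "localhost" and ip in BLACKHOLE_IPS:
            continue  # the default entry Microsoft ships
        if _watched(host) and ip in BLACKHOLE_IPS:
            findings.append((lineno, host, ip, "blocked"))     # security site blackholed
        elif _watched(host):
            findings.append((lineno, host, ip, "redirected"))  # security site sent elsewhere
        elif ip not in BLACKHOLE_IPS:
            findings.append((lineno, host, ip, "review"))      # some other override; check by hand
    return findings


def clean_hosts(text: str) -> str:
    """Drop lines that block or redirect watched sites; keep everything else,
    including comments and 'review' entries, so a legitimate override survives."""
    drop = {lineno for lineno, _, _, verdict in audit_hosts(text) if verdict != "review"}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), start=1) if lineno not in drop]
    return "\n".join(kept) + "\n"


# Constructed sample hosts file (not from anyone's machine in this thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.bitdefender.com
0.0.0.0         download.microsoft.com
10.0.0.5        intranet.corp.example   # legitimate local override
203.0.113.9     www.f-secure.com
"""

if __name__ == "__main__":
    for lineno, host, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip} [{verdict}]")
    print(clean_hosts(SAMPLE_HOSTS))
```

On XP the file is %SystemRoot%\system32\drivers\etc\hosts; the attrib command above still has to be run first if the file has been made read-only, hidden or system.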

gerbil 216 Industrious Poster

I guess I missed your post because for a while Opera was not working with this site, and so I did not look in much. Anyway.... you will notice that I have turned on your windows updates in one of the registry lines - if you do not want that just delete these two lines from the block before you run it with Combofix...
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= -

Heh.... I still like playing Diablo II also... okay, let's get down to it.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)

==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.

Killall::

File::
C:\WINNT\eraseme_18043.exe
C:\WINNT\eraseme_18536.exe
C:\WINNT\eraseme_24270.exe
C:\WINNT\eraseme_25226.exe
C:\WINNT\eraseme_27280.exe
C:\WINNT\eraseme_27710.exe
C:\WINNT\eraseme_28350.exe
C:\WINNT\eraseme_28884.exe
C:\WINNT\eraseme_41588.exe
C:\WINNT\eraseme_51842.exe
C:\WINNT\eraseme_55717.exe
C:\WINNT\eraseme_61051.exe
C:\WINNT\eraseme_68082.exe
C:\WINNT\eraseme_70626.exe
C:\WINNT\eraseme_74404.exe
C:\WINNT\eraseme_84170.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msci"=-

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= -

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FCKK"= -

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

352 Megs gone? That will be your most precious photos smoked... :)

gerbil 216 Industrious Poster

I'll get back to you tonight. Sorry, but I actually missed your post...

gerbil 216 Industrious Poster

Pinki, to allow the fix to be made, temporarily disable TeaTimer:
Open Spybot, click Mode, select Advanced Mode, click Yes in new window, click on Tools in bottom left hand corner.
Click the Resident icon and uncheck Teatimer box.
=In Normal mode, start hijackthis and select Scan Only. Check these two entries and press Fix Checked.

O4 - HKCU\..\Run: [dzrfwrbk] C:\ProgramData\dzrfwrbk\uditkjcp.exe
O4 - HKCU\..\Run: [mZAHXfkXDR] C:\ProgramData\apmnyvkr\wbyhojgp.exe

Good. Now delete these two files:
C:\ProgramData\dzrfwrbk\uditkjcp.exe
C:\ProgramData\apmnyvkr\wbyhojgp.exe
and delete these two folders:
C:\ProgramData\dzrfwrbk\
C:\ProgramData\apmnyvkr\

Done it? Great. Now...
==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
=You must restart your computer in Safe Mode:
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any …

gerbil 216 Industrious Poster

Try uninstalling Spywaredoctor, run your chkdsk and then reinstall it.

gerbil 216 Industrious Poster

Explorer.exe basically is Windows isn't it? Yep, it's the pretty UI that you usually use to start pgms from and navigate about your files.
The blank blue screen is what you see when explorer stops running - no desktop icons, task bar, background etc. It does look like some bad software is killing explorer.... and bad software is most often malware.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
We'll go from there. And you can rarely give too much info....

gerbil 216 Industrious Poster

Probably nothing.
Rundll32.exe is the pgm that enables the various objects in dlls to be run as executables. An example: open your TM, go to processes tab, order the process name column and then rclick your system clock, click Adjust Date and Time - a new rundll32 willl open up.
From your log you can see that [NvCplDaemon], C:\WINDOWS\system32\NvCpl.dll is using rundll32 - this is your Nvidia graphics tray icon.
I could add that your hd will be showing its run lamp if your sys is using the page file, or windows is taking the chance to organise your files for smoother loading [it will do this in the background, using an organisational file in the prefetch folder that it has built after watching you work].

gerbil 216 Industrious Poster

..and while in control panel go to windows components and uncheck OE to remove it from your Start pgm list [it does not uninstall it...].
Bobby means you gotta have an email client pgm similar to OE... you can't use a web page emailer like say, Yahoo, as a default. Being a M$ product though, M$ makes an exception for Hotmail...
You can also make the choice via CP, Set Pgm Access & Defaults - it detects email clients available on your sys, like say, Opera, if you use that browser.

gerbil 216 Industrious Poster

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CIEObjectObj Object - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - C:\WINDOWS\IECodecPlg.dll

Use hijackthis to fix those two entries, then delete C:\WINDOWS\IECodecPlg.dll
I don't see this file running...C:\Documents and Settings\K & W\My Documents\asdgsdf\SYSTEM\April, 27 2008\svchost.exe
...delete it from safe mode.

==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file to install the application and ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

Ira, a slight change.. please run this file first:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons" /s >C:\showkey.txt
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons" /f
start C:\showkey.txt

If that notepad is not empty then please post it.
This file looks like the one I gave you earlier, the difference is that the name is changed to DriveIcons by removing a space....
Grrr.....

gerbil 216 Industrious Poster

Ira, this is about my last shot. Please in an explorer window go tools> folder options> view, and uncheck Hide Protected Op Sys Files.
Next do a search for Iconcache.db - they will pop up for each user in C:\Documents and Settings\<User>\Local Settings\Application Data.
Delete em. All of em. If you feel uncomfortable about that save them to a thumbdrive and then delete them, and from the Recycle bin as well.
Log off then on again. The iconcache.db will be recreated under your user account, and for other users when they log on.
I'm trying this because sometimes the iconcache does not get updated as often as it should. The sys uses this cache instead of hunting for the originals every time. See what happens.
Thanks for the chatlnk info. I could not tell.
Oh, hide those Protected Op Sys files again. Dangerous to have them out where you can fiddle with them inadvertently.
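An added example, not part of gerbil's post: the same iconcache reset as above, but done from a batch file that renames each IconCache.db to IconCache.db.bak instead of deleting it, so the old cache can be put back if the result is not what you wanted. It assumes the XP profile layout under C:\Documents and Settings.

```batch
@echo off
REM iconcache-reset.bat : added example, not gerbil's original procedure.
REM Renames each user's IconCache.db to IconCache.db.bak rather than deleting it.
REM Explorer rebuilds the cache for each user at their next log-on.
REM Assumes an XP-style profile layout under C:\Documents and Settings.
setlocal enabledelayedexpansion

set "PROFILES=C:\Documents and Settings"
set "FOUND=0"

REM Walk every profile folder; delayed expansion keeps names with spaces
REM or an ampersand (e.g. "K & W") from being re-parsed by cmd.
for /d %%P in ("%PROFILES%\*") do (
    set "CACHE=%%~P\Local Settings\Application Data\IconCache.db"
    if exist "!CACHE!" (
        set /a FOUND+=1
        echo Found: !CACHE!
        REM The cache carries hidden/system attributes; clear them first or
        REM ren fails. Drop any earlier backup so the rename can succeed.
        attrib -h -s "!CACHE!"
        if exist "!CACHE!.bak" del /f "!CACHE!.bak"
        ren "!CACHE!" IconCache.db.bak || echo Could not rename !CACHE! - log off and retry
    )
)

echo %FOUND% IconCache.db file(s) renamed. Log off and on again to rebuild them.
pause
endlocal
```

To undo for one user, rename that IconCache.db.bak back to IconCache.db and log off and on again.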

gerbil 216 Industrious Poster

Ira, I don't know what purpose that file C:\Documents and Settings\Irving Glemaud\chatlnk.exe serves. Please rename it to..
C:\Documents and Settings\Irving Glemaud\chatlnk.exe.susp
..and see what happens.

gerbil 216 Industrious Poster

:)... it is probably still there, but now with no label at all in a file table, so it is not worth trying to get it back. Anyway an exe has no right to be in Application Data. Can be, but should not be. Try submitting this one...
C:\Documents and Settings\Irving Glemaud\chatlnk.exe

gerbil 216 Industrious Poster

Sounds interesting... could you hop into your Recycle Bin and restore that services.exe file, then...
Virus Scan:
==Please go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination.
Btw, you could have just checked its properties instead of trying to run it. Interesting that it came up as an illegal operation though, an exe should just run, or try to.

gerbil 216 Industrious Poster

From inspecting the action on my machine I only have one other key that may be involved.... another poster, bojadada says he was given a reg key solution but he is being coy about it....
Here goes.. save this as showkey.bat.... as all files... I have added a pause command so that you can see what the cmd window is about.

reg query "HKCU\SOFTWARE\Classes\Applications\Explorer.exe\Drives\C" /s >C:\showkey.txt
start C:\showkey.txt
pause

What is this file?:
C:\Documents and Settings\Irving Glemaud\services.exe
A Google search showed that the key which you checked earlier but which is not on your machine is one actually used in some attacks, but obviously not in all. I asked bojadada to check it on his pc but I think he somehow misran the file as he did not get a notepad popping.....
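An added example, not gerbil's script: this combines the two showkey.bat files from this post and the earlier one, but exports each key to a .reg backup before the delete so the change can be undone with reg import. The backup file names under C:\ are assumptions.

```batch
@echo off
REM showkey-backup.bat : added example, not the script posted in the thread.
REM Backs up the two Explorer keys discussed here, dumps their contents to
REM C:\showkey.txt, and only then removes the DriveIcons key.
REM Backup file names under C:\ are assumptions.
setlocal

set "HKLM_KEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons"
set "HKCU_KEY=HKCU\SOFTWARE\Classes\Applications\Explorer.exe\Drives\C"
set "LOG=C:\showkey.txt"

REM Start a fresh log each run so old results are not mixed in.
if exist "%LOG%" del "%LOG%"

REM Export each key first. reg export sets errorlevel 1 when the key does not
REM exist, which is itself worth recording. Old backups are deleted beforehand
REM so the export never stops to ask about overwriting.
if exist C:\DriveIcons-backup.reg del C:\DriveIcons-backup.reg
reg export "%HKLM_KEY%" C:\DriveIcons-backup.reg >nul 2>&1
if errorlevel 1 (echo DriveIcons key not present>>"%LOG%") else (echo DriveIcons key backed up to C:\DriveIcons-backup.reg>>"%LOG%")

if exist C:\DrivesC-backup.reg del C:\DrivesC-backup.reg
reg export "%HKCU_KEY%" C:\DrivesC-backup.reg >nul 2>&1
if errorlevel 1 (echo Drives\C key not present>>"%LOG%") else (echo Drives\C key backed up to C:\DrivesC-backup.reg>>"%LOG%")

REM Dump whatever is there, exactly as the thread's showkey.bat did.
echo ---- %HKLM_KEY% ---->>"%LOG%"
reg query "%HKLM_KEY%" /s >>"%LOG%" 2>&1
echo ---- %HKCU_KEY% ---->>"%LOG%"
reg query "%HKCU_KEY%" /s >>"%LOG%" 2>&1

REM Delete only once a backup exists. Restore with: reg import C:\DriveIcons-backup.reg
if exist C:\DriveIcons-backup.reg reg delete "%HKLM_KEY%" /f >>"%LOG%" 2>&1

start notepad "%LOG%"
pause
endlocal
```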