gerbil 216 Industrious Poster

Hello, Joan.
"However I deleted it (IE8) from "all programs" and now it's not appearing on start up"
-that's a bit heavy-handed, the problem will lie with something that is calling it, or some entry that is starting it. In XP in the Docs n Setts\You folder there is a folder called Start Menu, may be an entry there, but I don't know why anything would put one there. That is what caper is referring to.
This Browser Manager you have... it's starting from a very weird place, AppInit_DLLS. That key is usually the preserve of kernel stuff and antivirus. What is Browser Manager, what does it do?
I'd put IE8 back if it's still in your Recycle Bin. You could try restarting Hijackthis, scanning and putting a checkmark against:
O20 - AppInit_DLLs: c:\docume~1\alluse~1\applic~1\browse~1\22580~1.182{16cdf~1\brwmngr.dll
...and pressing Fix Checked.
Then restart.
I would not use Spybot myself.. you have good coverage with MBAM [the best antispyware tool] and Defender.
You run your compy as an Administrator, don't you? Otherwise that Appinit_DLLS entry would not have been made. Maybe you installed something, and that item piggy-backed in.
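An added example, not part of the post above: a Python triage of the HijackThis `O20 - AppInit_DLLs` line quoted in it, flagging entries that load from outside the system directory or hide their location behind 8.3 short names. The sample log is constructed (only the first O20 line comes from the post), and the `C:\Windows` install location is an assumption.

```python
import ntpath
import re

# HijackThis prints the AppInit_DLLs registry value on an O20 line.
O20_RE = re.compile(r"^O20\s*-\s*AppInit_DLLs:\s*(?P<value>.+)$", re.IGNORECASE)
SHORT_NAME_RE = re.compile(r"~\d")

# Assumption for this example: Windows is installed in C:\Windows.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample log. The first O20 line is the one quoted in the post;
# the other lines are made up for contrast.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O20 - AppInit_DLLs: c:\docume~1\alluse~1\applic~1\browse~1\22580~1.182{16cdf~1\brwmngr.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\example_av.dll, helper.dll
"""


def triage_appinit(log_text):
    """Return [(dll_entry, [reasons to review])] for every AppInit_DLLs entry."""
    findings = []
    for line in log_text.splitlines():
        match = O20_RE.match(line.strip())
        if not match:
            continue
        # The value is a space- or comma-delimited list, which is why long
        # paths containing spaces show up in 8.3 short form.
        for entry in re.split(r"[ ,]+", match.group("value").strip()):
            if not entry:
                continue
            path = ntpath.normpath(entry).lower()
            reasons = []
            if not ntpath.dirname(path):
                reasons.append("no directory given")
            elif not path.startswith(SYSTEM_DIRS):
                reasons.append("outside system directory")
            if SHORT_NAME_RE.search(path):
                reasons.append("8.3 short name hides real folder")
            findings.append((entry, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_appinit(SAMPLE_LOG):
        print(("REVIEW " if reasons else "ok     ") + entry, "; ".join(reasons))
```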

gerbil 216 Industrious Poster

Battery out, leave compartment open. Submerge the phone in fresh water, swish it about to rinse the chlorine/urine out of it. Shake dry, use rice as pointed out by jtodd, with some sun on it for heat. When you think it is quite dry, give it another day or two. Seriously. Some chips lie so close to the boards that it is very difficult to remove the water/moisture from under them; it will insidiously attack the pins, tracks and solders via electrolysis. Coatings aren't over everything.
Get togs without a pocket. What do you need to carry?
Why do I feel the need to point out that it should not be cooked rice? :)

gerbil 216 Industrious Poster

What hardware have you got connected? Try going with just the simplest arrangement, eg. keyboard only, no mouse. No USB hardware, use PS2 keyboard if available, maybe a PS2 mouse.
I'm not sure, but I think Esc was for Recovery options like Safe Mode, Normal Mode, Last Config...

gerbil 216 Industrious Poster

Struggling still? You might try running Farbar Network Service Scan from http://www.bleepingcomputer.com/download/farbar-service-scanner/
Start it, check Internet Service, and Scan. Post the log.
It's a portable tool, run it from a UFD key.

gerbil 216 Industrious Poster

Hey, look! There's a bar down there!
Sigh. In all my visits I had never used it... it barely slides into my consciousness.
But having just tried it, it looks handy for a quick visit to check responses.

gerbil 216 Industrious Poster

No problems there, Q8i. Looks like you are ready to release into the wild, again.
Your trojan chose one of many ways to hide in Windows while having an effect upon something seemingly unrelated, hence nothing showed in Chrome itself, but only in IE settings.
You might google searchscopes. Most of the corrections we made in that Fix file were simply orphaned entries in reg, a tidy-up.

gerbil 216 Industrious Poster

We're not quite there yet, Q8i. That trojan/worm causing the problem you have experienced often comes packaged with a rootkit. This tool should expose it if it exists:
Please download Roguekiller from http://majorgeeks.com/RogueKiller_d6983.html
-start it with a dclick and wait for the initial scan to complete. Press the report button, post the log that pops in notepad. Do not remove anything at this stage.

gerbil 216 Industrious Poster

Hello, Q8i. This block, it's the same as before where I made a syntax error from force of habit of normal typing, but with the correction already made here. So start OTL again, and under Custom Scans/Fixes paste in the following:

:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
IE - HKU\S-1-5-21-3950603794-847189768-4124068-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[2012/08/06 12:38:43 | 000,000,000 | ---D | C] -- C:\Users\Q8iEnG\AppData\Local\{47DC4CE8-594C-4150-B595-E935013DAC07}
[2012/08/06 12:38:31 | 000,000,000 | ---D | C] -- C:\Users\Q8iEnG\AppData\Local\{5AF4FFAC-FAA9-47C4-AD22-542782FFFC61}
DRV:[b]64bit:[/b] - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_270.dll File not found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll File not found
O4:[b]64bit:[/b] - HKLM..\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" File not found
O4:[b]64bit:[/b] - HKLM..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe File not found
O4 - HKU\S-1-5-21-3950603794-847189768-4124068-1001..\Run: [AdobeBridge]  File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
DRV:[b]64bit:[/b] - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found
O8:[b]64bit:[/b] - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
O18:[b]64bit:[/b] - …
gerbil 216 Industrious Poster

Whoops, that's a syntax error of mine, a typing habit. Sorry, but the first line of that fix should be..
:OTL
So paste the block in again, and move that colon to the front of the line. Press Run Fix, OK, and let it complete.

gerbil 216 Industrious Poster

Hello, Q8i.
Start OTL again, under Custom Scans/Fixes paste in the following:

OTL:
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
IE - HKU\S-1-5-21-3950603794-847189768-4124068-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[2012/08/06 12:38:43 | 000,000,000 | ---D | C] -- C:\Users\Q8iEnG\AppData\Local\{47DC4CE8-594C-4150-B595-E935013DAC07}
[2012/08/06 12:38:31 | 000,000,000 | ---D | C] -- C:\Users\Q8iEnG\AppData\Local\{5AF4FFAC-FAA9-47C4-AD22-542782FFFC61}
DRV:[b]64bit:[/b] - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_270.dll File not found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll File not found
O4:[b]64bit:[/b] - HKLM..\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" File not found
O4:[b]64bit:[/b] - HKLM..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe File not found
O4 - HKU\S-1-5-21-3950603794-847189768-4124068-1001..\Run: [AdobeBridge]  File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
DRV:[b]64bit:[/b] - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found
O8:[b]64bit:[/b] - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM …
gerbil 216 Industrious Poster

Hokay. Download OTL from http://oldtimer.geekstogo.com/OTL.exe
=Download TDSSkiller from this link, save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe -you may need to download it to a clean computer and then transfer it to the desktop using a USB flash drive.
=Download Malwarebytes' Anti-Malware from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

=Start TDSSKiller, click Change Parameters. Under Additional options check both boxes, Verify Driver Digital Signature and Detect TDLFS file system; click OK.
-click Start scan;
-if TDSSKiller finds a rootkit and prompts a Cure then press Continue [a reboot may be required];
-press Continue also on any Skip prompt for suspicious files. Do not delete or quarantine any files.
Post the log from C:.

=Dclick mbam-setup.exe to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

=Dclick OTL.exe to start the application; in the window that opens choose, Scan All …

gerbil 216 Industrious Poster

regsvr32 wucltui.dll was one I confused with wucltux.dll. Some vista stuff crept into my fix, but no matter. Just another reason to loathe vista... That auto-fix from M$ that you ran covers it [it includes all the terms for xp, vista and W7].
I only let Windows notify me of the available updates, I like to choose what I feel is relevant.
After a virus, sometimes near enough is as good as you can hope for after it is killed. Tracking some minor changes can be exhausting, and unfulfilling.
Cheers.

gerbil 216 Industrious Poster

I made a slip in that list of registration files. I gave you wuwebv.dll, which is for Vista. It should be wuweb.dll for XP. You should have the latter in system32, delete wuwebv.dll, and run:
regsvr32 wuapi.dll wuaueng.dll wups.dll wups2.dll wuweb.dll wucltux.dll
Sigh.
Try checking for updates manually. There is always one to download...
Svchost instances... yes you can have several running. My sys has 8 just now. Each Svchost holds a group of service libraries that together form a single process which performs some task, say net services. I think.

gerbil 216 Industrious Poster

Good work. No need for OTL now; Babylon is a persistent, well-embedded toolbar and redirector, no more.

gerbil 216 Industrious Poster

It's got cunning. They know you're going to try that...
Download OTL from http://oldtimer.geekstogo.com/OTL.exe
Dclick OTL.exe to start the application; in the window that opens choose, Scan All Users, Minimal Output, Standard Registry ALL, check both LOP and Purity boxes, and then press Run Scan.
The scan will take maybe 5 minutes; 2 notepads will present [they are saved to the place from where you ran OTL.exe] - post both, please.

gerbil 216 Industrious Poster

Hmmm, that didn't go fully well...and I don't know why I put in a Combofix service to remove, late nights, I guess.. :), no harm. But this is quite wrong:
File PTYTEMP] not found.
File PTYFLASH] not found.
File PTYJAVA] not found. - It appears that the first 3 characters of each line were missed when you pasted? No problem, no need to rerun the tool.

You are going to have to find a copy of this file on your sys: C:\WINDOWS\system32\wuauserv.dll - perhaps in ServicePackFiles\i386, or Software Distribution, or on an installation cd, or just download it, and copy it over to system32.
Then in a cmd window run this [press Enter each time it waits]:
regsvr32 wuapi.dll wuaueng.dll wups.dll wups2.dll wuwebv.dll wucltux.dll
If that does not restart the update service then I offer this set of commands [you could make a .cmd file of them in Notepad, and run by dclick]:

net stop bits
regsvr32 /u wuaueng.dll /s
regsvr32 wuaueng.dll /s
net start bits
net start wuauserv
wuauclt.exe /resetauthorization /detectnow

And if that doesn't work, then there is the whole hog here: http://support.microsoft.com/kb/971058/en-us
Say how it all goes.
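An added example, not part of the posts on this page: a Python pre-paste check for OTL fix scripts that catches the two slips described here, the section header typed as `OTL:` instead of `:OTL`, and a paste that loses the leading characters of each command (`PTYTEMP]`). It knows only the section headers and commands that appear in the scripts on this page, and the sample scripts are constructed from those lines.

```python
# Only the section headers and commands that appear in the fix scripts on
# this page; this is not a full grammar of OTL's fix language.
KNOWN_SECTIONS = (":OTL", ":Files", ":cleanup", ":Commands")
KNOWN_COMMANDS = ("[EMPTYTEMP]", "[EMPTYFLASH]", "[EMPTYJAVA]")

# Constructed samples: a well-formed script, then the same script with each
# of the two slips applied.
GOOD = r""":OTL
O18 - Protocol\Handler\msdaipp - No CLSID value found
:Commands
[EMPTYTEMP]
[EMPTYFLASH]
[EMPTYJAVA]
"""
COLON_AT_END = GOOD.replace(":OTL", "OTL:", 1)
TRUNCATED = GOOD.replace("[EM", "")  # first three characters of each command lost


def _section_for(line):
    """Return the canonical section name if line is a known header, else None."""
    for name in KNOWN_SECTIONS:
        if line.lower() == name.lower():
            return name
    return None


def lint_fix_script(text):
    """Return [(line_number, code, expected_text)] for a pasted fix script."""
    problems = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        header = _section_for(line)
        if header:
            section = header
            continue
        # "OTL:" instead of ":OTL": the colon was typed at the wrong end.
        if line.endswith(":") and _section_for(":" + line[:-1]):
            section = _section_for(":" + line[:-1])
            problems.append((lineno, "colon-misplaced", section))
            continue
        if section is None:
            problems.append((lineno, "no-section-header", KNOWN_SECTIONS[0]))
            section = ""  # report the missing header only once
            continue
        if section == ":Commands" and line.upper() not in KNOWN_COMMANDS:
            # A paste that lost its leading characters leaves only the tail
            # of a known command, e.g. "PTYTEMP]" for "[EMPTYTEMP]".
            tails = [c for c in KNOWN_COMMANDS
                     if line.endswith("]") and c.endswith(line.upper())]
            if tails:
                problems.append((lineno, "truncated-command", tails[0]))
            else:
                problems.append((lineno, "unknown-command", line))
    return problems


if __name__ == "__main__":
    for name, script in (("good", GOOD), ("colon", COLON_AT_END), ("paste", TRUNCATED)):
        print(name, lint_fix_script(script))
```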

gerbil 216 Industrious Poster

Use this codebox instead for the OTL fix - I added 3 more files/folders to be removed.

:OTL
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
DRV - File not found [Kernel | On_Demand | Unknown] -- D:\DOCUME~1\Sabre2th\LOCALS~1\Temp\mbr.sys -- (mbr)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\DOCUME~1\Sabre2th\LOCALS~1\Temp\ALSysIO.sys -- (ALSysIO)
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-299502267-287218729-839522115-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-299502267-287218729-839522115-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-299502267-287218729-839522115-1003\..\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}: "URL" = http://www.daemon-search.com/search?q={searchTerms}
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{3A056AA9-CEDF-11E1-8270-B8AC6F996F26}: D:\Documents and Settings\Sabre2th\Local Settings\Application Data\{3A056AA9-CEDF-11E1-8270-B8AC6F996F26}\
O18 - Protocol\Handler\msdaipp - No CLSID value found
:Files
d:\documents and settings\sabre2th\local settings\application data\{3A05A615-CEDF-11E1-8270-B8AC6F996F26}
d:\documents and settings\sabre2th\local settings\application data\{3A056AA9-CEDF-11E1-8270-B8AC6F996F26}
d:\documents and settings\sabre2th\application data\mdgfi.dll
d:\windows\System32\spoolsv.exe|d:\windows\ServicePackFiles\i386\spoolsv.exe /replace
:cleanup
GMER
TDSSKiller
:Commands
[EMPTYTEMP]
[EMPTYFLASH]
[EMPTYJAVA]
gerbil 216 Industrious Poster

That's good, Sabre. There are a few things to fix, still. Btw, once the rootkit was removed, MBAM could see, and so quarantined, that file and folder I listed for manual deletion.
Your d:\windows\System32\spoolsv.exe ... is missing ... there is a good but earlier copy at d:\windows\ServicePackFiles\i386\spoolsv.exe, and OTL will replace the missing file with this, but I recommend you get the later version by downloading KB2347290 from M$ Updates.
Copy the following code into OTL's Custom Fixes/Scans box, then press Run Fix.

:OTL
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
DRV - File not found [Kernel | On_Demand | Unknown] -- D:\DOCUME~1\Sabre2th\LOCALS~1\Temp\mbr.sys -- (mbr)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\DOCUME~1\Sabre2th\LOCALS~1\Temp\ALSysIO.sys -- (ALSysIO)
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-299502267-287218729-839522115-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-299502267-287218729-839522115-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-299502267-287218729-839522115-1003\..\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}: "URL" = http://www.daemon-search.com/search?q={searchTerms}
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{3A056AA9-CEDF-11E1-8270-B8AC6F996F26}: D:\Documents and Settings\Sabre2th\Local Settings\Application Data\{3A056AA9-CEDF-11E1-8270-B8AC6F996F26}\
O18 - Protocol\Handler\msdaipp - No CLSID value found
:Files
d:\windows\System32\spoolsv.exe|d:\windows\ServicePackFiles\i386\spoolsv.exe /replace
:cleanup
GMER
TDSSKiller
:Commands
[EMPTYTEMP]
[EMPTYFLASH]
[EMPTYJAVA]

Post that log.

Remove all old versions of Java.
Delete RKill and its log
Go Start, and Run d:\documents and settings\Sabre2th\Desktop\Virus hunting\ComboFix.exe /Uninstall

gerbil 216 Industrious Poster

To be safe, use Avast to scan both iexplore.exe in Pgm Files\Internet Explorer and explorer.exe in \Windows.
Rerun Rkill [the flashing black cmd windows are normal] and when Avast alerts you set the permission to Allow and Ok it each time. Rkill.exe etc should finalise and present a log in a notepad, and disappear as a running process. It is important to try to run all these procedures in Normal mode

gerbil 216 Industrious Poster

Sabre, make sure that all your Avast services are running. Some failed to start earlier.
The rootkit has regenerated after some earlier action. Right, you need to follow these instructions carefully: firstly, you shall download some tools and updates; secondly attempt a couple of deletions, then run the tools in the order given WITHOUT any reboot until Combofix demands it [a reboot would restart any malware configured to start at boot].
-download Rkill, save it to your desktop, from http://www.bleepingcomputer.com/download/rkill/
-download this file also to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-download OTL from http://oldtimer.geekstogo.com/OTL.exe
-update MBAM, don't scan yet.
Okay, run these tools in Normal mode, close all other applications but keep a copy of these instructions open in a notepad.
**Dclick the Rkill icon to start it, if it runs successfully a notepad log will pop, don't post it. If it doesn't run, try running the downloads from one or both of these sites:
http://download.bleepingcomputer.com/grinler/rkill.scr
http://download.bleepingcomputer.com/grinler/rkill.com
If none work, please say.
**Run TDSSkiller, if TDSS or TDLFS show again then quarantine them.

**Do a Full scan with the updated MBAM, fix what it finds but do not reboot even if requested.

**attempt to delete this file and folder; you will have to show hidden files and folders in explorer, else use the cmd window and DIR, then DEL.
file- D:\windows\assembly\GAC\Desktop.ini
folder- D:\Documents and Settings\Sabre2th\Local Settings\Application Data{156cc7ff-8a28-25e2-b67c-d02b1d0250a9}\

**Combofix: turn …

gerbil 216 Industrious Poster

Apache2.2\bin\httpd.exe

Hi again, sabre.
Please rerun TDSSkiller, and Delete these two entries when they show:
\Device\Harddisk0\DR0 ( TDSS File System ) - warning
\Device\Harddisk0\DR0 - detected TDSS File System (1)
-post the log.

Now let's see if this can detect more of that rootkit. Download aswMBR from http://www.bleepingcomputer.com/download/aswmbr/
Start it, press Scan [it will download virus definitions from Avast], then Save log. Post that, please.
An MBR.dat file will appear on your desktop, it is a copy of your MBR. Do not delete it.

gerbil 216 Industrious Poster

Hello, sabre,
==Download TDSSkiller from this link, save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe -you may need to download it to a clean computer and then transfer it to the desktop using a USB flash drive.
-click Change Parameters. Under Additional options, check both boxes, Verify Driver Digital Signature and Detect TDLFS file system; click OK.
-click Start scan;
-if TDSSKiller finds a rootkit and prompts a Cure then press Continue [a reboot may be required];
-press Continue also on any Skip prompt for suspicious files. Do not delete or quarantine any files.
Post the log from D:.

gerbil 216 Industrious Poster

Right. Reset the Print Spooler to automatic, it's not the one I was interested in.
The problem lies with a startup entry in registry or elsewhere, and the best way to find that and fix it is with Autoruns. Download it (a zip archive) from http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Or you can Run it from the site - there is a link for that.
Start Autoruns, it will open at the Everything tab. Search for and uncheck every instance of dlcjtime.dll -there may be more than one entry. Click OK, reboot.
Did that work?

gerbil 216 Industrious Poster

And you are sure that file is where that message says XP is looking for it : C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll ?
The message pops at system start? Maybe something that that software depends upon has not also been started; it's a Dell software, go into Services, find Dell printer entry and set it to Manual, and Stop it. That way, when you wish to print the service will start at that time, and not at system start.

gerbil 216 Industrious Poster

Well, that is interesting, rman. I get the default explorer process running with desktop; if I open explorer windows no more open. Setting "Launch... in sep process" will give me another instance. But only one, no matter how many windows are open. : so two max..

gerbil 216 Industrious Poster

Read up, rman. You will not get more than 2 explorer processes no matter how many windows you open.

gerbil 216 Industrious Poster

" I am up to Version 7 Update 4." I have 6.32/5. Latest.
Next point. You, in America, need better news feeds. Those are simply awful.
The first site runs ActiveXs and (Macromedia) Flash continuously under IE, uses mshtml.dll continuously. Contacts host periodically. IE process uses a lot of javascript (jscript.dll). The sites are hogs. Even Opera runs on, but only 5% CPU. My IE6 uses 35% CPU time.
IE6??!! It's what I use when I must use IE... :)
HuffnPuff is the same. "What these five pregnant celebs have in common". Oh, I am so gunna click that link. Good christ.

gerbil 216 Industrious Poster

This may sound silly, but you do have TCP/IP enabled as a protocol? (Network Connections > Local Area Connection, Properties). There should be a check next to the Internet Protocol (TCP/IP) entry, If that entry is not there, then choose Install, highlight Protocol, press Add.... and go from there.

gerbil 216 Industrious Poster

Probably time to run chkdsk /r from your recovery console, either from your installation cd, or via download from one of:
http://www.thecomputerparamedic.com/files/rc.iso
http://www.webtree.ca/windowsxp/tools/bootdiscs/xp_rec_con.zip
http://www.mediafire.com/?rnuzmyjdwz2
It is an advantage to put the RC onto your systemdrive [C:]; instructions for doing this can be had from Microsoft via search.

gerbil 216 Industrious Poster

I beg to differ, jb. Under XP, if there is an attempt to open explorer a check is first done to see if it is already running. If so, then a new window is opened via the first explorer instance. A second instance can be opened by checking Launch folder window under a separate process in Folder Options. But only a second will be opened this way. I think, but have not checked, that a second can also be opened under the System as owner...

gerbil 216 Industrious Poster

Somewhat more seriously, you could reinstall Revo over the top of the old installation, and then try Add/Rmv Pgms again. And if that fails just delete the pgm manually, anything related in DocsnSetts\User folder also. With the executables gone remnants are just a bit of wasted space, same goes for missed registry entries.

gerbil 216 Industrious Poster

Have you tried using Revo Uninstaller?

gerbil 216 Industrious Poster

Do you have CCleaner? Is it set under Tools > Drive Wipe to Wipe Free Space on that drive? Then uncheck that, delete the folders. By free space, CCleaner means space occupied by already deleted files [the files often still exist unless overwritten, but the pointer in the file manager is altered so as to show them as deleted].
If it is not set to wipe free space then it is playing at wiping some drive space, so uninstall CCLeaner, reinstall it, and delete those folders.

gerbil 216 Industrious Poster

Sysprep? You mean you tried this command in a Start, Run box in Safe Mode?:
rundll32.exe syssetup,SetupOobeBnk
-that should reset activation timer. To restart the activation process you could [again in Safe Mode] try editing HKLM\Software\Microsoft\WindowsNT\Current Version\WPAEvents\oobetimer to 0, and then RUN:
%systemroot%\system32\oobe\msoobe /a.
Searching, though, shows those solutions are required after a Repair, not a fresh installation. If it is indeed some security chip on the mb you may find a reset option inside BIOS.

gerbil 216 Industrious Poster

Things I would suspect....
Memory. Get memtest86+ from .org, load it to some medium and boot cold from that. The site has informative reading. Run it for half an hour at least; you don't want even a single error.
You mention POST restarting by itself [before XP starts loading] - this points to a power problem - if some mb voltages are seen to go out of range [a warm-up voltage swing] a cpu reset signal is generated > your sys restarts. Check your PSU voltages from cold [it must be connected to a load [eg. the mb] to work at all; a tech will have a device which when plugged in will give readings of all voltages... a minute's work]. He won't see a spike with it, though. And it could be the monitoring chip on the mb hiccuping.. easiest is to swap out the PSU for a check.
But the PSU scenario doesn't sit well with the XP driver loading screen running on now.... and that SafeMode entry failure points to a registry problem, or failure to load/read the hive properly > hdd failure. Run a diagnostic [bootable] from your hdd manufacturer's site.
The most basic starting componentry you can go with is one mem stick, cpu, psu, mb [and video card if no internal graphics on the mb] - add pieces [with power off] from there to test : hdd, video, other pci, kbd.
Could be a chip on your mb or …

gerbil 216 Industrious Poster

To ease the chore of cleaning, get CCleaner. Set it to open and/or run by rclick context in the Recycle Bin [as you install it, you'll see what I mean]. Maybe personalise it by visiting the options tab to include any other files/folders.
Prefetch? Leave it alone.. old stuff gets cycled out, & XP uses a file in there to order stuff on your hdd.
Cheers.

gerbil 216 Industrious Poster

Hi. A file with a name like that is probably not what you want on your machine. A search for its base-name brings up nothing. In looking for it, have you set the criteria so as to show hidden system files and folders? [explorer, tools tab, folder options, view tab, uncheck Hide protected op sys files], then do a search.
Does it show in Task Manager as a running process? Then Process Explorer [google that] will locate it [rclick on process, go properties for full pathname].
Still cannot locate it? Then run Malwarebytes Antimalware, and GMER. For instructions, sites to dl from, check in the Viruses forum sticky section [stuff to run before asking for help post].
What did you use to spot the loading of it?

gerbil 216 Industrious Poster

Copy them to a cd and mail them to him. Gotta be faster than 15KB/sec.

gerbil 216 Industrious Poster

Driver updating, yet another example of how people allow computers to take over their lives. If everything is working as you would like it/expect it, Device Manager reports no problems, and there is no amazing, new feature offered by an update then a driver update will not necessarily deliver anything. Check the update changelog - many updates will not apply to your situation. An example might be a change to ensure compatibility with some new widget that your sys doesn't boast, or to fix an obscure chance error that you've never experienced.
Sure, when you buy a piece of kit the driver software that comes with it may be a bit ropy.... a rush job just to get the hardware on the shelves [I'm a cynic] and an update might get more from the thing, but often, no.

gerbil 216 Industrious Poster

A pity you did not try the software I suggested. It lists accounts and permits to change/remove XP account passwords. Simple as, totally effective.

gerbil 216 Industrious Poster

I use cd080802.exe.

gerbil 216 Industrious Poster

" When I clicked the "OK", the "Unable..." box disappeared and "Log On to Windows" was fully presented."
-at that point are you unable to remove Administrator from the box [backspace it out] and type your own username?.... and can you then log in? If so, use control userpasswords2 again, recheck that box, set an Administrator pw if you so wish. Or clear it...
I much prefer to use net user in the cmd window to alter accounts.
Run net in a cmd window... and so on. You have full control of accounts from here.

gerbil 216 Industrious Poster

Microsoft® Windows® Operating System Microsoft Corporation 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) 32-bit

gerbil 216 Industrious Poster

Whoops. Vinod, I should have told you that to see desktop.ini files you must go [in an explorer window] Tools tab > folder options > View tab, and uncheck temporarily Hide Protected Opsys Files. That will reveal desktop.ini in those locations. Delete them; Windows will rebuild the files at next startup. And advisedly recheck that hiding option...

gerbil 216 Industrious Poster

A search with this string: shell32.dll,-21787
...shows that it is an issue known to Microsoft.
As they say here... http://support.microsoft.com/kb/330132
...simply search for and delete desktop.ini file in these folders:
systemdrive:\Documents and Settings\All Users\Start Menu\Programs\Startup
systemdrive:\Documents and Settings\All Users\Start Menu\Programs
systemdrive:\Documents and Settings\All Users\Start Menu
-your systemdrive is likely C:

Cheers.

gerbil 216 Industrious Poster

Got a pic of those caps?
As for the error, try running chkdsk from the Recovery Console:
chkdsk /r

gerbil 216 Industrious Poster

If you mean that you downloaded the whole Windows XP SP3 OS then you won't get help with installing that on this site. If you downloaded the SP3 upgrade file, KB936929-SP3-x86-ENU.exe, then yes, you can install it from a pendrive. But why not copy it onto your hdd first?

gerbil 216 Industrious Poster

I am not sure a good cable should have that effect.
Some motherboards assign different properties to their different SATA ports.... but network drive?? You don't have to leave it as a logical drive.... a primary drive or two on a disk can be a handy thing.

gerbil 216 Industrious Poster

I think a sector is first picked as being bad when it is shown as containing data, but that data is unreadable or in disagreement with the file table. The data may be recoverable [an advantage of NTFS], it may not.... but if writing zeroes to that sector is possible then it will have its defect status revoked by the drive electronics.
If again it fails [weak magnetics, say] then once more it will be marked and perhaps mapped to a reserved sector on the drive.
You can use something like siw.exe to see how many spare sectors have been reallocated on your drives if they support SMART. There may also be a count of uncorrectable sectors.