DR/Hupigon.dsx.914 dropper virus?



johntee
2009-06-15, 02:08
Hi all. The last few days I've been having some problems...

I got a warning from Yahoo Mail when I signed in last week (after a few weeks absence) that my account had been breached and had been used to send spam to my contact list.

Around the same time Internet Explorer started encountering some errors (no details in the message box, just "Encountered error; have to close" sort of vagueness). Then Outlook Express did it a few times.
I got the blue screen once -- "Shutting down because the RPC (remote procedure call) was terminated unexpectedly". This was after I asked XP to shut down.
An attempt to compress the email folders in Outlook Express ended up terminating. (I thought it was disk-space related, since I had very little free disk space; I've since cleared out the Recycle Bin.)

My Avira AntiVir Personal -- which I keep up-to-date daily -- then started spitting out messages about VGEN/18460.372, and later a BOO/NutCrk-02 boot sector virus, and it gave a DOS/RPME.1314 virus warning about some Zip files.
(All the Avira messages were "Deny Access" as the actions -- it never gave me an option to just remove the Virus.)
XP at one point told me to run CHKDSK, which I did.

So I updated Avira Anti-Vir, restarted in Safe Mode, ran a scan, had it fix what it found. I also ran SpyBot S&D and it fixed a few things. A subsequent Avira scan and Spybot scan showed it was clean.

Then today it started spitting out DR/Hupigon.dsx.914 dropper messages in various DLL's, JPG's, etc when I was using IE. It also came up during the use of the Help file in Microsoft Works spreadsheet (WKSSS.CHM). And in the TTF (font) files when opening Outlook Express.
And earlier this afternoon, I noticed my Avira "umbrella" had switched to the closed icon, indicating the AntiVir Guard had been turned off. (It was "open umbrella" when I had booted up an hour earlier.)

The other thing I've noticed for months is that it seems like I get an "Update" very frequently -- I'm set for Microsoft to update automatically, but in recent months it seems like I can't go more than a day or two before it gives me the "Turn off without installing updates" option on the Shut-down menu. (I usually choose that Don't-Install option for several days, to save time on shutdown.) And my laptop does seem to begin processing something fairly regularly upon startup in the last month or two; I've always assumed this is the MS update download or the update being applied, but maybe it's virus-related?

I changed that Yahoo password; but did the virus-folks get notified of the new password I selected? How likely is it that any other passwords were snatched? 20%? 50%? 100%?
Any way to tell what other info they were sent (if any)?

Thanks in advance for your help!! :)

Here is the HJT log file I just ran --


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:52 PM, on 6/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ENCOREPRO\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\EZSP_PX.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Swift To-Do List\Swift To-Do List.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Evernote\Evernote3\EvernoteTray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John (Personal)\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [RCHotKey] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SwiftToDoList] "C:\Program Files\Swift To-Do List\Swift To-Do List.exe" minimized
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Nero\NERO7~1\NEROBA~1\NBJ.exe"
O4 - Startup: Evernote.lnk = C:\Program Files\Evernote\Evernote3\EvernoteTray.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Startup: Shortcut to avgnt.exe.lnk = C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: StumbleUpon: &Blog This - res://StumbleUponIEBar.dll/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://rick.viewnetcam.com:81/kxhcm10.ocx
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/GeneralElectric/Coupons.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/fs5/ax/ActiveXWebCam.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 10472 bytes
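
As an added example (not code from the thread, from HijackThis or from Safer Networking), the script below applies to an HJT log a few of the checks a helper does by eye when reading a log like the one above: an Internet Explorer proxy pointed at the loopback address, BHO entries whose DLL is gone, Run-key entries that name a bare executable, sites in the Trusted Zone, downloaded ActiveX controls, and the MSConfig /auto entry that shows the machine is in Selective Startup so that disabled autoruns are missing from the log. The sample lines are copied from the posted log; every rule is a heuristic that marks an entry for review, not a verdict that it is malicious.

```python
"""Triage of a HijackThis 2.0 log: flag the entry types a helper looks at first.

Added example, not code from the thread or from HijackThis. It handles the
line formats present in the posted log (R0/R1, O2, O4 Run keys, O15, O16,
O23). The rules are heuristics a human then verifies; the sample lines are
copied from the posted log.
"""
import re

# Constructed sample: eleven lines taken from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/fs5/ax/ActiveXWebCam.cab
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
"""

# Every HJT entry: "<type> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
# Body of an O4 Run/RunOnce entry (Startup-folder O4 lines use another format)
RUNKEY_RE = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LOCAL_HOSTS = {"127.0.0.1", "localhost"}


def parse(log_text):
    """Return (type, body) pairs for every R/O line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def executable_of(cmd):
    """Executable part of an autorun command: quoted path, else first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    return cmd.split(" ")[0]


def triage(entries):
    """Return (level, type, reason, body) for entries worth a second look."""
    findings = []
    for typ, body in entries:
        if typ == "R1" and "ProxyServer" in body:
            # IE sends all traffic through this proxy. A loopback proxy may be a
            # legitimate local filter or an interception point: find the listener.
            host = body.partition(" = ")[2].split(":")[0]
            if host in LOCAL_HOSTS:
                findings.append(("review", typ,
                                 "IE proxied through loopback; identify the listening program", body))
        elif typ == "O2" and body.endswith("(no file)"):
            # CLSID registered as a BHO but the DLL is gone: leftover to remove.
            findings.append(("cleanup", typ, "orphaned BHO registration (no file)", body))
        elif typ == "O4":
            m = RUNKEY_RE.match(body)
            if not m:
                continue
            if m.group("name") == "MSConfig":
                # MSConfig /auto means Selective Startup: disabled autoruns are
                # hidden from this log, which is why the helper asks for Normal mode.
                findings.append(("info", typ, "Selective Startup in effect; log is incomplete", body))
            elif "\\" not in executable_of(m.group("cmd")):
                # A bare file name is resolved through the search path at logon;
                # confirm which copy of the file actually runs.
                findings.append(("review", typ, "bare executable name resolved via search path", body))
        elif typ == "O15":
            # Trusted Zone sites run with relaxed IE security settings.
            findings.append(("review", typ, "site in IE Trusted Zone", body))
        elif typ == "O16":
            # Downloaded ActiveX controls stay installed and callable by any page.
            findings.append(("review", typ, "downloaded ActiveX control (DPF)", body))
    return findings


if __name__ == "__main__":
    for level, typ, reason, body in triage(parse(SAMPLE_LOG)):
        print(f"[{level:7}] {typ}: {reason}\n          {body}")
```

Run it against the sample and six of the eleven lines come back: the loopback proxy, the orphaned BHO, the bare TFNF5.exe entry, the MSConfig entry, the Trusted Zone site and the webcam ActiveX control. None of those is a finding of malware on its own; the script only shortens the list a human has to read, and the proxy rule in particular is answered by checking which process is listening on port 8088 (for instance with netstat -ano on XP).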

pskelley
2009-06-16, 15:12
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You must have read and followed the "Before you Post" instructions.

John, If you still need help, and I am not seeing more than adware in this HJT log, I will do what I can to help you check your computer for malware. Keep in mind I can not promise fast or easy, if you want to proceed, we will start like this.

1) Make sure you have read and follow the "Before you Post" instructions. I strongly suggest you read all Pinned (sticky) information at the top of this forum, the information is there for you.

2) System Configuration Utility (MSConfig) is running in Selective Startup mode and I do not know what is turned off, return to Normal Mode until we finish, then you can return to SS to save your resources.

3) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

http://www.besttechie.net/mbam/mbam-setup.exe <<< download

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

4) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5) Since they had to get through your password to get to your email account, you might want to view this information:
How hard are your passwords to crack?
http://www.microsoft.com/protect/yourself/password/checker.mspx

Thanks...Phil

johntee
2009-06-16, 18:21
System Configuration Utility (MSConfig) is running in Selective Startup mode and I do not know what is turned off, return to Normal Mode until we finish, then you can return to SS to save your resources.

Thanks! I did use Selective Startup (to conserve memory and speed boot-up). I'll turn it back to Normal, and I'll download and run Anti-Malware tonight.

You're saying there's no sign of Hupigon or other password-stealer? (Because that's the most recent alert I was getting from Avira.)

Thanks!
John

pskelley
2009-06-16, 18:35
Not in the HJT log John, but the hackers have learned over the years to hide their junk from HJT. MBAM is the first step towards finding out what might be hidden.

Thanks

johntee
2009-06-17, 04:05
Is there an alternative to MalwareBytes that I could try?
I've been running MBAM repeatedly for a few hours, and it seems to be getting worse... Let me explain that --
MBAM has never been able to complete the Full Scan and return any log results. It goes into a Reboot after varying periods of time scanning. (This is in the SCAN phase, I've never even gotten to the FIX phase.)
It did the eventual-Reboot thing twice, so I watched the 3rd time, and of course after 35+ minutes of watching, it rebooted when I walked away, literally for a minute!
When it rebooted that 3rd time, it booted up into CHKDSK... Deleted some invalid filenames, deleted orphan file record segments, deleted some index entries.

So I ran MBAM again, got the Black (maybe it was Blue?) screen of death ("A problem has been detected...") and it rebooted.

After that reboot, my Avira umbrella icon was closed, and marked as "Service", so I activated it.

IE encountered a problem with an Add-on (Flash10b.ocx) and needed to close.

Ran MBAM again, and it quickly "encountered a problem and needs to close".
Same message for DrWatson Post-Mortem Debugger.

I closed the screen remnant of MBAM, but it wouldn't allow me to run it again because it thought it was already running. So I rebooted.

This time, when I started MBAM, even before it gave me the MBAM main screen, it said "encountered an error and needs to close".

When I was able to start MBAM again, it scanned the [ some # ] C:\ items and found 376 infected objects in the first minute.
It kept finding some more, up to about 583 infected objects.

(Each of the previous times, even the long-running scans, and in all the subsequent times, it's only found 6 infected objects.)

The PC rebooted at some point, I ran MBAM again, found the usual 6 infected objects right away, and it scanned for a while. Then the dreaded Blue Screen -- "a problem has been detected and windows has been shut down to prevent damage to your computer."

I rebooted, ran it again, it ran somewhere over 20 minutes, then "encountered an error". Ditto DrWatson Post-Mortem Debugger.

No log file has ever been created by MBAM during all this, I'm guessing because it writes that at the END of the scan? It's always been 6 infected objects found, except for that one run where it found 583 or so. (But the MBAM runs after the 583 scan only found the usual 6...)

Is there some different program that might get us part of the way there, if only to enable MBAM to run all the way through? Or some setting that would at least let it record what it's finding prior to its closure?

Do you think any of this sounds like a failing hard-drive (I ask because of the CHKDSK messages), or is it the virus that's triggering the occasional Chkdsk message?

Thanks for all your help!!
John

pskelley
2009-06-17, 13:15
Let's see if you can get combofix to run, please read and follow the directions carefully.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

johntee
2009-06-18, 07:36
Sorry for the delay in replying... My computer gave up the ghost after boot-up this morning.

It booted into CHKDSK, didn't seem to find any errors.
When I logged into Windows, I got a WINDOWS - REGISTRY RECOVERY message box saying "One of the files containing the system's registry data had to be recovered by use of a log or alternate copy. The recovery was successful."

I had trouble connecting to the internet -- although my MailWasher Pro was able to eventually connect to the internet, IE couldn't. I turned off and on the router and modem, and got through to Spybots to see part of your message, but then IE "encountered a problem and needed to close."

Tried IE again; got through, and after a minute I got the Blue Screen of Death and it tried to reboot, but gave me the message:
"Windows could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM. You can attempt to repair this file by starting Windows setup using the original setup CD-ROM. Select "r" at the first screen to start repair."

Well, it's a Toshiba laptop that came preloaded with Windows, and there's no Windows Setup CD. It did come with a "Toshiba Recovery and Applications/Drivers DVD", but it didn't want to boot up from that.
I tried the various options on the Safe Boot menu, but none let it boot up; same error message.

So I bought an Asus netbook computer today so I'd have something to help me fix my real laptop. That's what I'm typing on now. It's also XP.

What can you suggest? Is there a way to create the Setup CD it wants from the preloaded OS on either the netbook's drive, or from one of my backups of the laptop's drive? I have the XP sticker with the Product Key on the laptop, so I can prove it's a valid licensed copy of XP, albeit OEM.

Thanks!
John

pskelley
2009-06-18, 13:17
John, you are getting way out of my area of expertise, which is malware removal. Here are two good, free forums which deal with operating system issues. They should be able to answer your questions.
Register free and post at only one.
Thanks

http://www.bleepingcomputer.com/forums/forum56.html
http://www.techsupportforum.com/microsoft-support/windows-xp-support/