Posted 08 February 2009 - 10:07 AM
Hi chameleon, thanks for the reply. I spent a few more hours with the machine last night, and think I've got all the "kinks" out of it.
The machine has multiple users, so going through and deleting all of the temp files took a while. Under one of the users (with Admin rights, and the only account that was passworded), I found 3 files tagged as "Trojan.Agent", and the Malwarebytes software had no problem deleting them. Even finding the Temporary Internet Files proved to be a chore. After finding and deleting what I thought was all of the temps, I ran Spybot. It prompted me that it wanted to delete some 1600 temp files, so I closed the scan and went hunting for them myself. I had already enabled "View Hidden Files and Folders" in the global Folders-->View, but that didn't show the Temporary Internet Files. As that folder can be placed anywhere, I did a Search for it. I came up with nada. Scratching my head, I found a setting that I didn't know about previously that displayed it. I don't have XP on any machines, as I've never had the need to upgrade to it from Win2k SP4 (I've no need for Movie Maker or the XP firewall.), so that probably slowed me down a bit. With all temps finally deleted, I ran a Spybot scan which only showed tracking cookies.
I was also puzzled by a "bum" hard drive that was appearing. Apparently, a new hard drive was added (listed as 233GB NTFS). The original drive was split into two partitions. The first (31MB FAT) and the second (38.25GB NTFS). The smaller drive was tagged as EISA Configuration, which is Dell's Utilities, and the rest of that drive was (most likely) the original C:\ drive. It showed as "Healthy" in Disk Management, but couldn't be accessed via Explorer, which stated that it was not formatted. I checked the Event Viewer for clues, and found many errors of a "Bad Block". I tried to run chkdsk on it, but it wouldn't cooperate. A defrag on it halted at 12%. As the owner of the machine now has a 233GB drive that's 90% free, I assume they don't need the 38GB drive, and deleted it. My guess is, the original hdd died, and they upgraded, leaving the unusable partition showing because they didn't know how to delete it.
I tried booting normally now, and still had the same issue (unwanted, automatic reboot). Back in Safe Mode, this time with Networking (so I could grab files from my machine without wasting CD-R's). I found Firefox and installed it (I detest IE). The first time I launched Firefox, I was prompted by McAffee Site Advisor that it apparently wanted full control over everything Internet-related. I tried to disable the Site Advisor using it's own "Disable" link, but it wanted no part of that. I finally resorted to uninstalling that bloated POS, and installed Avast.
On the reboot after the Avast install, I let it go to normal. It rebooted right after the login, but I let it go normal again (just to see), and this time I got in. I let it sit for about an hour (a record for this machine, since I've had it here), and it seemed stable. Still convinced that SP3 was part of the problem, I searched Microsoft's site for anything I should look for, in uninstalling SP3, and then "went for it". Believe me, I was watching closely, with fingers crossed, during that uninstall. I've no idea the consequences of a Service Pack uninstall that is interrupted by a hard reset, nor did I want to find out. The uninstall went uneventful, and after it, the machine required a reboot. The machine is up now for 12 hours without issues.
I've no idea if any one of the above fixes was actually the fix, or if it was a combination of them (which is my guess). The bad drive may have been freaking Windows out. McAffee, coupled with XP, was definately too much bloat for the amount of RAM on board. And, I've read/heard too many horror stories about SP3 to ever suggest that someone "upgrade" to it. Anyway, it appears fixed. It was quite a challenge, but I'm glad it's over! =)
Sorry to be so long winded here, but I tried to leave as much info about what I did as I could, in case someone has a similar issue in the future (I hope not, for them, heh). Thanks again for the reply.