Windows XP: Can only boot into safe mode

xSauronx

Lifer
UPDATE
Problem solved after running SuperAntiSpyware and F-Secure online.

Thanks for the input everyone. I'll schedule regular scans of whatever I can on a weekly basis to avoid this in the future :)

This is a computer at my dad's business. I show up to work one day and Windows is frozen (XP SP2); naturally, I reboot.

It won't boot into Windows. It shows the loading screen, then blacks out.
I can reboot into safe mode with networking.

My mother and father both say they made no changes to this computer; it worked fine a week ago but now does nothing but black out after the XP loading screen.

Long ago I had them install Ad-Aware and Spybot, as they have AntiVir on here, but they don't scan it as often as I tell them to, so I suspected perhaps it was some malware or a virus (dad will open absolutely anything in his email or on a web page).

So, it has Windows XP Home, SP2
Ad-aware
Spybot
Antivir

I've run a full scan with all three, found some junk, cleaned it all... and it still blacks out after the loading screen.

Hardware:
Asus A7V-400 (Socket A, integrated video) with an Athlon XP 1800+, 512 MB RAM, a Diamond sound card that is new-ish (it's been in for a month)

I have an Athlon server if I need to swap out hardware; is it worth the trouble? I looked over things in the system event viewer after a reboot and this is the only thing that stood out:
6/16/2008 1:10:23 PM The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c2 (0x00000007, 0x00000cd4, 0x00020017, 0x854d1a28). A full dump was not saved.

I can get online so I can download some other spyware stuff like a-squared or SuperAntiSpyware, or maybe run another AntiVir check, but I don't have much time to spend at work doing things with it until Tuesday or Thursday, so any advice is appreciated.

thanks :)


 

law9933

Senior member
Super & a2 might find more.
Posting a HJT log could help.
Does Device Manager have any yellow or red marks?
SM only is usually a driver (often video), software conflict, or malware.
The same hardware is used in SM & Normal.
 

xSauronx

Lifer
Originally posted by: law9933
SM only is usually a driver (often video), software conflict, or malware.
The same hardware is used in SM & Normal.

which is why I didn't bother messing with hardware yet, as I figured it'd be a waste of time. I'll add Super and a2 Tuesday if I have time and see what I come up with, and get a HijackThis log up if that doesn't do any good.
 

mechBgon

Super Moderator, Elite Member
In the future, can I suggest (yes) setting them up a non-Administrator user account for daily-driver work if possible (meaning, DO IT unless they have software that cannot be persuaded to function in a Limited account, e.g. QuickBooks). And here are some more security suggestions to go with that.


In the present, what exactly did AntiVir and the other programs find? Can you name some malware names (look in AntiVir's quarantine)? And if there's anything important on the system, back it up as soon as you can, just in case things go from bad to worse. Email, contacts, favorites/bookmarks, files, etc.

they have AntiVir on here, but they don't scan it as often as I tell them to

You can schedule AntiVir scans. Right-click the tray icon, choose "Start AntiVir," and go to Administration > Scheduler. There should be a "Complete system scan" in the window. Checkmark the "Activated" box and then right-click the job, Edit Job, and set a time for the scan to run daily. You might want to set it to "Invisible" mode so they can't cancel it.

Also, if you right-click the tray icon and choose "Configure AntiVir," you can switch on Expert Mode and there are quite a few options there. In General > Extended Threat Categories, definitely enable all the extended threat categories to include phish, pranks, and suspicious stuffs.
 

xSauronx

Lifer
Originally posted by: mechBgon
In the future, can I suggest (yes) setting them up a non-Administrator user account for daily-driver work if possible (meaning, DO IT unless they have software that cannot be persuaded to function in a Limited account, e.g. QuickBooks). And here are some more security suggestions to go with that.


In the present, what exactly did AntiVir and the other programs find? Can you name some malware names (look in AntiVir's quarantine)? And if there's anything important on the system, back it up as soon as you can, just in case things go from bad to worse. Email, contacts, favorites/bookmarks, files, etc.

they have AntiVir on here, but they don't scan it as often as I tell them to

You can schedule AntiVir scans. Right-click the tray icon, choose "Start AntiVir," and go to Administration > Scheduler. There should be a "Complete system scan" in the window. Checkmark the "Activated" box and then right-click the job, Edit Job, and set a time for the scan to run daily. You might want to set it to "Invisible" mode so they can't cancel it.

Also, if you right-click the tray icon and choose "Configure AntiVir," you can switch on Expert Mode and there are quite a few options there. In General > Extended Threat Categories, definitely enable all the extended threat categories to include phish, pranks, and suspicious stuffs.

Other than QuickBooks nothing should limit them. I don't recall most of the names; mostly it was tracking cookies from what I remember. a-squared found more of the same, and SuperAntiSpyware won't install in safe mode (a2 didn't give this error, meh).

The AntiVir scan found nada. The Ad-Aware quarantine manager report shows a long MRU list of recently opened files and such (nothing I do not recognize), a lot of tracking cookies, and:

ADWARE.180SOLUTIONS.SEEKMOSEARCHASSISTANT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[65]=File : C:\Documents and Settings\Jehu\Local Settings\Temp\1801D.tmp


Spybot found traces of toolbars and such (MyWebSearch, DittoSidebar) but they weren't on the installed list of software.

Here's my HJT log. At a glance nothing seems out of place, but I'm not entirely familiar with the program.

Logfile of HijackThis v1.99.1
Scan saved at 9:20:16 AM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/wi...ontrols/en/x86/client/wuweb_site.cab?1143201578046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/mi...ontrols/en/x86/client/muweb_site.cab?1143201656171
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users.WINDOWS\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

I'll have to get my mother to do a backup. Really the only important thing that gets done on here is her QuickBooks stuff, which she backs up weekly to give to her accountant anyway.

Otherwise it's used for my parents' personal email and some web browsing.
I'll start looking around and see if they still have the OEM system restore disk just in case :-/
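A first pass over a HijackThis log like the one above can be scripted. The following Python is an added example (not from the thread and not part of HijackThis): it parses the section-coded entry lines and flags what helpers look for by eye, namely targets that no longer exist, unnamed objects, O23 services with no publisher, and Run values that name an executable without a full path. The sample entries are a constructed subset copied from the log above, and a flag is a prompt to look closer rather than a verdict (the Java console and Spybot buttons in that log are unnamed but benign).

```python
import re

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Every HJT finding starts with a section code (R0-R3, O1-O23) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) pairs; header and 'Running processes' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return (section, reasons, body) for entries a reviewer should check first.
    These are the heuristics helpers apply by eye; a flag is a prompt, not a verdict."""
    flagged = []
    for section, body in parse_hjt(text):
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("dangling entry: target file is gone")
        if "(no name)" in body:
            reasons.append("unnamed object")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher")
        # A Run value with a bare file name is resolved through the search path.
        if section == "O4" and "] " in body and "\\" not in body.split("] ", 1)[1]:
            reasons.append("Run entry without a full path")
        if reasons:
            flagged.append((section, "; ".join(reasons), body))
    return flagged


if __name__ == "__main__":
    for section, reasons, body in triage(SAMPLE_LOG):
        print(f"{section}: {reasons}\n    {body}")
```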
 

corkyg

Elite Member | Peripherals
Super Moderator
If you can boot into SAFE MODE but not normally, odds are that your problem is a driver or drivers. The best way to tackle that is to use MSCONFIG. Boot into SAFE MODE and run MSCONFIG. Select Selective Start mode and edit the STARTUP list.

This reference is a good tutorial to follow. You can probably delete nearly all of the startup functions - the majority are not essential for computer or OS operation, but have been placed there by software/programs for their convenience. Sometimes they create conflicts.

Knowledge and use of MSCONFIG is basic computer 101 stuff.

MSCONFIG
 

xSauronx

Lifer
Originally posted by: corkyg
If you can boot into SAFE MODE but not normally, odds are that your problem is a driver or drivers. The best way to tackle that is to use MSCONFIG. Boot into SAFE MODE and run MSCONFIG. Select Selective Start mode and edit the STARTUP list.

This reference is a good tutorial to follow. You can probably delete nearly all of the startup functions - the majority are not essential for computer or OS operation, but have been placed there by software/programs for their convenience. Sometimes they create conflicts.

Knowledge and use of MSCONFIG is basic computer 101 stuff.

MSCONFIG

I've run msconfig dozens of times on my parents' other computers, where they both install so much crap that begins at startup that their systems regularly come to a crawl. They don't do that on the work computer so badly; mostly stuff that happens on this machine has been from email or browsing.

The startup list on this machine is almost pristine compared to their home units, and while they did have stuff I don't like at startup (QuickTime, iTunes helper, something else), I long ago stopped those, well before this problem occurred.

I guess I didn't mention that I did it because there was nothing that looked funny on it when I checked it out last week after the problem began.

I'm running F-Secure online scanner on the system now. I couldn't install Super, so I wanted to run at least one more scan from something.

As for the msconfig startup list: jesus tapdancing christ, that's a huge list.

Edit: F-Secure shows these:
AdWare.Win32.Agent (spyware)
* System
FraudTool.Win32.DriveCleaner (spyware)
* System
Tracking Cookie (spyware)
* System