
I can't get into Windows XP in Normal Mode

Discussion in 'Virus & Other Malware Removal' started by morin, Mar 29, 2010.

Thread Status:
Not open for further replies.
  1. morin

    morin Thread Starter

    Joined:
    Mar 29, 2010
    Messages:
    3
    After the Windows XP (SP2, Home) loading screen, all I see is a blank black screen, with no mouse pointer visible. I'm suspecting it's a trojan or something, or maybe a faulty Windows update. I've been updating my computer these past few days, but the popular MS01-015 (KB977165) didn't affect my system; it wasn't infected with Alureon, and after installation it booted fine. The only things I didn't install were Windows XP SP3 and Office SP3, because it requires my Office 2002 CD, which I don't have. Now I'm not entirely sure if my younger sister restarted this computer without installing those. Anyway, she was the one who last used it. She said the computer hung when she was using some Facebook profile styler/changer or whatever; I heard her say "torrent".

    Anyway, in CCleaner I saw some faulty .NET Framework 1.0 registry keys and missing shared DLLs; I don't know if this had something to do with it?

    I can't install Msi's in Safe Mode (with Networking): "The system administrator has set policies to prevent this installation." Problem is, I'm the administrator.

    I have AVG 8.5 with updated definitions, and SUPERAntiSpyware. AVG detected nothing; what SAS detected in Safe Mode was "Rogue.SystemSecurity" (usrsta.exe). I tried booting again but it failed; I can't launch XP in Normal Mode or with "Recent Settings that Worked". After updating SAS's definitions I tried scanning again, and it found "Unclassified.Unknown Origin", registry keys in Windows/CurrentVersion/Ext/Stats. I'm installing a-squared Free as of now... and will try restarting.

    Here is my HJT Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:17:55 PM, on 03/29/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    H:\WINDOWS\System32\smss.exe
    H:\WINDOWS\system32\winlogon.exe
    H:\WINDOWS\system32\services.exe
    H:\WINDOWS\system32\lsass.exe
    H:\WINDOWS\system32\svchost.exe
    H:\WINDOWS\system32\svchost.exe
    H:\WINDOWS\Explorer.EXE
    H:\Documents and Settings\ISAC ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\ISAC ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\ISAC ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\ISAC ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\ISAC ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\ISAC ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    H:\WINDOWS\system32\mdm.exe
    H:\Documents and Settings\ISAC ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\DOCUME~1\ISACAD~1\LOCALS~1\Temp\SSUPDATE.EXE
    H:\WINDOWS\system32\wpmon.exe
    H:\Documents and Settings\ISAC ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\ISAC ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\ISAC ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\ISAC ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\ISAC ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\ISAC ADMIN\Application Data\mjusbsp\magicJack.exe
    H:\Program Files\a-squared Free\a2free.exe
    H:\WINDOWS\system32\notepad.exe
    H:\Documents and Settings\ISAC ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    H:\Program Files\Orbitdownloader\orbitdm.exe
    H:\Program Files\Orbitdownloader\orbitnet.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - H:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: Brothersoft Toolbar - {e8de9422-3b2c-4243-bf6f-235da84d8ef8} - H:\Program Files\Brothersoft\tbBrot.dll
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - H:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - H:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - H:\Program Files\Xi\NetXfer\NXIEHelper.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - H:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: Brothersoft Toolbar - {e8de9422-3b2c-4243-bf6f-235da84d8ef8} - H:\Program Files\Brothersoft\tbBrot.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - H:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - H:\Program Files\Orbitdownloader\GrabPro.dll
    O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - H:\Program Files\Xi\NetXfer\NXToolBar.dll
    O3 - Toolbar: Brothersoft Toolbar - {e8de9422-3b2c-4243-bf6f-235da84d8ef8} - H:\Program Files\Brothersoft\tbBrot.dll
    O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [igfxtray] H:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] H:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] H:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [WPMon] H:\WINDOWS\system32\wpmon.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "H:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "H:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [LVCOMSX] H:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [AVG8_TRAY] H:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "H:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Google Desktop Search] "H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [4shared Update] "H:\Program Files\4shared Desktop\checkUpdate.exe"
    O4 - HKCU\..\Run: [NetXfer] "H:\Program Files\Xi\NetXfer\NetTransport.exe"
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "H:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [AdobeUpdater] "H:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [cdloader] "H:\Documents and Settings\ISAC ADMIN\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
    O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Google Update] "H:\Documents and Settings\ISAC ADMIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [4shared Desktop] "H:\Program Files\4shared Desktop\desktop.exe" "startup"
    O4 - HKCU\..\Run: [Yahoo! Pager] "H:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: MagicDisc.lnk = H:\Program Files\MagicDisc\MagicDisc.exe
    O8 - Extra context menu item: &Download all 4shared files - H:\Program Files\4shared Desktop\down_all.htm
    O8 - Extra context menu item: &Download by Orbit - res://H:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Download using 4shared Desktop - H:\Program Files\4shared Desktop\down_link.htm
    O8 - Extra context menu item: &Grab video by Orbit - res://H:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Append to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://H:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://H:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: Download all by NetXfer - H:\Program Files\Xi\NetXfer\NXAddList.html
    O8 - Extra context menu item: Download by NetXfer - H:\Program Files\Xi\NetXfer\NXAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - H:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - H:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://H:\Program Files\Jewel Quest 2 & Jewel Quest 3 Bundle\Images\stg_drm.ocx
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://H:\Program Files\Bejeweled 2\Images\armhelper.ocx
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - H:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: H:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - H:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - H:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - H:\WINDOWS\system32\ASTSRV.EXE
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - H:\WINDOWS\system32\Brmfrmps.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - H:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: ProtexisLicensing - Unknown owner - H:\WINDOWS\system32\PSIService.exe
    O23 - Service: Sandboxie Service (SbieSvc) - tzuk - H:\Program Files\Sandboxie\SbieSvc.exe

    --
    End of file - 14417 bytes

    Sorry to be a pain, hehe, I can't really understand what caused this on my computer.
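The HijackThis log above is the kind of listing a malware-removal helper reads to decide what to ask about first. The Python script below is an added example, not code from this thread, from HijackThis, or from any of the tools named in it. It parses lines in the format shown (the "Running processes" paths and the R/O-numbered entries), extracts the executable path from each running-process, O4, O20 and O23 entry, and flags what a helper checks first: binaries running from a per-user Temp folder, autoruns that name a bare file which Windows resolves through the PATH search, services with no publisher name, and executables in a randomly-named subfolder of system32. The sample lines are constructed for the example: most are copied from the log above, and the last autorun entry is made up from the system32\f29931 path that the second post names, so that the subfolder rule has something to fire on.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One HijackThis entry: "O4 - HKLM\..\Run: [name] path", "O23 - Service: ...", "R0 - ..."
ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First Windows path that ends in a file extension; non-greedy so "Acrobat 8.0" does not end it.
WIN_PATH = re.compile(r'[A-Za-z]:\\.+?\.[A-Za-z0-9]{2,4}(?=["\s/]|$)')
# Per-user temp directory, in long or 8.3 (LOCALS~1) form.
TEMP_DIR = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# A file exactly one subfolder below system32; captures the subfolder name.
SYS32_SUB = re.compile(r"\\system32\\([^\\]+)\\[^\\]+$", re.IGNORECASE)
# Heuristic for auto-generated folder names: letters and digits only, at least one digit.
RANDOMISH = re.compile(r"^(?=.*\d)[A-Za-z0-9]{5,}$")


@dataclass
class Finding:
    line: str
    path: Optional[str]
    reasons: List[str]


def extract_path(text: str) -> Optional[str]:
    m = WIN_PATH.search(text)
    return m.group(0) if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; returns None for lines that carry no entry."""
    line = line.strip()
    m = ENTRY.match(line)
    if m:
        kind, body = m.group("kind"), m.group("body")
    elif re.match(r"^[A-Za-z]:\\", line):
        kind, body = "PROC", line            # a "Running processes" line is a bare path
    else:
        return None
    path = extract_path(body)
    reasons: List[str] = []
    if kind == "O4" and path is None:
        reasons.append("autorun names a bare file; Windows finds it by PATH search, so verify where it lives")
    if path and TEMP_DIR.search(path):
        reasons.append("executable runs from a per-user Temp directory")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no publisher name")
    if path:
        sub = SYS32_SUB.search(path)
        if sub and RANDOMISH.match(sub.group(1)):
            reasons.append(f"file sits in system32 subfolder '{sub.group(1)}', a random-looking name")
    return Finding(line, path, reasons)


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that raised at least one flag."""
    findings = (triage_line(line) for line in log_text.splitlines())
    return [f for f in findings if f is not None and f.reasons]


# Constructed sample: lines copied from the posted log, plus one made-up O4 entry
# (the last one) built from the system32\f29931 path the second post mentions.
SAMPLE_LOG = r"""
Running processes:
H:\WINDOWS\System32\smss.exe
H:\DOCUME~1\ISACAD~1\LOCALS~1\Temp\SSUPDATE.EXE
H:\WINDOWS\system32\wpmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [WPMon] H:\WINDOWS\system32\wpmon.exe
O20 - AppInit_DLLs: H:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
O23 - Service: ProtexisLicensing - Unknown owner - H:\WINDOWS\system32\PSIService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - H:\Program Files\Sandboxie\SbieSvc.exe
O4 - HKLM\..\Run: [com] H:\WINDOWS\system32\f29931\com.run
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.path or finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

Run on the sample, it reports four entries (the Temp-resident SSUPDATE.EXE, the bare SkyTel.EXE autorun, the ProtexisLicensing service with no owner, and the constructed f29931 entry) and stays silent on the IME, wpmon, AppInit and Sandboxie lines. The rules are deliberately narrow: they point a helper at what to look up, they do not decide what is malicious, and the random-name check only fires one level below system32 so that legitimate nested directories such as system32\IME\TINTLGNT are not reported.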
     
  2. morin

    morin Thread Starter

    Joined:
    Mar 29, 2010
    Messages:
    3
    So a-squared detected WIN32.SuspectCrc!IK (drive:/windows/system32/f29931/krnln.fnr) and HackTool.Win32.Patcher!IK (drive:/windows/system32/f29931/com.run), and I restarted.

    Problem solved!
     
Short URL to this thread: https://techguy.org/913273