
pc restarts after login, cant boot to safe mode

Discussion in 'Malware and Virus Removal Archive' started by damaged, 2005/02/25.

Thread Status:
Not open for further replies.
  1. 2005/02/25
    damaged

    damaged Inactive Thread Starter

    Joined:
    2005/02/25
    Messages:
    7
    Likes Received:
    0
    I really need some help from someone. I'm using XP pro. I was surfing earlier minding my business when a ton of spyware/malware just seemed to install out of nowhere. It changed my homepage and ran some XXX thing and popups etc... So I ran Spy Sweeper to try to get rid of it and about halfway through my computer just restarted out of the blue. So I let it load back up, logged on, and as soon as my desktop started to load it restarted again, and now it restarts every time. My first thought was to run chkdsk. No help. So my second thought was try Safe mode, but as it started to load it got stuck and hung at "agp440.sys" and wouldn't load. I did a search and found someone said to disable it through the recovery console of my XP cd and it should load. Did that and now it gets stuck at "tdi.sys" and won't load! So now I'm stuck without being able to boot normally or into safe mode to do anything at all and I don't know what is causing the problem. Is there a way on the XP cd to compare all files to see if something has been corrupted and if so repair it? That's the only thing I can think to do right now. Please Help!!
     
  2. 2005/02/25
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello damaged,

    You have so many problems at this point that I would do a clean re-install of the OS. Each problem gets in the way of solving another one and the time taken to do so IMO would be better spent in recreating your system. Wait to see what others have to say, but any fix procedure is going to be time consuming and at the end you won't know whether the malware is gone.

    Clean install of Pro how to: http://www.theeldergeek.com/xp_pro_install_-_graphic.htm

    Afterwards take the time to learn how to protect yourself from this kind of attack. I don't know what kind of protection you have now, but it's clearly inadequate. First and foremost, disable ActiveX, it's one of the biggest holes in the IE.

    Regards - Charles
     

  4. 2005/02/25
    Not_a_quitter

    Not_a_quitter Inactive

    Joined:
    2005/02/07
    Messages:
    56
    Likes Received:
    0
    Looks like ur system files are not happy.
    Hardware/driver problem?
    have u tried :
    -booting in "last known good configuration "?
    -checked the ram stick(s)?
    -U say u've run chkdsk : was it through the recovery console?
    -Have u just downloaded sp2 and if so, are ur BIOS/drivers up to date?
    -starting the comp with the minimum hardware required (and no keyboard nor mouse)?

    Malwares :
    -Do u have another comp in which u could put that HD as slave and check for viruses&adwares? (and at the same time see if the HD itself hasn't got pbs)
    In those desperate cases it wud be helpful. Or run an antivirus/malware scanner from a stand-alone system on a CD like BartPe. But creating that CD is gonna take u more time than repairing ur xp installation.
     
  5. 2005/02/25
    damaged

    damaged Inactive Thread Starter

    Joined:
    2005/02/25
    Messages:
    7
    Likes Received:
    0
    I fixed it! I was going through the recovery console commands and figured just for the heck of it I'd try chkdsk again with the /r switch. It took awhile and when it finished I tried to boot into safe mode again and it actually booted for some reason instead of hanging on 'tdi.sys'. I proceeded to run Spy Sweeper and about halfway through, just like before, it got to a certain point and the comp restarted. Tried to boot into safe mode again and it hung again. So I ran chkdsk /r again and booted into safe mode again no problems. I ran Spy Sweeper til it found about 30 items and stopped it and cleaned those items and voila I could boot normally again. Last, I went back into the recovery console and re-enabled 'agp440.sys'. So thank you guys who tried to help and am glad I didn't do a clean install right off the bat. And thanks to anyone else who might have tried to help. These forums are a valuable resource.

    In regards to the protection I use, Spy Sweeper and Kaspersky Anti Virus usually do a good job of protecting me from unwanted c.r.a.p but for some reason I just realized my AV has been set to disabled for the past week or this probably wouldn't have happened.

    Thanks again and hope this helps someone else if they ever need it.
     
  6. 2005/02/26
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi damaged,

    Great that you were able to boot again. But I don't think you're out of the woods quite yet.

    Use other anti-malware scanners to check Spy Sweeper, MS Anti-Spyware for instance - link here http://www.windowsnewsletter.com/current-issue.html

    Also think about prevention: http://www.infinisource.com/techfiles/surf-safe.html While KAV is probably the best AV to catch trojans, shouldn't rely only on it.

    "In regards to the protection I use, Spy Sweeper and Kaspersky Anti Virus usually do a good job of protecting me from unwanted c.r.a.p but for some reason I just realized my AV has been set to disabled for the past week"

    How did it get disabled?

    Regards - Charles
     
  7. 2005/02/27
    damaged

    damaged Inactive Thread Starter

    Joined:
    2005/02/25
    Messages:
    7
    Likes Received:
    0
    You are right charlesvar, unfortunately I'm not out of the woods yet. A short while after fixing I was trying to get my system as clean as possible and it happened again. I went through all the steps I outlined before and was able to boot again without it restarting, but now for some reason I have no internet at all. I checked all the services running and it seems everything that should be is. There are also a few other problems like not being able to access the internet options through IE (says restrictions are in effect, even though I deleted that particular reg entry). I really really don't want to have to do a clean install because I have quite a lot of stuff installed and set up how I like it and that would be horrible. I'm out of ideas though as to why I cannot access the internet now though. I wish there was a way to compare files from the xp disc in case something important got deleted along the way.

    I believe the thing that is causing all this trouble is a spy/malware called specific911 and from what I've read it's a real pain to fully remove.

    Please respond if you think of something else I might try. Thanks.

    P.S. I would just do a system restore, but of course about a week ago I turned it off because a program was constantly making restore points. Now they are all gone.
     
  8. 2005/02/27
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Damaged,

    "I really really don't want to have to do a clean install because I have quite a lot of stuff installed and set up how I like it and that would be horrible."

    Ok, then give repairing the installation a shot, first the least invasive:

    Start > Run > type cmd > ok (opens the command box) > type sfc /scannow at the blinking cursor

    sfc - system file checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

    If you want to see what was replaced, right click My Computer > manage, expand event viewer > system.

    The second, a repair of the installation:
    http://www.michaelstevenstech.com/XPrepairinstall.htm

    Afterwards, if this works, then download HiJackThis v199.1 from here: http://radiosplace.com/

    Download it to its own folder, for example C:\HijackThis - unzip (double click on zipped folder) - click on the executable - click scan button - click save log and save to the folder you just created *DO NOT FIX ANYTHING* - copy resultant .txt file and paste into your next post.

    One of the Mods will then move this thread to the Security area for log analysis by one of the security experts.

    Regards - Charles
     
    Last edited: 2005/02/27
  9. 2005/02/27
    damaged

    damaged Inactive Thread Starter

    Joined:
    2005/02/25
    Messages:
    7
    Likes Received:
    0
    Hi charlesvar, thanks for responding.

    I tried the sfc /scannow and it completed but I'd say about 12 times during the scan it asked me for a XP SP1 disk, which I do not have. I rebooted and still can't get online. I've checked all the network connections and everything is reported as working properly, and the connection is working on my other two comps.

    I will try to do the repair install now and let you know the results. Thanks

    EDIT: I was going through the event viewer and there was a failure security audit for "IP Sec Services" saying it could not get a complete list of network interfaces on the machine, and to run the IP Sec monitor snap-in to troubleshoot. This happens at startup every time and I see that tcp/ip is dependent on this service. Could this be why I have no internet? How do I run the "IP Sec Monitor snap-in"?
     
    Last edited: 2005/02/27
  10. 2005/02/27
    damaged

    damaged Inactive Thread Starter

    Joined:
    2005/02/25
    Messages:
    7
    Likes Received:
    0
    Ok I still have no internet after the repair install. Here is the Hijack This Logfile (same as it was before the new install):

    Logfile of HijackThis v1.99.1
    Scan saved at 3:22:52 PM, on 02/27/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Sony\Giga Pocket\usbsircs.exe
    C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
    C:\Program Files\Sony\Giga Pocket\gps.exe
    C:\Program Files\Opera7\opera.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Documents and Settings\Scott\Desktop\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://specific911.com/_start/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://specific911.com/_start/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://specific911.com/_start/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://specific911.com/_start/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://specific911.com/_start/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://specific911.com/_start/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://specific911.com/_start/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://specific911.com/_start/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://specific911.com/_start/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://specific911.com/_start/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://specific911.com/_start/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://specific911.com/_start/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 68.5.118.79:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\dapiebar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
    O4 - HKLM\..\RunServices: [CMD] cmd32.exe
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\PROGRA~1\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: initovl.exe.lnk = C:\Program Files\Sony\Giga Pocket\initovl.exe
    O4 - Startup: usbsircs.exe.lnk = C:\Program Files\Sony\Giga Pocket\usbsircs.exe
    O4 - Startup: ReserveModule.exe.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Leech It - C:\Documents and Settings\Scott\Desktop\Leech.htm
    O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
    O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: SYSTRAN: &Clear Translation Cache - C:\Program Files\Systran\Premium\menuClearCache.html
    O8 - Extra context menu item: SYSTRAN: &Options - C:\Program Files\Systran\Premium\menuConfigure.html
    O8 - Extra context menu item: SYSTRAN: &Register - C:\Program Files\Systran\Premium\menuRegister.html
    O8 - Extra context menu item: SYSTRAN: &Translate - C:\Program Files\Systran\Premium\menuTranslate.html
    O8 - Extra context menu item: SYSTRAN: Check for &Updates - C:\Program Files\Systran\Premium\menuUpdate.html
    O8 - Extra context menu item: SYSTRAN: Translate All &Frames - C:\Program Files\Systran\Premium\menuTranslateAll.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
    O9 - Extra button: @sysiecom.dll,-2100 - {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuTranslate.html (file missing)
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2102 - {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuTranslate.html (file missing)
    O9 - Extra button: @sysiecom.dll,-2103 - {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuTranslateAll.html (file missing)
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2105 - {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuTranslateAll.html (file missing)
    O9 - Extra button: @sysiecom.dll,-2115 - {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuConfigure.html (file missing)
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2117 - {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuConfigure.html (file missing)
    O9 - Extra button: (no name) - {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuClearCache.html (file missing)
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2108 - {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuClearCache.html (file missing)
    O9 - Extra button: (no name) - {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuRegister.html (file missing)
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2111 - {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuRegister.html (file missing)
    O9 - Extra button: (no name) - {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuUpdates.html (file missing)
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2114 - {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - C:\Program Files\Systran\Premium\MenuUpdates.html (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .exe: C:\Program Files\Opera7\PLUGINS\NPFgc1.dll
    O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
    O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .rar: C:\Program Files\Opera7\PLUGINS\NPFgc1.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .ZIP: C:\Program Files\Opera7\PLUGINS\NPFgc1.dll
    O13 - DefaultPrefix:
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.iframedollars.biz
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.iframedollars.biz (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted IP range: 213.159.117.202
    O15 - Trusted IP range: 213.159.117.202 (HKLM)
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
    O23 - Service: service - Unknown owner - C:\WINDOWS\SERVICE.EXE (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: SystemSuite Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
     
  11. 2005/02/27
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    damaged

    Just a note to second a clean install as charlesvar's original post suggested.
     
  12. 2005/02/28
    damaged

    damaged Inactive Thread Starter

    Joined:
    2005/02/25
    Messages:
    7
    Likes Received:
    0
    Well yes that is the last resort but the only problem now is that my connection isn't working. When I try to disable and reenable it it says "limited or no connectivity". I have tried a lot of the things mentioned in the other threads on that but none have worked. However, surely there must be a way to find out what is causing this, rather than erasing the whole thing and starting over from scrap. I'm not ready to go down that road just yet.
     
  13. 2005/02/28
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    Perhaps this is a clue to your internet problem. tdi.sys is a file related to networking and from the little bit of searching I've done on it, it appears your internet connection won't work if the file happens to be missing or corrupt. The fact that the boot process stopped when trying to load it makes me wonder. Have a look and see if you have the file in your windows\system32 folder. If it's there, perhaps it's one of the files sfc flagged as missing or corrupt. You could have a look in your event viewer to see what sfc came up with. Don't know if it shows you the name of the files or not but it may. Does anybody else know?

    You could try replacing the file with one from another computer that's running XP. If you do this make sure it's the same version of XP that you're using (home, pro, sp1, sp2 etc.) I don't know if that will get it working or not because apparently you have other files sfc wanted to replace. They could be related too. If all you have is a restore disk, perhaps you could borrow an XP disk from somebody to use to run sfc with. If you had a disk of your own the easiest solution would probably be to do a repair install but if you have an OEM puter more than likely you can't do this using a regular windows cd. If, in the end, it comes down to having to format and start over there's a couple things you could try as you'd have nothing to lose anyway. If you haven't installed service pack 2 yet perhaps you could try installing it. It would most likely replace the files that are missing or corrupt and may get you going again. If you've already installed SP2 perhaps you could try uninstalling it, then reinstall it and see what happens. You could even give the internet a try before reinstalling SP2. Generally, I wouldn't suggest updating the OS to try to fix a problem but if, as I said, it comes down to formatting, you've got nothing to lose. If you do this, be sure to back up all of your goodies first, just in case.
     
  14. 2005/02/28
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    In this particular case I have to ride the same train going in the same direction as charlesvar and sparrow

    There is something in there that keeps repeating/restarting itself and causing problems.

    You fix it. It unfixes it.

    yes guys it is really me.

    And when you get all done again I would suggest installing Microsoft AntiSpyware.

    BillyBob
     
  15. 2005/02/28
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I would also suggest that you load up XP SP2. Which it appears you do not have when I see that it is asking for SP1.

    Also make sure you keep up on Windows Critical updates.

    BillyBob
     
  16. 2005/02/28
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Actually what should happen is that this thread should be moved to the Security section so that the malware can be worked on.

    Regards - Charles
     
  17. 2005/02/28
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    Well, I have to admit I never really took that close a look at the hijack this log. I can see right off the top that you don't want all those sites listed in the trusted zone. Hmmm. Maybe it would be best to get that mess cleaned up first but I would be willing to bet that the internet still won't work.

    Also, since it appears that you've run some programs in an effort to get rid of the junk, it's possible your winsock got broke in the process. It might not hurt to try running LSP fix before doing this other stuff. If, once you recovered from the original crash, you had internet access and then lost it after running the spyware removal tools, the LSP fix may fix it for you. If you never had access right from the beginning, I have my doubts.

    Nice catch BillyBob. ;)
     
    Last edited: 2005/02/28
  18. 2005/02/28
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    I've been doing some searching on your hijack this log and from what I see it would be better to get it cleaned up before you get connected to the internet again. I hesitate to tell you what to remove and what not to remove because I don't do enough of this to really feel comfortable doing so. If it was my system or if I was there where I could see the system I'd do it but under the circumstances I think it's best that somebody who does this on a regular basis has a look at it.

    For one thing you have a virus. Quite a nasty one at that. In the O4 section in the hijack this log you'll see this.

    O4 - HKLM\..\RunServices: [CMD] cmd32.exe

    cmd32.exe is it. You can have a look here to find out about it. Note at the very bottom it says this.
    You'll have to be the judge on this. If this thread doesn't get moved shortly or if one of the guys that does this on a regular basis doesn't see it here you should post a copy of the hijack this log in the Removing Spyware & Viruses forum. If you do this, it wouldn't hurt to put a link in your post pointing to this thread. Also, if you've already done a virus check, and scanned for spyware etc., you should let them know this. Also, it wouldn't hurt to tell them the programs you've used to do this. I'll keep an eye out and follow this thread in case I can be of any use.
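
The first-pass reading of a HijackThis log that the replies above do by eye (Trusted Zone entries, the pathless `cmd32.exe` autostart, the policy restrictions), written out as an added Python example; it is not part of the original thread and not a HijackThis feature. The function names and the review rules are assumptions of this example, the sample lines are copied from the log posted earlier in the thread, and a flagged entry means "look closer", not "remove".

```python
import re
from collections import Counter

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://specific911.com/_start/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://specific911.com/_start/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 68.5.118.79:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 213.159.117.202
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O23 - Service: service - Unknown owner - C:\WINDOWS\SERVICE.EXE (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^[^:]+: \[[^\]]*\] (?P<cmd>.+)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse(log_text):
    """Return (section code, body) pairs; header and process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def r_value(body):
    """Value to the right of ' = ' in an R-section entry ('' if there is none)."""
    return body.partition(" = ")[2].strip()


def review_reasons(code, body):
    """Heuristic reasons (assumptions of this example) to look closer at one entry."""
    reasons = []
    if code in ("R0", "R1"):
        value = r_value(body)
        if "ProxyServer" in body and value:
            reasons.append("IE proxy is set, so browsing goes through that host")
        elif IP_RE.search(value):
            reasons.append("browser page points at a bare IP address")
    elif code == "O4":
        m = O4_RE.match(body)
        # No directory in the command: Windows resolves it via the search path.
        # Legitimate entries do this too, so this prompts a check, not a verdict.
        if m and "\\" not in m["cmd"]:
            reasons.append("autostart command has no full path")
    elif code == "O6":
        reasons.append("IE policy key present that restricts Internet Options")
    elif code == "O15":
        reasons.append("site or IP range added to the IE Trusted zone")
    elif code == "O20":
        reasons.append("DLL registered under Winlogon Notify")
    elif code == "O23":
        if "(file missing)" in body:
            reasons.append("service points at a file that no longer exists")
        if "Unknown owner" in body:
            reasons.append("HijackThis reports no owner for the service binary")
    return reasons


def triage(log_text, repeat_threshold=3):
    """Return (code, body, reasons) for every entry with at least one reason."""
    entries = parse(log_text)
    # One URL written into many browser settings is the hijack pattern in this log.
    seen = Counter(r_value(b) for c, b in entries if c.startswith("R"))
    findings = []
    for code, body in entries:
        reasons = review_reasons(code, body)
        value = r_value(body) if code.startswith("R") else ""
        if value and seen[value] >= repeat_threshold:
            reasons.append(f"same value written to {seen[value]} browser settings")
        if reasons:
            findings.append((code, body, reasons))
    return findings


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code:4} {body}\n       -> " + "; ".join(reasons))
```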
     
  19. 2005/02/28
    damaged

    damaged Inactive Thread Starter

    Joined:
    2005/02/25
    Messages:
    7
    Likes Received:
    0
    Ok first thanks to everyone who has replied.

    Since the thread hasn't been moved yet I went ahead and fixed some of the things in HJT (only the ones I knew to be bad). That seems to have gotten rid of the malware problems, but still no internet. One revelation though is that I started my computer in Safe Mode w/Networking and the internet works fine in there. Someone who knows more than I do might be able to get something from that fact. I just updated my AV defs and am running a full scan now from safe mode. Also, I do have SP1 and 2 installed, it's just the sfc was asking for a SP1 disk because some of those files must have been corrupted. I am getting that now and will run it again to fix them. I'll try the winsock fix too when it is done, but I remember looking around in some settings and it said winsock was running fine. Thanks again and I'll keep you all updated.

    Also, here is what the new HJT Log looks like (ran from safe mode, not sure if that makes a difference):

    Logfile of HijackThis v1.99.1
    Scan saved at 4:18:13 PM, on 2/28/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    C:\Documents and Settings\Scott\Desktop\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\dapiebar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
    O9 - Extra button: @sysiecom.dll,-2100 - {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2102 - {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: @sysiecom.dll,-2103 - {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2105 - {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: @sysiecom.dll,-2115 - {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2117 - {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2108 - {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2111 - {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2114 - {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .exe: C:\Program Files\Opera7\PLUGINS\NPFgc1.dll
    O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
    O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .rar: C:\Program Files\Opera7\PLUGINS\NPFgc1.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .ZIP: C:\Program Files\Opera7\PLUGINS\NPFgc1.dll
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: SystemSuite Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
     
    Last edited: 2005/02/28
  20. 2005/02/28
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Damaged,

    Sorry about you not getting more help.

    One more piece of advice, get yourself drive imaging software, something like Ghost or Acronis. That way you would have solved this problem in a few hours, not days.

    Anyway, keep us posted.

    Regards - Charles
     
    Last edited: 2005/02/28
  21. 2005/02/28
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    damaged

    If you insist on trying to clean up the machine rather than reinstall, here's what I'd suggest.
    Keep System Restore turned off. Remove cookies, and all files in the windows\temp and prefetch folders and the temp folder in your docs\settings\path.
    Then boot to safe mode and with all other windows closed, rerun hijackthis and check these for removal. Then delete the highlighted files. You may need to run move-on-boot to get them all.

    Maybe paste this into notepad so it's available in safe mode.
    ---------------------------------------------------------------------
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
    O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\dapiebar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
    O9 - Extra button: @sysiecom.dll,-2100 - {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2102 - {703436F1-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: @sysiecom.dll,-2103 - {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2105 - {703436F2-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: @sysiecom.dll,-2115 - {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2117 - {703436F3-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2108 - {703436F4-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2111 - {703436F5-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: @sysiecom.dll,-2114 - {703436F6-3E1F-11d3-8F6B-00105A2A1D59} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .exe: C:\Program Files\Opera7\PLUGINS\NPFgc1.dll
    O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
    O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .rar: C:\Program Files\Opera7\PLUGINS\NPFgc1.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .ZIP: C:\Program Files\Opera7\PLUGINS\NPFgc1.dll
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: SystemSuite Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe

    Some of the BHOs may need to be reinstalled later if you really want them. Personally, I don't use any. There's no way to tell if they're infected, so I think you should just delete them.

    good luck.

    You have sp2 now; make sure the firewall is turned on!
     
    Last edited: 2005/02/28
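Added example, not part of any post in this thread: a small Python check that compares a HijackThis log against a removal list like the one above and reports which entries the list leaves in place, plus any fix-list lines that do not match the log. The function names are hypothetical, and the sample lines are a short excerpt of the two logs posted in this thread.

```python
import re
from collections import defaultdict

# An HJT entry is "<section code> - <detail>"; header and process lines are skipped.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

# Excerpt of the poster's log and of the removal list from this thread.
FULL_LOG = r"""
C:\WINDOWS\system32\lsass.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""
FIX_LIST = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""

def parse_entries(text):
    """Return (code, detail) for every entry line, with whitespace runs collapsed."""
    matches = (ENTRY_RE.match(line) for line in text.splitlines())
    return [(m.group(1), " ".join(m.group(2).split())) for m in matches if m]

def _key(entry):
    # Windows paths and CLSIDs are case-insensitive, so compare in lower case.
    return (entry[0], entry[1].lower())

def remaining_after_fix(full_log, fix_list):
    """Group by section code the log entries that the fix list leaves in place."""
    to_fix = {_key(e) for e in parse_entries(fix_list)}
    kept = defaultdict(list)
    for entry in parse_entries(full_log):
        if _key(entry) not in to_fix:
            kept[entry[0]].append(entry[1])
    return dict(kept)

def unmatched_fixes(full_log, fix_list):
    """Fix-list entries with no counterpart in the log (stale or mistyped lines)."""
    present = {_key(e) for e in parse_entries(full_log)}
    return [e for e in parse_entries(fix_list) if _key(e) not in present]

if __name__ == "__main__":
    print(remaining_after_fix(FULL_LOG, FIX_LIST), unmatched_fixes(FULL_LOG, FIX_LIST))
```

Running the same comparison on a fresh log taken after the fix shows whether any removed entry has come back.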