Solved

Win XP home pc in bad shape..How to fix? 500 points awarded..

Posted on 2007-04-01
539 Views
Last Modified: 2013-11-22
My home pc (windows xp professional) is in bad shape. Some malware or trojan has gotten into it. Can experts give me direction as to how to fix this?

We ran Hijackthis and removed all the unwanted entries from registry. Ran Adaware (free version) and removed the critical objects. Ran spybot and removed the critical ones.

But now when we restart in normal mode, desktop screen comes up and later, blue screen with message "Problem has been detected and windows has been shutdown to prevent damage".

We are still able to start the pc in safe mode with networking. Login as administrator, then we can run hijackthis etc..

My question is how can we restore the pc? Do I have to reinstall XP? Can we reinstall XP without losing any of the local datafiles? Or is everything already in pc wiped out? Do I have to reformat the harddrive?

Thanks, really need some direction here..
Question by: LubomirMasar

13 Comments

Accepted Solution by: younghv (LVL 38), earned 250 total points

Below is the Full Monte on XP Repair.
A lot of reading, but worth it.

Before trying another repair, download and run SuperAntispyware in Safe Mode:

Download and install Superantispyware
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
Load Superantispyware and click the "check for updates" button.
Re-boot into "Safe Mode" (tap the F8 key during boot cycle and select 'Safe Mode').

* Start Superantispyware.
Click the "scan your computer" button.
Check "Perform Complete Scan" and then next.
Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
Make sure that they all have a check next to them and press next.
Click finish and you will be taken back to the main interface.
Click "Preferences" and then click the "statistics/logs" tab. Click the dated log and press view log and a text file will appear.



XP REPAIR

Insert the Windows XP CD in your drive. Reboot the computer and press "del" (or F2 or F10, or whatever key combo gets you in) to enter the BIOS setup. Look for the boot order of your drives (usually under Advanced Settings). Change the order so that the CD drive is the first boot device. Save and exit.

As the machine reboots this time it will find a bootable CD and prompt you to press any key to boot from the CD. Press a key. XP setup will now start to load - takes a little time before it requires input from you.

Once setup is ready it will prompt you to press 'R' to enter the recovery console or 'Enter' to continue installing Windows. We don't want the Repair Console here so just press Enter. Setup will then prompt you to accept the EULA by pressing F8. Press F8.

The next screen will show you the partition[s] available and will inform you that Windows is installed (usually on the C: drive). At this screen you will have an option to press 'R' to repair the current installation. Press 'R' and setup will then take over and do the necessary work.
After you perform an in-place upgrade or repair installation, you must reinstall all updates to Windows.
Here are a couple of Microsoft Knowledge Base articles you should read which concern possible data loss when you reinstall/repair XP:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;312369
You May Lose Data or Program Settings After Reinstalling, Repairing, or Upgrading Windows XP

http://support.microsoft.com/default.aspx?scid=kb;EN-US;312368
Data Loss May Occur After Reinstalling, Repairing, or Upgrading Windows XP

Note that, from the above articles, the problem of data loss if your Windows XP was installed by the OEM (Original Equipment Manufacturer) has been corrected if your Windows XP has Service Pack 1 installed.


This is another excellent article on how to perform an XP repair:

http://www.michaelstevenstech.com/XPrepairinstall.htm

Visit http://www.informationweek.com/authors/showAuthor.jhtml?authorID=1111&headParams=fredlanga&subSection=Fred+Langa&section=windows

And check out the following articles.

Langa Letter: XP's No-Reformat, Nondestructive Total-Rebuild Option
InformationWeek, June 19, 2006
Fred Langa shows you how to completely rebuild, repair, or refresh an existing XP installation without losing data, and without having to reinstall user software, reformat, or otherwise destructively alter the setup.

Langa Letter: The OS Inside The OS
InformationWeek, April 30, 2006
Fred Langa shows how a simple tweak turns XP's low-level Recovery Console into a complete, standalone mini-operating system--in effect, an XP DOS!

Langa Letter: XP's Little-Known 'Rebuild' Command
InformationWeek, April 17, 2006
There's an easy fix for "Missing HAL.DLL," "Invalid Boot.Ini," and several other fatal startup errors, Fred Langa says.

How to Repair Windows XP
http://www.alaynah.net/shehar/repair_xp.htm

A system repair is not the same as getting into the Recovery Console.  To perform an XP repair:

http://www.microsoft.com/WindowsXP/expertzone/tips/dougknox/doug92.asp 

Expert Comment by: TheTechGuysNYC (LVL 3)

younghv:

I must say. Very thorough. Just thought I'd commend you on your response. Keep up the good work!

Expert Comment by: grblades (LVL 36)

Have you tried running a system restore?
Try doing that and restoring back a few weeks or even months and then run spybot and then HijackThis again (in safe mode).

Author Comment by: LubomirMasar

Youngh, thanks so much for the thorough reply..
Before seeing the answer here from youngh, I had already run an XP reinstall. Chose the R option for recovery..went ahead and re-installed..
After this, I am fortunately in slightly better shape! I am able to successfully restart the PC and Windows came back.
Ran adaware, which still found some critical objects again..So I am not clean yet..
ran HijackThis too..Please see below for the hijackthis log. Does anything in it look suspicious? Should I get rid of anything?

************************************

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:47:05 PM, on 4/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Anu\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {c04fad3c-6e9b-4c41-a370-2128298b18af} - C:\WINDOWS\system32\kbd(3).dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\27.tmp (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5365 bytes
******************************************

Expert Comment by: grblades (LVL 36)

Paste the log file into http://www.hijackthis.de/en and look through the results.
The O10 - Unknown file in Winsock LSP: abcdefgh.dll are definitely a problem and the log analyser tells you what to do (don't just try and fix it)

Expert Comment by: younghv (LVL 38)

LubomirMasar,
Most of the top Experts around here have switched to SuperAntiSpyware.
It is fairly new on the market, but has outperformed all of the others over the past few months.

Please follow the guidelines in my earlier post and run it in Safe Mode.

Thanks,
Vic

Assisted Solution by: rpggamergirl (LVL 47), earned 250 total points

Hi,
I wouldn't recommend using the BETA version of Hijackthis because it has many bugs (and the log can be confusing)


Your log is showing a variant of SDBot:

Please download LSPfix from here:
http://www.downloads.subratam.org/lspfix.zip
Unzip it to the desktop and run it.  Check "I know what I'm doing",
and then select each instance of "abcdefgh.dll" in the left-hand panel and click ">>" to move it to the right-hand panel.  
Then click Finish to allow LSPfix to rebuild the LSP chain.


Only afterwards, delete this dll, most probably located in the system32 folder --> abcdefgh.dll


You have a variant of SDBot showing in your logfile:
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back
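As an added example (not part of the thread and not HijackThis or LSPfix code), a small Python triage script that applies the checks the experts above apply by eye: it counts the repeated O10 Winsock LSP entries for abcdefgh.dll, flags the unnamed BHO loading from system32 and the O23 service pointing at a missing file in TEMP, and attaches rpggamergirl's caveat that the LSP chain must be repaired before the DLL is deleted. The sample log is an abridged copy of the one posted above; the flagging heuristics are my assumptions, not HijackThis rules.

```python
import re
from collections import Counter

# Constructed sample: an abridged copy of the HijackThis log posted in this thread
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {c04fad3c-6e9b-4c41-a370-2128298b18af} - C:\WINDOWS\system32\kbd(3).dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\27.tmp (file missing)
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")  # entry lines start with a section code (R0, O2, O10 ...)

def parse(log_text):
    """Yield (section, body) for each entry line; header and process lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)

def lsp_hits(log_text):
    """Count how often each unknown DLL appears in the Winsock LSP chain (O10 entries)."""
    hits = Counter()
    for section, body in parse(log_text):
        if section == "O10" and "Unknown file in Winsock LSP" in body:
            hits[body.rsplit(":", 1)[1].strip()] += 1
    return dict(hits)

def triage(log_text):
    """Return the entries worth a closer look, using the heuristics assumed in this example."""
    findings = []
    for section, body in parse(log_text):
        path = body.rsplit(" - ", 1)[-1].lower()   # last field is the on-disk path
        if section == "O2" and "BHO: (no name)" in body and "\\windows\\" in path:
            findings.append({"section": section, "entry": body,
                             "reason": "unnamed browser helper object loading from the Windows directory"})
        elif section == "O23" and ("(file missing)" in path or "\\temp\\" in path):
            findings.append({"section": section, "entry": body,
                             "reason": "service binary in a TEMP folder or missing from disk"})
    for dll, n in lsp_hits(log_text).items():
        # The thread's caveat: unlink the DLL from the LSP chain first (LSPfix), delete the file after
        findings.append({"section": "O10", "entry": dll,
                         "reason": f"{dll} is in the Winsock LSP chain {n} times; repair the chain before deleting the file or networking breaks"})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>4}  {f['reason']}\n      {f['entry']}")
```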
 

Author Comment by: LubomirMasar

A big thanks to all of you..I read all your suggestions and now it seems I am much better off.

I did not run a full xp reinstall. I ran only the repair (R) mode. I am too sensitive about the risk of losing data. More than the data, I did not want to lose the installed applications..

But after xp repair, I followed the recommendations of rpggamergirl. Ran both LSPfix and SDFix.
Like younghv suggested, I did SuperAntiSpyware too.

These two things seem to have fixed my problem. I am very pleased to have discovered SuperAntiSpyware as it seems to be the best of the lot now.

So I am sharing my full points with younghv and rpggamergirl.

Is it a good idea for me to install IE 7? Will my PC be compatible with it?
What is the best free firewall software that I could setup for future protection?

LM

Author Comment by: LubomirMasar

well, really rpggamergirl's solution should be the accepted solution, and younghv's solution should be the assisted solution. They both should have 250 points and both are very very good answers and should go into knowledgebase..

Expert Comment by: younghv (LVL 38)

Hi LubomirMasar,
Thank you for the points split - R'girl and I have shared on many occasions, but I am not sure why one answer gets 'Accepted' and one is 'Assisted'.

Maybe I'll post a 500 point question about that - LOL.

Thanks again.

~rpg - see you around the zones.

Vic

Expert Comment by: rpggamergirl (LVL 47)

Hi LubomirMasar,
Doesn't matter to me if mine is only an assist, glad to know your problem is resolved, :)

I think it must be a bug, I've read somewhere, someone posted that he wasn't given the choice of which one to have as the accepted answer. And when he clicked "submit" somehow it auto-picked the accepted answer.

Thanks for the points!

See you around, Vic, :)


Expert Comment by: rpggamergirl (LVL 47)

okay.....NOT a bug apparently,
the first comment selected is automatically picked as the "accepted answer"
and for that feature to change we have to complain to them, and if they receive many complaints about it, then they might change it someday, :)

Please click on the "Feedback" button on the top right of this page and let them know, :)


Expert Comment by: younghv (LVL 38)

Aha!
I knew you would find the answer - I will mention that also.

Vic