LubomirMasar
asked on
Win XP home pc in bad shape..How to fix? 500 points awarded..
My home pc (windows xp professional) is in bad shape. Some malware or trojan has gotten into it. Can experts give me direction as to how to fix this?
We ran Hijackthis and removed all the unwanted entries from registry. Ran Adaware (free version) and removed the critical objects. Ran spybot and removed the critical ones.
But now when we restart in normal mode, desktop screen comes up and later, blue screen with message "Problem has been detected and windows has been shutdown to prevent damage".
We are still able to start the pc in safe mode with networking. Login as administrator, then we can run hijackthis etc..
My question is how can we restore the pc? Do I have to reinstall XP? Can we reinstall XP without losing any of the local datafiles? Or is everything already in pc wiped out? Do I have to reformat the hard drive?
Thanks, really need some direction here..
Have you tried running a system restore?
Try doing that and restoring back a few weeks or even months and then run spybot and then HijackThis again (in safe mode).
ASKER
Youngh, thanks so much for the thorough reply..
Before seeing the answer here from youngh, I had already run an XP reinstall. Chose the R option for recovery..went ahead and re-installed..
After this, I am fortunately in slightly better shape! I am able to successfully restart the PC and Windows came back.
Ran adaware, which still found some critical objects again..So I am not clean yet..
ran Hijack this too..Please see below for the hijackthis log. Does anything in it look suspicious? Should I get rid of anything?
************************************
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:47:05 PM, on 4/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Anu\Desktop\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {c04fad3c-6e9b-4c41-a370-2128298b18af} - C:\WINDOWS\system32\kbd(3).dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\27.tmp (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 5365 bytes
******************************************
Paste the log file into http://www.hijackthis.de/en and look through the results.
The O10 - Unknown file in Winsock LSP: abcdefgh.dll are definitely a problem and the log analyser tells you what to do (done just try and fix it)
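A small triage helper for logs like the one posted above, as an added example that is not part of the original thread: it collapses repeated lines and flags the O10 "Unknown file in Winsock LSP" entries this reply points at. The other two rules (O23 services with an unknown owner or missing file, unnamed BHOs under system32) and all function names are assumptions made for illustration; they mark entries to look up, not verdicts.

```python
import re
from collections import Counter

# Excerpt of the HijackThis log posted above (wrapped paths rejoined).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {c04fad3c-6e9b-4c41-a370-2128298b18af} - C:\WINDOWS\system32\kbd(3).dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\27.tmp (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""

# Section lines look like "O10 - ..." or "R3 - ..."; process paths and headers do not.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Review heuristics. Only the O10 rule comes from the thread; the other two
# are assumptions added for illustration.
RULES = [
    ("O10", re.compile(r"Unknown file in Winsock LSP", re.I), "unknown Winsock LSP"),
    ("O23", re.compile(r"Unknown owner|\(file missing\)", re.I), "service without vendor or file"),
    ("O2", re.compile(r"\(no name\).*\\system32\\", re.I), "unnamed BHO in system32"),
]

def parse_entries(log_text):
    """Return (code, body) pairs for section lines, skipping headers and process paths."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def triage(log_text):
    """Collapse duplicate entries; return [(code, body, count, reason)] for rule matches."""
    counts = Counter(parse_entries(log_text))
    findings = []
    for (code, body), n in counts.items():
        for rule_code, pattern, reason in RULES:
            if code == rule_code and pattern.search(body):
                findings.append((code, body, n, reason))
                break
    return findings

if __name__ == "__main__":
    for code, body, n, reason in triage(SAMPLE_LOG):
        print(f"{code} x{n} [{reason}] {body}")
```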
LubomirMasar,
Most of the top Experts around here have switched to SuperAntiSpyware.
It is fairly new on the market, but has outperformed all of the others over the past few months.
Please follow the guidelines in my earlier post and run it in Safe Mode.
Thanks,
Vic
ASKER
A big thanks to all of you..I read all your suggestions and now it seems I am much better off.
I did not run a full xp reinstall. I ran only the repair (R) mode. I am too sensitive about the risk of losing data. More than the data, I did not want to lose the installed applications..
But after xp repair, I followed the recommendations of rpggamergirl. Ran both LSPfix and SDFix.
Like younghv suggested, I did SuperAntiSpyware too.
These two things seem to have fixed my problem. I am very pleased to have discovered SuperAntiSpyware as it seems to be the best of the lot now.
So I am sharing my full points with younghv and rpggamergirl.
Is it a good idea for me to install IE 7? Will my PC be compatible with it?
What is the best free firewall software that I could set up for future protection?
LM
ASKER
well, really rpggamergirl solution should be the accepted solution, and younghv solution should be the assisted solution. They both should have 250 points and both are very very good answers and should go into knowledgebase..
Hi LubomirMasar,
Thank you for the points split - R'girl and I have shared on many occasions, but I am not sure why one answer gets 'Accepted' and one is 'Assisted'.
Maybe I'll post a 500 point question about that - LOL.
Thanks again.
~rpg - see you around the zones.
Vic
Hi LubomirMasar,
Doesn't matter to me if mine is only an assist, glad to know your problem is resolved, :)
I think it must be a bug, I've read somewhere, someone posted that he wasn't given the choice of which one to have the accepted answer. And when he clicked "submit" somehow it auto-pick accepted answer.
Thanks for the points!
See you around, Vic, :)
okay.....NOT a bug apparently,
the first comment selected is automatically picked as the "accepted answer"
and for that feature to change we have to complain to them, and if they receive many complaints about it, then they might change it someday, :)
Please click on the "Feedback" button on the top right of this page and let them know, :)
Aha!
I knew you would find the answer - I will mention that also.
Vic
I must say. Very thorough. Just thought I'd commend you on your response. Keep up the good work!