

Win XP home pc in bad shape..How to fix? 500 points awarded..

Posted on 2007-04-01
Medium Priority
Last Modified: 2013-11-22
My home pc (windows xp professional) is in bad shape. Some malware or trojan has gotten into it. Can experts give me direction as to how to fix this?

We ran Hijackthis and removed all the unwanted entries from registry. Ran Adaware (free version) and removed the critical objects. Ran spybot and removed the critical ones.

But now when we restart in normal mode, the desktop screen comes up and later, a blue screen with the message "Problem has been detected and windows has been shutdown to prevent damage".

We are still able to start the pc in safe mode with networking. Login as administrator, then we can run hijackthis etc..

My question is how can we restore the pc? Do I have to reinstall XP? Can we reinstall XP without losing any of the local datafiles? Or is everything already in pc wiped out? Do I have to reformat the harddrive?

Thanks, really need some direction here..
Question by:LubomirMasar
LVL 38

Accepted Solution

younghv earned 1000 total points
ID: 18832577
Below is the Full Monte on XP Repair.
A lot of reading, but worth it.

Before trying another repair, download and run SuperAntispyware in Safe Mode:

Download and install Superantispyware
Load Superantispyware and click the "check for updates" button.
Re-boot into "Safe Mode" (tap the F8 key during boot cycle and select 'Safe Mode')

* Start Superantispyware.
Click the "scan your computer" button.
Check "Perform Complete Scan" and then next.
Superantispyware will now scan your computer and when its finished it will list all the infections it has found.
Make sure that they all have a check next to them and press next.
Click finish and you will be taken back to the main interface.
Click "Preferences" and then click the "statistics/logs" tab. Click the dated log and press view log and a text file will appear.


Insert the Windows XP CD in your drive. Reboot the computer and press "del" (or F2 or F10, or whatever key combo gets you in) to enter the BIOS setup. Look for the boot order of your drives (usually under Advanced Settings). Change the order so that the CD drive is the first boot device. Save and exit.

As the machine reboots this time it will find a bootable CD and prompt you to press any key to boot from the CD. Press a key. XP setup will now start to load - takes a little time before it requires input from you.

Once setup is ready it will prompt you to press 'R' to enter the recovery console or 'Enter' to continue installing Windows. We don't want the Repair Console here so just press Enter. Setup will then prompt you to accept the EULA by pressing F8. Press F8.

The next screen will show you the partition[s] available and will inform you that Windows is installed (usually on the C: drive). At this screen you will have an option to press 'R' to repair the current installation. Press 'R' and setup will then take over and do the necessary work.
After you perform an in-place upgrade or repair installation, you must reinstall all updates to Windows.
Here are a couple of Microsoft Knowledge Base articles you should read which concern possible data loss when you reinstall/repair XP:
KB 312369: You May Lose Data or Program Settings After Reinstalling, Repairing, or Upgrading Windows XP
KB 312368: Data Loss May Occur After Reinstalling, Repairing, or Upgrading Windows XP

Note that, from the above articles, the problem of data loss if your Windows XP was installed by the OEM (Original Equipment Manufacturer) has been corrected if your Windows XP has Service Pack 1 installed.

This is another excellent article on how to perform an XP repair:


And check out the following articles.

Langa Letter: XP's No-Reformat, Nondestructive Total-Rebuild Option
InformationWeek, June 19, 2006
Fred Langa shows you how to completely rebuild, repair, or refresh an existing XP installation without losing data, and without having to reinstall user software, reformat, or otherwise destructively alter the setup.

Langa Letter: The OS Inside The OS
InformationWeek, April 30, 2006
Fred Langa shows how a simple tweak turns XP's low-level Recovery Console into a complete, standalone mini-operating system--in effect, an XP DOS!

Langa Letter: XP's Little-Known 'Rebuild' Command
InformationWeek, April 17, 2006
There's an easy fix for "Missing HAL.DLL," "Invalid Boot.Ini," and several other fatal startup errors, Fred Langa says.

How to Repair Windows XP

A system repair is not the same as getting into the Recovery Console.  To perform an XP repair: 

Expert Comment

ID: 18832751

I must say. Very thorough. Just thought I'd commend you on your response. Keep up the good work!
LVL 36

Expert Comment

ID: 18832821
Have you tried running a system restore?
Try doing that and restoring back a few weeks or even months and then run spybot and then HijackThis again (in safe mode).


Author Comment

ID: 18832847
Youngh, thanks so much for the thorough reply..
Before seeing the answer here from youngh, I had already run an XP reinstall. Chose the R option for recovery..went ahead and re-installed..
After this, I am fortunately in slightly better shape! I am able to successfully restart the PC and Windows came back.
Ran adaware, which still found some critical objects again..So I am not clean yet..
ran Hijack this too..Please see below for the hijackthis log. Does anything in it look suspicious? Should I get rid of anything?


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:47:05 PM, on 4/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\\agent\mcdetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Anu\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {c04fad3c-6e9b-4c41-a370-2128298b18af} - C:\WINDOWS\system32\kbd(3).dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\\Agent\mcupdmgr.exe
O23 - Service: VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\\vso\mcvsrte.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\27.tmp (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

End of file - 5365 bytes
LVL 36

Expert Comment

ID: 18832874
Paste the log file into and look through the results.
The O10 - Unknown file in Winsock LSP: abcdefgh.dll are definitely a problem and the log analyser tells you what to do (done just try and fix it)
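
The kind of triage applied to the posted log, as an added example that is not part of the original thread or of any analyser mentioned in it. The O10 rule reflects what the experts flag here; the O2 and O23 rules are added heuristics (assumptions) that mark entries for review and are not verdicts from the thread. Repeated lines are collapsed into one finding with a count.

```python
import re
from collections import Counter

# Sample input: lines taken from the HijackThis log posted in this thread
# (only three of the repeated O10 lines are kept).
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {c04fad3c-6e9b-4c41-a370-2128298b18af} - C:\WINDOWS\system32\kbd(3).dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O10 - Unknown file in Winsock LSP: abcdefgh.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\27.tmp (file missing)
"""

# A HijackThis entry line is "<section id> - <body>", e.g. "O10 - ...".
ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")

# One review rule per section: (pattern capturing the item, reason).
RULES = {
    "O10": (re.compile(r"Unknown file in Winsock LSP: (?P<what>\S+)"),
            "unknown Winsock LSP file (flagged in the thread)"),
    "O23": (re.compile(r" - (?P<what>[A-Za-z]:\\.*\\te?mp\\.*)$", re.I),
            "service binary under a TEMP directory (added heuristic)"),
    "O2": (re.compile(r"BHO: \(no name\) - \{[^}]+\} - (?P<what>.*\\system32\\.*)$", re.I),
           "unnamed BHO loaded from system32 (added heuristic)"),
}

def triage(log_text):
    """Return Counter {(section, item): occurrences} for lines matching a rule."""
    findings = Counter()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        rule = RULES.get(m["sec"]) if m else None  # skip headers, process list
        hit = rule[0].search(m["body"]) if rule else None
        if hit:
            findings[(m["sec"], hit["what"])] += 1
    return findings

def report(findings):
    """One human-readable line per distinct finding, with its repeat count."""
    return [f"{sec} x{n}: {item} -> {RULES[sec][1]}"
            for (sec, item), n in sorted(findings.items())]

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```
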
LVL 38

Expert Comment

ID: 18833724
Most of the top Experts around here have switched to SuperAntiSpyware.
It is fairly new on the market, but has outperformed all of the others over the past few months.

Please follow the guidelines in my earlier post and run it in Safe Mode.

LVL 47

Assisted Solution

rpggamergirl earned 1000 total points
ID: 18836655
I wouldn't recommend using the BETA version of Hijackthis because it has many bugs (and the log can be confusing).

Your log is showing a variant of SDBot:

Please download LSPfix from here:
Unzip it to the desktop and run it.  Check "I know what I'm doing",
and then select each instance of "abcdefgh.dll" in the left-hand panel and click ">>" to move it to the right-hand panel.  
Then click Finish to allow LSPfix to rebuild the LSP chain

Afterwards only you can delete this dll most probably located in the system32 folder -->abcdefgh.dll

You have a variant of SDBot showing in your logfile:
Download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back

Author Comment

ID: 18844409
A big thanks to all of you..I read all your suggestions and now it seems I am much better off.

I did not run a full xp reinstall. I ran only the repair (R) mode. I am too sensitive about the risk of losing data. More than the data, I did not want to lose the installed applications..

But after xp repair, I followed the recommendations of rpggamergirl. Ran both LSPfix and SDFix.
Like younghv suggested, I did SuperAntiSpyware too.

These two things seem to have fixed my problem. I am very pleased to have discovered SuperAntiSpyware as it seems to be the best of the lot now.

So I am sharing my full points with younghv and rpggamergirl.

Is it a good idea for me to install IE 7? Will my PC be compatible with it?
What is the best free firewall software that I could setup for future protection?


Author Comment

ID: 18844454
well, really rpggamergirl's solution should be the accepted solution, and younghv's solution should be the assisted solution. They both should have 250 points and both are very very good answers and should go into knowledgebase..
LVL 38

Expert Comment

ID: 18844609
Hi LubomirMasar,
Thank you for the points split - R'girl and I have shared on many occasions, but I am not sure why one answer gets 'Accepted' and one is 'Assisted'.

Maybe I'll post a 500 point question about that - LOL.

Thanks again.

~rpg - see you around the zones.

LVL 47

Expert Comment

ID: 18848024
Hi LubomirMasar,
Doesn't matter to me if mine is only an assist, glad to know your problem is resolved, :)

I think it must be a bug, I've read somewhere, someone posted that he wasn't given the choice of which one to have the accepted answer. And when he clicked "submit" somehow it auto-picked the accepted answer.

Thanks for the points!

See you around, Vic, :)

LVL 47

Expert Comment

ID: 18848092
okay.....NOT a bug apparently,
the first comment selected is automatically picked as the "accepted answer"
and for that feature to change we have to complain to them, and if they receive many complaints about it, then they might change it someday, :)

Please click on the "Feedback" button on the top right of this page and let them know, :)

LVL 38

Expert Comment

ID: 18849682
I knew you would find the answer - I will mention that also.

