Can only boot in safe mode

Discussion in 'Malware Help (A Specialist Will Reply)' started by loopy_lou, Dec 8, 2006.

  1. loopy_lou

    loopy_lou Private E-2

    My son got malware on his computer from running an attachment in msn. Now the computer continually reboots when it gets to the Windows XP welcome screen. Disabling automatic restart on system failure gives a BSOD

    DRIVER_IRQL_NOT_LESS_OR_EQUAL

    *** STOP: 0x000000D1 (0x000005EA, 0x00000002, 0x00000000, 0xF404B877)

    *** AEWLVNET.SYS - Address F404B877 base at F4048000, Datestamp 3d9d83ea

    I have tried to follow your instructions in 'Read and Run me first' but I could only work in Safe Mode / Safe Mode with networking. CounterSpy would not run. Spybot S+D found Smitfraud-C Toolbar 888 and SpyHunter. Bitdefender wouldn't update its virus definitions but I ran it anyway. It found and deleted mcc.exe and tel.exe.

    I haven't done a HijackThis log as it says you must be in normal mode, but I can from safe mode if you want me to. Please help!
     

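Reading the bugcheck screen: the following is an added example (mine, not code from the post, from Actiontec or from Microsoft) that parses the two lines loopy_lou quoted and turns the STOP 0xD1 parameters into a plain statement of what the driver did. The parameter meanings are Microsoft's documented ones for bug check 0xD1; the regular expressions, the PowerShell 5.1+ requirement (for FromUnixTimeSeconds) and the triage comments at the end are the example's own assumptions.

```powershell
# Added example, not from the thread: decode the STOP 0xD1 screen quoted above.
# Bug check 0xD1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL) parameters, per Microsoft's
# bug check reference:
#   1 = virtual address that was referenced
#   2 = IRQL at the time of the reference
#   3 = 0 for a read, 1 for a write (later kernels add more values)
#   4 = address of the instruction that made the access
# The two lines below are copied from the post; the regexes that pick them apart
# are this example's own assumption about the XP bugcheck screen layout.
$stopLine   = '*** STOP: 0x000000D1 (0x000005EA, 0x00000002, 0x00000000,0xF404B877)'
$moduleLine = '*** AEWLVNET.SYS - Address F404B877 base at F4048000, Datestamp 3d9d83ea'

function ConvertFrom-StopLine {
    param([string]$Line)
    if ($Line -notmatch 'STOP:\s*0x([0-9A-Fa-f]+)\s*\(([^)]*)\)') {
        throw "Not a STOP line: $Line"
    }
    $code   = [Convert]::ToUInt32($Matches[1], 16)
    # Convert.ToUInt32 with base 16 accepts an optional 0x prefix.
    $params = @($Matches[2] -split ',' | ForEach-Object { [Convert]::ToUInt32($_.Trim(), 16) })
    [pscustomobject]@{ Code = $code; Params = $params }
}

function ConvertFrom-ModuleLine {
    param([string]$Line)
    $re = '(?<mod>[\w.]+\.sys)\s+-\s+Address\s+(?<addr>[0-9A-Fa-f]+)\s+base at\s+(?<base>[0-9A-Fa-f]+)(?:,\s*Datestamp\s+(?<stamp>[0-9A-Fa-f]+))?'
    if ($Line -notmatch $re) { throw "Not a module line: $Line" }
    $linkTime = $null
    if ($Matches['stamp']) {
        # The datestamp is the PE header TimeDateStamp: seconds since 1970-01-01 UTC.
        $seconds  = [Convert]::ToInt64($Matches['stamp'], 16)
        $linkTime = [DateTimeOffset]::FromUnixTimeSeconds($seconds).UtcDateTime
    }
    [pscustomobject]@{
        Module   = $Matches['mod']
        Address  = [Convert]::ToUInt32($Matches['addr'], 16)
        Base     = [Convert]::ToUInt32($Matches['base'], 16)
        LinkTime = $linkTime
    }
}

$stop = ConvertFrom-StopLine   $stopLine
$mod  = ConvertFrom-ModuleLine $moduleLine
if ($stop.Code -ne 0xD1) { throw ('Expected bug check 0xD1, got 0x{0:X}' -f $stop.Code) }

$referenced, $irql, $access, $faultPc = $stop.Params
$accessText = if ($access -eq 0) { 'read' } else { 'write' }
$offset     = $faultPc - $mod.Base

'{0} tried to {1} address 0x{2:X8} at IRQL {3}' -f $mod.Module, $accessText, $referenced, $irql
'Faulting instruction 0x{0:X8} = {1}+0x{2:X} (module base 0x{3:X8})' -f $faultPc, $mod.Module, $offset, $mod.Base
if ($mod.LinkTime) { 'Driver link time (UTC): {0:u}' -f $mod.LinkTime }

# Triage notes a practitioner would apply to these values:
# - 0x5EA lies in the first 4 KiB page, i.e. a near-NULL pointer dereference:
#   the driver followed a pointer into something that was not the structure it
#   expected.
# - IRQL 2 is DISPATCH_LEVEL; pageable memory is off limits there, but a
#   near-NULL address is simply an invalid pointer whatever the IRQL.
# - The faulting instruction is inside AEWLVNET.SYS, so the crash is blamed on
#   that driver, but a hooked or patched network stack beneath it (the kind of
#   thing a rootkit installs) can hand it bad data. The bugcheck names the
#   victim, not necessarily the culprit.
```

The last point is the one that matters for this thread: a driver that has run without trouble for years and now faults on a near-NULL pointer the moment the adapter is plugged in is a reason to look below the driver before replacing it.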

  2. loopy_lou

    loopy_lou Private E-2

    More attachments.
     


  3. loopy_lou

    loopy_lou Private E-2

    As nobody had replied I decided to look at this a bit more myself. I realised the file aewlvnet.sys that was stopping me booting in normal mode was for my wireless network adapter. I moved the file elsewhere and renamed it. I could then boot into normal mode, but windows\system32\services.exe terminated unexpectedly with status code 1073741819 and shut the computer down after 1 minute. However, I saw that the computer was trying to connect to an XFire server. I deleted XFire and the computer then booted normally and stayed on, but without any network connections. I tried deleting and then reinstalling my wireless network adapter from the original installation discs. This put back a file aewlvnet.sys and half way through the installation rebooted the computer. I went back to safe mode, deleted aewlvnet.sys again and then ran HijackThis in normal mode (but without any functioning network). Also note that my Sophos virus software detected the virus MSNMk-E in two system restore points.

    I am posting this from a different computer. Note that my wireless adapter has been working for several years without any problems.

    Can anyone tell me where to go from here?
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Problems like you are describing are not normally caused by malware but are more frequently caused by hardware, driver, or other software-related issues. However, you do have a couple of things to fix. So let's fix them.

    Make sure viewing of hidden files is enabled (per the tutorial).
    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\hset.exe
    C:\WINDOWS\system32\install.exe

    Now run Ccleaner.
    Now reboot in normal mode

    Now locate the below folder and delete it if found:
    C:\Program Files\Common Files\{3CAB4104-0BA9-2057-1209-05031020002c}
    C:\Program Files\Common Files\{9CAB4104-0BA9-2057-1209-05031020002c}

    Now attach a new log from GetRunKey.

    Make sure you tell me how things are working now!

    If the above steps do not help (and I don't expect them to), you could do the following:
    1. try using System Restore to restore to a point before your problems began. If this does not help, then you may be looking at a hardware failure or a broken driver that System Restore cannot fix.
    2. try posting in either the Hardware or Software Forum for other suggestions.
     
  5. loopy_lou

    loopy_lou Private E-2

    You were right, the changes didn't make any difference, but thanks for your help anyway.

    I agree that I may now have a software problem, but I am absolutely convinced that it was caused by malware. My son got a message in MSN that he clicked on. This put some icons on the desktop (mcc.exe and others?) Then, the next time he wanted to start MSN, it told him to run an exe file, which he did. (Sorry, I don't know the precise details. I am relying on the memory of an 11-year old.) This is when all the problems immediately started. Note that my daughter also got the same message on her computer, and got the same icons on her desktop. However, she didn't run the exe. I was able to get rid of the problem with Sophos and her computer seems clean now.

    I can't go back to any restore points before the problem occurred because there aren't any I can access. If I click on any days before the problem in December, nothing happens. If I click on the back arrow to go to November, nothing happens also. However, there are restore points that have been created since the problem. Also note that the Windows firewall became disabled at the time of the problem. It got turned off and couldn't be turned back on due to an 'unknown error'. I think I have fixed this by following a registry edit I found on another website.

    To summarise, I am now left with a computer that will work in safe mode with networking, including with the network functioning, when my wireless network adapter aewlvnet.sys is installed. However, in normal mode I get the message about system32\services.exe terminating with status code 1073741819 and the system shuts down after one minute. If I run shutdown -a, the shutdown dialogue stops but the computer doesn't function (i.e. clicking on icons or the start menu doesn't do anything) and I have to reboot anyway. If I delete or rename aewlvnet.sys, then I can boot in normal mode without any problems (but obviously without any network). I have got new copies of the driver from the original installation discs and also from the Actiontec website, but they are the same. I have tried troubleshooting by disabling drivers in safe mode and then rebooting in normal mode, but the only driver that gives any problem is the network one.

    I have seen on other websites that system32\services.exe terminating with status code 1073741819 can be the signature of a worm. However, I have run Sophos from a CD-R with windows in safe mode with command prompt and nothing is found.

    I have attached a new log from GetRunKey, run in normal mode without the network driver. Do I look clean now?

    I really don't know what to do next. If you have no more suggestions, I will try posting this to the software forum as you suggest.

    Thanks for your help.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, normally that status code is associated with Sasser worm problems, but the filename would then be lsass.exe, not services.exe.

    Let's try a couple things!

    • Run the System File Checker (SFC) utility. The main reason for it is when you suspect there may be a problem with a Windows XP system file. SFC allows you to check for any corrupt system files.
    • To use System File Checker click Start > Run and type: sfc /scannow and click OK.
    • Make sure that you include a space between the c and /. This command will immediately initiate the Windows File Protection service to scan all protected files, verify their integrity, and replace any problem files. You must be logged on as a member of the Administrators group to run sfc and it may ask you to insert your Windows Installation CD so have it available.
    • Now click on Start > Run and type: regsvr32 MSXML3.dll and click OK.
    Any change to your status? If not, continue on to the below.

    Download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.


    Then give this second rootkit detector a run and attach the log: AVG Anti-Rootkit
     
  7. loopy_lou

    loopy_lou Private E-2

    I had problems running sfc because the computer only has a restore CD, not an original XP cd. However, it does have a c:\I386 folder so I followed the advice on another web page and edited the registry to point there. (I hope that is OK - the restore cd has an I386 subfolder but it only contains cabinet files.) I then ran the regsvr32 command. However, as soon as I reinstated the network driver and plugged in my adapter, the problem recurred.

    Blacklight beta didn't find anything.

    AVG Anti-Rootkit detector found a hidden driver file C:\WINDOWS\system32:lzx32.sys (see logs attached). Is this significant?
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! This is a nasty rootkit. Let's first see if AVG Anti-Rootkit can fix it. Run it again and try to fix it. Let me know what happens.

    If it says it fixed it, then reboot and run another scan with AVG Anti-Rootkit and attach a new log.
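What the AVG finding means, and how to look for it yourself: the colon in `C:\WINDOWS\system32:lzx32.sys` is NTFS alternate-data-stream syntax, so this is not a file inside System32 but a named stream attached to the System32 directory itself, which is why ordinary directory listings and file scanners never showed it. The following is an added example (mine, not from the thread and not AVG's code) for PowerShell 3.0 or later that enumerates streams under a Windows tree and lists driver/service registry entries whose ImagePath points into a stream. The root path, the benign-stream allow list and the colon heuristic are assumptions; run it elevated, and preferably from Safe Mode, because an active kernel rootkit that hides its stream can hide it from these APIs as well.

```powershell
# Added example, not from the thread: find data streams hidden on the System32
# tree and service entries that load from a stream. Needs PowerShell 3.0+ and an
# elevated prompt. $root and $benignStreams are assumptions for this example.
$root = 'C:\Windows\System32'

# Streams that are normal to see: the unnamed data stream and the Mark-of-the-Web
# tag that browsers attach to downloads. Anything else deserves a look.
$benignStreams = @(':$DATA', 'Zone.Identifier')

function Get-SuspiciousStream {
    param([string]$Path)
    # Include the directory itself: system32:lzx32.sys was attached to the
    # directory, and Get-ChildItem -Recurse never returns its starting point.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        # -Stream * yields one object per stream; directories can carry streams too.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $benignStreams -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    Container   = $item.FullName
                    IsDirectory = $item.PSIsContainer
                    Stream      = $_.Stream
                    Length      = $_.Length
                    # A stream named like a PE file is the classic loader trick.
                    LooksLikePE = [bool]($_.Stream -match '\.(sys|dll|exe)$')
                }
            }
    }
}

function Get-StreamImagePath {
    # Service and driver entries whose ImagePath contains a colon that is not the
    # drive-letter colon, e.g. \??\C:\WINDOWS\system32:lzx32.sys. The regex is a
    # heuristic: command-line arguments containing a colon would also match.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($props.ImagePath -and $props.ImagePath -match ':[^\\]') {
                [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $props.ImagePath }
            }
        }
}

Get-SuspiciousStream -Path $root | Format-Table -AutoSize
Get-StreamImagePath              | Format-Table -AutoSize

# Deleting a confirmed malicious stream removes only the stream, not the
# directory it hangs off. Keep -WhatIf until the finding is verified:
# Remove-Item -LiteralPath $root -Stream 'lzx32.sys' -WhatIf
```

The two functions cross-check each other: a stream with a driver-like name is suspicious on its own, and a service whose ImagePath has a second colon is how that stream gets loaded at boot. Finding one without the other is still worth chasing, since a rootkit may register its loader under a different mechanism or a scanner may already have removed half of it.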
     
  9. loopy_lou

    loopy_lou Private E-2

    Great! The AVG anti rootkit seems to have deleted it. I rebooted and ran another scan, which was clear. The report log button was greyed out, presumably because it didn't find anything.

    I then reinstated the network driver and plugged my wireless adapter in. It worked straight away!

    Is there anything else I need to run, now my network is back, or am I clear?

    Thanks so much for your time and help.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    First double check to make sure that the below file has been deleted:
    C:\WINDOWS\system32\lzx32.sys


    Then if you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
