Can only Boot Safe Mode - Botched CWS Removal?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Heavy Mettle Squid, Jul 3, 2006.

  1. Heavy Mettle Squid

    Heavy Mettle Squid Private E-2

    Hi,
    I am running Windows XP SP2 Home Edition - current on all MS critical updates.
    System is a home-built machine, based on Athlon 64 3200+ CPU with 1GB of RAM.
    This PC has run essentially problem-free for its first 6 months.
    My DSL ISP is SBC Yahoo! (Now ATT) and I am using their "free" online protection package, which includes versions of Anti-Virus and Anti-Spy, provided by Computer Associates. Two nights ago, my system was behaving very sluggishly so I decided to run some maintenance. I ran the Anti-Spy program and it claimed to detect CWS.QTTasks. Surprisingly, given its notoriety, I had never heard of the CoolWebSearch suite of hijackers. Anyhow, I selected to have AntiSpy "remove" the detected malware. Then I went to reboot. That's when things got bad.
    The reboot would not go past the Windows logo screen, with the bars moving from left to right (forever). I had to hold the power button down to force the machine off. Ever since then I have only been able to successfully boot into safe mode. I tried system restore, successively going back through a number of restore points. No joy. From safe mode I've run Anti-Virus. I've also run SpyBot Search & Destroy, AdAware personal SE and SBC Yahoo! (ca) Anti-Spy. They found a few things, which I cleaned up. I also ran CCleaner and got rid of a bunch of crap and broken registry links. But the PC still can only boot into safe mode.
    I suspect that whatever the Anti-Spy scan detected, it botched the removal and corrupted something in my registry. Can anyone PLEASE help me?
    One more thing. For some reason my anti-virus "active" selection keeps getting deselected. I'll go into the SBC online protection menu and turn it on, and then a moment later it goes off again. Very suspicious.
    Thanks!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Doesn't your antispyware program have a restore of its own that you could use to restore whatever it removed? Using System Restore would only help if whatever was removed had been saved in System Restore, but not all files are saved. Sounds to me like you should be talking to SBC and complaining to them about what they gave you to install and use; however, I would be willing to bet that you would not get very much help from them and if you do, it would not be too useful.

    Removal of CWS.Qttasks should not cause a problem like this (if that is all they removed and if what they found was really Qttasks). The below shows a typical CWS.Qttasks infection:

    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453077875

    Hopefully they were not confusing the above with C:\Program Files\QuickTime\qttask.exe
    Either way, removal of either of these should not make your PC unbootable.
     
  3. Heavy Mettle Squid

    Heavy Mettle Squid Private E-2

    Chaslang,
    Thanks for your comments. Yes, one would think that the SBC Anti-Spy tool would have a restore function. However, when I click on the "Restore" button the removed items list is empty. But I know I saw it find something it identified as CWS.QTTasks and I selected remove. That was the last thing I did before the first failed attempt to a normal boot.
    You are right that I should be complaining to SBC - and I will. You are also right that they will probably not be much help. That is why I figured I would try as much as I practically can on my own, with forum help, before giving them the call. I already sent their email tech support an email and their response was very polite but basically said (I'm screwed) my system was already so messed-up that I would need phone support. They gave me a toll free number, which I'll use when I exhaust myself and muster the patience to deal with them.
    There is another possibility I was considering: that this was not a botched CWS removal, but that it may have been just a coincidence. Maybe the PC got a virus via one of the non-administrator users. That the infection is contained, without administrator privileges, and it manifests itself during the failure to normal boot only when trying to load that user's profile. (Just a guess, but I'm grasping at straws here.)
    I will use this bad luck to finally become more knowledgeable about the HijackThis tool. Currently, I am going through the whole "before you post a HijackThis log" regimen now. Maybe something will turn up. I'll post the log when I get to that point.
    Cheers.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you boot into any user account in normal mode?

    Can you create a new user account while in Safe Mode and then login to that account in normal boot mode?
     
  5. Heavy Mettle Squid

    Heavy Mettle Squid Private E-2

    Chaslang,
    Thanks for your comments. Yes, one would think that the SBC Anti-Spy tool would have a restore function. However, when I click on the "Restore" button the removed items list is empty. But I know I saw it find something it identified as CWS.QTTasks and I selected remove. That was the last thing I did before the first failed attempt to a normal boot.
    You are right that I should be complaining to SBC - and I will. You are also right that they will probably not be much help. That is why I figured I would try as much as I practically can on my own, with forum help, before giving them the call. I already sent their email tech support an email and their response was very polite but basically said (I'm screwed) my system was already so messed-up that I would need phone support. They gave me a toll free number, which I'll use when I exhaust myself and muster the patience to deal with them.
    There is another possibility I was considering: that this was not a botched CWS removal, but that it may have been just a coincidence. Maybe the PC got a virus via one of the non-administrator users. That the infection is contained, without administrator privileges, and it manifests itself during the failure to normal boot only when trying to load that user's profile. (Just a guess, but I'm grasping at straws here.)
    I will use this bad luck to finally become more knowledgeable about the HijackThis tool. Currently, I am going through the whole "before you post a HijackThis log" regimen now. Maybe something will turn up. I'll post the log when I get to that point.
    Cheers.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why are you posting duplicate messages 7 hours apart?????

    Please address the questions in my last message (message number 4).
     
  7. Heavy Mettle Squid

    Heavy Mettle Squid Private E-2

    Oops! Beats me. Didn't intend the duplicate post. Sorry about that.
    Responses to your previous two questions are below.
    Normal boot will not go past the Windows logo screen, with the three bars moving from left to right in the white-lined rectangle, which is below the word Windows. It just stays there. I've let it go for hours. The only thing I can do from there is hold the power button down until the power shuts off. When I power back up, I get one beep, an apparently successful POST and then a screen which says Windows did not start successfully. I am offered three safe mode options: regular, with networking and with command prompt. It also offers the "last known good configuration" option, which does not work either. Normal boot won't go anywhere but the Windows logo screen (with the moving bars). For some reason, safe mode with networking doesn't seem to work either. On my DSL modem, the green light for ethernet does not illuminate.
    To answer your second question, I didn't try to find out whether I could create a new user account in safe mode. I don't see the point in trying, because the normal boot process never gets far enough for me to select a user account.
    Thanks.
    -HMS
     
  8. Heavy Mettle Squid

    Heavy Mettle Squid Private E-2

    I was just scrolling through my Windows event viewer and noticed a failed logon event. It identified the logon process as Advapi. Googling advapi led me to this site (http://www.auditmypc.com/process/advapi.asp) where the description was NOT comforting and included the following: "The process known as Advapi.exe is installed and started by a variant of the Netdevil virus (also known as netdevil12 and netdevil1.2). It should not be confused with the 'Advapi32' process."
    Funny that neither my Anti-Virus nor any of the other malware software I run found it. This could be a coincidental infection or related to my problem. Hopefully, time will tell. Anything you might add would be appreciated.
    -HMS
     
  9. Heavy Mettle Squid

    Heavy Mettle Squid Private E-2

    p.s. I did some further looking into this and it seems that what the event viewer is showing is related to the advapi32 process, NOT advapi.exe. A Windows search of my hard drive did not find the latter. Sorry about the false alarm.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It really does not appear to me that your problems are malware related. You would be better off at this point working this in the Software Forum. However, just for the heck of it, do the below and attach your HijackThis log. Also run the below procedure and attach the newfiles.txt log.
     
  11. Heavy Mettle Squid

    Heavy Mettle Squid Private E-2

    Joy! You were right, the problem does not appear to be malware-related....
    Further, the contemporaneousness of the alleged removal of CWS.QTTasks by SBC/Computer Associates' Anti-Spy and the subsequent failure to normal start appears to have been coincidental. Today I decided to backtrack a bit and recheck device manager for problems. The only device with a yellow exclamation mark was for my APC UPS battery. Couldn't be, but what the heck. I put the product CD in the drive and reinstalled the device. Fixed that problem AND restarted Normal. Unbelievable! Since then I've performed a couple of requisite updates, which my system found when tapping back into the net after a 5 day absence. Subsequent restarts have been normal.
    Thanks for your concern and assistance Chaslang. Good thing I waited a bit to complain to SBC and/or Computer Associates. Wasn't their fault (this time). And still unexplained is why the removed items list was empty when I went to undo what Anti-Spy did.
    Ciao,
    -HMS:)
    p.s. Why am I prompted to log in, even if I already just had a moment ago, whenever I try to post?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some users experience this problem when they do not allow cookies to be saved on their PCs. Also you should make sure you check the box to Remember Me when you log in.
     
