Only boots in safe mode

Discussion in 'Malware Help (A Specialist Will Reply)' started by sharpconnect, Oct 7, 2011.

  1. sharpconnect

    sharpconnect Private E-2

    EMachine T5212, Win XP SP3, pc tools firewall plus. Has decided since about 3 weeks ago, that it will only boot in safe mode. Can't figure out why it hangs on "my personal settings".

    Since I hadn't cleaned it in a while and it was getting real slow before this started, I have been working on the Malware Removal steps first.

    Attached are the logs that have been generated - at least part of them. Rest will come in second post.
     

    Attached Files:

  2. sharpconnect

    sharpconnect Private E-2

    here's the other log.
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hi,

    We're going to make a small batch file
    Boot into Safe Mode with Networking.
    Open Notepad
    Copy what is inside the below text box
    Paste it into Notepad
    File > Save As > fixme.bat, make sure File Type : All Files is turned on. (we do not want to save it as a .txt)
    Save this to your desktop.
    Now run fixme.bat by double-clicking it.

    From Add/Remove Programs (via Control Panel), please uninstall the below in the order shown here:

    1. Driver Detective
    2. Java(TM) 6 Update 23 <-- old
    3. StartNow Toolbar
    4. Uniblue RegistryBooster <-- If you did not pay for it, uninstall it
    5. Spy Sweeper Core <-- is this functioning? If not, uninstall
    6. AVG 2011 <-- Reboot after you remove this. Try Normal Mode first, if Normal Mode still does not work, go back into Safe Mode with Networking

    Once you have rebooted

    Now download AVG Remover to your desktop >> Download Link
    Now run it. After it is finished, Reboot your PC again

    Continue with the below in Safe Mode with Networking only if Normal Mode still does not work.

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    Delete ComboFix.exe from your desktop.
    Empty Recycle Bin.
    Download a new copy of ComboFix to your desktop>> Download Link
    Attach C:\ComboFix.txt when it is finished. (How to attach items to your post)

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
  4. sharpconnect

    sharpconnect Private E-2

    Followed all instructions. See attached *.doc file for comments on most of first steps.
    Completed all but still will not boot in normal mode. Continues to hang up on the window that says "loading your personal settings".

    Attached are the logs,
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Please download: McAfee Uninstaller
    • Run it, you can run it from Safe Mode.
      Note: The CAPTCHA code is case sensitive.
    • Reboot afterwards


    Is your computer part of a domain?
    Read the following: Windows XP Welcome Screen Appears to Stop Responding (Hang) During Logon

    I see you have the following programs installed:
    • Microsoft Forefront UAG endpoint components v4.0.0
    • Microsoft Internationalized Domain Names Mitigation APIs
    • Microsoft National Language Support Downlevel APIs
    Do you know if you (or your company) are making use of these programs? Please answer in your next post, but continue with the below as it may be an antivirus that didn't get completely uninstalled.

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DirLook::
    C:\$$$~1
    C:\$$$
    Driver::
    WebrootSpySweeperService
    AVGIDSAgent
    avgwd
    File::
    C:\Documents and Settings\Owner\Local Settings\Temp\2QqWgcLu.exe.part
    C:\Documents and Settings\Owner\Local Settings\Temp\7.tmp
    C:\Documents and Settings\Owner\Local Settings\Temp\9.tmp
    C:\Documents and Settings\Owner\Local Settings\Temp\ACB0.tmp
    C:\Documents and Settings\Owner\Local Settings\Temp\BIT3.tmp
    C:\Documents and Settings\Owner\Local Settings\Temp\rRmwo1BU.exe.part
    C:\Documents and Settings\Owner\Local Settings\Temp\TtyX85bS.exe.part
    C:\Documents and Settings\Owner\Desktop\Driver Wonder.lnk
    C:\Documents and Settings\All Users\Desktop\Driver Detective.lnk
    C:\$$$
    C:\WINDOWS\Temp\TMP000000013F6D3DD62FB7BD75
    FileLook::
    C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
    C:\WINDOWS\I386\USERINIT.EX_
    C:\WINDOWS\ServicePackFiles\i386\userinit.exe
    C:\WINDOWS\system32\userinit.exe
    Folder::
    C:\Documents and Settings\Owner\Local Settings\Temp\7.dir
    C:\Documents and Settings\Owner\Local Settings\Temp\7zO36.tmp
    C:\Documents and Settings\Owner\Local Settings\Temp\7zO3D.tmp
    C:\Documents and Settings\Owner\Local Settings\Temp\7zO8461172E
    C:\Documents and Settings\Owner\Local Settings\Temp\is-GP21U.tmp
    C:\Documents and Settings\Owner\Local Settings\Temp\mia45.tmp
    C:\Documents and Settings\Owner\Local Settings\Temp\VSD29.tmp
    C:\Documents and Settings\Owner\Local Settings\Temp\WER7889.dir00
    C:\Documents and Settings\Owner\Local Settings\Temp\WERaa03.dir00
    c:\documents and settings\Owner\Application Data\Ihab
    c:\documents and settings\Owner\Application Data\Ajipz
    c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
    C:\Documents and Settings\Owner\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150020}
    c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
    C:\Program Files\StartNow Toolbar
    C:\Program Files\Webroot
    C:\Program Files\Uniblue
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Driver Wonder Corp
    c:\program files\Driver Wonder Corp
    C:\$AVG8.VAULT$
    C:\$AVG
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DriverWonder"=-
    "StartNowToolbarHelper"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{3f963a5b-e555-4543-90e2-c3908898db71}"=-
    SecCenter::
    AV:  *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
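As an added example (not code from this thread, from ComboFix, or from MajorGeeks), the small Python parser below splits a CFScript like the one in the post above into its sections and reads the Registry:: lines with .reg-file semantics ([-KEY] deletes a key, "name"=- deletes a value), so a helper can review exactly what a script will touch before handing it to someone. The embedded sample is a constructed, trimmed copy of the script in this post; the function names are my own.

```python
import re

# Constructed sample: a trimmed copy of the CFScript posted above, embedded
# so the parser runs offline (paths are the thread's, not a real machine's).
SAMPLE_CFSCRIPT = """\
KillAll::
Driver::
WebrootSpySweeperService
AVGIDSAgent
File::
C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\7.tmp
Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"DriverWonder"=-
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeAntiVirus]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")

def parse_cfscript(text):
    """Split a CFScript into {section: [body lines]}. A line 'Name::' opens a
    section; bare directives such as KillAll:: simply get an empty list."""
    sections = {}
    current = None
    for line in filter(None, map(str.strip, text.splitlines())):
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line outside any section: {line!r}")
        else:
            sections[current].append(line)
    return sections

def registry_actions(lines):
    """Read Registry:: lines with .reg-file semantics: [-KEY] deletes a whole
    key, and "name"=- deletes one value under the most recent [KEY] header."""
    actions, key = [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1]))
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and line.endswith('"=-') and key:
            actions.append(("delete_value", key, line[1:-3]))
    return actions
```

Running parse_cfscript on the full script from the post lists every driver, file, folder and registry entry it will act on, which is the review step worth doing before a script is run on someone else's machine.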
     
  6. sharpconnect

    sharpconnect Private E-2

    Yesterday it booted to normal mode with some memory reference error messages.
    Rebooted today and it went straight to the desktop password page [any way to eliminate that page popping up?] then directly to desktop. And so fast!! Didn't have the normal time to go get a cup of coffee.

    Ran combofix - log attached.

    deleted old and installed new java.

    also ran mgtool.getlogs. see attached.

    Is there anything else I should do?

    Thanks a million! I was thinking I would have to buy a new computer.
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    Just one more minor trace of AVG to remove. The rest of your logs are clean.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    You can also delete this empty folder -> C:\$$$

    Yes you can remove that. Review Method 1 here -> http://windowsxp.mvps.org/autologon.htm using the control userpasswords2 command.


    Your ComboFix log shows the following "Cryptography Services Error !!"

    Not a malware problem but if you start noticing you have issues downloading and installing Windows Updates, you can give this a try to see if it fixes it. Microsoft Fix it 50528

    You're welcome. Surf safely!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
