Win XP - cannot boot into safe mode

Follow the stuff below as best as you can. If you cannot boot in safe mode with networking , run the online scans in normal boot mode. As long as you can get into safe mode without networking run the other steps in safe mode. If you can never get into safe mode, tell us that and run everything in normal boot mode.

First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


After doing ALL of the above if you still have a problem:

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

Do all the steps and scans in the sticky thread as indicated and in the order indicated. Microsoft Antispyware is no longer listed there. We removed it. Detects too many false positives. So I'm not sure why you are asking about running it.

Did you try using the msconfig method to boot into safe mode:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

When done you need to disable this, in order to boot normal.

 

I'm sure the MS Antispyware will be good eventually. When we think the time is right, we will more than likely put it in the list of tools to use.

 

Well that really stinks! I think there may be a way to edit a boot.ini file on your PC to stop this. Do you have your original bootable Windows XP CD so we can try booting to the recovery console?

The HijackThis problem could be related to some malware.

 

Thanks for jumping in while I was away Adryn! That's where I was head next!

Any ideas why safe mode boot will not work?

 

Pauliwood,

I want you to go here: http://www.merijn.org/files/hijackthis1982.zip

And get the older version 1.98.2 version of HJT. Yes that's correct the old version. Then unzip the executable (don't overwrite your 1.99 version) somewhere and try to run it. Do you get the same error? If not, post a log from this version.

 

That's good to know about Nero's InCD! Do you know what version you had and what you upgraded to?

 

You have a load of problems including the lastest VX2 infection. Do the following while I look at your HJT log. It will take a while to run the find.bat file mentioned below. Make sure you wait for it to complete.

Download the below tools:

http://www.downloads.subratam.org/DllCompare.exe

Pocket KillBox


VX2.BetterInternet Finder XP/2k - Version Msg126

Generic Find It Tool - NT/2000/XP


Extract all the files from the Generic Tool into its own folder.
Then run find.bat. Post the log it creates back here as an attachment.

 

You also have another problem we need get fixed before attacking the VX2 issue.

Please download the following tool: LSP - Fix

Now run LSP-Fix.

Check the Box labeled "I know what I'm doing" and then click on the calsp.dll file (in the “Keep” section) to select it.

Then, Select the >> button to move calsp.dll into the Remove section.

Now, do the same for aklsp.

Now, click the Finish Button. When the Repair Summary box appears, click OK.

Also, you need to disable Spybot's TeaTimer function or it will get in our way. You do this by clicking Mode, Advanced, Tools, Resident screen. And disable all the Spybot resident protections for now.

 

You're welcome. You got hit worse than you think. This is going to take a number of steps and reboots to clear up completely. Here is another part of the cleanup:

Some of the below stuff (like the O1 - Hosts lines and the yuoiyo.exe or similar process) will come back it is part of the VX2 infection we will be working on repairing.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
D:\WINDOWS\System32\msupd4.exe
D:\WINDOWS\System32\yuoiyo.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {08D9BCA0-C530-BF59-EB2E-E3BF17686296} - D:\WINDOWS\System32\mgqiazos.dll
O2 - BHO: (no name) - {1419B852-BB22-7B3C-0B4B-1EF0C318D7AD} - D:\WINDOWS\System32\yladwqae.dll
O2 - BHO: - {264DF37D-E5B9-4735-BE12-518D20F66341} - D:\WINDOWS\lbbho.dll
O2 - BHO: (no name) - {27E0B508-6B0E-EA49-BE91-0687B28990CE} - D:\WINDOWS\System32\kmdablve.dll
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O2 - BHO: (no name) - {6DFE48BF-3DC4-DA46-ADA2-851A5F1E31CD} - D:\WINDOWS\System32\icprlcrv.dll
O2 - BHO: (no name) - {84865702-83C9-6C50-F3CF-98512A97239A} - D:\WINDOWS\System32\tkkwqcfp.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {A8BBC0A6-E13D-36C0-C294-202D9BE199DA} - D:\WINDOWS\System32\bwfcjxrm.dll
O2 - BHO: (no name) - {CAA1DA65-158B-728E-10E8-D5382B0590C7} - D:\WINDOWS\System32\hfxvjzpa.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O23 - Service: Miscrosoft Updates Service 4 - Unknown - D:\WINDOWS\System32\msupd4.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
D:\Program Files\Toolbar <--- the whole folder
D:\WINDOWS\System32\msupd4.exe
D:\WINDOWS\System32\yuoiyo.exe
D:\WINDOWS\System32\mgqiazos.dll
D:\WINDOWS\System32\yladwqae.dll
D:\WINDOWS\lbbho.dll
D:\WINDOWS\System32\kmdablve.dll
D:\WINDOWS\System32\icprlcrv.dll
D:\WINDOWS\System32\tkkwqcfp.dll
D:\WINDOWS\System32\bwfcjxrm.dll
D:\WINDOWS\System32\hfxvjzpa.dl

Now reboot in normal mode and post a new HJT log.

I guess you logged out for the night! So I have to tell you that the find.bat log may not be valid anymore because these VX2 infections normally mutate at each reboot. But it's okay if you already ran it. Post the output anyway. Some of the data will be valid and need cleanup. But NOTE: from now on if you are asked to post a log from find.bat, DO NOT REBOOT afterwards. You will have to wait for us to post a fix for you. You can disconnect from the Internet but no reboots. Otherwise it will prolong the cleanup.

 

Run HJT and after exiting ALL browser windows (including this one) Fix the below items:
O2 - BHO: (no name) - {08D9BCA0-C530-BF59-EB2E-E3BF17686296} - (no file)
O2 - BHO: (no name) - {1419B852-BB22-7B3C-0B4B-1EF0C318D7AD} - (no file)
O2 - BHO: (no name) - {27E0B508-6B0E-EA49-BE91-0687B28990CE} - (no file)
O2 - BHO: (no name) - {6DFE48BF-3DC4-DA46-ADA2-851A5F1E31CD} - (no file)
O2 - BHO: (no name) - {84865702-83C9-6C50-F3CF-98512A97239A} - (no file)
O2 - BHO: (no name) - {A8BBC0A6-E13D-36C0-C294-202D9BE199DA} - (no file)
O2 - BHO: (no name) - {CAA1DA65-158B-728E-10E8-D5382B0590C7} - (no file)

Now Exit HJT!

Here are the files that we need to delete using Killbox.

D:\WINDOWS\System32\ir42l5ho1.dll
D:\WINDOWS\System32\k444lehq1h4e.dll
D:\WINDOWS\system32\guzygz.dll
D:\WINDOWS\system32\pumzpm.exe
D:\WINDOWS\system32\zpuozu.dll
D:\WINDOWS\system32\quyaqy.dat
D:\WINDOWS\system32\yuoiyo.exe
and D:\WINDOWS\System32\guard.tmp

And here is how you need to do it.

Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

Now you are going to repeat the below steps for every file except D:\WINDOWS\System32\guard.tmp (we will add it separately at the end). Replace the the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in D:\WINDOWS\System32\ir42l5ho1.dll


1) Now, Copy and Paste fullpathfile into the box
2) Check the option to Use Dummy.
3) Now, Click the Red X and Yes to the confirmation message.
4) A message will ask if you want to reboot now – Click NO.
5) Repeat for all files except the last one

For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

Now, Copy and Paste D:\WINDOWS\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to
reboot Normally.

After it reboots get another findit.bat log and post it. Also post a new HJT log.

Also run Windows Explorer and look in the D:\WINDOWS\System32 folder and tell me if you see the guard.tmp file. If so, right click on it and select Delete. Tell me if that works?

 

Nope! I expected that!
Notice the file name is what we deleted: D:\WINDOWS\system32\pumzpm.exe


I need the last HJT and find.bat logs!

 

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\ygpuyp.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {08D9BCA0-C530-BF59-EB2E-E3BF17686296} - (no file) <---- did you forget to do all of these last time
O2 - BHO: (no name) - {1419B852-BB22-7B3C-0B4B-1EF0C318D7AD} - (no file)
O2 - BHO: (no name) - {27E0B508-6B0E-EA49-BE91-0687B28990CE} - (no file)
O2 - BHO: (no name) - {6DFE48BF-3DC4-DA46-ADA2-851A5F1E31CD} - (no file)
O2 - BHO: (no name) - {84865702-83C9-6C50-F3CF-98512A97239A} - (no file)
O2 - BHO: (no name) - {A8BBC0A6-E13D-36C0-C294-202D9BE199DA} - (no file)
O2 - BHO: (no name) - {CAA1DA65-158B-728E-10E8-D5382B0590C7} - (no file)
O4 - Global Startup: ygpuyp.exe

Then see if you can find this file with windows explorer
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\ygpuyp.exe

If so, right click on it and try to delete it. Tell me if all those steps work.

 

Normally! I would suggest that during cleanup steps you should not even be connected to the internet. And I hope you do exit all browsers (IE) and Windows Explorer sessions before you run HJT. It will have problems fixing things if you do not.

Wait for find.bat to complete and then fix the stuff with HJT and tell me if you were able to do what I asked (stop process, fix HJT lines, delete file).

Then we will see what to do next.

 

Okay! Reboot! And then post a new HJT log after reboot. Let me know if anymore error messages occur!

 

Run PocketKillbox, Copy and Paste D:\WINDOWS\System32\yuoiyo.exe into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No to the quesion about reboot.

Then exit Killbox!


Copy and paste the information in the below quote box to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg. Doubleclick it and grant it permission to merge in the registry entries.

Now reboot! Post a new HJT log. Any messages?

After reboot look for this file:
D:\WINDOWS\System32\yuoiyo.exe

If found, try to delete it. Tell me the results.

 

Yes! Let's be safe and make sure we got all of this nasty crap!

 

Not yet!!! You still have
O2 - BHO: (no name) - {08D9BCA0-C530-BF59-EB2E-E3BF17686296} - (no file)
O2 - BHO: (no name) - {1419B852-BB22-7B3C-0B4B-1EF0C318D7AD} - (no file)
O2 - BHO: (no name) - {27E0B508-6B0E-EA49-BE91-0687B28990CE} - (no file)
O2 - BHO: (no name) - {6DFE48BF-3DC4-DA46-ADA2-851A5F1E31CD} - (no file)
O2 - BHO: (no name) - {84865702-83C9-6C50-F3CF-98512A97239A} - (no file)
O2 - BHO: (no name) - {A8BBC0A6-E13D-36C0-C294-202D9BE199DA} - (no file)
O2 - BHO: (no name) - {CAA1DA65-158B-728E-10E8-D5382B0590C7} - (no file)

Try fixing again. Then scan again. I don't need a log just tell me if they are gone. We may need another reboot in between and for you to open and close a browser to be sure.

 

Uninstall MS Antispyware and then try fixing them. Don't forget the reboot inbetween. If that does not work will have to manually search the registry for those CLSIDs and then delete them. We should use Registrar Lite to do that.

 

No! Look at your HJT log:

O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

 

Is this folder on your hard disk: D:\Program Files\Microsoft AntiSpyware ?
Do you see the program in Add/Remove Programs?