Cannot Boot Normally Into XP. Only Boots In Safe Mode



#1 Absolute Yonks

Posted 19 February 2008 - 03:53 PM

I am new to all of this and am trying to learn on the run. Probably am making a mistake or two here or there. But that sounds like how our lives get run anyhow (S O H K. . . !!!!) (SCHOOL OF HARD KNOCKS). I have tried all the system restore points, reg scans, virus scans, spyware scans I can think of and still can't get any joy. I am including a ComboFix scan and a Dave Deckard's scan text for any kind BRAIN SURGEONS out there that might have a blue clue as to what's cooking. ALL HELP GRATEFULLY ACCEPTED. MUCH THANKS. Ab Yonks

Deckard's System Scanner v20071014.68
Run by DAVE on 2008-02-17 15:23:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2008-02-17 13:23:28 UTC - RP30 - Deckard's System Scanner Restore Point
8: 2008-02-17 12:08:25 UTC - RP29 - Made by Registry Mechanic
7: 2008-02-17 12:01:30 UTC - RP28 - Uniblue RegistryBooster
6: 2008-02-17 11:35:55 UTC - RP27 - Made by Registry Mechanic
5: 2008-02-17 11:28:59 UTC - RP26 - Removed ErrorSmart


-- First Restore Point --
1: 2008-02-17 10:55:27 UTC - RP22 - Installed RegClean


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as DAVE.exe) ------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-17 15:28:53
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE
C:\WINDOWS\mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
C:\Program Files\RegClean\RegClean.exe
C:\Program Files\ErrorSmart\ErrorSmart.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DAVE\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program Files\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe


--
End of file - 5522 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R2 DgiVecp (Team MFP Comm Driver) - c:\windows\system32\drivers\dgivecp.sys <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>

S3 GMSIPCI - d:\install\gmsipci.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-17 13:25:42 400 --a------ C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
2008-02-17 12:55:41 384 --a------ C:\WINDOWS\Tasks\RegClean Scheduled Scan.job
2008-02-13 11:46:11 388 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1199958333.job


-- Files created between 2008-01-17 and 2008-02-17 -----------------------------

2008-02-17 14:00:08 0 d-------- C:\Documents and Settings\DAVE\Application Data\Uniblue
2008-02-17 13:25:35 0 d-------- C:\Documents and Settings\DAVE\Application Data\ErrorSmart
2008-02-17 13:25:26 0 d-------- C:\Program Files\ErrorSmart
2008-02-17 13:23:01 0 d-------- C:\Documents and Settings\DAVE\Application Data\Opera
2008-02-17 13:22:49 0 d-------- C:\Program Files\Opera
2008-02-17 12:55:35 0 d-------- C:\Documents and Settings\DAVE\Application Data\RegClean
2008-02-17 12:55:27 0 d-------- C:\Program Files\RegClean
2008-02-16 11:15:26 0 d-------- C:\Program Files\NoAdware5.0
2008-02-13 21:16:18 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ESET
2008-02-04 14:37:43 229376 --a------ C:\Documents and Settings\LocalService.NT AUTHORITY.000\ntuser.dat
2008-02-04 14:37:43 6144000 --a------ C:\Documents and Settings\DAVE\ntuser.dat
2008-02-01 21:03:34 786432 --a------ C:\Documents and Settings\Administrator.INKWISE\ntuser.dat
2008-01-31 00:00:14 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-01-29 14:56:22 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
2008-01-29 08:41:07 0 d-------- C:\WINDOWS\pss
2008-01-29 08:28:56 0 d--hs---- C:\WINDOWS\CSC
2008-01-21 11:38:47 0 --a------ C:\WINDOWS\mozver.dat
2008-01-21 08:48:53 0 d-------- C:\Documents and Settings\DAVE\Application Data\Talkback


-- Find3M Report ---------------------------------------------------------------

2008-02-16 11:30:44 0 d-------- C:\Program Files\Replay Converter
2008-02-13 20:54:33 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-02-01 23:02:03 0 d-------- C:\Documents and Settings\DAVE\Application Data\Skype
2008-01-29 15:01:02 0 d-------- C:\Program Files\Google
2008-01-29 14:59:57 0 d-------- C:\Program Files\Snapshot Viewer
2008-01-29 14:56:09 0 d-------- C:\Program Files\Xvid
2008-01-29 14:56:09 0 d-------- C:\Program Files\D-Tools
2008-01-29 14:55:57 0 d-------- C:\Documents and Settings\DAVE\Application Data\Adobe
2008-01-28 21:22:18 0 d-------- C:\Program Files\DivXCodec
2008-01-28 21:22:17 0 d-------- C:\Program Files\NimoCodec Pack
2008-01-28 21:22:07 0 d-------- C:\Program Files\ACE Mega CoDecS Pack
2008-01-13 12:19:44 0 d-------- C:\Program Files\Common Files\Real
2008-01-11 22:26:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-10 20:54:40 0 d-------- C:\Program Files\QuickTime
2008-01-10 19:57:01 0 d-------- C:\Program Files\Common Files
2008-01-10 19:10:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-10 18:58:19 0 d-------- C:\Program Files\Spyware Doctor
2008-01-10 13:07:16 0 d-------- C:\Program Files\PCI Audio Applications
2008-01-10 11:54:59 4608 --a------ C:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-01-10 11:54:59 2272 --a------ C:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-01-10 11:43:25 20458 --a------ C:\WINDOWS\hpoins01.dat
2008-01-10 09:45:27 0 d-------- C:\Program Files\microsoft frontpage
2008-01-09 10:04:12 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-01-09 10:03:38 0 d-------- C:\Program Files\Messenger
2008-01-04 18:57:23 0 d-------- C:\Program Files\e-Sword
2007-12-18 08:27:45 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006/11/23 03:10 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006/12/05 10:55 PM]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003/09/11 05:00 AM]
"VTTimer"="VTTimer.exe" [2003/05/07 10:32 AM C:\WINDOWS\system32\VTTimer.exe]
"C-Media Mixer"="Mixer.exe" [2002/10/15 12:00 PM C:\WINDOWS\mixer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008/01/10 08:54 PM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007/12/21 08:21 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006/08/28 01:52 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007/07/04 01:11 PM]
"@"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003/04/06 01:17:18 AM]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003/04/06 01:06:58 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999/02/18 12:05:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BTCLiveUpdate]
"C:\Program Files\LiveUpdate\LiveUpdate.exe" /autostart


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{621cdd69-93cc-11da-ac40-00138f18cbb9}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d66d214-ad75-11dc-b0da-00138f18cbb9}]
Auto\command- Ghost.pif
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Ghost.pif




-- End of Deckard's System Scanner: finished at 2008-02-17 15:30:36 ------------



ComboFix 08-02-17.2 - DAVE 2008-02-18 9:12:18.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.728 [GMT 2:00]
Running from: C:\Documents and Settings\DAVE\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-17 22:34 . 2008-02-18 08:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-17 15:22 . 2008-02-17 15:22 <DIR> d-------- C:\Deckard
2008-02-17 14:00 . 2008-02-17 14:00 <DIR> d-------- C:\Documents and Settings\DAVE\Application Data\Uniblue
2008-02-17 13:53 . 2008-02-17 22:53 687 --a------ C:\WINDOWS\win.tmp
2008-02-17 13:53 . 2008-02-16 14:32 227 --a------ C:\WINDOWS\system.tmp
2008-02-17 13:25 . 2008-02-17 13:28 <DIR> d-------- C:\Program Files\ErrorSmart
2008-02-17 13:25 . 2008-02-17 13:25 <DIR> d-------- C:\Documents and Settings\DAVE\Application Data\ErrorSmart
2008-02-17 13:22 . 2008-02-17 22:54 <DIR> d-------- C:\Program Files\Opera
2008-02-17 12:55 . 2008-02-17 13:10 <DIR> d-------- C:\Program Files\RegClean
2008-02-17 12:55 . 2008-02-17 12:57 <DIR> d-------- C:\Documents and Settings\DAVE\Application Data\RegClean
2008-02-16 11:15 . 2008-02-16 11:33 <DIR> d-------- C:\Program Files\NoAdware5.0
2008-02-13 21:16 . 2008-02-13 21:16 <DIR> d-------- C:\Program Files\ESET
2008-02-13 21:16 . 2008-02-13 21:16 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ESET
2008-01-31 00:00 . 2008-01-31 00:01 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-29 16:04 . 2008-02-18 08:22 90,112 --a------ C:\WINDOWS\DUMP2bd2.tmp
2008-01-22 23:12 . 2008-02-17 16:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-22 23:12 . 2008-01-22 23:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-21 11:38 . 2008-01-21 11:38 0 --a------ C:\WINDOWS\mozver.dat
2008-01-21 10:07 . 2008-01-21 10:07 <DIR> d-------- C:\Documents and Settings\USER\LOCALS~1
2008-01-21 08:48 . 2008-01-21 08:48 <DIR> d-------- C:\Documents and Settings\DAVE\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 20:54 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-17 20:54 --------- d-----w C:\Program Files\QuickTime
2008-02-16 09:30 --------- d-----w C:\Program Files\Replay Converter
2008-02-13 18:54 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-02-01 21:02 --------- d-----w C:\Documents and Settings\DAVE\Application Data\Skype
2008-01-29 13:01 --------- d-----w C:\Program Files\Google
2008-01-29 12:59 --------- d-----w C:\Program Files\Snapshot Viewer
2008-01-29 12:56 --------- d-----w C:\Program Files\Xvid
2008-01-29 12:56 --------- d-----w C:\Program Files\D-Tools
2008-01-28 19:22 --------- d-----w C:\Program Files\NimoCodec Pack
2008-01-28 19:22 --------- d-----w C:\Program Files\DivXCodec
2008-01-28 19:22 --------- d-----w C:\Program Files\ACE Mega CoDecS Pack
2008-01-13 10:19 --------- d-----w C:\Program Files\Common Files\Real
2008-01-11 20:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 18:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\QuickTime
2008-01-10 18:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-01-10 17:57 --------- d-----w C:\Program Files\Common Files\Softwin
2008-01-10 17:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-10 16:36 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-01-10 11:07 --------- d-----w C:\Program Files\PCI Audio Applications
2008-01-10 10:06 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\CyberLink
2008-01-10 09:54 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll
2008-01-10 09:43 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-01-10 07:46 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\SBT
2008-01-10 07:45 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-04 16:57 --------- d-----w C:\Program Files\e-Sword
2007-12-21 06:21 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-12-21 06:20 30,216 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 06:19 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-12-18 06:27 --------- d-----w C:\Program Files\Java
2006-07-20 12:06 15,272,744 ----a-w C:\Program Files\Install_Messenger_nous 5.exe
2006-07-18 18:03 12,754,672 ----a-w C:\Program Files\Windows MP10Setup.exe
2006-07-15 20:09 10,317,168 ----a-w C:\Program Files\SkypeSetup.exe
2006-07-06 08:12 182 ---ha-w C:\Documents and Settings\NetworkService.NT AUTHORITY\hpothb07.dat
2006-07-06 08:12 180 ---ha-w C:\Documents and Settings\LocalService.NT AUTHORITY\hpothb07.dat
2006-07-06 08:12 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2006-07-06 08:12 0 ---ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2006-07-06 08:12 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2006-07-06 08:12 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2006-04-19 16:35 319 ---ha-w C:\Documents and Settings\DAVE\hpothb07.dat
2006-01-28 11:16 0 ---ha-w C:\Documents and Settings\MAIN\hpothb07.dat
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.
<pre>
----a-w			48,925 2002-12-23 16:39:38  C:\Documents and Settings\DAVE\My Documents\inkwise\Drivers\Windows XP Pro Serial  Key Changer .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-08-28 13:52 2132112]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 13:11 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 05:00 99840]
"VTTimer"="VTTimer.exe" [2003-05-07 10:32 36864 C:\WINDOWS\system32\VTTimer.exe]
"C-Media Mixer"="Mixer.exe" [2002-10-15 12:00 1818624 C:\WINDOWS\mixer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 20:54 98304]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-08-28 13:52 2132112]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 00:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BTCLiveUpdate]
--a------ 2004-03-08 13:50 430080 C:\Program Files\LiveUpdate\LiveUpdate.exe

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 11:25:42 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
"2008-02-13 09:46:11 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1199958333.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-02-17 10:55:41 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 09:13:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-18 9:13:54
ComboFix2.txt 2008-02-18 06:46:05


#2 hamluis

Posted 19 February 2008 - 04:59 PM

If the system boots in Safe Mode...but won't boot in normal mode...then it seems safe to say that something that loads in normal mode (such as a driver) but does not load in Safe Mode (such as a driver) is borking your boot.

Which driver...that's a hard one.

Related post, IMO: http://www.bleepingcomputer.com/forums/t/102893/computer-reboots-every-5-mins-or-so/

Louis



