Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

XP Pro SP3 resets (restarts) spybot hangs system when loadin

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

XP Pro SP3 resets (restarts) spybot hangs system when loadin

Unread postby drwiremore » June 14th, 2009, 10:50 am

Symptoms:
1) system shutdown needs to be clicked twice to work
2) right mouse on computer properties displays c:\windows\system32\SYSDM.CPL is not a valid windows image. (Was able to right mouse on computer and manage)
3) system hangs when "loading" spybot. (It installs, but can't run it to immunize)
4) System will reset, not a blue screen, but you hear a "click" like someone has just restarted the computer. Not a blue screen, but instead a black screen as the system begins its power up..bios, etc.
5) DVD(D), CD/R/W(E) not working; oddly both show up in dev mgr ad DVDs.

System had regcure, and a dated free AVG. Problem has been going on for 6 months. Can confirm that if you do "nothing" the system does not restart. Physical unit is clean, no dust, fans running, the powersupply is normal warm, not hot.

What I did:
1) copied sysdm.cpl from the dllcache, and this fixed items 1,2.
1a) removed the cd/dvd devices in safe mode, reboot, now they appear correct, although DVD doesn't work (works poorly and slowly), CD now works)

2) ran ccleaner and did some maintenance
3) ran mbam (in safe mode and normal) and it removed about 40+ items, ran till it reported noissues.
4) ran kapersky on-line, no errors found
5) did an sfc /scanonce, (pushed a copy of xp pro 2002 to c:\i386, regedit sourcepath to point to it and did the sfc), reboot.
6) Problem still remained, spybot won't run (have removed and reloaded in safe and normal mode) ran in safemode: VundoFix; Trojan.Vundo Removal Tool; VirtumundoBeGone and ComboFix...all came up with nothing. While I have these logs, have only posted the HJT (hijackthis.log) per the guidelines. dr (a very frustrated user)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:57 AM, on 6/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Originals\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h20264.www2.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/ins ... csxp2k.cab

--
End of file - 3198 bytes
drwiremore
Active Member
 
Posts: 8
Joined: June 13th, 2009, 10:17 am
Advertisement
Register to Remove

Re: XP Pro SP3 resets (restarts) spybot hangs system when loadin

Unread postby MWR 3 day Mod » June 18th, 2009, 12:03 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: XP Pro SP3 resets (restarts) spybot hangs system when loadin

Unread postby jmw3 » June 18th, 2009, 3:19 am

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is postedis ticked on the POST A REPLY page.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Gmer
Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.

You really should not be running ComboFix without trained assistance. It has the power to break a machine & render it inoperable if used inappropriately. Having said that I'd like to see the log.

One thing you might want to try with regards to Spybot hanging is to disable TeaTimer. It can cause real problems for a lot of malware scanners:

Disable Spybot's TeaTimer 1.5 & 1.6
  • If you have version 1.5, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol)
  • Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless
  • Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy
  • Click on Mode > Advanced Mode. When it prompts you, click Yes
  • On the left hand side, click on Tools
  • Check this box if it is not yet ticked: Resident
  • You will notice that Resident is now added under Tools. Click on Resident
  • Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active
  • Exit Spybot Search & Destroy
  • Restart your computer for the changes to take effect
Then try Spybot again.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
Contents of ComboFix log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: XP Pro SP3 resets (restarts) spybot hangs system when loadin

Unread postby drwiremore » June 18th, 2009, 4:17 am

Solved: stumbled on to a hardware issue, five main "caps" were domed, guessing high-heat on the motherboard adjacent to the cpu/sink/fan. Could not find root kits or malware anymore, because there was not any. Confirmed a hardware issue in the motherboard, please close this thread. Thanks for the reply; I really appreciate that you took the time to reply and offered advice and insight into tools. Your being a volunteer and helping folks is "appreciated" dr


Issue Follow-up Details:
Note: Caps or capacitors are typically flat on top. A small x, scored on the top. Under high-heat, a cap may pop, burst, or dome indicating a problem. That said: five main caps were domed.

The neighbor is a do-it-yourselfer, and I took no significance when they said they had replaced the fan by themselves. <boing> Upon closer examination, it was pointed out to me that the five large capacitors located next to the cpu/heat-sink/fan had domed (most likely from high heat.) Guessing this caused inconsistent behavior on the motherboard and cpu. Oddly, only certain programs stressed it, at least that I could repeat. When questioned, the neighbor said that the fan started to smell/smoke. ??? if it had stopped spinning and for how long. Went to the system board bios, and was dismayed that the "default" setting for the motherboard is to 'disable" high-temperature shut-down. Guessing it fried itself "partly."

As a test, did two things:
1) removed the existing hard-drive (A) from the system (leaving it intact, in case I was wrong and if so, could continue our diagnosis,) and installed a spare hard-drive, and fresh loaded XP pro 2002 on a newly created/formatted partition. Then, loaded spybot, same issue. Had the same issue with gmer, it would run and then the system would "post." Either heat or some portion of the cpu was failing. The memory passed a full mem test, and it worked without issue. That leaves the cpu or something on the board as root-cause. (in my opinion.)

2) having a spare system: put the hard-drive (A) into it, and it ran without issue, including spybot and gmer.

Root cause: An issue on the motherboard caused it to post either randomly or under stress by certain program(s), very odd. Given the test 1, 2 above, a malware removal in training person (me) guesses: hardware issue confirmed, repaired and now working without issue.

Thanks for the reply and offer for help. dr

PS: To your comment about the tools I used without formal training, yes, the risk was understood. I posted an original note, and being a do-it-yourselfer, replied to my own note, against forum rules. Therefore, I posted a 2nd note, and you folks are busy (understood), so we do what we can, while protecting the integrity of the troubled system. Appreciate the effort.

PPS: I have applied to malware university... (no reply after 4 days... guessing this is normal)

PPPS: In the end $300 of materials, and countless hours of diagnosis and rebuild "trials" for what ends up being a hardware issue, go-figure.
- purchased a new motherboard, and it was sata compatible, with limited ide
- replaced the now working 40GB IDE with a 160 gb SATA <duh>
- replaced a working power supply for one with sata connectors <duh>
- replaced a broken dvd rom IDE with a dvd r/w SATA (r/w for an extra 5 bucks.)
- installed new 2gb of memory, an improvement from the original 768 (512 + 256), cheap.
- the motherboard did not come with a cpu, installed a new 2200 dual Intel / Celeron
- aprox $50 for each ($42-52 each) $50 x 6 = $300.
- reused: floppy, cd/rw, the case.

Thanks again...hoping to be formally trained and be a volunteer for others... once certified.

dr (pending candidate for malware university)
drwiremore
Active Member
 
Posts: 8
Joined: June 13th, 2009, 10:17 am

Re: XP Pro SP3 resets (restarts) spybot hangs system when loadin

Unread postby jmw3 » June 18th, 2009, 4:56 am

Hello drwiremore
Good to see you go it sorted & thanks for letting me know.

PPS: I have applied to malware university... (no reply after 4 days... guessing this is normal)
Yes... it can at times take a week or so before you may here something, depending on how busy the Administrators are. So hang in there.
Thanks again...hoping to be formally trained and be a volunteer for others... once certified.

Can never have too many volounteers so Good Luck with it :thumbleft:
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: XP Pro SP3 resets (restarts) spybot hangs system when loadin

Unread postby Gary R » June 18th, 2009, 11:38 am

As you appear to have resolved your problems, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 47 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware