TechSpot

Windows XP SP3 only boots to Safe Mode

Inactive
By RPTech
Sep 21, 2013
  1. Good day!

    My PC only boots to Safe Mode. Normal boot displays Windows splash screen; progress bar makes several passes then freezes. Attempting to load Windows to "Last Known Good Configuration" results in a freeze as well. I've not added any software nor hardware recently. I am running the latest Kaspersky AV (updated).

    Here is my FRST dump:
    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20-09-2013
    Ran by SYSTEM on REATOGO on 21-09-2013 09:35:27
    Running from F:\
    Microsoft Windows XP (X86) OS Language: English(US)
    Internet Explorer Version 8
    Boot Mode: Recovery

    The current controlset is ControlSet001
    ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    HKLM\...\Run: [NvMediaCenter] - RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    HKLM\...\Run: [] - [x]
    HKLM\...\Run: [MSConfig] - C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [169984 2008-04-14] (Microsoft Corporation)
    Winlogon\Notify\klogon: C:\WINDOWS\system32\klogon.dll (Kaspersky Lab ZAO)
    Winlogon\Notify\WgaLogon: C:\Windows\system32\WgaLogon.dll (Microsoft Corporation)

    ========================== Services (Whitelisted) =================

    S2 AVP; C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe [356376 2013-01-19] (Kaspersky Lab ZAO)
    S2 VRAID Log Service; C:\Program Files\VIA\RAID\vialogsv.exe [52888 2010-08-07] ()

    ==================== Drivers (Whitelisted) ====================

    S3 ALCXSENS; C:\Windows\System32\drivers\ALCXSENS.SYS [401152 2003-10-04] (Sensaura Ltd)
    S3 ALCXWDM; C:\Windows\System32\drivers\ALCXWDM.SYS [475788 2003-10-09] (Realtek Semiconductor Corp.)
    S2 Aspi32; C:\Windows\System32\Drivers\Aspi32.sys [25244 1999-09-10] (Adaptec)
    S2 BulkUsb; C:\Windows\System32\Drivers\usbscan.sys [15104 2008-04-14] (Microsoft Corporation)
    S3 FETND5BV; C:\Windows\System32\DRIVERS\fetnd5bv.sys [42496 2004-12-16] (VIA Technologies, Inc. )
    S3 FETNDIS; C:\Windows\System32\DRIVERS\fetnd5.sys [27165 2001-08-17] (VIA Technologies, Inc. )
    S3 grmnusb; C:\Windows\System32\drivers\grmnusb.sys [9344 2009-04-17] (GARMIN Corp.)
    S3 HPFXBULK; C:\Windows\System32\drivers\hpfxbulk.sys [17432 2007-07-16] (Hewlett Packard)
    S1 hwinterface; C:\Windows\System32\Drivers\hwinterface.sys [3026 2010-09-05] (Logix4u)
    S0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [136024 2012-06-19] (Kaspersky Lab ZAO)
    S1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [591968 2013-04-24] (Kaspersky Lab ZAO)
    S3 klim5; C:\Windows\System32\DRIVERS\klim5.sys [35672 2012-06-27] (Kaspersky Lab ZAO)
    S3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [24408 2013-01-19] (Kaspersky Lab)
    S3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [24920 2013-01-19] (Kaspersky Lab)
    S1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [44000 2013-06-19] (Kaspersky Lab ZAO)
    S1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [145040 2013-04-24] (Kaspersky Lab ZAO)
    S3 libusb0; C:\Windows\System32\drivers\libusb0.sys [24832 2007-01-23] (http://libusb-win32.sourceforge.net)
    S2 NPF; C:\WINDOWS\system32\drivers\npf.sys [35088 2012-11-11] (CACE Technologies, Inc.)
    S0 viaagp1; C:\Windows\System32\DRIVERS\viaagp1.sys [27904 2003-07-02] (VIA Technologies, Inc.)
    S0 viamraid; C:\Windows\System32\DRIVERS\viamraid.sys [117248 2010-08-07] (VIA Technologies inc,.ltd)
    S4 IntelIde; No ImagePath
    S5 klflt; C:\Windows\System32\Drivers\klflt.sys [74336 2013-04-24] (Kaspersky Lab ZAO)
    S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
    S1 StarPortLite; system32\DRIVERS\StarPortLite.sys [x]
    S0 viasraid; system32\DRIVERS\viasraid.sys [x]
    S1 WS2IFSL;

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-09-21 09:35 - 2013-09-21 09:35 - 00000000 ____D C:\FRST
    2013-09-21 07:00 - 2013-09-21 07:10 - 00000000 ____D C:\Windows\pss
    2013-09-21 07:00 - 2013-09-21 07:00 - 00000000 __SHD C:\Windows\CSC
    2013-09-21 06:41 - 2013-09-21 06:41 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
    2013-09-21 06:30 - 2013-09-21 06:30 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
    2013-09-21 06:29 - 2013-09-21 06:42 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
    2013-09-21 06:29 - 2010-08-07 08:44 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
    2013-09-21 06:29 - 2010-08-07 08:38 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Macromedia
    2013-09-19 01:28 - 2013-09-19 01:28 - 00000000 __SHD C:\found.000
    2013-09-13 13:15 - 2013-09-13 13:15 - 04751752 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
    2013-09-12 03:09 - 2013-09-12 03:09 - 00014351 _____ C:\Windows\KB2870699-IE8.log
    2013-09-12 03:07 - 2013-09-12 03:07 - 00000000 __HDC C:\Windows\$NtUninstallKB2876315$
    2013-09-12 03:07 - 2013-09-12 03:07 - 00000000 __HDC C:\Windows\$NtUninstallKB2876217$
    2013-09-12 03:06 - 2013-09-12 03:06 - 00000000 __HDC C:\Windows\$NtUninstallKB2864063$
    2013-09-12 03:00 - 2013-09-12 03:00 - 00053248 _____ C:\Windows\System32\config\seciruty
    2013-09-11 04:17 - 2013-09-12 03:07 - 00013536 _____ C:\Windows\KB2876315.log
    2013-09-11 04:17 - 2013-09-12 03:07 - 00012545 _____ C:\Windows\KB2876217.log
    2013-09-11 04:17 - 2013-09-12 03:07 - 00012473 _____ C:\Windows\KB2864063.log
    2013-08-28 03:00 - 2013-08-28 03:00 - 00005661 _____ C:\Windows\KB2834904-v2.log
    2013-08-28 03:00 - 2013-08-28 03:00 - 00000000 __HDC C:\Windows\$NtUninstallKB2834904-v2_WM11$
    2013-08-28 03:00 - 2013-08-28 03:00 - 00000000 _____ C:\Windows\setuperr.log

    ==================== One Month Modified Files and Folders =======

    2013-09-21 09:35 - 2013-09-21 09:35 - 00000000 ____D C:\FRST
    2013-09-21 07:57 - 2010-08-06 20:31 - 00000278 ___SH C:\Documents and Settings\Dad\ntuser.ini
    2013-09-21 07:57 - 2010-08-06 20:24 - 01113109 _____ C:\Windows\WindowsUpdate.log
    2013-09-21 07:14 - 2006-02-28 08:00 - 00013646 _____ C:\Windows\System32\wpa.dbl
    2013-09-21 07:10 - 2013-09-21 07:00 - 00000000 ____D C:\Windows\pss
    2013-09-21 07:10 - 2010-08-06 18:04 - 00000211 ___SH C:\boot.ini
    2013-09-21 07:10 - 2006-02-28 08:00 - 00000645 _____ C:\Windows\win.ini
    2013-09-21 07:10 - 2006-02-28 08:00 - 00000243 _____ C:\Windows\system.ini
    2013-09-21 07:04 - 2010-08-06 20:22 - 00000000 ____D C:\Windows\Registration
    2013-09-21 07:00 - 2013-09-21 07:00 - 00000000 __SHD C:\Windows\CSC
    2013-09-21 06:42 - 2013-09-21 06:29 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
    2013-09-21 06:41 - 2013-09-21 06:41 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
    2013-09-21 06:30 - 2013-09-21 06:30 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
    2013-09-20 18:21 - 2010-08-06 18:05 - 00181098 _____ C:\Windows\setupact.log
    2013-09-20 13:57 - 2010-08-06 18:04 - 07077888 _____ C:\Windows\System32\config\system.bak
    2013-09-19 06:06 - 2010-08-06 20:29 - 00032656 _____ C:\Windows\SchedLgU.Txt
    2013-09-19 05:46 - 2013-01-19 09:37 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2013-09-19 05:31 - 2010-08-07 05:45 - 00001932 _____ C:\statusclient.log
    2013-09-19 05:31 - 2010-08-06 21:05 - 00190661 _____ C:\Windows\System32\nvapps.xml
    2013-09-19 01:28 - 2013-09-19 01:28 - 00000000 __SHD C:\found.000
    2013-09-13 18:31 - 2013-05-05 09:54 - 00000000 ____D C:\Documents and Settings\Dad\My Documents\SEFOA 2013
    2013-09-13 13:15 - 2013-09-13 13:15 - 04751752 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
    2013-09-13 13:15 - 2012-05-11 06:32 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2013-09-13 13:15 - 2012-04-11 20:36 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2013-09-12 03:26 - 2012-03-17 15:59 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
    2013-09-12 03:26 - 2010-08-06 18:05 - 00326704 _____ C:\Windows\System32\FNTCACHE.DAT
    2013-09-12 03:25 - 2010-08-06 18:08 - 00000456 _____ C:\Windows\wiadebug.log
    2013-09-12 03:25 - 2010-08-06 18:08 - 00000049 _____ C:\Windows\wiaservc.log
    2013-09-12 03:09 - 2013-09-12 03:09 - 00014351 _____ C:\Windows\KB2870699-IE8.log
    2013-09-12 03:09 - 2010-08-07 05:28 - 00209782 _____ C:\Windows\updspapi.log
    2013-09-12 03:09 - 2010-08-06 18:06 - 01810745 _____ C:\Windows\iis6.log
    2013-09-12 03:09 - 2010-08-06 18:06 - 01671549 _____ C:\Windows\FaxSetup.log
    2013-09-12 03:09 - 2010-08-06 18:06 - 00806264 _____ C:\Windows\ocgen.log
    2013-09-12 03:09 - 2010-08-06 18:06 - 00763649 _____ C:\Windows\tsoc.log
    2013-09-12 03:09 - 2010-08-06 18:06 - 00562625 _____ C:\Windows\comsetup.log
    2013-09-12 03:09 - 2010-08-06 18:06 - 00509266 _____ C:\Windows\msmqinst.log
    2013-09-12 03:09 - 2010-08-06 18:06 - 00339530 _____ C:\Windows\ntdtcsetup.log
    2013-09-12 03:09 - 2010-08-06 18:06 - 00292708 _____ C:\Windows\netfxocm.log
    2013-09-12 03:09 - 2010-08-06 18:06 - 00115781 _____ C:\Windows\MedCtrOC.log
    2013-09-12 03:09 - 2010-08-06 18:06 - 00092360 _____ C:\Windows\ocmsn.log
    2013-09-12 03:09 - 2010-08-06 18:06 - 00084484 _____ C:\Windows\tabletoc.log
    2013-09-12 03:09 - 2010-08-06 18:06 - 00083499 _____ C:\Windows\msgsocm.log
    2013-09-12 03:09 - 2010-08-06 18:06 - 00001374 _____ C:\Windows\imsins.log
    2013-09-12 03:07 - 2013-09-12 03:07 - 00000000 __HDC C:\Windows\$NtUninstallKB2876315$
    2013-09-12 03:07 - 2013-09-12 03:07 - 00000000 __HDC C:\Windows\$NtUninstallKB2876217$
    2013-09-12 03:07 - 2013-09-11 04:17 - 00013536 _____ C:\Windows\KB2876315.log
    2013-09-12 03:07 - 2013-09-11 04:17 - 00012545 _____ C:\Windows\KB2876217.log
    2013-09-12 03:07 - 2013-09-11 04:17 - 00012473 _____ C:\Windows\KB2864063.log
    2013-09-12 03:07 - 2010-08-06 18:06 - 00001374 _____ C:\Windows\imsins.BAK
    2013-09-12 03:06 - 2013-09-12 03:06 - 00000000 __HDC C:\Windows\$NtUninstallKB2864063$
    2013-09-12 03:04 - 2013-07-13 03:00 - 00000000 ____D C:\Windows\System32\MRT
    2013-09-12 03:01 - 2010-08-08 06:55 - 76725432 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2013-09-12 03:00 - 2013-09-12 03:00 - 00053248 _____ C:\Windows\System32\config\seciruty
    2013-09-11 20:28 - 2013-08-10 07:22 - 00000000 ____D C:\Program Files\Mozilla Firefox
    2013-09-05 16:51 - 2013-08-11 11:29 - 00020092 _____ C:\Documents and Settings\Dad\Desktop\Roster with numbers.xlsx
    2013-09-03 16:35 - 2013-06-16 06:46 - 00001813 _____ C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
    2013-08-30 19:14 - 2013-07-12 17:41 - 00000000 ____D C:\Documents and Settings\Dad\Desktop\Harvey Littleton
    2013-08-29 23:47 - 2011-08-01 20:17 - 00000000 ____D C:\Documents and Settings\Dad\Application Data\HpUpdate
    2013-08-28 03:00 - 2013-08-28 03:00 - 00005661 _____ C:\Windows\KB2834904-v2.log
    2013-08-28 03:00 - 2013-08-28 03:00 - 00000000 __HDC C:\Windows\$NtUninstallKB2834904-v2_WM11$
    2013-08-28 03:00 - 2013-08-28 03:00 - 00000000 _____ C:\Windows\setuperr.log
    2013-08-23 06:12 - 2010-08-07 05:42 - 00000000 ____D C:\Program Files\Hewlett-Packard

    ==================== Known DLLs (Whitelisted) ============


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points (XP) =====================

    RP: -> 2013-08-18 14:37 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP999

    RP: -> 2013-08-17 13:00 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP998

    RP: -> 2013-08-16 07:27 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP997

    RP: -> 2013-08-16 04:46 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP996

    RP: -> 2013-08-15 03:00 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP995

    RP: -> 2013-08-14 03:00 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP994

    RP: -> 2013-08-13 21:23 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP993

    RP: -> 2013-08-12 17:56 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP992

    RP: -> 2013-08-11 11:13 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP991

    RP: -> 2013-09-21 07:03 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1028

    RP: -> 2013-09-19 05:39 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1027

    RP: -> 2013-09-18 15:09 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1026

    RP: -> 2013-09-17 14:05 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1025

    RP: -> 2013-09-16 10:41 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1024

    RP: -> 2013-09-15 09:54 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1023

    RP: -> 2013-09-14 04:42 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1022

    RP: -> 2013-09-13 03:00 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1021

    RP: -> 2013-09-12 03:00 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1020

    RP: -> 2013-09-10 22:49 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1019

    RP: -> 2013-09-09 22:01 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1018

    RP: -> 2013-09-08 06:45 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1017

    RP: -> 2013-09-07 00:09 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1016

    RP: -> 2013-09-05 23:26 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1015

    RP: -> 2013-09-04 21:59 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1014

    RP: -> 2013-09-03 19:21 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1013

    RP: -> 2013-09-02 14:40 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1012

    RP: -> 2013-09-01 13:22 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1011

    RP: -> 2013-08-31 09:32 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1010

    RP: -> 2013-08-30 08:10 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1009

    RP: -> 2013-08-29 03:52 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1008

    RP: -> 2013-08-28 03:00 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1007

    RP: -> 2013-08-27 23:52 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1006

    RP: -> 2013-08-26 23:30 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1005

    RP: -> 2013-08-25 13:48 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1004

    RP: -> 2013-08-24 12:27 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1003

    RP: -> 2013-08-23 08:36 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1002

    RP: -> 2013-08-21 18:53 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1001

    RP: -> 2013-08-20 06:07 - 028672 _restore{2591FEA6-58F6-416C-AA70-D32E94B265EA}\RP1000


    ==================== Memory info ===========================

    Percentage of memory in use: 12%
    Total physical RAM: 2047.48 MB
    Available physical RAM: 1786.45 MB
    Total Pagefile: 1878.14 MB
    Available Pagefile: 1811.71 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1994.18 MB

    ==================== Drives ================================

    Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
    Drive c: () (Fixed) (Total:149.04 GB) (Free:86.11 GB) NTFS ==>[Drive with boot components (Windows XP)]
    Drive f: () (Removable) (Total:0.97 GB) (Free:0.59 GB) FAT
    Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows XP) (Size: 149 GB) (Disk ID: 18492916)
    Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 2 (Size: 993 MB) (Disk ID: 00000000)
    Partition 1: (Not Active) - (Size=992 MB) - (Type=06)

    ==================== End Of Log ============================

    And the Search results of FRST:
    Farbar Recovery Scan Tool (x86) Version: 20-09-2013
    Ran by SYSTEM at 2013-09-21 09:39:42
    Running from F:\
    Boot Mode: Recovery

    ================== Search: "services.exe" ===================

    C:\WINDOWS\system32\services.exe
    [2006-02-28 08:00] - [2009-02-06 07:11] - 0110592 ____A (Microsoft Corporation) 65df52f5b8b6e9bbd183505225c37315

    C:\WINDOWS\system32\dllcache\services.exe
    [2010-08-07 21:54] - [2009-02-06 07:11] - 0110592 ____C (Microsoft Corporation) 65df52f5b8b6e9bbd183505225c37315

    C:\WINDOWS\ServicePackFiles\i386\services.exe
    [2010-08-07 05:30] - [2008-04-14 05:42] - 0108544 ____C (Microsoft Corporation) 0e776ed5f7cc9f94299e70461b7b8185

    C:\WINDOWS\$NtUninstallKB956572$\services.exe
    [2010-08-08 06:54] - [2008-04-14 05:42] - 0108544 ____C (Microsoft Corporation) 0e776ed5f7cc9f94299e70461b7b8185

    C:\WINDOWS\$NtServicePackUninstall$\services.exe
    [2010-08-07 05:25] - [2006-02-28 08:00] - 0108032 ____C (Microsoft Corporation) c6ce6eec82f187615d1002bb3bb50ed4

    C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
    [2010-08-07 21:54] - [2009-02-06 07:06] - 0110592 ___AC (Microsoft Corporation) 020ceaaedc8eb655b6506b8c70d53bb6

    === End Of Search ===

    Any help genuinely appreciated. Thanks.

    RP
  2. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ================================

    I don't see anything malicious there.

    Do you remember the last time (date) you were able to boot to normal mode?
  3. RPTech

    RPTech TS Rookie Topic Starter

    Thank you for your reply.

    The last time I was able to boot successfully was 3 or 4 days ago. Shutdown was normal. I've not had any indications of hardware issue, but that probably really amounts to nothing. Since I can get into Safe Mode repeatedly, I have taken the time to retrieve any files that cannot be duplicated. I'd rather not have to upgrade to a newer version at this time but that may not be an option here. Any related suggestions would be appreciated.
  4. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    You will need a USB flash drive.

    Download GETxPUD.exe to the desktop of your clean computer
    • Run GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Next download rst.sh to your USB flash drive
    • Remove the USB & CD and insert them in the sick computer
    • Boot the Sick computer with the CD you just burned
    • The computer must be set to boot from the CD
    • Gently tap F12 and choose to boot from the CD
    • Follow the prompts
    • A Welcome to xPUD screen will appear
    • Press File
    • Expand mnt
    • sda1,2...usually corresponds to your HDD
    • sdb1 is likely your USB
    • Click on the folder that represents your USB drive (sdb1 ?)
    • Confirm that you see rst.sh that you downloaded there
    • Press Tool at the top
    • Choose Open Terminal
    • Type bash rst.sh
    • Press Enter
    • After it has finished a report will be located on your USB drive named enum.log
    • Remove the USB drive and insert it back in your working computer and navigate to enum.log

      Please note - all text entries are case sensitive
    Copy and paste the enum.log for my review
  5. RPTech

    RPTech TS Rookie Topic Starter

    Enum.log entries below:


    32.4M Sep 21 16:12 /mnt/sda1/WINDOWS/system32/config/software
    6.8M Sep 21 16:12 /mnt/sda1/WINDOWS/system32/config/system

    32.4M Sep 8 10:45 /sda1/~/RP1017/~SOFTWARE
    32.4M Sep 10 02:01 /sda1/~/RP1018/~SOFTWARE
    32.4M Sep 11 02:49 /sda1/~/RP1019/~SOFTWARE
    32.4M Sep 12 07:00 /sda1/~/RP1020/~SOFTWARE
    32.4M Sep 13 07:00 /sda1/~/RP1021/~SOFTWARE
    32.4M Sep 14 08:42 /sda1/~/RP1022/~SOFTWARE
    32.4M Sep 15 13:54 /sda1/~/RP1023/~SOFTWARE
    32.4M Sep 16 14:41 /sda1/~/RP1024/~SOFTWARE
    32.4M Sep 17 18:05 /sda1/~/RP1025/~SOFTWARE
    32.4M Sep 18 19:09 /sda1/~/RP1026/~SOFTWARE
    32.4M Sep 19 09:39 /sda1/~/RP1027/~SOFTWARE
    32.4M Sep 21 11:03 /sda1/~/RP1028/~SOFTWARE
    32.2M Aug 11 15:13 /sda1/~/RP991/~SOFTWARE
    32.2M Aug 12 21:56 /sda1/~/RP992/~SOFTWARE
    32.2M Aug 14 01:23 /sda1/~/RP993/~SOFTWARE
    32.2M Aug 14 07:00 /sda1/~/RP994/~SOFTWARE
    32.2M Aug 15 07:00 /sda1/~/RP995/~SOFTWARE
    32.4M Aug 16 08:46 /sda1/~/RP996/~SOFTWARE
    32.4M Aug 16 11:27 /sda1/~/RP997/~SOFTWARE
    32.4M Aug 17 17:00 /sda1/~/RP998/~SOFTWARE
    32.4M Aug 18 18:37 /sda1/~/RP999/~SOFTWARE
    32.4M Aug 20 10:07 /sda1/~/RP1000/~SOFTWARE
    32.4M Aug 21 22:53 /sda1/~/RP1001/~SOFTWARE
    32.4M Aug 23 12:36 /sda1/~/RP1002/~SOFTWARE
    32.4M Aug 24 16:27 /sda1/~/RP1003/~SOFTWARE
    32.4M Aug 25 17:48 /sda1/~/RP1004/~SOFTWARE
    32.4M Aug 27 03:30 /sda1/~/RP1005/~SOFTWARE
    32.4M Aug 28 03:52 /sda1/~/RP1006/~SOFTWARE
    32.4M Aug 28 07:00 /sda1/~/RP1007/~SOFTWARE
    32.4M Aug 29 07:52 /sda1/~/RP1008/~SOFTWARE
    32.4M Aug 30 12:10 /sda1/~/RP1009/~SOFTWARE
    32.4M Aug 31 13:32 /sda1/~/RP1010/~SOFTWARE
    32.4M Sep 1 17:22 /sda1/~/RP1011/~SOFTWARE
    32.4M Sep 2 18:40 /sda1/~/RP1012/~SOFTWARE
    32.4M Sep 3 23:21 /sda1/~/RP1013/~SOFTWARE
    32.4M Sep 5 01:59 /sda1/~/RP1014/~SOFTWARE
    32.4M Sep 6 03:26 /sda1/~/RP1015/~SOFTWARE
    32.4M Sep 7 04:09 /sda1/~/RP1016/~SOFTWARE
    6.7M Sep 8 10:45 /sda1/~/RP1017/~SYSTEM
    6.7M Sep 10 02:01 /sda1/~/RP1018/~SYSTEM
    6.7M Sep 11 02:49 /sda1/~/RP1019/~SYSTEM
    6.7M Sep 12 07:00 /sda1/~/RP1020/~SYSTEM
    6.7M Sep 13 07:00 /sda1/~/RP1021/~SYSTEM
    6.7M Sep 14 08:42 /sda1/~/RP1022/~SYSTEM
    6.7M Sep 15 13:54 /sda1/~/RP1023/~SYSTEM
    6.7M Sep 16 14:41 /sda1/~/RP1024/~SYSTEM
    6.7M Sep 17 18:05 /sda1/~/RP1025/~SYSTEM
    6.7M Sep 18 19:09 /sda1/~/RP1026/~SYSTEM
    6.7M Sep 19 09:39 /sda1/~/RP1027/~SYSTEM
    6.7M Sep 21 11:03 /sda1/~/RP1028/~SYSTEM
    6.7M Aug 11 15:13 /sda1/~/RP991/~SYSTEM
    6.7M Aug 12 21:56 /sda1/~/RP992/~SYSTEM
    6.7M Aug 14 01:23 /sda1/~/RP993/~SYSTEM
    6.7M Aug 14 07:00 /sda1/~/RP994/~SYSTEM
    6.7M Aug 15 07:00 /sda1/~/RP995/~SYSTEM
    6.7M Aug 16 08:46 /sda1/~/RP996/~SYSTEM
    6.7M Aug 16 11:27 /sda1/~/RP997/~SYSTEM
    6.7M Aug 17 17:00 /sda1/~/RP998/~SYSTEM
    6.7M Aug 18 18:37 /sda1/~/RP999/~SYSTEM
    6.7M Aug 20 10:07 /sda1/~/RP1000/~SYSTEM
    6.7M Aug 21 22:53 /sda1/~/RP1001/~SYSTEM
    6.7M Aug 23 12:36 /sda1/~/RP1002/~SYSTEM
    6.7M Aug 24 16:27 /sda1/~/RP1003/~SYSTEM
    6.7M Aug 25 17:48 /sda1/~/RP1004/~SYSTEM
    6.7M Aug 27 03:30 /sda1/~/RP1005/~SYSTEM
    6.7M Aug 28 03:52 /sda1/~/RP1006/~SYSTEM
    6.7M Aug 28 07:00 /sda1/~/RP1007/~SYSTEM
    6.7M Aug 29 07:52 /sda1/~/RP1008/~SYSTEM
    6.7M Aug 30 12:10 /sda1/~/RP1009/~SYSTEM
    6.7M Aug 31 13:32 /sda1/~/RP1010/~SYSTEM
    6.7M Sep 1 17:22 /sda1/~/RP1011/~SYSTEM
    6.7M Sep 2 18:40 /sda1/~/RP1012/~SYSTEM
    6.7M Sep 3 23:21 /sda1/~/RP1013/~SYSTEM
    6.7M Sep 5 01:59 /sda1/~/RP1014/~SYSTEM
    6.7M Sep 6 03:26 /sda1/~/RP1015/~SYSTEM
    6.7M Sep 7 04:09 /sda1/~/RP1016/~SYSTEM
  6. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    Please open the terminal again from your USB device and type:

    bash rst.sh -r

    Press Enter

    Type 1018 and press Enter.

    When done restart your computer normally and see if you can successfully log on now.
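A way to read a listing like the enum.log above before choosing a restore point number, added here as an example and not taken from rst.sh or from anyone in the thread: it groups the hive backups by restore point and lists the complete ones taken at or before a chosen cutoff. The function names, the year (the listing carries none), the cutoff and the 0.5 size ratio are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample in the enum.log layout shown in the thread
# (size, month, day, time, path). RP1019 lacks a SYSTEM hive and
# RP1020 has an undersized one; both rows are made up for the example.
SAMPLE_ENUM_LOG = """\
32.4M Sep 21 16:12 /mnt/sda1/WINDOWS/system32/config/software
6.8M Sep 21 16:12 /mnt/sda1/WINDOWS/system32/config/system
32.4M Sep 8 10:45 /sda1/~/RP1017/~SOFTWARE
32.4M Sep 10 02:01 /sda1/~/RP1018/~SOFTWARE
32.4M Sep 11 02:49 /sda1/~/RP1019/~SOFTWARE
32.4M Sep 12 07:00 /sda1/~/RP1020/~SOFTWARE
32.4M Sep 19 09:39 /sda1/~/RP1027/~SOFTWARE
32.4M Sep 21 11:03 /sda1/~/RP1028/~SOFTWARE
6.7M Sep 8 10:45 /sda1/~/RP1017/~SYSTEM
6.7M Sep 10 02:01 /sda1/~/RP1018/~SYSTEM
0.3M Sep 12 07:00 /sda1/~/RP1020/~SYSTEM
6.7M Sep 19 09:39 /sda1/~/RP1027/~SYSTEM
6.7M Sep 21 11:03 /sda1/~/RP1028/~SYSTEM
"""

ENTRY = re.compile(
    r"^\s*(?P<size>\d+(?:\.\d+)?)(?P<unit>[KMG])\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"\S*/RP(?P<rp>\d+)/~(?P<hive>SOFTWARE|SYSTEM)\s*$"
)
UNIT_BYTES = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
REQUIRED_HIVES = ("SOFTWARE", "SYSTEM")


def parse_enum_log(text, year):
    """Return {rp_number: {hive: (timestamp, size_in_bytes)}}."""
    points = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m is None:
            continue  # live hives, blank lines, anything not under RPnnn
        stamp = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M")
        size = float(m["size"]) * UNIT_BYTES[m["unit"]]
        points.setdefault(int(m["rp"]), {})[m["hive"]] = (stamp, size)
    return points


def restore_candidates(points, last_good, min_ratio=0.5):
    """Restore point numbers usable for a rollback, newest first.

    A point qualifies when it has both hives, neither hive is much
    smaller than the median for its type (a sign of a truncated
    backup), and it was taken at or before `last_good`.
    """
    medians = {}
    for hive in REQUIRED_HIVES:
        sizes = [p[hive][1] for p in points.values() if hive in p]
        if not sizes:
            return []
        medians[hive] = median(sizes)

    picked = []
    for rp, hives in points.items():
        if any(h not in hives for h in REQUIRED_HIVES):
            continue  # incomplete snapshot
        if any(hives[h][1] < min_ratio * medians[h] for h in REQUIRED_HIVES):
            continue  # suspiciously small hive
        taken = max(hives[h][0] for h in REQUIRED_HIVES)
        if taken <= last_good:
            picked.append((taken, rp))
    return [rp for taken, rp in sorted(picked, reverse=True)]


if __name__ == "__main__":
    pts = parse_enum_log(SAMPLE_ENUM_LOG, 2013)
    print(restore_candidates(pts, datetime(2013, 9, 17)))
```

The timestamps are whatever clock the live CD reported, so the cutoff should be expressed in the same terms as the listing.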
  7. RPTech

    RPTech TS Rookie Topic Starter

    Performed task as described above. PC does not boot normally, still freezes at the same point of the Windows splash screen progress bar. Can boot to Safe Mode as before.
  8. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    Go Start>Run (Start Search in Vista/7), type in:
    msconfig
    Click OK (hit Enter in Vista/7).

    Click on Startup tab.
    Click Disable all
    IMPORTANT! In case of a laptop, make sure you do NOT disable any keyboard or touchpad entries.

    Click Services tab.
    Put checkmark in Hide all Microsoft services
    Click Disable all.

    Click OK.
    Restart computer in Normal Mode.

    NOTE. If you use a different firewall than Windows firewall, turn Windows firewall on, just for this test, since your regular firewall won't be running.
    If you use Windows firewall, you're fine.

    Same problem?
  9. RPTech

    RPTech TS Rookie Topic Starter

    Good morning Broni,

    I fear I may actually have a hardware issue. PC will not boot to Safe Mode this morning. It attempts to but freezes when loading the MUP.sys file. The hard drive continues to have activity (hear it and see the light flashing) but it does not finish going to Safe Mode. It has been running this way for over an hour now.
  10. RPTech

    RPTech TS Rookie Topic Starter

    More information. Apparently we had a power outage last night. PC is set to restart after power disruption. I believe it is running CHKDSK now because of that. That is why it is stopped at MUP.sys. Will wait it out and post what I find.
  11. RPTech

    RPTech TS Rookie Topic Starter

    Ok, back to where I was. Can boot into Safe Mode. Completed tasks as you recommended. No change in outcome. PC freezes at same point in Windows splash screen showing progress bar.
     
  12. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    Well, at this point since this is not malware related...

    In this forum, we make sure your computer is free of malware and your computer is clean :)
    Because the access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
    You'll get more attention.
  13. RPTech

    RPTech TS Rookie Topic Starter

    Thank you Broni for all your support! I genuinely appreciate your time and effort. Enjoy the rest of your weekend!

    Best regards,
    RP
  14. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    Same to you :)

