defrag, msconfig, Nero only run in Safe Mode -- PLEASE HELP

Guest

Windows XP Pro SP2
AVG Free 7.5 reports no problems
NOD32 trial reports no problems
Panda Antivirus online scan and NOD32 on-demand report a password stealer,
"pwdump2" in my Recycle Bin. No other problems.
Windows Defender reports no problems
Spybot S&D reports no problems
Full system scans (in both Normal and Safe Mode) with archive scanning
enabled; all definitions up-to-date.
I ran chkdsk /f /v /x on all drive volumes. My Windows and temp volumes
required a reboot to scan and I didn't quite catch what the message output was
before it restarted, but I am fairly sure it said no problems (same as every
other volume).


In Normal Mode, I can't run certain programs, such as the System
Configuration Utility (\Windows\pchealth\helpctr\binaries\msconfig.exe). The
mouse pointer changes to the Wait cursor, then after a while back to the
regular arrow and nothing else happens. If I open up Task Manager, I can see
msconfig.exe in the list of processes.
Other programs malfunction. For example, if I run Disk Defragmenter and try
to analyze or defragment, it freezes up. Nero Burning ROM would start, but if
I tried to create a new compilation, it would pop up a message titled "Server
busy" with two buttons, "Switch to..." and "Retry." The first brings up the
Start Menu and the other only displays the same message again. I uninstalled
Nero but when reinstalling, the setup hangs at the end.

Everything works OK in Safe Mode: Directory Services Repair mode. As far as
I can tell, this is nearly identical to Normal mode. My video drivers load,
my network connection works and even my firewall loads at startup. I can't
tell what the difference is between the two modes though--and that's where
I'd like some expert assistance. I set up the Services so that it's the same
as in Safe Mode:DSREPAIR and I've combed through the bootlogs and the only
difference seems to be a slightly different order in which the drivers load.
So what is it that Safe Mode:DSREPAIR does differently so that the programs
work?

I've tried:
- I've disabled the bells and whistles such as BootSkin, LogonStudio and
WindowBlinds.
- I've disabled the virtual drive in Alcohol 120%.
- I uninstalled AVG Free 7.5, Nero 7 Premium Reloaded, my Microsoft mouse
and keyboard drivers, my video drivers, CursorXP and Styler.
- I've stopped my firewall from running at startup.
- I reinstalled Windows Media Player 11 and installed Internet Explorer 7
for the first time, thinking they may replace some damaged system files.
- I've tried running sfc /scannow.
- I've tried the permissions fix in the Microsoft management console, as
described here:
<http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=36&threadid=50160&enterthread=y>
 
Guest

Thank you, but I don't believe my system is infected:

1. The value of
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDE\ImagePath
is
%SystemRoot%\system32\netdde.exe

2. There's a "Start" REG_DWORD with a value of "0x00000003 (3)" but no
"Start 2"

3. I can't find a file named REGEDIT32.EXE anywhere (displaying hidden and
system files is enabled).

4. I can't find any unusual emails in the Sent Items of either my default
mail client, my browser, or Outlook Express.

5. According to an online test, ports 1433 and 1434 are stealthed on my
computer.


Any hints, tips or suggestions regarding the problem of msconfig, defrag and
Nero only working in Safe Mode? I unknowingly wiped my System Restore points
when I chose one of the Safe Mode options. From past experience, I am sure a
repair install would not help and I would rather not format and reinstall
because this seems fixable and most programs work fine anyway.
 
Gerry Cornell

You said "Panda Antivirus online scan and NOD32 on-demand report
a password stealer, "pwdump2" in my Recycle Bin. No other problems."

Have you emptied your Recycle Bin? If yes, have you turned System
Restore OFF and then ON?

Run your Panda Anti-Virus with updated definitions in Safe Mode. Does
it show clean?

--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Guest

Thanks for the reply.

The Panda Antivirus is the online ActiveX version that runs inside Internet
Explorer. There are no definitions for me to update. NOD32 trial version is
up-to-date. AVG Free is uninstalled to avoid a conflict. By 'on demand,' I
meant manually scanning using the right-click menu.

I emptied the Recycle Bin and in either Safe or Normal Mode, a full system
scan with archive scanning enabled shows no threats in NOD32, Windows
Defender or Spybot S&D.

All System Restore points are gone <http://support.microsoft.com/kb/310560>
and it is currently off for all drives.

I strongly believe the defunct password stealer is unrelated to the problems
I'm experiencing.
 
Gerry Cornell

Please check Event Viewer for Warning / Error Reports in the System and
Application logs for when the error occurs and post copies.

You can access Event Viewer by selecting Start, Administrative Tools, and
Event Viewer. When researching the meaning of the error, information
regarding Event ID, Source and Description are important.

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308427&sd=tech

Part of the Description of the error will include a link, which you should
double click for further information. You can copy using copy and paste.
Often the link will, however, say there is no further information.
http://go.microsoft.com/fw.link/events.asp
(Please note the hyperlink above is for illustration purposes only)

A tip for posting copies of Error Reports! Run Event Viewer and double click
on the error you want to copy. In the window which appears is a button
resembling two pages. Double click the button and close Event Viewer. Now
start your message (email) and do a paste into the body of the message. This
will paste the info from the Event Viewer Error Report complete with links
into the message. Make sure this is the first paste after exiting from Event
Viewer.

Are there any yellow question marks in Device Manager? Right click on
the My Computer icon on your Desktop and select Properties. Hardware,
Device Manager. If yes what is the Device Error code?


--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Guest

There are no yellow question marks in Device Manager.

If I reproduce the problems, there's no entry created in the Event Viewer,
under Application or System. However, I seem to have found an entry for the
Nero installation process which hangs at the end. It said it may have failed
if I was running in Safe Mode (I wasn't), or the Windows Installer wasn't
correctly installed. I uninstalled and reinstalled KB893803. Then I chose a
Repair install for Nero and it still hangs at the end
<http://img165.imageshack.us/img165/6849/nerorepairinstallhg2.gif>. But now
the Event Viewer says the installation completed successfully:

Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11707
Date: 23.11.2006
Time: 02:43:18
User: COMPUTER\Admin
Computer: COMPUTER
Description:
Product: Nero 7 -- Installation operation completed successfully. For more
information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 34 30 32 36 31 44 30 {40261D0
0008: 41 2d 41 33 38 35 2d 34 A-A385-4
0010: 43 31 41 2d 41 37 44 45 C1A-A7DE
0018: 2d 35 46 32 37 30 44 39 -5F270D9
0020: 42 38 36 30 44 7d B860D}


To recap, the symptoms are as follows:
- msconfig: mouse pointer changes to Wait cursor, then back to normal;
program window doesn't display, but msconfig.exe appears in the task list.
- defrag: clicking 'Analyze' or 'Defragment' freezes up the window. After
about a minute or two, the window returns to normal but the requested action
has not taken place.
- Nero: trying to create a new compilation pops up this dialog window
<http://img88.imageshack.us/img88/2391/neroerrorfg5.gif>. Clicking 'Switch
to' shows the Start Menu, while clicking 'Retry' many, many times eventually
loads up the requested new compilation.

According to the events.asp link above, the error number has something to do
with Remote Procedure Call. This service is Started and set to Automatic.
Remote Procedure Call (RPC) Locator is not started and set to Manual. I tried
manually starting it but there's no difference.

After googling, I found others with the same problem in Nero and it was
suggested to install the KB884020 patch. I did but it didn't help (since I
have all the patches, I guess it was already installed).

I'm open to any other suggestions you may have--including throwing in the
towel. I'm getting my files together for a backup and I've coped with the
possibility of a clean install if need be.
 
