BleepingComputer.com: Tidserv 2 Activity and gaopdxserv.sys


Tidserv 2 Activity and gaopdxserv.sys Rootkit infection

#16 CatByte (Malware Response Team)

Posted 10 June 2011 - 05:04 PM

Are you able to boot into safe mode?

Doing a system restore from the recovery console isn't easy.

We have a boot disk we can try and use if you can't boot into safe mode, but if you can boot into safe mode, do the following:

Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.

Now see if you can perform a system restore.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#17 Rynofasho (Member)

Posted 10 June 2011 - 05:07 PM

It will not boot into safe mode, no.

#18 Rynofasho (Member)

Posted 10 June 2011 - 05:08 PM

This happened immediately after installing Windows updates. It hasn't booted once since then.

And PS: the Recovery Console isn't from a CD; I installed it as part of ComboFix, so I have the option to load it instead of Windows. I believe I can get the original Windows disk from the computer owner, though.

This post has been edited by Rynofasho: 10 June 2011 - 05:17 PM


#19 CatByte (Malware Response Team)

Posted 10 June 2011 - 05:25 PM

Try this please. You will need a CD and a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.


  • Now download http://noahdfear.net/downloads/rst.sh to the USB drive
  • Insert the USB drive and CD in the unbootable computer
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see the rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished, a report will be located on sdb1 named enum.log
  • Plug that USB back into the clean computer and open it
Please note: If you have an ethernet connection, you can access the internet by way of xPUD (Firefox). You can perform all these steps on your unbootable computer. Anything you download will reside in the Download folder, which can also be found under the File tab. You can similarly access our thread through this OS, so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review

#20 Rynofasho (Member)

Posted 10 June 2011 - 06:11 PM

For whatever reason my DVD-Rs aren't working, so I'll have to get CDs later or tomorrow. I'll post back. Thanks.

#21 CatByte (Malware Response Team)

Posted 10 June 2011 - 09:23 PM

OK, thanks

#22 Rynofasho (Member)

Posted 14 June 2011 - 09:45 AM

FYI, finally had access to a DVD burner so I ran that software yesterday. I forgot the flash drive at home so I will post logs later. Thank you!

#23 Rynofasho (Member)

Posted 14 June 2011 - 10:27 AM

Turns out I actually remembered the drive and dropped it in the parking lot and someone was nice enough to grab it and turn it in. Whew!

37.1M Jun 13 22:17 /mnt/sda2/WINDOWS/system32/config/SOFTWARE
7.7M Jun 13 22:16 /mnt/sda2/WINDOWS/system32/config/SYSTEM

36.4M Apr 20 15:46 /sda2/~/RP1/~SOFTWARE
36.5M May 14 14:58 /sda2/~/RP11/~SOFTWARE
36.5M May 14 21:19 /sda2/~/RP12/~SOFTWARE
36.5M May 14 21:21 /sda2/~/RP13/~SOFTWARE
36.5M May 14 23:39 /sda2/~/RP14/~SOFTWARE
36.5M May 14 23:40 /sda2/~/RP15/~SOFTWARE
36.5M May 16 22:54 /sda2/~/RP16/~SOFTWARE
36.5M May 20 16:48 /sda2/~/RP17/~SOFTWARE
36.5M May 20 16:49 /sda2/~/RP18/~SOFTWARE
36.5M May 21 17:13 /sda2/~/RP19/~SOFTWARE
36.4M Apr 22 20:22 /sda2/~/RP2/~SOFTWARE
36.6M May 26 05:36 /sda2/~/RP20/~SOFTWARE
37.1M May 29 15:58 /sda2/~/RP21/~SOFTWARE
37.1M May 30 15:18 /sda2/~/RP22/~SOFTWARE
37.1M Jun 4 00:11 /sda2/~/RP23/~SOFTWARE
37.1M Jun 7 04:36 /sda2/~/RP24/~SOFTWARE
37.1M Jun 7 22:52 /sda2/~/RP25/~SOFTWARE
37.1M Jun 10 01:59 /sda2/~/RP26/~SOFTWARE
37.1M Jun 10 19:53 /sda2/~/RP27/~SOFTWARE
37.1M Jun 10 19:54 /sda2/~/RP28/~SOFTWARE
37.1M Jun 10 19:55 /sda2/~/RP29/~SOFTWARE
37.1M Jun 10 20:23 /sda2/~/RP30/~SOFTWARE
37.1M Jun 10 20:24 /sda2/~/RP31/~SOFTWARE
37.1M Jun 10 20:41 /sda2/~/RP32/~SOFTWARE
37.1M Jun 10 21:01 /sda2/~/RP33/~SOFTWARE
36.4M Apr 25 21:27 /sda2/~/RP4/~SOFTWARE
36.4M Apr 26 21:36 /sda2/~/RP5/~SOFTWARE
36.4M Apr 30 14:46 /sda2/~/RP6/~SOFTWARE
36.4M May 5 13:25 /sda2/~/RP7/~SOFTWARE
36.4M May 9 16:46 /sda2/~/RP9/~SOFTWARE
7.3M Apr 20 15:46 /sda2/~/RP1/~SYSTEM
7.3M May 14 14:58 /sda2/~/RP11/~SYSTEM
7.3M May 14 21:19 /sda2/~/RP12/~SYSTEM
7.3M May 14 21:21 /sda2/~/RP13/~SYSTEM
7.3M May 14 23:39 /sda2/~/RP14/~SYSTEM
7.3M May 14 23:40 /sda2/~/RP15/~SYSTEM
7.3M May 16 22:54 /sda2/~/RP16/~SYSTEM
7.3M May 20 16:48 /sda2/~/RP17/~SYSTEM
7.3M May 20 16:49 /sda2/~/RP18/~SYSTEM
7.3M May 21 17:13 /sda2/~/RP19/~SYSTEM
7.3M Apr 22 20:22 /sda2/~/RP2/~SYSTEM
7.3M May 26 05:36 /sda2/~/RP20/~SYSTEM
7.3M May 29 15:58 /sda2/~/RP21/~SYSTEM
7.3M May 30 15:18 /sda2/~/RP22/~SYSTEM
7.3M Jun 4 00:11 /sda2/~/RP23/~SYSTEM
8.0M Jun 7 04:36 /sda2/~/RP24/~SYSTEM
8.0M Jun 7 22:52 /sda2/~/RP25/~SYSTEM
8.0M Jun 10 01:59 /sda2/~/RP26/~SYSTEM
8.0M Jun 10 19:53 /sda2/~/RP27/~SYSTEM
8.0M Jun 10 19:54 /sda2/~/RP28/~SYSTEM
8.0M Jun 10 19:55 /sda2/~/RP29/~SYSTEM
8.0M Jun 10 20:23 /sda2/~/RP30/~SYSTEM
8.0M Jun 10 20:24 /sda2/~/RP31/~SYSTEM
8.0M Jun 10 20:41 /sda2/~/RP32/~SYSTEM
8.1M Jun 10 21:01 /sda2/~/RP33/~SYSTEM
7.3M Apr 25 21:27 /sda2/~/RP4/~SYSTEM
7.3M Apr 26 21:36 /sda2/~/RP5/~SYSTEM
7.3M Apr 30 14:46 /sda2/~/RP6/~SYSTEM
7.3M May 5 13:26 /sda2/~/RP7/~SYSTEM
7.3M May 9 16:46 /sda2/~/RP9/~SYSTEM

#24 CatByte (Malware Response Team)

Posted 14 June 2011 - 05:48 PM

You posted on the 10th that the computer wouldn't boot, so let's pick the restore point from the 7th and see what that does for us; at least there are lots to choose from.

boot back into xPUD with the CD

  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh -r
  • Type 25
  • Press Enter
  • After it has finished a report will be located at sdb1 named restore.log
  • Please try to boot into normal Windows now and indicate if you were successful


Please note - all text entries are case sensitive

Copy and paste the restore.log from your USB drive for my review

This post has been edited by CatByte: 14 June 2011 - 05:49 PM

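The choice of restore point above (the latest one taken before the day the machine stopped booting) can be made mechanically from the enum.log listing posted earlier. The following is an added example written for this page, not the rst.sh script or any BleepingComputer tool: it parses the listing format (size, month, day, time, path), groups the hive backups by RPnn folder, and picks the newest restore point that has both a SOFTWARE and a SYSTEM backup dated before the failure. The sample lines are an excerpt of the listing in post #23; the year (2011) is an assumption because the listing omits it, and the failure date is the 10th as stated in the thread.

```python
"""Pick a System Restore point from an enum.log-style listing of registry hive backups.

Added example for this thread; it is not rst.sh. Function and variable names are my own.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: an excerpt of the listing format posted in the thread.
# The first two lines are the live hives; paths ending in ~SOFTWARE / ~SYSTEM
# are the backups kept inside each restore point folder RPnn.
SAMPLE_ENUM_LOG = """\
37.1M Jun 13 22:17 /mnt/sda2/WINDOWS/system32/config/SOFTWARE
7.7M Jun 13 22:16 /mnt/sda2/WINDOWS/system32/config/SYSTEM

36.4M Apr 20 15:46 /sda2/~/RP1/~SOFTWARE
37.1M Jun 4 00:11 /sda2/~/RP23/~SOFTWARE
37.1M Jun 7 04:36 /sda2/~/RP24/~SOFTWARE
37.1M Jun 7 22:52 /sda2/~/RP25/~SOFTWARE
37.1M Jun 10 01:59 /sda2/~/RP26/~SOFTWARE
37.1M Jun 10 21:01 /sda2/~/RP33/~SOFTWARE
7.3M Apr 20 15:46 /sda2/~/RP1/~SYSTEM
7.3M Jun 4 00:11 /sda2/~/RP23/~SYSTEM
8.0M Jun 7 04:36 /sda2/~/RP24/~SYSTEM
8.0M Jun 7 22:52 /sda2/~/RP25/~SYSTEM
8.0M Jun 10 01:59 /sda2/~/RP26/~SYSTEM
8.1M Jun 10 21:01 /sda2/~/RP33/~SYSTEM
"""

LINE_RE = re.compile(
    r"^(?P<size>[\d.]+)(?P<unit>[KMG]?)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2})\s+(?P<path>\S+)$"
)
RP_RE = re.compile(r"/RP(?P<rp>\d+)/~(?P<hive>[A-Z]+)$")
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_enum_log(text, year):
    """Return {rp_number: {hive: (timestamp, size_bytes)}} for the restore-point backups.

    The listing carries no year, so the caller supplies one (assumption: one calendar year).
    Live hives under WINDOWS/system32/config are skipped; they are not restore points.
    """
    points = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a listing entry
        rp = RP_RE.search(m["path"])
        if not rp:
            continue  # live hive, not a backup
        stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M")
        size = int(float(m["size"]) * UNITS[m["unit"]])
        points[int(rp["rp"])][rp["hive"]] = (stamp, size)
    return dict(points)


def choose_restore_point(points, failed_at, required=("SOFTWARE", "SYSTEM")):
    """Newest restore point whose backups all predate the failure and include every required hive."""
    candidates = [
        (max(ts for ts, _ in hives.values()), rp)
        for rp, hives in points.items()
        if all(h in hives for h in required) and all(ts < failed_at for ts, _ in hives.values())
    ]
    return max(candidates)[1] if candidates else None


def recommend_from_log(text, year, failed_at_iso):
    """Convenience wrapper: failed_at_iso like '2011-06-10T00:00'."""
    return choose_restore_point(parse_enum_log(text, year), datetime.fromisoformat(failed_at_iso))


def hive_size_changes(points, hive):
    """(prev_rp, rp, prev_size, size) for each chronological step where the hive's backup size changed.

    A size step between two restore points is something to line up against known events
    (the thread mentions Windows updates right before the failure), not proof of anything by itself.
    """
    ordered = sorted((hives[hive][0], rp, hives[hive][1]) for rp, hives in points.items() if hive in hives)
    return [
        (prev_rp, rp, prev_size, size)
        for (_, prev_rp, prev_size), (_, rp, size) in zip(ordered, ordered[1:])
        if size != prev_size
    ]


if __name__ == "__main__":
    pts = parse_enum_log(SAMPLE_ENUM_LOG, year=2011)
    print("recommended restore point: RP%s" % choose_restore_point(pts, datetime(2011, 6, 10)))
    for prev_rp, rp, a, b in hive_size_changes(pts, "SYSTEM"):
        print(f"SYSTEM backup size changed RP{prev_rp} -> RP{rp}: {a} -> {b} bytes")
```

Run against the excerpt with the failure date set to the 10th, the selection is RP25, the same point CatByte asks for in the next step; the size-change report shows the SYSTEM backup growing between RP23 and RP24, which is the kind of step an analyst lines up against the update history before trusting a restore point.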

#25 Rynofasho (Member)

Posted 14 June 2011 - 07:41 PM

Will do in a while. I was running a Dell Diagnostics CD I was able to burn, and so far I'm pretty sure it found a hard drive issue.

During the SATA Disk Read Test, it reported the following:

Error Code 0F00:0244
Msg: Block 6456011: Uncorrectable data error or media is write protected

It's still running the rest of the diagnostics, so I'll try to restore it when it finishes and let you know. Thanks again for the continued help.

#26 Rynofasho (Member)

Posted 14 June 2011 - 10:38 PM

SOFTWARE hive restored from RP25
SYSTEM hive restored from RP25
SECURITY hive restored from RP25
SAM hive restored from RP25

Still BSODs at isapnp.sys

#27 CatByte (Malware Response Team)

Posted 15 June 2011 - 04:13 AM

Are you able to boot into safe mode?

If not, let's see if we can find a replacement for isapnp.sys.

  • Download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the infected computer
  • Boot the computer into xPUD with the CD
  • Click on File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see driver.sh on the USB
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:
    isapnp.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has finished, a report will be located on the USB drive as filefind.txt


Please note - all text entries are case sensitive

Copy and paste the filefind.txt for my review

This post has been edited by CatByte: 15 June 2011 - 04:13 AM

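The step above boils down to searching the offline Windows volume for every copy of the named driver so that a known-good copy can be compared with the one the system is loading. The following is an added example written for this page, not the driver.sh script from the post: it walks a mounted volume for a filename (case-insensitively, since NTFS names are case-insensitive but a Linux live CD lists them case-sensitively), hashes each hit, and groups copies that agree with each other so the odd one out stands out. The directory tree it searches is constructed inside a temporary folder for the demonstration; the hashes are compared with each other only, and whether any copy is the genuine driver is something to confirm against install media.

```python
"""Find every copy of a named file on a mounted volume and compare them by content hash.

Added example for this thread; it is not driver.sh. Function names and the sample tree are my own.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def find_file_copies(root, name):
    """Return sorted [(relative_path, size, sha256)] for files named `name`, matched case-insensitively."""
    hits = []
    wanted = name.lower()
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() != wanted:
                continue
            full = os.path.join(dirpath, fn)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits.append((rel, os.path.getsize(full), digest.hexdigest()))
    return sorted(hits)


def group_by_hash(copies):
    """{sha256: [relative_path, ...]}: copies with identical content land in the same group."""
    groups = defaultdict(list)
    for rel, _size, digest in copies:
        groups[digest].append(rel)
    return dict(groups)


def singletons(groups):
    """Paths whose content matches no other copy; these are the ones to look at first."""
    return sorted(p for paths in groups.values() if len(paths) == 1 for p in paths)


def build_sample_volume(root):
    """Constructed stand-in for a mounted XP system drive (not a real disk image):
    three copies of the driver name, two identical and one that differs."""
    layout = {
        "WINDOWS/system32/drivers/isapnp.sys": b"MZ-constructed-driver-image, active copy, differs",
        "WINDOWS/system32/dllcache/isapnp.sys": b"MZ-constructed-driver-image, cached copy",
        "WINDOWS/ServicePackFiles/i386/isapnp.sys": b"MZ-constructed-driver-image, cached copy",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the sample volume, search it, and return (copy_count, distinct_contents, odd_ones_out)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_volume(root)
        copies = find_file_copies(root, "ISAPNP.SYS")  # upper case on purpose: the match is case-insensitive
        groups = group_by_hash(copies)
        return len(copies), len(groups), singletons(groups)


if __name__ == "__main__":
    count, distinct, odd = run_demo()
    print(f"{count} copies found, {distinct} distinct contents; copies matching nothing else: {odd}")
```

On the constructed tree the active copy under system32\drivers is the only one whose hash matches no other copy, which is exactly the situation in which a practitioner would want a report like filefind.txt before deciding which copy to trust.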

#28 Rynofasho (Member)

Posted 17 June 2011 - 09:04 AM

CatByte,

I sincerely appreciate all the help you have given me to this point. As the hard drive has bad sectors now, I'm sure they will only continue to spread and get worse, and with hard drives being fairly inexpensive, I think I'm going to just recover the data from the current drive and slap a new hard drive in there and reinstall Windows. Again, I cannot thank you enough for the work you do on the forum here though.

Please close this thread.

Best,

Ryan

#29 CatByte (Malware Response Team)

Posted 17 June 2011 - 09:51 AM

OK, thanks for letting me know.

It's probably the best decision for this machine; at least you have access to the data you need to save.
