
Xp Home Won't Start Correctly...skuns.dat Is On Computer



#1 AaronWest

Posted 27 November 2007 - 01:23 PM

I have a computer that I am working on for a friend. It is an HP Pavilion a610n running Windows XP Home (Build 2600.xpsp2.030422-1633: Service Pack 1) that when you first turn it on it comes up with the following message:

{Message Box: services.exe - Bad Image} The application or DLL C:\WINDOWS\System32\skuns.dat is not a valid Windows image. Please check this against your installation diskette.

Upon hitting OK, the message appears again this time in a Message Box with the title "lsass.exe - Bad Image"

Hitting OK there will take me to the user login screen.

I tried booting in Safe Mode and this is what happens:

{Message Box: services.exe - Bad Image} The application or DLL C:\WINDOWS\System32\skuns.dat is not a valid Windows image. Please check this against your installation diskette.

Upon hitting OK, the message appears again this time in a Message Box with the title "lsass.exe - Bad Image"

Hitting OK there will take me to the user login screen.

Here I login as Administrator and the above message appears again, this time with the title "userinit.exe - Bad Image"
Hitting OK gets the same message with the title "SDTrayApp.exe - Bad Image"

It then does nothing more (Black screen with Safe Mode in four corners). The mouse works, but nothing else appears. In fact, Ctrl+Alt+Delete won't bring up the Task Manager, either.

Sometimes it also includes the message with the title "explorer.exe - Bad Image" between the userinit.exe and SDTrayApp.exe messages. When it does, it will appear to load further, bringing up a message box that has the following title "bvdfeseaxbmtrerbxfdfeqwr3qw3fhmy5egrsdb" and message "Run-time error '5': Invalid procedure call or argument"

Upon hitting OK, it will again sit Idle with the Black screen and Safe Mode in four corners. However, when I hit Ctrl+Alt+Delete now, it brings up the message again, this time for taskmgr.exe. Upon hitting OK, Task Manager will load. It will show nothing in the Applications tab. The following are in the Processes Tab:

taskmgr.exe
SDTrayApp.exe
swdsvc.exe
svcntaux.exe
evchost.exe
aawservice.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
System
System Idle Process

I would appreciate any help in getting this to work correctly. Thanks!

Aaron


#2 garmanma

Posted 27 November 2007 - 05:50 PM

"skuns.dat"
I'd say you're infected. Try visiting our malware forums further down the main forum page
Read this article first
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Good luck
Mark

Edited by garmanma, 27 November 2007 - 05:51 PM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits

#3 hamluis

Posted 27 November 2007 - 05:53 PM

http://www.bleepingcomputer.com/startups/s....dat-20478.html

I think you need to read and comply with the instructions for malware problems...there should be a Start Here button near the top of this page.

Louis

#4 quietman7

Posted 27 November 2007 - 10:50 PM

If you're using Win XP or 2000, please print out and follow the generic instructions for using SmitfraudFix in BC's self-help tutorial "How to remove the Smitfraud/Generic Zlob".
(scroll down to Removal Instructions; ignore the part showing symptoms in a HijackThis log as they may not apply in your case.)
If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!

Next, download RogueRemover and save to your Desktop. (compatible with Windows 2000, NT, XP, Vista)
  • Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover and follow the prompts.
  • During installation an icon will automatically be created on your Desktop.
  • If the program does not open after installation, double-click on the RogueRemover icon to launch.
  • Select "Check for Updates" and click Download if any are found.
  • Wait for the updates to finish downloading, then Close the update window.
  • Select "Scan" and follow the onscreen directions to remove anything found.
  • If nothing is found, exit RogueRemover.
  • If RogueRemover finds something, it will present a list of detected items.
  • Click "Remove selected", then Yes at the prompt.
  • Wait for the removal to complete and then close RogueRemover.
If using Windows Vista, be sure to Run As Administrator

Then download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#5 AaronWest

Posted 28 November 2007 - 09:35 AM

I appreciate the suggestions. However, I can't get to that point. In case you didn't read my post entirely, I can't access any programs. I can't download anything. I can't run any applications. It all hangs before I can get there. If I could at least get to that point, then I feel confident about continuing on my own. It's getting to that point that I am having difficulty with. Thanks for understanding and providing help.

-Aaron

#6 quietman7

Posted 28 November 2007 - 11:14 AM

I thought your problem only involved the OS not starting correctly and receiving error messages. If you cannot bootup properly, run any programs or download anything that may help resolve this, your options are limited. You can try doing a Repair Install.

"Langa Letter: XP's No-Reformat, Nondestructive Total-Rebuild Option"
"How to install and use the Windows XP Recovery Console".

The better course of action would be to reformat and reinstall the OS. If these problems are all related to malware, a Repair Install may NOT help! Please read "When should I re-format?".

"Clean Install Windows XP".
"XP Clean Install (Interactive Setup)".

#7 AaronWest

Posted 28 November 2007 - 11:32 AM

That's what I was afraid of. Is there any way to manually start explorer since I can access the Task Manager and start other programs through the "New Task..." button on the applications tab? I found I was able to run the latest version of AdAware and SpyBot via this way. Without explorer, though, I'm not sure how to load or run anything that's not already on the system. Thanks, again!

-Aaron

#8 quietman7

Posted 28 November 2007 - 01:00 PM

You can try that or better if it can be done in safe mode but I'm not sure if your existing programs will do the job.

Another thing you can try through Task Manager is using rstrui.exe (System Restore) to return to a previous state before your problems began.
When Task Manager opens, select "New Task" at the bottom of the Applications Tab and in the Open box: type (or copy and paste): C:\WINDOWS\system32\Restore\rstrui.exe
Hit Ok.

#9 AtlanticShores

Posted 28 November 2007 - 07:58 PM

"LSASSE.EXE" is a backdoor worm allowing a remote operator full access to your friend's computer.

"CSRSS.EXE" is a credit card and bank account number collecting Trojan --

BOTH of these are very vicious and need to be removed.

I would encourage you to run HiJackThis and/or WinUtilities and post your HJT log in this forum.

If "WIN NT 5.1:2600" shows on line 2, your friend's computer is in a botnet -- an identity theft botnet -- and he is no longer administrator of his machine. He will have to take some strong steps to remove this system -- like a hard reformat of his drive. After saving his data, I would assume.


But all of his information, his data has been compromised. That is a given with LSASSE.EXE on his machine.





#10 quietman7

Posted 29 November 2007 - 09:22 AM

csrss.exe is also the main executable for the Microsoft Client/Server Runtime Server Subsystem.
lsass.exe is a system process of the Microsoft Windows security mechanisms. Check your spelling.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer.
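Added example (not written by any poster in this thread): the name-and-location check described in post #10, applied to process names mentioned in the thread. The full paths in the sample are constructed for illustration, and the system root is assumed to be C:\WINDOWS.

```python
import ntpath

# Expected image directories for core Windows XP processes
# (assumption: system root is C:\WINDOWS).
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32, "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "userinit.exe": SYSTEM32, "taskmgr.exe": SYSTEM32,
    "explorer.exe": r"c:\windows",
}

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names such as evchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path):
    """Return (verdict, detail) for one full image path."""
    norm = ntpath.normpath(image_path).lower()
    folder, name = ntpath.split(norm)
    if name in EXPECTED_DIR:
        if folder == EXPECTED_DIR[name]:
            return ("expected", name)
        return ("wrong-location", f"{name} should run from {EXPECTED_DIR[name]}")
    # Not an exact match: find the closest known system name.
    closest = min(EXPECTED_DIR, key=lambda known: edit_distance(name, known))
    if edit_distance(name, closest) <= 2:
        return ("lookalike-name", f"{name} resembles {closest}")
    return ("unknown", name)

# Constructed sample: names taken from the thread, paths invented for illustration.
SAMPLE = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\system32\evchost.exe",
    r"C:\WINDOWS\lsass.exe",
    r"C:\WINDOWS\system32\lsasse.exe",
    r"C:\Program Files\Example\aawservice.exe",
]

def report(paths=SAMPLE):
    return [(p, *classify(p)) for p in paths]

if __name__ == "__main__":
    for path, verdict, detail in report():
        print(f"{verdict:15} {path}  ({detail})")
```

An "unknown" verdict only means the name is not in the small table above; it says nothing about whether the file is legitimate.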

#11 Papakid

Posted 29 November 2007 - 01:45 PM

Also, there are many infections that will put the compromised computer on a botnet. It is not as specific as what it is being made out to be.

I agree that this system is so badly infected that a reformat would be what I would do. Don't confuse reformat with a reinstall of the OS or a repair install. Wipe your drive before reinstalling the OS.

However, since you want to try to fix this if you can get programs to work there is a regfix you can try.

Open Notepad and copy the text in the quotebox then paste it into notepad:

REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="exefile"


Name the file ExeFix.reg, be sure to save as All Files type and save it to your desktop. Then double-click the file and allow it to merge with your registry.

Normally I would ask that you backup your registry before doing this, but I think you are past this stage--back up any data you want to save first. But this should allow you to run executable programs again. Since Notepad is an executable, I'll send this file as an attachment via PM. If your reg file associations are borked as well then you'll be running out of options.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson




