Redirected IE8 and Bluescreen in Safemode


19 replies to this topic

#1 rboone2020

Posted 26 November 2009 - 11:51 PM

Hi Bleeping Folks,

I've been working for some time trying to fix up a Dell M2300 laptop running Windows XP, with latest updates.
I have removed lots of infections (not sure what changed to bring these all on, but I think it's related to a recent
use of lots of strange thumb drives). Most of the problems are under control, but two remain, I suspect one
routine and one more troublesome.

My copy of Internet Explorer 8 is redirecting to bogus search sites. I would move forward with all the steps
other people have gotten from Bleeping Computer, but so many of the steps say you should only do so with
supervision, so here I post.

The other problem is more troublesome. I wanted to do some scans in Safemode, but I have found that I
cannot. After MUP.SYS loads, I get an error (0000000050 with however many zeros), and a
PAGE_DEFAULT_IN_NONPAGE_SPACE error. Any suggestions, shy of a reinstall?

Thanks, folks,
Randy


#2 petewills

Posted 27 November 2009 - 11:17 AM

In the 'Security Am I infected? What do I do?' forum they generally start you off with the following programs, which many of us use routinely:

SuperAntiSpyware

http://www.superantispyware.com/download.html

and

Malwarebytes

http://www.malwarebytes.org/mbam.php

They can usually take care of Browser Hijacks.

It's programs like Combofix that should NOT be run, without supervision, by people who have trained in
the program and know how to interpret the logs.

Stop Error: 0000000050 etc. - Page_Fault_in_nonpaged_area is the usual one.

It could be a conflict caused by the video card - nvidia based cards are prone to this error message.

Reinstalling updated video card drivers may help.

#3 rboone2020

Posted 27 November 2009 - 09:38 PM

Thanks for your reply. A video driver problem is an interesting thought. I have used
SuperAntiSpyware and Malwarebytes a great deal. Lots of scans. It catches some things,
but I wonder if the scans miss something because I can't go into Safemode. Anyway,
lots of scans but still redirecting.

I did indeed have an Nvidia driver that was a few months older than the most
current. I updated that. Unfortunately, it didn't change the error I received when I
tried to go into Safemode.

Thanks again for your help,
Randy

Edited by rboone2020, 27 November 2009 - 09:38 PM.


#4 AustrAlien

Posted 28 November 2009 - 05:41 AM

Export SafeBoot key for diagnosis
Let's have a look at your SafeBoot registry key.

* Click Start > Run
* Copy and paste the following code in the open Run box (Do not copy the word "code")
regedit /e C:\SafeBootK.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
* Now click OK
* Double-click/Open My Computer and then navigate to C:\ drive
* In there, you should see a file called SafeBootK.txt
* Double-click it to open the file with Notepad.
* Copy and paste the whole contents of SafeBootK.txt in your next reply please.
AustrAlien
Google is my friend. Make Google your friend too.


#5 rboone2020

Posted 28 November 2009 - 10:50 AM

Thanks, AustrAlien,

This is a new check for me. The log is as follows:

Thanks again,
Randy

******************************************

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Lavasoft Ad-Aware Service]
@="Service"

#6 AustrAlien

Posted 28 November 2009 - 01:05 PM

Most of the data in your SafeBoot key is missing.

Download and run SafeBootKeyRepair by sUBs to repair Safe Mode.

* Please download SafeBootKeyRepair and save it to your Desktop.
http://download.bleepingcomputer.com/sUBs/...otKeyRepair.exe
* Close all programs/windows so that you have nothing open and are at your Desktop.
* Run SafeBootKeyRepair by double-clicking on it, or right-click on it and click "Open". If you are using Vista, please right-click and choose "Run as Administrator".
* A black command prompt window will appear with the message "Please wait..."
* It will now begin to scan; please be patient while it scans. The scan should take no longer than 1 minute.
* When finished, a log containing the results will be opened.
* Copy and paste the whole contents in your next reply.
Note: The log can also be retrieved from your C:\ drive with the filename entitled "SAFEBOOT_REPAIR.TXT"

Can you now load Windows in Safe Mode?
AustrAlien
Google is my friend. Make Google your friend too.

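As an added example (not the thread's own tooling and not sUBs' SafeBootKeyRepair), this Python script parses a `regedit /e` export like the one requested in #4 and reports which standard SafeBoot\Minimal entries are missing, which is the check behind the diagnosis in #6. The baseline list is taken from the post-repair export Randy posts later in the thread, and the embedded sample input is the damaged export from #5; the Network profile is left out to keep the baseline short.

```python
"""Check a regedit /e export of the SafeBoot key for missing Safe Mode entries.

Added example for this thread, not a BleepingComputer or sUBs tool. The baseline
below is the set of SafeBoot\\Minimal entries in the post-repair export shown
later in this thread (third-party entries such as Lavasoft's are left out).
"""
import re
import sys
from typing import Dict, List, Set, Tuple

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

BASELINE_MINIMAL: Set[str] = {
    "AppMgmt", "Base", "Boot Bus Extender", "Boot file system", "CryptSvc",
    "DcomLaunch", "dmadmin", "dmboot.sys", "dmio.sys", "dmload.sys", "dmserver",
    "EventLog", "File system", "Filter", "HelpSvc", "Netlogon",
    "PCI Configuration", "PlugPlay", "PNP Filter", "Primary disk", "RpcSs",
    "SCSI Class", "sermouse.sys", "sr.sys", "SRService", "System Bus Extender",
    "vga.sys", "vgasave.sys", "WinMgmt",
    "{36FC9E60-C465-11CF-8056-444553540000}", "{4D36E965-E325-11CE-BFC1-08002BE10318}",
    "{4D36E967-E325-11CE-BFC1-08002BE10318}", "{4D36E969-E325-11CE-BFC1-08002BE10318}",
    "{4D36E96A-E325-11CE-BFC1-08002BE10318}", "{4D36E96B-E325-11CE-BFC1-08002BE10318}",
    "{4D36E96F-E325-11CE-BFC1-08002BE10318}", "{4D36E977-E325-11CE-BFC1-08002BE10318}",
    "{4D36E97B-E325-11CE-BFC1-08002BE10318}", "{4D36E97D-E325-11CE-BFC1-08002BE10318}",
    "{4D36E980-E325-11CE-BFC1-08002BE10318}", "{71A27CDD-812A-11D0-BEC7-08002BE2092F}",
    "{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}",
}

# Constructed sample: the damaged export posted in #5 (only the Ad-Aware entry survives).
BROKEN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Lavasoft Ad-Aware Service]
@="Service"
"""

# A .reg value line: the default value "@" or a quoted name, then "=" and the data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def decode_reg_export(raw: bytes) -> str:
    """regedit /e writes UTF-16LE with a BOM; fall back to 8-bit text otherwise."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: raw data}} for every [key] block in the export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            if name != "@":  # strip quotes and .reg escaping from the value name
                name = name[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = m.group(2)
    return keys


def safeboot_entries(keys: Dict[str, Dict[str, str]], profile: str) -> Set[str]:
    """Direct child names of SafeBoot\\<profile>, matched case-insensitively
    (the repair tool writes the path in lower case)."""
    prefix = (SAFEBOOT + "\\" + profile + "\\").lower()
    entries: Set[str] = set()
    for key in keys:
        if key.lower().startswith(prefix):
            rest = key[len(prefix):]
            if "\\" not in rest:
                entries.add(rest)
    return entries


def diagnose(text: str, profile: str = "Minimal",
             baseline: Set[str] = BASELINE_MINIMAL) -> Tuple[List[str], List[str]]:
    """Return (missing baseline entries, entries present but not in the baseline)."""
    present = safeboot_entries(parse_reg_export(text), profile)
    present_lc = {e.lower() for e in present}
    baseline_lc = {e.lower() for e in baseline}
    missing = sorted(e for e in baseline if e.lower() not in present_lc)
    extra = sorted(e for e in present if e.lower() not in baseline_lc)
    return missing, extra


if __name__ == "__main__":
    # Usage: python safeboot_check.py C:\SafeBootK.txt  (defaults to the embedded sample)
    text = decode_reg_export(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else BROKEN_EXPORT
    missing, extra = diagnose(text)
    print(f"{len(missing)} of {len(BASELINE_MINIMAL)} standard Minimal entries missing")
    for name in missing:
        print("  missing:", name)
    for name in extra:
        print("  not in baseline:", name)
```

On the #5 export every baseline entry is reported missing and only the Lavasoft entry is left over, which is exactly the "most of the data is missing" verdict; a repaired export reports nothing missing.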

#7 rboone2020

Posted 28 November 2009 - 10:13 PM

Thanks. The SafeBootKeyRepair seemed to run normally. I would post a log, but things went downhill.
I was unable to reboot the machine for some time, with it hanging at the Windows logo or after bringing
up the desktop. I tried Safemode but that continued to give the page fault error. I tried to use the last
good configuration, but that hung as well. The machine did boot with "Debugging" mode, but the net,
and even the Start menu, wouldn't come up. So I continued to reboot, and managed to squeeze in a
call to the Windows Task Manager. I was able to boot the system and have the cursor awake and such.
But now Winlogon.exe is using 50% of the CPUs (it's a dual core), and other processes are swamping
the other 50%. If I kill whatever may be the highest usage (can't kill Winlogon.exe, I'm speaking of
the other processor, presumably), something seems to take its place, running full bore. Right now it's
SmcGui.exe, and sometimes System. I'd post a SafeBootKeyRepair log, but the Net is not working on
that machine, and I'm hesitant to be moving thumb drives around, for fear of contaminating the machine
I'm on now.

Thanks once again for your help. I'll look forward to your advice; right now she's dead in the water.

Randy

#8 rboone2020

Posted 28 November 2009 - 10:39 PM

AustrAlien,

Well, more experimentation. I tried "Boot with debugging" or the like (I'm not sure what some of these
options even do ...) and was able to get into the computer, without being dominated by Winlogon.exe.
The SafeBoot repair log is shown below. (Would these logs be easier to read if I removed the blank
lines?)

Thanks once again,
Randy

**********************************************

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Lavasoft Ad-Aware Service

Edited by rboone2020, 28 November 2009 - 10:43 PM.


#9 AustrAlien

Posted 29 November 2009 - 10:28 PM

The SafeBoot key was successfully imported into the registry, but it might no longer be there, by the sound of it. Let's not worry about repairing Safe Mode for the moment: You need to get your system stabilised and usable first.

Let's see if you can do the following ...
Please use the instructions provided in post #2 by garmanma at the following link, to run MBAM (Quick Scan), ATF Cleaner, SAS and Dr.Web CureIt!
http://www.bleepingcomputer.com/forums/ind...t&p=1499922

*Remember to update MBAM & SAS before running each scan.
If you can't access Safe Mode when the instructions call for doing so, just use Windows in normal mode.
Remove all problems found: Then post the logs from each of the scans (no log from ATF Cleaner).

Follow that up with a Full Scan by MBAM, and post the log from that too.
AustrAlien
Google is my friend. Make Google your friend too.


#10 rboone2020

Posted 30 November 2009 - 09:38 PM

AustrAlien, I've let ya down. I completed the scans (7 hours for Dr Web!). MalwareBytes found a few things,
SAS came back clean, Dr. Web found three troublesome things, plus perhaps 20 more that had been
quarantined by my copy of Symantec. These scans were run in "Debugging mode", as the only bootup
method that would work. I'd post the results of the scans, but no go. I have spent the last 1.5 hours
trying every boot method I could find. They fail in various ways (hanging at the welcome screen,
a normal cursor but non-responsive and when the cursor is moved to the task bar, an hour glass,
a perpetual hour glass and the Windows Task center won't come up, etc.). Safemode doesn't work.
So now she's a brick, and I can't complete the final MalwareBytes full scan.

If you have a magic suggestion, I'd appreciate it. Otherwise, I can dig up an XP start disk tomorrow,
or perhaps a recovery disk. Otherwise, I can purchase Windows 7, wipe the disk, and jump into the
21st century.

As you bid, Sensei

Randy

Edited by rboone2020, 30 November 2009 - 09:40 PM.


#11 rboone2020

Posted 01 December 2009 - 04:37 AM

Hi AustrAlien,

I tried skipping startup programs by holding down Shift on bootup. I don't
know how well it worked, but I was able to squeeze in a run of MSCONFIG,
and I turned off all startup programs. That left the machine bootable.
I then completed the final Malwarebytes scan, which found a couple of
Rootkits and removed them. The file included notes to myself at the
top, shown below.

So some progress, I believe. Any suggestions are appreciated.

Randy

************************************************



Dr. Web took perhaps 7 hours to finish, and I had
to move the laptop after the first attempt, so I missed that log. The
Dr. Web scan had found a resident trojan, and the same trojan in a file,
and deleted those. Then it was quiet until it came to my Symantec
Quarantine directory, and listed perhaps 20 things that it removed.
I was unable to suspend the machine at that point, to take it to work
and continue scans. So I was forced to stop it. The scan you see below
was for a full second scan, which was allowed to finish.



***************************************
ORIGINAL MALWARE QUICK SCAN
***************************************

Malwarebytes' Anti-Malware 1.41
Database version: 3259
Windows 5.1.2600 Service Pack 3

11/29/2009 9:10:04 PM
mbam-log-2009-11-29 (21-10-04).txt

Scan type: Quick Scan
Objects scanned: 129417
Time elapsed: 12 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b45a4b16-23f2-41ad-f4e4-00aac39c0004} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b45a4b16-23f2-41ad-f4e4-00aac39c0004} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\caonima1.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdlcmd.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\str.sys (Rootkit.Agent) -> Delete on reboot.

***********************************
SAS Scan Log
***********************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/30/2009 at 00:25 AM

Application Version : 4.31.1000

Core Rules Database Version : 4318
Trace Rules Database Version: 2177

Scan type : Complete Scan
Total Scan Time : 02:42:20

Memory items scanned : 550
Memory threats detected : 0
Registry items scanned : 14986
Registry threats detected : 0
File items scanned : 433108
File threats detected : 1

Trojan.Dropper/Gen-NV
C:\XRVHO.EXE

**********************************
Dr Web Partial Scan Log
**********************************

SamplesVB6.chm\StreetMap/Routing/Create_route_between_two_points/Visual_Basic/CreateRoute.bas.htm;C:\Program Files\ArcGIS\DeveloperKit\Help\VB\SamplesVB6.chm;Modification of VBS.Generic.240;;
SamplesVB6.chm\StreetMap/Routing/Usage_of_barriers/Visual_Basic/UsageBarriers.bas.htm;C:\Program Files\ArcGIS\DeveloperKit\Help\VB\SamplesVB6.chm;Modification of VBS.Generic.240;;
SamplesVB6.chm;C:\Program Files\ArcGIS\DeveloperKit\Help\VB;Container contains infected objects;Moved.;
xampp-win32-1.6.7-installer.exe\data220;C:\Toys\xampp-win32-1.6.7-installer.exe;Program.PrcView.3725;;
xampp-win32-1.6.7-installer.exe;C:\Toys;Archive contains infected objects;Moved.;


***********************************
Last Full MalwareBytes Scan
***********************************

Malwarebytes' Anti-Malware 1.41
Database version: 3259
Windows 5.1.2600 Service Pack 3

12/1/2009 2:24:17 AM
mbam-log-2009-12-01 (02-24-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 577438
Time elapsed: 2 hour(s), 47 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APQ29.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APQ2A.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdlcmd.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{85001C11-7E94-49F7-B374-E1C1D9F93837}\RP2\A0000056.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{85001C11-7E94-49F7-B374-E1C1D9F93837}\RP2\A0001071.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{85001C11-7E94-49F7-B374-E1C1D9F93837}\RP3\A0004181.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{85001C11-7E94-49F7-B374-E1C1D9F93837}\RP4\A0018207.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{85001C11-7E94-49F7-B374-E1C1D9F93837}\RP4\A0019224.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\str.sys (Rootkit.Agent) -> Delete on reboot.

#12 AustrAlien

Posted 01 December 2009 - 05:32 AM

"So some progress, I believe. Any suggestions are appreciated."

You hardly need any help from me: You are doing just fine yourself. Well done!

Those rootkit references don't look good!
Please follow steps 1, 2 & 3 in post #5 by garmanma in the following link ...
http://www.bleepingcomputer.com/forums/ind...t&p=1508509

Edited by AustrAlien, 01 December 2009 - 05:32 AM.

AustrAlien
Google is my friend. Make Google your friend too.


#13 rboone2020

Posted 01 December 2009 - 10:30 AM

Oh, all an illusion. Even a monkey punching at keys gets lucky sometimes.

The scans follow:


*************************************
RootRepeal
*************************************

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/01 03:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 00000CEC
Image Path: 00000CEC
Address: 0xB483B000 Size: 71424 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7861000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADE8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB420A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\perflib_perfdata_434.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Program Files\Yahoo! Games\Bejeweled Twist\BejeweledTwist.exe:{F54B5B24-9E0A-EFC2-B83D-1CDF56D101FB}
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\Zuma's Revenge - Adventure\ZumasRevengeAdventure.exe:{75B3EC72-43BB-F0E0-5B8E-1F66A87AB7EE}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\dugjdpixzmldj.sys
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091123.037\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

Path: c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\log\log_48.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Randall Boone\Local Settings\Apps\2.0\69REZTD9.62Q\8YHBRGVE.LXT\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Randall Boone\Local Settings\Apps\2.0\69REZTD9.62Q\8YHBRGVE.LXT\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
ServiceTable Hooked [0x882e53d8]!

#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba91887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba918bfe

Hidden Services
-------------------
Service Name: qfimtturfdvoz
Image Path: C:\WINDOWS\system32\drivers\dugjdpixzmldj.sys

==EOF==

*********************************
Win32kDiag
*********************************

Running from: C:\Documents and Settings\Randall Boone\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Randall Boone\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

*************************************
Redirected DOS command
*************************************

Volume in drive C has no label.
Volume Serial Number is A867-FA9D

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 05:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 05:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 05:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 05:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 05:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 05:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 70,703,951,872 bytes free

#14 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:11:13 PM

Posted 01 December 2009 - 12:56 PM

You hardly need any help from me: You are doing just fine yourself.

The Win32kDiag log is normal/clean .... no problem
Your "Redirected DOS command" is normal/clean .... no problem

Re: RR log

#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba91887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba918bfe

"Lbd.sys" is Ad-Aware and is OK.

What do you make of the following .... ?
They all look suspect to me.

Drivers
-------------------
Name: 00000CEC <<< google this one
Image Path: 00000CEC
Address: 0xB483B000 Size: 71424 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\str.sys <<< google this one
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\dugjdpixzmldj.sys
Status: Invisible to the Windows API!

SSDT
-------------------
ServiceTable Hooked [0x882e53d8]!

Hidden Services
-------------------
Service Name: qfimtturfdvoz
Image Path: C:\WINDOWS\system32\drivers\dugjdpixzmldj.sys


AustrAlien
Google is my friend. Make Google your friend too.
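AustrAlien's reading of the RootRepeal log above (a driver with no on-disk image path, files invisible to the Windows API, a hidden service, and SSDT hooks that are only benign when a known module such as Ad-Aware's Lbd.sys owns them) can be turned into a repeatable triage. The Python below is an added example, not code from the thread or from RootRepeal; it assumes RootRepeal's "Key: Value" section layout exactly as shown in the quoted log, and the sample input is a constructed, abridged copy of that log.

```python
import re

KNOWN_HOOKERS = {"lbd.sys"}  # expected SSDT hookers; the thread identifies Lbd.sys as Ad-Aware
# Constructed sample: an abridged copy of the RootRepeal output quoted in the thread.
SAMPLE_LOG = """\
Drivers
-------------------
Name: 00000CEC
Image Path: 00000CEC

Hidden/Locked Files
-------------------
Path: C:\\WINDOWS\\system32\\drivers\\str.sys
Status: Invisible to the Windows API!

SSDT
-------------------
Status: Hooked by "Lbd.sys" at address 0xba91887e

Hidden Services
-------------------
Service Name: qfimtturfdvoz
"""

def parse_sections(text):
    """Map each RootRepeal section (title line over a dashed rule) to its 'Key: Value' records."""
    sections = {}
    pattern = r"^(\S[^\n]*)\n-{5,}\n(.*?)(?=^\S[^\n]*\n-{5,}|\Z)"
    for name, body in re.findall(pattern, text, re.M | re.S):
        records = []
        for block in re.split(r"\n\s*\n", body.strip()):      # records are blank-line separated
            pairs = (ln.partition(":") for ln in block.splitlines() if ":" in ln)
            records.append({k.strip(): v.strip() for k, _, v in pairs})
        sections[name.strip()] = [r for r in records if r]    # drops colon-less lines such as 'ServiceTable Hooked'
    return sections

def hooker(record):  # module named in an SSDT 'Hooked by "X"' status, lower-cased; None if not a hook line
    m = re.search(r'Hooked by "([^"]+)"', record.get("Status", ""))
    return m.group(1).lower() if m else None

RULES = [  # one rule per section: (section, predicate over one record, reason to look closer)
    ("Drivers", lambda r: "\\" not in r.get("Image Path", ""), "image path is not a file on disk"),
    ("Hidden/Locked Files", lambda r: r.get("Status", "").startswith("Invisible"), "hidden from the Windows API"),
    ("SSDT", lambda r: hooker(r) not in (None, *KNOWN_HOOKERS), "hook by an unrecognised module"),
    ("Hidden Services", lambda r: True, "service hidden from the Windows API"),
]

def triage(text):  # (section, first field of the record, reason) for every entry that merits a closer look
    return [(sec, next(iter(r.values())), why) for sec, pred, why in RULES
            for r in parse_sections(text).get(sec, []) if pred(r)]
```

Running `triage(SAMPLE_LOG)` flags the 00000CEC driver, str.sys and the qfimtturfdvoz service and leaves the Lbd.sys hook alone, which matches the read given in the post above.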


#15 rboone2020

rboone2020
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Local time:08:13 AM

Posted 01 December 2009 - 01:31 PM

Suspect indeed.

Str.sys seems to be really nasty. I can't remove it. Reboots fail to clean it, and if I go
into the directory itself to remove it by hand, it does not show. Others have reported
similar grief with this one.

I can't find anything specific to 0000CEC that pertains directly to viruses or the like.
But hex-like numbers are pretty common, so hard to search for.

dugjdpixzmldj.sys literally has no hits on Google. Yikes. Perhaps they'll name that one
after me. The same is true for its service name, qfimtturfdvoz.

Scary stuff. I hesitate to cast doubt, but must confess that Windows 7 is now on order.

Randy