
rrpcsb.exe error, BSOD and then Boot.Mebroot


  • This topic is locked
62 replies to this topic

#1 jagazz

jagazz

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:03:43 AM

Posted 28 February 2010 - 09:51 PM

I have originally posted this problem in "Windows XP Home and Professional" and have been asked to post it here for more help.
Here's what happened:
I have a Thinkpad T43 with Windows XP Service Pack 3 installed. Of late, I have been getting the rrpcsb.exe error immediately after boot up and nothing else works on the computer. The instruction at "0x7c911689" referenced memory at "0x00000000". The memory could not be "read". Shortly after, I get the blue screen with the message, "PAGE_FAULT_IN_NONPAGED_AREA".
Attempts at solving the problem:
1) Tried safe mode: did not even boot up.
2) Tried windows recovery console: says NTLDR is compressed, CTRL+ALT+DEL to restart: essentially didn't work
3) My computer did not come with a recovery CD, so I made one from here: http://www.microsoft.com/downloads/details...;displaylang=en
but was not able to get into recovery console.
4) Upon advice, ran Dr. Web Live CD and it found a few trojans and other previously quarantined items. I first tried curing the files followed by deleting them. I restarted my system but have the same rrpcsb.exe issue.
5) Then checked each of my RAM sticks using memtest: found no errors after multiple passes.
6) I tried rebooting one more time and got the error, "paging file too small". After multiple attempts, I was able to boot up the computer and found that the paging memory file was only 256MB. I was able to increase it to 2GB, although my computer was very slow to respond. Since then, it hasn't booted up. It has been going to the bluescreen.
7) In an attempt to salvage the data on the hard disk, I've gotten the disk out and put it in a USB enclosure and tried reading it with another computer. As soon as I connected it, Symantec Auto-Protect Scan kicked in and started popping out this message over and over:

Risk: Boot.Mebroot
File: Master Boot Record for Physical drive number 2
Location: Boot Record
Action taken: Clean Failed: Quarantine Failed: Access Allowed.

I cannot access the drive and I disconnected it. Please help: how can I recover my data, clean my drive and get my computer working again?
Thank you for the help!



#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,583 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:43 AM

Posted 01 March 2010 - 03:16 PM

Hi, jagazz

Welcome.

Let's give this a try. You will need a flash drive to move information from the sick computer to a working computer, so we can see the progress of our actions. Save these instructions on your flash drive as a text file (use Notepad) so you can have access to these while in an external environment (PE).

Here is what you need to do.

Two programs to download

First

Download ISOBurner. Click Here for ISOBurner Instructions. Install the program, and follow the next set of steps.

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 276.7MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Boot the Non working computer using the boot CD you just created.
  • In order to do so, the computer must be set to boot from the CD first
    Note : For information click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Registry to All
    • Under the Custom Scan box paste this in

      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      userinit.exe
      explorer.exe
      /md5stop
      %SYSTEMDRIVE%\*.*
      %systemroot%\*. /mp /s
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 jagazz

Posted 01 March 2010 - 11:33 PM

Hi JSntgRvr,
Thanks for offering to help!!

I got to the point where I made the CD and Double-click on the OTLPE icon.
I get to the question, "Browse for Folder, Choose Windows Directory"
I have the following options:
RAMDisk (B:)
Local Disk (C:)
ReatogoPE (X:)
Shared Documents

I choose each of the options on successive retries and have been getting: "RunScanner Error: Target is no windows 2000 or later".
What am I supposed to do? Please help!

#4 JSntgRvr

Posted 01 March 2010 - 11:43 PM

It could be due to a bad download or a bad burn.

Run this program on the computer with the OTLPE.iso file.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    QUOTE
    :filefind
    OTLPE.iso

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Based on the information I may be able to know if it is due to a bad download.



#5 jagazz

Posted 01 March 2010 - 11:49 PM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:47 on 01/03/2010 by jagazz (Limited User)

========== filefind ==========

Searching for "OTLPE.iso"
C:\Documents and Settings\jagazz\Desktop\comp TS\OTLPE.iso --a--- 290236416 bytes [03:47 02/03/2010] [03:55 02/03/2010] 3BD19DB0ADB880A39DD80C704CB907D0

-=End Of File=-

#6 JSntgRvr

Posted 01 March 2010 - 11:54 PM

The download is correct. Please burn another CD and retry.

Edited by JSntgRvr, 01 March 2010 - 11:54 PM.



#7 jagazz

Posted 01 March 2010 - 11:58 PM

ok, getting right on it!
thank you

#8 jagazz

Posted 02 March 2010 - 12:24 AM

still the same issue....

#9 JSntgRvr

Posted 02 March 2010 - 12:25 AM

Browse to the C:\Windows folder if present.

Edited by JSntgRvr, 02 March 2010 - 12:25 AM.



#10 jagazz

Posted 02 March 2010 - 12:33 AM

even that doesn't work

#11 jagazz

Posted 02 March 2010 - 12:59 AM

is there any way to save my data?

#12 JSntgRvr

Posted 02 March 2010 - 01:02 AM

How did you boot to the Recovery Console, through the built-in option in the Advanced Menu, or did you use an installation CD?



#13 jagazz

Posted 02 March 2010 - 01:07 AM

No, never made it to the recovery console, it's inaccessible.
I just used the CD I made using your instructions to boot it up.

#14 JSntgRvr

Posted 02 March 2010 - 01:44 AM

I understand that, because the NTLDR is compressed. That should not happen when the boot is performed from a CD.

Follow these steps:
  1. Go to this link for information on how to burn an iso image:
  2. Download the rc.iso file.
  3. Save it to your desktop.
  4. Put a blank CD in your computer’s burner.
  5. Follow the instructions on the previous link to burn the rc.iso image to a CD
  6. When the disk finishes, eject the CD.
  7. Configure the sick computer to start from the CD-ROM or DVD-ROM drive. For information about how to do this, see your computer documentation, or contact your computer manufacturer.
  8. Insert the Image of rc.iso that you burned to CD into your CD-ROM or DVD-ROM drive, and then restart your computer.
  9. When you receive the "Press any key to boot from CD" message, press a key to start your computer from the Windows XP CD-ROM.
  10. You will be prompted with the following options:
    QUOTE
    A. To setup Windows XP, press Enter.
    B. To repair Windows XP installation using recovery console, press R.

    Choose the option, "To repair the Windows XP installation using recovery console", press R. If an Administrator Password has been established, you will be prompted to type it in. If no Administrator Password exists, just press ENTER.

  11. You will be presented with the following:


    QUOTE
    Microsoft Windows® Recovery Console

    The Recovery Console provides system repair and recovery functionality.
    Type EXIT to quit the Recovery Console and restart the computer.

    1: C:\WINDOWS

    Which Windows Installation would you like to log onto
    (To cancel, press ENTER)?

  12. Press the number next to the installation above, in this case, 1 on your keyboard and hit Enter.
  13. At the command prompt, type the following command and press Enter after each line:


    Attrib -c C:\NTLDR
    Fixmbr
    Exit

  14. Confirm the creation of a new MBR (Master Boot Record) if prompted.
Allow the computer to restart from the hard drive.

If successful, try this:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:





  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  7. Double click on combo-Fix.exe & follow the prompts.
  8. Install the Recovery Console if prompted.
  9. When finished, it will produce a report for you.
  10. Please post the "C:\Combo-Fix.txt".
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Edited by JSntgRvr, 02 March 2010 - 01:48 AM.



#15 jagazz

Posted 02 March 2010 - 02:16 AM

Thanks Again!!
I got to the point where I did C:\WINDOWS>Fixmbr
This is the message I got:
__________________________________________________
** CAUTION **

This computer appears to have a non-standard or invalid master boot record.

FIXMBR may damage your partition tables if you proceed.

This could cause all the partitions on the hard disk to become inaccessible.

If you are not having problems accessing your drive, do not continue.

Are you sure you want to write a new MBR?

__________________________________________________

Should I continue? Do I risk losing my data on the hard disk? Please advise!
Thanks!
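
The FIXMBR caution quoted above concerns the partition table, which sits in bytes 446-509 of the same 512-byte master boot record as the boot code. As an added example (not part of the original thread and not taken from any tool mentioned in it), the Python below parses a saved copy of sector 0 so the partition entries and a hash of the boot code are on record before a repair is attempted. It assumes the sector has already been copied into a byte string by other means; `parse_mbr`, `table_is_sane` and `build_sample` are hypothetical names, and the sample sector is constructed.

```python
import hashlib
import struct

TABLE_OFFSET = 446  # four 16-byte partition entries; bytes 510-511 hold 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a raw copy of sector 0 into boot-code hash, signature check and partitions."""
    if len(sector) != 512:
        raise ValueError("expected exactly 512 bytes, got %d" % len(sector))
    partitions = []
    for slot in range(4):
        entry = sector[TABLE_OFFSET + 16 * slot: TABLE_OFFSET + 16 * (slot + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0:  # type 0x00 marks an unused slot
            continue
        partitions.append({"slot": slot, "active": status == 0x80,
                           "status_ok": status in (0x00, 0x80), "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        # Bytes 0-439 are boot code; hashing them lets copies of the sector
        # taken at different times be compared without reading disassembly.
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "partitions": partitions,
    }


def table_is_sane(info: dict) -> bool:
    """Boot signature present, at least one entry, valid status bytes, no overlaps."""
    parts = sorted(info["partitions"], key=lambda p: p["lba_start"])
    if not info["signature_ok"] or not parts:
        return False
    if any(not p["status_ok"] or p["lba_start"] == 0 or p["sectors"] == 0 for p in parts):
        return False
    return all(a["lba_start"] + a["sectors"] <= b["lba_start"]
               for a, b in zip(parts, parts[1:]))


def build_sample(boot_code: bytes) -> bytes:
    """Constructed sample sector: one active NTFS (type 0x07) partition at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 78124032)
    return (boot_code.ljust(440, b"\x00") + struct.pack("<I", 0x1234ABCD)
            + b"\x00\x00" + entry + b"\x00" * 48 + b"\x55\xaa")
```

Two copies of the sector with identical `partitions` but different `boot_code_sha256` values differ only in boot code, while a copy for which `table_is_sane` returns False has a table that should be recorded by hand before anything writes to the disk.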



