XP won't boot in normal or safe mode


  • This topic is locked
37 replies to this topic

#1 Devy

Devy

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 04 March 2010 - 01:36 PM

Hello,

I was recently having issues with google redirecting me to wrong sites, and then a virus popped up (AntivirusLive / InternetSecurity 2010 or some similar form). I attempted to restart my computer in safe mode so I could run malwarebytes, but it would not get past mup.sys when the list of files came up. If I try to start in normal mode, it gets to the XP splash screen with the progress bar moving at the bottom and just stays there. My computer does not crash or restart at these points, it just stays put at either mup.sys or the xp screen.

Any advice on how to fix this issue so I don't have to reformat and lose all my data would be greatly appreciated.

Edited by boopme, 04 March 2010 - 03:31 PM.
Moved to malware removal~~boopme



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:59 AM

Posted 04 March 2010 - 03:18 PM

Hi Devy,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please tell me if the situation is still the same.

Also tell me if you have Windows XP installation CD or Windows Vista installation DVD or any Boot CD.

#3 Devy

Devy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 04 March 2010 - 04:14 PM

Thanks for the quick response farbar.

I agree not to make any changes from now on.

My situation has changed slightly. Now even selecting normal mode results in a list of files that ends on mup.sys.

And yes, I do have my XP installation CD.

Edited by Devy, 04 March 2010 - 04:32 PM.


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:59 AM

Posted 04 March 2010 - 04:50 PM

Let's try this to get it to boot before we do something else. If it booted please remain there and don't shut off or restart.

Use F8 after restart to get to advanced mode and select:
Last Known Good configuration and let it boot.
If you could not boot restart again, use F8 and select:
Safe Mode with Command Prompt
If you could not boot restart again, use F8 and select:
Debugging Mode.

#5 Devy

Devy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 04 March 2010 - 04:59 PM

I tried those three choices, and they all ended up giving the list ending with Mup.sys and stayed there.

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:59 AM

Posted 04 March 2010 - 05:18 PM

  1. To start the Recovery Console directly from the Windows XP CD you would do the following:
    • Insert the Windows XP cd in your computer.
    • Restart your computer so you are booting off of the CD.
    • When the Welcome to Setup screen appears, press the R button on your keyboard to start the Recovery Console.
    • The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.
    • It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter. If you do not know your password then see this.
    • If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.

  2. Type map and press enter.
    It will give you the drive letters. Note down the letter of your CD-ROM. If it is a letter other than E, you should replace the letter e when applying the expand command later on, if that command needs to be applied.

    ren c:\windows\system32\drivers\atapi.sys atapi.old
    (It will return to the prompt again without notification)
    Copy c:\windows\servicepackfiles\i386\atapi.sys c:\windows\system32\drivers
    (If you get the notification "1 file(s) copied" you don't need to run the next expand command; go to the exit command. But if you get a notification that the file doesn't exist, proceed with the expand command)
    expand e:\I386\atapi.sy_ c:\windows\system32\drivers
    (You should be notified that the file expanded)
    exit

    You may remove the CD or let Windows boot normally.
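The procedure above swaps the live atapi.sys for the pristine copy XP keeps under ServicePackFiles (or, failing that, expands one from the CD). The check a practitioner wants before and after such a swap is whether the live driver actually matches the pristine copies. The following Python is an added example, not code from this thread or from any tool it mentions: it hashes the live driver against each pristine location and builds a throwaway XP-like directory tree (constructed, not a real system) to show the before/after result. The set of pristine locations and the SHA-256 comparison are my assumptions; on a real machine you would point it at the actual Windows directory.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Assumed locations of a pristine copy of a system driver, relative to the Windows
# directory: the Service Pack cache used in the thread, then the File Protection cache.
PRISTINE_SUBDIRS = (("ServicePackFiles", "i386"), ("system32", "dllcache"))


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large drivers don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_driver(windir: Path, driver: str) -> Dict[str, Optional[bool]]:
    """Compare system32\\drivers\\<driver> against each pristine copy.

    Returns {location: True (matches), False (differs), None (no copy there)}.
    """
    live_hash = sha256_of(windir / "system32" / "drivers" / driver)
    report: Dict[str, Optional[bool]] = {}
    for parts in PRISTINE_SUBDIRS:
        candidate = windir.joinpath(*parts) / driver
        key = "\\".join(parts)
        report[key] = (sha256_of(candidate) == live_hash) if candidate.exists() else None
    return report


def needs_replacement(report: Dict[str, Optional[bool]]) -> bool:
    """True when a pristine copy exists and the live driver matches none of them.

    That is the atapi.sys situation in this thread. If no copy exists at all the
    report is all None and the answer is 'expand it from the CD', not a silent True.
    """
    available = [v for v in report.values() if v is not None]
    return bool(available) and not any(available)


def demo():
    """Constructed demonstration: a fake WINDOWS tree with a tampered atapi.sys."""
    with tempfile.TemporaryDirectory() as tmp:
        windir = Path(tmp) / "WINDOWS"
        live = windir / "system32" / "drivers" / "atapi.sys"
        pristine = windir / "ServicePackFiles" / "i386" / "atapi.sys"
        live.parent.mkdir(parents=True)
        pristine.parent.mkdir(parents=True)
        pristine.write_bytes(b"pristine driver bytes (constructed)")
        live.write_bytes(b"modified driver bytes (constructed)")

        before = check_driver(windir, "atapi.sys")
        # The thread's fix: put the pristine copy in place of the live one.
        live.write_bytes(pristine.read_bytes())
        after = check_driver(windir, "atapi.sys")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before, "-> replace?", needs_replacement(before))
    print("after: ", after, "-> replace?", needs_replacement(after))
```

A hash match against ServicePackFiles only proves the two files are identical; if an attacker replaced both, the check passes. Comparing against a copy expanded from the installation CD (a read-only source) is the stronger reference, which is why the expand command is the fallback in the instructions above.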


#7 Devy

Devy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 04 March 2010 - 06:31 PM

Alright! My computer booted successfully after following the above instructions, although my desktop background had changed, a few of my desktop icons are missing, and a message appeared saying I have 30 days left for activation.



#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:59 AM

Posted 04 March 2010 - 06:39 PM

Great.

Let's wait on the activation issue for a while. Please don't reboot or shut down until we have a log.

Please perform the following scan:
  • Download DDS by sUBs from the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run. When done it will open two logs:
    • DDS.txt
    • Attach.txt
  • Copy and paste the logs to your reply.



#9 Devy

Devy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 04 March 2010 - 08:09 PM

Here is the DDS.txt log:



DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 1:59:17.31 on 04/03/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.3034 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTFMON.EXE
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\Administrator.RS-700D26F5BAAB.000\Desktop\.pif

============== Pseudo HJT Report ===============

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-03-04 05:04:51 0 d-sh--w- C:\found.000
2010-03-02 09:46:10 25472 ----a-w- c:\windows\system32\drivers\agp440.sys
2010-03-02 09:01:03 229 --sha-w- C:\boot-ini.bak
2010-02-26 16:38:01 0 d-----w- c:\windows\tmp
2010-02-26 15:52:54 105344 ----a-w- c:\windows\system32\drivers\mup.sys
2010-02-22 23:38:29 26112 ----a-w- c:\windows\system32\userinit.exe

==================== Find3M ====================

2010-02-22 23:27:17 791552 ----a-w- c:\windows\system32\drivers\nuffd.bad
2010-02-22 03:51:22 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-02-22 03:29:37 139128 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-01-28 22:04:26 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-01-28 22:04:26 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-11 20:45:06 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-12-11 20:44:50 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-12-11 20:43:12 3620864 ----a-w- c:\windows\system32\aticaldd.dll
2009-12-11 20:41:34 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-12-11 20:26:24 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-12-11 20:25:22 300544 ----a-w- c:\windows\system32\ati2dvag.dll
2009-12-11 20:25:08 13434880 ----a-w- c:\windows\system32\atioglxx.dll
2009-12-11 20:23:34 3521408 ----a-w- c:\windows\system32\ati3duag.dll
2009-12-11 20:09:36 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2009-12-11 20:09:18 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-12-11 20:09:04 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-12-11 20:08:54 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-12-11 20:08:38 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-12-11 20:07:42 2154752 ----a-w- c:\windows\system32\ativvaxx.dll
2009-12-11 20:07:18 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-12-11 20:07:16 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-12-11 20:05:44 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-12-11 20:01:20 565248 ----a-w- c:\windows\system32\atikvmag.dll
2009-12-11 19:59:08 176128 ----a-w- c:\windows\system32\atiadlxx.dll
2009-12-11 19:58:40 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-12-11 19:57:40 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2009-12-11 19:52:20 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2009-12-11 19:50:40 64512 ----a-w- c:\windows\system32\atimpc32.dll
2009-12-11 19:50:40 64512 ----a-w- c:\windows\system32\amdpcom32.dll
2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-06-24 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

============= FINISH: 1:59:40.62 ===============


#10 Devy

Devy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 04 March 2010 - 08:15 PM

Here is the Attach.txt log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 31/08/2008 7:47:26 PM
System Uptime: 03/04/2010 12:22:42 AM (-719 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5Q-PRO
Processor: Intel Pentium III Xeon processor | LGA 775 | 2666/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 466 GiB total, 197.375 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_1002&DEV_9440&SUBSYS_05021002&REV_00\4&22FC202A&0&0008
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_1002&DEV_9440&SUBSYS_05021002&REV_00\4&22FC202A&0&0008
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_13F6&DEV_8788&SUBSYS_82751043&REV_00\5&3518C6D2&0&2000E0
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_13F6&DEV_8788&SUBSYS_82751043&REV_00\5&3518C6D2&0&2000E0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_1969&DEV_1026&SUBSYS_82261043&REV_B0\4&20515DB1&0&00E5
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_1969&DEV_1026&SUBSYS_82261043&REV_B0\4&20515DB1&0&00E5
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_3A30&SUBSYS_82D41043&REV_00\3&11583659&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_3A30&SUBSYS_82D41043&REV_00\3&11583659&0&FB
Service:

==== System Restore Points ===================

RP1: 04/03/2010 12:23:54 AM - System Checkpoint

==== Installed Programs ======================

Update for Windows XP (KB911164)

==== End Of File ===========================

(zipped and attached)

Attached Files


Edited by farbar, 04 March 2010 - 08:19 PM.
Opening the log


#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:59 AM

Posted 04 March 2010 - 08:27 PM

The reason you get the activation notification is that the userinit.exe file was replaced (in February, by an earlier version).

Something is not right. No list of installed programs and you reported missing icons. Are you sure you have booted to your usual account?

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:

CODE
@ECHO OFF
REM List the local user accounts, overwriting any earlier log.txt
net user >log.txt
REM Append the profile folders (all attributes, bare names, sorted); errors go to the log too
dir /a /b /o "c:\documents and settings" >>log.txt 2>&1
START log.txt

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate look.bat on the desktop. It should look like this:
  • Double-click to run it.
  • A notepad opens, copy and paste the content (log.txt) to your reply.

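What Farbar does by eye in the two posts above (picking mup.sys, userinit.exe and the odd nuffd.bad out of the recently created files, and the extension-only `.pif` process out of the process list) can be scripted for triage. The following Python is an added example, not code from this thread, from DDS or from Farbar: the input lines are copied from the DDS.txt posted above, while the watch list of boot-chain binaries, the 30-day window and the odd-extension rule are my assumptions. A hit is a lead to compare against a known-good copy, as the atapi.sys step did, not proof of infection (agp440.sys is flagged purely on date, for instance).

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample input: lines copied from the DDS.txt in this thread.
SAMPLE_PROCESSES = r"""
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\Administrator.RS-700D26F5BAAB.000\Desktop\.pif
"""

SAMPLE_FILES = r"""
2010-03-04 05:04:51 0 d-sh--w- C:\found.000
2010-03-02 09:46:10 25472 ----a-w- c:\windows\system32\drivers\agp440.sys
2010-03-02 09:01:03 229 --sha-w- C:\boot-ini.bak
2010-02-26 15:52:54 105344 ----a-w- c:\windows\system32\drivers\mup.sys
2010-02-22 23:38:29 26112 ----a-w- c:\windows\system32\userinit.exe
2010-02-22 23:27:17 791552 ----a-w- c:\windows\system32\drivers\nuffd.bad
2010-02-22 03:51:22 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
"""

REPORT_DATE = datetime(2010, 3, 4)  # "Run by Administrator at ... on 04/03/2010"

# Assumed watch list: binaries on the boot/logon path whose replacement explains
# symptoms like the mup.sys hang and the activation prompt seen in this thread.
WATCHED = {"userinit.exe", "winlogon.exe", "explorer.exe", "atapi.sys",
           "mup.sys", "ntoskrnl.exe", "ntkrnlpa.exe"}
DRIVERS_DIR = "\\windows\\system32\\drivers\\"

# DDS file entry: "<date> <time> <size> <8 attribute flags> <path>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+?)\s*$")


@dataclass
class Finding:
    when: datetime
    path: str
    reasons: List[str]


def triage_files(log_text: str, report_date: datetime = REPORT_DATE,
                 window_days: int = 30) -> List[Finding]:
    """Flag file entries that deserve a second look, with the reason for each."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        path = m.group(4)
        lower = path.lower()
        name = lower.rsplit("\\", 1)[-1]
        recent = report_date - when <= timedelta(days=window_days)
        reasons = []
        if DRIVERS_DIR in lower and not name.endswith(".sys"):
            reasons.append("non-.sys file in the drivers directory")
        if recent and DRIVERS_DIR in lower:
            reasons.append(f"driver modified in the last {window_days} days")
        if recent and name in WATCHED:
            reasons.append(f"boot-chain binary modified in the last {window_days} days")
        if reasons:
            findings.append(Finding(when, path, reasons))
    return findings


def suspicious_processes(process_text: str) -> List[str]:
    """Flag running images with no file stem (".pif") or a legacy executable extension."""
    hits = []
    for line in process_text.splitlines():
        line = line.strip()
        if not line:
            continue
        image = line.split(" -k ")[0]  # drop svchost service-group arguments
        name = image.rsplit("\\", 1)[-1].lower()
        ext = name.rpartition(".")[2]
        if name.startswith(".") or ext in {"pif", "scr", "com"}:
            hits.append(image)
    return hits


if __name__ == "__main__":
    for f in triage_files(SAMPLE_FILES):
        print(f.when.date(), f.path, "::", "; ".join(f.reasons))
    for p in suspicious_processes(SAMPLE_PROCESSES):
        print("process:", p)
```

The date window is keyed to the report's own run date rather than the wall clock, so the same script gives the same answer when a log is re-examined later. The rules deliberately stay on the cheap side (path, name, timestamp); anything they flag still needs the hash comparison against a pristine copy before it is treated as malicious.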

#12 Devy

Devy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 04 March 2010 - 08:46 PM

Here is my log.txt:


User accounts for \\RS-700D26F5BAAB

-------------------------------------------------------------------------------
Administrator Guest HelpAssistant
SUPPORT_388945a0
The command completed successfully.

Administrator
Administrator.RS-700D26F5BAAB
Administrator.RS-700D26F5BAAB.000
All Users
Default User
LocalService
LocalService.NT AUTHORITY
NetworkService
NetworkService.NT AUTHORITY
Ryan
TEMP


#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:59 AM

Posted 04 March 2010 - 09:00 PM

Something is not right. No list of installed programs and you reported missing icons. Are you sure you have booted to your usual account?

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:59 AM

Posted 04 March 2010 - 09:28 PM

Open your Malwarebytes' Anti-Malware.
  • First update it, to do that under the Update tab press "Check for Updates".
  • Under Scanner tab select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#15 Devy

Devy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 04 March 2010 - 10:12 PM

I am not 100% sure I am in the proper account. When I booted after following the instructions in your third post, I was not given the option on selecting the account with my name (the only one that normally appears), it just went right to the desktop and I have not rebooted since then. Also, in the start menu, it says Administrator at the top instead of my name.

I will now run malwarebytes and post the log when finished.

Thank you for all of your help so far.
