
Windows XP effectively rendered useless except for Safe Mode. No exe's can run. Suspicious System Log entries.



#1 Marc Animal


Posted 22 March 2010 - 11:03 PM

Thank you in advance for any help you can provide; it is much appreciated! This is my first post for help so bear with me and straighten me out if I am in need of it...

I am helping someone get their computer back into an operational state. It is a Windows XP SP3 machine.

I contemplated starting this topic in the Virus, Trojan, Spyware, and Malware Removal Logs, but being new I thought it might be better for me to start here - especially because it's hard to pinpoint what is going on with the machine I am working on.

In a nutshell, Windows XP can NOT start up normally. At some point in the startup routine the computer throws error messages that look exactly like this: "userinit.exe - Application Error: The application failed to initialize properly (0xc0000022). Click OK to terminate the application." After you click "OK", and if the stars have aligned correctly, you may actually get to see some desktop icons and even the Taskbar and Start Button. However most of the time all you get is the Wallpaper and nothing further. Regardless, once this message appears, any further exe you try to execute will have the same fate. Essentially all you can do is reboot.

So I reboot and start in Safe Mode. Oddly enough the computer spins like a top. Checking the System Event Log will reveal some interesting behind-the-scenes activity - almost an entire log full of entries from when Windows was started normally, even though there was no obvious activity. The events are all similar to this:

Event Type: Warning
Event Source: AMP
Event Category: Amp message
Event Id: 1
Date: 3/22/2010
Time: 9:53:50 PM
User: N/A
Computer: ComputerName
Description: Infection detected in C:\Windows\System32\WGATRAY.EXE

The only difference in all the logs is the Description - I have seen pretty much any .dll, .sys, .drv, and .exe file in any directory. They are all valid paths with valid filenames.

I have tried to Google this ("Amp message" "Infection detected") and come up with no hits. Feels like Malware to me, but nothing I can find any information on. No other searching has proven especially effective.

System Restore is enabled and the user thinks that they started having problems around February 26th. I have restored back to before February 21st and still get the same behavior from the machine.

The computer also has Norton Go Back and I did try once or twice to restore to previous dates but with no change to system behavior.

I did run an updated MBAM scan in Safe Mode as well as SpyBot S&D. The only real hit I got was an Adware for a Coupons.com, but I believe that has been happily on the computer for quite some time. I did remove it anyway for kicks and it did not help.

One of my web searches related to the original problem of not being able to execute any exe files led me down a path of trying to allocate Read permissions on all dll and ocx files for the BuiltIn\Users account. That resulted in a very bad BSOD situation. :flowers: Fortunately either System Restore or Norton Go Back got me out of that one... :thumbsup:

That is about the time that I decided it was time to utilize this community as it has been very helpful to me in the past!

I did not generate any logs for this topic yet because I can only run in Safe Mode. However I am more than happy to do so if it will help.

Any thoughts or ideas would be greatly appreciated!

Thanks so much. ...Marc Animal

Edited by Marc Animal, 22 March 2010 - 11:05 PM.
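A triage helper for the kind of event log the post describes, added here as an example; it is not part of the original post and is not a BleepingComputer tool. Two facts frame it: the error code in the userinit.exe dialog, 0xc0000022, is the NTSTATUS value STATUS_ACCESS_DENIED, so every process that fails to start is being refused access to something it needs, and the flood of "Infection detected" warnings comes from an Event Source ("AMP") that a clean XP install does not register. The script parses records in the text layout the post quotes (one "Field: value" per line, records separated by blank lines), counts events per source, and flags records whose source is not on an analyst-maintained allow-list and whose Description names a file under the Windows directory, so the analyst gets one list of the files the unknown source is calling infected instead of scrolling hundreds of near-identical entries. The sample log, the allow-list and the regular expression for Windows paths are all constructed assumptions.

```python
"""Triage of System Event Log records from an unrecognised Event Source.

Added example (not from the original post or from BleepingComputer). Parses the
"Field: value" text layout quoted in the post, groups records by source, and
lists the files that an unknown source claims are infected. Sample log,
allow-list and path pattern are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample: three records from the unrecognised "AMP" source plus one
# ordinary Service Control Manager record for contrast.
SAMPLE_LOG = """\
Event Type: Warning
Event Source: AMP
Event Category: Amp message
Event Id: 1
Date: 3/22/2010
Time: 9:53:50 PM
User: N/A
Computer: ComputerName
Description: Infection detected in C:\\Windows\\System32\\WGATRAY.EXE

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event Id: 7036
Date: 3/22/2010
Time: 9:53:51 PM
User: N/A
Computer: ComputerName
Description: The Windows Time service entered the running state.

Event Type: Warning
Event Source: AMP
Event Category: Amp message
Event Id: 1
Date: 3/22/2010
Time: 9:53:52 PM
User: N/A
Computer: ComputerName
Description: Infection detected in C:\\Windows\\System32\\drivers\\atapi.sys

Event Type: Warning
Event Source: AMP
Event Category: Amp message
Event Id: 1
Date: 3/22/2010
Time: 9:53:53 PM
User: N/A
Computer: ComputerName
Description: Infection detected in C:\\Windows\\System32\\WGATRAY.EXE
"""

# Sources the analyst has vetted as legitimate. Assumption: a short allow-list
# is enough for one XP box; real triage would use a fuller inventory.
KNOWN_SOURCES = {"Service Control Manager", "Windows Update Agent", "EventLog"}

# Matches a drive-rooted path under the Windows directory (constructed pattern).
WINDOWS_PATH = re.compile(r"[A-Za-z]:\\Windows\\\S+", re.IGNORECASE)


def parse_event_log(text):
    """Split exported text into records; each record is a dict of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            # partition on the first colon only, so "Time: 9:53:50 PM" survives
            key, sep, value = line.partition(":")
            if sep:
                record[key.strip()] = value.strip()
        if record:
            events.append(record)
    return events


def triage(events, known_sources=KNOWN_SOURCES):
    """Count events per source and collect files named by unrecognised sources."""
    by_source = defaultdict(int)
    flagged = []
    files = set()
    for ev in events:
        source = ev.get("Event Source", "")
        by_source[source] += 1
        if source in known_sources:
            continue
        paths = WINDOWS_PATH.findall(ev.get("Description", ""))
        if paths:
            flagged.append(ev)
            files.update(p.lower() for p in paths)
    return {
        "counts_by_source": dict(by_source),
        "flagged": flagged,
        "files_named": sorted(files),
    }


if __name__ == "__main__":
    summary = triage(parse_event_log(SAMPLE_LOG))
    print("events per source:", summary["counts_by_source"])
    print("records from unrecognised sources:", len(summary["flagged"]))
    print("files the unknown source claims are infected:")
    for path in summary["files_named"]:
        print("  ", path)
```

Run against a real export, the "files_named" list is what to compare against a known-good copy of the same files (hash or size from installation media) before trusting any "infection" claim, since a source that is not part of the OS and reports every system file as infected is itself the first thing to investigate.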

