BSOD after XP Repair Install


  • This topic is locked
49 replies to this topic

#1 Rathgar2


Posted 05 April 2010 - 11:08 PM

How did I get here? Uggh, Malware on April Fool's Day. Been fighting this BLEEPING problem for days now. I have a 6-year-old Dell XPS running Windows XP Home SP3 with 2GB of RAM and 3 internal hard drives. Here are the steps I have gone through:

Safe Mode with Networking
D/Led Teamview for my helper friend.
D/Led a VB script to fix EXE association corruption.
D/Led a VB script to fix RegEdit lockout.
D/Led fresh MBAM and got it to run and update.
D/Led fresh Spybot Sn'D got it to run and update.
D/Led fresh HJT.
Did a round of scans to whack the Malware.
Had a friend advise me on cleaning the BHO's and other crap from HJT log.
D/Led fresh CClean ran clean up.

Got computer back into Normal Mode
Did another round of scans to whack the Malware.
D/Led copy of Avast to replace my crappy McAfee.
System was still a bit buggy.
Then did a Windows XP Home Repair Install.
The system would not start into Normal Mode.

Back to Safe Mode with Networking.
Ran CMD prompt.
Tried to run 'CHKDSK /r' but the DOS system said that the volume was in use but would I like to run it at next reboot Y/N?
I selected YES (bad move?)
Crap, now I get a BLEEPING BSOD that cites no error type or associated files, just this:
Stop: 0x0000007E (0xC0000005, 0xBA210184, 0XBACFED3C, 0xBACFEA38)

So I cannot boot into normal mode now at all. All Safe Mode Flavors hang up on MUP.SYS. Was able to run the recovery console and ran a 'CHKDSK /r' and it said it fixed an error, but still cannot run the operating system. Should I re-try the repair install? Any Ideas?


EDIT: Moved from XP to Am I Infected, please read/follow suggested administrative procedures in the AII forum, thanks ~ Hamluis.

Edited by hamluis, 06 April 2010 - 09:27 AM.




#2 JSntgRvr

Malware Response Team

Posted 06 April 2010 - 11:52 AM

Hi, Rathgar2

Welcome.

Let's give this a try. You will need a flash drive to move information from the sick computer to a working computer, so we can see the progress of our actions. Save these instructions on your flash drive as a text file (use Notepad) so you can have access to them while in an external environment (PE).

Here is what you need to do.

Two programs to download

First

Download ISOBurner. Click Here for ISOBurner Instructions. Install the program, and follow the next set of steps.

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 276.7MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Boot the Non working computer using the boot CD you just created.
  • In order to do so, the computer must be set to boot from the CD first
    Note : For information click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under the Custom Scan box paste this in

      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      userinit.exe
      explorer.exe
      ntoskrnl.exe
      /md5stop
      %SYSTEMDRIVE%\*.*
      %systemroot%\*. /mp /s
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Rathgar2

Topic Starter

Posted 06 April 2010 - 10:20 PM

I am at this step and am stuck: "Double-click on the OTLPE icon." I get a 'Browse For Folder-Choose Windows Directory' dialogue box. It lists drives on My Computer, A (floppy), B (RAMDisk), C (Removable Disk?), D (Dell_E173FP), X (ReatogoPE) & Shared Documents. When I select any of them I get a msg from 'RunScanner Error-Target is not windows 2000 or later.' I get this message on each drive I try. Under each of the drives there is no Windows folder to choose from. Is this normal, or am I doing something very wrong?
WTTW Ken

#4 JSntgRvr

Malware Response Team

Posted 06 April 2010 - 11:32 PM

Possible scenarios would be a bad download, a bad burn, or a lack of drivers to read the hard drive. Let's check the download. Run this program where the OTLPE.iso resides.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    QUOTE
    :filefind
    OTLPE.iso

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

By any chance, are you able to boot to the Recovery Console? If you do, would it end up in the C:\Windows folder or in the C:\ folder?



#5 Rathgar2

Topic Starter

Posted 07 April 2010 - 01:49 AM

Yes I can boot into the Recovery console and when I do it does start in the C:\Windows directory. I have run that SystemLook utility on my clean healthy netbook with which I had D/Led the OTLPE. I hope it can tell you something useful.

I have been considering trying the Windows Repair Install again. Shall I? I also have been considering having my friend rescue my data and then nuke the drive with the Format Beatdown and rebuild. I am sad to say that that feels like a white flag to the evil Malware empire, but I feel discouraged. Should I be weighing that last resort option now?
WTTW Ken

#6 JSntgRvr

Malware Response Team

Posted 07 April 2010 - 06:51 AM

Windows repair is not the best option when the issue is malware related. The size and checksum of the download is correct. Please try to burn another CD at a lesser speed and retry.

Let me know the outcome.



#7 Rathgar2

Topic Starter

Posted 07 April 2010 - 08:26 PM

Same after burning a 2nd copy. I tried to again run the Recovery Console to do CHKDSK /r and this time I was able to run it. I still cannot boot into Normal Mode, but now I have gotten back into Safe Mode. Gonna run DDS.scr and GMER, which seem to run now. I'll post those logs soon.

#8 JSntgRvr

Malware Response Team

Posted 07 April 2010 - 10:30 PM

In addition, run this application.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.*
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of these files in your next reply.

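The /md5start ... /md5stop lists in the two OTL custom scans above (post #2 and this one) ask OTL to report the MD5 of each named system file so the helper can spot a patched driver or system binary. As an added Python example that is not OTL's code, this parses that block, hashes each listed file found under a Windows folder, and compares the result against baseline hashes taken from a clean copy; the Windows folder, file contents and baseline hashes are constructed here, not real Windows hashes.

```python
import hashlib
import os
import tempfile

OTL_CUSTOM_SCAN = """/md5start
eventlog.dll
netlogon.dll
atapi.sys
/md5stop
%systemroot%\\*. /mp /s
"""

def parse_md5_list(text):
    """Return the file names between /md5start and /md5stop, in order."""
    names, inside = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower() in ("/md5start", "/md5stop"):
            inside = line.lower() == "/md5start"
        elif inside and line:
            names.append(line)
    return names

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def hash_system_files(system_root, names):
    """Look for each name under System32 and System32\\drivers; map name -> md5 or None."""
    dirs = [os.path.join(system_root, "System32"),
            os.path.join(system_root, "System32", "drivers")]
    found = {}
    for name in names:
        hits = [os.path.join(d, name) for d in dirs if os.path.isfile(os.path.join(d, name))]
        found[name] = md5_of(hits[0]) if hits else None
    return found

def compare_to_baseline(current, baseline):
    """OK = matches clean copy; MODIFIED = differs (a patched file); MISSING; UNKNOWN."""
    verdict = {}
    for name, digest in current.items():
        if digest is None:
            verdict[name] = "MISSING"
        elif name not in baseline:
            verdict[name] = "UNKNOWN"
        else:
            verdict[name] = "OK" if digest == baseline[name] else "MODIFIED"
    return verdict

# Constructed clean file contents and their hashes (not real Windows file hashes).
CLEAN_BYTES = {"atapi.sys": b"clean atapi driver bytes", "eventlog.dll": b"clean eventlog bytes"}
CLEAN_BASELINE = {n: hashlib.md5(b).hexdigest() for n, b in CLEAN_BYTES.items()}

def build_constructed_root():
    """Constructed sample Windows folder: atapi.sys intact, eventlog.dll tampered with."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "System32", "drivers"))
    with open(os.path.join(root, "System32", "drivers", "atapi.sys"), "wb") as f:
        f.write(CLEAN_BYTES["atapi.sys"])
    with open(os.path.join(root, "System32", "eventlog.dll"), "wb") as f:
        f.write(CLEAN_BYTES["eventlog.dll"] + b" plus injected patch")
    return root
```

On a real machine the baseline would come from a known-clean install of the same Windows version and service pack, since legitimate updates also change these hashes.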


#9 Rathgar2

Topic Starter

Posted 08 April 2010 - 12:34 AM

OK, I ran these scans in Safe Mode with Networking (unable to boot into Normal Mode; I hope that does not matter). Here are the 2 logs from DDS.scr, the one log from GMER and finally the OTL log. What do they tell you? Am I screwed?
WTTW Ken

Edited by Rathgar2, 08 April 2010 - 05:52 PM.


#10 JSntgRvr

Malware Response Team

Posted 08 April 2010 - 12:58 AM

Safe mode with Networking is fine for the time being.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as CFScript.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop
    QUOTE
    File::
    C:\WINDOWS\System32\drivers\jlpdfwd.sys
    C:\Documents and Settings\All Users\Application Data\_VOIDmfeklnmal.dll
    C:\WINDOWS\tasks\At9.job
    C:\WINDOWS\tasks\At8.job
    C:\WINDOWS\tasks\At24.job
    C:\WINDOWS\tasks\At23.job
    C:\WINDOWS\tasks\At22.job
    C:\WINDOWS\tasks\At21.job
    C:\WINDOWS\tasks\At20.job
    C:\WINDOWS\tasks\At19.job
    C:\WINDOWS\tasks\At18.job
    C:\WINDOWS\tasks\At17.job
    C:\WINDOWS\tasks\At16.job
    C:\WINDOWS\tasks\At15.job
    C:\WINDOWS\tasks\At14.job
    C:\WINDOWS\tasks\At13.job
    C:\WINDOWS\tasks\At12.job
    C:\WINDOWS\tasks\At11.job
    C:\WINDOWS\tasks\At10.job
    C:\WINDOWS\tasks\At7.job
    C:\WINDOWS\tasks\At6.job
    C:\WINDOWS\tasks\At5.job
    C:\WINDOWS\tasks\At4.job
    C:\WINDOWS\tasks\At3.job
    C:\WINDOWS\tasks\At2.job
    C:\WINDOWS\tasks\At1.job
    C:\Documents and Settings\Ken Jaedicke\Local Settings\Application Data\8Cq4r
    C:\Documents and Settings\All Users\Application Data\8Cq4r
    C:\Program Files\75750.dat

    Driver::
    jlpdfwd




    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.
  4. Install the Recovery Console if prompted.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Run OTL once again
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box paste this in


    /md5start
    svchost.exe
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of these files in your next reply.

Edited by JSntgRvr, 08 April 2010 - 12:59 AM.



#11 Rathgar2

Topic Starter

Posted 08 April 2010 - 01:50 AM

OK here are the logs. The 'Extras KJ 040710.txt' file I am not certain if it was created on the 2nd run of OTL. What do these logs tell you? I still get a BSOD when I attempt to boot into normal mode. Going to bed now, will check in next morning. Thanx again.
WTTW Ken

Edited by Rathgar2, 08 April 2010 - 01:59 AM.


#12 JSntgRvr

Malware Response Team

Posted 08 April 2010 - 09:09 AM

  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
CODE
File::
c:\windows\NV10241132.TMP
c:\windows\NV10681624.TMP

RenV::
c:\program files\Ahead\ODD Toolkit\dvdtray .exe
c:\program files\AOL 9.1\aol .exe
c:\program files\Canon\Canon MF Network Scan Utility\cnmfsut     .exe
c:\program files\Canon\Canon MF Network Scan Utility\cnmfsut    .exe
c:\program files\HP\Digital Imaging\bin\hpqsrmon .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Sandboxie\sbiectrl .exe
c:\program files\Winamp\winampa .exe
c:\program files\Yahoo!\Messenger\yahoomessenger .exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
"SunJavaUpdateSched"=-
"WinampAgent"=-
"NeroFilterCheck"=-
"DVDTray"=-
"NvCplDaemon"=-
"Acrobat Assistant 8.0"=-
"hpqSRMon"=-
"HP Software Update"=-
"MFNetworkScanUtility"=-
"SRFirstRun"=-

Driver::
TfNetMon




Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

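The RenV:: section of the CFScript above lists program files whose names were padded with spaces before ".exe" (qttask   .exe, winampa .exe and so on); ComboFix's RenV:: directive renames them back. This added Python example is not ComboFix's code and does not touch the poster's machine: it parses the RenV:: section, computes the name each entry would be restored to, and walks a constructed sample tree to flag every padded executable together with whether a file already holding the original name sits beside it, which is the assumption made here for how a Run-key program gets hijacked by a look-alike.

```python
import os
import re
import tempfile

# "qttask  .exe": a stem, one or more spaces, then the extension.
SPACED_NAME = re.compile(r"^(?P<stem>.+?) +\.(?P<ext>exe|dll|sys)$", re.IGNORECASE)

def restored_name(filename):
    """Name RenV:: would restore: 'qttask  .exe' -> 'qttask.exe'; None if not padded."""
    m = SPACED_NAME.match(filename)
    return f"{m.group('stem')}.{m.group('ext')}" if m else None

def find_spaced_executables(root):
    """Walk root and report every padded file, the name it would be restored to, and
    whether a file already holding that restored name sits beside it (the look-alike)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        present = {f.lower() for f in files}
        for f in files:
            restored = restored_name(f)
            if restored is not None:
                findings.append({"path": os.path.join(dirpath, f),
                                 "restored": restored,
                                 "impostor_present": restored.lower() in present})
    return sorted(findings, key=lambda x: x["path"])

def parse_renv_section(script_text):
    """Pull the paths listed under RenV:: in a CFScript (the section ends at a blank line)."""
    paths, inside = [], False
    for line in script_text.splitlines():
        if line.strip() == "RenV::":
            inside = True
        elif inside and not line.strip():
            inside = False
        elif inside:
            paths.append(line.strip())
    return paths

def build_constructed_tree():
    """Constructed sample: a QuickTime dir with the padded original beside a look-alike,
    and a Java dir with nothing unusual."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "QuickTime"))
    os.makedirs(os.path.join(root, "Java"))
    for rel in ("QuickTime/qttask  .exe", "QuickTime/qttask.exe", "Java/jusched.exe"):
        open(os.path.join(root, *rel.split("/")), "wb").close()
    return root
```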


#13 JSntgRvr

Malware Response Team

Posted 08 April 2010 - 09:13 AM

Double Posted

Edited by JSntgRvr, 08 April 2010 - 09:14 AM.



#14 JSntgRvr

Malware Response Team

Posted 08 April 2010 - 09:13 AM

You submitted the Extras.txt. I need to see the OTL.txt report. Attempt to run it again, please. I believe the svchost.exe file is patched.



#15 Rathgar2

Topic Starter

Posted 08 April 2010 - 05:49 PM

Damn, I thought I had posted all 3 logs. Looks like it exceeded the space allotted to this thread. Going back to delete the previous attachments.

Edited by Rathgar2, 08 April 2010 - 08:25 PM.




