
Can not boot up, BSOD flashes and then reboots


  • This topic is locked
36 replies to this topic

#1 buffalo_bill


Posted 09 May 2010 - 05:24 AM

Hi guys
I was recently infected by the rogue Desktop Security 2010 program and successfully removed it, I think :)

Anyway, after removal I thought I'd reboot to view the effects. The system starts up, then goes to the screen where you can choose from safe mode, last known good config etc etc. No matter what option I select, Windows XP attempts to start but flashes a BSOD for a split second and then reboots.

I am running Windows XP Home SVP2. I have my CD so I can perform a repair or re-install if needed.

If I choose to repair, will I lose files on the computer, e.g. music?

Thank you in advance.



#2 cosmic_sniper05


Posted 09 May 2010 - 06:03 AM

I had the same problem before. It was also due to a prior virus infection. A friend who is a computer technician said that a vital file for Windows to continue booting was corrupted. A re-installation worked for me. But I am not saying that it goes the same way with your problem.

Just to make sure, wait for a second opinion from a more knowledgeable forum member.


Let's have a mental fusion!
Let us do our part to make this world a truly symbiotic place.

For other computer problems, this blog might be helpful:
http://cosmicsniper.blogspot.com

#3 hamluis

  • Moderator

Posted 09 May 2010 - 09:35 AM

FWIW: A repair install effort...is ineffective against malware. The only files replaced by a repair install are system files...since the source of an infection is hardly a system file...repairing an infected system is a waste of time (IMO) and may further impair efforts to deal with the malware.

For reference, BC Guide, Removal of Desktop Security 2010.

I will ask one of the BC Malware Team members to take a look at this thread and attempt to offer some guidance...be patient, our members do not volunteer their time and effort according to any schedule.

Louis

#4 JSntgRvr

  • Malware Response Team

Posted 09 May 2010 - 11:27 AM

Hi, buffalo_bill

Let's give this a try. You will need a flash drive to move information from the sick computer to a working computer. It is the only way we can see the progress of our actions. Save these instructions in your flash drive as a text file (use notepad) so you can have access to these while in an external environment (PE).

Here is what you need to do.

Two programs to download

First

Download ISOBurner. Click Here for ISOBurner Instructions. Install the program, and follow the next set of steps.

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 276.7MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Boot the non-working computer using the boot CD you just created.
  • In order to do so, the computer must be set to boot from the CD first
    Note : For information click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under the Custom Scan box paste this in

      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      userinit.exe
      explorer.exe
      ntoskrnl.exe
      /md5stop
      %SYSTEMDRIVE%\*.*
      %systemroot%\*. /mp /s
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 buffalo_bill


Posted 10 May 2010 - 05:14 AM

Hello, thank you for your reply.

I have done what you asked, but when the reatogo desktop is loading, I get this message

"x:\i386\System32\cmd.exe
x:\i386\system32\CONFIG.NT
The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose close to terminate the application."

After choosing ignore several times as it popped up, it eventually loaded and the desktop shows....yet there is no OTLPE icon to click.
Any ideas?
Sorry if I have done something wrong haha

Thank you.

#6 buffalo_bill


Posted 10 May 2010 - 06:28 AM

Oh wait, just re-downloaded the ISO and it has 2 more MB than my original download; it's working now, will have results soon.

[edit] OK, I got OTLPE to show on the desktop, along with a bunch of other icons. I try to run OTLPE and it asks me to locate the Windows folder. I attempt to browse the C drive (where my Windows folder is located usually) and I am unable to browse; I can select it and choose OK, but I cannot browse for the correct folder. When I select Local Disk C I get an error message saying "Target is not windows 2000 or later"


Sorry for the trouble.

Thank you.

Edited by buffalo_bill, 10 May 2010 - 06:52 AM.


#7 JSntgRvr

  • Malware Response Team

Posted 10 May 2010 - 02:42 PM

Chances are you have a SATA drive and its driver is not included in the Reatogo environment, or you are experiencing problems with the hard drive. Can you boot to the Recovery Console with the XP CD? The Recovery CD should end in the C:\Windows prompt. If it ends in C:\, please let me know.



#8 buffalo_bill


Posted 11 May 2010 - 02:34 AM

Just did the recovery console thing.
The prompt shown is C:\>

Thanks

#9 buffalo_bill


Posted 11 May 2010 - 06:41 AM

I ran a chkdsk,
rebooted and went back into recovery, and the path is now c:\windows.

I ran another chkdsk

and the computer will start now.

Should we continue on this to see what the issue was, or are you satisfied to close the topic?

Thanks

#10 JSntgRvr

  • Malware Response Team

Posted 11 May 2010 - 08:18 AM

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box paste this in

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    %SYSTEMDRIVE%\*.*
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of these files in your next reply.



#11 buffalo_bill


Posted 12 May 2010 - 06:56 AM

The log has been attached

Looking forward to your response


[attachment=56641:OTL.Txt]

#12 JSntgRvr

  • Malware Response Team

Posted 12 May 2010 - 10:53 AM

Please Run OTL once again as follows:
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box paste this in

    /md5start
    serial.sys
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of these files in your next reply.

==============================================================
  1. Next, please download maxlook, saving the file to your desktop.
  2. Double click maxlook.exe to run it. Note - you must run it only once!
  3. Restart the computer and logon to the Recovery Console.
  4. Execute the following command at the C:\windows> prompt:
    batch look.bat
  5. You will see 1 file copied many times then return to the x:\windows> prompt.
  6. Type Exit to restart your computer then logon in normal mode.
  7. Once in Windows, obtain an Internet Connection. This program must download a tool to check files' signatures.
  8. Then go to Start -> Run, copy and paste the following command in the run Box and Click OK
    "%Userprofile%\Desktop\maxlook.exe" -sig
  9. It will produce looklog.txt in the C:\ folder.
  10. Please post the results here.



#13 buffalo_bill


Posted 14 May 2010 - 08:34 AM

[attachment=56865:OTL.Txt]
[attachment=56866:looklog.txt]

both files are there
thanks :D

#14 JSntgRvr

  • Malware Response Team

Posted 14 May 2010 - 11:11 AM

Go to Start -> Run, copy and paste the following command in the run Box and Click OK

"%Userprofile%\Desktop\maxlook.exe" -cleanup

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the quote below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    QUOTE
    :OTL
    O33 - MountPoints2\{0ee09eaa-949a-11de-9bdb-001d7d40161f}\Shell - "" = AutoRun
    O33 - MountPoints2\{0ee09eaa-949a-11de-9bdb-001d7d40161f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{0ee09eaa-949a-11de-9bdb-001d7d40161f}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/06/18 05:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation)
    O33 - MountPoints2\{138a3f9c-eb4f-11dd-a1d6-001d7d40161f}\Shell - "" = AutoRun
    O33 - MountPoints2\{138a3f9c-eb4f-11dd-a1d6-001d7d40161f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{138a3f9c-eb4f-11dd-a1d6-001d7d40161f}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/06/18 05:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation)
    O33 - MountPoints2\{76116057-d614-11dc-b852-00140401f65f}\Shell - "" = AutoRun
    O33 - MountPoints2\{76116057-d614-11dc-b852-00140401f65f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{76116057-d614-11dc-b852-00140401f65f}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/06/18 05:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation)
    O33 - MountPoints2\{9b46ad12-cf10-11dd-a2f0-00140401f65f}\Shell - "" = AutoRun
    O33 - MountPoints2\{9b46ad12-cf10-11dd-a2f0-00140401f65f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{9b46ad12-cf10-11dd-a2f0-00140401f65f}\Shell\AutoRun\command - "" = F:\DPFMate.exe -- File not found
    O33 - MountPoints2\{afbb91c2-cbe2-11dc-b829-00140401f65f}\Shell - "" = AutoRun
    O33 - MountPoints2\{afbb91c2-cbe2-11dc-b829-00140401f65f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{afbb91c2-cbe2-11dc-b829-00140401f65f}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/06/18 05:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation)
    O33 - MountPoints2\{c1b925fe-2cb3-11de-94dd-001d7d40161f}\Shell - "" = AutoRun
    O33 - MountPoints2\{c1b925fe-2cb3-11de-94dd-001d7d40161f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{c1b925fe-2cb3-11de-94dd-001d7d40161f}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/06/18 05:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation)
    O33 - MountPoints2\{c84635be-dcfb-11dc-b85e-00140401f65f}\Shell - "" = AutoRun
    O33 - MountPoints2\{c84635be-dcfb-11dc-b85e-00140401f65f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{c84635be-dcfb-11dc-b85e-00140401f65f}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/06/18 05:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation)
    O33 - MountPoints2\{cafb1b37-2e66-11de-94e0-001d7d40161f}\Shell - "" = AutoRun
    O33 - MountPoints2\{cafb1b37-2e66-11de-94e0-001d7d40161f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{cafb1b37-2e66-11de-94e0-001d7d40161f}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/06/18 05:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation)
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\untitled.JPG:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\The-Dream - Rainman (Demo).mp3:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\Step Up 2 The Streets - 06 - Trey Songz ft Plies - Can't Help But Wait (Official Remix).mp3:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\SL375037.JPG:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\Rank 1 - L.E.D There Be Light (Trance Energy Anthem 2009).mp3:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\Prom_Queen.mp3:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\Mario Feat. Bow Wow, Sean Garrett & Gucci Mane - Break Up (Remix).mp3:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\liverpool photo.jpg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\lil-wayne-carter-3-cover_real.jpg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\kid_cudi_2339363.jpg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\kanye-west-graduation-cover.jpg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\kanye_cudi_faderfort2_main.jpg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\jamie2.JPG:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\jamie.JPG:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\Default.PLS:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\Billy Blue Feat. Akon - Story Of My Life (Mastered).mp3:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\496480jrt694jsq1.gif:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\35879u4yck9dhr1.gif:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\10112008184.jpg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\10112008182.jpg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\10112008181-001.jpg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\10112008181.jpg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\ARGY\My Documents\10112008180.jpg:Roxio EMC Stream
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

    :files
    C:\WINDOWS\system32\drivers\serial.sys|C:\WINDOWS\ServicePackFiles\i386\serial.sys /replace

  • Return to OTL, right click in the "Custom Scans/Fixes" window and choose Paste.
  • Click the red Run Fix button.
  • The computer will restart
  • A report will be produced and saved in the C:\_OTL\MovedFiles folder. Open that report and post its contents in a reply.

Re-run OTL as follows:
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box paste this in


    /md5start
    serial.sys
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of these files in your next reply.

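Posts #12 and #14 ask for an MD5 of every copy of serial.sys and then replace C:\WINDOWS\system32\drivers\serial.sys with the copy in ServicePackFiles\i386. The comparison behind that step, as an added Python example that is not part of the original posts and is not OTL's code; the function names, the dllcache reference folder and the sample tree are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Folders under the Windows directory. The live locations and ServicePackFiles/i386
# come from the thread; system32/dllcache is an assumption added for this example.
LIVE_DIRS = ("system32", "system32/drivers")
REFERENCE_DIRS = ("ServicePackFiles/i386", "system32/dllcache")


def md5_of(path):
    # MD5 only because that is what the OTL scan reports; it is not collision-resistant.
    return hashlib.md5(Path(path).read_bytes()).hexdigest()


def find_copies(windir, name, subdirs):
    """Return {path: md5} for every copy of `name` (case-insensitive) in subdirs."""
    found = {}
    for sub in subdirs:
        folder = Path(windir, sub)
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            if entry.name.lower() == name.lower() and entry.is_file():
                found[str(entry)] = md5_of(entry)
    return found


def compare(windir, names):
    """Status per name: 'match', 'MISMATCH', 'no reference' or 'missing'."""
    report = {}
    for name in names:
        live = find_copies(windir, name, LIVE_DIRS)
        ref = find_copies(windir, name, REFERENCE_DIRS)
        if not live:
            status = "missing"
        elif not ref:
            status = "no reference"
        elif set(live.values()) <= set(ref.values()):
            status = "match"
        else:
            status = "MISMATCH"
        report[name] = {"status": status, "live": live, "reference": ref}
    return report


def build_constructed_tree(root):
    """Constructed sample tree: serial.sys altered, atapi.sys intact."""
    files = {
        "system32/drivers/serial.sys": b"altered-bytes",
        "ServicePackFiles/i386/serial.sys": b"stock-serial",
        "system32/drivers/atapi.sys": b"stock-atapi",
        "ServicePackFiles/i386/ATAPI.SYS": b"stock-atapi",
        "system32/userinit.exe": b"stock-userinit",
    }
    for rel, data in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as windir:
        build_constructed_tree(windir)
        names = ["serial.sys", "atapi.sys", "userinit.exe", "nvstor.sys"]
        for name, row in compare(windir, names).items():
            print(f"{name:14} {row['status']}")
```

A MISMATCH only says the live file differs from the cached copies; a later hotfix gives the same result, so check the file's version or signature before replacing it.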


#15 buffalo_bill


Posted 16 May 2010 - 06:04 AM

I tried both of the things you asked.
The first scan, the computer didn't restart and I can't find the folder with the log file in it.

And I can't upload the log from the second scan for some reason :S

Edited by buffalo_bill, 16 May 2010 - 06:09 AM.




