
blue screen on shutdown updates will not process


This topic is locked. 36 replies to this topic.

#1 jondich (Members, 56 posts)

Posted 10 August 2010 - 11:55 PM

I am having issues. Back in March the PC was having similar issues and I was told the problem was malware related, so I am back to your site.

Symptoms:
1) Computer will not shut all the way down. Stops at Blue screen. The computer must be unplugged to continue.
2) Computer will not boot into safe mode.
3) Computer will not boot into system restore console mode.
4) MBAM scan runs but finds no exceptions.
5) Security updates will not process
6) I am using Firefox and I am not able to make advance tool changes. Firefox takes up to 5 minutes to load prior to contacting my home page.
7) SPYBOT will not load.
8) Trend Micro appears to be updating but I don't think it is actually updated. The program is outdated and needs to be replaced with a current anti-virus program.

I would appreciate your help. Please be aware I work M-F 8 AM to 8 PM (EST).

Attached Files





#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 17 August 2010 - 04:49 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 jondich (Topic Starter, Members, 56 posts)

Posted 18 August 2010 - 08:27 PM

Updated files attached.

Attached Files



#4 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 19 August 2010 - 05:45 PM

Hello,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Download Bootkit remover to your desktop

1. Extract the file to your desktop.
2. Double click Remover.exe to run it (Right click and run as Administrator for Vista).
3. It will show a Black screen with some data on it.
4. Right click on the screen and choose Select All.
5. Press Control+C (to copy the data).
6. Open a notepad, Click on Edit tab > paste.
7. Exit the Remover.exe window.
8. Please post the contents of the notepad when you reply.


2.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

3.
Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Things to include in your next reply
Bootkit Remover log
MBRcheck log
RkuUnhooker log
How is your machine running now?




#5 jondich (Topic Starter, Members, 56 posts)

Posted 19 August 2010 - 08:10 PM

Thanks for the help.

1) I downloaded boot-kit remover. The file is a RAR file. I did not have a program to unzip the file. I downloaded 7-zip and was able to unzip the program. When I ran the program it ran successfully. However, when I tried to use CTRL+C to copy the data in the black box it would not work. When I closed the black box I had a log file. I am attaching this file.

2) I ran MBR check. The log file is attached.

3) I ran rootkit. The log file is attached.

I shut down my computer. It tried to process security updates - unsuccessfully. I received a blue screen for roughly 15 minutes after which the computer shut down. I did not try malwarebytes or spybot. I did not try to boot into safe mode. The start up process is still very extended and sounds like it is taxing the hard drive. The start up process took roughly 10 minutes. I can't tell how the PC is running besides these simple observations.

Attached Files



#6 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 19 August 2010 - 09:05 PM

Hello,

Let's try a more powerful tool.

Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


Things to include in your next reply:
Combofix.txt
How is your machine running?


#7 jondich (Topic Starter, Members, 56 posts)

Posted 20 August 2010 - 01:03 AM

Fireman,

I ran ComboFix and am attaching the log report. It is too late to assess the status of the PC. I will get back to you tomorrow.

Have we found anything yet? First impression is the PC is running a little better.

I am still getting the blue screen at shut down. It lasts for roughly 10 minutes before the system closes.
Start up is quicker but there is still a period of 5-10 minutes where the hard drive is working very hard and I cannot access any programs. I have looked under Task Manager and cannot identify what is accessing the hard drive.
I still have the unprocessed security updates.
I did not try to enter safe mode.

Attached Files


Edited by jondich, 20 August 2010 - 06:52 AM.


#8 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 20 August 2010 - 05:28 PM

Hello,


Let's try a few other things. I don't see any malware present.

1.
We need to repair Safe Mode

  • Please download Safe Boot Key Repair and save it to your desktop.
  • Run by double clicking on it or Right-click on it and click Open
  • Copy and paste the resultant log here in your next reply.
2.
We need to repair some of windows' internal registration settings
  1. Please download Dial-A-Fix from one of the following mirrors:
  2. Extract the zip file to your desktop.
  3. Double click Dial-a-Fix.exe to start the program.
  4. Press the green double checkmark box (Looks like this: )
  5. UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section. The prep section should then look like this:
  6. When the window looks like this, press the GO button in the bottom of the window.
  7. Exit/Close Dial-A-Fix
3.
We need to check your hard disk for errors.

To check the volume for errors:
  • Click start and then My Computer.
  • Right click the drive C and select Properties.
  • Under Tools tab press Check Now...
  • Put a check mark in both items and press start.
  • If you get a message click Yes to schedule the disk check and click OK and then restart your computer to start the disk check. Please be patient and let the system run. In some cases it might take a couple of hours and you don't have to sit there the whole time.
*NOTE: This scan could take a long time to complete, but let it finish.

4.
You may have corrupt critical system files. Let's see if we can fix that.
    1. Select
    2. Select All Programs
    3. Select Accessories
    4. Right click Command Prompt and choose OPEN

  • Type in sfc /scannow in the command window and press enter.

  • Note the space between the c and the /

  • If any files require replacing SFC will replace them. You may be asked to insert your Windows XP Disk for this process to continue. This can be done with a borrowed Windows XP disk if you don't have one.

  • Be patient because the scan may take some time.

  • Allow the scan to run and when completed, reboot the system.

5.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Things to include in your next reply:
SAFEBOOT log
MBAM log
How is your machine running now?

Edited by fireman4it, 20 August 2010 - 05:28 PM.


#9 jondich (Topic Starter, Members, 56 posts)

Posted 20 August 2010 - 06:11 PM

Hello:

I have a question. I do not have the XP install disks. However, the install files were loaded to my E:\ partition. Can I use these files if necessary?

I am leaving work now. I will be working on your instructions later this evening and tomorrow.

Thanks for the help!

Edited by jondich, 20 August 2010 - 06:11 PM.


#10 jondich (Topic Starter, Members, 56 posts)

Posted 21 August 2010 - 08:31 AM

Hello I tried to complete all 5 steps but ran into many problems.

1) Safe_boot. This completed successfully. I have attached the log.

2) Dial-A-Fix. The program encountered an error. I have attached a Word document with a screen shot of the error message.

3) CHKDSK. This program completed without error. At least I did not see any sign of errors.

4) I was not able to run SFC /scannow. I encountered errors. The program is looking for the install CD. My install files are located on my Z (E:\) directory. I looked online and it appears there are options around this issue but I am waiting on your instructions.

5) I aborted the running of MBAM after 16 hours. It was stuck on the file startup.ini. I am going to try and run MBAM again.

Start up and shut down seem to be quicker. I still get a blue screen for 5-10 minutes when shutting down. Should I try to log into safe mode?

Attached Files



#11 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 21 August 2010 - 12:19 PM

Hello,

QUOTE
I was not able to run SFC /scannow. I encountered errors. The program is looking for the install CD. My install files are located on my Z (E:\) directory. I looked online and it appears there are options around this issue but I am waiting on your instructions.


Please do the following to see if we can fix this problem.

1. Revealing hidden files

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

2. Now Look in your C:\ Drive for the following folder. C:\I386. Is that folder present? Also look in E:\ drive and see if I386 Folder is present also.


QUOTE
2) Dial-A-Fix. The program encounter error. I have attached a word document with a screen shot of the error message.


Please run Dial-a-fix again with this line unchecked:
Explorer/IE/OE/shell/Wmp

Go ahead and try to boot into Safe Mode and tell me if it works.





#12 jondich (Topic Starter, Members, 56 posts)

Posted 21 August 2010 - 03:43 PM

I have E:\I386. I do not have a C:\I386.

#13 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 21 August 2010 - 04:11 PM

Hello,

We need to change the registry to lead sfc to your E:\ drive.


1.
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


2.
  • Go to Start then Run.
  • In the Run Box Type regedit then click OK
  • Next Find HKEY_LOCAL_MACHINE click the + sign.
  • Next Find SOFTWARE click the + sign
  • Next Find Microsoft click the + sign
  • Next Find Windows click the + sign
  • Next Find CurrentVersion click the + sign
  • Next Find Setup and click on it not the + sign
  • You will see various entries here on the right hand side. The one we want is called: SourcePath
  • Right click on SourcePath then click Modify
  • Change the Value Data to E:\ Click ok and close Regedit
  • Now run sfc /scannow again and see if it works.






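The procedure from posts #11 and #13 (find which drive actually holds an I386 folder, back up the registry, repoint SourcePath, then re-run SFC) as one cmd batch script. This is an added example, not a tool or script posted in the thread. It assumes Windows XP, the install files at E:\I386, and an Administrator account. The ServicePackSourcePath value is not mentioned in the thread; it is assumed here because XP with a service pack installed also reads SP-level files from that path, so pointing only SourcePath can still leave SFC asking for a CD.

```batch
@echo off
REM Added example, not from the thread: point Windows XP's SFC at install files
REM that live on another partition. Assumes the files are in E:\I386 and that
REM this runs from an Administrator account (Start > Run > cmd).
setlocal
set SRC=E:
set KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

REM 1. Post #11: which drives actually hold an I386 folder?
for %%D in (C D E) do if exist %%D:\I386\NUL echo Found %%D:\I386

REM 2. SourcePath must name the PARENT of I386 (E:\), not E:\I386 itself.
REM    Refuse to touch the registry if the folder is not where we expect.
if not exist %SRC%\I386\NUL (
    echo No I386 folder under %SRC%\ - leaving the registry unchanged.
    exit /b 1
)

REM 3. Post #13 step 1: back up the key first (restore with: reg import <file>).
reg export %KEY% "%USERPROFILE%\Desktop\Setup-key-backup.reg"

REM 4. Post #13 step 2: show the current value, then repoint it.
REM    ServicePackSourcePath is an assumption not in the thread: XP with a
REM    service pack installed reads SP-level files from that path as well.
reg query %KEY% /v SourcePath
reg add %KEY% /v SourcePath /t REG_SZ /d %SRC%\ /f
reg add %KEY% /v ServicePackSourcePath /t REG_SZ /d %SRC%\ /f

REM 5. Re-run the scan. Note the forward slash.
sfc /scannow
endlocal
```

Save it as a .cmd file and run it from an Administrator account. The script stops before writing anything if E:\I386 is missing, which is the check to make before editing SourcePath by hand in regedit. To undo the change, double-click the exported .reg file on the desktop or run reg import on it.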

#14 jondich (Topic Starter, Members, 56 posts)

Posted 21 August 2010 - 04:15 PM

I aborted MBAM after 6 hours. The program was scanning desktop.ini for most of the time. The aborted log file showed 0 malware in scanned areas. (please note I have used MBAM for the past 2+ years and have never had it take that long to complete a scan on this PC.

I changed the folder view option. I have an E:\I386. I do not see a C:\I386.

I ran dial-a-fix as instructed. It completed successfully. I am attaching the log file.

I tried to reboot the PC into safe mode. The files loaded properly but I cannot enter CTRL+ALT+DELETE. I had to force the PC to turn off (power switch).

I am still getting blue screen. Security updates are not processing.

Attached Files



#15 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 21 August 2010 - 04:27 PM

Hello,

Our posts have crossed paths. Please look at my last post before this one.

Edited by fireman4it, 27 August 2010 - 05:24 PM.




