
Resident shield alert + Norton/desktop problems


  • This topic is locked
31 replies to this topic

#1 Artbroken

  • Members
  • 69 posts

Posted 11 January 2011 - 04:29 PM

My mother's computer began having this "Resident Shield alert" popup yesterday morning.
Pops back up if you close it, redirects the browser to other sites.

In an effort to "fix" it, we tried installing Norton 360. (My brother has a purchased copy, which is good for installation on 3 PCs).

Upon installation, I got a Windows message about certain files no longer being found and requesting a Windows XP Service Pack 3 CD. After a few moments, the PC rebooted itself to a blank desktop. Just the background - no icons or taskbar. Right-clicking the desktop brings up no menu.

I can access most things with Task Manager, except for explorer.exe.

I've got a DDS logfile, but didn't proceed with GMER, as I can't follow the posted instructions for that since I can't get to the directory it's been saved to.

I could try to uninstall Norton, but don't want to screw things up more than they already may be. Here's the DDS log.


DDS (Ver_10-12-12.02) - NTFSx86
Run by 12345 at 14:46:02.04 on Tue 01/11/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.40 [GMT -6:00]

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\12345\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.winonadailynews.com/
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.2.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.2.0.12\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.2.0.12\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2011-1-11 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0402000.00c\symefa.sys [2011-1-11 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-23 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys [2011-1-11 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2011-1-11 116784]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.2.0.12\ccsvchst.exe [2011-1-11 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-1-10 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\ipsdefs\20110110.002\IDSXpx86.sys [2011-1-11 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20110111.002\NAVENG.SYS [2011-1-11 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20110111.002\NAVEX15.SYS [2011-1-11 1360760]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-21 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg8\toolbar\toolbarbroker.exe --> c:\program files\avg\avg8\toolbar\ToolbarBroker.exe [?]

=============== Created Last 30 ================

2011-01-11 19:49:33 339504 ----a-w- c:\windows\system32\drivers\n360\0402000.00c\symtdiv.sys
2011-01-11 19:49:32 43696 ----a-w- c:\windows\system32\drivers\n360\0402000.00c\srtspx.sys
2011-01-11 19:49:32 361904 ----a-w- c:\windows\system32\drivers\n360\0402000.00c\symtdi.sys
2011-01-11 19:49:32 328752 ----a-r- c:\windows\system32\drivers\n360\0402000.00c\symds.sys
2011-01-11 19:49:32 325680 ----a-w- c:\windows\system32\drivers\n360\0402000.00c\srtsp.sys
2011-01-11 19:49:32 173104 ----a-w- c:\windows\system32\drivers\n360\0402000.00c\symefa.sys
2011-01-11 19:49:31 501888 ----a-w- c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys
2011-01-11 19:49:31 116784 ----a-w- c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys
2011-01-11 19:48:52 -------- d-----w- c:\windows\system32\drivers\n360\0402000.00C
2011-01-11 04:14:17 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2011-01-11 04:14:16 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-01-11 04:14:04 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-01-11 04:14:04 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-01-11 04:14:04 -------- d-----w- c:\program files\Symantec
2011-01-11 04:14:04 -------- d-----w- c:\program files\common files\Symantec Shared
2011-01-11 04:12:56 -------- d-----w- c:\windows\system32\drivers\N360
2011-01-11 04:12:51 -------- d-----w- c:\program files\Norton 360
2011-01-11 04:12:39 -------- d-----w- c:\program files\NortonInstaller
2011-01-11 04:12:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2011-01-11 01:58:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-01-10 19:46:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-01-10 18:49:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-10 18:49:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-06 21:05:02 32768 ----a-w- c:\windows\system32\LXPRMON.DLL
2011-01-06 21:05:02 20480 ----a-w- c:\windows\system32\LXPMONUI.DLL
2011-01-06 21:05:00 -------- d-----w- c:\docume~1\12345\applic~1\FaxCtr
2011-01-06 21:04:42 98345 ----a-w- c:\windows\system32\IMHOST32.DLL
2011-01-06 21:04:42 98304 ----a-w- c:\windows\system32\IM31XPNG.DEL
2011-01-06 21:04:42 69632 ----a-w- c:\windows\system32\IM31XTIF.DEL
2011-01-06 21:04:42 49152 ----a-w- c:\windows\system32\IM31IMG.DIL
2011-01-06 21:04:42 339968 ----a-w- c:\windows\system32\IMGMAN32.DLL
2011-01-06 21:04:42 12288 ----a-w- c:\windows\system32\LXPMONRC.DLL
2011-01-06 21:04:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\FaxCtr
2011-01-06 21:04:17 -------- d-----w- c:\program files\Lexmark Fax Solutions
2011-01-06 19:55:36 -------- d-----w- c:\program files\Lx_cats
2011-01-06 19:53:56 -------- d-----w- C:\Temp
2011-01-06 19:53:31 -------- d-----w- C:\Lexmark
2011-01-06 19:48:34 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-01-06 19:48:34 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 14:46:58.71 ===============



#2 oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 17 January 2011 - 09:22 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

We need to create an OTL Report

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


We also need a log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:


Why we request you disable CD Emulation when receiving Malware Removal Advice

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Best Regards,
oneof4.



#3 Artbroken

  • Topic Starter
  • Members
  • 69 posts

Posted 17 January 2011 - 09:54 PM

Hello.

Starting the day after my original post, the computer will no longer boot completely.
I can access the F8 menu at startup and select Safe Mode, but it will hang at ...\System32\Drivers\Mup.sys and reboot itself.

Have done nothing else with it since the original post.

To summarize, in the order in which they occurred:

1. My mother's PC, which had AVG antivirus installed, began having a "Resident Shield Alert" screen popup.
2. Attempted to remove malware using Rkill and MalwareBytes, was unsuccessful.
3. Removed AVG free antivirus.
4. Installed Norton 360 4.x.x.x. Computer asked for Windows disk, then shut down.
5. On restart, had only desktop background - no icons, start menu, taskbar. Able to access programs through Task Manager, but unable to use explorer.exe.
6. After subsequent shutdown, computer is unable to boot into Windows, or safe mode.

I'm guessing I'll need to create a system/startup disk to run OTL and GMER, but will wait for instructions on that.

Thanks for your time - I know how busy all of you on this board are.

Edited by Artbroken, 17 January 2011 - 09:56 PM.


#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,091 posts
  • Gender:Female
  • Location:Romania

Posted 19 January 2011 - 03:44 AM

Hello and sorry for the delay.

What happens when you let the computer boot normally? Do you still see the XP splash screen and does it just hang after that, or does it reboot automatically?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#5 Artbroken

Artbroken
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 19 January 2011 - 05:07 AM

No problem - I know how busy you all are.

When it boots normally, I do get the Windows XP splash screen.
It processes for 10-15 seconds, goes to black like it usually does before the desktop comes up, processes maybe 5 seconds more, then reboots automatically.
The desktop never actually comes up, it just stays dark.

#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,091 posts
  • Gender:Female
  • Location:Romania

Posted 19 January 2011 - 05:09 AM

We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select "Disable Automatic Restart on System Failure".
  • When your system BSODs, write down the STOP error code, as well as any written-out error message, and post them back here. The STOP error will always appear, but the message may not.
Please post me the error(s).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Artbroken

  • Topic Starter
  • Members
  • 69 posts

Posted 19 January 2011 - 05:47 AM

This is the entirety of the text displayed:

Stop: c000021a {Fatal System Error}

The Windows Logon Process system process terminated unexpectedly with a status of
0xc0000005 (0x00000000 0x00000000)

The system has been shutdown.

#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,091 posts
  • Gender:Female
  • Location:Romania

Posted 19 January 2011 - 07:29 AM

Do you have an XP CD at hand?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Artbroken

  • Topic Starter
  • Members
  • 69 posts

Posted 19 January 2011 - 11:48 AM

Yes, an XP Home version disk. The PC has XP professional.

#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,091 posts
  • Gender:Female
  • Location:Romania

Posted 19 January 2011 - 12:44 PM

That should work.

  • Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your XP-CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • When prompted to choose a Windows installation, type 1 and press Enter.
  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
Type the following lines and press enter after each one:

map

This will show you all drive letters. Look for the drive letter for your CD Rom drive (usually D); if it is not D, please replace d:\ in the lines below with the correct drive letter.

expand d:\i386\explorer.ex_ explorer.exe

cd system32

expand d:\i386\winlogon.ex_ winlogon.exe

If at any point asked to overwrite the existing file, please do so. After the expand... lines, you should see a message: 1 file(s) expanded.

Type EXIT and press enter to reboot and let me know what happens.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 Artbroken

  • Topic Starter
  • Members
  • 69 posts

Posted 19 January 2011 - 01:27 PM

The files would not expand using:

expand d:\i386\explorer.ex_ explorer.exe and expand d:\i386\winlogon.ex_ winlogon.exe

but expand d:\i386\explorer.ex_ c:\windows and expand d:\i386\winlogon.ex_ c:\windows\system32 did work.

The computer gets farther along in the boot process - it now gets to the 2nd screen "Windows is starting up" with the mouse pointer, then goes dark - still with the mouse pointer - then reboots itself.

I rebooted to get the error code, and it's the same error as before:

"Stop: c000021a {Fatal System Error}

The Windows Logon Process system process terminated unexpectedly with a status of
0xc0000005 (0x00000000 0x00000000)

The system has been shutdown."

#12 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,091 posts
  • Gender:Female
  • Location:Romania

Posted 19 January 2011 - 02:06 PM

Let's make sure those files are indeed in place.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC, ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
    Enter the following filenames (repeat the process for each one):
    winlogon.exe
    csrss.exe
    explorer.exe
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 Artbroken

  • Topic Starter
  • Members
  • 69 posts

Posted 19 January 2011 - 06:13 PM

Booted from CD.
Used the command bash driver.sh -f with all three files.
Created 3 filefind.txt files, copied and pasted below:


Search results for winlogon.exe

d2e35bcdfbab9d0390f140e6b50db6c6 /mnt/sda1/WINDOWS/system32/dllcache/winlogon.exe
496.0K Apr 14 2008

2246d8d8f4714a2cedb21ab9b1849abb /mnt/sda1/WINDOWS/system32/winlogon.exe
504.5K Aug 29 2002

Search results for csrss.exe

44f275c64738ea2056e3d9580c23b60f /mnt/sda1/WINDOWS/system32/csrss.exe
6.0K Apr 14 2008

44f275c64738ea2056e3d9580c23b60f /mnt/sda1/WINDOWS/system32/dllcache/csrss.exe
6.0K Apr 14 2008

Search results for explorer.exe

a82b28bfc2e4455fe43022a498c0ef0a /mnt/sda1/WINDOWS/explorer.exe
980.5K Aug 29 2002
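The check Elise is running in posts #12 and #13 (hash each critical system file and compare the live copy under system32 with the copy Windows keeps in system32\dllcache) can be scripted. The block below is an added Python example, not driver.sh and not code from the thread. It parses the "Search results for ..." layout Artbroken posted, reusing his hashes as sample data, flags any filename whose live copy differs from its dllcache copy, and can build the same records straight from a mounted volume such as the /mnt/sda1 seen in the report. The only format assumption beyond what the thread shows is that every entry is an MD5 and a path on one line followed by size and date on the next.

```python
"""Cross-check Windows system files against their dllcache copies.

Added example for this thread; it is not driver.sh and not code from the
thread. It parses the report layout driver.sh produced (MD5 and path on one
line, size and date on the next) and reports, per filename, whether the live
copy hashes the same as the copy in system32\\dllcache. scan_volume() builds
the same records directly from a mounted Windows volume (e.g. /mnt/sda1).
"""
import datetime
import hashlib
import re
from pathlib import Path

# Sample input: the report text Artbroken posted, reused here as test data.
SAMPLE_REPORT = """\
Search results for winlogon.exe

d2e35bcdfbab9d0390f140e6b50db6c6 /mnt/sda1/WINDOWS/system32/dllcache/winlogon.exe
496.0K Apr 14 2008
2246d8d8f4714a2cedb21ab9b1849abb /mnt/sda1/WINDOWS/system32/winlogon.exe
504.5K Aug 29 2002

Search results for csrss.exe

44f275c64738ea2056e3d9580c23b60f /mnt/sda1/WINDOWS/system32/csrss.exe
6.0K Apr 14 2008
44f275c64738ea2056e3d9580c23b60f /mnt/sda1/WINDOWS/system32/dllcache/csrss.exe
6.0K Apr 14 2008

Search results for explorer.exe

a82b28bfc2e4455fe43022a498c0ef0a /mnt/sda1/WINDOWS/explorer.exe
980.5K Aug 29 2002
"""

HEADER_LINE = re.compile(r"^Search results for (\S+)$")
HASH_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")
META_LINE = re.compile(r"^(\S+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})$")


def parse_report(text):
    """Return records {name, md5, path, size, date} from driver.sh-style text."""
    records, current_name, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_LINE.match(line):
            current_name = m.group(1).lower()
        elif m := HASH_LINE.match(line):
            # A hash line opens a record; the size/date line closes it.
            pending = {"name": current_name, "md5": m.group(1), "path": m.group(2)}
        elif (m := META_LINE.match(line)) and pending is not None:
            pending["size"], pending["date"] = m.group(1), m.group(2)
            records.append(pending)
            pending = None
    return records


def compare_to_dllcache(records):
    """Map each filename to 'match', 'mismatch', 'no dllcache' or 'no live copy'.

    'mismatch' means a live copy hashes differently from the dllcache copy:
    either a different build (e.g. a file expanded from another service
    pack's CD) or a tampered file. Both deserve a closer look.
    """
    by_name = {}
    for r in records:
        by_name.setdefault(r["name"], []).append(r)
    verdict = {}
    for name, rs in by_name.items():
        cache = [r for r in rs if "/dllcache/" in r["path"].lower()]
        live = [r for r in rs if "/dllcache/" not in r["path"].lower()]
        if not cache:
            verdict[name] = "no dllcache"
        elif not live:
            verdict[name] = "no live copy"
        elif all(r["md5"] == cache[0]["md5"] for r in live):
            verdict[name] = "match"
        else:
            verdict[name] = "mismatch"
    return verdict


def md5_of(path, chunk=1 << 20):
    """Hex MD5 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_volume(root, names):
    """Build records for every file named in `names` under a mounted volume.

    Matching is case-insensitive because NTFS paths are; `root` would be
    something like /mnt/sda1 when booted from a live CD.
    """
    wanted = {n.lower() for n in names}
    records = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.name.lower() in wanted:
            st = p.stat()
            records.append({
                "name": p.name.lower(), "md5": md5_of(p), "path": p.as_posix(),
                "size": f"{st.st_size / 1024:.1f}K",
                "date": datetime.datetime.fromtimestamp(st.st_mtime).strftime("%b %d %Y"),
            })
    return records


if __name__ == "__main__":
    for name, status in compare_to_dllcache(parse_report(SAMPLE_REPORT)).items():
        print(f"{name:14} {status}")
```

On the thread's own data this reports winlogon.exe as a mismatch (the live copy carries a 2002 date and a different hash from the 2008 dllcache copy), csrss.exe as a match, and explorer.exe as having no dllcache copy to compare against. To run the check yourself from a live CD, pass `scan_volume("/mnt/sda1", ["winlogon.exe", "csrss.exe", "explorer.exe"])` to `compare_to_dllcache` instead of the parsed report.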

#14 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,091 posts
  • Gender:Female
  • Location:Romania

Posted 20 January 2011 - 03:19 AM

Do you have another computer with XP sp3 available that you could use to copy a file from?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 Artbroken

  • Topic Starter
  • Members
  • 69 posts

Posted 20 January 2011 - 04:09 AM

The one I'm using (not the sick one) should be almost identical.
They were both purchased used from a university, same box, devices, etc.

This PC has XP professional version 2002, Service pack 3.

Edited by Artbroken, 20 January 2011 - 04:12 AM.




