Impossible to boot windows Vista - blue screen


This topic is locked
58 replies to this topic

#1 Piraus (Members, 29 posts)

Posted 18 November 2011 - 11:31 AM

Dear all, this is my first time writing here, because it's the first time I'm experiencing such a problem.
I will start from the beginning:
My PC is not able to boot anymore. After I disabled the automatic restart on system failure I got the following blue screen:

STOP: c0000135 - The program can't start because consrv is missing. Try reinstalling the program.
[screenshot]

I have tried to search the net and it seems to be an effect of ZeroAccess MAX++.
I have tried to get access to the system registry with a Windows Vista installation DVD,
but the problem is that after the PC has loaded the Windows files from the DVD
[screenshot]
it starts to load Windows
[screenshot]
but then it gets stuck on a black screen, and nothing more happens.

At this point I really don't know what to do to try to solve this problem.

Please help me.
I wish to thank anyone who will spend time helping me.


#2 Elise (Bleepin' Blonde, Malware Study Hall Admin, 60,925 posts, Romania)

Posted 19 November 2011 - 03:21 AM

Hello, this problem is caused because your computer was infected with a rootkit: one component was deleted, but Windows still wants to load it, hence the blue screen.

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

On a working computer, press Windows key + R and type notepad, press enter. Please copy the contents of the code box below into Notepad. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

SubSystems: [Windows] ==> ZeroAccess

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


Plug the flashdrive into the infected PC.

Enter System Recovery Options.
  • Insert the Windows DVD.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt
  • In the command window type notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Fix button and wait for the tool to finish.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Edited by elise025, 19 November 2011 - 03:22 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
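The fixlist line above (SubSystems: [Windows] ==> ZeroAccess) targets the CSRSS SubSystems "Windows" value: ZeroAccess edits the console server entry so that it is loaded from consrv instead of winsrv, which is why the STOP c0000135 names consrv once the dropped file is gone. The Python below is an added example, not code from this thread, from FRST or from BleepingComputer. It parses the ServerDll= entries of such a value, flags any DLL that is not a stock CSRSS server DLL, and shows the string transform that puts winsrv back. The two command-line strings are constructed to follow the Vista x64 default; the live read uses winreg and therefore only does anything on Windows.

```python
"""Detect the ZeroAccess consrv hijack in the CSRSS SubSystems 'Windows' value.

Added example, not code from the thread or from FRST. On a running system the
value lives under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SubSystems
(value name "Windows"); the two strings below are constructed samples that
follow the Vista x64 default, so the check also runs offline on any OS.
"""
import re
from typing import List, Optional, Tuple

# Server DLLs a stock CSRSS command line loads. basesrv and winsrv are the
# Vista set; sxssrv appears on later Windows versions. Assumption: anything
# else named here is suspicious.
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Each entry looks like "ServerDll=winsrv:UserServerDllInitialization,3";
# the ":entrypoint" part is optional (basesrv has none).
_SERVERDLL_RE = re.compile(r"ServerDll=([^,\s]+),(\d+)")

# Constructed sample: the default Vista x64 value (REG_EXPAND_SZ).
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 "
    "ProfileControl=Off MaxRequestThreads=16"
)
# Constructed sample of the hijacked value: the console server entry now
# names consrv, the dropped ZeroAccess component.
HIJACKED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)

ServerDll = Tuple[str, Optional[str], int]  # (dll, entry point, index)


def parse_server_dlls(value: str) -> List[ServerDll]:
    """Extract every ServerDll= entry as (dll, entry_point_or_None, index)."""
    entries: List[ServerDll] = []
    for m in _SERVERDLL_RE.finditer(value):
        dll, _, entry = m.group(1).partition(":")
        entries.append((dll.lower(), entry or None, int(m.group(2))))
    return entries


def find_suspicious_server_dlls(value: str) -> List[ServerDll]:
    """Return the entries whose DLL is not a known CSRSS server DLL."""
    return [e for e in parse_server_dlls(value) if e[0] not in KNOWN_SERVER_DLLS]


def restore_default_server_dlls(value: str) -> str:
    """Point every unknown ServerDll back at winsrv, keeping entry point and
    index. This is a string transform only; writing the result back to the
    hive is what a tool such as FRST does for you."""
    def fix(m: "re.Match[str]") -> str:
        dll, _, entry = m.group(1).partition(":")
        if dll.lower() in KNOWN_SERVER_DLLS:
            return m.group(0)
        suffix = f":{entry}" if entry else ""
        return f"ServerDll=winsrv{suffix},{m.group(2)}"
    return _SERVERDLL_RE.sub(fix, value)


def read_live_value() -> Optional[str]:
    """Read the real value on a running Windows system; None elsewhere."""
    try:
        import winreg  # Windows only
    except ImportError:
        return None
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
        return value


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("hijacked", HIJACKED_VALUE)):
        print(label, find_suspicious_server_dlls(value))
    live = read_live_value()
    if live is not None:
        print("live", find_suspicious_server_dlls(live))
```

The check looks at the registry value rather than at whether a file named consrv.dll exists, because a copy of winsrv.dll renamed to consrv.dll satisfies the hijacked value and lets Windows boot without the value having been repaired. On a machine that cannot boot, the same string can be read from the offline SYSTEM hive (ControlSet00N in place of CurrentControlSet) after loading it from the recovery command prompt.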


#3 Elise

Posted 21 November 2011 - 06:27 AM

Since you can't load the RE, let's do this differently.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • Type winsrv.dll and press enter.
  • After it has finished a report will be located on your USB drive named filefind.txt
  • Remove the USB drive and insert it back in your working computer and navigate to filefind.txt, post it for my review

    Please note - all text entries are case sensitive

regards, Elise




#4 Piraus (Topic Starter)

Posted 21 November 2011 - 05:00 PM

As you requested, here is the report.

Search results for winsrv.dll

2d94e4ce322f12061d3fa7dbe65e9ac5 /mnt/sda1/Windows/System32/winsrv.dll
439.5K Apr 20 2011

f58678eeb3f13de415b2803209ded0cc /mnt/sda1/Windows/winsxs/amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6000.16386_none_1066702a57c7960d/winsrv.dll
420.5K Nov 2 2006

a9c654098a5ca39618da9d022a6691b8 /mnt/sda1/Windows/winsxs/amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6001.18000_none_129d322654b2a6e1/winsrv.dll
439.5K Jan 18 2008

2d94e4ce322f12061d3fa7dbe65e9ac5 /mnt/sda1/Windows/winsxs/amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6001.18638_none_1284d01654c3b456/winsrv.dll
439.5K Apr 20 2011

cccfc223e76d14e622d8f2bb5e90b58d /mnt/sda1/Windows/winsxs/amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6001.22904_none_132adf496dcc953f/winsrv.dll
439.5K Apr 20 2011

e5e5e593d4850b0aa24cf58b552147f3 /mnt/sda1/Windows/winsxs/amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6002.18456_none_1453a37851fc0bd5/winsrv.dll
440.5K Apr 20 2011

33353c4e98c0ccf7e2a817536eb58985 /mnt/sda1/Windows/winsxs/amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6002.22628_none_14ffb2816aff87a1/winsrv.dll
440.0K Apr 20 2011

thank you
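The report above lists every copy of winsrv.dll with its MD5, and the WinSxS directory names carry the component version. A quick way to read such a filefind.txt is to check whether the live System32 copy hashes to one of the WinSxS copies (here the System32 hash 2d94e4ce... equals the 6.0.6001.18638 copy), which is a reasonable sign that it is an unmodified Microsoft build rather than something dropped by the rootkit. The Python below is an added example, not part of the thread or of driver.sh; it parses the two-line format shown and embeds a constructed sample made of four entries copied from the report.

```python
"""Cross-check a System32 file's MD5 against its WinSxS copies in a
driver.sh filefind.txt report.

Added example, not code from the thread or from driver.sh. The report format
is the one shown above: a line "<md5> <path>" followed by a line
"<size> <date>". SAMPLE_REPORT is a constructed excerpt whose entries are
copied from the report posted in the thread.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    md5: str
    path: str
    size: Optional[str]
    date: Optional[str]


# WinSxS component directory: <arch>_<component>_<publicKeyToken>_<version>_...
_WINSXS_RE = re.compile(
    r"/winsxs/(?P<arch>[^_/]+)_(?P<component>[^/]+?)_"
    r"(?P<token>[0-9a-f]{16})_(?P<version>\d+\.\d+\.\d+\.\d+)_",
    re.IGNORECASE,
)
_HASH_LINE_RE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$", re.IGNORECASE)
_SIZE_LINE_RE = re.compile(r"^(\S+)\s+(.+)$")

SAMPLE_REPORT = """Search results for winsrv.dll

2d94e4ce322f12061d3fa7dbe65e9ac5 /mnt/sda1/Windows/System32/winsrv.dll
439.5K Apr 20 2011

f58678eeb3f13de415b2803209ded0cc /mnt/sda1/Windows/winsxs/amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6000.16386_none_1066702a57c7960d/winsrv.dll
420.5K Nov 2 2006

a9c654098a5ca39618da9d022a6691b8 /mnt/sda1/Windows/winsxs/amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6001.18000_none_129d322654b2a6e1/winsrv.dll
439.5K Jan 18 2008

2d94e4ce322f12061d3fa7dbe65e9ac5 /mnt/sda1/Windows/winsxs/amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6001.18638_none_1284d01654c3b456/winsrv.dll
439.5K Apr 20 2011
"""


def parse_filefind(text: str) -> List[Entry]:
    """Pair each hash/path line with the size/date line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries: List[Entry] = []
    i = 0
    while i < len(lines):
        m = _HASH_LINE_RE.match(lines[i])
        if not m:
            i += 1  # header or stray line
            continue
        size = date = None
        if i + 1 < len(lines) and not _HASH_LINE_RE.match(lines[i + 1]):
            m2 = _SIZE_LINE_RE.match(lines[i + 1])
            if m2:
                size, date = m2.group(1), m2.group(2)
                i += 1
        entries.append(Entry(m.group(1).lower(), m.group(2), size, date))
        i += 1
    return entries


def winsxs_version(path: str) -> Optional[str]:
    """Component version encoded in a WinSxS path, or None for other paths."""
    m = _WINSXS_RE.search(path)
    return m.group("version") if m else None


def check_system32_copy(text: str, filename: str) -> Tuple[Optional[str], List[str]]:
    """Return the System32 copy's MD5 and the sorted versions of the WinSxS
    copies with the same hash; (None, []) if there is no System32 copy."""
    entries = parse_filefind(text)
    target = "/windows/system32/" + filename.lower()
    live = next((e for e in entries if e.path.lower().endswith(target)), None)
    if live is None:
        return None, []
    versions = [winsxs_version(e.path) for e in entries
                if e is not live and e.md5 == live.md5 and "/winsxs/" in e.path.lower()]
    return live.md5, sorted(v for v in versions if v)


if __name__ == "__main__":
    md5, versions = check_system32_copy(SAMPLE_REPORT, "winsrv.dll")
    print(md5, versions)
```

A hash match against a WinSxS copy says the System32 file is a known build of that component; it says nothing about the rest of the machine, and a file with no matching copy deserves a closer look rather than an automatic verdict. The same parser reads the userinit.exe report later in the thread, which uses the same layout.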

#5 Elise

Posted 22 November 2011 - 02:39 AM

Navigate in xPUD to this file: /mnt/sda1/Windows/System32/winsrv.dll

Right click on it and select Copy.

Now go to /mnt/sda1/Windows, right click in an empty space in that folder and select Paste.

You will now have /mnt/sda1/Windows/winsrv.dll <-- right click this file and select Rename. Rename the file to consrv.dll

Now right click on the file you just renamed to consrv.dll and select Copy.

Go to /mnt/sda1/Windows/System32, right click in an empty space and select Paste.

You should now see both winsrv.dll and consrv.dll in the System32 folder.

Restart your computer and when in Windows, run the following scan.


We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise




#6 Piraus (Topic Starter)

Posted 22 November 2011 - 04:55 AM

Here we go.
The first part is perfect. I renamed the file.
Then I tried to boot the PC and I found the new problem.
What I mean is that we have solved the first problem (The program can't start because consrv is missing. Try reinstalling the program.) and I can boot the PC, but it is like a time bomb.
I arrive at the screen where I can choose the user to log into Windows,
but after a couple of seconds the PC reboots itself.
And it keeps doing it: as soon as I boot the PC I arrive there and then it reboots (I have been able to choose the user and try to log in, but it seems as if I run out of time and then the PC reboots).

This means that actually I'm not able to scan the PC.

Thank you

#7 Elise

Posted 22 November 2011 - 06:06 AM

As a note, we have not resolved the consrv.dll problem; the registry still needs to be adjusted, but this way we simply have it pointing to the right file, albeit renamed. :)

Using xPUD, navigate to your flashdrive, make sure you see driver.sh, click Tool > Open Terminal, type bash driver.sh -f and press enter.
Type userinit.exe and press enter.

Post me the resulting filefind.txt

regards, Elise




#8 Piraus (Topic Starter)

Posted 22 November 2011 - 04:02 PM

Search results for userinit.exe

a0ab2bb9a92293d9ce66e252719ab5fe /mnt/sda1/Windows/System32/userinit.exe
27.5K Jan 18 2008

0e135526e9785d085bcd9aede6fbcbf9 /mnt/sda1/Windows/SysWOW64/userinit.exe
24.5K Jan 18 2008

22027835939f86c3e47ad8e3fbde3d11 /mnt/sda1/Windows/winsxs/x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737/userinit.exe
24.0K Nov 2 2006

0e135526e9785d085bcd9aede6fbcbf9 /mnt/sda1/Windows/winsxs/x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b/userinit.exe
24.5K Jan 18 2008

46d5b6b80e4a5997f508f938f96b7628 /mnt/sda1/Windows/winsxs/amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_3610939d8d22586d/userinit.exe
27.5K Nov 2 2006

a0ab2bb9a92293d9ce66e252719ab5fe /mnt/sda1/Windows/winsxs/amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941/userinit.exe
27.5K Jan 18 2008

Here we are... thank you

#9 Elise

Posted 22 November 2011 - 04:04 PM

Piraus wrote:
I arrive at the screen where I can choose the user to log into Windows,
but after a couple of seconds the PC reboots itself.

Have you tried this in Safe Mode as well?
Do the mouse and keyboard work at this point?
Does your desktop wallpaper come up at any point?

regards, Elise




#10 Piraus (Topic Starter)

Posted 22 November 2011 - 04:35 PM

I will try in safe mode (I have only tried in normal mode).
Mouse and keyboard work fine,
and if I'm fast typing the password of my account it starts to load the desktop, but then the time runs out and the PC reboots itself.

Actually in safe mode the PC seems to be stable... it doesn't reboot...
So actually I should do this part, I think:
We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Just one question: are they the same? Can I use one of them, or do I have to put both on the PC and start one of them?


Let me update.
I have downloaded dds.scr
I have put it onto my infected PC with a USB key
I have copied it to my desktop
I have double clicked
An MS-DOS prompt appeared with some information
but in a couple of seconds I got a blue screen (the only thing I was able to read about it was something like "dumping physical memory to disk" with a % of progress); as soon as this dumping finished (3-4 sec) the PC rebooted.
I logged in again in safe mode and I didn't find dds.scr anymore on my desktop...

I wait for instructions,
thaaaaankyoouuu :) (and forgive me if this post is not very clear)

Edited by Piraus, 22 November 2011 - 05:19 PM.


#11 Elise

Posted 23 November 2011 - 07:21 AM

No problem, please try the following scan instead. :)



COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise




#12 Piraus (Topic Starter)

Posted 23 November 2011 - 06:43 PM

Hi Elise, I wish to update you.

1. I have tried to use ComboFix, but after I launched the program it gets stuck (exactly after it finishes extracting files, when it starts to create the destination folder; to be more precise, when it creates the second folder. If you need, I can post you a photo of the screen.)

2. So I decided to try to scan the PC with Malwarebytes Anti-Malware.
2.1 I have downloaded the latest version, and I have installed it on the infected PC (where a really old version of MBAM was already installed).
2.2 Even if I install the latest version available, when I start it I see a database dated 31/08/2011 (I have tried the install file of MBAM on another PC and it gives me the latest database).
2.3 I have tried to uninstall it completely and I have installed it again, but still I see the database of 31/08/2011 (moreover I cannot get the infected PC connected to the internet because I'm actually using an internet key, and when I plug it in during safe mode the PC doesn't see it).
2.4 I have performed a complete scan; here is the log (sorry, I didn't think about the language of the log; of course ask me for anything you need translated).
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.6001.19088

24/11/2011 1.14.02
mbam-log-2011-11-24 (01-13-30).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 337379
Time elapsed: 36 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Salvo\AppData\Roaming\mIRC\xdccb440_2138\userinput.dll (Backdoor.Bot) -> No action taken.

Edited by Piraus, 23 November 2011 - 07:20 PM.


#13 Elise

Posted 24 November 2011 - 02:14 AM

Press Windows key + R, type combofix /killall and press enter. See if it runs that way.

regards, Elise




#14 Piraus (Topic Starter)

Posted 24 November 2011 - 02:42 PM

Hi Elise. Using your command combofix /killall (I had to write the complete path, like c:\users\piraus\desktop\combofix /killall) I was able to launch it. But when it finished installing itself the PC crashed again, as when I tried dds.scr, so with a blue screen where it says dumping physical memory to disk.

Please help :) thank you for everything you are doing

Edited by Piraus, 24 November 2011 - 02:58 PM.


#15 Elise

Posted 24 November 2011 - 03:05 PM

Please run the following command (just like last time): combofix /nombr and see if it still crashes.

regards, Elise

