TechSpot

Problem Starting Windows - Epic Virus Battle

By Velexia
Dec 19, 2009
Topic Status:
Not open for further replies.
  1. Current Situation: Power, On. F1 (Case Opened), F8. Disable Automatic Restart on System Failure.

    "A problem has been detected and windows has been shut down to prevent damage to your computer.

    If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

    Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

    Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

    Technical information:

    *** STOP: 0x0000007E (0xC0000005, 0x3F3F3F3F, 0xF78F04FC, 0XF78F01F8)"

    This is a possibility, as I am dealing with viruses, and my computer uses an AMD CPU.

    If this is the case, the following may work... (I am going to try it after the CHKDSK /R completes...)


    Edit: No luck with "disable intelppm." This was not the cause.



    What has been done thus far:


    I have performed the Repair Install (after some fiddling to get Repair to be an option at all), I have gone into the Recovery Console and disabled several systems from the listsvc:

    PDCOMP, PDFRAME, PDRELI, PDRFRAME, PnkBstrK (From America's Army Video Game), TDPIPE, and TDTCP.

    Also, after exploring with Dir C:\ I have located and deleted the following files:

    C:\dens.exe
    C:\enhs.exe
    C:\siuhb.exe
    C:\WINDOWS\kgt2k.ini
    C:\WINDOWS\ntbtlog.txt
    C:\WINDOWS\ocgen.log
    C:\WINDOWS\ocmsn.log
    C:\WINDOWS\Registration\(All Suspicious Files modified in the last 3 days)
    C:\WINDOWS\Security\(All Suspicious Files modified in the last 3 days)
    C:\WINDOWS\setupact.log
    C:\WINDOWS\setuplog.txt
    C:\WINDOWS\system.ini
    C:\WINDOWS\Tasks\(All Suspicious Files modified in the last 3 days)
    C:\WINDOWS\Temp\Perflib_Perfdata_2a8.dat
    C:\WINDOWS\Temp\Perflib_Perfdata_500.dat
    C:\WINDOWS\Temp\Perflib_Perfdata_6c4.dat
    C:\WINDOWS\Temp\Perflib_Perfdata_6d4.dat
    C:\WINDOWS\Temp\Perflib_Perfdata_b4c.dat
    C:\WINDOWS\Temp\Perflib_Perfdata_bd0.dat
    C:\WINDOWS\Temp\Perflib_Perfdata_c2c.dat
    C:\WINDOWS\Temp\WGANotify.settings
    C:\WINDOWS\System32\critical_warning.html
    C:\WINDOWS\System32\FNTCACHE.DAT
    C:\WINDOWS\System32\GroupPolicy
    C:\WINDOWS\System32\nmp.log
    C:\WINDOWS\System32\nvapps.xml
    C:\WINDOWS\System32\perfc009.dat
    C:\WINDOWS\System32\perfh009.dat
    C:\WINDOWS\System32\PerfStringBackup.ini
    C:\WINDOWS\System32\sirenacm.dll
    C:\WINDOWS\System32\wpa.bak

    After deleting these files, I then performed another Repair Install (hoping to replace the deleted files such as sirenacm.dll and wpa.bak, otherwise, I have bookmarked websites where I can get fresh copies of those files).

    I need to enable the SET command still, to investigate/deal with whatever is lurking in the following folders:

    C:\My Web Sites
    C:\Program Files
    C:\System Volume Information

    Also, this file has obviously been tampered with, but access is denied:

    C:\config.msi

    Edit: Config.Msi was a folder, and has been dealt with.


    I have rebuilt the boot.ini, and downloaded a BIOS update onto this (EeePC Laptop) computer for my dead rig. I can put it into a Flash Drive, but I am unsure of the ability to update the BIOS via a flash drive without being able to get to the Welcome Screen (or past it).

    I have attempted all forms of Safe Mode and every other option after F8. They all end in a Blue Screen of Death before the Welcome Screen.

    I have been getting the BSOD ever since the boot.ini was rebuilt, the repair install was performed, and the CMOS was cleared.

    Before those actions had been taken, when I would go to the Login Screen, only my Guest Account was visible, "Droog." At that screen I would double ctrl+alt+del to log in as my Administrator Account, and the computer would start to load Windows, then stop, and take me back to the Welcome Screen.

    It's been doing this ever since Avast decided that "aec.sys" was a suspicious file, and wanted to do a boot-time scan (which found nothing).

    Other symptoms of the virus army while I still had access to the desktop were the disabling of the System Restore function and the Task Manager. I re-enabled both of those, but when Avast wanted to do another boot-time scan, upon restart they were both disabled again. I had Process Explorer, so I wasn't exceptionally worried about that.

    I need assistance currently in getting past this Blue Screen of Death. I can then assess the situation with the Virus Army, and hopefully get into the Desktop again, where I can unleash hell =)

    This is day 4 of the battle.

    As a backup plan, I have ordered two new Hard Drives and a Copy of Windows 7, if all else fails. At which point I shall be doing recovery missions into my old Hard Drive for the numerous files which I am VERY attached to.

    I may have left some things out (It's been 4 days...) So I will mention anything that I remember as it comes up =)
     
  2. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    Oh, also, Hello! I am new =)

    Thanks for any responses in advance =)

    To update:

    All deleted files that were necessary but infected have been recovered except...
    "sirenacm.dll"

    Currently C:\My Web Sites, C:\Program Files, and C:\System Volume Information are still obviously infected somewhere within their contents.

    Edit:
    My Web Sites is related to a program my ex-roommate recently downloaded, false alarm. Same with Program Files. System Volume Information's behavior also appears to be normal.


    The folder C:\WINDOWS\security is also a problem. The files...
    C:\WINDOWS\security\.
    C:\WINDOWS\security\..

    Are both infected, but I cannot delete them.

    I attempted to rename them 1 (.) and 2 (..).

    In doing that, I was able to delete "1." (..) was not renamed, and the "security" folder no longer shows, although searching for (..) or attempting to delete (..) does turn up results ("The file or directory is being used by another process"), suggesting that it is still there. Its last known date of modification was 12/17/09. Anything within the last month is suspicious to me, and anything within days 16-17 is ESPECIALLY suspicious since I have been unable to log into the computer on either of those dates.

    Granted, trying DEL/REN C:\WINDOWS\NINJA\.. (A folder I know does not exist)
    gets the exact same response as trying DEL/REN C:\WINDOWS\SECURITY\..

    So, maybe I got rid of it after all =)

    I am pondering trying the automated system recovery, and hoping to find a recovery file that dates before December...
     
  3. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    From the LISTSVC command...

    Unidentified Services (Those that have no description) that are Enabled:


    Beep - System
    Cdaudio - System
    Changer - System
    Copystar - Boot
    dmboot - Boot
    dmload - Boot
    FGDSCSI - Manual
    fgdxbus - Manual
    Fips - System
    Fs_Rec - System
    i20mgmt - System
    InCDrec - System
    KSecDD - Boot
    lbrtfdc - System
    mnmdd - System
    Modem - Manual
    MountMgr - Boot
    Msfs - System
    Npfs - System
    Null - System
    nv - Manual
    nvatabus - Boot
    PartMgr - Boot
    ParVdm - Auto
    PCIDump - System
    PCIIde - Boot
    PfModNT - Auto
    RDPCDD - System
    RDPWD - Manual
    SaiMini - Manual
    SaiNtBus - Manual
    Sfloppy - System
    VgaSave - System
    VolSnap - Boot
    WDICA - Manual
    Winsock - Manual
    Winsock - Google Desktop Search Backup Before First Install - Manual
    Winsock - Google Desktop Search backup Before Last Install - Manual

    All Services that are disabled:


    Abiodsk
    abp480n5
    ACPIEC
    adpu160m
    Aha154x
    aic78u2
    aic78xx
    Alerter
    AliIde
    amsint
    asc
    asc3350p
    asc3350
    Atdisk
    cbidf2k
    Cdfs
    ClipSrv
    CmdIde
    Cpqarray
    dac2w2k
    dac960nt
    dpti2o
    Fastfat
    Forceware Intelligent Application manager (IAM)
    hpn
    hpqcxs08
    i2omp
    IDriverT
    InCDfs
    InCDsrv
    InCDsrvR
    ini910u
    IntelIde
    iPod Service
    JavaQuickStarterService
    Messenger
    mraid35x
    NetDDE
    NetDDEdsdm
    Ntfs
    p2pgasvc
    p2pimsvc
    p2psvc
    Pcmcia
    PDCOMP
    PDFRAME
    PDRELI
    PDRFRAME
    perc2
    perc2hib
    PnkBstrA
    PnkBstrB
    PnkBstrK
    ql1080
    Ql10wnt
    ql12160
    ql1240
    ql1280
    RasAuto
    RDSessMgr
    RemoteAccess
    seclogon
    SENS
    Simbad
    Sparrow
    Spooler
    symc810
    symc8xx
    sym_hi
    sym_u3
    TDPIPE
    TDTCP
    TlntSvr
    TosIde
    Udfs
    ultra
    ViaIde
    WMPNetworkSvc
    wuauserv
     
  4. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,872   +166

    Have you seen this thread:
    8-Step Virus & Malware Removal Instructions

    It is much easier for us to help you if you follow and post the 3 logs asked for. These are just a starting point, and more in-depth help will follow if needed.
     
  5. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    All of that seems very awesome and requires something I do not have... access to my computer. (I see that Blue Screen of Death, or one that flashes too fast to read, on any and every attempt to start the computer, just before the Welcome Screen.)

    The only things I can do right now involve the Windows XP Pro CD, and the BIOS.

    I am going to download all of those Programs and put them on my flash drive to add to my Main Rig (It's been disconnected from the internet and will not be reconnected until it is all peachy inside) if I ever get access to it again. While I'm at it, I might as well poke around on this Laptop too, just to be safe =)

     
  6. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,872   +166

  7. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    I do appreciate that you are trying to help, but I think reading my posts, especially the first one, will help =)

    Is there another Forum Area I should have posted this to?

    The issue currently is getting past the Blue Screen of Death. Once that is complete, accessing my desktop is the next step, and from there, only then will I be able to follow the 8-Step Process and such =)

    This seems like a possible avenue to fix my BSoD:

    After further investigation it appears that this is not a viable solution. I have no ideas on what can be done =/
     
  8. captaincranky

    captaincranky TechSpot Addict Posts: 10,735   +894

    I suggest a complete reformat, and an editing of the thread title to read, "Epic Virus Blunders".

    Oh, and stay away from P2P.
     
  9. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    CHKDSK /R
    CHKDSK is checking the volume...
    CHKDSK is performing additional checking or recovery...
    CHKDSK is performing additional checking or recovery...
    CHKDSK is performing additional checking or recovery...
    CHKDSK has finished checking the volume.
    134215008 kilobytes total disk space.
    25674912 kilobytes are available.

    4096 bytes in each allocation unit.
    33553752 total allocation units on disk.
    6418728 allocation units available on disk.

    Will a "complete reformat" erase the data on the Hard Drive? Because if so, that is not an option for me.

    Also, I am not sure exactly what you mean by P2P but if it is "Peer to peer" I can assure you, that this has nothing to do with it.

     
  10. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    Via 30GB Partition and a fresh install of Windows XP Professional, I now have access to my Main Rig. Time to start this 8-Step Process =)
     
  11. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    Here are the logs from my laptop, which should be squeaky clean =)

    This is mostly a practice run. Currently, Malwarebytes is scanning the main rig (which this thread is about).
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you! You finally got around to the logs we need. I'm reviewing them now. Please don't make any system changes or run any more diagnostics.

    Edit: Have reviewed your logs. They are clean. IF you are still having a problem, please describe it to me in as few words as possible- no diagnostics. I will then determine if you need to run any additional program.
     
  13. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    I finally got around to having access to my computer was the main thing. Without that I couldn't have even begun this process. However... "waves hand" these are not the logs you are looking for ~_^

    I'm running scans on the "main rig" right now, which is the one that is having all of the problems =)

    I'll post those logs as soon as I can. These were just a precaution, to be certain that my work computer was clean =)

    Avira scan is complete (clean). Malwarebytes scan is complete (clean). Scanning with SUPERAntiSpyware currently (Adware.Tracking Cookies detected)...

    All logs will be posted when the entire process is finished =)
     
  14. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    I think I have a slight problem involving Malwarebytes which is going to make this take a lonnnnng time.

    I let Malwarebytes run last night, hoping it would finish by the time I woke up... It was still on drive C:\ 9 hours later. So I was like...blegh! Quick scan then! Cancelled, and did a quick scan...

    ...and it doesn't say it in the log, but by the speed in which it scanned It seems pretty obvious that it only scanned the current partition of D:\

    So I've reinstated the full scan, selecting only C:\ to be scanned. Hopefully by next week it will finish =D

    I won't bother posting the D:\ log though, it goes like this.... nothing found, 0, nothing found, 0 etc =)

    Edit: Solved this problem, and will be posting the entire scan log of all drives =)

    Just hoping that when it scans the registry, it scans both installations...
     
  15. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    Basically what's taking it so long is, it's getting stuck on a couple thousand images I have in a sprite ripper program (for making sprite based games).

    Edit: It would appear that the ownership issue could have been what was causing the massive time lag. As soon as I started taking ownership of the folder and contents, the scanning picked up speed.


    Edit:

    I tried to simply delete the images, but I cannot access the folder. Access is denied while logged in, and after enabling the SET command for the Recovery Console, I attempted to delete the files, but they would not go away...

    Some odd behavior... the folder is set to "read only" and when I attempt to change it, it automatically reverts to read only.

    C:\Windows\Documents and Settings\Administrator\Desktop\Desktop Stuff is the path, I believe.

    The only other folder that I can't access is "System Volume Information" which is normal... but not being able to access "Desktop Stuff" is strange. I've scanned every other part of the computer with Malwarebytes and it hasn't found a single thing (I was very thorough earlier in the Recovery Console).

    Does anyone have any suggestions for gaining access to this "Desktop Stuff" folder to delete the ripper program and or image files? (I would just try to delete the whole folder, but there is a lot of important stuff in it).

    One last weird note... scanning it starts to scan everything inside, but just hovering over it says it is empty. Checking via Recovery Console, nothing inside has been messed with in the last few months, so it might not be viral in nature.

    Using Google Fu, I found this, which might be the issue...

    This should solve the problem =)

    "Desktop Stuff" folder problem solved =)

    On an entirely different note, if you haven't seen Avatar yet, and you like James Cameron or Sci-Fi, go see it, in theatres, it is awesome =) (See it in 3D if possible)
     
  16. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,872   +166

    Velexia, you keep replying to your posts. There is an EDIT feature that you should use. It saves space and confusion.
     
  17. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    Sorry, like I said I am new to these forums, this is a forum etiquette that is completely alien and somewhat confusing to me.
     
  18. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    The logs for my "Main Rig" are finished and attached below. However, there is a problem. SUPERAntiSpyware did scan C:\, but it could not scan the Memory or Registry of the Windows XP Pro installation on C:\.

    HiJackThis cannot scan the processes that run when the Windows XP Pro installation on C:\ is running.

    I will try to log onto that particular installation and repeat the process, but I expect to see the BSoD for trying =/

    Indeed, the BSoD remains even in Safe Mode.

    I attempted to make an ntbootlog.txt with "Enable Boot Logging" but the BSoD occurs before such a thing can be created.

    I managed to take a split-second image with my digital camera as the BSoD flashed (it is different than when I disable automatic restart).

    I just caught an image of the BSoD when trying to start normally, and it mentions no cause for the error at all, just the standard BSoD form.

    Someone suggested that it might have something to do with my AntiVirus program. So I checked out the Awil Folder, and took a look at the Security tab, Group or user names...

    I found this:

    That looks naughty to me. I instantly denied ALL permissions for that "user."
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Your HijackThis log is not complete. I suggest you move over to the Windows OS forum.
     
  20. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    I'm over in the BSoD Windows OS forum as well. What do you mean by... not complete?
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Several sections of the log are missing.
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    Missing sections
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    Missing sections
    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    Not enough Services


    Please finish on one of the forums before posting on another. It is possible you could get conflicting information.
     
  22. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    Well, I started on this forum, then decided I should probably look into the BSoD forum as well, since that was preventing me from getting anywhere over here.

    Considering I haven't gotten any information from the BSoD forum involving viruses, or software, I'm fairly confident that none of it will conflict =)

    It could possibly be that the HiJackThis log looks incomplete simply because this is a fresh install (less than 2 days old) of Windows on a fresh partition. As I said, the HiJackThis program can't access the other installation of windows, because I can't either (I can access the C:\ drive though, via the D:\ installation).

    The processes that HiJackThis is not picking up are...

    csrss.exe
    alg.exe
    System
    System Idle Process.

    Fresh install of Windows. There is really nothing to see here. SUPERAntiSpyware was the only program able to pick up anything at all. In order to get any meaningful information out of this, I need access to the other Installation of Windows, and that doesn't look like it is going to happen.
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You keep trying to over analyze everything instead of just doing it! Your posts are way too long and detailed. Believe it or not, sometimes too much information isn't helpful. There is a limit to how many diagnostics we can handle on an internet forum.

    Make up your mind which forum you're going to post in and for what problem. Then follow the directions of your helper. It sounds like you need to get the system all together first!
     
  24. Velexia

    Velexia TS Rookie Topic Starter Posts: 34

    All directions thus far have led nowhere. If I was getting somewhere, I wouldn't keep updating what I have done, and why it hasn't worked.

    Just doing...? I've been doing things for the last 5 days.

    I have one problem, which consists of two parts. I cannot access my computer. Blue Screen of Death. Cause? Virus. I've attempted to get past the Blue Screen of Death in every way I can conceive of, and every way that these forums and others have suggested, to no avail.

    I am giving out detailed information in the hopes that someone will recognize something and go "oh, I know about that, let's see if I can help."

    Instead, people who can't help have been clogging up the "space" with replies and making it "confusing" for anyone who might be able to.

    To everyone who has attempted to genuinely help I am exceptionally grateful; to those who want to help but can't, I appreciate the concern; and to those who have simply been rude, like Tmagic and cranky, I'm a little upset.

    I've come to a decision here, and am in the process of doing it. Unfortunately, no one was able to help my situation except myself, but that is alright =)

    I understand that a lot of the people on this forum have a method, and are very used to that method. Anything that deviates from that method leaves the zone of perfect understanding, and that makes it harder to help.

    If I could simply follow the 8-step process as it was intended, I would have done that right off the bat. I however, have no way of doing that, and for the last 2 days I've been doing everything in my power to get to that position.

    I thought that perhaps with this new breakthrough, the 8-step process was the next step. It wasn't.

    I've spent far too long attempting to clear this Blue Screen of Death and have determined my final solution. Salvage my files (which I am thankfully able to do) and wipe the bloody thing clean.

    However, first I have to make 100% certain that my files are clean. I just recently reset all permissions and ownership of all of my files. Having an unidentified bizarre user name with ownership of my files and full permissions to them does not seem like something I want =)

    Again, thank you for everyone who tried to help me, I wish any of it had worked.

    I am in the process of resolving it now, and won't need any further help (yet ^_^).
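The "naughty" user found in the Awil folder's Security tab (post 18) and the "unidentified bizarre user name with ownership of my files" (post 24) are the kind of thing a defender triages before wiping a drive. The script below is an added example written for this thread; it is not code from the thread, from TechSpot, or from any of the tools named in it. It walks a directory tree and reports every owner or explicit ACL entry whose account the running system cannot resolve to a name. The `$Path` parameter is an assumption (for the thread's setup it would be a folder on the old C:\ volume, run from the fresh D:\ install). One caveat is built into the comments: when a fresh installation inspects another installation's volume, the old install's local accounts only ever appear as raw SIDs (S-1-5-21-...), so an unresolved identity is expected there and is a lead to review, not evidence of infection on its own. The script assumes Windows PowerShell 3 or later and only reports; it changes no permissions.

```powershell
# Added example, not from the thread: report files/folders under $Path whose owner
# or explicit ACL entries belong to an account this system cannot resolve to a name.
# Caveat: on a fresh install looking at another installation's volume, the old
# install's local accounts always show as raw SIDs (S-1-5-21-...). That alone is
# normal; what matters is which unresolved identity owns or has Full Control over
# most of the tree, so review the summary at the end before acting on anything.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # assumption: e.g. 'C:\Documents and Settings' viewed from the D:\ install
)

function Test-UnresolvedIdentity {
    param([System.Security.Principal.IdentityReference]$Identity)
    # A resolvable account translates to DOMAIN\Name; an orphaned SID throws
    # IdentityNotMappedException, which is exactly the condition we want to flag.
    try {
        $null = $Identity.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch {
        return $true
    }
}

$findings = foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        # Access denied on the old volume is itself worth recording (the thread hit
        # this on the "Desktop Stuff" folder); it usually means an owner/ACL problem.
        [pscustomobject]@{ Path = $item.FullName; Kind = 'NoAccess'; Identity = ''; Rights = $_.Exception.Message }
        continue
    }

    # Owner check: ask for the owner as a SID object so translation can be tested.
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    if (Test-UnresolvedIdentity $ownerSid) {
        [pscustomobject]@{ Path = $item.FullName; Kind = 'Owner'; Identity = $ownerSid.Value; Rights = '' }
    }

    # ACE check: only explicit (non-inherited) entries, so each finding points at the
    # object where the permission was actually granted rather than every child of it.
    foreach ($ace in $acl.Access) {
        if (-not $ace.IsInherited -and (Test-UnresolvedIdentity $ace.IdentityReference)) {
            [pscustomobject]@{
                Path     = $item.FullName
                Kind     = 'ACE'
                Identity = $ace.IdentityReference.Value
                Rights   = "$($ace.AccessControlType):$($ace.FileSystemRights)"
            }
        }
    }
}

# Full detail, grouped by identity so one account's footprint reads as a block.
$findings | Sort-Object Identity, Path | Format-Table -AutoSize

# Summary: how many objects each unresolved identity touches. The identity with the
# widest footprint (especially with Allow:FullControl ACEs) is the one to examine first.
$findings |
    Where-Object { $_.Kind -ne 'NoAccess' } |
    Group-Object Identity |
    Select-Object Name, Count |
    Sort-Object Count -Descending
```

Run it from an elevated PowerShell prompt, for example `.\Find-UnresolvedAcl.ps1 -Path 'C:\Documents and Settings'` (the script name is an assumption). The thread's eventual remedy, taking ownership and resetting permissions across the files, is a separate, destructive step; keeping the reporting script read-only means it can be re-run after that reset to confirm that no unresolved identity retains Full Control before the files are copied off the drive.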
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thanks for the update. Have a Happy Holiday Season.
     