Problem Starting Windows - Epic Virus Battle

Status
Not open for further replies.

Velexia

Current Situation: Power, On. F1 (Case Opened), F8. Disable Automatic Restart on System Failure.

"A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical information:

*** STOP: 0x0000007E (0xC0000005, 0x3F3F3F3F, 0xF78F04FC, 0XF78F01F8)"

The SYSTEM_THREAD_EXCEPTION_NOT_HANDLED bug check has a value of 0x0000007E. This bug check indicates that a system thread generated an exception that the error handler did not catch.

1. The exception code that was not handled
2. The address where the exception occurred
3. The address of the exception record
4. The address of the context record


This problem occurs when a System Preparation (Sysprep) image is created on a computer that uses an Intel processor and is then deployed to a computer that does not use an Intel processor.

This is a possibility, as I am dealing with viruses, and my computer uses an AMD CPU.

If this is the case, the following may work... (I am going to try it after the CHKDSK /R completes...)

Method 2
To work around this issue, run the recovery console by using the Windows XP CD. Then, select the recovery option. To run the Recovery Console from the Windows XP startup disk or from the Windows XP CD, follow these steps:

1. Insert the Windows XP startup disk in the floppy disk drive. Or, insert the Windows XP CD in the CD drive. Then, restart the computer.

Note: If you are prompted, click to select any options that are required to start the computer from the CD drive.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. If you have a dual-boot computer or a multiple-boot computer, select the installation that you want to access from the Recovery Console.
4. When you are prompted, type the administrator password.

Note: Press ENTER if the administrator password is blank.
5. At the Recovery Console command prompt, type the following command, and then press ENTER:
disable intelppm
6. To exit the Recovery Console and to restart the computer, type exit at the Recovery Console command prompt, and then press ENTER.

Edit: No luck with "disable intelppm." This was not the cause.



What has been done thus far:


I have performed the Repair Install (after some fiddling to get Repair to be an option at all), I have gone into the Recovery Console and disabled several systems from the listsvc:

PDCOMP, PDFRAME, PDRELI, PDRFRAME, PnkBstrK (From America's Army Video Game), TDPIPE, and TDTCP.

Also, after exploring with Dir C:\ I have located and deleted the following files:

C:\dens.exe
C:\enhs.exe
C:\siuhb.exe
C:\WINDOWS\kgt2k.ini
C:\WINDOWS\ntbtlog.txt
C:\WINDOWS\ocgen.log
C:\WINDOWS\ocmsn.log
C:\WINDOWS\Registration\(All Suspicious Files modified in the last 3 days)
C:\WINDOWS\Security\(All Suspicious Files modified in the last 3 days)
C:\WINDOWS\setupact.log
C:\WINDOWS\setuplog.txt
C:\WINDOWS\system.ini
C:\WINDOWS\Tasks\(All Suspicious Files modified in the last 3 days)
C:\WINDOWS\Temp\Perflib_Perfdata_2a8.dat
C:\WINDOWS\Temp\Perflib_Perfdata_500.dat
C:\WINDOWS\Temp\Perflib_Perfdata_6c4.dat
C:\WINDOWS\Temp\Perflib_Perfdata_6d4.dat
C:\WINDOWS\Temp\Perflib_Perfdata_b4c.dat
C:\WINDOWS\Temp\Perflib_Perfdata_bd0.dat
C:\WINDOWS\Temp\Perflib_Perfdata_c2c.dat
C:\WINDOWS\Temp\WGANotify.settings
C:\WINDOWS\System32\critical_warning.html
C:\WINDOWS\System32\FNTCACHE.DAT
C:\WINDOWS\System32\GroupPolicy
C:\WINDOWS\System32\nmp.log
C:\WINDOWS\System32\nvapps.xml
C:\WINDOWS\System32\perfc009.dat
C:\WINDOWS\System32\perfh009.dat
C:\WINDOWS\System32\PerfStringBackup.ini
C:\WINDOWS\System32\sirenacm.dll
C:\WINDOWS\System32\wpa.bak

After deleting these files, I then performed another Repair Install (hoping to replace the deleted files such as sirenacm.dll and wpa.bak, otherwise, I have bookmarked websites where I can get fresh copies of those files).

I need to enable the SET command still, to investigate/deal with whatever is lurking in the following folders:

C:\My Web Sites
C:\Program Files
C:\System Volume Information

Also, this file has obviously been tampered with, but access is denied:

C:\config.msi

Edit: Config.Msi was a folder, and has been dealt with.


I have rebuilt the boot.ini, and downloaded a BIOS update onto this (EeePC Laptop) computer for my dead rig. I can put it into a Flash Drive, but I am unsure of the ability to update the BIOS via a flash drive without being able to get to the Welcome Screen (or past it).

I have attempted all forms of Safe Mode and every other option after F8. They all end in a Blue Screen of Death before the Welcome Screen.

I have been getting the BSOD ever since the boot.ini was rebuilt, the repair install was performed, and the CMOS was cleared.

Before those actions had been taken, when I would go to the Login Screen, only my Guest Account was visible "Droog." At that screen I would double ctrl+alt+del to login as my Administrator Account, and the computer would start to load windows, then stop, and take me back to the Welcome Screen.

It's been doing this ever since Avast decided that "aec.sys" was a suspicious file, and wanted to do a boot-time scan (which found nothing).

Other symptoms of the virus army while I still had access to the desktop was the disabling of the System Restore function and the Task manager. I re-enabled both of those, but when Avast wanted to do another boot-time scan, upon restart they were both disabled again. I had Process Explorer, so I wasn't exceptionally worried about that.

I need assistance currently in getting past this Blue Screen of Death. I can then assess the situation with the Virus Army, and hopefully get into the Desktop again, where I can unleash hell =)

This is day 4 of the battle.

As a backup plan, I have ordered two new Hard Drives and a Copy of Windows 7, if all else fails. At which point I shall be doing recovery missions into my old Hard Drive for the numerous files which I am VERY attached to.

I may have left some things out (It's been 4 days...) So I will mention anything that I remember as it comes up =)
 
Oh, also, Hello! I am new =)

Thanks for any responses in advance =)
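Added example, not code from the thread: a small Python decoder for the STOP line quoted in the post above. It maps the bug check code and its four parameters to the meanings the post lists for 0x7E, names the exception code 0xC0000005 (STATUS_ACCESS_VIOLATION, a standard NTSTATUS value not stated on the page), reports whether each address lies in the 32-bit kernel range, and flags a parameter whose four bytes are all printable ASCII, which 0x3F3F3F3F is ('????'); a triager notes that because a genuine code address is not expected to spell out a character string. The NTSTATUS table is a short assumed subset of standard values.

```python
import re

# Bug check names: 0x7E and 0x50 are the two named in this thread.
BUGCHECK_NAMES = {
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x00000050: "PAGE_FAULT_IN_NONPAGED_AREA",
}

# Parameter meanings for 0x7E exactly as listed in the post.
PARAM_MEANINGS = {
    0x0000007E: (
        "exception code that was not handled",
        "address where the exception occurred",
        "address of the exception record",
        "address of the context record",
    ),
}

# Standard NTSTATUS exception codes (assumption: only a few common ones are listed here).
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0x80000003: "STATUS_BREAKPOINT",
}

# 32-bit Windows with the default 2 GB / 2 GB split: kernel addresses start here.
KERNEL_SPACE_START = 0x80000000

# The STOP line quoted in the post (the "0X" with a capital X is parsed as well).
SAMPLE_STOP = "*** STOP: 0x0000007E (0xC0000005, 0x3F3F3F3F, 0xF78F04FC, 0XF78F01F8)"

STOP_RE = re.compile(r"\*\*\*\s*STOP:\s*(0x[0-9a-f]{8})\s*\(([^)]*)\)", re.IGNORECASE)


def parse_stop_line(line):
    """Return (bugcheck_code, [p1, p2, p3, p4]) from a '*** STOP:' line."""
    m = STOP_RE.search(line)
    if not m:
        raise ValueError("no STOP line found")
    code = int(m.group(1), 16)
    params = [int(p.strip(), 16) for p in m.group(2).split(",")]
    if len(params) != 4:
        raise ValueError(f"expected 4 parameters, got {len(params)}")
    return code, params


def ascii_pattern(value):
    """Return the four bytes of a 32-bit value as text if every byte is printable ASCII, else None."""
    raw = value.to_bytes(4, "big")
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def describe_stop(line):
    """Decode a STOP line into a dict a triager can read or assert on."""
    code, params = parse_stop_line(line)
    meanings = PARAM_MEANINGS.get(code, tuple(f"parameter {i}" for i in range(1, 5)))
    report = {"bugcheck": code, "name": BUGCHECK_NAMES.get(code, "unknown bug check"), "params": []}
    for index, (value, meaning) in enumerate(zip(params, meanings), start=1):
        entry = {"index": index, "value": value, "meaning": meaning}
        if code == 0x7E and index == 1:
            # Parameter 1 of a 0x7E is an NTSTATUS exception code, not an address.
            entry["exception"] = NTSTATUS_NAMES.get(value, "unrecognised NTSTATUS")
        elif code == 0x7E:
            entry["kernel_space"] = value >= KERNEL_SPACE_START
            pattern = ascii_pattern(value)
            if pattern is not None:
                entry["ascii_pattern"] = pattern
        report["params"].append(entry)
    return report


if __name__ == "__main__":
    result = describe_stop(SAMPLE_STOP)
    print(f"{result['bugcheck']:#010x} {result['name']}")
    for p in result["params"]:
        extras = {k: v for k, v in p.items() if k not in ("index", "value", "meaning")}
        print(f"  {p['index']}: {p['value']:#010x}  {p['meaning']}  {extras}")
```

Run against the quoted line, the decoder shows parameter 2 (the faulting address) sitting in the user-mode range and spelling '????', while parameters 3 and 4 are ordinary kernel-range addresses; that is the kind of detail worth carrying to a driver or memory-corruption investigation instead of the raw hex.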

To update:

All deleted files that were necessary but infected have been recovered except...
"sirenacm.dll"

Currently C:\My Web Sites, C:\Program Files, and C:\System Volume Information are still obviously infected somewhere within their contents.

Edit:
My Web Sites is related to a program my ex-roommate recently downloaded, false alarm. Same with Program Files. System Volume Information's behavior also appears to be normal.


The folder C:\WINDOWS\security is also a problem. The files...
C:\WINDOWS\security\.
C:\WINDOWS\security\..

Are both infected, but I cannot delete them.

I attempted to rename them 1 (.) and 2 (..).

In doing that, I was able to delete "1." (..) was not renamed, and the "security" folder no longer shows, although searching for (..) or attempting to delete (..) does turn up results ("The file or directory is being used by another process"), suggesting that it is still there. Its last known date of modification was 12/17/09. Anything within the last month is suspicious to me, and anything within day 16-17 is ESPECIALLY suspicious since I have been unable to log into the computer on either of those dates.

Granted, trying DEL/REN C:\WINDOWS\NINJA\.. (A folder I know does not exist)
gets the exact same response as trying DEL/REN C:\WINDOWS\SECURITY\..

So, maybe I got rid of it after all =)

I am pondering trying the automated system recovery, and hoping to find a recovery file that dates before December...
 
From the LISTSVC command...

Unidentified Services (Those that have no description) that are Enabled:


Beep - System
Cdaudio - System
Changer - System
Copystar - Boot
dmboot - Boot
dmload - Boot
FGDSCSI - Manual
fgdxbus - Manual
Fips - System
Fs_Rec - System
i20mgmt - System
InCDrec - System
KSecDD - Boot
lbrtfdc - System
mnmdd - System
Modem - Manual
MountMgr - Boot
Msfs - System
Npfs - System
Null - System
nv - Manual
nvatabus - Boot
PartMgr - Boot
ParVdm - Auto
PCIDump - System
PCIIde - Boot
PfModNT - Auto
RDPCDD - System
RDPWD - Manual
SaiMini - Manual
SaiNtBus - Manual
Sfloppy - System
VgaSave - System
VolSnap - Boot
WDICA - Manual
Winsock - Manual
Winsock - Google Desktop Search Backup Before First Install - Manual
Winsock - Google Desktop Search backup Before Last Install - Manual

All Services that are disabled:


Abiodsk
abp480n5
ACPIEC
adpu160m
Aha154x
aic78u2
aic78xx
Alerter
AliIde
amsint
asc
asc3350p
asc3350
Atdisk
cbidf2k
Cdfs
ClipSrv
CmdIde
Cpqarray
dac2w2k
dac960nt
dpti2o
Fastfat
Forceware Intelligent Application manager (IAM)
hpn
hpqcxs08
i2omp
IDriverT
InCDfs
InCDsrv
InCDsrvR
ini910u
IntelIde
iPod Service
JavaQuickStarterService
Messenger
mraid35x
NetDDE
NetDDEdsdm
Ntfs
p2pgasvc
p2pimsvc
p2psvc
Pcmcia
PDCOMP
PDFRAME
PDRELI
PDRFRAME
perc2
perc2hib
PnkBstrA
PnkBstrB
PnkBstrK
ql1080
Ql10wnt
ql12160
ql1240
ql1280
RasAuto
RDSessMgr
RemoteAccess
seclogon
SENS
Simbad
Sparrow
Spooler
symc810
symc8xx
sym_hi
sym_u3
TDPIPE
TDTCP
TlntSvr
TosIde
Udfs
ultra
ViaIde
WMPNetworkSvc
wuauserv
 
All of that seems very awesome and requires something I do not have... Access to my Computer (I see that Blue Screen of Death, or one that flashes too fast to read on any and every attempt to start the computer (just before the Welcome Screen).)

I have attempted all forms of Safe Mode and every other option after F8. They all end in a Blue Screen of Death before the Welcome Screen.

The only things I can do right now involve the Windows XP Pro CD, and the BIOS.

I am going to download all of those Programs and put them on my flash drive to add to my Main Rig (It's been disconnected from the internet and will not be reconnected until it is all peachy inside) if I ever get access to it again. While I'm at it, I might as well poke around on this Laptop too, just to be safe =)

Current Situation: Power, On. F1 (Case Opened), F8. Disable Automatic Restart on System Failure.

"A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical information:

*** STOP: 0x0000007E (0xC0000005, 0x3F3F3F3F, 0xF78F04FC, 0XF78F01F8)"
 
Try performing an XP repair:
XP Repair Install

I do appreciate that you are trying to help, but I think reading my posts, especially the first one, will help =)


What has been done thus far:


I have performed the Repair Install (after some fiddling to get Repair to be an option at all)...

...After deleting these files, I then performed another Repair Install (hoping to replace the deleted files such as sirenacm.dll and wpa.bak, otherwise, I have bookmarked websites where I can get fresh copies of those files).

Is there another Forum Area I should have posted this to?

The issue currently is getting past the Blue Screen of Death. Once that is complete, accessing my desktop is the next step, and from there, only then will I be able to follow the 8-Step Process and such =)

This seems like a possible avenue to fix my BSoD:

/NOEXECUTE

This option is only available on 32-bit versions of Windows when running on processors supporting no-execute protection. It enables no-execute protection (also known as Data Execution Protection - DEP), which results in the Memory Manager marking pages containing data as no-execute so that they cannot be executed as code. This can be useful for preventing malicious code from exploiting buffer overflow bugs with unexpected program input in order to execute arbitrary code. No-execute protection is always enabled on 64-bit versions of Windows on processors that support no-execute protection.

After further investigation it appears that this is not a viable solution. I have no ideas on what can be done =/
 
I do appreciate that you are trying to help, but I think reading my posts, especially the first one, will help =)

I suggest a complete reformat, and an editing of the thread title to read, "Epic Virus Blunders".

Oh, and stay away from P2P.
 
CHKDSK /R
CHKDSK is checking the volume...
CHKDSK is performing additional checking or recovery...
CHKDSK is performing additional checking or recovery...
CHKDSK is performing additional checking or recovery...
CHKDSK has finished checking the volume.
134215008 kilobytes total disk space.
25674912 kilobytes are available.

4096 bytes in each allocation unit.
33553752 total allocation units on disk.
6418728 allocation units available on disk.

I suggest a complete reformat, and an editing of the thread title to read, "Epic Virus Blunders".

Oh, and stay away from P2P.

Will a "complete reformat" erase the data on the Hard Drive? because if so, that is not an option for me.

Also, I am not sure exactly what you mean by P2P but if it is "Peer to peer" I can assure you, that this has nothing to do with it.


All Services that are disabled:

...
p2pgasvc
p2pimsvc
p2psvc
...
 
Here are the logs from my laptop, which should be squeaky clean =)

This is mostly a practice run. Currently, Malwarebytes is scanning the main rig (which this thread is about).
 
Thank you! You finally got around to the logs we need. I'm reviewing them now. Please don't make any system changes or run any more diagnostics.

Edit: Have reviewed your logs. They are clean. IF you are still having a problem, please describe it to me in as few words as possible- no diagnostics. I will then determine if you need to run any additional program.
 
I finally got around to having access to my computer was the main thing. Without that I couldn't have even begun this process. However... "waves hand" these are not the logs you are looking for ~_^

I'm running scans on the "main rig" right now, which is the one that is having all of the problems =)

I'll post those logs as soon as I can. These were just a precaution, to be certain that my work computer was clean =)

Avira scan is complete (clean). Malwarebytes scan is complete (clean). Scanning with SUPERAntiSpyware currently (Adware.Tracking Cookies detected)...

All logs will be posted when the entire process is finished =)
 
I think I have a slight problem involving Malwarebytes which is going to make this take a lonnnnng time.

I let Malwarebytes run last night, hoping it would finish by the time I woke up... It was still on drive C:\ 9 hours later. So I was like...blegh! Quick scan then! Cancelled, and did a quick scan...

...and it doesn't say it in the log, but by the speed in which it scanned It seems pretty obvious that it only scanned the current partition of D:\

So I've reinstated the full scan, selecting only C:\ to be scanned. Hopefully by next week it will finish =D

I won't bother posting the D:\ log though, it goes like this.... nothing found, 0, nothing found, 0 etc =)

Edit: Solved this problem, and will be posting the entire scan log of all drives =)

Just hoping that when it scans the registry, it scans both installations...
 
Basically what's taking it so long is, it's getting stuck on a couple thousand images I have in a sprite ripper program (for making sprite based games).

Edit: It would appear that the ownership issue could have been what was causing the massive time lag. As soon as I started taking ownership of the folder and contents, the scanning picked up speed.


Edit:

I tried to simply delete the images, but I cannot access the folder. Access is denied while logged in, and after enabling the SET command for the recovery console, I attempted to delete the files, but they would not go away...

Some odd behavior... the folder is set to "read only" and when I attempt to change it, it automatically reverts to read only.

C:\Windows\Documents and Settings\Administrator\Desktop\Desktop Stuff is the path, I believe.

The only other folder that I can't access is "System Volume Information" which is normal... but not being able to access "Desktop Stuff" is strange. I've scanned every other part of the computer with Malwarebytes and it hasn't found a single thing (I was very thorough earlier in the Recovery Console).

Does anyone have any suggestions for gaining access to this "Desktop Stuff" folder to delete the ripper program and or image files? (I would just try to delete the whole folder, but there is a lot of important stuff in it).

One last weird note... scanning it starts to scan everything inside, but just hovering over it says it is empty. Checking via Recovery Console, nothing inside has been messed with in the last few months, so it might not be viral in nature.

Using Google Fu, I found this, which might be the issue...

This issue may occur if the folder that you cannot open was created on an NTFS file system volume by using a previous installation of Windows, and then installing Windows XP. This issue may occur although you enter the correct user name and password. This issue occurs because the security ID for the user has changed. Although you use the same user name and password, your security ID no longer matches the security ID of the owner of the folder that you cannot open.

For example, although you use the same user name and password, you may no longer have permission to open the folder after you complete the following steps:

1. Before you install Windows XP Professional, you change the actual location, or target location, of the My Documents folder to another volume.
2. You format the primary partition.
3. You install Windows XP Professional.

This should solve the problem =)

To resolve this issue, you must turn off Simple File Sharing, and then take ownership of the folder:

1. Turn off Simple File Sharing:
1. Click Start, and then click My Computer.
2. On the Tools menu, click Folder Options, and then click the View tab.
3. Under Advanced Settings, click to clear the Use simple file sharing (Recommended) check box, and then click OK.
2. Right-click the folder that you want to take ownership of, and then click Properties.
3. Click the Security tab, and then click OK on the Security message, if one appears.
4. Click Advanced, and then click the Owner tab.
5. In the Name list, click your user name, Administrator if you are logged in as Administrator, or click the Administrators group.

If you want to take ownership of the contents of that folder, click to select the Replace owner on subcontainers and objects check box.
6. Click OK.

You may receive the following error message, where Folder is the name of the folder that you want to take ownership of:
You do not have permission to read the contents of directory Folder. Do you want to replace the directory permissions with permissions granting you Full Control? All permissions will be replaced if you press Yes.
7. Click Yes.
8. Click OK, and then reapply the permissions and security settings that you want for the folder and the folder contents.

"Desktop Stuff" folder problem solved =)

On an entirely different note, if you haven't seen Avatar yet, and you like James Cameron or Sci-Fi, go see it, in theatres, it is awesome =) (See it in 3D if possible)
 
Velexia you keep replying to your posts. There is an EDIT feature that you should use. It saves space and confusion
 
Velexia you keep replying to your posts. [You should use the edit feature,] it saves space and confusion

Sorry, like I said I am new to these forums, this is a forum etiquette that is completely alien and somewhat confusing to me.
 
The logs for my "Main Rig" are finished and attached below. However, there is a problem. SUPERAntiSpyware did scan C:\, but it could not scan the Memory or Registry of the Windows XP Pro installation on C:\.

HiJackThis cannot scan the processes that run when the Windows XP Pro installation on C:\ is running.

I will try to log onto that particular installation and repeat the process, but I expect to see the BSoD for trying =/

Indeed, the BSoD remains even in Safe Mode.

I attempted to make an ntbootlog.txt with "Enable Boot Logging" but the BSoD occurs before such a thing can be created.

I managed to take a split-second image with my digital camera as the BSoD flashed (it is different than when I disable automatic restart).

PAGE_FAULT_IN_NONPAGED_AREA

I just caught an image of the BSoD when trying to start normally, and it mentions no cause for the error at all, just the standard BSoD form.

Someone suggested that it might have something to do with my AntiVirus program. So I checked out the Awil Folder, and took a look at the Security tab, Group or user names...

I found this:

(Face icon with ?) S-1-5-21-141700133-287218729-725345543-500

That looks naughty to me. I instantly denied ALL permissions for that "user."
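Added example, not code from the thread: a Python decoder for the SID shown in the post above. It splits an S-1-5-21-... string into its machine/domain identifier and relative identifier (RID), names the well-known RIDs (500 is the built-in Administrator account and 501 the Guest account, standard Windows values not stated on the page), and compares the machine identifier against a SID standing in for the current installation. That comparison is the check behind the KB text quoted a few posts earlier about a folder owner whose security ID no longer matches after a reinstall: an unresolvable owner entry from a different machine identifier is what that situation looks like on the Security tab. CURRENT_MACHINE_SID is constructed; the RID and alias tables are standard Windows values.

```python
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known relative identifiers under S-1-5-21-<machine or domain identifier>.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in account)",
    501: "Guest (built-in account)",
    502: "krbtgt (domain only)",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

# Built-in local groups live under S-1-5-32-<RID>.
BUILTIN_ALIASES = {
    544: "BUILTIN\\Administrators",
    545: "BUILTIN\\Users",
    546: "BUILTIN\\Guests",
}

# The owner entry quoted in the post.
OLD_OWNER_SID = "S-1-5-21-141700133-287218729-725345543-500"
# Constructed: a made-up machine SID standing in for the fresh installation on D:\.
CURRENT_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def parse_sid(sid):
    """Split a textual SID into revision, identifier authority and sub-authority list."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    subauthorities = [int(x) for x in m.group(3).strip("-").split("-")]
    return {"revision": int(m.group(1)), "authority": int(m.group(2)), "subauthorities": subauthorities}


def machine_id(sid):
    """The three-value machine/domain identifier of an S-1-5-21-... SID, or None for other SIDs."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    if p["authority"] == 5 and subs[0] == 21 and len(subs) in (4, 5):
        return tuple(subs[1:4])
    return None


def classify_sid(sid):
    """Describe what kind of principal a SID denotes and, where well known, its name."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    result = {"sid": sid, "kind": "other", "machine_id": None, "rid": None, "name": None}
    if p["authority"] == 5 and subs[0] == 21 and len(subs) == 5:
        rid = subs[4]
        result.update(kind="machine_or_domain_account", machine_id=tuple(subs[1:4]), rid=rid)
        if rid in WELL_KNOWN_RIDS:
            result["name"] = WELL_KNOWN_RIDS[rid]
        elif rid >= 1000:
            result["name"] = "user-created account or group (RID >= 1000)"
        else:
            result["name"] = "unrecognised well-known RID"
    elif p["authority"] == 5 and subs[0] == 21 and len(subs) == 4:
        result.update(kind="machine_or_domain", machine_id=tuple(subs[1:4]))
    elif p["authority"] == 5 and subs[0] == 32 and len(subs) == 2:
        result.update(kind="builtin_alias", rid=subs[1], name=BUILTIN_ALIASES.get(subs[1], "unrecognised alias"))
    return result


def is_foreign_to(account_sid, local_sid):
    """True when account_sid was issued by a different machine/domain than local_sid."""
    mine = machine_id(local_sid)
    theirs = machine_id(account_sid)
    if mine is None or theirs is None:
        raise ValueError("both SIDs must be S-1-5-21-... identifiers")
    return mine != theirs


if __name__ == "__main__":
    print(classify_sid(OLD_OWNER_SID))
    print("foreign to current installation:", is_foreign_to(OLD_OWNER_SID, CURRENT_MACHINE_SID))
```

On a real box the local machine identifier comes from any account SID of the current installation (the same three values appear in every S-1-5-21 SID it issues), so the comparison tells you whether an orphaned ACL entry belongs to the previous installation or to some machine the disk has never been joined to; either way the take-ownership procedure quoted above is how the entry is replaced.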
 
Your HijackThis log is not complete. I suggest you move over to the Windows OS forum.
 
Several sections of the log are missing.
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Missing sections
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
Missing sections
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Not enough Services


Please finish on one of the forums before posting on another. It is possible you could get conflicting information.
 
Well, I started on this forum, then decided I should probably look into the BSoD forum as well, since that was preventing me from getting anywhere over here.

Considering I haven't gotten any information from the BSoD forum involving viruses, or software, I'm fairly confident that none of it will conflict =)

It could possibly be that the HiJackThis log looks incomplete simply because this is a fresh install (less than 2 days old) of Windows on a fresh partition. As I said, the HiJackThis program can't access the other installation of windows, because I can't either (I can access the C:\ drive though, via the D:\ installation).

The processes that HiJackThis is not picking up are...

csrss.exe
alg.exe
System
System Idle Process.

Fresh install of Windows. There is really nothing to see here. SUPERAntiSpyware was the only program able to pick up anything at all. In order to get any meaningful information out of this, I need access to the other Installation of Windows, and that doesn't look like it is going to happen.
 
You keep trying to over analyze everything instead of just doing it! Your posts are way too long and detailed. Believe it or not, sometimes too much information isn't helpful. There is a limit to how many diagnostics we can handle on an internet forum.

Make up your mind which forum you're going to post in and for what problem. Then follow the directions of your helper. It sounds like you need to get the system all together first!
 
All directions thus far have led nowhere. If I was getting somewhere, I wouldn't keep updating what I have done, and why it hasn't worked.

Just doing...? I've been doing things for the last 5 days.

I have one problem, which consists of two parts. I cannot access my computer. Blue Screen of Death. Cause? Virus. I've attempted to get past the Blue Screen of Death in every way I can conceive of, and every way that these forums and others have suggested, to no avail.

I am giving out detailed information in the hopes that someone will recognize something and go "oh, I know about that, let's see if I can help."

Instead, people who can't help have been clogging up the "space" with replies and making it "confusing" for anyone who might be able to.

To everyone who has attempted to genuinely help I am exceptionally grateful, to those who want to help, but can't, I appreciate the concern, and to those who have simply been rude, like Tmagic and cranky, I'm a little upset.

I've come to a decision here, and am in the process of doing it. Unfortunately, no one was able to help my situation except myself, but that is alright =)

I understand that a lot of the people on this forum have a method, and are very used to that method. Anything that deviates from that method leaves the zone of perfect understanding, and that makes it harder to help.

If I could simply follow the 8-step process as it was intended, I would have done that right off the bat. I however, have no way of doing that, and for the last 2 days I've been doing everything in my power to get to that position.

I thought that perhaps with this new breakthrough, the 8-step process was the next step. It wasn't.

I've spent far too long attempting to clear this Blue Screen of Death and have determined my final solution. Salvage my files (which I am thankfully able to do) and wipe the bloody thing clean.

However, first I have to make 100% certain that my files are clean. I just recently reset all permissions and ownership of all of my files. Having an unidentified bizarre user name with ownership of my files and full permissions to them does not seem like something I want =)

Again, thank you for everyone who tried to help me, I wish any of it had worked.

I am in the process of resolving it now, and won't need any further help (yet ^_^).
 