BSOD After Removal

Hello Everyone.

Machine was infected with some obnoxious toolbars. Just an annoyance, I thought... Ran MWB... All went well. Found 28 things..... I didn't even look to see what they were, honestly; I never have any trouble and trust the product. Removed all, it tells me to reboot and I do so. Well, now all I get is a BSOD after (goes by in less than 2 seconds). I can't read the BSOD fully. Safe Mode, Command Prompt, Last Known all just restart. I assume this means that there has been some MBR infection that MWB doesn't mess with, but it removed other pieces of the infection and now.... well, I'm at my wits' end.

Win XP 32-bit
SP3
Malwarebytes and MSE are the only tools on it.

I attempted a FIXMBR and FIXBOOT from the Recovery Console.... I got the message that the MBR was not normal, did I want to do it anyway? I said yes. No change.

Went back to the Recovery Console and ran bootcfg /scan, but the scan can't complete.

Chkdsk ran, no errors. All hardware passes Eurosoft tests.

Any tips or pointers?


I assume you're accessing the Recovery Console via your XP CD; if so, do the following from the RC.

When you reach the command line in the Recovery Console, type the following command and then press Enter:

bootcfg /rebuild

The bootcfg utility will scan your hard drives for any Windows XP installations and then display the results. Follow the remaining steps to add your Windows XP installation to the boot.ini file.

The first prompt asks: Add installation to boot list? (Yes/No/All).
Type Y in response to this question and press Enter.

The next prompt asks you to Enter Load Identifier:.
This is the name of the operating system. For example, type Windows XP Professional or Windows XP Home Edition and press Enter.

The final prompt asks you to Enter OS Load options:.
Type /Fastdetect here and press Enter.

Take out the Windows XP CD, type exit and then press Enter to restart your PC. Does your PC boot OK?

Kevin


Hey Kevin,

Thanks for the quick reply.

Here is what I get when I attempt bootcfg /rebuild:

    Scanning all disks for Windows installations.

    Error: Failed to successfully scan disks for Windows installations.
    This error may be caused by a corrupt file system, which would prevent Bootcfg from scanning. Use chkdsk to detect any disk errors.

This is the same error I got when doing bootcfg /scan, as /scan is implied, I believe, in all bootcfg commands.

Also, I put the HDD in another machine in order to do a backup and decided to get a copy of the Malwarebytes logs just to see what kicked my butt. Here is a copy of the log.

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.09.14.07
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
a :: CHECKOUT [administrator]
 
9/14/2013 11:52:17 AM
mbam-log-2013-09-14 (11-52-17).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 203099
Time elapsed: 2 minute(s), 53 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\5689 (Trojan.Agent.SVC) -> Quarantined and deleted successfully.
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 1
HKCR\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32| (Hijack.SHELL32) -> Bad: (\\?\globalroot\Device\HarddiskVolume1\DOCUME~1\a\AppData\Local\Temp\swientr\svrtcob\wow.dll) Good: (SHELL32.dll) -> Quarantined and repaired successfully.
 
Folders Detected: 7
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\lib (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spbd (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spsd (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
 
Files Detected: 28
C:\Documents and Settings\a\Application Data\KB2536276\KB2536276.pif (Spyware.Zeus) -> Quarantined and deleted successfully.
C:\Documents and Settings\a\Application Data\KB974571\KB974571.pif (Spyware.Zeus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ati2evxx.exe (Trojan.Agent.124Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\a\awt43abr.exe (Trojan.Lameshield.124) -> Quarantined and deleted successfully.
C:\Documents and Settings\a\a43vtzgbdgv.exe (Exploit.Drop.GS) -> Quarantined and deleted successfully.
C:\Documents and Settings\a\wgsdgsdgdsgsd.exe (Exploit.Drop.GS) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\Security Center Update - 2544144429.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\nsprotector.js (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\abstraction.js (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\application.js (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\popupTransparent.xul (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\dialogsApi.js (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\lib\jquery.min.js (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\lib\json2.js (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.css (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.js (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spbd\main.html (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\information.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-LTR.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-RTL.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-LTR.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-RTL.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spsd\main.html (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spsd\SearchProtector.css (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spsd\settings.js (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\ok-button.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\separation-line.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\warning.png (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
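The log above is the only record of what changed on the box before the BSOD, so a practical first step is to sort its 37 entries by whether they touched something Windows needs at boot. What follows is an added example, not code from the original post or from Malwarebytes: a parser for the mbam-log-*.txt line format plus a triage heuristic of my own (a deleted key under CurrentControlSet\Services and a file deleted from system32 are flagged; the repaired CLSID and the profile, task and PUP entries are not). The sample input is five lines copied from the log above. The script does not diagnose the crash; it only says which quarantined items to compare against known-good copies or restore from quarantine first.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: five entries copied verbatim from the log posted above.
# Feed the whole mbam-log-*.txt to parse_mbam_log() for the real thing.
SAMPLE_LOG = r"""
Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\5689 (Trojan.Agent.SVC) -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCR\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32| (Hijack.SHELL32) -> Bad: (\\?\globalroot\Device\HarddiskVolume1\DOCUME~1\a\AppData\Local\Temp\swientr\svrtcob\wow.dll) Good: (SHELL32.dll) -> Quarantined and repaired successfully.

Files Detected: 3
C:\WINDOWS\system32\ati2evxx.exe (Trojan.Agent.124Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\Security Center Update - 2544144429.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\a\awt43abr.exe (Trojan.Lameshield.124) -> Quarantined and deleted successfully.
"""

# "<Section> Detected: <n>" headers, then one detection per line:
#   <target> (<signature>) -> [Bad: (<old>) Good: (<new>) -> ]<action>.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: \d+$")
ENTRY_RE = re.compile(
    r"^(?P<target>.+?) \((?P<sig>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>Quarantined and (?:deleted|repaired) successfully)\.$"
)


@dataclass
class Detection:
    section: str
    target: str
    signature: str
    action: str
    bad: Optional[str] = None   # only for "Registry Data Items": the value before repair
    good: Optional[str] = None  # the value MBAM wrote back

    @property
    def boot_risk(self) -> str:
        """Coarse triage label: does this removal touch something Windows loads at boot?
        The categories are this example's own heuristic, not an MBAM classification."""
        t = self.target.upper()
        if t.startswith("HKLM\\SYSTEM\\") and "\\SERVICES\\" in t:
            return "service-or-driver-key"   # a deleted CurrentControlSet\Services entry
        if "\\WINDOWS\\SYSTEM32\\" in t:
            return "system32-file"           # a deleted file in the system directory
        if self.signature.startswith("Hijack.") and self.good:
            return "com-hijack-repaired"     # InProcServer32 pointed back at the real DLL
        return "user-land"                   # profile files, scheduled tasks, PUP folders


def parse_mbam_log(text: str) -> List[Detection]:
    found: List[Detection] = []
    section = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = ENTRY_RE.match(line)
        if m:
            found.append(Detection(section, m["target"], m["sig"], m["action"], m["bad"], m["good"]))
    return found


def boot_relevant(detections: List[Detection]) -> List[Detection]:
    """The entries worth checking first when a clean-up is followed by a BSOD."""
    return [d for d in detections if d.boot_risk != "user-land"]


if __name__ == "__main__":
    for d in boot_relevant(parse_mbam_log(SAMPLE_LOG)):
        print(f"{d.boot_risk:24} {d.signature:22} {d.target}")
```

Run against the full log, this leaves three lines to look at: the deleted service key 5689, the repaired SHELL32 CLSID (wow.dll loaded from a Temp folder in place of SHELL32.dll), and the file deleted from system32. Everything else in the log lives under Documents and Settings or the Tasks folder and cannot stop XP from reaching the desktop.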

See if you can access System Restore via the Recovery Console. Boot to the RC again from your XP CD, then do the following:

At the C:\Windows> prompt type: cd system32\config
Once in this directory type: ren system system.bak
Once the file has been renamed type: cd \
At the C:\> prompt type: cd system~1
* If you get an "Access Denied" error, type exit and let the system reboot. Try getting into this directory again by starting over.
In the system~1 directory type: cd _resto~1
In the _resto~1 directory type: dir
* If available, this will list each of the Restore Point folders. They'll be named rpX, where X is a number. The highest number will be the latest restore point and the lowest the oldest. Pick the earliest restore point; for example, if you have RP1 through RP7 go into the RP1 directory.
Go into the RP directory you wish to restore by typing: cd rpX, where X is the number of the RP you want to use
In the RP directory type: cd snapshot
Finally type: copy _registry_machine_system C:\Windows\system32\config\system
After the file has copied successfully, type exit and let the computer reboot normally to see if this resolves your issue.

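The same hive swap can be done offline from the other machine the drive was already moved into, which sidesteps the Recovery Console's "Access Denied" on system~1. This is an added example, not code from the post or from Microsoft: it walks System Volume Information for RPn folders that still hold a snapshot, selects a restore point by timestamp (here the newest one created before the scan time in the log, 9/14/2013 11:52:17, rather than the lowest number the post picks; pass whatever cut-off you trust), renames config\system to system.bak and copies the snapshot's _registry_machine_system over it, i.e. the post's ren and copy commands. Assumptions: the volume is mounted with System Volume Information readable (on Linux with ntfs-3g as root; a Windows host normally denies access to that folder), the RPn folder's modification time is close enough to its creation time to select by, and the tree built by build_demo_volume is constructed demo data, not a real drive.

```python
import os
import re
import shutil
import tempfile
from datetime import datetime
from typing import List, NamedTuple, Optional

RP_DIR_RE = re.compile(r"^RP(\d+)$", re.IGNORECASE)
HIVE_NAME = "_registry_machine_system"                     # the file the post copies over config\system
CONFIG_REL = os.path.join("WINDOWS", "system32", "config")


class RestorePoint(NamedTuple):
    number: int
    created: datetime   # assumption: the RPn folder's mtime approximates its creation time
    hive_path: str      # .../RPn/snapshot/_registry_machine_system


def find_restore_points(volume_root: str) -> List[RestorePoint]:
    """Enumerate RPn folders under 'System Volume Information/_restore{...}' that still hold a SYSTEM hive."""
    svi = os.path.join(volume_root, "System Volume Information")
    points: List[RestorePoint] = []
    if not os.path.isdir(svi):
        return points
    for store in os.listdir(svi):
        if not store.lower().startswith("_restore"):
            continue
        store_path = os.path.join(svi, store)
        for name in os.listdir(store_path):
            m = RP_DIR_RE.match(name)
            rp_path = os.path.join(store_path, name)
            hive = os.path.join(rp_path, "snapshot", HIVE_NAME)
            if m and os.path.isfile(hive):
                created = datetime.fromtimestamp(os.path.getmtime(rp_path))
                points.append(RestorePoint(int(m.group(1)), created, hive))
    return sorted(points, key=lambda p: p.number)


def choose_restore_point(points: List[RestorePoint], before: datetime) -> Optional[RestorePoint]:
    """Newest restore point created strictly before `before`, e.g. the scan time in the MBAM log."""
    older = [p for p in points if p.created < before]
    return older[-1] if older else None


def restore_system_hive(volume_root: str, point: RestorePoint, dry_run: bool = True) -> str:
    """The post's 'ren system system.bak' followed by 'copy _registry_machine_system ...', done offline."""
    config = os.path.join(volume_root, CONFIG_REL)
    live = os.path.join(config, "system")
    backup = os.path.join(config, "system.bak")
    if not dry_run:
        if os.path.exists(backup):
            raise FileExistsError(f"refusing to overwrite earlier backup {backup}")
        os.rename(live, backup)
        shutil.copy2(point.hive_path, live)
    return live


def build_demo_volume(root: str) -> None:
    """Constructed demo tree, not real data: a live hive plus RP1, RP5 and RP12 with known timestamps."""
    config = os.path.join(root, CONFIG_REL)
    os.makedirs(config)
    with open(os.path.join(config, "system"), "wb") as f:
        f.write(b"live-hive")
    store = os.path.join(root, "System Volume Information", "_restore{DEMO-GUID}")
    stamps = [(1, datetime(2013, 9, 1)), (5, datetime(2013, 9, 10)), (12, datetime(2013, 9, 14, 12, 30))]
    for n, when in stamps:
        rp = os.path.join(store, f"RP{n}")
        os.makedirs(os.path.join(rp, "snapshot"))
        with open(os.path.join(rp, "snapshot", HIVE_NAME), "wb") as f:
            f.write(f"hive-RP{n}".encode())
        ts = when.timestamp()
        os.utime(rp, (ts, ts))   # set last, since populating the folder bumps its mtime


def run_demo() -> dict:
    """Pick the newest point older than the scan time in the log (9/14/2013 11:52:17) and swap the hive in."""
    root = tempfile.mkdtemp(prefix="xpvol-")
    try:
        build_demo_volume(root)
        points = find_restore_points(root)
        chosen = choose_restore_point(points, before=datetime(2013, 9, 14, 11, 52, 17))
        live = restore_system_hive(root, chosen, dry_run=False)
        with open(live, "rb") as f:
            restored = f.read()
        with open(os.path.join(root, CONFIG_REL, "system.bak"), "rb") as f:
            backed_up = f.read()
        return {"numbers": [p.number for p in points], "chosen": chosen.number,
                "restored": restored, "backup": backed_up}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

On a real volume call find_restore_points("/mnt/xp") and choose_restore_point(..., before=<date the toolbars appeared>), and run restore_system_hive with dry_run=True first to see which file would be replaced. The snapshot folder also holds the other hives under the same naming (_registry_machine_software, _registry_machine_sam, _registry_machine_security, _registry_user_.default); HIVE_NAME is deliberately left as the single hive the post restores.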

Probably the best way forward is a repair install of the OS.....

1. Place your XP CD in the tray and reboot; as it boots you should see the "Press any key to boot from CD" screen.

2. When the Press any key to boot from CD message is displayed on your screen, press a key to start your computer from the Windows XP CD. If you do not see that screen you will have to change the boot order in the BIOS.

3. Press ENTER when you see the message To setup Windows XP now, and then press ENTER displayed on the Welcome to Setup screen.

4. Do NOT choose the option to press R to use the Recovery Console.

5. In the Windows XP Licensing Agreement, press F8 to agree to the license agreement.

6. Make sure that your current installation of Windows XP is selected in the box, and then press R to repair Windows XP.

Follow the instructions on the screen to complete Setup.

This will install your OS over the top of the original; no data should be lost that way. It is always prudent to back up any important data before you begin, from a Linux live CD or similar.

 

 


No, it will not be an issue; the system will revert back to SP2. After that is done you will have to update to SP3 again.... SP3 can be manually downloaded at the following link:

http://www.microsoft.com/en-us/download/details.aspx?id=24

Internet Explorer will also revert back to 6 or 7, depending on what was on your CD....
