WinXP SP3 Gets STOP code after removal of Thinkpoint


I followed instructions on Bleepingcomputer.com to remove Thinkpoint rogue antivirus. This included running Malwarebytes Antimalware. After removal, the system starts to boot (I get the Windows splash screen) and then gets a STOP code c000021a {Fatal System Error}. The Windows logon process system process terminated unexpectedly with a status of 0xc0000005 (0x0000000,0x0000000).

I have done a system repair with the Windows CD but still get the stop code. I can boot to a Hirens Boot CD and then select "Boot from Hard Drive" and this will take me into Windows and everything appears normal. If I boot into safe mode, it starts loading the drivers and then stops after loading MUP.SYS, then giving me the stop code.

Any ideas?

Thanks,

Roger

Link to post
Share on other sites

Hi Roger, we do not support the use of Hirens boot CD, since it contains copyrighted files and contains copyrighted software/software that is used to circumvent existing security measures.

However, if you have an XP CD we can create another disk. If not, we'll use a Linux-based CD.

Link to post
Share on other sites

Yes, I have the Windows XP Home SP3 CD.

Thanks,

Roger

Link to post
Share on other sites

Hi, please try this:

Let's try to boot your computer using a Boot CD.

Please print this guide for future reference!

You will need a blank CD, your Windows XP install disc, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop

http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe

  • Double-Click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.

2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive

  • Double-Click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source: (path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
      • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank.
      • Output:
        • Keep the default
    • Media output
      • Choose Create ISO image
      • Do not choose Burn to CD/DVD
  • Download the RunScanner plugin and save it to your desktop

    http://www.paraglidernc.com/Files/RunScanner10025.cab

    Please note: You will be prompted for the folder that it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!

  • Press the Plugin button on the PE Builder interface
  • Press the Add button and navigate to the location of the RunScanner plugin to install
  • Please note: If you are using a Windows XP disc with SP2 then highlight RpcSS needs to launch DComLaunch and then press Enable
  • When you're done press Close and the PE Builder interface will re-appear

3. Click on the "Build" button

  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit

4. Burn your ISO file to CD

==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.

http://oldtimer.geekstogo.com/OTLPE.zip

http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created

  • Insert the CD into one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on No
  • After it loads press the Go button in the lower left and do this....
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768

    Next choose....

    • Go
    • Programs
    • A43 File Management Utility

==========

In A43 File Management you should see your flash drive

Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.cmd.

  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start
    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to Use Safelist
    • Uncheck LOP and Purity check

    Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "ok" and allow the program to continue. <-- Important!!

  • Push the Run Scan button
  • A report will open named "OTL.txt" and another will be minimized to the system tray named "Extra.txt". Save both logs to your flash drive. Copy and Paste them in your next reply.

Link to post
Share on other sites

Thanks! It worked and I have attached both TXT files to this reply.

Roger

OTL.Txt

Extras.Txt

Link to post
Share on other sites

Well done. ;)

Quite some malware showing there; let's remove what jumps in the eye, and see if it will boot afterwards.

Please rerun OTL, copy/paste the following text into the "custom scan/fix" field and click Run Fix.

:otl
O20 - HKU\Dominic_ON_C Winlogon: Shell - (C:\Documents and Settings\Dominic\Application Data\hotfix.exe) - C:\Documents and Settings\Dominic\Application Data\hotfix.exe File not found

:files
c:\windows\tasks\at*.job

:commands
[emptytemp]

Please let me know if you still get the BSOD now.

Link to post
Share on other sites

Hi,

I ran the fix, but unfortunately, I still get the same stop code and BSOD. I've attached the log file.

Thanks!

Fixed_11302010_122617.txt

Link to post
Share on other sites

Please rerun OTLPE, copy/paste the following and click the NONE button and then Run Scan. Post me the resulting log.

HKU\Dominic_ON_C Winlogon\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

OK. I've attached Extras-2.txt, from the previous run that I forgot to upload last time and OTL_3.txt from this latest run.

Roger

Extras_2.Txt

OTL_3.Txt

Link to post
Share on other sites

Thanks, Elise. Here is the latest log:

OTL logfile created on: 12/1/2010 8:02:55 AM - Run

OTLPE by OldTimer - Version 3.1.43.0 Folder = D:\OTLPE

Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 89.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 98.00% Paging File free

Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 298.09 Gb Total Space | 107.60 Gb Free Space | 36.10% Space Free | Partition Type: NTFS

Drive D: | 953.58 Mb Total Space | 149.69 Mb Free Space | 15.70% Space Free | Partition Type: FAT

Drive X: | 159.37 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: MININT-JVC | User Name: SYSTEM

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

Using ControlSet: ControlSet001

========== Custom Scans ==========

< HKU\Dominic_ON_C\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >

"ParseAutoexec" = 1

"ExcludeProfileDirs" = Local Settings;Temporary Internet Files;History;Temp

"BuildNumber" = 2600

"Shell" = C:\Documents and Settings\Dominic\Application Data\hotfix.exe -- File not found

< End of report >

Link to post
Share on other sites
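An added example, not part of the original thread and not OTL's own code: a small parser for the custom-scan section of the log above that flags the per-user Winlogon Shell value, which replaces explorer.exe as that user's shell. The sample text is constructed from the posted log; the list of user-writable directories and the wording of the findings are assumptions.

```python
import re
# Constructed sample: the custom-scan section of the OTL log in the thread.
SAMPLE_LOG = r'''
========== Custom Scans ==========
< HKU\Dominic_ON_C\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >
"ParseAutoexec" = 1
"Shell" = C:\Documents and Settings\Dominic\Application Data\hotfix.exe -- File not found
< End of report >
'''

SECTION_RE = re.compile(r'^<\s*(.*?)\s*>$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
NOT_FOUND = ' -- File not found'
# Assumption: XP-era profile directories a standard user can write to.
USER_WRITABLE = ('\\application data\\', '\\local settings\\temp\\')

def parse_custom_scan(text):
    """Return {registry_key: {value_name: data}} from OTL custom-scan output."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION_RE.match(line)
        if section:
            name = section.group(1)
            # Only "< HK... >" headers open a key; "< End of report >" closes it.
            current = keys.setdefault(name, {}) if name.upper().startswith('HK') else None
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            current[value.group(1)] = value.group(2)
    return keys

def audit_winlogon_shell(keys):
    """Flag Winlogon Shell values that replace or shadow explorer.exe."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith('\\winlogon') or 'Shell' not in values:
            continue
        data = values['Shell']
        missing = data.endswith(NOT_FOUND)
        path = (data[:-len(NOT_FOUND)] if missing else data).strip()
        reasons = []
        if key.upper().startswith('HKU\\'):
            reasons.append('per-user Shell override')
        if path.lower() != 'explorer.exe':
            reasons.append('shell is not explorer.exe')
        if any(d in path.lower() for d in USER_WRITABLE):
            reasons.append('target in user-writable directory')
        if missing:
            reasons.append('target file missing')
        if reasons:
            findings.append({'key': key, 'path': path, 'reasons': reasons})
    return findings
```

Calling `audit_winlogon_shell(parse_custom_scan(SAMPLE_LOG))` returns one finding for the Dominic hive; a machine-wide key whose Shell is `Explorer.exe` returns none.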

Please run the following fix and let me know how things are afterwards:

:otl
SRV - [2010/11/28 02:08:03 | 000,396,160 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand] -- C:\Documents and Settings\Owner\Local Settings\Temp\OJ.exe -- (OJ)

I ran the fix (with NONE) selected. Still get the same stop code. Here is the log:

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OJ deleted successfully.

File C:\Documents and Settings\Owner\Local Settings\Temp\OJ.exe not found.

OTLPE by OldTimer - Version 3.1.43.0 log created on 12012010_141607

Thanks.

Link to post
Share on other sites

Hi again,

  • Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your XP-CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • When prompted to choose a Windows installation, type 1 and press enter.
  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.
  • A command prompt will open

Type fixmbr and press enter.

Type EXIT and press enter to reboot. Let me know what happens.

Link to post
Share on other sites

Hi Roger, I'm glad to hear that.

Thinkpoint often comes bundled with the TDL4 rootkit which alters the MBR in order to load.

However, there is still quite some other malware present in the OTL logs.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[Image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Log.txt in your next reply.

Link to post
Share on other sites
