registry corruption due to services - vista won't load in normal mode

Discussion in 'Software' started by headmeetwall, Jun 18, 2011.

  1. headmeetwall

    headmeetwall Private E-2

    Ok, so here goes -

    I have a sony vaio laptop running vista home ultimate service pack 2 - I did have an argument with a virus a while back - but cleaned it up (or so I thought) but when I went to do windows updates a month or so later - everything went to hell....

    so I'm not sure if it was the update that made things go screwy, or I missed something in my virus removal, but I was pretty thorough and none of the scans I do now show any viral issues.

    Windows loads fine in safe mode, however what I can't do is change any settings (like stop the auto start on crash - etc) and have it save. I also can't set it to save any type of dump files. (grrrr)

    When I try to load in normal mode, I enter my password, and the welcome comes on, and a minute later I'm in BSOD land with an 8e error. I can't get the rest of the error, it flashes too fast. I don't see it pointing to anything specific.

    The sony tech guy, right as my 15 minutes of time ran out said it could be fixed, that my services are corrupting the registry not allowing windows to start - so they would have to repair the registry first, then look at the services...but for them to do it I'd have to give them my first born....or my entire bank account balance.

    not.

    I'm a registry editing novice - learning more and more but need a bigger geek to help me tackle this mess. I shouldn't have to go drastic and reinstall vista...

    I can't do a system restore - one of the things I had to turn off was the restore mode when I was cleaning the virus.

    Using the disk and trying startup repair produces nothing - says my os starts normally (it lies!!!! lol)

    thoughts? questions? sledgehammer I could borrow?
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you get into msconfig in safe mode? If so, go to the services tab and click the box to hide all MS services, then stop the rest. Also go to the start up tab and stop all of them. Now reboot and see if you can get into normal mode. If so, you will have to keep going back into msconfig and enabling services until you find the one that faults.
     
  3. headmeetwall

    headmeetwall Private E-2

    Nope - didn't work. Still BSODing

    When I disabled them (and applied - just in case you ask lol), it showed the date and time, when I go back in, that date disabled is gone - so I'm assuming any change I made didn't stick to start with so it still loads everything?

    To be more specific - all the non microsoft services show "stopped" (with the date gone), and everything on startup - the date is gone.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Give us the exact BSOD error message and hopefully one of us will be able to troubleshoot it.
     
  5. headmeetwall

    headmeetwall Private E-2

    here you go, I assumed I could skip the typical BSOD yadda yadda and go straight to the technical info:

    PITA since I can't get the setting to stick in safe mode to stop the auto restart - F8, restart, F8 restart...(bang bang bang)

    anyway, I did it a few times as the codes change a bit - I'm assuming it still points to the same problem though.

    #1

    0x0000008e (0xC0000005, 0x82C62759, 0x8EBAC91C, 0x00000000)

    creating crash dump....etc....
    **************
    #2

    0x0000008e (0xC0000005, 0x82C89759, 0xADF9E91C, 0x00000000)

    creating crash dump...etc..
    *****************************

    #3

    0x0000008e (0xC0000005, 0x82C8A759, 0xAAB3291C, 0x00000000)

    creating crash dump...etc....

    ****************************

    #4

    0x0000008e (0xC0000005, 0x82C88759, 0xAB0DD91C, 0x00000000)

    creating crash dump..etc...

    **************************************

    my codes are in your hands now....be gentle...
     
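    The four STOP lines above carry more information than the thread draws out of them. The following is an added example (not code from the thread or from any tool it mentions) that parses the lines as transcribed and decodes them using the Microsoft-documented layout of bug check 0x8E: parameter 1 is the exception code, parameter 2 the address of the faulting instruction, parameter 3 the trap frame, parameter 4 reserved. The closing page-offset check is this editor's own heuristic and is labelled as such in the code; the assumption that the install is 32-bit x86 is also labelled. Without the crash dump the poster could not save, the faulting address alone cannot be tied to a module name.

```python
"""Decode the STOP 0x8E lines posted in this thread.

Added example, not from the thread.  Bug check and NTSTATUS names are the
Microsoft-documented ones; the page-offset check at the end is the editor's
own heuristic.
"""
import re

# Constructed sample: the four STOP lines transcribed in the post above.
STOP_LINES = """
0x0000008e (0xC0000005, 0x82C62759, 0x8EBAC91C, 0x00000000)
0x0000008e (0xC0000005, 0x82C89759, 0xADF9E91C, 0x00000000)
0x0000008e (0xC0000005, 0x82C8A759, 0xAAB3291C, 0x00000000)
0x0000008e (0xC0000005, 0x82C88759, 0xAB0DD91C, 0x00000000)
"""

# Bug check codes with the "unhandled exception" family of names (documented).
BUGCHECK_NAMES = {
    0x0000001E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x0000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
}
# NTSTATUS codes commonly seen as parameter 1 of 0x8E (documented).
EXCEPTION_NAMES = {
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
}

STOP_RE = re.compile(
    r"0x([0-9A-Fa-f]{8})\s*\(\s*0x([0-9A-Fa-f]{8})\s*,\s*0x([0-9A-Fa-f]{8})"
    r"\s*,\s*0x([0-9A-Fa-f]{8})\s*,\s*0x([0-9A-Fa-f]{8})\s*\)"
)


def parse_stop_lines(text):
    """Return one dict per 'code (p1, p2, p3, p4)' line found in text."""
    crashes = []
    for m in STOP_RE.finditer(text):
        code, p1, p2, p3, p4 = (int(g, 16) for g in m.groups())
        crashes.append({"code": code, "params": (p1, p2, p3, p4)})
    return crashes


def describe(crash):
    """Name the bug check and, for 0x8E, lay out its documented parameters."""
    code = crash["code"]
    p1, p2, p3, p4 = crash["params"]
    info = {"bugcheck": BUGCHECK_NAMES.get(code, "0x%08X" % code)}
    if code == 0x8E:
        # Documented 0x8E layout: p1 exception code, p2 address of the faulting
        # instruction, p3 trap frame address, p4 reserved.
        info.update({
            "exception": EXCEPTION_NAMES.get(p1, "0x%08X" % p1),
            "fault_address": p2,
            "trap_frame": p3,
            "reserved": p4,
            # Assumption: 32-bit x86 without /3GB (the addresses are 8 hex digits),
            # where addresses >= 0x80000000 are kernel space.
            "fault_in_kernel_space": p2 >= 0x80000000,
        })
    return info


def fault_page_offsets(crashes):
    """Distinct low 12 bits (offset within a 4 KiB page) of the 0x8E faulting addresses."""
    return {c["params"][1] & 0xFFF for c in crashes if c["code"] == 0x8E}


def same_faulting_instruction(crashes):
    """Editor's heuristic, not a documented rule: if every crash faults at the same
    page offset while the upper address bits move, that is consistent with one
    instruction in a module loaded at a different base on each boot."""
    return len(crashes) > 1 and len(fault_page_offsets(crashes)) == 1


if __name__ == "__main__":
    crashes = parse_stop_lines(STOP_LINES)
    for c in crashes:
        print(describe(c))
    print("page offsets:", {hex(o) for o in fault_page_offsets(crashes)})
    print("same instruction each boot?", same_faulting_instruction(crashes))
```

    Run against the posted lines, every crash decodes to KERNEL_MODE_EXCEPTION_NOT_HANDLED with STATUS_ACCESS_VIOLATION at a kernel-space address, and all four faulting addresses end in 0x759, so the heuristic reports one recurring fault rather than four unrelated ones.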
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  7. headmeetwall

    headmeetwall Private E-2

    I found that the other day - Reimage is almost $60 bucks if you want it to repair anything, and looking at reviews for it - meh. If I HAAAVE to I will....but to spend $60 with no real guarantees....:p

    I tested my RAM with memtest86 and didn't find any issues, ran the typical scans via command prompt for the HD and it didn't detect anything bad, I have a couple of exclamation points in the device manager under network adapters (6TO4, and ISATAP adapters 16, 7 & 9) but again, research (as well as the uninstall reinstall rollback etc) didn't seem to indicate that was a big issue.

    My BSODs aren't pointing to any .sys file specifically, but I did uninstall then reinstall sp2 - didn't fix anything.

    tdsskiller DID find a rootkit a long time ago - and repaired it - but that was before this problem started happening.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I was looking for a catch. Oh, well. Onward and upward. Did you recently install any new hardware?
     
  9. headmeetwall

    headmeetwall Private E-2

    nope - no hardware
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Updated your drivers?
     
  11. headmeetwall

    headmeetwall Private E-2

    after this happened - thinking it might be driver related, I went through the device manager and went one by one checking all of them, reinstalled the video driver, and the SATA - reinstalled my dvd driver since it wasn't working in safe mode (does now)....

    but nothing BEFORE the problem.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am at a loss. Maybe someone else can help you with this. Have you tried doing a system restore?
     
  13. headmeetwall

    headmeetwall Private E-2

    my restore points are gone - I had disabled it and deleted my restore points when I cleaned the virus. After I cleaned it I re-enabled and created a restore point, and had a few thereafter - but after it went all hooey with the windows updates, system restore would only work if I used it via the install disk (still shows it as offline in safe mode and won't work with command prompts) and when I brought it up - all my restore points were missing.

    No clues from the BSOD error messages huh?

    At least I don't feel so bad that I'm so frustrated...
     
    Last edited: Jun 18, 2011
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I've asked that someone else look at this. In the meantime, do you have your important data and files backed up in case you need to reinstall?

    And are we certain that you are malware free??
     
  15. headmeetwall

    headmeetwall Private E-2

    I'm working on my backup now - since I'm starting to think I may have to (sigh) reinstall...I'm still holding out some hope.

    Malaware (paid version), Eset online scanner, tdsskiller, adaware - all come up clean

    something else I should maybe run?
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That probably covered the bases. Although Ad-aware is basically worthless these days. I would have figured that TDSSKiller would have been the one to find a cause. If it's clean, then it is back to maybe drivers. Sigh. Again, hopefully someone else will have a clue.
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you run combofix.exe so we can see if there are locked reg. keys?
     
  18. headmeetwall

    headmeetwall Private E-2

    I'll give it a shot!
     
  19. headmeetwall

    headmeetwall Private E-2

    AH HA! there are...

    although now we get into the stuff I'm a novice at - are they leftover from the virus I had that for some reason didn't get detected? Or something else?
     

    Attached Files:

  20. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    headmeetwall

    *With the number of deletions ComboFix made (including a Trojan.agent), "Orphans Removed", and "Locked Registry Keys" - it's best that you do this to search for further malware:

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide

    and then attach the requested logs in a new thread in our Malware Removal Forum when you finish these instructions.

    dr.m
     
    Last edited: Jun 18, 2011
  21. headmeetwall

    headmeetwall Private E-2

    wheee - this just gets funner and funnerer...

    and it is off to the Malware Forum

    TIM! THANK YOU for your initial help!!!!
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's do this while I go look for your malware thread:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\srv1790]
    
    RegLock::
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Attach the new log.
     
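    The CFScript above uses ComboFix's own notation for registry work: a `[-key]` line under `Registry::` deletes a key (the same convention as a .reg file), and each `RegLock::` entry lists the key, its explicit Deny and Allow entries as `@Denied:`/`@Allowed:` lines, and any values, separated by a lone `.`. The following is an added example, not ComboFix's code or anything from the thread, that parses that notation so the locked keys can be reviewed in bulk. The letter codes in parentheses such as `(A)` and `(B 1 2 3 4 5)` are ComboFix shorthand for access rights; their meaning is not documented on this page, so they are kept as opaque strings. S-1-5-20 is the well-known SID for NT AUTHORITY\NETWORK SERVICE. One caveat worth checking on the machine itself: every key in the script lives under ControlSet002, and HKLM\SYSTEM\Select\Current records which numbered control set the running system actually uses.

```python
"""Parse the ComboFix CFScript / RegLock notation used in this thread.

Added example; not ComboFix's own code.  Rights codes such as "(A)" and
"(B 1 2 3 4 5)" are ComboFix shorthand whose meaning this page does not
document, so they are stored verbatim rather than interpreted.
"""
import re

# Constructed sample: the Registry:: line and two of the twelve RegLock entries
# from the script posted above.
CFSCRIPT_SAMPLE = r"""
KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\srv1790]

RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"""

# Well-known SIDs (Microsoft-documented) so the log reads as principal names.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": r"NT AUTHORITY\SYSTEM",
    "S-1-5-19": r"NT AUTHORITY\LOCAL SERVICE",
    "S-1-5-20": r"NT AUTHORITY\NETWORK SERVICE",
    "S-1-5-32-545": r"BUILTIN\Users",
}

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<path>HKEY_[A-Z_]+\\[^\]]+)\]$")
ACE_RE = re.compile(r"^@(?P<kind>Denied|Allowed):\s*\((?P<rights>[^)]*)\)\s*\((?P<who>[^)]*)\)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<type>[a-z_]+):(?P<data>.*)$')


def parse_cfscript(text):
    """Return one dict per key: section, path, delete flag, ACEs and values."""
    entries, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == ".":                      # entry separator inside RegLock::
            cur = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section, cur = m.group("name"), None
            continue
        m = KEY_RE.match(line)
        if m:
            cur = {"section": section, "key": m.group("path"),
                   "delete": bool(m.group("minus")),   # [-key] deletes, as in a .reg file
                   "denied": [], "allowed": [], "values": {}}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = ACE_RE.match(line)
        if m:
            who = m.group("who")
            ace = {"rights": m.group("rights"), "principal": WELL_KNOWN_SIDS.get(who, who)}
            cur["denied" if m.group("kind") == "Denied" else "allowed"].append(ace)
            continue
        m = VALUE_RE.match(line)
        if m:
            cur["values"][m.group("name")] = (m.group("type"), m.group("data"))
    return entries


def locked_keys(entries, principals=("Users", "Everyone")):
    """RegLock keys carrying an explicit Deny for every one of the named principals."""
    out = []
    for e in entries:
        if e["section"] != "RegLock":
            continue
        denied = {a["principal"] for a in e["denied"]}
        if all(p in denied for p in principals):
            out.append(e["key"])
    return out


def control_set(path):
    """Numbered control set named in an HKLM SYSTEM path, or None (e.g. CurrentControlSet)."""
    m = re.search(r"\\System\\(ControlSet\d{3})\\", path, re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT_SAMPLE)
    for key in locked_keys(parsed):
        print("locked:", key, "in", control_set(key))
```

    On the sample, both RegLock keys report Users and Everyone denied with only NETWORK SERVICE allowed, and both resolve to ControlSet002, which is what to compare against Select\Current before assuming the script touches the control set that is actually booting.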
  23. headmeetwall

    headmeetwall Private E-2

    Tim - I'm still doing the scans for the malware post - I couldn't keep my eyes open any longer last night lol

    I'll do this after I'm done - I'm in the middle of root repeal - have MG next....
     
    Last edited: Jun 19, 2011
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem, as this will carry over to your malware thread. ;)
     
  25. headmeetwall

    headmeetwall Private E-2

    ok, malware thread is up - I tried to run combofix with the kill file you created, it would run but would reboot my system at the end (couldn't catch what it said specifically) and since I crash at normal startup - it didn't save a log. I had to run it without the script to get a log for the malware thread.
     
