Windows Vista BSOD on normal boot

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Aperantos, May 21, 2011.

  1. Aperantos

    Aperantos Private E-2

    A family member asked if I could take a look at their computer to see if it is recoverable. They informed me that someone else attempted to clean it up first so I am not sure of what was done to it before it reached my hands.

    Computer Specs:
    Dell Inspiron 1545
    Windows Vista 32-bit
    2.0 Ghz Dual-Core CPU
    4 GB RAM

    The problem:
    When attempting to boot the machine normally, after signing into the user account the computer crashes and the BSOD screen appears with the following error code:

    STOP 0x0000008E (0xC0000005,…. ,….., 0x00000000)
    The first and last error codes within the parentheses are always the same, whereas the middle two change.

    Booting into safe mode appears to work fine.

    What I have done:
    Used a Windows Vista recovery disc to perform the following:
    1. Repair Windows startup - This step found nothing wrong with the startup.
    2. Ran chkdsk on the C: drive - This step found nothing wrong with the hard drive.
    3. Ran memory test - nothing wrong was found.
    4. Ran bootrec.exe /fixmbr

    I ran CCleaner to repair the registry as well as to cleanup the temp IE files.

    I attempted to sign into safe mode so I could change the BSOD settings so that it would create a minidump file; however, the setting kept reverting back to what it was after I rebooted. The same thing happened when I attempted to turn off UAC, which made the next steps difficult.

    I signed into safemode with network and attempted to perform the MajorGeeks Malware removal process. I am attaching the log files that resulted from the various programs.

    I appreciate any help you can give me to find a solution to this problem.
     


  2. Aperantos

    Aperantos Private E-2

    Here are the remaining two log files that were created during the malware removal troubleshooting process.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Users\vhendri\AppData\Local\ep448752qdfhri3u7lx2ad6ed5m88uy4
    C:\Users\vhendri\AppData\Local\Lyexiyi.dat
    C:\Users\vhendri\AppData\Local\Rhowuqotolixa.bin
    C:\Users\vhendri\AppData\Roaming\Microsoft\Windows\Templates\ep448752qdfhri3u7lx2ad6ed5m88uy4
    C:\ProgramData\ep448752qdfhri3u7lx2ad6ed5m88uy4
    C:\Users\vhendri\AppData\Roaming\Sun\kbmovm.dll
    
    Folder::
    C:\ProgramData\AVAST Software
    C:\ProgramData\Norton
    C:\ProgramData\NortonInstaller
    C:\Program Files\AVAST Software
    C:\Program Files\NortonInstaller
    C:\Program Files\Norton Internet Security
    C:\$AVG8.VAULT$
    
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "lpc"=-
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run this:
    TDSSkiller - How to run

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:
    * TDSSKiller log
    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. Aperantos

    Aperantos Private E-2

    Ok, I completed the requested scans. The only snag I seemed to encounter was during the combofix. The machine suddenly rebooted during the scan. I also didn't see the combofix.txt located in the path you specified. Instead I found it in C:\Combofix\combofix.txt. I have attached the log just in case this is the correct file. All the other scans completed without a problem. Please let me know what else needs to be done.

    Thank you for the assistance.
     


  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Leave a description of how things are running for TimW to see. :)
     
  6. Aperantos

    Aperantos Private E-2

    Well, the computer is still displaying a BSOD during normal boot. I am still only able to sign in using safe mode. That's currently how things are running.
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\ProgramData\16655c
    C:\ProgramData\c23480
    C:\ProgramData\fabd04
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (right click and Run As Administrator if using Vista or Windows 7). Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  8. Aperantos

    Aperantos Private E-2

    OK, I have attached the new logs. I noticed after ComboFix ran and my computer restarted that I was prompted to install a driver. However, I was not able to capture what driver it was asking for, as my laptop's battery died and shut down before I was able to record it. The next time I booted up the laptop I was not prompted again for the driver.

    Current status of laptop: Still displays a BSOD during normal boot after login. Safemode continues to work.
     


  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :dir
      C:\ProgramData\16655c
      C:\ProgramData\c23480
      C:\ProgramData\fabd04
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  10. Aperantos

    Aperantos Private E-2

    Attached is the systemlook.txt file as requested
     


  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can delete those three files:
    C:\ProgramData\16655c
    C:\ProgramData\c23480
    C:\ProgramData\fabd04

    Boot into safe mode and go to msconfig. Check the Startup tab and disable everything. Boot back into normal mode and see if you still get the BSODs. Let me know.
     
  12. Aperantos

    Aperantos Private E-2

    I deleted the three folders specified. I disabled all startup items in msconfig. When I signed into normal mode I received the BSOD screen again. I proceeded to sign back into safe mode and checked msconfig again, and all the settings that were disabled are now re-enabled, as if the settings didn't stick. I disabled them a second time, just in case, but received the same result.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    While in Safe Mode, click Start, then Run, type msconfig in the "Open" field, and click "Ok". Click on the "Services" tab. Tick the checkbox at the bottom to "Hide all Microsoft services" then click on "Disable All". Apply the change and reboot into Normal Mode. If you get another blue screen error, please note the number and see if there are any file names mentioned on the error screen.


    If the machine will run this way without a blue screen, go back in and enable one of the disabled services and let it run for a while again. Keep doing this until it blue screens again. The last service to be enabled will be the culprit. Let me know what that is...or if you have another blue screen before you enable any of them.
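    The service-isolation procedure TimW describes above (disable every non-Microsoft service, reboot, then re-enable them one at a time until the blue screen returns) is easy to lose track of by hand, because msconfig does not record what each service's start mode was before you changed it. The PowerShell helper below is an added example written for this thread; it is not code from MajorGeeks, from TimW, or from any tool mentioned here. It assumes an elevated PowerShell prompt in Safe Mode, that WMI's Win32_Service class is queryable, and a snapshot file path on the Desktop that is a placeholder you can change.

```powershell
# Added example, not code from the thread: snapshot, disable and restore the
# start mode of every non-Microsoft service so the bisection can be undone.
# Run elevated from Safe Mode. PowerShell 2.0 compatible syntax is used.
# Assumption: the snapshot path below is a placeholder you may change.

$SnapshotPath = Join-Path $env:USERPROFILE 'Desktop\service-snapshot.csv'

# Extract the executable from a service's PathName, which may be quoted and
# may carry arguments (for example: C:\Windows\system32\svchost.exe -k netsvcs).
function Get-ServiceExecutable {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+)')     { return $Matches[1] }
    return $null
}

# List services whose binary does not report Microsoft as its company name.
# This mirrors msconfig's "Hide all Microsoft services" filter. A binary that
# is missing or has no version information is treated as non-Microsoft so it
# is not silently skipped.
function Get-NonMicrosoftServices {
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $exe = Get-ServiceExecutable $svc.PathName
        $company = ''
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $company = [string](Get-Item -LiteralPath $exe).VersionInfo.CompanyName
        }
        if ($company -notmatch 'Microsoft') {
            New-Object PSObject -Property @{
                Name      = $svc.Name
                StartMode = $svc.StartMode   # Auto, Manual or Disabled
                Company   = $company
                Path      = $exe
            }
        }
    }
}

# Save the current start modes so every change below can be reversed.
function Save-ServiceSnapshot {
    Get-NonMicrosoftServices | Export-Csv -NoTypeInformation -Path $SnapshotPath
    Write-Host "Snapshot written to $SnapshotPath"
}

# Disable every non-Microsoft service that is not already disabled.
function Disable-NonMicrosoftServices {
    foreach ($s in Get-NonMicrosoftServices) {
        if ($s.StartMode -ne 'Disabled') {
            Set-Service -Name $s.Name -StartupType Disabled
            Write-Host "Disabled $($s.Name) (was $($s.StartMode))"
        }
    }
}

# Restore start modes from the snapshot. Passing -Only with one service name
# is the "enable one, run for a while, repeat" loop from the instructions.
function Restore-ServiceSnapshot {
    param([string[]]$Only)
    $map = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }
    foreach ($row in Import-Csv -Path $SnapshotPath) {
        if ($Only -and ($Only -notcontains $row.Name)) { continue }
        if ($map.ContainsKey($row.StartMode)) {
            Set-Service -Name $row.Name -StartupType $map[$row.StartMode]
            Write-Host "Restored $($row.Name) to $($map[$row.StartMode])"
        }
    }
}

# Typical sequence: snapshot first, disable, reboot into Normal Mode, and if
# the machine stays up, restore one service at a time between reboots:
#   Save-ServiceSnapshot
#   Disable-NonMicrosoftServices
#   Restore-ServiceSnapshot -Only 'SomeServiceName'
```

    The snapshot CSV is the important part: if the system blue-screens before you can re-enable anything, as happened later in this thread, `Restore-ServiceSnapshot` with no `-Only` argument puts every service back exactly as it was, and the CSV itself is a useful record of which third-party services and binaries were present when the problem began.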
     
  14. Aperantos

    Aperantos Private E-2

    I was really hopeful for this step but it appears that disabling the non-Microsoft services resulted in the BSOD once again so I was unable to continue with the process of enabling services one by one. The BSOD screen is displaying the same code with no additional information.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete:
    C:\Users\vhendri\AppData\Roaming\Sun\kbmovm.dll

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * C:\MGlogs.zip

    We may need to send you to the software forum for your BSOD issues.
     
  16. Aperantos

    Aperantos Private E-2

    I have completed all the requested steps you provided, please see my comments listed below.

    The reg file was successfully added to the registry.

    I normally receive the Accept button for HijackThis at least once; however, this time when I ran it I didn't receive any agreement window to accept. In any case, I attached the log as requested.

    Current System Status: Still receiving BSOD
     


  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. At this point I suggest you post in the software forum for help with your BSOD issues.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


     
  18. Aperantos

    Aperantos Private E-2

    Thank you very much for all of your assistance on this laptop. Even though we were not able to get it working I have gained an increased insight on how to troubleshoot further than I had previously done. I have spoken with the owner of the laptop and suggested that we just do a backup of their files and then use the System restore partition to reset to the factory default of windows. There is no need for additional support and this thread can be closed. Again thank you for your persistence and fast responses.
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
