Windows XP Machine - BSOD on Root Repeal

Discussion in 'Malware Help (A Specialist Will Reply)' started by jmorrison518, Dec 27, 2011.

  1. jmorrison518

    jmorrison518 Private E-2

    Hi,

    I am having some issues, and I hope that somebody can help...

    I have a Windows XP Laptop that I was getting various Symantec Notifications that I assumed were Malware related. Computer would boot up and run fine (although a bit slowly), but I would get occasional notifications from the Symantec Endpoint Protection blocking traffic from 192.168.1.1 (my router) as well as other unwanted traffic messages.

    Ran Super Anti Spyware - (it found a few cookies)
    Ran Malwarebytes - (It found nothing)
    Ran Combofix - midway through I got a "Windows must close the following program (rmbr.3xe)" message, but after I clicked "Don't Send" it ran the rest of the way through, and all seemed fine
    Ran RootRepeal - During RootRepeal, the computer blue screened and I haven't been able to get it to start up since. (even in Safe Mode)

    I have all of the logs saved, unfortunately they are on the computer that will no longer start. Any help as to what my next step should be would be great.

    Thanks.
     
  2. thisisu

    thisisu Malware Consultant

    Hi jmorrison518,

    Do you have a blank CD and a flash drive?
    Note: The flash drive is optional as you should be able to access the internet with the below to upload the logs.

    If so you can follow the below:

    Download OTLPENet.exe to your desktop
    Ensure that you have a blank CD in the drive
    Double click OTLPENet.exe and this will then open imgburn to burn the file to CD

    Reboot your system using the boot CD you just created.
    Note: If you do not know how to set your computer to boot from CD follow the steps here
    Please be patient while this loads.


    Your system should now display a Reatogo desktop.
    Double-click on the OTLPE icon.
    Select the Windows folder of the infected drive if it asks for a location
    When asked "Do you wish to load the remote registry", select Yes
    When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    OTL should now start.
    Change Drivers and Services to "All".
    Drag and drop the scan.txt I've attached into the "Custom Scans/Fixes" text-field (http://img14.imageshack.us/img14/66/otlcustomfix.png).
    Press the "Run Scan" button (http://img171.imageshack.us/img171/2405/runscanotl.png) to start the scan.
    When finished, the file will be saved as C:\OTL.txt
    Copy this file to your USB drive if you do not have internet connection on this system.
    Right click the file and select send to : select the USB drive.
    Also copy C:\ComboFix.txt to your flash drive so you can upload it here ;)
    Confirm that it has copied to the USB drive by selecting it
    You can backup any files that you wish from this OS
    Attach the C:\OTL.txt file to your next reply. (How to attach)
     

    Attached Files: scan.txt (942 bytes)
  3. jmorrison518

    jmorrison518 Private E-2

    OK...

    I went through everything with a few issues...

    When asked "Do you wish to load the remote registry", select Yes - It never asked this
    Change Drivers and Services to "All". - Where do I do this?
    Drag and drop the scan.txt I've attached into the text-field. - When I drag the scan.txt file into the Custom Scans/Fixes window, the program throws an error "Not a Valid Fix File"
     
  4. jmorrison518

    jmorrison518 Private E-2

    I was able to get the logs though!
     

  5. thisisu

    thisisu Malware Consultant

    I've attached a screenshot showing this.

    Just try copy pasting the text that is inside the scan.txt file into the "Custom Scans/Fixes" text-field (http://img14.imageshack.us/img14/66/otlcustomfix.png).

    Good job :)
     

  6. thisisu

    thisisu Malware Consultant

    Code:
        SUPERAntiSpyware Scan Log
        Scan type       : Quick Scan
    Should have been a Complete Scan as the Read and Run Me requested.

    Nothing really stands out in the ComboFix log. Curious as to what RootRepeal is hanging up on.

    Also, see if you can .zip up and attach any and all .dmp files in the following directory: C:\WINDOWS\Minidump

    These are the logs from the BSODs you've received.
     
  7. jmorrison518

    jmorrison518 Private E-2

    I was able to get the OTL PE file (attached), and the only .dmp file that I was able to find was in c:\Documents and Settings\All Users\Application Data\Dr Watson. I have attached that as well. c:\windows\minidump was empty.

    Thanks.
     

    Attached Files: OTL.txt (215.3 KB)
  8. jmorrison518

    jmorrison518 Private E-2

    Here is the .dmp file
     

  9. thisisu

    thisisu Malware Consultant

    That isn't the type of .dmp file I was looking for. It's not a big deal though since you were able to get me an OTL log.

    Let's try to fix some things from OTL and then see if your PC will boot up properly again.

    Boot using the OTLPENet CD again and when you reopen OTLPE, copy paste the information from the fix.txt file I've attached to this message into the "Custom Scans/Fixes" text-field (http://img14.imageshack.us/img14/66/otlcustomfix.png).
    Once you have done that, then click the "Run Fix" button (http://img3.imageshack.us/img3/407/otlrunfix.png) and let it attempt to fix the items.

    You will need to reboot your PC without using the OTLPENet CD to see if your PC can boot all the way into Windows.

    Let me know how you progress and if you have any questions.
     

    Attached Files: fix.txt (2.4 KB)
  10. jmorrison518

    jmorrison518 Private E-2

    Followed your instructions, and ran the fix. It ran all the way through, but on restart (in normal Windows mode) the computer blue screened again.
     
  11. thisisu

    thisisu Malware Consultant

    Do you know which bluescreen error code you are receiving? If not due to it restarting on its own, use the below to get it to stay so you can gather some information.

    • Reboot your PC
    • Start pressing F8 continuously after the initial Dell splash screen.
    • You should now be here:
    http://msinfluentials.com/blogs/jesper/Disable%20Automatic%20Restart.jpg
    • From the list, go down to the one that says : Disable automatic restart on system failure
    • Press ENTER

    Your system will now attempt to boot. When and if you get a bluescreen, it will stick. Write down any and all technical information for us to review here:
    http://img585.imageshack.us/img585/148/techinfo.jpg

    ________________________________________________________________________________


    Download Farbar Recovery Scan Tool and save it to a flash drive.

    Plug the flashdrive into the infected PC and boot up using the OTLPENet CD.

    Once you are on the desktop of OTLPENet, go to My Computer and find your flash drive from the list of drives.
    • Now double-click FRST.exe to open the program (from your flash drive).
    • When the tool opens click Yes to disclaimer.
    • Include a checkmark in "List Drivers MD5".
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach FRST.txt to your next reply. (How to attach)
     
  12. jmorrison518

    jmorrison518 Private E-2

    When I get the bluescreen, it doesn't restart on its own, it just hangs.

    The technical information section reads as follows...

    *** STOP: 0x0000007E (0xc0000005, 0x89344988, 0xB8513BE8, 0xB85138E4)

    Beginning dump of physical memory
    Physical memory dump complete.
    Contact your system administrator or support group for further assistance

    I have run the application and attached the log as requested.

    Thanks.
     

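Decoding the STOP line reported above is the first triage step before anyone asks for dump files, and it is why the consultant wanted the Minidump directory. The following is an added Python example, not a tool from this thread; it uses Microsoft's documented parameter layout for bugchecks 0x7E and 0x8E, and its lookup tables are deliberately short.

```python
import re

# Bugcheck codes and NTSTATUS values as documented by Microsoft; the tables
# deliberately hold only the handful needed for this kind of triage.
BUGCHECKS = {
    0x0000000A: "IRQL_NOT_LESS_OR_EQUAL",
    0x0000007B: "INACCESSIBLE_BOOT_DEVICE",
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x0000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0x000000D1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
}

# Matches the "*** STOP: 0x........ (0x..., 0x..., 0x..., 0x...)" line copied off the screen.
HEX = r"0x([0-9A-Fa-f]+)"
STOP_RE = re.compile(r"STOP:\s*" + HEX + r"\s*\(\s*" + r"\s*,\s*".join([HEX] * 4) + r"\s*\)")

def parse_stop_line(line):
    """Return (bugcheck_code, [p1, p2, p3, p4]) or None when no STOP line is present."""
    m = STOP_RE.search(line)
    if not m:
        return None
    return int(m.group(1), 16), [int(m.group(i), 16) for i in range(2, 6)]

def decode_stop(line):
    """Name the bugcheck and, for 0x7E/0x8E, interpret its four parameters."""
    parsed = parse_stop_line(line)
    if parsed is None:
        raise ValueError("no STOP line found")
    code, p = parsed
    info = {"code": code, "name": BUGCHECKS.get(code, "UNKNOWN"), "params": p}
    if code in (0x7E, 0x8E):
        # Parameters: exception code, address that raised it, then the addresses
        # of the EXCEPTION_RECORD and CONTEXT (only useful together with a dump).
        info["exception"] = NTSTATUS.get(p[0], "UNKNOWN")
        info["fault_address"] = p[1]
        # On 32-bit XP without /3GB, kernel space starts at 0x80000000, so a fault
        # there is in kernel or driver code; a Minidump plus "!analyze -v" names the module.
        info["kernel_mode"] = p[1] >= 0x80000000
    return info

# Constructed sample: the line quoted earlier in this thread.
SAMPLE = "*** STOP: 0x0000007E (0xc0000005, 0x89344988, 0xB8513BE8, 0xB85138E4)"

if __name__ == "__main__":
    d = decode_stop(SAMPLE)
    print(f"0x{d['code']:08X} {d['name']}: {d['exception']} at 0x{d['fault_address']:08X}")
```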
  13. thisisu

    thisisu Malware Consultant

    Code:
        2011-12-26 16:00 - 2011-12-26 16:00 - 0001980 ____A C:\Documents and Settings\jmorrison\My Documents\rrlog.txt
    Is this the log from RootRepeal? If so, please attach it to your next post.

    Code:
        2011-12-26 17:27 - 2011-12-26 16:03 - 0175854 ____A C:\MGlogs.zip
    You have an MGlogs.zip too and it was run after RootRepeal which is the correct order. Can you attach MGlogs.zip as well?

    Code:
        2011-12-27 00:07 - 2011-12-27 00:07 - 0014681 ____A C:\ComboFix.txt
    This last part is confusing to me -- The ComboFix log here is dated on the 27th which is today -- Which is before you started having BSODs.

    _________________________________________________

    Can you attach MGlogs.zip and rrlog.txt for analysis while I analyze the rest of your logs?
     
  14. jmorrison518

    jmorrison518 Private E-2

    The MGlogs.zip and rrlog.txt are from earlier on the 26th, when I ran the "Read & Run Me" procedure. I didn't bother uploading any logs though because at the time all seemed to be running ok (after I ran the Read & Run Me). It took a few hours before I started getting the notifications again, so I re-ran the Read & Run Me to get fresh logs.

    The Combofix file was run on 12/26 at 11:51PM, and the log was created on 12/27 at 12:07AM

    I have attached the MGLogs and RRlog that you requested, but they are from earlier in the day when the procedure ran through fine.
     

  15. thisisu

    thisisu Malware Consultant

    I am not seeing anything malicious that would be preventing startup at this point. You may end up needing to do a Repair installation of Windows XP.

    However, let's try something a little less drastic first to see if it helps you boot successfully:

    Copy the text in the code box below and save it as fixlist.txt
    Code:
    start
    RP: -> 2011-12-24 09:51 - 032768 _restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP406
    end
    Copy fixlist.txt to your flash drive. Make sure you still have FRST.exe on your flash drive otherwise this will not work.

    Now boot into OTLPENet again and launch FRST.exe from your flash drive.
    This time, press the [Fix] button and wait for it to process.
    The tool will make a log on the flashdrive (Fixlog.txt); please attach this to your next post. (How to attach)
     
  16. jmorrison518

    jmorrison518 Private E-2

    Here is fixlog.txt
     

  17. thisisu

    thisisu Malware Consultant

    System still does not boot?
     
  18. jmorrison518

    jmorrison518 Private E-2

    No. I am still getting the BSOD on startup.
     
  19. thisisu

    thisisu Malware Consultant

    Hi,

    At this point I would recommend doing a Repair Installation of Windows XP. See the following guide for full details: How-to repair Windows XP
     
  20. jmorrison518

    jmorrison518 Private E-2

    OK, I will try that.

    Thanks for all that you have done.
     
  21. thisisu

    thisisu Malware Consultant

    You're welcome and good luck to you :)
     
