From: dlevy on 7 Jun 2010 17:44

Hi all,

Many thanks to Jose and John--the men in the white hats--for taking the time to post some helpful advice! Running explorer.exe from the Task Manager did indeed work. I can now boot, after getting the aforementioned error messages. But the system is still somewhere between molasses-slow and I-will-shoot-myself-if-I-stare-at-this-screen-any-longer slow...

I ran Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware (SAS) multiple times. MBAM found and deleted many infected objects. After I ran MBAM a few times, SAS found a few more infected objects but would crash before it could delete them. Detailed log at the bottom. The system still won't boot normally*. What's really annoying is that other apps, including the hard-to-replace CAD app, also won't run--same 0xc0000006 error msg.

I also tried to use System Restore (SR). There were dozens of restore points available, going back 3 months:
1. In normal mode, roll back to 3/6/10: SR stopped, rebooted the system and said it could not restore.
2. In safe mode, roll back to a different restore point (4/14/10): SR stopped again, but got a lot farther in the progress bar than the first time.

So, it looks like malware was responsible for the damage. I can only think that the malware corrupted the restore points without deleting them and that is why SR keeps failing. I'm not going to bother running HijackThis, at this point, until requested. I assume that MBAM got rid of the active malware, but now there's damage to the system files that I need to fix.

More informed and thoughtful comments are most welcome.

--d.

*I don't think it matters at this point, but I think I failed to notice, in the 0xc0000006 error msgs, that there is a file associated with each of them: "gStart.exe" and "PCSuite.exe". Also, after booting, notepad.exe fails to launch and gives the same message. But WordPad and MS Word will run.

_________
Log:

1. Normal mode, MBAM quick scan--it found 24 infected objects: 2 infected registry keys, 3 reg values, 3 reg data items and 16 files. Worm.Magania, Trojan.Frethog, Spyware.Online.Games, Hijack.ControlPanelStyle, Disabled.SecurityCenter, Hijack.Help, Hijack.System.Hidden, Worm.Autorun, Trojan.Backdoor. All were quarantined and deleted.
2. After reboot, normal mode, MBAM quick scan--no infected objects.
3. Normal mode, quick scan, SAS--found 15 infected objects, including Trojan.Agent and Trojan.RootKit, but then froze, so I could not hit the 'Continue' button or any other button. Looks like it was in an endless loop b/c Task Manager showed it consuming 10-20% of CPU time for two hours before I killed the process. I couldn't 'End Task' using Task Manager, had to 'End Process' instead. There were no logs in 'Docs & Settings\Application Data\SAS' that were human readable.
4. Safe mode, quick scan, SAS--found infected objects but then froze, same as above.
5. Safe mode, full scan, MBAM--found 137 infected files. 'Spyware.Online.Games', 'Worm.Taterf', 'Worm.Magania'. Only files were infected; nothing else--registry, memory, etc.--was found infected.
6. Normal mode, full scan, SAS--found 2 infected objects, both "Trojan.RootKit/Gen", but then froze, same as above.
7. Safe mode, full scan, MBAM--found 13 infected files, all "Spyware.Online.Games", all 'quarantined and deleted'.
From: Jose on 7 Jun 2010 19:27

On Jun 7, 5:44 pm, dlevy <dl...(a)discussions.microsoft.com> wrote:
> [...]

That is a lot of junk, but you're doing good.

To me, it does not make sense to run quick scans with MBAM or SAS, especially if you think you have a problem. Things are skipped that you might not want to skip, so do the most thorough scan that is offered unless you are in some really big hurry for some reason (this is my opinion).

MBAM also does not recommend running in Safe Mode, but SAS seems to suggest it sometimes "if you have problems in Normal Mode". I think if you want an efficient scan, you should run full in Normal - always, but you have to do what you have to do sometimes to get things to at least sort of work. Anywho, you should really want the full scans to run clean.

Some malicious software recognizes mbam.exe and superantispyware.exe (and regedit.exe, taskmgr.exe, cmd.exe, rstrui.exe, etc., etc.) as a running process and just will not allow them to run, so you have to fool it, but you sound like you are getting past that point. You could rename/copy the executables to something the malicious software will not recognize - like superantispyware.exe --> dlevy.exe - and run dlevy.exe instead. The malicious software will not recognize that. I do think some will recognize jose.exe though. This is very annoying to me.

What is your other anti-whatever environment? Avira!, AVG, Norton, McAfee, MSE, etc.? I would disable any stuff like that temporarily and let MBAM and SAS work unfettered.

When you say MBAM and SAS found things, are you letting them fix the things they find? I know it sounds like SAS is having some problem.

Is your explorer.exe/desktop working now or do you still need to fix that? Here is how you can replace your explorer.exe if you think or even suspect it is corrupted:

Look in Task Manager and if explorer.exe is running, terminate it, then from TM browse to c:\windows\system32 and rename the explorer.exe to something you can remember (just in case) so explorer.exe is now "missing". Windows File Protection should replace it quickly and silently with a backup copy from c:\windows\system32\dllcache, or just manually copy the one from dllcache over to c:\windows\system32, then launch it again or reboot. There are probably several copies of explorer.exe on your system. You can't do this if explorer.exe is running.

Posting HijackThis logs is inappropriate for this forum, but somebody will tell you the correct place to send them for analysis if you want to do that. If I had one here I would first look at your startup items (the 04s), but we can see all that stuff another way.

Download and install CCleaner from here: http://www.piriform.com/ccleaner

Launch it and save the Startup information to a text file. Click Tools, Startup, Save to text file... and save the startup information to your desktop (or someplace you can find it). Open the file with a text editor, select all and paste the contents back here for analysis.

I have zero startup items, so you could disable all or some of yours from CCleaner (this does not uninstall anything), and reboot and see how that goes. Uninstall CCleaner later if you don't like it (most people seem to like it for its other features).

I would not trust or worry about your Restore Points just yet. System Restore is not a time machine. With all that junk, after I got all cleaned up, I would whack them all anyway - just because they might be corrupted or afflicted, maybe. Don't take any chances like that - just whack them all when you are running again.
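The explorer.exe fix above rests on the copy that Windows File Protection keeps in dllcache. Before renaming anything, it helps to know which of the binaries that are failing with 0xc0000006 actually differ from their cached copies. The script below is an added example, not code from the thread or from any tool named in it: it hashes each named file in the live directory and in the cache directory and classifies the result. The file names (explorer.exe, notepad.exe, and the tool names Jose lists) come from the thread; the directory layout is a parameter, because on XP explorer.exe itself lives in C:\Windows while dllcache sits under C:\Windows\system32, so point `system_dir` at wherever the live copy really is. The fixture in `demo()` is constructed here so the script runs offline.

```python
"""Added example: compare live Windows binaries against their WFP dllcache
copies by SHA-256. Not part of the original thread."""
import hashlib
import os
import tempfile


def sha256_file(path):
    # Stream in 64 KiB chunks so large binaries are not read into memory whole.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_against_cache(system_dir, cache_dir, names):
    """Return {name: status} where status is one of:
    'match'          live copy is byte-identical to the dllcache copy
    'mismatch'       both exist but differ (damaged or replaced; candidate for restoring from cache)
    'missing_live'   only the cache copy exists (WFP should put it back on its own)
    'missing_cache'  no cache copy to compare against
    """
    result = {}
    for name in names:
        live = os.path.join(system_dir, name)
        cached = os.path.join(cache_dir, name)
        if not os.path.isfile(cached):
            result[name] = "missing_cache"
        elif not os.path.isfile(live):
            result[name] = "missing_live"
        elif sha256_file(live) == sha256_file(cached):
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed fixture: a fake system32 with a dllcache beneath it.
    The byte strings stand in for binaries; they are not real PE files."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "system32")
    cache = os.path.join(sys32, "dllcache")
    os.makedirs(cache)
    clean = b"MZ" + bytes(64) + b"clean binary body"
    # explorer.exe: cache intact, live copy truncated (simulated damage)
    _write(os.path.join(cache, "explorer.exe"), clean)
    _write(os.path.join(sys32, "explorer.exe"), clean[:40])
    # notepad.exe: identical in both places
    _write(os.path.join(cache, "notepad.exe"), clean)
    _write(os.path.join(sys32, "notepad.exe"), clean)
    # regedit.exe: live copy gone, cache copy present
    _write(os.path.join(cache, "regedit.exe"), clean)
    # taskmgr.exe: live copy present, nothing cached
    _write(os.path.join(sys32, "taskmgr.exe"), clean)
    return compare_against_cache(
        sys32, cache, ["explorer.exe", "notepad.exe", "regedit.exe", "taskmgr.exe"]
    )


if __name__ == "__main__":
    # On a real XP box you would call, for example:
    # compare_against_cache(r"C:\Windows\system32", r"C:\Windows\system32\dllcache", [...])
    for name, status in sorted(demo().items()):
        print(f"{name:14} {status}")
```

A match only says the two copies agree with each other. Malware running with administrator rights can write to dllcache as easily as to system32, so a clean bill of health needs hashes taken from known-good install media or from a clean host, not from the suspect machine's own cache.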
From: Jose on 7 Jun 2010 19:46

On Jun 7, 5:44 pm, dlevy <dl...(a)discussions.microsoft.com> wrote:
> [...]

Oh yeah - this will not hurt if you have not done it already:

Boot into the Windows Recovery Console using a bootable XP installation CD, or create a bootable XP Recovery Console CD. This is not the same as any recovery disks that might have come with a store-bought system. If you are not sure what kind of bootable CD you have, make a bootable XP Recovery Console CD and be sure.

You can create a bootable XP Recovery Console CD when no XP media is available by following the directions in this link:
http://www.bleepingcomputer.com/forums/topic276527.html

For each of your hard disk partitions, you should then run:

chkdsk /r

For example, from the Recovery Console prompt, enter:

chkdsk c: /r
From: dlevy on 8 Jun 2010 01:24

Hi Jose,

Thanks for all your thoughtful comments. I have talked with the friend who owns the laptop. He says he is going to try to get another copy of the CAD installation software from Argentina. So, for the moment at least, the pressure is off. If there were a silver-bullet solution, I would take the time to try it, but it looks like there is a lot more work to do. I might try your recommendations, though, just out of curiosity and sheer cussedness.

What I have distilled from your posts is the following plan:
1. Run both MBAM and SAS in normal mode until they are clean, if possible.
2. Rename explorer.exe and let Win XP create a new copy.
3. Update CCleaner (already installed), post startup items to the forum.

I will post again, once I get more information from my friend about whether he will be able to get the software from Argentina or not.

Thanks again to the man in the white hat!

--David Levy
Washington, DC
From: dlevy on 10 Jun 2010 01:21

Okay, I got a confirmation from my friend. He's getting replacement software from Argentina, so I'm just going to wipe the hard drive and re-install the OS. I did run MBAM in normal mode, full scan; it found no infected objects. But I think the damage was already done and it would have been pretty complicated re-building the system files, keys, etc. While I would have liked to fix the existing OS just as a challenge, it would have been too time consuming. All's well that ends well.

Thanks again, Jose. So, there really are people in the world wearing white hats.

"Hi-yo Silver, away!"
"Who was that masked man, anyway?"

The Lone Ranger's Creed

"I believe.....
That to have a friend, a man must be one.
That all men are created equal and that everyone has within himself the power to make this a better world.
That God put the firewood there, but that every man must gather and light it himself.
In being prepared physically, mentally, and morally to fight when necessary for that which is right.
That a man should make the most of what equipment he has.
That 'this government of the people, by the people, and for the people' shall live always.
That men should live by the rule of what is best for the greatest number.
That sooner or later...somewhere...somehow...we must settle with the world and make payment for what we have taken.
That all things change but truth, and that truth alone, lives on forever.
In my Creator, my country, my fellow man."

http://en.wikipedia.org/wiki/The_Lone_Ranger