XP won't start anymore

Daave

Bill H. said:
Great stuff, Gerry!

I didn't write down all the info, but got some. I won't have the
computer after today, and since it is an older model, I've suggested
he get a new one.

for one of the IRQL:

0x00000101, 0x00000002, 0x00000001, 0x804E60C4


Bad pool caller:

0x00000007, 0x00000CD4, 0x02070004, 0x8320FBC0

another STOP 0x0000008E,0x0064006A, 0xF3E92CF0, 0x00000000

Although it's possible that hardware issues are responsible for the
above, malware can also be a cause. In another post you mentioned the
appearance of a "winweb security" window. I still think that you need to
address your malware infection! One more time:

http://www.bleepingcomputer.com/malware-removal/remove-winweb-security
 
Bill H.

I'm pretty sure I've taken care of the malware. Haven't seen it in a while.

Interesting at this point.

I created a new user account while in safe mode. Now, if I let it boot
normally, it gets to the logon screen showing two users. After about 20
seconds just sitting at that screen, it reboots!

So far, safe mode always seems to work. Just can't do much there. :)

I guess that means there's a software issue somewhere. If I set msconfig to
diagnostic, it still reboots shortly after the desktop comes up.

--Bill
 
Daave

Bill H. said:
I'm pretty sure I've taken care of the malware. Haven't seen it in a
while.

Interesting at this point.

I created a new user account while in safe mode. Now, if I let it
boot normally, it gets to the logon screen showing two users. After
about 20 seconds just sitting at that screen, it reboots!

So far, safe mode always seems to work. Just can't do much there. :)

I guess that means there's a software issue somewhere.

Agreed. And I'll bet you *still* have malware.

The best thing to do at this point (short of a clean install, which you
might wind up needing to do anyway) is to run HijackThis and post your
log to an appropriate forum. For more information (courtesy of David
Lipman):

1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe


2. Disable Notepad's word wrap:
In Notepad.exe; Format --> uncheck; "Word wrap"


3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

[Daave's Note: There is a warning that a "recent rootkit infection has
been interfering with Deckard's System Scanner (DSS) resulting in
possible damage to the Operating System." Has this been addressed?
To OP: You may want to hold off on DSS for the time being!]


4. Save the scan results (Main.txt and Extra.txt)


5. And then post the contents of Main.txt and Extra.txt in your post in
one of the below expert forums...


{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here! }


Forums where you can get expert advice for HiJack This! (HJT) and
Deckard's System Scanner
Logs.


NOTE: Registration is REQUIRED in any of the below before posting a log


Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0


Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7


Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13
 
Bill H.

Yes, it does appear that way. :)

I keep rebooting into safe mode, with network wire disconnected, and using
spybot.

It keeps finding Fraud.AntiMalwares in windows/system32/winctrl32.dll. I
tell it to fix, it says it's fixed (it renames it), but upon reboot into
safe mode, the original file returns. And with command prompt, I still
can't delete it, says "access denied."

I checked my winxp, and that file is NOT there (whew!), but I wanted to see
if it were a legit windows file, maybe I could copy it over, but that's out.

--Bill
 
Daave

Bill H. said:
Yes, it does appear that way. :)

I keep rebooting into safe mode, with network wire disconnected, and
using spybot.

It keeps finding Fraud.AntiMalwares in windows/system32/winctrl32.dll.
I tell it to fix, it says it's fixed (it renames it), but upon reboot
into safe mode, the original file returns. And with command prompt, I
still can't delete it, says "access denied."

I checked my winxp, and that file is NOT there (whew!), but I wanted
to see if it were a legit windows file, maybe I could copy it over,
but that's out.

The file will unfortunately return.

You need expert help. You need to follow the directions from my last
post. In the meantime, you can look here:

http://www.bleepingcomputer.com/startups/WinCtrl32.dll-23047.html

http://www.bleepingcomputer.com/forums/topic131299.html
 
Bill H.

Thanks.

Ran malwarebytes. It found a couple more that spybot missed, but it, too,
seems unable to eliminate winctrl32.dll.

I guess nobody can get rid of winctrl32.dll. :-(

--Bill
 
Daave

Heh, maybe he'll notice the link this time. ;-)

(I guess in certain circumstances, top-posting can be beneficial!)
 
Bill H.

OK, SDfix seems to have been able to remove the winctrl32.dll and keep it
from coming back. That's the good news.


The bad news, the computer continues to reboot whenever trying to get into
normal mode.

And something I'm stumped on. I created a new account (while in safe mode)
yet when I boot into safe mode, that new account is not listed.

--Bill
 
Daave

Bill H. said:
OK, SDfix seems to have been able to remove the winctrl32.dll and keep
it from coming back. That's the good news.


The bad news, the computer continues to reboot whenever trying to get
into normal mode.

And something I'm stumped on. I created a new account (while in safe
mode) yet when I boot into safe mode, that new account is not listed.

One more time:

The best thing to do at this point (short of a clean install, which you
might wind up needing to do anyway) is to run HijackThis and post your
log to an appropriate forum. For more information (courtesy of David
Lipman):

1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe


2. Disable Notepad's word wrap:
In Notepad.exe; Format --> uncheck; "Word wrap"


3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

[Daave's Note: There is a warning that a "recent rootkit infection has
been interfering with Deckard's System Scanner (DSS) resulting in
possible damage to the Operating System." Has this been addressed?
To OP: You may want to hold off on DSS for the time being!]


4. Save the scan results (Main.txt and Extra.txt)


5. And then post the contents of Main.txt and Extra.txt in your post in
one of the below expert forums...


{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here! }


Forums where you can get expert advice for HiJack This! (HJT) and
Deckard's System Scanner
Logs.


NOTE: Registration is REQUIRED in any of the below before posting a log


Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0


Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7


Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13
 
Bill H.

The link to dss.exe reports page not found.

I didn't think I'd have the computer past today, but looks like it's mine for
another couple of days.

I'll post the log, but it will be from safe mode...

--Bill
 
Bill H.

I did those 4 steps with the repair CD (both sp2). No change.

I don't know what else I can do with the repair disk command prompt.

And what to clean up in safe mode? Setting msconfig for diagnostic startup
also results in the computer rebooting shortly after the desktop is
displayed. I thought I'd be smart and create a new user in safe mode and try
to log in under normal mode, but all I get is the default background image
and not a single icon. Have to hit reset to get out of that one.

I was thinking of running sfc in safe mode, but it won't run in safe mode.
:-(

--Bill
 
Bill H.

Thanks, Anna.

Latest:

I believe all traces of malware are now gone. Originally, there were
several, and winweb security remnants were impossible to get rid of until I
tried sdfix. Now I no longer have a winctrl32.dll in system32. :)

I set to not auto restart, and got various stop msgs, previously posted.
Now, I mostly get a 0x0000007F, with all four following parameters
0x00000000. I also sometimes get PAGE_FAULT_IN_NONPAGED_AREA and
IRQL_NOT_LESS_OR_EQUAL.

I did a thorough hardware diag (Dell) and it found nothing wrong.

Tell me more about a repair install.

--Bill
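
An added example, not part of any post in this thread: a small Python decoder for the STOP lines Bill copied down earlier and the 0x7F he reports above, using the documented parameter meanings of the four bug checks named here. The function names are made up for illustration, and it assumes the default 2 GB user/kernel split of 32-bit XP.

```python
import re

KERNEL_BASE = 0x80000000  # assumption: default 2 GB/2 GB split on 32-bit XP

# Name and per-parameter labels for the four bug checks named in the thread.
# The 0xC2 labels are the ones that apply to violation type 0x07.
BUGCHECKS = {
    0x0A: ("IRQL_NOT_LESS_OR_EQUAL", ["address referenced", "IRQL",
           "access (bit 0: 0=read, 1=write)", "address of referencing code"]),
    0x7F: ("UNEXPECTED_KERNEL_MODE_TRAP", ["trap number", "-", "-", "-"]),
    0x8E: ("KERNEL_MODE_EXCEPTION_NOT_HANDLED", ["exception code",
           "faulting address", "trap frame", "reserved"]),
    0xC2: ("BAD_POOL_CALLER", ["violation type", "reserved",
           "pool block contents", "address of pool block"]),
}

def decode(code, params):
    """Label the four STOP parameters and add notes for the known cases."""
    name, labels = BUGCHECKS.get(code, ("UNKNOWN", ["p1", "p2", "p3", "p4"]))
    result = {"code": code, "name": name, "complete": len(params) == 4,
              "fields": [], "notes": []}
    if not result["complete"]:
        # With a parameter missing we cannot tell which position was
        # dropped, so nothing is labelled.
        result["notes"].append("expected 4 parameters, got %d" % len(params))
        return result
    result["fields"] = list(zip(labels, params))
    p1, _, p3, p4 = params
    notes = result["notes"]
    if code == 0x0A:
        if p1 < 0x10000:
            notes.append("referenced address is in the first 64 KB (null-pointer region)")
        notes.append("write access" if p3 & 1 else "read access")
        side = "kernel" if p4 >= KERNEL_BASE else "user"
        notes.append("referencing code is in %s space" % side)
    elif code == 0xC2 and p1 == 0x07:
        notes.append("attempt to free pool that was already freed")
    elif code == 0x7F and p1 == 0x00:
        notes.append("trap 0: divide error")
    return result

def parse_stop_line(line, code=None):
    """Pull the hex values out of a hand-copied line; the first one is the
    STOP code unless the code is passed in separately."""
    values = [int(tok, 16) for tok in re.findall(r"0x[0-9A-Fa-f]+", line)]
    if code is None:
        if not values:
            raise ValueError("no hex values found")
        code, values = values[0], values[1:]
    return decode(code, values)

if __name__ == "__main__":
    # Lines as posted in the thread
    print(parse_stop_line("0x00000101, 0x00000002, 0x00000001, 0x804E60C4", code=0x0A))
    print(parse_stop_line("0x00000007, 0x00000CD4, 0x02070004, 0x8320FBC0", code=0xC2))
    print(parse_stop_line("another STOP 0x0000008E,0x0064006A, 0xF3E92CF0, 0x00000000"))
```

The 0x8E line as posted carries only three values after the STOP code, so the decoder reports it as incomplete instead of guessing which parameter is missing.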
 
Gerry

Bill

Can you post a complete copy of the latest Stop Error report. Let's see
if anything has changed?


--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Anna

Bill H. said:
I did those 4 steps with the repair CD (both sp2). No change.

I don't know what else I can do with the repair disk command prompt.

And what to clean up in safe mode? Setting msconfig for diagnostic
startup also results in the computer rebooting shortly after the desktop
is displayed. I thought I'd be smart and create a new user in safe mode
and try to log in under normal mode, but all I get is the default
background image and not a single icon. Have to hit reset to get out of
that one.

I was thinking of running sfc in safe mode, but it won't run in safe mode.
:-(

--Bill


Bill:
Just out of curiosity...

Is there any reason you haven't undertaken a Repair install of the OS as has
been previously suggested to you? Or have you done so and that too didn't
"work"?
Anna
 
db ·´¯`·.¸. .>

well, the next step would
be to do a repair installation
via your windows cd.

it is not too different from
an sfc, but the method
above would be initiated
via the cd.

boot again with your cd
and select install this time.

the cd will scan your disk
and eventually find an o.s.
already installed to it.

the repair installation will
compare your system files
on the disk with the genuine
ones on the cd.

if there are any missing or
corrupted system files on
the disk, the cd will replace
them.

here are the instructions:

http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/doug92.mspx


be sure to make the proper
selection towards repairing
the o.s., because the other
options the cd will provide
after it scans your disk
will be to re-install the
whole o.s. from scratch and
you don't want this at this
time.
 
Anna

Just out of curiosity...

Is there any reason you haven't undertaken a Repair install of the OS as
has been previously suggested to you? Or have you done so and that too
didn't "work"?
Anna


Bill H. said:
Thanks, Anna.
Latest:
I believe all traces of malware are now gone. (SNIP)
I did a thorough hardware diag (Dell) and it found nothing wrong.
Tell me more about a repair install.
--Bill


Bill:
Assuming you have a non-OEM-branded XP OS installation CD at your disposal
and not merely an OEM recovery CD or recovery partition situation, you might
consider running a Repair install of the XP OS at this point in time in view
of your other futile attempts to get the system up & running. Unfortunately,
since you mentioned "Dell" in your last post it's conceivable that you do
*not* have such an XP OS installation CD that will allow you to undertake a
Repair install since all you might have is the so-called "Recovery" or
"Restore" disk that Dell generally provides with their machines. And that
media will ordinarily not provide for a Repair install of the OS. But
assuming you *do* have an XP OS installation CD that allows you to undertake
a Repair install, here's some info about it...

Undertaking a Repair install of the OS is a relatively straightforward
process. It would be roughly akin to making a fresh install of the OS, but
in nearly every case your existing programs & user-created data would be
retained. Notice I said "nearly". While it would be a rather rare situation
where data would be lost or corrupted as a result of a failed Repair
install, and as unlikely as it may be, it *could* happen.

So if there are any programs and/or other data on your present drive that
are absolutely crucial to you and you could not tolerate their loss, then I
would strongly suggest that before undertaking this Repair install operation
that you first either make a "clone" of your existing HDD (using a
disk-imaging or disk-cloning program) or, if that's not practical, install
the HDD in another machine as a secondary HDD so that you can pull off
whatever data you want onto some removable media, e.g., flash drive, CD,
etc.

Again, it's a relatively rare event that a loss or corruption of data will
occur even when the Repair install is unsuccessful, but it *can* happen. So
I want you to be aware of this.

There are a number of websites that contain step-by-step instructions for
undertaking a Repair install. As I've indicated it's not a difficult nor
terribly time-consuming process. Again, it's roughly similar to making a
fresh install of the XP OS. If you do a Google search on "XP repair
install", you'll be pointed to many of these sites. Here are a few...
http://www.michaelstevenstech.com/XPrepairinstall.htm#RI
http://www.webtree.ca/windowsxp/repair_xp.htm
http://www.geekstogo.com/forum/index.php?showtopic=138
http://www.windowsreinstall.com/winxppro/installxpcdrepair/indexfullpage.htm
http://support.microsoft.com/default.aspx?scid=kb;en-us;315341

Assuming the Repair install is successful, you should use your A-V program
to immediately check out your PC for any virus infestation. Hopefully you'll
undertake the Repair install with an XP OS installation CD that contains (a
slipstreamed) SP3 so that it won't be an onerous task to download/install
*all* the MS critical updates since SP3 was released. On the other hand if
you undertake the Repair install with a XP-SP2 installation CD you will have
to download/install *all* the MS critical updates since SP2 was released,
which *will* be an onerous task. Alternatively you could install SP3 after
the Repair install assuming the Repair install has been successful. Anyway,
give this some thought if you can't get your system back to a functional
state any other way and, of course you have the requisite XP OS installation
CD that allows you to undertake a Repair install of the OS.

Just one other thing...
It's conceivable (although it doesn't sound like it) that you're dealing
with some hardware-type problem here and not just a corruption of the OS.
Where a hardware-type problem is the culprit in cases like the one you
describe, it's usually the HDD that's defective although it's entirely
possible some other major component of your system may be at the root of the
problem you're experiencing. In any event, it's possible (although again
from your description of the problem, unlikely) that you may be dealing with
a defective HDD so it probably would be wise at this point to check out the
HDD with a HDD diagnostic utility you can (usually) download from the
website of the disk's manufacturer. It's very easy to use - the downloaded
program allows you to create either a bootable floppy disk or bootable CD
containing the HDD diagnostic program. So give that some consideration as
well. On the other hand if the Dell hardware diagnostic program found no
problem with the HDD I suppose it's safe to assume there is no problem
there.
Anna
 
db ·´¯`·.¸. .>

I'm leaning more on an incompatible or
corrupted driver side, since safe mode
functions and not normal mode.

it's reminiscent of having enabled
battery backup in the power control
panel, whereas after a short while,
if not immediately the system shuts
down due to seeing zero battery charge.

however, there is no battery backup
connected.
 
Bill H.

Well, some things have changed. :)

For the moment (not to get too excited), it has been rebooting into normal
mode OK.

I now have an issue that I get an error about not being able to run
c:\windows\Kroduk.dll. I find an entry in the registry wanting to run
kroduk, with a key "Svelokara." I remove the key, reboot, and get the same
msg again and that reg entry has returned.

Spybot says I'm OK, I dl'ed and installed windows defender, which says I'm
ok, and ran AVG and deleted all the cookies it found and the zip files
containing malware found and removed by sdfix.

--Bill
 
Daave

Bill H. said:
Well, some things have changed. :)

For the moment (not to get too excited), it has been rebooting into
normal mode OK.

I now have an issue that I get an error about not being able to run
c:\windows\Kroduk.dll. I find an entry in the registry wanting to run
kroduk, with a key "Svelokara." I remove the key, reboot, and get the
same msg again and that reg entry has returned.

Sounds like you still have a rootkit infection.
 
