XP won't load in Normal or Safe Mode

mikeabc27 (ASKER):

I've an XP Pro self-built box that fails to load XP in either normal mode, safe mode, or last known good configuration.

Everything starts to load, but when it gets to the desktop no icons load and I just have the mouse pointer.

I reinstalled the Windows files (a reinstall without deleting the C: drive), but this now gives me a BSOD in normal mode.

Could it be a virus, and would I need to set up the drive as a secondary drive on another PC and clean it? Or is there something really obvious I'm missing?

Thanks,

Mike
Topics: Anti-Virus Apps, Windows XP, Windows OS

peetm:

Does Ctrl + Alt + Del work when you get to the desktop?
Andrew Millar:

What's the error code in the BSOD?
sri_junk:

XP Pro SP2 is a good option.

For your scenario, most people would:
1. Format the whole drive / remove C:\ and recreate it, so everything on it will be lost, and then do the whole setup.

2. If after this you observe that nothing has changed, go for another known good XP installer.
mikeabc27 (ASKER):

Already tried that - no apps showing, idle 98/99% and taskmgr.exe 0-1%.
mikeabc27 (ASKER):

This is weird. System Idle sticks at 98/99%, CPU usage varies from 2-8%. Virus?
mikeabc27 (ASKER):

Sorry, I can't trap the BSOD error code; it displays for a millisecond, been trying for ages.
I've noticed lsass.exe in Task Manager and I'm wondering if it could be the Sasser worm or a variation, which seems to be going around at the moment (2 clients with Sasser infections in the last 5 days).
mikeabc27 (ASKER):

Should have read:
I've noticed in Task Manager that lsass.exe IS VERY BUSY and I'm wondering if it could be the Sasser worm or a variation, which seems to be going around at the moment (2 clients with Sasser infections in the last 5 days).
peetm:

So, can you start, say, Explorer from Task Manager?
mikeabc27 (ASKER):

No, I can't start any apps.
peetm:

>>No, I can't start any apps.

When you try it, what happens?
shimfizzal:

By 'start Explorer' it means: do Ctrl-Alt-Delete, choose Task Manager, choose File > New Task, and physically type in 'explorer.exe'... see what happens then.
mikeabc27 (ASKER):

That's what I did and browsed to "c:\windows\explorer.exe" but got the message that the file couldn't be found. However, I shouldn't have said no progs would load, as regedit.exe and notepad.exe do load.
So is it explorer.exe? Would this have been reloaded with the reinstallation?
mikeabc27 (ASKER):

That's what I did and browsed to "c:\windows\explorer.exe" but got the message that the file couldn't be found. However, I shouldn't have said before that no progs would load, as regedit.exe and notepad.exe do load.

So is it explorer.exe? Wouldn't this have been reloaded with the reinstallation?
nobus:

Since you suppose it is a virus, run ALL of these (you can do it with the disk hooked up to a working PC, to speed up the scan):

Ad-Aware: http://www.lavasoftusa.com/
Spybot: http://www.download.com/3000-8022-10122137.html
MBAM: http://www.malwarebytes.org/mbam.php
http://housecall.trendmicro.com/ - online scan for trojans
http://www.spychecker.com/program/hijackthis.html - download HijackThis
http://www.hijackthis.de/index.php?langselect=english - check the log
mikeabc27 (ASKER):

I agree with mbam and hijackthis after I tried combofix.
peetm:

It does sound like Explorer's been deleted though?
mikeabc27 (ASKER):

> peetm
You're right, but when I did the reinstall wouldn't explorer.exe have been reloaded?
peetm:

>>You're right, but when I did the reinstall wouldn't explorer.exe have been reloaded?

Indeed, one would think that it should have been.  However, it seems as though it's not there?  Can you open a command-prompt - using 'New Task' from Task Manager ... i.e., run 'cmd' - does a command prompt open?

nobus:

and try to rename explorer.exe to explorer.old
mikeabc27 (ASKER):

Just checked it, yes I can run cmd.
peetm:

So, now you can have a look in C:\Windows and C:\Windows\System32 for Explorer.exe ... and, if you can run a command prompt, do very much more -- but maybe hunting about for Explorer might be a good idea just now?
mikeabc27 (ASKER):

I managed to "ren explorer.exe explorer.old" at the cmd prompt, but no copy in the system32 folder. So I'm doing a repair install again.
mikeabc27 (ASKER):

No, failed again. If I browse to run explorer.exe in Task Manager it tells me the file cannot be found.
peetm:

>>No, failed again. If I browse to run explorer.exe in Task Manager it tells me the file cannot be found.

But didn't you just rename that as a .old?
mikeabc27 (ASKER):

I reinstalled XP again and the new explorer.exe could be browsed but not run (not found).
peetm:

This is so odd.  When you reinstalled, did that mean you reformatted, or repaired?
mikeabc27 (ASKER):

Repaired
mikeabc27 (ASKER):

"reformatted, or repaired? "
Repaired
SOLUTION
Mohamed Osama:

[solution body not available on this page]
mikeabc27 (ASKER):

Thanks Admin3k. Can't find iexplorer.exe but copied over HiJack This and log attached.
SFC /scannow bring up a message Windows File Protection could not initiate a scan of protected system files. The specific error code is 0x000006ba (The RPC server is unavailable).

hijackthis.log
mikeabc27 (ASKER):

....and thanks for showing me how to trap the BSOD.
STOP: 0x0000007E (0x0000005, 0xF70DE174, 0xF7A3AD44, 0xF7A3AA40)
Mohamed Osama:

That system is heavily infected alright.
I can see there is a C:\Combofix.exe; have you already tried running ComboFix? Is this even ComboFix? If so, I doubt it will run; try renaming it to something else and please show us the log once done.
After you have run ComboFix, you may want to give these tools a go, in this order:
Microsoft Malicious Software Removal Tool http://www.microsoft.com/security/malwareremove/default.mspx
SDFix http://www.bleepingcomputer.com/files/sdfix.php
Malwarebytes Anti-Malware http://www.malwarebytes.org/mbam.php as suggested by nobus

If any of those tools won't run, please rename it.
Finally, please post the logs.
SOLUTION
nobus:

[solution body not available on this page]
mikeabc27 (ASKER):

Nobus - I ran Malwarebytes and this found no infections. I ran HijackThis (see above log) from Task Manager > cmd; however, I am unable to run ComboFix this way. If I set up the "infected" drive as a slave drive ComboFix will not scan it, as it only scans the system drive.
mikeabc27 (ASKER):

Admin3k - Thanks for confirming it is infected. I did install combofix but can't get it to scan the drive.
ASKER CERTIFIED SOLUTION
Mohamed Osama:

[solution body not available on this page]
mikeabc27 (ASKER):

Admin3k - I ran MBAM yesterday but that found nothing.
1. Let me see if I can get a renamed ComboFix onto the desktop as you suggest.
2. I'll then try the Microsoft tool and SDFix.
Any idea from the HijackThis log what the infection could be?
Thanks,
Mike
nobus:

It seems ntos.exe is the bad guy; here is what I found for it (last post from http://www.lavasoftsupport.com/index.php?showtopic=4792):

>>OK, hopefully this will help someone. I have just found a workaround for NTOS.exe. I found, as has been previously mentioned, that I was unable to get into Windows XP after removing the said file. However, I was able to access Windows in safe mode.

>>When in safe mode I did a search in Explorer for "ntos", where I deleted all traces of the file apart from ntos.exe.000.

>>I renamed ntos.exe.000 to ntos.exe and hey presto, I was able to gain access to Windows.
mikeabc27 (ASKER):

Now I can't open Task Manager in Safe Mode.
I have set up the "infected" drive as a slave, but ComboFix won't look at a slave.
I've run MBAM again and SDFix (logs attached) but MBAM finds nothing and SDFix only looks at the C: drive, not the infected E:

mbam-log-12-19-2008--10-42-49-.txt
Report.txt
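ComboFix and SDFix only look at the system drive, so a slaved volume gets no attention from them and the first hand check is a timeline: which executables were written into WINDOWS and WINDOWS\system32 recently. The Python below is an added example (not from any poster in this thread, and not ComboFix, SDFix or MBAM) that lists those files newest first with size and SHA-256. It assumes the standard XP layout under whatever volume root you pass (E:\ in the asker's setup) and, when run without arguments, builds a constructed demo tree in a temp directory; the brastk.exe and duxadwva.exe in that tree are stand-ins named after files flagged later in the thread, not real malware.

```python
"""Sweep a slaved (offline) Windows XP volume for recently written executables.

Added example; not ComboFix, SDFix or any tool named in the thread.
Usage: python sweep.py E:\ [days]   (the slaved volume root is an assumption)
"""
import hashlib
import os
import sys
import tempfile
import time
from dataclasses import dataclass
from typing import List

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}
# XP layout assumed; droppers in this thread landed directly in system32, so the
# sweep deliberately stays at the top of each directory instead of recursing.
SWEEP_DIRS = ("WINDOWS", os.path.join("WINDOWS", "system32"))


@dataclass
class Hit:
    name: str
    path: str
    size: int
    mtime: float
    sha256: str


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Hash in chunks so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def recent_binaries(volume_root: str, days: float, now: float = None) -> List[Hit]:
    """Executables under the swept directories modified within `days`, newest first.

    mtime can be timestomped by a dropper; on a Windows host compare st_ctime
    (creation time there) as well before trusting a quiet result.
    """
    now = time.time() if now is None else now
    since = now - days * 86400
    hits: List[Hit] = []
    for rel in SWEEP_DIRS:
        directory = os.path.join(volume_root, rel)
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            path = os.path.join(directory, name)
            if not os.path.isfile(path) or os.path.splitext(name)[1].lower() not in EXEC_EXT:
                continue
            st = os.stat(path)
            if st.st_mtime >= since:
                hits.append(Hit(name, path, st.st_size, st.st_mtime, sha256_file(path)))
    hits.sort(key=lambda h: h.mtime, reverse=True)
    return hits


def make_demo_volume() -> str:
    """Constructed XP-like tree in a temp dir; stand-in files, not real malware."""
    root = tempfile.mkdtemp(prefix="slaved_xp_")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sys32)
    now = time.time()
    files = {
        os.path.join(root, "WINDOWS", "notepad.exe"): now - 400 * 86400,  # old, as shipped
        os.path.join(sys32, "kernel32.dll"): now - 400 * 86400,           # old, as shipped
        os.path.join(sys32, "brastk.exe"): now - 3600,                    # dropped an hour ago
        os.path.join(sys32, "duxadwva.exe"): now - 2 * 3600,              # dropped two hours ago
        os.path.join(sys32, "readme.txt"): now,                           # new but not executable
    }
    for path, mtime in files.items():
        with open(path, "wb") as fh:
            fh.write(b"MZ\x90\x00" + os.path.basename(path).encode())  # fake PE-ish header
        os.utime(path, (mtime, mtime))
    return root


def report(hits: List[Hit]) -> str:
    lines = [
        f"{time.strftime('%Y-%m-%d %H:%M', time.localtime(h.mtime))}  {h.size:>8}  "
        f"{h.sha256[:16]}...  {h.path}"
        for h in hits
    ]
    return "\n".join(lines) if lines else "no recently written executables"


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_volume()
    days = float(sys.argv[2]) if len(sys.argv) > 2 else 14
    print(report(recent_binaries(root, days)))
```

Run it from the clean host against the slaved volume and submit the hashes of anything you do not recognise to a scanner; a dropper that backdates its own mtime will not show up, which is why the creation time on NTFS is worth a second pass when the list comes back empty.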
mikeabc27 (ASKER):

Nobus - I can't find the NTOS.EXE file on either the good or infected drive?
peetm:

Have you tried running msconfig and selecting 'Diagnostic Startup'?
mikeabc27 (ASKER):

Peetm - I presume you meant running that from task manager on the problem drive, but I can't get into task mgr anymore, even in safe mode.
SOLUTION
peetm:

[solution body not available on this page]
mikeabc27 (ASKER):

I was running two drives - I removed the other and now I can get Task Manager.
Can't find msconfig though.
mikeabc27 (ASKER):

Admin3k - Now I've got Task Manager back I renamed combofix.exe and put it on the desktop. That ran and deleted loads of files/folders and, although I'm still getting the BSOD in normal mode, I've got the desktop back in safe mode. For the third time in 7 days ComboFix has sorted my problem (maybe not quite fully in this case).
I'm running SDFix now and once that's completed I'll post the 2 logs.
mikeabc27 (ASKER):

OK, SDFix and uninstalling the video drivers sorted the BSOD, and apart from a couple of McAfee VirusScan processes working at around 16% CPU usage I'm gradually getting there.
The system isn't quite clean yet looking at the logs, and it certainly doesn't feel malware-free. I wonder if someone could look at the logs to see if I need to run a CFScript or which lines are to be removed in HijackThis?
Thanks

cf1.txt
cf2.txt
hijackthis2.txt
mikeabc27 (ASKER):

This line is in the HijackThis2 log - Sasser?
O4 - HKLM\..\Run: [XP Antispyware 2009] "C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe" /hide
nobus:

The ntos file was in your log file from post ID:23208823, but maybe you have removed it already?
Remove this:
O4 - HKCU\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
Mohamed Osama:

If this log is indeed the latest, then there is some remaining cleanup to do.
Give Malwarebytes RogueRemover a try:
http://www.malwarebytes.org/rogueremover.php
- Run SDFix & ComboFix again; make sure you have your antivirus program disabled while doing it. Once completed, save the logs to attach them here later.
- Update your antivirus and run a full scan; take note of which threats the scan found and how they were handled (deleted/quarantined, etc.).
If for some reason the update functionality is not working for McAfee, try downloading the latest SuperDAT file on a clean machine, then install it on the infected one.
The latest is always here: http://www.mcafee.com/apps/downloads/security_updates/superdat.asp?region=us&segment=enterprise
- Get CCleaner and run it:
http://www.ccleaner.com/download

- Use HijackThis to remove these entries in the log (if they still exist):
O2 - BHO: {13c5fac4-7e65-89a9-cf94-bf628ec74f00} - {00f47ce8-26fb-49fc-9a98-56e74caf5c31} - C:\WINDOWS\system32\uvkhno.dll (file missing)
O2 - BHO: (no name) - {23826172-9E3D-4D5A-A72A-411FB783FDFD} - C:\WINDOWS\system32\geBqNddE.dll (file missing)
O2 - BHO: (no name) - {c83926f3-0b06-43db-9a99-6d46590330f1} - C:\WINDOWS\system32\wijumube.dll (file missing)
O4 - HKLM\..\Run: [XP Antispyware 2009] "C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe" /hide
O4 - HKCU\..\Run: [appsrvproc] C:\WINDOWS\system32\duxadwva.exe
O4 - HKCU\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O21 - SSODL: DbUtilDsc - {3F17C9F7-AF42-CFA9-E65E-012D444D2324} - C:\Program Files\srhmoxc\DbUtilDsc.dll
You want to make sure the files & folders associated with those entries are also deleted.
If for some reason you cannot delete any of them, use the FileASSASSIN utility in MBAM > More Tools section.
Finally, please post an updated HijackThis log.

Good luck.
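The entries listed in that post fall into a few recognisable classes: BHOs whose DLL is already gone (HijackThis marks them "(file missing)", so only the orphaned registry entry is left to fix), Run values that launch unknown binaries dropped straight into system32, a ShellServiceObjectDelayLoad object living outside system32 where XP's legitimate ones reside, and a Run value named like a rogue antispyware product. The Python below is an added example, not HijackThis and not anything a poster wrote, that parses O2/O4/O21 lines and applies those four heuristics, then lists which targets still exist on disk and need deleting once the entries are fixed. The log it runs on is constructed from the lines quoted in this thread plus two benign entries (an Acrobat BHO and a McAfee ShStat Run value, with a placeholder CLSID, assumed for contrast); the allowlist and the rogue-name pattern are assumptions to review for your own environment, not a verdict.

```python
"""Triage O2 (BHO), O4 (Run) and O21 (SSODL) lines from a HijackThis log.

Added example; not part of HijackThis or of any post in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the entries quoted in the thread plus two benign lines
# (Acrobat BHO with a placeholder CLSID, McAfee ShStat) added for contrast.
SAMPLE_LOG = r"""
O2 - BHO: {13c5fac4-7e65-89a9-cf94-bf628ec74f00} - {00f47ce8-26fb-49fc-9a98-56e74caf5c31} - C:\WINDOWS\system32\uvkhno.dll (file missing)
O2 - BHO: (no name) - {23826172-9E3D-4D5A-A72A-411FB783FDFD} - C:\WINDOWS\system32\geBqNddE.dll (file missing)
O2 - BHO: (no name) - {c83926f3-0b06-43db-9a99-6d46590330f1} - C:\WINDOWS\system32\wijumube.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [XP Antispyware 2009] "C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe" /hide
O4 - HKCU\..\Run: [appsrvproc] C:\WINDOWS\system32\duxadwva.exe
O4 - HKCU\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O21 - SSODL: DbUtilDsc - {3F17C9F7-AF42-CFA9-E65E-012D444D2324} - C:\Program Files\srhmoxc\DbUtilDsc.dll
""".lstrip("\n")

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path on the line ending in an executable extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys|scr|com))(?=\s|"|$)', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+$", re.IGNORECASE)
# XP binaries that legitimately appear as Run targets inside system32 (assumption; extend per site).
RUN_ALLOW = {"ctfmon.exe"}
# "[XP Antispyware 2009]"-style value names used by rogue security products (assumed pattern).
ROGUE_NAME_RE = re.compile(
    r"\[(?:xp|win|windows)?\s*(?:anti[- ]?spyware|anti[- ]?virus|security|defender)\s*20\d\d\]",
    re.IGNORECASE,
)


@dataclass
class Entry:
    line_no: int
    section: str            # O2, O4, O21 ...
    raw: str
    path: Optional[str]     # first file path on the line, if any
    missing: bool           # HijackThis appended "(file missing)"


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]


def parse_hjt(log_text: str) -> List[Entry]:
    entries = []
    for n, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        pm = PATH_RE.search(line)
        entries.append(Entry(n, m.group(1), line, pm.group(1) if pm else None,
                             "(file missing)" in line))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    findings = []
    for e in entries:
        reasons = []
        if e.missing:
            reasons.append("target file already gone: orphaned registry entry, fix with HijackThis")
        if e.path:
            in_sys32 = bool(SYSTEM32_RE.match(e.path))
            base = e.path.rsplit("\\", 1)[-1].lower()
            if e.section == "O4" and in_sys32 and base not in RUN_ALLOW:
                reasons.append("Run value launches an unknown binary dropped straight into system32")
            if e.section == "O21" and not in_sys32:
                reasons.append("SSODL object outside system32 (XP's legitimate ones live there)")
        if e.section == "O4" and ROGUE_NAME_RE.search(e.raw):
            reasons.append("value name matches rogue-antispyware product naming")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def files_to_delete(findings: List[Finding]) -> List[str]:
    """Targets still on disk that must go after the registry entries are fixed."""
    return sorted({f.entry.path for f in findings if f.entry.path and not f.entry.missing})


def report(findings: List[Finding]) -> str:
    out = []
    for f in findings:
        out.append(f"line {f.entry.line_no} [{f.entry.section}]: {f.entry.raw}")
        out.extend(f"    - {r}" for r in f.reasons)
    out.append("delete from disk: " + ", ".join(files_to_delete(findings)))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(parse_hjt(SAMPLE_LOG))))
```

On the constructed log the seven entries the expert listed are flagged and the two benign ones are not; the "delete from disk" line is the same list the post asks the asker to remove by hand (the Program Files\srhmoxc folder goes with its DLL). Treat every hit as something to verify, not delete blindly: a legitimate product that installs into system32 would trip the Run rule until you add it to the allowlist.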
 
mikeabc27 (ASKER):

Thanks Admin3k - gone through all that.
McAfee found about 120 Vundo infections (excluding those already in CF's Qoobox/quarantine).
Also ran Kaspersky online scanner.
Deleted lines in HJT as advised and logs attached.
Thanks,
Mike

cf4.txt
hijackthis4.log
kaspersky.txt
Mohamed Osama:

Just make sure this file captured by Kaspersky is physically deleted from your computer:

C:\WINDOWS\system32\g78.exe

Also the contents of C:\Qoobox\Quarantine\ can safely be deleted.

Other than that, all the logs look great. How is the machine doing?
mikeabc27 (ASKER):

Thanks, I've deleted the quarantined files now. I deleted the g78.exe file after completing Kaspersky.
Machine much better now; one BSOD on shutdown, but that appears to be an isolated case.
Only one thing - it takes nearly 10 minutes to settle down from start-up, with two McAfee processes (vstskmgr.exe and mcshield.exe) going mad taking between 8% and 50% of the CPU.
Mohamed Osama:

Usually the antivirus is set up to scan startup objects, running processes, etc. on system startup; you can check McAfee VirusScan options to control this behaviour.

Also, disabling unneeded programs from startup can improve performance; disabling unneeded services, moving the page file to a different drive than the system partition, etc. can improve performance a lot. Also consider upgrading the browser to IE7 and the OS to SP3.
XP SP3 http://www.microsoft.com/downloads/details.aspx?FamilyID=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4
IE7 http://www.microsoft.com/downloads/details.aspx?familyid=9ae91ebe-3385-447c-8a30-081805b2f90b
Move page file http://support.microsoft.com/kb/307886
Disable unneeded services http://www.blackviper.com/WinXP/servicecfg.htm
peetm:

You might also uninstall Kaspersky and then install AVG - one AV often doesn't catch everything! I always run two; in my case Sophos and AVG [and have done for years now].
mikeabc27 (ASKER):

I upgraded to SP3 and IE7 and increased virtual memory (only one partition/drive), edited the startup settings in VirusScan, but no luck. I don't want to change any auto services to manual without speaking to the user.
I reinstalled McAfee, but eventually removed it and put on a trial version of Sophos. This resolves the problem, but I can't update this; it keeps telling me it "could not contact server." Is this because it's the trial version?
Mohamed Osama:

IMHO, the best lightweight & free antivirus program is Avira antivirus; give it a go, you will find it is packed with features & has a very light footprint on the OS.
http://www.free-av.com/
nobus:

My opinion is NOT to install different AV scanners, since the settings of one can cancel the other + they cause more resource use on your system = slowness.
I always favor 1 AV - let it be the one of your choice, but I use additional special "malware" tools:
Ad-Aware: http://www.lavasoftusa.com/
Spybot: http://www.download.com/3000-8022-10122137.html
MBAM: http://www.malwarebytes.org/mbam.php
http://housecall.trendmicro.com/ - online scan for trojans
http://www.spychecker.com/program/hijackthis.html - download HijackThis
http://www.hijackthis.de/index.php?langselect=english - check the log
peetm:

>>"could not contact server." Is this because it's the trial version?

A few steps involved, but nothing too stressful, and maybe worth a try?

http://www.sophos.com/support/knowledgebase/article/12793.html

@nobus

>> ... since the settings of one can cancel the other + they cause more resource use of your system = slowness

This is quite possibly true with some AV program combinations; all I can add is that Sophos and AVG run side-by-side on my machines and seem to have nothing but a positive effect.  As I said, I've been running both like this on multiple machines for many years now.
mikeabc27 (ASKER):

Nobus - Like you I always use just the one AV scanner. When things get past that (and in the last week infections have got past eTrust/McAfee and Symantec) I use ComboFix, HijackThis, Malwarebytes and Kaspersky Online Scanner.
Peetm - Thanks for all your ideas and help. Interesting to know Sophos and AVG will work together.
Admin3K - You resolved the problem I had with the startup by getting me to run ComboFix and SDFix from the command prompt, and other suggestions. I'm sticking with Avira for now. Nice and lightweight as you say, and system running well.
Thanks to you all.
mikeabc27 (ASKER):

Excellent help and advice
peetm:

Glad you got it sorted.