Topic: Windows did not start successfully

[Mrs Twaddle]

Basically, I was playing solitaire, heard a funny noise, kind of a chug chug chug (very very quietly) then the p.c froze, had a blue screen of death with advice on what to do if this was the first time this has happened and other nonsense about the bios and how to disable some stuff... then it went POOOOFF!!!

Now when you turn it on you get "Windows did not start succesfully, a recent hardware or software change may have caused this" blah blah lots of options of what start up mode to try... tried them all it just goes to the black windows screen then restarts.. a constant loop.

I'm too scared to chuck in a recovery disc, as hubby will freak if he looses all his work.. i can't get the hardrive cable out to put the harddrive in the other puter to rescue his files..

I just want to crawl under a rock

[richard]

First stage... let's break out of that loop so we can see what's fallen over, aye?

While it's restarting, hit f8 for safe-mode... one of the options you'll be offered is turning off 'auto-restart on error'.

Then when it BSODs, it'll stay like that so we can see the error-message.

(PS, if you're feeling brave, tell theelnombre you already have used the recovery-disk... then run. It'll teach him about backups...)

[Mrs Twaddle]

'k

here goes, and it ain't pretty

unmountable_boot_volume

(lots of info about the bios and disabling stuff, plus info on uninstalling the new hardware)

then a load of number STOP: 0x000000ed and so on

[richard]

Sounds like the HD might have gone tits-up... and the chugging was the 'click-of-death'... if that's the case, the recovery-disk ain't gonna solve it anyways.

You really need to figure how to get that drive out into the other machine to see if it's readable at all... if there's not room to get the cable out, removing drive-screws might give you enough movement? (I presume this isn't the lappy you're talking about?)

If there's a second parameter after that 'stop', you might be luckier... you might just have a damaged filesystem... chkdsk /r from the recovery-console would fix that (maybe).

[Mrs Twaddle]

I had a horrible feeling you were going to say that.. (we didn't get the lappy after, we have a second p.c, which i'm currently on)

My brother has got the drive out before so i know it is possible.. i'm just so terrified of breaking it..

Ahh feck, basically then if i manage to get the drive out to check it, if i can't access it, then it is all gone... I HATE PUTERS!!! shoot me now.

[richard]

Second thoughts... have a go with that recovery-console anyways... do you know how to get there?

[richard]

"Borrowed" from M$

1.   Start your computer with the Windows startup disks, or with the Windows CD-ROM if your computer can start from the CD-ROM drive.
   
2.   When the Welcome to Setup screen appears, press R to select the repair option.   

3.   If you have a dual-boot or multiple-boot computer, select the Windows installation that you want to access from the Recovery Console.
   
4.   Type the administrator password when you are prompted to do so. NOTE: If no administrator password exists, press ENTER.   

5.   At the command prompt, on the drive where Windows is installed, type chkdsk /r, and then press ENTER.
   
6.   At the command prompt, type exit, and then press ENTER to restart your computer.

[Mrs Twaddle]

'k will try... it can't get any worse can it..


that just checks the files though doesn't it, doesn't overwrite software?

[richard]

'k will try... it can't get any worse can it..


that just checks the files though doesn't it, doesn't overwrite software?

It doesn't overwrite anything... there may be a few stray files that need to be identifying... in the worst case, it may be impossible and you're no worse off for trying.

[Katzy]

If it comes to it, Rich, which I hope it doesn't, I can send Hiren.

[richard]

If it comes to it, Rich, which I hope it doesn't, I can send Hiren.

Here's hoping...

[Mrs Twaddle]

it's working

thank you thank you thank you thank you thank you thank you thank you thank you thank youthank you thank you thank youthank you thank you thank youthank you thank you thank youthank you thank you thank youthank you thank you thank youthank you thank you thank you


but the antivirus is missing, not sure what else, infact the entire antivirus folder is missing


still, thank you soo much, going to back it all up in the morning

[Derek]

What AV did you have on it

Can you run HJT and post a log

[Mrs Twaddle]

i ran avast, and if it helps i found a folder on the "naughty" drive called found.000 and avast is in that.

Currently using antivir until i can figure out the problem

Hi-Jack Log

Logfile of HijackThis v1.99.1
Scan saved at 07:51:19, on 13/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://uk.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://uk.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - C:\WINDOWS\system32\winvbie.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ms-update] scvhost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\RunServices: [ms-update] scvhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu   &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms   &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm   &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms   &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms   &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms   &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm   &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123796483019
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader_jfp_nf/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BD49099-875E-4265-B639-0AA63772D599}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4151184-F7B6-4F7E-8C85-F81F4D636038}: NameServer = 194.72.0.114 194.74.65.69
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BD49099-875E-4265-B639-0AA63772D599}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: 00123 - Unknown owner - \\86.136.214.30\print$\eraseme_37080.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - I:\Program Files\Adobe\Version Cue\service\VersionCue.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

[richard]

i ran avast, and if it helps i found a folder on the "naughty" drive called found.000 and avast is in that.

That's because Avast was the broken part of the filesystem... the checkdisk you just ran 'found' it, where windows had lost track... maybe will be able to see why, because it seems a bit odd to me the damage was so specific... maybe something naughty was trying to disable the AV and got a bit over-enthusiastic?

[Mrs Twaddle]

Thats what i am thinking, it seem to be the only thing affected too

[Derek]

yes you have been attacked by one of the sdbots/agobots that target AV's

before we go too far down cleaning can you do this so we can see what else is hiding

• Download WinPFind
  
• Right Click the Zip Folder and Select "Extract All"
  
• Extract it somewhere you will remember like the Desktop
  
• Dont do anything with it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe

• Click " Configure Scan Options"
  
• Select " Run Add ONs" and then select ALL the options in the box  below it, Press Apply
  
• Now Click "Start Scan"
  
• It will scan the entire System, so please be patient!
  
• Once the Scan is Complete
• Reboot back to Normal Mode!
  
• Go to the WinPFind folder
  
• Locate WinPFind.txt
  
• Place those results in the next post!. It will be too big to post  so you will need to attach it to your reply

[/list]

and I need a copy of this file to examine please

please go to  http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to  upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:

C:\WINDOWS\System32\scvhost.exe

[Mrs Twaddle]

you want a copy of C:\WINDOWS\System32\scvhost.exe when it is done? as well as the log? (just making sure)

[Derek]

and see if you can find this file & folder    print$\eraseme_37080.exe

it is definitely part of the problem and is probably a rootkit hiding lots more

go to start/run and type services.msc press OK
when the screen opens scroll down to Remote Procedure Call (RPC) Helper right click and select properties and then on that page press stop service and then set the start up type to disabled, press ok a few times to get back to windows

be very careful to get the right one as there might be  several similar named ones there

00123

now open HJT press config/misc tools and select delete an NT service

paste this into the box & press OK

00123

then
Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily 

then

Run hijackthis, put a tick in the box  beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - C:\WINDOWS\system32\winvbie.dll (file missing)
O4 - HKLM\..\Run: [ms-update] scvhost.exe
O4 - HKLM\..\RunServices: [ms-update] scvhost.exe

now Start  killbox, go to options on the top bar and make sure remove directories is enabled and remove duplicates is UNCHECKED  paste the first file listed below into the full pathname and file to delete box

The  file name will appear in the window,  select delete on reboot , press the red X button, say yes to the prompt  and  NOto reboot now  then repeat for each file in turn

[Note: Killbox makes backups of all deleted files & folders in a folder called  C:\!killbox ] If Killbox tells you any files are missing don't worry but make a note and let us know in your next reply

C:\WINDOWS\System32\scvhost.exe

Then on killbox top bar press tools/delete temp files, in the pop up box  in the NT section select temp & temp internet & cookies only and in the 9x section select c:\windows\temp & c:\temp then  on the drop down user account box, select your account, then repeat for every user account on the computer   

then reboot & post a new HJT log and teh wpfind log

[Derek]

I want the svchost.exe BEFORE doinmg anything else please

[Mrs Twaddle]

do you want svchost now or after wpfind scan?

[Derek]

and read here
http://vil.nai.com/vil/content/v_125239.htm

after I've seen wpfind and if what I think MIGHT be there is there I will want some files to examine but I might suggest format & reinstall

I have never seen a service with the file running from an IP number & that suggests a complete take over of your system if he is able to do that

[Derek]

do you want svchost now or after wpfind scan?

NOT SVCHOST but SCVHOST

[Mrs Twaddle]

Sorry typo

 now or after winpfind

[richard]

Looks like it was a good job it broke, otherwise this little swine might have gone undetected for quite a while...