Er......this really sucks. Help, please?

[DavidR]

The malware may have deleted the SafeBoot registry keys.
Here are some options to restore them:

http://didierstevens.wordpress.com/2006/06/26/restoring-safeboot/
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

[oldman]

could not get my PC to boot up in safemode and it wasn't for lack of trying, so I could not run SDFix as was specified. Can I run it in normal mode?

The program was designed for safe mode.

Did you get errors? system lock up? etc


edit: Good thought DavidR

alex are you using a usb keyboard?

[alex1234]

Nope, I do not have a USB-anything hooked up.

This is related to my (separate?) problem of not being able to boot up XP; it extends to not being able to boot in Safe Mode, or Last Good Configuration, etc.

This is the most succinct description I have found so far:

Symptoms: 1. When booting in normal mode my windows XP system hangs after displaying the XP logo and progress bar. A black screen appears and then..
             or  2. When booting windows XP in safe mode the last driver that shows loaded is mup.sys. Then...
             or  3. Instead of XP freezing at mup.sys windows reboots itself repeatedly just after that driver loads.

from the site http://www.aitechsolutions.net/mupdotsysXPhang.html

Though in Symptom 1, my system can hang anywhere during the display of the XP logo and progress bar, and during loading of the desktop.

Again, I don't think this is related to this particular malware since this has been going on for months and months and was essentially the reason why I reformatted in the first place. And that didn't fix it for long, of course, though it was better for a time. That's why I've since thought it must be a hardware issue.

Incidentally, for professional curiosity's sake, it is much improved ever since my D: drive got marked with a dirty Chkdsk bit so that Chkdsk will often start after the XP logo disappears, and if I cancel it then XP will load successfully 1 time out of 5, whereas without this happening, XP loads successfully 1 time out of 50.

So in the first link that DavidR just posted, I don't think it'll help me in this case because I do not have any restore points prior to this particular malware, in fact the oldest one I have is Oct. 30, 2007. As for the second link, maybe I can try it but in all honesty I believe this problem separate. As well, the explanation on the link kinda went way over my head after a couple reads and I hesitate to apply fixes that I don't understand though I suppose it couldn't hurt.

[DavidR]

Now that you have described what happens when you try to get into safe mode, it doesn't sound like malware blocking the safe boot as that normally doesn't allow you any progression to the logo.

[oldman]

I'm still looking for a resolution for not being able to boot to safe mode. I think somethin is still there and am hoping that the scan in safe mode will reveal it.

[oldman]

alex do you get a blue screen with a error code on it during a failed startup, or does your computer just attempt to restart?

If the later, turn off the auto restart

1. Go to Start -> Control Panel -> System (Windows key+Pause works, too)
2. Go to Advanced
3. Under the Startup and Recovery section, click Settings...
4. Under System Failure un-check "Automatically restart

Now a failed boot will give a BSOD with a error code. Write it down everything), post it, we may be able to determine your startup problems. You will have to manually restart your computer with the power button.

[mauserme]

This is related to my (separate?) problem of not being able to boot up XP; it extends to not being able to boot in Safe Mode, or Last Good Configuration, etc.

This is the most succinct description I have found so far:

Symptoms: 1. When booting in normal mode my windows XP system hangs after displaying the XP logo and progress bar. A black screen appears and then..
             or  2. When booting windows XP in safe mode the last driver that shows loaded is mup.sys. Then...
             or  3. Instead of XP freezing at mup.sys windows reboots itself repeatedly just after that driver loads.

from the site http://www.aitechsolutions.net/mupdotsysXPhang.html

Though in Symptom 1, my system can hang anywhere during the display of the XP logo and progress bar, and during loading of the desktop.

...

Incidentally, for professional curiosity's sake, it is much improved ever since my D: drive got marked with a dirty Chkdsk bit so that Chkdsk will often start after the XP logo disappears, and if I cancel it then XP will load successfully 1 time out of 5, whereas without this happening, XP loads successfully 1 time out of 50.

See if running chkdsk in the recovery console helps.  It may take a long time and appear to hang so be patient.  I've done this successfully to clear the dirty bit and allow normal boots to either mode.

[oldman]

Hi alex

A bit more cleaning for you to do. Any progress on safe mode, or an error code?

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

First we must back up the entire registry.To do this

REGISTRY BACKUP

Go START > RUN and type in REGEDIT then press your enter key.
When Regedit is open ensure that 'my computer' is highlighted in the left pane.
Go to FILE and select EXPORT.
Check the 'all' button at the bottom of the screen to backup the entire registry.
You will need to select a location to save the exported registry (it will be saved as a single file) I would suggest the Desktop
Choose the FILE NAME as Oldreg
In the drop down box called SAVE AS TYPE select registration files (*.reg).
Then click SAVE
This will create a file on your desktop called Oldreg.reg 

REGISTRY FIX

Regedit4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Messenger Service"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Messenger Service"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]

Next you will need to create the repair registry fix to do that copy and paste ALL of the above in the quote box to a notepad file.  Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

After a reboot, could you run combofix and hjalex again and post the logs? We want to see if the keys are receated.

[Lisandro]

REGISTRY BACKUP

Go START > RUN and type in REGEDIT then press your enter key.
When Regedit is open ensure that 'my computer' is highlighted in the left pane.
Go to FILE and select EXPORT.
Check the 'all' button at the bottom of the screen to backup the entire registry.
You will need to select a location to save the exported registry (it will be saved as a single file) I would suggest the Desktop
Choose the FILE NAME as Oldreg
In the drop down box called SAVE AS TYPE select registration files (*.reg).
Then click SAVE
This will create a file on your desktop called Oldreg.reg 

This does not allow recovering. Just test. You won't be able to restore the registry file because Windows will block a lot of 'in-use' keys.
ERUNT is a good and fully working tool for XP\Vista registry backup and restore.
http://www.larshederer.homepage.t-online.de/erunt/

[oldman]

Thanks Tech, I was just about to post the link for ERUNT.

@alex

When doing the reg fix, use the program in Tech's post to backup your registry. Use either that link or this one.

http://www.snapfiles.com/get/erunt.html

Here's something that may help the safe boot situation.

Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe
It shall only take a short moment for it to finish running. A log shall be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply and let us know if you can access Safe Mode now?

[essexboy]

Agree with erunt but I keep forgetting to use it 

[Lisandro]

Agree with erunt but I keep forgetting to use it 

I set it as an automated task to run at startup (delayed).
It makes a backup every first boot of the day.

<path>\AUTOBACK.EXE <path>\#Date# /noconfirmdelete /noprogresswindow

[alex1234]

Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe
It shall only take a short moment for it to finish running. A log shall be produced at C:\SafeBoot_Repair.txt.

Attached.

do you get a blue screen with a error code on it during a failed startup, or does your computer just attempt to restart?

Neither really, at least not very often. I very very rarely get the blue screen, and an automatic restart occurs a little more frequently but still is rare. What happens almost always is that some time during the loading of Windows or the desktop, the screen will freeze, keyboard/mouse locks up, no error code at all.

I've just unchecked Automatic restart as instructed.

See if running chkdsk in the recovery console helps.  It may take a long time and appear to hang so be patient.

Can you give me an idea of how long it might take, please? I'm not impatient at all when it comes to stuff like this but with my PC freezing so much during these things, it's hard to know when it's frozen and when it's still chugging along. I have ran CHKDSK before (though not from the recovery console) and once I left it on overnight (eg. 12+ hours) and when I went back to it the next day, it was still stuck at the same line it had printed when I left it, something about inserting an entry into an index at location something something, or vice versa.

I have not rebooted since my last post, and will next try out what was posted, just wanted to post this first in case I'm unable to come back on here for some time afterwards.

[oldman]

thanks alex. Mauserme may be able to answer your question on the time frame. I'll try to decipher the log.

[alex1234]

This will create a fix.reg file on your desktop

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

At this step, I get an error from the Registry Editor:
Cannot import D:\Documents and Settings\Administrator\Desktop\fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.

I made sure there was no space.