Haxdoor virus? STOP: 0x0000008e

[Bryan G]

I can't boot, I get to the start up screen with the Widnows XP logo for about 5 seconds then I get a BSOD: STOP: 0x0000008e.

I put another hard drive in a did a clean install and everything was OK so I know it's not the memory or hardware. My problem is I don't want a clean install, I want that copy of Windows back up and running.

I also did a Windows repair and it doesn't help.

I made a clone of this OS so I can play around with it and if I mess it up I can start over, my problem is, I don't know where to start....

[1972vet]

Quote:

Originally Posted by Bryan G

I can't boot, I get to the start up screen with the Widnows XP logo for about 5 seconds then I get a BSOD: STOP: 0x0000008e.

I put another hard drive in a did a clean install and everything was OK so I know it's not the memory or hardware. My problem is I don't want a clean install, I want that copy of Windows back up and running.

I also did a Windows repair and it doesn't help.

I made a clone of this OS so I can play around with it and if I mess it up I can start over, my problem is, I don't know where to start....

Can you boot to safe mode?

[Bryan G]

Quote:

Originally Posted by 1972vet

Can you boot to safe mode?

nope, can't boot to safe mode.

I am looking for a way to remove this with the windows recovery console or something that can scan on boot.

[1972vet]

Well the recovery console would be fine for us to use if we new for sure what we were targeting. Haxdoor is just one of a myriad of possibilities...

Let's try a boot CD.

In the infected system, make sure the boot sequence menu is set to boot from the CD-ROM drive...then follow the instructions below. When finished with them, you will return to this non-working system with a bootable CD that will scan the system for malicious software.

Please download Avira Antivir Rescue System.

Insert a blank CD into your CD-ROM drive, double-click on the rescue system package...then click the Burn CD button. When completed, remove the CD and insert it into the non-working operating system. Reboot the computer.

Allow the scan to complete and post back your results. Thanks!

[Bryan G]

that took a long time, now how do I get the log out of the PC that won't boot so I can post it here?

[Bryan G]

OK, maybe I misunderstood what you meant by results. I had the settings set to just scan and it showed the results. Now I set it to removed or rename infections and I'm running it again, then I'll let you know if it fixed my problem.

[Bryan G]

OK! Great! Thank you so much, I got to the log in screen now with no BSOD. Now I have a new problem, as soon as It logs me on it logs me right back off, even in safe node. I've had this problem before and should be able to fix it.

Thank you for your help

[1972vet]

Try logging on as "Administrator" in either mode. Tell us what happens. Thanks!

[Bryan G]

Quote:

Originally Posted by 1972vet

Try logging on as "Administrator" in either mode. Tell us what happens. Thanks!

I tried that, just logs me right back out as soon as it logs on..

In recovery console I typed c:windows\system32 then did a dir and found the userinit.exe and wsaupdater.exe are missing, I used this fix:

Code:

In recovery console from 
D: CD I386
I typed:
EXPAND USERINIT.EX_ C:\WINDOWS\SYSTEM32

Now I can log in, but after the wallpaper is visible, it stops. I have a cursor and it moves but no right click, no taskbar, can't ctrl-alt-del, no desktop icons. I've had this problem before also, just can't remember what I did....

I'm about ready to do a windows repair from the CD....

[Bryan G]

OK, just for the heck of it I thought I'd look to see is explorer.exe is in C:\windows and I found it's been renamed to explorer.exe.XXX and there are also many other files with the .XXX added to the end of them.

[1972vet]

OK, let's get busy cleaning up the malware now...
Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt
New HijackThis log.

[Bryan G]

I already ran the windows recovery and have the desktop back. I'm removing the malware now. I should be all set, I hope.

I want to thank you for the help, you got me out of a jam.

[1972vet]

Are you so certain that you KNOW what is and is not malware?

[Bryan G]

Quote:

Originally Posted by 1972vet

Are you so certain that you KNOW what is and is not malware?

I just don't want to waist your time, you don't get paid for this help. I'll get this as clean as I can. If it's ok I'd like your help to see if it's all cleaned up when I'm done. I'd rather not waist your time until I need it.

[1972vet]

Sorry to disagree but my time is only wasted when/if a user chooses not to comply with the instructions provided.

Are you getting paid for the work you are doing with that system?

[Bryan G]

Quote:

Originally Posted by 1972vet

Sorry to disagree but my time is only wasted when/if a user chooses not to comply with the instructions provided.

Are you getting paid for the work you are doing with that system?

Would it be ok if I sent you a short PM before we continue?

[Bryan G]

never mind the PM, I'm following your steps but I'm having trouble. I started the combofix and it downloaded the recovery console then the PC froze. Now when I try to run combofix and it tries to download the recovery console it tells me I have no internet connection but the local area connection says I'm connected.

So I'm stuck now. I guess I should go ahead and just run combo fix for now but I want to wait until you tell me what to do next.

[Bryan G]

Edited: changed my mind.

[Bryan G]

well, combofix don't work. It gets to the point where it says "Scanning for infected files..." and just sits there.

[1972vet]

Quote:

...It gets to the point where it says "Scanning for infected files..." and just sits there.

Combofix works just fine. On a very badly infected machine, which I'm convinced your is, combofix may take quite a while to complete. Did you wait long enough?