Hi! I’m new here and sure hope you can help me. Apologies in advance for the length of this post but I want to include as much info for you as I can. We’re running Windows XP Media Center Edition with SP2 on a Dell Dimension, and use Trend Micro PC-cillin for virus/spyware protection. We recently returned from vacation to find a very sick computer, thanks to a well-meaning-but-not-very-computer-savvy friend. There were at least four different (bogus) Windows Security warnings that popped up repeatedly, and when we tried to access Internet Explorer, our homepage was redirected (unsuccessfully, thanks to PC-cillin) to “softwarereferral.com” or “safenavweb.com”.

I ran a virus/spyware scan but didn’t find anything. I installed, updated and ran Ad-Aware Plus, which didn’t find anything either.

Then I found your site. I initially thought Zlob was the problem, so I followed the Option 1 instructions on “How to Remove Zlob.trojan.Media-Codec, Goldcodec, Silvercodec, Braincodec” -- I downloaded SmitfraudFix (by S!Ri), removed the infected files it found, and saved the textfile log.

The problems persisted, though, so I then found your instructions on Malware Removal (“You Must Read This Before Posting a Hijackthis Log”).

1. I downloaded and ran ATF-Cleaner.exe. I then created a new System Restore point.
2. I downloaded and ran Malwarebytes’ Anti-Malware. It found and removed about ten things, and I saved the log.
3. I downloaded and ran SUPERAntiSpyware Home Edition. After 2.5 hrs, it found an additional five things which it quarantined; I successfully rebooted and everything was looking great! No more warning pop-ups, no more homepage redirection. I copied and saved the log information.
4. I went to the Online - Panda ActiveScan site. There was no “Scan your PC” button, just a “Scan Now” or a “Register” button. I registered, then clicked the “Scan Now” button; I believe it installed an ActiveX component (which your instructions said was OK), but I couldn’t get the scan started. I wasn’t too concerned because I really thought I was out of the woods at this point. I’d found and cleaned Winifixer, Rogue.VirusIsolator, Zlob, (maybe others but those are the ones I remember), so I proceeded to the next step.
5. Windows Update – I found a critical update for Windows XP Service Pack 3, which I installed. When I rebooted, I got the following blue screen message:

A problem has been detected and Windows has been shut down to prevent damage to your computer.

An attempt was made to execute non-executable memory.

If this is the first time you’ve seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:

***STOP: 0x000000FC (0xF7AA98E8, 0xF7AA9848, 0x00000001)

Rebooting in safe mode brings up the same stop screen and I either can’t or don’t know how to do anything else from there. Too late, I read your warning about installing SP2 if malware is still present. I’m guessing that warning applies to SP3 as well and that there was still some malware present when I installed SP3.

I’d gladly send you the logs but at this point I can’t get to them. So I’m stuck -- what do I do now (besides cry in frustration)?

Can you get into Normal or Safe Mode ?

Thanks for replying - I really appreciate the help!

If I just turn on the computer and don’t do anything else, I first get a Dell screen for about a second, then a black screen that says:

We apologize for the inconvenience, but Windows did not start successfully. A recent hardware of software change might have caused this.

If your computer stopped responding, restarted unexpectedly, or was automatically shut down to protect your files and folders, choose Last Known Good Configuration to revert to the most recent settings that worked.

If a previous startup attempt was interrupted due to a power failure or because the Power or Reset button was pressed, or if you aren’t sure what caused the problem, choose Start Windows Normally.

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Last Known Good Configuration
Start Normally

If instead I start the computer and hit F8, I am able to get to the black screen with the Windows Advanced Options menu.

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Enable boot login
Enable VGA mode
Last Known Good Configuration
Directory Services Restore Mode (Windows Domain Controllers only)
Debugging mode
Disable automatic restart on system failure
Start Windows Normally
Reboot
Return to OS choices menu

From there, I’m given a choice of operating systems – WindowsXP Media Center Edition is the only option.

Starting either way, if I choose Safe Mode, I get lots of lines of white text like:

multi (0),disk (0), rdisk (0), partition(2)\WINDOWS\System 32\Drivers\ (etc, etc)

Then I get a blue screen / stop error indicating Page_fault_in_nonpaged_area, with the following technical information line:

0x00000050 (0xFFFFFF96, 0x00000000, 0xF7AFB8E8, 0x00000000)

If instead I choose either Last Know Good Configuration or Start Normally, I get the Windows startup screen for a few seconds, then the blue screen / stop error (text in previous post) indicating that an attempt was made to execute non-executable memory, with the following technical information line:

0x000000FC (0xF7AA98E8, 0x07354963, 0xF7AA9848, 0x00000001)

Do you have an AMD processor ?

I don't think this is malware related

Here's all the tech info on my system:

MS Windows XP Media Center Edition 2005 running on Dell Dimension E510
Intel Pentium 4 Processor 630 with HT Technology (3.0 GHz)
1 GB DDR2 SDRAM at 533 MHz
160GB Serial ATA Hard Drive (7200RPM)
256MB ATI Hyper Memory PCI-Express X16 (DVI/VGA/TV out) Radeon X600 SE video card
Intel Pro 100M Integrated PCI NIC Card
Trend Micro PC-cillian anti-virus & anti-spyware

Thanks!

Ok I would recommend that you post this problem in the Windows XP forum

Tell them I sent you over

Once they have you logging back in, come back here and we will remove the malware

Many thanks for your help and advice - with a little luck I'll be back soon!