userinit.exe file damaged?


#16 paulmo (Member, Topic Starter, 19 posts)
Hello,

That returns the following info:
"
The volume in drive C has no label
The volume Serial Number is 8096-17be

Directory of C:\WINDOWS\ERDNT

11/20/09 12:39a d------- 0 .
11/20/09 12:39a d------- 0 ..
11/20/09 10:37p d------- 0 18-11-2009
11/20/09 10:42p d------- 0 19-11-2009
11/20/09 10:10p d------- 0 cache
11/20/09 12:30a -a------ 110 CFrecovery.bat
11/20/09 09:52p d------- 0 Hiv-backup
11/20/09 12:30a d------- 0 subs

8 file(s) 110 bytes
111764025344 bytes free
"

Best wishes / Paul

#17 wannabe1 (Tech Staff, Technician, 16,645 posts)
Good job...let's go back to the day before it started blue screening.

At the prompt, type each of the following, pressing Enter after each:

cd 19-11-2009
batch erdnt.con

After you input the second command you should see several files copied. Once this completes, type exit and press Enter. Let the machine try to boot normally.

#18 paulmo (Member, Topic Starter, 19 posts)
Good news!

That enabled 10 files to be copied.

The reboot initially led to a similar blue screen. Same one as last time, but with different technical information:

"
Technical information:

*** STOP: 0x0000007E (0xc0000005, 0xF76F32B2, 0xF7B94460, 0xF7B94160)

*** FLTMGR.SYS - Address F76F32B2 base at F76DB000, DateStamp 480251da

"

However I'm pleased to say that a subsequent reboot in safe mode was successful. I'm very pleased to see my files again - particularly the photos. My inclination at the moment is to back-up photos. If I did this, could the virus/trojan/baddies be contained within the photo files (jpegs)? Should I resist the urge to back these up until further tests are undertaken?

I don't know if this is relevant, but the safe mode reboot stayed on the 'Windows is starting up...' screen for much longer than usual (minutes) before eventually leading to normal safe mode.

I haven't connected the infected computer to the web yet as I recall from (I think) the instructions by admin that you directed to me earlier that it may be vulnerable to further attack after repair.

I haven't worked out how to check that the firewall is on from within safe mode.

Pleased to see that we're making progress

Thanks again! / Paul
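
The STOP line above already carries most of what wannabe1 later asks for (a file name, and whether the fault is reproducible). The following is an added example, not code from the thread or from any Microsoft tool: it parses the two "Technical information" blocks Paul quotes in this thread (posts #18 and #27, embedded here as sample input), decodes the 0x7E bug check's first parameter as an NT exception code, subtracts the module base from the faulting address to get the offset inside FLTMGR.SYS, and converts the DateStamp (a PE link timestamp) to a build date. The code-name tables cover only the codes that appear on this page; the dictionary keys and helper names are this example's own.

```python
import re
from datetime import datetime, timezone

# Sample input: the two STOP blocks quoted in posts #18 and #27 of this thread,
# copied verbatim (note the "baseat" typo in the second one).
STOP_TEXTS = [
    """*** STOP: 0x0000007E (0xc0000005, 0xF76F32B2, 0xF7B94460, 0xF7B94160)
*** FLTMGR.SYS - Address F76F32B2 base at F76DB000, DateStamp 480251da""",
    """*** STOP: 0x0000007E (0xC0000005, 0xF76E52B2, 0xF7B86460, 0xF7B86160)
*** FLTMGR.SYS - Address F76E52B2 baseat F76CD000, DateStamp 480251da""",
]

STOP_RE = re.compile(
    r"\*\*\* STOP: 0x([0-9A-Fa-f]{8}) \(0x([0-9A-Fa-f]+), 0x([0-9A-Fa-f]+), "
    r"0x([0-9A-Fa-f]+), 0x([0-9A-Fa-f]+)\)")
# "base\s*at" tolerates the "baseat" transcription in the second report.
MODULE_RE = re.compile(
    r"\*\*\* (\S+) - Address ([0-9A-Fa-f]+) base\s*at ([0-9A-Fa-f]+), "
    r"DateStamp ([0-9A-Fa-f]+)")

# Partial lookup tables: only the codes that occur on this page.
BUGCHECKS = {0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED"}
EXCEPTIONS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}


def parse_stop(text):
    """Decode one BSOD 'Technical information' block into a dict."""
    m = STOP_RE.search(text)
    if not m:
        raise ValueError("no STOP line found")
    code, p1, p2, p3, p4 = (int(x, 16) for x in m.groups())
    rec = {"bugcheck": code,
           "bugcheck_name": BUGCHECKS.get(code, "unknown"),
           "params": (p1, p2, p3, p4)}
    if code == 0x7E:
        # For 0x7E: param 1 = exception code, param 2 = address that raised it,
        # params 3 and 4 = exception record and context record addresses.
        rec["exception"] = p1
        rec["exception_name"] = EXCEPTIONS.get(p1, "unknown")
        rec["fault_address"] = p2
    mm = MODULE_RE.search(text)
    if mm:
        name, addr, base, stamp = mm.groups()
        rec["module"] = name.lower()
        rec["module_base"] = int(base, 16)
        rec["module_datestamp"] = int(stamp, 16)
        # Base-relative offset: stable across reboots even when the driver is
        # loaded at a different address, so it identifies the crashing code.
        rec["module_offset"] = int(addr, 16) - int(base, 16)
        rec["address_matches_fault"] = int(addr, 16) == rec.get("fault_address")
    return rec


def build_date(rec):
    """DateStamp is the PE link time in seconds since the Unix epoch."""
    ts = datetime.fromtimestamp(rec["module_datestamp"], timezone.utc)
    return ts.strftime("%Y-%m-%d")


def same_crash_site(records):
    """True when every crash is in the same module build at the same offset."""
    sites = {(r.get("module"), r.get("module_datestamp"), r.get("module_offset"))
             for r in records}
    return len(sites) == 1


if __name__ == "__main__":
    recs = [parse_stop(t) for t in STOP_TEXTS]
    for r in recs:
        print(f"{r['bugcheck_name']}: {r['exception_name']} in {r['module']}"
              f"+0x{r['module_offset']:X} (built {build_date(r)})")
    print("same crash site:", same_crash_site(recs))
```

Run against the two reports, both resolve to fltmgr.sys+0x182B2 in a build dated 2008-04-13: the module moved in memory between boots, but the exception is raised at the same instruction each time, which is what you would expect from a deterministic driver-level conflict rather than from flaky hardware.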

#19 wannabe1 (Tech Staff, Technician, 16,645 posts)
You should be able to back up pictures and documents without problems.

Do you have or have you had any Symantec (Norton) software installed on the machine?

#20 paulmo (Member, Topic Starter, 19 posts)
Thanks - I'll start backing up the photos

I don't think I've ever had Symantec (Norton) software on the machine. At least not in recent years (I've had the computer since April 2004).

I've had various free antivirus programmes on it over the years, so it's possible. Not in the last 3 years though.

Best wishes / Paul

#21 wannabe1 (Tech Staff, Technician, 16,645 posts)
Let's see if we can find where the conflict is. It's pretty obviously a driver or a service that's causing the BSODs.

While in Safe Mode, click Start, then Run...type msconfig and click Ok.

In the Configuration window, click on the "Services" tab. Tick the box at the bottom to "Hide all Microsoft services", then click on the "Disable All" button. Apply the change. Reboot.

When the machine starts, if it starts, you'll see a configuration change dialog window. Just click Ok to that for now if you see it.

Let us know if the machine will boot normally with these services disabled.

If the machine fails to start normally, start it in Safe Mode again.

#22 paulmo (Member, Topic Starter, 19 posts)
Thanks wannabe1

I think it will take me 2 or 3 evenings to back things up using safe mode (foolishly I'd never made backup copies, so there are a few years' worth). Once I've done that, I'll try those instructions and will report back here.

I'd noticed that the sound stopped working on the infected computer a few days before the blue screens emerged, so presumably there was disruption to those drivers?

Many thanks for your help / Paul

#23 paulmo (Member, Topic Starter, 19 posts)
OK - I disabled those services. After reboot the blue screen reappeared when attempting to boot normally.

Should I continue to report the lines of technical information?

Safe mode still enables access. It takes much longer than usual to load in (about 4 mins on the 'Windows is starting up' screen).

I seem unable to transfer files between folders or to save to CD (I don't know if this is normal for safe mode). I can save to a USB key (one file at a time).

Best wishes / Paul

#24 wannabe1 (Tech Staff, Technician, 16,645 posts)
Safe Mode loads slowly...it's the nature of the beast.

Go back into msconfig and enable the services we disabled. Then click on the "General" tab and select "Diagnostic Startup"...apply the change and reboot. Will the machine boot normally using this configuration?

#25 paulmo (Member, Topic Starter, 19 posts)
Still bluescreens after those changes

Safe mode is still ok

Glad to hear that the slow loading is normal

#26 wannabe1 (Tech Staff, Technician, 16,645 posts)
In msconfig, you can set it back to Normal Boot.

This has got to be a driver...and one that's only used in normal mode.

When you see the BSOD, along with the stop code (0x000000xx), is there any mention of a file name?

Let's look at event viewer and see if there's anything in there that might shed some light on this. Click Start, then Run, type eventvwr.msc...click Ok.

In Event Viewer, in the left pane, click on "System". In the right pane, look for any errors (red icons). If there are any listed, right click on a couple of the most recent ones and choose "Properties". See if any make mention of a file name.

#27 paulmo (Member, Topic Starter, 19 posts)
Hello,
The current BSOD reads:
"
Technical information:
*** STOP: 0x0000007E (0xC0000005, 0xF76E52B2, 0xF7B86460, 0xF7B86160)

*** FLTMGR.SYS - Address F76E52B2 base at F76CD000, DateStamp 480251da
"

When I run Event Viewer, and click on "System" in the left pane, there are 999 events listed

In each case, when I right-click, the Properties option comes up, but when I click on Properties nothing happens. Similarly, going to 'Action' and then clicking Properties doesn't open anything. I tried saving the log as a text file, which reveals a bit more detail - info from these log files is copied in brackets below:

The events listed include:

two warnings from 24/11/09 which list 'disk' as source and give an event number '51'
(log: An error was detected on device \Device\Harddisk1\D during a paging operation.)

an error from 23/11/09 which lists 'atapi' as source and gives an event number '9'
(log: The device, \Device\IdePort1, did not respond within the timeout period.)

five errors from 20/11/09 which list 'Service Control Manager' as source and give event numbers '7034', '7031'
(log: The KService service terminated unexpectedly. It has done this 1 time(s))
(log: The WMDM PMSP service terminated unexpectedly. It has done this 1 time(s))
(log: The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s))
(log: The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s))
(log: The Windows Defender service terminated unexpectedly. It has done this 1 time(s))
(log: The KService service terminated unexpectedly. It has done this 1 time(s))

a warning from 20/11/09 which lists 'E100B' as source and gives an event number '4'
(log: Adapter Intel® PRO/100 VE Network Connection: Adapter Link Down )

eight further errors from 20/11/09 which list 'Service Control Manager' as source and give event numbers '7000' or '7009'
(log: The KService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.)
(log: Timeout (30000 milliseconds) waiting for the KService service to connect)
(same log messages repeated for the Creative Service for CDROM Access service, the Bonjour Service, and the Apple Mobile Device service)

three warnings from 25/10/09 which list 'WinDefend' as source and give event numbers of either '1006' or '3004'
(log: Windows Defender scan has detected spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft....threatis=142163
Path Found: process:pid:412;file:C:\WINDOWS\system32\xa.tmp )

no errors are listed before that time

Best wishes / Paul
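
Reading the exported System log by hand, as Paul did above in response to wannabe1's Event Viewer instructions in #26, works for a handful of entries but not for 999. The following is an added example, not code from the thread or from any Microsoft tool: it parses a tab-separated Event Viewer text export and pulls out the three things worth separating in this thread. The first is the Service Control Manager 7031/7034 entries, grouped into time clusters, so that several protection services (Microsoft Antimalware, Ad-Aware, Windows Defender) dying within seconds of each other stands out from an ordinary single-service crash. The second is the WinDefend 1006/3004 detections, with the reported file path extracted. The third is the Disk 51 and atapi 9 storage errors, which point at hardware rather than malware and should be triaged separately. The sample log is constructed here, modelled on the sources, event IDs and messages Paul lists; the times, the computer name and the helper names are this example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of an Event Viewer "Save Log File As... Text"
# export: tab-separated Type, Date, Time, Source, Category, Event, User,
# Computer, Description. Sources, event IDs and messages follow post #27 of
# this thread; the times and the computer name PAULPC are invented.
SAMPLE_LOG = """\
Warning	24/11/2009	21:02:11	Disk	None	51	N/A	PAULPC	An error was detected on device \\Device\\Harddisk1\\D during a paging operation.
Error	23/11/2009	20:15:40	atapi	None	9	N/A	PAULPC	The device, \\Device\\IdePort1, did not respond within the timeout period.
Error	20/11/2009	22:41:03	Service Control Manager	None	7034	N/A	PAULPC	The KService service terminated unexpectedly.  It has done this 1 time(s).
Error	20/11/2009	22:41:03	Service Control Manager	None	7034	N/A	PAULPC	The WMDM PMSP service terminated unexpectedly.  It has done this 1 time(s).
Error	20/11/2009	22:41:04	Service Control Manager	None	7034	N/A	PAULPC	The Microsoft Antimalware Service service terminated unexpectedly.  It has done this 1 time(s).
Error	20/11/2009	22:41:04	Service Control Manager	None	7034	N/A	PAULPC	The Lavasoft Ad-Aware Service service terminated unexpectedly.  It has done this 1 time(s).
Error	20/11/2009	22:41:05	Service Control Manager	None	7031	N/A	PAULPC	The Windows Defender service terminated unexpectedly.  It has done this 1 time(s).
Warning	25/10/2009	09:12:30	WinDefend	None	1006	N/A	PAULPC	Windows Defender scan has detected spyware or other potentially unwanted software. Path Found: process:pid:412;file:C:\\WINDOWS\\system32\\xa.tmp
"""

FIELDS = ("type", "date", "time", "source", "category", "event_id",
          "user", "computer", "description")


def parse_log(text):
    """Parse the tab-separated export into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            continue  # header or malformed line
        ev = dict(zip(FIELDS, parts))
        ev["when"] = datetime.strptime(ev["date"] + " " + ev["time"],
                                       "%d/%m/%Y %H:%M:%S")
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return sorted(events, key=lambda e: e["when"])


SCM_TERMINATED = re.compile(r"The (.+?) service terminated unexpectedly")
# Substrings that mark a service as security software; extend for your estate.
SECURITY_HINTS = ("antimalware", "defender", "ad-aware", "antivirus",
                  "firewall", "security")


def service_terminations(events):
    """(time, service name) for every SCM 7031/7034 'terminated unexpectedly'."""
    out = []
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["event_id"] in (7031, 7034):
            m = SCM_TERMINATED.search(ev["description"])
            if m:
                out.append((ev["when"], m.group(1)))
    return out


def security_kill_clusters(events, window=timedelta(minutes=5), min_security=2):
    """Group terminations that fall within `window` of the first one in the
    group, and keep groups in which at least `min_security` security products
    died together. Unrelated protection services crashing within seconds of
    each other is the pattern to look for after an infection."""
    clusters, current = [], []
    for when, name in service_terminations(events):
        if current and when - current[0][0] > window:
            clusters.append(current)
            current = []
        current.append((when, name))
    if current:
        clusters.append(current)
    flagged = []
    for c in clusters:
        sec = [n for _, n in c if any(h in n.lower() for h in SECURITY_HINTS)]
        if len(sec) >= min_security:
            flagged.append({"start": c[0][0], "end": c[-1][0],
                            "services": [n for _, n in c],
                            "security_services": sec})
    return flagged


DEFENDER_PATH = re.compile(r"file:([^;\s]+)")


def defender_detections(events):
    """File paths named in WinDefend detection events (IDs 1006 and 3004)."""
    paths = []
    for ev in events:
        if ev["source"] == "WinDefend" and ev["event_id"] in (1006, 3004):
            m = DEFENDER_PATH.search(ev["description"])
            if m:
                paths.append(m.group(1))
    return paths


def storage_errors(events):
    """Disk 51 and atapi 9 entries: a failing drive or cable, not malware."""
    return [(ev["when"], ev["source"], ev["event_id"]) for ev in events
            if (ev["source"].lower(), ev["event_id"]) in {("disk", 51), ("atapi", 9)}]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for c in security_kill_clusters(evs):
        print(f"{c['start']} .. {c['end']}: {len(c['services'])} services died, "
              f"security: {', '.join(c['security_services'])}")
    print("Defender detections:", defender_detections(evs))
    print("Storage errors:", storage_errors(evs))
```

On a real export, point parse_log at the saved .txt and lower min_security to 1 if the machine only runs one product. The 20/11/09 cluster and the xa.tmp detection a month earlier belong to the malware timeline; the Disk 51 and atapi 9 entries from 23 and 24 November are a separate question about the drive that is worth checking before any further repair writes to it.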