RasMan keeps trying to run every 5 minutes, Windows freezing/crashing,

#31 mcs123 (Member, Topic Starter, 27 posts)
Looks like we're back to square one... I did as you suggested, I scheduled an error-check upon boot, and Windows never booted. It got stuck at the loading screen, as usual. However, there was constant action on the hard drive. Does error-check run BEFORE Windows has loaded? I have disabled Windows' bootskin/screen, could it be that the error-check is in process but I simply cannot see it? Instead I see the black screen with a blinking line at the top left corner.

In any case, after waiting for several minutes, I forced a reboot, and it got stuck again and again. In safe mode also. After several attempts I tried 'Use last known good configuration', and with that I was able to get Windows to load up, but it froze after logging on.

Do you think this strongly hints at hardware problems rather than something caused by malware, after all? I get crashes (not freezing, just immediate reboot) when opening certain applications at times (cd burner, SeaTools, Autoruns, Procmon etc.). I have run WinDiag to check memory, however, and SeaTools to check hard drives, and the main drive was OK.

Ah well, I need to try to figure out how I can enable the boot screen and see if it will enable me to view the error-check.
  • 0

#32 mcs123 (Member, Topic Starter, 27 posts)
A few things to report:

I made a backup of my registry before uninstalling/reinstalling TCP/IP protocol. Since it did not work, I tried to bring back my old registry, but when doing so it said: "filename.reg cannot be imported. All information was not written successfully into the registry. The system or some other process has opened keys" (loosely translated). Now I notice that when running Autoruns, A LOT of Microsoft files now say "Not verified" before the signature. I do not recall seeing this before.

I found out how to enable boot logging in Procmon. When I enabled it, however, I got a bluescreen (STOP: 0x000000F4).

Boot logging worked afterwards, and there were MANY mentions of Rasman. I did not know which to capture, and there were too many to capture all of them, so I took snippets from here and there, trying to capture as many different types of entries as possible, hoping one of them is related to the error entry (note: the entries appeared in the system event viewer at 07:22:40).

Please take a look at them if you can, and see if you're able to find anything alarming. If you think I should've included entries that either precede or follow the logs I've included, I have full boot logs, so I can dig out anything that's needed.

Thanks.

Attached Files


  • 0

#33 RKinner (Malware Expert, MVP, 20,031 posts)
Since this is XP and we have run Combofix it should have the recovery console installed.

Start, Settings, Control Panel, System, Advanced, Startup and Recovery - Settings, and change the Time to Display the List of Operating Systems from two to 10 seconds. OK

Now Reboot. When it gives you a choice between your regular XP and the Recovery Console, hit the down arrow to select the Recovery Console then Enter. You should get a black screen with a C:\> prompt. Type with an Enter after each line:

chkdsk /f c:

It should run check disk now.
  • 0

#34 mcs123 (Member, Topic Starter, 27 posts)

chkdsk /f c:

It says "Invalid Parameter". When using help function, it only displays the options /p and /r.

Did you mean /r?
  • 0

#35 RKinner (Malware Expert, MVP, 20,031 posts)
OK, right, use /r instead of /f. I'm not sure it needs the c:

http://en.wikipedia.org/wiki/CHKDSK
  • 0

#36 mcs123 (Member, Topic Starter, 27 posts)
OK. Done. It found various small errors but no damaged sectors. What's next?

Did you take a look at the Procmon logs?
  • 0

#37 RKinner (Malware Expert, MVP, 20,031 posts)
Don't see anything obvious in them. Will send you a PM so you can send me the whole log.

Check your memory using the free download on http://www.memtest86.com/ You want Ver 4.0a - Windows (zip) ISO image for creating bootable CD. Download it, Save it then right click and Extract All. Burn the .iso file to a bootable disk. I recommend you use free iso burner http://www.freeisoburner.com/ if you are not familiar with the process.

Then boot off the CD and let it run for several complete passes. Does it show any errors?


Try to reset the permissions by following my post on this other topic:

http://www.geekstogo...ost__p__2204894
  • 0

#38 RKinner (Malware Expert, MVP, 20,031 posts)
Something strange going on in this key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Let's look at it and the telephony service

Copy the next two lines:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s > \junk.txt
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony /s >> \junk.txt

Start, Run, cmd, OK then right click and Paste or Edit then Paste and the copied lines should appear. Hit Enter.

Now attach the file c:\junk.txt
  • 0
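As an added example (not part of this thread and not written by either participant), the script below parses the text that `reg query <key> /s` writes into a file like the junk.txt requested above and flags Winlogon values that differ from a stock XP baseline: a Shell other than Explorer.exe, extra programs chained onto Userinit, and Notify packages outside the set an XP SP3 install normally carries. The sample output, the "extra_hook.exe" and "ExampleNotify" entries, and the baseline list are constructed assumptions for illustration; adjust the baseline to the machine being examined.

```python
"""Parse 'reg query <key> /s' output and flag non-baseline Winlogon values.

Added example; the sample below is constructed and is not the poster's junk.txt.
"""
import re

# Constructed sample in the layout 'reg query ... /s' prints. XP separates the
# columns with tabs and later Windows versions with spaces; the regex accepts both.
# The extra Userinit program and the ExampleNotify package are invented anomalies.
SAMPLE_REG_OUTPUT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\example\extra_hook.exe
    UIHost    REG_EXPAND_SZ    logonui.exe
    System    REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    DLLName    REG_SZ    wlnotify.dll
    Asynchronous    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleNotify
    DLLName    REG_SZ    example_notify.dll
    Asynchronous    REG_DWORD    0x0
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Baseline assumed for a stock XP SP3 install (assumption; vendor drivers such as
# display utilities may legitimately add their own Notify package).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT_SUFFIX = r"\system32\userinit.exe"
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# One value line: indent, name, registry type, optional data.
VALUE_RE = re.compile(
    r"^\s+(.+?)\s+(REG_(?:EXPAND_|MULTI_)?SZ|REG_DWORD|REG_QWORD|REG_BINARY|REG_NONE)\s*(.*)$"
)


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from reg query /s output."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank line or the '! REG.EXE VERSION' banner
        if line.startswith("HKEY_"):
            current = line.strip()  # key paths are printed flush-left
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, reg_type, data = m.groups()
            keys[current][name] = (reg_type, data.strip())
    return keys


def check_winlogon(keys):
    """Return a list of human-readable findings for values outside the baseline."""
    findings = []
    values = keys.get(WINLOGON, {})

    shell = values.get("Shell", ("", ""))[1]
    if shell.lower() != EXPECTED_SHELL:
        findings.append("Shell is %r, expected %r" % (shell, EXPECTED_SHELL))

    # Userinit is a comma-separated list; anything beyond userinit.exe runs at logon.
    userinit = values.get("Userinit", ("", ""))[1]
    programs = [p.strip() for p in userinit.split(",") if p.strip()]
    if len(programs) != 1 or not programs[0].lower().endswith(EXPECTED_USERINIT_SUFFIX):
        findings.append("Userinit is %r: extra or unexpected program" % userinit)

    # Each Notify subkey names a DLL loaded into winlogon.exe at logon events.
    notify_prefix = WINLOGON + "\\Notify\\"
    for path, vals in keys.items():
        if path.startswith(notify_prefix):
            package = path[len(notify_prefix):]
            dll = vals.get("DLLName", ("", ""))[1]
            if package.lower() not in KNOWN_NOTIFY:
                findings.append("Notify package %r (DLLName=%r) not in baseline" % (package, dll))
    return findings


if __name__ == "__main__":
    for finding in check_winlogon(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print(finding)
```

To run it against a real dump, replace SAMPLE_REG_OUTPUT with the contents of junk.txt (reg query on XP writes it in the console code page, so open it with the matching encoding) and compare every finding against what is actually installed before treating it as malicious; the baseline is deliberately strict so that vendor add-ons show up for review.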

#39 mcs123 (Member, Topic Starter, 27 posts)
It gave an error when running the commands: "Error: Access is denied in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials" but it still wrote something in the junk.txt. Let me know if you find anything unusual there.

Note that I had just run the permission reset that you recommended (it indicated a few failures) a while before. Did it have an effect regarding that?

Also, I ran the memtest for over an hour. No errors.

Attached Files

  • Attached File  junk.txt   82.66KB   107 downloads

Edited by mcs123, 14 September 2012 - 11:38 AM.

  • 0

#40 RKinner (Malware Expert, MVP, 20,031 posts)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials apparently only has System permission but I went into it by adding Administrator in the permissions and giving it full control but there is nothing there other than (default) and (Value not set).

The Telephony stuff is exactly the same as mine.

The Winlogon is showing SuperAntiSpyware. Do you still have that installed?

Does your PC have the group policy editor?

Start, Run, gpedit, OK

Does it come up?

You can forget the permissions thing if we have already done that.
  • 0

#41 mcs123 (Member, Topic Starter, 27 posts)
It gives an error message and says no such thing found when trying to run gpedit.

SuperAntiSpyware's installation probably got removed when I ran the Repair Installation of Windows off the XP CD.
  • 0

#42 mcs123 (Member, Topic Starter, 27 posts)
Well, what's the next step? Resetting permissions has not stopped RasMan from trying to run at startup.
  • 0

#43 RKinner (Malware Expert, MVP, 20,031 posts)
I'm still looking for something. Since you have winrar, send me a copy of your registry backup.
  • 0

#44 mcs123 (Member, Topic Starter, 27 posts)
OK, I've sent it.
  • 0

#45 RKinner (Malware Expert, MVP, 20,031 posts)
Got both. Won't be able to do much tonight. Hopefully tomorrow.
  • 0
