Help! Can't boot even to safe mode. Can't re-install OS. 0xc000

dlevy

Hi all,



I'm hoping some experts are on the discussion group here because I am

getting close to a dead end. I am trying to help a friend restore his

Windows XP installation. It's a real doozie. He has a very expensive CAD

program on it and wants to avoid at all costs wiping the hard drive clean and

losing the program -- for which he has no installation software... (I know,

that was a dumb thing to lose the installation software, but it's been my

experience that it's all too common among the non-geek population...)



--This is a Dell laptop, but there is no recovery partition on the hard

drive, as far as I can tell. My friend said the OS was re-installed on it a

while back by a non-Dell technician. The disk info says 'volume created

3/25/09', so that sounds like it's what happened. It's a Dell Inspiron 6400

laptop, running Windows XP Pro, Spanish language version, purchased in

Argentina.

--The computer will not boot normally, nor to safe mode. In either mode, it

generates two pop-ups, both of which say: "The application failed to

initialize properly (0xc0000006). Click on OK to terminate the application"

(the equivalent of that, in Spanish). After clicking 'okay', the Windows

desktop appears but there are no icons or taskbar. The only thing I can do

is pull up the task manager, which shows about a dozen processes running.

Needless to say, explorer.exe is not one of them...

--I ran a short Dell diagnostics program before the BIOS POST. It threw up

a "DST Short Status Test fail, error code 1000-0146" (DST=drive self test).

But I think that's a red herring. I've read that the msg only means that the

log files shows an event.

--I ran CHKDSK using my own copy of the Win XP installation CD. It found an

error on the first check, then found no errors on the next two checks. So,

as far as I can tell, the hard drive is not failing.



I have looked over this article

"How to recover from a corrupted registry that prevents Windows XP from

starting"

http://support.microsoft.com/kb/307545



This seems like the direction I want to head in. But my questions are:



--Given the symptoms, would it make sense that the problem might be a

corrupted Windows registry?

--The MS support article says off-handedly, "This registry [that you are

restoring] was created and saved during the initial setup of Windows XP.

Therefore any changes and settings that occurred after the Setup program was

finished are lost." Well, that's a BIG problem. The whole point is to save

my friend's CAD program. If I am rolling back the system to the day it came

off the factory floor, then I might as well re-install the OS. Is there a

way to just roll back the system to a restore point, say a month or two ago?



Thanks in advance to thoughtful and well-informed replies.



Sincerely,



David Levy

Washington, DC
 
dlevy wrote:

> Hi all,

>

> I'm hoping some experts are on the discussion group here because I am

> getting close to a dead end. I am trying to help a friend restore his

> Windows XP installation. It's a real doozie. He has a very expensive CAD

> program on it and wants to avoid at all costs wiping the hard drive clean and

> losing the program -- for which he has no installation software... (I know,

> that was a dumb thing to lose the installation software, but it's been my

> experience that it's all too common among the non-geek population...)

>

> --This is a Dell laptop, but there is no recovery partition on the hard

> drive, as far as I can tell. My friend said the OS was re-installed on it a

> while back by a non-Dell technician. The disk info says 'volume created

> 3/25/09', so that sounds like it's what happened. It's a Dell Inspiron 6400

> laptop, running Windows XP Pro, Spanish language version, purchased in

> Argentina.

> --The computer will not boot normally, nor to safe mode. In either mode, it

> generates two pop-ups, both of which say: "The application failed to

> initialize properly (0xc0000006). Click on OK to terminate the application"

> (the equivalent of that, in Spanish). After clicking 'okay', the Windows

> desktop appears but there are no icons or taskbar. The only thing I can do

> is pull up the task manager, which shows about a dozen processes running.

> Needless to say, explorer.exe is not one of them...

> --I ran a short Dell diagnostics program before the BIOS POST. It threw up

> a "DST Short Status Test fail, error code 1000-0146" (DST=drive self test).

> But I think that's a red herring. I've read that the msg only means that the

> log files shows an event.

> --I ran CHKDSK using my own copy of the Win XP installation CD. It found an

> error on the first check, then found no errors on the next two checks. So,

> as far as I can tell, the hard drive is not failing.

>

> I have looked over this article

> "How to recover from a corrupted registry that prevents Windows XP from

> starting"

> http://support.microsoft.com/kb/307545

>

> This seems like the direction I want to head in. But my questions are:

>

> --Given the symptoms, would it make sense that the problem might be a

> corrupted Windows registry?

> --The MS support article says off-handedly, "This registry [that you are

> restoring] was created and saved during the initial setup of Windows XP.

> Therefore any changes and settings that occurred after the Setup program was

> finished are lost." Well, that's a BIG problem. The whole point is to save

> my friend's CAD program. If I am rolling back the system to the day it came

> off the factory floor, then I might as well re-install the OS. Is there a

> way to just roll back the system to a restore point, say a month or two ago?

>

> Thanks in advance to thoughtful and well-informed replies.




In the Task Manager click on File -> New Task (Run...) and from there

you can try to launch programs or commands, try to launch Explorer.exe

from there and see what happens. From the same location you can launch

the Event Viewer (Eventvwr.msc) and see if there is anything useful in

the System Log.



John
 
On Jun 5, 4:57 pm, dlevy wrote:

> Hi all,

>

> I'm hoping some experts are on the discussion group here because I am

> getting close to a dead end.  I am trying to help a friend restore his

> Windows XP installation.  It's a real doozie.  He has a very expensive CAD

> program on it and wants to avoid at all costs wiping the hard drive clean and

> losing the program -- for which he has no installation software...  (I know,

> that was a dumb thing to lose the installation software, but it's been my

> experience that it's all too common among the non-geek population...)

>

> --This is a Dell laptop, but there is no recovery partition on the hard

> drive, as far as I can tell.  My friend said the OS was re-installed on it a

> while back by a non-Dell technician.  The disk info says 'volume created

> 3/25/09', so that sounds like it's what happened.  It's a Dell Inspiron 6400

> laptop, running Windows XP Pro, Spanish language version, purchased in

> Argentina.

> --The computer will not boot normally, nor to safe mode.  In either mode, it

> generates two pop-ups, both of which say:  "The application failed to

> initialize properly (0xc0000006). Click on OK to terminate the application"

> (the equivalent of that, in Spanish).  After clicking 'okay', the Windows

> desktop appears but there are no icons or taskbar.  The only thing I can do

> is pull up the task manager, which shows about a dozen processes running. 

> Needless to say, explorer.exe is not one of them...

> --I ran a short Dell diagnostics program before the BIOS POST.  It threw up

> a "DST Short Status Test fail, error code 1000-0146" (DST=drive self test).  

> But I think that's a red herring.  I've read that the msg only means that the

> log files shows an event.

> --I ran CHKDSK using my own copy of the Win XP installation CD.  It found an

> error on the first check, then found no errors on the next two checks.  So,

> as far as I can tell, the hard drive is not failing.

>

> I have looked over this article

> "How to recover from a corrupted registry that prevents Windows XP from

> starting" http://support.microsoft.com/kb/307545

>

> This seems like the direction I want to head in.  But my questions are:

>

> --Given the symptoms, would it make sense that the problem might be a

> corrupted Windows registry?

> --The MS support article says off-handedly, "This registry [that you are

> restoring] was created and saved during the initial setup of Windows XP.

> Therefore any changes and settings that occurred after the Setup program was

> finished are lost."  Well, that's a BIG problem.  The whole point is to save

> my friend's CAD program.  If I am rolling back the system to the day it came

> off the factory floor, then I might as well re-install the OS.  Is there a

> way to just roll back the system to a restore point, say a month or two ago?

>

> Thanks in advance to thoughtful and well-informed replies.

>

> Sincerely,

>

> David Levy

> Washington, DC




Malicious software likes to trick you into thinking you need to

reinstall XP by making the simplest things not work - like no desktop,

unable to login, Safe Mode, System Restore, google.com, Task Manager,

regedit, cmd, etc. It is just trying to annoy you by breaking little

things.



You need to get your desktop working first, then you can resolve your

potential malware issue. I would also recommend to stop trying things

that might work maybe. You need to be fixing things. KB307545 is NOT

a good idea for your symptoms (or any symptoms).



From your background image, press CTRL-ALT-DEL and open Task Manager.



Look at the Processes tab and if the explorer.exe process is not

running, launch it.



Click File, New Task and in the box enter:



%windir%\explorer.exe



Click OK and see if you get your desktop back.



If explorer.exe is already running, it is likely the object of the

affliction and may need to be replaced (not hard).



If explorer.exe is already running, End the Process anyway and launch

a new one as indicated above.



If you are able to then get on the Internet, do this:



Download, install, update and do a full scan with these free malware

detection programs:



Malwarebytes (MBAM): http://malwarebytes.org/

SUPERAntiSpyware (SAS): http://www.superantispyware.com/



They can be uninstalled later if desired.



Report back your situation after these steps.
 
hi all,



many thanks to jose and john--the men in the white hats--for taking the time

to post some helpful advice! running explorer.exe from the task manager did

indeed work. i can now boot, after getting the aforementioned error

messages. but the system is still somewhere between molasses-slow and

i-will-shoot-myself-if-i-stare-at-this-screen-any-longer slow...



i ran malwarebytes anti-malware (MBAM) and superantispyware (SAS) multiple

times. MBAM found and deleted many infected objects. after i ran MBAM a few

times, SAS found a few more infected objects but would crash before it could

delete them. detailed log here at bottom. the system still won't boot

normally*. what's really annoying is that other aps, including the

hard-to-replace CAD ap, also won't run--same 0xc0000006 error msg.



i also tried to use 'system restore' (SR). there were dozens of restore

points available, going back 3 months:

1. in normal mode, roll back to 3/6/10, SR stopped, rebooted the system and

said it could not restore.

2. in safe mode, roll back to a different restore point (4/14/10), SR

stopped again, but got a lot farther in the progress bar than the first time.



so, it looks like malware was responsible for the damage. i can only think

that the malware corrupted the restore points without deleting them and that

is why SR keeps failing. i'm not going to bother running HijackThis, at this

point, until requested. i assume that MBAM got rid of the active malware,

but now there's damage to the system files that i need to fix.



more informed and thoughtful comments are most welcome.



--d.



*i don't think it matters at this point, but i think i failed to notice, in

the 0xc0000006 error msgs that there is a file associated with each of them:

"gStart.exe" and "PCSuite.exe". also, after booting, notepad.exe fails to

launch and gives the same message. but wordpad and MS word will run.



_________

Log:



1. normal mode, MBAM quick scan--it found 24 infected objects: 2 infected

registry keys, 3 reg values, 3 reg data items and 16 files. Worm.Magania,

trojan.frethog, spyware.online.games, hijack.controlpanelstyle,

disabled.securitycenter, hijack.help, hijack.system.hidden, worm.autorun,

trojan.backdoor. all were quarantined and deleted.

2. after reboot, normal mode, MBAM quick scan--no infected objects

3. normal mode, quick scan, SAS--found 15 infected objects, including

Trojan.Agent and Trojan.RootKit but then froze, so i could not hit the

'continue' button or any other button. Looks like it was in an endless loop

b/c task manager showed it consuming 10-20% of cpu time for two hours before

i killed the process. i couldn't 'end task' using task manager, had to 'end

process' instead. there were no logs in 'docs & settings\application

data\SAS' that were human readable.

4. safe mode, quick scan, SAS--found infected objects but then froze, same

as above.

5. safe mode, full scan, MBAM--found 137 infected files.

'Spyware.Online.Games', 'Worm.Taterf', 'Worm.Magania'. Only files were

infected, nothing else--registry, memory, etc.--found infected.

6. normal mode, full scan, SAS--Found 2 infected objects, both

"Trojan.RootKit/Gen" but then froze, same as above.

7. safe mode, full scan, MBAM--found 13 infected files, all

"Spyware.Online.Games", all 'quarantined and deleted'.
 
On Jun 7, 5:44 pm, dlevy wrote:

> hi all,

>

> many thanks to jose and john--the men in the white hats--for taking the time

> to post some helpful advice!  running explorer.exe from the task manager did

> indeed work.  i can now boot, after getting the aforementioned error

> messages.  but the system is still somewhere between molasses-slow and

> i-will-shoot-myself-if-i-stare-at-this-screen-any-longer slow...

>

> i ran malwarebytes anti-malware (MBAM) and superantispyware (SAS) multiple

> times.  MBAM found and deleted many infected objects.  after i ran MBAM a few

> times, SAS found a few more infected objects but would crash before it could

> delete them.  detailed log here at bottom.  the system still won't boot

> normally*.  what's really annoying is that other aps, including the

> hard-to-replace CAD ap, also won't run--same 0xc0000006 error msg.

>

> i also tried to use 'system restore' (SR).  there were dozens of restore

> points available, going back 3 months:

> 1. in normal mode, roll back to 3/6/10, SR stopped, rebooted the system and

> said it could not restore.

> 2. in safe mode, roll back to a different restore point (4/14/10), SR

> stopped again, but got a lot farther in the progress bar than the first time.

>

> so, it looks like malware was responsible for the damage.  i can only think

> that the malware corrupted the restore points without deleting them and that

> is why SR keeps failing.  i'm not going to bother running HijackThis, at this

> point, until requested.  i assume that MBAM got rid of the active malware,

> but now there's damage to the system files that i need to fix.

>

> more informed and thoughtful comments are most welcome.

>

> --d.

>

> *i don't think it matters at this point, but i think i failed to notice, in

> the 0xc0000006 error msgs that there is a file associated with each of them:

> "gStart.exe" and "PCSuite.exe".  also, after booting, notepad.exe fails to

> launch and gives the same message.  but wordpad and MS word will run.

>

> _________

> Log:

>

> 1. normal mode, MBAM quick scan--it found 24 infected objects: 2 infected

> registry keys, 3 reg values, 3 reg data items and 16 files.  Worm.Magania,

> trojan.frethog, spyware.online.games, hijack.controlpanelstyle,

> disabled.securitycenter, hijack.help, hijack.system.hidden, worm.autorun,

> trojan.backdoor.  all were quarantined and deleted.

> 2. after reboot, normal mode, MBAM quick scan--no infected objects

> 3. normal mode, quick scan, SAS--found 15 infected objects, including

> Trojan.Agent and Trojan.RootKit but then froze, so i could not hit the

> 'continue' button or any other button.   Looks like it was in an endless loop

> b/c task manager showed it consuming 10-20% of cpu time for two hours before

> i killed the process.  i couldn't 'end task' using task manager, had to 'end

> process' instead.  there were no logs in 'docs & settings\application

> data\SAS' that were human readable.

> 4. safe mode, quick scan, SAS--found infected objects but then froze, same

> as above.

> 5. safe mode, full scan, MBAM--found 137 infected files.  

> 'Spyware.Online.Games', 'Worm.Taterf', 'Worm.Magania'.  Only files were

> infected, nothing else--registry, memory, etc.--found infected.

> 6. normal mode, full scan, SAS--Found 2 infected objects, both

> "Trojan.RootKit/Gen" but then froze, same as above.

> 7. safe mode, full scan, MBAM--found 13 infected files, all

> "Spyware.Online.Games", all 'quarantined and deleted'.




That is a lot of junk, but you're doing good.



To me, it does not make sense to run quick scans with MBAM or SAS,

especially if you think you have a problem. Things are skipped that

you might not want to skip, so do the most thorough scan that is

offered unless you are in some really big hurry for some reason (this

is my opinion).



MBAM also does not recommend running in Safe Mode, but SAS seems to

suggest it sometimes "if you have problems in Normal Mode". I think

if you want an efficient scan, you should run full in Normal - always,

but you have to do what you have to do sometimes to get things to at

least sort of work.



Anywho, you should really want the full scans to run clean. Some

malicious software recognizes mbam.exe and superantispyware.exe (and

regedit.exe, taskmgr.exe, cmd.exe, rstrui.exe, etc., etc.) as a

running process and just will not allow them to run, so you have to

fool it, but you sound like you are getting past that point.



You could rename/copy the executables to something the malicious

software will not recognize - like superantispyware.exe --> dlevy.exe

and run dlevy.exe instead. The malicious software will not recognize

that. I do think some will recognize jose.exe though. This is very

annoying to me.



What is your other anti-whatever environment? Avira!, AVG, Norton,

McAfee, MSE, etc. I would disable any stuff like that temporarily and

let MBAM and SAS work unfettered.



When you say MBAM and SAS found things, are you letting it fix the

things they find? I know it sounds like SAS is having some problem.



Is your explorer.exe/desktop working now or do you still need to fix

that? Here is how you can replace your explorer.exe if you think or

even suspect it is corrupted:



Look in Task Manager and if explorer.exe is running, terminate it,

then from TM browse to c:\windows\system32 and rename the explorer.exe

to something you can remember (just in case) so explorer.exe is now

"missing". Windows File Protection should replace it quickly and

silently with a backup copy from c:\windows\system32\dllcache or just

manually copy the one from dllcache over to c:\windows\system32, then

launch it again or reboot. There are probably several copies of

explorer.exe on your system. You can't do this if explorer.exe is

running.



Posting Hijackthis logs is inappropriate for this forum, but somebody

will tell you the correct place to send them for analysis if you want

to do that. If I had one here I would first look at your startup items

(the 04s), but we can see all that stuff another way.



Download and install CCleaner from here:



http://www.piriform.com/ccleaner



Launch it and save the Startup information to a text file. Click

Tools, Startup, Save to text file... and save the startup information

to your desktop (or someplace you can find it) open the file with a

text editor, select all and paste the contents back here for analysis.



I have zero startup items, so you could disable all or some of yours

from CCleaner (this does not uninstall anything), and reboot and see

how that goes.



Uninstall CCleaner later if you don't like it (most people seem to

like it for its other features).



I would not trust or worry about your Restore Points just yet. System

Restore is not a time machine. With all that junk, after I got all

cleaned up, I would whack them all anyway - just because they might be

corrupted or afflicted, maybe. Don't take any chances like that -

just whack them all when you are running again.
 
Help! Can't boot even to safe mode. Can't re-install OS. 0xc00

On Jun 7, 5:44 pm, dlevy wrote:

> hi all,

>

> many thanks to jose and john--the men in the white hats--for taking the time

> to post some helpful advice!  running explorer.exe from the task manager did

> indeed work.  i can now boot, after getting the aforementioned error

> messages.  but the system is still somewhere between molasses-slow and

> i-will-shoot-myself-if-i-stare-at-this-screen-any-longer slow...

>

> i ran malwarebytes anti-malware (MBAM) and superantispyware (SAS) multiple

> times.  MBAM found and deleted many infected objects.  after i ran MBAM a few

> times, SAS found a few more infected objects but would crash before it could

> delete them.  detailed log here at bottom.  the system still won't boot

> normally*.  what's really annoying is that other aps, including the

> hard-to-replace CAD ap, also won't run--same 0xc0000006 error msg.

>

> i also tried to use 'system restore' (SR).  there were dozens of restore

> points available, going back 3 months:

> 1. in normal mode, roll back to 3/6/10, SR stopped, rebooted the system and

> said it could not restore.

> 2. in safe mode, roll back to a different restore point (4/14/10), SR

> stopped again, but got a lot farther in the progress bar than the first time.

>

> so, it looks like malware was responsible for the damage.  i can only think

> that the malware corrupted the restore points without deleting them and that

> is why SR keeps failing.  i'm not going to bother running HijackThis, at this

> point, until requested.  i assume that MBAM got rid of the active malware,

> but now there's damage to the system files that i need to fix.

>

> more informed and thoughtful comments are most welcome.

>

> --d.

>

> *i don't think it matters at this point, but i think i failed to notice, in

> the 0xc0000006 error msgs that there is a file associated with each of them:

> "gStart.exe" and "PCSuite.exe".  also, after booting, notepad.exe fails to

> launch and gives the same message.  but wordpad and MS word will run.

>

> _________

> Log:

>

> 1. normal mode, MBAM quick scan--it found 24 infected objects: 2 infected

> registry keys, 3 reg values, 3 reg data items and 16 files.  Worm.Magania,

> trojan.frethog, spyware.online.games, hijack.controlpanelstyle,

> disabled.securitycenter, hijack.help, hijack.system.hidden, worm.autorun,

> trojan.backdoor.  all were quarantined and deleted.

> 2. after reboot, normal mode, MBAM quick scan--no infected objects

> 3. normal mode, quick scan, SAS--found 15 infected objects, including

> Trojan.Agent and Trojan.RootKit but then froze, so i could not hit the

> 'continue' button or any other button.   Looks like it was in an endless loop

> b/c task manager showed it consuming 10-20% of cpu time for two hours before

> i killed the process.  i couldn't 'end task' using task manager, had to 'end

> process' instead.  there were no logs in 'docs & settings\application

> data\SAS' that were human readable.

> 4. safe mode, quick scan, SAS--found infected objects but then froze, same

> as above.

> 5. safe mode, full scan, MBAM--found 137 infected files.  

> 'Spyware.Online.Games', 'Worm.Taterf', 'Worm.Magania'.  Only files were

> infected, nothing else--registry, memory, etc.--found infected.

> 6. normal mode, full scan, SAS--Found 2 infected objects, both

> "Trojan.RootKit/Gen" but then froze, same as above.

> 7. safe mode, full scan, MBAM--found 13 infected files, all

> "Spyware.Online.Games", all 'quarantined and deleted'.




Oh yeah- this will not hurt if you have not done it already:



Boot into the Windows Recovery Console using a bootable XP

installation CD, or create a bootable XP Recovery Console CD.



This is not the same as any recovery disks that might have come with a

store-bought system. If you are not sure what kind of bootable CD you

have, make a bootable XP Recovery Console CD and be sure.



You can create a bootable XP Recovery Console CD when no XP media is

available by following the directions in this link:



http://www.bleepingcomputer.com/forums/topic276527.html



For each of your hard disk partitions, you should then run:



chkdsk /r



For example, from the Recovery Console prompt, enter:



chkdsk c: /r



 
Help! Can't boot even to safe mode. Can't re-install OS. 0xc00

hi jose,



thanks for all your thoughtful comments. i have talked with the friend who

owns the laptop. he says he is going to try to get another copy of the CAD

installation software from Argentina. so, for the moment at least, the

pressure is off. if there were a silver bullet solution, i would take the

time to try it, but it looks like there is a lot more work to do. i might

try your recommendations, though, just out of curiosity and sheer cussedness.

what i have distilled from your posts is the following plan:



1. run both MBAM and SAS in normal mode until they are clean, if possible.

2. rename explorer.exe and let win xp create a new copy

3. update CCleaner (already installed), post startup items to forum.



i will post again, once i get more information from my friend about whether

he will be able to get the software from argentina or not.



thanks again to the man in the white hat!



--david levy

washington, dc
 
Help! Can't boot even to safe mode. Can't re-install OS. 0xc00

okay, i got a confirmation from my friend. he's getting replacement software

from argentina, so i'm just going to wipe the hard drive and re-install the

OS.



i did run MBAM in normal mode, full scan, it found no infected object. but

i think the damage was already done and it would have been pretty complicated

re-building the system files, keys, etc. while i would have liked to fix the

existing OS just as a challenge, it would have been too time consuming.

all's well that ends well.



thanks again, jose. so, there really are people in the world wearing white

hats.



"hi-yo silver away!"



"who was that masked man, anyway?"



The Lone Ranger's Creed

"I believe.....



That to have a friend, a man must be one.



That all men are created equal and that everyone has within himself the

power to make this a better world.



That God put the firewood there, but that every man must gather and light it

himself.



In being prepared physically, mentally, and morally to fight when necessary

for that which is right.



That a man should make the most of what equipment he has.



That 'this government of the people, by the people, and for the people'

shall live always.



That men should live by the rule of what is best for the greatest number.



That sooner or later...somewhere...somehow...we must settle with the world

and make payment for what we have taken.



That all things change but truth, and that truth alone, lives on forever.



In my Creator, my country, my fellow man."



http://en.wikipedia.org/wiki/The_Lone_Ranger
 