Incanus

Quarantined files, now get "fatal system error" on boot

A friend gave me his parents' XP Home PC to look at for them. I ran Malwarebytes' AntiMalware, SuperAntiSpyware and Avira and they found and cleaned lots of infections. All seemed well, so I then put it online last night and found IE7 was being redirected to other sites. It clearly still wasn't completely clean, so I decided to give a-squared a go. I used the latest version as of last night (fresh download).

It found several problems and recommended quarantining a bunch of files. I was going to note their names and locations, but foolishly didn't - IIRC they were DLLs in Windows and Windows\System. I should have researched them, but it was late and I was tired - I think I'd hoped that some auto-un-quarantine feature would kick in if it all went wrong. There had been so many infections before that I just assumed these "system" files were actually rogue files placed in the system folders.

Now, when Windows boots up, I get a blue screen, stop code (c000021a), fatal system error (0xc0000135) and "the windows logon process system process terminated unexpectedly" and it just won't boot.

Is there any way of getting these files out of quarantine? I've booted to a Linux live CD (Puppy) and nosed around, but they seem to be encrypted or something (well, that's the contents of the "Quarantine" directory, anyway). There's also a submit.dat file there - would that be of any use? It just looks like a list of three long hex numbers. I did click on a "submit for inspection to Emsi" button for some files last night, but IIRC they weren't the ones that were quarantined.

The "logs" directory just has a file "a-squared.db3" which I can't get to open in a text editor; I'd been hoping it would at least tell me the names of the files that were quarantined so that I could copy them off another XP Home machine, but this too seems to be a no-hoper.

Can anyone offer any advice please?

Thanks a lot.

Hi Incanus,

As I can see from your description, you quarantined what was not supposed to be quarantined even if infected (see P.S.)

Please try System Restore or the Last Known Good Configuration.

If you can see the C:\Program Files\a-squared Free\Quarantine folder from Linux, just save it and its contents. Probably later, when and if the system is functional, it will be possible at least to look at what was quarantined.

The <>.DB3 file is an internal file in SQLite format. It contains a lot of info, but for a report always use <<Save Report>>.

You can use some free utilities for reading and querying <>.db3 ( SQLiteSpy ).

My regards

P.S. Please read this Sticky. That will help in the future.

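Lynx's tip that a-squared.db3 is a SQLite database can be followed from the Linux live CD without SQLiteSpy. The script below is an added example written for this thread; it is not a-squared's code, and the real table layout of a-squared.db3 is not known here, so it reads table and column names from sqlite_master instead of assuming any. It opens a copy of the .db3 read-only, lists and dumps every table, and scans every text or blob column for strings that look like Windows paths, which is the form the quarantined file names would take. make_sample_db() builds a stand-in database with an invented schema (the table names quarantine_items and scan_log are made up) so the script runs on its own; point it at a copy of the real file instead.

```python
"""Read an unfamiliar SQLite database (such as an AV product's internal
.db3 log) without knowing its schema, and pull out anything that looks
like a Windows path.

Added example for this thread; it is not a-squared's code and the
schema of a-squared.db3 is NOT known here: table and column names are
discovered from sqlite_master at run time. The sample database built by
make_sample_db() uses a made-up schema purely for demonstration.
"""
import contextlib
import os
import pathlib
import re
import sqlite3
import sys
import tempfile

# Drive letter, colon, backslash, then anything up to a character that
# cannot appear in a Windows path.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\x00"<>|\r\n]+')


def open_readonly(path):
    """Open the database read-only so the evidence copy is never modified."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    return contextlib.closing(sqlite3.connect(uri, uri=True))


def list_tables(path):
    with open_readonly(path) as con:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
        ).fetchall()
    return [r[0] for r in rows]


def dump_table(path, table, limit=50):
    """Return (column names, rows) for one table; the identifier is quoted."""
    ident = '"' + table.replace('"', '""') + '"'
    with open_readonly(path) as con:
        cur = con.execute(f"SELECT * FROM {ident} LIMIT ?", (limit,))
        return [d[0] for d in cur.description], cur.fetchall()


def find_paths(path):
    """Scan every column of every table for Windows paths; blobs are tried
    as UTF-16-LE and UTF-8 text. Returns the sorted unique matches."""
    found = set()
    for table in list_tables(path):
        _, rows = dump_table(path, table, limit=10**6)
        for row in rows:
            for value in row:
                texts = [value] if isinstance(value, str) else []
                if isinstance(value, bytes):
                    for enc in ("utf-16-le", "utf-8"):
                        try:
                            texts.append(value.decode(enc))
                        except UnicodeDecodeError:
                            pass
                for text in texts:
                    found.update(WIN_PATH.findall(text))
    return sorted(found)


def make_sample_db():
    """Build a constructed stand-in for a-squared.db3 (invented schema)."""
    path = os.path.join(tempfile.mkdtemp(), "sample.db3")
    with contextlib.closing(sqlite3.connect(path)) as con:
        con.executescript(r"""
            CREATE TABLE quarantine_items(
                id INTEGER PRIMARY KEY, original_path TEXT,
                detection TEXT, added TEXT);
            CREATE TABLE scan_log(id INTEGER PRIMARY KEY, message BLOB);
            INSERT INTO quarantine_items VALUES
                (1, 'C:\WINDOWS\system32\ws2_32.dll', 'Trojan.Patched (example)', '2009-06-01 23:40'),
                (2, 'C:\WINDOWS\system32\drivers\etc\hosts', 'Hijack.Hosts (example)', '2009-06-01 23:41');
        """)
        msg = r"Scanned C:\Documents and Settings\user\temp.exe".encode("utf-16-le")
        con.execute("INSERT INTO scan_log VALUES (1, ?)", (msg,))
        con.commit()
    return path


if __name__ == "__main__":
    db = sys.argv[1] if len(sys.argv) > 1 else make_sample_db()
    for name in list_tables(db):
        cols, rows = dump_table(db, name)
        print(f"== {name} ({', '.join(cols)})")
        for row in rows:
            print("  ", row)
    print("Paths found:", *find_paths(db), sep="\n  ")
```

Run it as python3 dump_db3.py /path/to/copy/of/a-squared.db3. Work on a copy taken off the mounted volume; the ?mode=ro URI keeps the connection read-only, and the script needs only the Python standard library, so nothing has to be installed on the live CD. If the real tables keep paths in some encoding the scanner does not recognise, the raw table dump printed first still shows the values for reading by eye.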

All seemed well, so I then put it online last night and found IE7 was being redirected to other sites. It clearly still wasn't completely clean, so I decided to give a-squared a go. I used the latest version as of last night (fresh download).

The cause of this behavior is most likely either a patched system DLL or an installed rootkit. In both cases you really want to do a completely fresh reinstall since the system is completely subverted and can't be trusted anymore.

Is there any way of getting these files out of quarantine? I've booted to a Linux live CD (Puppy) and nosed around, but they seem to be encrypted or something (well, that's the contents of the "Quarantine" directory, anyway). There's also a submit.dat file there - would that be of any use? It just looks like a list of three long hex numbers. I did click on a "submit for inspection to Emsi" button for some files last night, but IIRC they weren't the ones that were quarantined.

Feel free to send the quarantined files to [email protected]. I can give you the names of the files and the original content.

The "logs" directory just has a file "a-squared.db3" which I can't get to open in a text editor; I'd been hoping it would at least tell me the names of the files that were quarantined so that I could copy them off another XP Home machine, but this too seems to be a no-hoper.

The file is a SQLite database. You can send the file as well and I can extract the names of the files you quarantined.

Thanks, Lynx. I'd agree with your first statement! Wish I'd read the sticky first; I'm normally more careful than that.

I can't boot Windows at all - not normally, not into Safe Mode, nor Last Known Good Configuration - hence the Linux malarkey, and so System Restore isn't available. And "when and if the system will be functional" is where I'm trying to get to!

Have copied off the files. Thanks for the SQLiteSpy suggestion - I ran it but couldn't get anywhere with my .DB3 file, so will submit - see below response.


Thanks for that, Fabian. I'll zip up the files and send them to that address.

I did warn my friend that a fresh Windows install might be needed - his parents had been running it for a while without any AV on and the firewall off. I'd downloaded some rootkit checkers and they were going to be my next stop after A-Squared...!


Thanks. I took a look at the files you sent. Your WS2_32.DLL got infected and was therefore removed. Without the file though winlogon.exe is unable to work correctly. So you may want to get a WS2_32.DLL from an uninfected system - preferably version 6.1.2600.2180. I sent you the infected copy of the file back. Only use it if there is absolutely no other way to get a clean version of that file.

The infected WS2_32.DLL may account for the redirections taking place as well by the way.


Done! Thank you very, very much!!

With that info I was able in Linux to copy over the dll from another location on the PC (Windows\SoftwareDistribution\Download\...) into system32. Rebooted and presto! Straight back into Windows.

Not sure yet about the redirecting - will have to wait till I can get the machine online tonight at home, can't do that here at work. And the version of ws2_32.dll there now is 5.1.2600.5512. I had a search on the web and can't see any references to a v6.1.2600.2180 - that number mostly refers to corpol.dll. But anyway, I'll tackle the system with some anti-rootkit tools to be sure, then whack on XP SP3 and run Windows updates which should get it as up to date as it can be.

Will bear in mind, though, what you said about the danger of the integrity of the whole system still having been compromised. I'd originally said to my friend, just based on his description of the problems, that sometimes the only way to be completely sure is to backup data, format and reinstall Windows.

Final question, if I may: were there any other files, or records of other files, that you saw had been removed in what I sent? Just because I'm sure that there was more than one filename in the list that A-Squared said it would quarantine for me, and I'm just a bit concerned that something else might prove not to be working further down the line.

Once again, heartfelt thanks for your help, Fabian.

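Fabian's advice is to replace the quarantined WS2_32.DLL with a copy from a clean system, and Incanus found one under Windows\SoftwareDistribution\Download. Before copying, it is worth seeing how many copies of the file exist on the volume and which of them still look intact. The script below is an added example written for this thread (not code from a-squared, Emsisoft or Microsoft): run from the Linux live CD against the mounted XP volume, it finds every ws2_32.dll, case-insensitively, and for each one reports its SHA-256, PE link date, whether the PE header CheckSum still matches the file contents, and the FileVersion string found by a simple scan of the version resource. A copy that fails the checksum was modified after it was built, which is what a patched system DLL looks like; a copy that passes is not thereby proven clean, since an infector can recompute the checksum, so the hash should still be compared with the same file on a known-good XP machine at the same service pack. The sample tree built by make_sample_tree() is constructed for the demonstration: its two files are header-only stand-ins with a made-up link date, not real DLLs.

```python
"""Find every copy of a DLL on a mounted Windows volume and tell the copies apart.
Added example for this thread, not code from a-squared, Emsisoft or Microsoft.
Reports size, SHA-256, PE link timestamp, whether the PE CheckSum still matches
the file, and the FileVersion string. A checksum mismatch means the file changed
after linking (not proof of infection); a match proves nothing if the patcher
recomputed it. The real test is the hash of a copy from a known-clean machine at
the same service pack. The sample tree from make_sample_tree() is constructed."""
import hashlib, os, struct, sys, tempfile, time

FILE_VERSION_KEY = "FileVersion".encode("utf-16-le") + b"\0\0"   # StringFileInfo key

def pe_checksum(data, cs_off):
    """Standard PE checksum: DWORD sum with end-around carry, folded to 16 bits,
    plus the file length; the CheckSum field itself is zeroed before summing."""
    buf = bytearray(data) + b"\0" * (-len(data) % 4)
    buf[cs_off:cs_off + 4] = b"\0\0\0\0"
    total = 0
    for (dword,) in struct.iter_unpack("<I", buf):
        total += dword
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def pe_header_info(data):
    """Return (CheckSum field offset, stored CheckSum, TimeDateStamp) or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    cs_off = e_lfanew + 24 + 0x40   # "PE\0\0" + 20-byte COFF header, then CheckSum at +0x40
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or cs_off + 4 > len(data):
        return None
    timestamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return cs_off, struct.unpack_from("<I", data, cs_off)[0], timestamp

def file_version(data):
    """Heuristic (not a resource parser): the UTF-16 value after the DWORD-aligned key."""
    i = data.find(FILE_VERSION_KEY)
    if i < 0:
        return None
    p = i + len(FILE_VERSION_KEY)
    p += -p % 4
    j = p
    while j + 1 < len(data) and data[j:j + 2] != b"\0\0":
        j += 2
    return data[p:j].decode("utf-16-le", errors="replace")

def triage(root, name):
    """Walk root for files called `name` (case-insensitive: NTFS is, Linux is not)."""
    out = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower() != name.lower():
                continue
            full = os.path.join(dirpath, f)
            with open(full, "rb") as fh:
                data = fh.read()
            rec = {"path": full, "size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
                   "timestamp": None, "checksum_ok": None, "version": None}
            info = pe_header_info(data)
            if info:
                cs_off, stored, ts = info
                rec["timestamp"] = time.strftime("%Y-%m-%d", time.gmtime(ts))
                # CheckSum 0 means the linker never set it: unknown rather than False.
                rec["checksum_ok"] = None if stored == 0 else stored == pe_checksum(data, cs_off)
                rec["version"] = file_version(data)
            out.append(rec)
    return sorted(out, key=lambda r: r["path"])

def build_sample_pe(version="5.1.2600.5512", tamper=False):
    """Constructed header-only PE32 image; tamper flips a byte after the checksum
    was set, as a crude file infector that does not fix the checksum would."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", img, 0x44, 0x14C, 0, 1208131200)     # i386, 0 sections, made-up date
    struct.pack_into("<H", img, 0x58, 0x10B)                      # PE32 magic
    img += FILE_VERSION_KEY + version.encode("utf-16-le") + b"\0\0"
    img += b"\0" * (-len(img) % 16)
    cs_off = 0x58 + 0x40
    struct.pack_into("<I", img, cs_off, pe_checksum(bytes(img), cs_off))
    if tamper:
        img[0x100] ^= 0xFF
    return bytes(img)

def make_sample_tree():
    """Constructed volume: patched copy in system32, clean copy left by Windows Update."""
    root = tempfile.mkdtemp()
    for sub, tamper in (("WINDOWS/system32", True),
                        ("WINDOWS/SoftwareDistribution/Download/abc123", False)):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "ws2_32.dll"), "wb") as fh:
            fh.write(build_sample_pe(tamper=tamper))
    return root

if __name__ == "__main__":   # usage: triage.py /mnt/xp ws2_32.dll (no args: built-in sample)
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for rec in triage(root, sys.argv[2] if len(sys.argv) > 2 else "ws2_32.dll"):
        print(rec)
```

Run it as python3 triage.py /mnt/xp ws2_32.dll with the XP volume mounted; with no arguments it runs on the constructed sample, where the system32 copy fails the checksum and the SoftwareDistribution copy passes. On XP, Windows File Protection keeps its own copy of protected files under system32\dllcache and restores from there, so that copy is worth checking with the same script before relying on the one you put into system32.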

You should be able to look at the files in the quarantine yourself now. But there were other files as well. I just didn't take a closer look at them since I focused on the one causing your issue when starting Windows.
