
Solved Computer BSOD every time I run a security program

Discussion in 'Malware and Virus Removal Archive' started by wbrumfiel, 2009/01/14.

  1. 2009/01/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Correct ... SubInACL was not necessary for the swreg routine.

    There is no log created for the SubInACL routine.

    Let's do this one now.

    Code:
    cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
    subinacl /subkeyreg HKEY_CURRENT_USER /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    exit
    cls
    Reboot.

    If no BSOD, repeat with this one.

    Code:
    cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
    subinacl /subkeyreg HKEY_LOCAL_MACHINE\System /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    exit
    cls
    If all is well after reboot, try running the scan again.
     
  2. 2009/01/17
    wbrumfiel

    wbrumfiel Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    65
    Likes Received:
    0
    OK, ran the 2nd one and rebooted with no problem, but after running the 3rd piece and rebooting it BSODs.
     


  4. 2009/01/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    So I'm sure we're on the same page, you cannot start normally anymore after running the 3rd SubInACL routine? If so, this is a step forward .... gives me a location to concentrate on. Please verify that you can still access safe mode and sit tight for a bit while I check the system hive copy I have.
     
  5. 2009/01/17
    wbrumfiel

    wbrumfiel Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    65
    Likes Received:
    0
    Yep, same page. After the 3rd routine I can no longer boot into normal mode, but I can still boot into safe mode and safe mode w/ networking. Again, thanks for your help, I can see this is a tricky one.
     
  6. 2009/01/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    How many cd/dvd drives does the computer have?
    If more than 1, do they all appear in My Computer?
    Does device manager show errors on the cd/dvd drive(s)?
     
  7. 2009/01/17
    wbrumfiel

    wbrumfiel Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    65
    Likes Received:
    0
    Just one DVD drive. It shows no errors in the device manager. Toshiba mk4025gas model
     
  8. 2009/01/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Boot into safe mode and open a command window.
    Type in set devmgr_show_nonpresent_devices=1 and press enter.
    Now type in devmgmt.msc and press enter.
    This will launch the Windows Device Manager Console.
    In the Device Manager Console, from the View menu, select Show Hidden Devices.
    Expand DVD/CD ROM Drives.
    You should see at least one greyed out drive as well as your Toshiba drive.
    Right click the greyed out drive(s) and select Uninstall.

    I would like for you to also look under some of the other categories for greyed out items, such as Mice, Network Adapters, Disk Drives, etc.
    Remove anything listed you know doesn't belong, but don't remove anything you're unsure of.
    Be aware that greyed out means only that the device is not connected, so may not necessarily warrant removing, eg; if you have a printer but it's not connected at the moment, etc.

    Steer clear of the Non-Plug and Play Drivers and System Devices categories.

    If it appears there are quite a number of devices greyed out that you know don't belong, be warned that removing them all could cause you to have to re-activate Windows.

    Let me know if the above results in normal bootup upon restart.
     
  9. 2009/01/17
    wbrumfiel

    wbrumfiel Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    65
    Likes Received:
    0
    There were 4 CD/DVD drive things there that I uninstalled and I also took off a few network things.

    I do have a question. Under Other devices there is an Ethernet Controller, Network Controller, 2x NIC1394 and an Unknown Device. They are all greyed out, should I remove them too?

    Also, under Network adapters there is an entry named RAS Async Adapter that says failed to remove when I try and remove it. It says it might be required to boot. Should I just leave that one alone?

    I rebooted after doing what I felt comfortable with and it still BSOD
     
  10. 2009/01/17
    wbrumfiel

    wbrumfiel Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    65
    Likes Received:
    0
    Weird, I just restarted again (into safe mode) and the other devices as well as the RAS Async Adapter thing are gone.
     
  11. 2009/01/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Unless you were in safe mode with networking, the network controller and such would not be active and might appear greyed out. Best not to do anything with those.

    I had hoped the cd drive cleanup might be the answer, as I had seen some of the associated drivers failed to load in the bootlog ..... since we had no such luck, let's get back to a bootable system for now. We at least know what section of the registry is presenting a problem and can continue troubleshooting that whilst in normal mode.

    Boot up and do a system restore to the last one we created. Once you've logged on normally, repeat the procedure for removing hidden devices (you have to do the whole commandline thing) then reboot when done. Make sure things are working properly upon restart, eg: devices. If so, create a new restore point.

    Then, I'd like you to download and install ERUNT and create a backup of the registry. Make note of the location of the backup and send me a zipped copy of the system file created.
     
  12. 2009/01/18
    wbrumfiel

    wbrumfiel Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    65
    Likes Received:
    0
    OK, after getting it back to normal I show those same entries in other devices all as greyed out. Should I still leave those alone?
     
  13. 2009/01/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Go ahead and remove them then reboot.

    What else is showing up greyed out?
     
  14. 2009/01/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I finally tracked down the problem to the data for one value under one registry key. The value should be a dword value and it is a hex(4) value with a seriously large amount of data in it. It contained enough data that merely trying to access the key caused my system to BSOD. Enough data that it caused the utility dumphive to crash whilst attempting to dump its contents to text. Enough data that doing a registry search would cause a BSOD. Frankly, I've never seen anything like it, nor have I been able to determine as of yet what type of value a hex(4) is. I was able to get at least some of the data dumped to text (15.7MB) - I'm still trying to convert that data to something interpretable, but after converting bits and pieces of it, it doesn't appear malicious. I'll let you know if I do find anything rogue about it. Anyway, below is the fix.

    Highlight and copy the contents of the code box below.
    Code:
    reg delete  "HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_8086&DEV_24C5&SUBSYS_FF011179&REV_03#3&61AAA01&0&FD#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\4\Controls\1" /v Channel0 /f
    reg add  "HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_8086&DEV_24C5&SUBSYS_FF011179&REV_03#3&61AAA01&0&FD#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\4\Controls\1" /v Channel0 /t REG_DWORD /d 0
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own.

    Reboot and run whatever scan you want to test. Try searching the registry, etc.
     
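    The diagnosis and the fix in the post above, turned into a repeatable check. This is an added example and not part of the original thread or any tool used in it. One fact worth adding for anyone reading the post: in the .reg export format written by regedit, `hex(N):` means "registry type number N, written out as raw bytes", so `hex(4):` is a REG_DWORD (type 4). Regedit only falls back to that form instead of the usual `dword:xxxxxxxx` when the stored data is not the four bytes a DWORD should hold, which is exactly the mismatch the post found. The script below parses a .reg export offline, flags every value whose declared type demands a fixed length that the data does not have (plus any oversized blob), and prints `reg delete` / `reg add` lines shaped like the posted fix. The sample export and its key names are constructed for the example.

```python
"""Scan a regedit .reg export for values whose data length contradicts the
declared registry type (for example a REG_DWORD carrying kilobytes of data).

Added example, not code from the forum thread. SAMPLE_REG and its key names
are constructed for illustration.
"""
import re
from typing import List, Tuple

# Registry type numbers as they appear in regedit's hex(N): notation.
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 0, 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_MULTI_SZ, REG_QWORD = 5, 7, 0xB
# Types whose data length is mandatory, not merely conventional.
FIXED_LENGTH = {REG_DWORD: 4, REG_DWORD_BIG_ENDIAN: 4, REG_QWORD: 8}

Value = Tuple[str, str, int, bytes]  # (key path, value name, type, data)

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_HEX_RE = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')


def _join_continuations(text: str) -> List[str]:
    """regedit wraps long hex data with a trailing backslash; glue it back."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        lines.append(buf + line.strip() if buf else line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> List[Value]:
    """Parse the subset of .reg syntax regedit emits: keys, string, dword, hex."""
    values, key = [], None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""  # "" is the (Default) value
        rhs = m.group(2)
        if rhs.startswith('"') and rhs.endswith('"'):
            values.append((key, name, REG_SZ, _unescape(rhs[1:-1]).encode("utf-16-le")))
        elif rhs.startswith("dword:"):
            values.append((key, name, REG_DWORD, int(rhs[6:], 16).to_bytes(4, "little")))
        else:
            h = _HEX_RE.match(rhs)
            if h:
                vtype = int(h.group(1), 16) if h.group(1) else REG_BINARY  # bare hex: is REG_BINARY
                values.append((key, name, vtype, bytes.fromhex(h.group(2).replace(",", ""))))
    return values


def find_anomalies(values: List[Value], max_blob: int = 64 * 1024):
    """Return (key, name, type, length, reason) for every suspicious value."""
    bad = []
    for key, name, vtype, data in values:
        expect = FIXED_LENGTH.get(vtype)
        if expect is not None and len(data) != expect:
            bad.append((key, name, vtype, len(data), f"type {vtype} expects {expect} bytes"))
        elif len(data) > max_blob:
            bad.append((key, name, vtype, len(data), f"data exceeds {max_blob} bytes"))
    return bad


def fix_commands(key: str, name: str, value: int = 0) -> List[str]:
    """reg.exe lines that replace a corrupt value with a plain REG_DWORD,
    the same shape as the fix posted in the thread."""
    return [
        f'reg delete "{key}" /v "{name}" /f',
        f'reg add "{key}" /v "{name}" /t REG_DWORD /d {value}',
    ]


# Constructed sample export: Channel0 is declared REG_DWORD but carries 32 bytes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Example\Mixer\4\Controls\1]
"Channel0"=hex(4):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00
"Channel1"=dword:00000000
"Name"="Line In"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Flags"=hex(b):01,00,00,00,00,00,00,00
"Blob"=hex:de,ad,be,ef
'''

if __name__ == "__main__":
    for key, name, vtype, length, reason in find_anomalies(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name}: {length} bytes, {reason}")
        print("\n".join(fix_commands(key, name)))
```

    Run it against a real export (`reg export HKLM\SYSTEM hive.reg` from a working boot, or a hive dumped from safe mode) and inspect each flagged value before deleting anything; a length mismatch is strong evidence of corruption, but the replacement value (here 0) has to come from what the driver expects, as it did in the posted fix.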
  15. 2009/01/18
    wbrumfiel

    wbrumfiel Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    65
    Likes Received:
    0
    Good news! After all we did last night I ran a scan with Kaspersky and it seems to have finished without BSOD. It found some malware thing called RTOH.dll //Packman. It appears to be some sort of hack file for Starcraft. I'm gonna remove it but I'm not sure it's causing any problems.
    I'm wondering if the problem (once you find it) wasn't with spybot as that is the one constant thing that was installed on the machine during this whole mess and just about the only security program I could run without problems.
     
  16. 2009/01/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That is good news! You did see my last post?
     
  17. 2009/01/18
    wbrumfiel

    wbrumfiel Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    65
    Likes Received:
    0
    That did it! Thanks a lot noahdfear.
     
  18. 2009/01/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Excellent! :D Let's clean up our mess.

    Click Start>Run and type or paste the following command then hit enter to uninstall gmer.

    %systemroot%\gmer_uninstall.cmd

    Restart the computer to complete the uninstallation of gmer.

    Delete RSIT.exe and the C:\rsit folder.
    Delete mbr.exe and its log.

    You can delete any other logs that were created/saved too, as well as any other tools we used.

    I'd recommend removing the C:\Windows ERUNT folder, then creating a new ERUNT backup when cleanup is complete.


    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.


    Empty the recycle bin when done.
     
  19. 2009/01/18
    wbrumfiel

    wbrumfiel Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    65
    Likes Received:
    0
    Looks like everything cleaned up nicely. Thanks Again.
     
  20. 2009/01/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're welcome. Glad I could help. :)
     
  21. 2009/01/18
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Dave - an amazing piece of troubleshooting - I'm very much in awe :)
     
