# Trying to sprint, waist deep in mud



## CoRoMo (Sep 4, 2007)

Compaq DeskPro
996 Mhz
Max Memory Cap: 512MB
Currently Installed: 512MB
18.6GB Hard drive
12.4GB of Free Space
Only one peripheral connected: HP DeskJet 930C Printer

Windows 2009 5.0 w/ Service Pack 4
CA Security Suite 2009, updated and scans on a schedule
CCleaner, updated and ran regularly
WinPatrol, updated and always running
Defragmented when needed and otherwise maintained on a regular basis.
Nothing out of the ordinary is listed in the Task Manager's process list that would be using up this much of the memory. Something has infected this machine.

This PC has always run fine and fast enough for my needs.
But it has progressively gotten slower over the past few months.
Now at a snail's pace. My HJT log below...



> Logfile of Trend Micro HijackThis v2.0.2
> Scan saved at 11:38:54 AM, on 10/15/2009
> Platform: Windows 2000 SP4 (WinNT 5.00.2195)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
> ...


----------



## CoRoMo (Sep 4, 2007)

This thread hasn't seen any replies yet, but my computer is definitely getting worse. So, I thought I'd post another HJT log and bump the thread. My computer will completely freeze up at times now, and this never used to happen. The PC has always run fine up until a few months ago.

Thanks for any help.



> Logfile of Trend Micro HijackThis v2.0.2
> Scan saved at 7:16:37 AM, on 10/27/2009
> Platform: Windows 2000 SP4 (WinNT 5.00.2195)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
> ...


----------



## eddie5659 (Mar 19, 2001)

Hiya

Download *TFC by OldTimer* to your desktop

Please double-click *TFC.exe* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
It *will close all programs* when run, so make sure you have *saved all your work* before you begin.
Click the *Start* button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. *Let it run uninterrupted to completion*. 
Once it's finished it should *reboot your machine*. If it does not, please *manually reboot the machine* yourself to ensure a complete clean.

Please download Malwarebytes' Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._)
Under "*Configuration and Preferences*", click the *Preferences* button.
Click the *Scanning Control* tab.
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._
_Scan for tracking cookies._
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen.
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*.
On the left, make sure you check *C:\Fixed Drive*.
On the right, under "*Complete Scan*", choose *Perform Complete Scan*.
Click "*Next*" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*".
Make sure everything has a checkmark next to it and click "*Next*".
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu.
If asked if you want to reboot, click "*Yes*".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._
_Please copy and paste the Scan Log results in your next reply._

Click *Close* to exit the program.

*We Need to check for Rootkits with RootRepeal*

Download RootRepeal from the following location and save it to your desktop.
*Zip Mirrors (Recommended)*
Primary Mirror
Secondary Mirror
Secondary Mirror

*Rar Mirrors* - Only if you know what a RAR is and can extract it.
Primary Mirror
Secondary Mirror
Secondary Mirror


Extract RootRepeal.exe from the archive.
Open [image] on your desktop.
Click the [image] tab.
Click the [image] button.
Check all seven boxes:
[image]
Push Ok
Check the box for your main system drive (usually C), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Click on the *Go Advanced* button for the uploading options at the bottom of this page (in the picture below).

[image]

In there, at the bottom, click on the button *Manage Attachments* (in the picture below).
A window will appear, and then Browse to *RSReport.zip* on your Desktop.
Click Upload, and when uploaded click *Close this Window*
Then, in the previous window, click on *Add Reply*

[image]

Please include the *MBAM log, SAS log, RootRepeal.txt and a fresh HijackThis log* in your next reply

Regards

eddie


----------



## CoRoMo (Sep 4, 2007)

Attached are my logs.

RootRepeal would not initialize. I downloaded and extracted a version from each of your (recommended) links, but each one encountered the following error when I attempted to open the application.



> RootRepeal Error
> 
> Exception Address: 0x004eca19


----------



## eddie5659 (Mar 19, 2001)

Can you do this for me first:

Download ComboFix from one of these locations:

*Link 1*
*Link 2*
*Link 3*

*IMPORTANT !!! Save ComboFix.exe to your Desktop*


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

*Please note:* If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.

===============

For RootRepeal, try this:

Please start RootRepeal, and, *before doing anything else*, try changing the "Disk Access Level" in the Settings->Options dialog. Try moving it to the "Special" or "High" level. Also, click on the Files tab, and *uncheck* "Use lowest level for MBR check".

Please let me know if this fixes the problem.

eddie


----------



## CoRoMo (Sep 4, 2007)

I ran ComboFix. It produced several errors before eventually rebooting; errors regarding inability to locate creg.dat, temp.dat, and others. The log is attached. It states that "WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!", but I was not prompted about installing it during ComboFix's scan.



> try changing the "Disk Access Level" in the Settings->Options dialog. Try moving it to the "Special" or "High" level. Also, click on the Files tab, and uncheck "Use lowest level for MBR check".


I'm not sure how to go about doing this. This OS is Windows 2000, so my 'START->SETTINGS->' menu only includes...

Control Panel
Network and Dial-up Connections
Printers and Faxes
Taskbar & Start Menu.

Let me know how to adjust those options, and thank you for the help.


----------



## eddie5659 (Mar 19, 2001)

Wasn't home this weekend, but will be back tonight. In the meantime, as I can't download any files at work to check the RootRepeal, let's take a look at an RSIT log whilst I look into the ComboFix problem for you


Download *random's system information tool (RSIT)* by *random/random* from *here*.
*It is important that it is saved to your desktop.*
Double click on *RSIT.exe* to run *RSIT*.
Click *Continue* at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both *log.txt* (<<will be maximized) and *info.txt* (<<will be minimized)

eddie


----------



## CoRoMo (Sep 4, 2007)

My RSIT logs are attached.


----------



## eddie5659 (Mar 19, 2001)

For the ComboFix, it should run okay in Windows 2000.

Right-click on the ComboFix and select *Rename* and call it *Project.exe*.

Then try running it again, as the log you gave has nothing in it.

------------

As for RootRepeal, it's my fault. If you look at the top of RootRepeal, you will see a menu bar. Click on *Settings* and then *Options*.

In there, in the *General* tab, try moving the slider bar to either the "Special" or "High" level. On the *Files* tab, uncheck "Use lowest level for MBR check".

Now, try running RootRepeal again 

eddie


----------



## CoRoMo (Sep 4, 2007)

The problem with RootRepeal is that it never opens.
When I double click on the icon, it opens a status window that says:

Initializing, please wait...

After a few seconds, the error:


> RootRepeal Error
> 
> Exception Address: 0x004eca19


I'm never able to adjust any settings because this error prevents the application from fully initializing.

I renamed ComboFix to Project.exe and ran it again. It encountered several errors, some regarding denied access, others referred to inability to delete a file, and then it rebooted my system, after asking that I write down a number of file names for possible needed use later. After rebooting, it continued to run for a bit, with several more errors asking that I either Okay or Ignore an issue. Finally, it ended, but I don't find a log anywhere.


----------



## CoRoMo (Sep 4, 2007)

I ran Project.exe again and it asked to be updated to the latest version. It ran successfully this time, but the log looks empty again. It is attached.

RootRepeal continues to encounter that same error that prevents it from ever initializing.


----------



## CoRoMo (Sep 4, 2007)

I ran Project.exe again in an attempt to record every error that occurs during the scan. There were more than ten errors. However, this time, ComboFix produced a good log. It is attached.

RootRepeal continues to suffer from the very same error that prevents it from initializing.


----------



## eddie5659 (Mar 19, 2001)

Thanks for the log. Just looking at something, as you have something in there that doesn't seem right.

Back in a bit


----------



## eddie5659 (Mar 19, 2001)

Please download *this zip file* to your desktop
Locate *Export.zip* and unzip it to your desktop
Now locate *Export.cmd* and double click it to run the script
A black command window will open briefly then close, this is normal
When complete a Notepad file will open, please copy and paste the entire contents into your next reply
Note: A copy of the Notepad file can be found at C:\export.txt. You can delete it, along with the zip and cmd files after posting the contents here.


----------



## CoRoMo (Sep 4, 2007)

Here you go.

The log is attached.


----------



## eddie5659 (Mar 19, 2001)

Well, that was okay. The delay from my end was finding someone with Windows 2000 to have a log to compare with 

I'll have a detailed look again tonight, so bear with me


----------



## eddie5659 (Mar 19, 2001)

Please go to VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the *"Suspicious files to scan"* box on the top of the page:

*c:\winnt\system32\comres.dll*

Click on the *Upload* button
Once the Scan is completed, click on the "*Copy to Clipboard*" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

Also, do the same for these:

*c:\winnt\system32\drivers\_usbhub20.sys_.vir*
*c:\winnt\system32\drivers\_BVRPMPR5.SYS_.vir*

eddie


----------



## eddie5659 (Mar 19, 2001)

Using Internet Explorer or Firefox, visit *Kaspersky Online Scanner*

*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions.

*2.* To *optimize scanning time* and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. Click *HERE* to see how to disable the most common antivirus programs.
*3.* Click *Run* at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.

Once the update is complete, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, adware, dialers, and other riskware
Archives
E-mail databases

Click on *My Computer* under the green *Scan* bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click *View report...* at the bottom.
Click the *Save report...* button.

[image]

Change the *Files of type* dropdown box to *Text file (.txt)* and name the file *KasReport.txt* to save the file to your desktop so that you may post it in your next reply


----------



## CoRoMo (Sep 4, 2007)

The comres.dll file is not located in the system32 folder. If it was before, it is not now. It could not be found. Here are the other two reports.



> VirSCAN.org Scanned Report :
> Scanned time : 2009/11/13 13:21:25 (MST)
> Scanner results: *Scanners did not find malware!*
> File Name : _usbhub20.sys_.vir
> ...





> VirSCAN.org Scanned Report :
> Scanned time : 2009/11/13 13:25:49 (MST)
> Scanner results: *3% Scanner(s) (1/37) found malware!*
> File Name : _BVRPMPR5.SYS_.vir
> ...


----------



## CoRoMo (Sep 4, 2007)

KasReport.txt is attached.


----------



## eddie5659 (Mar 19, 2001)

Okay, it looks like this may not be malware related, so let's try some other things:

First off, download and install 2000 Service Pack 4 Network Install for IT Professionals:

http://www.microsoft.com/downloads/...F1-749F-49F4-8010-297BD6CA33A0&displaylang=en

Then, after the reboot, can you delete the original ComboFix you have installed and re-download a fresh copy and run it as before and post the log 

We have some other things to try as well, to look at, but let's try this part first

eddie


----------



## CoRoMo (Sep 4, 2007)

I downloaded and installed the service pack.

ComboFix log attached.


----------



## eddie5659 (Mar 19, 2001)

It's a bit better, but some are still looking like they're failing. In case you're wondering what I'm talking about, in the ComboFix log is a SigCheck.

All failed before the service pack, but some are 50/50 now. So, let's try a little test:

Go to Control Panel | AddRemove Programs.

Click on the box to show updates. Then, locate this one:

KB329115

And uninstall it.

Then, go here:

http://support.microsoft.com/kb/329115

And install the update again. As you have Windows 2000 SP4, scroll down to that link.

Or, click this one, as it's a direct link:

http://www.microsoft.com/downloads/...01-1F6F-4F88-AE9E-6F4636D43D9F&displaylang=en

Then, when it's installed, reboot if it hasn't asked you to, and post a fresh ComboFix log.

eddie


----------



## CoRoMo (Sep 4, 2007)

> Click on the box to show updates.


I don't see a box that I could click to show updates.
Of all the Hotfix/updates that are plainly listed, none are KB329115.


----------



## eddie5659 (Mar 19, 2001)

Hmmm, back in a min


----------



## eddie5659 (Mar 19, 2001)

Okay, let's have a looksee at which updates you have. Saves you searching thru them all, to find a few particular ones.

Open HijackThis, click Config, click Misc Tools
Click "*Open Uninstall Manager*"
Click "Save List" (generates *uninstall_list.txt*)
Click Save, copy and paste the results in your next post.


----------



## CoRoMo (Sep 4, 2007)

Here it is...



> Adobe Flash Player 10 Plugin
> Adobe Flash Player ActiveX
> Adobe Reader 7.0.9
> CA Anti-Spyware
> ...


----------



## eddie5659 (Mar 19, 2001)

Hmmm, interesting. None are there.

However, I see most are the newer updates, so that may be why.

Can you go here, and see if there are any updates that you need:

http://v4.windowsupdate.microsoft.com/

If not, I'll have a look at this in depth. Also, let's check that the hard-drive is okay:


Double-click My Computer, and then right-click the hard disk drive you want to check (eg the main drive, say C-drive)
Click Properties, and then click Tools. 
In Error-checking, click Check Now

Let me know how it goes, it may take a while.


----------



## CoRoMo (Sep 4, 2007)

windowsupdate.microsoft.com had nothing for me.



> *Review and Install Updates *
> 
> Install Updates Download size (total): 0 KB
> Estimated time at your connection speed: 0 minutes
> ...


I've had problems with the disk check. It has failed a few times now, but I'll keep trying it. Do you want me to check either:

_'Automatically fix file system errors'_
_'Scan for and attempt recovery of bad sectors'_

Or should I just run it without either of them checked?
If I either don't check either box, or if I only check the second one regarding recovery of sectors, toward the end of Phase 2, I get an error that states, "Windows was unable to complete the disk check".


----------



## eddie5659 (Mar 19, 2001)

Okay, see if this helps:

What you're experiencing is what Windows refers to as "setting the dirty bit" and what you have to do is unset that bit. Every time Windows starts, autochk.exe is called by the kernel to scan all volumes to check if the volume dirty bit is set. If the dirty bit is set, autochk performs an immediate chkdsk /f on that volume. Chkdsk /f verifies file system integrity and attempts to fix any problems with the volume. It is usually caused by a hard shut down or a power loss during a read-write operation on that particular drive.

At the command prompt type *fsutil dirty query c:* (or the relevant drive letter). This queries the drive, and more than likely it will tell you that it is dirty.

Next type *CHKNTFS /X C:* The X tells Windows not to check that particular drive on the next reboot.

Reboot, it should load to the desktop

Once Windows has loaded bring up another CMD prompt and type *Chkdsk /f /r c:*

This should take you through the 5 stages of the scan and will unset the dirty bit.

At a command prompt, type *fsutil dirty query c:* and Windows will confirm that the dirty bit is not set on that drive.


----------



## CoRoMo (Sep 4, 2007)

Here's how that went.



> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-2000 Microsoft Corp.
> 
> C:\ *...* >fsutil dirty query c:
> ...


----------



## eddie5659 (Mar 19, 2001)

Okay, looks like I'll need to do something for you 

When I get home, I'll upload a copy of the FSUtil.exe from my XP system, and explain what to do


----------



## eddie5659 (Mar 19, 2001)

Just to let you know, I had to have someone with XP and 2000 to do a test for me, and it's worked!

So, will sort this out tonight for you


----------



## eddie5659 (Mar 19, 2001)

Okay, first of all, download the attached zip.

Then, extract them to the C:\Windows\System32 folder.

Once they're there, try running the command again as you did before.

Hopefully it should work.

eddie


----------



## CoRoMo (Sep 4, 2007)

I downloaded and extracted that zip file to the correct folder and ran the command again, but it was _'not recognized as an internal or external command, operable program'_. Same as before.


----------



## eddie5659 (Mar 19, 2001)

Nuts 

At work at the moment, but will look again at home for you, as I'll have more time (tea-break for 10 mins)


----------



## eddie5659 (Mar 19, 2001)

Is it the first bit it stalls on:

*fsutil dirty query c:*

Or this part:

*CHKNTFS /X C:*

*edit* Just looked at the top, and it's 'fsutil'.


----------



## CoRoMo (Sep 4, 2007)

Yeah, just the first command.

I haven't tried the second command yet. Should I?


----------



## eddie5659 (Mar 19, 2001)

Just realised I asked you to copy the files to C:\Windows\System32

In Win2000 it should be C:\Winnt\System32

Can you try copying to that folder instead?


----------



## CoRoMo (Sep 4, 2007)

Okay. I put them in the right folder and was notified that fsutil was already there, but I replaced it. It worked this time...



> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-2000 Microsoft Corp.
> 
> C:....>fsutil dirty query c:
> ...


----------



## eddie5659 (Mar 19, 2001)

Good to see it worked, and it's not dirty.

So, let's try running Scandisk in safe mode. If you're not sure, this is how:


Restart your computer, and when the Boot menu appears, press F8.

When the Windows Advanced Options menu appears, select an option, and then press ENTER.

When the Boot menu appears again, with the words "Safe Mode" displayed in red at the bottom, select the installation you want to start, and then press ENTER.

From the list, select *Safe Mode (Safeboot_Option=Minimal)*

This shows all the options, in case you're curious:

http://support.microsoft.com/kb/202485

But I think there may be things running causing the slowdown of scandisk.


----------



## CoRoMo (Sep 4, 2007)

Okay, that's more issues.

When trying to enter safe mode, I got three blue screens/stop screens. I'd select *Safe Mode (Safeboot_Option=Minimal)* and immediately afterward I'd get the stop screen on two of those attempts. One attempt took me to the option to select the OS to start, but after selecting it I got the BSoD/stop screen.

On two separate attempts, when I chose the OS to start, it simply did not enter safe mode. It started the system as normal.


----------



## eddie5659 (Mar 19, 2001)

This is your current system specs:



> Compaq DeskPro
> 996 Mhz
> Max Memory Cap: 512MB
> Currently Installed: 512MB
> Platform: Windows 2000 SP4


Now, as you have a low amount of RAM and processor speed, running CA Security Suite may be causing the slowness.

If you look at the hijackThis log, these are running:



> C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
> C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
> C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
> C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
> ...


These are running all the time on your system, and may be a bit overloaded. I assume it's a paid version, so you should be able to re-install if it doesn't help, but see if uninstalling CA Internet Security Suite speeds the system up.

Also, let's see if your RAM is failing, though 512MB is not a lot, which may be a problem.

*Click this for a guide to using Memtest*

*Click this to download Memtest*

Run it overnight if possible

If you have a cd/dvd writer, go for the *Download - Pre-Compiled Bootable ISO (.zip)*

With Memtest86 the Report is accumulated on-screen while the test is scanning with various patterns.
A *Pass %* (percentage of Test completed) keeps a progress tally of any single test Run. 
Each portion of a Test Run is called a "Pass". The term "Pass" is misleading, in that people could think it means "pass" as in a passing score.
But it actually means a "pass" like the full swing of a digital photo copy scanner swinging across the page.

Then below that Pass percentage is the progress of the specific pattern test
Below that is *Testing*: which shows the amount of RAM being Tested
Below that is a description of the *Test Pattern* being "passed" during that portion of the test.
For instance moving "inversions" "1" and "0", Then 8 bit pattern inversions, then on and on.... 
In pattern fefefefefe , or 45a2d44d, fffffffed, 00000020, etc

Below that information is the *Results Report*
Time, - Cached(RAM) - RsvdMem - MemMap - Cache on/off - ECC - Test Pass - - Errors - Ecc Errs

The critical indicator is the (green) Errors item
(on the actual test screen it is not highlighted in green and I am just using the highlight to point you at the correct item)

We won't often see any results in the ECC Errs section since this is for ECC RAM which is most often used in Servers requiring Error Correction Chip RAM. (ECC RAM sticks look the same as non-ecc, but have an additional small chip for error correction) non-ecc = 8x64, ECC = 8x64 plus one small additional chip
___________________________________________________

"*Any*" number other than Zero under Errors constitutes a *FAILURE*

Ordinarily the number will be a quite LARGE number, but a smaller number (constituting a Random Sequence Error) can be just as deadly to the accurate performance of a machine as a steady failure.
_____________________________________________________

The above information is "just how I have come to understand" MemTest86 results and does not constitute any sort of authoritative wisdom.

MemTest86 has quite a good *Readme.txt* that comes with the zipped download and as I recall also provides additional research links. It would be well to read it.
_____________________________________________________

At the very Bottom of the MemTest86 screen is the *Navigation Bar*

(ESC)*exit* ( C ) *configuration* (sp) scroll_lock (cr)scroll_unlock

To *EXIT* memtest86 - press - *ESC*
(No need to turn off the machine, it will simply proceed to attempt to boot into Windows)

To configure *other information* for viewing - press - *C*

To *get out-of* the "other information" popup, just hit "*space bar*"

Hope this helps.

eddie


----------



## eddie5659 (Mar 19, 2001)

I've also moved this to a forum so others can reply, as it looks like it's not malware related.

Also, we'll remove the programs we've used later tonight for the malware stuff, as all my links are at home


----------



## CoRoMo (Sep 4, 2007)

I uninstalled CA Security Suite and upon reboot, I've gotten a stop screen. All subsequent attempts to reboot end up with the stop screen. It won't reboot into safe mode either. That ends up at the stop screen too.

Okay, so if this thing is done for good, how do I get some recent data that I need off of it?
I back up this PC's data and have most all of it on an external, but the very most recent stuff needs to be retrieved if at all possible.

Any ideas?


----------



## eddie5659 (Mar 19, 2001)

What does the blue screen say, as in any numbers or writing?


----------



## CoRoMo (Sep 4, 2007)

Well, I've got that HD installed into another PC now retrieving the data.

The blue screen, IIRC, said something about KMODE.

I'll have to get that HD back into that machine to record the info.


----------



## eddie5659 (Mar 19, 2001)

It looks like the drive is failing, so removing as much data as you can is probably the only option, like you're doing at the moment.

However, see if you can do this:

Restart the computer.
Press F8 when you receive the following message: 
Please select the operating system to start 
In Windows Advanced Option Menu, use the arrow keys to select Last Known Good Configuration, and then press ENTER.
If you are running other operating systems on the computer, click Microsoft Windows 2000 from the list that is displayed, and then press ENTER.

WARNING: After you start your computer by using the last known good configuration, changes that you made since the last successful startup are lost.

http://support.microsoft.com/kb/315396


----------

