Rangerland Forum Information

[Rick91981]

Yeah, they made it a relatively painless - if time-consuming - process. Fortunately, I also had my laptop and a spare thumb drive at home, as it was necessary to download the portable version of SuperAntiSpyware and run it off of the thumb drive; SecurityTools totally blocked out MalWareBytes on me until after I ran SuperAntiSpyware.

Yep, the well coded programs block the removal tools. Some of them can be a bitch to remove.

Yay fixed. Thanks Rick.

Glad to help.

[Sed]

Yep, the well coded programs block the removal tools. Some of them can be a bitch to remove.

You know, I ended up talking with some of my students about it today, and here's my problem:

This was obviously a well-coded program, judging by its resistance to removal efforts. But for all of the time and effort that was put into writing the thing, you'd think that the person or people responsible would run a fucking spelling/grammar check on their "warning messages." I mean, honestly - if you're trying to make me thing that your piece of malware is a legitimate program, telling me that "some porgrams" have gained "unathorized access" is not the way to go.

Attention to detail, folks - it really does make a difference.

This post has been edited by Sed: Nov 16 2010, 08:53 PM

[Rick91981]

You know, I ended up talking with some of my students about it today, and here's my problem:

This was obviously a well-coded program, judging by its resistance to removal efforts. But for all of the time and effort that was put into writing the thing, you'd think that the person or people responsible would run a fucking spelling/grammar check on their "warning messages." I mean, honestly - if you're trying to make me thing that your piece of malware is a legitimate program, telling me that "some porgrams" have gained "unathorized access" is not the way to go.

Attention to detail, folks - it really does make a difference.

A large chunk of those malicious programs come from coders over seas where English is not their primary language which explains the lack of proper grammar.

[Sed]

A large chunk of those malicious programs come from coders over seas where English is not their primary language which explains the lack of proper grammar.

Oh, I know - it just makes me laugh.

[BoomStrakaLaka]

I'm having trouble with your suggestion on the hosts file. Not that your directions are wrong, I just don't know what I'm doing. I am not exactly sure which file is the hosts file, but I did open a couple in Notepad, and none of them gave me anything close to what I thought I should see. What is confusing is how many different things are named hosts.

I've provided a picture of the etc folder. Also, I downloaded MS Security Essentials, and it did find a few infections. However, I am unable to update their definitions, and when I try to access the Windows Update website, I am told IE cannot display the webpage. For MS Sec Essentials, I get error code 0x80072efe.

Is any of this related to svchost.exe taking up so much of the CPU at times?

Thanks again Rick.

Attached image(s)

 

[Beamer]

Your hosts file is the second one down that says "file." You can also get an installer here:
http://www.mvps.org/winhelp2002/hosts.htm


My recommendation is keep the file open and handy. They're too conservative there, and you'll find things like paid search ad redirects blocked. While this may sound like a good thing, many sites (such as yahoo) will use redirects for many sites. For instance, if you search "verizon wireless" the first hit is obviously verizonwireless.com but that particular link will have some redirects. The host file will block them and drive you nuts.



Honestly, though, with a good hosts file you'll have to actually try to get spyware and viruses.
And it has nothing to do with svchost.exe

[Beamer]

Also, if svchost.exe is eating your CPU, use this site:
http://www.fileinspect.com/fileinfo/svchost-exe/

It's got great directions for narrowing that down.

[Rick91981]

I'm having trouble with your suggestion on the hosts file. Not that your directions are wrong, I just don't know what I'm doing. I am not exactly sure which file is the hosts file, but I did open a couple in Notepad, and none of them gave me anything close to what I thought I should see. What is confusing is how many different things are named hosts.

I've provided a picture of the etc folder. Also, I downloaded MS Security Essentials, and it did find a few infections. However, I am unable to update their definitions, and when I try to access the Windows Update website, I am told IE cannot display the webpage. For MS Sec Essentials, I get error code 0x80072efe.

Is any of this related to svchost.exe taking up so much of the CPU at times?

Thanks again Rick.

That error is related to connectivity issues for Windows Updates. Check to see if the machine is connecting using a proxy. Open control panel then internet options. click the connection tab. Click the LAN settings button. If configured to connect using a proxy then uncheck that box and click ok. Try Windows update again. Also check your time and date settings on the machine as that can throw off Windows Updates sometimes.


As far as the hosts file, you apparently have some program that is backup up your hosts file at regular intervals which is why there are so many in there. Not necessarily a bad thing so I wouldnt worry about it. As far as which file, it is the one that is just a "file" not a text file or backup file or anything like that. The second one down on the left column. The one that is 415KB (which tells me that you definitely have redirects in there. A typical size is 1-2KB).

[Rick91981]

Also, if svchost.exe is eating your CPU, use this site:
http://www.fileinspect.com/fileinfo/svchost-exe/

It's got great directions for narrowing that down.

The svhost.exe could be almost anything. Use process explorer to see what file it is exactly. Then we can determine if it is Windows on the fritz or spyware related.

[Beamer]

The svhost.exe could be almost anything. Use process explorer to see what file it is exactly. Then we can determine if it is Windows on the fritz or spyware related.

Which is linked to from that page with user-friendly directions on what it's doing.

[Rick91981]

Which is linked to from that page with user-friendly directions on what it's doing.

Fair enough. I didn't look at the link.

[BoomStrakaLaka]

When I opened the hosts file in notepad, all I saw was a lot of 汯浵獮挮浯. I saw no mention of local host. Just those characters.

Edit: Crap. It is appearing as Chinese characters (or some other language). It was actually all small rectangles.

This post has been edited by BoomStrakaLaka: Nov 19 2010, 11:25 AM

[Eric]

Well I think we see where the virus came from. Have you been to China recently?

[Rick91981]

When I opened the hosts file in notepad, all I saw was a lot of 汯浵獮挮浯. I saw no mention of local host. Just those characters.

Edit: Crap. It is appearing as Chinese characters (or some other language). It was actually all small rectangles.

Follow these instructions to get it back to the defaults.

http://support.microsoft.com/kb/972034

[BoomStrakaLaka]

Few things:

1) I checked the LAN Settings, and proxy setting is unchecked. Also checked Date/Time settings. Still cannot access Windows Update.

2) Followed the hosts file directions. However, I am still being redirected. One step of the hosts directions stated to hit yes to confirm that the filename extension will not be txt. I was never offered that prompt.

3) While running an MBAM scan, I monitored process explorer to see if svchost.exe would act up. It started reaching 75-80% (not quite as high as other times). I decided to mouse over it and see what kind of info it showed me. From my limited computer knowledge, it seems like legitimate stuff.

Before I post the pic, I would like to thank you for your time Rick. I didn't want to bother you with this, so I was posting this stuff on Computerhope.com last week. Although it seems they are quite good over there, it's not as "personal" as this board, and I would only get one response a day. Thank you very, very much. That goes to everyone else who chimes in to help (ie Beamer).

Edit: As you can tell, the pic is of the "mouse over" in process explorer.

This post has been edited by BoomStrakaLaka: Nov 19 2010, 02:53 PM

Attached image(s)

 

[Rick91981]

Few things:

1) I checked the LAN Settings, and proxy setting is unchecked. Also checked Date/Time settings. Still cannot access Windows Update.

2) Followed the hosts file directions. However, I am still being redirected. One step of the hosts directions stated to hit yes to confirm that the filename extension will not be txt. I was never offered that prompt.

3) While running an MBAM scan, I monitored process explorer to see if svchost.exe would act up. It started reaching 75-80% (not quite as high as other times). I decided to mouse over it and see what kind of info it showed me. From my limited computer knowledge, it seems like legitimate stuff.

Before I post the pic, I would like to thank you for your time Rick. I didn't want to bother you with this, so I was posting this stuff on Computerhope.com last week. Although it seems they are quite good over there, it's not as "personal" as this board, and I would only get one response a day. Thank you very, very much. That goes to everyone else who chimes in to help (ie Beamer).

Edit: As you can tell, the pic is of the "mouse over" in process explorer.

Yes those do appear to be legit processes running so I wouldn't worry much about it. As far as Windows Update start with this site to troubleshoot the issues.

For the hosts file if you are unsure about the prompts, just open the hosts file that is there, delete everything in it and copy paste the following into it

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Click save and then close it.


Next I would also try running a scan of spybot search and destroy. I would do this scan while in safe mode(reboot machine and begin pressing F8 as soon as it starts booting. keep pressing until prompted with a menu. Choose safe mode with networking).

[BoomStrakaLaka]

Just as I posted about how these seem to be legit processes, svchost went wild again, and I received an error report (details shown in photo attached). I googled svchost.exe and the other file mentioned in the error report (ntdll.dll) in the same search. I found a bunch of forums/sites with other's troubles and solutions with the same problem I am having. Apparently, windows addressed this in one of their updates. Also, many state that the issue is related to svchost.exe trying to access updates and it is unable to. There are several suggestions by people, and I am hesitant to choose which to do, especially since most are around 3 years old. One solution suggests to run ComboFix. I wanted to run it, but ComboFix indicates that AntiVir, AOL Antivirus, and AVG need to be disabled. Antivir and AVG have been uninstalled, and I have no idea where AOL Antivirus is. I don't understand why ComboFix sees them as running processes.

Also, I ran Spybot in safe mode and it found 7 items. Upon rebooting into "normal" mode, I still cannot access windows update website, which seems like it is related to the svchost issue.

One final thing, when I open the hosts file in notepad and attempt to copy/paste what you told me to, it doesnt allow me to save it.

It says "Cannot create the C:\WINDOWS\system32\drivers\etc\hosts file. Make sure the path and file name are correct."

Attached image(s)

 

[Beamer]

For the host pad error, go to your start menu, right click on Notepad and select "run as administrator."

[BoomStrakaLaka]

For the host pad error, go to your start menu, right click on Notepad and select "run as administrator."

Just tried. Same message appeared.

[Beamer]

Apologies if you did this already, but can you do a ctrl-alt-delete, go to the task manager, and tell us all the processes you have running?

[BoomStrakaLaka]

Apologies if you did this already, but can you do a ctrl-alt-delete, go to the task manager, and tell us all the processes you have running?

Please, never apologize. You are the one trying to help me (especially since it is at no charge). Here is a print screen of the processes (broke it into two because obviously it wouldn't fit on one screen).

Also, mods and users, when this friggin machine is fixed, I will detach all photos from the post, because I imagine it is quite the eyesore.

Attached File(s)

 processes.bmp ( 1.49mb ) Number of downloads: 15

 

[Rick91981]

You are the one trying to help me (especially since it is at no charge).

Woah we never said that we wouldn't send a bill!


All processes look legit except the services.exe. That can often mean spyware/virus.

Combofix is a great program but I don't recommend to run it until a last resort as it can easily mess up the machine if not used properly.

Lets start with looking at the run key in your registry(please do not make any changes in the registry until directed to do so).

1) start->run
2) type in regedit and press enter
3) using the directory tree on the left side browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and post a screen shot of that

[BoomStrakaLaka]

Before I attach the pic, one side note. I know you've informed me before that Windows Firewall is sufficient, but I am running Online Armor. That was one of the steps required at computerhope.com. Please let me know what you would like me to do in regards to Online Armor.

Attached File(s)

 current_version_run.bmp ( 1.49mb ) Number of downloads: 14

 

[Beamer]

Well, utezasazasaza.dll is certainly the standout there.

[Beamer]

edit - follow Rick's post. Mine is about nuking the issue, his is about diagnosing it.

My recommendation, Rick may disagree:
Try start - programs - accessories - command prompt
Type regsvr32 /u utezasazasaza.dll
Then search utezasazasaza.dll and delete it.
Delete that entry in your registry.
Reboot and see if it's back, both physically and in the registry.



If it's back, and unless Rick has other advice, I'd recommend taking this to Bleeping Computer or Major Geeks:
http://www.bleepingcomputer.com/forums/forum22.html
http://forums.majorgeeks.com/forumdisplay.php?f=35

Getting rid of that may be quick and easy, but I'm thinking it's time to bring in deeper tools like Gmer.
Personally I'd send you there because people on this board have probably seen this before and may be able to direct you more accurately.
Rick may be able to, too. But, for me we're about to hit an area I'm not as comfortable guiding you through without being there. Rick has more experience on that end.

This post has been edited by Beamer: Nov 20 2010, 02:54 PM

[Rick91981]

Before I attach the pic, one side note. I know you've informed me before that Windows Firewall is sufficient, but I am running Online Armor. That was one of the steps required at computerhope.com. Please let me know what you would like me to do in regards to Online Armor.

Online Armor is fine but not needed. Ill leave that up to personal preference as to what you do with it.

Well, utezasazasaza.dll is certainly the standout there.

Yep. That screams spyware.


First things first, before making a change to the registry, back it up.

1) open regedit
2) file -> export
3) at the bottom choose all (as opposed to selected branch)
4) pick a name and save location then click save


Next highlight the lbihoko and press delete. If prompted say yes you are sure you wish to delete it.

Reboot the machine.

Go to www.virustotal.com and upload the c:\windows\utezasazasaza.dll file and let it analyze it. Hopefully it will give us an idea of what virus we are dealing with.

Next would be to rename the file. Open windows explorer and go to tools -> folder options
click the view tab
choose show hidden and system files
uncheck the hide extentions for known types
browse to c:\windows
find the file and right click and choose rename.
delete the .dll at the end and add .bad in its place


If no adverse effects come from renaming it after a day or so then it is safe to delete that file.

[Rick91981]

edit - follow Rick's post. Mine is about nuking the issue, his is about diagnosing it.

My recommendation, Rick may disagree:
Try start - programs - accessories - command prompt
Type regsvr32 /u utezasazasaza.dll
Then search utezasazasaza.dll and delete it.
Delete that entry in your registry.
Reboot and see if it's back, both physically and in the registry.

That'll work.

If it's back, and unless Rick has other advice, I'd recommend taking this to Bleeping Computer or Major Geeks:
http://www.bleepingcomputer.com/forums/forum22.html
http://forums.majorgeeks.com/forumdisplay.php?f=35

Bleepingcomputer.com are the best out there and they'd be my reccomendation.

Getting rid of that may be quick and easy, but I'm thinking it's time to bring in deeper tools like Gmer.
Personally I'd send you there because people on this board have probably seen this before and may be able to direct you more accurately.
Rick may be able to, too. But, for me we're about to hit an area I'm not as comfortable guiding you through without being there. Rick has more experience on that end.

I'm not so sure it is a rootkit. If it were I don't think there would be traces in the registry that are so easy to find.

[BoomStrakaLaka]

Here are the results of the analysis at viristotal.com. Should I proceed with the renaming of it?

Antivirus results
AhnLab-V3 - 2010.11.20.00 - 2010.11.19 - -
AntiVir - 7.10.14.55 - 2010.11.19 - -
Antiy-AVL - 2.0.3.7 - 2010.11.20 - -
Avast - 4.8.1351.0 - 2010.11.20 - -
Avast5 - 5.0.594.0 - 2010.11.20 - -
AVG - 9.0.0.851 - 2010.11.20 - -
BitDefender - 7.2 - 2010.11.20 - Gen:Variant.Kazy.3281
CAT-QuickHeal - 11.00 - 2010.11.09 - -
ClamAV - 0.96.4.0 - 2010.11.20 - -
Command - 5.2.11.5 - 2010.11.20 - -
Comodo - 6785 - 2010.11.20 - -
DrWeb - 5.0.2.03300 - 2010.11.20 - -
Emsisoft - 5.0.0.50 - 2010.11.20 - -
eSafe - 7.0.17.0 - 2010.11.18 - -
eTrust-Vet - 36.1.7989 - 2010.11.20 - -
F-Prot - 4.6.2.117 - 2010.11.20 - -
F-Secure - 9.0.16160.0 - 2010.11.20 - Gen:Variant.Kazy.3281
Fortinet - 4.2.254.0 - 2010.11.20 - -
GData - 21 - 2010.11.20 - Gen:Variant.Kazy.3281
Ikarus - T3.1.1.90.0 - 2010.11.20 - -
Jiangmin - 13.0.900 - 2010.11.20 - -
K7AntiVirus - 9.68.3041 - 2010.11.20 - -
Kaspersky - 7.0.0.125 - 2010.11.20 - -
McAfee - 5.400.0.1158 - 2010.11.20 - Hiloti.gen.g
McAfee-GW-Edition - 2010.1C - 2010.11.20 - Hiloti.gen.g
Microsoft - 1.6402 - 2010.11.19 - -
NOD32 - 5635 - 2010.11.20 - -
Norman - 6.06.10 - 2010.11.20 - -
nProtect - 2010-11-20.01 - 2010.11.20 - Gen:Variant.Kazy.3281
Panda - 10.0.2.7 - 2010.11.20 - Suspicious file
PCTools - 7.0.3.5 - 2010.11.20 - -
Prevx - 3.0 - 2010.11.20 - -
Rising - 22.74.04.00 - 2010.11.20 - -
Sophos - 4.59.0 - 2010.11.20 - Mal/Hiloti-C
SUPERAntiSpyware - 4.40.0.1006 - 2010.11.20 - -
Symantec - 20101.2.0.161 - 2010.11.20 - -
TheHacker - 6.7.0.1.087 - 2010.11.20 - -
TrendMicro - 9.120.0.1004 - 2010.11.20 - TROJ_HILOTI.SMEO
TrendMicro-HouseCall - 9.120.0.1004 - 2010.11.20 - TROJ_HILOTI.SMEO
VBA32 - 3.12.14.2 - 2010.11.19 - -
VIPRE - 7363 - 2010.11.20 - Trojan.Win32.Hiloti.ba (v)
ViRobot - 2010.11.20.4158 - 2010.11.20 - -
VirusBuster - 13.6.51.0 - 2010.11.20 - Trojan.Hiloti.Gen!Pac.2
File info:
MD5: fccfaeb983272ca0b85ad9f151a1901b
SHA1: 9371bdfe53e0407cda02ed51b0bfe686363bd798
SHA256: aecf4e80a9eda3fef2731db90c8b728b28491ef76f7a86715327683cf81a6b31
File size: 189440 bytes
Scan date: 2010-11-20 20:14:12 (UTC)

[BoomStrakaLaka]

Just to let you know, I am running out of the house for a few errands. I really appreciate how quickly you guys have been responding today. It's unbelievable. You guys need lives (just kidding).

I figured I would let you know in case you were waiting for a response from me.

[Rick91981]

Delete the reg key and rename the file.

If that gets rid of it then perfect, but I have a feeling when you reboot and go back to the run key in regedit there will be a different randomly generated file. But lets try it and see what happens.

[BoomStrakaLaka]

It seems like the key has not returned after a reboot. Not that I expected it to cure everything, but the windows update website still doesn't load.

Attached File(s)

 new_reg.bmp ( 1.49mb ) Number of downloads: 21

 

[Rick91981]

OK that is a good sign that the regkey did not return. Progress has been made.


Now as far as WinUpdates....when does it fail? Does it try to download and install them and then fail? or does it not even get to the site?

[Rick91981]

Also cant remember if I asked or not, but what service pack is installed? (you can tell by right clicking my computer and selecting properties).

[BoomStrakaLaka]

Service Pack 3.

In regards to Windows Update, I cannot access the website. It says the page cannot be displayed. I wanted to try to attempt to download updates via the control panel, but svchost.exe is taking up so much of the CPU that I'm lucky to post this.

[Rick91981]

Lets try going to the control panel then internet options. Click the security tab. Click on each of the four zones and click the default button for each if it is highlighted. Also while in that window click on the connections tab and then click the LAN settings button at the bottom. At the bottom make sure the check box for use a proxy server for your LAN is unchecked and then click ok.

[BoomStrakaLaka]

Lets try going to the control panel then internet options. Click the security tab. Click on each of the four zones and click the default button for each if it is highlighted. Also while in that window click on the connections tab and then click the LAN settings button at the bottom. At the bottom make sure the check box for use a proxy server for your LAN is unchecked and then click ok.

No luck.

[Rick91981]

I would try the SmifraudFix tool. Run it from safemode and choose options 2 and 5 in that order. If prompted about cleaning the registry or replacing an infected wininet.dll file say yes.

You could also try resetting your TCPIP stack and Winsockl.
1) Click start -> run
2) type netsh int ip reset c:\resetlog.txt and hit enter
3) type netsh winsock reset catalog and hit enter
4) reboot


If none of that works then take it over to bleepingcomputer.net as there is something more deeply rooted than I can find.

[rightbug]

Arrgh. Okay. I came home from work tonight and my new computer (Windows 7) was in a boot loop. Hilary tells me the computer was on but the monitor had no signal when she got home so she cold booted it just before I came in.

I can boot into safe mode no problem.

I cannot boot into safe mode with networking. That sends me right back into the boot loop.

I did a system restore back as far as it would let me go (not far, the 22nd) and that did not fix the issue.

At that point I had to leave to drive down to CT for the weekend so I didn't have time to write down error messages or anything that might be useful so I guess I'm looking for general advice here. On Monday the McAffee Anti-virus that came with the computer expired so I uninstalled it and installed Windows Security Essentials. Windows Security Essentials installed correctly and has been running fine but it did not prompt me to reboot so this may be the first time the computer has rebooted since that was installed.

I guess my first step would be to uninstall WSE. What does tit tell me that safe mode works but safe mode with networking does not?

As a side note, my replacement backup drive arrived Tuesday and I have not installed it yet. As I waited and waited for the system restore to initialize I was killing myself for trying that before backing things up. If the hard drive bricks at this point I lose everything. Years of photos and 60GB of music. What a diasterous chain of events. I am pretty sure the current issue is not hard drive related but, if it turns out to be, I'm going to have to start suspecting something envrionmental. Or is it just a series of unfortunate coincidences? The computer is well vented and in a cool corner.

[Rick91981]

Sounds driver or hardware related. Best guess would be your network card. Boot into safe mode. Open the device manager (control panel -> system then on the right side of that window will be a link for device manager). Find the section for network adapters and expand it. Find your ethernet card in there and right click and choose disable. Now reboot into Windows normal mode and see what happens. If it boots that tells you it is the network card.

If not, back into safe mode. Go back into the control panel and then system. This time on the left side of that window choose advanced system settings. In the new window choose the advanced tab. Click the settings button in the startup and recovery section. Now towards the bottom in the section for system failure you should see a checkbox for automatically restart. Uncheck that and click ok. Now reboot and this time it should hopefully bluescreen. That should give us some information as to what is happening. IF you do get a bluescreen let me know what it says. You dont need to tell me the thing in its entirety the info I am looking for that is most important is the STOP ERROR. It is a string of Hex numbers. It will be a singular one followed by 4 numbers in parenthesis. I need the singular number. It will also say a short phrase in all caps separated by an underscore instead of spaces. That is also useful. Finally if we are lucky it will give us a filename that can lead us to the cause of the problem

[rightbug]

Sounds driver or hardware related. Best guess would be your network card. Boot into safe mode. Open the device manager (control panel -> system then on the right side of that window will be a link for device manager). Find the section for network adapters and expand it. Find your ethernet card in there and right click and choose disable. Now reboot into Windows normal mode and see what happens. If it boots that tells you it is the network card.

If not, back into safe mode. Go back into the control panel and then system. This time on the left side of that window choose advanced system settings. In the new window choose the advanced tab. Click the settings button in the startup and recovery section. Now towards the bottom in the section for system failure you should see a checkbox for automatically restart. Uncheck that and click ok. Now reboot and this time it should hopefully bluescreen. That should give us some information as to what is happening. IF you do get a bluescreen let me know what it says. You dont need to tell me the thing in its entirety the info I am looking for that is most important is the STOP ERROR. It is a string of Hex numbers. It will be a singular one followed by 4 numbers in parenthesis. I need the singular number. It will also say a short phrase in all caps separated by an underscore instead of spaces. That is also useful. Finally if we are lucky it will give us a filename that can lead us to the cause of the problem

Awesome -- Thanks. I'll try that when I get home. I think it may have actually given me the stop error in a report when I booted to safe mnode. I copied it to a text file before tryingthe system restore but everyone was waiting for me in the car by the time the restore finished so I had to run

[rightbug]

Okay!

Disabling the ethernet card, interestingly, did not change the situation. 'Still stuck in a boot loop even with the ethernet card disabled so I moved on to your second suggestion.

The stop eror is

DRIVER_IRQL_NOT_LESS_OR_EQUAL

0x000000D1

Googling around I see this is likely a driver issue:

Stop 0x000000D1 or DRIVER_IRQL_NOT_LESS_OR_EQUAL
The Stop 0xD1 message indicates that the system attempted to access pageable memory using a kernel process IRQL that was too high. Drivers that have used improper addresses typically cause this error.

Interpreting the Message
This Stop message has four parameters:

Memory referenced.
IRQL at time of reference.
Type of access (0x00000000 = read operation, 0x00000001 = write operation).
Address that referenced memory.
Resolving the Problem
For additional troubleshooting suggestions that apply to all Stop errors, see "Stop Message Checklist" later in this appendix.

Stop 0xD1 messages can occur after installing faulty drivers or system services. If a driver is listed by name, disable, remove, or roll back that driver to confirm that this resolves the error. If so, contact the manufacturer about a possible update. Using updated software is especially important for backup programs, multimedia applications, antivirus scanners, DVD playback, and CD mastering tools.
For more information about Stop 0xD1 messages, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search using keywords winnt, 0x000000D1, and 0xD1.

That's for XP but I take it it's the same for Windows 7. The million dollar question is how do I fix it? How do I know which driver is causing trouble? As I said, I tried restoring back as far as it would let me which was three days before the boot loop started. (I had not rebooted during that time.) So the easiest solution is off the table. Another problem, of course, is that the computer will not boot into any mode with networking. And I am terrified of doing anything that will lose the data on the hard drive because my backup drive just arrived and I did not install it so if I lose what's on that drive, I've finally lost all of the data I've been scrambling to save fo the last six months. (Primarily family photos and my music collection.)

[rightbug]

Ah ha! Show more restore points I'm now restoring back to the 11th. Hopefully this will work.

[rightbug]

Okay -- That did the trick. Thank god. Thanks for the help Rick.

I'm going to guess it was Windows Security Essentials that screwed tjhings up which kind of sucks as I was hoping to use that as a nice, no thought required, free anti-virus solution. I used to use AVG but I've been incresingly unhappy about their bloat and intrusive advertizing.

[rightbug]

Ah! Cocksucker. So, WSE is off the hook. System restore restored McAffee. To install AVG, I had to uninstall McAffee and as soon as I rebooted I was right back where I started. So the problem is with uninstalling McAffee which sucks because I don't want to use it, especially now, but I can't install WSE without uninstalling it.

[Rick91981]

Sorry for the late response. Glad you are on the right track though.

Yes definitely sounds like McAfee is on the fritz. That Blue screen error is always either driver or software related. Basically it means the program is trying to access a chunk of memory that doesn't exist. It is the result of poor coding or a bug in the software.

First off, if you are so worried about photos and music I would recommend an online backup. Carbonite and Mozy are the two big ones. I use Mozy and have no problems at all. I hear good things about Carbonite but have no personal experience with it. It is worth the small annual fee ($60 for Mozy. Not sure about Carbonite) to know your data is safe. Especially for the family photos that are irreplaceable. This way in case of a harddrive crash you can restore your data with no troubles. (note, it is a backup and not storage. do not delete photos locally or they will be unavailable after 30 days from Mozy). Depending on the size of your data and the speed of your internet connection, the initial backup can take a week or two.

Now once you have data backed up, at least to another harddrive for the time being, then proceed with removing McAfee. Because it is such a piece of shit you need to remove it from the add/remove programs in the control panel(do not reboot yet) and then run a McAfee removal tool. The tool is available from mcafee's website. Direct link here. Save the tool to your desktop. Right click it and choose run as administrator. When the UAC prompt says are you sure click allow. When the mcafee tool finishes then reboot. Now you should be clear to install Security Essentials. I agree about AVG, I used to love it but its gone down the shitter the last few years.

[Sed]

I'll second Mozy - it's unobtrusive, and once the initial backup has run (like Rick said, it can take a pretty long time to finish) the subsequent backups are pretty quick.

We got it mostly to protect pictures that we haven't backed up to DVD yet. Once I have a hard backup somewhere, I delete from the HDD. I also have things backed up to an external HDD, but I need to get a larger external. I think that the one that I have now is 250GB. If you would've told me 12 years ago that I'd ever need more than the 10GB drive that I had then, I would have laughed. Then again, I didn't have a digital camera and children.

[rightbug]

Awesome -- Thanks for both recommendations guys!

[xcdudesquadloves...]

The top of my browser just turned to chinese.

Here's what I mean:



Has the takeover begun

[Rick91981]

The top of my browser just turned to chinese.

Here's what I mean:



Has the takeover begun

Umm.... is it just firefox or all windows? Just certain sites or all sites? Details.

[Sed]

My Firefox did that once in awhile, too - the Real Player plug-in was the culprit in my case.