
windows xp won't boot after scan



Welcome to the forum.

When the computer boots up, do you see the bios loading screen, how far does it get?

Do you have access to a computer that has a cd burner so you can create a disk?

Do you have a usb flash drive?

Let me know, MrC

Hi and thanks for the reply:

I see the bios screen, which gives me the option to hit F8 for HP's bios-controlled boot menu, or I can hit F5 to go into the Microsoft boot options like safe mode. I've tried all the options listed on the Microsoft boot screen, including safe mode, safe mode + network, +command, etc. and it does nothing.

When I boot in safe mode, I see three lines of information that appear to point to DLL files. The last file it points to is KDCOM.DLL. Then it just stops doing anything.

I do have access to a CD burner, and I read on this forum about a bootable disk option called "Secured2K." I created this disk and I do have access to a USB flash drive. I know someone who has the exact same model computer I have: an HP VL420 MT.


When I boot in safe mode, I see three lines of information that appear to point to DLL files. The last file it points to is KDCOM.DLL. Then it just stops doing anything.

That's a Windows file and belongs in C:\WINDOWS\system32

There's an extra copy in C:\WINDOWS\system32\dllcache

See if you can get the names of the other two files

-----------------

I do have access to a CD burner, and I read on this forum about a bootable disk option called "Secured2K."

I'm not familiar with this cd, but if you can use it to see if KDCOM.DLL is present in C:\WINDOWS\system32, that would be great.

----------------------

Please download HJT from here and copy it to your flash drive.

--------------------

The disk I wanted you to make is OTLPE:

Download OTLPE from here or here

Now put a blank cd-r in your burner and double click on OTLPEStd.exe, it will automatically burn the cd. (burn it at a slow speed to avoid errors)

Once you have the cd, boot the computer up using it.

Note : If you do not know how to set your computer to boot from CD follow the steps here

It's going to go something like this when OTLPE loads:

  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the C:\OTL.txt file in your reply.

--------------------

After you do that, drag HJT.exe to the desktop and double-click it to run it.

You want to click scan and then when done, click save log

It will be on the desktop, copy it to your flash drive and post it back here along with the OTL.txt

MrC


That's a Windows file and belongs in C:\WINDOWS\system32

There's an extra copy in C:\WINDOWS\system32\dllcache

See if you can get the names of the other two files

The full list of files that appear in safe mode are:

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS\System32\ntoskrnl.exe

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS\System32\hal.dll

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS\System32\KDCOM.DLL

I'm not familiar with this cd, but if you can use it to see if KDCOM.DLL is present in C:\WINDOWS\system32, that would be Great.

All three files are present.

----------------------

Please download HJT from here and copy it to your flash drive.

The disk I wanted you to make is OTLPE:

I've run both as you'd instructed and the files are attached. I think there might be something wrong with the hijackthis file, as it isn't looking at my C:\ drive, but an "X:\" drive. Is that by design?

I wanted to point out that a couple days ago, I'd searched the web for ways to get my XP to boot, and one of the suggestions was to run "FIXBOOT" on the C drive. I did that, to no effect. So I think the boot.ini file will be reflected in my attachment as having changed --that was me.

Thanks again --hopefully the attachments will point to the problem.

OTL.Txt

hijackthis.log


OK, You did everything correctly.

Let me look over the logs and I'll get back to you tomorrow, MrC

Thanks so much, MrC! Also, I thought it'd be helpful if I posted my Malwarebytes log, which is the last thing that generated before my boot problems started. It's listed below:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5562

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/20/2011 7:59:04 PM

mbam-log-2011-01-20 (19-59-04).txt

Scan type: Quick scan

Objects scanned: 176662

Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\mtSunGirl\local settings\Temp\16A.tmp (Rootkit.TDSS.XGen) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\16B.tmp (Rootkit.TDSS.XGen) -> Delete on reboot.

c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.

c:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.


OK, I managed to get to it tonight.

It looks like the boot.ini was modified:

[2011/01/21 18:14:39 | 000,000,211 | RHS- | M] () -- C:\boot.ini

Did you rebuild it?

---------------------------------

There's one bad driver (file) running on the system:

DRV - [2011/01/20 19:59:06 | 000,054,016 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\nwuvqxbq.sys -- (dqyoh)

-----------

You'll have to do this on the working computer and then copy it to your flash drive and then to the sick computer. What you want to copy is in the code box and then copy and paste it in under the Custom Scans/Fixes Box of OTLPE

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    DRV - [2011/01/20 19:59:06 | 000,054,016 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\nwuvqxbq.sys -- (dqyoh)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - CLSID or File not found.
    :Files
    C:\WINDOWS\System32\drivers\nwuvqxbq.sys
    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Let me know, MrC
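
Added example, not part of the original thread and not OTL's own code: a small parser for OTL `DRV` lines that applies the kind of triage used in the post above. It assumes the field in parentheses is the file's company name and uses a hypothetical rule set (empty company, kernel boot-start, modified near the incident time); the second sample line is constructed for contrast.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: line 1 is the DRV entry quoted in this thread;
# line 2 is a made-up benign entry added for contrast.
SAMPLE_LOG = r"""
DRV - [2011/01/20 19:59:06 | 000,054,016 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\nwuvqxbq.sys -- (dqyoh)
DRV - [2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\atapi.sys -- (atapi)
"""

DRV_RE = re.compile(
    r"^DRV - \[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[^|]+) \| M\] "
    r"\((?P<company>.*?)\) \[(?P<type>[^|\]]+) \| (?P<start>[^\]]+)\] "
    r"-- (?P<path>.+?) -- \((?P<service>.*)\)$")

def parse_drv(line):
    """Return the fields of one OTL 'DRV' line, or None if it does not match."""
    m = DRV_RE.match(line.strip())
    if not m:
        return None
    d = {k: v.strip() for k, v in m.groupdict().items()}
    d["ts"] = datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S")
    d["size"] = int(d["size"].replace(",", ""))
    return d

def triage(log_text, incident_time, window=timedelta(minutes=10)):
    """Return [(path, reasons)] for drivers that deserve a closer look."""
    findings = []
    for drv in filter(None, map(parse_drv, log_text.splitlines())):
        reasons = []
        if not drv["company"]:
            reasons.append("no company name in version info")
        if (drv["type"], drv["start"]) == ("Kernel", "Boot"):
            reasons.append("kernel driver loaded at boot")
        if abs(drv["ts"] - incident_time) <= window:
            reasons.append("modified close to incident time")
        # Assumed rule (hypothetical): report only entries with an empty
        # company field plus at least one other signal.
        if not drv["company"] and len(reasons) >= 2:
            findings.append((drv["path"], reasons))
    return findings

if __name__ == "__main__":
    # Timestamp of the Malwarebytes log posted earlier in this thread.
    scan_time = datetime(2011, 1, 20, 19, 59, 4)
    for path, reasons in triage(SAMPLE_LOG, scan_time):
        print(path, "->", "; ".join(reasons))
```

A hit from this kind of filter is a lead for manual review, not a verdict; legitimate drivers can also lack version information.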


Hi MrC:

OK, I managed to get to it tonight.

It looks like the boot.ini was modified:

[2011/01/21 18:14:39 | 000,000,211 | RHS- | M] () -- C:\boot.ini

Did you rebuild it?

Yes, that was me in an attempt to fix the boot problem a couple days ago. It was a suggestion I'd found in a Google search that didn't pan out.

  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Let me know, MrC

I ran the job and below are the results:

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dqyoh deleted successfully.

C:\WINDOWS\system32\drivers\nwuvqxbq.sys moved successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\CDBurn deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\ not found.

========== FILES ==========

File\Folder C:\WINDOWS\System32\drivers\nwuvqxbq.sys not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 148 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User

->Temp folder emptied: 148 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: mtSunGirl

->Temp folder emptied: 65032000 bytes

->Temporary Internet Files folder emptied: 29422576 bytes

->Java cache emptied: 97013 bytes

->FireFox cache emptied: 59509708 bytes

->Apple Safari cache emptied: 1177600 bytes

->Flash cache emptied: 85051 bytes

User: NetworkService

->Temp folder emptied: 228424 bytes

->Temporary Internet Files folder emptied: 4473608 bytes

->Flash cache emptied: 39668 bytes

User: Owner

->Temp folder emptied: 148 bytes

->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 1111668 bytes

%systemroot%\System32 .tmp files removed: 74729009 bytes

%systemroot%\System32\dllcache .tmp files removed: 6144 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 728818 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 12978424 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 35930 bytes

Total Files Cleaned = 238.00 mb

OTLPE by OldTimer - Version 3.1.44.1 log created on 01232011_223721


The OTLPE process went OK.

How did you run the FIXBOOT command?

Someone else I know has a full-blown Windows XP Professional installation disk. That doesn't help me reinstall Windows, because my machine is running XP Home edition. But it was enough for me to boot from it, run the "repair" choice and get to a prompt where I could run the "FIXBOOT" command.

Do you have the recovery console installed?

It's only for XP Professional, not HP Home.

What's the operating system? XP home or Pro

My operating system is XP Home.

Looks like you have 2 partitions on the drive > correct?

Yes, that's correct. The C drive has my Windows installation and the D drive is just another partition for the rest of my files (I also install programs to this drive to keep the C drive space down)

Thank you again!


When you see these files, do you get any error messages like missing a file?

The full list of files that appear in safe mode are:

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS\System32\ntoskrnl.exe

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS\System32\hal.dll

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS\System32\KDCOM.DLL

------------------------------

Rather than going back and forth, try these procedures in this order:

(Try the computer after each one)

1. > The same way you ran FIXBOOT, run this command chkdsk /f

Info on running the rest can be found HERE and

here

Try these (the same way you ran FIXBOOT and chkdsk /f)

All the ones below are from here

#1: Use a Windows startup disk (if you have a floppy)

You'll have to set bios to boot from floppy if you have one.

------------------

#5: Fix a corrupt Boot.ini

use this command: Bootcfg /Rebuild

http://www.computerhope.com/issues/ch000648.htm <------good tutorial here

http://support.microsoft.com/kb/314477 <---here

------------------

#6: Fix a corrupt partition boot sector

http://www.microsoft.com/resources/documen...t.mspx?mfr=true

---------------------

#7: Fix a corrupt master boot record

http://www.microsoft.com/resources/documen...r.mspx?mfr=true

---------------------

If there's any questions on a particular procedure, let me know and I'll see if I can answer it.

Let me know, MrC


When you see these files, do you get any error messages like missing a file?

No, I wasn't getting any error messages, it would just stop and not proceed any further.

I think all is lost and I'll have to re-install windows and delete all my data.

At least the OTLPE disk has allowed me to get to my files and back up any recent changes to a Flash drive.

I copied all the DLL files from my friend's identical computer to my pc's System32 and System32/drivers folders. That actually allowed me to boot...but when it loaded my desktop, all I saw was my background image, no taskbar, no icons, nothing.

I tried re-installing explorer.exe from my friend's computer, but it wouldn't help. After a while, the computer would shut itself down. Something about it couldn't run RPC. Frustrating.

So, I think I'm going to move what files I can off this machine and take my HP recovery disk and wipe the drive with a fresh format and copy of Windows.

[[sigh]] :D

Thanks for the help.


Well we gave it our best shot, that's all we can do.

Reinstall will be your best bet. :D

If there's any questions....please post back.

Take a look at My Preventive Maintenance to keep your computer safe and secure and to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Thanks again MrC --I appreciate your sticking with me on this.

And I very much appreciate the OTLPE boot disk. It's an amazing lifesaver in terms of retrieving files --I could even get on the internet using the IE6 browser that came with it. Really cool tool. Hadn't heard of Windows PE until this week. ;)

