Only boots to Safe Mode

[screen317]

Hi,

What happens when you boot up now? Any messages?

Run chkdsk /r from the Recovery Console and see what it says.

I will continue to consult with my colleagues.

[wrench]

Hello, no messages. Boot up same as before, bios runs, Windows tries to start fails, then bios runs again, then screen with Safe Mode is offered.

I ran CHKDSK as you requested, it went well, it listed time and date and a serial number d869-333b8. At the end it said "CHKDSK found one or more errors".

Upon reboot same as it has been. It went to the Safe Mode screen with no normal Windows boot-up.

I am ready for the next attempt. Thanks

[wrench]

.

[screen317]

Hi,

I would like you to attempt a Repair Installation using your CD as outlined here:

http://support.microsoft.com/kb/917964

Let me know if you need any assistance through the process.

[wrench]

Hello, I am sending this from another computer as the one we were working with has not responded well to treatment. I went to the Windows site and followed the directions to remove IE8, which was installed, with the recovery console from disc and that seemed to go well. The removal produced a stream of operations of which I got a few; missing files, then deleting files. I moved on to the next step which asked to do a repair from the disc which I did and it seemed to go well. First by deleting several files then installing new ones. It then said to start IE6 and be sure it works. This never happened as I got BSOD when restarting. Here is the BSOD information; DRIVER_IRQL_NOT_LESS_OR_EQUAL Technical Information;

***STOP: 0x000000D1 (0xF9E69000, 0x00000002, 0x00000000, 0xF9E5DF94)

*** BOOTVID.dll - Address F9E5DF94 base at F9E5D000, Datestamp 3b7d8345

What to do now ? I cannot access Safe Mode it loads all the drivers as normally then a window comes up that says

"Windows XP Setup cannot run under Safemode. Setup will restart now."

I have tried to restart without the disc and I get the same BSOD. If I restart with the disc I get the same setup screen as I have been through yet it does not correct the problem, after two setup runs, although it says "setup completed successfully." I missed a step somewhere but I don't see it???

Any other information I can offer from this attempt? Please let me know

[screen317]

Very interesting. Looks like malware may still be the cause here. I think if we can identify the problematic driver, then Windows will boot again.

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability.

• Avira AntiVir Rescue System - Tutorial for Avira Rescue CD.
  If you encounter problems running the Rescue Disk, you can get further assistance at the Avira Support Forum.
• Dr Web LiveCD. Be sure to print out and follow the instructions provided in the User Manual.
• F-Secure Rescue CD - Rescue CD 3.01 released.
  Video: How to Remove Malware with F-Secure Rescue CD
  If you encounter problems running the Rescue CD, you can get further assistance at the F-Secure Support Forum.
• BitDefender LiveCD - Index of /rescue_cd
  If you encounter problems running the Rescue CD, you can get further assistance at the BitDefender Support Forum.
• Kaspersky RescueDisk - Index of /devbuilds/RescueDisk/
  If you encounter problems running the RescueDisk, you can get further assistance at the Kaspersky Support Forum.

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Let me know how it goes.

In particular, try Kaspersky's and Avira's first.

[wrench]

Hello and thanks for the referral. This is how it went with Kaspersky Rescue Disc; the virus detector ran for hours and came up with one Trojan. I will attempt to recreate precisely what it said with two instances of the exact same issue as follows;

Object:

n/Java/Deployment/cache/6.0/21/d50c015-218ca6a811main.class

Trojan Program:

Trojan-Downloader.Java.small.f

There were three choices as to the disposal of this Trojan; the recommended one was to do nothing with it. I did nothing and rebooted to the same BSOD, or dispose of it, or archive it.

I hope this helps! THANKS!

[screen317]

Hi,

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

Download Farbar Recovery Scan Tool and save it to a flash drive.

To enter System Recovery Options from the Advanced Boot Options:

Plug the flashdrive into the infected PC.

Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

On the System Recovery Options menu you will get the following options:

• • 
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

[*]Select Command Prompt

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select "Computer" and find your flash drive letter and close the notepad.

[*]In the command window type e:\frst.exe and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to disclaimer.

[*]Press Scan button.

[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

[wrench]

Hello,Thanks for the help so far. I downloaded the FRST tool as requested. Problem with the USB boot. I was unable to bring up an advanced menu with "Repair Your Computer" in it. Here is what happened; while BIOS is running I tapped F8 and it goes to a screen that says (Please select boot device) it lists hard drive, DVD drive, Floppy drive, and USB. when the USB is selected it does not recognize it and the computer reboots. If I wait until BIOS completes and hit F8 it goes to the Safe Mode screen which does not offer any repair functions. I tried to enter the Recovery Console but as we went through above the same language that appeared before is back (NTLDR is compressed press CTL + ALT + DEL to restart)so I tried what you had said before in step 45 with no indication of any program running when I hit exit it rebooted with no change. I could find no access to the scenario you described, this is an XP machine if that matters. I believe I did as the directions indicated just could not get to the screen suggested. Is there another way in?

Thanks again for your valiant effort.

[screen317]

Things aren't looking good.

Would you consider backing up your data and formatting your hard drive/reinstalling Windows? This thread has been going on since May and formatting may be a more time efficient for you. What do you think?

[wrench]

Hello and thank you, I do appreciate your suggestion and have thought the same thing. Do you feel that you have exhausted your repair options? Reformatting, to me, is always the last resort. I can do that if you feel it is the right choice at this time. It is always the program loading that is so time consuming and laborious. Data storage is no problem most is currently stored off drive C.

I would have to do that with the C: drive as an external to another computer at this point as I can no longer even access Safe Mode to see what is salvageable.

Is it possible to transfer the "Trojan/virus" to the fresh computer within a program, application, or data? That would just ruin my day!

Thanks again I appreciate your help!

[screen317]

Hi,

At least point, yes I believe that formatting and reinstalling Windows is the best course of action. We certainly appreciated your patience as we tried troubleshooting!

You can recover your data off of your C: drive without slaving it. Use the following protocol:

We are going to try to salvage your data using PuppyLinux. You will need a blank CD or flash drive, as well as software to burn .iso images, such as FreeISOBurner or BurnCDCC.

Download PuppyLinux from here and save it to your Desktop.

Open FreeISOBurner. Configure it as follows:

1) Click Open and navigate to puppy-4.2-k2.6.25.16-seamonkey.iso on your Desktop.

2) Change the Drive to reflect the drive letter of your CD or USB drive.

3) Change the Burn Speed to as slow as possible (4x or lower preferred).

4) Click Burn

When it finishes, eject the CD and put it in the computer that will not boot.

If not already done so, configure that computer to boot from CD or USB first. To do so, restart your computer. Carefully read what appears on the screen to see which key need to be pressed to enter Setup.

From there, navigate using the keyboard to the Boot section, then use the Page Up and Page Down keys to move the CDROM or USB option first. Afterward, press F10 to save and exit setup. When the computer restarts, it will boot from your CD or USB drive instead of the damaged hard drive, and you will be presented with PuppyLinux.

It will say Linux will boot automatically in 8 seconds. Let it. It will proceed to "boot the kernel." You will be presented with a number of options. Select the default option for everything and you will see an interface with several icons on it.

Click (only once) on mount and the Pmount Puppy Drive Mounter menu will open. Click MOUNT next to the hard drive that contains your Windows installation. Also mount any removable media you have inserted to transfer your data to.

A window will open titled /mnt/sda1 (or something similar).

You will now have access to all of your files in a familiar folder format. Right-click anything you wish to salvage, place your mouse over Dir '[foldername]', click Copy..., then click on the window containing your removable media. Right click empty space, and select Dir '[foldername]' then Paste...

When finished, click menu on the bottom left-hand corner of the screen, and click Shutdown.

In this way, if you only transfer your important documents, images, etc., you wont transfer the infection over, so your fresh wipe of the drive will really be starting over.

Let me know if you have any questions and if there is anything else I can do for you.

[wrench]

Thank you so very much for your diligent effort to save my C drive. Alas, some can be difficult. As I am in transition with two properties for sale and renovating my new abode, I will save this for the appropriate time to save to a medium and then set about formatting the drive. Thanks again to you AND Malwarebytes!

[screen317]

Thanks for letting me know.

Let me know how it goes!

[screen317]

Are you still with us? This topic will be closed in a few days if we do not hear back from you.

[PotoBicecit]

This is a good posting, I was wondering if I could use this write-up on my website, I will link it back to your website though. If this is a problem please let me know and I will take it down right away

[screen317]

Hi,

Which posting are you referring to, and which website?

[screen317]

Are you still with us? This topic will be closed in a few days if we do not hear back from you.

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!