Kaspersky removed rootkit, after reboot no op system


22 replies to this topic

#1 gpracer1

Posted 05 December 2009 - 09:58 PM

History: Had some viruses, scanned with MBAM, McAfee (uninstalled) and now Kaspersky. Kas found some and deleted last week. I still had a freaking browser redirect problem though. I come home tonight and Kasp says it needs to reboot to disinfect some virus... I think it was something like file atapi w32.tdss.y rootkit or something close.
I said OK to reboot, now I get perpetual reboots like there is no operating system.
I used Hiren's to access through mini Windows XP and my stuff is there.
Installed the XP recovery console, and when I try to run, it goes to blue screen of death BSOD.
Typing on my laptop to access here.
I'm stuck.

#2 garmanma

Posted 08 December 2009 - 08:05 PM

If you still need help, please post back.
Mark

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits

#3 Budapest

Posted 08 December 2009 - 08:18 PM

This problem can be caused by the virus modifying the userinit.exe file. If this is the case, the following fix will solve it.

We will have to create a small 'fix CD' to solve this problem.
Please download RC.ISO and save it somewhere you can find it.
Also download MagicISO and install it.

Start MagicISO. You should see a window informing you about the full version of MagicISO.
In the bottom right select Try It! and the program will open.
Click on File and then on Open and navigate to the RC.ISO file you downloaded. Select it, and click Open.

First, we'll need to add a clean version of userinit.exe to the current RC.ISO.
  • In the upper right pane, double click on the i386 folder.
  • Right click in the upper right pane and select Add Files...
  • Navigate to C:\Windows\System32 and select userinit.exe
  • Then click Open to add userinit.exe to the CD image.
  • Click File and select Save As...
  • Name the file RCplus and save it somewhere you can find it.
Next, we'll need to burn the newly created image to a disk that we can use to fix the problem.
  • Put a blank CD-R disk in your CD burner and close the tray. If an AutoPlay window opens, close it.
  • Click on Tools and select Burn CD/DVD with ISO.... A window will appear.
  • Click on the little folder to the right of CD/DVD Image File then navigate to the newly created RCplus.iso Image file and click Open.
  • In the CD/DVD Writing Speed drop-down menu choose the 8X setting.
  • Under Format make sure that Mode 1 is selected.
  • And finally, click on the Burn it! button to burn RCplus.iso to disk.
Once the disk is burned, put it in the machine you want to fix and restart it.
Boot to the CD just as you would with a Windows XP disk.
At the Welcome to Setup screen, press R to enter the Recovery Console.
Choose the installation to be repaired by number (usually 1) and press Enter.
When you are asked for the Administrator password, enter the password or leave it blank (default) and press Enter.

At the C:\Windows> prompt, type the following commands pressing Enter after each one. Note: Watch the spaces.

D:
cd i386
copy userinit.exe c:\windows\system32
exit

After putting in the third command, you should receive the message 1 file copied which will indicate that the operation succeeded.
Now take out the CD and reboot your computer to normal mode. Try to log in and it should let you back in.

If that doesn't work, try copying the atapi.sys file from C:\WINDOWS\ServicePackFiles\i386 to C:\WINDOWS\system32\drivers.

Edited by garmanma, 09 December 2009 - 04:29 PM.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
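
An added example, not part of the original post or of any tool it mentions: a Python version of the ServicePackFiles restore step suggested above, for someone who has the affected disk mounted offline. It assumes the Windows directory is reachable at the path passed as `windir` with the directory names spelled as below, and, as the post does, that the ServicePackFiles copy is clean; the function name, status strings and `.suspect` suffix are hypothetical.

```python
import hashlib
import shutil
from pathlib import Path

# Files named in the thread, with their directory under the Windows folder.
TARGETS = {"userinit.exe": "system32", "atapi.sys": "system32/drivers"}


def sha256(path):
    """Hash a file in chunks so large drivers are not read in one go."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def restore_from_servicepack(windir, name, apply=False):
    """Compare the live file with its ServicePackFiles\\i386 copy.

    Returns one of: no-reference, bad-reference, identical, differs,
    missing, restored, copy-failed. Nothing is written unless apply=True.
    """
    windir = Path(windir)
    live = windir / TARGETS[name] / name
    ref = windir / "ServicePackFiles" / "i386" / name
    if not ref.is_file():
        return "no-reference"          # no packaged copy to compare against
    with open(ref, "rb") as handle:
        if handle.read(2) != b"MZ":    # reference must at least be a PE file
            return "bad-reference"
    if live.is_file() and sha256(live) == sha256(ref):
        return "identical"             # replacing it would change nothing
    # A mismatch is not proof of infection: a later hotfix can legitimately
    # leave system32 with a newer build than ServicePackFiles.
    status = "differs" if live.is_file() else "missing"
    if apply:
        if live.is_file():
            # Keep the replaced file for later analysis instead of losing it.
            shutil.copy2(live, live.with_name(name + ".suspect"))
        shutil.copy2(ref, live)
        status = "restored" if sha256(live) == sha256(ref) else "copy-failed"
    return status


if __name__ == "__main__":
    for target in TARGETS:             # dry run against an assumed mount point
        print(target, restore_from_servicepack("C:/WINDOWS", target))
```
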

#4 gpracer1

Posted 08 December 2009 - 08:52 PM

I'll try that and get back to you, thanks.

#5 gpracer1

Posted 08 December 2009 - 09:19 PM

Put in CD and tried to start recovery mode... get BSOD.
Technical info: ***STOP: 0x0000007B (0xF78DA63C, 0xC0000034, 0x00000000, 0x00000000)

#6 Budapest

Posted 08 December 2009 - 09:58 PM

Can you copy the userinit.exe file from C:\WINDOWS\ServicePackFiles\i386 to C:\WINDOWS\system32 with Hiren's?

#7 gpracer1

Posted 09 December 2009 - 12:38 AM

Yes, I did that before I replied.

#8 Budapest

Posted 09 December 2009 - 01:39 AM

And did you try copying the atapi.sys file from C:\WINDOWS\ServicePackFiles\i386 to C:\WINDOWS\system32\drivers?

#9 gpracer1

Posted 09 December 2009 - 08:33 AM

Yup, did that too. It either flashes the BSOD and reboots, or gets hung on the BSOD.

#10 Budapest

Posted 09 December 2009 - 04:24 PM

Try the same thing with these two files:

iastor.sys
nvata.sys

Note however that these particular files may not be on your computer: it depends on the make and model of the machine.

#11 gpracer1

Posted 10 December 2009 - 10:15 PM

It's an eMachines, and no, I don't have those files. :thumbsup:

#12 Budapest

Posted 10 December 2009 - 10:23 PM

You could try a repair install:

How to Perform a Windows XP Repair Install

#13 AustrAlien

Posted 11 December 2009 - 05:42 AM

"now I get perpetual reboots like there is no operating system."

I would be interested to know what information the BSOD error message displayed when attempting to start the system normally (as opposed to when booting from the XP Recovery Console CD).

Please do the following ....
Get a look at the error message presented by the BSOD (blue screen of death).
Start tapping the F8 key after you press the ON button, and continue tapping until you are presented with the "Windows Advanced Options Menu" screen.
Use the UP/DOWN arrow keys to select "Disable automatic restart on system failure" and press the <ENTER> key.
Your system will attempt to restart normally, but when it crashes, it will not re-start. Instead, you will see a BSOD with error message.
Record the error message details, and post in this thread.

Edited by AustrAlien, 11 December 2009 - 05:42 AM.

AustrAlien
Google is my friend. Make Google your friend too.


#14 gpracer1

Posted 12 December 2009 - 11:51 AM

I have about 10 options, and that is not there.

#15 Budapest

Posted 12 December 2009 - 04:12 PM

Here it is the 9th option down, directly under "Debugging Mode". Do you get the same list?

Also, have you tried "Last Known Good Configuration"?