
ComboFix crashed PC will not boot


  • This topic is locked
74 replies to this topic

#1 mat58

mat58

  • Members
  • 235 posts
  • OFFLINE
  • Gender:Female
  • Location:Mesa, AZ
  • Local time:03:18 PM

Posted 01 February 2010 - 09:25 PM

Hello,

This is my first post so if I make errors, please let me know so I don't make the same mistake twice.
This past weekend, I was working on a PC that showed numerous viruses. The owner visited a website which significantly slowed down the PC and from what she said other 'problems' started happening. She had no virus protection on the PC.
I ran Malwarebytes and found numerous adware, which it cleaned up. The PC continued to be sluggish.
I then downloaded ComboFix (as I have many times before working with other forums and techs) and began to run it. It installed the Microsoft Recovery Console and started to run. Identified rootkit problems and rebooted. That's when it never came back up and the PC just sat for HOURS with just a blinking cursor on a blank screen. After about 5 hours she shut down the PC. So now the PC will not boot to anything. Just a black screen with the cursor blinking in the upper left corner.
I currently have the hard disk connected to another PC to back up her documents, pictures, desktop, etc. Not sure what to do next. Is there a way to recover from where ComboFix crashed?
This is a store-built PC and the only discs that she gave me would rebuild the PC from scratch, losing everything. There is no XP system CD for me to boot from - just complete recovery. I'm trying real hard to avoid that option.




#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:18 PM

Posted 01 February 2010 - 10:24 PM

Hello,

First a few comments and questions.

In what capacity are you assisting the owner of this computer? Are you employed to repair it? Are you IT and this is a business computer? Is this a friend you're helping?

You have run Combofix unsupervised.....this was ill advised!!

This is a complex and powerful tool that should not be used except under the supervision and direction of a malware expert. It can and will render your computer unbootable permanently!! Also realize that in most circumstances a single run of Combofix is ineffective. Specialized scripts will be written specifically directing this program to clean-up based on your logs!!

I might be able to help you recover but first I would like you to answer my questions.

Thanks,
~ t

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 mat58


Posted 01 February 2010 - 11:16 PM

I am not employed - just helping as a friend. I help people in my neighborhood as a courtesy based on years of general PC technical support. I have used ComboFix in the past while working with other technical forums and technicians for review of logs. I was well aware of the risks of the tool - this has never happened before.


#4 thcbytes


Posted 01 February 2010 - 11:24 PM

Let's begin,

Please reconnect the original HDD in the PC and see if you can boot into the Recovery Console. If you are unable to boot the RC STOP and tell me about it.


Restart your computer
Before Windows loads, you will be prompted to choose which Operating System to start.
Use the up and down arrow key to select Microsoft Windows Recovery Console.
You must enter which Windows installation to log onto. Type 1 and press enter.
At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\hiv-backup

At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

The erunt backups will begin copying.
At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.
Success?

After we get you booting I will help you clean that computer.

Kind regards,
~ t


#5 mat58


Posted 01 February 2010 - 11:47 PM

Thank you for your help. I put the hard drive back into the PC and tried to start it up. After all the BIOS screens, it just comes up with the blank screen with the blinking cursor.

#6 thcbytes


Posted 01 February 2010 - 11:56 PM

Let's create a bootable Recovery Console and run the commands.

Please go here and create a Recovery Console CD.

Just click the link provided there to download the recovery_console_cd.zip and unzip that to the desktop of your clean computer.

Then inside the recovery_console_cd folder that was created, locate and click on the IE icon titled Readme. This will open a webpage, which will provide the simple steps you will need to follow, as well as a clickable link to go to the MS download page where you can select the BootDisk file download appropriate for your operating system.

For example, for an XP SP2 Home Edition you would be downloading WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe.

For emergency boot disk uses, as well as to access the Recovery Console, the SP2 version can also be used on systems that have the SP3 upgrade.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order.
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

You must enter which Windows installation to log onto. Type 1 and press enter.
At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\hiv-backup

At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

The erunt backups will begin copying.
At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.
Success?

After we get you booting I will help you clean that computer.

Kind regards,
~ t

#7 mat58


Posted 02 February 2010 - 12:08 AM

I'm working on it. Just so you know, the problem PC is running Windows XP Media Center. Will that make a difference?

#8 mat58


Posted 02 February 2010 - 12:30 AM

Followed instructions exactly as instructed. PC rebooted, but still blank screen with blinking cursor on top.

#9 thcbytes


Posted 02 February 2010 - 08:26 AM

Good morning,

QUOTE
Windows XP Media Center. Will that make a difference?

No

==========

QUOTE
Followed instructions exactly as instructed. PC rebooted, but still blank screen with blinking cursor on top.

Were you able to get into the BIOS to set the boot order so as to boot from the CD? <--- Important

==========

What is the make and model of that computer?

==========

Do you have any other devices connected? USB, other peripheral drive? If so please disconnect them

==========

Did you reconnect the original HDD exactly as it was before you extracted it?

==========

Did you change the jumpers when you connected to the other PC?

==========

Was there anything else that you did prior to the CF run that might have resulted in the crash? Did you manually remove any suspicious files/folders?

==========

When you removed the HDD, is it possible that you might have unseated a RAM module? Please check to make sure they are seated properly.

==========

Reset your CMOS. Pull the little battery on the Motherboard with the computer unplugged. Wait a few minutes then plug it back in. Make sure you note the proper orientation before you remove it.

Report back a detailed answer to each question,
Thanks,
~ t

#10 mat58


Posted 02 February 2010 - 07:03 PM

To answer the questions:

1. The PC would boot to the CD (yes I was able to change the order in the BIOS). I was able to go to the recovery console and perform the tasks you identified earlier.
2. The PC is a Fry's PC. The book says Model FM7945, and it looks like an EliteGroup motherboard - 915G-M5 Intel Pentium 4 640 3.2GHz with Hyper-Threading 800MHz system bus, 2MB L2 cache
3. There is nothing else connected to the PC, other than monitor, keyboard and mouse.
4. HDD is put back EXACTLY as I removed it. No jumpers were changed when I connected to the working PC.
5. Haven't touched any jumpers.
6. The only thing I did prior to ComboFix was run Antimalwarebytes the day before, removing a number of Adware cookies - no viruses
7. RAM Modules have been verified to be seated properly.
8. Pulled the CMOS battery. Waited a few minutes and re-installed. CMOS has been reset to factory settings. Still booting to a blank screen.

Will be gone for a few hours. I'll check back later tonight. Once again, appreciate all the help.


#11 thcbytes


Posted 02 February 2010 - 08:47 PM

Thanks for the detailed responses.

So you were able to boot the RC and run the commands? Did it report that files were copying?

Try this next please.....

Insert the RC CD
Restart your computer
Boot the Recovery Console again...
You must enter which Windows installation to log onto. Type the number that corresponds to your OS and press enter.
At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

The erunt backups will begin copying.
At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.
Success?


#12 mat58


Posted 03 February 2010 - 12:13 AM

This time 10 files were copied. With the previous instructions that you provided, there were a number of files copied.
It does not specify which files are being copied - just that files were copied.

Still no success in getting the PC to boot back to the hard drive.

Edited by mat58, 03 February 2010 - 12:14 AM.


#13 thcbytes


Posted 03 February 2010 - 07:57 AM

We need to create some logs


First.........

After you have successfully burned the OTLPE ISO to disc you will need to transfer the disc to the CD drive of your sick computer and boot from it.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order.
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • Please be patient as "Windows" loads
  • Your system should now display a REATOGO-X-PE desktop.
  • Double click on the icon on your desktop.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
    • Copy and Paste the following code into the textbox. Do not include the word "Code"

      Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

      CODE
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %ALLUSERSPROFILE%\Application Data\*.
      %ALLUSERSPROFILE%\Application Data\*.exe /s
      %APPDATA%\*.
      %APPDATA%\*.exe /s
      %SYSTEMDRIVE%\*.exe
      /md5start
      userinit.exe
      winlogon.exe
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
    • Push
    • When finished, the file will be saved in drive C:\OTL.txt
    • Please post the contents of the C:\OTL.txt file in your next reply.
    • Copy this file to your USB drive if you do not have an internet connection.


    Next........

  • Navigate here to the forum and click this link.
  • Download the program and save it to the REATOGO-X-PE desktop.
  • Once saved, close all other windows then double click the program to run it.
  • When completed, a log will open.
  • Save the log to the desktop using File>Save as, then post the log in a reply.

    Please note: If you are unable to connect to the internet then please download to a flash drive on a clean computer and transfer to the sick computer to run!


#14 mat58


Posted 03 February 2010 - 08:02 PM

Burned CD and began to boot up sick PC. Made 2 attempts, both with the same message (BSOD):
STOP: 0x0000007B (0xF7BEB528,0xC0000034, 0x00000000, 0x00000000)

The first time I booted, it went right to the BSOD, the second time I at least saw the Windows XP logo before it died.
I'm attempting a third boot, but even with the CD in the drive, it's back to the black screen with the blinking cursor. I'm going to a different PC to try to build a second CD and see if it makes a difference (I burned this one under XP - have another PC with Vista on it).

UPDATE: Removed and replaced CMOS battery to reset and was able to boot back to CD. Same BSOD with same error code
UPDATE: 3rd time possibly a charm! More information as I work through your instructions

Edited by mat58, 03 February 2010 - 08:57 PM.


#15 mat58


Posted 03 February 2010 - 09:22 PM

Here is the first log:

Attached File  otl.txt   125.75KB   22 downloads




