Vista not rebooting


14 replies to this topic

#1 rahrah094

rahrah094

  • Members
  • 28 posts

Posted 02 June 2010 - 07:40 PM

Hey everyone! I am in dire need of assistance. For the last 5 days my computer has been behaving erratically: half of the time I am able to log on and half of the time I am not and the BSOD is displayed. I decided to download an ISO of the Vista repair CD (as for some reason the recovery partition of the HD was not working, nor was System Restore). After burning it to a DVD, I ran the setup repair by accessing my DVD drive at startup. The system repair on the DVD said that the problem cannot be automatically fixed. NOWWWWWW.... I HAVE A BIGGER PROBLEM! After booting, I get a screen with two options: 1) launch system repair 2) normal startup. Either way, nothing works. Startup repair is not functioning and normal startup just makes me reboot repeatedly. Background: I removed an antispyware soft virus a few days ago.

Could the problem be caused by virus-related problems if I had not cleaned it up properly,
or
did I mess up something in the BIOS --> could someone provide me with the default settings?

Please help me. I have all my work saved on that computer.


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania

Posted 03 June 2010 - 05:30 AM

Hello and welcome to BleepingComputer :)

Please try the following steps. The created CD will also give you the possibility to access your drive and save any data needed (of course we will try to get your computer booting properly again, but just in case you need any data fast).

I will move this topic to a more appropriate forum.

Please download OTLPE (file size 120.9 MB)
  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 rahrah094


Posted 03 June 2010 - 07:56 PM

Hi! Thanks for the quick response. The scan is in progress. I just wanted to confirm the process. I double-clicked OTLPE, then it asked me to target an area, so I picked the Windows folder. That is when the box for "load all users" appeared, and then I ran the scan in the window that opened. Could you tell me what this scan is for? I am trying to learn as I go. Thanks!

#4 Elise


Posted 04 June 2010 - 03:19 AM

Hi there,
Yes, you did it the right way :)

This scan will show a bunch of drivers/services/startup entries and the associated files as well as some other info (recent created/modified files and so on). This will help me determine what the problem is and allows us also to run scripts to fix items.

regards, Elise



#5 rahrah094


Posted 04 June 2010 - 01:56 PM

Ok, sorry about not posting this earlier; the site seemed to be offline for a few hours. Anyway, I'm attaching the file.

Attached File: OTL.Txt (106.97KB)


#6 Elise


Posted 05 June 2010 - 01:26 AM

Hello again,
I think I see the problem here :) You have a nasty rootkit on board. Let's first look for a replacement copy.

Please rerun OTLPE and copy/paste the following text into the "custom scan/fix" field. Then click the NONE button and after that Run Scan. Post me the resulting log (please do not attach it).
CODE
/md5start
termdd.sys
/md5stop

regards, Elise



#7 rahrah094


Posted 05 June 2010 - 12:22 PM

Ok so here is the log:

OTL logfile created on: 6/5/2010 3:01:37 PM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
Windows Vista ™ Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 83.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.74 Gb Total Space | 33.60 Gb Free Space | 24.57% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 9.64 Gb Free Space | 98.74% Space Free | Partition Type: NTFS
Drive E: | 3.76 Gb Total Space | 3.55 Gb Free Space | 94.48% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Custom Scans ==========



< MD5 for: TERMDD.SYS >
[2006/11/02 05:50:28 | 000,050,792 | ---- | M] (Microsoft Corporation) MD5=2C549BD9DD091FBFAA0A2A48E82EC2FB -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\termdd.sys
[2009/04/11 02:32:52 | 000,053,224 | ---- | M] (Microsoft Corporation) MD5=3CAD38910468EAB9A6479E2F01DB43C7 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\termdd.sys
[2009/04/11 02:32:52 | 000,053,224 | ---- | M] (Microsoft Corporation) MD5=3CAD38910468EAB9A6479E2F01DB43C7 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\termdd.sys
[2009/04/11 02:32:52 | 000,053,224 | ---- | M] () MD5=975A8BB5CB75B65097B660FFA2F08771 -- C:\Windows\System32\drivers\termdd.sys
[2008/01/20 22:23:01 | 000,054,328 | ---- | M] (Microsoft Corporation) MD5=A048056F5E1A96A9BF3071B91741A5AA -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\termdd.sys
[2008/01/20 22:23:01 | 000,054,328 | ---- | M] (Microsoft Corporation) MD5=A048056F5E1A96A9BF3071B91741A5AA -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\termdd.sys
< End of report >

#8 Elise


Posted 05 June 2010 - 01:52 PM

Time for some fixing :)

Please copy/paste the following text into OTLPE and click Run Fix. Afterwards try to boot and let me know what happens.

CODE
:files
C:\Windows\System32\drivers\termdd.sys|C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\termdd.sys /replace

:otl
DRV - [2010/06/02 01:44:52 | 000,000,000 | ---- | M] () [Kernel | Boot] -- C:\Windows\System32\drivers\rzctrxgi.sys -- (rzctrxgi)
IE - HKU\Rahul_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\Rahul_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

:commands
[emptytemp]

regards, Elise

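As an added example (not part of the thread, and not OTL's own code), the following Python applies the reasoning behind the MD5 scan and fix above to the six "< MD5 for: TERMDD.SYS >" lines from the posted log: the live copy under System32\drivers has no company name and a hash matching none of the vendor-attributed copies, even though its size and timestamp were preserved, and the replacement is taken from the winsxs copy whose path carries the OS build (6.0.6002) reported in the log header. Function names and the sample text are my own construction.

```python
import re
from collections import namedtuple

# Constructed sample: the "< MD5 for: TERMDD.SYS >" section exactly as posted in the log above.
SAMPLE = r"""
[2006/11/02 05:50:28 | 000,050,792 | ---- | M] (Microsoft Corporation) MD5=2C549BD9DD091FBFAA0A2A48E82EC2FB -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\termdd.sys
[2009/04/11 02:32:52 | 000,053,224 | ---- | M] (Microsoft Corporation) MD5=3CAD38910468EAB9A6479E2F01DB43C7 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\termdd.sys
[2009/04/11 02:32:52 | 000,053,224 | ---- | M] (Microsoft Corporation) MD5=3CAD38910468EAB9A6479E2F01DB43C7 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\termdd.sys
[2009/04/11 02:32:52 | 000,053,224 | ---- | M] () MD5=975A8BB5CB75B65097B660FFA2F08771 -- C:\Windows\System32\drivers\termdd.sys
[2008/01/20 22:23:01 | 000,054,328 | ---- | M] (Microsoft Corporation) MD5=A048056F5E1A96A9BF3071B91741A5AA -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\termdd.sys
[2008/01/20 22:23:01 | 000,054,328 | ---- | M] (Microsoft Corporation) MD5=A048056F5E1A96A9BF3071B91741A5AA -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\termdd.sys
"""

Entry = namedtuple("Entry", "date size company md5 path")

# One OTL MD5 line: [date | size | attrs | M] (company) MD5=hash -- path
LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)

def parse_md5_section(text):
    """Parse OTL '< MD5 for: ... >' lines into Entry tuples; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Entry(m["date"], int(m["size"].replace(",", "")),
                             m["company"], m["md5"].upper(), m["path"]))
    return out

def find_suspects(entries):
    """The live driver (System32\\drivers) is suspect when it carries no company name or its
    hash matches no attributed copy. Size and mtime are NOT trusted: in the log above the
    patched file kept the exact size and timestamp of the genuine SP2 build."""
    trusted = {e.md5 for e in entries if e.company}
    return [e for e in entries
            if "\\system32\\drivers\\" in e.path.lower()
            and (not e.company or e.md5 not in trusted)]

def pick_replacement(entries, os_build):
    """Prefer an attributed winsxs copy whose path carries the running OS build
    (6.0.6002 per the log header); fall back to the newest attributed winsxs copy."""
    sxs = [e for e in entries if e.company and "\\winsxs\\" in e.path.lower()]
    match = [e for e in sxs if os_build in e.path] or sxs
    return max(match, key=lambda e: e.date) if match else None

def otl_replace_line(suspect, replacement):
    """Emit the :files directive in the form used in the fix script (target|source /replace)."""
    return f":files\n{suspect.path}|{replacement.path} /replace"
```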


#9 rahrah094


Posted 05 June 2010 - 06:47 PM

Great!!! It's on now. Is it completely repaired, or should I do something else to clean up the laptop completely? Also, what can I do to prevent this in the future?

#10 rahrah094


Posted 05 June 2010 - 06:56 PM

Also my startup repair still is not working, is there a way to fix that?

#11 Elise


Posted 06 June 2010 - 01:58 AM

Hello again, let's first see if everything is cleaned up and then see what other problems are there.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise



#12 Elise


Posted 10 June 2010 - 06:18 AM

Hello, are you still there?

regards, Elise



#13 rahrah094


Posted 14 June 2010 - 05:35 PM

Oh hi! I am so sorry for not replying earlier. Apparently my hard drive was on the verge of corruption, so one day I logged on and the hard drive just crashed. I got it checked out and they say I will have to replace it. Thanks for all your help :) But I guess I have another problem on my hands.

#14 Elise


Posted 15 June 2010 - 03:07 AM

Okay, please let me know if you need any more help here or if this topic can be closed.

regards, Elise



#15 Elise


Posted 25 June 2010 - 09:17 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise

