Unable to boot/reboot after removing malware infection


  • This topic is locked
43 replies to this topic

#1 marisajoy

Posted 06 June 2010 - 02:56 PM

Hello...

My netbook was infected with Antimalware Doctor. After several days and a whole lot of help, the infection was removed. During the removal process, I kept getting errors with System Restore and Roxio Backon Track. I was advised to post in this forum for additional help since the remaining issues are System Restore and Roxio related.

The original topic is here: Netbook infected with Antimalware Doctor. There are a lot of posts in this topic, including a bunch of log files, so I'm including a summary of steps taken at the end of this post.

Here's a summary of the current issues:

When I try to shut down or restart the machine via the start menu, it goes to the "windows is shutting down" screen, but never shuts down. I end up having to manually power the machine off and turn it back on. When powering it back on, the screen that appears is prompting me to select a start up mode (safe mode, last known good, normal, etc.). Have tried both safe mode and normal - just brings me back to the same screen. The option that allows me to boot up is the "last known good configuration" option. Safe mode and normal mode were working until I disabled system restore again (per the instructions in post #47).

Disk Check will not run. The last time I tried was from within safe mode and received a message saying that it needed to access files that were in use. I selected the option to have it run @ restart. Now, when restarting the machine (via last known good configuration), the disk check screen comes up and shows "cannot open the volume for direct access" then it exits and the startup continues.

I think there are still some "pieces" of Roxio left on the machine because there are some roxio-related errors showing in Event Viewer (see post #46)


Steps taken so far:
- Had malware infection
- couldn't run gmer unless only "sections" option selected
- tried to disable AVG but some of its processes were still running
- combofix wouldn't go past the "shouldn't be longer than 10 mins" screen
- couldn't uninstall AVG, had to use avgremover (post #13)
- disabled Roxio Backon Track (botservice.exe) and combofix was able to run (16)
- issue updating java, froze during uninstall of old version and new version would not install via offline install. was able to install via online install. (19)
- am still not 100% positive that java is installed properly (21)
- malware infection deemed removed and was given additional steps to follow but did not get past resetting system restore (25)
- (28) machine froze turning off system restore and had to be manually restarted **this is when rebooting the machine stopped working properly**
- Couldn't open system properties to turn system restore back on
- unable to run disk check (30) machine would not fully boot, system restore tab missing
- reinstalled system restore but still won't run
- unsuccessful uninstall of roxio using revo (35)
- disk check *almost* works: In safe mode with both boxes checked, got a message saying that there were files in use that needed to be accessed for the scan and clicked "yes" on schedule scan to run @ next restart. When I restarted, the scan screen (w/blue background) came up for a few seconds. Error message "cannot open the volume for direct access" then the startup process continued.
- (43) tried running combofix after adding a script, stalled @ windows is shutting down
- (45) ran combofix after adding a different script, stalled again @ same point **this is when I became unable to boot to either safe or normal mode and have to use "last known good configuration"**
- (46) event viewer errors from last run of combofix
- (48) can't disable roxio saib service and freeze when trying to disable system restore


Thanks !
- MARISA
ps - sorry if there are spelling errors...tried to use the spellcheck but am getting a message saying "ieSpell not detected". It prompts me to go to the download page, but I'd rather not add anything new right now and potentially cause my poor machine any additional troubles.

Edited by marisajoy, 06 June 2010 - 04:39 PM.



#2 JSntgRvr (Malware Response Team)

Posted 06 June 2010 - 04:28 PM

Hi, marisajoy,

Let's give this a try. We may be able to help you through an External Environment, which simply means you will need to burn a boot CD with special tools. You will also need a flash drive to move information from the troubled computer to a working computer. It is the only way we can see the progress of our actions. Save these instructions on your flash drive as a text file (use Notepad) so you can have access to them while in an external environment (PE).

Here is what you need to do.
  • Download OTLPEStd.exe to your desktop. NOTE: This file is 93.1MB in size so it may take some time to download.
  • Once downloaded, insert a blank CD in your burner and click on OTLPEStd.exe. The executable includes the OTLPE_New_Std.iso and a copy of ImgBurn, a program to burn .iso files. When executed, the application will extract both and start the burning process automatically.
  • Once the CD is burned, boot the Non working computer using the boot CD you just created.
  • In order to do so, the computer must be set to boot from the CD first
    Note : For information click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under the Custom Scan box paste this in

      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      userinit.exe
      explorer.exe
      ntoskrnl.exe
      /md5stop
      %SYSTEMDRIVE%\*.*
      %systemroot%\*. /mp /s
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
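As an added example (not code from JSntgRvr's post and not part of OTL), the script below does offline what the /md5start section of that custom scan asks OTL to do: it parses the directive block, finds every copy of each listed file under a Windows volume mounted from a rescue environment, and reports their MD5 hashes side by side so a driver whose hash differs from its dllcache or ServicePackFiles copy stands out. The scan root, the shortened CUSTOM_SCAN excerpt and the demo tree are constructed assumptions; OTL's own search rules and its company/version columns are not reproduced.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed excerpt of the custom-scan block from post #2; only the /md5start
# section is interpreted, the OTL wildcard path lines after it are skipped.
CUSTOM_SCAN = """\
/md5start
eventlog.dll
atapi.sys
userinit.exe
ntoskrnl.exe
/md5stop
%SYSTEMDRIVE%\\*.*
"""

def parse_md5_list(text):
    """Return the file names listed between /md5start and /md5stop."""
    names, inside = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            names.append(line)
    return names

def scan_root(root, names):
    """Walk root (an offline-mounted Windows volume) and hash every copy of each
    listed name, case-insensitively. Every copy is reported (system32, dllcache,
    ServicePackFiles) so a driver whose hash differs from its backup copy stands
    out; a listed name with no copies at all maps to an empty list."""
    wanted = {n.lower(): n for n in names}
    found = {n: [] for n in names}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() in wanted:
                p = Path(dirpath) / f
                digest = hashlib.md5(p.read_bytes()).hexdigest()
                found[wanted[f.lower()]].append((str(p.relative_to(root)), digest))
    return found

def demo():
    """Constructed tree: the driver and dllcache copies of atapi.sys differ."""
    root = Path(tempfile.mkdtemp())
    for sub in ("WINDOWS/system32/drivers", "WINDOWS/system32/dllcache"):
        (root / sub).mkdir(parents=True)
    (root / "WINDOWS/system32/drivers/atapi.sys").write_bytes(b"driver-a")
    (root / "WINDOWS/system32/dllcache/atapi.sys").write_bytes(b"abc")
    (root / "WINDOWS/system32/userinit.exe").write_bytes(b"userinit")
    return scan_root(root, parse_md5_list(CUSTOM_SCAN))
```

On a real volume, point scan_root at the mount point of the netbook's system drive; a name reported with two different hashes is the first thing to compare against a known-good copy.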

#3 marisajoy (Topic Starter)

Posted 06 June 2010 - 04:34 PM

Hi...

My machine does not have a cd drive. Is it possible to make a flash drive bootable?

Also, the affected machine is not currently unusable. Will boot when I select the "use last known good configuration" option.

Thanks!

Edited by marisajoy, 06 June 2010 - 04:37 PM.


#4 JSntgRvr (Malware Response Team)

Posted 06 June 2010 - 04:40 PM

Let's try this:

IMPORTANT:
You will need a flash drive with a size of 512 Mb or bigger. Make sure that you do not leave anything important on the flash drive, as all data on it will be deleted during the following steps.
    • Download OTLPEStd.exe from one of the following links and save it to your Desktop: mirror1 or mirror2
    • Download eeepcfr.zip from the following link and save it to your Desktop: the mirror
    • Finally, if you do not have a file archiver like 7-zip or Winrar installed, please download 7-zip from the following link and install it: the mirror
  1. Once you have 7-zip installed, decompress OTLPEStd.exe by right-clicking on the folder and choosing the options shown in the picture below. Please use a dedicated folder, for example OTLPE, on your Desktop.



  2. Open the folder OTLPEStd which will be created in the same location as OTLPEStd.exe and right-click OTLPE_New_Std.iso. Select 7-Zip and from the submenu select Extract files... and extract the content onto your Desktop in a OTLPE folder:



  3. Please also decompress eeepcfr to your systemroot (usually C:\).
  4. Empty the flash drive you want to install OTLPE on.
  5. Go to C:\eeecpfr and double-click usb_prep8.cmd to launch it.
  6. Press any key when asked to in the black window that opens.
  7. As indicated in the image, make sure you have selected the correct flash drive, before proceeding.
    For Drive Label: type in OTLPE.
    Under Source Path to built BartPE/WinPE Files click ... and select the folder OTLPE that you created on your Desktop.
    Finally check Enable File Copy.




  8. Click on Start, accept the disclaimers and wait for the program to finish.
Your bootable flash drive should now be ready!



#5 marisajoy (Topic Starter)

Posted 06 June 2010 - 06:09 PM

Hi,

PeToUSB isn't working properly for me. Am able to follow the instructions and start the file copying process. When the process has almost completed, a window comes up: "failed to copy a file". This has happened three times.

The first time, I also got a popup down near the clock from windows saying that some data had been lost. When I looked at the drive's properties, it showed 0 bytes used and 0 bytes free. This did not happen the second or third time. It now shows 313mb used and 1.55gb free.

The drive I'm trying to use has 2GB capacity. I only had about 6 files on it and deleted all files before starting.

Should I try to boot from it anyway? Or could this cause more issues?

Edited by marisajoy, 06 June 2010 - 06:12 PM.


#6 hamluis (Moderator)

Posted 06 June 2010 - 06:14 PM

Pardon the interruption...but is this the same system you recently initiated a query about in Internal Hardware regarding beep codes?

Louis

#7 marisajoy (Topic Starter)

Posted 06 June 2010 - 06:27 PM

Hi...

It's a different system.

The machine that had the malware and now won't start properly is my netbook. The machine with the beeping is my desktop. The desktop issue has been going on for a while and i'd been putting off dealing with it because I had the netbook to use.

Am pretty much having major technical difficulties over here.

#8 hamluis (Moderator)

Posted 06 June 2010 - 06:40 PM

No problem, just wanted to clarify.

Louis

#9 Orange Blossom (Moderator)

Posted 06 June 2010 - 06:45 PM

I'm moving this topic to the log forum for you. It will keep the same link. ~ OB

#10 JSntgRvr (Malware Response Team)

Posted 06 June 2010 - 10:01 PM

Is the machine you are using to create the Boot USB drive having issues? How far can you boot your netbook? Can you run programs in the netbook?



#11 marisajoy (Topic Starter)

Posted 06 June 2010 - 10:34 PM

Am using the netbook right now. The netbook will start up, but only if I use the last known good configuration option. And it will not shut down unless i manually power it off. Have been using the netbook to try and create the boot USB. It didn't even occur to me that it might not work because of the issues it's having.


#12 JSntgRvr (Malware Response Team)

Posted 06 June 2010 - 10:52 PM

Since the netbook is having issues, it may be the reason you haven't been able to create the Boot USB Drive. Can you boot to the Recovery Console? If you can, follow these steps:

I am assuming you are running XP.
  1. Download maxlook, saving the file to your desktop.
  2. Double click maxlook.exe to run it. Note - you must run it only once!
  3. Restart the computer and logon to the Recovery Console.
  4. Execute the following command at the x:\windows> prompt (the x represents your operating system drive letter, usually C):
  5. batch look.bat
  6. You will see 1 file copied many times then return to the x:\windows> prompt.
  7. Type Exit to restart your computer then logon in normal mode.
  8. Once in Windows, obtain an Internet Connection. This program must download a tool to check files' signatures.
  9. Then go to Start -> Run, copy and paste the following command in the run Box and Click OK
    "%Userprofile%\Desktop\maxlook.exe" -sig
  10. It will produce looklog.txt in the C:\ folder.
  11. Please post the results here.



#13 marisajoy (Topic Starter)

Posted 06 June 2010 - 11:29 PM

Tried to, but cannot enter the recovery console. Immediately get a message saying:
a disk read error occurred. press ctrl+alt+del to restart.

#14 JSntgRvr (Malware Response Team)

Posted 07 June 2010 - 12:59 AM

There may be a patched driver. Your main problem is the lack of a CD-ROM. Is there the possibility that you can create the Boot USB Drive on a friend's computer?

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)


    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

---------------------------------------------------------------------------


See if you can download these to your infected computer. If not then download through a clean one and transfer and then follow the instructions.

Please download OTH.scr to your desktop

Note: If you are using Firefox right-click and use "Save link As". Otherwise, on some systems, FF attempts to open the file as a script and you will just see a bunch of gibberish.

Please download OTL to your Desktop
Please download the attached to your desktop

Double click the OTH file and select Kill All Processes, your desktop will go blank

Then select Start OTL
OTL will now run
  • double-click on the Custom Scans box and a message box will popup asking if you want to load a custom scan from a file
    Select Scan.txt that you downloaded
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Copy and paste the contents back here.

Edited by JSntgRvr, 07 June 2010 - 01:03 AM.



#15 JSntgRvr (Malware Response Team)

Posted 07 June 2010 - 01:05 AM

Refresh the page. Additional instructions posted above.
