
can't boot computer after using combofix



#1 visitorq


Posted 18 June 2010 - 06:41 AM

hey,

About a week ago I had this rogue spyware called antimalware doctor on my PC, that I wanted to remove. So I asked for help on a Dutch site called pc-helpforum. But the problem didn't seem to get solved, so eventually they instructed I should use combofix to fix my computer. The topic can be found here: http://www.pc-helpforum.be/f163/anti-malwaredoctor-25252/

Well I did as instructed and downloaded and ran combofix, but while it was fixing my computer, my computer crashed. After that, I managed to boot my computer one last time. There wasn't a combofix log, but everything seemed to work as usual.
The next day when I tried to boot my computer, I got a BSOD every time it tried to start Windows. The BSOD stays on the screen only for half a second, and then it shuts down and leaves me with the options to start Windows normally or to use system repair.

My version of Windows is Vista Home Premium, and I'm using a Dell Studio laptop.

I tried system repair, but that doesn't help, also I don't have any restore points. I think combofix deleted them.
I remember combofix made a registry back-up before scanning my computer. Is it possible to retrieve this registry back-up, so I can boot my computer normally? I just want to boot my computer one last time so I can back up a few files that I can't miss. After that I'm restoring it back to its factory settings.
thanks
peace&love

ps: I tried booting into safe mode but that doesn't work either.



#2 hamluis

Moderator

Posted 18 June 2010 - 11:54 AM

<<I just want to boot my computer one last time so I can back up a few files that I can't miss. After that I'm restoring it back to its factory settings.>>

If all you want to do is retrieve data files...why not just remove the hard drive, attach to a different system...and move the files, then do the recovery/restore thing?

Louis



#3 visitorq


Posted 19 June 2010 - 05:50 AM

There's an idea! But I'm afraid I might infect "that other system". You sure there isn't another way?
Combofix made this registry back-up and downloaded that recovery console for a reason, right?
So basically what I want to do is to get back to that restore point combofix made, before my computer got all messed up.

You think you could help me with that?

thank you very much for helping me out


#4 hamluis


Posted 19 June 2010 - 05:21 PM

I can't help you with ComboFix...never used it, only know that it is a specialized malware tool that is not to be run without proper supervision/guidance from someone trained to use it.

As for infecting a system by attaching a hard drive...I suppose that happens when the system is not adequately protected. I try to ensure that my systems are adequately protected and I have used my systems to neutralize infected hard drives from the systems of friends/associates.

Louis

#5 visitorq


Posted 21 June 2010 - 02:55 PM

Wow, cool story bro,

Anyway, somebody out there who can help me with this combofix-thing?

#6 extremeboy

Malware Response Team

Posted 22 June 2010 - 05:25 PM

I'll continue helping you out here. We will be moved to a different forum shortly, but for now, let's do the following please...

First... we will require a blank writable CD and a USB to help recover your files and deal with the unbootable situation.

Please read here and download ImgBurn and install it as we will use that to burn a file onto your CD.
  • Download OTLPE Network from either location and save it to your desktop:

    http://oldtimer.geekstogo.com/OTLPENet.exe
    http://ottools.noahdfear.net/OTLPENet.exe

  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPENet Iso to be burned to CD
  • Place a blank CD in your CD-Rom
  • Click to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first. Unable to do this? Please read here.


  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start
  • Copy and Paste the following code into the textbox. Do not include the word "Code"

    Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  • Push
  • When finished, the file will be saved in drive C:\OTL.txt
  • Please post the contents of the C:\OTL.txt file in your next reply.
  • Copy this file to your USB drive if you do not have an internet connection.
You can use your USB and copy and paste the files you need from your computer onto the USB and then copy it to the working computer as well.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 visitorq


Posted 28 June 2010 - 06:12 AM

Sweet!!!
I managed to boot my computer into REATOGO-X-PE.
And I did a scan with OTL.
here's the text file:
Attached File  OTL.Txt   242.41KB   11 downloads

ps: I had to use a 512 MB flash drive to copy the file because I don't have a wired connection.
However, when I wanted to connect my 1-terabyte external HDD from LaCie, it was not recognised and didn't show up in my computer. Do you know something I can do about that? Because I really want to back up some files.

Anyway, you helped me out a lot with this cd!

thanks
grtz
m

#8 extremeboy


Posted 28 June 2010 - 11:21 AM

Hello again.

Let's get the machine back, and then you can back it up there easily, if you want and then we can continue to disinfect it. If worse comes to worse, I have some instructions that we can do to help you backup all your data files as needed. Let's start off with this fix, it should fix it.

---
Save the following text to your USB stick as fix.txt. It must be named this, or the automated fix won't work.


Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


QUOTE
:files
C:\Windows\System32\drivers\iastor.sys|C:\Drivers\storage\R180982\iastor.sys /replace


Boot back into the OTLPE environment.

* Double-click on the OTLPE icon.
* When asked "Do you wish to load the remote registry", select Yes
* When asked "Do you wish to load remote user profile(s) for scanning", select Yes
* Ensure the box "Automatically Load All Remaining Users" is checked and press OK
* OTL should now start.
* Click the red Run Fix button.
* You should be presented with a message "No Fix has been Provided! Do you want to load it from a file?" Click Yes.
* Browse to the fix.txt file on your USB stick, and click Open. The fix will then appear in the Custom Scans/Fixes window.
* Click the red Run Fix button again.
* OTL may ask to reboot the machine. Please do so.
* If OTL did not reboot the machine, click OK and the log will open. Save this to your USB stick. Post the contents of the log in your next reply.
* If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

Let me know how it goes. Reboot your computer without the disk and see if Windows loads properly. Then, there's still quite a lot of infections and stuff on your machine that we can take care of next post.

With regards,
Extremeboy

Edited by extremeboy, 28 June 2010 - 11:21 AM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
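
Added example, not part of the original posts and not OTL's own code: a Python sketch of the idea behind the /md5start list in post #6 and the fix.txt line in post #8, run against the drive mounted on another machine as suggested in post #2. It assumes the `/replace` line means "replace the first path with the second"; the function names, the `_quarantine` folder and the file contents are hypothetical.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def md5_of(path):
    # MD5 only because the scan on this page reports MD5; it groups identical
    # copies here and is not evidence that a file is trustworthy.
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_copies(volume_root, filename):
    """Map every copy of `filename` under the mounted volume to its MD5."""
    wanted = filename.lower()  # Windows file names are case-insensitive
    return {p: md5_of(p) for p in sorted(Path(volume_root).rglob("*"))
            if p.is_file() and p.name.lower() == wanted}

def replace_keeping_original(target, source, quarantine_dir):
    """Move `target` aside, copy `source` into its place, verify the copy."""
    target, source, quarantine_dir = Path(target), Path(source), Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    saved = quarantine_dir / f"{target.name}.{md5_of(target)}"
    shutil.move(str(target), str(saved))
    shutil.copy2(source, target)
    if md5_of(target) != md5_of(source):
        raise OSError(f"verification failed for {target}")
    return saved

def demo():
    """Constructed volume: made-up bytes stand in for the two driver copies."""
    root = Path(tempfile.mkdtemp())
    live = root / "Windows" / "System32" / "drivers" / "iastor.sys"
    vendor = root / "Drivers" / "storage" / "R180982" / "iastor.sys"
    for path, data in ((live, b"damaged"), (vendor, b"vendor copy")):
        path.parent.mkdir(parents=True)
        path.write_bytes(data)
    before = find_copies(root, "iaStor.sys")
    saved = replace_keeping_original(live, vendor, root / "_quarantine")
    return before, find_copies(root, "iaStor.sys"), saved

if __name__ == "__main__":
    before, after, saved = demo()
    for label, copies in (("before", before), ("after", after)):
        for path, md5 in copies.items():
            print(label, md5, path)
    print("original kept at", saved)
```

Two copies with different digests before the swap and one shared digest afterwards is the condition to look for; the moved-aside original stays available if the replacement has to be undone.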



