
Use of Recovery Console for Missing / Corrupt hal.dll


  • This topic is locked
57 replies to this topic

#1 Lily123

Lily123

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:43 AM

Posted 09 August 2011 - 08:03 AM

Hi everyone,

I wondered if someone could please offer me a little advice regarding the use of the Recovery Console program.

The problem is, every time I attempt to boot my computer, I get the following message:

“Windows could not start because the following file is missing or corrupt:
<Windows root>\system32\hal.dll.
Please re-install a copy of the above file”


This occurred shortly after my computer became infected with a number of viruses, including the Google redirect virus.

My operating system is Windows XP Home Edition. After researching online how to fix the problem, I understand that I have to use Recovery Console.

When I purchased my computer, I did get a CD (purple with white text) with the words:

‘Reinstallation CD
Microsoft Windows XP Home Edition
Including Service Pack 1
Only use this CD to reinstall the operating system on a Dell computer. This CD is not for reinstallation of programs or drivers”


My questions are:

1. Does this CD contain the Recovery Console program?
2. If I use this CD, is there a chance that I will lose any files (I have many files on my computer which are not currently backed-up)?

Any advice would be much appreciated!
Many thanks in advance :)



#2 hamluis

hamluis

    Moderator


  • Moderator
  • 55,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:05:43 AM

Posted 09 August 2011 - 09:18 AM

The answers to your questions...should be contained in your Dell system owners manual.

System model?

FWIW: An infected system...should be the major concern. No point in addressing system issues until the infection issues are resolved.

Louis

#3 Lily123


Posted 13 August 2011 - 06:08 AM

Hi there Louis

Thank you for your response.

My system model is a Dell Dimension 4550.

Although the system was infected with a number of viruses shortly before developing the missing / corrupt hal.dll message, I did manage to remove them with the exception of the Google redirect virus, which just affected my online searches.

I have referred to the Dell system owners manual as you suggested and unfortunately, there is no specific mention of the ‘recovery console’ program. It does however contain the following advice with regards to the Windows XP Service Pack 1 CD:

“The operating system CD provides options for reinstalling Windows XP. The options can overwrite files and possibly affect programs installed on your hard drive. Therefore, do not reinstall Windows XP unless instructed to do so by a Dell technical support representative.”

It does, however, go on to state:

“If your computer already has Windows XP installed and you want to recover your current Windows XP data, type ‘r’ to select the repair option, and then remove the CD from the drive.”

I wondered if by selecting the ‘r’ option, this would run the ‘Recovery Console’ program?

Thanks again

#4 Drovers Dog

Drovers Dog

  • Members
  • 1,048 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Brisbane, Australia
  • Local time:08:43 PM

Posted 13 August 2011 - 07:34 AM

Just boot the disk from XP, after making sure your BIOS has been changed to boot on to a CDROM where you put the disk, then typing in r, but you still have to gain access by saying it is 1, C: then when asked for Password, just hit "enter" (that is default)

Type in fixboot then press enter

Try that? It should work.

Any Problems with this Please Post back

Ray.

Edited by Drovers Dog, 13 August 2011 - 07:59 AM.

What ever you give to others, you will get back doubled, Just make sure you only give Nice Things?......DD saying

There is a saying, "You just can't make a silk purse out of a sow's ear" it means "to be happy with what you have and not look for the impossible"......DD saying

The "Spirit" of the people who died, on that terrible day 9/11 will NEVER REST until such time as the "Imbeciles" that caused it, are eliminated through out the World.....DD saying

What is a Dog?

#5 hamluis


Posted 13 August 2011 - 09:17 AM

FWIW: Any effort to repair/address "obvious system problems" when a system is infected...is likely to prove futile, due to the possible issues caused by the malware, IMO.

Louis

#6 Lily123


Posted 15 August 2011 - 08:50 AM

Just boot the disk from XP, after making sure your BIOS has been changed to boot on to a CDROM where you put the disk, then typing in r, but you still have to gain access by saying it is 1, C: then when asked for Password, just hit "enter" (that is default)

Type in fixboot then press enter

Try that? It should work.

Any Problems with this Please Post back

Ray.


Thank you very much Ray – I will give this a try and let you know how I get on with it :)

#7 Lily123


Posted 16 August 2011 - 07:59 AM

Hi again Ray,

Well I tried your ‘fixboot’ suggestion using Recovery Console and Windows XP now boots up, which is great – thank you very much!!

However, before windows loads, I now get the message:

“Please select the operating system to start:
Windows XP Home Edition
Microsoft Windows XP Home Edition
Use the up and down arrow keys to move the highlight to your choice. Press enter to choose”


Selecting either option loads Windows with my personal settings where I can see that all of my files and programs are still intact – I just have to select one of the two options every time I boot up.

Unfortunately, I’m now having problems after Windows XP loads. After the ‘welcome’ screen, the icons on my desktop appear, as does the start toolbar. They then start to flash periodically and then completely disappear 30 seconds – 2 minutes after start-up. I am then left with just my wallpaper on the screen and cursor. The start toolbar and desktop icons do not reappear after this.

As a result, I am unable to access any program or file (I have tried accessing internet explorer as soon as windows loads when the icons are present, but it will not open). The only thing I can access is Windows Task Manager by holding down CTRL + ALT + DEL. I can also access System Restore via Windows Task Manager, but no ‘restore points’ are available to set my computer back to an earlier date.

I have also attempted to reboot in Safe Mode, but every single time that I do, I get a blue error screen with the following message:

A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you’ve seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated.

Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

Technical information:

* * * STOP: 0x0000007B (0Xf8b4d528, 0Xc0000034, 0X00000000, 0x00000000)


I did experience this problem before the computer developed the missing / corrupt hal.dll message, so I am sure that it is not connected to this, I just wondered if you or anyone else had come across this problem before? Perhaps it would be advisable to start a new topic on this issue?

Any further advice would be very much appreciated.
Thank you again in advance :)

#8 AustrAlien

AustrAlien

    Inquisitor


  • BC Advisor
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:08:43 PM

Posted 16 August 2011 - 04:32 PM

Please sit tight and be patient.

I have requested that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.

Thank you.
AustrAlien
Google is my friend. Make Google your friend too.


#9 Drovers Dog


Posted 16 August 2011 - 07:24 PM

I agree, it looks like some Malware could be there, so it is best to leave it for the experts.

Ray.

#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:43 AM

Posted 16 August 2011 - 09:15 PM

Let's start by fixing the boot process.

Boot to the Recovery Console.

At the prompt type the following pressing Enter after each line:

Attrib -s -h -r C:\Boot.ini
Del C:\Boot.ini
bootcfg /rebuild


  • When you receive a message that is similar to the following message, press Y:

    Total Identified Windows Installs: 1
    [1] C:\Windows
    Add installation to boot list? (Yes/No/All)

  • You receive a message that is similar to the following message:

    Enter Load Identifier

  • This is the name of the operating system. When you receive this message, type the name of your operating system, and then press ENTER. This is either Microsoft Windows XP Professional or Microsoft Windows XP Home Edition.
  • You receive a message that is similar to the following:

    Enter OS Load options

  • When you receive this message, type /fastdetect, and then press ENTER.

Once this process is completed, type EXIT and press ENTER to restart your computer.

Using the task Manager, as a New Task, browse to and run "C:\Program Files\Internet Explorer\iexplore.exe".

If able to connect to the Internet, run Combofix as follows: (Please note that you may need to use the task manager also to run Combofix [MyPoppy.exe] from your desktop)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to MyPoppy as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on MyPoppy.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\MyPoppy.txt" . ( I believe Combofix will also rename the report)
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help throughout private messaging will be attended.
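
The boot menu reported in this thread is driven by boot.ini, the file the steps above delete and rebuild. As an added example (not part of the original post), this parses a boot.ini and reports entries that point at the same installation; the sample file contents and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: three entries for one installation, matching the
# three-line menu reported in this thread.
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Home Edition" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
'''

# ARC path = "menu label" followed by optional load options
ENTRY_RE = re.compile(r'^([^=]+?)\s*=\s*"([^"]*)"\s*(.*)$')


def parse_boot_ini(text):
    """Return (boot loader settings, list of menu entries)."""
    section, settings, entries = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
        elif section == 'boot loader' and '=' in line:
            key, value = line.split('=', 1)
            settings[key.strip().lower()] = value.strip()
        elif section == 'operating systems':
            m = ENTRY_RE.match(line)
            if m:
                entries.append({'arc': m.group(1).strip(),
                                'label': m.group(2),
                                'options': m.group(3).split()})
    return settings, entries


def audit(text):
    """Explain why a boot menu appears and which entries are redundant."""
    settings, entries = parse_boot_ini(text)
    by_target = defaultdict(list)
    for entry in entries:
        by_target[entry['arc'].lower()].append(entry['label'])
    return {
        # The loader only shows a menu when it has more than one entry
        # to choose from and the timeout is not zero.
        'menu_shown': len(entries) > 1 and settings.get('timeout') != '0',
        'duplicates': {arc: labels for arc, labels in by_target.items()
                       if len(labels) > 1},
        'default_ok': settings.get('default', '').lower() in by_target,
    }


if __name__ == '__main__':
    result = audit(SAMPLE_BOOT_INI)
    print('menu shown:', result['menu_shown'])
    for arc, labels in result['duplicates'].items():
        print(f'{len(labels)} entries boot {arc}: {labels}')
```
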



#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:43 AM

Posted 16 August 2011 - 09:23 PM

Hello, just letting you know I moved this topic to Here in the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that you were moved.

#12 Lily123


Posted 17 August 2011 - 09:06 AM

Thank you very much everyone (and JSntgRvr for such a detailed response – it is much appreciated!) I will try this right away and let you know how I get on. Thank you again :)

#13 Lily123


Posted 19 August 2011 - 10:12 AM

Hi again JSntgRvr,

I have tried your suggestions with regards to fixing the boot process. After booting to Recovery Console, I went through all of the steps you described and all onscreen messages appeared as you predicted. However, after booting up (before Windows XP loads) I get the message:

“Please select the operating system to start:
Microsoft Windows XP Home Edition
Windows XP Home Edition
Microsoft Windows XP Home Edition
Use the up and down arrow keys to move the highlight to your choice. Press enter to choose”


Selecting any of the three options loads Windows with my personal settings – I just have to make a selection every time I boot up (this has only occurred after using the recovery console programme and being asked "enter load identifier").

After Windows loads, I’m still experiencing the flashing desktop icons / start bar. I have also noticed since my last post that the icons in my system tray next to the clock gradually disappear each time the screen flashes. I usually have icons for my antivirus, firewall, scanner, messenger and windows security alerts there, but just the clock remains before everything disappears completely.

I have attempted on several occasions to access the internet using Task Manager (“C:\Program Files\Internet Explorer\iexplore.exe”) so that I can download Combofix to my desktop. However, on every attempt, the timer cursor appears for 5 – 10 seconds and then nothing happens.

Since I’m unable to access the internet / open a browser window, would you suggest that I try and download Combofix onto disk using another computer?

Any advice would be much appreciated.
Thanks again for your help

#14 JSntgRvr


Posted 19 August 2011 - 12:18 PM

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD, in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space between the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

No request for help throughout private messaging will be attended.
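
What can be read from the mbr.bin that the dd step above saves, as an added example (not part of the original post or of the tools it names): it checks the sector's structure and hashes the loader code so it can be compared with a known-good copy. The sample sector, the partition type table and the function names are constructed for illustration.

```python
import hashlib
import struct
import sys

SECTOR = 512
ENTRY = "<B3xB3xII"   # status, (CHS skipped), type, (CHS skipped), start LBA, sectors
TYPES = {0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
         0x0F: "extended (LBA)", 0xDE: "Dell Utility"}


def parse_mbr(sector):
    """Summarise a 512-byte MBR image such as the mbr.bin written by dd."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    warnings, parts = [], []
    if sector[510:512] != b"\x55\xaa":
        warnings.append("boot signature 55 AA missing")
    for i in range(4):  # four 16-byte slots starting at offset 446
        status, ptype, start, count = struct.unpack_from(ENTRY, sector, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            warnings.append(f"slot {i + 1}: invalid status byte {status:#04x}")
        parts.append({"slot": i + 1, "active": status == 0x80,
                      "type": TYPES.get(ptype, f"unknown {ptype:#04x}"),
                      "start": start, "end": start + count - 1})
    if sum(p["active"] for p in parts) != 1:
        warnings.append("expected exactly one active partition")
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start"] <= a["end"]:
            warnings.append(f"slots {a['slot']} and {b['slot']} overlap")
    return {
        # Hash only the loader code (bytes 0-439) so the value does not
        # change with the disk signature or the partition layout.
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": f"{struct.unpack_from('<I', sector, 440)[0]:08x}",
        "partitions": parts,
        "warnings": warnings,
    }


def build_sample():
    """Constructed sector: zeroed loader code and one active NTFS partition."""
    sector = bytearray(SECTOR)
    struct.pack_into(ENTRY, sector, 446, 0x80, 0x07, 63, 156296322)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    # Pass the path to mbr.bin, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample()
    report = parse_mbr(data)
    print("loader sha256:", report["boot_code_sha256"])
    for part in report["partitions"]:
        print(part)
    for warning in report["warnings"]:
        print("WARNING:", warning)
```
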



#15 Lily123


Posted 26 August 2011 - 08:07 AM

Thank you very much - I am still in the process of trying this solution and will post back once I have the reports.
Thanks again :)



