Looping startup win xp pro after system fix infection


  • This topic is locked
22 replies to this topic

#1 tbussell

tbussell

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 21 November 2011 - 02:45 PM

Greetings

System - Gateway PC with XP Pro

History - Running internet Mozilla I had a pop up for System Fix. I closed it and shut down the computer after watching all open tabs close.

Current Symptoms - Looping XP startup that fails and opens black screen and text for options to start in Safe Mode etc. Whether I select an option or leave the system alone it will reboot to the same screen. I have tried it 200 times with F8 and get the same results.

Exception - Twice I got into Safe Mode and I was able to access Malwarebytes and run it successfully. The reboot attempt reverted to the same symptom of looping. My screen saver did run while in Safe Mode so it appears that my files are still intact.

I am stuck and need some help,
Thanks
tbussell

Edited by hamluis, 21 November 2011 - 02:54 PM.
Moved from XP to Am I Infected.




#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,682 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:55 PM

Posted 21 November 2011 - 08:38 PM

:welcome:

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Once this process is completed, download Dumpit by noahdfear to the USB drive.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD, in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Confirm that you see the file dumpit in your USB drive and double click on it.
  • After it has finished a report will be located in your USB drive named mbr.zip
  • Plug the USB back into the clean computer and post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.zip file must be attached to your reply.

Edited by JSntgRvr, 21 November 2011 - 08:38 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:55 PM

Posted 21 November 2011 - 09:59 PM

Hello, just letting you know I moved this topic to Here in the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that you were moved.

#4 tbussell

tbussell
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 22 November 2011 - 01:06 AM

Thanks so much for this extensive help.

I succeeded in preparing the CD and USB files and also booting the damaged computer into xPUD.

I clicked on mnt and the only folders were sda1 and sda2. sda1 lists a number of files or programs and sda2 appears to be empty.

How shall I proceed?

Thanks again.

#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,682 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:55 PM

Posted 22 November 2011 - 02:04 AM

What you are saying is that you cannot see the drive that contains the Operating System, folders such as Documents and Settings and the folder Windows?

Do you have an XP installation CD?

Is your hard drive SATA?

Edited by JSntgRvr, 22 November 2011 - 02:07 AM.



#6 tbussell

tbussell
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 22 November 2011 - 09:28 AM

I am trying to say that in xPUD under mnt I see two icons:

* sda 1 & sda2

sda1 contains several sub folders including Documents and Settings along with the Windows folder.

sda2 appears to be empty.

I did click on all of the sub folders looking for the driver.sh as instructed, but I did not see an icon for that file. That is why I am inquiring before proceeding.

I do have an XP Professional Reinstallation CD. It is from another computer and shows Service Pack 1 as opposed to the Service Pack 2 that I am running.

Thanks again.

#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,682 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:55 PM

Posted 22 November 2011 - 10:41 AM

OK. The USB drive is not being recognized.

While on xPUD, remove the USB drive, wait five seconds and insert it again. See if, after doing that, the USB drive is recognized and added as a drive folder.



#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,682 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:55 PM

Posted 22 November 2011 - 11:02 AM

If the issue persists, see if you are able to create a bootable CD using PE Builder.

If successful, download Farbar Recovery Scan Tool and save it to a USB drive.

Boot to the PE CD.

  • Once on the desktop, determine the drive letter assigned to your USB drive.

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.

  • Once you have identified the drive letter to your USB drive, then bring the computer to a Command prompt.
  • In the command window type X: and press Enter (Change the X with the drive letter to your USB drive). You should now be at the USB drive letter command prompt.
  • Type frst and press Enter
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



#9 tbussell

tbussell
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 22 November 2011 - 05:05 PM

You have been so prompt and detailed in your responses that I hate to have to report less than complete execution.

I had success in booting from the damaged computer in xPUD where the screen appears to start normally and then xPUD appears instead of the safe mode optional start up menu (which doesn't actually work).

I tried executing the alternative of the boot disc of pebuild.exe on 3 different CDs and download attempts. That program does not boot or interrupt my flawed start up status currently.

I went back and tried to execute xPUD again 3 times and I did look at all of the folders looking for the driver.sh file on the USB port on the damaged computer. That did not succeed but I have a third option under mnt on xPUD that appears to be stored files and programs on the C drive of the damaged computer. That label is sda3 and it is a new result.

Sorry to have to ask for further help.
Thanks again.

#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,682 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:55 PM

Posted 22 November 2011 - 11:51 PM

Have you tested the pebuild CD in your working computer? Sometimes you have to force the boot from the CD, either through the BIOS, or by pressing a specific key to reach the boot menu, such as F12 during boot. The other option will be to boot from a USB drive and include everything in it. I will give you the instructions just in case.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • The computer must be set to boot from the USB drive
  • In some computers you need to tap F12 and choose to boot from the USB, in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space between each of the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

Please note - all text entries are case sensitive

Edited by JSntgRvr, 22 November 2011 - 11:57 PM.

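A way to sanity-check the one-sector `mbr.bin` that the `dd if=/dev/sda of=mbr.bin bs=512 count=1` step above produces, before it is zipped and attached. This is an added example, not part of the original thread or of the helper's tools; it assumes Python on the clean computer, `parse_mbr` and `build_sample_mbr` are hypothetical names, and the sample sector is constructed rather than taken from the affected machine.

```python
import hashlib
import struct

SECTOR = 512            # bs=512 count=1 yields exactly one sector
BOOT_CODE_LEN = 446     # bytes 0-445: boot code; 446-509: four 16-byte entries
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, LBA start, sector count


def parse_mbr(raw: bytes) -> dict:
    """Validate a one-sector MBR dump and summarise it for review."""
    if len(raw) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(raw)}")
    if raw[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")

    partitions, warnings = [], []
    for index in range(4):
        offset = BOOT_CODE_LEN + index * ENTRY.size
        status, ptype, lba_start, sectors = ENTRY.unpack_from(raw, offset)
        if ptype == 0x00:          # unused slot
            continue
        if status not in (0x00, 0x80):
            warnings.append(f"entry {index + 1}: invalid status 0x{status:02x}")
        partitions.append({"slot": index + 1, "active": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "lba_end": lba_start + sectors - 1})

    active = [p["slot"] for p in partitions if p["active"]]
    if len(active) != 1:
        warnings.append(f"expected one active partition, found {len(active)}")
    ordered = sorted(partitions, key=lambda p: p["lba_start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["lba_start"] <= prev["lba_end"]:
            warnings.append(f"entries {prev['slot']} and {cur['slot']} overlap")
    if not any(raw[:BOOT_CODE_LEN]):
        warnings.append("boot code area is empty")

    return {"boot_code_sha256": hashlib.sha256(raw[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions, "warnings": warnings}


def build_sample_mbr(second_active: bool = False) -> bytes:
    """Constructed 512-byte sector: placeholder boot code plus two partitions."""
    boot_code = bytes([0xEB, 0xFE]) + bytes(BOOT_CODE_LEN - 2)  # placeholder, not real code
    first = ENTRY.pack(0x80, 0x07, 63, 204800)                  # active, type 0x07
    second = ENTRY.pack(0x80 if second_active else 0x00, 0x0B, 204863, 102400)
    return boot_code + first + second + bytes(2 * ENTRY.size) + b"\x55\xaa"


if __name__ == "__main__":
    summary = parse_mbr(build_sample_mbr())
    print(summary["boot_code_sha256"])
    for part in summary["partitions"]:
        print(part)
    print(summary["warnings"] or "no structural warnings")
```

To check a real dump, pass `open("mbr.bin", "rb").read()` to `parse_mbr`; the boot-code hash gives a stable value to compare between two dumps of the same disk.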


#11 tbussell

tbussell
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 24 November 2011 - 02:24 AM

Thank you once again for the extensive help. I have worked all day on this and here are the results.

1. I was able to download the xPUD files to the desktop and to format a new USB device. When I attempted to load from the desktop to the USB I got two messages on different attempts. First that I did not have permission and later that the application was not windows32 app. I was stopped at that point.

2. I went to another site to find the xPUD file (http://xpud.org/download.en.html ) I was able to download the file here and also transfer it to the USB. I attempted to boot on the damaged computer, but it did not change the symptoms of the looping pattern described earlier. I then tried to put both the USB and CD with the xPUD files on each and attempt a boot. Again no success.

3. During the startup process I have tried to enter the boot options using function key F10. In this process I get a blue screen with the following error message.

*** STOP: 0x0000007B (0xF7A09524,0xC0000034,0x00000000,0x00000000)

I so appreciate your patience and help.
tbussell

#12 tbussell

tbussell
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 24 November 2011 - 02:29 AM

I forgot to mention that the result of #2 above was that with the CD with xPUD I was able to boot back into xPUD, however the mnt files did not change with the subfolders of sda1 with the same content and sda2 that still has no files.

#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,682 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:55 PM

Posted 24 November 2011 - 10:03 AM

    Thank you once again for the extensive help. I have worked all day on this and here are the results.

    1. I was able to download the xPUD files to the desktop and to format a new USB device. When I attempted to load from the desktop to the USB I got two messages on different attempts. First that I did not have permission and later that the application was not windows32 app. I was stopped at that point.

    2. I went to another site to find the xPUD file (http://xpud.org/download.en.html ) I was able to download the file here and also transfer it to the USB. I attempted to boot on the damaged computer, but it did not change the symptoms of the looping pattern described earlier. I then tried to put both the USB and CD with the xPUD files on each and attempt a boot. Again no success.

    3. During the startup process I have tried to enter the boot options using function key F10. In this process I get a blue screen with the following error message.

    *** STOP: 0x0000007B (0xF7A09524,0xC0000034,0x00000000,0x00000000)

    I so appreciate your patience and help.
    tbussell


I must assume you did not copy the .ISO file directly to the USB, but used the ISO to USB utility to extract its contents to the USB.



#14 tbussell

tbussell
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 24 November 2011 - 12:21 PM

I copied the download to my desktop into what looked like an MS Word environment and then copied the desktop file to the USB device. Should I try to download it directly from the website directly to my USB device and then try to boot on the damaged computer?

I watched the USB device as the damaged computer was trying to boot and the USB lit up extensively.
Thanks
tbussell

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,682 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:55 PM

Posted 24 November 2011 - 01:00 PM

I don't know if you are following the required steps. There is no copying in the process. There are two files involved, the xPUD iso, which is an image of the boot CD, and a second file, the xPUD installer to the USB drive, that is the program that will extract the image into the USB drive. See the picture.

[attachment=112247:unetbootin-win.jpg]

Once the process is completed, the USB should be bootable. During the boot process, press F12 or the key that will bring the boot menu, and select the USB drive.

If the boot menu is not available, then enter the BIOS setup utility and set the boot order to USB first.

Edited by JSntgRvr, 24 November 2011 - 01:01 PM.





