
Windows XP doesn't boot after running combofix

This topic is locked
109 replies to this topic

#1 shashanks (Members, 73 posts, New Delhi, India)

Posted 18 March 2012 - 03:28 AM

Preface: My laptop had been infected with the not-so-good rootkits lately (earlier stdrt and then later ZeroAccess). While I've been able to disinfect stdrt with the help of UnHackMe and ComboFix before, it all started a couple of weeks back when I'd noticed UnHackMe warning me about some random infections at the system startup (it usually showed random values, "xxxxx.sys" et al., as infected files). Each time I cleaned them, it would reboot and then, upon restart, again present me with some random "xxxx.sys" or other infected file. Since I've seen similar episodes happening before, I was pretty sure it was another rootkit. After some googling, it appeared to have been infected with ZeroAccess; however, my comp never had the snailing effect, nor were my browser(s) compromised, and no ad-redirecting either.

Troubleshooting: Desperate, I decided to run every possible rootkit detector (I know that it ain't such a good idea, but problems come that way). Most of these detectors gave me a clean chit until Avast aswMBR showed one of the files infected with Win32:Malob-EL [Cryp]. It did also show sptd warnings, but I know I've dTPro installed on my system and hence the enumerator warnings. I'd saved all these logs for posting but BAM...I decided to run ComboFix again yesterday since it had helped me before.

The Problem: The only difference in using ComboFix this time is that I allowed it to download the Recovery Console. In my earlier adventures, I'd avoided the same. All went well...Recovery Console installed fine...scan ran well...report generated fine. After all this I rebooted my computer today and here is the REAL PROBLEM - now the computer just doesn't boot back. I am presented with (in order of appearance):
I. Boot options including
a. Windows Recovery Console
b. Debug mode
c. Windows XP Professional

followed in an instance by:
II. Terminal window saying:
"We apologize for the inconvenience, but Windows did not start successfully. A recent hardware or software change might have caused this..." and I am presented with options to boot from:
a. Safe Mode
b. Safe Mode with Networking
c. Safe Mode with Command Prompt
d. Last Known Good Configuration, and
e. Start Windows Normally

No matter which one of the above I choose, immediately the Windows initial screen appears and then a microsecond BSOD, followed by a reboot (cycling). Quickly pressing "R" on boot options lets me get inside the Recovery Console, but I have no clue what to do next. I am not any good at DOS :(

I really apologize for making it so long but wanted to be as precise as I could. I would really appreciate it if anyone out there can help me get back into my system (and, I think I have learned why not to use ComboFix without pro help.) please...HELP! Many thanks already for going through all of this.
At least my pencil never crashes!

Best,
SS


#2 hamluis (Moderator, 56,287 posts, Killeen, TX)

Posted 18 March 2012 - 05:42 AM

Please...do not duplicate post in different forums. I have deleted your later post in the Malware Removal Logs forum (since you attached no qualifying malware logs).

Since you can get into the Recovery Console...I suggest trying to run the chkdsk /r command from it.

When prompted to enter your Administrator password, just leave it blank and press Enter.

At the next prompt...type chkdsk /r (note the space between chkdsk and /r) and hit Enter.

The command should begin to execute.

Upon completion, the system will display a summary of chkdsk activity. If the system does not automatically reboot, type Exit and then hit Enter (this will reboot the system).

Let us know how that goes.

Louis

#3 shashanks (Topic Starter)

Posted 18 March 2012 - 07:51 AM

Hi Louis,

At the onset, apologies for re-posting it in the malware section (I somehow thought I had posted wrongly in here). Shall keep that in mind.

I am really thankful to you for attending to my problem in such short time. As per your suggestion, running the chkdsk /r scan gives the following result(s):

chkdsk is checking the volume...
chkdsk is performing additional checking or recovery...
chkdsk is performing additional checking or recovery...
chkdsk is performing additional checking or recovery...
chkdsk found and fixed one or more errors on the volume.
102398276 kilobytes total disk space.
69726864 kilobytes are available.

4096 in each allocation unit.

25599569 total allocation units on disk.
17431716 allocation units available on disk.

The system did not reboot, so I typed exit and was brought back to the same screens again...result - same. I can't boot in with any option (safe/normal/last known good config) still :(. Please help.

Edited by shashanks, 18 March 2012 - 07:52 AM.

At least my pencil never crashes!

Best,
SS

#4 shashanks (Topic Starter)

Posted 18 March 2012 - 09:10 AM

Ohh and BTW, I've also tried disabling the "auto-restart on system failure" to be able to read the BSOD information. The information shows:

A problem has been detected and Windows has been shut down to prevent damage to your computer.
If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:


Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated.
Run CHKDSK /F to check for hard drive corruption, and then restart your computer.


Technical information:
***STOP: 0x0000007B (0xBA4CF524, 0xC0000034, 0x00000000, 0x00000000)
At least my pencil never crashes!

Best,
SS
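The STOP line quoted in post #4 is the most useful triage artifact in this thread, so here is a small decoder for it, written as an added example and not code from the thread or from any tool named in it. It parses the bugcheck code and its four parameters and, for 0x7B (INACCESSIBLE_BOOT_DEVICE), names the NTSTATUS in parameter 2; the plain-language hints are generic reading aids for that status, not a diagnosis of this particular laptop.

```python
import re

# Bugcheck and NTSTATUS names are Microsoft-documented constants.
BUGCHECK_NAMES = {
    0x7B: "INACCESSIBLE_BOOT_DEVICE",
    0xED: "UNMOUNTABLE_BOOT_VOLUME",
    0x24: "NTFS_FILE_SYSTEM",
}

# For bugcheck 0x7B, parameter 2 is the NTSTATUS returned by the failed
# boot-device lookup or mount (parameter 1 is a kernel address, not decoded).
STATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC000000E: "STATUS_NO_SUCH_DEVICE",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000014F: "STATUS_UNRECOGNIZED_VOLUME",
}

# Generic reading aids for 0x7B parameter 2 (interpretation, not a verdict).
STATUS_HINTS = {
    0xC0000034: "the boot device name resolved to no device object: the boot storage driver did not load or boot.ini points at the wrong device",
    0xC000000E: "no device answered for the boot device: controller or disk not detected",
    0xC000014F: "the boot volume is not recognised by any loaded file system driver",
}

STOP_RE = re.compile(r"\*+\s*STOP:\s*0x([0-9A-Fa-f]{8})\s*\(([^)]*)\)")


def decode_stop(line):
    """Parse a '***STOP: 0x... (p1, p2, p3, p4)' line into a triage dict.

    Returns None when the line is not a STOP line."""
    m = STOP_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    params = [int(p.strip(), 16) for p in m.group(2).split(",") if p.strip()]
    info = {"code": code, "name": BUGCHECK_NAMES.get(code, "UNKNOWN_BUGCHECK"),
            "params": params, "status": None, "hint": None}
    # Only 0x7B carries an NTSTATUS in parameter 2 in this decoder.
    if code == 0x7B and len(params) >= 2:
        info["status"] = STATUS_NAMES.get(params[1], "0x%08X" % params[1])
        info["hint"] = STATUS_HINTS.get(params[1])
    return info


if __name__ == "__main__":
    # The exact line quoted from the BSOD in post #4 of this thread.
    print(decode_stop("***STOP: 0x0000007B (0xBA4CF524, 0xC0000034, 0x00000000, 0x00000000)"))
```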

#5 hamluis (Moderator)

Posted 18 March 2012 - 10:04 AM

My request was just a gamble...it could not hurt and had the possibility of helping, but I didn't really expect much.

In any case, I've added your topic to our internal list of systems which cannot boot and one of our malware personnel will try to assist you with your situation.

Not much to do right now, other than sit back and await contact by one of our malware personnel :). Do not try to make changes to the system prior to instructions from the BC malware team who picks up this topic.

Louis

#6 shashanks (Topic Starter)

Posted 18 March 2012 - 10:50 AM

Thanks again Louis for adding the topic to internal list(s). I desperately look forward to receiving some help from BC.


My request was just a gamble...it could not hurt and had the possibility of helping, but I didn't really expect much.

In any case, I've added your topic to our internal list of systems which cannot boot and one of our malware personnel will try to assist you with your situation.

Not much to do right now, other than sit back and await contact by one of our malware personnel :). Do not try to make changes to the system prior to instructions from the BC malware team who picks up this topic.

Louis




At least my pencil never crashes!

Best,
SS

#7 shashanks (Topic Starter)

Posted 18 March 2012 - 01:49 PM

In the interim, considering it to be safe enough, I downloaded seatools for DOS just to check the drive integrity. Burned and booted the ISO...and I am happy to see both short DST and long run pass without any error(s). Other notifications on the utility (drive information) show:

Device 0 is Seagate device STxxxxxxxAS (where xxx is the number for the drive) 5VH02K2H On Intel ICH7
Max native address 625142447
Device is 48 bit
SMART is supported and enabled
SMART has NOT been tripped
DST is supported
Logging feature set is supported
POH 2924 Current Temp 41
At least my pencil never crashes!

Best,
SS

#8 InadequateInfirmity (Banned, 5,180 posts, "I Gots Me A Certified Edumication")

Posted 18 March 2012 - 03:49 PM

Here boot into the recovery console.
http://pcsupport.about.com/od/termsf/p/fixmbr.htm

#9 shashanks (Topic Starter)

Posted 18 March 2012 - 04:02 PM

Update: Unable to see any activity yet on BC, I decided I'll give Kaspersky Rescue Disk a chance...and voila! I am now able to log in to the graphical UI, which means that I now have access to all the logs that were generated in my earlier efforts to find the rootkit. I have quickly copied the last "qoobox" folder to a pen drive now and am now looking even more desperately at BC to assist me out of this problem. Many thanks and I look forward.
At least my pencil never crashes!

Best,
SS

#10 InadequateInfirmity (Banned)

Posted 18 March 2012 - 04:34 PM

Have you tried post 8? Perhaps the MBR is corrupted.

#11 shashanks (Topic Starter)

Posted 18 March 2012 - 04:40 PM

Thanks I2. But do you really think playing with the MBR will be a good idea at this point? Especially now that I am able to access the drives & files?

Here boot into the recovery console.
http://pcsupport.about.com/od/termsf/p/fixmbr.htm


At least my pencil never crashes!

Best,
SS

#12 InadequateInfirmity (Banned)

Posted 18 March 2012 - 04:46 PM

The link I sent to you can do no harm by running the command. Choice is yours. :)

#13 shashanks (Topic Starter)

Posted 18 March 2012 - 04:48 PM

Perhaps, that is something I thought of doing, but I think I have already come a long way experimenting. The MBR is something that I'd want to touch only after I have all my data backed up. But I appreciate your help very much, mate :). I shall wait for some BC malware team member as Louis suggested and see how things go forward. Thanks again; do let me know if you bump into a similar thread elsewhere though!

Have you tried post 8? Perhaps the MBR is corrupted.


At least my pencil never crashes!

Best,
SS

#14 InadequateInfirmity (Banned)

Posted 18 March 2012 - 05:14 PM

Well, the fixmbr command will not harm your PC, I guarantee that. :) But I understand your concern.

Edited by InadequateInfirmity, 18 March 2012 - 05:15 PM.


#15 shashanks (Topic Starter)

Posted 18 March 2012 - 10:37 PM

Can I look to BC to provide me some help here??
At least my pencil never crashes!

Best,
SS
