
Cannot Boot into Normal Mode


  • This topic is locked
11 replies to this topic

#1 rwbil


Posted 31 March 2012 - 04:08 PM

I can boot my computer into Safe Mode, but cannot boot into Normal Mode. It automatically reboots right after I enter my PW.

I have a Dell machine running 32-bit Vista.

Here is a list of what I have already tried,

1) I opened up Msconfig and changed it to Selective startup. I thought I would attempt to isolate what start up program or process was causing it not to boot. But when I try to reboot in Selective Startup it just automatically reboots and when I open Msconfig in Safe Mode, I notice it automatically changed from Selective startup back to Normal Startup.

2) I have run all the following programs:

SuperAntiSpyware
Spybot
CCleaner - Both files and registry cleaners
Glary Utilities
ComboFix
Malwarebytes

Combofix kept saying AVG was installed even though I ran AVG Remover, rebooted and do not see AVG anywhere.

I should add that Combofix did run and found 3 infected files including SVCHOST. It then automatically rebooted. But the problems continue.

3) Just in case it might be a memory problem, I ran a memory tester and it said the memory was fine.

4) Booted to a CD and ran bootrec.exe /fixMBR. Still does not boot in Normal Mode. But something different did happen.

Normally when I boot in Normal Mode, after I select the user and type in my PW it displays the Welcome screen for 2 seconds and then automatically reboots before the desktop appears. This time, after running bootrec.exe /fixMBR, the desktop actually came up for about 2 seconds before the system automatically rebooted. I rebooted again in normal mode and then it did like it previously did and automatically rebooted after the welcome screen.

I was not sure if it was some fluke that the desktop came up or not, so I did the whole process again, and again when rebooted in normal mode the Desktop appeared for a second and then rebooted.


5) Ran Chkdsk /r and Chkdsk /f. Still does not boot in Normal Mode

6) Also ran SFC /scannow. Still does not boot in Normal Mode

7) Also restore does not work.

Per the instructions here I ran GMER and DDS and have attached those logs. I had also run Combofix previously and have attached that log.


Thanks in advance,
Robert


 


#2 m0le


Posted 06 April 2012 - 10:39 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 rwbil


Posted 08 April 2012 - 08:31 AM

Thanks,

I subscribed and I am here.

Robert

#4 m0le


Posted 08 April 2012 - 10:13 AM

Download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (Scan your computer's memory for errors.)
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your next reply.

#5 rwbil


Posted 08 April 2012 - 10:30 AM

I did not mention it, but I already ran that program and generated the file, which I am attaching. I had to create a bootable disk to run it though. I have a Dell 32-bit machine running Windows Vista. I hit F8 and then selected Repair Your Computer. I did not get a keyboard or operating system choice. It asked for my user name and PW. When I entered my user name and PW, it came back and stated Domain could not be found or contacted and just ended there. I only have a simple home network connected via a wireless router. No server client setup.

Finally got a Vista Bootable CD and was able to run FRST. Attached is the FRST.txt file.

Is there any way to entire boot process and what program, driver, service is being loaded when the system re-boots? Or does it not work that way?

Thanks in advance,
Robert




#6 m0le


Posted 08 April 2012 - 05:12 PM

We've found what we came for: fake drivers which have to be replaced. First we can find the backup copies.

Boot to System Recovery Options and run FRST.

Type the following in the edit box after "Search:".

winlogon.exe;explorer.exe;svchost.exe

Note: The file names should be separated by semicolon (;)

It then should look like:

Search: winlogon.exe;explorer.exe;svchost.exe

Click Search button and post the log (Search.txt) it makes in your next reply.

#7 rwbil


Posted 08 April 2012 - 10:27 PM

What do you look for in FRST.txt to identify problem areas? Attached is the file. My computer came with a D drive image recovery, so they never included an operating system CD.




#8 m0le


Posted 09 April 2012 - 05:04 PM

"What do you look for in FRST.txt to identify problem areas?"

Usually I look in the Bamital & volsnap Check area. If the md5 is not showing as legit I need to research it to see whether it is a known, legitimate one or not. There are lots of places on the log to check though.


Please rerun FRST as shown.

Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

TDL4: custom:26000022

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (Scan your computer's memory for errors.)
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log on the flash drive (Fixlog.txt). Please post it in your reply.
m0le is a proud member of UNITE
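
Posts #6 and #8 describe locating the stored copies of winlogon.exe, explorer.exe and svchost.exe and checking whether a file's MD5 is a known one. The sketch below is an added example, not part of the thread and not FRST's own logic: it walks an offline Windows directory, hashes every copy of those three files, and lists the in-use copies whose MD5 matches no copy stored elsewhere. The function names and the default path are assumptions.

```python
import hashlib
import os
import sys
from collections import defaultdict

# File names from the FRST search string quoted in the thread.
TARGETS = {"winlogon.exe", "explorer.exe", "svchost.exe"}

def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks (MD5 because that is what the log reports)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def find_copies(root, targets=TARGETS):
    """Return {file name: {md5: [paths]}} for every copy found under root."""
    copies = defaultdict(lambda: defaultdict(list))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in targets:
                continue
            path = os.path.join(dirpath, name)
            try:
                copies[name.lower()][md5_of(path)].append(path)
            except OSError:
                pass  # unreadable copy: nothing to compare
    return copies

def unmatched_active_copies(root, active_dirs, targets=TARGETS):
    """Paths of in-use copies whose MD5 matches no copy stored elsewhere."""
    def norm(p):
        return os.path.normcase(os.path.abspath(p))
    active = {norm(d) for d in active_dirs}
    flagged = []
    for by_hash in find_copies(root, targets).values():
        for paths in by_hash.values():
            in_use = [p for p in paths if norm(os.path.dirname(p)) in active]
            if in_use and len(in_use) == len(paths):
                flagged.extend(in_use)  # no backup shares this hash
    return sorted(flagged)

if __name__ == "__main__":
    # Assumed usage: pass the offline Windows directory as the first argument.
    win = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    for path in unmatched_active_copies(win, [win, os.path.join(win, "System32")]):
        print("research this hash:", md5_of(path), path)
```

A flagged file is not proof of replacement, since updates can leave older backups behind; it only narrows down which hash needs to be researched.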

#9 rwbil


Posted 09 April 2012 - 10:27 PM

I ran the program and afterwards the computer came up in Normal Mode, but I have not had time to play with it to make sure it does not reboot. What exactly did that command do?


Also, is there a program that tracks every change made to one's computer and keeps a nice log stating any registry changes, etc., and has an undo option?

Thanks in advance,
Robert

#10 m0le


Posted 10 April 2012 - 06:15 PM

"What exactly did that command do?"

The command removes the TDL4 entry in the Boot Configuration Data (BCD) or Boot Loader. This is sometimes left over when the infection is removed incorrectly.

"is there a program that tracks every change made to one's computer and keeps a nice log stating any registry changes and etc. And has an undo option."

Most paid antiviruses contain a feature which logs all changes. I don't think Undo is a possible feature. I have linked to Comodo's page because it details it the best way. Is this what you mean?

#11 m0le


Posted 15 April 2012 - 05:47 AM

Are you still there?

#12 m0le


Posted 16 April 2012 - 06:50 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.