Solved Can't Boot Into Windows


mukulika
Hi guys. Ran into a bit of a problem. I use Windows XP Pro. Yesterday, my sister unknowingly double-clicked on a virus-infested pen drive. Since shutting the computer down, it isn't booting into Windows. It comes to the screen where it says that the computer, in its last running session, was not shut down properly, and would I prefer to start it in safe mode. If I try to boot in safe mode, it shows a screen loading a number of processes for a few seconds, and then I hear the RAM beep again and the computer restarts. If I try to boot normally, it comes to the screen where I see the Windows bar loading. From here, it restarts. Don't really know what I should do.

Thanks in advance for any help.
 
On a working computer...

Download, and run Flash Disinfector, and save it to your desktop.

*Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it, hence the failure to execute. You can enable them again after the cleaning process*

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder; it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

==========================================================================

Let's see if we can look at your computer by booting from an external source.

You will need a USB flash drive to move information from the bad computer to a working computer.

You need to download two programs.

First

ISO Burner: this will allow you to burn the REATOGO-X-PE ISO to a CD and make it bootable. Just install the program; from there on it's fairly automatic (Instructions).

Second

  • Download OTLPE.iso and burn it to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
  • When downloaded, double-click it and this will open ISOBurner to burn the file to CD.
  • Reboot your system (Non working computer) using the boot CD you just created.
    • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box Automatically Load All Remaining Users is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Registry to All
    • Under Custom Scan box paste this in:

      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      mv61xx.sys
      userinit.exe
      explorer.exe
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.
 
Thank you Mr. Broni. I'm caught up a little over the weekend but I'll post that log as soon as I can. Will probably get down to it tomorrow.
 
Reopened on OP request:
Hi guys. This is with reference to this thread. Sorry, Mr. Broni. It was a little difficult to get hold of a working computer to download the program you asked me to. Hence the delay. I have attached the .txt file. Thanks for all the help.
 

Attachments
  • OTL.Txt (119 KB)
Do this on the computer you are posting from:
Copy the text in the codebox below:


Code:
:OTL
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 210.210.19.82   www.sifymall.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Value error. File not found
O2 - BHO: () - {F9365A70-67B4-4A09-8501-8B011E238E13} - C:\WINDOWS\system32\shbrhvv.dll ()
O4 - HKU\systemprofile_ON_C..\Run: [AVG7_Run] D:\COMPUT~1\avgw.exe File not found
O4 - Startup: Error locating startup folders.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\msdaipp - No CLSID value found
O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-5318630162-6260009324-117845635-3709\winsystem.exe) - C:\RECYCLER\S-1-5-21-5318630162-6260009324-117845635-3709\winsystem.exe ()
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
[2010/04/04 22:57:18 | 000,000,434 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2001/08/23 08:00:00 | 000,112,128 | ---- | C] () -- C:\WINDOWS\System32\shbrhvv.dll

:Services
SRV - [2001/08/23 08:00:00 | 000,112,128 | ---- | M] () [Auto] -- C:\WINDOWS\system32\shbrhvv.dll -- (smnlitau)

:Reg

:Files
C:\WINDOWS\system32\drivers\atapi.sys|C:\WINDOWS\system32\dllcache\atapi.sys /replace

:Commands
[purity]
[emptytemp]

Open Notepad and paste it.
Save the document as Fix.txt onto a USB flash drive.


On the infected computer, do the following...

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
  • Attempt to reboot normally into Windows.
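The indicators the fix above targets (hosts entries steering banking domains to outside IPs, a nameless BHO loaded from system32, a Winlogon TaskMan value living under RECYCLER) are exactly what a responder screens an OTL report for. The following triage script is an added example, not the forum's or OTL's own code: the regexes for the O1/O2/O20 line shapes and the UNTRUSTED_DIRS list are my own assumptions, and the sample input is constructed from the lines quoted in the fix plus one benign hosts entry.

```python
import ipaddress
import re

# Constructed sample: the hosts, BHO and Winlogon lines quoted in the OTL fix above,
# plus one benign hosts entry so the checks see both good and bad input.
SAMPLE_OTL = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 210.210.19.82   www.sifymall.com
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Value error. File not found
O2 - BHO: () - {F9365A70-67B4-4A09-8501-8B011E238E13} - C:\\WINDOWS\\system32\\shbrhvv.dll ()
O20 - HKLM Winlogon: TaskMan - (C:\\RECYCLER\\S-1-5-21-5318630162-6260009324-117845635-3709\\winsystem.exe) - C:\\RECYCLER\\S-1-5-21-5318630162-6260009324-117845635-3709\\winsystem.exe ()
"""
# Assumed line shapes, derived from the report lines quoted in this thread.
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO:\s+\((.*?)\)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.*)$")
WINLOGON_RE = re.compile(r"^O20 - HKLM Winlogon:\s+(\w+)\s+-\s+\((.*?)\)")
# Assumed list: directories from which a Winlogon entry has no legitimate reason to load.
UNTRUSTED_DIRS = ("\\recycler\\", "\\recycled\\", "\\temp\\")

def is_loopback(ip_text):
    """True for 127.0.0.0/8 or ::1; any other hosts-file target deserves a look."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False

def triage(report_text):
    """Return (category, detail) findings for the O1/O2/O20 lines of an OTL report."""
    findings = []
    for line in report_text.splitlines():
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if not is_loopback(ip):  # hosts file steering a name to a foreign IP
                findings.append(("hosts-redirect", f"{host} -> {ip}"))
        elif m := BHO_RE.match(line):
            name, clsid, target = m.groups()
            if name.strip() in ("", "no name"):  # nameless BHO: typical of a dropped DLL
                findings.append(("unnamed-bho", f"{clsid} {target}"))
        elif m := WINLOGON_RE.match(line):
            value, path = m.groups()
            if any(d in path.lower() for d in UNTRUSTED_DIRS):
                findings.append(("winlogon-untrusted-path", f"{value} = {path}"))
    return findings

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_OTL):
        print(f"{category}: {detail}")
```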
 
Finally, can boot into Windows! Yipee! :D Everything looks the way it used to. Thanks a lot, Mr. Broni. I have attached the log file. Please do let me know if there's anything I have to do after this.

Thanks a ton, again! :)
 

Attachments
  • 04222010_141948.log (10.7 KB)
Thanks a lot, Mr. Broni. I am attaching all the requested log files.

Just one thing though. As soon as GMER finished scanning and produced the log, my system froze. Had to restart. Is that a cause for concern?

Thank you for all the help. Please do let me know what I must do after this. :)
 

Attachments
  • Avira_log.txt (11.9 KB)
  • mbam-log-2010-04-23 (08-37-22).txt (1.6 KB)
  • GMER.log (33.7 KB)
  • DDS.txt (6.3 KB)
  • Attach.txt (3.4 KB)
You're very welcome :)

As soon as GMER finished scanning and produced the log, my system froze. Had to restart. Is that a cause for concern?
No, GMER is a really powerful scanner and sometimes it may cause such an effect.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install the Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


Download HijackThis:
http://free.antivirus.com/hijackthis/
by clicking on Installer under Version 2.0.4
Install, and run it.
Post the HijackThis log.
Do NOT attempt to fix anything!

NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
 
Here are the two .txt files that you had asked me to post. Thanks a ton for all the help. :)
 

Attachments
  • ComboFix.txt (15.3 KB)
  • hijackthis.log (3.4 KB)
Make sure you allow the Recovery Console installation on the next Combofix run.


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::

Folder::

Driver::
vjdytg
smnlitau

NetSvc::
smnlitau
vjdytg

Registry::

RegLockDel::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScript.gif]

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
Oops! Sorry about that! Here are the new .txt files.

Thanks a lot. :)
 

Attachments
  • ComboFix.txt (16.6 KB)
  • hijackthis.log (3.4 KB)
Please, delete your GMER file and...

Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
Do NOT use the computer while GMER is running!
When the scan is completed, click the Save button and save the results as gmer.log.
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
 
Thank you so much, Mr. Broni! Here is the new log file.

Since running GMER the second time around, my system is freezing (thrice so far) and there was a random restart once. Icons on the desktop are vanishing upon double-clicking on them. I hope I get this posted onto the forum before another system freeze (my third attempt at posting).

I am also trying to attach the .dmp file that was generated once the system restarted. I received this error: "A fatal error occurred on your system"

BCCode : f4 BCP1 : 00000003 BCP2 : 868A3DA0 BCP3 : 868A3F14
BCP4 : 80606586 OSVer : 5_1_2600 SP : 2_0 Product : 256_1

Doesn't make any sense to me obviously, and I don't know if it'll help you diagnose the problem. Posting it anyway.

Thanks again for all the help. :)
 

Attachments
  • GMER.log (33.7 KB)
  • Mini042510-01.dmp (96 KB)
Please download Profiles by noahdfear.

* Save it to your desktop.
* Double-click profiles.exe and post its log when you reply.

=======================================================================

Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

* Double-click mbr.exe and follow the prompts (Vista users: right-click on mbr.exe and click "Run As Administrator").
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste the contents of that log file (mbr.log) into your next reply.

========================================================================

Delete your Combofix file, download a fresh one, run it and post a fresh log.
 