Can't Boot Into Windows

By mukulika
Apr 5, 2010
  1. Hi guys. Ran into a bit of a problem. I use Windows XP Pro. Yesterday, my sister unknowingly double-clicked on a virus infested pen drive. Since shutting the computer down, it isn't booting into Windows. It comes to the screen where it says that the computer, in its last running session, was not shut down properly, and would I prefer to start it in the safe mode. If I try to boot in the safe mode, it shows a screen loading a number of processes for a few seconds, and then I hear the RAM beep again and the computer restarts. If I try to boot in normally, it comes to the screen where I see the Windows bar loading. From here, it restarts. Don't really know what I should do.

    Thanks in advance for any help.
  2. Broni

    Broni Malware Annihilator Posts: 52,795   +343

    On working computer...

    Download, and run Flash Disinfector, and save it to your desktop.

    *Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
    • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this; it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


    Let's see, if we can look at your computer booting from an external source.

    You will need USB flash drive to move information from bad computer to a working computer.

    You need to download two programs.


    ISO Burner: this will allow you to burn the REATOGO-X-PE ISO to a CD and make it bootable. Just install the program; from there on it's fairly automatic (Instructions)


    • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
    • When downloaded double click and this will then open ISOBurner to burn the file to CD
    • Reboot your system (Non working computer) using the boot CD you just created.
      • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box Automatically Load All Remaining Users is checked and press OK
    • OTL should now start. Change the following settings
      • Change Drivers to All
      • Change Registry to All
      • Under Custom Scan box paste this in:

        %systemroot%\*. /mp /s
        %systemroot%\system32\*.dll /lockedfiles
        %systemroot%\Tasks\*.job /lockedfiles
        %systemroot%\system32\drivers\*.sys /lockedfiles
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive.
    • Please post the contents of the C:\OTL.txt file in your reply.
  3. mukulika

    mukulika TS Rookie Topic Starter Posts: 53

    Thank you Mr. Broni. I'm caught up a little over the weekend but I'll post that log as soon as I can. Will probably get down to it tomorrow.
  4. Broni

    Broni Malware Annihilator Posts: 52,795   +343

    No problem :)
  5. Broni

    Broni Malware Annihilator Posts: 52,795   +343

    Reopened on OP request:

    Attached Files:

    • OTL.Txt
      File size:
      119 KB
  6. mukulika

    mukulika TS Rookie Topic Starter Posts: 53

    Thanks a lot, Mr. Broni. :) Looking forward to your reply.
  7. Broni

    Broni Malware Annihilator Posts: 52,795   +343

    Do this on the computer you are posting from:
    Copy the text in the codebox below:

    O1 - Hosts:
    O1 - Hosts:
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Value error. File not found
    O2 - BHO: () - {F9365A70-67B4-4A09-8501-8B011E238E13} - C:\WINDOWS\system32\shbrhvv.dll ()
    O4 - HKU\systemprofile_ON_C..\Run: [AVG7_Run] D:\COMPUT~1\avgw.exe File not found
    O4 - Startup: Error locating startup folders.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\ (Reg Error: Key error.)
    O18 - Protocol\Handler\ipp - No CLSID value found
    O18 - Protocol\Handler\msdaipp - No CLSID value found
    O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-5318630162-6260009324-117845635-3709\winsystem.exe) - C:\RECYCLER\S-1-5-21-5318630162-6260009324-117845635-3709\winsystem.exe ()
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
    [2010/04/04 22:57:18 | 000,000,434 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
    [2001/08/23 08:00:00 | 000,112,128 | ---- | C] () -- C:\WINDOWS\System32\shbrhvv.dll
    SRV - [2001/08/23 08:00:00 | 000,112,128 | ---- | M] () [Auto] -- C:\WINDOWS\system32\shbrhvv.dll -- (smnlitau)
    C:\WINDOWS\system32\drivers\atapi.sys|C:\WINDOWS\system32\dllcache\atapi.sys /replace
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive

    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into Windows.
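As an added example (not code from the thread or from the OTL tool), a small Python triage pass over lines written in the OTL fix format quoted in the post above: it pulls the section tag and resolved path out of each line and flags the traits the fix script targets (an executable living under C:\RECYCLER, a Winlogon hook, a loaded module with no company name, an auto-start service, a dangling "File not found" entry). The line layout is assumed from the post; the sample lines are constructed and the SID in the RECYCLER path is a placeholder.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the OTL fix-line format used in the post above; the SID is a placeholder.
SAMPLE_OTL = """\
O2 - BHO: () - {F9365A70-67B4-4A09-8501-8B011E238E13} - C:\\WINDOWS\\system32\\shbrhvv.dll ()
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Value error. File not found
O4 - HKU\\systemprofile_ON_C..\\Run: [AVG7_Run] D:\\COMPUT~1\\avgw.exe File not found
O20 - HKLM Winlogon: TaskMan - (C:\\RECYCLER\\S-1-5-21-PLACEHOLDER\\winsystem.exe) - C:\\RECYCLER\\S-1-5-21-PLACEHOLDER\\winsystem.exe ()
SRV - [2001/08/23 08:00:00 | 000,112,128 | ---- | M] () [Auto] -- C:\\WINDOWS\\system32\\shbrhvv.dll -- (smnlitau)
"""

PATH_RE = re.compile(r"[A-Za-z]:\\[^\s|()]+")   # a Windows path, stopping at spaces, pipes or parens
SECTION_RE = re.compile(r"^(O\d+|SRV|DRV)\b")   # OTL section tag at the start of the line


@dataclass
class Finding:
    section: str
    path: str
    reasons: list = field(default_factory=list)


def triage_line(line: str):
    """Return a Finding for one OTL line, or None when nothing on it warrants a second look."""
    m = SECTION_RE.match(line)
    if not m:
        return None
    paths = PATH_RE.findall(line)
    path = paths[-1] if paths else ""   # the last path on the line is the one OTL resolved on disk
    reasons = []
    if "\\RECYCLER\\" in path.upper():
        reasons.append("executable persisted under the Recycle Bin directory")
    if "Winlogon" in line and "\\WINDOWS\\" not in path.upper():
        reasons.append("Winlogon hook pointing outside the Windows directory")
    if "File not found" in line:
        reasons.append("dangling reference: target file not found")
    elif "()" in line and path:
        reasons.append("loaded module with no company name recorded")
    if m.group(1) == "SRV" and "[Auto]" in line:
        reasons.append("service set to start automatically")
    return Finding(m.group(1), path, reasons) if reasons else None


def triage(text: str):
    """Run triage_line over every line of an OTL log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f.section, f.path or "(no path)", "->", "; ".join(f.reasons))
```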
  8. mukulika

    mukulika TS Rookie Topic Starter Posts: 53

    Thank you. Will try that as soon as I can and let you know. :)
  9. Broni

    Broni Malware Annihilator Posts: 52,795   +343

    Take your time :)
  10. mukulika

    mukulika TS Rookie Topic Starter Posts: 53

    Finally, can boot into Windows! Yipee! :D Everything looks the way it used to. Thanks a lot, Mr. Broni. I have attached the log file. Please do let me know if there's anything I have to do after this.

    Thanks a ton, again! :)

    Attached Files:

  11. mukulika

    mukulika TS Rookie Topic Starter Posts: 53

    Could you also please explain what went wrong with the system?

    Thank you! :)
  12. Broni

    Broni Malware Annihilator Posts: 52,795   +343

    Nice job :)
    Well, your computer was seriously infected.
    Probably still is, but we're able to remove main culprits, so you're able to boot normally.
    We still have some checking to do.

    Now, I want you to go through all steps listed here: and post required logs.
  13. mukulika

    mukulika TS Rookie Topic Starter Posts: 53

    Thanks! Shall post them as soon as possible. :)
  14. Broni

    Broni Malware Annihilator Posts: 52,795   +343

    Take your time :)
  15. mukulika

    mukulika TS Rookie Topic Starter Posts: 53

    Thanks a lot, Mr. Broni. I am attaching all the requested log files.

    Just one thing though. As soon as GMER finished scanning and produced the log, my system froze. Had to restart. Is that a cause for concern?

    Thank you for all the help. Please do let me know what I must do after this. :)

    Attached Files:

  16. Broni

    Broni Malware Annihilator Posts: 52,795   +343

    You're very welcome :)

    No, GMER is a really powerful scanner and sometimes it may cause such an effect.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

    Download HijackThis:
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
  17. mukulika

    mukulika TS Rookie Topic Starter Posts: 53

    Thank you very much. Shall get down to it this evening and post right back. :)
  18. Broni

    Broni Malware Annihilator Posts: 52,795   +343

    You're welcome :)
  19. mukulika

    mukulika TS Rookie Topic Starter Posts: 53

    Here are the two .txt files that you had asked me to post. Thanks a ton for all the help. :)

    Attached Files:

  20. Broni

    Broni Malware Annihilator Posts: 52,795   +343

    Make sure, you allow recovery console installation on next Combofix run.

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:


    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
  21. mukulika

    mukulika TS Rookie Topic Starter Posts: 53

    Oops! Sorry about that! Here are the new .txt files.

    Thanks a lot. :)

    Attached Files:

  22. Broni

    Broni Malware Annihilator Posts: 52,795   +343

    Please, delete your GMER file and...

    Download GMER: by clicking on the Download EXE button.
    Alternative downloads:
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.
  23. mukulika

    mukulika TS Rookie Topic Starter Posts: 53

    Thank you so much, Mr. Broni! Here is the new log file.

    Since running GMER the second time around, my system is freezing (thrice so far) and there was a random restart once. Icons on the desktop are vanishing upon double-clicking on them. I hope I get this posted onto the forum before another system freeze (my third attempt at posting). :blackeye:

    I am also trying to attach the .dmp file that was generated once the system restarted. I received this error: "A fatal error occurred on your system"

    BCCode : f4 BCP1 : 00000003 BCP2 : 868A3DA0 BCP3 : 868A3F14
    BCP4 : 80606586 OSVer : 5_1_2600 SP : 2_0 Product : 256_1

    Doesn't make any sense to me obviously, and I don't know if it'll help you diagnose the problem. Posting it anyway.

    Thanks again for all the help. :)

    Attached Files:

  24. Broni

    Broni Malware Annihilator Posts: 52,795   +343

    Please download Profiles by noahdfear.

    * Save it to your desktop.
    * Double-click profiles.exe and post its log when you reply.


    Download the MBR Rootkit Detector: to your desktop.

    * Doubleclick mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log (mbr.log) file to your next reply.


    Delete your Combofix file, download fresh one, run it and post fresh log.
  25. mukulika

    mukulika TS Rookie Topic Starter Posts: 53

    Thanks a lot, Mr. Broni. Shall get down to it as soon as I can and post right back. :)