
yet another antispywareudates.net infection [RESOLVED]



#16
BillPro


    Member

  • Topic Starter
  • Member
  • 26 posts
I ran Combofix and the computer rebooted but now hangs up during the startup process displaying the following message:

Windows could not start because the following file is missing or corrupt:
<Windows root>\system32\hal.dll.
Please re-install a copy of the above file.

Please advise. Thanks
  • 0



#17
Rorschach112


    Ralphie

  • Retired Staff
  • 47,710 posts
Did you run an old version of ComboFix.exe ?

You need a tech to fix that problem

Make a new topic in the Windows XP forum, tell them I sent you, and tell them of the above problem

Come back here once they have fixed that issue
  • 0

#18
BillPro


    Member

  • Topic Starter
  • Member
  • 26 posts
I deleted the version previously installed and downloaded the new version from the link you provided. I was also careful to make sure all virus/spyware/firewall software was inactive.

I'll take this up with the tech folks and hopefully return to this post to finish things up. Thanks
  • 0

#19
steamwiz


    Malware Expert

  • Retired Staff
  • 68 posts
  • MVP
Hi Rorschach112

Excuse me for butting in here ...

RE:
Windows could not start because the following file is missing or corrupt:
<Windows root>\system32\hal.dll.
Please re-install a copy of the above file.

I have a thread at Spybot forum with this same problem...

I used a CFScript.txt to remove this file :- C:\WINDOWS\system32\dbafedacfbdafddbef.dll

But some interaction between this file & Combofix resulted in the entire system32 folder being quarantined in Qoobox.

---
When you ran the new Combofix it looks like Combofix tried to delete this file :-

2008-02-25 10:50:51 122385 --a------ C:\WINDOWS\system32\abfbdacbbfeacb.dll

Resulting in your system32 folder being quarantined in Qoobox ...

Resulting in the error you got ...

---
My poster at Spybot has not returned in several days, & sUBs would desperately like to get hold of a sample of this file :-

C:\WINDOWS\system32\abfbdacbbfeacb.dll

Please make sUBs aware of this thread,

There are ways to replace the system32 folder from Qoobox ... for instance slave the hdd to another machine OR boot up with ERD Commander, which I'm sure you are aware of ...

Then you can send a copy of that file to sUBs

Thanks

steam
  • 0

#20
Rorschach112


    Ralphie

  • Retired Staff
  • 47,710 posts
Thanks for the heads up steamwiz

I have mentioned it to sUBs just there.


Bill, we may have to do a few more steps here, so let's leave your other topic for the time being.

Edited by Rorschach112, 10 March 2008 - 03:31 PM.

  • 0

#21
Rorschach112


    Ralphie

  • Retired Staff
  • 47,710 posts
Hello Bill

Do you have the Recovery Console installed or have the Recovery Console CD available ?
  • 0

#22
JSntgRvr


    Global Moderator

  • Global Moderator
  • 10,961 posts
Hi, BillPro :)

The issue could be an unfortunate coincidence, and not necessarily due to Combofix. In order to resolve this issue we need to load the Recovery Console to rename and rebuild the Boot.ini file, and create a new boot record in your computer. Consequently, before we continue, please let us know if you have the Windows XP installation CD, or if the Recovery Console is already installed in your computer.
  • 0

#23
BillPro


    Member

  • Topic Starter
  • Member
  • 26 posts
I do have the Windows XP install CD.
  • 0

#24
JSntgRvr


    Global Moderator

  • Global Moderator
  • 10,961 posts
Note: Follow this process as given. If after loading the recovery console the prompt reads as C:\>, stop and let us know. If it reads as C:\Windows>, then continue with the rest of the instructions.

We will first attempt to rename the Boot.ini file, then rebuild it.

Insert your Windows installation CD and restart the computer. If prompted, select any options required to boot from the CD. You will be prompted with the following options:

A. To setup Windows XP, press Enter.
B. To repair Windows XP installation using recovery console, press R.

Choose the option "To repair the Windows XP installation using recovery console" by pressing R. If an Administrator Password has been established, you will be prompted to type it in. If no Administrator Password exists, just press ENTER.

You will be presented with the following:

Microsoft Windows® Recovery Console
The Recovery Console provides system repair and recovery functionality.
Type EXIT to quit the Recovery Console and restart the computer.

1: C:\WINDOWS

Which Windows Installation would you like to log onto
(To cancel, press ENTER)?


Press the number assigned to the installation you need access to on your keyboard and hit Enter.

In this case, if only the above is displayed, it is 1.

At the command prompt, type the following command and press Enter:

Attrib -s -h -r C:\Boot.ini
Ren C:\Boot.ini Boot.old
bootcfg /rebuild


  • When you receive a message that is similar to the following message, press Y:

    Total Identified Windows Installs: 1
    [1] C:\Windows
    Add installation to boot list? (Yes/No/All)

  • You receive a message that is similar to the following message:

    Enter Load Identifier

  • This is the name of the operating system. When you receive this message, type the name of your operating system, and then press ENTER. This is either Microsoft Windows XP Professional or Microsoft Windows XP Home Edition.
  • You receive a message that is similar to the following:

    Enter OS Load options

  • When you receive this message, type /fastdetect, and then press ENTER.

Once this process is completed, type EXIT and press ENTER to restart your computer.
  • 0

#25
BillPro


    Member

  • Topic Starter
  • Member
  • 26 posts
Started the Recovery Console and got the C:\> prompt.
  • 0



#26
JSntgRvr


    Global Moderator

  • Global Moderator
  • 10,961 posts
I will consult this with the Combofix developer for instructions. Will respond shortly.

Edited by JSntgRvr, 13 March 2008 - 08:04 PM.

  • 0

#27
JSntgRvr


    Global Moderator

  • Global Moderator
  • 10,961 posts
Hi, BillPro :)

When you load the Recovery Console and reach the C:\ prompt, please type the following and let us know when and what type of error message you receive:

cd windows [Press Enter]
cd system32 [Press Enter]
  • 0

#28
BillPro


    Member

  • Topic Starter
  • Member
  • 26 posts
cd windows [Press Enter]
Access is denied.
cd system32 [Press Enter]
The system cannot find the file or directory specified.
  • 0

#29
JSntgRvr


    Global Moderator

  • Global Moderator
  • 10,961 posts
Hi, BillPro :)

Since the Recovery Console is booting to the Root directory and not to the Windows Folder, then I have to agree with steamwiz, that something happened after running Combofix. Please follow any of the Options below and let me know any problems you may encounter, and outcome:

First option:

Slave the drive in another computer and follow instructions similar to the ones below to move the System32.vir folder to the Windows folder, then rename both: the System32.vir folder to System32 and the Qoobox folder to QooBox-OLD on this drive.

Second option:

Use ERD Commander:

We need a special tool from Microsoft. It's a hefty 64.3 MB download but it's worth the trouble.
Please download & install the Microsoft Diagnostics and Recovery Toolset

Once you have it installed, locate the file :

C:\Program Files\Microsoft Diagnostics and Recovery Toolset\erd50.iso

It's an ISO file which you may burn onto a CD.

Reboot the machine with the ISO CD




You will receive the above message. Ignore it & continue




From Desktop, double click on 'My Computer'

Navigate to C:\Qoobox\Quarantine\C\Windows

Right click on the System32.vir folder & select "Move To ..."




Move it to the C:\Windows folder

Then Navigate to the C:\Windows & rename the folder from System32.vir to System32

The C:\QooBox folder should also be renamed to C:\QooBox-OLD




Restart the machine & remove the CD.
With any luck, your machine shall be accessible again


  • 0

#30
JSntgRvr


    Global Moderator

  • Global Moderator
  • 10,961 posts
Hi, BillPro :)

Hello,

I downloaded the ms diag and recovery toolset, installed it and burnt the erd50.iso file onto a cd. The resulting cd was not bootable. I checked the help file that came with the software and found the following:

You cannot use the CD burning program that is included with Windows XP.
You will need the following items to successfully create a bootable CD from the ISO image that the ERD Commander Boot Media Wizard creates:
A CD-R or CD-RW drive.
A recordable CD (supported by your recordable drive).
CD burning software that supports your recordable drive and supports burning an ISO image directly to CD.

Can you suggest software that supports burning an ISO image directly to a CD?

Thanks, Bill.


Try BurnAtOnce

  • Please download BurnAtOnce and save it to your desktop. Click on Downloads, then on burnatonce 0.99.5
    • Install it by double-clicking on the file bao0995.exe that you downloaded.
    • Click Next, accept the license agreement, and click Next until the button says "Install". Click "Install" to finish.
  • Put a blank CD in your computer’s burner.
  • Right-click on the file erd50.iso, and select "burnatonce" from the menu.
  • Confirm that the box under the menu at the top says "erd50.iso".
  • Click the "Write" button.
  • When the disk finishes, eject the CD.
  • Configure the computer to start from the CD-ROM or DVD-ROM drive.
  • Insert the Image of erd50.iso that you burned to CD into your CD-ROM or DVD-ROM drive, and then restart your computer.
Let me know how it goes.
  • 0





