[BillPro]

The boot disk worked and I loaded the ERD commander. When I navigated to C:\Qoobox\Quarantine\C\Windows rather than containing two folders (system32 and system32.vir) it only contained the system32 folder. Since the system32.vir folder was the one I was supposed to move I'm not sure how to proceed.

[Advertisements]

Hi, BillPro

1. Navigate to the C:\Windows folder (Not the one in the Qoobox folder, but the one in the C:\ folder). Is there a System32 folder within the C:\Windows folder?

2. Can you list the folders within the C:\Qoobox\Quarantine\C\Windows folder?

3. Can you list the folders within the C:\Qoobox\Quarantine\C\Windows\System32 folder?

I need to have a better picture of your system. Besides a CD_ROM drive, does it have a floppy disk drive? Is the computer a Laptop or a Desktop? The computer you are using to communicate with us at this time, is it a Laptop or a Desktop? Had you ever established an administrator password to logon as an administrator in the sick computer? Please provide me any other information you may think may help us have a better picture of both your systems.

[JSntgRvr]

Hi, BillPro

1. Navigate to the C:\Windows folder (Not the one in the Qoobox folder, but the one in the C:\ folder). Is there a System32 folder within the C:\Windows folder?

2. Can you list the folders within the C:\Qoobox\Quarantine\C\Windows folder?

3. Can you list the folders within the C:\Qoobox\Quarantine\C\Windows\System32 folder?

I need to have a better picture of your system. Besides a CD_ROM drive, does it have a floppy disk drive? Is the computer a Laptop or a Desktop? The computer you are using to communicate with us at this time, is it a Laptop or a Desktop? Had you ever established an administrator password to logon as an administrator in the sick computer? Please provide me any other information you may think may help us have a better picture of both your systems.

[BillPro]

1. Yes, there is a system32 folder in the C:\Windows folder. Within the system32 folder there are three files (abfbdacbbfeacb.dll.vir, mcrh.tmp.vir, wnscpsu.exe.vir) and one folder with the name ".vir".

2. The are no folders in C:\Qoobox\Quarantine\C\Windows folder (now called C:\Qoobox-OLD\Quarantine\C\Windows).

3. As stated above there is no system32 folder in C:\Qoobox-OLD\Quarantine\C\Windows

Besides a CD_ROM drive, does it have a floppy disk drive? There is no floppy drive
Is the computer a Laptop or a Desktop? Laptop
The computer you are using to communicate with us at this time, is it a Laptop or a Desktop? Laptop
Had you ever established an administrator password to logon as an administrator in the sick computer? I don't recall

I hope this helps, Bill

[JSntgRvr]

Thanks, Bill

We have established that the problem with the computer was not due to the moving of the System32 folder to Combofix's Quarantine. The problem we are now facing is that when the Recovery Console is loaded, an Access Denied error is being returned when you attempt to access the C:\Windows folder. That could be due to the Administrator Password.

I will consult with my colleagues the possibility of restoring the the Registry Backup done by Combofix using other means.

I will post back shortly.

[JSntgRvr]

Hi, BillPro

Using ERD Commander, please navigate to the C:\Windows\erdnt\hiv-backup folder. Double-click the ERDNT.EXE file to start the restoration program. Once completed, restart the computer (Make sure you remove the CD).

Keep me posted.

[BillPro]

The laptop still doesn't boot and I get the same error message I've been getting:
Windows could not start because the following file is missing or corrupt:
<Windows root>\system32\hal.dll
Please re-install a copy of the above file.

[JSntgRvr]

The laptop still doesn't boot and I get the same error message I've been getting:
Windows could not start because the following file is missing or corrupt:
<Windows root>\system32\hal.dll
Please re-install a copy of the above file.

Attempt the Recovery Console. Are you still booting to the C:\ rather than to the C:\Windows prompt.

[BillPro]

I initiated the Windows Recovery Console and it brought me to the C:\> prompt. How should I proceed?

[JSntgRvr]

I initiated the Windows Recovery Console and it brought me to the C:\> prompt. How should I proceed?

In the Recovery Console, type the following and press Enter:

cd Windows

Do you still receiving an Access Denied error when you do that?

Let obtain some information that may help us recover this system. I wish your responses be on a timely basis as time is a factor to resolve this issue.

Using ERD Commander

• verify if the Hal.dll file is physically present in the C:\Windows\System32 folder
• verify if the C:\Windows\Repair folder exists
• verify if these files exist in the C:\Windows\Repair folders
  
  • default
  • sam
  • security
  • software
  • system
• verify if the C:\Boot.ini exist.
  
  • Are there other files that start with "Boot"?

Edited by JSntgRvr, 30 March 2008 - 06:23 PM.

[BillPro]

Do you still receiving an Access Denied error when you do that? Yes

verify if the Hal.dll file is physically present in the C:\Windows\System32 folder - contains two folders (.vir, config) and three VIR files (abfbdacbbfeacb.dll.vir, mcrh.tmp.vir, wnscpsu.exe.vir)

verify if the C:\Windows\Repair folder exists - Yes
verify if these files exist in the C:\Windows\Repair folders Yes
(autoexec.nt, config.nt, default, ntuser.dat, sam, secsetup.inf, security, setup.log, software, system)

default
sam
security
software
system

verify if the C:\Boot.ini exist. - Yes, with these characters "BoOT.INi"

Are there other files that start with "Boot"?
C:\Combofix\Boot.bat
C:\WINDOWS\pss\boot.ini.backup
those similiar:
Bootable.gif, Bootable.jpg, bootcons.chm, bootstat.dat, bootstrap.js

[JSntgRvr]

verify if the Hal.dll file is physically present in the C:\Windows\System32 folder - contains two folders (.vir, config) and three VIR files (abfbdacbbfeacb.dll.vir, mcrh.tmp.vir, wnscpsu.exe.vir)

So, within the C:\Windows\System32 there are only two folders? We are talking about the System32 folder within the C:\Windows folder, not the one in the Qoobox folder. Please confirm this.

[BillPro]

So, within the C:\Windows\System32 there are only two folders? Yes
We are talking about the System32 folder within the C:\Windows folder, not the one in the Qoobox folder.
That is correct.

[JSntgRvr]

Can you check if the Hal.dll is in the System32 folder located in the C:\Qoobox\Quarantine\C\Windows. If it does, does it appear as hal.dll or hal.dll.vir. What else you see within that folder?

[BillPro]

Can you check if the Hal.dll is in the System32 folder located in the C:\Qoobox\Quarantine\C\Windows.
I don't have a directory named "C:\Qoobox\Quarantine\C\Windows" rather one named "C:\Qoobox-OLD\Quarantine\C\Windows". Hal.dll does not exist in that directory nor do any files, the folder is empty.

If it does, does it appear as hal.dll or hal.dll.vir. What else you see within that folder? As stated, nothing.

[JSntgRvr]

Standby. I am booting with ERD to confirm something.