Windows Police Pro



#31
Raktor (Member, 268 posts)
Onto a working computer, with a CD burner, please download the Hiren's BootCD v10.0 + Keyboard Patch iso image from the following link, then extract the contents to a folder of its own.

http://www.hirensbootcd.net/

Next download and install the ISO Recorder version for your operating system (the operating system used to burn the cd).

Once ISO Recorder is installed, insert a blank cd then right click the Hiren'sBootCD.iso file in the Hiren's folder.
Select Copy Image to CD from the right click context menu.
Leave all settings to default in the CD Recording Wizard that opens and burn the disc.
When complete, insert the cd into your computer and restart.
You should be presented with a boot menu.
Select Start Mini Windows XP

You should now be able to copy over data to your external hard drive. I would not recommend backing up .exe files or .scr files, as there is the possibility of infection.

#32
Raktor (Member, 268 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#33
jay_sohhn (Topic Starter, Member, 92 posts)
Hi, Raktor ... sorry about the delay ... holidays were a bit busy. So here's the deal: the infected computer does not have a CD drive (it's a netbook). Should I just save everything onto an external flashdrive or something?

#34
noahdfear (Malware Expert, MVP, 1,316 posts)
Hi Jay,

I've re-opened your topic. Raktor is away for a few days, and if you're not opposed to it, I will continue helping you in his absence.

If you're up to it, I'd like to make another attempt at recovery. If so, do the following.

Start the Recovery Console and at the C:\Windows> prompt, type the following line.

copy c:\windows\servicepackfiles\i386\svchost.exe c:\windows\system32

It should report 1 file copied.
Type Exit to restart.

If the computer again gets to the logon and restarts, begin tapping F8 upon restart to enable the Advanced Start menu.
From this screen, select Disable Automatic Restart.
The computer should blue screen instead of restarting.
Please post the stop error information shown, and if one is named, the filename shown as the cause.

#35
jay_sohhn (Topic Starter, Member, 92 posts)
Hi, noahdfear-
A tag team effort, eh? Good. Thanks very much for your willingness to help. Here's what I did and what happened:
1) At the c:\windows> prompt I entered the text you asked me to enter in. The computer spit back out "File not found."
2) I hit "exit." The computer then went into the neverending loop.
3) I hit F8 continuously and was able to enable the Advanced Startup Menu. I then disabled automatic restart.
4) The blue screen appeared and the following message appeared:

STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc000007b (0x00000000 0x00000000).
The system has been shut down.


Let me know what I should do next. Thanks again for your help!

#36
noahdfear (Malware Expert, MVP, 1,316 posts)
Try this one from the C:\Windows> prompt.

copy c:\windows\erdnt\cache\svchost.exe c:\windows\system32

If successful, but you still restart/bsod on startup, try this one.

copy c:\windows\erdnt\cache\atapi.sys c:\windows\system32\drivers

Let me know the results.

#37
jay_sohhn (Topic Starter, Member, 92 posts)
Here's what I did:
1) copy c:\windows\erdnt\cache\svchost.exe c:\windows\system32
** Result: "1 file copied." I exited and went into the neverending loop.

2) copy c:\windows\erdnt\cache\atapi.sys c:\windows\system32\drivers
** Result: Computer asked me "Overwrite atapi.sys? <Yes/No/All>:"
It seemed like any misstep here could be really bad, so maybe you can tell me what to do here?

Thanks.

#38
noahdfear (Malware Expert, MVP, 1,316 posts)
Answer yes. :)

I know it may seem as though a misstep on this file might seem really bad, but you're already in a non-boot situation - overwriting that 1 file with another copy can't really be that bad if you think about it. :)

#39
jay_sohhn (Topic Starter, Member, 92 posts)
I tried your suggestions & got the restart/bsod loop again. Let me know what to do next. Thanks.

#40
noahdfear (Malware Expert, MVP, 1,316 posts)
Please repeat the instructions from Raktor's post #17 above and let me know the results.

#41
jay_sohhn (Topic Starter, Member, 92 posts)
I followed the instructions as per Raktor's post #17. The computer spit back up "1 file(s) copied" ten different times. I typed "exit." And my computer keeps going through the restarting loop.

#42
noahdfear (Malware Expert, MVP, 1,316 posts)
At the command prompt, please type the following, hitting Enter after each.

cd system32
dir winlogon.exe
dir csrss.exe
dir userinit.exe
dir svchost.exe


Write down the information displayed for each dir command - date, time and filesize, then post that information back here please.
I would also like for you to F8 and disable automatic restart once more and verify if the stop error remains the same.

#43
jay_sohhn (Topic Starter, Member, 92 posts)
1) After "dir winlogon.exe" I got the following message:
The volume in drive c has no label
The volume serial number is f48f-490d
Directory of c:\windows\system32\winlogon.exe
04/14/08 08:00a -------- 507904 winlogon.exe
1 file(s) 507904 bytes
29592096768 bytes free

2) After "dir csrss.exe" I got:
04/14/08 08:00a -a------ 6144 csrss.exe
1 file(s) 6144 bytes
29592096768 bytes free

3) After "dir userinit.exe" I got:
04/14/08 08:00a -------- 26112 userinit.exe
1 file(s) 26112 bytes
29592096768 bytes free

4) After "dir svc host.exe" I got:
10/09/09 08:33p -a------ 14336 svchost.exe
1 file(s) 14336 bytes
29592096768 bytes free

I disabled automatic restart. The error message that appeared on the blue screen was the exact same one as the one I posted earlier.

Thanks!
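
Added example (not part of the original thread): a Python parser for the dir lines reported in post #43 that tabulates date, time and size and lists any file whose timestamp differs from the most common one in the set. A differing timestamp only marks a file for comparison against a known-good copy; the function names are hypothetical and the regular expression assumes the line layout shown in that post.

```python
import re
from collections import Counter
from datetime import datetime

# dir output as reported in post #43 (first listing kept with its header lines).
SAMPLE = """\
The volume in drive c has no label
The volume serial number is f48f-490d
Directory of c:\\windows\\system32\\winlogon.exe
04/14/08 08:00a -------- 507904 winlogon.exe
1 file(s) 507904 bytes
29592096768 bytes free
04/14/08 08:00a -a------ 6144 csrss.exe
04/14/08 08:00a -------- 26112 userinit.exe
10/09/09 08:33p -a------ 14336 svchost.exe
"""

# date, time with a/p suffix, attribute flags, size in bytes, file name
ENTRY = re.compile(
    r"^(\d{2}/\d{2}/\d{2})\s+(\d{2}:\d{2})([ap])\s+(\S+)\s+(\d+)\s+(\S+)$"
)

def parse_listing(text):
    """Return one dict per file entry; header and summary lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # volume label, "1 file(s)" totals, free-space lines
        date, hhmm, ampm, attrs, size, name = m.groups()
        stamp = datetime.strptime(f"{date} {hhmm}{ampm}m", "%m/%d/%y %I:%M%p")
        entries.append({"name": name.lower(), "stamp": stamp,
                        "attrs": attrs, "size": int(size)})
    return entries

def timestamp_outliers(entries):
    """Names whose timestamp differs from the most common one in the set."""
    if not entries:
        return []
    common = Counter(e["stamp"] for e in entries).most_common(1)[0][0]
    return [e["name"] for e in entries if e["stamp"] != common]

if __name__ == "__main__":
    files = parse_listing(SAMPLE)
    for e in files:
        print(f'{e["name"]:<14}{e["stamp"]:%Y-%m-%d %H:%M}  {e["size"]:>8}')
    print("check against known-good copy:", timestamp_outliers(files))
```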

#44
noahdfear (Malware Expert, MVP, 1,316 posts)
Let's check a couple more.

cd system32
dir msv1_0.dll
dir wininet.dll
dir msasn1.dll
cd dllcache
dir msv1_0.dll
dir wininet.dll
dir msasn1.dll
dir svchost.exe


All I need is the first line from each dir command - the line that shows date, time and size.

#45
noahdfear (Malware Expert, MVP, 1,316 posts)
New strategy.

Type the following commands at the c:\windows> prompt hitting Enter after each.

cd system32
ren msasn1.dll msasn1.old
ren msv1_0.dll msv1_0.old
cd dllcache
copy msasn1.dll c:\windows\system32
copy msv1_0.dll c:\windows\system32
exit



Let me know the results.