[JSntgRvr]

Boot with the Reatogo CD. Using explorer (Right click on the Start button and select Explore), navigate to the C:\ folder. Rename the Boot.ini file to Boot.ini.vir. Restart the computer to Normal Mode and test. Does it complaint about the boot.ini file?

[Advertisements]

Adding the .vir made no difference in the way it started up - saw the Window XP window then it went to black screen again.

In the original scan - did I see a whole bunch of drivers (DR) inactive? I know, it's not my area but I wondered about it at first and never asked.

I do appreciate the help.

bamakodaker

[bamakodaker]

Adding the .vir made no difference in the way it started up - saw the Window XP window then it went to black screen again.

In the original scan - did I see a whole bunch of drivers (DR) inactive? I know, it's not my area but I wondered about it at first and never asked.

I do appreciate the help.

bamakodaker

[JSntgRvr]

Those files are missing and are part of setup. They shouldn't be part of the problem. Lets take a look at registry backups in the system.

Download the enclosed folder, Save and extract its contents to the flash drive. (Do not save or extract this file into your working computer)

While in the Reatogo desktop, navigate to the Flash drive and double click on the Query.bat. If all goes well the batch file will disappear and a Log.txt will be saved in the C:\ folder. Copy that file to the flash drive and post its contents in your next reply

If the file is too large to post, please scroll down in your replay to attachments, and attach the report.

[bamakodaker]

I hope I did all this last step correct. You mentioned a possible HUGE text response.
Below is the response from the previous step.
bamakodaker


Volume in drive C is HP_PAVILION
Volume Serial Number is 28FA-81DD

Directory of C:\WINDOWS\System32\config

12/06/2005 12:51 PM <DIR> .
12/06/2005 12:51 PM <DIR> ..
06/07/2006 02:30 AM 65,536 AppEvent.Evt
11/20/2010 05:17 PM 262,144 default
12/04/2005 05:42 PM 94,208 default.sav
06/07/2006 02:31 AM 262,144 SAM
06/07/2006 02:30 AM 65,536 SecEvent.Evt
06/07/2006 02:31 AM 262,144 SECURITY
11/23/2010 08:40 PM 26,476,544 software
12/04/2005 05:42 PM 634,880 software.sav
06/07/2006 02:30 AM 65,536 SysEvent.Evt
11/24/2010 03:19 PM 4,980,736 system
12/04/2005 05:42 PM 884,736 system.sav
11/11/2010 07:41 PM <DIR> systemprofile
12/04/2005 05:42 PM 262,144 userdiff
12 File(s) 34,316,288 bytes
3 Dir(s) 75,305,959,424 bytes free
Volume in drive C is HP_PAVILION
Volume Serial Number is 28FA-81DD

[JSntgRvr]

That was it? Is there a C:\System Volume Information folder in that computer?

[bamakodaker]

Ahhhh, I thought I was just looking for a log file after running that last query. I'll run it again then look for the System Volume Information folder.

I was just wondering if this folder might show on a previous scan? I will not be able to check the XP computer until Saturday evening.

bamakodaker

Edited by bamakodaker, 26 November 2010 - 10:39 PM.

[bamakodaker]

Ok - I look in the C drive for the System Volume Information folder.
I did find it but it is grayed out, I am unable to access the folder.It said it had 2 files and no folders. 20.0KB, date of 11/1/10.

I thought I still had an active Query on the thumb drive. When I double clicked the gmer.exe I get a flag saying x:\i386\system32\config\system: system can no find file selected. The flag is on top of window - GMER 1.0.15.15477. When OK is selected a folder shows with a tab Mootkit/Malware it has 2 threads in it.

Anyway - that's all I know at this time.

I look forward to any suggestions offered.

bamakodaker

[JSntgRvr]

GMER won't properly run in an external environment such as Reatogo.

Seems there are no restore points available. I see signs that you had ran Combofix before. Remove the query.zip previously downloaded.

Download the enclosed folder. Save and extract its contents to the flash drive. (Do not save or extract this file into your working computer)

While in the Reatogo desktop, navigate to the Flash drive and double click on the Query.bat. If all goes well the batch file will disappear and a Log.txt will be saved in the C:\ folder. Copy that file to the flash drive and post its contents in your next reply

If the file is too large to post, please scroll down in your replay to attachments, and attach the report.

[bamakodaker]

I'm downloading Query from my home PC into the drive. I'll drive over to the XP computer and run this process again. After the Query is activated I simply look for a text file with today's date. Does it matter if it's in C drive or in the OTL folder?

I'll check to see if the Sys Vol Info folder is still grayed out.

I'll add the results when I get back.

Much thanks,
bamakodaker

RESULTS * * * *

Attached Files

•  Log11-28.txt   19.49KB   373 downloads

Edited by bamakodaker, 28 November 2010 - 08:09 PM.

[JSntgRvr]

The latest Registry backup is dated March 20, 2010, when Combofix was ran and a backup was created. That is better than nothing, so lets attempt to restore the registry back to that date.

Boot the computer to the Reatogo environment. Using Windows Explorer (Right click on the Start button and select Explore), navigate to the C:\WINDOWS\ERDNT\Hiv-backup folder. Rename the ERDNT.CON file to ERDNT.BAT, then double click on it. Wait until the MSDOS window closes, then restart the computer in Normal Mode.

Let me know the outcome.

[bamakodaker]

I removed CD, restarted. It came up as days of old, went to the screen to choose which user to log on as, I selected one quickly (while the computer was still clicking away at start up) and - - - it 'froze up'! I can't type anything and the cursor will not move. I'll restart again.
bamakodaker

I restarted, waiting till it wasn't clicking much - by then it was at the window to choose user, the cursor kept moving around - until I selected the user to type in the password and it froze up again - can't type and cursor frozen.

Normally to turn it off I have to hold in the power button a while before it will power down. Now, in this 'frozen' state, as soon as I push the power button the 'shutting down' screen comes up.
bamakodaker

Edited by bamakodaker, 28 November 2010 - 09:44 PM.

[JSntgRvr]

Lets try another repair. This time from the Repair folder if exist. Follow these instructions carefully. Extract the contents of the enclosed file directly to the USB drive. Do not run this program on the working computer.

Download the enclosed folder, Save and extract its contents to the flash drive. (Do not save or extract this file into your working computer)

Boot the sick computer with the Reatogo CD. While in the Reatogo desktop, navigate to the Flash drive and double click on the Repair.bat. If all goes well the batch file will disappear after the MSDOS window closes.

Retry Normal Windows.

[bamakodaker]

I knew I'd find a reply after I left there and got home! lol
I'll go run it and see what happens.

Oh, what all should we do to XP after it starts up - as far as malware/virus programs? I downloaded GTG list of programs onto flashdrive. I hope I have them all.

Ummm - any idea what caused the problems with the XP?

Much thanks,
bamakodaker

[bamakodaker]

Started up computer - got to Windows XP start window then a flag comes up saying "Whey trying to update a password this return status indicates that the provided password is not correct". Then another window shows saying 'Monitor going to sleep', then there is an 'HP Invent' window, a brief 'DOS' type window, then the Windows XP start window then the above message. It keeps going around in a loop. It did not stop till I turned it off after 6 to 8 cycles. I never saw a 'Sign In' window.

I'll look for your reply but will not be able to post results until tomorrow.

I am most grateful for your help.

bamakodaker

[JSntgRvr]

Something must have gone terribly wrong. One thing for sure, the registry somehow was modified, but despite our efforts to make the computer bootable by replacing the registry with old copies, the issue persists. I believe the only option you have at this point is to perform a Repair Install, but for that you will need a Windows XP Installation CD.

Lets restore the registry to the one originally found. Follow these instructions carefully. Extract the contents of the enclosed file directly to the USB drive. Do not run this program on the working computer.

Download the enclosed folder. Save and extract its contents to the flash drive. (Do not save or extract this file into your working computer)

Boot the sick computer with the Reatogo CD. While in the Reatogo desktop, navigate to the Flash drive and double click on the Restore.bat. If all goes well the batch file will disappear after the MSDOS window closes.

Here are instructions to perform a Repair Install. You should use at least the Microsoft Windows XP Service Pack 2 Version to effectively repair the computer:

http://michaelsteven...pairinstall.htm

I hate to lose one, but I see no other option.