Completely disabled by SecureBill,inc virus / malware! [Closed]


  • This topic is locked

#16
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

My sincere apologies for the prolonged delay on my behalf, unforeseen circumstances I'm afraid due to recent inclement weather in my locale.

OK, what I propose first is we check if we can create a working internet connection with your son's machine via xPUD. You can try either wireless or an ethernet cable depending on what you use at home/how your son's machine connects etc.

Then if that is successful we can check if any System Restore points are available that can be invoked to a point before the actual current non booting issue. If not we will merely try something else...

Next:

Note: All of the below will be done via your son's machine.

Boot your Son's machine with the xPUD disk again...

Click on Setting >> then under System check if the machine is able to gain internet access via using either of the below options and following the prompts:-

WiFi
setup wireless connection


Or:-

Ethernet
setup wired connection


If able to create a connection with either, click on Menu then:-

Web Browser
firefox


In the browser address bar enter www.google.com >> then in the Google search box enter >> Geeks to Go

Go to the forum and navigate back to this topic and download rst.sh

Then click on File >> double click on MMT to expand >> under File System >> Downloads >> you should now see rst.sh. Copy that/move it to the location sda1

Then navigate back to MMT >> sda1

  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located next to rst.sh named enum.log
Copy the contents of enum.log >> click on Menu in the left-hand side >> Web Browser /Firefox

Post the contents of enum.log for my review (if available/able to do so) and we will go from there, thank you.


#17
Duncan63

    Member

  • Topic Starter
  • Member
  • 27 posts
Hi, and thanks :)

Took me a while to work out what to open enum.log with once I created it but eventually realised I could open it with Firefox Web Browser, so here it is!

28.5M Jan 24 02:36 /mnt/sda2/WINDOWS/system32/config/SOFTWARE
9.8M Jan 24 02:36 /mnt/sda2/WINDOWS/system32/config/SYSTEM

27.5M Oct 28 00:36 /sda2/~/RP281/~SOFTWARE
27.5M Oct 31 20:27 /sda2/~/RP282/~SOFTWARE
27.5M Nov 4 01:03 /sda2/~/RP283/~SOFTWARE
27.5M Nov 7 01:51 /sda2/~/RP284/~SOFTWARE
27.5M Nov 10 18:26 /sda2/~/RP285/~SOFTWARE
27.5M Nov 10 23:25 /sda2/~/RP286/~SOFTWARE
27.5M Nov 14 02:20 /sda2/~/RP287/~SOFTWARE
27.5M Nov 18 00:01 /sda2/~/RP288/~SOFTWARE
27.5M Nov 22 21:03 /sda2/~/RP289/~SOFTWARE
27.5M Nov 25 00:35 /sda2/~/RP290/~SOFTWARE
27.5M Nov 26 02:35 /sda2/~/RP291/~SOFTWARE
27.5M Dec 3 02:56 /sda2/~/RP292/~SOFTWARE
27.5M Dec 6 20:03 /sda2/~/RP293/~SOFTWARE
27.5M Dec 8 20:43 /sda2/~/RP294/~SOFTWARE
27.5M Dec 13 21:31 /sda2/~/RP295/~SOFTWARE
27.5M Dec 14 20:06 /sda2/~/RP296/~SOFTWARE
27.5M Dec 15 21:16 /sda2/~/RP297/~SOFTWARE
27.5M Dec 17 20:27 /sda2/~/RP298/~SOFTWARE
27.5M Dec 19 01:43 /sda2/~/RP299/~SOFTWARE
27.5M Dec 27 22:29 /sda2/~/RP300/~SOFTWARE
27.5M Jan 1 21:35 /sda2/~/RP301/~SOFTWARE
27.5M Jan 7 21:05 /sda2/~/RP302/~SOFTWARE
27.5M Jan 9 03:56 /sda2/~/RP303/~SOFTWARE
27.5M Jan 11 18:21 /sda2/~/RP304/~SOFTWARE
27.6M Jan 12 18:31 /sda2/~/RP305/~SOFTWARE
27.6M Jan 13 16:57 /sda2/~/RP306/~SOFTWARE
28.4M Jan 16 03:37 /sda2/~/RP307/~SOFTWARE
28.4M Jan 20 19:25 /sda2/~/RP308/~SOFTWARE
28.4M Jan 20 19:27 /sda2/~/RP309/~SOFTWARE
28.4M Jan 21 21:08 /sda2/~/RP310/~SOFTWARE
28.4M Jan 22 23:29 /sda2/~/RP311/~SOFTWARE
28.4M Jan 23 19:32 /sda2/~/RP312/~SOFTWARE
28.4M Jan 23 19:37 /sda2/~/RP313/~SOFTWARE
28.4M Jan 23 19:49 /sda2/~/RP314/~SOFTWARE
28.4M Jan 23 23:29 /sda2/~/RP315/~SOFTWARE
7.0M Oct 28 00:36 /sda2/~/RP281/~SYSTEM
7.0M Oct 31 20:27 /sda2/~/RP282/~SYSTEM
7.0M Nov 4 01:03 /sda2/~/RP283/~SYSTEM
7.0M Nov 7 01:51 /sda2/~/RP284/~SYSTEM
7.0M Nov 10 18:26 /sda2/~/RP285/~SYSTEM
7.0M Nov 10 23:25 /sda2/~/RP286/~SYSTEM
7.0M Nov 14 02:20 /sda2/~/RP287/~SYSTEM
7.0M Nov 18 00:01 /sda2/~/RP288/~SYSTEM
7.0M Nov 22 21:03 /sda2/~/RP289/~SYSTEM
7.0M Nov 25 00:35 /sda2/~/RP290/~SYSTEM
7.0M Nov 26 02:35 /sda2/~/RP291/~SYSTEM
7.0M Dec 3 02:56 /sda2/~/RP292/~SYSTEM
7.0M Dec 6 20:03 /sda2/~/RP293/~SYSTEM
7.0M Dec 8 20:43 /sda2/~/RP294/~SYSTEM
7.0M Dec 13 21:31 /sda2/~/RP295/~SYSTEM
7.0M Dec 14 20:06 /sda2/~/RP296/~SYSTEM
7.0M Dec 15 21:16 /sda2/~/RP297/~SYSTEM
7.0M Dec 17 20:27 /sda2/~/RP298/~SYSTEM
7.0M Dec 19 01:43 /sda2/~/RP299/~SYSTEM
7.0M Dec 27 22:29 /sda2/~/RP300/~SYSTEM
7.0M Jan 1 21:35 /sda2/~/RP301/~SYSTEM
7.0M Jan 7 21:06 /sda2/~/RP302/~SYSTEM
7.0M Jan 9 03:56 /sda2/~/RP303/~SYSTEM
7.0M Jan 11 18:21 /sda2/~/RP304/~SYSTEM
7.0M Jan 12 18:31 /sda2/~/RP305/~SYSTEM
7.0M Jan 13 16:57 /sda2/~/RP306/~SYSTEM
7.0M Jan 16 03:37 /sda2/~/RP307/~SYSTEM
7.0M Jan 20 19:25 /sda2/~/RP308/~SYSTEM
7.0M Jan 20 19:27 /sda2/~/RP309/~SYSTEM
7.0M Jan 21 21:08 /sda2/~/RP310/~SYSTEM
7.0M Jan 22 23:29 /sda2/~/RP311/~SYSTEM
7.0M Jan 23 19:32 /sda2/~/RP312/~SYSTEM
7.0M Jan 23 19:37 /sda2/~/RP313/~SYSTEM
7.1M Jan 23 19:49 /sda2/~/RP314/~SYSTEM
9.5M Jan 23 23:29 /sda2/~/RP315/~SYSTEM

Hope this helps - best regards.

Edited by Duncan63, 09 February 2012 - 01:59 PM.

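A restore-point enumeration of the kind the enum.log above reports, written here as an added example (not the thread's rst.sh): it lists the SOFTWARE and SYSTEM hive copies per RPnnn folder, counts the points that still carry a hive copy, and checks for a named point case-sensitively. It assumes the Windows XP on-disk layout under System Volume Information and uses a constructed sample tree in place of the /mnt/sda2 volume xPUD shows.

```shell
#!/bin/sh
# Added example (not the thread's rst.sh): enumerate the registry hive copies that
# Windows XP System Restore keeps per restore point, as enum.log above lists them.
# Assumed XP layout: <vol>/System Volume Information/_restore{GUID}/RPnnn/snapshot/
#   _REGISTRY_MACHINE_SOFTWARE and _REGISTRY_MACHINE_SYSTEM (xPUD shows the volume
#   as /mnt/sda2; a constructed sample tree stands in for it here).

# Build a constructed sample volume: three restore points, each with a 64 KiB SOFTWARE
# and a 16 KiB SYSTEM hive copy.
make_sample_volume() {
    root=$(mktemp -d)
    sv="$root/System Volume Information/_restore{constructed-guid}"
    for rp in RP306 RP308 RP315; do
        mkdir -p "$sv/$rp/snapshot"
        dd if=/dev/zero of="$sv/$rp/snapshot/_REGISTRY_MACHINE_SOFTWARE" bs=1024 count=64 2>/dev/null
        dd if=/dev/zero of="$sv/$rp/snapshot/_REGISTRY_MACHINE_SYSTEM"   bs=1024 count=16 2>/dev/null
    done
    printf '%s\n' "$root"
}

# One line per hive copy: "RPnnn HIVE <size>K <mtime> <path>", ordered by restore point number.
# A copy that is far smaller than the live hive (or empty) marks a point that cannot be used.
list_restore_hives() {
    find "$1/System Volume Information" -type f -path '*/RP*/snapshot/_REGISTRY_MACHINE_*' 2>/dev/null |
    while IFS= read -r f; do
        rp=$(basename "$(dirname "$(dirname "$f")")")
        hive=${f##*_REGISTRY_MACHINE_}
        size_k=$(( $(wc -c < "$f") / 1024 ))
        mtime=$(ls -l "$f" | awk '{print $6, $7, $8}')
        printf '%s %s %sK %s %s\n' "$rp" "$hive" "$size_k" "$mtime" "$f"
    done | sort -k1.3n
}

# Number of restore points that still carry a SOFTWARE hive copy.
count_restore_points() {
    list_restore_hives "$1" | awk '$2 == "SOFTWARE" { n++ } END { print n + 0 }'
}

# Succeeds only if the named point (case sensitive, e.g. RP308) has both hive copies;
# a point missing either copy is reported as absent.
has_restore_point() {
    list_restore_hives "$1" | awk -v rp="$2" \
        '$1 == rp { seen[$2] = 1 } END { exit !(seen["SOFTWARE"] && seen["SYSTEM"]) }'
}

SAMPLE=$(make_sample_volume)
list_restore_hives "$SAMPLE"
echo "restore points with hives: $(count_restore_points "$SAMPLE")"
has_restore_point "$SAMPLE" RP308 && echo "RP308 present"
```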

#18
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

There are a fair few System Restore points, so let's see if one can be invoked as follows.

Boot your Son's machine with the xPUD disk again...

Click on File >> double click on MMT to expand >> sda1 >> both rst.sh and the prior log created should be there now.

  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh -r
  • Type RP308
  • Press Enter
  • After it has finished a report will be located at sdb1 named restore.log <-- If the machine will not boot afterwards, use xPUD to post this log for my review as you did prior for the enum.log etc.
  • Please try to boot into normal Windows now and indicate if you were successful
Please note - all text entries are case sensitive

#19
Duncan63

    Member

  • Topic Starter
  • Member
  • 27 posts
Hi :rolleyes: ,

Tried it and unfortunately no joy - It tells me in the Terminal that "Restore point RP308 not found!" and the contents of restore.log merely mimic this - nothing else. I tried the same with a couple of more distant restore points and got the same!

#20
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
OK, try a more recent one then please (see below). :)

RP315

#21
Duncan63

    Member

  • Topic Starter
  • Member
  • 27 posts
Hi again,

No joy with that either, I'm afraid. :upset:

#22
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

No joy with that either, I'm afraid.

OK, I think there is no point trying any others then, as all are probably corrupted and/or have been compromised by malware, for example.

Let's check if the actual MBR (master boot record) requires repairing and/or has a specific infection as follows...

Next:

Boot your Son's machine with the xPUD disk again.

Click on Menu then:-

Web Browser
firefox


In the browser address bar enter www.google.com >> then in the Google search box enter >> Geeks to Go

Go to the forum and navigate back to this topic and download ransom.sh

Then click on File >> double click on MMT to expand >> under File System >> Downloads >> you should now see ransom.sh. Copy that/move it to the location sda1

Then navigate back to MMT >> sda1

  • Press Tool on the top menu bar
  • Choose Open Terminal
  • Type bash ransom.sh
  • You may see the message:-

    ransomware mbr code detected on /dev/sda
    repairing mbr on /dev/sda
    mbr code OK on /dev/sdb

  • A log file will also have been created.
  • This should only take a brief moment to complete
  • Once completed > type exit to close the Terminal Window
  • Now go to Home >> restart >> remove the xPUD CD from the machine before it starts to reboot to allow the machine to reboot normally.
  • If the script was successful, the machine should now be booting normally
Note: If ransomware code is not detected you will be prompted to provide a dump of the actual MBR. No need at this time and merely exit the Terminal Console and inform myself of such in your next reply.
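An MBR integrity check in the spirit of the ransom.sh step above, added here as an example and not the thread's script: it dumps the first sector as evidence before anything else, verifies the 0x55AA boot signature, and compares a CRC fingerprint of the 446-byte code area against a baseline recorded while the machine was known good. The sectors below are constructed samples; the file names and the baseline value are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's ransom.sh): an MBR integrity check for a drive or image.
# Keeps a dump of the first sector as evidence, verifies the 0x55AA boot signature, and
# compares a CRC fingerprint of the 446-byte code area with a baseline recorded while the
# machine was known good. Sample sectors are constructed; names and baseline are assumptions.

# Constructed 512-byte sector: a text stand-in for the code area, zeroed partition table,
# and the boot signature 0x55 0xAA at offset 510 (written in octal for POSIX printf).
make_sample_mbr() {
    out=$1; code=${2:-"constructed boot code"}
    {
        printf '%s' "$code"
        dd if=/dev/zero bs=1 count=$((510 - ${#code})) 2>/dev/null
        printf '\125\252'
    } > "$out"
}

# True when bytes 510-511 hold the 55 AA boot signature.
mbr_signature_ok() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# CRC (POSIX cksum) of the code area only; partition table and signature are excluded so
# that legitimate partition edits do not change the fingerprint.
mbr_code_fingerprint() {
    dd if="$1" bs=1 count=446 2>/dev/null | cksum | awk '{ print $1 }'
}

# Check one drive/image against a baseline fingerprint. Returns 0 on match, 1 when the code
# area differs (dump kept for analysis), 2 when the sector is not a valid MBR at all.
check_mbr() {
    img=$1; baseline=$2; dump=${3:-"$img.mbr.bin"}
    dd if="$img" of="$dump" bs=512 count=1 2>/dev/null        # evidence first, repair later
    if ! mbr_signature_ok "$img"; then
        echo "no boot signature on $img (not an MBR, do not repair blindly)"; return 2
    fi
    fp=$(mbr_code_fingerprint "$img")
    if [ "$fp" = "$baseline" ]; then
        echo "mbr code OK on $img"; return 0
    fi
    echo "mbr code CHANGED on $img (fingerprint $fp, baseline $baseline); sector saved to $dump"
    return 1
}

WORK=$(mktemp -d)
make_sample_mbr "$WORK/good.bin"
make_sample_mbr "$WORK/bad.bin" "TAMPERED boot code"
BASELINE=$(mbr_code_fingerprint "$WORK/good.bin")          # recorded from the known-good image
check_mbr "$WORK/good.bin" "$BASELINE"
check_mbr "$WORK/bad.bin" "$BASELINE" || true
```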

#23
Duncan63

    Member

  • Topic Starter
  • Member
  • 27 posts
Hi again!

When I bashed ransom.sh it actually came up with

"no ransomware code detected on /dev/sda
dump the mbr of this drive? y/n" :

I selected "y" and it came back with

"dumping first track to sda64.bin

Add done! Please reboot."

So I did, and then I read your final comment, so I guess I screwed up?!

When I now reboot without xPUD it still comes up with the same hal.dll missing message.

#24
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

So I did, and then I read your final comment, so I guess I screwed up?!

Not in the least I assure you!

When I now reboot without xPUD it still comes up with the same hal.dll missing message.

OK, what we will do now is check if there are any copies of the aforementioned file on your son's machine as follows...

Reason being the original hal.dll (hardware abstraction layer, dynamic link library) file which is located at:-

C:\Windows\System32\hal.dll

May indeed be missing and/or compromised by malware. So if there is another version on-board we may be able to copy/move that and check if the machine will boot up afterwards.

Next:

Boot your Son's machine with the xPUD disk again.

Click on Menu then:-

Web Browser
firefox


In the browser address bar enter www.google.com >> then in the Google search box enter >> Geeks to Go

Go to the forum and navigate back to this topic and download driver.sh

Then click on File >> double click on MMT to expand >> under File System >> Downloads >> you should now see driver.sh. Copy that/move it to the location sda1

Now navigate back to MMT >> sda1

  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    hal.dll

  • Press Enter
  • If successful, the script will search for this file.
  • After it has finished a report will be created, named filefind.txt
Please note - all text entries are case sensitive

Post the contents of filefind.txt for my review(if available/able to do so) and we will go from there, thank you.

#25
Duncan63

    Member

  • Topic Starter
  • Member
  • 27 posts
Hi again,

after bashing driver.sh and searching for HAL.DLL the Terminal displayed the following msg:

/mnt/sda2/i386/HAL.DLL


and the contents of filefind.txt as follows:

Search results for hal.dll

f9a83d160c80ee6f45aa577cb101b83f /mnt/sda2/i386/HAL.DLL
128.6K Nov 16 2004


I checked in /mnt/sda2/i386/ and HAL.DLL is definitely there!

I also checked in /mnt/sda2/windows/system32 and there is no hal.dll in there (but there is on my good machine). I assume you're going to tell me to copy the file from i386 to system32 and then try to reboot, but I'll wait until you confirm that!

Over to you! :P

Edited by Duncan63, 13 February 2012 - 01:23 PM.



#26
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

Boot your Son's machine with the xPUD disk again.

Click on Menu then:-

Web Browser
firefox


In the browser address bar enter www.google.com >> then in the Google search box enter >> Geeks to Go

Go to the forum and navigate back to this topic and download the attached replace.txt <-- see below

Then click on File >> double click on MMT to expand >> under File System >> Downloads >> you should now see replace.txt. Copy that/move it to the location sda1

Now navigate back to MMT >> sda1

  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -r
  • Press Enter
  • You should see similar to the below:-

    Beginning replacement procedure

  • Then:-

    Done!

  • There should also be a report created named filerep.txt after the above is completed.
  • Close the Terminal Window >> click on Home >> Power Off >> Restart
Please note - all text entries are case sensitive

Let myself know if your Son's machine is now able to boot up normally. If not, post the contents of the filerep.txt for my review, thank you

#27
Duncan63

    Member

  • Topic Starter
  • Member
  • 27 posts
Hi, Did everything that you said and got the 'Beginning replacement procedure' and 'Done!' messages, but when I rebooted still got the 'missing / corrupt hal.dll' message again.

Contents of filerep.txt below:

Beginning replacement procedure

That's it! :surrender:

Edited by Duncan63, 14 February 2012 - 12:41 PM.


#28
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

when I rebooted still got the 'missing / corrupt hal.dll' message again.

OK follow the instructions again please in post #24(no need to re-download driver.sh, just follow the prior instructions to search for hal.dll etc) and post the new contents of filefind.txt for my review.

Note: In the event hal.dll is now located at C:\Windows\System32\hal.dll, no need to post the contents of filefind.txt, merely inform myself. This may indicate the version copied is corrupt and we will have to take a different approach again.

If it isn't located in the system32 folder, carry out the instructions below in Manual File Copy.

Manual File Copy:

Let's see if you can manually copy across hal.dll as follows via xPUD...

Click on File >> mnt >> sda2 >> i386 >> scroll down until you locate hal.dll >> right-click on it and select Copy

Now navigate back to sda2 >> Windows >> system32 >> click on Edit and select Paste

Click on Home >> Power Off >> Restart

Let myself know if your Son's machine is now able to boot normally.

#29
Duncan63

    Member

  • Topic Starter
  • Member
  • 27 posts
Hi again!

OK - hal.dll was not at Windows>>System32, so I copied it from i386 and placed it there.

On rebooting (without xPUD) I now get the message:

Windows could not start because of an error in the software.
Please report this problem as:
load needed DLLs for kernel.
Please contact your support person to report this problem.

Also, as I guess you'd expect, the contents of filefind.txt were the same as they were after I carried out your instructions after post #24, i.e. same hex code followed by the same folder location (i386).

Not looking good without the original installation disks, is it?! :wacko:

Edited by Duncan63, 15 February 2012 - 04:39 PM.


#30
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

Not looking good at all I'm afraid, being totally honest. As you correctly surmised, an actual XP Installation CD-ROM to use would be best...

Error Messages When You Start Your Computer if Windows Program Files Are Missing or Damaged

Encountered such in the past with an XP machine and I did advise an actual reformat and reinstallation, rather than an in-place upgrade at the time.

Even if I am able to find out which Operating System files are still missing, there may not be any available to replace them with, judging by the fact there was only one copy of hal.dll left when usually there are at least, say, two or three in various folders/locations. Plus the actual Operating System may be damaged beyond anything I could advise anyway...

However all may not be lost as I will sleep on it so to speak and research further on your behalf tomorrow morning for a viable solution, though ultimately you may need to purchase a new genuine XP Installation CD-ROM.

In the meantime carry out the below for me please.

Next:

You mentioned in a prior post the current problems seemed to occur after a Malwarebytes Anti-Malware run/advised removals. So I would like to review that log if available as follows...

Boot your Son's machine with the xPUD disk again.

Click on File >> mnt >> sda2 >> Documents and Settings >> Administrator >> Application Data >> Malwarebytes >> Malwarebytes' Anti-Malware >> Logs >> the log from the last scan run/removals which was before the current problems.

Copy the contents of the requested Malwarebytes Anti-Malware Log >> click on Menu in the left-hand side >>

Web Browser
firefox


In the browser address bar enter www.google.com >> then in the Google search box enter >> Geeks to Go

Go to the forum and navigate back to this topic and post the contents of the log for my review(if available/able to do so).