[noahdfear]

Execute the following command via Task Manager.

%systemroot%\system32\restore\rstrui.exe

If successful, it will open System Restore.
Select Restore my computer to an earlier time then click Next.
Using the calendar, look for a restore point (bolded day) at the time of the first ComboFix run or just before (mid-October?), select it then click Next.
Again, click Next to start the restore process and let me know the current state once the system restarts.

[Advertisements]

Hi,
Sorry for the delay ... I'm out of town and will be back at home late Saturday evening. I'll get back to this discussion when I'm home. Hope that's OK!

[jay_sohhn]

Hi,
Sorry for the delay ... I'm out of town and will be back at home late Saturday evening. I'll get back to this discussion when I'm home. Hope that's OK!

[noahdfear]

That's quite alright. Thanks for the update!

[jay_sohhn]

I ran system restore and tried to go back to mid-October. But for some reason, I was not able to go past November 6, 2009. So I just restored the computer to the November 6 settings. The computer restarted and I still cannot get a taskbar or start menu. I only see the wallpaper. Whew, sorry about all the trouble.

[noahdfear]

Open Task Manager and click File>New Task then type cmd and hit Enter to open a command window.
In the command window, type sfc /scannow then hit Enter.
This will start the System File Checker, which will replace any system files found to be corrupted if a replacement copy is found.
Occasionally the system cannot find one and will ask for the XP cd.
Since you have no cd drive, you'll have to skip any of those should it prompt you (click Cancel).

When finished, if not prompted to restart the computer, please do so, then let me know if there's any change.

[jay_sohhn]

I did as requested. When the scan was going, I was not prompted to restart at any time, nor was I asked to insert the XP CD. After the scan completed (about 30 minutes later) I had to restart the computer myself. No difference. When Windows starts, I still get the error message "The application failed to initialize properly (0xc000007b). Click on OK to terminate the application." Don't know if that's at all helpful. Thanks!

[noahdfear]

Unless I'm misunderstanding your reply, that stop error may be very helpful. Sounds as though you may also have one of the newer rootkit infections which infects storage controller drivers. Let's see if we can find a copy of the most commonly infected driver and replace it - atapi.sys. To do so, you will need to boot into the Recovery Console (RC).

Once in the RC at the C:\Windows> prompt, execute the following commands (in bold - notes inline) to see if there is a copy of atapi.sys available.

Section 1 - Check in Service Pack 3 installation source

cd servicepackfiles\i386 << the command prompt should read C:\Windows\ServicePackFiles\i386> if the directory exists - if non-existent, skip to section 2 below
dir atapi.sys << if the file exists it will be displayed with filesize and date info - if non-existent skip to section 2 below
ren c:\windows\system32\drivers\atapi.sys atapi.sys.vir << you will receive no confirmation this command succeeded - it will just return to the C:\windows\ServicePackFiles\i386> prompt
copy atapi.sys c:\windows\system32\drivers << if successful it will display 1 file copied to the screen and return to the command prompt - you are done
exit << this will restart the computer

Section 2 - In the event there is no copy at C:\Windows\ServicePackFiles\i386

cd c:\windows\system32\dllcache
dir atapi.sys << if one is not available, skip to section 3 below
ren c:\windows\system32\drivers\atapi.sys atapi.sys.vir
copy atapi.sys c:\windows\system32\drivers
exit

Section 3 - In the event there is no copy at C:\Windows\system32\dllcache

cd c:\windows\i386 << if this location doesn't exist, try cd C:\i386 and continue with next command - if neither directories exist, type exit to restart and let me know.
dir atapi.sys << if present, continue with next command - otherwise type exit to restart
ren c:\windows\system32\drivers\atapi.sys atapi.sys.vir
copy atapi.sys c:\windows\system32\drivers
exit

Let me know the results of the above actions. If you have questions, please ask before attempting anything.

[jay_sohhn]

Here's what I did:
Section 1:
Typed in cd servicepackfiles\i386.
RESULT: "The system cannot find the file or directory specified."

Section 2:
Typed in cd c:\windows\system32\dllcache, and hit enter.
Typed in dir atapi.sys.
RESULT: "No matching files were found."

Section 3:
Typed in cd c:\windows\i386, and hit enter.
Typed in dir atapi.sys, and hit enter.
RESULT: "No matching files were found."

[noahdfear]

Just reading back through previous posts and would like to clarify a couple of things.

Does the computer still load to the desktop, wallpaper only?
Does the error message displayed still refer to explorer.exe?
Can you still navigate with the Task Manager?

[noahdfear]

If answers to the above are yes, I would also like for you to check something else.
Restart the computer and begin tapping the F8 key to enable the advanced startup menu.
Select Safe Mode, then test both your user account and the Administrator user account to see if the behavior is any different.

[jay_sohhn]

Answers to above questions are "yes."

So I entered into Safe Mode and discovered that both my user account and the administrator account behave the same. In other words, when I start up in either account, I get the stop error message that I referred to above and cannot see a taskbar or start menu. I only see a black screen that says "Safe Mode" in all four corners of the screen along with something at the top center that says, "Microsoft ® XP ® (Build 2600.xpsp_sp3_gdr.090804-1435: Service Pack 3)

[noahdfear]

Using Task Manager, browse to c:\windows\erdnt\hiv-backup and see if you can determine the creation date on the files there.
Then do the same with the files in C:\windows\erdnt\subs

I'm interested in the security, sam, software and system files only.


Would you also try your usb flash drive again to see if it will function?

[jay_sohhn]

Here's what I found in c:\windows\erdnt\hiv-backup:
1. SAM: Created on Oct. 28, 2009, 12:46pm
2. Security: Created on Oct. 28, 2009, 12:46pm
3. Software: Created on Oct. 28, 2009, 12:46pm
4. System: Created on Oct. 28, 2009, 12:46pm

Here's what I found in C:\windows\erdnt\subs:
1. SAM: Created on Nov. 11, 2009, 3:46pm
2. Security: Created on Nov. 11, 2009, 3:46pm
3. Software: Created on Nov. 11, 2009, 3:46pm
4. System: Created on Nov. 11, 2009, 3:46pm

I tried the flashdrive I used last time and got the following error:
"Error loading newdev.dll. %1 is not a valid win32 application."

But then I tried another flashdrive, and it was successful. So maybe there's something quirky going on with the first flashdrive.

[noahdfear]

The newdev.dll should probably only get loaded when a device new to the system is attached. Maybe you've never used that one, or never used in that usb port?

Please run the erdnt.exe file in the hive-backup folder to restore the hives created at that time. Reboot when done and let me know if there's any change.

[jay_sohhn]

I did as directed. No change.