
Can't Boot - Perpetual Start up cycle

Discussion in 'Virus & Other Malware Removal' started by 2byC, Jan 24, 2011.

Thread Status:
Not open for further replies.
  1. 2byC

    2byC Thread Starter

    Joined:
    Jan 7, 2009
    Messages:
    83
    The system is an Intel main board, Pentium 4, 3.00 GHz, with 1024 RAM.
    I know that I contracted one of those bogus anti-virus software programs where they try to make you buy their program. Last time this happened I simply did a system restore back to an earlier date. This time I first did a "turn off the computer" procedure. Now when I try to re-start, the system counts through the RAM (to 1024mb), detects the legacy keyboard, mouse, USB, etc., and the instruction Press f2 to enter setup. The next screen asks me to choose Windows XP or Windows Recovery Console. If I am quick enough, I can select the recovery console, but then I get a C Prompt and I do not have the knowledge of what to type next.
    If I select Windows XP, then the screen shows the choices to enter SAFE mode, or Last Known Good Configuration, or Start Windows Normally.
    If I select Start Windows Normally or Last Known Good Configuration, the next screen is black with the Windows Logo and the moving blue progress bar, and then instead of starting, it goes right back to counting the RAM and the cycle continues without stopping unless I power off with the push button switch.
    If I select SAFE Mode, the next screen is full of various lines that all begin with "multi(0) disk (0)rdisk(0) partition 1\Windows\ System 32\Drivers\ etc. and then instead of starting, it goes right back to counting the RAM and the cycle continues without stopping unless I power off with the push button switch.
    I don't think I have any way to run HiJackThis.
    I have thought of installing the hard drive in another computer as a slave drive, but is there an easier way to clean this up?

    Thanks, Richard
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    when you get to recovery console
    try the fixes shown here

    try the fixboot option first
    http://www.myfixes.com/articles/system

    It might work or it might not & you might have to end up doing a reinstall
     
  3. 2byC

    2byC Thread Starter

    Joined:
    Jan 7, 2009
    Messages:
    83
    I followed the link you provided and followed the instruction sequence. It went almost exactly like the example. I also copied the files that it suggested could be optional but might be necessary.

    However, the system is still in the loop. One time I was able to get it to start in safe mode. But it did not seem to be functional, and since that one time, even when I choose "start in safe mode" it returns to the loop.

    What now?

    Thank you,
    Richard
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Only suggestion I can make is reinstall windows
     
  5. 2byC

    2byC Thread Starter

    Joined:
    Jan 7, 2009
    Messages:
    83
    Thank you for the recommendation that I reinstall Windows XP.
    I have browsed a few threads on this and other sites, and the consensus seems to be that I can re-install and probably not lose files such as documents and photos, although I may have to reinstall a few programs.

    Do you agree with that and can you point me to a good thread or page on the reinstall?

    Also, I have a new in the box Western Digital 320 GB EIDE that, although outdated, is compatible with this system which I built in 2004 and twice as large as the existing drive which has been adequate.

    What do you think of installing it as the primary drive and moving the existing drive to a slave to recover the needed files? Would this be a safer method?

    Thanks again,
    Richard
     
  6. 2byC

    2byC Thread Starter

    Joined:
    Jan 7, 2009
    Messages:
    83
    This will probably be surprising to you after my last post. However I got the system to boot.
    Sometime back I had created a boot disk called the Ultimate Boot Disk CD from a website.
    I checked my boot order and this disk opened successfully. When I selected "Boot first hard disk" it returned to the loop, but when I selected "Boot second hard disk" the system started.
    a. It took a long time to start
    b. I have two user names. The user name I was using when I got infected opened but it was partially dysfunctional.
    c. The other user name opens and seems to be entirely functional. Although it was slow to load, it responds to instructions quickly.
    d. The infected user name would not open HiJackThis. It also has a new icon called WindowsScan and has numerous error messages about "Ram usage5 high" and "Damaged hard drive clusters" and more.
    e. The other user name does not show the WindowsScan or the error messages.
    f. I was able to run HiJackThis on the alternate user name.
    g. Should we use the following HiJackThis log and proceed with clean up or do you still recommend the reinstall?

    Thank you for your attention,
    Richard

    Log Follows:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:18:33 AM, on 1/27/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    C:\Documents and Settings\Richard\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\SFIGUI.EXE" BOOT
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1171735694\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
    O4 - HKLM\..\Run: [EPSON Stylus Photo R2400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE /P24 "EPSON Stylus Photo R2400" /O6 "USB001" /M "Stylus Photo R2400"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
    O4 - HKUS\S-1-5-21-1715567821-1060284298-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-1715567821-1060284298-682003330-1003\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
    O4 - HKUS\S-1-5-21-1715567821-1060284298-682003330-1003\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User '?')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_11) -
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 8570 bytes
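
Added example, not part of the original thread: a small parser for the HijackThis log format posted above, which groups entries by section code and lists a few that a reviewer would check by hand. The sample is a subset of the log above plus one constructed O4 line; the three review heuristics are illustrative assumptions, not findings about this machine.

```python
import re
from collections import defaultdict

# A few lines copied from the HijackThis log in the post above, plus one
# constructed O4 line (value name "example") to exercise the second check.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")       # e.g. "O23 - Service: ..."
LOOPBACK_PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:127(?:\.\d{1,3}){3}|localhost)\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|Local Settings|Application Data)\\", re.I)

def parse_hijackthis(text):
    """Split a log into header fields, running processes and entries by code."""
    header, processes, entries = {}, [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries[match.group(1)].append(match.group(2))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif ": " in line:                # "Platform: ...", "Boot mode: ..."
            key, value = line.split(": ", 1)
            header[key] = value
    return header, processes, dict(entries)

def review_items(entries):
    """Return (code, reason) pairs that deserve a manual look; not a verdict."""
    findings = []
    for code, lines in entries.items():
        for entry in lines:
            if code.startswith("R") and LOOPBACK_PROXY_RE.search(entry):
                findings.append((code, "browser proxy set to a loopback address"))
            elif code == "O4" and USER_WRITABLE_RE.search(entry):
                findings.append((code, "autorun launches from a user-writable folder"))
            elif code == "O23" and " - Unknown owner - " in entry:
                findings.append((code, "service binary has no readable company name"))
    return findings

if __name__ == "__main__":
    header, processes, entries = parse_hijackthis(SAMPLE_LOG)
    print(header["Boot mode"], len(processes), review_items(entries))
```
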
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    we can try a clear up but you might still need to reinstall

    Delete any existing version of ComboFix you have sitting on your desktop
    Please read and follow all these instructions very carefully
    Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

    Download ComboFix from Here or Here to your Desktop.
    As you download it rename it to username123.exe


    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re enable the protection again after combofix has finished
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on combofix.exe & follow the prompts.
    If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

    Please tell us if it has cured the problems or if there are any outstanding issues
     
  8. 2byC

    2byC Thread Starter

    Joined:
    Jan 7, 2009
    Messages:
    83
    I ran Combo Fix following instructions as closely as I could with the infected system.
    The Combo Fix log is 92 pages long in 12 point Times New Roman font.
    Should I copy and paste it into a reply or more than one reply? Or should I send it as an attachment, or run it again and hope it is shorter?

    Or does the lengthy log indicate a need to reinstall?
    I have tried to back up some files (I have recent backups but not the most recent possible,) but the drag and drop feature in My Documents is not functional.

    Thanks for your advice,
    Richard
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    please attach it
    if it is that large then you might have to zip it first
    please don't run combofix again until we have seen what it found on that first run
     
  10. 2byC

    2byC Thread Starter

    Joined:
    Jan 7, 2009
    Messages:
    83
    Log attached as requested.
     

    Attached Files:

  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    please go to c:\qoobox & find ComboFix5.txt upload that here so I can see what was fixed in previous run
    it might be inside the quarantine folder
     
  12. 2byC

    2byC Thread Starter

    Joined:
    Jan 7, 2009
    Messages:
    83
    Attached is ComboFix5 found in C://qoobox as requested. I renamed it ComboFix5Send to be sure I could find it.
    Thank you,
    Richard
     

    Attached Files:

  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    reboot & run combofix again please
     
  14. 2byC

    2byC Thread Starter

    Joined:
    Jan 7, 2009
    Messages:
    83
    As instructed I re-booted and ran ComboFix again.

    The following observations may be important. I know you are busy, so simply ignore anything not relevant. No reply to each item will mean to me that they are not relevant at this time.
    1. Every time I re-boot, I run Msconfig to check on my startup status in System Configuration Utility. The system is running in selective startup mode. When I reset to normal startup and then re-boot, the system reverts to selective startup on its own. I am unable to start in normal startup mode.
    2. I am still booting from my Ultimate Boot CD. When I select "boot first hard drive" the system loops.
    I am only able to boot by selecting "boot second hard drive". I conclude (but am not certain) that I am booting from the slave drive I took out of my last computer and installed in order to access its assorted files. However it may have a complete XP Pro OS on it.
    Does this mean that ComboFix is not working on my primary drive ?
    3. The System Configuration Utility shows that I have 35 processes running. It also indicates that I am using zero percent CPU at idle. I have never seen a system that idled at 0% CPU.

    Latest ComboFix Log attached. Also this time I see a folder called Quarantined Files (in qoobox) that I did not observe in the previous run, and I think was generated this time. It is attached as well.

    Thanks again,
    Richard
     

    Attached Files:

  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    I can't see any fix for this one except reinstall windows on the first hard drive

    yes we have cleared some junk away but it looks like missing or damaged system files where combofix can't do a cryptographic check
    that normally means something has deleted vital files that are needed for Windows to boot
     