Hal.dll file

Discussion in 'Software' started by h1p, Jun 21, 2011.

  1. h1p

    h1p Private E-2

    First I was fixing a PC with some kind of "MS Remover" virus. I was going through the steps listed on your page that you should try before you post. Got to the Malwarebytes program and it froze upon deleting the two infections it found. Restarted the computer to try and run the program again and got this error:

    Windows could not start because the following file is missing or corrupt:
    <Windows root>\system32\hal.dll.
    Please re-install a copy of the above file.

    I tried the windows recovery from the windows XP cd. It's unable to complete, nothing works when I hit F8 (any of the listed options).

    What are my options now?
    Do I have any besides totally reinstalling windows?
    Thanks in advance.
     
  2. thisisu

    thisisu Malware Consultant

    Most likely, it found and deleted an infected system file (.sys). Do you remember by chance what it found? Did you read what it was deleting?
     
  3. thisisu

    thisisu Malware Consultant

    Yes you have options, first logical one would be to replace whatever malwarebytes removed, with a clean copy from the windows xp install cd. I can even get you the file if you know what it removed.

    Also, if you're unsure about which file it removed, we need to get the mbam.log off the hard drive. It should have created one. It should show which files it deleted.
     
  4. h1p

    h1p Private E-2

    Not the entire thing, had I known it was going to do that I would have written it down! It let me restart prior to that, it was some sort of trojan though, don't remember the whole file name. But like I said the virus that prompted me to get this computer was MS remover? It was a program whose icon was a little grey dot in the task bar
     
  5. h1p

    h1p Private E-2

    Really impressed with the quick response! Thank you. It won't even load windows though, not in safe mode not anything. I made a windows xp cd and tried to repair and it said it couldn't complete that either. All that it does is flash the Dell screen then come up with that message on the black/white screen.
     
  6. thisisu

    thisisu Malware Consultant

    Sounds like scareware.

    Regardless, to get your computer up and running... I'd like to see what malwarebytes removed.

    The malwarebytes log, for Windows XP, should be stored in the following location of the infected computer's hard drive:

    C:\Documents and Settings\[yourusername]\Application Data\Malwarebytes\Logs


    You need a bootable CD to access it.. I prefer Hiren's boot CD, found here: download link

    So.. after you finish creating this CD.. (You'll need a blank CD-R)

    1. Boot off CD on the infected machine, using this CD
    2. Look for "Mini Windows XP"
    3. Open My Computer
    4. Go to this directory: C:\Documents and Settings\[yourusername]\Application Data\Malwarebytes\Logs
    and.. Either send the log to a flash drive and upload it here, or write down what it says and type it out here.

    Pay particular attention to anything with .sys attached to it
     
  7. h1p

    h1p Private E-2

    The whole "documents and settings" folder is inaccessible. When I try to click on it from the mini xp, the whole thing freezes up and it won't show any of the directories below it.
     
  8. h1p

    h1p Private E-2

    Just tried putting the not working hard drive into my other computer that is also running xp and copying the hal file, that apparently doesn't work either, please help!!!
     
  9. thisisu

    thisisu Malware Consultant

    How many times did you try to access the documents and settings folder? You're on windows xp right?
     
  10. thisisu

    thisisu Malware Consultant

    Does the working computer see the infected hard drive at all?
     
  11. h1p

    h1p Private E-2

    Yes, I was able to copy and paste the file but it didn't work, error still shows when I put it back in its own computer..
     
  12. h1p

    h1p Private E-2


    Tried it two or three times, by restarting it... all other folders seem readable
     
  13. thisisu

    thisisu Malware Consultant

    that's because hal.dll isn't what malwarebytes deleted. Did you read my post? here

    We need to figure out what is in the log provided by malwarebytes.

    And.. answer my other question.. Windows XP, Vista or Windows 7? Which one are you running?
     
  14. h1p

    h1p Private E-2

    windows xp
     
  15. thisisu

    thisisu Malware Consultant

    C:\Documents and Settings\[yourusername]\Application Data\Malwarebytes\Logs

    You did replace [yourusername] with your actual username right? That was just an example.

    Regardless, if you're on windows xp and trying to access that folder, it should not be locking up if you're in Hiren, unless there is some type of hard drive corruption or hard drive failure.
     
  16. h1p

    h1p Private E-2

    I was looking in the file directory.. is that the same difference? Would I be able to access the log file if I plugged it back into my [working] computer?
     
  17. h1p

    h1p Private E-2

    soooooooo I put the not working hard drive into my other computer and its able to access ALL of the other folders on the drive, but when I click on documents and settings it sits there for awhile with the hourglass, then says drive is not formatted, would you like to format now
     
  18. thisisu

    thisisu Malware Consultant

    Do not format the drive!!!

    This is a weird problem because it's acting like the drive is failing and isn't even seeing any partitions, but then you say you can view all other folders. I need some time to think about this, be back later
     
  19. h1p

    h1p Private E-2

    Thank you, I appreciate it greatly!
     
  20. sach2

    sach2 Major Geek Extraordinaire

    Hi,

    With the HD in the working computer can you get into Documents and Settings from the Command Prompt?

    Try Start>Run>type in cmd and hit <enter>.
    Now type the drive letter of the messed up XP installation followed by a colon i.e. C: or D: or whatever drive letter is correct for that partition. Should be the same drive letter you go to in the normal Explorer window.
    Now your prompt should be short like C:\> or D:\>
    Type in cd docume* and hit <enter>
    Does your prompt now look like C:\>Documents and Settings>
     
  21. satrow

    satrow Major Geek Extraordinaire

    Hi h1p,

    I'll try to help you out on this one too, or at least, try to help find out what's happening here so thisisu can get some time to study it more closely :)

    We'll need to test what the problem is, to get another chance at seeing these folders, you'll need to reboot.

    First, you need to study this page, pay attention because the methods vary slightly depending on which version of XP the master PC is running.

    Once you have got the idea, Safe Mode for Home, normal mode for Professional, reboot to that mode, pull up the page again so you have it at hand for reference and then open Explorer and follow the steps carefully. You can either try to take ownership of the D: (check that it's the correct drive!) or of the main folder that's problematic: C:\Documents and Settings

    Good luck and make notes on any errors you might see along the way.

    Hi sach2 ^^
     
  22. h1p

    h1p Private E-2

    Data error (cyclic redundancy check).
     
  23. h1p

    h1p Private E-2


    I'm sorry, but do I do this with the hard drive in my working computer? If NOT, I can't boot into safe mode or anything on the broken one..
     
  24. thisisu

    thisisu Malware Consultant

    Yes. You have to attach the hard drive that is having problems to a working computer. Just make sure you're still booting off the working hard drive (Sometimes it will try to boot off of the new drive you just attached to the PC) Then you have to go into BIOS and change a setting. That's another story.
     
  25. thisisu

    thisisu Malware Consultant

    You get that error message when you have the hard drive attached to a working computer?
     
  26. thisisu

    thisisu Malware Consultant

    This should have worked. but you have to be on the correct drive. You can switch drives using command prompt by typing:

    c:
    d:
    e:
    f:


    etc..

    you can also use the dir command to show the contents of the current folder you're targeting. Hopefully I'm not confusing you. We still need to see the contents of that log by mbam, which, if you're on windows xp, should be in the Documents and Settings folder. I posted the full path of it in a previous post.

    %ALLUSERSPROFILE%


    Another command you can type to take you directly to the application data folder that we need to get into. You're going to want to type it exactly like that, with the percentage signs. But make sure you're on the SLAVE hard drive (the one you just hooked up (the one with malware infections) by making use of the E: command.

    I'm just guessing, it's most likely the E: drive.. since D: is usually reserved for the CD/DVD-ROM drive unless you have multiple drives ...
     
  27. h1p

    h1p Private E-2

    Yes. When I type cd docume*
     
  28. h1p

    h1p Private E-2

    Okay I did this one by first typing e: then typing %ALLUSERSPROFILE% and it says..
    "C:\Documents' is not recognized as an internal or external command, operable program or batch file."

    I know you said to type it from the E:\ and I did.........
     
  29. h1p

    h1p Private E-2

    It did initially try and boot off of the broken drive but I changed that
     
  30. h1p

    h1p Private E-2

    I should also add, that when I type "dir" from "e" documents and settings does come up in the list of directories. (Sorry for the multiple posts...
     
  31. satrow

    satrow Major Geek Extraordinaire

    So that we all get a baseline on your current drive layout, can you attach a screenshot from Disk Management (Start > Run, diskmgmt.msc) showing the layout and drive letters etc. like the below?


    Also ensure that you have unhidden all files and folders:
    and then make a screenshot of Explorer showing the list of files and folders on the 'bad' drive and attach it too.
     
  32. sach2

    sach2 Major Geek Extraordinaire

    Let's just see if we can repeat the cyclic error or get to the mbam log.

    Try and look for the Documents and Settings folder by getting a directory listing of few possible drive letters. So at whichever prompt you are at now try:

    dir d:
    dir e:
    dir f:
    dir g:


    See if any of them give you a Documents and Settings folder in the list.
     
  33. h1p

    h1p Private E-2


    screenshot.JPG
     
  34. h1p

    h1p Private E-2

    E is the broken drive, it shows docs and settings in the dir list
     
  35. sach2

    sach2 Major Geek Extraordinaire

    From a command prompt (cmd) try
    type in E: then hit <enter>
    type in cd docume~1 and hit <enter> [That is the "~" key to the left of the number 1 on the keyboard.]

    Do you get an error or do you get the E:\Documents and Settings> prompt?
     
  36. h1p

    h1p Private E-2

    It says

    E:\>Cd docume~1
    Data error (cyclic redundancy check).

    E:\>

    Any chance we could do a showmypc :)
     
  37. h1p

    h1p Private E-2

    Sorry..just now seeing your req for a screen shot of windows explorer....


    screenshot2.JPG
     
  38. thisisu

    thisisu Malware Consultant

    through windows explorer. E: drive

    You can't get to E:\documents and settings\Application Data\Malwarebytes

    Correct?
     
  39. thisisu

    thisisu Malware Consultant

    I wouldn't mind doing a teamviewer at this point LOL
     
  40. h1p

    h1p Private E-2

    Right.. It doesn't even have the little + next to it to expand the folders, and when I click on it it sits for awhile then says the thing about it not being formatted..
     
  41. thisisu

    thisisu Malware Consultant

    If you would like to me try to fix your problems (sounds like a permissions issue) and at least get the mbam log uploaded here. There is a free remote PC control program called TeamViewer.

    Click the big green Start Full Version It's Free! button to download the application, save it to your Desktop so you can find it easily later. Double click it, and, Select RUN (not Install). And provide me via PM or AIM your ID and password. ID usually looks something like 715094166, and password is usually about 4 numbers

    And if you don't want to do this, that's fine too, just trying to help you out while I have some free time :p
     
    Last edited: Jun 23, 2011
  42. h1p

    h1p Private E-2

    Alright I will go get that now, hopefully you're still on.. I've used "showmypc.com" before so i'm sure this one is similar..
     
  43. thisisu

    thisisu Malware Consultant

    yep still here, i've never used showmypc, but yes it should be pretty much the same
     
  44. h1p

    h1p Private E-2

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6904

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/20/2011 4:41:21 PM
    mbam-log-2011-06-20 (16-41-21).txt

    Scan type: Quick scan
    Objects scanned: 164978
    Time elapsed: 7 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 2
    Registry Values Infected: 4
    Registry Data Items Infected: 6
    Folders Infected: 0
    Files Infected: 17

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\WINDOWS\qlonocri.dll (Trojan.Hiloti) -> Delete on reboot.
    c:\WINDOWS\unihanoti.dll (IPH.Trojan.Hiloti.B) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Rootkit.TDSS) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\AntiVirus 2010 (Rogue.AntiVirus2010) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gnoditex (Trojan.Hiloti) -> Value: Gnoditex -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idegat (IPH.Trojan.Hiloti.B) -> Value: Idegat -> Delete on reboot.
    HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Robert George\Local Settings\Application Data\pyw.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Robert George\Local Settings\Application Data\pyw.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Robert George\Local Settings\Application Data\oxh.exe" -a "C:\Program Files\Internet Explorer\IEXPLORE.EXE") Good: (iexplore.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\qlonocri.dll (Trojan.Hiloti) -> Delete on reboot.
    c:\WINDOWS\unihanoti.dll (IPH.Trojan.Hiloti.B) -> Delete on reboot.
    c:\documents and settings\all users\application data\mlvrrsbwxbwm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\robert george\start menu\programs\startup\wknjalkd.exe (Trojan.Agent) -> Delete on reboot.
    c:\WINDOWS\system32\spool\prtprocs\w32x86\1998E.tmp (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
    c:\documents and settings\robert george\local settings\temp\opmpeosvwstdrcqk.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\robert george\local settings\temp\0.9803927517366827.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\WINDOWS\temp\vsldsj\setup.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
    c:\documents and settings\robert george\local settings\temporary internet files\Content.IE5\CNOMW2DZ\windows-update-sp3-kb81367-setup[1].exe (Rogue.MSRemovalTool) -> Quarantined and deleted successfully.
    c:\documents and settings\robert george\local settings\temporary internet files\Content.IE5\DGZQA944\windows-update-sp2-kb97806-setup[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
    c:\documents and settings\robert george\local settings\temporary internet files\Content.IE5\OWBDOT56\windows-update-sp3-kb59661-setup[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\robert george\local settings\temporary internet files\Content.IE5\OWBDOT56\windows-update-sp3-kb68550-setup[1].exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
    c:\documents and settings\robert george\local settings\temporary internet files\Content.IE5\OWBDOT56\windows-update-sp3-kb89141-setup[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
    c:\documents and settings\robert george\application data\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.
    c:\documents and settings\robert george\application data\Adobe\plugs\mmc212656.txt (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    c:\documents and settings\robert george\application data\Adobe\plugs\mmc45.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    c:\documents and settings\robert george\application data\Adobe\plugs\mmc70.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
     

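Several posts in this thread come down to the same question: did the Malwarebytes run delete anything Windows needs to boot? The script below is an added example, not Malwarebytes code and not something the posters ran. It parses the MBAM 1.x log format shown above, sorts each removal into a rough category (boot-critical location, .exe association hijack, Image File Execution Options debugger hijack, Run-key autostart, Security Center notification tampering) and marks entries that were still pending at reboot. The embedded SAMPLE_LOG is an excerpt copied from the log posted in this thread so the script runs offline; the category names and the path heuristic (anything .sys, or a .dll/.exe under \system32\) are this example's own assumptions, not Malwarebytes terminology.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x log for removals that matter when a
machine stops booting afterwards.  Added example for this thread; not part of
Malwarebytes and not a tool the original posters used."""
import re
from collections import Counter

# Excerpt copied from the log posted in this thread (mbam-log-2011-06-20),
# embedded only so the script runs offline.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.0.1200
Database version: 6904

Memory Modules Infected:
c:\WINDOWS\qlonocri.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idegat (IPH.Trojan.Hiloti.B) -> Value: Idegat -> Delete on reboot.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\qlonocri.dll (Trojan.Hiloti) -> Delete on reboot.
c:\WINDOWS\system32\spool\prtprocs\w32x86\1998E.tmp (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\vsldsj\setup.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\robert george\start menu\programs\startup\wknjalkd.exe (Trojan.Agent) -> Delete on reboot.
"""

# One removal line: "<item> (<Detection.Name>) -> [details -> ] <action>."
ENTRY = re.compile(r"^(?P<item>.*?) \((?P<detection>[\w.]+)\) -> (?P<rest>.*)$")


def parse_mbam_log(text):
    """Return one dict per removal line, tagged with the section it came from."""
    section, out = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):          # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = ENTRY.match(line)
        if section is None or m is None:        # banner lines, blanks, "(No malicious items detected)"
            continue
        action = m.group("rest").split(" -> ")[-1].rstrip(".")
        out.append({"section": section, "item": m.group("item"),
                    "detection": m.group("detection"), "action": action})
    return out


def classify_path(path):
    """Heuristic (this example's own): drivers anywhere, or binaries under
    \\system32\\, are the removals worth checking against a clean XP copy."""
    p = path.lower()
    if p.endswith(".sys") or ("\\system32\\" in p and p.endswith((".dll", ".exe"))):
        return "boot_critical_location"
    return "not_boot_critical"


def classify_registry(key):
    """Map a registry item to the kind of tampering it represents."""
    k = key.lower()
    if "\\image file execution options\\" in k:
        return "ifeo_debugger"          # Debugger value hijacks the named exe
    if "\\shell\\open\\command" in k and ("\\.exe\\" in k or "\\exefile\\" in k):
        return "exe_association"        # .exe launch command redirected
    if "\\currentversion\\run\\" in k:
        return "autostart"
    if "\\security center\\" in k:
        return "security_center_notify"
    return "other"


def triage(text):
    """Classify every removal and flag those that were left for the next reboot."""
    findings = []
    for e in parse_mbam_log(text):
        kind = (classify_registry(e["item"]) if e["section"].startswith("Registry")
                else classify_path(e["item"]))
        findings.append({**e, "kind": kind, "pending": e["action"] == "Delete on reboot"})
    return findings


def boot_critical(findings):
    return [f for f in findings if f["kind"] == "boot_critical_location"]


def summary(findings):
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    f = triage(SAMPLE_LOG)
    print(dict(summary(f)))
    print("boot-critical removals:", [x["item"] for x in boot_critical(f)])
    print("pending at reboot:", [x["item"] for x in f if x["pending"]])
```

On the posted log this reports no removal under \system32\ and no .sys file, which matches thisisu's reading that no required system file was deleted; the four "Delete on reboot" entries are the ones to re-check if a reboot was interrupted, and the Hijack.ExeFile and IFEO items are worth confirming by hand in the offline hive once the drive is readable.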
  45. h1p

    h1p Private E-2

  46. sach2

    sach2 Major Geek Extraordinaire

    I don't want to interfere with what you are doing now.

    Have you done a chkdsk on the E: drive recently? My Computer right click E: and select Properties. Then on the tools tab select Check for Errors. Just leave the one box (fix errors) checked for now and see if it finds any errors.

    ***
    The cyclic redundancy can be a bad drive or a bad controller etc. That it is only happening on one folder and when connected to this computer brings up that it could be a filesystem error which chkdsk would attempt to address.

    You might also look at the name brand of HD for the 500gb one and get the manufacturer's HD diagnostic and run both the long and the short test just to see if there is an obvious problem

    One other thought is are your HDs IDE or SATA? If IDE then you might want to double check that you are setting jumpers correctly when moving the HD over to the working computer.
     
  47. thisisu

    thisisu Malware Consultant

    It sounds like all he needed was a chkdsk, once he ran a stage 3 chkdsk, he was able to access that folder and upload the logs.

    I didn't see any required system files deleted in his logs so just had him put it (the infected hdd) back into the original computer case.

    Hopefully all is well
     
  48. h1p

    h1p Private E-2

    After chkdsk it still doesn't boot into windows, still the stupid hal file deal
     
  49. thisisu

    thisisu Malware Consultant

    We only did a 3 stage chkdsk. You may want to try a 5 stage chkdsk (chkdsk e: /r). It takes a lot longer to complete but may be worth it.

    You can do this from mini windows xp or by reattaching the hdd back to your working computer.
     
  50. sach2

    sach2 Major Geek Extraordinaire

    Since you have already tried replacing the hal.dll maybe try ruling out two other things:

    1) Open your e:\boot.ini in notepad and let us know what it says.
    2) What is in that WinXP folder on drive E:? Are the folders inside similar to the folders inside your Windows folder on that drive or is just your files?
     
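sach2's last two questions (what boot.ini says, and what is in the WinXP folder) are the right ones: NTLDR reads the default= ARC path from boot.ini and loads system32\hal.dll and ntoskrnl.exe from that partition and folder, so a boot.ini that names the wrong partition or a folder that is not a Windows installation produces the "hal.dll is missing or corrupt" message even when C:\WINDOWS\system32\hal.dll is intact. The script below is an added example, not a Microsoft tool, that parses a boot.ini, parses each ARC path, and checks whether the named folder on the slaved volume actually holds the kernel, the HAL and the SYSTEM hive. SAMPLE_BOOT_INI and SAMPLE_VOLUME are constructed for the example (a default= that points at a \WinXP folder while the real install is in \WINDOWS); they are not the poster's files. One caveat is built in: the script can verify folder contents on a mounted volume, but it cannot tell from the drive letter whether partition(N) is the right partition number for that volume on its original disk; that still needs Disk Management or the partition table.

```python
"""Check an XP boot.ini against the volume it is supposed to boot.  Added
example for this thread, not a Microsoft tool.  It encodes one rule: NTLDR
loads <folder>\system32\hal.dll, ntoskrnl.exe and config\system from the
partition and folder named by the ARC path, so an entry whose folder lacks
them will fail with the "hal.dll is missing" message."""
import os
import re

# Constructed sample: default= names a \WinXP folder that is not an install.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WinXP
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WinXP="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (original)" /fastdetect /noexecute=optin
"""

# Constructed stand-in for the slaved volume: root-relative paths that exist.
SAMPLE_VOLUME = {
    r"\WINDOWS\system32\hal.dll",
    r"\WINDOWS\system32\ntoskrnl.exe",
    r"\WINDOWS\system32\config\system",
    r"\WinXP\readme.txt",           # a data folder, not a Windows installation
}

ARC = re.compile(r"^multi\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\.*)$", re.I)
# Files NTLDR needs from the system folder before it can get any further.
REQUIRED = (r"system32\hal.dll", r"system32\ntoskrnl.exe", r"system32\config\system")


def parse_boot_ini(text):
    """Return (default ARC path or None, {ARC path: description/switches})."""
    section, default, entries = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")    # split on the first '=' only
        if section == "boot loader" and key.strip().lower() == "default":
            default = value.strip()
        elif section == "operating systems":
            entries[key.strip()] = value.strip()
    return default, entries


def parse_arc(arc):
    """Split an ARC path into disk, partition (1-based) and system folder."""
    m = ARC.match(arc)
    if not m:
        raise ValueError(f"not an ARC path: {arc}")
    return {"rdisk": int(m.group(3)), "partition": int(m.group(4)), "folder": m.group(5)}


def missing_files(arc, volume_paths):
    """REQUIRED files absent under the entry's folder; NTFS is case-insensitive."""
    folder = parse_arc(arc)["folder"].rstrip("\\")
    have = {p.lower() for p in volume_paths}
    return [f for f in REQUIRED if (folder + "\\" + f).lower() not in have]


def validate_boot_ini(text, volume_paths):
    """Report which entries could boot from this volume and what is wrong with the rest."""
    default, entries = parse_boot_ini(text)
    report = {"default": default, "problems": [], "bootable": []}
    if default is None:
        report["problems"].append("no default= line in [boot loader]")
    elif default not in entries:
        report["problems"].append(f"default= {default} has no [operating systems] entry")
    for arc in entries:
        missing = missing_files(arc, volume_paths)
        if missing:
            report["problems"].append(f"{arc}: missing {', '.join(missing)}")
        else:
            report["bootable"].append(arc)
    # Note: partition numbers are checked for syntax only; whether partition(N)
    # is really this volume on the original disk must be confirmed elsewhere.
    return report


def volume_paths_on_disk(root, arcs):
    """For a mounted volume (e.g. 'E:\\'), return the REQUIRED files that exist
    under each entry's folder, as root-relative paths for validate_boot_ini."""
    found = set()
    for arc in arcs:
        folder = parse_arc(arc)["folder"].strip("\\")
        for f in REQUIRED:
            if os.path.isfile(os.path.join(root, folder, *f.split("\\"))):
                found.add("\\" + folder + "\\" + f)
    return found


if __name__ == "__main__":
    print(validate_boot_ini(SAMPLE_BOOT_INI, SAMPLE_VOLUME))
    # Against the real slaved drive (drive letter is an assumption):
    # text = open(r"E:\boot.ini").read()
    # print(validate_boot_ini(text, volume_paths_on_disk("E:\\", parse_boot_ini(text)[1])))
```

With the constructed input the report says the default entry's \WinXP folder has no hal.dll, ntoskrnl.exe or SYSTEM hive while the \WINDOWS entry is complete, which is exactly the situation in which copying hal.dll achieves nothing and pointing default= at the real folder does. If the real boot.ini turns out to be fine and both required files are present, the check has instead ruled the loader path out and the remaining suspects are the file system (the CRC errors) or the files themselves.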
