Hal.dll file

Discussion in 'Software' started by h1p, Jun 21, 2011.

  1. h1p

    h1p Private E-2

    I ran that one but didn't plug it in... you really think it may work lol. Okay, okay, I will. I hate this computer though.. :)
     
  2. h1p

    h1p Private E-2

    Perhaps a dumb question, but where is boot.ini? From E: I just see boot.bak.
     
  3. thisisu

    thisisu Malware Consultant

    boot.ini is in the root of E:

    That could be your problem!
     
  4. sach2

    sach2 Major Geek Extraordinaire

    It is probably hidden. So Control Panel>Folder Options>View tab>Tick the circle for "Show hidden Files" and untick the box for "Hide Protected System Files".

    Also right-click the boot.bak file and choose to Edit in Notepad. Just look to see if it is the same as the boot.ini. You only have to show us one of those files if they are the same.
     
  5. h1p

    h1p Private E-2

    None of my files are hidden... and there is only a boot.bak, no .ini. I'll attach the bak... OR I won't upload it, it says invalid. I'll copy and paste it:

    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
     
  6. sach2

    sach2 Major Geek Extraordinaire

    That looks like a fine boot file for your computer which has a tiny Dell partition as partition (1). So copy and paste it as a new boot.ini.
    So you then see both a boot.bak and boot.ini in the E: drive with the same text.
    Try to boot from the HD in the original computer.
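Added example, not part of the thread: a quick check that a recreated boot.ini is self-consistent before writing it back to the E: drive, i.e. that the `default=` ARC path has a matching `[operating systems]` entry, that every ARC path is well formed, and that `timeout=` is numeric. The sample input is the boot.bak text h1p pasted above; Python 3 with only the standard library is assumed.

```python
"""Sanity-check an NT/XP boot.ini before writing it back to the offline drive.

Added example, not from the thread. Python 3, stdlib only.
"""
import re
from typing import Dict, List

# Constructed sample: the boot.ini text h1p pasted above (backslashes doubled for Python).
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

# ARC path as NTLDR expects it; partition() numbers count from 1, so partition(0) is never valid.
ARC_PATH = re.compile(r"^multi\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)\\.+$", re.I)


def parse_boot_ini(text: str) -> Dict[str, object]:
    """Return timeout, default ARC path, the [operating systems] entries and any unparseable lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)

    loader: Dict[str, str] = {}
    for item in sections.get("boot loader", []):
        key, sep, value = item.partition("=")
        if sep:
            loader[key.strip().lower()] = value.strip()

    entries: Dict[str, Dict[str, object]] = {}
    malformed: List[str] = []
    for item in sections.get("operating systems", []):
        path, sep, rest = item.partition("=")
        m = re.match(r'"([^"]*)"\s*(.*)$', rest.strip())
        if not sep or not m:
            malformed.append(item)
            continue
        entries[path.strip()] = {"name": m.group(1), "switches": m.group(2).split()}

    timeout = loader.get("timeout", "")
    return {
        "timeout": int(timeout) if timeout.isdigit() else None,
        "default": loader.get("default"),
        "entries": entries,
        "malformed": malformed,
    }


def check_boot_ini(text: str) -> List[str]:
    """Return human-readable problems; an empty list means NTLDR has a consistent file to work with."""
    info = parse_boot_ini(text)
    problems: List[str] = []
    default, entries = info["default"], info["entries"]
    if info["timeout"] is None:
        problems.append("[boot loader] has no numeric timeout= line")
    if not default:
        problems.append("[boot loader] has no default= line")
    elif default not in entries:
        problems.append(f"default {default} has no matching [operating systems] entry")
    if not entries:
        problems.append("[operating systems] lists no bootable entries")
    for path in sorted(set(entries) | ({default} if default else set())):
        m = ARC_PATH.match(path)
        if not m:
            problems.append(f"not a valid ARC path: {path}")
        elif int(m.group(4)) == 0:
            problems.append(f"partition(0) is never valid (partitions count from 1): {path}")
    problems.extend(f"unparseable [operating systems] line: {line}" for line in info["malformed"])
    return problems


if __name__ == "__main__":
    for problem in check_boot_ini(SAMPLE_BOOT_INI) or ["boot.ini looks consistent"]:
        print(problem)
```

Run it against the text you intend to save as E:\boot.ini; it cannot tell you whether partition(2) really is the Windows partition on that disk (that is what the Dell utility partition as partition(1) implies), only that the file is internally consistent.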
     
  7. h1p

    h1p Private E-2

    I may love u if that works, brb!
     
  8. h1p

    h1p Private E-2

    Got the Dell screen, then the Windows XP screen... now the lovely blue screen.. :(
     
  9. h1p

    h1p Private E-2

    Says
    STOP: c0000021a {Fatal system Error}
    The session manager initialization system process terminated unexpectedly with the status of 0xc000003a (0x00000000 0x00000000).
    The system has been shut down.
     
  10. h1p

    h1p Private E-2

    Right before the blue screen it flashes real quick
    autocheck not found, skipping autocheck
     
  11. sach2

    sach2 Major Geek Extraordinaire

    I'll look into the 000021a error which is common, so there may be a fix.

    By any chance did you rename the original hal.dll or did you overwrite it? Just want to know if there is a possibility of restoring the original.

    **Just so you know autocheck is chkdsk. Did you ever run chkdsk through all five stages when running MiniXP? It probably won't make a difference--I just want to know.

    EDIT: Is Safe Mode an option now by hitting F8 repeatedly during the Dell screen?
     
    Last edited: Jun 23, 2011
  12. satrow

    satrow Major Geek Extraordinaire

    The boot stage where the error is now occurring is likely here:
    http://carrona.org/xpboot.html
     
  13. h1p

    h1p Private E-2

    I did the chkdsk from the cmd thing, not in MiniXP. Oh, and it blue screens for safe mode too.
     
  14. h1p

    h1p Private E-2

    ...not sure what to do with that?
     
  15. satrow

    satrow Major Geek Extraordinaire

    No worries, it's for reference only at this stage, part of the discussion to get to the root of this ;)
     
  16. h1p

    h1p Private E-2

    I overwrote the broken hd Hal file with the one from my computer
     
  17. satrow

    satrow Major Geek Extraordinaire

    Is your working PC on the same version of XP as well as the same Service Pack level?

    I think we need to copy over Explorer and Winlogon via miniXP, if it then boots, I'd get it straight to the malware forum and the R&R.
     
  18. h1p

    h1p Private E-2

    elaborate??

    I have no idea if it's the same service pack, I'd say probably not.. just my guess though. I never run updates on my own.
     
  19. sach2

    sach2 Major Geek Extraordinaire

    Hi satrow, I'm not having any luck with a quick fix for the 21a error.

    I would suggest that renaming any existing files before replacing is advisable. I don't want to rule out an UNDO. I get confused on this MiniXP, although I know it is a useful tool and wouldn't think twice about using it myself.

    h1p, If the hal.dll was overwritten then that is done.
    So you ran the chkdsk from the Windows CD? When did you do that last? Has it been since changing the boot.ini? Maybe you could try booting from the Windows installation CD in the broken computer and running a chkdsk /r from the recovery console. [I'm only thinking that you could check that it will let you sign into your Windows installation and maybe running chkdsk will get rid of the message about skipping autocheck.]
     
  20. thisisu

    thisisu Malware Consultant

    That BSOD (c000021a) typically relates to winlogon.exe and csrss.exe (both in the system32 folder). Once those are replaced with clean copies, high success rate in my experience.
     
  21. thisisu

    thisisu Malware Consultant

    and maybe he needs to do a bootcfg /rebuild from recovery console
     
  22. satrow

    satrow Major Geek Extraordinaire

    Check out: http://www.sevenforums.com/crashes-debugging/152386-cant-seem-find-answer.html#post1308276 it looks like we'll need to add Lsass.exe to that list.

    And a fuller sequence from Carrona:
    As sach2 pointed out, a rename rather than replace is preferable.

    This can be done with the drive back as a slave, it'll make h1p feel more comfortable about doing it.
     
  23. thisisu

    thisisu Malware Consultant

    h1p is learning lots today :-D
     
  24. h1p

    h1p Private E-2

    h1p is getting in over her head today, lol:)
     
  25. satrow

    satrow Major Geek Extraordinaire

    :-D

    I'll try to get you up to scratch quickly on the preparations you need to do before I get back to other matters elsewhere. You've already been through most of this process before so it shouldn't be a big problem to you :)

    First, shut down the 'broken' PC, disconnect the 'bad' drive. Shutdown the good PC and add the 'bad' drive. Sounds familiar?

    Once you've checked connections and booted into Windows, hopefully the 'bad' drive will be E: again.

    All you have to do is locate 4 files in the E:\Windows and \System32 folders and rename them (change the exe to bak) before copying 'new' versions over from the same locations in C:.

    The files are \Windows\Explorer.exe, and in \Windows\System32, Lsass.exe, winlogon.exe and csrss.exe.

    Once you're at the stage where you're ready to do this, check back if you have any queries, otherwise, if you're happy that you understand my (rushed) instructions, you can go ahead and make the renames, then proceed to the copy/paste of the 4 files.

    Once you've completed this, the next task (obviously) will be to test the 'bad' drive.

    Don't be surprised if the same or different errors occur on boot, we really don't yet know or fully understand what damage was done by the malware.

    Please make notes of any and all errors or oddities and tell us about them.
     
  26. h1p

    h1p Private E-2

    Thank you thank you, I will get on this as soon as I get my kids to take a nap! Fingers crossed and thanks a ton!:)
     
  27. h1p

    h1p Private E-2

    skipping autocheck again
    and c0000021a fatal system error blue screen again
     
  28. satrow

    satrow Major Geek Extraordinaire

    Ok, we didn't attempt to fix autocheck yet but it clues us in to the area that boot fails. I think getting the same error probably means the HAL copied over was from a different Service Pack (as the last 4 files would be, too, if that was the case).

    An alternative cause would be something called from the Registry during that part of boot, probably something added by malware but part of which or the file that was the target of it, has since been removed - goes back to my thoughts posted in about #6.

    @All: who knows a simple method to decipher which SP level an offline XP drive is?

    H1p, I think the next attempt will need the 'bad' drive back in the working PC again, I'm going back to work for a while, coffee break's over ;)
     
  29. h1p

    h1p Private E-2

    Ready to give up yet?
     
  30. satrow

    satrow Major Geek Extraordinaire

    NO!

    Can you find the exact file sizes of the ndis.sys files on both drives, please? I think they should be in System32.
     
  31. thisisu

    thisisu Malware Consultant

    Nope. Do you have a boot.ini yet?
     
  32. thisisu

    thisisu Malware Consultant

    I'd personally try to do a bootcfg /rebuild. I'd rather have Windows rebuild it for me rather than copy/pasting it from a working computer. Although I've seen it work both ways.

    You can at least delete the old boot.ini edit once you make a new boot option. I usually name mine "test boot" or something just so I can distinguish the difference. And to freak out my coworker :p
     
  33. thisisu

    thisisu Malware Consultant

    And if that didn't work, I'd make sure I've done a full chkdsk. 5 stage, not 3.
     
  34. h1p

    h1p Private E-2

    How do I do bootcfg /rebuild? Didn't I do something with boot.ini a while back or was that a different file?
     
  35. satrow

    satrow Major Geek Extraordinaire

    Boot is fine, post-boot/Winlogon is the problem.
     
  36. thisisu

    thisisu Malware Consultant

    First you're going to need the windows recovery console:

    download here

    Burn this as a bootable Image to a blank CD-R from a working computer. I like to use ImgBurn as my burning software (It's free too).

    Then you're going to want to boot off the CD on the nonworking computer hard drive. You only have a few seconds to boot off CD.. so watch out for the "Press any key to boot off CD/DVD..." message.

    Once successful, it will load a bunch of files... (takes about 30-45seconds)

    Then you are prompted with a screen to INSTALL, REPAIR USING RECOVERY CONSOLE, or QUIT.

    Press R for The recovery console
    Let it do its US keyboard detection thing (wait 5s)
    It will ask you which Windows Installation you want to log into
    In most cases, there is only one labeled: 1) Windows
    So type in 1
    ENTER
    If it asks for an administrator password, just leave it blank and press ENTER
    Now you should be at the C:\Windows> prompt

    Type in the following..
    bootcfg /rebuild
    It will say something like "scanning this can take a while" (wait about 1 minute)
    Which Windows installation do you want to edit? <- something like this :S
    There should only be 1
    Then it will ask what do you want to call the new OS Identifier
    Here is where you can type test windows xp
    Then it will ask if you want to use any special options (sorry this is kind of hard to explain lol)
    I usually just type: /fastdetect
    Press ENTER
    Hopefully will say something along the lines of successful
    Now you can type EXIT
    Reboot the computer
    Don't boot off the CD again.
    If prompted to select which Windows installation you want to start, keep a look out for the one you just created called "test windows xp"
    PRESS ENTER.

    This is all troubleshooting, may not work, but worth a try imo
     
  37. thisisu

    thisisu Malware Consultant

    You're probably right satrow. don't have to try that if you don't want to lol
     
  38. satrow

    satrow Major Geek Extraordinaire

    The basic boot process stops near the end of the following:
    where the initial phrase on each line is the error and the bracketed comment is the fix.

    Eg: MBR error (fixmbr) = if you get an error msg about the MBR, you run fixmbr.

    Where we are now:
    The logical thing to do would be to work methodically through the blue items:
    1. Delete and recreate pagefile - test.
    2. Access and check/modify the Autoruns settings in the Registry.
    .
    .
    .


    You have to remember that at this stage, many things are beginning to happen in parallel, what started last before the crash may not be the trigger, as an earlier process may still be running and loading other prerequisites for successfully reaching logon and the Desktop.
     
  39. thisisu

    thisisu Malware Consultant

    ^ are those some of your notes ? :cool
     
  40. h1p

    h1p Private E-2

    It skipped asking me which Windows I wanted to log into and it also didn't ask for a password. It has taken me to just "C:\"

    So I typed (though this may be wrong since you said it should be at Windows) bootcfg /rebuild

    and it says

    Scanning all disks for windows installations. Please wait etc

    Error: Failed to successfully scan disks for Windows installations. This error may be caused by a corrupt file system, which would prevent bootcfg from successfully scanning. Use chkdsk to detect any disk errors.

    Note: this operation must complete successfully in order for the /add or /rebuild commands to be utilized.

    ugh!
     
  41. thisisu

    thisisu Malware Consultant

  42. h1p

    h1p Private E-2

    Can I do this from where I'm at right now? How specifically do I type it if so.. said chkdsk c:/r nope wrong lol
    Did chkdsk and it says
    the vol appears to contain one or more unrecoverable problems..

    I did the five step thing awhile back when you told me to!

    (but I am more than willing to try it again if need be!! :) )
     
  43. thisisu

    thisisu Malware Consultant

    There is a space between : and /

    I scheduled a 3 stage chkdsk for you a while back. I don't recall you ever running a 5 stage (the one that takes 2 hours + on average)

    This is typically resolved by running a full chkdsk c: /r

    You can try it from either your working computer (remember, the infected drive will be E: then)

    or I think you can do it from the recovery console, or mini windows xp.. Lots of options
     
  44. h1p

    h1p Private E-2

    Trying it from the rec console and that's when it says
    The vol appears to contain one or more unrecoverable problems

    Guess I'll put it back where it was and try
     
  45. h1p

    h1p Private E-2

    Ok, it's running the five stage chkdsk, I'll be back when it's done!
     
  46. satrow

    satrow Major Geek Extraordinaire

    No, based on those of an MVP by the name of John Carrona, linked to in #62 and a similar thread of his over at Bleeping.

    Some info on similar crashes from MSFT which might help get a handle on where the crash is and clues to more possible triggers:
    and:
    I've highlighted those that seem to be most relevant here given the history we have.

    There are usually no error dumps created with this crash because the files needed to create it are involved in the crash itself, so evidence of the cause for this crash is limited.

    At the completion of the ongoing Chkdsk, only the page file exists of the hardware related potential problems; we're still unsure of the SP levels of the 2 computers, so a comparison of a file like ndis.sys will give us confirmation either way. We know we're getting to the Winlogon so any available logs and Registry need scrutinising for clues.

    There's still a chance that malware exists and is being triggered post-boot, during the Winlogon period.
     
  47. h1p

    h1p Private E-2

    So what's next, boss?
     
  48. satrow

    satrow Major Geek Extraordinaire

    :-D
    Assuming the drive is still hooked as slave:
    Deleting the pagefile, E:\pagefile.sys, and getting a comparison of the ndis.sys file sizes from c:\Windows\System32\Drivers\ndis.sys cf. E:\Windows\System32\Drivers\ndis.sys. We need the real size not the size on disk - check the Properties tab for each.

    The pagefile will be rebuilt next time Windows tries to boot from the drive, so the boot may take longer, it could be a GB or more in size.

    If the ndis.sys file sizes are identical, I think we can disregard any thoughts of file mismatches, at least, as far as the 5 files that have already been replaced.

    What was the result of the Chkdsk?
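Added example, not part of the thread, for the comparison satrow is asking for here and for his question in #28 about telling the service-pack level of an offline XP drive: rather than eyeballing sizes in the Properties tab, read each file from both roots and report its exact byte size, SHA-256 and the file version embedded in the PE's VS_FIXEDFILEINFO block (the fourth number of an XP system file's version differs by service pack, e.g. 2180 for SP2 and 5512 for SP3 files). The direct answer to the SP question is the CSDVersion value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion in the offline SOFTWARE hive, but that needs a hive parser; the file-version route needs only the Python 3 standard library. The file list and the drive letters C:\ and E:\ are taken from the thread; `make_version_blob` is a constructed stand-in used only so the version parser can be exercised without a real binary.

```python
"""Compare the files swapped in this thread between the good drive and the offline one.

Added example, not from the thread. Reports exact size, SHA-256 and the PE file
version (from VS_FIXEDFILEINFO) for each file on both roots. Python 3, stdlib only.
"""
import hashlib
import os
import struct
from typing import Dict, List, Optional

# Files touched so far in the thread, plus ndis.sys as the service-pack indicator satrow asked for.
FILES = [
    r"Windows\system32\hal.dll",
    r"Windows\explorer.exe",
    r"Windows\system32\lsass.exe",
    r"Windows\system32\winlogon.exe",
    r"Windows\system32\csrss.exe",
    r"Windows\system32\drivers\ndis.sys",
]

# 0xFEEF04BD little-endian: the dwSignature that opens every VS_FIXEDFILEINFO structure.
VS_FFI_SIGNATURE = b"\xbd\x04\xef\xfe"


def pe_file_version(data: bytes) -> Optional[str]:
    """Return 'major.minor.build.revision' from the PE's VS_FIXEDFILEINFO, or None.

    Scans for the signature instead of walking the resource directory; that is
    sufficient for Microsoft system binaries and needs no PE-parsing library.
    """
    pos = data.find(VS_FFI_SIGNATURE)
    if pos < 0 or pos + 16 > len(data):
        return None
    # Layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS, ...
    _sig, _struc_ver, ms, ls = struct.unpack_from("<IIII", data, pos)
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def describe(data: bytes) -> Dict[str, object]:
    """Size in bytes (the 'real' size, not size on disk), SHA-256 and embedded version."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "version": pe_file_version(data),
    }


def compare(good: Dict[str, object], bad: Dict[str, object]) -> List[str]:
    """List the fields that differ; an empty list means the two files are byte-identical."""
    return [f"{k}: {good[k]} != {bad[k]}" for k in ("size", "version", "sha256") if good[k] != bad[k]]


def compare_drives(good_root: str, bad_root: str, files=FILES) -> Dict[str, List[str]]:
    """Read each relative path from both roots (e.g. 'C:\\' and 'E:\\') and diff them."""
    report: Dict[str, List[str]] = {}
    for rel in files:
        try:
            with open(os.path.join(good_root, rel), "rb") as fh:
                good = fh.read()
            with open(os.path.join(bad_root, rel), "rb") as fh:
                bad = fh.read()
        except OSError as exc:
            report[rel] = [f"could not read: {exc}"]
            continue
        report[rel] = compare(describe(good), describe(bad))
    return report


def make_version_blob(major: int, minor: int, build: int, revision: int) -> bytes:
    """Constructed stand-in for a PE carrying only a VS_FIXEDFILEINFO; used for offline testing."""
    ms, ls = (major << 16) | minor, (build << 16) | revision
    return b"MZ" + b"\x00" * 62 + VS_FFI_SIGNATURE + struct.pack("<III", 0x00010000, ms, ls) + b"\x00" * 40


if __name__ == "__main__":
    import sys
    roots = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("C:\\", "E:\\")
    for rel, diffs in compare_drives(*roots).items():
        print(f"{rel}: {'identical' if not diffs else '; '.join(diffs)}")
```

Run it on the working PC with the bad drive slaved as E:. A version mismatch on any of these files says the copied-over binaries came from a different service pack, which is the scenario satrow is worried about; the same comparison against the .bak copies shows what the drive had before the swaps, which is why renaming rather than overwriting was recommended.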
     
  49. h1p

    h1p Private E-2

    chkdsk said

    488335837 KB total disk space
    27448320 KB in 116121 files
    45000 KB in 9791 indexes
    4 KB in bad sectors
    224069 KB in use by the system
    65536 KB occupied by the log file
    460618444 KB available on disk
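Added example, not part of the thread: a small parser for the chkdsk summary above that checks the figures actually add up (files + indexes + bad sectors + system + available must equal the total; the log file is a sub-item of "in use by the system" and is not added again) and flags the non-zero bad-sector line, which is the detail in this output a practitioner would act on. The sample text is the summary h1p posted, constructed as an inline string; Python 3 with only the standard library is assumed.

```python
"""Parse the summary chkdsk prints and check that its accounting is internally consistent.

Added example, not from the thread. Python 3, stdlib only.
"""
import re
from typing import Dict, List

# Constructed sample: the chkdsk summary h1p quoted above (chkdsk reports these figures in KB).
SAMPLE_CHKDSK = """\
488335837 KB total disk space.
27448320 KB in 116121 files.
45000 KB in 9791 indexes.
4 KB in bad sectors.
224069 KB in use by the system.
65536 KB occupied by the log file.
460618444 KB available on disk.
"""

# One pattern per summary line; case-insensitive so 'kb' transcriptions also match.
FIELDS = {
    "total": re.compile(r"(\d+) KB total disk space", re.I),
    "files": re.compile(r"(\d+) KB in (\d+) files", re.I),
    "indexes": re.compile(r"(\d+) KB in (\d+) indexes", re.I),
    "bad_sectors": re.compile(r"(\d+) KB in bad sectors", re.I),
    "system": re.compile(r"(\d+) KB in use by the system", re.I),
    "log_file": re.compile(r"(\d+) KB (?:in )?occupied by the log file", re.I),
    "available": re.compile(r"(\d+) KB available on disk", re.I),
}


def parse_chkdsk(text: str) -> Dict[str, int]:
    """Return the KB figures by name, plus files_count / indexes_count where present."""
    out: Dict[str, int] = {}
    for name, pattern in FIELDS.items():
        m = pattern.search(text)
        if not m:
            continue
        out[name] = int(m.group(1))
        if name in ("files", "indexes"):
            out[name + "_count"] = int(m.group(2))
    return out


def audit_chkdsk(text: str) -> List[str]:
    """Return findings worth acting on; an empty list means the summary is complete and adds up."""
    s = parse_chkdsk(text)
    required = ("total", "files", "indexes", "bad_sectors", "system", "available")
    missing = [name for name in required if name not in s]
    if missing:
        return [f"summary incomplete, missing: {', '.join(missing)}"]
    findings: List[str] = []
    # The log file is a sub-item of 'in use by the system', so it is not added a second time.
    accounted = s["files"] + s["indexes"] + s["bad_sectors"] + s["system"] + s["available"]
    if accounted != s["total"]:
        findings.append(f"accounting mismatch: categories sum to {accounted} KB, total is {s['total']} KB")
    if s["bad_sectors"] > 0:
        findings.append(
            f"{s['bad_sectors']} KB in bad sectors: the volume has clusters marked bad, "
            "so check the drive's SMART health before trusting further repairs on it"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_chkdsk(SAMPLE_CHKDSK) or ["chkdsk summary is complete and adds up"]:
        print(finding)
```

On the summary above the accounting is exact (488,335,837 KB), so the only finding is the 4 KB of bad sectors.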
     
  50. h1p

    h1p Private E-2

    Okay, on E the ndis.sys file is 178 KB (182,656 bytes)

    and on C it is 178 KB (182,912 bytes)

    Also there is no E:\pagefile.sys
     
