xp boot problem

Computer was running slow. XP with all updates. , Avast virus indicated blocking attempts from websites, incoming.

I ran Malwarebytes and it identified 7 pgms trojins and maybe another spyware . It "fixed" then reboot.

fThe system will not boot. It falls out then comes up to the screen that gives you boot options such as safe, safe + net, Last known good .

every choice will go back to a system reboot. Safe boots appear to be loading drivers then the reboot and back to this page.

If I could get to system restore I was going to try that but I cannot get to safe mode. Or even command prompt.

 

Download the demo of ERD Commander 2007 here. 30 day trial. The site is German but the program is in English. Just click the download button.

http://www.chip.de/downloads/Microsoft-Diagnostics-and-Recovery-Toolset_35181963.html

Run the program in an admin account. It will create erd50.iso in C:\Program Files\Microsoft Diagnostics and Recovery Toolset\

Burn the iso with Imgburn or other burning software that can burn images.

Boot the CD. It should find your Windows installation directory. Select that and click Okay. At the Erd desktop,select System Restore.

http://i258.photobucket.com/albums/hh255/Jeet89/2003608975998435287_rs.jpg

 

Thank you , Awesom tool, That got me to my restore. but...... no joy. Computer is still in the loop of fail to boot. Windows Normally - 30 sec count down then reboots.
safe modes etc return here.

What now? Would windows repair be useful? but does the Service pack 3 make my disc useless at ths point?

Appreciate the Help.

 

If you have the full install disk of XP, try the steps here.

http://icrontic.com/article/repair_windows_xp

If you need to do a full repair, it would be a good idea to slipstream SP3 into your install disk. It is easily done with Autostreamer

http://www.neowin.net/forum/topic/223562-autostreamer-1033/page__p__584639141#entry584639141

 

Reads like the MBR might need fixing before moving to the next stage.

Do you see any Blue screen? If so, can you get the details, photo?

 

I see no blue screen. cold boot. --> ACER splash, then to the "windows failed to start" screen and the count down timer

Safe mode shows several files loading then drops out to the reboot.

I have a smartsuite 2011 bootable disk which looks like it has a MBR utility but that sounds like it may be over my head. I fear going beyond point of no return.

steps please. :-o

 

MBR utilities on an Acer (or other OEM) PC could be problematic anyway, if the drive contains a hidden recovery partition.

What is the Smartsuite 2011 disc, who makes it, do you have a URL?

 

Hi my friend , is this the only message in your welcome screen windows failed to start or is showing another message similiar to this Windows failed to start. A recent hardware or software change might be the cause. ? :wave

 

falcon attack yes sir, that is the one. it is black with white lettering, and starts off as you described. it defaults to the option at the bottom. "Start windows normally" and a 30 sec count down timer. if nothing is selected it tries that.
above this is option for "last known good" and above this choice. are safe , safe with networking and i think, a command prompt, none work. The ERD comander got me into my C: and allowed restore to run but the problem appears to be not affected by the restore. I was booting and working before the Malwarebytes removed the malware, I wish I had written down what files they listed.

 

satrow sir the website for the disk "powersuite" is www.spotmau.com . I used it last year to help me out of a password problem and it has several other functions.

Thanks.

 

You may be able to see what was deleted by viewing the logs or the quarantine folder of malwarebytes. Using ERD commander use explorer to browse to these locations.

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine

 

Cool I will find those logs. the deleted files may be meaningful to this forum.

Also I think the ACER drive may have a rescue partition. seems like there was another partiion visible in one of the ERD windows when I was looking to run the restore.

Thank you all so much
dc

 

This came from malwarebytes support:
---------------------------------------------------------------------
Hello Doc and welcome to the Malwarebytes' product support. Thank you for choosing Malwarebytes' Anti-Malware as your anti-malware security solution, my name is Chris and I'll be helping you today.

It sounds like the infection might have deleted certain window files when they were deleted. If you have the Windows XP CD then you can repair windows using the CD which will allow you to back into the windows screen.

Please let me know if you can do this solution.

----------------------------------------------------------------------

I could try that but ........ I'll wait a bit. I will see what steps you all think best.

dc

 

I am not sure but I think ERD commander will see a USB external drive that is connected. If there is any important data, you could retrieve it before you decide to do a rescue or restore.

Were you able to see anything in the Malwarebytes log or quarantine folders?

Doing the factory restore will wipe the drive and take it back to the day of purchase. Would you be willing to do that after retrieving your data?

satrow was correct in stating that doing an MBR fix on an OEM computer with a recovery partition is problematic so I would avoid doing any kind of fix unless satrow decides otherwise as he is very good regarding these issues.

 

Malware byte log ,
-----------------------------------------------------------

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.17.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Sheryl Neely :: STATION1_01 [administrator]

Protection: Enabled

17/02/12 9:53:13 AM
mbam-log-2012-02-17 (09-53-13).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 289392
Time elapsed: 1 hour(s), 7 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\gtyxyjsc (Rootkit.Agent.BO) -> Delete on reboot.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|1Y5U7AYU9GXZYFVEJVTGJSICR (Trojan.Cryptbel.Gen) -> Data: C:\Fonts\6DFBBA77250.exe /q -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Fonts\6DFBBA77250.exe (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gtyxyjsc.sys (Rootkit.Agent.BO) -> Quarantined and deleted successfully.
c:\documents and settings\sheryl neely\local settings\temp\45.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\hqrevzzzd.exe (Spyware.Password) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.

(end)
--------------------------------------------------------
In the quarantine log there were 3 files with the date of failure on them , the are of this format.
2522493987.quar
6465327269.quar
2559714302.quar
"QUAR.file'

These did not open.

DC

 

I'll give a shout out to thisiu and sach2, they probably have more recent knowledge than I do about current methods of checking and fixing infected MBR's.

 

Ok, I've just had a reply.

It looks like the gtyxyjsc.sys driver may be preventing boot. You'll need to disable the driver from the Recovery Console; from your earlier description, it doesn't read like this is installed to your hard drive, so you'll need to create a Windows SP3 CD (see the 2nd link in #4) and use the Recovery Console from that .

Once you have booted to the CD and started the Recovery Console, the command to issue is:

Then exit and try to reboot normally from the hard drive.


@ tgell: is it possible to disable a driver by using the ERD Commander? I've not used it in years.

 

I never used ERD to disable a service but it does have the command window. I guess it would be worth a try to try the command with ERD before trying to slipstream the CD. Not sure if it will work as it is a live CD. I am going to try its command line using the net stop command and see if it stops a service.

Erd also has a service and driver manager. I will have to confirm if it can disable a service. I am pretty sure he may be able to disable it there.

Administrative Tools – Autoruns, Disk Management, Event Log, Reg Edit, Service and Driver Manager and System Information.

http://www.bujarra.com/imagenes2/winternals33.jpg


I came across this on Microsofts knowledge base. More details on the disable command.

http://support.microsoft.com/kb/310602

 

Past my 10 minutes.

I can confirm that the regedit uitlity remotely loads the hives of the computer allowing a person to remove malware entries. The Services and Driver manager lists all drivers and services. Any can be disabled by right clicking and selecting properties. Start-up entries can be deleted using the Autoruns utility. Too bad it is only a 30 day demo.

Use extreme caution when disabling or deleting services and drivers.

 

I am in ERD, it did recognize an external HD, via usb. after copying as much of my important documents pictures etc. i will try the above sequence to Regedit system drivers and attempt to disable the gtyxyjsc.sys . correct ? then reboot.

gtyxyjsc.sys is malware?

I really appreciate all the effort here.

 

I do not believe you have to get into regedit as long as you can disable gtyxyjsc.sys in the services and driver manager. You may also want to look for it in Autoruns.

Edit: Yes, gtyxyjsc.sys is malware. You deleted it with malwarebytes but the computer is still looking for the driver and that is probably a good reason why your computer keeps rebooting.

 

I was able to disable the gtyxyjsc driver. I did not see a service of same name.
computer still reboots in a loop.
I went into system32 folder and renamed the file gtyxyjsc to badgtyxyjsc.sys

no change

any other ideas?

 

I disabled the gtyxjsc
renamed, no change,

I followed recovery console to rebuild the boot.ini
during that process 2 insallations were identified for me to give a name to. then on reboot. I had to select from 3. one of which was the original windows home edition.

I have the recovery disks. I am out of time as this machine serves as a print server and tomorrow is monday. I repartiioned the hard drive and used the factory sytem restore. there will be alot of set up to do but .... learing experience thanks again.

 

Thanks for the feedback. Sorry we could not get you back up after the infection.