Solved

Virus removal/Windows XP Service Pack 3 gone bad

Posted on 2009-12-28
Medium Priority
Last Modified: 2013-11-22
I've been disinfecting a Win XP laptop from viruses and scareware. I used a UBCD4Win disc and the Superantispyware, Avira plugins, etc. When I had enough control over the desktop I upgraded IE to 8 and downloaded Malwarebytes, Superantispyware, and Avira.

I was finally getting clean scans and most symptoms were gone. There were one or two browser redirects still active. As part of basic protocol I upgraded the computer to Service Pack 3 and that's when things started to go wacky.

After the restart and the Service Pack splash screen the computer started the regular splash screen with the moving blue bar and hung there (with the blue bar s-l-o-w-l-y creeping across the screen). I powered down the laptop and restarted; it hung again. I restarted the computer and went to safe mode.

It pauses after loading Mup.sys; a couple of seconds later it says "Press Esc to cancel loading d347bus.sys". If you do so, you get a blank, blue screen with a minimize and question icon in the upper left corner, and if you just let it load you come to a blue screen: a 0x0000007E STOP error.

I'm including pictures of the relevant screens.

What's my next step to try and fix this?
DSC-0152.JPG
DSC-0164.JPG
Question by:ssvarc
 

Expert Comment

by:KGG
ID: 26136121
Repairing would be the only solution in this case, as you are unable to launch safe mode too.
0
 

Author Comment

by:ssvarc
ID: 26136128
KGG:

Repairing? How exactly?

Thanks.
0
 

Expert Comment

by:KGG
ID: 26136207
Please see more details for repairing OS - http://www.geekstogo.com/forum/How-to-repair-Windows-XP-t138.html

Hope this helps. Ensure you don't delete any partition, as it will erase your data.
0
 
LVL 1

Expert Comment

by:CooGuru
ID: 26136226
The first step would be to boot the PC(s) from an XP install Disk.
When prompted, press "R" to load the Windows Repair Console.
When you see the C: (DOS prompt) type "CHKDSK /P /R"

*This will take some (okay, possibly a lot) of time.

Once it is done, type "FixBoot", then exit the Repair Console by typing "Exit".

Download a fresh copy of "ComboFix" from BleepingComputer.com.
Download MalwareBytes from Download.com
Download CCleaner from Download.com

***BE VERY CAREFUL WHEN USING COMBOFIX
***Have installation media for your choice of Antivirus ready

Place ComboFix directly onto the desktop
Remove ALL antivirus
Run ComboFix, install the XP Recovery Partition when prompted (This negates the need for the XP disk in the future)
***DO NOT DO ANYTHING ELSE WHILE RUNNING COMBOFIX, IT WILL POP UP A .TXT LOG FILE WHEN IT'S DONE
Run MalwareBytes, remove everything/anything found
Run CCleaner to clean up all temp files (this will help the speed of the PC anyway)
Run CCleaner's registry cleaner
Re-Install Antivirus, ensure to update it completely
run all Windows updates

If this has not resolved the problem, please report status back (w/ HiJack This log file if you can boot up and run it)
0
 
LVL 9

Accepted Solution

by:jeff_01
jeff_01 earned 1100 total points
ID: 26136283
Try removing SP3 from the recovery console.

Here are the steps to take.

http://windowsxp.mvps.org/spuninst.htm

After you get your system working again we can look at the other issue.

HTH
0
 

Author Comment

by:ssvarc
ID: 26136388
KGG:

I don't get an option for a Repair installation, even though I do get a Windows splash screen and Safe Modes boots until Mup.sys.

Ideas?
0
 

Author Comment

by:ssvarc
ID: 26136439
CooGuru:

This is a Dell laptop. My experience is that running "Fixboot" destroys that style of XP install due to the boot partition being separate from the regular partition (i.e. a small, hidden [can't be seen from Windows Explorer] partition for the boot).

Does this concur with your experience, and what would you suggest? Do you agree with jeff 01 to try and remove the Service pack?
0
 
LVL 93

Expert Comment

by:nobus
ID: 26136457
Try a system restore as shown here:
http://support.microsoft.com/kb/307545
0
 
LVL 5

Expert Comment

by:Khalid Mehmood Awan
ID: 26136960
Repair screen option is available when you boot from your windows xp installation CD.
0
 

Expert Comment

by:KGG
ID: 26137577
Please boot with OS CD and you should be able to see repair options.
0
 
LVL 1

Expert Comment

by:CooGuru
ID: 26138445
I have performed this exact procedure on numerous Dell laptops with no problem at all.

You can try to remove the Service pack. However, this is not going to help with booting, nor will it fix any corruptions that may have already occurred.

If the SP install itself was corrupted, which it sounds like it was, then removal of the SP would repair that. However, it seems that you have more problems than just that, simply based on the fact that you stated the issues prior to the SP install. Either which way, you are going to need to get the computer functional in order to start repairing the OS, unless you decide to re-image it or do a repair install.
0
 

Author Comment

by:ssvarc
ID: 26138955
khalidmehmoodawan and KGG:

I have booted from the OS CD and I'm not getting Repair options. My earlier comment was to point out that a large part of the OS must still be there due to the partial boot and splash screens, but it still seems thoroughly corrupted.

Here are the screen shots of the options available through the OS CD.

All steps were chosen in accordance to this guide here http://www.geekstogo.com/forum/How-to-repair-Windows-XP-t138.html.
DSC-0165.JPG
DSC-0166.JPG
DSC-0167.JPG
0
 
LVL 93

Expert Comment

by:nobus
ID: 26139013
You should pick the NTFS partition for repair.
0
 

Author Comment

by:ssvarc
ID: 26139203
Nobus:

There is no Repair option, as I've already said now a couple of times. Choosing the NTFS partition brings me to the third screenshot.
0
 
LVL 93

Expert Comment

by:nobus
ID: 26139622
Did you try the system restore as I suggested?
0
 

Author Comment

by:ssvarc
ID: 26139654
Nobus:

No, as I'd rather try the other less "destructive" options first. At least I think they are.

What are your thoughts on those options:
1) Uninstalling the service pack.
2) Running CHKDSK and FIXBOOT

Thanks!
0
 
LVL 93

Expert Comment

by:nobus
ID: 26139755
Destructive? Where did you get that? Nothing is "destructed"...
0
 

Author Comment

by:ssvarc
ID: 26139822
Nobus:

From your link.
"This article describes how to recover a Windows XP system that does not start because of corruption in the registry. This procedure does not guarantee full recovery of the system to a previous state; however, you should be able to recover data when you use this procedure.

Warning Do not use the procedure that is described in this article if your computer has an OEM-installed operating system. The system hive on OEM installations creates passwords and user accounts that did not exist previously. If you use the procedure that is described in this article, you may not be able to log back into the recovery console to restore the original registry hives."

The laptop is a Dell, so it appears it will be "destructive". Your experience?

As well, I'm not seeing any of the associated error messages.

"Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM
Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SOFTWARE
Stop: c0000218 {Registry File Failure} The registry cannot load the hive (file): \SystemRoot\System32\Config\SOFTWARE or its log or alternate
System error: Lsass.exe
When trying to update a password the return status indicates that the value provided as the current password is not correct."

It does appear to be a bad service pack installation. What are your thoughts on 1) Uninstalling the service pack and 2) Running CHKDSK and FIXBOOT?

Thanks!
0
 

Author Comment

by:ssvarc
ID: 26143307
jeff 01:

I uninstalled the service pack using the information from your link (http://windowsxp.mvps.org/spuninst.htm) and from this KB article (http://support.microsoft.com/kb/950249).

The computer now boots! I went into Add/Remove Programs and completely removed Service Pack 3 (as per the info).

Now, "After you get your system working again we can look at the other issue.", is here. Any thoughts on the next step?



 
0
 
LVL 93

Expert Comment

by:nobus
ID: 26143743
OK - good to hear it boots again! What problems do you have left?
0
 

Author Comment

by:ssvarc
ID: 26143819
Well,
1) There is a Symantec Corporate Antivirus that can't be uninstalled. I tried Add/Remove Programs, Revo Uninstaller, the Norton Removal Tool (which won't run - asking instead to use Control Panel), manual uninstall instructions from Symantec's website - I'm not sure it's for the correct version, which I have no way of checking (a real nightmare!).

2) ComboFix warns about the Symantec Antivirus and reports rootkit activity.

This is starting to become painful. :-(
0
 
LVL 93

Assisted Solution

by:nobus
nobus earned 500 total points
ID: 26144580
IMO - you need to clear up any rootkit problem before going further.
Try these:
http://www.malwarebytes.org/mbam.php - MBAM
http://download.bleepingcomputer.com/sUBs/ComboFix.exe - Combofix
http://www.spychecker.com/program/hijackthis.html - download
http://www.hijackthis.de/index.php?langselect=english - check the log
0
 
LVL 5

Expert Comment

by:Khalid Mehmood Awan
ID: 26144598
When you boot from CD,

the very first or second option displayed corresponds to the recovery option, I think the F6 key.
0
 

Expert Comment

by:KGG
ID: 26144709
In the first screen it says "Press R" for repairs. That is the screen.
0
 
LVL 1

Expert Comment

by:CooGuru
ID: 26146035
I agree with nobus that the Root Kit should be the first thing to attack.

Here is some great info and steps for rootkit removal:

http://searchenterprisedesktop.techtarget.com/generic/0,295582,sid192_gci1176076,00.html
0
 

Author Comment

by:ssvarc
ID: 26148114
KGG:
Doing that is for the Recovery Console. That is clearly written on the screen and is explicit in the link (http://www.geekstogo.com/forum/How-to-repair-Windows-XP-t138.html) that you gave.

Besides, after following jeff01's advice of uninstalling the Service Pack the computer boots now, so there is no need for a Recovery install.
0
 
LVL 27

Assisted Solution

by:Jonvee
Jonvee earned 400 total points
ID: 26148726
To remove that rootkit, you can use what has been described as the best; the Sophos Anti-Rootkit Free rootkit detection and removal tool:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Then follow it with another Malwarebytes scan using the link supplied by nobus.
0
 
LVL 9

Assisted Solution

by:jeff_01
jeff_01 earned 1100 total points
ID: 26152097
Glad your PC is booting again  :P

Did you download the Uninstaller from the Symantec website?

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

If you can't get that to work you may need to contact Symantec support and ask them for a utility called CleanWipe. It is only available via Symantec support: mysupport.symantec.com

0
 

Author Comment

by:ssvarc
ID: 26152217
To answer your question, here is what I wrote above, "1) There is a Symantec Corporate Antivirus that can't be uninstalled. I tried Add/Remove Programs, Revo Uninstaller, the Norton Removal Tool (which won't run - asking instead to use Control Panel), manual uninstall instructions from Symantec's website - I'm not sure it's for the correct version, which I have no way of checking (a real nightmare!)."

So, yes I tried that, plus many other steps. I spotted that utility, but I'm focusing now on the rootkit. I have indications from ComboFix, Backlight, Sysinternal, and Sophos that there are possible rootkits. I've sent the files to Sophos for further help and am waiting now for their response.
0
 
LVL 93

Assisted Solution

by:nobus
nobus earned 500 total points
ID: 26152263
0
