
[SOLVED] Stuck in Windows Repair after Trojan



Old 02-08-2012, 10:41 AM   #1
Registered Member
 
Join Date: Feb 2012
Posts: 6
OS: XP SP2



I couldn't decide whether to post this in the Virus forum or this one. I chose this one because my primary issue at the moment is that I cannot complete a Windows XP Repair; I'm stuck in the process and cannot get into the OS at all (I'm on a different computer right this moment). Usually I try to fix issues like this one on my own, and I've had success doing so before, but this time I'm afraid I've screwed things up royally. I'd very much like to avoid Formatting if I can.

The long of it (much of this is from memory, and it's a little hazy; I apologize for that):

Yesterday I found that my computer was infected with a Trojan. My first indication was slower internet speed and new tabs opening in Firefox with ads (a form of pop up I guess). Malwarebytes was not able to locate anything. TDSSKiller showed an infected Redbook.dll and an infected sptd.dll (Daemon Tools), which I instructed it to delete (I also uninstalled Daemon Tools). AVG identified a Trojan named psw.agent.A###; I can't recall the exact name, but it was none of the ones that a Google search shows. An AVG scan showed a few files infected with this Trojan and moved them to the vault. One of these files was one of AVG's dll files, so I suppose the Trojan attacked AVG. It also showed Netbt.dll was infected, but that file was whitelisted and could not be removed. Because AVG seemed to be compromised, I downloaded and ran Trojan Remover (yeah, I know the intro post says I shouldn't be running all this stuff without consulting this forum first, but I've usually been able to eliminate Trojans on my own, so I've never used this forum before). Trojan Remover found a threat within Prios (not even sure what this is), so I instructed it to remove that. After all of this, I restarted the computer to see if there was any progress.

After the restart, all hell had broken loose. AVG started up, but many of its functions were missing and all of its remaining functions were disabled (possibly caused by the infected AVG dll file). Also, my CD Rom drive had suddenly disappeared from the My Computer screen, and I could not load up any CDs. I started to panic at this point, wondering if the Trojan was targeting other systems. When I probably should have decided to seek help here then, I decided to see if I could boot up with my Windows XP disc and possibly reinstall.

I restarted and loaded up the Boot Menu. The CD Rom drive was available and I could boot from the XP CD. Using advice I searched for online, I used XP's recovery console to replace the infected netbt.dll as well as cdrom.dll with clean versions from the XP disc. This did not solve the problem of the CD Rom drive failing to load within Windows. Figuring I was screwed and that a Windows reinstall would probably be the only way to clean up any infections, I again restarted into the Boot Menu and the XP Setup.

I selected the Windows XP repair option, figuring I could keep things mostly intact but possibly replacing any bad system files. Within the DOS interface everything proceeded smoothly. I saw it deleting files then adding replacements, so I got encouraged. Unfortunately, after the DOS setup program finished this, it launched into the OS to complete the setup, and this is where my main problems right now started (what follows is the important stuff that I'd like to get fixed; any remnants of the Trojan I can deal with later) ...

Within the OS, I got the Windows Installation screen with the 'Preparing for Installation' step completed. Almost immediately, though, I got a dialogue box asking for the Windows XP CD. At this point I knew I was really in trouble. The DOS phase of the setup had not repaired the issue of the CD Rom drive not loading within the OS (which was what really prompted me to begin the XP repair in the first place), and without the CD Drive, I could not point the Installation program to the files I needed. I hit 'Cancel' to try to back out, but the computer simply restarted and it launched right back into the Installation program. I cannot get around it.

Seeking help online, I learned that I could bring a command prompt up with Shift+F10. From there, I ran the task manager, and from that I can open up any file or program on my computer (though without the Windows services running, functionality is limited). I learned that my Portable Flash drive was working when I plugged it in (the F: drive appeared immediately in the My Computer screen).

One of the first steps I took to try to get around the installation was using another computer to transfer the contents of the Windows XP CD to the flash drive. With my Windows XP Flash Drive, I was able to get the installation going. It asked me to point it toward several files it needed, and I simply pointed it to the F: Drive. It seemed to be going well. At one point it asked me for a file in an old Nvidia installation (NVClock.exe or similar). Not knowing where I could find a copy of that and figuring it wasn't important, I selected 'Cancel,' and it was okay; the installation simply skipped it and continued.

Unfortunately, when I got to about 34 minutes left and the green progress bar was about halfway full, I was asked for a file called hdaudbus.sys. The dialogue box said it was for Microsoft UAA Bus Driver for High Definition Audio and asked me to insert Installation Disk #1. I don't even know what Disk it's referring to. I couldn't find this file on my XP disc or my Dell drivers disc. The only copy I could find was already in my System32/Drivers folder. Easy enough -- either cancel installing this file as well or point it to the Drivers folder, right? The problem -- my USB ports have become nonfunctional at this point. I can't use my mouse or my keyboard. Anything else I plug into a USB port fails to work. I'm assuming the USB devices being disabled is part of the install process, but it's leaving me with no means of responding to the dialogue box!

When I went through this process a second time, I kept the Device Manager open and watched it as it approached the hdaudbus.sys point. As it got close, the Device Manager kept flickering, as if it was repeatedly refreshing. I also kept moving my mouse. At one point, the mouse became unresponsive for several seconds, but then popped back on. A minute or so later, it became unresponsive once again, and it did not come back up before I was asked for the hdaudbus file.

When I check the CD Rom Drive in Device Manager, I get a Code 41 (driver found but the hardware device cannot be found). I've since learned that if I uninstall the Drive, then Scan for Hardware Changes, the CD Rom Drive works! I can now once again access CDs, and thus use the Windows XP CD normally. Two problems, though. One, every time I restart the CD Rom Drive again becomes nonfunctional and requires the reinstall. Two, even after the reinstall, the XP installation asks for the files within 'GLOBALROOT\DEVICE\CDROM0\' rather than 'D:\'. Even after I get the D: drive working, instructing it to search for the files within 'GLOBALROOT...' does not work. It simply keeps asking for the file. If I replace the 'GLOBALROOT...' with D:\, it works. This was how I originally used the Flash Drive, replacing that directory line with F:\.

To summarize the problems I'm having:

-The D: drive does not function properly when I start up. I need to Uninstall it in Device Manager and scan for it. Even after doing this, though, the XP Install program is asking for the disc in GLOBALROOT\DEVICE\CDROM0\ instead of D:\. That seems rather strange. Isn't it supposed to be asking for a CD in D:\ ? Or is the D: drive not being present when I start up the OS confusing the Install program?

-By pointing the install at any alternate location that has the files it needs (either the reinstalled D: or the flash drive in F:), I can fudge my way through the install process. But it eventually disables my USB devices, then asks for another file. Without my mouse or keyboard working, I cannot point it to the file or cancel.

I've done some registry editing as advised by internet searches. I've done the Microsoft suggested fix of going into HKEY_LOCAL_MACHINE\etcetc and deleting the LowerFilters key (there is no UpperFilters key). This fixed nothing; still no CD Rom Drive when I restart.

Going through my TDSSKiller logs, I realized that Redbook.sys and its associated Registry keys were all deleted. When I got my CD Rom drive back up in Device Manager, I used the 'Update Drivers' function. First I tried updating from the Windows XP disc. Later I tried updating from my CD Rom drive disc. In both cases, Redbook was completely restored (including the registry entries). As soon as I restart, however, the Redbook registry entries are gone again. I'm not even sure if this should be considered odd, but I'm trying to be thorough in reporting what I'm seeing.

What I can do:

I can bring up the Command Prompt with Shift+F10, open the Task Manager, and use the Run New command to open up anything. From within the Browse window, I have complete access to all the contents of my hard drive. I can read text files, run programs (many of them fail without a proper windows startup). As an example, I can open a movie file in VLC player or media player, it takes about five minutes to start, and it plays normally; I can open a browser, but without any of the network services running I cannot get online. I can delete files and directories, create new ones, and move anything to my Flash Drive with the Send To function. I can also access anything on my Flash Drive. If anyone instructs me to download something and run it on the affected computer, I can try to do so; though without a proper Windows start, I can't guarantee anything will work. I can also transfer any log files to the Flash Drive and relay their contents here. There is a great deal that I can do from within that Browse window, but I remain stuck in the XP Install.

What I would like to accomplish:

a) Figuring out some way to finish the Windows XP install smoothly. Maybe getting the CD Rom drive acknowledged properly from startup is the key to this? Maybe if this happened properly, there would be no other hitches?

b) Figuring out how to point to or cancel the install of any files it's asking me for when my USB drives have been disabled. Is there any way to avoid the USB drives being disabled? Is there any way to get the Install program to skip the hdaudbus.sys file (and any other files it asks for when the mouse and keyboard are not working)?

c) Figuring out a way to back out of the Install progress altogether. I've seen on several internet sites that it's inadvisable to back out of an XP reinstall. What about a Repair? Is there any way? Would I be able to recover from it?

Failing all of the above, my next step may be trying a Reinstall instead of a Repair. Is this even possible while a Repair is unfinished? And what are my chances that I wouldn't run into the same issues anyway?

Formatting is my last resort. I very much want to avoid it. Considering how much progress I managed to make in the XP Install program, it seems like things aren't too far gone that I'm forced to start from scratch. There are clear obstacles I need to get past here -- the CD Rom drive not loading properly on restart, the USB devices being disabled when I need them to interact with the dialogue boxes. I need help from experts here on how I could accomplish either of those things.

There may be things I've forgotten to mention. I'm ready to answer any questions about specifics, but keep in mind that a lot of the specifics of yesterday (the order I did things, the exact files that were affected, etc) may be hazy.

Thanks in advance for any assistance!
Kosh is offline  
 
Old 02-08-2012, 03:41 PM   #2
Registered Member
 
Join Date: May 2010
Location: Los Angeles
Posts: 40,641
OS: Windows 10 64 bit



You can spend a lot more time on this or you can cut your losses. Back up any personal files you can't live without to a USB drive and then boot off of the XP CD and Format the Partition, Create a new Partition, and Format the Partition NTFS, and Install Windows. That would be the cleanest option. Other than that you are going to run into problems in the future.
spunk.funk is offline  
Old 02-09-2012, 07:41 AM   #3
TSF Team, Emeritus
 
 
Join Date: Sep 2011
Location: New York, USA
Posts: 5,566
OS: Windows 7 Ultimate 64bit/Ubuntu 14.04 LTS 64bit



I agree here. No matter what you do to solve the issue removing infections, you will still have many problems in the future. Whatever infections you have or had already compromised Windows, and clearly it is too late to fix. As spunk.funk mentioned, a clean reinstall of Windows is your best option. Back up all important files, and make sure to scan the media that you back the files up to (do not open or run any files on the backup media drive) from an off-site PC with a good to great AV program, so you do not spread any potential infections to your newly reinstalled Windows.
JackBauer_24 is offline  
 
Old 02-09-2012, 09:13 AM   #4
Registered Member
 
Join Date: Feb 2012
Posts: 6
OS: XP SP2



I'm not so sure the infection is to blame for my immediate problems, though. I suspect that something I did to combat the infection is preventing the Windows Repair from completing. If anything remains of the infection, I can head to the Trojan forum and take further steps there, but right now I just want to get past this Repair process. Does the GLOBALROOT path it keeps displaying instead of D:\ indicate what could be wrong with my D: drive? And is there any way around that last dialogue box once my USB devices have been disabled by the Repair program; any way to prevent it from disabling my USB devices (unfortunately, my computer only has USB ports, so using an older keyboard and mouse is out of the question)?

I've already ordered an external HD (I was thinking of doing so anyway before all this), so I'm ready to backup files if I decide to start from scratch. Would using my Dell's Factory Reset (Ctrl+F10 at startup; I've already tested and it works) be a suitable alternative to going through a Formatting process? I've never formatted a drive or created a new drive partition or anything like that, and I worry that I might do something to cause further harm or not get all the proper system files installed. Does the Dell Reset have just as good a chance of repairing any damage?
Kosh is offline  
Old 02-09-2012, 09:17 AM   #5
TSF Team, Emeritus
 
 
Join Date: May 2007
Location: Houston, Texas
Posts: 54,258
OS: XP, Win 7



The Dell Factory reset will format the drive before it restores the image . . that should take care of any infection you may have.

At that point, the system will be exactly like it was shipped . . Blood, Guts and Feathers, so you will have to uninstall the junkware it comes with and reinstall Service Packs and Windows Updates . . and any applications you installed since you got it

See this for how it works:

Dell - Technical Support
Old Rich is offline  
Old 02-11-2012, 12:04 PM   #6
Registered Member
 
Join Date: Feb 2012
Posts: 6
OS: XP SP2



Well, I got the hard drive, but very discouragingly, I cannot get it recognized properly on the affected computer. I've tried copying the driver files from the HD and burning them to a CD on another computer. The drivers install, the devices all show up in the Device Manager, but the HD is not appearing in the My Computer window. Sure enough, if I restart, all the devices disappear from the Device Manager and I have to reinstall, so it's malfunctioning just like the CD Rom Drive. This is not happening with my Flash Drive, which is working just fine on the affected computer; I cannot understand why the HD won't work just as well. :|

So my only option now is to back up everything to the other computer using the Flash Drive, which means 16 gb increments and slower transfer speeds. I cannot imagine what is going on on this computer that could be causing all these drive problems. In any event, it's going to be a long weekend ...
Kosh is offline  
Old 02-11-2012, 12:37 PM   #7
Registered Member
 
Join Date: May 2010
Location: Los Angeles
Posts: 40,641
OS: Windows 10 64 bit



Put the new external drive on another computer and go to Start/Run and type diskmgmt.msc and press enter. In Disk Management, make sure the drive is recognized and has a partition that is formatted NTFS, if not make it so. If the drive has a power adapter be sure to use it and plug it directly into a wall socket and not a surge protector or extension cord as this weakens the power. Be sure to plug the USB cable into the Back USB port of the troubled computer and not the front or through a hub as these ports are weaker.
spunk.funk is offline  
Old 02-12-2012, 01:02 PM   #8
Registered Member
 
Join Date: Feb 2012
Posts: 6
OS: XP SP2



No, the hard drive was working fine on another computer. I just couldn't get it to show up in My Computer on the affected computer. I just performed the data backup with the flash drive; took longer and more trips but it got it done. I've now performed the system recovery and everything's back to the default. No problems, no missing drives, no trojans. Only problem is that I couldn't restore my browser settings; they were in a hidden folder that I missed. So I'm starting from scratch there, but everything else is back to normal. Thanks for the replies everyone!
Kosh is offline  
Old 02-12-2012, 01:17 PM   #9
Registered Member
 
Join Date: May 2010
Location: Los Angeles
Posts: 40,641
OS: Windows 10 64 bit



You are welcome! Glad you got it sorted. Please Mark this thread Solved in the Thread Tools at the top.
spunk.funk is offline  
Old 02-12-2012, 08:33 PM   #10
Registered Member
 
Join Date: Feb 2012
Posts: 6
OS: XP SP2



Hmm, those three items aren't dropdown menus for me. Clicking one takes me to the thread options at the bottom of the page and there's no 'Mark this thread as solved' down there. Same thing on Firefox (with lots of script blocking) and IE (with virtually none).

Edit: Never mind. Refreshing the window fixed it.
Kosh is offline  
All times are GMT -7. The time now is 09:20 PM.