XP won't start anymore

Bill H.

Oh, yeah, I searched through the entire registry. Just that one key.

It is under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The Name is Svelokara
Type REG_SZ
Data is rundll32.exe "C:\WINDOWS\Kroduk.dll",e

--Bill
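
An added example, not part of the original posts: a small Python triage script that reads saved `reg query` output for the Run key and lists every value that launches a DLL through rundll32, with the DLL path, the entry point and whether the file is on disk. The sample text is constructed (only the Svelokara value comes from the post above), and the function names are made up for this illustration.

```python
import os
import re

# Constructed sample of `reg query` output. The Svelokara value is the one
# quoted in the post; the other two values are invented for contrast.
SAMPLE = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Svelokara    REG_SZ    rundll32.exe "C:\WINDOWS\Kroduk.dll",e
    ExampleTray    REG_SZ    "C:\Program Files\Example\tray.exe" /min
    Example Helper    REG_EXPAND_SZ    %SystemRoot%\system32\RUNDLL32.EXE C:\Example\helper.dll,Start /q
'''

# name, type and data columns of one value line (value names may contain spaces)
VALUE_RE = re.compile(r'^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$')
# rundll32 with or without a directory, quotes or the .exe suffix
RUNDLL_RE = re.compile(r'^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+(?P<args>.+)$', re.I)


def parse_rundll32(data):
    """Return (dll_path, entry_point) if the command runs rundll32, else None."""
    m = RUNDLL_RE.match(data.strip())
    if not m:
        return None
    args = m.group('args').strip()
    if args.startswith('"'):              # "C:\dir with spaces\x.dll",entry
        dll, _, rest = args[1:].partition('"')
        rest = rest.lstrip(',')
    else:                                 # C:\dir\x.dll,entry
        dll, _, rest = args.partition(',')
    parts = rest.split()
    return dll.strip(), (parts[0] if parts else '')


def audit_run_values(reg_query_output, exists=os.path.exists):
    """List Run values that load a DLL via rundll32.

    `exists` is injectable so saved output can be checked against a mounted
    disk image; environment variables inside the DLL path are not expanded.
    """
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_RE.match(line)
        parsed = parse_rundll32(m.group('data')) if m else None
        if parsed is None:
            continue
        dll, entry = parsed
        findings.append({'value': m.group('name'), 'dll': dll,
                         'entry': entry, 'dll_present': exists(dll)})
    return findings


if __name__ == '__main__':
    for f in audit_run_values(SAMPLE):
        print(f)
```

A value reported with `dll_present` false is the situation described in this thread: the autorun entry exists, the DLL does not, and Windows shows a file-not-found dialog at logon.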
 
Bill H.

So how to fix? All the tools I've downloaded so far don't seem to do
anything with it, including sdfix. :-(

What is a "rootkit infection?"

--Bill
 
db ·´¯`·.¸. .>

perhaps, you might want
to search the disk and
also delete any files and
folders for those filenames.

also, you might want to
delete your prefetch folder.
 
Bill H.

I don't know what all the "leading scanners" are, but yes, I've tried
malwarebytes. It finds the registry key, removes it, but then on the
reboot, the key is back again, so I don't consider that as removing the
malware.

I've used AVG, SDFix, spybot, malwarebytes, windows defender, and combofix.
Even had a special script written just for me to use with combofix, and the
problem came back.

The good news is that the reg key tries to load that .dll, but the .dll is
not on the system and so far has not reappeared, so the worst seems to be to
dismiss the warning about windows not being able to find it, and just going
on. Of course, I wonder what would happen if that dll ever did reappear.
 
Bill H.

Update for this part of the thread.

Have been able to run in normal mode now for a couple of days, no problems,
except for the persistent appearance of the regkey that results in windows
file not found error when it first boots (can't find Kroduk.dll). I just
dismiss the box and windows takes off from there.

Have installed all the windows and office updates, except have not gone to
SP3 (the win cd I used for recovery console stuff is SP2, so since I've been
using that for help, such as installing any missing files in the dll cache,
I've not wanted to move to SP3).

The thing that seemed to help the most was running ComboFix, but I've been
doing other things as well, and maybe it's been the combination that's
helped the most.

Have also updated many programs, and found that Acrobat Reader had an "old"
auto downloader that they said could be a cause for concern. Have Windows
Defender, AVG (free version) and SpyBot now running on the system. Since I
have windows auto update turned off, I do get the warning about the system
not being "protected."

--Bill
 
Gerry

Bill

To see hidden files etc., go to Start, Control Panel, Folder Options,
View, Advanced Settings and verify that the box before "Show hidden
files and folders" is checked and "Hide protected operating system
files" is unchecked. You may need to scroll down to see the second item.
You should also make certain that the box before "Hide extensions for
known file types" is not checked. Next in Windows Explorer make sure
View, Details is selected and then select View, Choose Details and check
before Name, Type, Total Size, and Free Space.

--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
db.·.. >

it's in the windows
system folder and
you would simply
want to delete the
files inside it.

windows will rebuild
each file as time goes on.

it's easier to simply delete
everything in it, instead of
trying to find which particular
prefetch may be targeting
the malware.
--

db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
 
db.·.. >

ok, at this time create
a system restore point
to record this semi functional
state.

afterwards you may have to use
the find menu option in the registry
to locate all the keys with that file
name so you can delete
them.

it is likely that the file the
key is referencing, no longer
exists on the harddrive, hence
the registry nagging you about
that file.

in addition you might also want
to run:

http://onecare.live.com/site/en-US/article/registry_cleaner_why.htm

though the page above is
referring to the registry, the
button for full scan will also
sweep your disk for viruses.

so go ahead and run the
above after disabling your
installed a.v.'s first.

you only need one antiviral
running at any one time.

--

db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
 
Bill H.

cleaned out prefetch, and removed the registry entry before rebooting.

Didn't help the Kroduk.dll wanting to start...

--Bill
 
db.·.. >

ok, so now click on
start>run>msconfig

and disable all your
startups and then go
to the services tab,
hide all microsoft and
disable what remains.

perhaps, you have done
the above already.

unfortunately, i haven't been
following the thread.

in any case reboot and see
what occurs.

--

db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
 
Bill H.

Yes, I've done that a few times, generally using the Diagnostic startup
option, which turns off even more.

But I've not tried recently (since getting rid of the other malware and
installing updates, spybot, AVG, etc.), so here goes (after removing the
entry from the registry)...

Hm. It's not coming back. OK, let's start adding back in stuff to run.

Still not coming back, and msconfig is set to normal startup now. Several
reboots and power cycles later, it's still gone.

Now that's a mystery!

Hope I'm not celebrating too early (like, will it come back after nn number
of reboots/power cycles??)

--Bill
 
db.·.. >

well, it's not always
that the help we provide
is in real time.

the statement that sends
shivers down our timbers
is:

"OK, let's start adding back in stuff to run"

what needs to occur is
know exactly what the
stuff is.

what if one of the "stuffs"
is the culprit that is needing
that obscure file.

what if you discover one of
the stuffs which you think
is safe is no longer working
and you reinstall the problem?

perhaps, all your stuffs need
to be uninstalled totally.

maybe you can provide us
with a listing of these stuffs
so that we can help determine
their importance.

ps: make a restore point at
this time.

--

db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
 
Bill H.

Yes...

I have made a few restore points, and at this point, I have returned the
computer to its owner, and we'll see how long it keeps working.

The last hurdle was that "something" was putting an entry back into the
registry that wanted to run Kroduk.dll on win logon.

The Kroduk.dll file is not there, and nothing put it back into the registry
after many reboots, power cycles, etc.

So, for now, we'll see...
 
db.·.. >

ok,

case of the
XP won't start anymore
is closed...

--

db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
 
mslovelessinga

Hey, my stupid cousin went and got a virus on her pc and I had to clean it,
again. This time when I tried to re-install Windows XP home all I got was
this black screen that says, "NTLDR is missing". What can I do to get
anywhere near the BIOS screen to start in another mode? Oh, I forgot to
mention that the pc was already cleaned prior to being given to her and the
original O/S was Windows Pro. I used Drive Erase Pro to get rid of everything
including the creepy virus.
 
coolcreek

I see it has been months since you addressed this issue. Here's my problem: I
cannot start in Safe Mode, I cannot start in Last Known Configuration. My
computer just keeps looping to the boot sequence. I had just gone to Restore
because my wife's icons had all disappeared (mine were still visible). Once
the computer went to reboot with restore that's when windows quit starting.
The system goes to the first "Windows starting" screen, the black one, then the
screen flashes and goes back to the booting sequence. You have no idea the
trouble I am in over this. Any help will be appreciated. Thank you
 
Patrick Keenan

coolcreek said:
I see it has been months since you addressed this issue. Here's my problem: I
cannot start in Safe Mode, I cannot start in Last Known Configuration. My
computer just keeps looping to the boot sequence. I had just gone to Restore
because my wife's icons had all disappeared (mine were still visible). Once
the computer went to reboot with restore that's when windows quit starting.
The system goes to the first "Windows starting" screen, the black one, then the
screen flashes and goes back to the booting sequence. You have no idea the
trouble I am in over this. Any help will be appreciated. Thank you

Try this. Attach the drive to another system - you may need help with
this - and delete from the root, the file "pagefile.sys". Put the drive
back, and restart. You may need to restart twice.

It can happen that the pagefile becomes corrupted (a brief, repeated power
bounce can do this) and it can cause exactly the symptoms you describe.

HTH
-pk
 
