07-11-2012 04:38 PM - edited 07-11-2012 05:28 PM
My sincere apologies for not having replied to your query earlier. I have an observation regarding the problem you are facing.
I installed XP and also installed the recovery console. I ran a rootkit scan using NPE. NPE restarted the machine, the machine booted into XP installation; NPE started the scan. The scan completed successfully without any issues.
What's interesting is I did not find "Windows(default)" boot entry in the boot menu when the machine came up during restart. I had only two entries; 1 that of XP installation and the other one was the recovery console boot option.
Can you please shed light on the third entry that you have?
Nothing more than I originally stated. It was indeed one of the weirdest things I have seen in a while. The "Windows(default)" entry was the last line in the hosed boot.ini file. This was on my daughter's PC which is located 700 miles from where I am at presently. I can't remember if I saved the old boot.ini file but I don't want her messing around in the XP root directory.
Norton NIS 2011 and MBAM Pro were installed on the PC.
Since this has happened to others as posted in this forum, I appear not to be alone.
-Edit- This PC is a 7-year-old Compaq Presario with two partitions: C: where XP SP3 is installed and D: that contains a Compaq OEM image for system recovery. Norton Ghost 9 is also installed.
I also ran NPE with rootkit boot scan on my son-in-law's PC with Norton Ghost 9 installed w/o issue. However, I built that PC and it does not have an OEM recovery partition. It does have a second partition that contains a Ghost image backup. Also Windows Recovery console is not installed on that PC.
Might be something with the Windows Recovery console installation and an OEM recovery partition incompatible with NPE?
07-14-2012 01:55 AM
Thanks for your help to locate & install Boot.ini. I will try it on the infected PC. However, I'm out of town and won't return for about 4 weeks. The PC I'm using (out-of-town) is almost identical to the infected one, so I was able to locate the files on it according to your instructions. I will copy them and use them if they no longer exist on the infected PC.
I believe you said that the error message for HAL.dll is just bogus. The locations I found for it on the "out-of-town" PC are
If these look O.K. on the infected PC, then it's probably only the Boot.ini causing the problem.
I'll get back to you after I try the boot repair in 4 weeks.
P.S. I don't seem to be informed by e-mail when another post is made to this thread.
07-14-2012 12:53 PM
You have to rebuild your boot.ini. (apparently NPE can't handle a system with more than two operating systems or a modified boot.ini. The NPE program should make that clear when you are given the option to run the rootkit reboot).
Quads posted this in response to a similar thread:
If this does not resolve the problem: Replace the "hal.dll" file
08-11-2012 09:27 AM
Hi donziehm -
I finally returned to town and checked out the HAL.DLL and also the boot.ini file (both in C:\). The HAL.DLL file was still there, but it was hidden. (I had to "unhide" the protected files to view it.) The boot.ini was there, also. However, I replaced the boot.ini file with the BOOT.INI from the good (out-of-town) computer. Now start-up seems to work O.K.
08-11-2012 10:48 AM
Here's another question I forgot to ask. When I did a "System Restore", it reassigned the Hard Drive letters as follows:
Presario (C:) stayed the same
Second Hard Drive - was 80GB (G:) & now is 80GB (D:)
Compaq Partition on C: Drive - was PRESARIO_RP (D:) & now is PRESARIO_RP (E:)
Is there a way to get drive assignments back to normal?