Windows XP stops after boot - stuck with black screen

    Question

  • Hi!

    Quite a lot of my friends (10 so far) called me with this problem in the last 2 days. (Separate cities and sub-cultures.) And then I found many posts about this problem on other forums - without a solution.
    Their computers crashed, and the taskbar did not work. They could only restart with the power-off switch, but after this restart and the boot,
    Windows got stuck with a black background. The cursor was movable in all cases.

    Wide range of XP systems: some of them were SP2, but some SP3 too. (Some of them had automatic update off, others had it "VERY" on - I mean they always install every Microsoft update immediately.) (Both English and Hungarian versions.)
    Wide range of defenses: Avira, NIS, Agnitum outpost security, McAfee, Nod32, NOD 3, SAS, Kaspersky IS, windows integrated firewall etc...

    They tried these, without success:
    - Safe mode (just the same happens as in normal mode)
    - chkdsk
    - repair install
    - checked all of the files with antivirus and antispyware programs - but did not find anything (from a working xp)
    - unplugged internet, and other devices like printer, webcam, etc...
    - they had enough space on their drives... (all at least 5-10 Gbyte)

    So I am out of ideas.
    (I did not find any relation between the cases. I asked even their internet browsers type, but no coincidence... IExplorer, Opera, Firefox)

    I would appreciate every bit of help!
    (At the moment my computers are ok, but I would like to be up to date, and help them... This problem is spreading quite fast, as far as I can see.)
    Thursday, October 15, 2009 11:30 AM

All replies

  • I have had the exact same problem with three different PCs at three different locations over the past three days. Two have been reformatted, and I'm backing up the third now after working on it for six hours today. Here's what I've done so far:

    Safe Mode, any setting, you get a black screen and no logon. CAD x2 doesn't work. Can't pull up Task Manager.
    Chkdsk /p /r found an error on the third PC, but didn't fix the no logon issue.
    Repair Install on the 2nd PC - after initial file copy, it reboots to a blue screen with no logon prompt and just sits.
    Malware scan doesn't turn up anything.
    Disabled all onboard devices save video. Same issue.
    Plenty of hard drive space.
    Emptied all the autorun keys in the registry.
    Can't use RDP to connect. Network appears to never start; can't ping PC.
    Disabled NIC driver via Recovery Console.
    Disabled Server & Workstation services.
    Manual System Restore - oops, System Restore was turned off <scream>
    Replaced system files related to logon

    On PC #3, it happened around 2PM CDT 2009-10-14. User started getting network errors; eventually cut power to the system. When she turned it back on, wallpaper, pointer, no Log On To Windows box.

    Open to suggestions! I *really* don't want to reformat this particular PC.

    More info:
    I can find absolutely no similarity between the three PCs, except they were all running XP Pro. Two of 'em at SP3, one at SP2, though. Different apps, software, domain or workgroup, browsers, e-mail apps or webmail... I'm stumped.
    Thursday, October 15, 2009 9:22 PM
  • Is there any way for you to see if "shell32.dll" is present? If it somehow became corrupted or deleted, then the "shell", which is what you're talking about there, wouldn't come up. If you can boot into Recovery Console, or even slave it, or use Safe Mode with Command Prompt, then you can use the copy out of "C:\Windows\Service Pack Files\i386" to test and see if that's the problem.
    Friday, October 16, 2009 12:32 AM
  • Hello,

    I have 3 computers in my shop to be repaired with this same problem. All were brought in on the same day (10/14/09). They have very little in common. Two are running XP Media Center. The other is XP Pro. I don't know their automatic update status. I don't have any help to offer but am hoping this additional information will help someone figure this thing out. I can't help wondering if Windows updates are to blame, though, due to the fact that about 13 new updates were just released on Tuesday (10/13).

    I am new to the forum. Hope I am not committing any social errors by jumping in.

    Friday, October 16, 2009 12:59 AM
  • We are a computer repair company and have the same issue with two different computers, one yesterday and one today.  We have done the same steps as you and not been able to get any progress.  We even renamed the "Documents and Settings" folder and it still showed up with the black screen with the mouse cursor, no errors at all.

    We have also tried copying the registry files from C:\Windows\repair to C:\Windows\System32\Config which made no difference either.

    Booting into either Ubuntu or Bart PE via CD works fine, so it seems like one or more of the recent Windows updates have caused the issue.
    Friday, October 16, 2009 1:15 AM
  • can any of you check for the "shell32.dll" ?
    Friday, October 16, 2009 1:21 AM
  • To securityguy14,

    Can't get to the computers at the moment. Will try this first thing in the morning and report back unless someone else beats me to it.

    Friday, October 16, 2009 1:25 AM
  • Well, even if it's present, try and see if replacing it with the copy from "C:\Windows\Service Pack Files\i386" helps. Even if present it could be corrupt, so that can be either verified or ruled out.
    Friday, October 16, 2009 1:32 AM
  • Sorry, I forgot to say that I did copy the shell32.dll from the System32 folder from another machine as the problem PC didn't have a Service Pack Files folder.  The machine I copied it from was a SP3 machine whereas the one I copied it to was SP2 but it didn't make any difference at all.
    Friday, October 16, 2009 1:37 AM
  • then can anyone check for the following registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" within that there should be the following

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common Desktop REG_EXPAND_SZ %ALLUSERSPROFILE%\Desktop 

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common Start Menu REG_EXPAND_SZ %ALLUSERSPROFILE%\Start Menu
     
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common Programs REG_EXPAND_SZ %ALLUSERSPROFILE%\Start Menu\Programs 
     
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common Startup REG_EXPAND_SZ %ALLUSERSPROFILE%\Start Menu\Programs\Startup
     
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common AppData REG_EXPAND_SZ %ALLUSERSPROFILE%\Application Data 
     
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common Templates REG_EXPAND_SZ %ALLUSERSPROFILE%\Templates 
     
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common Favorites REG_EXPAND_SZ %ALLUSERSPROFILE%\Favorites 
     
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common Documents REG_EXPAND_SZ %ALLUSERSPROFILE%\Documents  

    Friday, October 16, 2009 2:24 AM
  • I checked the registry entries via Bart PE CD and they are all there, although via Bart PE it is "HKLM\SOFTWARE_ON_C\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
    Friday, October 16, 2009 2:40 AM
  • This may be of help:

    http://www.microsoft.com/technet/security/Bulletin/MS09-oct.mspx - MS Security Bulletin for October 2009

    http://arstechnica.com/microsoft/news/2009/10/microsoft-patch-tuesday-for-october-2009-13-bulletins.ars - Same thing @ Ars Technica, basically

    I wonder if the SMB fix is involved in this somehow, since none of the PCs get an IP and can't be pinged. Will look in the morning.
    Friday, October 16, 2009 3:00 AM
  • If you're still on there with Bart PE, check within the following; it should list the "shell" items:
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"     That one should have information something like this:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common AppData REG_SZ C:\Documents and Settings\All Users\Application Data
      
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common Programs REG_SZ C:\Documents and Settings\All Users\Start Menu\Programs 
     
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common Documents REG_SZ C:\Documents and Settings\All Users\Documents 
     
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common Desktop REG_SZ C:\Documents and Settings\All Users\Desktop 
     
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common Start Menu REG_SZ C:\Documents and Settings\All Users\Start Menu 
     
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders CommonPictures REG_SZ C:\Documents and Settings\All Users\Documents\My Pictures
      
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders CommonMusic REG_SZ C:\Documents and Settings\All Users\Documents\My Music 
     
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders CommonVideo REG_SZ C:\Documents and Settings\All Users\Documents\My Videos 
     
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common Favorites REG_SZ C:\Documents and Settings\All Users\Favorites 
     
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common Startup REG_SZ C:\Documents and Settings\All Users\Start Menu\Programs\Startup 
     

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common Templates REG_SZ C:\Documents and Settings\All Users\Templates 

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Personal REG_SZ C:\Documents and Settings\user-name

    Friday, October 16, 2009 3:03 AM
  • Yes all of those registry entries are there plus "Common Administrative Tools".  Is the "Personal" one the last logged on user?
    Friday, October 16, 2009 3:24 AM
  • how about the HKCU key then, see if these entries are there, it might be a corruption of that key

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders AppData REG_EXPAND_SZ %USERPROFILE%\Application Data 
     
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Desktop REG_EXPAND_SZ %USERPROFILE%\Desktop 

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Favorites REG_EXPAND_SZ %USERPROFILE%\Favorites  

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders NetHood REG_EXPAND_SZ %USERPROFILE%\NetHood 

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Personal REG_EXPAND_SZ %USERPROFILE%\My Documents 
     
    HKCU\Software\Microsoft\Windows\CurrentVersion\Expl

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Programs REG_EXPAND_SZ %USERPROFILE%\Start Menu\Programs 

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SendTo REG_EXPAND_SZ %USERPROFILE%\SendTo 

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Start Menu REG_EXPAND_SZ %USERPROFILE%\Start Menu 

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup REG_EXPAND_SZ %USERPROFILE%\Start Menu\Programs\Startup 
     
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Templates REG_EXPAND_SZ %USERPROFILE%\Templates  

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders My Pictures REG_EXPAND_SZ %USERPROFILE%\My Documents\My Pictures 

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Local Settings REG_EXPAND_SZ %USERPROFILE%\Local Settings  

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Local AppData REG_EXPAND_SZ %USERPROFILE%\Local Settings\Application Data
      
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cache REG_EXPAND_SZ %USERPROFILE%\Local Settings\Temporary Internet Files 
     
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cookies REG_EXPAND_SZ %USERPROFILE%\Cookies 

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders History REG_EXPAND_SZ %USERPROFILE%\Local Settings\History  




    now,,those also should be enumerated under

    "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
    with the same subkeys as the other ( ie.,  Application Data ,Desktop ,Favorites  , etc.)

    Friday, October 16, 2009 3:38 AM
  • if you check that then also check for the same key path in HKU, that more than likely wouldnt be a problem since it mostly is just a mount point for HKCU and some in HKLM
    Friday, October 16, 2009 4:02 AM
  • if you check that then also check for the same key path in HKU, that more than likely would be a problem since it mostly is just a mount point for HKCU and some in HKLM

    that was supposed to be "wouldnt" and it wouldnt let me edit it  LOL
    Friday, October 16, 2009 4:04 AM
  • Update:
    Here's what I have tried so far...
    Scanned for malware
    Turned off all auto-run items (Startup folders, registry "Run" items, etc.)
    Repaired Windows from the installation CD
    Checked all of the Registry entries as suggested by securityguy14
    Copied these files from a working system:
    NTOSKRNL.EXE
    SMSS.EXE
    WIN32K.SYS
    CSRSS.EXE
    WINLOGON.EXE
    LSASS.EXE
    MSGINA.DLL
    SERVICES.EXE
    SHELL32.DLL
    I copied these files as I think all of them are involved in the initial boot up process. Have done all of this work with the hard drive attached as a slave on a working system. So far no luck. Browsing through other forums also and no one seems to have a solution.
    Friday, October 16, 2009 2:03 PM
  • If anyone has the means and wants to try an uninstall of the latest updates to see if that will help, the following are the uninstall directories:

    %Windir%\$NTUninstallKB975254$\Spuninst              %Windir%\$NTUninstallKB958869$\Spuninst
    %Windir%\$NTUninstallKB953295$\Spuninst              %Windir%\$NTUninstallKB953297$\Spuninst
    %Windir%\$NTUninstallKB953300$\Spuninst              %Windir%\$NTUninstallKB974417$\Spuninst
    %Windir%\$NTUninstallKB975467$\Spuninst              %Windir%\$NTUninstallKB971486$\Spuninst
    %Windir%\$NTUninstallKB969059$\Spuninst              %Windir%\$NTUninstallKB974571$\Spuninst
     %Windir%\$NTUninstallKB973525$\Spuninst             %Windir%\$NTUninstallKB974455$\Spuninst
    %Windir%\ie7updates\KB974455-IE7\spuninst           %Windir%\ie8updates\KB974455-IE8\spuninst
    %Windir%\$NTUninstallKB974112$\Spuninst              %Windir%\$NTUninstallKB975254$\Spuninst
    %Windir%\$NTUninstallKB969878_WM9L$\Spuninst     %Windir%\$NtUninstallKB954155_WM9$\spuninst
    %Windir%\$NtUninstallKB954155$\spuninst               %Windir%\$NtUninstallKB954155_WM10Lx64$\spuninst
    %Windir%\$NtUninstallKB954155_WM11x64$\spuninst        %Windir%\$NTUninstallKB975025$\Spuninst
    Friday, October 16, 2009 2:15 PM
  • I'm still backing up data on this PC; if it finishes before noon, I'll try this & let you know.
    Friday, October 16, 2009 2:46 PM
  • If anyone has the means and wants to try an uninstall of the latest updates to see if that will help, the following are the uninstall directories:

    %Windir%\$NTUninstallKB975254$\Spuninst              %Windir%\$NTUninstallKB958869$\Spuninst
    %Windir%\$NTUninstallKB953295$\Spuninst              %Windir%\$NTUninstallKB953297$\Spuninst
    %Windir%\$NTUninstallKB953300$\Spuninst              %Windir%\$NTUninstallKB974417$\Spuninst
    %Windir%\$NTUninstallKB975467$\Spuninst              %Windir%\$NTUninstallKB971486$\Spuninst
    %Windir%\$NTUninstallKB969059$\Spuninst              %Windir%\$NTUninstallKB974571$\Spuninst
     %Windir%\$NTUninstallKB973525$\Spuninst             %Windir%\$NTUninstallKB974455$\Spuninst
    %Windir%\ie7updates\KB974455-IE7\spuninst           %Windir%\ie8updates\KB974455-IE8\spuninst
    %Windir%\$NTUninstallKB974112$\Spuninst              %Windir%\$NTUninstallKB975254$\Spuninst
    %Windir%\$NTUninstallKB969878_WM9L$\Spuninst     %Windir%\$NtUninstallKB954155_WM9$\spuninst
    %Windir%\$NtUninstallKB954155$\spuninst               %Windir%\$NtUninstallKB954155_WM10Lx64$\spuninst
    %Windir%\$NtUninstallKB954155_WM11x64$\spuninst        %Windir%\$NTUninstallKB975025$\Spuninst
    Any advice on what means to use? Booting from a Windows (WinPE) CD for example???
    Friday, October 16, 2009 3:03 PM
  • You could do it that way, just look for the "Spuninst.exe" within the subfolder of those directories. If you wanted to try to narrow it down (if that ends up being the problem), then uninstall one at a time and see if it makes any difference afterward with each one.
    Friday, October 16, 2009 3:07 PM
  • I haven't seen it mentioned: can anyone bring up Task Manager (Ctrl+Alt+Del)?
    Friday, October 16, 2009 3:33 PM
  • The reason I asked: it really almost sounds like it's a case that explorer.exe isn't running, and if the Task Manager will come up, then starting a new "explorer shell" should work.
    Friday, October 16, 2009 3:42 PM
  • I mentioned it - you can't bring up TaskMan at all. Anything, in fact. It just sits there. You can move the mouse around all day, however, and the lock keys on the keyboard don't freeze either.

    Tried the update uninstalls, BTW; no joy.

    • Proposed as answer by Tesdall Friday, October 16, 2009 4:02 PM
    Friday, October 16, 2009 3:50 PM
  • ermm....has anyone tried a repair install?

    Friday, October 16, 2009 4:02 PM
  • Yes, I think that was mentioned in the first post.
    Friday, October 16, 2009 4:05 PM
  • Some more info...

    Just for grins, I tried putting "C:\Windows\system32\restore\rstrui.exe" into

    HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\Shell
    -- and --
    HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\Userinit

    No change. Didn't really expect it to run System Restore but the interesting thing to me is that it didn't change the behavior at all. So Windows is not even getting to the point where it loads the shell, network connections, logon stuff, etc.
    Friday, October 16, 2009 4:37 PM
  • I have to reformat the one I'm working on, so I'm not going to be much more help unless I get a fourth one (and I hope I don't).

    Friday, October 16, 2009 4:43 PM
  • Some more info...

    Just for grins, I tried putting "C:\Windows\system32\restore\rstrui.exe" into

    HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\Shell
    -- and --
    HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\Userinit

    No change. Didn't really expect it to run System Restore but the interesting thing to me is that it didn't change the behavior at all. So Windows is not even getting to the point where it loads the shell, network connections, logon stuff, etc.

    you mentioned in a previous post about trying to copy some system files (NTOSKRNL.EXE,SMSS.EXE, WIN32K.SYS, etc.) did you try the EXPLORER.EXE



    Friday, October 16, 2009 4:46 PM
  • Yes I copied explorer.exe. Looks like I left it off of the list in my previous post. Sorry for the oversight.
    Friday, October 16, 2009 4:52 PM
  • If you have another machine and can start the Recovery Console, try "listsvc" and see what's running and what's not.
    Friday, October 16, 2009 5:03 PM
  • You know, looking back over everything that has been listed as being tried, I can't see anything that isn't covered that might be the cause. We might be taking the wrong approach here. Has anyone taken a look at the BIOS? Maybe the recent update put the BIOS firmware outdated. If anyone wants to try and update that, maybe flash the BIOS with the latest ones available.
    Friday, October 16, 2009 5:13 PM
  • I found a fix for when booting Windows XP, the OS never fully loads up into Windows, and just sits there. The Fix is:

    "robbieart24-May-2005, 01:43 AM
    Just to let everyone know.... While surfing through the internet I found someone who solved this problem and has a way to fix it. There are 2 registry keys in the registry that are causing the problem. It affects the explorer.exe and iexplorer.exe files.

    This is the key that needs to be deleted...

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe

    Once these keys are deleted the desktop and internet explorer should come back to life.

    Thank you whoever found this information and I hope this will be a benefit to someone else out there.

    Thanks."


    This solution actually worked for me, when replacing explorer.exe and a repair install didn't work. I even tried to reinstall SP2 to fix this one. I did the SP2 through still being able to run programs after Ctrl+Alt+Del using the task manager.

    Friday, October 16, 2009 5:24 PM
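Added example, not part of the thread and not any poster's code: a triage script for the two registry locations discussed in the posts above, the Winlogon `Shell`/`Userinit` values and the `Image File Execution Options` keys for the shell images. It reads a text `.reg` export of the offline SOFTWARE hive, so the mount name Bart PE shows (such as `SOFTWARE_ON_C`) does not matter. The function names, the constructed sample export and the assumption that Windows lives in `C:\WINDOWS` are this example's own.

```python
import re

# Stock Windows XP values, compared case-insensitively. The Userinit path
# assumes Windows is installed in C:\WINDOWS (assumption of this example).
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": "c:\\windows\\system32\\userinit.exe,",
}
# Matched as suffix/substring so any hive mount name (SOFTWARE, SOFTWARE_ON_C) works.
WINLOGON_SUFFIX = "\\microsoft\\windows nt\\currentversion\\winlogon"
IFEO_MARKER = "\\microsoft\\windows nt\\currentversion\\image file execution options\\"
# Image names from the thread, plus iexplore.exe (Internet Explorer's actual file name).
SHELL_IMAGES = {"explorer.exe", "iexplorer.exe", "iexplore.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")
STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", lambda m: m.group(1), s)


def parse_reg(text):
    """Return {key path: {lower-cased value name: data}} for string values.

    `text` must already be decoded; regedit writes version 5 exports as UTF-16.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = STR_RE.match(line)
        if m and current is not None:
            current[unescape(m.group(1)).lower()] = unescape(m.group(2))
    return keys


def triage(text):
    """Return a list of (kind, key, value name, data) findings."""
    findings = []
    for key, values in parse_reg(text).items():
        low = key.lower()
        if low.endswith(WINLOGON_SUFFIX):
            for name, expected in WINLOGON_DEFAULTS.items():
                actual = values.get(name)  # None means the value is missing
                if actual is None or actual.strip().lower() != expected:
                    findings.append(("winlogon", key, name, actual))
        elif IFEO_MARKER in low and "debugger" in values:
            # A Debugger value makes Windows launch that program instead of the image.
            image = low.rsplit("\\", 1)[1]
            kind = "ifeo-shell-image" if image in SHELL_IMAGES else "ifeo-other"
            findings.append((kind, key, "debugger", values["debugger"]))
    return findings


# Constructed sample export: Shell changed as in the System Restore experiment
# described in the thread, plus a placeholder Debugger on explorer.exe.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE_ON_C\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Windows\\system32\\restore\\rstrui.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE_ON_C\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\constructed\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE_ON_C\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"="0x00000000"
"""

if __name__ == "__main__":
    for kind, key, name, data in triage(SAMPLE_EXPORT):
        print(f"{kind}: {key} -> {name} = {data!r}")
```

An empty result only rules out these two locations; it says nothing about the rest of the hive.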
  • I found a fix for when booting Windows XP, the OS never fully loads up into Windows, and just sits there. The Fix is:

    "robbieart24-May-2005, 01:43 AM
    Just to let everyone know.... While surfing through the internet I found someone who solved this problem and has a way to fix it. There are 2 registry keys in the registry that are causing the problem. It affects the explorer.exe and iexplorer.exe files.

    This is the key that needs to be deleted...

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe

    Once these keys are deleted the desktop and internet explorer should come back to life.

    Thank you whoever found this information and I hope this will be a benefit to someone else out there.

    Thanks."


    This solution actually worked for me, when replacing explorer.exe and a repair install didn't work. I even tried to reinstall SP2 to fix this one. I did the SP2 through still being able to run programs after Ctrl+Alt+Del using the task manager.


    Checked all 3 of the computers that I am having this problem with. None of them have these registry entries. It appears that Tesdall's problem was different from mine. I am trying a bios upgrade as suggested by securityguy14. Will report back later.
    Friday, October 16, 2009 6:00 PM
  • You know, dealing with another post I thought about something: if you can get to the update log in "C:\WINDOWS\Windowsupdate.log" it might tell you something about something gone wrong with the update. That's IF it's related to the update.
    Friday, October 16, 2009 6:06 PM
  • BIOS upgrade did not help. I looked at the update logs and found no problems listed. But I did find an interesting bit of information. One of the three computers I am dealing with indicates no updates installed after 10-11-09. Meaning that the updates released on Tuesday are probably not at fault here. I am at the point of giving up and reformatting these to get them working. But one of them belongs to a business and has a "mission critical" program installed. It was installed by a government agency and it will be difficult and time consuming to get it installed again. I am beginning to suspect malware even though scans found nothing. Does anyone have any other ideas?
    Friday, October 16, 2009 6:27 PM
  • Boot to a BartPE boot disk and do a malware scan / antivirus scan from there. Maybe a rootkit: Microsoft RootkitRevealer...

    Doesn't make sense. The only thing in common is you. Do you have something on their machines, LogMeIn or anything like that? securityguy, you're not allowed to steal from my thread :)
    Friday, October 16, 2009 6:48 PM
  • I have worked on one of these computers before. The other two are new to me. So they don't even have me in common. Scan from a bootable CD is a good idea and I will try that later. Right now I am going through the motions of Windows Repair on one of the systems. Yes, it has already been tried, but not since I copied files from another system and updated the BIOS.
    Friday, October 16, 2009 7:04 PM
  • Boot to a BartPE boot disk and do a malware scan / antivirus scan from there. Maybe a rootkit: Microsoft RootkitRevealer...

    Doesn't make sense. The only thing in common is you. Do you have something on their machines, LogMeIn or anything like that? securityguy, you're not allowed to steal from my thread :)

    LOL, well I'm the one who mentioned it on YOUR thread  LOL
    Friday, October 16, 2009 7:08 PM
  • When I meant "you" I mean something you use in common. LogMeIn, pcAnywhere, VNC. Tools that would allow you to get to their machines or something along those lines. Not you as a person :)

    Anyway, it's just really weird to have 10 different systems have this happen to them all at once. A new spyware/malware or virus comes to mind, or a patch. But you said this is happening to a machine that has not had updates for 1 year or so. Which would lead me back to spyware / malware / virus. I said rootkit somewhere before as well. May have a rootkit problem.
    Friday, October 16, 2009 7:10 PM
  • Tesdall: I can't see it as being a rootkit or malware related, not when all of them seem to be right after the major update they just went through.

    Someone mentioned that they had booted to Bart PE earlier. Can someone try that and use the "Registry Repair Wizard" to see if it is ANYTHING registry related? At least that way ALL registry issues can be ruled out.
    Friday, October 16, 2009 7:19 PM
  • I just got my fourth one about a half-hour ago - this one is XP SP3 with Novell Client 4.91 SP3. So I'm back in the game! :D

    I'll try the registry repair wizard thingy if no one else has done it by the time I get there.

    EDIT: My first and second ones, I ran malware scans with VIPRE and MalwareBytes - the first one had a backdoor, the second was clean.

    • Edited by jfh2112 Friday, October 16, 2009 8:24 PM malware info
    Friday, October 16, 2009 8:24 PM
  • Now I THINK that Bart PE has that; I know that UBCD4WIN does. It restores the registry from restore points that it finds in "System Volume Information", the registry information from those points, and it hits all 5 hives. So if it's anything at all registry related, that should take care of it. At least then the registry could be completely ruled out if it doesn't, and if it does, then we just need to figure out where in there, but that would do it till then.
    Friday, October 16, 2009 8:29 PM
  • This happened to my machine this morning.  I can boot Safe Mode with Command Prompt and have a working command prompt window with working mouse cursor.  All command line commands that I have tried work, including XCOPY.  My file system appears to be intact and CHKDSK reports no problems with C:  USB drives work and I can even transfer files to my thumb drive. 

    This definitely was related to a Windows Automatic Update.  I have the WindowsUpdate.log from the machine on my thumb drive and can post the portion from the last update if that would help.  I'm new here.  Do I just paste it inline or is there a way to attach it?

    Cal
    Friday, October 16, 2009 8:56 PM
  • well the log would be pretty long,, you could post it, but if you could just upload it to somewhere like windows skydrive and post the link here
    Friday, October 16, 2009 9:02 PM
  • well the log would be pretty long,, you could post it, but if you could just upload it to somewhere like windows skydrive and post the link here

    I clipped out the portion for the fatal update, it's about 63kb.  I'll see if I can figure out how to use skydrive.

    Is there anything in particular in the log file that I should be Looking for?

    Cal
    Friday, October 16, 2009 9:06 PM
  • I have one of my 3 machines working.

    I found a backup copy of the registry on the original backup that we did when the computer arrived in the shop. (We pull all hard drives and make a backup before we start work on them.) I copied the backup of "Software" only to the config folder on the hard drive. And it booted! It started running Windows Setup. This could be for one of two reasons. 1) We had already tried to do a Windows repair on this computer so it may have been just finishing up that process, or 2) The backup file was quite old so it could be from the original Windows install. There are some programs that don't work but it is up and running.

    Keeping in mind that I already copied files from another computer and updated the BIOS, I still think this is a problem with the registry, specifically the Software subkey. And at this point I agree with Cal401. I think it is related to recent Windows updates. Update logs on this computer don't show any entries after last Sunday, but I don't trust the log file because I don't trust that the update process worked correctly. I am going to try this on the two other computers. Hopefully I will find a more recent backup of the registry. One of the two remaining computers has NOT had an attempt to do Windows Repair. I will let you know how it turns out.
    Friday, October 16, 2009 9:26 PM
  • And now I have my fifth one! This is getting ridiculous.
    Friday, October 16, 2009 9:27 PM
  • I haven't gone through the log much yet, but can someone try this: copy "wuauclt.exe" and "wucltui.dll" from a good source. I found a lot of warning references to it. I just haven't had time to look through the rest yet and try to decipher it.
    Friday, October 16, 2009 9:45 PM
  • and "wuaueng.dll"
    Friday, October 16, 2009 9:50 PM
  • and "wuaueng.dll"

    That looks like the last one called on this log that it couldn't find, and it calls for a fatal shutdown afterward.
    Friday, October 16, 2009 9:52 PM
  • I think I may have found something. Try this: in Recovery Console, "cd %windir%" then "ren SoftwareDistribution SDTemp". Try that and see if it will work from a reboot, and if not, see if it will let you at least do a repair install afterward. I found a LOT of errors "0x80070002" and that's the recommended action by Microsoft for that error.
    Friday, October 16, 2009 10:06 PM
  • FWIW, this machine has been hanging after automatic updates for some time.  I'll come in and find it with a blank, black screen with only a movable cursor displayed.  The machine will not respond to Ctrl-Alt-Del.  The only option is to force it to power down by holding down the power button.  In the past it has booted normally after that.  The message from Windows that an automatic update had been performed always displays after one of these events.  That's what happened today, only it won't boot, except to Safe Mode Command Prompt.  I restarted the machine at 9:00 am today, if that helps with the log file.  The entire log only goes back to 9/16; I don't think I've had an automatic reboot in that time period.

    Has anyone else tried booting to Safe Mode Command Prompt?

    Assuming this is a problem with Windows Update, is there any way to make Microsoft aware of it?  Would they care if they knew?

    Cal
    Friday, October 16, 2009 10:15 PM
  • Try renaming the "SoftwareDistribution" folder, just before it calls for a forced reboot to finish the installation. I THINK, key word THINK, that it's trying to finish the install from that folder and having problems, but from what I can make of it, it keeps trying to finish the update installation and is stuck.
    Friday, October 16, 2009 10:20 PM
  • FWIW, this machine has been hanging after automatic updates for some time.  I'll come in and find it with a blank, black screen with only a movable cursor displayed.  The machine will not respond to Ctrl-Alt-Del.  The only option is to force it to power down by holding down the power button.  In the past it has booted normally after that.  The message from Windows that an automatic update had been performed always displays after one of these events.  That's what happened today, only it won't boot, except to Safe Mode Command Prompt.  I restarted the machine at 9:00 am today, if that helps with the log file.  The entire log only goes back to 9/16; I don't think I've had an automatic reboot in that time period.

    Has anyone else tried booting to Safe Mode Command Prompt?

    Assuming this is a problem with Windows Update, is there any way to make Microsoft aware of it?  Would they care if they knew?

    Cal

    I think the reason that you actually do see today's date on there is that it's trying to finish the update and failing with an error code of "0x80070002"
    Friday, October 16, 2009 10:32 PM
  • Sorry I didn't see your first post about renaming the file, I guess it came in while I was composing my last message.

    I renamed the file and tried restarting.  Things don't look any different, that is, I still get stuck with a blank light blue screen and a working cursor after logon.  I discovered that I can run applications by starting them with File/New Task (Run...) from Task Manager.  I've tried notepad and MS Word.  While I was doing that a notification from McAfee popped up announcing that they had completed their update.  So the system is alive, just the GUI is not working.

    Cal
    • Edited by Cal401 Wednesday, October 21, 2009 1:19 AM
    Friday, October 16, 2009 10:48 PM
  • Sorry I didn't see your first post about renaming the file, I guess it came in while I was composing my last message.

    I renamed the file and tried restarting.  Things don't look any different, that is, I still get stuck with a blank light blue screen and a working cursor after logon.  I discovered that I can run applications by starting them with File/New Task (Run...) from Task Manager.  I've tried notepad and MS Word.  While I was doing that a notification from McAfee popped up announcing that they had completed their update.  So the system is alive, just the GUI is not working.

    Was this after renaming the folder?  how about trying to start the shell now ( file>new task> explorer.exe)
    Friday, October 16, 2009 11:02 PM
  • I have fixed all three of my computers !!

    The fix is to restore the registry hive files from a recent backup. If you don't have an actual backup see if you can copy them from a System Restore folder:

    C:\System Volume Information\_restore{xxx...xxx}\RPxxx\snapshot

    If you can't get into System Volume Information folder, change its security temporarily so that you can.

    Choose a recent RPxxx folder and copy the files listed below to C:\windows\system32\config. But don't get files that are too recent. I suggest using files dated prior to the offending updates, 10/13/2009 in this case:

    _REGISTRY_MACHINE_SAM
    _REGISTRY_MACHINE_SECURITY
    _REGISTRY_MACHINE_SOFTWARE
    _REGISTRY_MACHINE_SYSTEM

    rename the existing hive files for safety's sake
    rename the copied files without the "_REGISTRY_MACHINE_" part
    Reboot and relax

    To securityguy14 and Cal401: Based on the symptom differences ("I can boot Safe Mode with Command Prompt and have a working command prompt window"), I don't think yours is the same exact issue. But I do believe both are resulting from the recent updates and therefore related. My fix may also work for you.

    One more thing, I also turned off automatic updates after I got them working. Perhaps later more information will come to light about this problem and a fix might appear that will allow me to turn auto-updates back on.

    Friday, October 16, 2009 11:06 PM
  • I have fixed all three of my computers !!

    The fix is to restore the registry hive files from a recent backup. If you don't have an actual backup see if you can copy them from a System Restore folder:

    that was why I suggested the registry restore wizard from either Bart PE or UBCD4WIN,, it restores every hive,,did you attempt to rename the distribution folder? im just trying to determine if that is something that will help in almost every case and possibly had anything to do with yours
    Friday, October 16, 2009 11:12 PM
  • Sorry I didn't see your first post about renaming the file, I guess it came in while I was composing my last message.

    I renamed the file and tried restarting.  Things don't look any different, that is, I still get stuck with a blank light blue screen and a working cursor after logon.  I discovered that I can run applications by starting them with File/New Task (Run...) from Task Manager.  I've tried notepad and MS Word.  While I was doing that a notification from McAfee popped up announcing that they had completed their update.  So the system is alive, just the GUI is not working.

    Was this after renaming the folder?  how about trying to start the shell now ( file>new task> explorer.exe)

    Yes, after renaming the folder.  But then I didn't think to try it before.  I was able to start TaskManager via Ctrl-Alt-Del before, but didn't think to try running anything.

    When I try to run explorer.exe or C:\WINDOWS\explorer.exe from TaskManager I get a pop up message:
         Windows cannot find 'C:\WINDOWS\explorer.exe' ...
    The file is there, file size 1,033,728 bytes.  Even if I select it with browse or try to run it from a cmd window, it still won't run.  

    Something like this has been going on for a while.  My windows explorer shortcut stopped working and I had to start it by right clicking the start button.

    By the way, Internet Explorer also runs.  I've been trying to figure out how to start Control Panel.

    I REALLY APPRECIATE YOUR HELP!

    Cal
    Friday, October 16, 2009 11:15 PM
  • I did not rename the distribution folder. Your suggestion about the BartPE gave me the idea to just copy the hive files from backups since the hard drive was already slaved to another computer.

    I knew the files were in there somewhere, just couldn't remember where to look. So I did some quick digging around and found them. Of course after I found them, it was one of those "Oh yeah, I knew that" moments. The older I get the more of those moments I have.
    Friday, October 16, 2009 11:19 PM
  • Yes, after renaming the folder.  But then I didn't think to try it before.  I was able to start TaskManager via Ctrl-Alt-Del before, but didn't think to try running anything.

    When I try to run explorer.exe or C:\WINDOWS\explorer.exe from TaskManager I get a pop up message:
         Windows cannot find 'C:\WINDOWS\explorer.exe' ...
    The file is there, file size 1,033,728 bytes.  Even if I select it with browse or try to run it from a cmd window, it still won't run.  

    Something like this has been going on for a while.  My windows explorer shortcut stopped working and I had to start it by right clicking the start button.

    By the way, Internet Explorer also runs.  I've been trying to figure out how to start Control Panel.

    Cal

    If you have some apps up and running,, see if you can use the hotkeys to open Control panel. winkey to open start, arrow keys to navigate,, enter to select,,   or even try winkey+E   see if that opens explorer,, I doubt it but try,, and f10 is right click winkey+pause  system properties,, you may can make some changes from there
    Friday, October 16, 2009 11:25 PM
  • I did not rename the distribution folder. Your suggestion about the BartPE gave me the idea to just copy the hive files from backups since the hard drive was already slaved to another computer.

    I knew the files were in there somewhere, just couldn't remember where to look. So I did some quick digging around and found them. Of course after I found them, it was one of those "Oh yeah, I knew that" moments. The older I get the more of those moments I have.

    Thats why I recommended the "Registry Restore Wizard" in Bart PE and UBCD4WIN,, its saved MY hide more times than one,, quite a few as a matter of fact
    Friday, October 16, 2009 11:30 PM
  • I have fixed all three of my computers !!

    The fix is to restore the registry hive files from a recent backup. If you don't have an actual backup see if you can copy them from a System Restore folder:

    that was why I suggested the registry restore wizard from either Bart PE or UBCD4WIN,, it restores every hive,,did you attempt to rename the distribution folder? im just trying to determine if that is something that will help in almost every case and possibly had anything to do with yours

    I'm not familiar with the registry restore wizard.  Can I run it from Task Manager or CMD window?

    I have another, bare bones install of Windows XP on a small partition, but it's not showing up on the boot screen and I don't see it in boot.ini.  Should I get that running and do a backup of C: before trying the restore wizard?

    Cal
    Friday, October 16, 2009 11:32 PM

  • I'm not familiar with the registry restore wizard.  Can I run it from Task Manager or CMD window?

    I have another, bare bones install of Windows XP on a small partition, but it's not showing up on the boot screen and I don't see it in boot.ini.  Should I get that running and do a backup of C: before trying the restore wizard?

    Cal

    No, it's on either Bart PE or UBCD4WIN,, both,, you boot into the UBCD4WIN,, which is the one I use,, and run it from there,, it uses backup hives to restore all 5 hives,, I think from "System Volume information" ,,, I THINK   try here and you can find it
    Friday, October 16, 2009 11:35 PM

  • I'm not familiar with the registry restore wizard.  Can I run it from Task Manager or CMD window?
    No, it's on either Bart PE or UBCD4WIN,, both,, you boot into the UBCD4WIN,, which is the one I use,, and run it from there,, it uses backup hives to restore all 5 hives,, I think from System Volume information

    OK. I don't have either of those.  I'll try PCS Tech's method after I get things backed up.

    Cal
    Friday, October 16, 2009 11:45 PM

  • No, it's on either Bart PE or UBCD4WIN,, both,, you boot into the UBCD4WIN,, which is the one I use,, and run it from there,, it uses backup hives to restore all 5 hives,, I think from "System Volume information" ,,, I THINK   try here and you can find it

    I'm a bit dense today and didn't see the link to UBCD4WIN the first time around.  I'll give that a try.

    Thanks again!

    Cal
    Friday, October 16, 2009 11:51 PM

  • OK. I don't have either of those.  I'll try PCS Tech's method after I get things backed up.

    Cal
    If you want it in the future,,,  try right here believe me,,, it's saved me a few times,, that and several other tools off there
    Friday, October 16, 2009 11:54 PM

  • If you have some apps up and running,, see if you can use the hotkeys to open Control panel. winkey to open start, arrow keys to navigate,, enter to select,,   or even try winkey+E   see if that opens explorer,, I doubt it but try,, and f10 is right click winkey+pause  system properties,, you may can make some changes from there

    I missed this the first time around too.  (One of those days I guess).

    The WinKey doesn't work.  Anything I can find a .EXE for I seem to be able to run, with the exception of explorer.exe.

    Cal
    Saturday, October 17, 2009 12:09 AM


  • The WinKey doesn't work.  Anything I can find a .EXE for I seem to be able to run, with the exception of explorer.exe.

    Cal
    see if you can copy from the one in "ServicePackFiles>i386"
    Saturday, October 17, 2009 12:11 AM


  • The WinKey doesn't work.  Anything I can find a .EXE for I seem to be able to run, with the exception of explorer.exe.

    Cal

    If you can start "cmd.exe" that would probably give you more choices and could get around the %win% folders easier
    Saturday, October 17, 2009 12:17 AM


  • The WinKey doesn't work.  Anything I can find a .EXE for I seem to be able to run, with the exception of explorer.exe.

    Cal
    see if you can copy from the one in "ServicePackFiles>i386"


    I copied the one in i386 to c:\WINDOWS and tried to run it from a cmd window.  I still get the message:

         "windows cannot find the file C:\WINDOWS\explorer.exe"

    It's weird that I seem to have fully functional MS Word and can even bring up websites with Internet Explorer, yet the GUI won't start...

    Cal

    Saturday, October 17, 2009 12:20 AM
  • If you can start "cmd.exe" that would probably give you more choices and could get around the %win% folders easier
    cmd.exe works.  That's what I've been using for my "command window".

    Cal
    Saturday, October 17, 2009 12:23 AM


  •   Anything I can find a .EXE for I seem to be able to run, with the exception of explorer.exe.

    Cal
    It's weird that I seem to have fully functional MS Word and can even bring up websites with Internet Explorer, yet the GUI won't start...

    Cal


    You know,, that could actually be a case of explorer being there and just not being registered,, this was a registry problem in part at least,, so if you can re-register the shell,, Im not sure all the DLL files involved with explorer,, but if you could get Dial-a-Fix on there it would do that for you
    Saturday, October 17, 2009 12:28 AM



  • You know,, that could actually be a case of explorer being there and just not being registered,, this was a registry problem in part at least,, so if you can re-register the shell,, Im not sure all the DLL files involved with explorer,, but if you could get Dial-a-Fix on there it would do that for you

    As a matter of fact,, I just thought about it, Dial-a-Fix is on UBCD4WIN, unless you're in a BIG hurry,, it would probably help you a lot to download and make a disk of UBCD4WIN,, then you could run Dial-a-Fix and re-register all the major DLL files
    Saturday, October 17, 2009 12:31 AM


  •   Anything I can find a .EXE for I seem to be able to run, with the exception of explorer.exe.

    Cal
    It's weird that I seem to have fully functional MS Word and can even bring up websites with Internet Explorer, yet the GUI won't start...

    Cal


    You know,, that could actually be a case of explorer being there and just not being registered,, this was a registry problem in part at least,, so if you can re-register the shell,, Im not sure all the DLL files involved with explorer,, but if you could get Dial-a-Fix on there it would do that for you
    Is Dial-a-Fix part of UBCD for Windows?

    I'm still trying to get my C: drive backed up before I do too much to it. I've already copied "Documents and Settings" to a USB drive using XCOPY.  But if I try to XCOPY the whole drive I get a sharing violation.

    I tried to boot my maintenance copy of Windows but it won't boot either.  I get an error on HAL.DLL.

    Any suggestions?

    Cal
    Saturday, October 17, 2009 12:35 AM
  • @cal:
    since Dial-a-Fix is free they've included it in UBCD4WIN in the last couple of versions,Ive been using UBCD4WIN through a LOT of versions .  I would try that and see if it registers any DLL's that need it,, it may give you more control, even if it doesnt fix the "shell" issue.  you shouldnt be getting a violation with xcopy, have you tried to clone or ghost the drive (clonezilla, nortons, etc.) theres some free and open source ones that are real good(ie.  clonezilla)
    Saturday, October 17, 2009 12:46 AM
  • I'm not sure what's going on.  My C: drive is a RAID array that mirrors everything to a second drive.  I managed to get the second copy of windows, which is a bare-bones install on a small partition on a different physical drive (another RAID pair) running.  I STILL can't copy the darned C: files without a sharing violation.  The first one it hits is an NTUSER.DAT file under "Documents and Settings".  The boot drive is now F:.  Nobody should be using C: for anything (unless it's not doing what I think it is)

    I thought I had Norton Save & Restore 2.0 loaded on my maint drive, but I guess not.

    Cal
    Saturday, October 17, 2009 1:03 AM
  • are you using a recovery pc (set up for recovery) ?
    Saturday, October 17, 2009 1:06 AM
  • No.  I have a laptop and the computer with the problem.

    I got confused on what was what when I tried to do the XCOPY using the maint copy of Windows.  (rookie mistake)  I forgot that the boot drive is always C:, so the "real" C: drive is now F: when I'm working from the maint copy of XP.  I've got an XCOPY backup running now, 43Mb, it looks like it will be 20 minutes or so to finish.  (Not sure why the USB hard drive is so slow -- 10Mb per minute??? -- USB 2.0 as far as I can tell)

    I'll start downloading UBCD for Windows while it's cooking.

    Thanks again for the help!

    Cal
    Saturday, October 17, 2009 1:27 AM
  • you might want to try this , and this ,, to use for future imaging/cloning. and there are other good ones too
    Saturday, October 17, 2009 1:32 AM
  • After looking over the logs more, at least in the case of Cal401 who uploaded the log, the updates didnt complete and forced a reboot to complete, and when rebooted they looked for the final updates that they were rebooting for and couldnt find them, they checked to see if there was a connection to look online for the updates and continually tried to install the following updates

    " Update for Windows XP (KB968389)"
    "Update for ActiveX Killbits for Windows XP (KB973525)"  "Security Update for Windows XP (KB971486)"

    "Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (KB953297)
     
    Security Update for Windows XP (KB974571)" 
     
    " Cumulative Security Update for Internet Explorer 7 for Windows XP (KB974455)"

    "Security Update for Windows XP (KB975025)"      "Security Update for Windows XP (KB974112)"

    " Security Update for Windows Media Format Runtime 9, 9.5 & 11 for Windows XP SP 3 (KB954155)"

    "Security Update for Windows XP (KB969059)"  "Windows Malicious Software Removal Tool October 2009 (KB890830)"  "Security Update for Windows XP (KB958869)" 
     
    "Microsoft .NET Framework 2.0 Service Pack 2 Security Update for Windows 2000, Windows Server 2003, and Windows XP "

    at least in his case the machine became stuck in an endless loop to try to install those updates,, renaming the
    "C:\WINDOWS\SoftwareDistribution" folder and disabling automatic update was/Is  the solution for him,, but at least for him those were the updates that couldnt install, anyone else having the problem with XP may want to start with that information and see if thats also the case for them
    Saturday, October 17, 2009 5:28 AM
  • After looking over the logs more, at least in the case of Cal401 who uploaded the log, the updates didnt complete and forced a reboot to complete, and when rebooted they looked for the final updates that they were rebooting for and couldnt find them, they checked to see if there was a connection to look online for the updates and continually tried to install the following updates

    ...


    at least in his case the machine became stuck in an endless loop to try to install those updates,, renaming the
    "C:\WINDOWS\SoftwareDistribution" folder and disabling automatic update was/Is  the solution for him,, but at least for him those were the updates that couldnt install, anyone else having the problem with XP may want to start with that information and see if thats also the case for them
    I'm not really sure if renaming the folder was the key, but maybe the second log file indicates that it fixed the endless loop (it's all geek to me).  In any case, the system is still not up and running.  I'm able to run things from cmd.exe; I didn't actually try that before the folder rename.

    I took your advice and downloaded and built a UBCD4Win CD.  That's certainly a process!  Hopefully I did it correctly.  The built in CD burner failed and the CD burner on the laptop would not import an ISO image, so I copied the image to the damaged machine and used Sonic RecordNow to burn the image.  The disk boots to the startup screen at least.

    While that was going on I completed a backup of the damaged machine's C: drive and did a full virus scan; no viruses found.

    So, what do you recommend now?  Should I use Dial-a-Fix to try to straighten out the registry, or use the registry restore wizard to restore the registry from an earlier version?

    Cal
    Saturday, October 17, 2009 11:03 PM
  • use the registry restore wizard first,, at least in part it looks like this is registry related,, then use Dial-a-Fix to try to re-register the DLL file, you want to at least use the section on it for "Registration Center" those include the "Programming cores/runtimes" but,, it probably wouldn't hurt to hit everything with it,,all checked. but try the registry repair first
    Saturday, October 17, 2009 11:11 PM
  • I probably should mention that in order to use the registry repair wizard you have to enable "sharing" when the network setup starts, theres a tab on the network setup for that
    Saturday, October 17, 2009 11:18 PM
  • I think I started the network with sharing.  I can't find the menu option that I used now; the menu must have changed.

    I have Registry Restore Wizard running.  It has a text box that prompts "Specify your Windows", with Custom... as the only choice, and another box that says "If you selected custom, type the directory".

    When I run Explorer2 all I see are my two DVD drives and a RAMDISK.  My hard disks (2 physical, 3 logical) are not shown.

    The DVD sure takes a long time to load.  Probably around 10 minutes.  Is that normal?

    Cal
    Saturday, October 17, 2009 11:35 PM
  • I should have mentioned that when it first started I choose not to start the network.  I then used a menu command similar to start networking with sharing.

    Cal
    Saturday, October 17, 2009 11:37 PM
  • ok, well you have to have that started and enabled to be able to access the root of the HDD
    Saturday, October 17, 2009 11:39 PM
  • Do I need to reboot then?

    Looking at Control Panel > System Properties > Device Manager I see a bunch of "? Unknown Device" entries.  No drives listed.

    Cal
    Saturday, October 17, 2009 11:48 PM
  • ok to use that you have to boot to the disk,, out of the win32 enviroment,, reboot and let it boot to the disk not the HDD,, then after it boots start the network with file sharing,, in the menu you'll see "registry tools" and the restore wizard is there
    Saturday, October 17, 2009 11:55 PM
  • I rebooted (took 12 minutes). I'm sure I got the network started with sharing this time, but nothing seems to have changed. Still a bunch of "? Unknown device" entries and no drives shown in Device Manager. I built UBCD4Win on the laptop using the Win XP SP2 disk from the damaged Dell computer. Is it possible that it didn't load all the drivers I need?

    When I try to browse "Workgroup" under "My Network Places" in xplorer2 I get a "Workgroup is not accessible..." error popup.

    Cal
    Sunday, October 18, 2009 12:17 AM
  • can you see the C: drive? thats what your looking for with xplorer2,, or whatever the drive letter for the XP is
    Sunday, October 18, 2009 12:21 AM
  • No.  None of the hard drives are displayed (2 physical / 3 logical).  The only drives listed are a RAM drive and my two DVD drives.  And I don't see anything that looks like a drive on the Hardware Manager.

    Cal
    Sunday, October 18, 2009 12:28 AM
  • in the start menu,, "Programs>registry tools>registry repair wizard"  open it and see if it lists anything for  "windows"
    Sunday, October 18, 2009 12:35 AM
  • Same as before.  It just lists "Custom..." but I have no idea what to enter for the directory.

    Cal
    Sunday, October 18, 2009 12:39 AM
  • then somehow you dont have the file sharing enabled,, if you did it would at least see the drive and see that there was a windows directory,, go to "system>network>network setup wizard" and see if you can get it started from there, thats from the start menu again
    Sunday, October 18, 2009 12:43 AM
  • Network Setup Wizard failed.

    When I run System > Network > Show network components it lists ms_server under "Network Services" and says File and Printer sharing for MS Networks to the right.

    I don't know how this works under UBCD4Win, but shouldn't the drives show up in the hardware list under Device Manager?

    Cal
    Sunday, October 18, 2009 12:54 AM
  • If I go to Control Panel > PE Network Configurator and open the File Sharing tab it shows "File sharing service status" as "Started"

    Cal
    Sunday, October 18, 2009 1:04 AM
  • im not sure about that one,, you may just have to boot the system back up and try the Dial-a-Fix
    Sunday, October 18, 2009 1:16 AM
  • I really appreciate your help.  I wish there was some way to return it...

    I was able to boot to the damaged C: drive and run Registry Restore Wizard from the CD.  This time it found both the C: and E: Windows installs.  No joy, however.  It could not find any prior versions of the registry to restore for C:.  For E: (my bare-bones maintenance install) it found one, but I have no reason to need to roll that one back.

    I tried Dial-a-Fix with everything checked.  No apparent change in system behavior.  explorer.exe still will not run; still getting the message:
        "The system cannot find C:\WINDOWS\explorer.exe"
    yet the file is there (as before).

    Any other ideas?

    Cal

    Sunday, October 18, 2009 2:09 AM
  • look under the "Disk Tools" in "Programs" ,, it almost sounds like theres damage to the partition,, it wouldnt recognize the drive off the disk,, and you couldnt find the registry information with the wizard,,, thats the only thing I can think of it being. try some of the tests on the drive,, see if it gives any errors, run some of the diagnostic tools,, you might want to start with HD Tune and look under the "Health" tab
    Sunday, October 18, 2009 2:25 AM
  • When I ran CHKDSK yesterday it didn't find any errors.  I'm running Emsa Disk Check right now, but it looks like it's going to take a while to finish.

    I was going to try PCS Tech's manual registry restore, but I can't get into C:\System Volume Information.  Even when I boot the maintenance copy of Windows and log in as Administrator I can't reset the permissions on the folder.

    attrib -s -h "System Volume Information" just gets me an access denied message.  Why can't I change the permissions?

    Also of note is the fact that Emsa Disk Check reports "Error accessing drive F:\System Volume Information\" during pre-scan.  (F: is the drive letter for the main install boot drive when I am running the maintenance install.)

    more later...

    Cal

    Sunday, October 18, 2009 2:56 AM
  • Ok,, these may help you then, this is Power Prompt,,it lets you run things as system,,not user or admin,,but you have to be careful running things as system,, and this is Home Own,, it lets you take ownership of any file and folder, just use the help switch to see the choices, both are command line tools
    Sunday, October 18, 2009 3:09 AM
  • I said that they were both command line tools,, but I should say that power Prompt "Owns" the command window,, you have to open it like any portable app, double click and IT opens the command prompt
    Sunday, October 18, 2009 3:15 AM
  • I have fixed all three of my computers !!

    The fix is to restore the registry hive files from a recent backup. If you don't have an actual backup see if you can copy them from a System Restore folder:

    C:\System Volume Information\_restore{xxx...xxx}\RPxxx\snapshot

    If you can't get into System Volume Information folder, change its security temporarily so that you can.

    Choose a recent RPxxx folder and copy the files listed below to C:\windows\system32\config. But don't get files that are too recent. I suggest using files dated prior to the offending updates, 10/13/2009 in this case:

    _REGISTRY_MACHINE_SAM
    _REGISTRY_MACHINE_SECURITY
    _REGISTRY_MACHINE_SOFTWARE
    _REGISTRY_MACHINE_SYSTEM

    rename the existing hive files for safety's sake
    rename the copied files without the "_REGISTRY_MACHINE_" part
    Reboot and relax

    To securityguy14 and Cal401: Based on the symptom differences ("I can boot Safe Mode with Command Prompt and have a working command prompt window"), I don't think yours is the same exact issue. But I do believe both are resulting from the recent updates and therefore related. My fix may also work for you.

    One more thing, I also turned off automatic updates after I got them working. Perhaps later more information will come to light about this problem and a fix might appear that will allow me to turn auto-updates back on.


    SUCCESS!

    PCS Tech's method worked!  I had to use Power Prompt to get into System Volume Information and find/copy the registry files.  My first attempt, going back to a snapshot from 10/13 failed, the system still behaved as before.  So I went to a snapshot from about two months ago and it worked!  I walked away from the computer for about an hour and came back to find that another Windows Automatic Update with an automatic reboot had occurred.  This time the system was fine and starts normally.  McAfee complained about missing components and instructed me to reinstall.  Instead, I ran Dial-a-Fix (all options checked) and McAfee no longer thinks it has anything missing or needs to be reinstalled.

    NOW I AM ABSOLUTELY CERTAIN THAT THIS WAS VIRUS RELATED AND NOT A WINDOWS AUTOMATIC UPDATE PROBLEM.  Here is why I say that:

    About 9/24/09 I went to start a new instance of Windows Explorer (C:\WINDOWS\explorer.exe) and received a pop-up message from McAfee that "Generic.dx Trojan" had been "automatically blocked and removed".  I immediately ran a full virus scan and got NO items detected.  (I don't know if I did a system restart then or not.)  Nothing changed after the scan and trying to start Explorer resulted in the trojan message from McAfee each time.  The same thing happened if I ran C:\WINDOWS\explorer.exe by double-clicking it or from cmd.exe.

    I sent in a report to McAfee (virus_research@nai.com) and included C:\WINDOWS\explorer.exe in a ZIP file.  I immediately got back an automated reply that the attached file was virus-free, etc..  As far as I know, no human ever looked at my report and I never heard anything else from McAfee.  A few days later, after several McAfee and Windows automatic update cycles my Explorer icon stopped working and C:\WINDOWS\explorer.exe would no longer start when double-clicked or run from cmd.exe.  However, I could still start a new instance of Explorer by right-clicking the Start button.  I'm 99% sure that I have not restarted the system between that time and the automatic update that disabled the system on 10/16.  I think the fact that C:\WINDOWS\explorer.exe would not start WAS the problem and that the automatic reboot, caused by the automatic update, would have been no different than if I had rebooted the system myself.  That is, it was the reboot that caused the problem to manifest; the problem already existed many days and updates before.

    I can post the update log from today if it is of any interest.

    Now, this seems like something that both McAfee and Microsoft should be interested in knowing about.  How does one go about getting this in front of the proper people, both places?  It seems like they go out of their way to make sure they don't get reports from the great unwashed user community.

    Cal
    Sunday, October 18, 2009 8:54 PM
  • Im glad you finally got then taken care of, hopefully you wont have anymore problems out of it now. so the Power Prompt helped then,, well thats one I think you might want to hold on to. anyway good luck with it
    Monday, October 19, 2009 12:33 AM
  • PCS Tech, I had a system with the exact same problem. I followed your instructions. Backed up the latest system32\config files, renamed the ones from Snapshot on 10/13, and copied them to system32. The system started to boot, ran chkdsk, and then booted fine.
    Thank you
    Monday, October 19, 2009 4:12 AM
  • I am having the same exact problem.  Although I am computer capable, I have not performed this procedure before.  Can you please post a step by step?
    Monday, October 19, 2009 2:13 PM
  • I am having the same exact problem.  Although I am computer capable, I have not performed this procedure before.  Can you please post a step by step?

    can you open a command window?
    Monday, October 19, 2009 2:49 PM
  • Thank you for the reply.  Yes I can through the recovery console.
    Monday, October 19, 2009 2:57 PM
  • Then type in this: "cd C:\System Volume Information\_resto~1" without the quotes, then "dir" to see what points you have in there. Look for the highest number; that's the closest point, but you probably shouldn't choose that one, so go back a few from it. Then type "cd RPxxx\snapshot", where the x's are the number that you've chosen to restore to, then type "copy _REGISTRY_MACHINE_SYSTEM C:\Windows\System32\Config\System". Then repeat the process, replacing SYSTEM with SECURITY, SAM, SOFTWARE in each spot; that's with the path you're copying from, and to.
    Monday, October 19, 2009 3:19 PM
  • Thank you.  I will try this and hope it works.

    What do you mean by "thats with the path your copying from, too"

    Does this mean that the command requires additional items or are you just explaining that the command you gave will copy from one directory to another?
    Monday, October 19, 2009 4:59 PM
  • No, I mean to replace that in the pathway from (copy _REGISTRY_MACHINE_SYSTEM) and the pathway to (Config\System); replace the "SYSTEM" and "System" in each case with the other.
    Monday, October 19, 2009 5:10 PM
  • Ok, I understand now.  Thanks again!
    Monday, October 19, 2009 5:18 PM
  • Well, I thought I had everything straightened out, but I guess not.  After I reloaded the registry I received a message from my McAfee Security Suite that components were missing.  I ran Dial-a-Fix and the message went away for about 10 minutes then was back, telling me I needed to reinstall McAfee.  I have now tried to download McAfee from my ISP and directly from McAfee and I am never able to get to the download page.  The gal at McAfee support for my ISP thinks I have a virus that is blocking me.  McAfee virus scans from my maint partition and from the main partition have come up clean using the latest signatures.

    I updated the virus files when I built the UBCD4Win disk.  I would like to try scanning with one of the virus tools on UBCD4Win.  The UBCD4Win disk apparently does not have the right drivers to boot my machine, but I can run files from the disk using my maint install of Win XP.  Which virus tool would you recommend?

    (I don't think this is too off topic for this thread, since the stuck at a blank screen symptom may be virus related)


    Cal
    Monday, October 19, 2009 5:41 PM
  • I would use a rescue disk in that case, something like Drweb livecd or F-Secure's rescue CD. Try one of those and see if that helps; you just have to download them and burn them to disk. You can also try BitDefenderRescueCD; that one has static updates so it updates before it scans.

    • Proposed as answer by I-ONut Monday, October 19, 2009 6:45 PM
    Monday, October 19, 2009 5:53 PM
  • Hello all,

    I got a few people coming to me with the same issue. Symptoms:

    - windows boots to a black screen mouse is available
    - no task manager
    - windows just hangs
    - safe mode displays the same issues

    Unfortunately I haven't found a solution yet that works without a live CD.

    One solution to this problem is offered by PCS Tech earlier in this thread. His solution requires you to have system restore enabled (so you have a registry restore point).

    For those of you without system restore active (no registry restore point), what I did find is that all the computers with issues had these entries (or very similar ones) under HKLM:

    \Microsoft\Windows NT\CurrentVersion\Drivers32
    "midi9"="C:\\WINDOWS\\knaehig.old 2nCCPGNHED"
    
    \Microsoft\Windows NT\CurrentVersion\Windows
    "LoadAppInit_DLLs"=dword:00000001
    
    \Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}
    "CLSID"="{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
    "Exec"="%windir%\\Network Diagnostic\\xpnetdiag.exe"
    "MenuText"="@xpsp3res.dll,-20001"

    Didn't spend too much time to figure out which of these is the cause (if one or all), but if you remove these keys you will be able to boot into Windows again just fine without deleting, moving or altering other files.
    You should be able to do that by starting with BartPE, UBCD4Win etc and deleting the registry entries.

    I suspect that this is most probably the work of a virus, so I guess there will be a fix soon from the AV companies.

    Hope this solves your problem. Good luck.

    Monday, October 19, 2009 7:01 PM
  • Hello all,

    I got a few people coming to me with the same issue. Symptoms:

    - windows boots to a black screen mouse is available
    - no task manager
    - windows just hangs
    - safe mode displays the same issues

    Unfortunately I haven't found a solution yet that works without a live CD.

    ...

    I suspect that this is most probably the work of a virus, so I guess there will be a fix soon from the AV companies.

    Hope this solves your problem. Good luck.


    Check to see if you can use Ctrl-Alt-Del to start Task Manager from the "blank screen".  If so, you can use File > New Task (Run...) to start cmd.exe.  I don't know if you read my earlier post(s) but that worked on my system.

    As far as the AV companies being out there busily working on a solution--how do they know there is a problem?  I think this thing first manifested itself in late September.  I tried to report it then and apparently couldn't get past McAfee's automatic reply system (that is, my report went straight into the bit bucket after they sent me an automatic reply).  I've asked twice now, in this thread, how to report this problem and have been met by silence.  Maybe you know?

    Cal
    Monday, October 19, 2009 7:22 PM
  • Check to see if you can use Ctrl-Alt-Del to start Task Manager from the "blank screen".  If so, you can use File > New Task (Run...) to start cmd.exe.  I don't know if you read my earlier post(s) but that worked on my system.

    As far as the AV companies being out there busily working on a solution--how do they know there is a problem?  I think this thing first manifested itself in late September.  I tried to report it then and apparently couldn't get past McAfee's automatic reply system (that is, my report went straight into the bit bucket after they sent me an automatic reply).  I've asked twice now, in this thread, how to report this problem and have been met by silence.  Maybe you know?

    Cal
    Hey, no, the CAD combination does not work. I contacted some friends who work at an AV company and provided them the files, and the cause for this seems to be a Conficker worm; http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99 has info on the virus.

    In this case there should be at least 2 files in your system. The .old one (name found in the registry) under midi9 and a .dll file found in \windows\system32 .

    The idea is that once you have your system running again (using any solution provided before) you should run a full system scan with an up to date antivirus (please note that this type of virus prevents you from accessing security related web sites) with an aggressive heuristic setting.

    Ionut
    Monday, October 19, 2009 8:11 PM
  • That's why I like to use those rescue disks when I have any question about it; that way the infection doesn't have a chance to become active, since the HDD isn't either. Try the ones that I listed above, and there are some other good ones too; I keep quite a few in my "Tool box".
    Monday, October 19, 2009 8:17 PM
  • securityguy,

    I can't burn an ISO image on the laptop, as is.  And I'm a bit leery of downloading anything from a website that comes up in Russian by default (Dr Web).  I have a working Recovery Disk from Norton Save & Restore 2.0.  Can I boot from that and then use one of the anti-virus programs on UBCD4Win?  If so, which one?

    Ionut,

    If it's the conficker worm, which (according to the link you provided) is 7+ months old, it managed to sneak by McAfee Antivirus and they are indeed a poor solution.  Prior to the restart that made the system boot to the blank screen, McAfee was doing regular updates; one even came in while I was sitting at the blank screen looking at the cursor.  The night before the crash I started a full scan; I don't know if there is a log file for those scans.

    It was only AFTER I got the system to boot by using PCS Tech's instructions to restore the registry that McAfee indicated that it had missing components.  When I tried to reinstall I found links to McAfee download websites blocked.

    I have a maintenance copy of XP on another drive and its copy of McAfee was/is fine.  No issue connecting to McAfee, etc.  (Also able to download and install AVG free from that install--scanning now.) A McAfee scan from there was clean, so McAfee is missing the virus, whatever it is.

    Cal
    Monday, October 19, 2009 10:05 PM
  • Well, DrWeb is a highly trusted AV provider; check out here where Microsoft has them listed. But then again, the other two I know you shouldn't have a problem with: BitDefender and F-Secure are both well known. So is DrWeb, but mostly in enterprise-class applications and products; they don't aim their product at the home owner, but the rescue CD and their DrWebCureIT are free and work on any Windows system.
    Monday, October 19, 2009 10:16 PM
  • Well, the free version of AVG found one virus, "dropper.small" and removed it (there seem to be a lot of variants of it out there, but they didn't specify).  Rebooting the main windows install and reinstalling McAfee now proceeds normally.  (At this point I'm reinstalling McAfee just to verify that I had corrected that symptom--I highly doubt that McAfee and I will be together very much longer.)  "dropper.small" is an old virus, how in the world could McAfee fail to detect it?  Are the symptoms that I had consistent with it?

    So now I seem to be back in business, but what to do?  Obviously I need a new web browser, firewall and anti-virus software or I could easily be right back in the same state tomorrow...

    Thanks again to everyone who took the time to help.  If you have some suggestions as to how to proceed, I would appreciate them very much.

    Cal
    Tuesday, October 20, 2009 2:27 AM

  • For those of you without system restore active (no registry restore point), what I did find is that all the computers with issues had these entries (or very similar ones) under HKLM:

    \Microsoft\Windows NT\CurrentVersion\Drivers32
    "midi9"="C:\\WINDOWS\\knaehig.old 2nCCPGNHED"

    \Microsoft\Windows NT\CurrentVersion\Windows
    "LoadAppInit_DLLs"=dword:00000001

    \Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}
    "CLSID"="{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
    "Exec"="%windir%\\Network Diagnostic\\xpnetdiag.exe"
    "MenuText"="@xpsp3res.dll,-20001"

    Didn't spend too much time to figure out which of these is the cause (if one or all), but if you remove these keys you will be able to boot into Windows again just fine without deleting, moving or altering other files.
    You should be able to do that by starting with BartPE, UBCD4Win etc and deleting the registry entries.

    I suspect that this is most probably the work of a virus, so I guess there will be a fix soon from the AV companies.

    Hope this solves your problem. Good luck.

    I've the same registry entries (except "midi9" one) and my XP loads correctly, they are system keys. I have the problem in another 3 computers (2 XP SP3 and 1 Vista ultimate) and I suspect that the origin is at this month's updates, it ain't systematic 'cause in other computers I've applied successfully the updates ... I've contacted Microsoft tech support and I'm waiting an answer.

    Regards,

    David
    Tuesday, October 20, 2009 11:19 AM
  • I've an answer from Microsoft Spain; I have been told to reinstall the operating system ... WTF??? Reinstallation doesn't solve the problem. I can format the computers but I want to know which "hotfix" caused the situation!!!
    Tuesday, October 20, 2009 3:31 PM
  • I had two customers today, both with a blank screen and a moving mouse.

    I started the system with a BARTPE cd and I deleted the keys (as mentioned by I-ONut ):

    \Microsoft\Windows NT\CurrentVersion\Drivers32
    "midi9"="C:\\WINDOWS\\..xxxx.old xxxxxxxxx"

    and

    \Microsoft\Windows NT\CurrentVersion\Windows
    "LoadAppInit_DLLs"=dword:00000001

    Restart the system and everything is fine.
    It only took 12 hours to find/google the solution, so many thanks I-ONut .

    Marcel

    Tuesday, October 20, 2009 10:46 PM
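
Added example (not from any poster in this thread): a Python check that reads a regedit text export of the offline SOFTWARE hive and flags Drivers32 values shaped like the "midi9" entry quoted above, leaving aside the LoadAppInit_DLLs and Internet Explorer entries that another poster also found on a system that boots correctly. The hive mount name OFFLINE_SW, the list of normal extensions and every sample line except the midi9 value are assumptions constructed for the illustration.

```python
import re
from pathlib import PureWindowsPath

DRIVERS32_SUFFIX = r"\microsoft\windows nt\currentversion\drivers32"
# Assumption: extensions used by stock Drivers32 values on a default XP install.
NORMAL_EXTENSIONS = {".drv", ".dll", ".acm", ".ax"}

# "name"="data" with regedit's backslash escaping (\\ and \").
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    return re.sub(r"\\(.)", r"\1", text)


def parse_string_values(reg_text):
    """Yield (key, name, data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            match = _STRING_VALUE.match(line)
            if match:
                yield key, _unescape(match.group(1)), _unescape(match.group(2))


def audit_drivers32(reg_text):
    """Return Drivers32 values that do not look like a bare driver module."""
    findings = []
    for key, name, data in parse_string_values(reg_text):
        if not key.lower().endswith(DRIVERS32_SUFFIX):
            continue
        module, _, trailing = data.partition(" ")
        path = PureWindowsPath(module)
        reasons = []
        if len(path.parts) > 1 and path.parent.name.lower() != "system32":
            reasons.append("path outside system32")
        if path.suffix.lower() not in NORMAL_EXTENSIONS:
            reasons.append("unusual extension " + (path.suffix or "(none)"))
        if trailing:
            reasons.append("extra token after module name")
        if reasons:
            findings.append({"name": name, "data": data, "reasons": reasons})
    return findings


# Constructed sample export; only the midi9 value is taken from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\OFFLINE_SW\Microsoft\Windows NT\CurrentVersion\Drivers32]
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"midi9"="C:\\WINDOWS\\knaehig.old 2nCCPGNHED"

[HKEY_LOCAL_MACHINE\OFFLINE_SW\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
'''

if __name__ == "__main__":
    for finding in audit_drivers32(SAMPLE_REG):
        print(finding["name"], "=", finding["data"], "->", "; ".join(finding["reasons"]))
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read a real file with `encoding="utf-16"` before passing its text to `audit_drivers32`.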
  • I've the same registry entries (except "midi9" one) and my XP loads correctly, they are system keys. I have the problem in another 3 computers (2 XP SP3 and 1 Vista ultimate) and I suspect that the origin is at this month's updates, it ain't systematic 'cause in other computers I've applied successfully the updates ... I've contacted Microsoft tech support and I'm waiting an answer.

    Regards,

    David

    Hey, can you describe the problem with the other computers? How is it manifesting?
    I don't know what you have tried but here is a short list of what you should usually do:
    1. If you have system restore enabled, press F8 at system boot and select "Last known good configuration" ... word of advice though ... it may result in losing some installed programs.
    2. As suggested above, removal of the "SoftwareDistribution" folder within windows.
    3. Manual registry repair from the "System Volume Information" folder ... solution described above.
    4. Can you start task manager and manually start programs?
    5. Can you boot into safe mode?
    6. Try a live cd and check for the existence of the "midi9" registry key. If it exists, delete it.

    If you can do either 4 or 5 you may try to uninstall hotfixes one by one and see when the system boots up. If you cannot do that, under windows xp in the windows folder you have several folders  named $NtUninstallKB________$ (the ___ should be numbers)  these are the updates/hotfixes. You can take this list and search the net for the KB________ and rule out the obvious ones and maybe we can pick up from there.

    If none of these solutions works for you ...maybe you can post a boot.log file from one of those computers and see if we can pick something up from there.
    Good luck.
    Wednesday, October 21, 2009 7:46 PM
  • I had two customers today, both with a blank screen and a moving mouse.

    I started the system with a BARTPE cd and I deleted the keys (as mentioned by I-ONut ):

    \Microsoft\Windows NT\CurrentVersion\Drivers32
    "midi9"="C:\\WINDOWS\\..xxxx.old xxxxxxxxx"

    and

    \Microsoft\Windows NT\CurrentVersion\Windows
    "LoadAppInit_DLLs"=dword:00000001

    Restart the system and everything is fine.
    It only took 12 hours to find/google the solution, so many thanks I-ONut .

    Marcel


    I'm glad that I could help. As this is a virus action (this is confirmed, it is a Conficker worm), you should do a full system scan with an up-to-date antivirus, as the virus is still there and it also has a .dll file that, besides other things, would prevent you from accessing security-related sites. So you can check if you can resolve (try a ping from the command line) technet.microsoft.com or symantec.com; if you cannot, you still have some work to do.

    Ionut
    Wednesday, October 21, 2009 7:52 PM
  • If it's the conficker worm, which (according to the link you provided) is 7+ months old, it managed to sneak by McAfee Antivirus and they are indeed a poor solution. Prior to the restart that made the system boot to the blank screen, McAfee was doing regular updates; one even came in while I was sitting at the blank screen looking at the cursor. The night before the crash I started a full scan; I don't know if there is a log file for those scans. It was only AFTER I got the system to boot by using PCS Tech's instructions to restore the registry that McAfee indicated that it had missing components. When I tried to reinstall I found links to McAfee download websites blocked. I have a maintenance copy of XP on another drive and it's copy of McAfee was/is fine. No issue connecting to McAfee, etc. (Also able to download and install AVG free from that install--scanning now.) A McAfee scan from there was clean, so McAfee is missing the virus, whatever it is.
    Hello. The link I've sent was only for reference; this means that I said that the virus is of that type. Just like human viruses, in computer viruses there can be more than one virus that makes the same type of damage. This one is a Conficker worm. The McAfee sites are blocked by the virus. There is still a dll file that is loaded into the system's memory that prevents you from accessing security-related sites. If the antivirus still misses it ... well, I would suggest changing antivirus. I would go for BitDefender or Norton Antivirus 2009 or newer. If changing is not an option for you ... you can try to be the antivirus yourself and check ... here are two links that would aid you: http://mtc.sri.com/Conficker/ and http://www.scamtypes.com/conficker-how-to-kill-dll-files-and-delete-registry-keys-and-values.html .

    Good luck
    Wednesday, October 21, 2009 8:07 PM
  • Hey People,

    I've been following this thread for a couple of days now because we have had about 6 machines in our company have similar afflictions since the most recent Microsoft Updates.  The first one, I still don't have fixed.  Two of them we were able to fix with the virus info.  It seems McAfee took the virus off the machine but left the registry entries.  Not sure why those particular entries could keep a machine from booting normally so I would love an explanation.

    Two others did not have signs of the virus but they also went to a BSOD rather than just the black screen with cursor.  (all of the machines were various models of Lenovo laptops)  These two we were able to boot by turning on Compatibility mode on the SATA in the BIOS.  One was then fixed (a t61) by upgrading BIOS and storage drivers.  The other (a t60) was fixed by upgrading BIOS, storage drivers, and video driver.

    The difficult thing is that we've just encrypted the hard drives in all of our machines, so it is necessary to do all troubleshooting with an emergency boot disk with Safetech for safeboot.

    Since I've run out of ideas on the original problem machine, I'd like to ask for some advice.  It doesn't have the virus regkeys, I've tried the config file replacement to different dates prior to the incident, I've upgraded the BIOS, and put the new storage drivers on the machine via the Emergency Disk and I'm using the following switches in the boot.ini … /fastdetect /safemode /bootlog /sos /basevideo.   I've also compared the file changes from the updates that were successful and one that wasn't successful to make sure I didn't have any mismatched dll files.

    Any other suggestions would be appreciated.  Such as, does anyone know of a utility to upgrade drivers or install apps using the emergency boot CD "Ultimate Boot CD for Windows v3.50.00"?  Can't seem to get to the internet and uninstalls fail with an error.  Don't see the devices I need to see with the device manager so I wonder if I'm actually looking at the device manager for the CD OS?

    Thanks in advance!
    Wednesday, October 21, 2009 10:53 PM
  • With UBCD4WIN you have to enable the file sharing during the network configuration to be able to access the root of the OS. Have you tried renaming the software distribution folder? Also, if you have the UBCD4WIN, try the registry repair wizard that I explained above. If you have boot logging enabled you might want to take a look at the log and see if there's anything listed there. Also the update log.
    Wednesday, October 21, 2009 11:02 PM
  • I have a question for anyone that had this problem that will respond, how was the system(s) involved updated??
    Wednesday, October 21, 2009 11:40 PM
  • A contractor built my current UBCD4WIN with the SafeBoot WinTech program included so that I can get to the c:\ drive and registry.  I'm not sure what you mean by enabling file sharing during the network configuration, but I'll reboot in a few minutes to see if I see an option I missed.  I usually just click on Yes for the networking and DHCP, but I don't think it works.

    I had renamed the SoftwareDistribution folder to SD, as well as deleted the Internet Cache of the main user of the machine, moved the Temp files and local temp files to a quarantined folder but have since moved them back since it didn't resolve the problem.  I also set the original configs back so that I could look for the virus entries.  I wanted to know what I do that actually fixes the problem and since none of those things fixed it, I wanted to keep it as close to its original state as possible.

    I tried the Reg repair wizard and it may have done some things successfully but gave me a lot of errors, which makes me worried that I have messed this one up worse.

    As to the boot log, it seems to loop through drivers it cannot load over and over again.  I assume it does this until I reboot the computer.  I'll try to summarize the devices because it mentions some several times in a row, network, bluetooth, audio, video, modem virtual miniports.....starting with ACPI Multiprocessor PC - it seems there might have been an update relating to ACPI.  I'm going to check into that right quick.

    Wednesday, October 21, 2009 11:45 PM
  • There's a middle tab in the networking and DHCP configuration; if you click that, it's file sharing, which enables UBCD4WIN to share the root folders of the OS. How were the machines in your situation updated?
    Wednesday, October 21, 2009 11:50 PM
  • We have automatic updates turned on for our company so that people in the field will get updated without dependency to VPN and our network.
    Thursday, October 22, 2009 12:20 AM
  • Is there a way to turn that on while already booted with the CD or do I need to reboot?
    Thursday, October 22, 2009 12:22 AM
  • I have fixed all three of my computers !!

    The fix is to restore the registry hive files from a recent backup. If you don't have an actual backup see if you can copy them from a System Restore folder:

    C:\System Volume Information\_restore{xxx...xxx}\RPxxx\snapshot

    If you can't get into System Volume Information folder, change its security temporarily so that you can.

    Choose a recent RPxxx folder and copy the files listed below to C:\windows\system32\config. But don't get files that are too recent. I suggest using files dated prior to the offending updates, 10/13/2009 in this case:

    _REGISTRY_MACHINE_SAM
    _REGISTRY_MACHINE_SECURITY
    _REGISTRY_MACHINE_SOFTWARE
    _REGISTRY_MACHINE_SYSTEM

    rename the existing hive files for safety's sake
    rename the copied files without the "_REGISTRY_MACHINE_" part
    Reboot and relax

    To securityguy14 and Cal401: Based on the symptom differences ("I can boot Safe Mode with Command Prompt and have a working command prompt window"), I don't think yours is the same exact issue. But I do believe both are resulting from the recent updates and therefore related. My fix may also work for you.

    One more thing, I also turned off automatic updates after I got them working. Perhaps later more information will come to light about this problem and a fix might appear that will allow me to turn auto-updates back on.

    These problems seem similar to a problem I received during the same time. I am not a computer tech, just a normal user. Could anyone walk me through this repair? Or is it something I really need to get a professional to do?
    Thursday, October 22, 2009 3:15 AM
  • Is there a way to turn that on while already booted with the CD or do I need to reboot?

    Yes, you can enable that while booted up, just look in the start menu>system>network>network setup wizard
    Thursday, October 22, 2009 3:23 AM
  • I have fixed all three of my computers !!

    The fix is to restore the registry hive files from a recent backup. If you don't have an actual backup see if you can copy them from a System Restore folder:

    C:\System Volume Information\_restore{xxx...xxx}\RPxxx\snapshot

    If you can't get into System Volume Information folder, change its security temporarily so that you can.

    Choose a recent RPxxx folder and copy the files listed below to C:\windows\system32\config. But don't get files that are too recent. I suggest using files dated prior to the offending updates, 10/13/2009 in this case:

    _REGISTRY_MACHINE_SAM
    _REGISTRY_MACHINE_SECURITY
    _REGISTRY_MACHINE_SOFTWARE
    _REGISTRY_MACHINE_SYSTEM

    rename the existing hive files for safety's sake
    rename the copied files without the "_REGISTRY_MACHINE_" part
    Reboot and relax

    To securityguy14 and Cal401: Based on the symptom differences ("I can boot Safe Mode with Command Prompt and have a working command prompt window"), I don't think yours is the same exact issue. But I do believe both are resulting from the recent updates and therefore related. My fix may also work for you.

    One more thing, I also turned off automatic updates after I got them working. Perhaps later more information will come to light about this problem and a fix might appear that will allow me to turn auto-updates back on.

    These problems seem similar to a problem I received during the same time. I am not a computer tech, just a normal user. Could anyone walk me through this repair? Or is it something I really need to get a professional to do?

    Do you have the installation disk for XP?
    Thursday, October 22, 2009 3:24 AM
  • Hi all, I think I may have the same thing going on with my PC. Last night, my computer was running slowly. I tried Ctrl-Alt-Del to bring up the Task Manager, which would not come up. I did a restart and now right after the Windows load screen all I get is a black screen with the mouse cursor. I tried Safe Mode (all 3) and Last Known Good Config, both give the same result. I don't have my original XP disc. Given that the consensus was that this is a virus I downloaded the BitDefender LiveCD and ran it last night. The only thing it found was a virus in a file I had downloaded over a year ago. Here's the tools that I have at my disposal: Ultimate Boot CD (the linux version, not the UBCD4WIN), Dr Web, F-Secure, and BitDefender Live CDs, SLAX Live CD and I downloaded the Win XP Service Pack 3 iso from Microsoft's website. When I put that in and boot the machine, it doesn't seem to do anything -- looks like it is just booting off the HD and I still get the black screen with mouse cursor. Any help is greatly appreciated.
    Thursday, October 22, 2009 12:35 PM
  • Hi all, I think I may have the same thing going on with my PC. Last night, my computer was running slowly. I tried Ctrl-Alt-Del to bring up the Task Manager, which would not come up. I did a restart and now right after the Windows load screen all I get is a black screen with the mouse cursor. I tried Safe Mode (all 3) and Last Known Good Config, both give the same result. I don't have my original XP disc. Given that the consensus was that this is a virus I downloaded the BitDefender LiveCD and ran it last night. The only thing it found was a virus in a file I had downloaded over a year ago. Here's the tools that I have at my disposal: Ultimate Boot CD (the linux version, not the UBCD4WIN), Dr Web, F-Secure, and BitDefender Live CDs, SLAX Live CD and I downloaded the Win XP Service Pack 3 iso from Microsoft's website. When I put that in and boot the machine, it doesn't seem to do anything -- looks like it is just booting off the HD and I still get the black screen with mouse cursor. Any help is greatly appreciated.
    Hey, sorry for your problem. If you do not have a UBCD4Win and cannot get your hands on/create one then:
    1. If you had system restore enabled in your Windows machine, you can try to boot up Linux, attach NTFS support to the kernel and copy the registry hives as described earlier in this post.
    2. You could use a Linux-based utility to edit the Windows registry offline ... here is a link: http://home.eunet.no/pnordahl/ntpasswd/ (there are others). Then look for the keys mentioned earlier in this thread.

    Let me know if you can manage or not and we'll try to solve your problem.

    Ionut
    Thursday, October 22, 2009 12:55 PM
  • Sir/Madam

    I am new to this thread, in fact writing for the first time to any thread......As suggested above, I loaded the Software.sav hive from the system32>config folder of my problematic operating system and deleted

    \Microsoft\Windows NT\CurrentVersion\Windows
    "LoadAppInit_DLLs"=dword:00000001

    the above registry and did not find the below mentioned registry

    \Microsoft\Windows NT\CurrentVersion\Drivers32
    "midi9"="C:\\WINDOWS\\..xxxx.old xxxxxxxxx"

    But nothing happened when I booted from that OS, but this time it is not showing the white cursor............

    Please have comment on this....


    Thursday, October 22, 2009 2:47 PM

  • Hey, sorry for your problem. If you do not have a UBCD4Win and cannot get your hands on/create one then:
    1. If you had system restore enabled in your Windows machine, you can try to boot up Linux, attach NTFS support to the kernel and copy the registry hives as described earlier in this post.
    2. You could use a Linux-based utility to edit the Windows registry offline ... here is a link: http://home.eunet.no/pnordahl/ntpasswd/ (there are others). Then look for the keys mentioned earlier in this thread.

    Let me know if you can manage or not and we'll try to solve your problem.

    Ionut
    FIXED!!!!!!  You guys totally rock!

    I booted up my Ubuntu 8.04 LiveCD and then tried mounting the drive.  But I got an error saying that the drive could not be mounted due to ($Logfile) and something about Windows not having been shutdown properly.  After a google search of the error message it turned up all I needed to do was run ntfsfix to allow the drive to mount.  At that point I tried booting back into Windows but still no dice.

    So, back into Ubuntu, ntfsfix (again) and then copy the registry hives from two days ago.  Reboot and, like magic, Windows came up.

    Thank you!
    Thursday, October 22, 2009 5:33 PM
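
Added example, not code from any poster: the hive restore PCS Tech describes, scripted in Python for a Linux live CD once the Windows volume mounts (after ntfsfix, as in the post above). It picks the newest restore point dated before the 10/13/2009 updates, checks all four hives before touching anything, and matches file names case-insensitively; the backup tag `pre-restore` and the temporary tree built in `demo()` are constructed for illustration.

```python
import os
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

HIVES = ("SAM", "SECURITY", "SOFTWARE", "SYSTEM")   # the four files named in the thread
PREFIX = "_REGISTRY_MACHINE_"


def find_ci(directory, name):
    """Return the entry of `directory` named `name`, ignoring case (NTFS seen from Linux)."""
    for entry in directory.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def pick_snapshot(restore_root, cutoff):
    """Return the snapshot folder of the highest-numbered RPnnn dated before `cutoff`."""
    best_number, best_snapshot = -1, None
    for rp in restore_root.iterdir():
        if not (rp.is_dir() and rp.name[:2].upper() == "RP" and rp.name[2:].isdigit()):
            continue
        snapshot = find_ci(rp, "snapshot")
        hive = find_ci(snapshot, PREFIX + "SYSTEM") if snapshot else None
        if hive and hive.stat().st_mtime < cutoff.timestamp() and int(rp.name[2:]) > best_number:
            best_number, best_snapshot = int(rp.name[2:]), snapshot
    return best_snapshot


def restore_hives(config_dir, snapshot_dir, tag):
    """Rename each live hive to <name>.<tag>, then copy the snapshot hive into its place."""
    plan = []
    for hive in HIVES:                      # validate everything before touching anything
        source = find_ci(snapshot_dir, PREFIX + hive)
        if source is None or source.stat().st_size == 0:
            raise FileNotFoundError(f"snapshot has no usable {PREFIX}{hive}")
        live = find_ci(config_dir, hive)
        target = live if live else config_dir / hive
        backup = config_dir / f"{target.name}.{tag}"
        if backup.exists():
            raise FileExistsError(f"backup {backup.name} already exists")
        plan.append((source, live, target, backup))
    for source, live, target, backup in plan:
        if live:
            live.rename(backup)             # keep the damaged hive for later analysis
        shutil.copy2(source, target)
    return [target.name for _, _, target, _ in plan]


def demo():
    """Run the restore on a constructed tree: three restore points, one too recent."""
    cutoff = datetime(2009, 10, 13)         # date of the updates, as given in the thread
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        config = root / "WINDOWS" / "system32" / "config"
        config.mkdir(parents=True)
        for hive in HIVES:
            (config / hive.lower()).write_text("damaged " + hive)
        restore_root = root / "System Volume Information" / "_restore{CONSTRUCTED}"
        for number, days_before in ((101, 5), (102, 2), (103, -1)):
            snapshot = restore_root / f"RP{number}" / "snapshot"
            snapshot.mkdir(parents=True)
            for hive in HIVES:
                path = snapshot / (PREFIX + hive)
                path.write_text(f"RP{number} {hive}")
                stamp = cutoff.timestamp() - days_before * 86400
                os.utime(path, (stamp, stamp))
        chosen = pick_snapshot(restore_root, cutoff)
        restored = restore_hives(config, chosen, "pre-restore")
        return {
            "chosen": chosen.parent.name,
            "restored": sorted(restored),
            "system": (config / "system").read_text(),
            "backup": (config / "system.pre-restore").read_text(),
        }


if __name__ == "__main__":
    print(demo())
```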
  • After having tried most of the suggestions prior to yours, I used your suggestion and the system booted normally. Thank you, thank you, thank you. The six hours spent uselessly taught me a lesson. Your suggestion also taught me a lot about UBCD4Win. I'm going to run Malwarebytes now to make sure there is nothing lurking around.
    Thursday, October 22, 2009 9:48 PM
  • I have fixed all three of my computers !!

    The fix is to restore the registry hive files from a recent backup. If you don't have an actual backup see if you can copy them from a System Restore folder:

    C:\System Volume Information\_restore{xxx...xxx}\RPxxx\snapshot

    If you can't get into System Volume Information folder, change its security temporarily so that you can.

    Choose a recent RPxxx folder and copy the files listed below to C:\windows\system32\config. But don't get files that are too recent. I suggest using files dated prior to the offending updates, 10/13/2009 in this case:

    _REGISTRY_MACHINE_SAM
    _REGISTRY_MACHINE_SECURITY
    _REGISTRY_MACHINE_SOFTWARE
    _REGISTRY_MACHINE_SYSTEM

    rename the existing hive files for safety's sake
    rename the copied files without the "_REGISTRY_MACHINE_" part
    Reboot and relax

    To securityguy14 and Cal401: Based on the symptom differences ("I can boot Safe Mode with Command Prompt and have a working command prompt window"), I don't think yours is the same exact issue. But I do believe both are resulting from the recent updates and therefore related. My fix may also work for you.

    One more thing, I also turned off automatic updates after I got them working. Perhaps later more information will come to light about this problem and a fix might appear that will allow me to turn auto-updates back on.


    The above solution fixed the problem on 2 machines which I received in the last 2 days.
    Friday, October 23, 2009 2:37 PM
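The hive restore described in the post above, done from a Linux live CD with the Windows volume mounted, as an added example that is not part of the original post. The function names and the `.broken-` backup suffix are assumptions; choosing which RPxxx snapshot folder to use is still up to you, and the script refuses to touch anything unless all four snapshot hives are non-empty and begin with the `regf` hive signature.

```shell
#!/bin/sh
# Added example, not from the thread. Restores XP registry hives from a
# System Restore snapshot on a Windows volume mounted under Linux.
# restore_hives <config_dir> <snapshot_dir>   (both paths are assumptions)

HIVES="SAM SECURITY SOFTWARE SYSTEM"

# NTFS names may show up as "system" or "SYSTEM", so match case-insensitively.
find_ci() {  # find_ci <dir> <name>
    find "$1" -maxdepth 1 -type f -iname "$2" | head -n 1
}

restore_hives() {
    config_dir=$1
    snapshot_dir=$2
    stamp=$(date +%Y%m%d%H%M%S)

    # Pass 1: change nothing unless every snapshot hive is present, non-empty
    # and starts with the "regf" signature that real hive files carry.
    for h in $HIVES; do
        src=$(find_ci "$snapshot_dir" "_REGISTRY_MACHINE_$h")
        if [ -z "$src" ] || [ ! -s "$src" ] ||
           [ "$(head -c 4 "$src" | tr -d '\000')" != "regf" ]; then
            echo "unusable snapshot hive: _REGISTRY_MACHINE_$h" >&2
            return 1
        fi
    done

    # Pass 2: rename each existing hive for safety, then copy the snapshot
    # file in under the plain hive name.
    for h in $HIVES; do
        src=$(find_ci "$snapshot_dir" "_REGISTRY_MACHINE_$h")
        cur=$(find_ci "$config_dir" "$h")
        if [ -n "$cur" ]; then
            mv "$cur" "$cur.broken-$stamp" || return 1
        else
            cur="$config_dir/$h"
        fi
        cp "$src" "$cur" || return 1
        echo "restored $cur"
    done
}

# Run only when both directories are given on the command line.
if [ "$#" -eq 2 ]; then
    restore_hives "$1" "$2"
fi
```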
  • I hope I am doing this right, new to the forum.  I have read through all the posts in this thread and am totally lost as to which direction to go in.  First off I do not believe it is a virus, but a problem with a recent windows update.  I tried chatting with a MS person, but all they did was refer me back here to the forums.  I spent over 4 hrs. last night and another 3 this morning and am no closer than I was to begin with.  I spoke on the phone to a MS tech but was told it would be a couple of days before someone could get back to me.  So I am hoping I can get help here.

    Here is the problem,  on reboot after the welcome screen and the blue lines showing windows loading, it loads to a black screen with only the cursor showing.  I have tried booting in safe mode and after selecting most all the options listed all I get is a black screen with 'safe mode' in each of the 4 corners of the screen and a string of text in the top center followed by SP3, can not get any further than this.  I do not have a boot disc, and the windows software came preloaded on the computer so can not use that.  As I said, none of the options on the opening safe mode screen have worked, tried them all.  The problem computer is running XP.

    I am currently downloading DR Web Live CD, but am not sure what to do next.  There have been so many answers on this thread, I can not figure out which may be the solution.  Any direction would be greatly appreciated as it is my hubbys computer and he is a bear to be  around with it not working!

    Thanks in advance
    Shy
    Friday, October 23, 2009 6:36 PM
  • PCS Tech rocks, I haven't had time to find a solution as workload was backing up due to the above problem. Temporarily, reformatting was the only solution, trying to catch up. Thanks to your solution I have 6 repairs up and running in a short period of time.
    Again Thanks man.
    Monday, October 26, 2009 12:59 PM
  • Having read the above I believe that my problem would be sorted by restoring the hive files.  Unfortunately I did not have the restore facility active and therefore have no restore point or a backup.  I have UBCD4WIN but do not seem to be able to get to my c:\windows directory to use the registry restore wizard.  Am at a bit of a loss as what to do next.  Any assistance appreciated.
    Thursday, October 29, 2009 12:10 AM
  • In explorer2 navigate to the Windows\System32 folder, then double click on the cmd application. When it's open, type in "cd C:\System Volume Information\_resto~1" to get to the folder, then "dir" to list the files in it. Look for the highest number; that's the closest restore point. Go back a few from that, to a smaller number. After you get the number, type in "cd RPxxx\snapshot", where the x's are replaced by the number you chose, then "copy _REGISTRY_MACHINE_SYSTEM C:\Windows\System32\Config\System", then reboot. Try that and let us know if that does it.
    Thursday, October 29, 2009 12:40 AM
  • Hi,

    I have the same problem, but at least I had Ubuntu also installed in my notebook, so I am still able to access all of my files (which I have in the drive D:), and can still use my notebook. You're saying that I could repair my Windows XP registry from Ubuntu, without having to create a UBCD4Win or getting a Windows CD with the Recovery Console.

    This would be much easier for me, so I would like to know how you copy the registry hives. Thanks for your help!!
    Friday, October 30, 2009 2:44 PM
  • you can try the same method that was recommended above, going to the system32 folder and starting the command prompt by double clicking cmd. if you get a command prompt just follow the instructions above exactly
    Friday, October 30, 2009 3:04 PM
  • Understood. I will try this and let you know.

    Thanks a lot, I've been following this post since October 16, and learning a lot!! Hope this will give me the final solution (it would be a very easy solution at the end!).

    Thanks a lot securityguy, I-Onut and PCS Tech, you're helping a lot!!
    Friday, October 30, 2009 5:42 PM
  • securityguy

    cannot see my c: drive within xplorer2 lite (am running v3.2 of ubcd4win) and therefore cannot execute the commands you recommend.  All I see is a B: drive (RAMDisk - presume this is ubcd4win loaded to RAM) and X: drive which is the CD drive.  Can't help thinking I am missing something very obvious.

    Friday, October 30, 2009 10:52 PM
  • you have to enable file sharing, that's done during the network setup. As it's booting up the network setup starts and you need to let that complete, then before you close the wizard the middle tab is to set up the file sharing. Enabling that is the only way to have access to the root of the C drive (or whatever the XP drive is)
    Friday, October 30, 2009 11:35 PM
  • I went to system32 folder using Ubuntu and then tried to start the command prompt by double clicking cmd.exe file, but it then displays the following error:

    [/media/disk/WINDOWS/system32/cmd.exe]
      End-of-central-directory signature not found.  Either this file is not
      a zipfile, or it constitutes one disk of a multi-part archive.  In the
      latter case the central directory and zipfile comment will be found on
      the last disk(s) of this archive.
    note:  /media/disk/WINDOWS/system32/cmd.exe may be a plain executable, not an archive
    zipinfo:  cannot find zipfile directory in one of /media/disk/WINDOWS/system32/cmd.exe or
              /media/disk/WINDOWS/system32/cmd.exe.zip, and cannot find /media/disk/WINDOWS/system32/cmd.exe.ZIP, period.

    Any other option to get the command prompt from ubuntu??

    Thanks!
    Saturday, October 31, 2009 7:52 PM
  • Securityguy

    Activated the file sharing but this still did not make the c: drive available to run the commands as you suggested.  Loaded up Puppy Linux so that I could at least get a look at the file system.  They are there but obviously trying to run cmd.exe within Linux is not possible.  However, when going to the System Volume Information file I could only see 2 files; tracking.log and MountPointManagerRemoteDatabase.  Seem to be at another dead end so any further thoughts gratefully accepted.

    Thanks.
    Sunday, November 01, 2009 2:58 PM
  • I went to system32 folder using Ubuntu and then tried to start the command prompt by double clicking cmd.exe file, but it then displays the following error:

    [/media/disk/WINDOWS/system32/cmd.exe]
      End-of-central-directory signature not found.  Either this file is not
      a zipfile, or it constitutes one disk of a multi-part archive.  In the
      latter case the central directory and zipfile comment will be found on
      the last disk(s) of this archive.
    note:  /media/disk/WINDOWS/system32/cmd.exe may be a plain executable, not an archive
    zipinfo:  cannot find zipfile directory in one of /media/disk/WINDOWS/system32/cmd.exe or
              /media/disk/WINDOWS/system32/cmd.exe.zip, and cannot find /media/disk/WINDOWS/system32/cmd.exe.ZIP, period.

    Any other option to get the command prompt from ubuntu??

    Thanks!

    If you can navigate to the Windows folder, then try going to the system restore folder (System Volume Information) and finding the restore point and use copy and paste to do it, or you can try and delete the key ("HKLM midi9"="C:\\WINDOWS\\knaehig.old 2nCCPGNHED") and see if that helps, also since at least part of the affected systems seemed to be a virus related issue, try using one of the rescue disks listed above
    Monday, November 02, 2009 2:06 AM
  • Securityguy

    Activated the file sharing but this still did not make the c: drive available to run the commands as you suggested.  Loaded up Puppy Linux so that I could at least get a look at the file system.  They are there but obviously trying to run cmd.exe within Linux is not possible.  However, when going to the System Volume Information file I could only see 2 files; tracking.log and MountPointManagerRemoteDatabase.  Seem to be at another dead end so any further thoughts gratefully accepted.

    Thanks.

    you can try to delete the key that was listed above ("midi9"="C:\\WINDOWS\\knaehig.old 2nCCPGNHED") under HKLM manually, or try using one of the rescue disks listed to scan with, since in at least part of the cases it's turned out to be a malware problem, maybe that would help
    Monday, November 02, 2009 2:09 AM
  • Hi all!

    I found my personal solution for situation in first post of this topic - problem was in files, filled by zeros.

    c:\WINDOWS\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.6001.22319.cat

    c:\WINDOWS\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.6001.22319.Policy

    Renaming/Deleting/Replacing only ONE file "1.0.6001.22319.Policy" in my case totally solves "VERY VERY VERY BIG PROBLEM" - "Black Screen With Moving Mouse Cursor".

    thanks

    Thursday, January 14, 2010 5:02 PM
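A way to look for the kind of damage the post above describes (non-empty files that contain only zero bytes) across a mounted Windows tree, as an added example that is not part of the original post. The function name `zero_filled_files` is an assumption; point it at whatever directory you want checked, for example the WinSxS folder on the mounted volume.

```shell
#!/bin/sh
# Added example, not from the thread. Lists non-empty files whose content is
# nothing but NUL bytes, as "size<TAB>path", one per line.
# zero_filled_files <dir>

zero_filled_files() {
    # -size +0c skips empty files: those are not "filled with zeros".
    find "$1" -type f -size +0c -exec sh -c '
        for f do
            # Strip every NUL byte; if even one byte survives, the file has content.
            left=$(tr -d "\000" < "$f" | head -c 1 | wc -c)
            if [ "$left" -eq 0 ]; then
                printf "%s\t%s\n" "$(( $(wc -c < "$f") ))" "$f"
            fi
        done' sh {} + | sort -k2
}

# Run only when a directory is given on the command line.
if [ "$#" -eq 1 ]; then
    zero_filled_files "$1"
fi
```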
  • A problem with work computers brought me to the message boards today....still looking for the solution to that problem (appears to be related to recent windows update in Dec. 2009 and Jan. 2010)...BUT....I have been trying to fix my home computer for months (when I say months I mean a few hours here and there over the last few months) thinking my kids or husband downloaded something...but then I find this forum!  Unbelievable...gonna try to fix my home computer tonight!  Thankful for all of you struggling through and posting here!
    Thursday, January 14, 2010 8:06 PM
  • I was having the Black Screen of Death with mouse pointer and realised through Event Viewer (eventvwr.msc) that the explorer.exe crash was associated to the propsys.dll located in windows\system32 folder.

    So, I managed to emulate a mini WinXP via Hiren's Boot, loaded a "health" propsys.dll from my other Windows 7 system and overwrote the corrupted one. Problem solved to me!
    Tuesday, November 06, 2012 1:40 AM
  • Hello I'm new here and I have a question...
    I have a desktop pc windows xp.
    I turned on the computer and there pops out bios options advanced cpu memory and stuffs like that.
    I pressed f10 to save and exit, then it exited and loaded the screen with windows xp.
    After that a blue screen popped out and it says something like preparing to restart setup.......
    After 5 sec. a black screen popped out and I couldn't move my mouse on screen.
    I also tried to put windows 7 ultimate cd for installing but nothing showed.
    Any response?

    Wednesday, January 09, 2013 8:23 PM
  • Hello I'm new here and I have a question...
    I have a desktop pc windows xp.
    I turned on the computer and there pops out bios options advanced cpu memory and stuffs like that.
    I pressed f10 to save and exit, then it exited and loaded the screen with windows xp.
    After that a blue screen popped out and it says something like preparing to restart setup.......
    After 5 sec. a black screen popped out and I couldn't move my mouse on screen.
    I also tried to put windows 7 ultimate cd for installing but nothing showed.
    Any response?

    If you went into the BIOS and reset some things, it's likely that your hard drive controller chipset changed modes between AHCI and IDE. Whenever you change modes after Windows is installed, you get the blue screen.

    Thursday, February 28, 2013 1:41 PM