Help! Can't boot even to safe mode. Can't re-install OS. 0xc000

Thread starter: dlevy

Hi all,

I'm hoping some experts are on the discussion group here because I am
getting close to a dead end. I am trying to help a friend restore his
Windows XP installation. It's a real doozie. He has a very expensive CAD
program on it and wants to avoid at all costs wiping the hard drive clean and
losing the program -- for which he has no installation software... (I know,
that was a dumb thing to lose the installation software, but it's been my
experience that it's all too common among the non-geek population...)

--This is a Dell laptop, but there is no recovery partition on the hard
drive, as far as I can tell. My friend said the OS was re-installed on it a
while back by a non-Dell technician. The disk info says 'volume created
3/25/09', so that sounds like it's what happened. It's a Dell Inspiron 6400
laptop, running Windows XP Pro, Spanish language version, purchased in
Argentina.
--The computer will not boot normally, nor to safe mode. In either mode, it
generates two pop-ups, both of which say: "The application failed to
initialize properly (0xc0000006). Click on OK to terminate the application"
(the equivalent of that, in Spanish). After clicking 'okay', the Windows
desktop appears but there are no icons or taskbar. The only thing I can do
is pull up the task manager, which shows about a dozen processes running.
Needless to say, explorer.exe is not one of them...
--I ran a short Dell diagnostics program before the BIOS POST. It threw up
a "DST Short Status Test fail, error code 1000-0146" (DST=drive self test).
But I think that's a red herring. I've read that the msg only means that the
log file shows an event.
--I ran CHKDSK using my own copy of the Win XP installation CD. It found an
error on the first check, then found no errors on the next two checks. So,
as far as I can tell, the hard drive is not failing.

I have looked over this article
"How to recover from a corrupted registry that prevents Windows XP from
starting"
http://support.microsoft.com/kb/307545

This seems like the direction I want to head in. But my questions are:

--Given the symptoms, would it make sense that the problem might be a
corrupted Windows registry?
--The MS support article says off-handedly, "This registry [that you are
restoring] was created and saved during the initial setup of Windows XP.
Therefore any changes and settings that occurred after the Setup program was
finished are lost." Well, that's a BIG problem. The whole point is to save
my friend's CAD program. If I am rolling back the system to the day it came
off the factory floor, then I might as well re-install the OS. Is there a
way to just roll back the system to a restore point, say a month or two ago?

Thanks in advance to thoughtful and well-informed replies.

Sincerely,

David Levy
Washington, DC
 
In the Task Manager click on File -> New Task (Run...) and from there
you can try to launch programs or commands, try to launch Explorer.exe
from there and see what happens. From the same location you can launch
the Event Viewer (Eventvwr.msc) and see if there is anything useful in
the System Log.

John
 
Malicious software likes to trick you into thinking you need to
reinstall XP by making the simplest things not work - like no desktop,
unable to login, Safe Mode, System Restore, google.com, Task Manager,
regedit, cmd, etc. It is just trying to annoy you by breaking little
things.

You need to get your desktop working first, then you can resolve your
potential malware issue. I would also recommend to stop trying things
that might work maybe. You need to be fixing things. KB307545 is NOT
a good idea for your symptoms (or any symptoms).

From your background image, press CTRL-ALT-DEL and open Task Manager.

Look at the Processes tab and if the explorer.exe process is not
running, launch it.

Click File, New Task and in the box enter:

%windir%\explorer.exe

Click OK and see if you get your desktop back.

If explorer.exe is already running, it is likely the object of the
affliction and may need to be replaced (not hard).

If explorer.exe is already running, End the Process anyway and launch
a new one as indicated above.

If you are able to then get on the Internet, do this:

Download, install, update and do a full scan with these free malware
detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.

Report back your situation after these steps.
 
hi all,

many thanks to jose and john--the men in the white hats--for taking the time
to post some helpful advice! running explorer.exe from the task manager did
indeed work. i can now boot, after getting the aforementioned error
messages. but the system is still somewhere between molasses-slow and
i-will-shoot-myself-if-i-stare-at-this-screen-any-longer slow...

i ran malwarebytes anti-malware (MBAM) and superantispyware (SAS) multiple
times. MBAM found and deleted many infected objects. after i ran MBAM a few
times, SAS found a few more infected objects but would crash before it could
delete them. detailed log here at bottom. the system still won't boot
normally*. what's really annoying is that other aps, including the
hard-to-replace CAD ap, also won't run--same 0xc0000006 error msg.

i also tried to use 'system restore' (SR). there were dozens of restore
points available, going back 3 months:
1. in normal mode, roll back to 3/6/10, SR stopped, rebooted the system and
said it could not restore.
2. in safe mode, roll back to a different restore point (4/14/10), SR
stopped again, but got a lot farther in the progress bar than the first time.

so, it looks like malware was responsible for the damage. i can only think
that the malware corrupted the restore points without deleting them and that
is why SR keeps failing. i'm not going to bother running HijackThis, at this
point, until requested. i assume that MBAM got rid of the active malware,
but now there's damage to the system files that i need to fix.

more informed and thoughtful comments are most welcome.

--d.

*i don't think it matters at this point, but i think i failed to notice, in
the 0xc0000006 error msgs that there is a file associated with each of them:
"gStart.exe" and "PCSuite.exe". also, after booting, notepad.exe fails to
launch and gives the same message. but wordpad and MS word will run.

_________
Log:

1. normal mode, MBAM quick scan--it found 24 infected objects: 2 infected
registry keys, 3 reg values, 3 reg data items and 16 files. Worm.Magania,
trojan.frethog, spyware.online.games, hijack.controlpanelstyle,
disabled.securitycenter, hijack.help, hijack.system.hidden, worm.autorun,
trojan.backdoor. all were quarantined and deleted.
2. after reboot, normal mode, MBAM quick scan--no infected objects
3. normal mode, quick scan, SAS--found 15 infected objects, including
Trojan.Agent and Trojan.RootKit but then froze, so i could not hit the
'continue' button or any other button. Looks like it was in an endless loop
b/c task manager showed it consuming 10-20% of cpu time for two hours before
i killed the process. i couldn't 'end task' using task manager, had to 'end
process' instead. there were no logs in 'docs & settings\application
data\SAS' that were human readable.
4. safe mode, quick scan, SAS--found infected objects but then froze, same
as above.
5. safe mode, full scan, MBAM--found 137 infected files.
'Spyware.Online.Games', 'Worm.Taterf', 'Worm.Magania'. Only files were
infected, nothing else--registry, memory, etc.--found infected.
6. normal mode, full scan, SAS--Found 2 infected objects, both
"Trojan.RootKit/Gen" but then froze, same as above.
7. safe mode, full scan, MBAM--found 13 infected files, all
"Spyware.Online.Games", all 'quarantined and deleted'.
 
That is a lot of junk, but you're doing good.

To me, it does not make sense to run quick scans with MBAM or SAS,
especially if you think you have a problem. Things are skipped that
you might not want to skip, so do the most thorough scan that is
offered unless you are in some really big hurry for some reason (this
is my opinion).

MBAM does also not recommend running in Safe Mode, but SAS seems to
suggest it sometimes "if you have problems in Normal Mode". I think
if you want an efficient scan, you should run full in Normal - always,
but you have to do what you have to do sometimes to get things to at
least sort of work.

Anywho, you should really want the full scans to run clean. Some
malicious software recognizes mbam.exe and superantispyware.exe (and
regedit.exe, taskmgr.exe, cmd.exe, rstrui.exe, etc., etc.) as a
running process and just will not allow them to run, so you have to
fool it, but you sound like you are getting past that point.

You could rename/copy the executables to something the malicious
software will not recognize - like superantispyware.exe --> dlevy.exe
and run dlevy.exe instead. The malicious software will not recognize
that. I do think some will recognize jose.exe though. This is very
annoying to me.

What is your other anti-whatever environment? Avira!, AVG, Norton,
McAfee, MSE, etc. I would disable any stuff like that temporarily and
let MBAM and SAS work unfettered.

When you say MBAM and SAS found things, are you letting it fix the
things they find? I know it sounds like SAS is having some problem.

Is your explorer.exe/desktop working now or do you still need to fix
that? Here is how you can replace your explorer.exe if you think or
even suspect it is corrupted:

Look in Task Manager and if explorer.exe is running, terminate it,
then from TM browse to c:\windows\system32 and rename the explorer.exe
to something you can remember (just in case) so explorer.exe is now
"missing". Windows File Protection should replace it quickly and
silently with a backup copy from c:\windows\system32\dllcache or just
manually copy the one from dllcache over to c:\windows\system32, then
launch it again or reboot. There are probably several copies of
explorer.exe on your system. You can't do this if explorer.exe is
running.

Posting Hijackthis logs is inappropriate for this forum, but somebody
will tell you the correct place to send them for analysis if you want
to do that. If I had one here I would first look at your startup items
(the 04s), but we can see all that stuff another way.

Download and install CCleaner from here:

http://www.piriform.com/ccleaner

Launch it and save the Startup information to a text file. Click
Tools, Startup, Save to text file... and save the startup information
to your desktop (or someplace you can find it) open the file with a
text editor, select all and paste the contents back here for analysis.

I have zero startup items, so you could disable all or some of yours
from CCleaner (this does not uninstall anything), and reboot and see
how that goes.

Uninstall CCleaner later if you don't like it (most people seem to
like it for its other features).

I would not trust or worry about your Restore Points just yet. System
Restore is not a time machine. With all that junk, after I got all
cleaned up, I would whack them all anyway - just because they might be
corrupted or afflicted, maybe. Don't take any chances like that -
just whack them all when you are running again.
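
An added example, not part of the original thread or any poster's code: a read-only check to run before swapping a suspect executable for its dllcache copy, reporting whether the file is missing, cannot be read in full, has lost its PE header, or differs from the backup. 0xC0000006 is the NTSTATUS code STATUS_IN_PAGE_ERROR, which is raised when part of a file cannot be read in from disk, so a full read of each affected file is informative. The function names and the sample bytes are constructed for illustration; on a real system you would pass the paths of the live file and its backup.

```python
import hashlib
import os
import struct
import tempfile

CHUNK = 64 * 1024


def read_fully(path):
    """Read every byte so a bad sector surfaces as OSError; return (sha256, first 4 KiB)."""
    digest, head = hashlib.sha256(), b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            if len(head) < 4096:
                head += block[: 4096 - len(head)]
            digest.update(block)
    return digest.hexdigest(), head


def looks_like_pe(head):
    """Check the 'MZ' magic, the e_lfanew pointer at 0x3C and the 'PE\\0\\0' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    # A pointer beyond the 4 KiB we kept yields a short slice and fails the comparison.
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(path, reference=None):
    """Classify one executable; never writes to or renames anything."""
    if not os.path.exists(path):
        return "missing"
    try:
        digest, head = read_fully(path)
    except OSError:
        return "unreadable"          # I/O failure while reading the file itself
    if not looks_like_pe(head):
        return "not-pe"              # header overwritten or file truncated
    if reference is None:
        return "pe-ok"
    try:
        ref_digest, _ = read_fully(reference)
    except OSError:
        return "reference-unreadable"
    # A mismatch shows the two copies differ; it does not say which one is good
    # (the backup can also be stale after an update).
    return "matches-reference" if digest == ref_digest else "differs-from-reference"


def make_sample_pe(payload=b""):
    """Constructed minimal header: enough for looks_like_pe, not a loadable program."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    return dos.ljust(e_lfanew, b"\0") + b"PE\0\0" + payload


def demo():
    """Run triage over constructed files in a temp directory (no real system files)."""
    with tempfile.TemporaryDirectory() as tmp:
        def put(name, data):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            return path

        backup = put("backup_explorer.exe", make_sample_pe(b"original"))
        same = put("explorer.exe", make_sample_pe(b"original"))
        changed = put("notepad.exe", make_sample_pe(b"modified"))
        junk = put("gStart.exe", b"\0" * 512)
        return {
            "same": triage(same, backup),
            "changed": triage(changed, backup),
            "junk": triage(junk),
            "missing": triage(os.path.join(tmp, "PCSuite.exe")),
            "no_ref": triage(same),
        }


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```
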
 
Oh yeah- this will not hurt if you have not done it already:

Boot into the Windows Recovery Console using a bootable XP
installation CD, or create a bootable XP Recovery Console CD.

This is not the same as any recovery disks that might have come with a
store bought system. If you are not sure what kind of bootable CD you
have, make a bootable XP Recovery Console CD and be sure.

You can create a bootable XP Recovery Console CD when no XP media is
available by following the directions in this link:

http://www.bleepingcomputer.com/forums/topic276527.html

For each of your hard disk partitions, you should then run:

chkdsk /r

For example, from the Recovery Console prompt, enter:

chkdsk c: /r

 
hi jose,

thanks for all your thoughtful comments. i have talked with the friend who
owns the laptop. he says he is going to try to get another copy of the CAD
installation software from Argentina. so, for the moment at least, the
pressure is off. if there were a silver bullet solution, i would take the
time to try it, but it looks like there is a lot more work to do. i might
try your recommendations, though, just out of curiosity and sheer cussedness.
what i have distilled from your posts is the following plan:

1. run both MBAM and SAS in normal mode until they are clean, if possible.
2. rename explorer.exe and let win xp create a new copy
3. update CCleaner (already installed), post startup items to forum.

i will post again, once i get more information from my friend about whether
he will be able to get the software from argentina or not.

thanks again to the man in the white hat!

--david levy
washington, dc
 
okay, i got a confirmation from my friend. he's getting replacement software
from argentina, so i'm just going to wipe the hard drive and re-install the
OS.

i did run MBAM in normal mode, full scan, it found no infected object. but
i think the damage was already done and it would have been pretty complicated
re-building the system files, keys, etc. while i would have liked to fix the
existing OS just as a challenge, it would have been too time consuming.
all's well that ends well.

thanks again, jose. so, there really are people in the world wearing white
hats.

"hi-yo silver away!"

"who was that masked man, anyway?"

The Lone Ranger's Creed
"I believe.....

That to have a friend, a man must be one.

That all men are created equal and that everyone has within himself the
power to make this a better world.

That God put the firewood there, but that every man must gather and light it
himself.

In being prepared physically, mentally, and morally to fight when necessary
for that which is right.

That a man should make the most of what equipment he has.

That 'this government of the people, by the people, and for the people'
shall live always.

That men should live by the rule of what is best for the greatest number.

That sooner or later...somewhere...somehow...we must settle with the world
and make payment for what we have taken.

That all things change but truth, and that truth alone, lives on forever.

In my Creator, my country, my fellow man."

http://en.wikipedia.org/wiki/The_Lone_Ranger
 