Latest Window Update=Big Problem

[bozo]

I Dl'd & installed the latest windows updates this AM, and upon reboot, I get to a "check disk" screen wanting to check partition "H:" (this is not the OS partion). Problem is, there is NO countdown to abort, and the disk check immidiately goes to 53%...then hangs.

I have tried to start in "Safe Mode", but the safe mode drivers load & then hangs.

I have a "Barts PE" bootable CD that I put in & reboot (note: this is WITHOUT changing the bios boot order), and I get to the "check disk" window WITH the 10 second countdown, so I am able to "abort", and windows starts normally. It is very strange that merely having Barts PE CD in the drive that changes the "disk check countdown"

On one occasion, I did change the bios boot order, to boot from CD first, & launched "Bart PE CD", from there I was able to "disk check" partition H:, and it reported NO errors on the disk. I also ran a virus scan, & 2 spyware scans...nothing.

While I have windows open (leaving the CD in the drive to do so), I also tried a "System Restore" rollback to yesterday. It went through and said the rollback was sucessful, but on reboot the same problem occurs.

I am at a total loss as to how to get by this "check disk" hang.

[Panama Red]

Anything in any of these?

http://support.microsoft.com/search/...artup&srch=sup

[bozo]

Quote:

Originally Posted by Panama Red Anything in any of these? http://support.microsoft.com/search/...artup&srch=sup

I did not see anything specific to my problem

[GaryRouth]

Did you check in on the Registry key & value mentioned in this? ->

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\BootExecute
3. On the Edit menu, click Modify.
4. Type autocheck autochk *, and then press ENTER

[This is from one of the MSKB articles Panama linked to, article 831426]

You mentioned you ran a diagnostic on partition H. Just to see, try a diagnostic from the hard drive manufacturer & do a thorough (or "Full") diagnostic run.

When it's corruption in the Registry, a repair reinstall will often fix it, if you are tired of trying to find the exact damaged values, and expecially if you have an XP disk with SP2 on it already (saves a lot of time).

Should be interesting to see how it comes out.
. . . Gary

[bozo]

Thanks for the input Panama & Gary...I have read that MSKB article, and may persue that later.

I found a clue yasterday as to what may be the problem, when I went to Defrag the problem partition "H:", it returned an error pointing to a program file.

The program is "NVU", a web page design program recently downloaded. I became more suspecious of this program when I went to open the program, the computer would hang (can't even bring up "task manager"). I then went to control panel>add remove programs, and attempted to "remove"...computer would hang. Reboot and search explorer for the program...open the folder, and there is an "uninstall" file, so I click on it...computer hangs. Reboot, and do a file by file delete in explorer. There is one sub-folder left "NVU\res" that I cannot delete...when I right click on it...the computer hangs. Reboot, and this time I open a program called "Sure Delete" ( a brute force file deleter that I have gotten rid of pesky files before), navigate to this sub-folder...click on it ...computer hangs.

I no longer think "Windows Updates" had anything to do with this, since the updates are DL'd, but have NOT been installed. I am pretty sure my problem lies within this sub-folder.

How can I get rid of this sub-folder???

[Panama Red]

Couple thoughts. First try renaming the folder and then deleting it. If that doesn't work, try the same thing in Safe mode. Still no luck, try removing with Move on Boot available here:

http://www.snapfiles.com/get/moveonboot.html

[bozo]

I can't "rename" it in explorer...if I right click the sub-folder the computer locks.
Safe Mode will not complete loading.

I DL'd the "Move On Boot" program, and using that program when I navigate to the NVU\res sub-folder...the computer still locks at that point.

In general, whenever I click (right or left) on this sub-folder in any app I've tried so far, the computer locks (no task manager), requiring a hard reboot from the restart button on the case.

I'm pretty sure there is a way to delete a file from the command line, but I am not up to speed with that.

Any other ideas???

[GaryRouth]

If you have pretty good backups of your personal data, it might be the safest & sanest course to zero-write & start fresh. Not much can survive that.

I think Recovery Console only allows you to delete within the system folder of the current installation, and the root folder. I would guess that the folder you want to be rid of is likely in the "Program Files" folder. If your Safe Mode was working, then you could probably be successful deleting from there. Just to cover the bases, does "Safe Mode command prompt only" (or whatever the exact wording is) work?

There is a tool called KillBox linked to often on sites specializing in hard-to-cure malware infections (like TomCoyote's webpages - which include tips on the HiJackThis program, and forums with HJT log-evaluating experts helping identify and destroy the various pests). I don't know much about the program beyond the name (haven't had a chance to try it yet). But you might be able to research that tool a little & see if it's worth a try.

I like the zero-write partly for peace-of-mind: not even a rootkit can survive a zero-write. [And that's pretty much the only sure way to be rid of a rootkit].

Best of luck
. . . Gary

[a couple of last-ditch ideas: 1) try to see if you can run a Restore to a point from before the NVU arrival 2) try a repair re-installation of XP, and see if Safe Mode then works long enough to try deleting the offending folder from there - If you go this route, & Safe Mode is operational & lets you delete the folder, also visit regedit while in Safe Mode & search the Registry for entries related to that software (especially any in the startup keys/values)]

[OK -- one last crazy idea: this under the "hair of the dog that bit you". You can download a newer version of NVU and see if that straightens anything out (or just puts Windows in a coffin) -- hey, we're close to Halloween, after all ]

[rjfvillarosa]

I just did a google search on "NVU/res" and all that came back were Linux applications of a web authoring program, is there some crazy way that you have managed to install a Linux program/application that Windows can see the file name of but cannot recognize the code for and therefore cannot delete it?
Quite honestly at this point I have to agree with Gary and go for a "nuke and pave"

[bozo]

OK..I finally got Safe Mode to open. both in regular safe mode & safe mode with comand promt. In Safe Mode when I try to delete this sub-folder I get this error "Cannot delete "res:". The request could not be performed because of an O\I device error". From the command prompt when I type "del H\My Name\NVU\res" It says cannot find file.

I am completely backed up, and could do either a a fresh install, or I could restore an Image of the OS, but I would rather use that as a last resort, since I am still able to opne windows, and it is fully functional. Should I do that I am unsure if the OS partition (C should be nuked or my program partition (H. It seems the trouble file is on the H: partition.

I am familiar with Hijack This, & could post a log if that may be helpfull.

[glc]

Can you delete the parent folder with MoveOnBoot?

[bozo]

Quote:

Originally Posted by glc Can you delete the parent folder with MoveOnBoot?

I have tried to delete the parent folder this AM...by dragging & dropping the sub-folder, rather than navigation to it, MoveOnBoot would accept the sub-folder for delete on next boot. It dosen't work...the file remains in the H: program folder. I am going to try that again dragging the files in "res".

I went to PC Pitstop & ran their "full" test, and everything came back excellant, but when I ran their "disk" test only...all of my other partitions (10) tested fine, but my H: drive would not test at all.

While there I also DL'd "Spyware Doctor", and ran it. It was close to finishing (90%) then the computer hung, and guess what file it hung on???
H:\MyName Programs\Nvu\res

Gary, in a post above mentioned "KillBox"...does anybody know where to find that, or any other file killers.

Also I ran a "Rootkit" detection & removal tool...came back clean.

[glc]

You may have to copy the data you need off that partition and reformat it.

[GaryRouth]

If you want to try to kill the folder before you reformat the partition (which seems like a pretty nice alternative to re-doing everything) - here's a link to a page with a little blurb on how to use Killbox, plus a link to downloading the program itself (it arrives in a .zip file). Certainly scan the download before using it: I haven't any experience with this site, so I can't vouch for it's safety: http://www.bleepingcomputer.com/files/killbox.php

You mentioned you are familiar with HiJackThis: the TomCoyote forums are where I see the references to Killbox the most (now in a version called "Pocket Killbox"). I haven't needed to try the tool myself yet, so unfortunately I can't give feedback personally. It seems to be well-received by many techs specializing in malware removal.

Good luck - if you find a tool that works, perhaps you could recommend it here.
. . . Gary

[bozo]

Update...Got 'er fixed without a format & re-install!
Bart'sPE (a bootable cd with some utilities) did the job.

I tried several methods to remove the Nvu program to no avail...so I ran HD diagnostics from Maxtor, and sure enough it reported the drive failing.

I procastinated, since I was still able to open Windows (as long as I had *any* CD in the drive...I'll never figure out why) until a couple of days ago. Then I was locked out for good.

I dug out the "BartsPE" I made some time ago, and ran some diagnostics from that program. Under this shell I was able to run "checkdisk" on the offending partition ( I had tried this before & the drive came up clean)...this time it picked out the "Nvu" as being corrupt, and repaired it. A reboot...and all is well now.

The "Nvu" was still listed in the programs folder, so I clicked on the "un-install" file...it said the file was corrupt, so I did a "file by file" deletion, and now I was able to completely remove the program.

Thanks for all who offered sugestions!

Kudo's to BartsPE

[GaryRouth]

Nice work! Thanks for letting us know.