Avast stopped working, virus?

"ntfswcdd.iso is another version of the bootable cd. It includes cdrom
drivers so before you burn it one can add files to the .iso that you
may want to copy to your ntfs drive. The files you add will be seen in
Drive R: "

Looking at the documentation again I found the above. Could you try again? Boot with the CD and use the same path, but substitute r:\ for a:\

xcopy(space)r:\ntoskrnl.exe(space)c:\windows\system32(enter)

It’s a strange error as xcopy is a dos command

I wonder if the copy command would work better than xcopy. Copy is an internal command while xcopy is external, and that may make a difference under these circumstances.

He can try it. I was just going by the documentation. The author said xcopy worked better.

@BSL

try the dir command again after you boot with the cd. Maybe booting it loads some of the program.

Ok, let’s try this one more time.

Sorry but the brain was getting foggy last night. I had my morning coffee, better now.

I should have gotten you to reboot with the new cd. I think not doing so accounts for the 0 bytes with the dir \p command and the "program cannot run…" error. The program that was trying to run was probably the program on the cd. It didn't even get to the xcopy command.

So restart the computer with the new boot disk. At the command prompt

type

copy(space)a:\ntoskrnl.exe(space)c:\windows\system32(enter)

If you get a file not found error, try r:\ as the source drive as per the documentation. The boot disk program may have created an r:\ partition on it.

Ok will do…

I tried your recommendations but it still won't work. I think the problem is the bootcd. The original one (without the ntoskrnl.exe file) booted up fine with no problems. The second CD (with the ntoskrnl.exe file) did not boot. I tried using the original bootdisc (so I could get into DOS) and then I replaced it with the second bootdisc to see if it would work. I ran dir but it still read 0 files. I double-checked the files on the second bootdisc on my computer and all the files were listed on the CD (including the ntoskrnl.exe file).
I do not know why the dir command would not recognize the files.

I tried copy instead of xcopy and it said "0 files copied" (instead of "cannot do this in DOS").
I tried the r: drive and it did not recognize it.

I am fairly certain that I can borrow a copy of XP sometime next week. That might be the best route.
I just don't want to waste your or Mauserme's time. I do appreciate all the help though.

You are not wasting anybody's time. We're here because we want to help, and learn. Right now it's a learning experience. We'll get back to helping in a while :slight_smile:

I'm inclined to recommend a repair install of the operating system at this point unless oldman has other ideas. Besides ntoskrnl.exe, we know chkdsk.exe was reported missing and you were getting errors prior to starting the malware removal. If reinstalling ntoskrnl.exe could have been a quick fix that would be one thing, but apparently it's not going to be that easy.

A repair install will require an XP disk and product key, but let’s wait for oldman’s input.

Overinstallation can solve the problem and you won’t lose your programs, settings, data, files, etc.
Just choose ‘Repair’ installation of Windows and install ‘over’ the old installation.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;315341
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314058
http://www.webtree.ca/windowsxp/repair_xp.htm

After that, visit Windows Update and install ALL security patches/updates.

I echo mauserme's sentiments. It's a learning experience for everyone, no matter if things seem to be going south. That happens sometimes. But even then something is learned. I thought perhaps we'd stumbled on to something here, how to get around some of Windows' security: the "access denied" error.

Anyway, an overinstall may be the route to go given the number of errors you had before, and who knows how deep the problem goes. That's the nice thing about XP, you can overinstall without losing your data.

What about the nasty critters living on the hard drive now? Will they wreak havoc with an overinstall? I once had an experience with Sasser that let you think you were running the restore discs.

I’m going to look at the documentation for the bootcd again. There should have been a version of check disk included.

Stay tuned, we’re still ready to assist.

Ok, I appreciate it! I will post as soon as I do the overinstall, and thanks for the microsoft links Tech™

@ BJS

I looked at the documentation again and it looks as follows

ntfsboot.txt is the documentation

ntfsboot.exe is for making a bootable floppy (which maybe accounts for the a:\ drive)

ntfsboot.iso is a boot disc

ntfswcdd.iso is also a boot disc; if you want to add files you would use this one. It has cd drivers so you can copy files to your hd. The files have to be added to the iso file itself, not just to the disc.

So you can make a bootdisc using either file.

I see the instructions for adding files to ntfswcdd.iso using UltraISO, but none for Nero. The file, in this case ntoskrnl.exe, should show up as being on R:. So if you know how to add files in Nero, this is the file to burn.

If you are still willing to continue, and your files are still usable, I suggest the following

Open Nero and burn ntfsboot.iso. We know either Windows security or a critter is preventing access to the driver cache folder, but you could at least run checkdisk, chkdsk(space)c:, if mauserme thinks it worthwhile. There are some switches that can be used to fix, report, etc.

If you can figure out how to add a file to an .iso with Nero, then ntfswcdd.iso would be the way to go.

I think the reason the author says xcopy may work better is that it is capable of copying a 0 byte file where copy is unable to do so. The author states that the iso file doesn't change size when files are added to it.

There is a free trial version of UltraISO available; the only limitation I see for it is file size. Can't seem to find what the size is.

As to why the second disc didn't work, I'd say if you put all the files on the cd, ntoskrnl may be trying to run.

It looks like you are going the overinstall route. That's okay, it's probably the best choice. What we were doing may or may not have worked. Once I get my XP machine going, I intend to try what you were doing. It's mostly curiosity to see if one can do quick patch jobs, just to get going again.

Anyway, for what it's worth, the above post is my take on what the files are.

I think its going to come to this in the end, so we might as well make it the plan now.

@Tech™ - Since when did you get trademarked? ;D

I hate imitations ;D

"Once I get my XP machine going, I intend to try what you were doing. It's mostly curiosity to see if one can do quick patch jobs, just to get going again."

Oldman, I could send you the files for the bootdisk if you want to try it out…

Thanks, I'd appreciate that. I'd like to try it out and see just how much you can do from DOS. There might be something there for people caught like you. I'm in the same boat, XP, but the disc (used) looks like it was used for a coaster or a frisbee.

Can you just email them please? I'll PM my address. Thanks again, and let us know when you get the disc.

I found this thread through a Google search whilst dealing with a terribly infected PC with the rootkit you are dealing with here. First of all, thanks to all of you for the log files in this thread. They really helped me figure out what was going on. I was called out to fix a computer that crashed while booting (just like the system discussed here) and kept on rebooting automatically in safe boot (regardless of the do-not-automatically-reboot option being on or off).

I found all these bogus drivers like srosa.dll/sys and other files, just from the log files. I use this Utility CD by a guy called ASM51 as an emergency boot cd (the Utility CD can be found on the forums of sharevirus.com or generally on the edonkey network). With that I managed to remove those files and registry entries belonging to the rootkit. But all to no avail, the system kept on crashing.

Until it hit me: ntoskrnl.exe wasn't deleted in this case. I could find it in windows\system32, but when I went to check the dates on the file, I saw it was created/modified on August the 14th, the day the PC got infected. Bull's eye.

Luckily there were other copies of ntoskrnl.exe on the hard drive, because of service pack updates and corresponding backups done earlier. Using the Utility CD interface, I copied one of those ntoskrnl.exe files to the windows\system32 folder after renaming the infected file, et voilà, the system started up like normal! Hope it may be of some help to others with similar problems!
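Badr's check above (compare the system32 copy of ntoskrnl.exe against the other copies left on the drive by service pack installs, and treat the one that differs and was modified on the infection date as the replaced file) can be scripted. The block below is an added example written for this thread, not code from the thread or from the Utility CD. It runs offline on constructed sample records; the paths, timestamps and hashes in SAMPLE_RECORDS are made up for illustration, and walk_and_hash() is what you would run instead against a drive mounted from a boot CD. A modification timestamp can be forged by malware, so the script treats the hash mismatch as the primary signal and the date as a tie-breaker.

```python
"""Find the replaced copy of a system file by comparing it with other copies.

Added example for this thread, not the original poster's code. Records are
(path, modification time as ISO-8601 text, SHA-256 hex digest). The copy whose
hash is in the minority AND that was modified on or after the infection date
is reported as suspect; the remaining copies are candidate known-good sources.
"""
import hashlib
from collections import Counter
from datetime import date, datetime
from pathlib import Path

# Constructed sample: one copy in system32 modified on the infection date with a
# different hash, two older backup copies that agree with each other.
# Paths and hashes are made up for illustration.
SAMPLE_RECORDS = [
    ("C:/WINDOWS/system32/ntoskrnl.exe", "2007-08-14T03:12:55", "b" * 64),
    ("C:/WINDOWS/ServicePackFiles/i386/ntoskrnl.exe", "2004-08-04T12:00:00", "a" * 64),
    ("C:/WINDOWS/$NtServicePackUninstall$/ntoskrnl.exe", "2004-08-04T12:00:00", "a" * 64),
]


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def walk_and_hash(root, name="ntoskrnl.exe"):
    """Collect (path, mtime, sha256) for every file called `name` under `root`.

    Run this against a drive mounted read-only from a boot CD; on a live,
    infected system a rootkit may hide the file from directory listings.
    """
    records = []
    for p in Path(root).rglob(name):
        if p.is_file():
            mtime = datetime.fromtimestamp(p.stat().st_mtime).isoformat(timespec="seconds")
            records.append((str(p), mtime, sha256_of(p)))
    return records


def find_suspect_copies(records, infection_date):
    """Return paths that disagree with the majority hash and were modified on/after infection_date.

    infection_date is ISO text such as "2007-08-14". If no single hash has a
    majority (e.g. only two copies that differ), every copy is treated as a
    hash outlier and the date alone decides.
    """
    if len(records) < 2:
        return []  # nothing to compare against
    cutoff = date.fromisoformat(infection_date)
    ranked = Counter(h for _, _, h in records).most_common()
    majority_hash = ranked[0][0] if len(ranked) == 1 or ranked[0][1] > ranked[1][1] else None
    suspects = []
    for path, mtime, h in records:
        modified = datetime.fromisoformat(mtime).date()
        if h != majority_hash and modified >= cutoff:
            suspects.append(path)
    return suspects


def known_good_copies(records, suspects):
    """Copies not flagged as suspect: candidate sources for the replacement."""
    return [path for path, _, _ in records if path not in suspects]


if __name__ == "__main__":
    bad = find_suspect_copies(SAMPLE_RECORDS, "2007-08-14")
    print("suspect:", bad)
    print("restore from one of:", known_good_copies(SAMPLE_RECORDS, bad))
```

The hash comparison only tells you which copy is the odd one out; before copying a backup over the suspect file, confirm the backup's hash against a file of the same service pack level from a trusted installation, since an attacker with write access to system32 could also have touched the backup folders.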

Thank you Badr, and welcome to the forum.

Can you post direct links?

Thanks!

If you're referring to the Utility CD, I can post links, I just don't know if it's allowed:
ed2k://|file|UTILITY%20CD%208cm%20(asm51)%20v11.30%20ISO.zip|163954088|961803D3205658917520F36D635EF9F1|/

I've been using it since the earlier versions; it always comes in handy. I do believe, however, that the same can be accomplished with BartPE, WinPE or similar boot-from-CD solutions. The Utility CD uses Winternals ERD Commander 2005, which is no longer sold as such since Winternals was taken over by Microsoft.

ed2k://|file|UTILITY%20CD%208cm%20(asm51)%20v11.30%20ISO.zip|163954088|961803D3205658917520F36D635EF9F1|

If this edonkey link is infected or points to a pirated file, better not to post it here…