Netbook Will Not Boot After Infection With AntiMalWare Doctor and Friends


19 replies to this topic

#1 JohnnyTopQuark

Posted 21 July 2010 - 12:24 PM

Okay, first of all, forgive me if I make any "computer-help-forum" faux pas as I am new to this scene.

About a year ago I purchased a Toshiba NB205-N311/W Netbook with XP Home. I have never had a problem with spy/ad/malware (I think thanks in large part to me being alert) until last Friday. I noticed a mysterious "anti-malware" program that I did not install giving me the usual bullsh*t: "You have malware, give us money!" So, as I muttered obscenities to myself I proceeded to look up some info on this particular group of softwares (antivirus pro and antimalware doctor or something similar). I came across one site that had a program to kill the processes so that MBAM could be run to fix the problem. I did this. MBAM said I needed to restart as some things couldn't be removed. I was VERY wary because ever since I got my first computer the main "cause" of near total devastation almost every time was a reboot (I know it's not the direct cause...) Even to this day I use hibernate and sleep most often--I hardly ever reboot. Anyway, this reboot proved to be a fatal mistake--or at least a severely wounding one.

The BIOS loaded and the computer went through the POST motions but as soon as the BIOS screen (the one that gives you the F button options) went away and the HDD was about to be initialized, all I got was a solitary, blinking, white, underscore-type cursor in the top left of a black screen. SHEEEEEEEEEEEEEIIIIITTTTT! I exclaimed in a high pitched shriek. The large hand of an endless stay-up-all-night-computer-repair-sausagefest was eyeballing my junk--and not in a good way. At this point I knew I was standing knee deep in a watery puddle of human feces, figuratively speaking.

I went to Home Depot to get the T6 STAR BIT that Toshiba, in their infinite wisdom and mercy, decided to use as the screw-head type for the HDD/WiFi access panel. I got it open. I took out the HDD (the original one from the Laptop--160 GB) and connected to a SAS to USB circuit board that I had taken from a Toshiba 2.5" drive enclosure. I connected it to another computer at work. Windows XP detects and installs it but it won't show up under My Computer (mass storage device is installed under device manager). If I put the original hard-drive in that came in the enclosure, it works and I can see it. Ohhhh no... The 160 GB doesn't start spinning like the 500 when I connect it. I sure hope it simply isn't getting enough power from the bus like the 500; but why would they be THAT different (they are literally the same HD just a different capacity) Or perhaps different file systems?

Also, I put the 500 GB (that had no OS on it) into the laptop and, not surprisingly, the exact same thing occurred. So, either there is a problem with the BIOS or the OS, right? But why can't I access the 160 from the SAS to USB connector? That fact right there is very disconcerting.

If there is any other information you need, please, let me know ASAP. Thanks in advance for your help!

P.S.

This netbook has no CD/DVD drive. Yes, I know this is a huge disadvantage (just reinstall Windows/ boot from CD; I wish).


#2 abauw

Posted 21 July 2010 - 01:29 PM

Did you open the T6 screws on your laptop or on your hard drive???
I think it's a rare thing that a laptop uses T6 screws...
but hard drives often use T6 screws...if you open the screw without knowing anything and the risk...it will fry your hard drive...




:guitar: Take me to a place where time is frozen
You don't have to close your eyes to dream :busy:
You can find escape inside this moment :smash:
And I will follow  :whistle:


#3 hamluis (Moderator)

Posted 21 July 2010 - 01:42 PM

I've asked one of the BC Malware Team to take a look at your situation.

Please be patient.

Louis

#4 JohnnyTopQuark

Posted 21 July 2010 - 02:10 PM

QUOTE
Did you open the T6 screws on your laptop or on your hard drive???
I think it's a rare thing that a laptop uses T6 screws...
but hard drives often use T6 screws


I know the difference between a laptop and a hard drive. I understand that you probably get people on here often that don't (or can't) but I am not one of them. There are two T6 screws that must be removed to get to the HD bay/area. Yes, they are the same screws that are used on the HD itself.

QUOTE
...if you open the screw without knowing anything and the risk...it will fry your hard drive...


So, opening a HD without knowing anything about it (which I do, mind you) automatically causes it to "fry"? Interesting...

Although I am obviously being facetious, I really do appreciate your attempt to help. Thanks.


#5 abauw

Posted 21 July 2010 - 02:27 PM

Is your hard drive SATA?..
If it's SATA you can plug it to the mainboard without any bay...and see if it reads or not...
And one more thing...there is a hidden partition on the hard drive that Toshiba makes for recovery...please don't make any change on it...just to make sure that partition cant be use later for recovery...

about opening a HD cant make "fry"
It's quite hard to tell it in English...but if you have wrong putting it back and not intentionally cover up something...it will burn your hard drive...

but lets wait BC Malware Team arrived here...


#6 JohnnyTopQuark

Posted 21 July 2010 - 02:53 PM

Yes, I am aware of this partition. Even if I wanted to change it right now I couldn't b/c I can't access the drive. I will try accessing the drive on my Vista laptop when I get home. Could it have something to do with the file system (on the 160 from the laptop)? Aren't they usually NTFS? Wait, that shouldn't matter... Ugh...

They are both SATA:

500 GB (Toshiba MK5059GSX) <--- This is the "external" HD
160 GB (Toshiba MK1655GSX) <--- This is the one that was inside the netbook

What do you mean plug it into the mainboard without any bay? If you mean simply connect the 500 GB drive to my netbook--I have already done that. Nothing (just the cursor) happens. Could you please clarify?

Edited by JohnnyTopQuark, 21 July 2010 - 02:55 PM.


#7 Guest_Joe C_*

Posted 21 July 2010 - 03:49 PM

If you reinstall the 160 GB drive back into the laptop you can go into the BIOS to see if it is recognized. If it isn't, then you have some issues.

#8 JohnnyTopQuark

Posted 21 July 2010 - 04:11 PM

No need to put it back in my computer, I remember vividly that the HD was/is still recognized.

#9 JohnnyTopQuark

Posted 21 July 2010 - 04:15 PM

Okay, I figured out why I couldn't get the 160 recognized on the desktop as a USB HD. I had a password set on it. DUH! Now that I can access the HD, what should I look for?

#10 Guest_Joe C_*

Posted 21 July 2010 - 04:53 PM

you'll probably want to get your documents file from it

Edited by Joe C, 21 July 2010 - 04:54 PM.


#11 JohnnyTopQuark

Posted 21 July 2010 - 05:00 PM

Okay guys, I really appreciate the help but the super obvious stuff is unnecessary with me, I assure you. Allow me to clarify:

What should I look for in terms of boot.ini, registry settings, MBR, partition tables etc... in order to determine what is wrong and get the hard drive booting again? For example, I compared my MBR to the desktop's MBR and they are identical.

Thanks...

Edited by JohnnyTopQuark, 21 July 2010 - 05:02 PM.


#12 Guest_Joe C_*

Posted 21 July 2010 - 07:21 PM

can't remember where I found this but you can try it. It is malware related
QUOTE
Boot using your winxp cd.
Enter recovery console.
at the command prompt go to

C:/windows/system32

next type:
Dir *.exe

If you find it, type

copy userinit.exe wsaupdater.exe

Exit and reboot normally. You should now be able to logon.

Run regedit

Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the right pane, you should see

C:\WINDOWS\System32\wsaupdater.exe,

Change it so that it reads:

C:\WINDOWS\System32\userinit.exe,

That should solve the problem, if the malware was the one that caused the issue.

2 options

either copy boot.ini from another computer copy over boot.ini on infected computer via copy command

or copy boot.ini from the recovery disc... copy d:boot.ini c:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Look in the right pane for a value under name called Userinit. The value should read:

C:\WINDOWS\system32\userinit.exe,

Including the trailing comma. If it reads anything other than the above, double click the Userinit value and change it to the value above.


#13 hamluis (Moderator)

Posted 21 July 2010 - 08:23 PM

Quite honestly...this is not the forum...to attempt to be resolving malware issues.

Nor is it the forum to be taking unknown advice regarding overcoming unknown possible malware issues...that may or may not exist.

I am moving this thread to the Am I Infected forum.

Louis

#14 Guest_Joe C_*

Posted 21 July 2010 - 09:52 PM

My recommendation will not remove any malware, it will only get the pc to boot up. Cleaning will probably need to be done from there.
I have personally used this method before to get a pc to boot up so I know this is good advice. I can not say if this will help the op but it won't hurt to try it.

Edited by Joe C, 21 July 2010 - 09:54 PM.


#15 JohnnyTopQuark

Posted 22 July 2010 - 10:58 AM

Remember, this is a netbook and does not have an optical drive of any sort. I can access my old hard drive now (the "bad" one) on my work desktop, though. So, I will try what you said by simply running REGEDIT on the desktop and opening the 160 GB's registry.

I found a reference to this by Microsoft. It has to do with the login but I think it couldn't hurt:

http://support.microsoft.com/kb/892893

Oh yeah, also, before I restarted my computer the malware would not allow any executables to... execute. Or it was "trying" to do this at least. It would give me a message that the file was infected and could not be run. Maybe it modified some code in Windows that has something to do with the execution of files and now, when I try to boot, the boot exec. can't run?

Remember, I am no super-programming-guru but this sounds at least plausible, right?

QUOTE
that may or may not exist.


Are you suggesting I'm making this up? Does that happen a lot on this forum?

Edited by JohnnyTopQuark, 22 July 2010 - 11:11 AM.
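
Added example (not part of any post in this thread): the Userinit check quoted in post #12, done read-only against the offline SOFTWARE hive of a drive attached to a second Windows machine, as post #15 proposes. The drive letter `E:` and the temporary key name `OfflineSoftware` are assumptions; the expected value is the one quoted in the thread.

```powershell
# Added example, not code from the thread. Read-only check of Winlogon\Userinit
# in the SOFTWARE hive of an offline Windows XP install. Run from an elevated prompt.
param(
    [string]$OfflineWindows = 'E:\WINDOWS',      # assumption: removed drive is mounted as E:
    [string]$MountName      = 'OfflineSoftware'  # assumption: temporary key name under HKLM
)

# Value quoted in the thread, trailing comma included.
$expected = 'C:\WINDOWS\system32\userinit.exe,'
$hive     = Join-Path $OfflineWindows 'system32\config\software'
if (-not (Test-Path -LiteralPath $hive)) { throw "Hive not found: $hive" }

# Mount the offline hive under HKLM so reg.exe can read it.
& reg.exe load "HKLM\$MountName" $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (not elevated, or hive in use)' }

try {
    $key = "HKLM\$MountName\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $out = & reg.exe query $key /v Userinit 2>$null

    # reg.exe prints "    Userinit    REG_SZ    <data>"; pull out the data column.
    $value = $null
    foreach ($line in $out) {
        if ($line -match '^\s*Userinit\s+REG_\w+\s+(.*)$') { $value = $Matches[1].Trim() }
    }

    if ($null -eq $value) {
        Write-Output 'Userinit value is missing from the Winlogon key'
    } elseif ($value -eq $expected) {            # -eq ignores case for strings
        Write-Output "Userinit OK: $value"
    } else {
        Write-Output "Userinit differs from expected: $value"
    }

    # The registry value only helps if the binary it names is still on the disk.
    $exe = Join-Path $OfflineWindows 'system32\userinit.exe'
    if (-not (Test-Path -LiteralPath $exe)) { Write-Output "Missing file: $exe" }
}
finally {
    # Always detach the offline hive, even if the query failed.
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

The script changes nothing on the offline drive; it only reports whether the value and the file match what the quoted procedure expects.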
