Can't boot into windows or even re-install


13 replies to this topic

#1 agilulf


Posted 15 December 2010 - 05:26 PM

One of my friends' PCs (Windows XP Home) got a virus, and when he rebooted, it is like there is no boot partition... he cannot do anything but go into the BIOS and boot menu.

His hard drive passes diagnostics, and I can boot into Linux from a USB key and see that all his data is there, but when I tried to boot from an XP disk to repair, I just get a BSOD, and it has some Session 3 error. I know that his hard drive is good, because I can see all his data, but if I can't re-install the OS without a BSOD, or repair without a BSOD, I am not sure how to try and fix this PC.

I believe that he has a virus that has corrupted his boot sector, but I am not sure what to do.

Can anyone help me with this?



#2 fred3


Posted 15 December 2010 - 05:33 PM

Have you tried booting to a Windows XP CD?
Do that.
Select R, Recovery Console
When the command prompt comes up you'll need to select and log into a Windows install to work on.
Run
fixboot

Then see if you can boot from the hard drive.

Do the same but run
fixmbr

Then see if you can boot from the hard drive.

It's arguable whether running chkdsk this way is best to do first or last....
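
The boot-sector checks discussed in this thread can be backed by a read-only look at sector 0 from the Linux live session mentioned in the first post: is the 0x55AA signature present, is exactly one partition marked active, and did a repair change the boot code hash. This is an added example, not part of any post; the sample sector is constructed and the device name in the comment is an assumption.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bootstrap code area, before the partition table
ENTRY_LEN = 16           # four 16-byte partition entries follow it
PART_TYPES = {0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x83: "Linux"}

def parse_mbr(sector: bytes) -> dict:
    """Summarise sector 0 of a disk without writing anything back."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("need exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * ENTRY_LEN
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0:   # unused slot
            continue
        partitions.append({
            "slot": i,
            "active": status == 0x80,
            "type": PART_TYPES.get(ptype, hex(ptype)),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "boot_code_blank": not any(sector[:BOOT_CODE_LEN]),
        "partitions": partitions,
        "active_count": sum(p["active"] for p in partitions),
    }

def build_sample_mbr() -> bytes:
    """Constructed sample: one active NTFS partition starting at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"   # placeholder bytes standing in for boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 156296322)
    sector[446:462] = entry
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    # On a live Linux session the real sector would come from something like
    # open("/dev/sda", "rb").read(512)  (device name is an assumption).
    print(parse_mbr(build_sample_mbr()))
```

Saving the `boot_code_sha256` value before and after a repair shows whether the boot code was actually rewritten, while the partition entries should stay the same.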

#3 agilulf


Posted 15 December 2010 - 05:41 PM

Yes, I booted from an XP CD, but the installer gives me a Blue Screen before I can do anything. It crashes when the drivers are still loading, so I never get to a repair screen.

#4 fred3


Posted 15 December 2010 - 06:01 PM

Then I would suggest using a live boot CD like UBCD4WIN32 and running those things from that platform. I believe the necessary tools are there.

#5 agilulf


Posted 15 December 2010 - 06:20 PM

I am trying to figure out how to boot and repair the MBR. I'll give it a shot.

I know that computer works because it runs Ubuntu just fine in memory and shows me all the files, so the file system looks okay too, but not being able to run the Windows repair sucks :(

#6 agilulf


Posted 15 December 2010 - 07:49 PM

I can't figure out how to use the UBCD4WIN32, dang it, and the messed up PC doesn't recognize my USB floppy drive. This is so freaking frustrating.

#7 AustrAlien


Posted 15 December 2010 - 09:22 PM

The reason that you can't boot with the XP installation CD is most likely due to having a SATA HDD. The XP CD does not have SATA drivers, and so will BSOD with a STOP: 0x7B error.

Do the following and you will be able to boot with the XP installation CD:
Enter the BIOS Setup Menu and find the HDD configuration setting, which will read something like "RAID on", and change it to "RAID autodetect/ATA or IDE compatible" or words to that effect. "Save and exit" the Setup Menu allowing the computer to boot from the XP CD. Success?
AustrAlien
Google is my friend. Make Google your friend too.


#8 agilulf


Posted 16 December 2010 - 07:45 AM

Hey, thanks for the SATA reply. The PC does have a SATA hard drive. Let me try that or see if I can find a driver that I can load during startup. Thanks again.

#9 agilulf


Posted 16 December 2010 - 10:46 PM

Okay, so I was able to run Fdisk /mbr and get the computer to boot into Windows, but it's all infected with System Tool and who knows what else. I have booted into Safe Mode and ran Malwarebytes with the latest ref file, but I think that this is a boot sector virus because it keeps coming back after any cleaning.

I think I am going to need some help getting rid of this. I am going to try to run the F-Secure rescue disk to see if that helps, but any help or suggestions would be appreciated.

Thanks

#10 AustrAlien


Posted 17 December 2010 - 12:22 AM

Do you see the name of the malware as "System Tool" or "SystemTool" or as "System Tool 2011"?

Please follow the removal guide at the following link:
Remove System Tool and SystemTool (Uninstall Guide)

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM. Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Please post the log and let us know how the system is running now.

It may be best to hold off on running a bootable rescue disk to clean the system (that is a "last resort"), as you might end up back where you started with an unbootable system again; and no, it is not necessarily a "boot sector virus" just because it "keeps coming back". There may well be other infections present on the system causing problems, so we need to do some more investigation and get some more information to determine what is necessary to fix it.

Edited by AustrAlien, 17 December 2010 - 12:25 AM.


#11 agilulf


Posted 17 December 2010 - 06:49 PM

Okay,

Here is the log from Malwarebytes the first time I ran it in Safe Mode. I installed it from a USB key and moved the rules.ref file over from the clean PC that I was using to access the internet so that it would have the latest reference file.

After I ran Malwarebytes I ran ComboFix, but the infected PC wasn't connected to the internet, and ComboFix wanted to update the recovery files for that PC but was unable to do that, so it cleaned what it could.

After ComboFix ran and rebooted the PC, I scanned again with Malwarebytes and it found 8 more items...

The log file below is from the first Malwarebytes scan in Safe Mode:


Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5214

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/16/2010 9:52:00 PM
mbam-log-2010-12-16 (21-52-00).txt

Scan type: Quick scan
Objects scanned: 217522
Time elapsed: 18 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4D7B-9389-0F166788785A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98D9753D-D73B-42D5-8C85-4469CDA897AB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9FF05104-B030-46FC-94B8-81276E4E27DF} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\program files\microsoft security adviser (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Steve\local settings\temporary internet files\Content.IE5\IM03OY0H\exe[1].php (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\WINDOWS\kwotw42g.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\Steve\application data\Adobe\plugs\kb2051180531.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Steve\application data\Adobe\plugs\kb2051220593.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Steve\Desktop\system tool 2011.lnk (Rogue.SystemTool) -> Quarantined and deleted successfully.
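
A helper reviewing a pasted log like the one above needs the top portion (database version and operating system) and a full item list. This added example, which is not part of the post and not Malwarebytes code, parses that text layout and flags a truncated paste by comparing the summary counts with the items actually listed; the sample is abridged from the post's log with its counts adjusted to match.

```python
import re
from collections import Counter

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> ")
# Abridged from the log format in the post above; counts adjusted (constructed).
SAMPLE = r"""Database version: 5214
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Registry Keys Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\kwotw42g.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\Steve\Desktop\system tool 2011.lnk (Rogue.SystemTool) -> Quarantined and deleted successfully.
"""

def parse_mbam_log(text):
    """Parse an MBAM text log into header fields, declared counts and listed items."""
    report = {"database": None, "os": None, "declared": {}, "items": {}}
    section = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Database version:"):
            report["database"] = line.split(":", 1)[1].strip()
        elif line.startswith("Windows "):
            report["os"] = line
        elif m := SUMMARY_RE.match(line):
            report["declared"][m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
            report["items"][section] = []
        elif section and (m := ITEM_RE.match(line)):
            report["items"][section].append((m["path"], m["family"]))
    return report

def check_complete(report):
    """Return reasons the pasted log looks truncated; an empty list means complete."""
    problems = [f"missing {k} line" for k in ("database", "os") if not report[k]]
    for section, declared in report["declared"].items():
        listed = len(report["items"].get(section, []))
        if listed != declared:
            problems.append(f"{section}: summary says {declared}, {listed} listed")
    return problems

def families(report):  # detections per family name, across all sections
    return Counter(f for items in report["items"].values() for _, f in items)
```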

#12 AustrAlien


Posted 18 December 2010 - 12:53 AM

Note the warning in blue at the top of the page: "ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer."

FYI: MBAM is best run with Windows running normally (not in Safe Mode).

Run the following on-line scan to clean up any remnants.
ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Note 1: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.

NOTE 2: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE 3: In some instances if no malware is found, there will be no log produced.

Please post the Eset log and let us know how the computer is running now. Any signs of malware? Are you able to access the internet? Do you see any re-direction when clicking on Google search links?

Edited by AustrAlien, 18 December 2010 - 12:55 AM.


#13 agilulf


Posted 18 December 2010 - 08:42 AM

I did also run Malwarebytes in normal mode with yesterday's update... and it found 8 more infections, and then I ran another scan in normal mode and it found the PC to be clean. I am just now going to try hooking up the PC to the internet and will run the ESET scanner.

#14 agilulf


Posted 18 December 2010 - 03:45 PM

All ESET found was 2 zip files infected with WinBagle32 that were already in quarantine by Spybot Search and Destroy; they were my web search folders.

I think the PC is cleaned up; it seems to be acting more normal. I will post the log in a minute.



