Can't boot in safe mode and can't complete a system restore


  • This topic is locked
51 replies to this topic

#1 cmrisner

cmrisner

  • Members
  • 94 posts
  • OFFLINE
  •  
  • Local time:12:35 PM

Posted 08 March 2011 - 04:21 PM

Hello,

A friend of mine gave me her computer saying that she can't log on to Windows. I suspected a virus so I downloaded Malwarebytes onto a USB drive in order to run it on her laptop. Unfortunately, I have not yet been able to boot Windows in either normal or safe mode. In both boot-up processes the computer hangs just before Windows gets to the welcome screen. The screen is dark but the mouse cursor appears and can be moved, but Windows does not boot past here.

I also tried the 'repair your computer' option from the F8 menu. I tried a system restore with 3 different restore points and none worked. I also tried the startup check option and it said there were no problems with Windows startup. I've also tried the 'last known good configuration option' from the F8 menu but that didn't work either.

Interestingly, when I tried the 'repair your computer' option the administrator account was disabled, but I was able to log in under another account with admin privileges.

I'm not sure if the laptop has a virus, but it seems likely. I'm also not sure how to get into safe mode. I've learned a lot from this forum about removing viruses/malware, and I have cleansed many computers from what I have learned, but I'm stuck here. Can anyone help?

I don't know the full specs for the laptop, but these are the base specs I got when I googled it:

HP Pavilion dv2415nr running Vista (service pack unknown)
1.8 GHz AMD Turion64 Dual Core
1GB RAM
160 GB HD

I'm also not sure if there was any anti-virus protection.

Thanks
Chad



#2 Allan

Allan

  • BC Advisor
  • 8,673 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:03:35 PM

Posted 08 March 2011 - 04:24 PM

Why do you suspect a virus?

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,629 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:35 PM

Posted 08 March 2011 - 04:29 PM

Hello cmrisner,

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC, ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
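
An added example, not part of the original post and not the helper's own tooling: a first-pass check of the 512-byte mbr.bin that the dd command above produces. It validates the boot signature and partition table and hashes the bootstrap code so it can be compared with a known-good copy; the function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR dump into boot code hash, partitions and warnings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions, warnings = [], []
    for slot in range(4):
        entry = sector[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80):
            warnings.append(f"slot {slot}: invalid status byte {status:#04x}")
        if ptype != 0x00:  # type 0 marks an unused slot
            partitions.append({"slot": slot, "active": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    if sector[510:512] != BOOT_SIGNATURE:
        warnings.append("missing 0x55AA boot signature")
    # A BIOS boot disk normally has exactly one entry marked active.
    if sum(p["active"] for p in partitions) != 1:
        warnings.append("expected exactly one active partition")
    return {
        # Hash only the bootstrap code (bytes 0-439): it does not depend on the
        # disk layout, so it can be compared against a known-good copy.
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "partitions": partitions,
        "warnings": warnings,
    }

def build_sample_mbr() -> bytes:
    """Constructed sample: empty boot code and one active NTFS (0x07) partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 312_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

if __name__ == "__main__":
    # On real data: parse_mbr(open("mbr.bin", "rb").read())
    print(parse_mbr(build_sample_mbr()))
```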

 



#4 cmrisner

Posted 08 March 2011 - 04:53 PM

I followed your suggested steps; however, I only get sda1 and sda2 when I expand the mnt folder. There are no other subfolders. I'm assuming these represent the HD. Suggestions?

#5 Elise

Posted 08 March 2011 - 04:54 PM

Yes, indeed. Try to unplug the USB drive once you are in xPUD and then plug it back in. Does it show under mnt now? (It can take a minute before it shows up.)

regards, Elise


#6 cmrisner

Posted 08 March 2011 - 05:10 PM

Here is the mbr file

Attached Files

  • Attached File  mbr.zip   554bytes   2 downloads


#7 Elise

Posted 10 March 2011 - 01:27 PM

Please boot in the Recovery Environment (F8 > Repair Windows).

Open a command prompt and type the following commands. Press enter after each line.

    c:
    bootrec /scanos


Let me know what comes back.

regards, Elise


#8 cmrisner

Posted 10 March 2011 - 02:35 PM

It said:

Successfully scanned Windows installations.
Total identified Windows installations: 0
The operation completed successfully.

#9 Elise

Posted 10 March 2011 - 02:43 PM

Before we continue, I'd like to know if you have a Windows 7 DVD at hand. We have to try some steps that could possibly lead to the F8 Repair option becoming inaccessible.

regards, Elise


#10 cmrisner

Posted 10 March 2011 - 02:47 PM

Unfortunately I don't. The OS on the laptop is Vista, but I don't have a disk of that either :(

#11 Elise

Posted 10 March 2011 - 02:59 PM

We can do it without the DVD too. In case the following does not work, we have a backup of BCD that we can place back using xPUD.

Please start the Recovery Environment and open a command prompt. Type the following lines in the given order and press enter after each line. If one command does not work, do not continue, instead post back here!

    bcdedit /export C:\BCD_Backup
    c:
    cd boot
    attrib bcd -s -h -r
    ren c:\boot\bcd bcd.old
    bootrec /RebuildBcd


Now reboot your computer and let me know what happens.

regards, Elise


#12 cmrisner

Posted 10 March 2011 - 03:27 PM

I tried the steps you suggested. After I entered the last line I was prompted whether I wanted to use this installation to boot from and I entered 'y' (assuming that was the correct choice). I rebooted the computer in both normal and safe modes; however, the results were the same as I indicated in my first post--hangs at a black screen with the mouse cursor and doesn't boot any further.

#13 Elise

Posted 10 March 2011 - 03:34 PM

Yes, that was the right choice, sorry, I should have made a note of that.
Do you still have the Repair Windows option in the F8 menu? If not, we'll restore the backup.

  • Download driver.sh to your USB drive
  • Remove the USB and insert it in the sick computer
  • Boot the sick computer with the xPUD CD.
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review

regards, Elise


#14 cmrisner

Posted 10 March 2011 - 04:01 PM

Here is the text file:

Sat Jan 4 00:24:44 UTC 2003
Driver report for /mnt/sda1/SwSetup/Inetsec/US/Suport64/SRTSP/SRTSPx64/System32/Drivers
/mnt/sda1/SwSetup/Inetsec/US/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtsp64.sys has NO Company Name!
/mnt/sda1/SwSetup/Inetsec/US/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtspl64.sys has NO Company Name!
/mnt/sda1/SwSetup/Inetsec/US/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtspx64.sys has NO Company Name!

e0af52a80fa12202bd6e91fd3d03005c /mnt/sda1/SwSetup/Inetsec/US/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtsp64.sys
Symantec Corporation

f29be5027b6fd3459fc7818d463b3dd8 /mnt/sda1/SwSetup/Inetsec/US/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtspl64.sys
Symantec Corporation

8d8f19162c6191a8829d0bbde659a20b /mnt/sda1/SwSetup/Inetsec/US/Suport64/SRTSP/SRTSPx64/System32/Drivers/srtspx64.sys
Symantec Corporation

Driver report for /mnt/sda1/SwSetup/Inetsec/US/Support/SRTSP/SRTSP/System32/Drivers
/mnt/sda1/SwSetup/Inetsec/US/Support/SRTSP/SRTSP/System32/Drivers/srtspl.sys has NO Company Name!
/mnt/sda1/SwSetup/Inetsec/US/Support/SRTSP/SRTSP/System32/Drivers/srtsp.sys has NO Company Name!
/mnt/sda1/SwSetup/Inetsec/US/Support/SRTSP/SRTSP/System32/Drivers/srtspx.sys has NO Company Name!

c70a2581e35e03c85f29aa1bc723659a /mnt/sda1/SwSetup/Inetsec/US/Support/SRTSP/SRTSP/System32/Drivers/srtspl.sys
Symantec Corporation

ed5e9f3bf11d0bb770f652b22ec26465 /mnt/sda1/SwSetup/Inetsec/US/Support/SRTSP/SRTSP/System32/Drivers/srtsp.sys
Symantec Corporation

05f2db228922e6b8a001ed83ee4d1153 /mnt/sda1/SwSetup/Inetsec/US/Support/SRTSP/SRTSP/System32/Drivers/srtspx.sys
Symantec Corporation

Driver report for /mnt/sda1/System Volume Information/SystemRestore/FRStaging/Windows/System32/drivers

ec839ba91e45cce6eadafc418fff8206 monitor.sys
Microsoft Corporation




#15 Elise

Posted 10 March 2011 - 04:27 PM

Can you verify that the following folder exists: /mnt/sda1/windows/system32/drivers?

It appears that the script does not see that folder.

regards, Elise
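
An added example, not part of the thread and not the code of driver.sh: one way to triage a report in the layout posted in #14, checking whether an expected directory was covered and whether a file flagged as having no company name is listed with one further down. The record layout (one record per line, company on the line after the hash) and the function names are assumptions.

```python
import re

HEADER = "Driver report for "
FLAG = " has NO Company Name!"
HASH_LINE = re.compile(r"^([0-9a-f]{32})\s+(.+)$")

# Excerpt of the report posted above, one record per line (layout assumed).
SAMPLE_REPORT = """\
Sat Jan 4 00:24:44 UTC 2003
Driver report for /mnt/sda1/SwSetup/Inetsec/US/Support/SRTSP/SRTSP/System32/Drivers
/mnt/sda1/SwSetup/Inetsec/US/Support/SRTSP/SRTSP/System32/Drivers/srtsp.sys has NO Company Name!

ed5e9f3bf11d0bb770f652b22ec26465 /mnt/sda1/SwSetup/Inetsec/US/Support/SRTSP/SRTSP/System32/Drivers/srtsp.sys
Symantec Corporation

Driver report for /mnt/sda1/System Volume Information/SystemRestore/FRStaging/Windows/System32/drivers

ec839ba91e45cce6eadafc418fff8206 monitor.sys
Microsoft Corporation
"""

def parse_report(text: str) -> dict:
    """Parse the report into scanned directories, flagged files and hash entries."""
    dirs, flagged, entries = [], [], []
    pending = None  # hash entry still waiting for its company line
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith(HEADER):
            dirs.append(line[len(HEADER):])
        elif line.endswith(FLAG):
            flagged.append(line[:-len(FLAG)])
        elif (m := HASH_LINE.match(line)):
            pending = {"md5": m.group(1), "path": m.group(2), "company": None}
            entries.append(pending)
        elif pending is not None and pending["company"] is None:
            pending["company"] = line
    return {"dirs": dirs, "flagged": flagged, "entries": entries}

def review(report: dict, expected_dir: str) -> dict:
    """Summarise what to check first; directory names are compared ignoring case."""
    scanned = {d.lower().rstrip("/") for d in report["dirs"]}
    named = {e["path"] for e in report["entries"] if e["company"]}
    return {
        "expected_dir_scanned": expected_dir.lower().rstrip("/") in scanned,
        # Flagged as having no company name, yet listed with one further down.
        "contradictory": sorted(p for p in report["flagged"] if p in named),
    }
```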




