
Can't boot after virus


  • This topic is locked
16 replies to this topic

#1 donnar

donnar

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Local time:11:24 PM

Posted 13 April 2011 - 02:01 PM

My friend has an HP desktop running Win XP Pro. Had one of the viruses that warns of an infection. The window kept popping up hiding anything I tried to do. With msconfig window, I could see that the process causing the popup was btf.exe, but could not keep it closed long enough to perform any scans. Actually, anytime I clicked on any antivirus, the window popped back up. This happened in regular boot AND in Safe Mode.

I finally booted with an Anti-Vir boot disk, ran the scans and fixed several things. Now the computer will only boot to an Administrator login screen. There is no box to type in and there is no mouse action or cursor of any kind. I get this at normal startup and at Safe Mode start up. I have also run chkdsk and fixmbr. No change. If I try to start up safe mode with command prompt, it lets me and I type in the information to do a system restore, but I get a message that system restore is unable to help me at this time.

I removed the hard drive and connected it via USB to another computer and ran Spybot, Malwarebytes and AVG antivirus. Cleared up some more files, but when I reinstall the hard drive, it once again goes to the Administrator logon window with no cursor. I tried just hitting Enter, I get a message it is loading my settings, then flashes back to the Administrator logon window.

BTW, this all means that there is no way that I can run HiJack or any kind of software to supply a logfile, yet. I'm just trying to figure out how to boot up the computer!

Any ideas?



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:24 AM

Posted 17 April 2011 - 10:44 AM

Try this please. You will need a USB drive.

  • Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
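
An added example, not part of the original posts and not the helper's own tooling: a Python check of a 512-byte dump such as the mbr.bin produced by the dd command above. It validates the 55 AA boot signature, decodes the four partition entries and hashes the 440-byte boot-code area so it can be compared with a hash you already trust; the function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR, BOOT_CODE_LEN, TABLE_OFFSET = 512, 440, 446

def parse_mbr(data, known_good=()):
    """Parse a 512-byte MBR dump; known_good is an optional set of trusted boot-code SHA-256s."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    warnings, parts = [], []
    if data[510:512] != b"\x55\xaa":
        warnings.append("boot signature 55 AA missing")
    boot_code = data[:BOOT_CODE_LEN]
    if not any(boot_code):
        warnings.append("boot code area is empty")
    digest = hashlib.sha256(boot_code).hexdigest()
    if known_good and digest not in known_good:
        warnings.append("boot code does not match any known-good hash")
    for i in range(4):
        entry = data[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        # status byte, 3 CHS bytes skipped, type byte, 3 CHS bytes skipped, LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:          # unused slot
            continue
        if status not in (0x00, 0x80):
            warnings.append(f"entry {i + 1}: invalid status byte {status:#04x}")
        if lba == 0 or count == 0:
            warnings.append(f"entry {i + 1}: zero start or length")
        parts.append({"slot": i + 1, "active": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": count})
    active = sum(p["active"] for p in parts)
    if active != 1:
        warnings.append(f"{active} active partitions (a BIOS boot disk normally has exactly one)")
    return {"boot_code_sha256": digest,
            "disk_signature": struct.unpack_from("<I", data, 440)[0],
            "partitions": parts, "warnings": warnings}

def build_sample_mbr():
    """Constructed sample: placeholder boot code, one active NTFS (0x07) partition."""
    mbr = bytearray(SECTOR)
    mbr[:3] = b"\xfa\x33\xc0"                      # placeholder bytes, not real boot code
    struct.pack_into("<I", mbr, 440, 0x1234ABCD)   # made-up disk signature
    struct.pack_into("<B3xB3xII", mbr, TABLE_OFFSET, 0x80, 0x07, 63, 20480000)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    for key, value in parse_mbr(raw).items():
        print(key, "=", value)
```

Run it with the path to mbr.bin as the only argument; with no argument it parses the constructed sample.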


#3 donnar

Posted 17 April 2011 - 01:05 PM

Thanks for taking the time to respond. I am attaching the file you requested, but you probably need to know that I booted with UBCD4Win and attempted to repair the MBR, so that might make a difference in what you see.

Am still unable to get into the computer. Any of the Safe Modes produces the same result...welcome, then the Administrator logon screen with NO box to type password and NO cursor. Pressing Enter key, the computer says it is loading settings, then flashes and returns to the Administrator logon with no space for text entry and no cursor. A regular boot gives the same results.

Here is the zipped .bin file you requested.

Attached Files



#4 Elise

Posted 17 April 2011 - 01:11 PM

Hi again,

  • Download driver.sh to your USB drive
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • Type userinit.exe and press enter.
  • After it has finished a report will be located on your USB drive named filefind.txt
  • Remove the USB drive and insert it back in your working computer and navigate to filefind.txt

    Please note - all text entries are case sensitive

Copy and paste the filefind.txt for my review

regards, Elise




#5 donnar

Posted 17 April 2011 - 01:40 PM

Okay, here's the file content:

Search results for userinit.exe

a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda1/WINDOWS/ServicePackFiles/i386/userinit.exe
25.5K Apr 14 2008

39b1ffb03c2296323832acbae50d2aff /mnt/sda1/WINDOWS/$NtServicePackUninstall$/userinit.exe
24.0K Aug 4 2004

#6 Elise

Posted 17 April 2011 - 01:46 PM

Looks like your userinit.exe file is missing.
Using xPUD, navigate to the following file: /mnt/sda1/WINDOWS/ServicePackFiles/i386/userinit.exe <-- right click this file and select Copy.

Now navigate to /mnt/sda1/windows/system32, right click in this folder in an empty space and select Paste.

Now the Userinit.exe file should be pasted in the System32 folder. Restart the computer normally and let me know how things are.

regards, Elise


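
The diagnosis and copy-back step above (copies of userinit.exe in the service-pack folders, none in system32), as an added Python example that is not from the thread and is not the contents of driver.sh. The directory tree is a constructed stand-in for /mnt/sda1, and names are matched case-insensitively because text entered under xPUD is case sensitive; MD5 is used only to mirror the report format and to confirm the copy matches its source.

```python
import hashlib
import os
import shutil
import tempfile

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_copies(root, name):
    """Return [(md5, size, path)] for every file called `name` (any case) under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():
                p = os.path.join(dirpath, f)
                hits.append((md5_of(p), os.path.getsize(p), p))
    return sorted(hits, key=lambda h: h[2])

def in_system32(root, hits):
    """True if a hit sits in <root>/WINDOWS/system32, compared case-insensitively."""
    want = os.path.join(root, "windows", "system32").lower()
    return any(os.path.dirname(p).lower() == want for _m, _s, p in hits)

def restore(src, dest_dir):
    """Copy src into dest_dir and confirm the copy hashes the same as the source."""
    dest = shutil.copy2(src, dest_dir)
    if md5_of(dest) != md5_of(src):
        raise IOError("copy does not match source")
    return dest

def build_sample_volume():
    """Constructed stand-in for /mnt/sda1 with the layout from the report."""
    root = tempfile.mkdtemp()
    for sub, body in (("WINDOWS/ServicePackFiles/i386", b"sp3 build"),
                      ("WINDOWS/$NtServicePackUninstall$", b"sp2 build")):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "userinit.exe"), "wb") as fh:
            fh.write(body)
    os.makedirs(os.path.join(root, "WINDOWS/system32"))
    return root

if __name__ == "__main__":
    vol = build_sample_volume()
    found = find_copies(vol, "userinit.exe")
    print(found, "present in system32:", in_system32(vol, found))
```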


#7 donnar

Posted 17 April 2011 - 02:01 PM

You are awesome! I am back in business. Do you think I can assume this was a result of a virus (I've removed several from this machine) or did I do something in all the various removals that might have caused this? I've cleared many computers of malware, spyware and viruses but never had this result.

Thanks for getting me up and running. I'm going to do some more scans and updates and check things out very carefully.

I really appreciate your help.

dr

#8 Elise

Posted 17 April 2011 - 02:08 PM

Sometimes this file is involved in an infection and certain tools might erroneously include this file for removal. Windows can not start without this file, so this file should never be removed by any tool, only replaced if necessary.

Let me know if you need any other help. :)

regards, Elise




#9 donnar

Posted 17 April 2011 - 02:24 PM

Might have gotten excited too soon. I have no cursor or mouse action. I've tried the USB mouse I have used before on this computer and also shut down and plugged in a standard old PS/2 mouse. Neither works. In standard or in safe boot. In safe mode, I was able to use the Windows key on the keyboard to move around some, but there is evidence that I'm also now suffering from that aftermath of a virus where I've lost the ability to run .exe files.

I've read some about that and I know there's a way to fix that. Can that be corrected with your "magic" xPUD CD?

dr

#10 Elise

Posted 17 April 2011 - 03:03 PM

Can you bring up the Run box by pressing Windows key + R?
If not try Ctrl + Alt + Del to bring up the task manager, press Alt, press Down Cursor, highlight New Task and press enter.

Type devmgmt.msc and press enter.

Highlight Mice and other Pointing Devices (to change windows, press Tab). Press right cursor to expand the category and see if your mouse is showing up there. You can push the button that is located to the left of the right Control key on your keyboard to bring up the context (right click) menu. Select Update Driver.

Let me know if that makes any difference.

regards, Elise




#11 donnar

Posted 17 April 2011 - 03:15 PM

I can bring up the Run box, but when I type devmgmt.msc the window that opens is totally empty. I attempted this in regular mode and in safe mode.

#12 Elise

Posted 17 April 2011 - 03:30 PM

Sounds like there is more wrong than only one missing file. Do you have an XP CD at hand?

Try executing sfc /scannow from the Run box and let me know if that fixes anything.

regards, Elise




#13 donnar

Posted 17 April 2011 - 03:41 PM

Yes, there appear to be many issues here. Attempting to run sfc /scannow gives me a message that (since sfc is an executable) I must choose the program I want to use to run it. I need to re-establish the association for .exe files. I think that has to be done through regedit, but I'm not sure how to do that...and not sure if it will even run.

#14 Elise

Posted 17 April 2011 - 03:49 PM

Download fixexe.reg and run it. That should fix the .exe file associations.

When plugging in your flash drive, if it doesn't open automatically, type the path in the Run box (for example: e:\fixexe.reg).

regards, Elise




#15 donnar

Posted 17 April 2011 - 05:25 PM

I was able to get the .exe files working. Still no mouse action. I'm running sfc for the second time. Although the computer recognizes my Windows XP CD, as sfc runs and asks for files, it keeps popping up to retry as if it doesn't recognize the files. Not sure what to think about that.



