W7 rootkit removal left pc unable to reboot



#1 b.groves


Posted 03 March 2014 - 02:44 PM

Techs:

I have struggled on this for 2 days.   I had a Dell Precision T1600 W7 desktop that got infected with the Rootkit.Boot.Harbinger.a virus. User does not want to format and reinstall apps. 

I booted from a Kaspersky Rescue CD and ran a scan which reported the virus and flagged the file C:\windows\system32\rpcss.dll as part of the problem.  I continued the default options thru the Kaspersky cleanup and rebooted.  The Windows splash screen comes up and the  pc hangs on the black screen with the Cursor in the middle of the screen.  The mouse does move the cursor. 

I have the W7 Install dvd available.

Here is what I have done to correct the issue:

1. Boot from W7 install cd. 

2. Open Command Prompt at x:\sources and run: net start trustedinstaller

3. sfc /scannow /offbootdir=d:\ /offwindir=d:\windows. This runs for a while and then comes back with the error "Windows Resource Protection could not perform the requested operation". Still no W7 boot up.

4. Boot from W7 CD.  No System Image Recovery files found.

5. Boot from W7 CD.  Run StartUp Repair tool.  It says that it does not find any problems. 

6. Boot from W7 CD.  Run System Restore tool.  There are several older images.  None that are prior to Rootkit infection.  I believe that Kaspersky deleted all the rpcss.dll it found and corrupted all the Restore Images.

7. bootrec /FixMbr and bootrec /FixBoot ran. Still no W7 boot up.

 

Booted from the Kaspersky Rescue CD and added explorer.exe to HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ and also copied it to the Startup folder. I saw somewhere that if explorer.exe got loaded, the PC would finish booting?

 

I can't get W7 up so, I can't do an Upgrade install. 

 

What would you try?

Thanks,

Brian

 

#2 OldPhil


Posted 03 March 2014 - 02:52 PM

Have you tried Safe Mode? With networking?


Honesty & Integrity Above All!


#3 hamluis


Posted 03 March 2014 - 03:31 PM

Repair Install Win 7

 

Louis



#4 b.groves


Posted 03 March 2014 - 04:37 PM

Safe Mode, Safe Mode with Networking and Safe Mode with Command Prompt all end up with the same black screen with cursor hang.

 

As I read the page for the W7 repair install, it says "You can only do a repair install from within Windows 7." I can't get Windows 7 up. I did ignore that, booted from the W7 CD and tried the install, but it stops me and says to reboot and run setup.exe from the CD.

Thanks,

Brian



#5 OldPhil


Posted 03 March 2014 - 05:37 PM

Try what I had to do just a few minutes ago when I had a lock-up. Shut the machine down by switching off the PSU or pulling the power cord. Plug it back in and start it; with luck it will go to the automated repair screen. It got my tower to do a clean boot; hopefully it will work on your end!

 

Phil




#6 JohnC_21


Posted 03 March 2014 - 06:34 PM

Kaspersky may have deleted the virus but left something in the registry that keeps the computer from booting. Using the Kaspersky registry editor look at the following keys for anything that is suspicious.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Under the Winlogon key make sure you have the following:

Userinit   REG_SZ   C:\Windows\system32\userinit.exe,
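One way to carry out the check JohnC_21 describes, as an added example that is not from this thread or from Kaspersky: a read-only PowerShell script for a working Windows machine with the non-booting disk attached as a data drive (assumed here to be F:\, the letter used later in the thread), run from an elevated prompt. It loads the offline SOFTWARE hive and each profile's NTUSER.DAT, compares the Winlogon Userinit and Shell values with the stock Windows 7 values, and lists every Run entry together with whether its target file actually exists on the offline disk. The drive letter, the temporary hive names and the expected values are assumptions; an entry it marks CHECK is something to look at by hand, not proof of infection, and the script changes nothing.

```powershell
# Added example (not from the thread): audit Winlogon and Run keys of an OFFLINE
# Windows installation. Assumes the old system drive is attached as F:\ and that
# this runs elevated (reg.exe load needs it). Read-only: it only reports.
param([string]$OfflineRoot = 'F:')          # assumption: old system drive letter

$expectedUserinit = 'C:\Windows\system32\userinit.exe,'   # stock Win7 value, trailing comma included
$expectedShell    = 'explorer.exe'

function Test-OfflineFile {
    # Map a path the offline system saw as C:\... to where it lives now (F:\...)
    # and report whether that file is really present on the offline disk.
    param([string]$Value)
    $exe = ($Value -replace '^"([^"]+)".*', '$1') -replace '^([^\s]+\.exe).*', '$1'
    if ($exe -notmatch '^[A-Za-z]:') {        # bare name: Windows would look in System32
        $exe = Join-Path $OfflineRoot "Windows\System32\$exe"
    }
    $mapped = $exe -replace '^[A-Za-z]:', $OfflineRoot
    return (Test-Path -LiteralPath $mapped)
}

function Get-RunEntries {
    # Every value under a Run key, with a FileExists flag for quick triage.
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $props = Get-ItemProperty -LiteralPath $KeyPath
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }   # PSPath, PSParentPath etc. are provider noise
        $value = $props.$name
        [pscustomobject]@{
            Key        = $KeyPath
            Name       = $name
            Value      = $value
            FileExists = (Test-OfflineFile $value)
        }
    }
}

$loaded = @()
try {
    # 1. Mount the offline SOFTWARE hive under a temporary key name.
    $swHive = Join-Path $OfflineRoot 'Windows\System32\config\SOFTWARE'
    & reg.exe load 'HKLM\OffSW' $swHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not load $swHive" }
    $loaded += 'HKLM\OffSW'
    $swBase = 'Registry::HKEY_LOCAL_MACHINE\OffSW\Microsoft\Windows'

    # 2. Winlogon: Userinit and Shell must be the stock values. An extra path
    #    appended to Userinit, or a missing/changed Shell, leaves the desktop
    #    never starting, which is exactly a black screen with a movable cursor.
    $wl = Get-ItemProperty -LiteralPath "Registry::HKEY_LOCAL_MACHINE\OffSW\Microsoft\Windows NT\CurrentVersion\Winlogon"
    foreach ($pair in @(@('Userinit', $expectedUserinit), @('Shell', $expectedShell))) {
        $name, $expected = $pair
        $actual = $wl.$name
        $status = if ($actual -eq $expected) { 'OK' } else { 'CHECK' }
        "{0,-6} Winlogon\{1} = '{2}' (expected '{3}')" -f $status, $name, $actual, $expected
    }

    # 3. HKLM Run entries from the offline SOFTWARE hive.
    Get-RunEntries "$swBase\CurrentVersion\Run" | Format-Table -AutoSize | Out-String

    # 4. HKCU Run entries: one NTUSER.DAT per profile under F:\Users.
    $ntuser = Get-ChildItem (Join-Path $OfflineRoot 'Users\*\NTUSER.DAT') -Force -ErrorAction SilentlyContinue
    foreach ($hive in $ntuser) {
        $user  = Split-Path (Split-Path $hive.FullName) -Leaf
        $mount = "HKU\Off_$user"
        & reg.exe load $mount $hive.FullName 2>$null | Out-Null
        if ($LASTEXITCODE -ne 0) { "skip $user (hive locked or unreadable)"; continue }
        $loaded += $mount
        "--- Run entries for profile '$user' ---"
        Get-RunEntries "Registry::HKEY_USERS\Off_$user\Software\Microsoft\Windows\CurrentVersion\Run" |
            Format-Table -AutoSize | Out-String
    }
}
finally {
    # Release PowerShell's handles so reg.exe can unload the hives cleanly.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    foreach ($m in $loaded) { & reg.exe unload $m | Out-Null }
}
```

Usage: `.\Audit-OfflineAutostart.ps1 -OfflineRoot 'F:'` from an elevated PowerShell. Entries whose FileExists is False are worth noting either way: a Run value pointing at a file the cleanup removed is harmless clutter, but a Userinit or Shell value whose target no longer exists is enough on its own to stop the logon from ever reaching the desktop.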



#7 b.groves


Posted 03 March 2014 - 10:56 PM

Contributors:

I had to make a call this afternoon, so I went and got a new HD. Reloaded W7. Reinstalled drivers. Remounted the old HD as F:\. Still copying files.

Thank you for the advice and I apologize that this one may remain a mystery.
