Concentus asked:
Can't Boot Virus Infected PC

I am trying to recover a computer running XP Pro that is infected with virus(es). When booting in normal mode I get a black screen with a mouse pointer, and when trying to boot in safe mode I get a blue screen that says to check for viruses. I've connected the drive via USB as an external drive and scanned with Trend Micro and MalwareBytes Anti-Malware, but with no success. Infected files were found and removed, but I still can't boot. I appreciate any help with recovering this PC without having to reinstall the OS.
MagicFarmer:

Try running an anti-rootkit first -- download from a clean computer: http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

After running the anti-rootkit (it will pre-load in DOS), boot into safe mode and run full MBytes scans and Trend scans.

Let us know of your progress.
akahan:
Your situation is exactly what the free F-Secure boot CD is supposed to help with:

http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/rescue-cd/index.html

Concentus (asker):

MagicFarmer, akahan,

Thank you for your responses. I will try these ASAP and let you know how it turns out. I have spent hours and hours on this, with several programs and several boot-from-CD tools. I tried an F-Secure boot CD and got a strange message when it loaded saying that my monitor frequency was out of range(?). I'm not sure what that meant, except it seemed that maybe it didn't have a driver to work with my monitor. I'll try to recreate the F-Secure CD from the link you gave me.

I also tried UBCD4Win but couldn't get it to read the hard drive. I figured it might be the driver for the hard drive, so I placed the image of the existing hard drive onto a different HDD made by a different manufacturer, and it still didn't recognize the hard drive. It may be that I don't quite understand the driver/manufacturer/mainboard relationship.
If you had a copy of ERD Commander it may recognise the hard drive to perform a System Restore.
Give the Sophos rootkit tool a try (Kaspersky also makes a good one) -- I have had boot sector problems that crashed my F-Secure program and was forced to find other alternatives.
Thanks for all the suggestions. I tried these things and this is what I have now:

I booted with ERD Commander 2008(?) and saw some programs in Autorun that were virus files, and I deleted them from Autorun. I ran the Sophos Anti-Rootkit and it found these same files hidden, and I had it delete them. I ran F-Secure and it did not find any more viruses. When I try to boot I get a black screen with a large white mouse pointer and nothing else.

The good news(?) is that it doesn't blue screen when I try to boot in Safe Mode, but I only get a black screen and a large mouse pointer, and it says "Safe Mode" in the corners of the screen.

I'm wondering if, at this point, the virus(es) are not really affecting the PC but OS files are damaged. I tried placing an (XP) installation CD into the drive to see if I could perform a system repair. It didn't give me an opportunity to "repair" the OS - I thought I had done that before on a different PC. Instead it opened up a command line window and asked me which partition to log in to as admin. I selected the bad partition and ran fixmbr and tried booting from the bad partition again. I still get the same results.
ASKER CERTIFIED SOLUTION
akahan:
This solution is only available to members.
Thanks akahan,

I will try that today as soon as I can get to the PC.
Thanks again for the suggestions. Last night I went into Setup and selected Repair. After it ran completely, I rebooted and an icon appears for logging into the administrative account. When I click on it, it says "Loading ... settings..." for about half a second, then "Saving ... Settings ..." for about half a second. Then it just shows the login for the administrative account as if I didn't click anything. It won't let us log in. It doesn't show the original profile either - just the admin account. I definitely selected the R option and it was saying that it was upgrading, but it looks like it tried to create a new installation. I tried rebooting and clicking on the icon several times.

I'm wondering if, when I tried to fix the mbr, it lost the pointer to the FAT or something(?).
Try and boot into Safe Mode or Safe Mode with Networking and (re)install Internet Explorer 8. May fix that issue:
http://www.microsoft.com/windows/internet-explorer/worldwide-sites.aspx
Optoma,

Thanks for the suggestion; I'm not able to log in with Safe Mode either, though.
Will it log into Safe Mode with Command Prompt? Forgot to mention that one!
I tried to log in with Command Prompt. It still displayed the login screen and behaved the same way. Thanks for the idea, anyway. When I first started working on the computer it was infected with viruses and wouldn't boot. I backed it up with Acronis True Image before I did anything else. So yesterday I put a spare hard drive into the PC and restored the image to that so I could retry.

My plan is to try to do the system Repair as akahan explained again before anything else. Then do these as needed:
1. The Sophos rootkit fix
2. Try the system repair again
3. Scan with Trend Micro and MalwareBytes Anti-malware
4. Try the system repair again
5. I'm not sure what to do next...

If anyone has any other suggestions, especially for something that would be more effective, it would be greatly appreciated. It's very inconvenient for the owner of this PC to hunt down all the disks and product keys for their installations.
Good idea having an image before any removal.
You could quickly try using UBCD4Win to see if you can System Restore the image.
melojazz:

Try this:

1. Boot up your computer with the Windows CD.
2. When the Windows XP Setup screen appears, press R to enter the Recovery Console.
3. When asked which Windows installation to choose, press 1 (I assume you only have one installation).
4. Enter the admin password.
5. Type bootcfg /rebuild
5.1 bootcfg will now scan your HDD for Windows installations.
6. When asked "Add installation to boot list?", press Y.
7. Next, enter a load identifier; type Windows XP or something similar.
8. When asked to enter OS load options, type /Fastdetect
8.1 The /fastdetect switch is used often for security reasons.
9. All done; reboot and now it should work.
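The boot.ini that bootcfg /rebuild writes from those answers can be sanity-checked before rebooting. The following is an added example, not code from the thread: it parses a constructed boot.ini of that shape and flags the inconsistencies that most often leave a rebuilt entry unbootable (a default= that matches no listed installation, a malformed ARC path, a switch it does not recognise). KNOWN_SWITCHES is a hypothetical allow-list, not the full set NTLDR accepts.

```python
"""Parse and sanity-check a Windows XP boot.ini (added example, not from the thread)."""
import re

# ARC path as written by bootcfg: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
ARC_RE = re.compile(
    r"^multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\[^\s=]+$", re.IGNORECASE
)

# Hypothetical allow-list of load options; extend for your environment.
KNOWN_SWITCHES = {
    "/fastdetect", "/noexecute", "/execute", "/safeboot", "/sos",
    "/bootlog", "/noguiboot", "/basevideo", "/3gb", "/pae",
}

# Constructed sample matching the thread's answers (identifier "Windows XP", /fastdetect).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP" /fastdetect
"""


def parse_boot_ini(text):
    """Return {section_name: [(key, value), ...]}; raises ValueError on stray lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")  # the ARC path never contains '='
        sections[current].append((key.strip(), value.strip()))
    return sections


def check_boot_ini(text):
    """Return a list of human-readable problems; an empty list means it looks consistent."""
    problems = []
    try:
        sections = parse_boot_ini(text)
    except ValueError as exc:
        return [str(exc)]

    loader = dict(sections.get("boot loader", []))
    systems = sections.get("operating systems", [])
    if "default" not in loader:
        problems.append("[boot loader] has no default= entry")
    if not systems:
        problems.append("[operating systems] lists no installations")

    entries = {}
    for arc, rhs in systems:
        if not ARC_RE.match(arc):
            problems.append(f"malformed ARC path: {arc}")
        match = re.match(r'^"([^"]*)"\s*(.*)$', rhs)
        if not match:
            problems.append(f"entry {arc} lacks a quoted load identifier")
            continue
        label, switches = match.group(1), match.group(2).split()
        for switch in switches:
            if switch.split("=")[0].lower() not in KNOWN_SWITCHES:
                problems.append(f"unknown switch {switch} on {arc}")
        entries[arc.lower()] = (label, switches)

    # The failure mode after fixmbr/bootcfg: default= points at an entry that is not listed.
    default = loader.get("default", "")
    if default and default.lower() not in entries:
        problems.append(f"default={default} does not match any [operating systems] entry")
    return problems


if __name__ == "__main__":
    print(check_boot_ini(SAMPLE_BOOT_INI) or "boot.ini looks consistent")
```

Run it against the boot.ini copied off the repaired drive; a non-empty list is worth fixing with bootcfg before another reboot.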
Thank you, optoma,  melojazz,  I will give  these a try...
Thanks for  all the  suggestions. I've tried everything so  far. I ended  up having  to restore to another  hard drive. I think one of  my spare hard drives was bad because  I  had a lot of corrupt files. So now, after running a boot fix  and registry fix from UBCD4Win  I get a black screen in safe mode with  safe mode written in each corner. I tried bootcfg  /rebuild    again  and  I  get this error:

Failed to successfully scan disks or windows installations. This error may be caused by a corrupt file system, which would prevent Bootcfg from successfully scanning. Use chkdsk to detect any disk errors.

When I run chkdsk I get: The volume appears to be in good condition and was not checked. Use /p if you want to check the volume anyway.

I ran chkdsk /r and I got "fixed one or more errors". I rebooted and tried bootcfg /rebuild again and it still gets the same error.

One thing I noticed that I might be doing wrong is I have three Windows installations to choose from:
1. c:\miniNT
2. c:\i386
3. D:\Windows

I selected 3 because I think the other 2 are on the recovery partition.
Thanks for all the help with this. I finally recovered this PC and I'd like to outline the resolution to help someone else with a similar situation:

The PC was running XP Pro and had approximately 200 virus-infected files. When we tried to boot, we appeared to get only a blank screen with a large cursor. We later found that if we waited an hour or so, it would actually boot, but we couldn't log in and it was so slow that it was virtually nonfunctional.

After trying several things this is the process that developed:
We connected the hard drive externally to a PC via USB and scanned it with MalwareBytes Anti-Malware and Trend Micro, removing several infected files. We reinstalled the hard drive and repaired the OS as suggested by akahan.

After that we could boot but not log in. When we tried to log in it would immediately log us back out. We, then, replaced the userinit.exe file in c:\windows\system32\ with a good copy from the installation CD by booting from the installation CD and going into the recovery console. Then, we could log in.

To complete the repair, we installed and scanned with MalwareBytes Anti-Malware and Trend Micro, then updated the service packs. We checked out all the applications and they appear to be working fine. I suspect that somewhere down the line something might not work quite right, because the viruses may have corrupted some files used by an application. But for the user's purposes, they shouldn't have any significant problems.
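The login-then-immediate-logout symptom that the userinit.exe swap cured is worth checking for before booting at all, while the drive is still attached externally as the thread did via USB. The following is an added example, not the thread's procedure: it hashes the three binaries in the XP logon chain (userinit.exe, winlogon.exe, explorer.exe) on an offline Windows directory and compares each with the Windows File Protection copy kept under system32\dllcache, or with a caller-supplied known-good hash when one is available. The sample tree it builds is constructed in a temporary directory with placeholder bytes, not real binaries. A dllcache match only proves the two copies agree, not that either is clean, since malware can overwrite both; a hash taken from a clean installation is the stronger reference.

```python
"""Offline integrity check of the XP logon chain (added example, not from the thread)."""
import hashlib
import os
import tempfile

# Logon-chain binaries as paths relative to the Windows directory. WFP keeps a
# reference copy of each, keyed by file name, under system32\dllcache.
LOGON_CHAIN = {
    "userinit.exe": os.path.join("system32", "userinit.exe"),
    "winlogon.exe": os.path.join("system32", "winlogon.exe"),
    "explorer.exe": "explorer.exe",  # lives in %windir%, not system32
}


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_logon_chain(windows_dir, known_good=None):
    """Return {name: status} with status in {"ok", "mismatch", "missing", "no-reference"}.

    known_good is an optional {name: sha256hex} of hashes you trust (e.g. from a
    clean install); names present in it are judged against that instead of dllcache.
    """
    known_good = known_good or {}
    cache_dir = os.path.join(windows_dir, "system32", "dllcache")
    results = {}
    for name, rel in LOGON_CHAIN.items():
        live = os.path.join(windows_dir, rel)
        if not os.path.isfile(live):
            results[name] = "missing"  # e.g. a deleted userinit.exe: logon loops back out
            continue
        live_hash = sha256_of(live)
        if name in known_good:
            results[name] = "ok" if live_hash == known_good[name].lower() else "mismatch"
            continue
        ref = os.path.join(cache_dir, name)
        if not os.path.isfile(ref):
            results[name] = "no-reference"  # nothing to compare against; get a clean copy
        elif live_hash == sha256_of(ref):
            results[name] = "ok"
        else:
            results[name] = "mismatch"  # replaced or patched relative to the WFP copy
    return results


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed sample tree: winlogon.exe matches its dllcache copy, userinit.exe
    has been replaced with different bytes, explorer.exe is missing from %windir%."""
    root = tempfile.mkdtemp(prefix="xp-offline-")
    windows = os.path.join(root, "WINDOWS")
    cache = os.path.join(windows, "system32", "dllcache")
    _write(os.path.join(windows, "system32", "winlogon.exe"), b"MZ-winlogon-clean")
    _write(os.path.join(cache, "winlogon.exe"), b"MZ-winlogon-clean")
    _write(os.path.join(windows, "system32", "userinit.exe"), b"MZ-userinit-replaced")
    _write(os.path.join(cache, "userinit.exe"), b"MZ-userinit-clean")
    _write(os.path.join(cache, "explorer.exe"), b"MZ-explorer-clean")
    return check_logon_chain(windows)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14} {status}")
```

Point check_logon_chain at the mounted drive's Windows directory (for a USB-attached disk on a Windows host, something like E:\WINDOWS). A "mismatch" or "missing" on userinit.exe is the case the thread hit; the fix it used, restoring the file from the installation CD through the Recovery Console, is the expand command on the compressed i386\userinit.ex_ into system32.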