Solved

Dell Inspiron N7110 infected with too many viruses. Windows 7 HP

Posted on 2012-09-14
Last Modified: 2016-11-23
I have a laptop here that has been infected with an almost record amount of viruses I've ever seen on one computer, to the point to where when you turn on the computer you just get a blinking cursor. I've removed the hard drive and I've used MSSE to remove all it found. I've tried to boot to a backup registry I found on the computer. Nothing works.

I simply deleted the OS partition and left the recovery partition on there (since using the repair option doesn't seem to work).

Now when I turn on the computer it says Windows is loading files like you would normally see when booting to the recovery partition, but it keeps cycling over and over back to the Dell logo then the recovery partition, as if something might have corrupted the recovery partition too.


What would you guys do from here?

I'm starting to think I should go find my Dell Windows 7 install disk and say screw the recovery partition.
Question by:E J Pope
13 Comments
 
LVL 31

Expert Comment

by:Frosty555
ID: 38401020
If you've already deleted the OS partition, I would probably just re-install from scratch. There's no way to tell if the recovery partition has been compromised, or whether it relies on the original partition still existing to work. I've frequently had stupid issues with the manufacturer's "recovery" techniques.

Don't even use a Dell CD, just install a fresh OEM copy of Windows 7 Home Premium SP1 64-bit. Then install the drivers from Dell's website overtop of that. You can avoid some of the bloatware that way.

If you don't have an installation ISO for Windows 7 Home Premium SP1 64-bit OEM, I think you can actually find downloads for it on SoftPedia and a few other semi-legitimate places if you look around.
0
 
LVL 8

Expert Comment

by:Scott Thompson
ID: 38401078
Chances are that your MBR is infected, and this is most likely why you are having issues.  Slave the drive to a different computer and run a scan with TDSSKiller.
http://support.kaspersky.com/faq/?qid=208283363

Go ahead and recreate the partition while your hard drive is slaved, leaving the recovery partition intact.  Once you have removed the MBR infection, install the hard drive back into the computer and use a boot CD to boot to the recovery partition.  UBCD is a great bootable CD that will give you options to be able to boot to the recovery partition.
http://www.ultimatebootcd.com/download.html

I usually use the Smart Boot Manager and then from there choose Partition 1 off HDD 0.

Let me know if TDSSKiller finds anything.

Also, if you need further assistance in reloading from your recovery partition, don't hesitate to ask.
0
 

Author Comment

by:E J Pope
ID: 38409709
I thought an OEM CD (which I have a nice stock of) would not work with the Dell license key that comes with the computer?


I still have the recovery partition data.

It looks like I've removed the viruses but it still does this.


Perhaps there is a way to take the recovery data I've copied, and completely format the drive and copy the recovery data back to a recovery partition I make myself however Dell needs it? Anybody know how to do that?
0
 

Author Comment

by:E J Pope
ID: 38412485
I've used DISM to mount the base.wim 8GB file from the recovery partition and it loads what looks to be a "partition" of files of a fully installed drive of Windows 7. Any idea how I can copy those to the laptop's hard drive and mark it as the source to boot from?
0
 
LVL 8

Expert Comment

by:Scott Thompson
ID: 38412495
Download Windows AIK, or just imagex.exe.  Put it in the same file as the .wim and run the following command in the directory.

imagex.exe /apply Factory.wim 1 C:\

where factory.wim is your wim name and C:\ is the partition you want to extract the files.

The system will boot from that partition now.  If not, use UBCD to choose the partition to boot.
0
 

Author Comment

by:E J Pope
ID: 38412566
I'm using a workstation and accessing this hard drive I've removed from this laptop. When I use imagex.exe with that command, is it going to screw up my workstation? Or is it applying that to the disk in question?


What I don't get is there are a couple wim files in this recovery partition
\Dell\Image\Factory.WIM
\preload\Base.WIM

What's the difference? The factory.wim is slightly bigger.
0
 

Author Comment

by:E J Pope
ID: 38412607
I made a WinPE USB boot drive and booted to that. I also added the factory.wim to the c:\ of the laptop's hard drive, along with all the AIK tools including imagex.

I ran that command you said above and I get "Error opening file [c:\factory.wim]. The data is invalid" :( What now?
0
 
LVL 8

Assisted Solution

by:Scott Thompson
Scott Thompson earned 880 total points
ID: 38413806
Okay, it's probably because you were not in the directory that contains Factory.wim. Yes, whatever drive is C:\ is what you will be extracting the data to. So, you can slave it and save it to any partition. For example, you are in the E:\Dell\Image\ directory. Run the command

imagex.exe /apply factory.wim 1 F:\

where F: is the partition you want to copy to.  Make sure imagex.exe is also in that folder.
0
 

Author Comment

by:E J Pope
ID: 38413848
Ok now I have to figure out what sort of bcdedit command to use?
0
 
LVL 8

Expert Comment

by:Scott Thompson
ID: 38413996
You shouldn't have to run bcdedit.  The .wim contains and extracts a BCD file that should contain the correct information.  If it's not booting to that partition, either use a disc like UBCD to select the partition, or boot from a Vista/7 disc and it will generally fix the issue with Startup Repair.
0
 

Assisted Solution

by:E J Pope
E J Pope earned 0 total points
ID: 38419779
Yeah, you have to run Windows Startup Repair after extracting the wim file. The computer is fixed now off the factory.wim file. Wish I knew a command line to fix it without booting into a Windows 7 startup disk. I'm sure there is a command, maybe something like bootrec or such.

Anyone know?
0
 

Accepted Solution

by:E J Pope
E J Pope earned 0 total points
ID: 38551438
I actually solved this using bcdedit, then completely forgot how I did it and found another thread where a guy typed this:

bcdboot c:\windows /s c:
bootsect /nt60 C:

and I did that and it also works. :) I will close this now.
0
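
The steps this thread converged on (apply the factory image, rebuild the boot files, rewrite the boot code) can be run from WinPE as one script. This is an added example, not code from the thread or from Dell or Microsoft. The drive letters and the WIM path are assumptions, the disk is assumed to be BIOS/MBR with the target partition already formatted and marked active, and the `/mbr` switch is added here because an MBR infection was suspected earlier in the thread.

```batch
@echo off
rem Added example, not from the thread. Run from WinPE with imagex.exe,
rem bcdboot.exe and bootsect.exe (Windows AIK) on the PATH.
rem ASSUMPTIONS: R: is the recovery partition, C: is the empty, formatted,
rem active target partition. Confirm with "diskpart" then "list volume".
setlocal
set "WIM=R:\Dell\Image\Factory.wim"
set "TARGET=C:"

rem Stop early if the image or the target volume is not where we expect it.
if not exist "%WIM%" (echo Image not found: %WIM% & exit /b 1)
if not exist "%TARGET%\" (echo Target volume %TARGET% is not mounted & exit /b 1)

rem List the images inside the WIM so the index passed to /apply is a
rem deliberate choice; this also fails fast if imagex cannot read the file.
imagex /info "%WIM%" || (echo imagex could not read %WIM% & exit /b 1)

rem Extract image index 1 onto the target partition.
imagex /apply "%WIM%" 1 %TARGET%\ || (echo Apply failed & exit /b 1)

rem Recreate the boot files and BCD store on the target partition from the
rem Windows folder that was just applied.
bcdboot %TARGET%\Windows /s %TARGET% || (echo bcdboot failed & exit /b 1)

rem Write BOOTMGR-compatible boot code to the partition boot sector; /mbr
rem also rewrites the master boot record code on that disk, replacing
rem whatever boot code was there before.
bootsect /nt60 %TARGET% /mbr || (echo bootsect failed & exit /b 1)

echo Done. Remove the WinPE media and reboot.
endlocal
```

`bootsect /mbr` rewrites only the boot code and leaves the partition table alone, so the recovery partition survives.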
 

Author Closing Comment

by:E J Pope
ID: 38564953
Reason is cause it's the answer...
0
