XP reinstall major problems black screen

Hello,

I have a problem with a friends PC - here goes...

The PC was riddled with trojans - the desktop theme had been changed to a flashing skull & crossbones saying infected - somewhat of a clue! Anyway I suggested a reinstall with windows XP. To hinder my efforts when I boot in normal mode the desktop appears but no icons, no menu, no nothing. I am unable to right click and my Task Manager says it has been disabled by the adminstator - I am of the suspicion that the trojan or one of the trojans has done this?

So in order for me to read the install disk I have to boot into safe mode! When I do this I have only a black screen and the four corners 'safemode'. Whilst in safemode I can access the Task Manager and create a new task 'explorer' which gives me access to the HD and the start menu...

I then access the CD successfully and start the install - I input the product key and the CD initialises a pre-install check - everything so far so good! However, once the initial check is complete the PC is re-booted in oreder to complete the remainder of the installation - this is where the problems start!

I then get a black screen with a small white element flashing in the top left hand corner and there it stays, hanging!!!!

I have tried everything I can think of but it seems to me that everything that I do try the trojan/virus has pre-empted and stops me? I have run msconfig and tried to deselect the drivers/services and do a clean boot. However, once again access is denied, even thought I am the administrator?

I am fast running out of options - if anybody can shed any light on this or are experiencing the same problems??

Also, am I right in thinking that I cannot install and run anti-virus software whilst in safemode? Have tried but failed?

Many thanks in advance

Your frustrated

Nig

 

Hi nigelallen,

Is it possible for you to take your friends HDD out and plug it into your system as a slave drive?

You're not going to boot from it, but you can run as many anti-spyware, anti-virus apps as you want on his HDD from your HDD.

Just, for heavens sake, do not copy anything from his HDD to yours.

 

Thanks for the response guys

I'll give both suggestions a go if I can?

How do I set the bios to boot from CD? Do I hold down F2? Where will I find the option to format the drive?

Thanks in advance, your help much appreciated.

N

 

Hi Arie

I have since got into the bios - or a least I think I have - I went to the boot menu and told it to boot from CD as a priority?

The PC does indeed attempt to boot from CD, however, it returns to the black screen with a small white line flashing in the top left hand corner?

Any ideas?

Thanks in advance

N

 

Hi

CD is original copy and not sure if it recognises HD - how would I tell?

I boot into safe mode but get no icons, menu - nothing. I have tried all options from the boot menu i.e. last successful congig, safe mode, network safe mode etc etc. all of which take me to a black screen.

To make matters worse I am unable to use Task Manager and create a new task because it says 'adminstrator has disabled it'! As the PC won't boot from CD I can't even fix the task manager?

I think it may be time to get out the lump hammer?

Thanks

N

 

Hi Nigel,

When you're at the desktop, can you access "Run "? (Start, Run)

If so, insert the OS CD, hold down the shift key so it won't autorun, then in the "run" window type in: sfc /scannow (note the space between the "c" and the "/ ").

If no joy, then you may have to reformat the drive with the OS disk and do a clean install: as long as your friend knows that everything he had will be wiped out.

If that's unacceptable, then hook his drive up as a slave and run the anti-malware tools. You can also do a chkdsk on his drive, too; there might be bad clusters.

If still no joy, then have him list what he wants to keep (photos, docs, etc.) and write them to a CD then do a reformat and install.

I seem to remember that smitfraud caused similar problems and there's a fix for it — I just don't know if it can be run from a CD.

 

JP Chris

Many thanks for your advice. Unfortunately I cannot access my desktop no matter what I do - always appears blank in normal or safe mode!

I am going to try and hook it up as a slave HD as per your suggestion. I have a clean PC that runs F-Secure that (touch wood) has never had any problems. I am hoping to run my F-Secure on the slave and clean it as best I can to see if this rectify's the problem.

If I hook up the problem HD as a slave - can I then format it so that it is clean - accepting that this will delete ALL data - and then try and reinstall XP when back in it's original PC Case?

As you might have guessed, I'm a novice when it comes to PC's so your advice is much appreciated.

Thanks for taking time out to respond

Nigel

 

Hi Nigel,

Yes, you can format his drive from your computer. In Windows Explorer, right click on "his" drive and select "format ".

However, I'd suggest using the XP CD for the formatting.

And, since you're a novice, don't forget to set the jumper to "slave ". Also, you might need the MotherBoard's installation CD for some drivers.

 

Many thanks for the advice - sorry if I'm asking stupid questions but what is a jumper and how do I set it to slave? I guess it was a little niaive of me to think I could just plug and play

Thanks again

N

 

Hi Nigel,

First, since you're trying to solve a problem, your questions aren't dumb or naive: If you don't ask, you won't learn.

Anyway, once you have the HDD out, on the back there's three areas: the long row of recessed pins is where you plug the other end of the cable coming from your MotherBoard (usually it's gray)(the black end of the connector is hooked up to your main HDD); next to that is a row of 8-9 recessed pins. There should be a very small black "jumper" that's connecting 2 of the pins; next to that is a recessed area with 4 larger pins "” that's where you hook up the power (usually a white plug with 4 wires going into it.

Note: When removing the long connector it is very, very snug. Grasp it on both ends and gently "rock" it back and forth with even steady pressure until it's out. Do not move it up and down as this will bend the pins and don't yank on the wires, either. Also, when hooking up the plug, make sure the notch on the connector matches the recessed area on the HDD and firmly seat it.

Since the HDD is out, there's a legend showing how to hook it up as a "slave" drive. Or, go to the mfg.s website and type in "jumper settings ".

 

JPChris

Many many thanks for your help. I won't get chance to try this until Thursday at the earliest but will certainly let you know how I get on.

Really appreciate the advice, thanks again

Nigel

 

You're welcome. By the by, I forgot to mention to make a note of where the original jumper was set on your friends drive.

 

Many thanks will do!

 

See pic here:
http://img.tomshardware.com/de/2005/11/16/das_grosse_thg_stecker_kompendium/hdd_jumper_ma.jpg
mickzer.

 

Many thanks Mickzer - just waiting to get the connecting lead to connect HD to slave.

Thanks to everyone for all their help. I am checking my email etc periodically so please don't be offended if I don't respond immediately.

All your help and suggestions much appreciated.

Regards

N

 

update

Hi all

Just a quick update FYI

Partial success - so near yet so far.

I successfully hooked up the problem HD to my PC (and a big thanks to aeveryone for explaining the Jumper - that would definitely have stumped me).

From my PC I ran a full anti-virus scan using F-Secure. This flagged up a grand total of 66 yes sixty six viruses - all of which were disinfected and removed successfully.

I then thought I would chance my arm and put the HD back its original box and try booting up as normal. It runs through the process and takes me as far as the login page e.g. Select a user account. I select the only one that appears i.e. my friends account and it looks like it is going to work.

However, it says loading your personal settings, then, instead of taking me to the desktop it says 'Logging off' and promptly logs me off that user setting and I'm back to square 1. I have also tried to boot into safemode and the same thing happens. The only difference being that I now have the option to log on as an 'Administrator'. However, this does exactly the saem thing, goes through the motions then logs off??

Before I attempt to go the whole hog and go through the whole process again and format the HD and start afresh - is this a common problem i.e easy to fix - I am guessing not?

I will be away from the PC tomorrow but will resume Sat. Your comments/suggestions most welcome as always.

Thanks for all your advice to-date and I'll keep you posted.

N

 

Just in case it helps...

Here is the anti-virus report FYI.

Have just noticed that the viruses were renamed NOT disinfected - is this normal? And that a Registry Defender virus failed to be removed - Any suggestions? Thanks.

Report as follows...

Result: 52 malware found
Trojan.Win32.Stuh.cvx (virus)
• H:\paret2.exe Action: renamed
• H:\paretz2.exe Action: renamed
Backdoor.Win32.IRCBot.ieo (virus)
• H:\pwz.exe Action: renamed
• H:\WINDOWS\lsasser.exe Action: renamed
Trojan-Spy.Win32.Zbot.gen (virus)
• H:\wlct.exe Action: renamed
• H:\WINDOWS\system32\sdra64.exe Action: renamed
Backdoor:W32/IRCBot.GTG (virus)
• H:\WINDOWS\fxsteller.exe Action: renamed
Trojan.Win32.Agent.carw (virus)
• H:\WINDOWS\kbdver32.dll Action: renamed
Trojan-Downloader.Win32.FraudLoad.vohb (virus)
• H:\WINDOWS\system32\kenahapu.exe Action: renamed
Trojan.Win32.Agent2.hln (virus)
• H:\WINDOWS\system32\krbclick1.exe Action: renamed
Trojan-Downloader.Win32.Mutant.bqt (virus)
• H:\WINDOWS\system32\WinCtrl32(10).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(11).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(12).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(13).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(14).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(15).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(16).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(17).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(18).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(19).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(2).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(20).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(21).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(22).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(23).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(24).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(25).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(26).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(27).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(28).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(29).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(3).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(30).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(31).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(32).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(33).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(34).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(35).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(36).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(37).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(38).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(39).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(4).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(40).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(5).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(6).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(7).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(8).dll Action: renamed
• H:\WINDOWS\system32\WinCtrl32(9).dll Action: renamed
Backdoor.Win32.NewRest.w (virus)
• H:\WINDOWS\system32\drivers\4036b494.sys Action: renamed
Trojan-Downloader.Win32.Mutant.aim (virus)
• H:\WINDOWS\system32\drivers\Winwd71.sys Action: renamed
Rogue:Win32/RegistryDefender.A (virus)
• H:\Program Files\Angle Interactive\RD Platinum v5.0\RDPlatinumv5.exe Action: FAILED
________________________________________
Riskware found
AdTool.Win32.MyWebSearch.cy (riskware)
• H:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
________________________________________
Statistics
Scanned:
• Files: 61682
• Not scanned: 21
Result:
• Viruses: 52
• Spyware: 0
• Suspicious items: 0
• Riskware: 1
Actions:
• Disinfected: 0
• Renamed: 51
• Deleted: 0
• Quarantined: 0
• Failed: 1
Boot Sectors:
• Scanned: 0
• Infected: 0
• Suspicious items: 0
• Disinfected: 0
Files not scanned:
• Cannot open file (click here for more info) H:\BOOT.INI
• Cannot open file (click here for more info) H:\NTDETECT.COM
• Cannot open file (click here for more info) H:\NTLDR
• Cannot open file (click here for more info) H:\PAGEFILE.SYS
• Cannot open file (click here for more info) H:\WINDOWS\TASKS\DISK CLEANUP.JOB
• Cannot open file (click here for more info) H:\WINDOWS\SYSTEM32\CDDBCONTROLSON.DLL
• Cannot open file (click here for more info) H:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
• Cannot open file (click here for more info) H:\WINDOWS\SYSTEM32\CONFIG\SAM
• Cannot open file (click here for more info) H:\WINDOWS\SYSTEM32\CONFIG\SECURITY
• Cannot open file (click here for more info) H:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
• Cannot open file (click here for more info) H:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
• Cannot open file (click here for more info) H:\WINDOWS\SYSTEM32\CONFIG\USERDIFF
• Cannot open file (click here for more info) H:\WINDOWS\REPAIR\DEFAULT
• Cannot open file (click here for more info) H:\WINDOWS\REPAIR\SAM
• Cannot open file (click here for more info) H:\WINDOWS\REPAIR\SECSETUP.INF
• Cannot open file (click here for more info) H:\WINDOWS\REPAIR\SECURITY
• Cannot open file (click here for more info) H:\WINDOWS\REPAIR\SOFTWARE
• Cannot open file (click here for more info) H:\WINDOWS\REPAIR\SYSTEM
• Cannot open file (click here for more info) H:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEAPORT\SEAPORT.CAB
• Cannot open file (click here for more info) H:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEAPORT\SEARCHBOXEXT.CAB
• Cannot open file (click here for more info) H:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEAPORT\SEASHADOW.CAB

 

Hi Nigel,

66!?! Tsk, tsk. With all the warnings over the past umpteen years your friend should have had at least 1 AV and 2 AS programs installed: Especially since there's some really excellent freebies out there.

The easiest route is to reformat the drive and reinstall the OS; as long as your friend knows he's going to have to reinstall all his programs as well.

I already know I'll get a lot of dissension on this, but what's worked for me for the past 7 years is to partition my HDD into 3 sections: "C:\" for the OS and all other programs that won't let me install elsewhere; "D:\" is where I have all my programs installed; and "E:\" is where I keep my pics, movies, excess stuff, etc. I've found that by doing this my virus scans, spyware scans and defragging go extremely quickly. Instead of having to scan an 80GB to 360GB drive, it only has to scan 7GB. Plus, even though it's 7GB, it's still has over 4GB free space. And, if you want to access any partition without a lot of clicking, I can show you how to amend Windows Explorer to open up directly to any partition you want.

Of course, this may not be a doable situation for your friend.

One last note, if you feel masochistic try downloading SpyBot Search & Destroy ( http://projects.securitywonks.net/projects/details.php?file=2 ); SuperAntiSpyware ( http://www.superantispyware.com/superantispyware.html); AVG Anti-Virus ( http://free.avg.com/download?prd=afe ) and AVAST Anti-Virus ( http://www.avast.com/eng/programs.html ). They're all free and do a really good job. And, someone else might recommend another one, too.

Anyway, like I said, if you're willing to break out the hair shirt and run these programs to see if they fix the problem, you're a braver man than I Gunga Din.