
Vista Start Issue / Post Removal Problem


Chris1701 (MIS) - Dec 27, 2004 - US
A friend of mine gave me his notebook computer which runs Vista Home Premium and had apparently been infected by some type of virus / malware.

In this case it appeared to be the "Privacy Center" virus. I was able to take the hard drive out of the notebook and attached it to one of my computers and scan and remove the virus infected files.

After this I can start the system and log in, but no matter whether it's in normal or safe mode I can never get to the desktop. In a normal startup it just sits at a blue background screen; I've left it like that for six hours and the desktop never comes up. I've tried Googling this problem and there was some information indicating that the winlogon / shell and userinit registry values may have been changed. I was able to start the system in safe mode with a command prompt and run regedit. I searched and checked all winlogon registry values; there was one shell registry value that had been altered and I changed it back to "explorer.exe" as it was supposed to be, and still have the same problem on restart.

I've also tried to use the system restore option to go back to the earliest available restore point but still the same problem.

Can anyone make a suggestion or two on what to do in order to fix this?

Thanks,

Chris
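The Winlogon check described in the post, done against the drive offline while it is attached to another machine rather than by hand in regedit, as an added example that is not from the thread. It is a Windows batch script that assumes the drive is E: (as in the scanner log later in the thread), that it runs from an elevated prompt on the host, and that PLACEHOLDER_USERNAME is replaced with the affected profile folder name; it also checks the per-user Winlogon and Policies keys, which only affect one account and would explain a freshly created account behaving differently.

```batch
@echo off
rem Added example, not from the thread: inspect Winlogon and per-user policy
rem values on an attached Vista drive by loading its hives offline.
rem Assumes drive E: and a placeholder profile folder name (edit both).
setlocal
set DRIVE=E:
set PROFILE=E:\Users\PLACEHOLDER_USERNAME

rem Load the offline SOFTWARE hive and the user's NTUSER.DAT under temporary keys
reg load HKLM\OffSoft "%DRIVE%\Windows\System32\config\SOFTWARE" >nul || (echo Could not load SOFTWARE hive & goto :eof)
reg load HKU\OffUser "%PROFILE%\NTUSER.DAT" >nul || (echo Could not load NTUSER.DAT & goto :unload_soft)

echo --- Machine-wide Winlogon, expected on Vista:
echo     Shell=explorer.exe   Userinit=C:\Windows\system32\userinit.exe,
reg query "HKLM\OffSoft\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\OffSoft\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

echo --- Per-user Winlogon key, normally absent. A Shell value here
echo     replaces explorer.exe for this account only.
reg query "HKU\OffUser\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul || echo (no per-user Winlogon key: OK)

echo --- Per-user Task Manager policy, normally absent. DisableTaskMgr=1
echo     would explain Task Manager refusing to open for this account.
reg query "HKU\OffUser\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr 2>nul || echo (no DisableTaskMgr value: OK)

echo --- Per-user Run entries started at logon for this account
reg query "HKU\OffUser\Software\Microsoft\Windows\CurrentVersion\Run" 2>nul || echo (no per-user Run key)

rem Unload in reverse order so the hives are released before the drive is detached
reg unload HKU\OffUser >nul
:unload_soft
reg unload HKLM\OffSoft >nul
endlocal
```

Compare the query output with the expected defaults printed above it; any other value under Shell or Userinit, or a per-user Shell override, is what keeps the desktop from appearing for that account.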
 
Maybe when the virus cleanup was done some important file(s) got removed but not replaced by correct one(s)?

There is also the possible issue of files properly restored but now with SIDs that are not valid in the original system.
 
That may or may not be the case, but according to the virus scanner log these were the files that were detected and removed:

Code:
E:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NGTNDXBL\bee[1].png » NSIS » script.nsi - Win32/Adware.PrivacyCenter application - was a part of the deleted object
E:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NGTNDXBL\bee[1].png » NSIS » pc.exe - Win32/Adware.PrivacyCenter application - was a part of the deleted object
E:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NGTNDXBL\bee[1].png » NSIS » agent.exe - Win32/Adware.PrivacyCenter application - was a part of the deleted object
E:\Users\<username>\AppData\Local\Temp\security_update_install.exe » NSIS » script.nsi - Win32/Adware.PrivacyCenter application - was a part of the deleted object
E:\Users\<username>\AppData\Local\Temp\security_update_install.exe » NSIS » pc.exe - Win32/Adware.PrivacyCenter application - was a part of the deleted object
E:\Users\<username>\AppData\Local\Temp\security_update_install.exe » NSIS » agent.exe - Win32/Adware.PrivacyCenter application - was a part of the deleted object
E:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\16cbe8ee-30fedbef » ZIP » myf/y/AppletX.class - probably a variant of Win32/Agent trojan - was a part of the deleted object
E:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\16cbe8ee-30fedbef » ZIP » myf/y/LoaderX.class - probably a variant of Win32/Agent trojan - was a part of the deleted object
E:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\16cbe8ee-30fedbef » ZIP » myf/y/PayloadX.class - probably a variant of Win32/Agent trojan - was a part of the deleted object
E:\Users\<username>\AppData\Roaming\PC\agent.exe - Win32/Adware.PrivacyCenter application - cleaned by deleting - quarantined [1]
E:\Users\<username>\AppData\Roaming\PC\pc.exe - Win32/Adware.PrivacyCenter application - cleaned by deleting - quarantined [1]

At the moment the only access I have to the machine is in safe mode with command prompt. If I try and start the system in either normal or safe mode all I get is a blank desktop with no icons or taskbar. While I can get the security screen by pressing Alt-Ctrl-Del, if I click "Task Manager" the task manager refuses to open, so I'm unable to run or install any other programs from this state.

I've managed to install SpyBot Search & Destroy, manually run the latest includes, and scan and remove some minor spyware, but this hasn't improved the situation. I can't seem to install HiJackThis! or any anti-virus software, the anti-virus software most likely because the Windows Installer service is not running. I've also managed to run MSConfig, but disabling all startup services did not appear to help the problem either.

 
Sorry, I accidentally hit submit on that last post before I was finished editing.

I'm not entirely certain that the current problem is even related to a virus but it may in fact be the infamous "Black Screen" on bootup that's been plaguing Windows Vista lately. Googling that has turned up at least a dozen different things that are causing it.

So I haven't been able to do anything to improve the situation. Can anyone make a suggestion here on something to do or try to fix or correct this problem?

Thanks,

- Chris
 
Startup Repair.

Startup Repair is a Windows recovery tool that can fix certain problems, such as missing or damaged system files, that might prevent Windows from starting.


You can try ChkDsk c: /r from the Safe Mode Command Prompt, or from the Recovery Environment Command Prompt.

How to use the Command Prompt in the Vista Windows Recovery Environment

You might be able to create a new user via the Safe Mode Command Prompt or enable the built-in Administrator account and test with them.

Adding a new user through command prompt

Enable the (Hidden) Administrator Account on Windows 7 or Vista


What recovery and repair options come with your installation? If you have a retail DVD some of the following might benefit you. If you are an OEM customer then you probably only have the option to restore to factory defaults after saving your data "off machine".

The method to perform a Repair Install is outlined in this thread. Just make sure you are repairing the correct ServicePack version with any repair media that you use. Good idea to make a backup of the whole partition first.

"set association troubles in vista"

Or this one.

How To Perform a Repair Installation For Vista


Repair Installation:

You may reinstall your copy of Vista while keeping your files, settings, and programs by performing a repair installation or an in-place upgrade with the following steps: (Note: This does not always resolve all issues, especially if the corruption was caused by a 3rd party program or service, you might need to do a clean installation if this is unsuccessful.)
 
Thanks so much for the reply.

I tried the startup repair tool but it says that it can't detect a problem. Likewise, chkdsk C: /r does run a disk check on reboot but it doesn't repair the problem.

I tried enabling the hidden administrator account but attempting to log in had the same problem as the single user account, i.e. just a blue background with a mouse cursor and no icons or taskbar.

However, I created a new user account through the command line and tried to log in with that in a normal startup, and I was able to get to the desktop with icons, the taskbar and the start button. However, it appears that there is a problem: when I attempt to install any program the installer hangs. The first thing I tried was to install an anti-virus program and that hung on "Preparing to install"; likewise HiJackThis! hung during installation as well.

I just don't understand what is going on here?

As you had guessed this is a Toshiba laptop and the only option is a restore to the factory default which is not an option. I really need to figure out what the problem here is and repair it, also repair the regular user account as my friend has a lot of important documents that he needs to retrieve.

Thanks,

- Chris





 
Avira presents a FREE data recovery rescue CD

Avira AntiVir Rescue System
The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, to rescue data or to scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.

Avira AntiVir Rescue System
Date: 04 Aug 2009 - Version : 20090804174618
 
I gave that a try but a scan did not find any additional infected files.

Unfortunately I've checked and the DVD that comes with the machine does not have an option to do a repair install of the operating system. Can anyone tell me, how hard is it to get a legitimate DVD copy of the operating system (Vista Home Premium x32) from Toshiba or Microsoft? (short of going out and buying a full copy)

Also as a side note, I had previously stated that I'd managed to create a new user account and login with that and get the desktop and taskbar. I just tried that again (I was going to see if I could run SFC) but now I'm just getting the black screen and mouse cursor, aka the black screen of death. In this mode I also can't get the task manager with alt-ctrl-del, nothing happens.

Any ideas?

Thanks,

- Chris
 
Even a Retail DVD does not have a Repair option (like you had in XP). The workaround is to upgrade the current Vista using the current Vista install media; depending on the OEM recovery/install media, this might not be possible other than with a Retail DVD/CD.

That Avira Rescue Disk (I believe) allows you to get your data off the machine. With that saved you could then do Toshiba's recovery/reinstall procedure.

If you were to borrow a Retail DVD for an upgrade (repair) you might still run into problems with your own Product Key being an OEM one when it became time to enter it.
 
Have you tried to check the permissions on the drive and ensure system and your user have full access?
 
I'm sorry to say that my friend was getting a little nervous and not willing to let me work through this. So he's taking the system to BestBuy to let the GeekSquad work on it, against my advice, but what can you do.

Thanks to everyone who replied to this thread.

- Chris
 