Xp with flashing cursor.

[Kitten Kong]

Hi there, can anyone help me with this please.

I have a clients Asus EEE pc in at the moment. Last week, she had the thinkpoint virus on it, which I removed. Installed MSE, and all well.

This afternoon, she rings me up, saying that she ran MSE, it found something, she pressed clean, and then the screen went black.

Each time she attempts to boot the netbook, a flashing cursor appears in the top left hand corner, and simply hangs there.

My diagnosis, is a failing hard drive, together with issues within windows; but would love a second opinion.

Things I have done:
Removed the drive, and slaved to my main machine. Scanned it complete with MSE, and MBAM.
Removed 4 rammint viruses, and 3 security alerts.

Loaded the drive back into the netbook, boot up, flashing cursor.

Netbook, does not even let me get to safemode, or last working config.

Slaved back to main machine, tested drive, found a number of bad sectors.
Repairs some of the bad sectors.

Currently trying a repair with chkdsk /r/f

Client is insisting that me installing MSE, is causing this problem, as 'it was working fine, before you installed that program'

any other thoughts?

thanks if you can assist.

 

[ATTech]

Run hard drive diagnostics on it if you suspect it to be a bad drive. It's going to be difficult to convince her of a bad hard drive, and that it is coincidence that it failed right after MSE scanned, without showing her something that says the hard drive is bad.

 

[mraikes]

Have you booted from a disk/usb and tried a restore point prior to her MSE cleaning?

 

[iptech]

Use an external boot medium to write a new Master Boot Record. Every Thinkpoint infection I've encountered was also accompanied by an MBR virus.

 

[shamrin]

Use an external boot medium to write a new Master Boot Record. Every Thinkpoint infection I've encountered was also accompanied by an MBR virus.

I agree, Thinkpoint --> MBR virus. As of last week, MSE was not able to properly remove it (shows up as BOO/Alureon.A I think in Avira). When you slave the drive again, run TDSSKiller and see if maybe it picks up something.

 

[iptech]

I agree, Thinkpoint --> MBR virus. As of last week, MSE was not able to properly remove it (shows up as BOO/Alureon.A I think in Avira). When you slave the drive again, run TDSSKiller and see if maybe it picks up something.

Yes, definitely scan the drive again, the rootkit will draw down all manner of secondary infections. Thinkpoint actually does us a favour in preventing the user from using the computer on an active internet connection as it prevents these secondary infections being downloaded until it is removed/circumvented.

 

[TechguyUK]

I'm finding Ramnit is particularly nasty at the moment and my bet is its sure to get worse - my guess is that its at the root of your current issue.

I've had two customers with it in the last week alone, both have required an N&P due to significant system file corruption. One of these customers was running mcafee which had over 65000 infected files in its quarentine folder !!

 

[Kitten Kong]

Currently scanning the drive with seagate diagnostics - see what that brings up.

Chkdsk, found and fixed a number of errors. Exiting this, reboots the netbook as normal, flash screen with the aus logo, then again nothing... cursor top left.

I've not booted with another disc to try anything yet, will try shortly.

Will reply with more shortly. Thanks for the tips everyone

 

[Ccomp5950]

Mash F8 when the computer is booting, select safe mode. If it stops on isapnp.sys than it's a piece of a bad rootkit that is halfway cleaned up.

Slave the hard drive into another computer

pull up \windows\system32\drivers\ folder

look for files that are zero bytes, delete them.

 

[stro]

Currently scanning the drive with seagate diagnostics - see what that brings up.

I have never been a huge fan of seagate diag. I have seen it pass a hard drive that was proven bad with other tools.

I would test it with Powermax. If the drive is bad, it is bad.

While there are a couple of exceptions, I am always pretty firm with customers that on a PC, generally software and viruses do not damage hardware. Stand your ground on this. I have had to explain to people in the past in similar situations, that a computer in normal operation is always accessing the same smaller areas on the drive all the time, but a virus scanner accesses/checks all areas of the drive, so if bad areas on the drive exist, filesystem scanning software and defrag programs are more likely to trigger problems areas on a hard drive if they exist.

 

[ATTech]

Edit: Nevermind. It appears the the "PBR" just provides alternate boot access to the recovery partition. It can be repaired with the normal MBR repairs, you'll just lose recovery partition boot capabilities. Theoretically, you can take an image of the system, restore to factory settings, back-up the MBR, restore the image, restore the MBR. That should essentially "fix the MBR" without disabling the recovery partition.

 

[Kitten Kong]

right, here goes..

Apols for the late reply, I left it on scan all night, whilst it was doing its things..

Seagate, tested the drive on a long generic pass, and came back clean, but will test with other tools too.

Attempts at running TDSS KIller, I couldnt point it to the slave drive..
MSE found 2 infections. these being win32.advantage, and win32.hideproc.c
MBAM found 20 infections 3 x tdss rootkits, 15 x trojan startpage, and 2 x adware widgitoolbar.

back again shortly.

thanks everyone for the tips, this one has been doing my ruddy head in.

 

[Kitten Kong]

Now im getting extremely p133ed. Just had a call off my client, asking if the netbook is ready. I explained to her, that I am working on it, as we speak, and I will give an update, as soon as I know one.

She then goes on to tell me, that she contacted another repair company. I won't give the name here in a open forum. Tell them, whats happened, how I put MSE on it last week, how she ran a scan yesterday, and as soon as she pressed clean, the screen goes black. To be told, that she shouldnt of pressed clean, it could of been doing a system scan. They dont think its the hard drive at fault, as it would of been causing issues other than this.

So then I explain, that I have scanned, it with different tools, removed x no of vlruses, and malware, am attempting everything I can to get this working. She tells me, she needs it for work.

I then explain, that some fixes, can be done literally straight away, others can take a little time. This one unfortunately is one of the times, it takes some time; if you would like to take it elsewhere, then by all means, you are well within your perogative to do so.

She then tells me, that when she spoke to this other company, if they could fix it, they said to her, that because I have been working on it, since the black screen, they won't touch it, as I could of made the damage worse!

My client is raving, thinking I have caused this problem!

I mean come on..

/rant

 

[B Trevathan]

After you've remove all the malware if it still doesn't load windows you may want to try this, there was a post on here recently about the black screen with the blinking underscore at boot up and they fixed it by slaving the drive and defragmenting it followed by chkdsk.

I'm guessing that you have everything unplugged from the computer like USB cables.

 

[Kitten Kong]

Last update, before I throw this across the workshop floor.

Roughly one in ten boots, will actually boot, to the asus flash screen, and then allow me into bios etc. The remaining boots, as soon as I power up, the cursor in the top left appears, and stays.

Removing the hard drive, allows the netbook to boot complete. Replace the drive, and same thing, flashing cursor. Therefore, not able to boot from cd, and do a fixmbr etc.

Replace the drive, with one of my spares, and it boots up, and cd rom will start spinning..

Slaved it back to the main pc, and am running a chkdsk /f/r from cmd prompt
I ran a defrag on it last night, and left it to run.

Will post more shortly.

 

[red12049]

Now im getting extremely p133ed. Just had a call off my client, asking if the netbook is ready. I explained to her, that I am working on it, as we speak, and I will give an update, as soon as I know one.

She then goes on to tell me, that she contacted another repair company. I won't give the name here in a open forum. Tell them, whats happened, how I put MSE on it last week, how she ran a scan yesterday, and as soon as she pressed clean, the screen goes black. To be told, that she shouldnt of pressed clean, it could of been doing a system scan. They dont think its the hard drive at fault, as it would of been causing issues other than this.

So then I explain, that I have scanned, it with different tools, removed x no of vlruses, and malware, am attempting everything I can to get this working. She tells me, she needs it for work.

I then explain, that some fixes, can be done literally straight away, others can take a little time. This one unfortunately is one of the times, it takes some time; if you would like to take it elsewhere, then by all means, you are well within your perogative to do so.

She then tells me, that when she spoke to this other company, if they could fix it, they said to her, that because I have been working on it, since the black screen, they won't touch it, as I could of made the damage worse!

My client is raving, thinking I have caused this problem!

I mean come on..

/rant

Customers are fun, aren't they?

Just because your customer left her common sense in her netbook, don't lose yours. Sounds like either the partition is hosed, or the drive is going bad. If you haven't already, image the drive with your software of choice. Then, Recovery console, "fixboot", then "fixmbr." That "may" bring it back to life.

Next, try and establish what happened. Since you recently cleaned the machine, and it is infected again, check her browsing history with IEHV or MHV. to try and determine whether you missed something last time, or she re-infected herself. If she re-infected herself, be sure to print out the relevant trail.

Here's where it gets sticky. The boot problem may be caused by the infection, or it may be indicative of a bigger problem (hard drive). Sort of have to trust your gut here. If it performs well, then give it back to her with the proviso that no testing software is perfect, and that if she has further problems, it is time to replace the hard drive. If it performs poorly, time to replace the drive now. I've never found test software I could really trust. Have a drive here that I replaced recently, after three visits to fix the flashing cursor problem. Each visit fixed it for a week or so, then problem reoccurred. Replaced the drive, problem went away. Still have the old drive, and it STILL tests good.

Good luck, and let us know how you get on.

Rick

 

[B Trevathan]

Have you tried running SuperAntiSpyware on the slaved drive?

 

[atlanticjim]

XP Blinking cursor - Most likely suspect is corrupt MBR.

Blinking cursor on boot on a windows XP machine usually indicates a MBR error as the corrupt MBR is looking to boot from a partition either without an OS such as a recovery or diagnostic partition or more likely a combination of that with the OS partition not set as active.

Do you have access via a live disk such as UBCD4Win? If this is a netbook without a CD drive, use a USB CD drive or bootable USB thumbdrive and press ESC as you power the unit on. This will give you boot location options. You can use any of a number of tools to correct the settings of the MBR.

Caveat: If this ASUS machine uses a proprietary MBR (like the Dell PBR) you might not be able to get the tools to properly correct the error and will be backed into the position of N/P. If you are, I would suggest that you review the article by Bryce on N/P and buy a copy of Fab's Autobackup.

edit: Using fixmbr on a proprietary mbr will often change settings that will make the computer unbootable with a blinking cursor as described. Fixmbr is only to be used on a standard MBR.

 

[red12049]

Blinking cursor on boot on a windows XP machine usually indicates a MBR error as the corrupt MBR is looking to boot from a partition either without an OS such as a recovery or diagnostic partition or more likely a combination of that with the OS partition not set as active.

Do you have access via a live disk such as UBCD4Win? If this is a netbook without a CD drive, use a USB CD drive or bootable USB thumbdrive and press ESC as you power the unit on. This will give you boot location options. You can use any of a number of tools to correct the settings of the MBR.

Caveat: If this ASUS machine uses a proprietary MBR (like the Dell PBR) you might not be able to get the tools to properly correct the error and will be backed into the position of N/P. If you are, I would suggest that you review the article by Bryce on N/P and buy a copy of Fab's Autobackup.

edit: Using fixmbr on a proprietary mbr will often change settings that will make the computer unbootable with a blinking cursor as described. Fixmbr is only to be used on a standard MBR.

Question.... I've used "fixmbr" on many Dells with a PBR, and all I lost was the recovery partition function. Systems booted to the OS fine. Are other brands different?

Rick

 

[Kitten Kong]

Finally this thing is fixed.

Only option was to install another drive, and basically start afresh. Client still isnt happy, as she claims because this other company have said the drives ok, then I shouldnt of had to install a new drive!. This other co, havent even seen the machine, and are only going off what they were told!.

All manu tests of the drive show it as working, but ive gone with my gut on this one, and simply replaced it. I won't be charging my client for the drive, just will give it a no warranty item. So now, im transferring all her docs n settings back over, and installing the programs.

I know she wont be happy, with this, but right now, im past caring. I initially quoted her £145 for the drive, installation and backup, or £120 without the backup.

She came back to me, saying shes gone to the bank, withdrawn £70 and is there any way she could have a new drive, with her data on it for that?, ' i wouldnt be bothered its just my sons pictures'.

So I replied with I can save your data, inc pics, and put them on a dvd, as a matter of course, then you can take the pc elsewhere to be fixed. I wont charge for this.

Reply was, but then I wont have a laptop which i need.

So i'm in a no win situation here. This is one client I will be glad to see the back of..