Windows booting into startup repair - virus

pledgeX

I somehow managed to get a virus today. It looked like one of those applications that mimicked a spyware removal tool, can't remember what it was called I'm afraid. I knew it was a virus so went to run malware antibytes but it blocked that, it also closed down MSE and blocked cltr+alt+del.

I rebooted the computer and put it into safe mode, but as soon as I selected safe mode, it shows the 'windows is loading files' bar along the bottom and the runs windows startup repair. It will search and then say its found an error but can't fix it.

I then booted from the windows 7 disk and tried running the startup repair. That completed and found no errors. I also tried system restore, but as soon as I select a boot option (safe mode, normal, last known good configuration etc) it runs the startup repair again.

I'm thinking that the startup repair tool it runs is immediately after selecting a boot mode is part of the virus and not the genuine tool considering I get a different result when running it form the disk.

Is there anything I can do apart from a full format to get round this? If I could get into windows then I might be able to start running scans etc.

I imagine the only other thing I could do is run from the disk and run the command prompt and perhaps disable something from running???

Thanks for any help.

RussJK

Perhaps try a bootdisc antivirus if you can:
forums.moneysavingexpert.com/showthread.php?p=41653210

If it's nothing serious, then at worst you can do a repair install.

If it is something serious, have you got backups?

pledgeX

Thanks Russ. I'll give those recovery discs a go, but I have to wait until I can get a PC that will burn the image.

Isn't the repair install the same thing I'm running when I insert the win7 disc? See here for what I've been running.

I have got backups of all my important data, its just the hassle of re-installing about 100GB of programs and setting everything up again. Unfortunately I don't have an image I can backup from.

RussJK

Repair install is a non-destructive install over the top of an existing installation; it keeps programs and personal documents intact.
http://www.sevenforums.com/tutorials/3413-repair-install.html

If I had a virus, I'd try sorting it out (to understand how I got it), but ultimately reinstall.

Another reason to try to fix the virus first is so you can (more safely) backup the settings of programs (e.g. appdata/roaming), but don't backup drivers. After reinstalling, you can make a clone of a 'fresh install' i.e. even before an antivirus is installed, then one after absolutely everything is installed, secured and set up. Only access backups after the machine is secured, and after scanning them.

You mightn't have to think about any of that if the bootdisk antiviruses sort things out themselves - or let Startup Repair or a Repair Install help.

pledgeX

Managed to get it fixed in the end with no need for a format/re-install. Not sure exactly what fixed it, probably just the last item in this list, but it may have needed one of the prior items in the list.

- Run startup repair from win 7 disk
- Use Fedora LiveCD to backup any data on the C: (just in case it all goes wrong)
- Run Avira bootdisc antivirus
- Run chhdsk -r from command prompt on win7 disk (didn't show any errors)
- Run bootrec /fixmbr and bootrec /fixboot from command prompt on win7 disk

Now I've booted it up happily and am running an abundance of disk cleanups and virus/malware/spyware scanners. When that's done I'll create a system image so hopefully this doesn't happen again!

waddler_8

There's a loot of bootkits about so it's highly possible the last step fixed it.

BUT, a caveat with FIXMBR, if this was an OEM (Original Equipment Manufacturer) computer that came with windows pre-installed it's possible it has a hidden recovery partition that contains the files necessary to restore the computer back to it's "factory" or "shop bought" state.
Access to this method of recovering your computer can be done by pressing a function key combination at boot up. The PC has custom OEM code in the MBR to recognise this.
The fixmbr command writes default Windows code to the MBR, so access to the hidden recovery partition would unlikely be available without restoring the original OEM MBR code.

There are tools available that may be able to fix any infection that alters the MBR by possibly restoring the original MBR (Avast/GMERs aswMBR for one).


Of course, if the computer had Default Windows MBR code in the first place, then the caveat is a moot point.

RussJK

Probably not an issue for him if he uses a Windows 7 disc.

Some manufacturers leave the tools to restore the OEM specific MBR on the hidden recovery partition, e.g. Acer recovery partitions contain the mbrwrwin.exe/mbwrdos.exe tools, with rtmbr.bin as the source.