Lexington Computer Repair Blog

I had a computer here today that would not allow me to open the Windows Security Center even though it was showing up correctly in the notification tray. This was an XP machine that had had a virus, so I tried all the virusy things I know but they would not fix the problem.  I then found this post on Tech Support Forum that solved the problem. I’m happy to propagate it here. And yes, Bob is my uncle!

There are a lot of reasons (apparently) that Windows 7 might not resume from standby. Here is a fix to try but probably only if you are desperate and have these exact symptoms.

My customer brought in a Lenovo X200 laptop, a very nice laptop indeed, that would not boot. In fact after turning on the computer, the dash lights would like but the display would not even flicker, it was completely dead. If it weren’t for the fact that the computer wasn’t booting (and the customer insisted it had not been immersed in water) I would have thought the display had gone bad. However, I knew it wasn’t just a display problem because if it had been a) the machine would have continued to boot and b) we would have been able to see something by connecting an external monitor.

Interestingly, if I removed all the RAM, the machine would provide the beep codes associated with, “Hey stupid, you’ve removed all the RAM”. Replacing one stick at a time did not fix the problem, replace the HDD did not fix the problem. The machine does not have an internal CD, but if it did, replacing it would not have helped.

So, here is a summary of the symptoms:

• Black screen, no flicker or change in state
• Dash lights light but HDD light does not show sustained activity
• Bluetooth light illuminates and stays lit
• No POST
• No BIOS screen
• No beep codes (unless all RAM is removed)
• Same result with battery in and out

This looked like a dead system board and that’s what the repair manual indicated as well. But as it turns out, it was just a hosed CMOS. On this particular machine, the only way to reset the CMOS (that I could find) was to partly disassemble the computer, unplug the CMOS battery then put everything back together. Many machines have a simpler method that can be done using the power button (that did not work on this machine) or some other key combination. If you have a different machine, Google for “CMOS reset” and the model of your computer and you should find a way to do this.

What we have noticed over the last year or so is that the virus writers are making their viruses more and more difficult to extract. We have found that no single virus removal program can do the complete job. Moreover, the virus writers are making it so that an average user often cannot even get the computer booted into a state where they can start to work on it. If you want to give it a go, here are my suggestions.

Required items:

• 1 working computer (not the virused one)
• 1 flash drive

First, recognise that the bad guys have got control of your computer. They essentially are controlling it remotely over the internet so you need to make sure your computer is disconnected from the web. Pull the ethernet cable out of the back if you are connected by a wire. If you are wireless, you need to disable your wireless connection with a switch or button combination (if you are on a laptop) or, if you are on a desktop, by pulling the antenna off or pulling the card (NB: turning off your wireless router will not work as many viruses configure your computer to attach to any network they can find, like your neighbors).

Once the computer is off the internet, turn in on and see if you can boot into Safe Mode. To do this, start pressing and releasing the F8 key about twice a second as soon as you turn the power on to your computer. If you get it right, a text menu, white on black, will appear. If the Windows start screen appears, turn off the computer and try again. From the menu, select “Safe Mode” (no networking). You will see all the device drivers that your computer loads scrolling across your screen. If the computer asks you if you are sure you want to enter Safe Mode, say yes. If the computer seems to stall, give it a few minutes to boot, sometimes Safe Mode takes a while to load. If you are asked to log in, log in with your user name and normal password. If all goes well, you should get a screen with huge icons that looks a little like your desktop. If after 5 minutes you are still stuck on the black and white screen, Safe Mode is not going to work for you.

Once the computer boots into safe mode. Verify that you don’t have any virus pop-ups on your screen. If you do, you may have trouble with the next step but soldier on.

On the working PC, go to www.malwarebytes.org and download Malwarebytes, saving it on your flash drive. Next go to here, and download the latest security definitions for Malwarebytes and save those to your flash drive. Unplug the flash drive from the working computer and plug it into the one with the virus. Use My Computer or Computer or Windows Explorer to find your flash drive, then double-click on the Malwarebytes program to install it.

Proceed with the Malwarebytes installation (some viruses are smart enough to keep you from installing this program, if it won’t install, try changing the name of the file on your flash drive to something random, if that still doesn’t work, you may be beyond the scope of this procedure. When Malwarebytes asks you if you want to update and then run the program, uncheck both boxes (you don’t want to run it yet). After Malwarebytes completes its installation, go back to your flash drive and run the Malwarebytes update program you downloaded. When that completes, go to your desktop and double-click on the red Malwarebytes icon.

When the program opens, select “Perform Quick Scan” and press the Scan button. This will take 10-30 minutes to complete. When it’s done, review the items it has found (there may be quite a few) and tell it to fix the problems. You may be asked to reboot the computer, if so, answer yes, if not, reboot the computer anyway.

With the computer still physically disconnected from the internet, reboot the computer into “normal” mode. If you can log in to your desktop do a little dance, you are about 1/3 of the way home. Run Malwarebytes again, this time telling it to do a full scan, this will take an hour, maybe more. Again, tell it to fix any problems it finds. After it finishes, open the Control Panel, go to Add/Remove Programs and uninstall any security or antivirus programs you have been using – consider them broken. This is an important step, if you skip it, and proceed with these instructions you may render your computer unusable.

Now, on the working computer, go to www.free-av.com and download Avira AntiVirus and save it on your flash drive. Next, go here and download the Avira signature updates (keep that page handy because you will need the instructions after you install Avira on the virused computer). Move the flash drive to the virused computer and install Avira. Next, following the directions you found above for doing a manual update, update the Avira virus definitions. Now, double-click on the Avira icon on your desktop and tell Avira to do a full scan of your computer. Go fix dinner or a very large cup of coffee, this will take at least and hour.

When Avira finishes, tell it to repair any problems it found. Now, reconnect your computer to the internet. Start Malwarebytes again and go to the Update tab and tell Malwarebytes to do an update. When it finishes, run a Quick Scan and clean up any additional problems it finds. After that, tell Avira to update itself and run another full system scan. When that finishes, there is a 90% probability your computer is clear of viruses and trojans. You might want to download Hitman Pro and run it for a second opinion.

If these instructions fail

There could be a million reasons why the above procedures might fail. As I said, the virus writers are smart and often over-achieve with their destructiveness and stealth capabilities. Here are some good websites with helpful people that you might try:

• Major Geeks
• Broadband Reports
• Wilders Security

Your other options are:

• Save all your importat data to that flash drive and reinstall Windows
• Call a professional like Hartland Computer Services @ 859.536.4107

Good luck.

I am working on a customer’s computer here that has a fairly serious virus infection. Thinking I had cleared the virus, when I put the HDD back into her machine it would just log me out as soon as I logged in. Things went downhill from there and I ended up having to restore her disk back to the way it was when she brought it in and start all over again. After clearing the viruses for a second time (this time correctly), the machine would not boot. When I turned it on, all I got was a black screen with a blinking cursor.

I tried booting to the XP installation disc (after breaking the Admin password using EBCD from here) and using FIXMBR and FIXBOOT but this was to no avail. I checked the BOOT.INI file which was OK and I tried restoring her drive both with its original MBR and the standard Windows XP MBR – no dice. Then I remembered a tool I had used a while back for a mysteriously unbootable computer that was giving me the “NTLDR missing” error. In this case I was not getting any error message, just the black screen blinking cursor, but the two problems felt the same to me. Sure enough my NTDLR fix CD repaired the problem on the first try. You can download the black screen blinking cursor fix from here.

The author, Mike Comer, does a nice job of explaining how this works technically so I won’t repeat it here. I will recommend that if this fixes your problem that you make a small donation to Mike as I have for his excellent help.

Edit 26 August 2010: I have had a couple of Dell computers here this week with the same problem. I am convinced that it has to do with a failing hard drive. If I am right, the fix for this problem of course is to replace the hard drive. One work-around that has been reported to work is to remove the hard drive and do a defrag on it, then put it back in the problem machine (be sure to run CHKDSK /F both prior and after the defrag). Another work-around is to reformat and re-install. Both of these have worked but I have some doubts about whether they are good long-term solutions. Possibly worth a try though.

We’re huge Skype fans here. First we used it for international calling back to the US when we were living in the UK, then we loved it for its great video conferencing when we were in India. I’ve installed it on two Windows 7 implementations (both on the same machine) and have had problems with the sound card both times. Here’s the problem and fix:

Sometimes, when I would answer a call, instead of picking up, Skype would reject the call and give me a message that says: “No sound – There’s a problem with the sound card inside your computer. Try plugging in a USB headset for this call” It does this even though there is absolutely no problem with the sound card. The problem is intermittent but once it starts it’s hard to get rid of.

The solution I’ve found for this is as follows:

1. In Windows 7, right click on the little speaker in the notification area (lower right of desktop)
2. From the menu, select “Playback devices”
3. On the “Sound” window, disable any sound devices that you don’t have or don’t use then select the one you want to use for Skype, it probably is called simply “Speakers” with the name of your sound card underneath it.
4. Now click on “Properties”
5. Next click on the “Advanced” tab
6. Uncheck the box that says “Allow applications ot take exclusive control of this device” then click “Apply”, then “OK”
7. You should now be back at the “Sound” window, click on the tab that says “Recording”. Highlight the microphone that you use for Skype and click on “Properties”
8. Go to the “Advanced” tab and do the same thing you did for “Speakers”
9. From the “Sound” window, do the same thing for the other microphones on your computer
10. Reboot.

This should fix your Skype sound problem. Enjoy.

After clearing up a virus, it’s not too unusual that you still can’t connect to the internet through your browser even though your computer is connected just fine to its network. For example if you open a command window, and type “ipconfig” you will see that you have a proper ip address (like 192.168.1.x). You can even ping sites, I usually use Yahoo for testing, by typing “ping www.yahoo.com” but still the browser returns something like “Internet Explorer cannot display the webpage”. Frustrating.

I had this problem tonight on a customer machine and what was more frustrating was that my normal quick-fix didn’t work. Normally on an XP machine I can just run LSPFIX and the problem is solved, that works 90% of the time. If that doesn’t work, then I have used another Winsock Fix you can find here. Tonight though neither of those worked. Just as that bastard little voice in the back of my head was starting to tell me I was going to fail at fixing this machine, I remembered one really simple little trick that these viruses play – proxies.

As the little voice became louder and louder, “Steve, you’re not smart enough, you’re going to have to call your customer and admit it, everyone will think you’re a loser, your wife will leave you and your children will despise you…”, I opened Internet Explorer and did the following:

Tools/Internet Options/Connections/LAN settings

On the bottom half of the window, sure enough “Use a proxy server for your LAN” was checked and the LAN traffic was being proxied to port 555 on the laptop. I unchecked the proxy server and viola! this machine was back on the grid and that little voice was getting a fail enema.

Customers ask me quite often my advice on what brand of new laptop computer to buy. Personally I favour Thinkpads, I’ve been using them for almost 20 years and I’ve never had one fail me yet. I have 3 of them here in the house that are at least 7 years old and they are still going strong (OK, the X22 has some screen issues but it’s still very serviceable). Generally though I tell people to look for a good deal on a laptop, get one with a dual-core processor and 1 or 2 GB RAM and they should be OK whether it’s Dell or Toshiba or Gateway or whatever Best Buy happens to be selling at the time. I have now added to my advice the following – whatever you do, don’t get an HP laptop. Sure, all manufacturers have some problems and you’ll find no shortage on the internet of pissed-off owners of various kinds of laptops, but in my experience the consistency of problems with HP Pavillion laptops is unequaled.

I’m a small repair shop in a relatively small town. There are probably 30 other computer repair places here in Lexington and maybe 50 if you draw a bigger circle around the “Greater Lexington Area”. I figure I probably do about 10% of the repair business that Geek Squad gets and I’m probably right it the middle for the amount of business the average small repair shop handles. In the last two weeks, I alone have had a dozen, that’s 12, HP Pavillion owners come to me with the exact same problem. Right now here I have 2 DV2000, 2 DV9000, a TX 1000 and a DV6000 Pavillion here for repair. Now that sounds good for me but it’s bad for the owners. All of these computers suffer from the same design flaw that causes them to overheat and burn out the wireless card, the video chip and/or the power distribution chip. In each case, the fix is to replace the system board – a pretty expensive proposition. Now, if my little shop is seeing this many of these machines, many of which are only 2 years old, imagine how many of them are really out there!

Of course HP knows about this problem. To their credit, HP started a recall of these machines, well their term for it was “Limited Service Enhancement Program” a while back. Unfortunately, they didn’t cover all of the machines that appear to suffer from the problem and, I guess because they didn’t name it a “Recall”, the time period to report your machine for a deservedly free repair was limited. So, even if your machine was poorly designed and even if HP know about it, and even if they admitted it had a problem and offered to fix it for you, if you didn’t know about the offer or are a few days “late” in enquiring about it, you’re screwed. Pay them $260 to change the system board or go buy a new computer. That’s not right.

I called HP today on behalf of a customer and spoke over a very bad telephone line to one of HP’s agent’s who must have been in the Phillipines. As best I could tell his name was Debie, maybe it was Randie, it was a very bad line. He told me, “Mr. Hamrin, your machine is out of warranty but was covered under our Limited Service Enhancement Program. Unfortunately though, this extended program ran out in October.” Now, I explained to Debie/Randie that the machine actually had been broken since October, but it took the owner a couple extra weeks to report it (I was calling HP on 18 November). No dice says, Debie/Randie, it’s too late, you should have called in October. You have no recourse. Debie/Randie told me that he was the final authority on this.

Sorry HP, that’s not right. You sold a defective computer, you should fix it, period.

So if you have an HP Pavillion DV 2000, DV 6000, DV 9000, TX 1000, TX 2000 or any other HP Pavillion laptop that is showing any of the following behaviours, call HP at 1 800 HP INVENT right away and ask for a new system board:

• HP Pavillion Wireless card won’t turn on
• HP Pavillion won’t power on
• HP Pavillion graphics freeze

If your computer is either under warranty or just out of warranty, maybe you’ll still be under their program, I hope you are. If you aren’t, my advice is to get your files off your HP and take it as a lesson learned that you should never buy an HP laptop.

Edit (24/2/10): If you would like to get an idea of the scope of this problem and HP’s indifference to it or if you would like some instruction on taking HP to small claims court, go to this excellent HP problems site.

As anyone who has had this problem and consulted Google can attest, there are a lot of reasons why a PC may boot to a black screen with a blinking cursor. I have a list of 15 fixes that I use when I get a Vista computer with this problem (I’ll publish it some day). I recently wrote a post about  solving the blinking cursor problem in Windows 7 and wanted to follow it up with another solution that is pretty simple to implement and worth trying if you have this problem in XP, Vista or Windows 7.

This morning I was testing a composite video to USB connector on my Windows XP laptop. I needed to copy some files from a USB thumb drive over to the laptop. I rebooted the machine after installing the drivers and accidently left the USB thumb drive connected. Normally this wouldn’t be a problem but this particular thumb drive is a boot drive for Ubuntu Linux and so my machine accidentally booted into that instead of back into XP. To make a long story short, I got impatient with the shut-down process in Ubuntu and hit the power switch before it was completely shut down. The result was that my trusty Thinkpad would no longer boot, it just sat there with a blinking cursor. I got a similar result trying to boot to Safe Mode.

OK, I admit that a little panic set in as I thought about all the un-backed-up pictures of my daughter on that drive, but I kept my cool (I ain’t no fool), let me tell you what happened then. I removed the drive from the laptop and attached it to a SATA-to-USB cable and connected to my Windows 7 machine and ran a CHKDSK on the drive. Sure enough, that was the problem, CHKDSK found a few errors in the file system, fixed them and upon reinsertion, the drive booted like a champ.

Conclusion: Quite often you can start to solve a compound problem by doing a CHKDSK on your boot drive. If your PC has recently had a BSOD or shut down abruptly, and then subsequently will not boot, it may have hosed the file system, run a CHKDSK. You don’t even have to take the disk out of the machine the way that I did to accomplish this. You can use your Windows XP installation disk to boot to the Recovery Console and run a CHKDSK from there. Vista and Windows 7 installation DVD let you boot to a pretty nice set of tools that allow you to open a recovery window as well (just open a Command Prompt). Just put your installation disc in the drive and turn on the computer, you might have to hit F12 to get the boot menu to force it to boot from the CD/DVD player.

Microsoft has recently introduced their latest iteration of virus protection called Microsoft Security Essentials (MSE). I have read reports, largely anecdotal, that it is a pretty good product and in fact it has got good ratings for its virus removal ability (NOT necessarily detection) from AV-Comparatives. I have been a fan of Avira Anti-Vir for some time now based both on their excellent independent test results and my own experience with cleaning up customers’ PCs. I expect I will continue to use Avira, but I’m having second thoughts about installing it on customer machines. The problem is that Avira has this nagware component on their free version. The nagware pops up every day suggesting that you buy the product, this is OK as far as I’m concerned but I believe that naive users may not be able to quickly distinguish between this legitimate advert and a pop-up for one of the nasty Fake Anti-virus products.

Yesterday I had a customer bring me a laptop infected with a very recent and particularly nasty set of viruses. The viruses prevented installation and/or execution of all of the key malware removal tools (for example, I installed Malwarebytes and while it was getting ready to run, the viruse(s) killed it and rendered it thereafter unusable – impressive). In addition, Task Manager was disable and Safe Mode disable (by BSOD).

I always start a virus removal by making an image of the drive I will be working on. That image can be mounted on my computer just as if the original drive was attached. I decided to use this image as a test to see what MSE would find on it compared to Avira and thereby get a datapoint for myself on just how good MSE is compared to what I consider the best antivirus program available.

Test Environment

The scans were run on a machine that dual boots between Windows 7 and Windows XP Pro. I have a licensed version of Avira AntiVir on the Windows 7 drive and MSE loaded on the XP Drive. I use ShadowProtect Desktop from StorageCraft Technology for imaging drives. The Avira scans were run with virus definitions from 3 November and the MSE using definitions from 4 November. The initial infection of the drive was reported to have occurred on 2 November with the machine having around 3 minutes of internet access on 3 November.

Baseline – Avira

During its scan, Avira identified 19 instances of malware, they were:

• TR/Agent AH.313 Trojan x2
• TR/FraudPack.yox Trojan x4
• TR/Crypt.ZPACK.Gen Trojan x3
• TR/Crypt.XPACK.Gen Trojan
• TR/Agent.AH.312 Trojan
• ADSPY/Wheatesbug.A adware
• TR/Agent.AH.337 Trojan x2
• TR/Agent.AH.319 Trojan
• TR/Crypt.ZPACK.Gen Trojan
• TR/Agent.AH.308 Trojan
• TR/Agent.AH.310 Trojan

Microsoft Security Essentials

Initially, I installed MSE on a laptop that is on the same network where the infected image resides. I then shared the image, gave the share a drive letter on the laptop and told MSE to do a custom scan on that drive letter. The scan ran for about 15 minutes and found nothing, zero, zilch, nada – YIKES! I was a bit surprised by this initial result but decided to consider it an unfair comparison as Avira was tested on the resident machine (but took note that an over-the-network scan by MSE is probably useless). I then installed MSE on the test machine’s XP drive so I could run a local apples-to-apples comparison.

On this second configuration, which took just over an hour to run, MSE found the following 22 items:

• Trojan:Win32Meredrop
• TrojanDownloader:Win32/Renos.JM x4
• TrojanDownload:Win32/Resno.JI x4
• TrojanDropper:Win32/Sirefef.A!dll (Avira missed this one)
• Trojan:Win32/Fakeinit
• Virus:Win32/Alureon.A
• VirTool:Win32/Obfuscator.HG x10

Conclusions

While my methodology contains at least one glaring flaw, that MSE had 1 day’s newer data, the comparison was still sufficiently valid for my purposes. Here is what I have drawn from the comparison:

• MSE found problems in 7 individual files that Avira did not (these details are not listed above)
• Avira found problems in 3 files that MSE did not (also not detailed above)
• While MSE had the advantage of 1 day over Avira which is a little unfair, it acquitted itself well in the test
• I would be comfortable installing MSE on customer computers

Errata

I have not taken into account the possibility of false positives in these tests. It’s possible that either of these scanners appear to be better than they really are because they are finding problems that aren’t really there. Generally I don’t concern myself with FPs as I would rather err on the safe side anyway. Having said this, MSE found ATAPI.SYS, EVENTLOG.DLL and LSASS.EXE to be infected, deleting these programs will pretty much screw your Windows installation so an FP here could be a problem. I also have concerns about MSE on a low-spec machine, it seams to command a lot of processor power even when it is doing nothing, it took 100% CPU cycles on my PIII laptop and virtually shut down the machine for 30 seconds when I merely tried to open Control Panel.

On the other hand, Microsoft, who can’t produce a secure operating system do seem to have a very good handle on finding the viruses and trojans that take advantage of their deficiencies (in a 1.0 version product no less). If I combine MSE’s excellent virus removal results with my quasi-scientific malware discovery results described here, I think it is a very recommendable product and I will keep an eye out for some more scientific studies from AV-Comparatives and others.

Addendum 12 May 2010: I am continuing to install MSE on customer computers. I like it because it is very easy to maintain and that’s quite important for many users. However, MSE does has its flaws that have come out in using it over time and I do not install it on every computer.

First, anecdotally, I do not think it finds all the viruses that Avira does. On occasion I have run MSE first, the Avira and Avira still found items or traces of virii. Secondly, MSE is not very good on a low-specification machine. If the computer has 500MB of RAM or less or it has a slow processor, I find that often MSE drags the machine to a crawl either by monopolising RAM or the CPU.

Well, I’ve had my first Windows 7 problem. I did a clean install “upgrade” of a machine to Windows 7 Home Premium, tested the machine and turned it back over to the customer. He called me two days later when he experienced the infamous (Vista) KSOD. He described the symptom this way: the machine was working fine the night before, but when he turned it on in the morning, it came up with the BIOS screen then went straight to a black screen with a blinking cursor. Yikes, I thought, this is too close to Vista for my tastes.

The machine is a Toshiba Qosmio A45-411 laptop. I’m not actually positive that this is strictly a Windows 7 problem. It turns out that the issue has to do with the computer not finding the hard drive after it wakes up from hibernation. To fix the immediate problem, I removed the hard drive from the machine and turned it on. With no hard drive it the machine, it tries to boot from the network (for some reason it skips over the CD drive which is first on the list). After the unsuccessful network boot, I turned off the computer and re-inserted the hard drive. Hit the power switch and it will again try to boot from the network, then, after a moment, will successfully resume using the HDD.

This particular computer had some problems with SATA LPM (Linked Power Mode) which were supposed to be fixed with a BIOS update. I have a suspicion that this is where the problem lies but I don’t have the time right now to fully sort this. My workaround for the problem is to disable hibernation on this machine as the customer is OK with that. You can read about how to disable hibernation in Windows 7 here. If you use the GUI method Brink describes here, there is a setting for disk power that might be interesting to fool with if you have the time.

EDIT: I’ve added another simple solution for the blinking cursor problem that is not Windows 7 specific.