Lexington Computer Repair Blog

I am working on a customer’s computer here that has a fairly serious virus infection. Thinking I had cleared the virus, when I put the HDD back into her machine it would just log me out as soon as I logged in. Things went downhill from there and I ended up having to restore her disk back to the way it was when she brought it in and start all over again. After clearing the viruses for a second time (this time correctly), the machine would not boot. When I turned it on, all I got was a black screen with a blinking cursor.

I tried booting to the XP installation disc (after breaking the Admin password using EBCD from here) and using FIXMBR and FIXBOOT but this was to no avail. I checked the BOOT.INI file which was OK and I tried restoring her drive both with its original MBR and the standard Windows XP MBR – no dice. Then I remembered a tool I had used a while back for a mysteriously unbootable computer that was giving me the “NTLDR missing” error. In this case I was not getting any error message, just the black screen blinking cursor, but the two problems felt the same to me. Sure enough my NTDLR fix CD repaired the problem on the first try. You can download the black screen blinking cursor fix from here.

The author, Mike Comer, does a nice job of explaining how this works technically so I won’t repeat it here. I will recommend that if this fixes your problem that you make a small donation to Mike as I have for his excellent help.

Edit 26 August 2010: I have had a couple of Dell computers here this week with the same problem. I am convinced that it has to do with a failing hard drive. If I am right, the fix for this problem of course is to replace the hard drive. One work-around that has been reported to work is to remove the hard drive and do a defrag on it, then put it back in the problem machine (be sure to run CHKDSK /F both prior and after the defrag). Another work-around is to reformat and re-install. Both of these have worked but I have some doubts about whether they are good long-term solutions. Possibly worth a try though.

After clearing up a virus, it’s not too unusual that you still can’t connect to the internet through your browser even though your computer is connected just fine to its network. For example if you open a command window, and type “ipconfig” you will see that you have a proper ip address (like 192.168.1.x). You can even ping sites, I usually use Yahoo for testing, by typing “ping www.yahoo.com” but still the browser returns something like “Internet Explorer cannot display the webpage”. Frustrating.

I had this problem tonight on a customer machine and what was more frustrating was that my normal quick-fix didn’t work. Normally on an XP machine I can just run LSPFIX and the problem is solved, that works 90% of the time. If that doesn’t work, then I have used another Winsock Fix you can find here. Tonight though neither of those worked. Just as that bastard little voice in the back of my head was starting to tell me I was going to fail at fixing this machine, I remembered one really simple little trick that these viruses play – proxies.

As the little voice became louder and louder, “Steve, you’re not smart enough, you’re going to have to call your customer and admit it, everyone will think you’re a loser, your wife will leave you and your children will despise you…”, I opened Internet Explorer and did the following:

Tools/Internet Options/Connections/LAN settings

On the bottom half of the window, sure enough “Use a proxy server for your LAN” was checked and the LAN traffic was being proxied to port 555 on the laptop. I unchecked the proxy server and viola! this machine was back on the grid and that little voice was getting a fail enema.

As anyone who has had this problem and consulted Google can attest, there are a lot of reasons why a PC may boot to a black screen with a blinking cursor. I have a list of 15 fixes that I use when I get a Vista computer with this problem (I’ll publish it some day). I recently wrote a post about  solving the blinking cursor problem in Windows 7 and wanted to follow it up with another solution that is pretty simple to implement and worth trying if you have this problem in XP, Vista or Windows 7.

This morning I was testing a composite video to USB connector on my Windows XP laptop. I needed to copy some files from a USB thumb drive over to the laptop. I rebooted the machine after installing the drivers and accidently left the USB thumb drive connected. Normally this wouldn’t be a problem but this particular thumb drive is a boot drive for Ubuntu Linux and so my machine accidentally booted into that instead of back into XP. To make a long story short, I got impatient with the shut-down process in Ubuntu and hit the power switch before it was completely shut down. The result was that my trusty Thinkpad would no longer boot, it just sat there with a blinking cursor. I got a similar result trying to boot to Safe Mode.

OK, I admit that a little panic set in as I thought about all the un-backed-up pictures of my daughter on that drive, but I kept my cool (I ain’t no fool), let me tell you what happened then. I removed the drive from the laptop and attached it to a SATA-to-USB cable and connected to my Windows 7 machine and ran a CHKDSK on the drive. Sure enough, that was the problem, CHKDSK found a few errors in the file system, fixed them and upon reinsertion, the drive booted like a champ.

Conclusion: Quite often you can start to solve a compound problem by doing a CHKDSK on your boot drive. If your PC has recently had a BSOD or shut down abruptly, and then subsequently will not boot, it may have hosed the file system, run a CHKDSK. You don’t even have to take the disk out of the machine the way that I did to accomplish this. You can use your Windows XP installation disk to boot to the Recovery Console and run a CHKDSK from there. Vista and Windows 7 installation DVD let you boot to a pretty nice set of tools that allow you to open a recovery window as well (just open a Command Prompt). Just put your installation disc in the drive and turn on the computer, you might have to hit F12 to get the boot menu to force it to boot from the CD/DVD player.

Microsoft has recently introduced their latest iteration of virus protection called Microsoft Security Essentials (MSE). I have read reports, largely anecdotal, that it is a pretty good product and in fact it has got good ratings for its virus removal ability (NOT necessarily detection) from AV-Comparatives. I have been a fan of Avira Anti-Vir for some time now based both on their excellent independent test results and my own experience with cleaning up customers’ PCs. I expect I will continue to use Avira, but I’m having second thoughts about installing it on customer machines. The problem is that Avira has this nagware component on their free version. The nagware pops up every day suggesting that you buy the product, this is OK as far as I’m concerned but I believe that naive users may not be able to quickly distinguish between this legitimate advert and a pop-up for one of the nasty Fake Anti-virus products.

Yesterday I had a customer bring me a laptop infected with a very recent and particularly nasty set of viruses. The viruses prevented installation and/or execution of all of the key malware removal tools (for example, I installed Malwarebytes and while it was getting ready to run, the viruse(s) killed it and rendered it thereafter unusable – impressive). In addition, Task Manager was disable and Safe Mode disable (by BSOD).

I always start a virus removal by making an image of the drive I will be working on. That image can be mounted on my computer just as if the original drive was attached. I decided to use this image as a test to see what MSE would find on it compared to Avira and thereby get a datapoint for myself on just how good MSE is compared to what I consider the best antivirus program available.

Test Environment

The scans were run on a machine that dual boots between Windows 7 and Windows XP Pro. I have a licensed version of Avira AntiVir on the Windows 7 drive and MSE loaded on the XP Drive. I use ShadowProtect Desktop from StorageCraft Technology for imaging drives. The Avira scans were run with virus definitions from 3 November and the MSE using definitions from 4 November. The initial infection of the drive was reported to have occurred on 2 November with the machine having around 3 minutes of internet access on 3 November.

Baseline – Avira

During its scan, Avira identified 19 instances of malware, they were:

• TR/Agent AH.313 Trojan x2
• TR/FraudPack.yox Trojan x4
• TR/Crypt.ZPACK.Gen Trojan x3
• TR/Crypt.XPACK.Gen Trojan
• TR/Agent.AH.312 Trojan
• ADSPY/Wheatesbug.A adware
• TR/Agent.AH.337 Trojan x2
• TR/Agent.AH.319 Trojan
• TR/Crypt.ZPACK.Gen Trojan
• TR/Agent.AH.308 Trojan
• TR/Agent.AH.310 Trojan

Microsoft Security Essentials

Initially, I installed MSE on a laptop that is on the same network where the infected image resides. I then shared the image, gave the share a drive letter on the laptop and told MSE to do a custom scan on that drive letter. The scan ran for about 15 minutes and found nothing, zero, zilch, nada – YIKES! I was a bit surprised by this initial result but decided to consider it an unfair comparison as Avira was tested on the resident machine (but took note that an over-the-network scan by MSE is probably useless). I then installed MSE on the test machine’s XP drive so I could run a local apples-to-apples comparison.

On this second configuration, which took just over an hour to run, MSE found the following 22 items:

• Trojan:Win32Meredrop
• TrojanDownloader:Win32/Renos.JM x4
• TrojanDownload:Win32/Resno.JI x4
• TrojanDropper:Win32/Sirefef.A!dll (Avira missed this one)
• Trojan:Win32/Fakeinit
• Virus:Win32/Alureon.A
• VirTool:Win32/Obfuscator.HG x10

Conclusions

While my methodology contains at least one glaring flaw, that MSE had 1 day’s newer data, the comparison was still sufficiently valid for my purposes. Here is what I have drawn from the comparison:

• MSE found problems in 7 individual files that Avira did not (these details are not listed above)
• Avira found problems in 3 files that MSE did not (also not detailed above)
• While MSE had the advantage of 1 day over Avira which is a little unfair, it acquitted itself well in the test
• I would be comfortable installing MSE on customer computers

Errata

I have not taken into account the possibility of false positives in these tests. It’s possible that either of these scanners appear to be better than they really are because they are finding problems that aren’t really there. Generally I don’t concern myself with FPs as I would rather err on the safe side anyway. Having said this, MSE found ATAPI.SYS, EVENTLOG.DLL and LSASS.EXE to be infected, deleting these programs will pretty much screw your Windows installation so an FP here could be a problem. I also have concerns about MSE on a low-spec machine, it seams to command a lot of processor power even when it is doing nothing, it took 100% CPU cycles on my PIII laptop and virtually shut down the machine for 30 seconds when I merely tried to open Control Panel.

On the other hand, Microsoft, who can’t produce a secure operating system do seem to have a very good handle on finding the viruses and trojans that take advantage of their deficiencies (in a 1.0 version product no less). If I combine MSE’s excellent virus removal results with my quasi-scientific malware discovery results described here, I think it is a very recommendable product and I will keep an eye out for some more scientific studies from AV-Comparatives and others.

Addendum 12 May 2010: I am continuing to install MSE on customer computers. I like it because it is very easy to maintain and that’s quite important for many users. However, MSE does has its flaws that have come out in using it over time and I do not install it on every computer.

First, anecdotally, I do not think it finds all the viruses that Avira does. On occasion I have run MSE first, the Avira and Avira still found items or traces of virii. Secondly, MSE is not very good on a low-specification machine. If the computer has 500MB of RAM or less or it has a slow processor, I find that often MSE drags the machine to a crawl either by monopolising RAM or the CPU.

After cleaning up a virus infection a customer’s laptop came back to me because they could not install their Kodak ESP-3 printer on it. All attempts to install the printer resulted in failure with the cryptic error message being “the parameter is incorrect”. The only reference to a problem in the Event Log was an entry saying “KSDip.dll failed to unregister”, which I got each time after uninstalling the Kodak software (this error message turned out to be a red herring).

After a lot of wasted effort I finally came back to something that I was suspicious of from the beginning. The customer was a university student and apparently the university had loaded some software by Pharos Systems on the computer. The Pharos software, I guess, does some kind of tracking of print jobs, perhaps on shared printers – I’m not that sure exactly.

I should mention that I was suspicious of the Pharos software from the beginning because it would cause the system to make the “Windows Critical Error” bong every so often. To make a long story short, Pharos takes over the USB Monitor and Port functions and, it seems, keeps users from installing printers onto them.

This thread by another poor slob who could not install a USB printer gave some good hints as to where to look for the problem, and Microsoft was some help as well. The key, if you need to work around Pharos (which refused uninstallation on my computer) is to get the extra Pharos references out of the USB Monitor and Ports sections of the registry and to add the default keys back in.

When we get calls here from computer users, the three most common questions we get are:

1. How do I tell if I have a virus?
2. Should I buy a computer that runs Vista?
3. How can I speed up my computer?

I recently sent these tips about the last item to Hartland Computer Services customers (some suggestions on the first question can be found here, and the quick answer to the second question is “no”).

Speeding Up Your XP or Vista Computer

1. Add more memory -
When Windows runs out of RAM (Random Access Memory) it starts moving programs out of memory and onto the hard disk, this slows down the computer – often considerably. Here is a very general rule of thumb, if you are running Windows XP, use at least 1GB (one Gigabyte) of RAM, if you are running Vista, 2GB is normally sufficient. To find out how much RAM you have, go to the Windows Start Menu, open Control Panel then click on “System” (“System” may be under something like “Performance and Maintenance” depending on how your menus are set up). You’ll find your RAM listed there next to the speed of your processor.

2. Get rid of those dumb toolbars –
The latest trick of hardware and software manufacturers is to sneak a search toolbar into your browser. These toolbars, by Yahoo, Google, McAfee, Ask and others take up screen space and, if you get more than one of them, often fight with each other, slowing down your internet experience. To stop the madness, open your browser and go to “Tools” then choose “Add-ons” or “Manage Add-ons”, look for entries like “Yahoo Toolbar” and “Ask Toolbar”, highlight them and then click the “Disable” button. When you restart your browser they’ll be gone and quite often you will feel a noticeable improvement in browsing speed.

3. Ease up (a little) on security –
The level of security provided by many of the commercial software “suites”, for example Norton 360 and McAfee Security Suite, is quite high. The real-world equivalent might be like living in a gated community with 24-hour police patrols, door locks, bars on the windows, a moat a drawbridge, surveillance cameras, a helicopter above…well, you get the point. I’ve seen the processing overhead of these suites drag the performance of an otherwise decent computer to the ground. Personally, I prefer a just a good anti-virus program (most of my customers know I prefer Avira AntiVir, Kaspersky has a good reputation as well) and Windows Firewall (you should probably add an on-demand spyware checker like SuperAntiSpyware as well). Whatever you do, do not run two anti-virus programs on the same machine, they will tend to fight each other, miss viruses and slow your computer to a crawl.

4. Test your internet connection –
For most people, “slow internet” and “slow computer” are one in the same because they have the same impact on you as a user. It might be helpful to know if your slow computer is actually a problem with your internet service. For those with Insight Broadband, you can go to their test site, found here, to test the speed of your connection. Personally, I suspect that Insight’s test always tells you that your internet connection is great (and I have some evidence to back that up) so you might want to try an independent site like www.speedtest.net as well. If your results are less than say 9Mbps (that’s 9 Megabits per second) you might want to call Insight and have a chat with them (I’ve generally found them to be pretty responsive).

5. Scan for viruses –
No advice on speeding up your computer can be complete without a recommendation to scan for viruses. I won’t belabour this point here. Make sure your Antivirus program is up-to-date – that means virus definitions from today- and run a full scan of your computer (as per my last email to you, you should make sure you are not running a bogus Antivirus program as well).

I recently worked on a laptop here that had a serious virus problem. After getting rid over 1300 virus-related items on the machine I tested Windows Update to see if it was still working. This is usually a pretty good test to run after clearing viruses as they like to disable Windows Update.

Instead of being disabled on this machine, the viruses had fiddled with the registry causing the PC to apparently report that it was running Vista rather than Windows XP. Using IE and selecting Tools/Windows Update, the user was redirected immediately to a Windows Vista update screen that showed how to reach WU under Vista. It was not possible to get to the proper screen.

I found a number of instances on the web where people had this same problem but not a good proven solution until I found this site: http://www.winhelponline.com/articles/35/1/Windows-Update-page-says-Thank-you-for-your-interest-in-obtaining-updates-from-our-site.html.

Deleting the registry keys as described immediately fixed the problem. Be sure to back up the keys first as described before attempting this fix