Three times in the past week colleagues and I have been confronted with computers where the hardware was OK, but the software had been compromised to the point that the computer wouldn't boot. In one case, a re-installation of the operating system fixed the problem, but at a loss of some irreplaceable data.
Having had my fingers in all three of these, it seemed like a good time to make some notes. There are numerous other ways of dealing with this problem, but what I've written here is likely to work in a majority of cases, and is likely to preserve one's data in most cases. This method also uses tools that are accessible to almost everybody. (I guess I have to add that, while this has worked for me, these suggestions are presented without warranty; if any of these steps don't make sense to you, it is probably time to get help.)
I've added a couple of notes at the end about recovering from a lost Windows password, and what to do if a system screen, like "Help and Support," either won't open at all or opens to a blank screen.
Before trouble strikes...
Assemble a Crash Kit
Your "crash kit" should include:
- A USB-attached external hard drive
- A copy of the PING software or other partition image software
- A bootable Windows rescue disk
- The hardware manufacturer's Windows install disk, plus drivers, etc.
Get a little satchel for this stuff and keep it all together in one place. A plastic tackle or tool box from a hardware store is ideal. You will also want a "CD wallet" to hold the CDs so they don't rattle around loose in the box.
You are going to use the USB drive to make backup copies of data, so it needs to be about twice as big as the biggest hard drive you have. I've had good luck with Buffalo Drivestation brand drives, and colleague recently bought a 1 TB Drivestation for $114.
PING is a partition imaging program available here: http://ping.windowsdream.com/ It is free, but there's a way to make a donation. I encourage you to do so since this will be a part of your operational kit. I suggest 40 Euros, about $60. Make a PING disk and save the ISO image on your USB drive. (Make a "tools" directory for this stuff.")
It is easy to find instructions for making a rescue CD. One that I have tested, but not rigorously, is here: http://www.howtohaven.com/system/live-windows-rescue-cd.shtml Substitute "SP3" for "SP2" in the instructions. Test the disk that you make. Save an ISO image of it on your USB drive in the Tools directory.
Kaspersky, F-Secure, and BitDefender all provide free, bootable anti-virus rescue disks. You might want at least one, and maybe all three, in your crash kit. (Trouble is, something that gets by your own anti-virus might slip past those, too.)
I'm pretty sure you want a copy of Malwarebytes' Anti-Malware. There is a free license for personal use, and also technician and corporate licenses. I urge you to pay the appropriate license fee if it becomes a part of your regular procedures. Even if you use it only once, pay the $25 for the personal license and help keep these people in business.
You should get a copy of Secunia's Software Inspector. There's a free Personal Software Inspector for personal use and licensed versions for corporate use.
"Rip" ISOs of the manufacturers' disks onto your USB drive so that you have one for each flavor of machine you support, and also include physical CDs. (You make the Tools directory so that you can reproduce the CDs if something happens to one, not to use directly.)
Using the Crash Kit
When faced with a machine that won't boot, or won't operate as intended because of some kind of software problem, including virus or spyware infections, do these things:
1. Free up space on the USB drive: If you have used the USB drive previously, you may need to delete subdirectories from previous rescue operations to make space on the drive. You need about twice as much space as the space used on the drive being rescued.
2. Make a copy of the failed machine's disk: From a working computer, create a subdirectory to identify the computer being repaired. Example: for a Dell computer, create a subdirectory using the service tag number as the name. Make an "image" subdirectory below that. With the failed machine turned off, connect the USB drive and boot from the PING CD. (Having the machine off when you connect the USB drive guards your USB drive against malicious software on the failed machine.) Use PING to make a copy of the failed partition, usually C: in the new "image" subdirectory on your USB drive. Now you can get back to the starting point no matter what else happens.
PING can copy about 30 GB an hour, so allow some time for this step. The result is a series of binary files, each sized to fit on a CD. However, you can also use a working PC to restore the image files to a second USB drive. Now you can copy data files, etc. However, a USB-to-USB transfer will be very time-consuming, and it isn't time to do that yet. The PING copy is only for backup purposes at the moment.
Some people might prefer to make a "direct image copy" of the disk in the failed machine, and there are software products that do that, too. You'll have to use your USB disk a little differently if you go that route. You'll probably have to set up a "recovery" partition onto which to load the image.
3. Try to repair the boot records: If the computer won't boot at all, it may be as simple as a corrupt boot record. Boot from the manufacturer's Windows install disk, type R to get to the recovery console, provide the administrator password, select the proper partition, and type fixboot c: You might also attempt to repair the master boot record with fixmbr. Microsoft warns that one might corrupt the partition table if the MBR is infected with a virus and suggests running a virus scan before attempting to repair the MBR. You can list the partition table with the map command of the recovery console. Take some notes!
There is more information about the recovery console here: http://support.microsoft.com/kb/314058
If you can boot after repairing the boot records and everyting "looks OK," go to step 8.
4. Run anti-virus software: If the problem is known or suspected to be malicious software, you can run one (or more) of the bootable scanners. These take many hours (allow overnight) to run and may not really help because a virus that escaped the installed anti-virus program (you do have an installed anti-virus program, right?) may escape the bootable scanner, too. The good news is, that if one of these works, you're nearly through!
If running anti-virus corrects the problem and you are reasonably certain that any malicious software has been eradicated, go to step 8.
5. A. Boot from the rescue disk: After making the image, shut down the machine and boot from the rescue disk with the USB drive still attached. You can now "rescue" files by copying them to the USB drive in the directory for the machine being serviced. If the problem is malicious software, be careful not to copy executable-type files. See http://antivirus.about.com/od/securitytips/a/fileextview.htm for a list of files to worry about.
5. B. Copy files: Copy the files to be rescued to corresponding subdirectory names on the USB drive. You may want to copy the entire Documents and Settings subdirectory. Be sure you get the user.id file for Lotus Notes users. Talk to the user of the machine in trouble about what other files may need to be saved. (Remember, you still have an image of the whole disk. You can "back up" as long as that image exists on your USB drive, so a missing file isn't a disaster until you finally erase the image.)
6. Do a Windows upgrade/repair install: Boot from the manufacturer's Windows install disk and choose "install windows." The installer should detect the presence of the current Windows installation on the hard disk and ask whether you want to "upgrade" or perhaps "repair" the installation. That's the right answer unless you're trying to eradicate stubborn malicious software. The Windows repair/upgrade installation will replace Windows files and registry entries as necessary to get a bootable system, but will (try to) preserve data and installed programs, along with their registry entries.
If you can boot after the upgrade/repair install, go to step 8.
7. Do a fresh install of Windows: This has the effect of driving a stake through the heart of everything on the disk, good or bad, and burying it at a crossroads at midnight. This is a last-resort kinda thing to do. But, if the hardware is healthy, this is almost certain to get you back to a working machine. The possible exceptions are malicious software that has written to the computer's flash memory or to reserved areas on the disk. Those problems are beyond the scope of this article.
8. Update, virus scan, restore point: You're almost there! Run Windows Update repeatedly until it finds no high priority updates. Install and run F-Secure's Blacklight rootkit eliminator from here: http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/index.html Install and run Secunia's Personal Software Inspector from here: http://secunia.com/vulnerability_scanning/personal/ or use the appropriate commercial version. Update any out-of-date software found by the PSI scan. Make sure virus definitions are up to date and run a full anti-virus scan. This will probably take overnight to complete. Create a system restore point and return the machine to service.
Blank "Help and Support" (or other) Screen
If you try to run Windows Update or System Restore from the Help and Support link, you may find that Help and Support will not start, or that it displays a blank screen. Several Microsoft (and other) programs use the Internet Explorer rendering engine to manage their displays. Remove IE using Add/Remove programs and reinstall it. Alternatively, just re-installing IE 8 from the Microsoft download page may fix this problem.
Lost Windows Password
PING can blank the local administrator password on a computer, allowing you to reset both administrator and user passwords.
No Network Access
If a computer is otherwise working as it should, but has either no network access at all or no Internet access, a possible problem is a failed uninstall of a Norton security product. This sympton can show up months or years after removing a Norton product if a remaining module is "tickled" by some other software change. If you are not currently using Norton products, download and run Symantec's Norton Removal Tool. Be sure you read the warnings, especially about ACT! and WinFax before you do this.