Won't boot, normal or Safe Mode. xp

Discussion in 'Software' started by objames, Oct 21, 2011.

  1. objames

    objames Private E-2

    Windows XP
    Lenovo R500 Thinkpad

    I fell asleep watching a movie on my computer, when I woke up, my computer wouldn't boot up. It gets to the screen where it starts doing the POST, and just shows a flashing white cursor.

    I tried booting into Safe Mode, same thing. I tried looking for the 'thinkvantage' 3 second interlude where you can click on the blue icon and boot into the recovery partition, but that doesn't come up either. I can get into BIOS, no problem.

    We figured at first somehow boot record got corrupted, but of course, they don't come with boot disks anymore. I did manage to download and run the latest Hiren's Boot CD 14.1, and we thought maybe we could fix MBR with that, but no luck so far. We first thought to look for malware, and ran malwarebytes from Hiren's disk--no updates/upgrades--and it did find some trojans. I tried to run combofix and it tried to run with no upgrades, but didn't seem to run.

    Then we tried SuperantiSpyware, and set it the way you say in malware removal, but it didn't find anything. I don't know what else to do. I thought of downloading and installing the drivers for the thinkvantage, but since I have malware, I don't know if I should do that first, or what.

    Anyway, I'm out of ideas, and my friend said you guys are the champs, so here I am. I know I'm not supposed to post in the malware forum until I get into my OS, so I'm posting here first...if you do want me in malware, just say the word. Thank you in advance!

    obJames
     
  2. sach2

    sach2 Major Geek Extraordinaire

    Hi,

    The blinking cursor is usually a sign of a bad MBR. You can write a new MBR using testdisk from the Hiren's CD but the problem with that is the new MBR will not have instructions on how to start the Lenovo recovery partition as they will be erased. So using that option is only a "good" choice if you are absolutely sure you can't get into the recovery partition.

    What are the keystrokes to get into recovery? And have you repeatedly tried them?
     
  3. objames

    objames Private E-2

    I have been posting this for my friend, who has no access: I will find this out, but to answer your question, no, we are not sure yet that we cannot connect. We have tried running the built-in hard drive test, and it passes, and from 'live disks' like Linux Ubuntu, we can see all his files. So far, no matter which key pressed, it goes just to BIOS. The main way going before to the backup partition, was to quickly 'catch' the thinkvantage which came up right before Windows would kick in.

    What you say, tho, is exactly our concern: we feel it is all there, just that something has been screwed up, probably due to the malware. I at first thought it was faulty MBR, but just last night, running malwarebytes, without backups, it found several trojans, so our hope of course, is that if we could run mbam with updates, or maybe even combofix, from the Hiren's DVD, we might at least boot

    I will bring the computer over to my house tonight, as I have installed Hiren's on my Windows 7 computer--thru DVD--just to see if I could get online, and I can, thru ethernet, so I'll check again, and repost any new info. I do appreciate the help. Over the years you'all have helped many people in our little beach town to get their computers running again. I was actually surprised it was malware, don't know why, since that's usually what it turns out to be...but I didn't know there was malware that just totally shuts down system like this, but he says there have been other indications: getting sent to other sites, and one of the trojans found was a fake AV.

    Again, I'll get back later, after he is connected.
     
  4. sach2

    sach2 Major Geek Extraordinaire

    I read through a bit of your manual and see that that is set up such that you get a thinkvantage button to click on. That is different than the usual "hit F9 or F10" to launch the system recovery partition so the pointer to the partition may be in BIOS rather than the MBR--I am not sure.

    The MBR could have been corrupted by a sudden shutdown of the laptop. Not necessarily malware related.

    Do try a few times to hit the thinkvantage button and let me know exactly what happens.
     
  5. objames

    objames Private E-2

    Well, weird thing...I ran malwarebytes and combofix from the flash drive, and mbam found a bunch of trojans. I finally got it connected, so I could run combofix also, and it immediately said it found a rootkit and had to reboot, but I was in that Hiren's disk, and had to come back there, and of course, it's just running in memory, so CF was gone...*but* I tried booting back into hard drive, and with Hiren's disk, it gave option to boot to hard drive, and I was able to get on...

    So once I got up, and online, I was able to run the other requested apps, Superantispyware, and malwarebytes and combofix, and combofix did find some more malware, tho the others now come up clean, tho I have my logs from first time...I figured I needed to get updates and run them again...but it still won't boot by itself. And we want to keep the added sector, all that Lenovo stuff I guess. I'm going to try to reformat at this point, as now that computer will boot, I can access Lenovo recovery, and see if it reformats and fixes boot drive...mainly posted all this so you wouldn't think I didn't appreciate the help. Hopefully this will work, if not maybe I try redownloading some Lenovo drivers. Thank you again!
     
  6. the mekanic

    the mekanic Major Mekanical Geek

    Core corruption.

    Fresh copy of Windows, Sach?

    :banghead
     
  7. objames

    objames Private E-2

    Well, I went ahead and ran all the malware forum requirements, and it certainly did have malware. And now, we *can* get into the OS, by using the Hiren's boot disk. After POST, it shows all the Hiren's options, one of which is 'Boot From Hard Drive' and then it boots up...but that's the *only* way it boots. If not, just get that little blinking cursor. If we click on thinkvantage, the start interrupt, it gives us 3 options:
    1) Escape to resume normal startup
    2) F1 to enter the BIOS utility
    3) F12 to choose a temporary startup device.

    Only 2 and 3 work, and they just give me BIOS, or menu, which it will boot from DVD, but won't boot hard disk.

    It ran fine until that night: my friend fell asleep, and when he awoke, it wouldn't boot: I didn't think it was malware, but went thru the Read and Run me, anyway, and all kinds of stuff: malwarebytes, log included, and Combofix, log included. Combofix found a rootkit on the first run, but I couldn't complete because I was running from Hiren's Boot disk, but it seemed to have done the trick, because it will boot now, but only using the Hiren's Boot Disk. I ran combofix again, once I could get into the OS, so I could get a complete log. And it did find malware, just don't know if it showed the rootkit, or if I need to look for the first combofix log, if there even was one.

    Of course I've no Lenovo disks: they don't provide them anymore. I've tried reformatting, as I can get to Lenovo restore, but it won't let me go that way. Wish I could fix boot record, but with all the malware, I figure that caused it....do you'all think I should go ahead and post in the malware forums, since I can get to the OS, in a raggedy way....Can malware have screwed up this so I can't boot correctly?

    As always, thank you for help.
     


  8. objames

    objames Private E-2

    It just gives those same 3 choices, it doesn't give the recovery partition, and the hard choice, just gives the blinking cursor...no movement to booting at all...and BIOS is the other choice. I use the Hiren's DVD to boot.
     
  9. objames

    objames Private E-2

    I agree, never fail. I did include here the first mbam log, which is more indicative of the type of malware on this machine, than the other one. I think if no one has any better ideas, I should probably just go to the malware forums, and start a malware thread, just to make sure that the corrupted boot record, isn't still being screwed by some rootkit or another.

    I know sometimes, the correct combofix script will fix the boot, and it will go back to what it was...not sure, but at least I'd know I tried. I can get to the recover boot, and it's tempting to just do a fixmbr, but when I go into disk management, I can still see the recovery portion, and I fear that if I fix the mbr it will all be gone, and it's my friend's computer and he does want to save that...

    I've been unable to find the Lenovo disks for recovery. Even if you buy them, which I've done for Acer and Asus, you can usually find them somewhere, but I've not found Lenovo. Have found on their site, some pcdoctor iso, that you can burn and maybe fix it, but obviously I'm grasping for straws...
     


  10. sach2

    sach2 Major Geek Extraordinaire

    I think malware might be a good choice since you have already done the logs and they are experienced at reading them.

    If you want to write a new MBR, Hiren's includes testdisk which has that function. I only hesitate because sometimes starting the recovery functions are part of the manufacturer's MBR. In your case I don't think they are because it shows as part of the Lenovo/BIOS screen.

    Since you can boot into XP, check under Start menu>All programs and see if you have any Lenovo program that allows you to burn the recovery discs. That way you have a failsafe way to start the recovery function and can just write a new MBR to get past the blinking cursor and the need for Hiren's.
     
  11. objames

    objames Private E-2

    Thank you so much for your help with this. I'm sorry for the delay in responding: there is kind of two of us working on this, and I want to make sure we both are on the same page. :)

    I think it's probably best--as you say--to go ahead and post on the malware forums since we do have all the scans run, and I know from past experience, sometimes just getting rid of all the malware will fix the problem. It's been true for OS's tho I have a feeling maybe *not* so true for infected boot records.

    Sure seems rude on Lenovo's part that they seem not to provide any boot disks, not even for money, at least none I've found. The presumption that Lenovo software installed can take care of any problem just seems so arrogant, and obviously, wrong. Here I've got a guy ready and willing to reformat Lenovo, and there is no access to his reformat partition. We've tried what we can, but even using just a plain XP Pro disk doesn't fix it.

    I can go into boot management and see the 6gb partition, sitting there, I believe...but can't access it, so far....thank you again, if my friend hasn't had any better luck, we'll post in malware area, see if remaining malware is causing this, but I'm not real hopeful...
     
  12. sach2

    sach2 Major Geek Extraordinaire

    Definitely take a look at installed programs that have Lenovo in the name like ToolKit or ThinkVantage that run under XP. There should be one that will allow one copy of Recovery discs to be burnt. (I believe it is mandatory that all OEM computers be provided the opportunity.)

    ****
    If the discs were already burnt/lost then writing the new MBR will fix the immediate problem since the recovery button doesn't seem to work anyway.

    We could always try setting the recovery partition to active to try and boot into it to see if it runs the recovery software but I am unsure if this actually works because I haven't had a computer with a recovery partition in several years to test and reading various threads on the issue is inconclusive.
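
An added example, not part of the thread and not code from any tool named in it: a Python sketch that splits a saved 512-byte MBR sector into its boot-code area and its partition table, so a copy taken before an MBR rewrite can be compared with one taken after to see whether the recovery partition's entry and the active flag are unchanged. The sample sector, its partition types and sizes, and all function names are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_END = 440      # bytes 0-439 hold the boot code
TABLE_OFFSET = 446       # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"  # boot signature at bytes 510-511

def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the used partition entries of one sector."""
    if len(sector) != 512:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 marks an unused slot
            parts.append({"slot": i + 1, "active": entry[0] == 0x80,
                          "type": entry[4], "start_lba": start_lba,
                          "sectors": count})
    boot = sector[:BOOT_CODE_END]
    return {"signature_ok": sector[510:512] == SIGNATURE,
            "boot_code_blank": not any(boot),
            "boot_code_sha256": hashlib.sha256(boot).hexdigest(),
            "partitions": parts}

def compare(before: bytes, after: bytes) -> dict:
    """Report which half of the sector differs between two saved copies."""
    a, b = parse_mbr(before), parse_mbr(after)
    return {"boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
            "table_changed": a["partitions"] != b["partitions"]}

def _entry(status: int, ptype: int, start: int, count: int) -> bytes:
    # CHS fields are zeroed; only the LBA fields matter for this comparison.
    return struct.pack("<B3sB3sII", status, bytes(3), ptype, bytes(3), start, count)

def build_sample(boot_byte: int) -> bytes:
    """Constructed sector: active NTFS (0x07) plus a ~6 GB OEM (0x12) partition."""
    table = (_entry(0x80, 0x07, 63, 300000000)
             + _entry(0x00, 0x12, 300000063, 12582912) + bytes(32))
    return bytes([boot_byte]) * BOOT_CODE_END + bytes(6) + table + SIGNATURE

if __name__ == "__main__":
    # Two constructed copies that differ only in the boot-code bytes.
    print(compare(build_sample(0xEB), build_sample(0x33)))
```

From a live Linux disc the sector can be saved with `dd if=/dev/sda of=mbr.bin bs=512 count=1` (device name assumed) and its bytes passed to `parse_mbr`.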
     
