Acer Aspire won't boot



nofam
26-10-2010, 10:22 PM
Have an Acer Aspire here which apparently crashed when a printer tried to update a driver, and now won't boot (cycles through the startup repair function, but is unsuccessful - same on normal/safe boot).

I've slaved the drive, and NOD32 has found:


F:\Windows\System32\drivers\disk.sys - Win32/Olmarik.ZC trojan - error while cleaning

Strange it couldn't remove it, but I'm guessing the file is either fake, or a corrupted legit one, so what's the next step? Can I use the Vista Recovery CD to do a repair install on the system files? Or does that wipe things?

Will do a rebuild if I have to, but owner wants a fast turnaround (don't they always?)

Speedy Gonzales
26-10-2010, 10:31 PM
Is it 32 or 64 bit Vista? If you use Vista, copy disk.sys to that folder.

Scan it with this

http://kb.eset.com/esetkb/index?page=content&id=SOLN2372

A removal tool for it. The file isn't fake (it's on this 64 bit Vista). It's probably infected.

nofam
26-10-2010, 10:43 PM
> Is it 32 or 64 bit Vista? If you use Vista, copy disk.sys to that folder.
>
> Scan it with this
>
> http://kb.eset.com/esetkb/index?page=content&id=SOLN2372
>
> A removal tool for it. The file isn't fake (it's on this 64 bit Vista). It's probably infected.

Cheers Speedy - it's 32-bit... Problem I have is that I can't boot into the drive to run the removal tool, and there are no instructions on how to run it with a drive letter switch etc? Will disk.sys be on the recovery disk somewhere?

Speedy Gonzales
26-10-2010, 10:49 PM
Is MSE on the PC you connected it to? Looks like that should remove it. It looks like it's a rootkit.

It's actually Virus:Win32/Alureon.H. This also infects atapi.sys.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FAlureon.H

I have no idea if it's on the recovery DVD or not, never had one. It's probably crashing because disk.sys is probably similar to atapi.sys (it's the main file for IDE HDDs / HDDs). You could try installing Trojan Remover and scan the letter the HDD is on.

nofam
26-10-2010, 10:51 PM
Will give that a try, thanks speedy

Speedy Gonzales
26-10-2010, 10:53 PM
No probs

nofam
28-10-2010, 09:29 AM
So I'm pretty much out of ideas for this - I've cleaned the slaved drive up as best I can with NOD/MSSE/MBAM, put the drive back in the Aspire and run Kaspersky's rescue disc, which found a few more infections, and have run a CHKDSK from the Vista recovery console.

But as I still can't boot into it to run any SFC commands, I'm not sure how to fix the drivers etc that have been damaged.

I've spent long enough on it, so will probably end up rebuilding, but is there anything else I can try (a la XP's repair install that will fix system file errors, but leave user profiles/apps intact?)

Speedy Gonzales
28-10-2010, 09:31 AM
How many files are/were infected? If there's only a few, replace them.

nofam
28-10-2010, 09:47 AM
I did replace disk.sys with a known working one as you suggested Speedy, and all the other infections were files in \windows\temp... I guess I could replace every file in \system32\drivers, but that could just cause more problems than it would solve.

That's why I'd prefer an automated compare/replace system like sfc /scannow.

Speedy Gonzales
28-10-2010, 09:50 AM
Umm, the recovery DVD you've got. Does it have an install.win file in it (in the sources folder)? You can replace whatever if you open it with something like 7-zip. I think you need to find out WHAT version of Vista 32 was on it first.

If it doesn't, I could probably extract whatever and send it (hopefully it's not too big) using TeamViewer. I wouldn't worry about what's in the temp folder. Delete them.
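
An added example (not part of any post in this thread): one way to do the compare step asked for above from the working PC, hashing each .sys file in the slaved drive's drivers folder against a folder of reference copies extracted from the install image. The reference folder, the function names and the demo files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """SHA-256 of a file, read in chunks so large drivers are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def index_sys_files(directory):
    """Map lower-cased name -> path for each *.sys file (Windows names ignore case)."""
    return {p.name.lower(): p for p in Path(directory).iterdir()
            if p.is_file() and p.suffix.lower() == ".sys"}

def compare_drivers(offline_dir, reference_dir):
    """Sort the offline drive's drivers into match / differs / no_reference."""
    offline = index_sys_files(offline_dir)
    reference = index_sys_files(reference_dir)
    report = {"match": [], "differs": [], "no_reference": []}
    for name, path in sorted(offline.items()):
        ref = reference.get(name)
        if ref is None:
            report["no_reference"].append(name)  # e.g. a third-party driver
        elif sha256_of(path) == sha256_of(ref):
            report["match"].append(name)
        else:
            report["differs"].append(name)       # candidate for replacement
    return report

def demo():
    """Run the comparison on constructed sample files (not real drivers)."""
    with tempfile.TemporaryDirectory() as tmp:
        offline, ref = Path(tmp, "offline"), Path(tmp, "reference")
        offline.mkdir()
        ref.mkdir()
        (ref / "disk.sys").write_bytes(b"reference disk driver")
        (ref / "atapi.sys").write_bytes(b"reference atapi driver")
        (offline / "DISK.SYS").write_bytes(b"reference disk driver" + b"\x00patched")
        (offline / "atapi.sys").write_bytes(b"reference atapi driver")
        (offline / "printer.sys").write_bytes(b"vendor printer driver")
        return compare_drivers(offline, ref)

if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status}: {', '.join(names) or '-'}")
```

With the drive slaved as in the first post, the offline folder would be F:\Windows\System32\drivers. A file listed under "differs" is only not byte-identical to the reference, which also happens when the reference copies come from a different Vista version or service pack.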

wainuitech
28-10-2010, 10:01 AM
It's a long shot, but run System Restore back to before the problem started via the Vista Recovery CD; it may at least get it booting, then you can fix it / remove any infections.

faith1806
28-10-2010, 03:04 PM
First scan your PC, and then install a proper OS, and good luck.

nofam
29-10-2010, 11:14 AM
> It's a long shot, but run System Restore back to before the problem started via the Vista Recovery CD; it may at least get it booting, then you can fix it / remove any infections.

As I suspected, no restore points were available - I ended up doing a rebuild from the factory restore partition via the boot/Alt+F10 method.

Just out of interest WT, do you use specific OEM Vista recovery discs when you rebuild Vista machines (assuming the recovery partition isn't available), or can you just use a generic Vista DVD?

And am I right that all the versions are actually the same on the install DVD, and the version you end up with is determined by your product key?