Travel Technology - Repair XP Install After Virus Removal - No Disks




tev9999
Oct 20, 09, 6:07 pm
I'm working on a friend's XP system that went into continuous reboot mode. I managed to get it to boot Ubuntu from a live CD and pulled the important files off to an external HD, so that is a plus.

This is a home built system (not by me). The guy that built it apparently kept all the disks when he moved out of state, so I don't have an XP install disk. He did tell me there is supposed to be a recovery partition on the HD, but I don't see one.

I pulled the HD and hooked it up to my Vista system via USB. Ran a quick scan with Western Digital diagnostics and all was well (except the missing partition).

Ran AVG Free and found/removed 9 viruses:

Trojan horse Generic14.CAIC
Trojan horse Generic14.CAHX
Trojan horse Generic14.CAHQ (2)
Virus Found HTML/Framer
Trojan horse Downloader.Wimad.K (2)
Trojan horse Rootkit-Pakes.U
Trojan horse Generic14.CBHD

Could one of these have trashed the recovery partition? The disk diagnostic reported a partition of about 290 GB and unused space of 9 MB. This is a 320 GB disk.

Any hope to repair this installation without a reformat and reinstall of everything? Is there a way to get ahold of an XP disk without repurchasing? I believe she does have the license number.


mbreuer
Oct 20, 09, 7:00 pm
First, if you have the space, create a copy of the disk image before proceeding further (in Ubuntu, use the dd command to copy the drive, not individual partitions)... you can pipe the output through bzip2 for space savings.

Second, use fdisk to have a look at the partition table. You may see the recovery partition present with a hidden code. If so, just change the type to the equivalent visible code. You can then mount and inspect the partition then fix boot.ini to include that partition.

If you don't see it, you CAN poke around the drive and see if the lost bytes contain a viable file system. If you can find it, you can dd those bytes from the drive to a new file; then fix the partition table to recreate the missing partition. Then you dd the file back to the partition (not drive).

In either case, redo the virus scan against the now-visible partition.

If you can't find it, then you'll probably have to purchase new XP disks. If you can borrow some, make sure they match the current license code.

One last point - if you do get new disks, you can make an attempt to recover applications by doing an upgrade install vs. a clean install. May not work in the end, but worth a shot.
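
Added example, not part of mbreuer's post: a Python sketch of the partition-table check described above, run against sector 0 of the dd image rather than the live disk. It lists the MBR primary entries, flags common hidden type codes with their visible equivalents, and reports unallocated runs where a lost partition could sit; the sample sector, sizes and function names are constructed for illustration.

```python
import struct

SECTOR = 512
# Common "hidden" MBR type codes and their visible equivalents (hidden = visible | 0x10).
HIDDEN_TO_VISIBLE = {0x11: 0x01, 0x14: 0x04, 0x16: 0x06, 0x17: 0x07,
                     0x1B: 0x0B, 0x1C: 0x0C, 0x1E: 0x0E}

def parse_mbr(sector0):
    """Return the non-empty primary partition entries found in sector 0."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        _status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype and count:
            parts.append({"slot": i + 1, "type": ptype, "start": start, "sectors": count,
                          "visible_type": HIDDEN_TO_VISIBLE.get(ptype)})
    return parts

def find_gaps(parts, total_sectors, min_sectors=2048):
    """Return (start, length) runs of unallocated sectors at least min_sectors long."""
    gaps, cursor = [], 1  # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] - cursor >= min_sectors:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["sectors"])
    if total_sectors - cursor >= min_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps

def build_sample_mbr():
    """Constructed sample: an NTFS partition followed by a hidden FAT32 partition."""
    def entry(status, ptype, start, count):
        return struct.pack("<B3xB3xII", status, ptype, start, count)
    table = entry(0x80, 0x07, 63, 1_000_000) + entry(0x00, 0x1B, 1_000_063, 200_000)
    return bytes(446) + table + bytes(32) + b"\x55\xaa"

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        hidden = p["visible_type"]
        note = "" if hidden is None else f" (hidden; visible type 0x{hidden:02X})"
        print(f"slot {p['slot']}: type 0x{p['type']:02X}, start {p['start']}, "
              f"{p['sectors']} sectors{note}")
    for start, length in find_gaps(parts, total_sectors=1_500_000):
        print(f"unallocated: {length} sectors from LBA {start} ({length * SECTOR} bytes)")
```

To use it on a real image, pass the first 512 bytes of the image file to `parse_mbr` and the image size divided by 512 as `total_sectors`. Only the four primary entries are read; logical volumes inside an extended partition are not walked.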

tev9999
Oct 20, 09, 8:38 pm
No luck finding the missing partition. I tried Ubuntu, Vista computer management, Western Digital diagnostics and a few other partition tools I downloaded. Looking at it again, it is reporting a single partition just under 300 GB, which is what my other 320 GB drive reports total across two partitions.

Giving up on it for the night. Any other ideas from the experts out there?


Loren Pechtel
Oct 20, 09, 9:27 pm
Get the license key for the system and then use whatever copy of XP you can (what's important is the license key, not the disk) lay your hands on that is the same version (home/pro, full/upgrade/OEM) as what's installed.


If you don't have the key, download the Magic Jellybean keyfinder--you need version 2 to pull keys off something other than the boot drive. (The last time I needed to do this, this was still a beta version.)

mbreuer
Oct 20, 09, 9:44 pm
Get the license key for the system and then use whatever copy of XP you can (what's important is the license key, not the disk) lay your hands on that is the same version (home/pro, full/upgrade/OEM) as what's installed.


If you don't have the key, download the Magic Jellybean keyfinder--you need version 2 to pull keys off something other than the boot drive. (The last time I needed to do this, this was still a beta version.)

Actually it has to be the same basic type ... Retail vs. OEM; Pro vs. not; SP3 vs. whatever. You can't, for example, download an MSDN image and use a retail key.

tev9999
Oct 21, 09, 2:40 pm
Thanks for the info. I'm going to see if she can have the disks mailed up. Probably the easiest way to go.

Loren Pechtel
Oct 21, 09, 7:56 pm
Actually it has to be the same basic type ... Retail vs. OEM; Pro vs. not; SP3 vs. whatever. You can't, for example, download an MSDN image and use a retail key.

How are you contradicting me?

tev9999
Oct 21, 09, 9:01 pm
Is there a way to determine what version of disk the install was from by examining files on the drive? Is it recorded in the registry or some other log file? Might be easier than trying to track down the original disk.

mbreuer
Oct 21, 09, 9:21 pm
How are you contradicting me?

Your original post:

Get the license key for the system and then use whatever copy of XP you can (what's important is the license key, not the disk) lay your hands on that is the same version (home/pro, full/upgrade/OEM) as what's installed....

There are different versions. The keys are not interchangeable across different types.

Examples: You cannot use a retail key for an OEM disk; you cannot use an OEM key with a retail disk; You can't use keys that came with a SP1 disk for an SP3 disk; etc.

What I'm saying is that the category/type of disk IS important, not the specific disk.

mbreuer
Oct 21, 09, 9:33 pm
Is there a way to determine what version of disk the install was from by examining files on the drive? Is it recorded in the registry or some other log file? Might be easier than trying to track down the original disk.

In theory, it's coded in the registry: hklm\System\Setup\SystemPrefix

I don't have a list of the various codes. If you can get into the registry however, you can probably recover the system without re-installation or need to reenter the license.

If you have the license code, how about you just pick up an upgrade copy of Windows 7? The code should be enough to validate the upgrade.
... or get a Mac... or just switch to Linux :)

tev9999
Oct 21, 09, 9:45 pm
I think I answered my own question, well at least Google did.

I found the file C:\windows\system32\prodspec.ini which shows:

;
;Note to user: DO NOT ALTER OR DELETE THIS FILE.
;
[SMS Inventory Identification]
Version=1.0

[Product Specification]
Product=Windows XP Professional

Version=5.0
Localization=English
ServicePackNumber=0
BitVersion=40
[Version]
DriverVer=07/01/2001,5.1.2600.0


So will finding someone with a disk that says "Windows XP Professional Version 5.0" on it work?

mbreuer
Oct 21, 09, 10:07 pm
I think I answered my own question, well at least Google did.

I found the file C:\windows\system32\prodspec.ini which shows:


So will finding someone with a disk that says "Windows XP Professional Version 5.0" on it work?

I don't think that file contains the fine grained details. You have narrowed things to the original WXP Professional... but could still be OEM, Retail, Academic or MSDN (maybe others as well).

Get whatever disk you can and try the license code - can't hurt.

sbm12
Oct 22, 09, 6:36 am
In theory, it's coded in the registry: hklm\System\Setup\SystemPrefix

I don't have a list of the various codes. If you can get into the registry however, you can probably recover the system without re-installation or need to reenter the license.

I'm pretty sure that the registry can be mounted as a file (system.dat) from the non-bootable but mountable drive that the OP has. So it would be recoverable that way, assuming that file is sound.

amlothi
Oct 22, 09, 8:38 am
I'm working on a friend's XP system that went into continuous reboot mode. I managed to get it to boot Ubuntu from a live CD and pulled the important files off to an external HD, so that is a plus.



I got this far, and that's all I needed. You've already determined that Windows is trash. You have recovered the important files.

Most people really only care about internet, email, and maybe music/video playing. Unless your friend needs to do anything for business or that requires Windows based, my suggestion: Wipe the drive, install Ubuntu and show your friend the ins and outs of how to do the things they need to do.

Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.

Rescue the system with Windows, and your friend is probably going to do the same things over again and it will end up being trashed by a virus or something else, again. And they are going to be calling you, again.

Convert them to Linux and you can both be happy. (And they will be amazed at how much faster things run!)

tev9999
Oct 22, 09, 11:15 am
I got this far, and that's all I needed. You've already determined that Windows is trash. You have recovered the important files.

Most people really only care about internet, email, and maybe music/video playing. Unless your friend needs to do anything for business or that requires Windows based, my suggestion: Wipe the drive, install Ubuntu and show your friend the ins and outs of how to do the things they need to do.



Rescue the system with Windows, and your friend is probably going to do the same things over again and it will end up being trashed by a virus or something else, again. And they are going to be calling you, again.

Convert them to Linux and you can both be happy. (And they will be amazed at how much faster things run!)

I'm actually thinking the exact same thing. Budget is an issue for her. The system only has 1 Gig of memory, which I see is the minimum for Win7, so I see additional upgrade cost there. I think she mainly uses it for the web, storing photos/music and some basic word processing / powerpoint - all of which OpenOffice can do. I'm thinking of starting to use Ubuntu, so it would give me a system that is already trashed to experiment with.

Loren Pechtel
Oct 22, 09, 11:48 am
Your original post:



There are different versions. The keys are not interchangeable across different types.

Examples: You cannot use a retail key for an OEM disk; you cannot use an OEM key with a retail disk; You can't use keys that came with a SP1 disk for an SP3 disk; etc.

What I'm saying is that the category/type of disk IS important, not the specific disk.

And I said same version (home/pro, full/upgrade/OEM) as what's installed. Where's the difference?

amlothi
Oct 22, 09, 6:50 pm
There's no difference. He's arguing with you for nothing. Maybe he misunderstood your post, but it was clear to me.


