
Windows Failed to Start After Virus!


25 replies to this topic

#1 Caroline68

  • Members
  • 28 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 24 October 2012 - 08:23 PM

Hello everyone,

Recently my computer (Vista) has been acting strange, and after suspecting that there may be a virus causing this behavior, I scanned my computer with Malwarebytes. Malwarebytes found 8 trojans on my computer, and quarantined them. However, after all the infected files had been quarantined, I discovered that my Antivirus, Symantec, was not working (possibly corrupted due to virus?). After researching on the web, I came to the conclusion that I had to uninstall Symantec, which I attempted to do. Symantec told me to do a reboot to complete the uninstallation, and I obeyed.

However, now my computer would not start up, and I would get the error "Windows failed to start," along with the options for me to do a "Startup Repair" or "Start Windows Normally." I have tried the "Startup Repair" option as well as the alternative "Start Windows Normally." Neither of the two worked. I can't boot in safe mode either, as it would simply take me back to the "Windows failed to start" screen. I haven't tried any of the other repair options yet, such as System Restore or Last Known Good Configuration, as I was not 100% sure whether those were the best options. They are irreversible, after all, and I didn't want to risk putting my files in jeopardy. My primary concern right now is making sure I don't lose any of my files, as I don't have them backed up. :(

I am not sure if the reason for my system’s failure to boot is the virus or something else. This didn't happen prior to Malwarebytes' quarantining of my infected files, so I'm guessing that has something to do with it. I would really appreciate it if someone could lend a hand or shed some light on this issue. Thank you!


#2 thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:05 AM

Posted 25 October 2012 - 02:30 AM

Hello Caroline68 :)

  • I will be helping with your computer problems.
  • From this point on, it is very important that you refrain from doing anything else to your computer other than what I have requested of you.
  • I do not mind if you browse the web, do basic tasks, or even test to see if the problem(s) you are experiencing are still occurring with the computer while we are working together, but do not run any tools/fixes unless I or another helper from this thread has asked you to do so.
  • Remember that you came here for help, so allow us to help you :)
  • If something does not run, make a detailed note of what problems you encountered along the way (exact error messages are preferred), but continue onto the next steps until you reach the end of my post.
  • Always do the steps in the order they are listed in (left to right, top to bottom).
  • I prefer that you complete all the steps while you are in Normal Mode. However, I understand that sometimes this is not possible. If you are unsuccessful in getting a tool/fix to run from Normal Mode, but Safe Mode works, then use Safe Mode.
  • If you have a question about something, do not hesitate to ask.

Let's begin:

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Post the contents of FRST.txt into your next message for me to review.


#3 boopme

  • Global Moderator
  • 72,906 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:05 AM

Posted 25 October 2012 - 03:11 PM

Hello, just letting you know I moved this to the Virus, Trojan, Spyware, and Malware Removal Logs forum, where it will stay.

#4 Caroline68

  • Topic Starter
  • Members
  • 28 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 25 October 2012 - 10:13 PM

Thank you for responding. I am grateful for the help.

As instructed, I ran Farbar, and attached is the log.

#5 thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:05 AM

Posted 25 October 2012 - 10:23 PM

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

start
HKLM\...\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [981656 2012-09-29] (Malwarebytes Corporation)
HKLM\...\Run: [nelfufyshato] C:\ProgramData\nelfufyshato.exe [79872 2012-10-23] ()
Unlock: C:\ProgramData\nelfufyshato.exe
File: C:\ProgramData\nelfufyshato.exe
C:\ProgramData\nelfufyshato.exe
HKU\Chinese\...\Policies\system: [LogonHoursAction] 2
HKU\Chinese\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\English\...\Run: [nelfufyshato] C:\Users\English\nelfufyshato.exe [79872 2012-10-23] ()
C:\Users\English\nelfufyshato.exe
HKU\English\...\Policies\system: [LogonHoursAction] 2
HKU\English\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Leisure\...\Policies\system: [LogonHoursAction] 2
HKU\Leisure\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
0 74ffa429cf607a04; C:\Windows\System32\Drivers\74ffa429cf607a04.sys [59776 2012-10-23] () ATTENTION =====> Rootkit?
Unlock: C:\Windows\System32\Drivers\74ffa429cf607a04.sys
File: C:\Windows\System32\Drivers\74ffa429cf607a04.sys
C:\Windows\System32\Drivers\74ffa429cf607a04.sys
2012-10-23 23:16 - 2012-10-23 14:28 - 00079872 ____A C:\Users\All Users\nelfufyshato.exe
2012-10-17 18:48 - 2012-10-17 18:48 - 00000196 ____A C:\Users\Public\Desktop\Play More Great Games!.url
2012-10-09 17:14 - 2012-10-09 17:14 - 00838524 ____A C:\Users\All Users\SPLEF7E.tmp
2012-10-09 06:19 - 2012-10-09 06:19 - 00845256 ____A C:\Users\All Users\SPL2409.tmp
C:\$Recycle.Bin\S-1-5-21-3344603516-3126932864-829872823-1000\$811a9e538eb60066c0618d295a5cce2f
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
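A small triage helper for FRST log lines of the kind the fixlist above acts on, added here as an illustration; it is not part of the thread and not the FRST tool's own code. The sample lines are constructed from the entries quoted in post #5, and the triage rules (empty publisher, a bare .exe dropped in ProgramData or a user profile, a hex-named driver, FRST's own ATTENTION marker) are my assumptions about what a helper checks before writing a fixlist.

```python
import re

# Constructed sample in the FRST log format quoted in post #5 (not the user's full log).
SAMPLE_LOG = """\
HKLM\\...\\Run: [Malwarebytes Anti-Malware (reboot)] "C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe" /runcleanupscript [981656 2012-09-29] (Malwarebytes Corporation)
HKLM\\...\\Run: [nelfufyshato] C:\\ProgramData\\nelfufyshato.exe [79872 2012-10-23] ()
HKU\\English\\...\\Run: [nelfufyshato] C:\\Users\\English\\nelfufyshato.exe [79872 2012-10-23] ()
0 74ffa429cf607a04; C:\\Windows\\System32\\Drivers\\74ffa429cf607a04.sys [59776 2012-10-23] () ATTENTION =====> Rootkit?
"""

# Run-key line: hive\...\Run: [name] command [size date] (publisher)
RUN_RE = re.compile(r"^HK(?:LM|U\\[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) "
                    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<pub>[^)]*)\)$")
# Driver line: starttype name; path [size date] (publisher) followed by an optional FRST note
DRV_RE = re.compile(r"^\d (?P<name>[^;]+); (?P<path>.+?) \[(?P<size>\d+) "
                    r"(?P<date>\d{4}-\d{2}-\d{2})\] \((?P<pub>[^)]*)\)(?P<note>.*)$")
# Heuristic (assumed): a bare .exe sitting directly in ProgramData or a user profile root.
ODD_DIRS = re.compile(r'^"?C:\\(ProgramData|Users\\[^\\]+)\\[^\\]+\.exe', re.I)

def parse_frst(text):
    """Return one dict per Run-key or driver line; other FRST lines are ignored."""
    entries = []
    for line in text.splitlines():
        kind, m = "run", RUN_RE.match(line)
        if not m:
            kind, m = "driver", DRV_RE.match(line)
        if not m:
            continue
        e = {"kind": kind, "name": m["name"], "path": m["path"], "size": int(m["size"]),
             "date": m["date"], "publisher": m["pub"], "reasons": []}
        # Triage heuristics (my assumptions) mirroring what the fixlist above targeted.
        if not e["publisher"]:
            e["reasons"].append("no publisher")
        if kind == "run" and ODD_DIRS.match(e["path"]):
            e["reasons"].append("bare exe in profile/ProgramData")
        if kind == "driver" and re.fullmatch(r"[0-9a-f]{16}", e["name"]):
            e["reasons"].append("random hex driver name")
        if kind == "driver" and "ATTENTION" in m["note"]:
            e["reasons"].append("flagged by FRST")
        entries.append(e)
    return entries

def suspicious(text):
    """Entries with at least one triage reason, in log order."""
    return [e for e in parse_frst(text) if e["reasons"]]
```

Running `suspicious(SAMPLE_LOG)` returns exactly the three entries the fixlist above removes (the two nelfufyshato autoruns and the hex-named driver), while the signed Malwarebytes entry passes clean.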

#6 Caroline68

  • Topic Starter
  • Members
  • 28 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 25 October 2012 - 10:46 PM

Should I plug the USB drive with the fixlist on my computer before I follow these steps?

On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


#7 thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:05 AM

Posted 25 October 2012 - 10:48 PM

Should I plug the USB drive with the fixlist on my computer before I follow these steps?

Yes.

#8 Caroline68

  • Topic Starter
  • Members
  • 28 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 25 October 2012 - 11:00 PM

Done. Attached is the fixlog.


#9 thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:05 AM

Posted 25 October 2012 - 11:17 PM

Now try to boot normally.

#10 Caroline68

  • Topic Starter
  • Members
  • 28 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 26 October 2012 - 12:34 AM

Okay, I just tried to boot the normal way, and the computer started up properly this time! :) It's a miracle! Thank you so much!

#11 thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:05 AM

Posted 26 October 2012 - 12:49 AM

No problem.

You have traces of a few different infections. We should continue to search to make sure your PC is clean.

Please perform the following scans:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

__

Please download and run TDSSKiller
  • VERY IMPORTANT: In the event that threats are detected, allow TDSSKiller to perform the default action by simply pressing the Continue button.
  • Do NOT change the default action on your own unless instructed by a malware helper! Doing so may render your computer unbootable.
  • If threats were detected, TDSSKiller will require a reboot in order to attempt to clean the system.
  • After the scan is complete, you can find the TDSSKiller log at the root of your C: drive.
    • Example: C:\TDSSKiller.2.8.10.0_29.09.2012_00.22.50_log.txt
  • Please post the contents of this file to your next message.

Edited by thisisu, 26 October 2012 - 12:50 AM.


#12 Caroline68

  • Topic Starter
  • Members
  • 28 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 26 October 2012 - 11:52 PM

Attached DDS log.

TDSSKiller detected one suspicious object called “Akamai Netsession.” The default option was “skip.” For some reason, I wasn't able to locate the log for the scan. However, I *think* the file it was referring to was:

c:\program files\common files\akamai/netsession_win_5891ae0.dll

I saved this result a week back when I used TDSSKiller, when it also cited “Akamai Netsession” as a suspicious object.

#13 thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:05 AM

Posted 26 October 2012 - 11:57 PM

Don't worry about the Akamai Netsession service; it's legit.
Please attach the ATTACH.txt file that was also generated from DDS.

#14 Caroline68

  • Topic Starter
  • Members
  • 28 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 27 October 2012 - 12:29 AM

Attached.

#15 thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:05 AM

Posted 27 October 2012 - 12:56 AM

From Programs and Features (via Control Panel), please uninstall the below:
  • Java™ 6 Update 33 (outdated)
  • Java™ SE Runtime Environment 6 (outdated)

__

  • Please download and install CCleaner Slim
  • Open CCleaner and click the Options button
  • Now choose Advanced
  • Uncheck everything here except for Skip User Account Control warning
  • Now click the Cleaner button and press the Run Cleaner button at the bottom right of the program.
  • If this is your first time running this program, a prompt may appear asking for confirmation to delete temporary files. Go ahead and proceed.

__

Please download RogueKiller to your desktop.
  • Now rename RogueKiller.exe to winlogon.exe
  • Double-click winlogon.exe to run. Right-click winlogon.exe and select "Run as administrator"
  • When it opens, press the Scan button
  • When the scan is finished, press the Delete button.
  • Please post the contents of the latest numbered RKreport.txt from your desktop to your next post.

__

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When the scan is complete, click OK, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).



