
Laptop not starting after Ransomware


This topic is locked. 14 replies to this topic.

#1 Pietzki (Members, 26 posts)

Posted 06 January 2013 - 09:00 AM

Hi all,

Background info:
I'm trying to help a friend fix a laptop running Windows 7 Professional 64-bit. He got stung by a classic ransomware, unfortunately I don't know which one. It did the usual thing of showing pop-ups and changing the wallpaper demanding payment. Unfortunately my friend ignored it, until the laptop would not boot anymore. I can get into the BIOS and startup repair, but safe mode is not working. The only other thing I can get access to is the command prompt. Unfortunately we do not have a disc of Windows, as the installation files are just saved on a separate partition.

I have tried:
  • System restore (Failed with several restore points)
  • Startup repair (failed for 'unknown reason')
  • Windows Defender Offline from USB (does not find any threats)
  • I've been able to copy some files onto USB via command prompt, but it's tedious work so I'm trying to avoid this.

Even if I managed to back up all the files, I don't know what the Windows product key is, as the sticker on the laptop has faded beyond readability. I know I could find out if I could somehow boot into safe mode, but like I said, that's not an option. So even a clean install of Windows would require purchasing a new license, correct?

Does anybody have any other ideas?

Edited by Pietzki, 06 January 2013 - 09:01 AM.



#2 Broni, The Coolest BC Computer (BC Advisor, 42,679 posts, Daly City, CA)

Posted 06 January 2013 - 03:12 PM

I'll report this topic to appropriate helpers.
Hold on...



 


#3 JSntgRvr, Master Surgeon General (Malware Response Team, 11,398 posts, Puerto Rico)

Posted 06 January 2013 - 06:34 PM

Let's give it a try. You will need a USB flash drive.

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    Select Command Prompt

    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 boopme, To Insanity and Beyond (Global Moderator, 73,026 posts, NJ USA)

Posted 06 January 2013 - 07:32 PM

Hello, just letting you know I moved this to the Virus, Trojan, Spyware, and Malware Removal Logs forum, where it will stay.

#5 Pietzki, Topic Starter (Members, 26 posts)

Posted 07 January 2013 - 11:40 AM

Thanks JSntgRvr, here's the log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-12-2012 (ATTENTION: FRST version is 8 days old)
Ran by SYSTEM at 08-01-2013 19:36:15
Running from F:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2011-07-24] ()
HKLM\...\Run: [IntelPROSet] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PROSet/Wireless [1934608 2010-12-22] (Intel® Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [112408 2011-08-08] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1398440 2011-12-13] (Ask)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [296056 2012-05-01] (RealNetworks, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-16] (Sun Microsystems, Inc.)
HKU\LJ\...\Run: [InstallIQUpdater] "C:\Program Files (x86)\W3i\InstallIQUpdater\InstallIQUpdater.exe" /silent /autorun [1179648 2011-10-10] (W3i, LLC)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
Tcpip\..\Interfaces\{736E2CA9-1749-487C-B320-E5DFE94E7540}: [NameServer]217.171.132.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Update Agent.lnk
ShortcutTarget: Update Agent.lnk -> C:\Program Files (x86)\3\3Connect\AutoUpdateSrv.exe (Birdstep Technology)

==================== Services (Whitelisted) ===================

2 BrcmMgmtAgent; "C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe" -service [158720 2010-06-28] (Broadcom Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
2 O2SDIOAssist; C:\Windows\SysWOW64\srvany.exe [8192 2003-04-17] ()
2 tcsd_win32.exe; "C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" [1633280 2011-02-16] ()
2 ZcfgSvc7; C:\Program Files\Intel\WiFi\bin\ZCfgSvc7.exe [992256 2010-12-22] (Intel® Corporation)

==================== Drivers (Whitelisted) =====================

3 massfilter; C:\Windows\SysWow64\Drivers\massfilter.sys [9216 2009-09-07] (ZTE Incorporated)
0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
3 ZTEusbmdm6k; C:\Windows\SysWow64\Drivers\ZTEusbmdm6k.sys [119680 2009-09-07] (ZTE Incorporated)
3 ZTEusbnmea; C:\Windows\SysWow64\Drivers\ZTEusbnmea.sys [119680 2009-09-07] (ZTE Incorporated)
3 ZTEusbser6k; C:\Windows\SysWow64\Drivers\ZTEusbser6k.sys [119680 2009-09-07] (ZTE Incorporated)
3 CtClsFlt; C:\Windows\System32\DRIVERS\CtClsFlt.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-01-08 19:36 - 2013-01-08 19:36 - 00000000 ____D C:\FRST
2013-01-07 15:50 - 2013-01-07 16:29 - 00000000 ____D C:\Windows\Microsoft Antimalware

==================== One Month Modified Files and Folders =======

2013-01-08 19:36 - 2013-01-08 19:36 - 00000000 ____D C:\FRST
2013-01-07 16:29 - 2013-01-07 15:50 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-01-07 12:25 - 2012-11-15 13:19 - 00000000 ____D C:\Windows\Minidump
2013-01-07 12:25 - 2012-05-01 15:54 - 00000000 ____D C:\Users\All Users\Real
2013-01-07 12:25 - 2012-04-28 15:06 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-01-07 12:25 - 2012-04-01 13:38 - 00000000 ____D C:\Users\All Users\Birdstep Technology
2013-01-07 12:25 - 2012-03-22 03:44 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-01-07 12:25 - 2012-03-20 21:48 - 00000000 ____D C:\users\LJ
2013-01-07 12:25 - 2010-11-20 23:17 - 00000000 ____D C:\Windows\ShellNew
2013-01-07 12:25 - 2010-11-20 23:17 - 00000000 ____D C:\Program Files\Windows Journal
2013-01-07 12:25 - 2009-07-13 19:20 - 00000000 __RSD C:\Windows\Media
2013-01-07 12:25 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-01-07 12:25 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2013-01-07 12:25 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-01-07 12:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-01-07 12:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-01-07 12:19 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1499709749-1564367878-2468480014-1000\$7d0265fb388aa3338b665d0193afa9cb

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-10 13:59:17
Restore point made on: 2012-09-14 02:50:08
Restore point made on: 2012-09-16 01:14:35
Restore point made on: 2012-09-19 14:50:30
Restore point made on: 2012-09-20 16:42:16
Restore point made on: 2012-09-24 23:32:24
Restore point made on: 2012-09-30 14:16:07
Restore point made on: 2012-10-04 09:25:43
Restore point made on: 2012-10-09 06:17:31
Restore point made on: 2012-10-11 12:39:16
Restore point made on: 2012-10-17 01:06:07
Restore point made on: 2012-11-11 01:07:53
Restore point made on: 2012-11-11 03:53:56
Restore point made on: 2012-11-14 15:47:39
Restore point made on: 2012-11-18 13:10:30
Restore point made on: 2012-11-21 15:56:55

==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 3976.9 MB
Available physical RAM: 3269.49 MB
Total Pagefile: 3975.1 MB
Available Pagefile: 3249.95 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:297.74 GB) (Free:252.74 GB) NTFS
3 Drive f: (Globe) (Removable) (Total:0.98 GB) (Free:0.94 GB) NTFS
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.35 GB) (Free:0.31 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 1000 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 356 MB 1024 KB
Partition 2 Primary 297 GB 357 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 356 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 297 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 999 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F Globe NTFS Removable 999 MB Healthy

=========================================================

Last Boot: 2012-11-09 11:20

==================== End Of Log =============================
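
An added triage script (not from this thread, and not part of FRST) that parses lines in the shape of the FRST.txt above and flags the items a helper looks at first: Run/RunOnce values whose target file is missing (the `[] [x]` entry), autoruns with no publisher in their version info, drivers whose .sys is gone, a per-interface DNS server to verify, and the $Recycle.Bin path FRST labels ZeroAccess. The sample lines are copied from the log in this post; the severity labels and kind names are my own.

```python
import re

# Constructed sample: lines copied from the FRST.txt posted in this thread
FRST_SAMPLE = r"""
HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2011-07-24] ()
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1398440 2011-12-13] (Ask)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Tcpip\..\Interfaces\{736E2CA9-1749-487C-B320-E5DFE94E7540}: [NameServer]217.171.132.1
3 CtClsFlt; C:\Windows\System32\DRIVERS\CtClsFlt.sys [x]
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1499709749-1564367878-2468480014-1000\$7d0265fb388aa3338b665d0193afa9cb
"""

# "<hive>\...\Run: [<name>] <command> [<size> <date>] (<publisher>)", or "[<name>] [x]" when the file is gone
AUTORUN_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
DETAILS_RE = re.compile(r"^(?P<cmd>.*) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<pub>[^)]*)\)$")
# "<start type> <service>; <path> [x]": driver still registered but its .sys is missing
DRIVER_MISSING_RE = re.compile(r"^\d (?P<svc>[^;]+); (?P<path>.+) \[x\]$")
# Per-interface DNS server configured in the registry
NAMESERVER_RE = re.compile(r"^Tcpip\\\.\.\\Interfaces\\(?P<guid>\{[^}]+\}): \[NameServer\](?P<ips>.+)$")
# The marker FRST reports under "ZeroAccess:": a $<32 hex> folder below a user SID in $Recycle.Bin
ZEROACCESS_RE = re.compile(r"\\\$Recycle\.Bin\\S-1-5-21-[\d-]+\\\$[0-9a-f]{32}$", re.IGNORECASE)


def triage(log_text):
    """Return (severity, kind, detail) findings for an FRST.txt excerpt."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AUTORUN_RE.match(line)
        if m:
            hive, key, name, rest = m.group("hive", "key", "name", "rest")
            if rest == "[x]":
                # Value still present but its target is gone: leftover of a removed or failed install
                findings.append(("medium", "autorun_missing_file", f"{hive} {key} [{name or '<no name>'}]"))
                continue
            d = DETAILS_RE.match(rest)
            if d is None:
                findings.append(("low", "autorun_unparsed", line))
                continue
            if d.group("pub") == "":
                # No company name in the version info; most legitimate vendors set one
                findings.append(("low", "autorun_no_publisher", f"[{name}] {d.group('cmd')}"))
            if key == "RunOnce":
                # Fires once at the next logon; know what is queued before rebooting
                findings.append(("info", "runonce_pending", f"[{name}] {d.group('cmd')}"))
            continue
        m = DRIVER_MISSING_RE.match(line)
        if m:
            findings.append(("medium", "driver_missing_file", f"{m.group('svc')} -> {m.group('path')}"))
            continue
        m = NAMESERVER_RE.match(line)
        if m:
            # Not malicious by itself; verify it is the DNS server the owner expects
            findings.append(("info", "dns_override", f"{m.group('guid')} -> {m.group('ips')}"))
            continue
        if ZEROACCESS_RE.search(line):
            findings.append(("high", "zeroaccess_marker", line))
    return findings


def worst(findings):
    """Highest severity present, for a quick verdict on the log."""
    order = {"high": 3, "medium": 2, "low": 1, "info": 0}
    return max((f[0] for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for sev, kind, detail in triage(FRST_SAMPLE):
        print(f"{sev:6} {kind:22} {detail}")
    print("verdict:", worst(triage(FRST_SAMPLE)))
```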

#6 JSntgRvr, Master Surgeon General (Malware Response Team, 11,398 posts, Puerto Rico)

Posted 07 January 2013 - 12:02 PM

Download the enclosed file.

Save it next to FRST64.

Run FRST64 as you did before, except that this time around, click on the Fix button and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Attempt to boot in Normal Mode and let me know the outcome.



#7 Pietzki, Topic Starter (Members, 26 posts)

Posted 07 January 2013 - 12:35 PM

Thanks for the quick reply! Here's the fixlog. I still cannot boot into normal mode.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-12-2012
Ran by SYSTEM at 2013-01-08 20:32:25 Run:1
Running from F:\

==============================================

C:\$Recycle.Bin\S-1-5-21-1499709749-1564367878-2468480014-1000\$7d0265fb388aa3338b665d0193afa9cb moved successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore Value deleted successfully.
HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater Value deleted successfully.

==== End of Fixlog ====

#8 JSntgRvr, Master Surgeon General (Malware Response Team, 11,398 posts, Puerto Rico)

Posted 07 January 2013 - 12:51 PM

Download MBRFix from here.

Save and extract its contents to the working computer's desktop. There are three files in the MBRFix folder. From these, only copy the MBRFix64.exe to the USB drive.

Also download the enclosed file and save it in the USB drive replacing the existing one.

Insert the USB drive into the ailing computer.

Now please enter System Recovery Options and run FRST64 as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and paste the contents of Fixlog.txt in your next reply, but attach MBRDUMP.txt as it is a hex file.



#9 Pietzki, Topic Starter (Members, 26 posts)

Posted 07 January 2013 - 01:05 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-12-2012
Ran by SYSTEM at 2013-01-08 21:03:06 Run:2
Running from F:\

==============================================

MBRDUMP.txt is made successfully.

========= bcdedit /enum all /v =========


Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=Y:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {3e5a0a3a-2699-11e1-8157-846229bf1488}
resumeobject {3e5a0a39-2699-11e1-8157-846229bf1488}
displayorder {3e5a0a3a-2699-11e1-8157-846229bf1488}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30

Windows Boot Loader
-------------------
identifier {3e5a0a3a-2699-11e1-8157-846229bf1488}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {3e5a0a3b-2699-11e1-8157-846229bf1488}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {3e5a0a39-2699-11e1-8157-846229bf1488}
nx OptIn

Windows Boot Loader
-------------------
identifier {3e5a0a3b-2699-11e1-8157-846229bf1488}
device ramdisk=[C:]\Recovery\3e5a0a3b-2699-11e1-8157-846229bf1488\Winre.wim,{3e5a0a3c-2699-11e1-8157-846229bf1488}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice ramdisk=[C:]\Recovery\3e5a0a3b-2699-11e1-8157-846229bf1488\Winre.wim,{3e5a0a3c-2699-11e1-8157-846229bf1488}
systemroot \windows
nx OptIn
winpe Yes
custom:46000010 Yes

Resume from Hibernate
---------------------
identifier {3e5a0a39-2699-11e1-8157-846229bf1488}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=Y:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
{7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {3e5a0a3c-2699-11e1-8157-846229bf1488}
description Ramdisk Options
ramdisksdidevice partition=C:
ramdisksdipath \Recovery\3e5a0a3b-2699-11e1-8157-846229bf1488\boot.sdi

========= End of CMD: =========


==== End of Fixlog ====


#10 JSntgRvr, Master Surgeon General (Malware Response Team, 11,398 posts, Puerto Rico)

Posted 07 January 2013 - 01:44 PM

Let me consult these results. Will post soon.



#11 JSntgRvr, Master Surgeon General (Malware Response Team, 11,398 posts, Puerto Rico)

Posted 07 January 2013 - 02:30 PM

All seems clear.

Let's restore the registry to the last time the computer was booted.

Download the enclosed file.

Save it next to FRST64 overwriting the existing one.

Run FRST64 as you did before, except that this time around, click on the Fix button and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Attempt to boot in Normal Mode and let me know the outcome.

Edited by JSntgRvr, 07 January 2013 - 02:31 PM.



#12 Pietzki, Topic Starter (Members, 26 posts)

Posted 07 January 2013 - 09:48 PM

Hi JSntgRvr,

No luck, I get a brief BSOD right after the BIOS loads, then the laptop restarts. On a positive note, I did manage to get a hold of the product key. It was on a different sticker under the battery. After the fixes we attempted, I also managed to back up my friend's files by connecting his hard drive to my PC via a dock. So we could try a clean install if that makes things easier. The only problem is that I don't have another PC running Windows 7 x64, so I cannot create a bootable USB using the Windows 7 USB download tool. http://www.microsoftstore.com/store/msstore/html/pbPage.Help_Win7_usbdvd_dwnTool

Let me know what you think, like I said I'd be happy to just do a clean install, but may need some guidance.

Here's the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-12-2012
Ran by SYSTEM at 2013-01-09 05:36:49 Run:3
Running from F:\

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====

Edited by Pietzki, 07 January 2013 - 11:05 PM.


#13 JSntgRvr, Master Surgeon General (Malware Response Team, 11,398 posts, Puerto Rico)

Posted 08 January 2013 - 11:44 AM

Is this a known brand computer? If so, post the brand and model.

Step 1:

Let's take a look at the BlueScreen error message.

  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select "Disable Automatic Restart on System Failure", as shown here:

    [screenshot]

  • When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:

    [screenshot]

Please post me the Stop error message.

Step 2:

On the other hand, let's check the contents of the minidump files.

Download the enclosed file.

Save it next to FRST64 overwriting the existing one.

Run FRST64 as you did before, except that this time around, click on the Fix button and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Step 3:

Also, re-scan with FRST and post the new FRST.txt log.

Edited by JSntgRvr, 08 January 2013 - 11:44 AM.



#14 Pietzki, Topic Starter (Members, 26 posts)

Posted 08 January 2013 - 01:09 PM

Hi again, I couldn't write down anything from the BSOD, because it only lasted around half a second.

I ended up going ahead with a clean install of Windows; it was all starting to be more hassle than the alternative. Thanks a bunch for your help, I really appreciate it :)

#15 JSntgRvr, Master Surgeon General (Malware Response Team, 11,398 posts, Puerto Rico)

Posted 08 January 2013 - 02:03 PM

Thanks for the feedback.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
