Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows Not activated error Now have Blank Screen with just cursor


  • Please log in to reply
12 replies to this topic

#1 bruceyfamily

bruceyfamily

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 07 July 2017 - 01:57 PM

Please could someone help me.

I have a Toshiba laptop & while using Chrome over the last couple of weeks I had a pop up window saying I had Critical Chrome Update which I now believe was a virus as the pop ups were bizarre urls.

 

2 days ago my wifi would not then connect & the laptop had an error says my Windows was not activated. I have had the laptop for 3 years and it came with windows. I was running Windows 10 and had not changed anything.

I tried to restore it back to a backup at the end of June but this has failed. Now all I have is a blank screen but with a movable cursor.

Not really sure where to start so would appreciate some help. Thank you.

 

Toshiba Satellite C50-B

 



BC AdBot (Login to Remove)

 


#2 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:05 AM

Posted 07 July 2017 - 02:33 PM

Boot into Safe Mode and roll back your system from a previous System Restore point.

 

http://www.pcworld.com/article/2984712/windows/how-to-enter-windows-10s-safe-mode.html

 

Then, do the following malware checks and post the logs...

Download and run AdwCleaner -

https://www.bleepingcomputer.com/download/adwcleaner/

Download and run Malwarebytes Anti-Malware -

https://www.malwarebytes.org/antimalware/

Download and run the portable version of Zemana Anti-Malware

https://www.zemana.com/en-US/Download

Download and run Junkware Removal Tool -

https://www.bleepingcomputer.com/download/junkware-removal-tool/

Create a System Restore point first.
 


Edited by jwoods301, 07 July 2017 - 02:36 PM.


#3 bruceyfamily

bruceyfamily
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 10 July 2017 - 04:02 PM

Thanks. I will try that tomorrow. 


Edited by bruceyfamily, 10 July 2017 - 04:03 PM.


#4 bruceyfamily

bruceyfamily
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 11 July 2017 - 11:37 AM

Hi I managed to get it to boot in safe mode & then tried system restore which failed. Tried again using an earlier date but this failed also & I received this message:

System restore did not complete successfully. Your computer's system file setting were not changed.
 

Details:
System Restore failed to extract the original copy of the directory from the restor point.
Source: %ProgramFiles%\WindowsApps

Destination: AppxStaging
An unspecified error occurred during System Restore. (0x80070017)



#5 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:05 AM

Posted 11 July 2017 - 12:07 PM

Continue with running the malware checks.



#6 bruceyfamily

bruceyfamily
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 11 July 2017 - 12:16 PM

Thanks. Will do. 



#7 bruceyfamily

bruceyfamily
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 11 July 2017 - 02:14 PM

Right I have run the malware checks all in safe mode apart from Zemana. I also only created the system restore point just before I ran this as realised I hadnt done it.
 

# AdwCleaner v6.047 - Logfile created 11/07/2017 at 18:20:46
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-07-10.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Mum - DESKTOP-B39791U
# Running from : C:\Users\Mum\Downloads\AdwCleaner (1).exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Mum\AppData\Local\Chromium\User Data\Default\Web data] - yahoo! powered
 
[!] You may need to disable the Chrome synchronization from your Google account in order to fully remove the malicious preferences. Please consult this Google help: https://support.google.com/chrome/answer/3097271?hl=en [!]
 
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [3337 Bytes] - [11/05/2017 10:28:03]
C:\AdwCleaner\AdwCleaner[C2].txt - [1446 Bytes] - [28/06/2017 10:06:09]
C:\AdwCleaner\AdwCleaner[S0].txt - [2431 Bytes] - [11/05/2017 10:27:03]
C:\AdwCleaner\AdwCleaner[S1].txt - [1729 Bytes] - [28/06/2017 09:37:47]
C:\AdwCleaner\AdwCleaner[S2].txt - [1567 Bytes] - [11/07/2017 18:20:46]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1640 Bytes] ##########

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 11/07/2017
Scan Time: 18:36
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2017.07.11.07
Rootkit Database: v2017.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Mum
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 296512
Time Elapsed: 25 min, 51 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

Zemana AntiMalware 2.74.2.76 (Portable)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017/7/11
Operating System       : Windows 10 64-bit
Processor              : 4X Intel® Pentium® CPU N3530 @ 2.16GHz
BIOS Mode              : UEFI
CUID                   : 12C6C343C8B6FA87CF5ADA
Scan Type              : System Scan
Duration               : 12m 49s
Scanned Objects        : 58377
Detected Objects       : 2
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2
 
Detected Objects
-------------------------------------------------------
 
Fake Chrome Shortcut
Status             : Scanned
Object             : %appdata%\microsoft\internet explorer\quick launch\chromium.lnk
MD5                : 6ED0A20A512D7F5A5224089807F3A928
Publisher          : -
Size               : 2333
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Fake Chrome Shortcut
                File - %appdata%\microsoft\internet explorer\quick launch\chromium.lnk
 
wrc@avast.com
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\quvo2wd0.default\extensions\wrc@avast.com.xpi
MD5                : 985627CB8FEDB032E6F19161B6DFB696
Publisher          : -
Size               : 694121
Version            : -
Detection          : PUA.FirefoxExt!Gr
Cleaning Action    : Repair
Related Objects    :
                Browser Extension - wrc@avast.com
                File - %appdata%\mozilla\firefox\profiles\quvo2wd0.default\extensions\wrc@avast.com.xpi
 
 
Cleaning Result
-------------------------------------------------------
Cleaned               : 2
Reported as safe      : 0
Failed                : 0
 
*** JRT runs best with administrator privileges ***
 
If you wish to run with administrator privileges, please close this window and run as an administrator.
 
If you wish to run without administrator privileges, please hit any key to continue.
 
Press any key to continue . . .
Checking for update
 ================================================================
 [                                                              ]
 [         Junkware Removal Tool (JRT) by Malwarebytes          ]
 [                  Version 8.1.3 (04.10.2017)                  ]
 [         Information about this tool can be found at          ]
 [                     www.malwarebytes.com                     ]
 [                                                              ]
 [           This software is free to download and use          ]
 [                                                              ]
 [      Please save any unsaved work before proceeding as       ]
 [  the program will terminate most applications during cleanup ]
 [                                                              ]
 [                                                              ]
 [                       ** DISCLAIMER **                       ]
 [                                                              ]
 [           This software is provided "as is" without          ]
 [        warranty of any kind. You may use this software       ]
 [                       at your own risk.                      ]
 [                                                              ]
 [     Click the [X] in the top-right corner of this window     ]
 [                if you wish to exit. Otherwise,               ]
 ================================================================
 
Press any key to continue . . .
 
Requesting restore point... FAILED 0x8007043C
 
Restore point creation encountered an error.
If you would like to continue anyway,
Press any key to continue . . .
 
(*       )  Processes
(**      )  Startup - Logon
(***     )  Startup - Scheduled Tasks
(****    )  Services
(*****   )  File System
(******  )  Browsers
(******* )  Shortcuts
(********)  Preparing Report
 
JRT has successfully been run. Please review the report in JRT.txt.
 

 

 

 


#8 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:05 AM

Posted 11 July 2017 - 02:18 PM

Please post the contents of JRT.txt



#9 bruceyfamily

bruceyfamily
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 11 July 2017 - 02:24 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Home x64 
Ran by Mum (Limited) on 11/07/2017 at 20:00:48.25
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 0 
 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 11/07/2017 at 20:03:00.44
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#10 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:05 AM

Posted 11 July 2017 - 02:29 PM

Does the issue still persist?



#11 bruceyfamily

bruceyfamily
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 12 July 2017 - 03:31 AM

I have just rebooted in normal mode all ok & windows is showing as activated. So fingers crossed it appears to be working.

Thanks for your help.



#12 Cyberluddite

Cyberluddite

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Florida
  • Local time:05:05 AM

Posted 09 August 2017 - 05:04 PM

I've had that "Activate Windows" watermark since the Tech Support scam pop-up virus in August 2016 (one year ago), and I'm running Windows 8.1 on a 2013 Gateway laptop.  Here's what I've figured out, while trying to permanently remove it:

 

  1. It's a trojan malware named "Powessere.D", which Microsoft lists as "severe / widespread".
  2. On Microsoft forums, the only responses are "You were using an unregistered or expired software license."
  3. "Powessere.D" appears to be designed to corrupt activated software license keys, as the activation section says "Your license is no longer activated.  Please visit the Microsoft Store to purchase a new key." (Emphasis mine.)
  4. The watermark varies in opacity, bold/regular, full/sectional opacity changes, and can be temporarily terminated with heavy anti-malware removal programs.
  5. "Powessere.D" cannot be permanently removed, it is likely a bootdisk (or zero-disk) trojan.
  6. My software license was activated when I bought my laptop, otherwise I would've seen the watermark every day for the past 4 years.
  7. The only way I was able to determine the problem was by using malware-terminating programs, Zemana, HitmanPro.Alert, and then RogueKiller.  After that, Windows Defender was able to detect and log it (but not remove it; upon reboot, it reactivated.  Sometimes it takes a day or two before it shows up again.)
  8. It does not appear to be transferable via external storage devices, but that's highly uncertain and will need additional sources for verification.
  9. I also got "Powessere.D" from a "really urgent update".

Something doesn't add up.  There's been nothing in the news about this, Microsoft's blaming users of OS versions that are being phased out, and the company's pattern of behavior since 2015 makes it extremely difficult to rule them out as a potential source.  I got this with Windows 8.1, a year after Windows 10 was released. If you're getting this on Windows 10, then it means that Windows Server is about to be released.

 

Can't say for sure, but this is what I know.  I'll let you take it from here, and look forward to seeing what you come up with.  Thanks again.



#13 Cyberluddite

Cyberluddite

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Florida
  • Local time:05:05 AM

Posted 10 August 2017 - 07:12 PM

Good evening, bruceyfamily!

 

I think I might have found the problem.  Your Windows license key is still activated and valid, so you're clear there.  One of the reasons I was only able to temporarily terminate the malware process is because of AM_Delta_Patch.  Microsoft developed it as an update for Windows Defender (which is part of the "Anti-Malware Service Executable" process, found in Task Manager.)  That appears to have been in the "urgent update" that caused the watermark.  Your antivirus is the virus -- which, again, makes no sense.

 

You can turn off the malware process with RKill, but it'll just turn back on when Windows updates, that's the bad news.  The good news is that you may be able to completely halt AM_Delta_Patch, but it means turning off Windows Updates -- I only recommend this if you can get a solid antivirus program that can effectively replace Windows Defender.

 

Note: If you turn Windows Update back on, there's a good chance of being re-infected with AM_Delta_Patch.

 

1. Download TDSSKiller by Kaspersky (BleepingComputer)

 

A) Click on the "EXE Version" button to download the program onto your computer.  After download finishes, double-click the icon (or right-click on the icon, and choose "Open") to start.

 

B) If prompted by your computer, allow TDSSKiller permission to continue.

 

C) Accept the Terms of License, and allow TDSSKiller to finish initializing.

 

D) On the main screen, click the link that says "Change Parameters".  On the following screen, check the box marked "Detect TDLFS file system" and then "OK". (NOTE: Do not change any other settings, otherwise it may cause unexpected issues.)

 

E) Click "Scan", and allow to finish.  Resolve any threats that TDSSKiller detects.  Do not reboot your computer, the malware process will restart if you do.

 

2) Download RKill (BleepingComputer)

 

BleepingComputer has a list of different-named copies of RKill available on the page, because certain malware will terminate filenames they recognize.  Just go down the list, one by one, and follow the instructions.

 

A) Click on the filename you wish to download.  When finished, double-click the icon (or right-click on the icon and select "Open") to start.

 

B) If prompted by your computer, allow RKill permission to continue.

 

C) When the popup window appears, press any key to begin the scan.  RKill may fail to create a restore point the first time, but that's okay; it shouldn't have any issues after that.  The scan results log will appear as a text file on your desktop.  Do not reboot your computer, the malware process will restart if you do.

 

D) Again, do this with each file version in BleepingComputer's list.  Windows Defender detects AM_Delta_Patch as the trojan variant "Behavior:Win32/Powessere.D", so other system areas may be infected.  Do not reboot or turn off your computer each time.

 

3) Download HitmanPro by Sophos (Sophos)

 

A) Click on "Free 30-Day Free Trial (Remove Malware Now)", and allow download to finish.  When finished, double-click the icon (or right-click on the icon and select "Open") to start.  NOTE: there are two versions -- HitmanPro.exe (for 32-bit Windows) and HitmanPro_x64.exe (for 64-bit Windows).

 

B) Click "Next" to begin.  At the HitmanPro setup screen, you will be asked if you want to install the 30-day free trial; click "Yes, create a copy of HitmanPro so I can regularly scan this computer (recommended)."  After you have completed your selection, click "Next" to continue.

 

C) HitmanPro will begin scanning, please allow to finish.  The RKill file versions will likely flag as "Trojans", this means you were successful (RKill terminates malware processes, so these files are now safely deactivated.)  It may also detect malware that isn't related to AM_Delta_Patch, make sure the actions are set to "Quarantine" (or "Delete", if possible).

 

D) Cick "Next" to begin removal, and reboot your computer to finish.

 

4) Turn off Windows Update

 

NOTE: THIS WILL TURN OFF WINDOWS DEFENDER -- DO THIS ONLY IF YOU ARE INSTALLING A REPLACEMENT ANTI-VIRUS SOFTWARE IMMEDIATELY AFTER THIS STEP!!  (Using a computer without any anti-virus software is not recommended.  BleepingComputer and I are not responsible for any issues that may arise from not installing a replacement anti-virus software, and no guarantees are made regarding the quality or effectiveness of the anti-virus software you use.)

 

A) In your computer's Control Panel, select "System and Security" > "Windows Update" > "Change Settings".

 

B) On the "Important Updates" drop-down box, select "Never check for updates (not recommended)".

 

C) Uncheck the other notification boxes, and click "OK".

 

D) If prompted, verify your changes.  Windows will still try to search for new updates, but it won't download or install them (due to settings change).  Just close the window.

 

E) Immediately install your preferred replacement anti-virus software, and make sure it works properly.

 

I apologize if these instructions are a bit messy, it's the first time I've ever written a technical how-to.  For additional assistance in any of the above-listed programs, please consult a seasoned BC member.  Hope this helps you.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users