
A "Boot Loop" of Sorts


3 replies to this topic

#1 britechguy


Posted 13 June 2018 - 03:47 PM

It has been a long time since I've been dealing with Windows 7 on a regular basis.  But today I had a client call who had 2 Windows 7 machines that he had allowed "fake Microsoft support" to touch, and where he called said support himself by not being careful in vetting the results of a web search before dialing.

 

In any case, on one machine they uninstalled Microsoft Office 2013 and Project 2010, installing some seemingly tweaked version of Office 2016 in place of 2013.  You can't even get the Outlook to accept e-mail account information [which was probably a blessing].  That machine is well on its way back to normalcy.

 

The second machine, though, is more of a mystery to me.  It was set up with a single account with admin privileges and no password.  The machine would boot all the way in to the desktop and then, after about 5 seconds or so, go to black screen and begin rebooting again.  I tried creating a second account just to see if it could have been user profile corruption and, no dice, same behavior.  Then I tried a clean boot, also no dice.  Since this machine is an old Pentium box I did not want to take way more time than a replacement machine would cost trying to figure out what was at the root of this yet I remain curious, not having encountered this exact situation in the past.  I'm just curious if anyone has any ideas as to what might be going on here.  At this point I advised the client (after backing up his data) that his likely only chance at normalcy again would be wiping the HDD and reinstalling Win7, but that this is throwing good effort after bad given the age of the hardware.  

 

If there's something obvious that I missed either through abject ignorance or that whatever it is has now moved into the mists of memory I would love to know what's up with "machine number two."

 


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

      Memory is a crazy woman that hoards rags and throws away food.

                    ~ Austin O'Malley

 

 

 

              

 



 


#2 JohnC_21


Posted 13 June 2018 - 03:53 PM

Does it do a boot loop in Safe Mode? Are there any Restore Points? If not, replace the Registry Hives in C:\Windows\System32\config with the ones in C:\Windows\System32\config\Regback if the hives in Regback have a date before the problem and they are not zero bytes. This needs to be done offline using a Windows boot disk and the command prompt or using a live Linux disk.

 

BC member jenae explained it well here.


Edited by JohnC_21, 13 June 2018 - 03:55 PM.
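
The vetting step described in the reply above (Regback hives dated before the problem and not zero bytes), as an added example for the live Linux route; it is not part of the original posts. The mount point, the cutoff date, the function names and the `hives.pre-restore` backup folder are assumptions.

```shell
#!/bin/sh
# Added example: vet RegBack hives on an offline (mounted) Windows volume
# before swapping them in. Mount point and cutoff date are assumptions.
# Usage after sourcing this file (hypothetical mount point):
#   regback_restore /mnt/win/Windows/System32/config 2018-06-10
HIVES="DEFAULT SAM SECURITY SOFTWARE SYSTEM"

# regback_check CONFIG_DIR CUTOFF_DATE
# Returns 0 only if every hive in RegBack is non-empty and was last
# written before CUTOFF_DATE (the day the problem started).
regback_check() {
    cfg=$1; cutoff=$2
    # The folder name's case varies in write-ups; match it case-insensitively.
    rb=$(find "$cfg" -maxdepth 1 -type d -iname regback | head -n 1)
    [ -n "$rb" ] || { echo "no RegBack folder under $cfg"; return 1; }
    ref=$(mktemp) || return 1
    touch -d "$cutoff" "$ref"        # reference file stamped with the cutoff
    rc=0
    for h in $HIVES; do
        f="$rb/$h"
        if [ ! -s "$f" ]; then
            echo "REJECT $h: missing or zero bytes"; rc=1
        elif [ "$f" -nt "$ref" ]; then
            echo "REJECT $h: modified on or after $cutoff"; rc=1
        else
            echo "OK     $h"
        fi
    done
    rm -f "$ref"
    return $rc
}

# regback_restore CONFIG_DIR CUTOFF_DATE
# Keeps the current hives in CONFIG_DIR/hives.pre-restore, then copies the
# vetted RegBack hives over them. Does nothing if the check fails.
regback_restore() {
    cfg=$1
    regback_check "$cfg" "$2" || return 1
    rb=$(find "$cfg" -maxdepth 1 -type d -iname regback | head -n 1)
    mkdir -p "$cfg/hives.pre-restore" || return 1
    for h in $HIVES; do
        cp -p "$cfg/$h" "$cfg/hives.pre-restore/$h" || return 1
        cp -p "$rb/$h" "$cfg/$h" || return 1
    done
}
```
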


#3 Papakid


Posted 14 June 2018 - 10:16 AM

You might try approaching the problem from another angle.  From watching YouTube videos of techs messing with the MS support scammers, I know the fakers change some simple settings while they have remote access in revenge for when potential victims back out of paying or just get cold feet.  Usually it is a way to lock the user out of their own computer, like setting a system password using Syskey, but maybe this time they set the computer to a boot loop.  So the question is how would someone go about doing that. 

 

So far, in researching that answer the only thing I see is a simple prank hack of creating a shutdown shortcut copied to the startup folder of the user's start menu.  I wouldn't think that is the case here if you get the same behavior logged in to another account, tho.  Unless they found a way to copy it to the All Users folder(?) But I suppose it's worth a shot to log into safe mode to see if the shortcut is there.  However it was done, it seems to be a case of more sophistication than the system password lockout.  Just saying you might research or ask around for other ways to put a system in a boot loop--anyone here know?

 

 

Just before posting this, reading the description in this video, you might try this if it is a startup shortcut. 

YouTuber ricsto also commented that holding Shift after the startup tone in Windows will disable the restart trick, so you don't have to boot in safe mode!

 


The thing about people

is they change

when they walk away.--Mipso
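
The startup-folder check raised in the post above, done offline against the mounted Windows 7 volume so the loop never gets a chance to fire; this is an added example, not part of the original posts. The mount point and the function name are assumptions, and matching on the word "shutdown" is a heuristic that only narrows down which items to inspect by hand.

```shell
#!/bin/sh
# Added example: list Startup-folder items on an offline Windows 7 volume
# and flag any that mention shutdown. The mount point is an assumption.
# Usage after sourcing this file (hypothetical mount point):
#   startup_scan /mnt/win
SUFFIX="Microsoft/Windows/Start Menu/Programs/Startup"

# startup_scan WINDOWS_ROOT
# Covers the all-users Startup folder and every profile's own Startup folder.
# Prints "FLAG <path>" if an item's name or contents mention "shutdown",
# otherwise "item <path>". Returns 1 if anything was flagged, else 0.
startup_scan() {
    root=$1; flagged=0
    for dir in "$root/ProgramData/$SUFFIX" \
               "$root"/Users/*/AppData/Roaming/"$SUFFIX"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            # .lnk files store the target as ANSI and/or UTF-16LE text;
            # dropping NUL bytes lets one grep match both encodings.
            if { basename "$f"; tr -d '\000' < "$f"; } | grep -aqi 'shutdown'; then
                echo "FLAG $f"; flagged=1
            else
                echo "item $f"
            fi
        done
    done
    return $flagged
}
```
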


#4 Ghostwalker


Posted 28 June 2018 - 04:15 AM

If you can get into:

Safe Mode with networking,

I'd just try the go-to scanners:
>HitmanPro for the trial period that will remove infections and discrepancies.
>Malwarebytes free

Safe Mode without networking:

Download and update from another machine and transfer via USB, and I would put each of these into their own folders to contain them:
>Emsisoft Emergency Kit
>Zemana portable
>Norton Power Eraser (read the warning)
>aswMBR
>AdwCleaner

Check the hosts file and DNS for hijacking.
Then for sure Autoruns from Sysinternals to see what is starting up.

All these run as Administrator, and run Autoruns as whatever user and NT AUTHORITY\SYSTEM

Hope this helps


Edited by Ghostwalker, 28 June 2018 - 04:26 AM.




