Computer won't boot after using Defender offline

friedpasta · 13 Aug 2013

Well, it seems this is a common problem. I'm mildly tech savvy, but this has me beat.

Kid's college computer got Alureon, ran Defender Offline from a USB which appeared to work to remove the virus, but now it's in the start cycle of black and white Acer screen, a quick flash from a blue screen, repeats this once or twice more, then into the system repair and then recovery. None of these worked. Trying not to do a total factory reset due to college things saved. No Windows discs. We were sure to reset the BIOS for the hard drive to boot first after using the Defender USB.

The (previously, I hope) infected computer is an Acer Win7 home premium 64 bit. Clean computer is a Vista home premium 32 bit which appears to have issues downloading some 64 bit things to a USB because it's "not compatible".

School starts again in a few days and we REALLY cannot afford the expense of a new laptop suddenly if I can get around this somehow. I'm not a super tech person but I can follow instructions! Any help on where to start is much appreciated, and I apologize in advance for much of my tech ignorance.

VistaKing · 13 Aug 2013

friedpasta welcome to SevenForums

Run the tool below inside the command prompt in System Recovery

Warning

You will need a

USB FLASH DRIVE

Tip

Download the Tool from a non infected PC

Farbar Recovery Scan Tool

Choose one that goes with your OS bit version . Save the file to a USB Flash drive

32-bit Version OS

Farbar Recovery Scan Tool

64-Bit Version OS

Farbar Recovery Scan Tool x64

Note

Click the

button and right-click Computer .Select Properties . Look for System Type: which will say 32-bit Operating System or 64-bit Operating System

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select Repair Your Computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

Select Command Prompt

In the command window type X:\FRST.exe (for x64 bit version type X:\FRST64.exe) and press Enter

Note

Replace letter X with the drive letter of your flash drive.

Tip

Type the commands below to see what your letter is for the USB drive and press ENTER after each command

Code:

Diskpart
List volume

The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
FRST will let you know when the scan is complete and has written the FRST.txt to file

Upload the FRST.txt file

Note

FRST.txt file will be inside the root of the USB Flash Drive

friedpasta · 13 Aug 2013

Probably a dumb question - the clean computer is 32 bit and the infected is 64. Do I download the 32 version on the clean and it will be okay to use on the infected 64 bit?

VistaKing · 13 Aug 2013

Download the 64-bit version save it onto a USB flash drive . Plug the USB flash drive into the infected PC . Boot to the System Recovery as it says to do select command prompt . Inside the command prompt find your USB drive letter by using Diskpart ( see above instructions ) then go from there .

friedpasta · 13 Aug 2013

Never mind, got it saved. Thanks.
*********************
Thank you. My Vista 32 bit will download the 64 bit but won't save it to the USB drive, says the version is "not compatible". Is that normal? Maybe I'm missing something. Sorry for my ignorance.

VistaKing · 13 Aug 2013

I Downloaded FRST64.exe on a 32 bit OS . You could download it but not run it . Plug your USB flash drive into the 32bit PC . Open the downloads folder right click on FRST64.exe and select Send To choose removable disk . Should work . Downloading works running the program won't on a 32 bit .

friedpasta · 13 Aug 2013

Thank you, it worked. Here are the results.

VistaKing · 13 Aug 2013

ON the 32 BIT OS . Open Notepad . Inside notepad paste the highlighted text below

start
HKLM-x32\...\Run: [PCFixSpeed] - C:\Program Files (x86)\PCFixSpeed\PCFixTray.exe [384088 2013-03-20] (Crawler.com)
HKU\Brian\...\Run: [trident] - C:\Users\Brian\AppData\Roaming\trident\Installer.exe [454144 2012-12-21] ()
HKU\Default\...\RunOnce: [IsMyWinLockerReboot] - msiexec.exe /qn /x{voidguid} [x]
HKU\Default User\...\RunOnce: [IsMyWinLockerReboot] - msiexec.exe /qn /x{voidguid} [x]
AppInit_DLLs: [0 ] ()
AppInit_DLLs-x32: c:\progra~3\browse~1\261519~1.190\{c16c1~1\browse~1.dll [2691536 2013-07-26] ()S2 BrowserDefendert; C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe [2847696 2013-07-26] ()
S2 IBUpdaterService; C:\Windows\system32\dmwu.exe [1455408 2013-04-07] ()
2013-08-12 18:41 - 2013-08-12 18:42 - 00003436 _____ C:\Windows\System32\Tasks\BrowserDefendert
2013-08-08 16:37 - 2013-08-12 13:06 - 00000000 ____D C:\Users\Brian\AppData\Roaming\BabSolution
2013-08-08 16:37 - 2013-08-12 13:06 - 00000000 ____D C:\Program Files (x86)\24x7Help
2013-08-08 16:37 - 2013-08-09 16:38 - 00000000 ____D C:\Users\Brian\AppData\Roaming\PCFixSpeed
2013-08-08 16:37 - 2013-08-08 16:37 - 00000000 ____D C:\ProgramData\PCFixSpeed
2013-08-08 16:37 - 2013-08-08 16:37 - 00000000 ____D C:\ProgramData\BrowserDefender
2013-08-08 16:37 - 2013-08-08 16:37 - 00000000 ____D C:\Program Files (x86)\PCFixSpeed
C:\Windows\svchost.exe
ATTENTION ====> Check for partition/boot infection.
C:\Users\Brian\0.5656880535661928.exe
TDL4: custom:26000022 <===== ATTENTION!
ATTENTION: Malware custom entry on BCD on drive y: detected.
end

Click on File select Save As

Save to : USB Flash drive

File Name : Fixlist.txt

Save as type : All Files

click on the Save button inside Notepad.

Unplug the USB Flash drive from the 32-bit PC plug back into the 64-bit PC Open FRST64.exe like you did before . This time click on the [Fix] button . Once done it will create a new log called Fixlog.txt it will be in your USB Flash drive.

Restart the PC and see if you could login to your Desktop on the 64-bit PC.

friedpasta · 13 Aug 2013

Yes! It logged on and is to the desktop. But it was verrrry slow to get to the desktop, took several minutes to go from the login password screen to a black screen to the desktop. Desktop seems to be okay after it finally loaded.

VistaKing · 13 Aug 2013

Sweet. Run the next tool . We are not done cleaning the PC

TDSSKILLER

download link

TDSSKiller

Save to the Desktop

Right-click the program and select

When the TDSSKiller console opens, click on: Change Parameters
Under Additional Options, place a check in the box next to: Detect TDLFS File System

Click: OK

Press: Start Scan

If a suspicious object is detected, the default action is Skip, leave it as is, and click on: Continue
If malicious objects are found, they show in the Scan results.
Ensure Cure (the default) is selected, then click: Continue > Reboot now, to finish the cleaning process.
(Note: If Cure is not available, select Skip, >>Do not select: Delete<<)

When done, the tool outputs its log to the disk with the Windows Operating System, normally C:\

Logs have a name like:
C:\TDSSKiller.X.X.X_12.04.2013_15.31.43_log.txt

Please post the TDSSKiller log in your reply.