Solved Computer won't boot after using Defender offline

friedpasta

Well, it seems this is a common problem. I'm mildly tech savvy, but this has me beat.

Kid's college computer got Alureon, ran Defender Offline from a USB which appeared to work to remove the virus, but now it's in the start cycle of black and white Acer screen, a quick flash from a blue screen, repeats this once or twice more, then into the system repair and then recovery. None of these worked. Trying not to do a total factory reset due to college things saved. No Windows discs. We were sure to reset the BIOS for the hard drive to boot first after using the Defender USB.

The (previously, I hope) infected computer is an Acer Win7 home premium 64 bit. Clean computer is a Vista home premium 32 bit which appears to have issues downloading some 64 bit things to a USB because it's "not compatible".

School starts again in a few days and we REALLY cannot afford the expense of a new laptop suddenly if I can get around this somehow. I'm not a super tech person but I can follow instructions! Any help on where to start is much appreciated, and I apologize in advance for much of my tech ignorance.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Acer
OS
Infected is Win7 home premium 64 bit (clean is Vista home premium 32)
friedpasta, welcome to SevenForums.

Run the tool below inside the command prompt in System Recovery.

   Warning
You will need a USB flash drive.


   Tip
Download the tool from a non-infected PC.


Farbar Recovery Scan Tool

Choose one that goes with your OS bit version. Save the file to a USB flash drive.

32-bit Version OS: Farbar Recovery Scan Tool

64-bit Version OS: Farbar Recovery Scan Tool x64


   Note
Click the Start orb button and right-click Computer. Select Properties. Look for System Type:, which will say 32-bit Operating System or 64-bit Operating System.


Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair Your Computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using a Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair

  • System Restore

  • Windows Complete PC Restore

  • Windows Memory Diagnostic Tool

  • Command Prompt

Select Command Prompt

In the command window type X:\FRST.exe (for x64 bit version type X:\FRST64.exe) and press Enter

   Note
Replace letter X with the drive letter of your flash drive.


   Tip
Type the commands below to see what your letter is for the USB drive and press ENTER after each command


Code:
Diskpart
List volume
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
FRST will let you know when the scan is complete and has written the FRST.txt to file

Upload the FRST.txt file

   Note
FRST.txt file will be inside the root of the USB Flash Drive
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
CPU
Intel Core i7 CPU 950 @ 3.07GHz
Motherboard
ASUS P6T DELUXE V2
Memory
OCZ 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 OCZ3X1600R2
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
OnBoard
Hard Drives
WD6400AACS-00M3B0 (640GB SATA )
PSU
CORSAIR 850w
Case
NZXT LEXA
Cooling
Intel Stock Heatsink Fan
Keyboard
Microsoft Wireless Laser Keyboard 7000
Mouse
Microsoft Wireless Laser Mouse 7000
Probably a dumb question - the clean computer is 32 bit and the infected is 64. Do I download the 32 version on the clean and it will be okay to use on the infected 64 bit?
 

Download the 64-bit version and save it onto a USB flash drive. Plug the USB flash drive into the infected PC. Boot to System Recovery as it says to do and select Command Prompt. Inside the command prompt, find your USB drive letter by using Diskpart (see above instructions), then go from there.
 

Never mind, got it saved. Thanks.
*********************
Thank you. My Vista 32 bit will download the 64 bit but won't save it to the USB drive, says the version is "not compatible". Is that normal? Maybe I'm missing something. Sorry for my ignorance.
 

I downloaded FRST64.exe on a 32-bit OS. You could download it but not run it. Plug your USB flash drive into the 32-bit PC. Open the Downloads folder, right-click on FRST64.exe, select Send To, and choose Removable Disk. Should work. Downloading works; running the program won't on a 32-bit.
 

Thank you, it worked. Here are the results.
 

On the 32-bit OS, open Notepad. Inside Notepad, paste the highlighted text below.


start
HKLM-x32\...\Run: [PCFixSpeed] - C:\Program Files (x86)\PCFixSpeed\PCFixTray.exe [384088 2013-03-20] (Crawler.com)
HKU\Brian\...\Run: [trident] - C:\Users\Brian\AppData\Roaming\trident\Installer.exe [454144 2012-12-21] ()
HKU\Default\...\RunOnce: [IsMyWinLockerReboot] - msiexec.exe /qn /x{voidguid} [x]
HKU\Default User\...\RunOnce: [IsMyWinLockerReboot] - msiexec.exe /qn /x{voidguid} [x]
AppInit_DLLs: [0 ] ()
AppInit_DLLs-x32: c:\progra~3\browse~1\261519~1.190\{c16c1~1\browse~1.dll [2691536 2013-07-26] ()
S2 BrowserDefendert; C:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe [2847696 2013-07-26] ()
S2 IBUpdaterService; C:\Windows\system32\dmwu.exe [1455408 2013-04-07] ()
2013-08-12 18:41 - 2013-08-12 18:42 - 00003436 _____ C:\Windows\System32\Tasks\BrowserDefendert
2013-08-08 16:37 - 2013-08-12 13:06 - 00000000 ____D C:\Users\Brian\AppData\Roaming\BabSolution
2013-08-08 16:37 - 2013-08-12 13:06 - 00000000 ____D C:\Program Files (x86)\24x7Help
2013-08-08 16:37 - 2013-08-09 16:38 - 00000000 ____D C:\Users\Brian\AppData\Roaming\PCFixSpeed
2013-08-08 16:37 - 2013-08-08 16:37 - 00000000 ____D C:\ProgramData\PCFixSpeed
2013-08-08 16:37 - 2013-08-08 16:37 - 00000000 ____D C:\ProgramData\BrowserDefender
2013-08-08 16:37 - 2013-08-08 16:37 - 00000000 ____D C:\Program Files (x86)\PCFixSpeed
C:\Windows\svchost.exe
ATTENTION ====> Check for partition/boot infection.
C:\Users\Brian\0.5656880535661928.exe
TDL4: custom:26000022 <===== ATTENTION!
ATTENTION: Malware custom entry on BCD on drive y: detected.
end


Click on File and select Save As.

Save to: USB flash drive

File Name: Fixlist.txt

Save as type: All Files

Click on the Save button inside Notepad.

Unplug the USB flash drive from the 32-bit PC and plug it back into the 64-bit PC. Open FRST64.exe like you did before. This time click on the [Fix] button. Once done, it will create a new log called Fixlog.txt; it will be on your USB flash drive.

Restart the PC and see if you can log in to your Desktop on the 64-bit PC.
 

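As an added illustration (not part of the original posts and not FRST's own code), the sketch below sorts fixlist-style lines like the ones quoted in this thread by where they persist, so the boot-level entries (the TDL4 / BCD lines) stand out from ordinary autorun and file entries. The regular expressions are assumptions that cover only the line shapes quoted here, and the category names are made up for this example.

```python
import re

# Constructed sample: a subset of the fixlist lines quoted in this thread.
SAMPLE = r"""HKLM-x32\...\Run: [PCFixSpeed] - C:\Program Files (x86)\PCFixSpeed\PCFixTray.exe [384088 2013-03-20] (Crawler.com)
HKU\Default\...\RunOnce: [IsMyWinLockerReboot] - msiexec.exe /qn /x{voidguid} [x]
AppInit_DLLs-x32: c:\progra~3\browse~1\261519~1.190\{c16c1~1\browse~1.dll [2691536 2013-07-26] ()
S2 IBUpdaterService; C:\Windows\system32\dmwu.exe [1455408 2013-04-07] ()
2013-08-12 18:41 - 2013-08-12 18:42 - 00003436 _____ C:\Windows\System32\Tasks\BrowserDefendert
2013-08-08 16:37 - 2013-08-08 16:37 - 00000000 ____D C:\ProgramData\PCFixSpeed
C:\Windows\svchost.exe
TDL4: custom:26000022 <===== ATTENTION!
ATTENTION: Malware custom entry on BCD on drive y: detected."""

# Assumed patterns (hypothetical, derived from the lines above). First match wins,
# so the scheduled-task rule must come before the generic file/directory rule.
RULES = [
    ("boot", re.compile(r"^(TDL4:|ATTENTION\b.*\b(BCD|boot)\b)", re.I)),
    ("autorun-key", re.compile(r"^HK[A-Z]+(-x32)?\\.*\\Run(Once)?: \[(?P<name>[^\]]+)\]")),
    ("appinit-dll", re.compile(r"^AppInit_DLLs(-x32)?:")),
    ("service", re.compile(r"^[RSU]\d (?P<name>[^;]+);")),
    ("task", re.compile(r"^\d{4}-\d\d-\d\d .*\\Windows\\System32\\Tasks\\(?P<name>.+)$", re.I)),
    ("file-or-dir", re.compile(r"^(\d{4}-\d\d-\d\d .* )?[A-Za-z]:\\")),
]

def triage(text):
    """Return (category, entry name or None, line) for each fixlist line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower() in ("start", "end"):
            continue  # skip blanks and the start/end markers
        for cat, rx in RULES:
            m = rx.match(line)
            if m:
                out.append((cat, m.groupdict().get("name"), line))
                break
        else:
            out.append(("unclassified", None, line))
    return out

def boot_level(findings):
    """Lines that point at boot configuration tampering rather than files or keys."""
    return [line for cat, _, line in findings if cat == "boot"]

if __name__ == "__main__":
    for cat, name, line in triage(SAMPLE):
        print(f"{cat:12} {name or '-':20} {line[:60]}")
```
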
Yes! It logged on and is to the desktop. But it was verrrry slow to get to the desktop, took several minutes to go from the login password screen to a black screen to the desktop. Desktop seems to be okay after it finally loaded.
 

Sweet. Run the next tool. We are not done cleaning the PC.

TDSSKILLER

Download link: TDSSKiller

Save to the Desktop

Right-click the program and select [image: mawket.jpg]



When the TDSSKiller console opens, click on: Change Parameters
Under Additional Options, place a check in the box next to: Detect TDLFS File System

Click: OK


Press: Start Scan


If a suspicious object is detected, the default action is Skip, leave it as is, and click on: Continue
If malicious objects are found, they show in the Scan results.
Ensure Cure (the default) is selected, then click: Continue > Reboot now, to finish the cleaning process.
(Note: If Cure is not available, select Skip, >>Do not select: Delete<<)


When done, the tool outputs its log to the disk with the Windows Operating System, normally C:\


Logs have a name like:
C:\TDSSKiller.X.X.X_12.04.2013_15.31.43_log.txt


Please post the TDSSKiller log in your reply.
 

Thanks! I have to step away from the computer for a little while, will run it when I return and post that log. Thanks for your patience. :)
 

You're welcome. Take your time.
 

So sorry, I'm afraid I was away much longer than expected. I've run the TDSSkiller. I had to split it and paste into more than one post.

******************************

(removed log)
 
*edit*
 

I'm sorry, this just isn't working well! And is too long for so many cut and paste actions. Do you know how I might get it to attach as a file? The attachments button doesn't activate and I've tried all the tricks I know. Sorry for my ignorance about such details:(
 

To upload the file, do this:

Click on the Go Advanced button under the Message box. Scroll down to Additional Options, then click on Manage Attachments in the Attach Files section. Click the Browse button, locate the file, then click on the Open button. In the Upload File from your Computer section, click on the Upload button. Wait until it finishes uploading, then close the window. Then click Submit Reply.
 

Rerun TDSSKILLER

On

20:31:48.0441 6140 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
20:31:48.0441 6140 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

change it from Skip to Delete.

It will ask you to restart the PC to remove it. Once you're back on your desktop, download the tools below and run them one at a time.

AdwCleaner

Click here: AdwCleaner

Click on the Download Now button.

Save to the Desktop.

Right-click on AdwCleaner.exe and choose [image: mawket.jpg]

Click on Delete and confirm the prompt.

Your computer will be rebooted automatically. A text file will open after the restart.

Upload the log: the log file is at C:\AdwCleaner[Sn].txt

Download Junkware Removal Toolkit

Click here: Junkware Removal Tool to download

Drag JRT.exe from the Downloads folder to your Desktop.

Right-click JRT.exe and choose [image: mawket.jpg]

Once done, upload the JRT.txt file.
 

Just to be clear - do you mean on the "threats detected" page, which comes up after the scan? It says on that page

TDDS File System
Physical Drive:\Device\Harddisk0\DR0
Suspicious object, medium risk

-with the dropdown beside it to choose skip, copy to quarantine, or delete. Change that to delete and continue?
 

Exactly. Change it from Skip to Delete on the drop-down menu and click on Continue.
 
