
Cannot open safe mode by F8 for my Windows 7 64



Sorry, I don't have much time to take care of this issue right now; I will be back to the discussion around 7 PM Pacific time. Kindly help me check the following 2 attached files.

I did run chkdsk c:/f/r/x and got "failed to transferred~" (sorry, I did not write down the full description); I still cannot boot in safe mode.

Thanks for your help in advance.


Hello and Welcome!

Well we would really like to help you further if we could but since the logs show that this computer has entries designed to steal and/or pirate software (from Microsoft) we will not be able to assist you without you removing any pirated software.

This topic will be closed due to evidence of cracked or pirated software on this system.

Piracy Policy

Thank you


Hello:

My PC could not start up Windows 7 in safe mode by F8, but I copied all the files from "users\*\appdata\" onto a flash drive. I scanned those files on a laptop with Malwarebytes, and the following message was found:

Registry Keys: 1

PUP.Optional.Babylon.A, HKU\S-1-5-21-3273284751-2539587986-2503909828-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}, , [5e4b36ec12784aec3f0bb85d6a99c63a], 

 

In "regedit", under HKEY_USERS, I could only find S-1-5-20; I could not find S-1-5-21-XXX-~.

How could I manually remove this malware or Babylon?

 

I am quite sure my PC was infected by a virus or malware, not because of hardware damage.

I could scan my infected PC with Malwarebytes if this PC could start up in safe mode, or I need to unplug the infected HD from the infected PC, plug it into a docking station and scan it with another computer (hopefully there is a better way; I don't have a docking station).

 

I did post Frst.txt before, but could not get any solutions.

 

Any other suggestions for booting the infected PC in safe mode? Will the restore CD be helpful for booting the infected PC in safe mode? I don't have it, but could buy one from eBay if needed.

Also, I don't mind manually removing all the viruses found with Malwarebytes on another computer, but I need to know which directories should be checked, and how to find the virus and remove it.

 

My laptop is 32-bit Windows 7 Starter, and my infected PC is 64-bit Windows 7 Home Premium. The files in "system32\config" from Windows 7 Starter will also be good for Windows 7 Home Premium.

 

Thanks very much for your help in advance. 


Registry Keys: 1

PUP.Optional.Babylon.A, HKU\S-1-5-21-3273284751-2539587986-2503909828-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}, , [5e4b36ec12784aec3f0bb85d6a99c63a], 

 

In "regedit", under HKEY_USERS, I could only find S-1-5-20; I could not find S-1-5-21-XXX-~.

How could I manually remove this malware or Babylon?

The pirated software was deleted. 

Thanks.


  • Root Admin

If you've removed the drive and placed it into another computer to scan then we're not able to scan the registry file and that is a scan from the local computer you're using.

 

If anything try running a disk check against the affected drive. If as an example it is the E: drive then you would run the following from an elevated admin command prompt.

 

CHKDSK E: /R

 

If the drive is the D: or other drive you would change the drive letter to use for that command.

 

Then put it back into the original computer and try to start in Normal if possible or Safe if possible and let me know.


Thanks for your reply.

I did not remove the infected HD; the files of "user/*/appdata" were copied and scanned by another laptop.

The registry file as you mentioned was from the laptop.

I did try chkdsk r/f and got the following message: "failed to transfer logged messages to the event log with status 50". No bad sectors.

 

I will try to reboot my PC. 

Thanks.


  • Root Admin

Here are some guidelines on how to do the full disk check for different OS.

 

 

Please run a Full Disk Check on your system drive.  If needed here are some links on how to run a Disk Check.

On Windows XP the disk check log is in the Event Logs under Application with a heading source of  Winlogon
On Windows 7 the disk check log is in the Event Logs under Application with a heading source of  Wininit
On Windows 8 the disk check log is in the Event Logs under Application with a heading source of  Chkdsk

How to Run a Chkdsk Function on Windows XP

How to view and manage event logs in Event Viewer in Windows XP

How to Run Disk Check in Windows 7

How to Run Check Disk at Startup in Vista or Windows 7

How to Check a Drive for Errors with "chkdsk" in Windows 8

How to Read the Event Viewer Log for Check Disk (chkdsk) in Vista, Windows 7, and Windows 8
 


My system is Windows 7, and I will check the reference you suggested.

I accidentally deleted the *.bak files in system32\config, and all files in system32\config\regback.

After this accident, no Microsoft Windows logo is shown, only "Microsoft Corporation".

My computer still cannot start up.

Thanks.

 


  • Root Admin

You would need to issue the following command to see. What you're showing is a special recovery environment and not the main OS.

 

DIR /a /s  C:\Windows\System32\Config

 

This should show the files but it's possible due to NTFS permissions that all may not be shown but the key important ones will be shown. As for *.bak that folder structure should not have any *.bak files so not sure what you really have going on there.

 

Do you have any backups?

Have you run FRST before this happened?

What about ERUNT or Combofix?

 

If you've run one of those tools within the past month we may be able to recover from there. If not then you're really looking at reinstalling Windows.


Sorry, I don't quite understand what C:\FRST is. I did run FRST from the flash drive and saved the text file on my flash drive, so will FRST/Hive be on my PC or the flash drive?

I did run dir/a/s C:\~, and it seems those files are still somewhere on my PC. I accidentally deleted those files in "config" on the night of 2/28.

Thanks.


  • Root Admin

Actually you might be in luck. Please run the following and save it to your flash drive (not sure which drive it is, but change the drive letter to match your flash drive to save it).

 

DIR /A /S D:\Windows\System32\Config > E:\MyHiveFiles.txt

 

In my example I'm using E: as your flash drive. You need to verify that yourself though and change the command to reflect the correct drive letter.

 

You have some backup files from iObit that we can maybe use from last year.

 

Another possible option is to remove the drive and slave it to another computer and attempt to do a data recovery for the files (very unlikely to work at this point but you could try).


  • Root Admin

You need to follow directions exactly as provided or we won't be able to fix this. If you make a mistake you can make things worse and we may not be able to undo it.

 

I'm falling asleep here so I'm going to get some rest but I would like to get the list of files and not just a screen shot if at all possible.

 

 

DIR  /A /S D:\FRST\Hives

 

I'll check back on you again sometime tomorrow

This topic is now closed to further replies.