Hello, I am posting on behalf of an elderly relative who is not very technically literate. They called me a few days ago and played me a voice message they received when they turned their computer on, which said something along the lines of "This is Microsoft tech support, your computer is infected and poses a threat to our network so we have disabled it, please call us on (number) to remove the infection".

Now, personally I know this to be a scam; I have heard about it before, so I told them not to call the number and to ignore it, as I assumed what they meant was that it was just a web pop-up that has no effect on the system unless the user unwittingly acts on it. Except the problem is the computer won't boot to the desktop; it's just a black screen. I have taken the computer off them to attempt some recovery on it but having no luck.

Here is what I have done so far:

  • Tried to do Startup Repair but it said it couldn't do it.
  • Ran Microsoft Windows Malicious Software Removal Tool from the command line, which said there were 6 infections but appears to have done nothing, as the computer still wouldn't boot to the desktop. (I was away from the computer at the time and when I returned it had finished the scan but didn't tell me what the infections were.)
  • Tried System Restore even though the only restore point was after the problem arose. It failed the restore anyway.
  • Booted into Safe Mode and noticed their desktop wasn't the same as usual (not sure if this is normal?), but it seemed like a generic Win10 desktop with the Cortana toolbar that they never had before, and the Firefox desktop icon was gone along with shortcuts to websites. Couldn't even find the antivirus F-Secure or Firefox in add/remove programs. They had a program called Facebook Gamesroom but it wouldn't let me remove it.
  • Created and ran a bootable ISO of AVIRA Rescue System, which found 1 infection (PUA/InstallCore.Gen7 vlc-setup.exe), which it renamed.
  • On restart after the AVIRA scan, Windows performed a CHKDSK repairing the C: drive, but after it finished I was left with the same black screen as the first time.

Thanks for any help


Hello zipzap and welcome to Malwarebytes,

Probably the best option now is to run FRST via the recovery environment, continue with the following:

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to a USB flash drive. Ensure you get the correct version for your system, 32 bit or 64 bit...

Next,

Boot your PC and let it go as far as it can, now hold down the Shift key and reboot your PC. Windows should open to the "Choose an Option" window....

From that window select "Troubleshoot", from the next window select "Advanced Options", from there select "Command Prompt". Ensure you plug the flash drive into an open USB port...

Continue with the following:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter. Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Thanks,

Kevin...

I've attached the txt file to my reply.

I just noticed the text file says that to get a complete scan, run FRST in safe mode if possible. You may be able to identify the problem without safe mode. If not I can always do another if required. Thanks.

Also noticed at the end of the text file it has quite a few more restore points than what is available on the System Restore menu interface, why is that?

FRST.txt

Edited by zipzap

Thanks for that log, continue with the following:

Save the attached file fixlist.txt to your flash drive, same place as FRST.
Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt), please post it to your reply.

See if the system will boot to Normal mode, if not try Safe mode... Either way see if FRST will run again as follows:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...

  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Thank you,

Kevin...

 

fixlist.txt


Very odd, all we have done is restore registry hives to known good backups... Continue with the following:

Boot your PC and let it go as far as it can, now hold down the Shift key and reboot your PC. Windows should open to the "Choose an Option" window....

From that window select "Troubleshoot", from the next window select "Advanced Options", from there select "Startup Repair".

If that fails go through that process again, this time select "System Restore", from there follow the prompts to run System Restore to any date prior to this issue happening.

If those all fail go through the same process again, from Troubleshoot select "Command Prompt". Ensure you plug the flash drive into an open USB port...

Continue with the following:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter. Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Thanks,

Kevin...

 


Hi

Startup Repair failed (has done since encountering this problem).

I tried System Restore but the only dates available are 26th March and 23rd, but the problem started before then. However I did try to do one regardless and I couldn't go any further than what you see in the image attached.

Have also attached the FRST log, and on reading I noticed at the top there's a few lines that have "ATTENTION" on them; the first log before performing a Fix didn't have this.

Thanks

FRST.txt

sysrestore.jpg

Edited by zipzap

Save the attached file fixlist.txt to your flash drive, same place as FRST.
Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt), please post it to your reply.

See if your PC will boot to either Normal or Safe mode, if not run another scan from RE and post a fresh log...

fixlist.txt


Still not booting into safe mode or normally. Every time I try safe mode or a normal start I just get the message that Windows is trying to diagnose then fix the PC, after which I get the message that it failed and it enters recovery mode. I don't understand, because as I said I could previously get into safe mode despite the problem.

I've noticed since applying the first fixlist.txt you gave me, the new FRST logs have "ATTENTION: Could not load system hive." now in the top part of the log (this one attached has it and the one before it).

I think it may have made things worse? Would I be better just wiping the drive and starting over? They had nothing of importance on it really and it's starting to turn into more hassle than it is worth. I would have liked to have known what caused it though...

Thanks

 

Fixlog.txt

FRST.txt

Edited by zipzap

Save the attached file fixlist.txt to your flash drive, same place as FRST.
Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt), please post it to your reply.

See if your PC will boot to either Normal or Safe mode

 

fixlist.txt


No progress. Fixlog says could not restore (see attached).

FWIW I've now formatted the machine and installed Zorin OS, a Linux distribution. My hope is that they will be okay with it as it will require less maintenance in the long run from me. They don't really install anything; they mostly stick to browsing, email and Facebook. Windows' only benefit in this scenario is familiarity.

Thanks for your help in trying to fix the problem though.

 

Fixlog.txt


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
