topangajack

Win 7 won't boot after IDriveEService.exe removal

My trusty old desktop-to-cloud backup program, IDrive, has again been flagged as ransomware. MWB instructed me to reboot to delete the infected file. My HP Win7 system will no longer boot. :( It gets as far as a blue screen with a cursor. No dialog boxes, etc.  Cannot get a command prompt.  I've tried HP repair disc - nothing happens. HP Recovery discs - nothing happens. Reset the CMOS jumpers to orig bios - no change.

The file in question is C:\IDrive\IDriveEService.exe

Edited by topangajack


Hi topangajack,

Sorry to hear that this happened. We'll need some additional information to prevent this from happening in the future.

Please answer the following:

Where did you download iDrive? Can you provide the website here please? We can try to replicate the issue.

Do you have your Windows 7 installation disc? The HP Recovery Disc may also work for this. Just look for something that will lead you to a list of recovery options, with Command Prompt being one of the items. For example, see below using the Windows 7 Installation disc.

If you boot from the disc, you should see screens similar to the below:

[Image: w7recovery.png]

If you can get here, click "Next"

[Image: w7recovery2.png]

Click "Repair your computer"

You should see screens similar to the below:

[Image: w7recovery3.png]

If your Windows 7 installation is found, highlight it by left mouse clicking it once and selecting "Next"

[Image: w7recovery4.png]

This is ultimately the screen we want to be able to get to. From here we can run some diagnostics to see what happened. Let me know if you are able to get this far and I'll provide further instructions in the next post.

Regards

Edited by thisisu


Hi, thanks for your advice. I downloaded the IDrive file 3.4.4.0 long ago at https://www.idrive.com/online-backup-download [now it says, "Downloads for accounts created prior to 11-23-2011 - WINDOWS"]

I have a set of HP Recovery Discs that I made when I first got the PC. Unfortunately, running them never results in any usable dialog screen, message, and no progress bar. The best I get is a blue screen with pretty sun-rays and a mouse cursor. Nothing else appears. Running windows repair, system recovery, and startup repair brings up the same blue screen with no hard drive activity indicated by the light on the case.  

I can find no way to get past this.  This was a stable system prior to MWB trying to delete the suspect file.

 

16 hours ago, topangajack said:

Hi, thanks for your advice. I downloaded the IDrive file 3.4.4.0 long ago at https://www.idrive.com/online-backup-download [now it says, "Downloads for accounts created prior to 11-23-2011 - WINDOWS"]

Hi, thanks. I tried this version as well and so far haven't been able to reproduce the detection.

Some additional questions so I can better assist you: what's the model of your HP computer? Is it a laptop or desktop? Do you know if you have Secure Boot enabled or not? Do you have a flash drive?

16 hours ago, topangajack said:

The best I get is a blue screen with pretty sun-rays and a mouse cursor.

Can you find or take a picture of this particular screen?

Edited by thisisu


Model? HP Pavilion p6610f - a desktop.
Secure Boot enabled? Not sure. I made no changes (that I am aware of) concerning this since purchasing the computer.
Flash Drive? Yes, I have a 32 GB USB flash drive.

Photo attached.

IMG_5087.JPG


Thanks for answering those questions. Yes, this looks like a generic detection from our anti-ransomware module. The file that was quarantined in your case is most likely different than the one offered at their website now (using the 11-23-2011 installer), which is why I haven't been able to reproduce the detection. Unfortunately we require the exact file that was quarantined in order to fix these types of false positives.

More importantly, let's focus on getting you back into Windows. Have you already tried booting into Safe Mode or Safe Mode with Networking? If not, try that first. There's a thorough guide on how to enter Safe Mode here: https://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/#windows7

You should also start to prepare additional recovery discs. It seems the one you have with HP isn't fully loading. Maybe the CD-ROM drive is defective or the disc itself is damaged. If you haven't done so already, allow it 10 - 15 minutes to load. If it still stays on that screen, most likely there's an issue with one of the above.

Try to follow these directions using your Windows 7 product key in order to create an installation disc. We're not going to reinstall, but the disc should have some recovery tools on it similar to your HP recovery disc -- https://www.microsoft.com/en-us/software-download/windows7

If you need software to burn the .iso to DVD, I recommend ImgBurn.

Let me know if you have any questions.


Safe mode does not fully load. It hangs... see photo of hang when "Safe Mode with Command Prompt" is selected.

hang - Safe Mode with Command Prompt.JPG

16 minutes ago, topangajack said:

I have an OEM version of Windows, so Microsoft will not give me an installation download. It refers me to HP. HP no longer offers Win7!

I also tried recovery disks from a near-identical HP PC and they did not work either. No response.

My CD/DVD drive is in good shape. Fully functioning.

 

 

Edited by topangajack


From the F8 menu, try "Last Known Good Configuration (advanced)".

If that doesn't work, then select "Disable automatic restart on system failure". Take a picture of the BSOD screen too if you don't mind.


I've tried Last Known Good configuration several times. No luck. I'll try Disable auto Restart... now.  

FYI - see post No. 5 for photo of BSOD screen

14 minutes ago, thisisu said:

Disable automatic restart on system failure

It gets this far and stops. No activity on hard drive per indicator light

Hang - starting windows.jpg


In the meantime, I think I found a copy of the old installer file for the IDrive program that produced the Ransomware quarantine.

CAUTION: I changed the .exe extension to .doc so I could attach it here for you.  You will need to change it back to .exe if you want to test it (carefully, of course)

IDriveSetup.doc

Edited by topangajack


thisisu, I will check back in later.

I hope we can avoid having to buy and install a new copy of Windows. Thanks for your assistance.

4 hours ago, topangajack said:

FYI - see post No. 5 for photo of BSOD screen

This isn't a BSOD. That looks more like your HP recovery environment loading. Blue screen of death looks like this, with an error code that may help determine what the issue is:

windows-xp-bsod-error-56a6fb0d3df78cf772

 

Another question, do you have an external USB CD/DVD ROM you can try? Just wondering if you are able to get any bootable disc content to load? You should be seeing a screen similar to this when attempting to boot from a CD/DVD.

[Image: bootcd.png]

Can you verify if you're seeing this or not?

I think we can still at least restore that file for you eventually but when you mention LED lights from HDD off and you aren't actually receiving any errors, it is starting to sound more like a hardware issue to me. I'll try to at least restore the file for you though back to its proper location so we can find out though ;)

I need some more time to review your other posts. Thanks for submitting the additional installer. I will review it as soon as I can.

Edited by thisisu


I took a look at the installer. The file that was previously detected is now whitelisted.

C40DC510D061B03EEA2AFC407CC3350C

Edited by thisisu

4 hours ago, thisisu said:

Just wondering if you are able to get any bootable disc content to load? You should be seeing a screen similar to this when attempting to boot from a CD/DVD.

Can you verify if you're seeing this or not?

Yes, I can get that screen asking to boot from CD or DVD, but it will go no further. It is not able to boot. It just hangs and does nothing.

Thank you for whitelisting the file, but I am more concerned about my HDD being totally disabled after MWB instructed me to re-start in order to delete the file. I do not know how I can recover my system or even reinstall Windows under these circumstances.....


Hi,

A few more suggestions here...

  • Remove any USB drive or external hard drive from the computer. Make sure they are not plugged in. Try rebooting normally.
  • If you have multiple monitors hooked up, unplug all but one and try booting normally.
  • If there is a CD or DVD in the tray, remove it and try to boot normally.
Edited by thisisu


No external devices plugged in except wireless mouse. 
Just 1 monitor.
No CD or DVD in tray.
Still will not boot.

Are there any tools that you recommend that I can download (I have a laptop available - using now) that might get the desktop to boot and repair Windows? Or do you think I will have to remove the hard drive and reformat it (in another PC)? What do you suggest?

Thanks

 
