shanhendo

Unable to Restart after Quarantine


I ran Malwarebytes to detect and quarantine the Chromium malware.  All of the quarantined files were PuP files.

Upon restart, I received a blue screen with the following message ": ( Your PC ran into a problem and needs to restart."  "Stop Code: PNP Detected Fatal Error."  At the Recovery "Windows didn't load correctly" I selected the Repair Options>Troubleshooting>Reset this PC tabs with the options to keep my files.  After entering my password, it went through the reset process.  That did not work.

I then attempted some Advanced Options including:

1) System Restore  - received the message "PC ran into a problem" "Stop Code: Critical Process Died"

2) Go Back to Previous Version - received message "Your PC ran into Problems", try resetting your PC (which I already did above)

3) Start Up Repair - received message "Automatic repair could not repair your PC" with the code Log file C:\WINDOWS\System32\Logfiles\Srt\SrtTrail.txt .  I googled this line and found the recommendations on the Microsoft help community:

4) Command prompt - I tried some boot.exe and chkdsk commands I found on the Microsoft help community in reference to the log file.  That did not work and am still receiving the same message as in 3.

I did not have a recent back up and am trying to find a way to fix this short of reinstalling my operating system.  Any input you could provide would be helpful.

 


Hello shanhendo and welcome to Malwarebytes,

Which version of Windows do you have installed, do you have access to a spare PC and USB flashdrive 4gb or above..

Thank you,

Kevin..


Windows 10 installed. I have access to a spare jump drive and can easily download to it via iMAC.


Thanks for the update, continue:

On spare PC download and save FRST to the Flash drive, make sure to get the correct version, if you are unsure d/l and save both, only the correct one will run. Do not plug Flash Drive into sick PC until booted to Recovery Environment.

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Next,

Boot sick PC to Recovery Environment, if you are unsure of that action have a read at the following link, maybe bookmark for future reference...

https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

Next,

From the Windows 10 Tutorial you should get access to the Advanced Startup Options at boot for Windows 10

From that window select "Troubleshoot"


From the next window select "Advanced Options"


From that Window select "Command Prompt"

Ensure to plug the flash drive into a USB port... You should now be in Recovery Environment with the Command Prompt Window open......

Continue with the following:
 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" or "My PC" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter. Note: Replace letter E with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Leave the infected PC in Recovery mode, post the produced log from your flash drive via the spare PC....

Thank you,

Kevin..


Thanks for that log, continue:

From your spare PC Save the attached file fixlist.txt to your flash drive, same place as FRST.

Plug Flashdrive back into Sick PC, Run System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Re-boot sick PC, any change...?

fixlist.txt


Here are results. Afterwards, system still said I had an issue and went into diagnosis mode.

Fix result of Farbar Recovery Scan Tool (x64) Version: 08.11.2018
Ran by SYSTEM (08-11-2018 16:24:33) Run:1
Running from G:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
start
HKLM\...\Winlogon: [Userinit] 
HKLM\...\Winlogon: [Shell]  [ ] () <=== ATTENTION
HKLM-x32\...\Winlogon: [Shell]  [ ] () <=== ATTENTION
HKLM\...\InprocServer32: [Default-wbemess]  <==== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  <==== ATTENTION
HKU\Default\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [518144 2018-04-11] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [518144 2018-04-11] (Microsoft Corporation)
GroupPolicy: Restriction ? <==== ATTENTION
S2 0167231537409658mcinstcleanup; C:\WINDOWS\TEMP\016723~1.EXE -cleanup -nolog [X]
HKLM\...\.exe:  =>  <==== ATTENTION
HKLM\...\exefile\DefaultIcon:  <==== ATTENTION
HKLM\...\exefile\shell\open\command:  <==== ATTENTION
end
*****************

HKLM\...\Winlogon: [Userinit] => Could not restore
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value restored successfully
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value restored successfully
HKLM\Software\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default => value restored successfully
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => value restored successfully
"HKU\Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\\WAB Migrate" => removed successfully
"HKU\Default User\Software\Microsoft\Windows\CurrentVersion\RunOnce\\WAB Migrate" => not found
C:\Windows\System32\GroupPolicy\Machine => moved successfully
C:\Windows\System32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\System\ControlSet001\Services\0167231537409658mcinstcleanup => removed successfully
0167231537409658mcinstcleanup => service removed successfully
HKLM\Software\Classes\.exe\\Default => value restored successfully
HKLM\Software\Classes\exefile\DefaultIcon\\Default => value restored successfully
HKLM\Software\Classes\exefile\shell\open\command\\Default => value restored successfully

==== End of Fixlog 16:24:33 ====


Thanks for that log, continue:

From your spare PC Save the attached file fixlist.txt to your flash drive, same place as FRST.

Plug Flashdrive back into Sick PC, Run System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Re-boot sick PC, any change...?

fixlist.txt


So, it states this is not compatible with this version (see attached screen shot). It had moved drive letter to F but no go...


So, if I ran FRST64 first, hit fix, then rebooted. You are saying do it again but with this fixlist file so it gives you more detail? Sorry, I am a bit dumb on this!


Yes run this fix exactly as you did with the first fix. The current problem is "Userinit" key could not be restored, hence still not booting correctly. This current fix should correct that problem...

Also for the record you are definitely not dumb, you've managed ok in my opinion...;)
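
An added example, not part of the original thread and not FRST's own code: the reply above turns on one result line of the first Fixlog, the [Userinit] entry that ended in "Could not restore". This Python sketch pulls such non-successful results out of a Fixlog.txt on the spare machine; the log layout (fixlist echoed between two rows of asterisks, then "target => outcome" lines) is an assumption inferred only from the logs posted here, and the function names are hypothetical.

```python
# Added example: triage a FRST Fixlog.txt. Layout inferred only from the logs in this thread.

# Constructed sample: lines taken from the first Fixlog posted above.
SAMPLE_FIXLOG = r'''Fix result of Farbar Recovery Scan Tool (x64) Version: 08.11.2018
Boot Mode: Recovery

fixlist content:
*****************
start
HKLM\...\Winlogon: [Userinit]
HKU\Default\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [518144 2018-04-11] (Microsoft Corporation)
end
*****************

HKLM\...\Winlogon: [Userinit] => Could not restore
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value restored successfully
"HKU\Default User\Software\Microsoft\Windows\CurrentVersion\RunOnce\\WAB Migrate" => not found
C:\Windows\System32\GroupPolicy\Machine => moved successfully
0167231537409658mcinstcleanup => service removed successfully

==== End of Fixlog 16:24:33 ====
'''


def parse_fixlog(text):
    """Return (target, outcome) pairs from the results section of a Fixlog."""
    lines = text.splitlines()
    # The submitted fixlist is echoed between two rows of asterisks and can itself
    # contain "=>", so results are only read from after the second row.
    star_rows = [i for i, l in enumerate(lines) if l.strip() and set(l.strip()) == {"*"}]
    if len(star_rows) < 2:
        raise ValueError("fixlist echo block not found")
    results = []
    for line in lines[star_rows[1] + 1:]:
        if line.startswith("==== End of Fixlog"):
            break
        if " => " not in line:
            continue
        target, outcome = line.rsplit(" => ", 1)
        results.append((target.strip().strip('"'), outcome.strip()))
    return results


def failures(results):
    """Assumption: any outcome without the word 'successfully' needs a second look."""
    return [(t, o) for t, o in results if "successfully" not in o.lower()]


if __name__ == "__main__":
    for target, outcome in failures(parse_fixlog(SAMPLE_FIXLOG)):
        print(f"{outcome}: {target}")
```

A "not found" outcome, as on the second RunOnce entry, only means the item was already absent; the Userinit line is the one that matters for the boot failure discussed here.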


You've used the first fixlist not the second one I attached to reply #8...


Here are the results

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 08.11.2018
Ran by SYSTEM (08-11-2018 17:20:54) Run:3
Running from g:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
start
LastRegBack: 2018-05-29 06:28
end
*****************

DEFAULT => copied successfully to System32\config\HiveBackup
DEFAULT => restored successfully from registry back up
SAM => copied successfully to System32\config\HiveBackup
SAM => restored successfully from registry back up
SECURITY => copied successfully to System32\config\HiveBackup
SECURITY => restored successfully from registry back up
SOFTWARE => copied successfully to System32\config\HiveBackup
SOFTWARE => restored successfully from registry back up
SYSTEM => copied successfully to System32\config\HiveBackup
SYSTEM => restored successfully from registry back up

==== End of Fixlog 17:20:55 ====


Can you run a scan again, same as reply #4, need to have a look at a fresh log see why your system will not boot...


Thanks for that log, continue:

From your spare PC Save the attached file fixlist.txt to your flash drive, same place as FRST.

Plug Flashdrive back into Sick PC, Run System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

 

fixlist.txt
