Computer Hope
Software => Computer viruses and spyware => Topic started by: jdavidwik on October 11, 2011, 01:44:17 PM
-
I have a problem restarting after Malwarebytes found 2 Trojan horses; restart was prompted after the removal, with the result of the restart blue screening, then restarting ad infinitum. The Dr. Web Live CD procedure did not help. I then tried the OTLP CD solution after mounting that .ISO image and burning, etc., but I could not get to the "Remote registry" screen which was the suggested route. Double clicking the OTLP icon after loading from the OTLP CD gave a prompt for which drive to scan, and then "No Windows Components" indicated after C drive is indicated. I am using Windows Vista OS, on a Toshiba Satellite notebook. The problem now is that after exiting from and removing the OTLP disc, the booting-up after the Windows screen gives a black screen with message "A disk read error occurred Press Ctrl+Alt+Del to restart". I re-attempted Dr. Web (Default), scan finished, but this still results in the same black screen with message as just indicated. Pressing Ctrl/Alt/Del just results in the Windows screen followed by the aforementioned message. I had someone fix this issue for me in the past (i.e. the restart after a scan, ostensibly to "completely" remove malware, resulting in this loop), wanted to DIY-it but stuck...
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Ok. From what I understand, your computer won't boot in Normal Mode. How about Safe Mode?
-
Hello SuperDave,
It will not boot in safe mode. When I chose safe mode, it would cyclically restart in the same manner as normal mode booting attempts were. Currently I cannot even get to the screen to choose safe or normal mode.
-
Go to this link to create a Rescue CD (http://evilfantasy.wordpress.com/2009/05/06/rescue-cds/) or to this site to create a Rescue USB (http://evilfantasy.wordpress.com/bitdefender-rescue-usb/). Carefully follow all the instructions for whichever method you choose.
-
I don't seem to be able to open any page to download the software help
-
Super Dave,
There has been A LONG GAP IN TIME because I brought the notebook to my university's IT help dept., but they could not help. I am running the Dr. Web default scanner now and I know that it takes some time, ca. 24 hours. My IT dept. says that there is an indication of a missing partition, as the hard drive apparently cannot be accessed, based on their diagnostic tests. I will post again when the scan is finished.
-
OK less time required than the advanced Dr. Web scan, already finished...no threats detected or neutralized, nothing malicious, suspicious or infected...however 11 files "Unable to scan", 2 due to "scanning of this object is aborted (No such file or directory)" and 9 due to "cannot get file attributes with error: No such file or directory".
-
OK ran Dr. Web advanced scan...On Scan report, "Scanned" indicates "13"...this would jibe with statement that there is a missing partition...although when I ran this scan over a week ago, before I ran the OTLP(E) boot-up disk, it took roughly 20 hours...so did my aforementioned attempt with the OTLP(E) disk create a problem?
-
When I use the "Handy Recovery" tool on REATOGO-X-PE, it quickly analyzes the B RAMDisk drive but indicates that the C drive has "No valid supported file system present on the volume", which would explain the quick scan with Dr. Web in that the latter was actually only analyzing RAM in that scan. This tool is on the OTLP recovery disk.
-
Please run this tool. I need to see the log.
We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.
Download the OTLPE Standard REATOGO Windows Recovery Environment.
- Place a blank CD-R disc into your CD burning drive.
- Download OTLPEStd.exe (http://oldtimer.geekstogo.com/OTLPEStd.exe) and double-click on it to burn to a CD using an ISO Burner. One can be found here. (http://iso-burner.com/)
- Reboot your system using the boot CD you just created.
- Note : If you do not know how to set your computer to boot from CD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)
- Your system should now display a REATOGO-X-PE desktop.
- Double-click on the OTLPE icon.
- When asked "Do you wish to load the remote registry", select Yes
- When asked "Do you wish to load remote user profile(s) for scanning", select Yes
- Ensure the box "Automatically Load All Remaining Users" is checked and press OK
- OTL should now start. Change the following settings
- Change Drivers to Non-Microsoft
- Press Run Scan to start the scan.
- When finished, the file will be saved in drive C:\_OTL\MovedFiles
- Copy this file to your USB drive if you do not have internet connection on this system
- Please post the contents of the OTL.txt file in your reply.
-
Hello SuperDave,
I was able to execute your instructions up to and including the loading of remote registries. After that, I was prompted to choose drives to scan. Choosing C drive results in the message that the target must be Windows 2000 or later, and is indicated as not being present in this case. As I could scan C drive via the "Disk Investigator" desktop icon, I did so. Scan of RAMdisk (B drive), could be executed, showing 63 Mb size, File system NTFS, 59Mb free space, 131071 logical sectors, Media Descriptor 248 and Hidden sectors 63, etc., but scan of C Drive resulted in showing 0 Mb size, File system Unknown, 0 logical sectors and all "0"s, save for Media Descriptor 248 and Hidden sectors 63. Trying to "View cluster" results in "Error accessing disk". I could not access the internet through my wi-fi modem/router via the Reatogo desktop control panel, so I could not copy the log record and email it. I believe the log of the scan was not saved to C drive as I could not originally access the scanner as you indicated. As it seems that C drive cannot be accessed, I did not want to try to install the software for the printer for fear of disturbing/overwriting anything that could possibly be saved (?). Do the above scan results help? Should I try something else?
-
It appears that there is something wrong with the hard drive. You will need to slave that hard drive to another computer to run a diagnostic. Do you have an OS disk for that computer?
-
I have the OS disk but it is scratched, so I may have to order from Toshiba if that becomes necessary. I also ran TestDisk 6.11.3 thru REATOGO desktop and it indicates:
Disk/dev/sda - 120 GB / 111GiB - CHS 14594 255 63
Partition Start End Size in sectors
D HPFS - NTFS 0 1 1 14592 254 63 234436482
D HPFS - NTFS 0 32 33 14593 33 32 234436608
Structure: Ok.
I want to save the data if I can, so based on the scan results above does this seem possible?
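Added example, not part of the original post: a short Python check that the CHS start/end values in the two TestDisk candidate lines above agree with their reported sector counts, using the geometry from the disk line (255 heads, 63 sectors per track). The regexes and function names are assumptions made for this illustration, and the sample text is constructed from the lines quoted in the post.

```python
import re

# Constructed sample: the TestDisk lines quoted in the post above.
TESTDISK_OUTPUT = """\
Disk/dev/sda - 120 GB / 111GiB - CHS 14594 255 63
D HPFS - NTFS 0 1 1 14592 254 63 234436482
D HPFS - NTFS 0 32 33 14593 33 32 234436608
"""

GEOM_RE = re.compile(r"CHS\s+(\d+)\s+(\d+)\s+(\d+)")
# status letter, file-system label, start C/H/S, end C/H/S, size in sectors
PART_RE = re.compile(r"^(\S)\s+(.+?)" + r"\s+(\d+)" * 7 + r"$")


def chs_to_lba(c, h, s, heads, spt):
    """Classic CHS-to-LBA mapping; sector numbers are 1-based."""
    return (c * heads + h) * spt + (s - 1)


def check_candidates(text):
    """Return start/end LBA per candidate and whether the size matches."""
    geom = GEOM_RE.search(text)
    if geom is None:
        raise ValueError("no CHS geometry line found")
    cylinders, heads, spt = map(int, geom.groups())
    disk_sectors = cylinders * heads * spt
    results = []
    for line in text.splitlines():
        m = PART_RE.match(line.strip())
        if m is None:
            continue  # geometry line or anything else that is not a candidate
        c1, h1, s1, c2, h2, s2, size = map(int, m.groups()[2:])
        start = chs_to_lba(c1, h1, s1, heads, spt)
        end = chs_to_lba(c2, h2, s2, heads, spt)
        results.append({
            "status": m.group(1),
            "fs": m.group(2),
            "start_lba": start,
            "end_lba": end,
            "size_ok": end - start + 1 == size,   # CHS span equals reported size
            "fits_on_disk": end < disk_sectors,   # ends inside the CHS geometry
        })
    return results


if __name__ == "__main__":
    for cand in check_candidates(TESTDISK_OUTPUT):
        print(cand)
```

Both candidate lines are internally consistent under this check; the first starts at sector 63, the same value Disk Investigator reported as hidden sectors.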
-
I should have mentioned that I do have another Toshiba Satellite, different model, for slaving the hard drive.
-
I want to save the data if I can, so based on the scan results above does this seem possible?
It all depends on whether or not you can access your hard drive. You may need to slave it in order to get your data. You can save your important data to DVDs or an external hard drive. You will need to wipe the DVDs or external hard drive when you're finished with it so be sure there's not something else important on them. What OS are you running?
-
On this laptop it was Windows Vista Home premium
-
I also have an external harddrive as well as a DVD burner on the other notebook...
-
OK...I have the Vista Home premium disk which is spotless...the Toshiba Satellite P100 disk is scratched
-
You're getting me confused. Do you have the OS disk for the dysfunctional computer?
-
yes
-
1/ Click the Start button.
2/ From the Start Menu, Click All programs followed by Accessories.
3/ In the Accessories menu, Right Click on the Command Prompt option.
4/ From the drop down menu that appears, Click on the Run as administrator option.
5/ If you have the User Account Control (UAC) enabled you will be asked for authorisation prior to the command prompt opening. You may simply need to press the Continue button if you are the administrator or insert the administrator password etc.
6/ In the Command Prompt window, type: sfc /scannow and then press Enter.
7/ A message will appear stating that the system scan will begin.
8/ Be patient because the scan may take some time.
9/ If any files require replacing SFC will replace them. You may be asked to insert your Vista DVD for this process to continue.
10/ If everything is okay you should, after the scan, see the following message Windows resource protection did not find any integrity violations.
11/ After the scan has completed, Close the command prompt window.
-
I am running this thru Reatogo-X-PE as that is the only option available to me as I described earlier (it has Windows XP as the OS). From Command Prompt, when I elect to Run As Administrator, it asks for a password which I have no knowledge of as this is Reatogo and nothing I set up. I tried some of the obvious passwords such as admin, guest, password and just "ok" sans a password, but none of them work. Any ideas?
-
What happens when you boot with your OS disk in?
-
After booting with the Windows Vista OS disk in, I chose Startup Repair. After searching for problems and then repairing problems, the computer restarted. It is now back to the original loop of Toshiba screen> Windows Error Recovery> Microsoft screen> blue screen, followed by Toshiba screen, etc.
-
Under Windows Error Recovery, when attempting Safe Mode or Safe Mode with Networking or Command Prompt, the Windows system 32 files and drivers are loaded then "Please wait..." is indicated for 30sec, followed by blue screen then loop resumes as indicated above. Last Known Good Configuration and Start Windows Normally result in Microsoft screen then blue screen, etc. as indicated above.
-
I'm going to check with my colleagues about this problem.
-
Startup Repair in the Windows Vista Home Premium disk fixed the issue.
-
Startup Repair in the Windows Vista Home Premium disk fixed the issue.
That's good news. So, everything is running well?
-
Ran an Ad-Aware scan which found one high-level threat, removed and restarted w/ no issues; then ran a Malwarebytes' scan which found one high-level threat, removed and restarted successfully; Windows Defender scan run w/ no threats detected; so far, more than one day of running well with no issues; the Startup Repair on the full Vista OS disk was successful, whereas that of the Restore Only disk was not (initial attempt).