Windows Defender used and now can't start up my computer properly

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by viviene18328, Dec 30, 2012.

  1. viviene18328

    viviene18328 Private E-2

We will start with I know little about fixing things on the computer. My daughter picked up the Alureon virus/worm/whatever it is called. We kept getting the blue screen of death. I did some searching on the internet and started with removing AVG and installing Microsoft Security Essentials. I was able to install this and then rebooted the computer. When Security Essentials tried to update itself the computer shut down and again gave us the lovely blue screen of death.

    I read some more and downloaded Windows Defender to remove what Security Essentials said it could not. I followed the instructions and everything looked pretty good after that. Then I re-booted the computer and what I get is a flashing _ command prompt.

    I presume from what I've read here (why oh why didn't I come here first!) that I've botched things up.

    I did make a recovery disc on my other Windows 7 computer and tried to use that to fix things but it is not allowing me to make a repair. I know I don't want to do a system restore because if I read correctly this will just wind up restoring the virus/trojan/worm as well. The computer did not come with an installation disc (DH purchased it at Walmart) or I would just re-install the software.

    HELP!
    :(
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Do you mean you ran Windows Defender Offline as in the below?

    http://blogs.technet.com/b/security/archive/2012/09/19/microsoft-s-free-security-tools-windows-defender-offline.aspx

    If so, you really should be sending your problem to Microsoft because they really should not be removing required system files even when offline. Do you know what it removed? Was it the C:\windows\system32\services.exe file? This file is commonly infected when people have Alureon detections. The file cannot be deleted. It must be replaced by a clean copy. And then there are more things to clean up too.


    Please do the below so that we can boot to System Recovery Options to run a scan.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)

      After attaching the above log, perform the below search with FRST.

      Boot to System Recovery Options and run FRST again.
      Type the below bolded text in the edit box after "Search:".

      services.exe

      Then click the Search button.

      It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply. (See How to attach)
     
  3. viviene18328

    viviene18328 Private E-2

    Yes it is windows defender offline.

    I have now downloaded Farbar Recovery Scan Tool X64 onto a flash drive. I put the flash drive in the affected computer. I turned the computer on. What first comes up on the screen is:

    Del: Enter setup F12: Boot menu

    So I know that what should be coming up in order for me to be able to tap F8 to get to the advanced boot options.

    I did change the advanced bios features to make the computer boot from the cd/dvd as the first boot device per the instructions for being able to run windows defender offline. I am guessing that this has not helped the situation I am in.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not necessary for this as you are not booting from the USB drive or CD. You need to do exactly what was stated.
    See the below for additional info.

    http://www.sevenforums.com/tutorials/666-advanced-boot-options.html
     
  5. viviene18328

    viviene18328 Private E-2

    As soon as the computer fired up I started pushing F8 and continued to do so for several minutes. The Del: Enter setup F12: Boot menu comes up and unless you make a choice of either of these two you get a blinking prompt. I continued to push F8 and nothing changed.

    I did push del and then looked at the advanced bios and saw that the computer is set for quick start and quiet start.

    I do not believe that I am seeing what I should at all on startup and since that isn't happening pushing F8 isn't working. I did read the directions and also read the link that you posted. I just don't believe what should be coming up in order for this to work is coming up on the screen.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, then your PC vendor may not have installed the System Recovery Options, which is really important to have, especially if they did not give you a Win 7 bootable DVD. Did they provide you with a Win 7 system bootable DVD? If so you could try that.


    Do you remember what Windows Defender removed? Also does it put things into a quarantine so that changes can be undone? Since I don't recommend using this program, I have never tested it to see everything it can do. I believe it does have a quarantine option and also a delete. Hopefully quarantine was used.
     
  7. viviene18328

    viviene18328 Private E-2

    They did not provide us a Win 7 system bootable DVD.

    The only thing I know that Windows Defender said it removed was the alureon virus. Since I can't get into the computer now I can't see if it quarantined it so that changes can be made.

    I did make a recovery disc from the computer I'm using to write this note from. It is also Windows 7 64 bit. I was able to get the recovery screen from using that in the dvd/cd drive (drive D). It did not allow me to fix anything though.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you see an option where you can get to a command prompt?
     
  9. viviene18328

    viviene18328 Private E-2

    It didn't give me an option for a command prompt.

    What I have done is put the windows defender offline cd back in. This allowed me to look at what was removed and what was quarantined.

    It showed that nothing was quarantined. It also allows you to see allowed items and there was nothing in the list of allowed items. Then there is detected items. What was detected was Trojan.Dos/AlureonJ. This is what I selected to remove. It shows nothing else that was removed.

    I'm just letting that computer sit with that information on the screen and won't touch it again until I hear from you. I know you have other things to do and I very much appreciate all your help. I should have left this alone. Hindsight is 20/20 of course.

    I forgot the most important thing. The item it shows that was removed is:

    boot:\\.\PHYSICALDRIVE0\PARTITION0 (Type 27)

    then it has below that:

    http://go.microsoft.com/fwlink/?linkid=142185&name=Trojan:DOS/AlureonJ&threatid=2147658331
     
    Last edited: Dec 31, 2012
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, this is part of the Alureon infection which likely impacted your Master Boot Record and/or partition table, which is probably why you cannot boot up now. The MBR, partition table etc. likely need to be repaired, which is what I wanted to do with FRST. Also if we could get to the command prompt, we could run a few commands from there.

    Do you know anyone who you can borrow a Windows 7 x64 Boot DVD from so that we can try to boot from it to get to the System Recovery Options menu?
     
  11. viviene18328

    viviene18328 Private E-2

    Okay I made a system recovery disk from my other computer and I put it in the dvd/cd drive. So on the screen right now I have system recovery options. I selected keyboard input method US and clicked next. It scanned the computer and said windows found problems with your computer's start up options. Do you want to apply repairs and restart your computer?

    I clicked on the "view details." Under repair details it states:

    The following startup options will be added:

    Name: Windows 7 Home Premium (recovered)
    Path: Windows
    Window Device: Partition=D: (703014MB)

    Name: Windows Recovery Environment (Recovered)
    Path: Recovery\f6ad2642-6c24-11e0-a9e4-bf6c8fea6384\Winre.wim
    Windows Device: Partition=D: (703014MB)

    I have not done anything else.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let it do the startup fix and let's see what happens.
     
  13. viviene18328

    viviene18328 Private E-2

    Okay I let it do its thing. I got a pop up screen that said, "Startup repair cannot repair this computer automatically." Sending more information can help Microsoft create solutions. Then you can click on send information about this problem (recommended) or don't send. I had already done this yesterday and sent the information to Microsoft so I did not do it again.

    There is also a clickable phrase "Problem Details." So I clicked on that and it showed this:

    Problem signature:

    Problem Event Name: StartupRepairOffline

    Problem Signature01: 6.1.7600.16385
    Problem Signature02: 6.1.7600.16385
    Problem Signature03: unknown
    Problem Signature04: -1
    Problem Signature05: External Media
    Problem Signature06: 1
    Problem Signature07: NoOSInstalled
    OS Version: 6.1.7601.2.1.0.256.1
    Locale ID: 1033

    After that it's just some junk about their privacy statement online

    I also still have the option of viewing advanced options for system recovery and support. I have not clicked on that option yet. If I cancel this screen I still have the Choose a recovery tool option. I can do:

    Startup Repair (didn't work)
    System Restore (didn't do this)
    System Image Recovery (didn't do this)
    Windows Memory Diagnostic (didn't do this)
    Command prompt (didn't do this)
    Recovery Management (didn't do this)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then use the command prompt option from System Recovery Options and refer back to message number 2 where I posted instructions for FRST and continue with the part where the below text is
     
  15. viviene18328

    viviene18328 Private E-2

    Okay. Here's the first file FRST.txt
     

    Attached Files:

  16. viviene18328

    viviene18328 Private E-2

    Here is the second file search.txt
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now power down your PC for a few minutes then power back up and see if you can boot into normal Windows

    Attach the new Fixlog.txt no matter what.
     
  18. viviene18328

    viviene18328 Private E-2

    Here is fixlog.txt

    I have powered down the computer and will wait a few minutes.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's not going to work. You were not on the correct drive that has boot configuration info when FRST ran the fix. When you boot to the command prompt, what drive letter shows?
     
  20. viviene18328

    viviene18328 Private E-2

    M drive was where the flash drive was. The flash drive only has the FRST65, FRST, Search and fixlog files on it. The drive where the recovery disc was is the G drive.

    I'll go back and follow everything you have here and do it all over again. Going back and forth between these computers is insane!
     
    Last edited: Dec 31, 2012
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, at the command prompt type in C:
    and hit enter. Does the prompt change to show the C drive?
    Type in dir
    and hit enter. Do you see your files listed and do you see a folder named boot?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also from the command prompt, run the below command and tell me what you get:

    bootrec /ScanOs
     
  23. viviene18328

    viviene18328 Private E-2

    I could not edit the last post again due to time constraints. I am still trying to make sure that I have the right drive noted. BB in a bit.

    Okay I did what you said.

    The prompt changed to show the C drive. I typed in dir and entered. What came up is:

    Directory of C:\

    12/30/2012 09:32 PM <DIR> Temp
    0 File(s) 0 bytes
    1 Dir(s) 71,401,472 bytes free

    Then I ran bootrec /ScanOs

    I got:

    Scanning all discks for Windows installations.

    Please wait,since this may take a while....

    Successfully scanned Window installations.
    Total identified Windows installations: 1
    [1] D:\Windows
    The operation completed successfully.

    and I am now at the C prompt

    The flash drive is definitely M.
     
    Last edited: Dec 31, 2012
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, at the command prompt type in D:
    and hit enter. Does the prompt change to show the D drive?
    Type in dir
    and hit enter. Do you see your files listed and do you see a folder named boot?
     
  25. viviene18328

    viviene18328 Private E-2

    I typed in D: and hit enter. It changed to show the D drive.

    I typed in dir and hit enter. I see my files listed and I do not see a folder named boot.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Type in the below command and hit enter. Note there are spaces before the -r, -h, -s and boot.

    attrib -r -h -s boot

    Now type dir and see if you see the boot folder.
     
  27. viviene18328

    viviene18328 Private E-2

    I typed in "attrib -5 -h -s boot" and what came up was

    File not found - boot

    I do not see the boot file.

    I don't know if this helps or not, but when you had me go into the C directory and open up notepad and then open up computer there are 5 hard drives listed:

    System reserved (C:), eMachines (D:), Local Disk (E:), PQSERVICE (F:) and Boot (X:)

    If this does not help please disregard.

    Okay, I took it one step further and typed in X: and enter and then dir and enter.

    I did see a boot file.

    At the very end it said:

    X:\Windows\System32>

    If this means that this is 32, not 64, I am sorry. Since I don't use the computer I am trying to fix I went by what DH told me.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay at this prompt, type in dir x:\ and see if you see a boot folder. It is a folder not a file.

    Who is DH?
     
    Last edited: Dec 31, 2012
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry! I edited that last command to dir x:\

    I had c:\
     
  30. viviene18328

    viviene18328 Private E-2

    Okay typed in x:\ and entered.

    This is exactly what I see:

    Volume in drive X is Boot
    Volume Serial Number is D60A-0DC2

    Directory of X:\

    02/11/2011 07:14 PM 106,760 setup.exe
    11/20/2010 06:43 AM <DIR> Program Files
    07/07/2009 04:00 AM <DIR> RyTools
    02/11/2011 07:15 PM <DIR> sources
    11/20/2010 06:42 AM <DIR> Users
    07/07/2009 04:00 AM <DIR> WIM_TEMP
    02/11/2011 07:17 PM <DIR> Windows

    1 file(s) 106,760 bytes
    6 Dir(s) 30,474,240 bytes free

    So no boot file.

    DH= Dear Husband
     
    Last edited: Dec 31, 2012
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, then from the command prompt on drive X, what happens if you type in the below? Note the spaces before /enum and all:

    bcdedit /enum all

    Then type the below two commands.

    bootrec /fixmbr
    bootrec /fixboot


    Then try to reboot your PC normally and see what happens.
     
  32. viviene18328

    viviene18328 Private E-2

    Okay typed in the first command and the response was:

    The boot configuration data store could not be opened.
    The system cannot find the file specified.

    Then I typed in the bootrec /fixmbr and response was:

    the operation completed successfully.

    Then I typed in bootrec /fixboot and the response was:
    the operation completed successfully.

    I just shut down the computer. How long should I wait before I reboot?
     
  33. viviene18328

    viviene18328 Private E-2

    I restarted the computer and got the DEL and F12 thing again and didn't click on either. It went to a blinking _.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then let's retry the C: drive.

    From the command prompt, get back to the C: drive and then enter the below

    bcdedit /enum all

    Does this give the same error message?
     
  35. viviene18328

    viviene18328 Private E-2

    It gives the same error message.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! Not looking like we are going to get anywhere. Let's try the below from the C: drive

    bootrec /RebuildBCD
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh and another set of commands I want you to run from the C: prompt.

    diskpart
    list disk
    exit

    The diskpart command puts you into the diskpart program where the prompt will change.
    The list disk command should list the disk drives in your PC. The exit command exits diskpart. I want to know the output from diskpart.

    Also a couple questions:

    1) while you have been running all previous commands, has the USB drive that you were using to run FRST been plugged in or has it been unplugged?

    2) From the command prompt, what happens if you type Y: and hit enter?
     
  38. viviene18328

    viviene18328 Private E-2

    1) while you have been running all previous commands, has the USB drive that you were using to run FRST been plugged in or has it been unplugged?

    It has been unplugged.

    I have the system repair disc I made in the dvd/cd drive to be able to boot from the HL-DT-ST DVDRAM GH41N drive. I have not had the flash drive plugged in.

    Did bootrec /RebuildBCD from C drive. Got:

    Scanning all disks for Windows installations. Please wait as this may take a while...

    Successfully scanned Windows installtions.
    Total identified Window installations: 1
    [1] D:\Windows
    Add installation to boot list? Yes (Y)/No(N)/All(A)

    Do you want me to add installation to the boot list?
     
    Last edited: Jan 1, 2013
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! At this point we have nothing to lose as we are approaching the point of a reinstall.
     
  40. viviene18328

    viviene18328 Private E-2

    I typed in yes and it said:

    The volume does not contain a recognized file system. Please make sure that all required file system drivers are loaded and that the volume is not corrupted.

    Then I typed in diskpart as you said to do and it said:

    MIcrosoft DiskPart version 6.1.7601
    Copyright (C)1999-2008 Microsoft Corporation.
    On computer: MININT-3D7UR7K

    it still shows me in diskpart> with a flashing cursor
     
    Last edited: Jan 1, 2013
  41. viviene18328

    viviene18328 Private E-2

    I just entered list disk. This is what came up:

    Code:
      Disk ###  Status    Size     Free     Dyn  GPT
      Disk 0    Online    698 GB   0 B
      Disk 1    No media  0 B      0 B
      Disk 2    No media  0 B      0 B
      Disk 3    No media  0 B      0 B
      Disk 4    No media  0 B      0 B
      Disk 5    No media  0 B      0 B

    then I entered exit and I'm back at C
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, now let's run the below commands using diskpart again.

    diskpart
    select disk 0
    detail disk


    Tell me what you get.
     
  43. viviene18328

    viviene18328 Private E-2

    Disk ID: 59088479
    Type: ATA
    Status: Online
    Path: 0
    Target: 0
    LUN ID: 0
    Location Path: PCIROOT(0)#PCI(0800)#ATA(C00T00L00)
    Current Read-only State: No
    Read-only: No
    Boot Disk: No
    Pagefile Disk: No
    Hibernation File Disk: No
    Crashdump Disk: No
    Clustered Disk: No

    second part in next message
     
  44. viviene18328

    viviene18328 Private E-2

    Code:
      Volume ###  Ltr  Label        Fs    Type       Size    Status   Info
      Volume 1    C    System Rese  NTFS  Partition  100 MB  Healthy
      Volume 2    D    eMachines    NTFS  Partition  686 GB  Healthy
      Volume 3    E                 RAW   Partition  0 B     Healthy  Hidden
      Volume 3    E                 RAW   Partition  0 B     Healthy  Hidden
      Volume 4    F    PQSERVICE    NTFS  Partition  12 GB   Healthy  Hidden


    Before the first section I just gave you I selected Disk 0 and it replied: Disk 0 is now the selected disk. Sorry I didn't include that.
     
    Last edited: Jan 1, 2013
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Was there another column after the Status column that shows Info?

    The Status column has Healthy under it but Info column should show one of the volumes to be a System volume.

    Something similar to below:
    Code:
      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
      Volume 1     C   HP           NTFS   Partition    453 GB  Healthy    System
      Volume 2     D   FACTORY_IMA  NTFS   Partition     13 GB  Healthy
    
    I would expect that your 100MB partition should be marked as a System partition.
     
  46. viviene18328

    viviene18328 Private E-2

    In the info column (which moved over next to status) on volume 1, and 2 there is no information under the information column. On volume 3, 3 and 4 the info is "hidden."

    There is no System in the information column for any of the volumes.
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run the below commands:

    select partition 1
    detail partition

    Does this show volume 1 to be the 100MB partition, and does it show it as Healthy and as System?
     
  48. viviene18328

    viviene18328 Private E-2

    Okay selected partition 1 and detail partition.

    Under column Volume ### it says volume 3.
    Under Ltr it says E.
    Under Label there is nothing listed.
    Under Fs it says RAW.
    Under Type it says Partition.
    Under Size it says 0 B.
    Under Status it says healthy.
    Under Info it says hidden.
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That does not seem correct. Earlier you showed
    Thus this should be partition 1.
    Exit diskpart using the exit command and then re-enter diskpart again. Then just run a list volume command. Does it run or does it say no disk is selected?
     
  50. viviene18328

    viviene18328 Private E-2

    It does say:

    Partition 1
    Type: 27
    Hidden: Yes
    Active: Yes
    Offset in bytes: 27136

    So now I've exited and re-entered diskpart. and typed in list volume

    It gave me this:


    Volume 0 G Repair disc UDF DVD-ROM 249 MB Healthy nothing in info column

    Volume 1 C System Rese NTFS Partition 100 MB Healthy nothing in info column

    Volume 2 D eMachines NTFS Partition 686 GB Healthy nothing in info column

    Volume 3 and 4 are the same as before.

    I also have info for Volume 5-9. What I see is that Volume 5, letter H, volume 6, letter I, volume 7, letter J, volume 8, letter K and volume 9, letter L are all listed as removable types, sizes are 0B, status is no media, and there is nothing in the info column.
     
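The "Type 27" partition that Windows Defender Offline reported removing (message 9) and the hidden, active, 0 B partition 1 that diskpart later shows (message 50) are both facts recorded in the MBR partition table, which is what chaslang suspects Alureon altered (message 10). The Python script below is an added example, not code from this thread, from MajorGeeks or from Farbar: it parses a raw 512-byte MBR sector, lists the entries the way diskpart's detail partition does (active flag, type id, byte offset, size), and flags the layout seen in the thread, where the active partition is a hidden type 0x27 entry with no sectors behind it and a start offset inside the first track. Both sample tables are constructed, the function and class names are the example's own, and the sector would in practice be read from a forensic image of the disk rather than typed in.

```python
"""Parse an MBR partition table and flag the boot-table anomaly seen in the thread."""
import struct
from dataclasses import dataclass

SECTOR_BYTES = 512
MBR_SIGNATURE = 0xAA55
TABLE_OFFSET = 446            # four 16-byte entries occupy bytes 446..509
ENTRY_FORMAT = "<B3sB3sII"    # boot flag, CHS start, type id, CHS end, start LBA, sector count

# Type ids that matter here; 0x27 is the hidden NTFS type Windows uses for its
# recovery (Windows RE) partitions, the "Type 27" in the thread's output.
TYPE_NAMES = {0x07: "NTFS", 0x27: "hidden NTFS (Windows RE / recovery)"}


@dataclass
class PartitionEntry:
    index: int          # 1-based, matching diskpart's "Partition 1" numbering
    active: bool        # 0x80 boot flag, reported by diskpart as "Active: Yes"
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def offset_bytes(self) -> int:      # diskpart's "Offset in bytes"
        return self.start_lba * SECTOR_BYTES

    @property
    def size_bytes(self) -> int:
        return self.sector_count * SECTOR_BYTES

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.type_id, f"unknown 0x{self.type_id:02x}")


def parse_mbr(sector: bytes) -> list[PartitionEntry]:
    """Return the non-empty entries of one MBR sector after checking the 0x55AA signature."""
    if len(sector) < SECTOR_BYTES:
        raise ValueError("an MBR is one 512-byte sector")
    (signature,) = struct.unpack_from("<H", sector, 510)
    if signature != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{signature:04x}")
    entries = []
    for i in range(4):
        flag, _, type_id, _, start, count = struct.unpack_from(ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i)
        if type_id == 0x00:          # empty slot
            continue
        if flag not in (0x00, 0x80): # any other value means the table itself is damaged
            raise ValueError(f"entry {i + 1}: invalid boot flag 0x{flag:02x}")
        entries.append(PartitionEntry(i + 1, flag == 0x80, type_id, start, count))
    return entries


def triage(entries: list[PartitionEntry]) -> list[str]:
    """Findings a defender would want explained before trusting this disk to boot."""
    findings = []
    active = [e for e in entries if e.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly one)")
    for e in active:
        # Windows 7 boots from the ~100 MB NTFS "System Reserved" partition; an active,
        # hidden type 0x27 entry with zero sectors is the shape diskpart showed in the thread.
        if e.type_id == 0x27 and e.sector_count == 0:
            findings.append(f"partition {e.index}: active but hidden type 0x27 with 0 sectors")
    for e in entries:
        if e.start_lba < 63:         # first track is reserved for the MBR and boot code
            findings.append(f"partition {e.index}: starts at LBA {e.start_lba}, inside the reserved first track")
    return findings


def build_mbr(layout: list[tuple[bool, int, int, int]]) -> bytes:
    """Construct a sample MBR from (active, type_id, start_lba, sector_count) tuples; boot code left zeroed."""
    sector = bytearray(SECTOR_BYTES)
    for i, (active, type_id, start, count) in enumerate(layout):
        struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i,
                         0x80 if active else 0x00, b"\0\0\0", type_id, b"\0\0\0", start, count)
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)


# Constructed sample layouts (not dumps from the thread's machine).
HEALTHY_WIN7 = build_mbr([
    (True,  0x07, 2048,       204800),      # System Reserved, 100 MB, active
    (False, 0x07, 206848,     1438646272),  # OS volume, about 686 GB
    (False, 0x27, 1438853120, 25165824),    # OEM recovery, about 12 GB, hidden
])

# Constructed to mirror the diskpart output in the thread: the active partition is a hidden
# type 0x27 entry at byte offset 27136 (LBA 53) with no sectors, and System Reserved is not active.
POST_CLEANUP = build_mbr([
    (True,  0x27, 53,         0),
    (False, 0x07, 2048,       204800),
    (False, 0x07, 206848,     1438646272),
    (False, 0x27, 1438853120, 25165824),
])


def describe(entries: list[PartitionEntry]) -> list[str]:
    """One line per entry in the style of diskpart's detail partition."""
    return [f"Partition {e.index}  Type: {e.type_id:02X} ({e.type_name})  Active: {'Yes' if e.active else 'No'}"
            f"  Offset in bytes: {e.offset_bytes}  Size: {e.size_bytes}" for e in entries]


if __name__ == "__main__":
    for name, mbr in (("healthy", HEALTHY_WIN7), ("post-cleanup", POST_CLEANUP)):
        entries = parse_mbr(mbr)
        print(name, *describe(entries), "findings:", *(triage(entries) or ["none"]), sep="\n  ")
```

Run it as a script to see both tables side by side; the healthy layout produces no findings, while the constructed post-cleanup table reports the active type 0x27 entry and its sub-63 start sector. The checks are deliberately narrow: a hidden type 0x27 partition is normal on OEM machines (the PQSERVICE volume in the thread is one), so only the combination of active flag, zero size and odd placement is reported.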
