[BrianDrab]

OK, now that you are at the h:> prompt. Go ahead and type fix.bat and hit enter.

[Advertisements]

Brian,

I tried that. Please check my previous post, unless I've made a mistake...

Edited by carolinachris, 06 September 2015 - 07:41 PM.

[carolinachris]

Brian,

I tried that. Please check my previous post, unless I've made a mistake...

Edited by carolinachris, 06 September 2015 - 07:41 PM.

[BrianDrab]

previously you typed h:\fix.bat.

 

This time, now that you should be at the h:> prompt, I just want you to type fix.bat and hit enter.

[carolinachris]

OK, now that you are at the h:> prompt. Go ahead and type fix.bat and hit enter.

Brian,

 

OK, the cmd line has H:\> (not H:>) so I ran h:\>fix.bat & enter; and received this output:

 

h:\>reg delete "HKEY_LOCAL_MACHINE\Temp_Hive\ControlSet001\Control\Session Manager\Memory Management" /f /v VerifyDriverLevel

ERROR: The system was unable to find the specified registry key or value.

 

h:\>reg delete "HKEY_LOCAL_MACHINE\Temp_Hive\ControlSet002\Control\Session Manager\Memory Management" /f /v VerifyDriverLevel

ERROR: The system was unable to find the specified registry key or value.

 

h:\>reg delete "HKEY_LOCAL_MACHINE\Temp_Hive\ControlSet001\Control\Session Manager\Memory Management" /f /v VerifyDrivers

ERROR: The system was unable to find the specified registry key or value.

 

h:\>reg delete "HKEY_LOCAL_MACHINE\Temp_Hive\ControlSet002\Control\Session Manager\Memory Management" /f /v VerifyDrivers

ERROR: The system was unable to find the specified registry key or value.

 

H:\>

Edited by carolinachris, 07 September 2015 - 08:11 AM.

[BrianDrab]

Thanks. I was hoping two of those would have found something. Please type each of the following lines one at a time and hit enter after each.

 

REG ADD "HKLM\Temp_Hive\CONTROLSET001\CONTROL\CRASHCONTROL" /f /V AutoReboot /t reg_dword /d 0

REG ADD "HKLM\Temp_Hive\CONTROLSET002\CONTROL\CRASHCONTROL" /f /V AutoReboot /t reg_dword /d 0

 

Let me know if it says they were successful. Please note, not avoid confusion, after the last quotation mark there is a space then the forward slash and an f and then a space and then a forward slash and a V and then a space and then the word AutoReboot and then a space and a forward slash and a t and then a space and then the word reg_dword and then a space and then forward slash and d and then a space and then a zer0.

[carolinachris]

Brian,

 

I received:

 

"The operation completed successfully."

 

as output for both of your commands...

[BrianDrab]

Good. Let's do the remaining steps.

 

10. At the command-prompt, please copy/paste or type the following and hit enter.

reg unload HKLM\Temp_Hive

 

11. You should receive a message that it was successful.

12. Remove the USB drive and reboot your computer.

 

Let me know if you get to the desktop.

[carolinachris]

Brian,
 

f:\>reg unload HKLM\Temp_Hive

ERROR: The parameter is incorrect.

 

x:\windows\system32>reg unload HKLM\Temp_Hive

ERROR: The parameter is incorrect.

 

X:\ is the boot drive...

Edited by carolinachris, 07 September 2015 - 12:32 PM.

[BrianDrab]

Unloading the hive is not necessary since we are modifying it offline so we can skip that step. Go ahead and reboot your computer. If your computer blue screens (crashes), hopefully the crash information will stay on the screen now and not automatically reboot. That way you can record the information on the screen.

 

Reboot and let me know what happens.

 

Thanks.

[carolinachris]

Brian,

 

Do you want me to remove the USB and reset the bios to not boot with the f drive first?

 

With the USB still in, it wants to boot from the f drive and when I remove the USB (and not change the bios boot origin) it does the same as before; 

It won't boot up. It just loops over and over from the the Samsung (F2 for setup and F4 for Recovery) screen, to a black screen, then it adds a blinking curser at the top left, then it goes back to the Samsung screen.

 

Also, F8 doesn't work anymore to boot into safe mode.

Edited by carolinachris, 07 September 2015 - 05:17 PM.

[BrianDrab]

No, let's just do the following.

 

Go To Restore Point

1. Insert the USB Drive into your Sick computer.
2. Ensure the power is off on this computer.
3. Ensure that your system is configured to boot 1st from the USB Drive before your main hard drive. There are variations on how to do this depending on what machine you have
    however a couple links that show the general steps can be found here and here.
4. Once the BIOS is set to boot from the USB Drive, when you boot your machine with the USB Drive plugged in you should get a message asking you to hit any key to boot from the USB.
    Go ahead and do this.
5. The first screen that will appear should be asking for your keyboard layout. Go ahead and click Next.
6. The next screen will attempt to locate your Windows 7 Installation. If it was successful it will be highlighted and you will be able to click Next. Go ahead and do this.
7. You will have several System Recovery Options to choose from. Please click on "System Restore".

8. Click Next on the introductory System Restore screen and you should be presented with a few dates/times that you can restore to. Let me know what date/times you have available here.

[carolinachris]

Brian,

 

The restore points are:

1.  9/1/2015 8:08:52 AM - Windows Update - Install

2.  8/31/2015 5:47:18 AM - Windows 7 Service Pack 1 - Install

 

When I first started having problems I tried system restore a few times with dates back from 7/2015, but they never worked. In fact, after doing so all the restore points PRIOR to the infection were erased...

[BrianDrab]

Try going to 9/1/2015. Let's see how it goes.

[carolinachris]

Brian,

 

The restore points are:

1.  9/1/2015 8:08:52 AM - Windows Update - Install

2.  8/31/2015 5:47:18 AM - Windows 7 Service Pack 1 - Install

 

When I first started having problems I tried system restore a few times with dates back from 7/2015, but they never worked. In fact, after doing so all the restore points PRIOR to the infection were erased...

Brian,

 

So far (booting through the USB), the system recovery restore point says it completed restoring drive c successfully, but when it reboots through the USB it loops back into system recovery options again...

Edited by carolinachris, 08 September 2015 - 08:20 AM.

[BrianDrab]

OK. Not surprised. The good news is that I was able to cripple this malware on another thread I was working on so once we can boot back up I know what to do. It's a nasty one.

 

Since System Restore won't work we'll have to repair this manually. Please boot back up to the USB and get to a command-prompt. I'll provide next instructions in a few minutes.