I ran power eraser on my Vaio because it had a google redirect virus based on an article in PC magazine. It removed a few files (I did not record what these files were), and now the computer will not reboot in any boot mode. I ran FRST64.exe. The log is attached. What do I do next?
Hi,
please try this first:
1. Before the Windows logo press F8 until you see a list
2. On that list find the option Restore to the last good configuration
3. Hit enter on that
Now windows should restore itself to the last working state if there's a good system restore point.
If this does not work, you can try a very similar, but better restore method which is available on the Windows 7 setup DVD:
When the setup is loaded on the first screen there's an option to Repair your computer. Click on that and try out the system restoring function of it.
Let us know the results.
PapauZ,
That doesn't work as B_Chicago found out and then I had to script to stop windows loading the startup repair and System Restore after I broke the infection and repaired.
Don't try things people have found don't work and make things harder.
Quads
System restore did not help, nor could I boot in safe mode, debug mode or any other mode.
Greg Ward
a) what made you use NPE, did Norton detect anything??
b) due to doing other procedures your previous log is now null and void as things have been done since.
Quads
The computer had (has) a google redirect virus. I ran all the regular norton utilities and scans and the problem persisted. I read on a google blog and a PC mag article that norton power eraser could remove such malware that the regular norton utilities would not be able to remove. So, since I have norton utilities and trust it, I decided to give it a try. I realize now that I was way too casual about running it.
Power eraser came back highlighting 3 files. It claimed it was going to repair at least one of them and remove one or two. I made no record of which files, which was a mistake. Norton power eraser first created a restore point before it removed the files so I thought I was covered. When I tried to recover from this point (and a previous point as well) it failed. No attempt to boot the computer in any mode has been successful. System restore has not helped. The computer memory and disk checks all indicate the hardware is fine.
It fails during boot up at the same place every time. Windows is about to launch, and then a quick blue screen flash that is too quick to read, and then the system tries to boot up in repair mode. Repair mode runs but cannot fix the problem.
So, here I am. Since I saw similar posts here that were ultimately successful I thought this was my chance to get the computer running again.
Is there a log somewhere I can access of what NPE did?
Thank you,
Greg
Because of " System restore did not help, nor could I boot in safe mode, debug mode or any other mode." since you did the FRST.txt log, I need you to make a new FRST log, to look for any small changes that I may have to stop first before going in for the Kill (so to speak).
I do see what's wrong (well at least half of it).
People like me, run Malware on our systems to see what happens and also take note of what happens when others on the web do this or that and end up with like "Windows doesn't boot" problems and why the cause, also then take note of what has been tried even a month or more ago and find it useless so remember that.
I will await a new FRST.txt.
Quads
OK. Here the new file is attached.
Thank you,
Greg
This won't get your PC to boot yet, just to get more info and to remove some items
Download the fixlist.txt
Save it in the Flash Drive, next to FRST.exe
Run FRST as you did before, except that this time around, click on the Fix button and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
To others:-
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Quads
Attached is the fixlog file.
Thank you,
Greg
New script attached
Quads
It just booted up perfectly. Thank you so much.
I'm not sure if you want the new fixlog file, but it is attached.
Is there anything else that needs to be done to address the original problem, or does this take care of it?
Thank you again,
Greg Ward
All I did was stop what I didn't want to start, then get Windows to boot again, no other bits that might be left over.
In NPE's history what did it remove??
Download TDSSkiller from http://support.kaspersky.com/faq/?qid=208280684
Click on the TDSSkiller.exe link on that site to download and run. In the change parameters select Detect TDLFS file system, click OK and scan.
Don't have it fix anything, just see if it detects anything.
Quads
TDSSKiller found no threats.
Where would I find the NPE history file. I have searched, but found nothing.
Thank you,
Greg
Start NPE, at the main window go to History. Look at the repair point and click Next, it will show what was removed.
You can click on the Link for each item to see the exact file path.
Do Not Run a scan or Undo.
You can also remove / delete from the flash drive the files etc. to do with FRST.
Quads
The history says it removed:
Oasis2serice.exe
PhysicalDrive0
rikvm 9EC60124.sys
Thanks,
Greg
OK, NPE (with FixTDSS inside) detected the boot sector thinking I would say that it thought it's TDL4 that it was designed for. Except it looks like you had Boot.Pihar which is NOT TDL4 but a mod or clone. So incorrect cleaning and BOOM can't start Windows. NPE is not designed for Pihar and the BCD.
Now a good second free scanner to go with Norton is Malwarebytes (MBAM) Free (no realtime protection) use that.
Other than if MBAM finds anything, you are then Solved and free to go.
Quads
Malware bytes found no threats.
Thank you so much for working on this. It is a brand new computer and I am really happy to have it working again.
Thank you,
Greg Ward
You may have to install again the Vaio messenger. (that's if you want it)
Quads
For info purposes, just found a thread where the user's system had Pihar and they downloaded FixTDSS and ran it, it fixed the redirects but caused BSOD, for this system it was every 15mins
Items noted that were created after infection,
2012-03-08 19:33:59 -------- d-----w- C:\Users\[username]\AppData\Roaming\FixTDSS
2012-03-08 19:33:58 27256 ----a-w- C:\Windows\System32\drivers\FixTDSS.sys
Quads