Okay, so someone who works at my university brought their laptop to my instructor, and to sort of test us my instructor asked if anybody in the class wanted to work on it. I jumped on the chance, and I have no idea what the hell is wrong with this thing.
When I boot it up, [B]POST runs with no trouble[/B], [B]Windows 7 loads just fine[/B], and [B]as soon as the user account is logged in[/B], there is [B]nothing but a white (sometimes black) screen with the mouse cursor[/B]. On a hunch I pushed [B]Ctrl+Alt+Del[/B] and [B]logged the user off[/B]. Sure enough, I was able to[B] see the interactive desktop[/B]. An instant later, I saw a [B]message prompting to force close[/B] a running application, but it went by way too fast.
I created a [B]Hiren's boot CD[/B], booted into Windows XP mode and[B] scanned with MBAM[/B]. It detected several infections and cleaned them, but the [B]problem was still there[/B]. I attempted to boot into [B]Safe Mode[/B] to run a scan, but as soon as Windows booted into Safe Mode, the system [B]shut down[/B] almost instantaneously. [B]I tried Safe Mode with Command Prompt, and that seemed to work just fine, [/B]so apparently, this problem only occurs [B]when[/B] [B]explorer.exe is running.[/B]
I then booted into [B]Windows RE[/B], and attempted a [B]startup repair[/B]. The startup repair [B]could not find any problems[/B], and it suggested a [B]system restore[/B]. I tried this option as well. Before the system restore could finish, it [B]encountered an unexpected error[/B] and I was prompted to send an error report. I rebooted the laptop, and performed the same task of logging the user off. This time, I [B]managed to push Cancel on the prompt[/B]. This stopped the log off process and I [B]was able to use the computer normally[/B]. Assuming it was a [B]startup program[/B] causing issues, I performed a [B]clean boot[/B], and after that I was [B]incapable of restoring control over the interactive desktop[/B] after a reboot.
Seeing as how I was pretty much out of options, I hooked up an external hard disk, booted into Windows PE, and prepped for a wipe-and-load migration. Tomorrow, I am going to perform a fresh install of Windows 7, and migrate all the files back over.
Before I do this, I was wondering if any of you had any ideas on how I could still salvage this. I've exhausted all possible options that I can think of. Mind you, I did extensive googling of this issue, and most people managed to fix it by opening task manager at the unresponsive white screen and running explorer.exe. However, this is not an option for me. Task Manager simply won't launch. When I had control over the desktop, I checked the Event Viewer and sure enough, there were log entries stating that taskmgr.exe failed to open.
The cause of that white screen is one of those ransomware applications, I've seen it before. The reason the screen is white is because the ransomware can't connect to the server it needs to show its crap. They're a real pain to remove and MBAM can't get rid of it by itself. You'll need to use one of those antivirus live CDs to scan the drive. The same ransomware that's causing the white screen also makes Windows shut down when you try to start it in safe mode.
I forgot which one I used to clear the problem, but I think it was the KAV LiveCD. IIRC it took several hours to install new definitions before it scanned anything: [url]http://support.kaspersky.com/4162[/url]
Thanks for posting a solution. This has been bothering me all week. I'll try this out when I'm in class tomorrow. I'll let you know if your solution works.
Also, something else I noticed. I believe that this particular ransomware infection is encrypting files. All data backups seem to hang indefinitely around 0.03/0.06GB, with the "estimated time remaining" clock going into thousands of hours. The only time it didn't was when I bit the bullet and decided to use xcopy to pick specific files and folders. (To confirm this theory I ran a diskcheck, and everything went by just fine. The hard drive itself seems to be in perfect working order, with the exception of some fragmentation.)
[editline]24th July 2013[/editline]
Is there any way that I can download and install the updated definitions for this without actually servicing a computer? I'd like to have a copy of it ready to go before I go into class tomorrow. I don't want to waste all class period waiting for it to update.
Safe mode with networking?
[QUOTE=haloguy234;41580966]Also, something else I noticed. I believe that this particular ransomware infection is encrypting files. All data backups seem to hang indefinitely around 0.03/0.06GB, with the "estimated time remaining" clock going into thousands of hours. The only time it didn't was when I bit the bullet and decided to use xcopy to pick specific files and folders. (To confirm this theory I ran a diskcheck, and everything went by just fine. The hard drive itself seems to be in perfect working order, with the exception of some fragmentation.)[/QUOTE]
This can happen for two reasons.
1) The hard drive is failing (bad sectors, trouble reading, or the connector is loose).
2) Volume Shadow Copy.
VSC is probably the shittiest backup software I've ever seen. VSC is responsible for system restore points and writes older copies of files to a hidden system directory on the root drive. Basically, the reason scanning/copying/defragging files takes years is that VSC writes [B]thousands[/B] of tiny files (1-4 kb) that take up to 30% (sometimes more) of the drive. You can remove VSC backups, but you need access to an administrative command prompt on the machine.
If you want to disable VSC, you need to get into an administrative command prompt like I said and type the following:
vssadmin Resize ShadowStorage /for=C: /on=C: /MaxSize=4G
This removes nearly all of the VSC backups and limits the volume shadow copy to 4 GB of drive space, which fixes nearly all of the painfully slow disk access problems.
[editline]24th July 2013[/editline]
[QUOTE=haloguy234;41580966]Is there any way that I can download and install the updated definitions for this without actually servicing a computer? I'd like to have a copy of it ready to go before I go into class tomorrow. I don't want to waste all class period waiting for it to update.[/QUOTE]
There might be a way to store the updates or update it beforehand, but I haven't tried because I've never used the recovery CD more than once. There may be some forum post somewhere on the kaspersky forum about how to do it.
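As an added example (not from the thread), the following PowerShell inspects how much shadow storage each volume is actually using before applying the cap the post above describes with vssadmin Resize ShadowStorage. The function names are hypothetical; it assumes an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example, not part of the original thread. Run from an elevated prompt.
# Win32_ShadowStorage reports VSS usage per volume; Win32_Volume gives capacity.

function Get-ShadowStorageReport {
    # Map volume DeviceID (\\?\Volume{...}\) to drive letter and capacity once.
    $volumes = @{}
    Get-CimInstance -ClassName Win32_Volume | ForEach-Object { $volumes[$_.DeviceID] = $_ }

    Get-CimInstance -ClassName Win32_ShadowStorage | ForEach-Object {
        $for = $volumes[$_.Volume.DeviceID]      # volume being shadowed
        $on  = $volumes[$_.DiffVolume.DeviceID]  # volume holding the diff area
        [pscustomobject]@{
            ForVolume   = $for.DriveLetter
            OnVolume    = $on.DriveLetter
            UsedGB      = [math]::Round($_.UsedSpace / 1GB, 2)
            AllocatedGB = [math]::Round($_.AllocatedSpace / 1GB, 2)
            MaxGB       = [math]::Round($_.MaxSpace / 1GB, 2)
            PctOfDisk   = [math]::Round(100 * $_.UsedSpace / $on.Capacity, 1)
        }
    }
}

function Limit-ShadowStorage {
    # Cap the shadow storage that $For keeps on $On, but only when the used
    # space exceeds $ThresholdPct of the diff-area volume.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$For = 'C:', [string]$On = 'C:',
        [double]$ThresholdPct = 10, [string]$MaxSize = '4G'
    )
    $entry = Get-ShadowStorageReport | Where-Object { $_.ForVolume -eq $For -and $_.OnVolume -eq $On }
    if (-not $entry) { Write-Warning "No shadow storage found for $For on $On"; return }
    if ($entry.PctOfDisk -lt $ThresholdPct) {
        Write-Host "Shadow copies use $($entry.PctOfDisk)% of $On; below threshold, leaving as is."
        return
    }
    # Same operation the post describes; -WhatIf prints it instead of running it.
    if ($PSCmdlet.ShouldProcess("$For on $On", "vssadmin Resize ShadowStorage /MaxSize=$MaxSize")) {
        vssadmin Resize ShadowStorage /for=$For /on=$On /MaxSize=$MaxSize
    }
}

Get-ShadowStorageReport | Format-Table -AutoSize
Limit-ShadowStorage -For 'C:' -On 'C:' -WhatIf
```

Shrinking the store discards the oldest shadow copies first, and on a machine where ransomware is suspected of encrypting files those copies may hold the only pre-encryption versions of the user's data, so image the disk or export what you need before capping.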
[QUOTE=djjkxbox360;41582183]Safe mode with networking?[/QUOTE]
Safe mode doesn't work, the ransomware forces the machine to shut down when you try and enter safe mode.
[QUOTE=GiGaBiTe;41582192]This can happen for two reasons.
1) The hard drive is failing (bad sectors, trouble reading, or the connector is loose).
2) Volume Shadow Copy.
VSC is probably the shittiest backup software I've ever seen. VSC is responsible for system restore points and writes older copies of files to a hidden system directory on the root drive. Basically, the reason scanning/copying/defragging files takes years is that VSC writes [B]thousands[/B] of tiny files (1-4 kb) that take up to 30% (sometimes more) of the drive. You can remove VSC backups, but you need access to an administrative command prompt on the machine.
If you want to disable VSC, you need to get into an administrative command prompt like I said and type the following:
vssadmin Resize ShadowStorage /for=C: /on=C: /MaxSize=4G
This removes nearly all of the VSC backups and limits the volume shadow copy to 4 GB of drive space, which fixes nearly all of the painfully slow disk access problems.[/QUOTE]
Okay cool, thanks. I am aware of the Volume Shadow Copy service but I didn't know it could cause that much of an impact.
Your recommended solution worked perfectly. I'm marking this thread as solved. Thanks for your help.