Ransomware leads to endless boot loop

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi,
I will be taking over your thread as Fiery will be away for the next couple of days.


Please follow these steps to do a repair installation. Steps here

If you are getting a different screen please don't proceed further. It may be because of a different version of the Windows XP CD you have....
 

geezermetal

New Member
Thread author
Verified
May 9, 2013
21
Hi Kuttus, Thanks
I do have the Windows XP Home edition CD (and that's what my PC is/was running) so that is the setup screen I am getting. Can I proceed with that?
 

geezermetal

New Member
Thread author
Verified
May 9, 2013
21
OK - following instructions I got to the screen after the user agreement but it was different than the instructions. As with everything except the Kaspersky rescue disk - the XP install CD doesn't recognize Windows on my C drive. (Actually Kaspersky didn't recognize Windows but finally could get to a point of seeing C and D and letting me access the files but not start Windows.) Hopefully the attachment comes through with a photo of the screen. Did the malware somehow delete my file directory table? Some critical, deep part of Windows startup has been wiped out it appears - but that's beyond my knowledge.

[attachment=4576]
 

Attachments

  • IMG_7773 - small.JPG

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Download and burn Partition Wizard Boot Disc.

  • Boot the infected machine from the CD you just burned.
  • Press Enter to choose Boot from Partition Wizard Boot Disc.
  • Be patient and wait.
  • On the left panel select Partition Recovery Wizard.
  • On the first screen, click Next.
  • Select your hard drive, then click Next.
  • On the next two screens don't change anything, just click Next.
  • Now the most important part:
    • Select only 100MB partition (Windows 7 files are on hidden partition) and your partition/s - look the size column.
  • Click Finish.
  • Click on the disk, then on the left panel choose Rebuild MBR.
  • Click Apply at the top.
  • When done, click X in the upper right corner to reboot. Remove the Partition Wizard Boot Disk.
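
For readers following the Rebuild MBR step above, this is an added example, not part of the original posts or of Partition Wizard: a read-only Python check of a saved 512-byte copy of disk sector 0 that reports a missing boot signature, an empty table, a wrong number of active partitions, or overlapping entries. The file path argument and the two-partition sample layout are assumptions constructed for illustration.

```python
import struct
import sys

SECTOR = 512
TYPES = {0x05: "Extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)"}

def parse_mbr(sector):
    """Return (partitions, problems) for a 512-byte copy of disk sector 0."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    problems, parts = [], []
    if sector[510:512] != b"\x55\xaa":
        problems.append("missing 0x55AA boot signature")
    for i in range(4):  # four 16-byte entries start at offset 446
        entry = sector[446 + 16 * i:462 + 16 * i]
        status, ptype = entry[0], entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0:  # unused slot
            continue
        if status not in (0x00, 0x80):
            problems.append(f"entry {i + 1}: invalid status byte 0x{status:02x}")
        parts.append({"index": i + 1, "active": status == 0x80,
                      "type": TYPES.get(ptype, f"0x{ptype:02x}"),
                      "start": start, "sectors": count})
    active = sum(p["active"] for p in parts)
    if not parts:
        problems.append("partition table is empty")
    elif active != 1:
        problems.append(f"{active} active partitions, expected 1")
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            problems.append(f"entries {a['index']} and {b['index']} overlap")
    return parts, problems

def build_sample(entries, signature=b"\x55\xaa"):
    """Constructed sector; entries are (status, type, start_lba, sectors)."""
    table = b"".join(struct.pack("<B3sB3sII", s, b"", t, b"", lba, n)
                     for s, t, lba, n in entries)
    return bytes(446) + table.ljust(64, b"\0") + signature

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a saved copy of sector 0 (assumed)
        with open(sys.argv[1], "rb") as f:
            data = f.read(SECTOR)
    else:  # constructed two-partition layout, not taken from the thread
        data = build_sample([(0x80, 0x07, 63, 204800), (0x00, 0x07, 204863, 409600)])
    parts, problems = parse_mbr(data)
    for p in parts:
        print(p)
    print("problems:", problems or "none")
```
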
 

geezermetal

New Member
Thread author
Verified
May 9, 2013
21
Thanks Kuttus, I'll try this - one quick check - you said "Windows 7 files are on hidden partition" - I am trying to recover Windows XP, does that change anything?
 

geezermetal

New Member
Thread author
Verified
May 9, 2013
21
kuttus said:
No..... You can proceed..

Kuttus,
My partition recovery choices looked different than your example: you said,

"Now the most important part:
Select only 100MB partition (Windows 7 files are on hidden partition) and your partition/s - look the size column."

and so I don't want to get this wrong. Attached is a screen pic of my two choices. Thanks
 

Attachments

  • IMG_7774.JPG

geezermetal

New Member
Thread author
Verified
May 9, 2013
21
OK, I ran the partition wizard, it appeared to complete its task OK, but when I tried to boot normally there was no difference, I am still in an endless boot loop that gets as far as the black screen to "Start Windows Normally" then it resets and begins again. I tried the full scan in the partition wizard but no change. I went back to try some of the previous methods in case the partition wizard helped but no luck. The Recovery Console on the PC still led to a BSOD, the XP installation disks still said there was an error when enumerating the C drive, and Insert said for sda1: "Attempting to correct errors...FAILED Failed to startup volume: Invalid argument Volume is corrupt. You should run chkdsk". Interestingly for sda2 it failed to mount the volume but went on to correct and say that partition was processed successfully. All of these responses to the previous repair methods are identical except perhaps the results for Insert (can't recall for sure) which is why I added in the detail in case it helps.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Let's create a bootable HitmanPro Rescue Disk and run a scan:

STEP 1: Create a HitmanPro.Kickstart USB flash drive

  1. While you are using a "clean" (non-infected) computer, download HitmanPro from the link below.
     HITMANPRO DOWNLOAD LINK: http://www.surfright.nl/en/hitmanpro/ (This link will open a download page in a new window from where you can download HitmanPro)
  2. Insert your USB flash drive into your computer and then follow the instructions from the video below:
     http://www.youtube.com/embed/aBS902Qr0oc?rel=0

STEP 2: Remove infection with HitmanPro.Kickstart

  1. After you have created the HitmanPro.Kickstart USB flash drive, you can insert this USB drive into the infected machine and start your computer.
  2. Once the computer starts, repeatedly tap the F11 key (on some machines it's F10 or F2), which should bring up the Boot Menu; from there you can select to boot from your USB.
     Next, you'll need to perform a system scan with HitmanPro as seen in the video below:
     http://www.youtube.com/embed/lUNHidkYsDQ?rel=0

geezermetal

New Member
Thread author
Verified
May 9, 2013
21
kuttus said:
Let's create a bootable HitmanPro Rescue Disk and run a scan:

Tried it but it would not run - I got the error shown at the top of the screen in the attachment - couldn't open drive when it tried to boot.

[attachment=4672]
 

Attachments

  • IMG_7775.JPG

geezermetal

New Member
Thread author
Verified
May 9, 2013
21
I did and that screenshot was the result. For some reason it put the response message at the top of the screen instead of the bottom. So to be clear - I get the "USB boot options 1, 2, or 3 Please enter your choice" display, I hit "1" and it says "HitmanPro.Kickstart booting, MBR Read", churns for a few seconds, then gives the three-line error message shown at the top of the screen starting with "Couldn't open drive..."
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay.. Boot your computer from the Windows XP disk and select the option Repair using Recovery Console...

You will get a black Command Prompt window in the Recovery Console.... In that one, type the following command and hit Enter.....

sfc /scannow /offbootdir=d:\ /offwindir=d:\windows

If this one is not working, try

sfc /scannow /offbootdir=c:\ /offwindir=c:\windows

After that you need to do this step also

chkdsk c: /r
 

geezermetal

New Member
Thread author
Verified
May 9, 2013
21
It says it does not recognize the sfc command. When I type help to see a list of available commands, sfc is not there. I am using the Windows XP SP3 disk. (Note - I did try the full string you listed, but when I got the error message I tried just the command.)

[attachment=4687]
 

Attachments

  • IMG_7776-001.JPG

geezermetal

New Member
Thread author
Verified
May 9, 2013
21
Oh no! I really wanted to do everything possible to save this - and it seems so close! If the sfc command is part of the Win XP command set why isn't it on my install disks - do I need a newer version - or is there some other way to get this command onto my boot disk? Is there some other way to manually find and replace bad Windows elements? We have been trying so long I don't want to give up now...
 
