Can't boot computer; PC is disabled after running avastclear.exe

Hello, looking for some assistance.

I was unable to open Avast or uninstall it… I was receiving a message that only the system administrator would be able to; however, I am the administrator. I was suspicious of a virus anyway, so I installed the Avast Uninstall Utility (avastclear.exe) and ran it. I clicked ‘Yes’ to restart the computer and boot into Safe Mode.

The computer never booted up and I only saw a black screen. I rebooted multiple times hitting F8 to boot up in Safe mode but nothing. The monitors (I have dual monitors on this pc) just had the light on the bezel that blinked when the PC is in sleep mode. I’ve tried connecting just a TV to the pc but no connection to the TV either. I’ve tried connecting only one monitor, swapping cables, reseating the video card to no avail.

This is a Dell desktop PC with Windows 8. Does anyone have any suggestions? Thank you in advance.

Not quite the right way to do it… Is this a 32 or 64bit system, and is it Win8 or 8.1?

Also, you will need a USB to copy some programmes to.

Thank you for the quick reply. It is a Windows 8 64 bit system.

OK I will PM the links for the RC

If windows 8 does not work I will include the 8.1 link

Download the following three programmes to your desktop :

  1. Rufus

For 64bit systems
2. Windows 8.1 64bit RC
2. Windows 8 64bit RC
3. Farbar Recovery Scan Tool x64

Insert the USB stick, then run Rufus.

https://dl.dropbox.com/u/73555776/RufusISO.JPG

Select the ISO file on the desktop via the ISO icon.

Press Start Burn

Then copy FRST to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer. First ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here

Windows 8 screen shots

When you reboot you will see this.

Select the language on this screen and keyboard on the next

https://dl.dropbox.com/u/73555776/select%20language8.JPG

Select the Troubleshoot option

https://dl.dropbox.com/u/73555776/Select%20option8.JPG

Select Advanced option

https://dl.dropbox.com/u/73555776/advanced8.JPG

Select Command prompt

https://dl.dropbox.com/u/73555776/command%208.JPG

At the command prompt type the following :

https://dl.dropbox.com/u/73555776/notepad.JPG

The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

I have downloaded the programs to a USB but the problem I’m having is trying to set to boot from the USB. When I start up my pc, I get nothing on my screen so I don’t even see a boot menu.

Are you able to access the BIOS ?

After some additional troubleshooting, I have gotten my monitors out of sleep mode and I can start up my pc again.

So going back to my original issue, when I try to open the Avast program, I receive the message:

“Your system administrator has blocked this program. For more information, contact your system administrator.”

Thanks again for your assistance.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Select additions at the bottom
- Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach both logs generated.

Logs are attached.

You have been hit by an encrypting ransomware virus

Do you have an image backup of your disc ?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION
CreateRestorePoint:
CMD: del /F /Q /S "C:\HELP_DECRYPT.HTML"
CMD: del /F /Q /S "C:\HELP_DECRYPT.PNG"
CMD: del /F /Q /S "C:\HELP_DECRYPT.URL"
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software\Avast <====== ATTENTION
HKU\S-1-5-21-2894973126-3539593760-2125796197-1001\...\Run: [Optimizer Pro] => C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe [135160 2014-01-28] (PC Utilities Software Limited)
C:\Program Files (x86)\Optimizer Pro
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-2894973126-3539593760-2125796197-1006] ATTENTION ==> Default URLSearchHook is missing.
S2 CouponarificService64; C:\Program Files (x86)\0892CCEA-3029-46F2-BD98-F3177431F5F8\xtloowpkjv64.exe [186368 2014-11-19] () [File not signed]
C:\Program Files (x86)\0892CCEA-3029-46F2-BD98-F3177431F5F8
R2 updater; C:\Program Files (x86)\mediainformationaccess\updater.exe [679936 2014-12-02] () [File not signed]
C:\Program Files (x86)\mediainformationaccess
2015-04-06 20:36 - 2014-10-11 07:57 - 00000112 _____ () C:\ProgramData\32ooCT.dat
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.

Logfiles from FRST and AdwCleaner are attached. Avast program immediately began to work after running the FRST fix. Things are looking better.

Have you lost any files to the ransomware ?

Download and run Farbar Service Scanner

https://dl.dropboxusercontent.com/u/73555776/fssscan.JPG

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Not sure…still checking to see if any files lost.

Farbar Service Scanner Version: 17-01-2015
Ran by (administrator) on 13-04-2015 at 22:07:40
Running from “C:\Users\Downloads”
Microsoft Windows 8 (X64)
Boot Mode: Normal


Internet Services:

Connection Status:

Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:

Firewall Disabled Policy:

System Restore:

System Restore Policy:

Action Center:

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:

wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Disabled. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:

Windows Defender:

WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend: “”%ProgramFiles%\Windows Defender\MsMpEng.exe"".

Windows Defender Disabled Policy:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
“DisableAntiSpyware”=DWORD:1

Other Services:

File Check:

C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****
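An added example, not part of the original thread and not Farbar's own code: a small Python triage of the FSS.txt log above that lists the services reported as stopped, the start types that differ from the Windows default, and any policy value set to a non-zero number. The function name, the regexes, and the rule that a non-zero policy DWORD counts as a finding are assumptions of this example; the sample lines are copied from the log above.

```python
import re

# Lines copied from the FSS.txt log posted above (service findings only).
SAMPLE_LOG = """\
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Disabled. The default start type is Auto.
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender]
"DisableAntiSpyware"=DWORD:1
C:\\Windows\\System32\\wscsvc.dll => File is digitally signed
"""

START_TYPE = re.compile(
    r"The start type of (?P<svc>\S+) service is set to (?P<cur>\w+)\. "
    r"The default start type is (?P<default>\w+)\."
)
NOT_RUNNING = re.compile(r"^(?P<svc>\S+) Service is not running\.")
# Accept straight or curly quotes around the value name (forum software alters them).
POLICY_VALUE = re.compile(r'^["“”]+(?P<name>\w+)["“”]+=DWORD:(?P<val>\d+)')
# Any file-check status other than "File is digitally signed" is reported.
UNSIGNED = re.compile(r"^(?P<path>.+?) => (?!File is digitally signed)(?P<state>.+)$")


def triage_fss(log_text):
    """Return the findings in an FSS log that deviate from Windows defaults."""
    findings = {"stopped": [], "start_type": [], "policy": [], "file_check": []}
    for line in (l.strip() for l in log_text.splitlines()):
        if m := NOT_RUNNING.match(line):
            findings["stopped"].append(m["svc"])
        elif m := START_TYPE.search(line):
            if m["cur"] != m["default"]:
                findings["start_type"].append((m["svc"], m["cur"], m["default"]))
        elif m := POLICY_VALUE.match(line):
            if int(m["val"]) != 0:  # assumption: non-zero means the policy is set
                findings["policy"].append((m["name"], int(m["val"])))
        elif m := UNSIGNED.match(line):
            findings["file_check"].append((m["path"], m["state"]))
    return findings


if __name__ == "__main__":
    for kind, items in triage_fss(SAMPLE_LOG).items():
        print(kind, items)
```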

Did you turn off Windows updates and security centre?

How is the computer behaving now?

I did not turn off Windows updates; however, I have fixed it and turned on Windows updates. The computer has been behaving fine.

I did notice that I am unable to open pictures & videos saved on my pc. In each of the folders, there is a HELP_DECRYPT-Notepad.

Unfortunately there is no way to recover them. Any further problems?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CMD: del /F /Q /S "C:\HELP_DECRYPT.txt"
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

That's all I see right now. Log generated has been attached.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
Click the very large Download button.
Click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open, click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire and forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Appreciate all of your help. Thanks again!!!

:slight_smile: