Hi,

Just got a client’s laptop in the office.
It is installed with Windows 7.
The problem is that a white screen popup is covering the whole desktop.
Desktop is shown in fail safe boot.

Need help cleaning it up.

BR
John

Hi, as you can access safe mode, could you run the following programme?

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please copy and paste log back here.
[*]The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Hi,

I was wrong, in fail safe, the pc reboots itself.

BR
John

Do you have the recovery console installed on the system…

On the safe mode menu will be the option "Repair my computer".
If that option is not present, do you have a Windows 7 CD?
If no CD, let me know and I will provide a link for the ISO and instructions on how to create it.

Is this a 32 or 64-bit system?

Hi,

I managed to enter a command prompt under the repair menu.
The version is 6.1.7600 (is that 64-bit?)

BR
John

OK, unfortunately that will not help, so you will need to download both the 32 and the 64-bit versions to the USB.

So download FRST, both 32 and 64-bit, to a USB: Farbar Recovery Scan Tool

Using the recovery console, go to the command prompt.

At the command prompt type the following:

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe (FRST.exe for the 32 bit version) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.

https://dl.dropbox.com/u/73555776/FRST%20Start%20scan.gif

Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.

I was able to run the program from the repair menu command prompt.
Is the log useful, or do I have to run the tool again from a recovery console from the Win CD?

BR
John

Nope, that is good enough to work with.

Download the attached fixlist.txt to the same usb as FRST
Run FRST as before then press Fix
On completion reboot to normal windows

THEN

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Select LOP and Purity
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

OTL logs…

That does not look too bad, are you experiencing any problems?

I don’t think so, it is not my own laptop, it is from a client, but everything seems fine now…

BR
John

Could you zip the FRST quarantine folder please and upload to a file sharing site for me to collect, as you had a new variant?

Here you go.
https://dl.dropboxusercontent.com/u/21107621/FRQuarantine.zip

Thank you very much, I now have it :)

Run OTL and press the cleanup button to remove it and its associated files/folders.

And that should be it all?

BR
John

Unless you have any further problems … I am now submitting the undetected parts of this malware to Avast

Great.
And once again you saved one of my clients, you are the best.

BR
John

My pleasure :)