
Hacker fixed his wagon

Status
Not open for further replies.

Ngolem

Programmer
Aug 23, 2001
CA
My friend got sucked in by the fake Microsoft service company from India when they phoned him saying his computer was sending out an alarm. Of course, he told me about it the next day after he agreed to pay the $250 and then did not wire the money. He said he was OK and the computer ran fine. Well, they retaliated by entering his computer again the next day and now when he tries to boot the computer (even in safe mode) the moment it tries to boot Windows XP Pro the computer shuts down... now he calls me over {sigh}

I am not that familiar with XP Pro and the only thing I can think it could be is that they replaced the XP equivalent of Autoexec.bat with a line to shut down the computer immediately.

That is the guess on my part. Any ideas on how to fix this thing... the computer is an old Toshiba laptop with a CD-ROM available... I tried to do a fresh install of XP Home Edition but as I said it shuts down as soon as it starts to do this. How can I help him? Other than smacking him upside the head for doing something dumb :)

Jim Broadbent

 
If your friend has nothing important on the disk,

1) Block access from external ports on your router
2) Get a copy of DBAN from
3) Create a CD and wipe his disk using DBAN
4) Install XP
5) Create 2 users - one admin and one local. Tell him to only use the admin for installing and to always use the local.
 
Don't give up and format. That way, the creeps win.

Create and boot from a BartPE disk or the Ultimate Boot CD for Windows and then you can edit the registry of the hard drive and see what is in the following locations. Wipe out any bad stuff that might be there (i.e. trying to run or shut down the PC).

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs


OR

You could manually restore the registry files when you have booted up to one of those CDs from a date BEFORE the problem happened using the following method. Much LESS complicated than it looks. Some content taken from this site, though now you have to log in to view. Link

You can use the CMD prompt from BartPE or Ultimate Boot CD for Windows to do this, though the GUI file explorer tool is much easier for copying the files with the long file names.
• Navigate to the C:\Windows\System32\config folder. You can use the command cd C:\Windows\System32\config
• You can use the dir command to see a listing of the files in the directory.
• Rename your corrupted registry files. I would rename all of them and replace all of them.
rename SYSTEM SYSTEM.bak
rename SAM SAM.bak
rename SECURITY SECURITY.bak
rename DEFAULT DEFAULT.bak
rename SOFTWARE SOFTWARE.bak

Inside the C:\System Volume Information folder you will see another hidden folder named something like _restore{C6E9847C-AEF5-4523-BE1B-5E7A365553E6}. Open it and view everything by date modified. Each of the folders (labelled RP followed by a number) is a different restore point from which to restore. Choose a folder you would like to restore from and open it. Each RP* folder is different, except for a snapshot folder. Open the snapshot folder and you will see several registry files.

Copy the following files from the folder:

_REGISTRY_USER_.DEFAULT
_REGISTRY_MACHINE_SECURITY
_REGISTRY_MACHINE_SOFTWARE
_REGISTRY_MACHINE_SYSTEM
_REGISTRY_MACHINE_SAM

Browse to \Windows\System32\config on the corrupted HDD. Paste these files into this folder. Now rename the files to:

DEFAULT
SECURITY
SOFTWARE
SYSTEM
SAM

REBOOT - All is well.


"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares."
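Both procedures in this reply (checking the autostart keys on the offline disk, and putting the snapshot hives from a restore point back in place) as one script. This is an added example, not code from the thread or from BartPE/UBCD4Win. It assumes the damaged XP install is mounted offline as C: from a BartPE or UBCD4Win command prompt, the XP-style profile path with a placeholder user name, and that reg.exe is on the boot CD. Two things go beyond the reply: the `inspect` mode also reads the Winlogon Shell/Userinit values, which run before the Run keys, and `restore` defaults to the most recently modified RP folder unless you name one on the command line (the reply is right that you want one dated before the tampering, so check the date first):

```batch
@echo off
rem Added example, not from the thread. Offline XP disk mounted as C:.
rem   offlinereg.bat inspect          read-only view of the autostart locations
rem   offlinereg.bat restore [RPnn]   copy a restore point's snapshot hives into place
rem Placeholders to adjust: drive letter, profile name USERNAME_HERE.
setlocal
set CFG=C:\Windows\System32\config
set SVI=C:\System Volume Information
set NTUSER=C:\Documents and Settings\USERNAME_HERE\NTUSER.DAT

if /i "%~1"=="inspect" goto :inspect
if /i "%~1"=="restore" goto :restore
echo usage: %~nx0 inspect ^| restore [RPnn]
goto :eof

:inspect
rem Mount the offline hives under temporary keys so reg.exe can read them.
reg load HKLM\OffSoft "%CFG%\SOFTWARE" >nul || (echo cannot load SOFTWARE hive & goto :eof)
reg load HKLM\OffUser "%NTUSER%" >nul || (echo cannot load NTUSER.DAT & goto :unload)
echo === HKLM Run / RunOnce ===
reg query HKLM\OffSoft\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\OffSoft\Microsoft\Windows\CurrentVersion\RunOnce
echo === HKCU Run / RunOnce (from the user's NTUSER.DAT) ===
reg query HKLM\OffUser\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\OffUser\Software\Microsoft\Windows\CurrentVersion\RunOnce
echo === AppInit_DLLs (normally empty on XP) ===
reg query "HKLM\OffSoft\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
echo === Winlogon Shell / Userinit (run before the Run keys; not in the thread) ===
reg query "HKLM\OffSoft\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\OffSoft\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
rem An entry that runs shutdown.exe at logon matches the symptom in the thread.
echo === Run/RunOnce entries mentioning shutdown ===
reg query HKLM\OffSoft\Microsoft\Windows\CurrentVersion\Run /s | findstr /i "shutdown"
reg query HKLM\OffSoft\Microsoft\Windows\CurrentVersion\RunOnce /s | findstr /i "shutdown"
reg query HKLM\OffUser\Software\Microsoft\Windows\CurrentVersion\Run /s | findstr /i "shutdown"
:unload
reg unload HKLM\OffUser >nul 2>&1
reg unload HKLM\OffSoft >nul 2>&1
goto :eof

:restore
set RESTORE=
for /d %%R in ("%SVI%\_restore*") do set RESTORE=%%~fR
if not defined RESTORE (echo no _restore folder under "%SVI%" & goto :eof)
rem Use the RP named on the command line, otherwise the most recently modified one.
set RP=%~2
if defined RP goto :copy
for /f "delims=" %%P in ('dir /b /ad /o-d "%RESTORE%\RP*"') do if not defined RP set RP=%%P
:copy
if not defined RP (echo no RP* restore points found & goto :eof)
set SNAP=%RESTORE%\%RP%\snapshot
if not exist "%SNAP%\_REGISTRY_MACHINE_SYSTEM" (echo "%SNAP%" has no registry snapshot & goto :eof)
echo restoring hives from "%SNAP%"
rem Keep the suspect hives as *.bak (the rename step above) rather than deleting them,
rem and refuse to run twice so an earlier backup is never overwritten.
for %%H in (SYSTEM SAM SECURITY DEFAULT SOFTWARE) do (
    if exist "%CFG%\%%H.bak" (echo %%H.bak already exists, stopping & goto :eof)
    if exist "%CFG%\%%H" ren "%CFG%\%%H" %%H.bak
)
copy /y "%SNAP%\_REGISTRY_MACHINE_SYSTEM"   "%CFG%\SYSTEM"   >nul || goto :copyfail
copy /y "%SNAP%\_REGISTRY_MACHINE_SAM"      "%CFG%\SAM"      >nul || goto :copyfail
copy /y "%SNAP%\_REGISTRY_MACHINE_SECURITY" "%CFG%\SECURITY" >nul || goto :copyfail
copy /y "%SNAP%\_REGISTRY_USER_.DEFAULT"    "%CFG%\DEFAULT"  >nul || goto :copyfail
copy /y "%SNAP%\_REGISTRY_MACHINE_SOFTWARE" "%CFG%\SOFTWARE" >nul || goto :copyfail
echo hives restored; reboot from the hard disk
goto :eof
:copyfail
echo copy failed; the original hives are still in "%CFG%" as *.bak
goto :eof
```

Run `inspect` first and read the output before touching anything: a Run entry pointing at shutdown.exe can simply be deleted with the boot CD's registry editor, which is less invasive than swapping all five hives. System Volume Information is ACL-protected on NTFS, which is why this has to be done from the boot CD (BartPE runs as SYSTEM) rather than from a limited account. The restore path copies the hives as they are, so a restore point made after the tampering gives you the same problem back; pass an older RPnn explicitly in that case.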
 