Inactive Acer V5-571P-6642 no boot to Bios/UEFI/Windows/USB/CD ''' Neshta A Trojan, rootkit, virus''

Neshta

TS Rookie
I had neshta A virus and used avg neshta to remove it. I wanted to make sure it was gone so I used diskpart; grabbed my acer windows 8 CD recovery. Then I switched boot in bios to legacy and boot priority to CD and reinstalled windows. During the installation I was fighting the virus. It would click, to the extent I see black dots where it clicks and kept bringing up OSK and randomly typing. Previously the laptop upgraded to windows 10 and used UEFI. Neshta A is a UEFI rootkit. I managed to install windows, boot into safe mode and run avg Neshta removal tool. Virus seemed gone. Windows defender identified it as Neshta A Trojan Virus. The next day my laptop powered off while using it; and I get the message "no operating system found", it also gave me the Acer logo that I would get before booting into windows 10 that used UEFI. There is no grey bar at the bottom displaying f2 and f12 options now. I've tried holding the power button down to make sure it was off. I used alt+f10, f2 , f12, Del, shift+f8, holding esc,f2,or del while powering up don't work. I can't boot to bios or windows. It won't boot from USB or CD. Took ram and battery out. Held power button for over 30 seconds and let my laptop sit unplugged without battery or ram for 24 hours. Still only boots to Acer logo. Where it goes to operating system not found black screen. I can ctrl+alt+del go back to Acer screen or restart manually. What can I do to install an operating system and remove the virus?
 

Broni

Malware Annihilator
Well, since it won't boot from USB or CD there is not much I can check here.
I suggest new topic in Windows forum.
 
  • Like
Reactions: Neshta

Neshta

TS Rookie
I know on some acers ,you could function +esc + power with formatted fat32 USB and bios. To flash and install original. But I don't know or can't find the fuction. Any ideas, welcome.
 

Neshta

TS Rookie
I was able to get it to boot windows setup, from USB formatted to fat32. Used media creation tool for windows 10, and setup booted. I can't get into bios, but set up is running now, like the first time, virus present.
 

Neshta

TS Rookie
OK. Let me know where you end up. Windows installed eventually?
Windows is installed. I have run Nesta removal avg tool this time, it won't remove it. I have minimal control.when I boot to windows cmd it also is x:sources not windows/system32
 

Broni

Malware Annihilator
NOTE 1. Use another working computer to download Farbar Recovery Scan Tool and save it to USB flash drive.
NOTE 2. Install Panda USB Vaccine, or BitDefender’s USB Immunizer on GOOD computer to protect it from any infected USB device.

For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

If you are using Windows 10 If you're having problems accessing System Recovery Options create Windows 10 USB or DVD as described here: http://betanews.com/2015/07/29/how-to-download-windows-10-and-create-your-own-installation-usb-flash-drive-or-dvd/ and boot from it.

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt. To access Advanced Boot Options start and shut down computer TWICE. On third start you should see Advanced Boot Options.

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note:
    Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 
  • Like
Reactions: Neshta

Neshta

TS Rookie
Yes it's installed.
NOTE 1. Use another working computer to download Farbar Recovery Scan Tool and save it to USB flash drive.
NOTE 2. Install Panda USB Vaccine, or BitDefender’s USB Immunizer on GOOD computer to protect it from any infected USB device.

For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

If you are using Windows 10 If you're having problems accessing System Recovery Options create Windows 10 USB or DVD as described here: http://betanews.com/2015/07/29/how-to-download-windows-10-and-create-your-own-installation-usb-flash-drive-or-dvd/ and boot from it.

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt. To access Advanced Boot Options start and shut down computer TWICE. On third start you should see Advanced Boot Options.

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note:
    Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 

Neshta

TS Rookie
Sorry. I have been locked out. I wanted to update you with the steps I took. When I ran a stand alone update downloaded from windows update. My computer functions like there's no virus. Though when I go into recovery , same issue with clicking and osk. My computer is functioning now but I know the virus is still there. I will run Farbar and upload frst and addition
 

Neshta

TS Rookie
You know what. Just close the topic. I spent an hour being locked out and still can't log into these forums to give you the results. I signed up through facebook on my phone and it's not letting me log in on a computer. When I tried to reset password it says invalid captcha, but doesn't even display one. During the update it, the virus seemed stopped but once I restarted I can again do nothing. This is a horrible virus, I wish it upon no one. If someone has this problem; buy a new computer and smash your old one to peices.
 

Neshta

TS Rookie
Well. I know it's rare; but I have a uefi virus. It will always come back even after formatting drive and new installation. The last thing I'm going to try: is use the self extracting uefi bios exe from acer, and grab the fd file out of it with 7zip. Holding fn + esc and the power button for 2 seconds on my laptop, is suppose to flash and reinstall the bios if I format my USB to fat32 and copy the fd file to it. Acer support forums say anyway. Anything I do in windows, farbar, avg, gmer, neshta remover, spy hunter... won't work because the virus is burned into my bios. Windows standalone update fixed it until I reboot. It's very rare and isn't much information on how to fix it... . I'll make one last attempt here. If you know of any successful methods to remove this ; whether it fix's mine or not I would be interested in reading about it.
 

Neshta

TS Rookie
OK. I once again think I'm fixed. So just to make sure I run sfc /scannow. In my CBS log I see. Could not reproject corrupted file \??\c:\programdata\microsoft\windows\start menu\programs\administration tools\\win def firewall with advanced security.ink; source file in store is also corrupted. ( does the \??\c:\ before c: mean that my bios is still infected ... Ugh I just know Im gonna restart and all work will be lost again. So I'll leave it running until someone reply's.
 

Neshta

TS Rookie
2019-02-17 11:09:20, Info CSI 00004143 Warning: Overlap: 1 directory duplicate ownerships detected.
2019-02-17 11:09:20, Info CSI 00004144@2019/2/17:17:09:20.715 Primitive installers committed for repair
2019-02-17 11:09:20, Info CSI 00004145@2019/2/17:17:09:20.727 Primitive installers committed for repair
2019-02-17 11:09:20, Info CSI 00004146@2019/2/17:17:09:20.742 Primitive installers committed for repair
2019-02-17 11:09:20, Info CSI 00004147@2019/2/17:17:09:20.755 Primitive installers committed for repair
2019-02-17 11:09:20, Info CSI 00004148@2019/2/17:17:09:20.768 Primitive installers committed for repair
2019-02-17 11:09:20, Info CSI 00004149@2019/2/17:17:09:20.781 Primitive installers committed for repair
2019-02-17 11:09:20, Info CSI 0000414a Warning: Overlap: Duplicate ownership for directory \??\C:\Windows\SysWOW64\hu-HU in component Microsoft-Windows-Cdosys.Resources, version 10.0.17763.1, arch x86, culture [l:5]'hu-HU', nonSxS, pkt {l:8 b:31bf3856ad364e35}
2019-02-17 11:09:20, Info CSI 0000414b Warning: Overlap: 1 directory duplicate ownerships detected.
2019-02-17 11:09:20, Info CSI 0000414c@2019/2/17:17:09:20.858 Primitive installers committed for repair
2019-02-17 11:09:20, Info CSI 0000414d Warning: Overlap: Duplicate ownership for directory \??\C:\Windows\SysWOW64\pt-PT in component Microsoft-Windows-Cdosys.Resources, version 10.0.17763.1, arch x86, culture [l:5]'pt-PT', nonSxS, pkt {l:8 b:31bf3856ad364e35}
2019-02-17 11:09:20, Info CSI 0000414e Warning: Overlap: 1 directory duplicate ownerships detected.
2019-02-17 11:09:20, Info CSI 0000414f@2019/2/17:17:09:20.934 Primitive installers committed for repair
2019-02-17 11:09:21, Info CSI 00004150 Warning: Overlap: Duplicate ownership for directory \??\C:\Windows\SysWOW64\pl-PL in component Microsoft-Windows-Cdosys.Resources, version 10.0.17763.1, arch x86, culture [l:5]'pl-PL', nonSxS, pkt {l:8 b:31bf3856ad364e35}
2019-02-17 11:09:21, Info CSI 00004151 Warning: Overlap: 1 directory duplicate ownerships detected.
2019-02-17 11:09:21, Info CSI 00004152@2019/2/17:17:09:21.09 Primitive installers committed for repair
2019-02-17 11:09:21, Info CSI 00004153@2019/2/17:17:09:21.022 Primitive installers committed for repair
2019-02-17 11:09:21, Info CSI 00004154@2019/2/17:17:09:21.035 Primitive installers committed for repair
2019-02-17 11:09:21, Info CSI 00004155@2019/2/17:17:09:21.048 Primitive installers committed for repair
2019-02-17 11:09:21, Info CSI 00004156 Warning: Overlap: Duplicate ownership for directory \??\C:\Windows\SysWOW64\es-ES in component Microsoft-Windows-Cdosys.Resources, version 10.0.17763.1, arch x86, culture [l:5]'es-ES', nonSxS, pkt {l:8 b:31bf3856ad364e35}
 

Neshta

TS Rookie
2019-02-17 11:09:47, Info CSI 0000448c [SR] Verify complete
2019-02-17 11:09:47, Info CSI 0000448d [SR] Repairing 1 components
2019-02-17 11:09:47, Info CSI 0000448e [SR] Beginning Verify and Repair transaction
2019-02-17 11:09:47, Info CSI 0000448f Hashes for file member [l:52]'Windows Defender Firewall with Advanced Security.lnk' do not match.
Expected: {l:32 ml:4096 b:3e1712555149a5bae1aef79193e576d220f6513e68e2dc1029f1aa28e6d0b3d4}.
Actual: {l:32 b:9d8ebead9dd45891d097b652f6b47c3a027b10cebe4d4eb6df235ad93fa266cd}.
2019-02-17 11:09:47, Info CSI 00004490 [SR] Cannot repair member file [l:52]'Windows Defender Firewall with Advanced Security.lnk' of Networking-MPSSVC-Shortcut, version 10.0.17763.1, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
2019-02-17 11:09:47, Info CSI 00004491@2019/2/17:17:09:47.272 Primitive installers committed for repair
2019-02-17 11:09:47, Info CSI 00004492 Hashes for file member [l:52]'Windows Defender Firewall with Advanced Security.lnk' do not match.
Expected: {l:32 ml:4096 b:3e1712555149a5bae1aef79193e576d220f6513e68e2dc1029f1aa28e6d0b3d4}.
Actual: {l:32 b:9d8ebead9dd45891d097b652f6b47c3a027b10cebe4d4eb6df235ad93fa266cd}.
2019-02-17 11:09:47, Info CSI 00004493 [SR] Cannot repair member file [l:52]'Windows Defender Firewall with Advanced Security.lnk' of Networking-MPSSVC-Shortcut, version 10.0.17763.1, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
2019-02-17 11:09:47, Info CSI 00004494 [SR] This component was referenced by [l:125]'Microsoft-Windows-Client-Desktop-Required-Package031021~31bf3856ad364e35~amd64~~10.0.17763.1.5a1ca5294ee9849e5ddf690ea248c9f3'
2019-02-17 11:09:47, Info CSI 00004495 Hashes for file member [l:52]'Windows Defender Firewall with Advanced Security.lnk' do not match.
Expected: {l:32 ml:4096 b:3e1712555149a5bae1aef79193e576d220f6513e68e2dc1029f1aa28e6d0b3d4}.
Actual: {l:32 b:9d8ebead9dd45891d097b652f6b47c3a027b10cebe4d4eb6df235ad93fa266cd}.
2019-02-17 11:09:47, Info CSI 00004496 Hashes for file member [l:52]'Windows Defender Firewall with Advanced Security.lnk' do not match.
Expected: {l:32 ml:4096 b:3e1712555149a5bae1aef79193e576d220f6513e68e2dc1029f1aa28e6d0b3d4}.
Actual: {l:32 b:9d8ebead9dd45891d097b652f6b47c3a027b10cebe4d4eb6df235ad93fa266cd}.
2019-02-17 11:09:47, Info CSI 00004497 [SR] Could not reproject corrupted file \??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\\Windows Defender Firewall with Advanced Security.lnk; source file in store is also corrupted
2019-02-17 11:09:47, Info CSI 00004498@2019/2/17:17:09:47.288 Primitive installers committed for repair
2019-02-17 11:09:47, Info CSI 00004499 [SR] Repair complete
2019-02-17 11:09:47, Info CSI 0000449a [SR] Committing transaction
2019-02-17 11:09:47, Info CSI 0000449b Creating NT transaction (seq 1)
2019-02-17 11:09:47, Info CSI 0000449c Created NT transaction (seq 1) result 0x00000000, handle @0xe10
2019-02-17 11:09:47, Info CSI 0000449d@2019/2/17:17:09:47.303 Beginning NT transaction commit...
2019-02-17 11:09:47, Info CSI 0000449e@2019/2/17:17:09:47.485 CSI perf trace:
CSIPERF:TXCOMMIT;181810
2019-02-17 11:09:47, Info CSI 0000449f [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction have been successfully repaired
2019-02-17 11:11:50, Info CBS Trusted Installer is shutting down because: SHUTDOWN_REASON_AUTOSTOP
2019-02-17 11:11:50, Info CBS TiWorker signaled for shutdown, going to exit.
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: ExecutionEngineFinalize
2019-02-17 11:11:50, Info CBS Execution Engine Finalize
2019-02-17 11:11:50, Info CBS Execution Engine Finalize
2019-02-17 11:11:50, Info CBS Ending the TiWorker main loop.
2019-02-17 11:11:50, Info CBS Starting TiWorker finalization.
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: ManifestCacheFinalize
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: ExecutionEngineFinalize
2019-02-17 11:11:50, Info CBS CBS Engine already deativated
2019-02-17 11:11:50, Info CBS CBS Engine already deativated
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: ComponentAnalyzerFinalize
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: PackageTrackerFinalize
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: CoreResourcesUnload
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: SessionManagerFinalize
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: CapabilityManagerFinalize
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: PublicObjectMonitorFinalize
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: Enter vCoreInitializeLock
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: WcpUnload
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: DrupUnload
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: CfgMgr32Unload
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: DpxUnload
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: SrUnload
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: CbsEsdUnload
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: CbsTraceInfoUninitialize
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: CbsEventUnregister
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: AppContainerUnload
2019-02-17 11:11:50, Info CBS CbsCoreFinalize: WdsUnload, logging from cbscore will end.
2019-02-17 11:11:50, Info CBS Ending TiWorker finalization.
2019-02-17 11:11:50, Info CBS Ending the TrustedInstaller main loop.
2019-02-17 11:11:50, Info CBS Starting TrustedInstaller finalization.
2019-02-17 11:11:50, Info CBS Ending TrustedInstaller finalization.
 

Neshta

TS Rookie
No program is getting it. I have absolutely no control of my mouse and osk spams. Laptop is touch screen and acts like your tapping it all over.
 

Broni

Malware Annihilator
I'm not aware of any undetectable infections.
if we can't detect it how would we know there is some infection.
Your issues must be caused by something else.
 

Neshta

TS Rookie
I posted it at bleeping. Hope someone can help there. If anyone wants to follow along there; I made user account Help35