White screen

VistaKing · 14 Mar 2013

What command you trying to run ? The REGEDIT or the FRST ?

PattieO · 14 Mar 2013

Frst64

VistaKing · 15 Mar 2013

Lets see the registry first . Try this please

In the command prompt that shows
X:\Sources

Type in bcdedit | find "osdevice" include the quotes .

Note

the | is the key above Enter . Hold shift down and press the key with \ on it

Press the enter key after you input the command . It will tell you the drive letter of Windows . It might say its
os device partition=D:

ADDED

Note

You should be using the steps below in Safe Mode with Command Prompt

Open Registry inside command prompt . Type in REGEDIT and press Enter if that doesn't work type C:\Windows\System32\Regedit.exe and Navigate to

HKEY_LOCAL_MACHINE

SOFTWARE

Microsoft

Windows NT

CurrentVersion

Winlogon

In the right side of the window locate "Shell" and right click on it. Click on Modify.

Note

The default value data is Explorer.exe

If you see something else written in this window remove it and type in Explorer.exe (you can write down whatever else was written in the value data section - this is a path of the rogue execution file) - use this information to navigate to the rogue executable and remove it.

Restart the PC

PattieO · 15 Mar 2013

It isn't recognizing it an I am getting the same error message. I did get the D for the partition. Did you want me to try the other way that you were talking about in bold or was that just for shawn77.

VistaKing · 15 Mar 2013

Ok if you got the command saying its D . Type this command then
CD D:\Windows\System32\Regedit.exe see if that will open up the registry .

PattieO · 15 Mar 2013

That didn't work the response says "The system cannot find the path specified" I need to stop for tonight. Is it ok to stop at this point and try again tomorrow? I really appreciate all of the hard work you have put into helping me out.

VistaKing · 15 Mar 2013

Ok and you're welcome . Hopefully you're pressing the F8 to get to the command prompt and not the installation disc .

shawn77 · 15 Mar 2013

Hi Vistaking

Let me explain to you regarding ransomwares.Ransomware hooks entries in multiple locations.Winlogon and Run keys.Fixing both the keys using recovery console method will fail and user will just have a white screen because the ransomware is active.

If the user can't get into save mode the programs you're mentioning is useless .

Wrong.How did user try the system restore or access MSCONFIG in his previous steps?

Safemode with command prompt gives us a command window.Flash drive can be accessed and any security tools can be used to scan our system without launching the explorer window.

Safemode with command prompt or FRST are best way to fix it.Launching registry in recovery console is time consuming.

Jacee · 15 Mar 2013

You have what is known as "Ransomware".
Copy and paste these lines in Note pad.

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0

Save as flush.bat to your desktop.
Double click on the flush.bat file to run it.Vista and Windows 7... right click the .bat file and choose to run as Administrator. Your computer will reboot itself.

Also, make sure the 'proxy' setting is disabled....
Disable the proxy settings in Internet Explorer:
1) Under “Tools” in the browser tool bar select “Internet Options”.
2) In the “Internet Options” window that pops up, click the “Connections” tab at the top.
3) Click “LAN Settings” near the bottom of the “Connections” section.
4) If the “Proxy server” checkbox is marked with a check, click it to deselect/uncheck it.
5) Click “Ok” to close the “Local Area Network (LAN) Settings” window.
6) Click “Ok” to close the “Internet Options” window.
Reboot
Make sure "Proxy server" is still disabled under your LAN Settings.

Download FREE Malwarebytes anti-malware Malwarebytes : Free anti-malware download to your desktop

* Double-click mbam-setup.exe and follow the prompts to install the program.Right click to run as Administrator, using Windows 7 or Vista.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.

cottonball · 15 Mar 2013

PattieO,

The Emsisoft Emergency Kit (Post #21 by shawn77) or HitmanPro.Kickstart are your best choices to access the computer, scan it for malware, and remove this infection.
HitmanPro.KickStart, in particular, targets the ransom-ware.

Can you access the Desktop?

If not, can you access Safe Mode with Networking? <<Per Post #22, looks as if you can. That is good!

Please confirm, and will do my best to guide you thru some simple instructions.