White screen

No, he will not be able to boot into Safe Mode with Networking. The Shell value has been hooked.

Copy this tool to flash drive

Emsisoft Emergency Kit Download

Insert the flash drive and boot into the command prompt. From the command window, launch this tool by navigating to the flash drive.

Finish the scan, remove the infections, and reboot the system.
 

My Computer

OS
32 bit
I was able to download both of those programs and I am running the scans now. The Hitman scan is finished and there are 3 trojans and 1 suspicious item called iefram.dll, and the path is C:\Windows\System32\. The rest of the items are ignore and tracking cookies.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
dell
OS
windows 7
   Note
You will need a USB Flash Drive for this


Download Farbar Recovery Scan Tool from the below link:
For x32 (x86) bit systems download http://download.bleepingcomputer.com/farbar/FRST.exe Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download http://download.bleepingcomputer.com/farbar/FRST64.exe Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

Select Command Prompt
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
FRST will let you know when the scan is complete and has written the FRST.txt file. Close out this message, then type the following into the search box:
services.exe
Now press the Search button
When the search is complete, search.txt will also be written to your USB
Type exit and reboot the computer normally
Please copy and paste both logs (FRST.txt and Search.txt) in your reply.
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
CPU
Intel Core i7 CPU 950 @ 3.07GHz
Motherboard
ASUS P6T DELUXE V2
Memory
OCZ 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 OCZ3X1600R2
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
OnBoard
Hard Drives
WD6400AACS-00M3B0 (640GB SATA )
PSU
CORSAIR 850w
Case
NZXT LEXA
Cooling
Intel Stock Heatsink Fan
Keyboard
Microsoft Wireless Laser Keyboard 7000
Mouse
Microsoft Wireless Laser Mouse 7000
Should I remove the infected programs from the computer before I put in the usb?
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
dell
OS
windows 7
Are you referring to the virus? If not, the flash drive should have the FRST file that you downloaded and placed on it. Restart the computer to get to the command prompt and run the FRST program.
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
CPU
Intel Core i7 CPU 950 @ 3.07GHz
Motherboard
ASUS P6T DELUXE V2
Memory
OCZ 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 OCZ3X1600R2
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
OnBoard
Hard Drives
WD6400AACS-00M3B0 (640GB SATA )
PSU
CORSAIR 850w
Case
NZXT LEXA
Cooling
Intel Stock Heatsink Fan
Keyboard
Microsoft Wireless Laser Keyboard 7000
Mouse
Microsoft Wireless Laser Mouse 7000
Remove it with Hitman, then restart and launch FRST using the tutorial I posted.
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
CPU
Intel Core i7 CPU 950 @ 3.07GHz
Motherboard
ASUS P6T DELUXE V2
Memory
OCZ 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 OCZ3X1600R2
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
OnBoard
Hard Drives
WD6400AACS-00M3B0 (640GB SATA )
PSU
CORSAIR 850w
Case
NZXT LEXA
Cooling
Intel Stock Heatsink Fan
Keyboard
Microsoft Wireless Laser Keyboard 7000
Mouse
Microsoft Wireless Laser Mouse 7000
The FRST log is not needed. You should be able to access the desktop now. Run scans using tools like Malwarebytes and TDSSKiller.

FRST logs are useful only in cases where the system is unbootable.
 

My Computer

OS
32 bit
If the user can't get into Safe Mode, the programs you're mentioning are useless.

FRST will scan in recovery console mode. The virus is not loading the shell. We could fix that this way:

Open the Registry Editor from the command prompt. Type REGEDIT and press Enter; if that doesn't work, type C:\Windows\System32\Regedit.exe. Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the right side of the window locate "Shell" and right click on it. Click on Modify.
   Note
The default value data is Explorer.exe

If you see something else written in this window, remove it and type in Explorer.exe (you can write down whatever else was written in the value data section; this is the path of the rogue executable). Use this information to navigate to the rogue executable and remove it.

Restart the PC.
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
CPU
Intel Core i7 CPU 950 @ 3.07GHz
Motherboard
ASUS P6T DELUXE V2
Memory
OCZ 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 OCZ3X1600R2
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
OnBoard
Hard Drives
WD6400AACS-00M3B0 (640GB SATA )
PSU
CORSAIR 850w
Case
NZXT LEXA
Cooling
Intel Stock Heatsink Fan
Keyboard
Microsoft Wireless Laser Keyboard 7000
Mouse
Microsoft Wireless Laser Mouse 7000
OK, when I get to the command prompt it says
X:\Sources>
It won't let me erase it, and when I type in either prompt it says that it is
"not recognized as an internal or external command, operable program or batch file".
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
dell
OS
windows 7
What command are you trying to run? REGEDIT or FRST?
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
CPU
Intel Core i7 CPU 950 @ 3.07GHz
Motherboard
ASUS P6T DELUXE V2
Memory
OCZ 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 OCZ3X1600R2
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
OnBoard
Hard Drives
WD6400AACS-00M3B0 (640GB SATA )
PSU
CORSAIR 850w
Case
NZXT LEXA
Cooling
Intel Stock Heatsink Fan
Keyboard
Microsoft Wireless Laser Keyboard 7000
Mouse
Microsoft Wireless Laser Mouse 7000
Let's see the registry first. Try this, please.

In the command prompt that shows
X:\Sources

Type in bcdedit | find "osdevice" (include the quotes).

   Note
The | is on the key above Enter. Hold Shift down and press the key with \ on it.


Press the Enter key after you input the command. It will tell you the drive letter of Windows. It might say:
osdevice partition=D:

ADDED

   Note
You should be using the steps below in Safe Mode with Command Prompt.


Open the Registry Editor from the command prompt. Type REGEDIT and press Enter; if that doesn't work, type C:\Windows\System32\Regedit.exe. Navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right side of the window locate "Shell" and right click on it. Click on Modify.

   Note
The default value data is Explorer.exe


If you see something else written in this window, remove it and type in Explorer.exe (you can write down whatever else was written in the value data section; this is the path of the rogue executable). Use this information to navigate to the rogue executable and remove it.

Restart the PC.
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
CPU
Intel Core i7 CPU 950 @ 3.07GHz
Motherboard
ASUS P6T DELUXE V2
Memory
OCZ 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 OCZ3X1600R2
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
OnBoard
Hard Drives
WD6400AACS-00M3B0 (640GB SATA )
PSU
CORSAIR 850w
Case
NZXT LEXA
Cooling
Intel Stock Heatsink Fan
Keyboard
Microsoft Wireless Laser Keyboard 7000
Mouse
Microsoft Wireless Laser Mouse 7000
It isn't recognizing it and I am getting the same error message. I did get the D for the partition. Did you want me to try the other way that you were talking about in bold, or was that just for shawn77?
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
dell
OS
windows 7
OK, if you got the command saying it's D, then type this command:
CD D:\Windows\System32\Regedit.exe
and see if that will open up the registry.
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
CPU
Intel Core i7 CPU 950 @ 3.07GHz
Motherboard
ASUS P6T DELUXE V2
Memory
OCZ 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 OCZ3X1600R2
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
OnBoard
Hard Drives
WD6400AACS-00M3B0 (640GB SATA )
PSU
CORSAIR 850w
Case
NZXT LEXA
Cooling
Intel Stock Heatsink Fan
Keyboard
Microsoft Wireless Laser Keyboard 7000
Mouse
Microsoft Wireless Laser Mouse 7000
That didn't work; the response says "The system cannot find the path specified". I need to stop for tonight. Is it OK to stop at this point and try again tomorrow? I really appreciate all of the hard work you have put into helping me out.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
dell
OS
windows 7
OK, and you're welcome. Hopefully you're pressing F8 to get to the command prompt and not using the installation disc.
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
CPU
Intel Core i7 CPU 950 @ 3.07GHz
Motherboard
ASUS P6T DELUXE V2
Memory
OCZ 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 OCZ3X1600R2
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
OnBoard
Hard Drives
WD6400AACS-00M3B0 (640GB SATA )
PSU
CORSAIR 850w
Case
NZXT LEXA
Cooling
Intel Stock Heatsink Fan
Keyboard
Microsoft Wireless Laser Keyboard 7000
Mouse
Microsoft Wireless Laser Mouse 7000
Hi Vistaking,

Let me explain about ransomware. Ransomware hooks entries in multiple locations: the Winlogon and Run keys. Fixing both keys using the recovery console method will fail, and the user will just have a white screen because the ransomware is active.

"If the user can't get into save mode the programs you're mentioning is useless."

Wrong. How did the user try System Restore or access MSCONFIG in his previous steps?

Safe Mode with Command Prompt gives us a command window. The flash drive can be accessed, and any security tools can be used to scan the system without launching the Explorer window.

Safe Mode with Command Prompt or FRST is the best way to fix it. Launching the registry in the recovery console is time-consuming.
 

My Computer

OS
32 bit
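The Winlogon Shell value that Vistaking's Regedit steps edit, and the Run keys shawn77 mentions alongside it, can be read from the System Recovery Options command prompt without opening Regedit at all. The batch file below is an added example written for this thread; it is not something any poster supplied and not part of FRST, Emsisoft or Hitman. The file name checkshell.bat and the temporary hive mount name HKLM\OFFSOFT are my own choices. It finds the Windows drive with bcdedit (the same "osdevice" step shown above, filtered to the partition= line), loads the installed system's SOFTWARE hive (the recovery prompt's own HKLM\SOFTWARE belongs to the RAM disk, which is why REGEDIT there shows the wrong system), prints the Shell, Userinit and Run entries, and flags anything that is not the default. It does not change any value.

```batch
@echo off
REM checkshell.bat - added example for this thread, not a tool the posters used.
REM Run from the System Recovery Options command prompt (X:\Sources>).
REM Read-only audit of the offline registry: reports the Winlogon Shell and
REM Userinit values and the Run/RunOnce keys so the hijack path is known
REM before anything is edited. Only side effect: a temporary hive mount
REM under HKLM\OFFSOFT (name chosen here), unloaded at the end.
setlocal enabledelayedexpansion

REM 1. Windows drive letter, as in the thread's bcdedit | find "osdevice" step.
REM    Keep only the "partition=" line so a WinRE ramdisk entry is not picked.
set OSDRIVE=
for /f "tokens=2 delims==" %%A in ('bcdedit ^| find /i "osdevice" ^| find /i "partition="') do set OSDRIVE=%%A
if not defined OSDRIVE (
    echo Could not determine the Windows drive from bcdedit.
    exit /b 1
)
echo Windows volume: %OSDRIVE%

REM 2. Mount the installed system's SOFTWARE hive. HKLM\SOFTWARE inside the
REM    recovery environment is the RAM disk's hive, not the infected one.
reg load HKLM\OFFSOFT %OSDRIVE%\Windows\System32\config\SOFTWARE >nul
if errorlevel 1 (
    echo Failed to load %OSDRIVE%\Windows\System32\config\SOFTWARE
    exit /b 1
)

set "WINLOGON=HKLM\OFFSOFT\Microsoft\Windows NT\CurrentVersion\Winlogon"

REM 3. Shell: default is explorer.exe. Anything else is the path the thread
REM    says to write down before restoring the default.
set SHELLVAL=
for /f "tokens=2,*" %%A in ('reg query "%WINLOGON%" /v Shell ^| find /i "Shell"') do set SHELLVAL=%%B
echo Shell    = "!SHELLVAL!"
if /i "!SHELLVAL!"=="explorer.exe" (echo   OK: default shell) else (echo   WARNING: Shell is not explorer.exe)

REM 4. Userinit: default is <drive>:\Windows\system32\userinit.exe, with a
REM    trailing comma. Extra entries after the comma are another hook point.
set USERINIT=
for /f "tokens=2,*" %%A in ('reg query "%WINLOGON%" /v Userinit ^| find /i "Userinit"') do set USERINIT=%%B
echo Userinit = "!USERINIT!"
echo !USERINIT! | find /i "userinit.exe," >nul || echo   WARNING: Userinit does not look like the default

REM 5. Run / RunOnce keys, the other location shawn77 says ransomware hooks.
for %%K in (Run RunOnce) do (
    echo --- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\%%K ---
    reg query "HKLM\OFFSOFT\Microsoft\Windows\CurrentVersion\%%K" 2>nul
)

reg unload HKLM\OFFSOFT >nul
endlocal
```

Save it to the flash drive and run it as e:\checkshell.bat, substituting the flash drive's letter exactly as the FRST steps above do. Any path printed with a WARNING is the "rogue executable" the Regedit step refers to; note it down and deal with that file (or hand it to the scanner) before restoring Shell to Explorer.exe, since restoring the value first only tells you nothing about what was launched.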
You have what is known as "Ransomware".
Copy and paste these lines into Notepad.

@Echo on
REM Reset the hosts file to the single default localhost entry (malware
REM commonly adds redirects for AV and update domains there).
pushd \windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
REM Drop and renew the DHCP lease and clear the DNS cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
REM Reset the Winsock catalog and the TCP/IP stack (effective after reboot)
netsh winsock reset
netsh int ip reset all
REM Reboot in one second, then delete this batch file
shutdown -r -t 1
del %0


Save it as flush.bat to your desktop.
Double-click the flush.bat file to run it. On Vista and Windows 7, right-click the .bat file and choose Run as Administrator. Your computer will reboot itself.

Also, make sure the 'proxy' setting is disabled....
Disable the proxy settings in Internet Explorer:
1) Under “Tools” in the browser tool bar select “Internet Options”.
2) In the “Internet Options” window that pops up, click the “Connections” tab at the top.
3) Click “LAN Settings” near the bottom of the “Connections” section.
4) If the “Proxy server” checkbox is marked with a check, click it to deselect/uncheck it.
5) Click “Ok” to close the “Local Area Network (LAN) Settings” window.
6) Click “Ok” to close the “Internet Options” window.
Reboot
Make sure "Proxy server" is still disabled under your LAN Settings.

Download the free Malwarebytes Anti-Malware (Malwarebytes: Free anti-malware download) to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program. On Windows 7 or Vista, right-click it and run as Administrator.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. Copy and paste that log into your next reply.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
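Before running Bruce's flush.bat, it is worth seeing what it is about to overwrite, since the hosts entries and proxy setting it resets are also the evidence of what the infection changed. The script below is an added example, not from the thread and not part of any tool named in it; the file name checkhosts.bat is my own. It lists every hosts entry other than the plain localhost line and reports whether the proxy that step 4 of the Internet Options instructions unchecks is currently switched on, by reading the ProxyEnable, ProxyServer and AutoConfigURL values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (the registry location behind that dialog). It changes nothing, so it is safe to run before and after flush.bat to confirm the reset took.

```batch
@echo off
REM checkhosts.bat - added example for this thread, not a tool the posters used.
REM Read-only report of the two things flush.bat resets: extra hosts entries
REM and the WinINET (Internet Explorer) proxy. Run from an elevated command
REM prompt, or from Safe Mode with Command Prompt, on the booted system.
setlocal
set "HOSTS=%SystemRoot%\System32\drivers\etc\hosts"

echo === hosts file: %HOSTS% ===
REM Show the attributes; flush.bat strips hidden/system/read-only first.
attrib "%HOSTS%"

REM List every non-comment line whose host name is not localhost.
REM Redirecting AV vendor or update domains to 127.0.0.1 or 0.0.0.0 is the
REM usual reason a hosts file has extra entries after an infection.
set COUNT=0
for /f "usebackq eol=# tokens=1,2" %%A in ("%HOSTS%") do (
    if /i not "%%B"=="localhost" (
        echo   non-default entry: %%A %%B
        set /a COUNT+=1
    )
)
if "%COUNT%"=="0" (echo   OK: no entries beyond localhost) else (echo   WARNING: %COUNT% non-default entries found)

echo === Internet Options proxy (HKCU) ===
set "IS=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
reg query "%IS%" /v ProxyEnable 2>nul
reg query "%IS%" /v ProxyServer 2>nul
reg query "%IS%" /v AutoConfigURL 2>nul
REM ProxyEnable is a REG_DWORD; 0x1 means the "Proxy server" box is checked.
for /f "tokens=3" %%A in ('reg query "%IS%" /v ProxyEnable ^| find /i "ProxyEnable"') do (
    if "%%A"=="0x1" echo   WARNING: proxy is enabled - uncheck it under Internet Options, Connections, LAN Settings
    if "%%A"=="0x0" echo   OK: proxy is disabled
)
endlocal
```

Run it once before flush.bat and keep the output: the host names and proxy address it prints are the indicators you would want in a reply here or in an incident note. Run it again after the reboot to confirm that only the localhost line remains and ProxyEnable is 0x0, which is the manual "make sure Proxy server is still disabled" check Bruce asks for.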
PattieO,

The Emsisoft Emergency Kit (Post #21 by shawn77) or HitmanPro.Kickstart are your best choices to access the computer, scan it for malware, and remove this infection.
HitmanPro.KickStart, in particular, targets the ransomware.

Can you access the Desktop?

If not, can you access Safe Mode with Networking? <<Per Post #22, it looks as if you can. That is good!

Please confirm, and I will do my best to guide you through some simple instructions. ;)
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!