My PC has been infected with this. If I start in Safe Mode it just reboots as soon as it loads. Please help.
Thank you very much for the reply. I have read the information. I am running Windows Vista 64 bit.
You need to have a Flash Drive.
Yes I have one of those.
I will be out for a couple of hours
Read Slowly and all of it.
Please download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ You need to download the 64 bit version.
Transfer it on to the Flash Drive.Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:
On the System Recovery Options menu you will get the following options:
Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt
I miraculously managed to get Task Manager on top. I haven't closed anything, but does this help?
Oh so you are trying things against the guidelines and warnings, Cool one less for me to deal with.
I don't have time for users who ignore the instructions and or the guidelines, I infect my system with the likes of ICE and figure out why some instructions don't work, and why for users removing the file Windows still does not load properly. So FRST also got updated for the registry keys to fix.
Not to have users just go about (even after reading) doing their own thing creating a waste of time.
No, that's how my PC was when I came here.
My Advanced Boot Options does not have "Repair your Computer". It has:
Enable Boot Logging
Last Good Configuration
Directory Services Restore Mode
Disable automatic restart
Disable driver signature enforcement
Sart Windows normally
I know your time is valuable. I have done everything you asked. Please help.
So what you are saying is that I have no other option except to go to another company and their products/support for help?
What did I say in a previous message
Looks like this user is not reading properly, Message after message while I was out, even though I stated I was to be so.
Do you have your Windows Repair CD (disc)??
No, I don't have one unless it's on a partition of the HDD. If it is I don't know how to access it.
This should give me the registry entries required
Download hxxp://oldtimer.geekstogo.com/OTLPENet.exe to your desktop (change the xx to tt)
Ensure that you have a blank CD in the drive
Double click OTLPENet.exe and this will then open imgburn to burn the file to CD for you ready.
Instead on the Flash drive we need the 32 bit version of FRST not the 64 bit version that can be removed.
have the Flash Drive plugged into the computer.
a) Reboot your system using the boot CD you just created. OTLPE.
Note : If you do not know how to set your computer to boot from CD follow the steps here
As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads , it's all to do with system speed and hardware.
b) Your system should now display a Reatogo desktop. It looks sort of like you have loaded Windows XP but you are actually using the bootCD.
Note : as you are running from CD it is not exactly speedy
c) (done already)
d) Locate the flash drive and run FSRT, Like you would with XP and using My Computer (Computer) to find the Flash drive, or any connected drive. It may ask which Operating system to scan, choose your Vista OS.
e) The tool will start to run. When the tool opens click Yes to disclaimer. (if it appears)
f) Press Scan button. It will make a log (FRST.txt) on the flash drive. ,
You can either use the loaded OTLPE to be able to get to this forum over the net, or use which ever way you are getting to the net.
Thank you for trying to help.
I have found it and I see you have PUP's to, I will break the stubborn PUP service (had fun with that one recently) but will get the rest later once back in Windows.
I just have to create a script for FRST to use, I did note of interest this
Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Cyrus\AppData\Local\Temp\nawsrhvwfbkktlnwd.exe [ 2013-07-09] (NVIDIA Corporation)
Ransomware with what looks like a legit Company name to try and fool users
I greatly appreciate any help you provide. This PC has been on the net for 4-5 years with nothing but Norton 360 and Spybot S&D. I've had several infections before but not to the point of not being able to access the computer. I've had one similar to this one before but they only wanted $40 I think and it didn't lock out safe mode.
For future reference are there any Norton/Windows/IE settings that will block the likes of ICE? Or another compatible software even that can block it?
That is just the way Malware is and continuing to evolve, Yours is not the worst I have dealt with.
I don't like Norton and Spybot S&D together due to Spybot's realtime Teatimer and SDhealper.
I don't use those parts of it. I only use it to scan when Norton misses something. I prefer not to have other things taking up RAM, plus I don't know what might conflict with Norton so it's largely on it's own. Is there anything you know of that is compatible with Norton that can be memory resident? Or do you know of anything preferable to Spybot that I can use as a backup for scanning?
Download the script attached, needs to be the same file name as well (fixlist.txt), Copy across to flash drive next to FRST.exeNOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemUse the CD to load again and start FRST.exe (like before when creating the log)But this time press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply
Your OS is still running on my PC. Do I need to reboot?
Reboot the PC and load to OTLPE like you did last time to create the FRST.txt log. Except the fix instructions are slightly different above as I am having FRST use the fixlist.txt to do as I ask it to do.
It came from that stinking .exe file didn't it?
The trouble is some of these are on a system in a way (like this one) so that even if you move or delete just the file(s) you will still end up with Windows not loading correctly etc. due to the registry entries are in a area where Windows is still loading them and wanting the file. like what happened here http://community.norton.com/t5/Malware-Discussion/I-ran-NPE-My-computer-does-not-load-properly-now/td-p/974163
Can you now load Vista to the desktop, and the Ransom won't load meaning you can now see all of your desktop like before the Ransom.
Yes! I am at the desktop!
And yeah. I hate to think of the condition of my registry. I can't edit it and don't know of a software that I trust to scan and fix it. I've had bad experiences with registry fixers. Norton does some but I don't think it does an extensive job.
Anyway, I'm ready for what's next.
Is your Vista with Service Pack 1??
I think it has SP2 but I may be wrong
OTLPE is not the correct disc for your system, but did enough to be able to run FRST although FRST was not the correct version for your system either.
Seeing as you do not have the "Repair your Computer" option on your Hard Drive(s) for safety sake and it will be available in future if something like this happens or worse, or after the use of our tools like combofix where something goes wrong during the can.
Do this http://community.norton.com/t5/Tech-Outpost/Creating-a-Repair-Disc-in-Windows-7-and-Vista-SP1-for-future-use/m-p/801962#M6004
The Recovery Disc created will be for your system and tools like FRST or listparts can be used also using the correct version of the tool for the installed OS. So then logs will be produced that are also correct.
You can put the disc(s) away for safe keeping.
We should be able to do the rest of your system from the desktop, but better do this before anything else so that you have that disc, seeing as you don't have the F8 repair feature.
No it is not working. I typed "system restore disc". It just turns up empty search result. Also during this process Explorer restarted.
I mean "system repair disc"
Do you have it via
Control Panel, clicking System and Maintenance, and then clicking Backup and Restore.
In the left pane, click Create a system repair disc,
No. I just have "Repair Windows using System Restore" and "Create a restore point or change settings"
I verified that I do have SP2.
maybe your system maker removes it (not very nice of them)
What is you make of system Dell etc.??
Yes that would be lovely. It's an ASUS.
Looks like Microsoft may have removed it from Vista, Heck.
17. Insert your retail Vista installation DVD into the CD/DVD drive, and click on Continue.
I made it this far. I don't have a retail DVD.
Probably should have used the original recdisc.exe
We will have to continue to use OTLPE in future if something goes wrong here, ,
The only other way is to find someone with Vista x64 and has the disc to make a copy or http://www.forum.probz.net/index.php?/files/file/20-windows-vista-recovery-environment-iso/
While you can create a system repair disc and be able to use it on any Windows Vista edition on any computer, it must be the same 32-bit or 64-bit system repair disc as the installed 32-bit or 64-bit Vista. You will not be able to use a 32-bit system repair disc on a 64-bit Vista, or a 64-bit system repair disc on a 32-bit Vista.
You also can't use the automated startup repair, or the windows system image, System Restore. However, you can use the command prompt to effect boot repairs or start other programs
I will give the next cleaning instructions next.
jstwebbrowsing wrote:Probably should have used the original recdisc.exe
The original does not work with SP2
I don't suppose a Windows 7 repair disc would be of any benefit for Vista. That's what's on my laptop. Of course, I don't have a retail disc for it either so I probably can't even make one for it.
This is a very poweful tool, so
Please read carefully Read all of this message first
Download Combofix http://www.bleepingcomputer.com/download/anti-virus/combofix
Right click the combofix.exe on the desktop and select from the menu "Run as Administrator"
****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.*EXTRA NOTES*
I disabled Norton AV and Firewall via the richt click menu in the system tray for five hours. I started ComboFix. After it installed it popped up a box saying Norton 360 AV and Antispyware are running. There is no context menu to turn off antispyware and the AV and Firewall show they are disabled.
Combofix says, "Please disable these scanners before clicking 'OK'".
As long as
are turned off you are good to go.
It took a little while. Here it is.
OK, More PUP items removed in amonst that lot, and some uninstall entries for folders I had moved with FRST.
Time for the proper PUP's checks
Download Adwcleaner http://general-changelog-team.fr/fr/downloads/view.download/2 The Green Arrow on to your desktop like OTLand run a scan (Search Button). It will create a log after.
ONE SCAN ONLY
Attach the log back here.
Here it is.
Man I bet my PC is gonna run better than it has in a long time. You are awesome!
Looks like I can't use the Adwcleaner delete junction unless you want to have Norton / Symantec reset inside the Chrome settings.
At least it gives me more data to look at.
Lets try this
Download this and run it on the desktop. http://www.bleepingcomputer.com/download/junkware-removal-tool/
The blue Button
@ Authors site
It will create a log after.
No, I don't even use Google Chrome. I don't even know why I still have it. It can be uninstalled if that will help.