BleepingComputer.com: system plugin scam

I'm new at this so please help I got a screen on my decktop that says System plugin at address 0x00874324 got critical error please follow these steps and to call one of 6 numbers wait for an answer and get a id number can anyone help.

This post has been edited by Blade Zephon: 25 April 2011 - 01:26 AM
Reason for edit: Moved from XP to AII. ~BZ

btm, on 24 April 2011 - 10:11 PM, said:

I Had this problem I had to do a complete system reboot and install to get rid of it, Dont realy know why it passed through my anti virus tho . I found out it was the Ransom Trojan Virus It dont let you onto windows to do anything and blocks you from the desktop until you call 00 263778289408 OR 00 2392216542 among other telephone numbers DO NOT CALL THESE!!!!
Instead try to run an anti-virus on the partition by installing another system like linux and then select a partition to scan (select the infected OS) you can always delete linux after the virus has gone, Or re-format and reinstall windows or your main OS system.

Sorry I dont know of any Easy fixes..

This sounds like Trojan-Ransom.Win32.Rector, a ransom-ware trojan; we need some specialized tools to kill this.

Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.

I can't do anything but start my pc and then when xp boot up the screen comes up and I'm stopped from doing anything else.I have tried safe mode all of them I don't know what to do.I don't know much about pcs

This post has been edited by btm: 25 April 2011 - 11:24 PM

Let's see if we can force the desktop to load up:

When you boot the computer and get to the screen that is blocking you, press the Control, Alt and Delete keys. This will hopefully launch the Windows Task Manager. From the Task Manager's File menu, select New Task (Run...):


This will pop open a new box. Type in explorer and click OK:


If the malware hasn't interfered then you should be brought to your desktop. If so, please create the logs and post them. If not, post back here and let me know.

That did not work. It poped up but went away it just blinked.

Hi, do you have an XP CD at hand we can use?

Elise is much smarter than I am, so I'll just watch.

sorry I don't

This post has been edited by btm: 26 April 2011 - 03:44 PM

Don't worry, we have still quite a few options.

Have you tried tapping F8 when starting up and when the Advanced Boot Options menu comes up, selecting Last Known Good Configuration? If not, please try that and let me know if the same thing happens.

I did that already.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

• Run GETxPUD.exe
  
• A new folder will appear on the desktop.
  
• Open the GETxPUD folder and click on the get&burn.bat
  
• The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  
• Click on Start and follow the prompts to burn the image to a CD.
  
• Next download xpud_userinit_fix to your USB drive
  
• Remove the USB & CD and insert it in the sick computer
  
• Boot the Sick computer with the CD you just burned
  
• The computer must be set to boot from the CD
  
• Gently tap F12 and choose to boot from the CD
  
• Follow the prompts
  
• A Welcome to xPUD screen will appear
  
• Press File
  
• Expand mnt
  
• sda1,2...usually corresponds to your HDD
  
• sdb1 is likely your USB
  
• Click on the folder that represents your USB drive (sdb1 ?)
  
• Confirm that you see xpud_userinit_fix that you downloaded and double click it to run it.
  
• After it has finished a report will be located on your USB drive named userinitreport.txt
  
• Remove the USB drive and insert it back in your working computer and navigate to userinitreport.txt
  
  Please note - all text entries are case sensitive

Copy and paste the userinitreport.txt for my review

thanks for the help I broke down and took it to the computer store.I am glad there are people out there like you and if I need help I will try here again once again thank you.

Thank you for letting us know. I hope it will be up and running soon.

Happy computing!

Hello elise 025. I had the same problem with my computer about System plugin at address 0x00874324. I tried your instructions and this is what I got so far:


Remote Registry Userinit Report

Hive </mnt/sda1/WINDOWS/system32/config/software>
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\WINDOWS\system32\userinit.exe,
(...)\Windows NT\CurrentVersion\Winlogon> EDIT: <Userinit> of type REG_SZ with length 68 [0x44]
[ 0]: C:\WINDOWS\system32\userinit.exe,
-> newkv->len: 68

userinit.exe search results

39b1ffb03c2296323832acbae50d2aff /mnt/sda1/WINDOWS/system32/dllcache/userinit.exe
24.0K Aug 3 2004
39b1ffb03c2296323832acbae50d2aff /mnt/sda1/WINDOWS/system32/userinit.exe
24.0K Aug 3 2004

winlogon.exe search results

01c3346c241652f43aed8e2149881bfe /mnt/sda1/WINDOWS/system32/dllcache/winlogon.exe
490.5K Aug 3 2004
01c3346c241652f43aed8e2149881bfe /mnt/sda1/WINDOWS/system32/winlogon.exe
490.5K Aug 3 2004

explorer.exe search results

a0732187050030ae399b241436565e64 /mnt/sda1/WINDOWS/explorer.exe
1008.0K Aug 3 2004
a0732187050030ae399b241436565e64 /mnt/sda1/WINDOWS/system32/dllcache/explorer.exe
1008.0K Aug 3 2004