
system plugin scam

#1 btm

Posted 24 April 2011 - 10:11 PM

I'm new at this, so please help. I got a screen on my desktop that says System plugin at address 0x00874324 got critical error, please follow these steps, and to call one of 6 numbers, wait for an answer and get an ID number. Can anyone help?

Edited by Blade Zephon, 25 April 2011 - 01:26 AM.
Moved from XP to AII. ~BZ



#2 dont realy know what

Posted 25 April 2011 - 05:07 AM

I'm new at this, so please help. I got a screen on my desktop that says System plugin at address 0x00874324 got critical error, please follow these steps, and to call one of 6 numbers, wait for an answer and get an ID number. Can anyone help?

I had this problem. I had to do a complete system reboot and install to get rid of it; I don't really know why it passed through my anti-virus, though. I found out it was the Ransom Trojan Virus. It doesn't let you onto Windows to do anything and blocks you from the desktop until you call 00 263778289408 OR 00 2392216542 among other telephone numbers. DO NOT CALL THESE!!!!
Instead, try to run an anti-virus on the partition by installing another system like Linux and then select a partition to scan (select the infected OS); you can always delete Linux after the virus has gone. Or re-format and reinstall Windows or your main OS system.

Sorry, I don't know of any easy fixes.

#3 Andrew

Posted 25 April 2011 - 06:38 AM

This sounds like Trojan-Ransom.Win32.Rector, a ransom-ware trojan; we need some specialized tools to kill this.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#4 btm

Posted 25 April 2011 - 11:22 PM

I can't do anything but start my PC, and then when XP boots up the screen comes up and I'm stopped from doing anything else. I have tried safe mode, all of them. I don't know what to do. I don't know much about PCs.

Edited by btm, 25 April 2011 - 11:24 PM.


#5 Andrew

Posted 26 April 2011 - 01:14 AM

Let's see if we can force the desktop to load up:

When you boot the computer and get to the screen that is blocking you, press the Control, Alt and Delete keys. This will hopefully launch the Windows Task Manager. From the Task Manager's File menu, select New Task (Run...).

This will pop open a new box. Type in explorer and click OK.

If the malware hasn't interfered then you should be brought to your desktop. If so, please create the logs and post them. If not, post back here and let me know.

#6 btm

Posted 26 April 2011 - 01:51 PM

That did not work. It popped up but went away; it just blinked.

#7 Elise

Posted 26 April 2011 - 02:54 PM

Hi, do you have an XP CD at hand we can use?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 Andrew

Posted 26 April 2011 - 03:00 PM

Elise is much smarter than I am, so I'll just watch. :)

#9 btm

Posted 26 April 2011 - 03:39 PM

sorry I don't :wacko:

Edited by btm, 26 April 2011 - 03:44 PM.


#10 Elise

Posted 26 April 2011 - 03:48 PM

Don't worry, we have still quite a few options. :)

Have you tried tapping F8 when starting up and when the Advanced Boot Options menu comes up, selecting Last Known Good Configuration? If not, please try that and let me know if the same thing happens.

regards, Elise




#11 btm

Posted 26 April 2011 - 04:55 PM

I did that already.

#12 Elise

Posted 26 April 2011 - 11:17 PM

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download xpud_userinit_fix to your USB drive
  • Remove the USB & CD and insert them in the sick computer
  • Boot the sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see xpud_userinit_fix that you downloaded and double click it to run it.
  • After it has finished a report will be located on your USB drive named userinitreport.txt
  • Remove the USB drive and insert it back in your working computer and navigate to userinitreport.txt

    Please note - all text entries are case sensitive
Copy and paste the userinitreport.txt for my review

regards, Elise




#13 btm

Posted 27 April 2011 - 10:56 PM

Thanks for the help. I broke down and took it to the computer store. I am glad there are people out there like you, and if I need help I will try here again. Once again, thank you.

#14 Elise

Posted 28 April 2011 - 04:04 AM

Thank you for letting us know. I hope it will be up and running soon. :)

Happy computing!

regards, Elise




#15 keboon

Posted 06 May 2011 - 05:21 AM

Hello elise 025. I had the same problem with my computer about System plugin at address 0x00874324. I tried your instructions and this is what I got so far:


Remote Registry Userinit Report

Hive </mnt/sda1/WINDOWS/system32/config/software>
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\WINDOWS\system32\userinit.exe,
(...)\Windows NT\CurrentVersion\Winlogon> EDIT: <Userinit> of type REG_SZ with length 68 [0x44]
[ 0]: C:\WINDOWS\system32\userinit.exe,
-> newkv->len: 68

userinit.exe search results

39b1ffb03c2296323832acbae50d2aff /mnt/sda1/WINDOWS/system32/dllcache/userinit.exe
24.0K Aug 3 2004
39b1ffb03c2296323832acbae50d2aff /mnt/sda1/WINDOWS/system32/userinit.exe
24.0K Aug 3 2004

winlogon.exe search results

01c3346c241652f43aed8e2149881bfe /mnt/sda1/WINDOWS/system32/dllcache/winlogon.exe
490.5K Aug 3 2004
01c3346c241652f43aed8e2149881bfe /mnt/sda1/WINDOWS/system32/winlogon.exe
490.5K Aug 3 2004

explorer.exe search results

a0732187050030ae399b241436565e64 /mnt/sda1/WINDOWS/explorer.exe
1008.0K Aug 3 2004
a0732187050030ae399b241436565e64 /mnt/sda1/WINDOWS/system32/dllcache/explorer.exe
1008.0K Aug 3 2004
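
A userinitreport.txt like the one posted above can be checked mechanically for the two things it exposes: what the Winlogon Userinit value launches at logon, and whether the live system files still match their dllcache copies. The following is an added example, not part of the original thread or of the xpud_userinit_fix tool; the function name audit_report and the finding labels are hypothetical, and it assumes the stock XP Userinit value.

```python
import re
from collections import defaultdict

# Assumption: stock Windows XP Userinit entry, compared case-insensitively.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: same layout as the report in the post above,
# trimmed to the Userinit value and one binary.
SAMPLE = r"""Remote Registry Userinit Report
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\WINDOWS\system32\userinit.exe,

userinit.exe search results

39b1ffb03c2296323832acbae50d2aff /mnt/sda1/WINDOWS/system32/dllcache/userinit.exe
24.0K Aug 3 2004
39b1ffb03c2296323832acbae50d2aff /mnt/sda1/WINDOWS/system32/userinit.exe
24.0K Aug 3 2004
"""

HASH_LINE = re.compile(r"^([0-9a-f]{32})\s+(/\S+)$")

def audit_report(text):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    # The Userinit data is printed on the line after the "Value <Userinit>" header.
    for i, ln in enumerate(lines[:-1]):
        if "Value <Userinit>" in ln:
            entries = [e.strip() for e in lines[i + 1].split(",") if e.strip()]
            extra = [e for e in entries if e.lower() != EXPECTED_USERINIT]
            if extra:
                findings.append(("userinit-extra-entry", extra))
            if EXPECTED_USERINIT not in [e.lower() for e in entries]:
                findings.append(("userinit-missing-default", entries))
    # Group hashed copies by file name; differing copies of one name are flagged.
    # Matching copies only agree with each other, they are not proven clean.
    copies = defaultdict(dict)
    for ln in lines:
        m = HASH_LINE.match(ln)
        if m:
            copies[m.group(2).rsplit("/", 1)[-1].lower()][m.group(2)] = m.group(1)
    for name, by_path in sorted(copies.items()):
        if len(set(by_path.values())) > 1:
            findings.append(("hash-mismatch", name))
    return findings

if __name__ == "__main__":
    print(audit_report(SAMPLE))
```

An empty result means only that the Userinit value is the default and the copies agree; confirming the files are genuine still needs hashes from a trusted reference for the same Windows build.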



