Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Restart in Safe Mode auto reboots to blank screen?


  • This topic is locked This topic is locked
42 replies to this topic

#1 ddad62

ddad62

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:41 PM

Posted 13 July 2013 - 03:37 PM

Hello,

 

I have a friend with an issue, got a ransome ware on his laptop, when i try to restart in safe mode, it auto-reboots, and then goes to a regular start, ending in a completely blank white screen...?

 

He is running Windows 7,

 

Thanks Dave

 



BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:41 PM

Posted 14 July 2013 - 05:58 AM

Hello, ddad62.
My name is etavares and I will be helping you with this log.
 
Here are some guidelines to ensure we are able to get your machine back under your control.
 
  • Please do not run any unsupervised scans, fixes, etc.  We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so.  Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned.  Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first.  There's no harm in asking questions!
  •  
     
     
    Step 1
     
    Please download Farbar Recovery Scan Tool and save it to a flash drive.
     
    Plug the flashdrive into the infected PC.
     
    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
     
    If you are using Vista or Windows 7 enter System Recovery Options
     
    To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
  •  
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  •  
    On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
     
    Select Command Prompt
     
    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64)  and press Enter 
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  •  
    etavares


    If I don't respond within 2 days, please feel free to PM me.
    Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

    Posted Image
    Unified Network of Instructors and Trusted Eliminators
     


    #3 ddad62

    ddad62
    • Topic Starter

    • Members
    • 34 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:08:41 PM

    Posted 14 July 2013 - 01:01 PM

    Hmmm...when I do the above, get to the command prompt...I get the below...

    X:\windows\system32>I:frst
    The subsystem needed to support the image type is not present.

    David D

    #4 etavares

    etavares

      Bleepin' Remover


    • Malware Response Team
    • 15,514 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:09:41 PM

    Posted 14 July 2013 - 02:14 PM

    Try this command instead:

    cd /d l:\frst.exe

     

    note the space bewteen cd and /d and l:\frst.exe

     

    -etavares



    If I don't respond within 2 days, please feel free to PM me.
    Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

    Posted Image
    Unified Network of Instructors and Trusted Eliminators
     


    #5 ddad62

    ddad62
    • Topic Starter

    • Members
    • 34 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:08:41 PM

    Posted 14 July 2013 - 02:37 PM

    Ok tried it...got message
    The directory name is invalid.

    There are not suppose to be any spaces in the one I tried first. I:\frst?

    #6 ddad62

    ddad62
    • Topic Starter

    • Members
    • 34 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:08:41 PM

    Posted 14 July 2013 - 03:43 PM

    Using the notepad directions I was able to drill down to and see the thumbdrive and other folders on it. So it is working, and finding it?

    #7 ddad62

    ddad62
    • Topic Starter

    • Members
    • 34 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:08:41 PM

    Posted 14 July 2013 - 05:34 PM

    Ok I restarted the process, and using the cd /d. I get the message "The system cannot find the drive specified."

    What's next.

    #8 etavares

    etavares

      Bleepin' Remover


    • Malware Response Team
    • 15,514 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:09:41 PM

    Posted 15 July 2013 - 05:50 AM

    Is your drive letter L:\ in notepad for the flash drive?



    If I don't respond within 2 days, please feel free to PM me.
    Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

    Posted Image
    Unified Network of Instructors and Trusted Eliminators
     


    #9 etavares

    etavares

      Bleepin' Remover


    • Malware Response Team
    • 15,514 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:09:41 PM

    Posted 20 July 2013 - 05:54 AM

    Hi, do you still need help?



    If I don't respond within 2 days, please feel free to PM me.
    Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

    Posted Image
    Unified Network of Instructors and Trusted Eliminators
     


    #10 ddad62

    ddad62
    • Topic Starter

    • Members
    • 34 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:08:41 PM

    Posted 20 July 2013 - 03:25 PM

    Ohh man sorry, This week my buddy was working extra shifts and is on Nights now, just not around.  I'll get into this again today.



    #11 etavares

    etavares

      Bleepin' Remover


    • Malware Response Team
    • 15,514 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:09:41 PM

    Posted 20 July 2013 - 07:29 PM

    OK, thanks for the update!



    If I don't respond within 2 days, please feel free to PM me.
    Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

    Posted Image
    Unified Network of Instructors and Trusted Eliminators
     


    #12 ddad62

    ddad62
    • Topic Starter

    • Members
    • 34 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:08:41 PM

    Posted 21 July 2013 - 10:41 AM

    Ok....today I tried it, and it the thumb drive is h

     

    I get this message today.... 8(

    'h:\frst' is not recognized as an internal or external command operable program or batch file.

     

     

    I'll try resaving the frst on the thumb drive...I tried the cd /d also..



    #13 ddad62

    ddad62
    • Topic Starter

    • Members
    • 34 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:08:41 PM

    Posted 21 July 2013 - 10:51 AM

    ok no luck no change 8( 

     

    WTH is this system doing?  I await your next idea.

    David



    #14 etavares

    etavares

      Bleepin' Remover


    • Malware Response Team
    • 15,514 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:09:41 PM

    Posted 22 July 2013 - 07:22 PM

    Hello, ddad62.
     
    OK, we have other tools we can use, but it'll be a bit more work for us.  Which ransomware do they have?  What agency do they claim locked down the computer?
     
    Step 1
     
    Try this guide to start:
     
    Let me know what HitmanPro finds and if you can boot after running it.
     
    If not, we have other courses of action.
     
    etavares


    If I don't respond within 2 days, please feel free to PM me.
    Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

    Posted Image
    Unified Network of Instructors and Trusted Eliminators
     


    #15 ddad62

    ddad62
    • Topic Starter

    • Members
    • 34 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:08:41 PM

    Posted 23 July 2013 - 07:55 PM

    Ok!!  Yea!  that worked! Hitman removed 4 threats...found like 220...

     

    removed these..

    skype.dat

    1701586049448426754934.exe

    ctfmon.Ink

    1skkkkkkk.exe

     

    What Ransomeware it was...unknown...my buddy states he recalls seeing a ransomware page, and it was using the in laptop camera to present a picture of himself, when he read it, but it would not come to a page after he restarted it.. it was only a blank page...

     

    ok so what next?   I updated AVG, and Malewarebytes as they asked to after being 97 days out of date..

     

    What else do you have in your bag of tricks to clean his thing out?  and ensure it will stay that way?

     

    Thanks,

    David






    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users