
Win 7 Screen goes eggshell after login, safe mode restarts after login


20 replies to this topic

#1 Wado

Wado

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Baltimore, MD
  • Local time:03:50 AM

Posted 22 August 2013 - 06:44 AM

I can't get to the OS to run anything. When I log in, it goes blank (eggshell color). When I Ctrl+Alt+Del and tell it to shut down I see the desktop just before it logs off. When I try going into safe mode it restarts after login. This is on an Emachines ET1331G-07 4gig ram Win 7 64bit, off the network.

 

Wado,

Fred


Edited by hamluis, 22 August 2013 - 12:17 PM.
Moved from Win 7 to Am I Infected - Hamluis.



 


#2 hamluis

hamluis

    Moderator


  • Moderator
  • 56,299 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:02:50 AM

Posted 22 August 2013 - 08:55 AM

When did problem begin?

 

Any indications that system was/is infected...prior to your post here?

 

Any changes to system made prior to problems?

 

Louis



#3 Wado

Wado
  • Topic Starter


Posted 22 August 2013 - 11:08 AM

My friend's daughter was doing a report on China when the screen went ransomware. They are pretty computer illiterate so I am pretty sure it is an infection. It looks like their Norton expired at some point. I see the expired screen just before it shuts down.

I see that I should have posted this in the Security section. Can you move it? I see no way to do it myself.


Edited by Wado, 22 August 2013 - 11:46 AM.


#4 hamluis


Posted 22 August 2013 - 12:16 PM

I'll move this to the proper forum, thanks :).

 

Louis



#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:50 AM

Posted 22 August 2013 - 08:27 PM

Can you run anything?

What type of ransomware did it hint at? Did you see anything like FBI, E-Crime.... any type of name?

Please download Rkill by Grinler and save it to your desktop.
  • Link 1
  • Link 2
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#6 Wado


Posted 23 August 2013 - 05:02 PM

She said it was the FBI virus, but I don't know for sure. I get a blank screen after login. From the guest account I made a new admin, removed Norton (expired) and rebooted, ran RKill, installed Avast! & did a full scan. 

19 infections reported and all at a "High" threat level, as well as a LONG list of errors. I moved them to the chest.  I did a boot scan and found pdfreader\uninstall\uninstall.exe infected with win:32:installcor-eq. I will verify before deleting.

 

Thank you,

Fred


Edited by Wado, 23 August 2013 - 06:27 PM.


#7 boopme


Posted 23 August 2013 - 07:44 PM

Ok, this is going to take some work...

Follow the steps in this Removal Guide

 

Reboot

Run RKill again and post that log.



#8 Peter2013

Peter2013

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 24 August 2013 - 02:17 AM

This "removal guide" has expired and needs an update.

It might be that some are still infected by the old FBI virus that gives you the opportunity to "select" safe mode options - but the scumbags who made this virus have figured that out long ago and closed this window.

Besides, some of the tools suggested on this site only bring malware along - but no cure. Be aware!


Edited by Peter2013, 24 August 2013 - 02:18 AM.


#9 Wado


Posted 24 August 2013 - 07:52 AM

Thank you Peter.

 

The scumbags disabled the safe mode for the "infected" user. I am having to use the Admin I created after the infection to do the scans. So far Avast! found 19 infections, boot scan another 3 before I switched to EEK and EEK has found 9 (one that it could not move or delete). I am scanning with EEK again before I move on in the directions.

Fortunately, it is not my computer, so I can scrub it, scan it, and run it through the wringer until Boopme and I (Thank you Boopme) are satisfied that it is clean.

The infected computer has the Guest active and the primary account is the Admin, used by the entire family (single mom and her teenage kids). The kids will be very upset when there are no games on the computer and their Admin privileges are taken away. WHAHahahaha! And my kids wonder why they have to use Ubuntu with Office Libre for their computers. My philosophy: NO BRAINSUCKING DOWNLOADED GAMES ON THE PC! Schoolwork and research, educational games only. Well, thanks for the outlet to ramble on. I'm gonna make some tea and finish waking up.



#10 boopme


Posted 25 August 2013 - 09:55 PM

This link works

http://www.bleepingcomputer.com/virus-removal/remove-fbi-online-agent-ransomware

#11 Peter2013


Posted 26 August 2013 - 07:06 AM

Good luck :warrior:



#12 Wado


Posted 29 August 2013 - 04:10 PM

Here is my Rkill log. I am currently scanning with Secunia and then I will be going through the startup list and looking for redirects and PUPs.
 
Rkill 2.6.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 08/29/2013 04:41:15 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * C:\Users\aweaver\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe (PID: 1260) [UP-HEUR]
1 proccess terminated!
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * No issues found.
Checking Windows Service Integrity:
 * No issues found.
Searching for Missing Digital Signatures:
 * No issues found.
Checking HOSTS File:
 * No issues found.
Program finished at: 08/29/2013 04:44:04 PM
Execution time: 0 hours(s), 2 minute(s), and 49 seconds(s)

Edited by Wado, 29 August 2013 - 06:01 PM.
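
An added example, not part of the original thread and not Rkill's own code: a small Python parser for a log in the layout posted above, grouping the bulleted results under each check heading so that only the sections with findings remain. The sample lines are copied from that post and shortened; the function names are this example's own.

```python
import re

# Lines copied from the Rkill log posted above (shortened for the example).
SAMPLE_LOG = r"""Rkill 2.6.1 by Lawrence Abrams (Grinler)
Program started at: 08/29/2013 04:41:15 PM in x64 mode.
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * C:\Users\aweaver\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe (PID: 1260) [UP-HEUR]
1 proccess terminated!
Checking Registry for malware related settings:
 * No issues found in the Registry.
Checking HOSTS File:
 * No issues found.
Program finished at: 08/29/2013 04:44:04 PM
"""

# A check heading ends with ':' and starts with one of the verbs seen in the log.
SECTION = re.compile(r"^(Checking|Searching|Performing)\b.*:$")
# A terminated process: path, PID, and an optional bracketed tag such as [UP-HEUR].
PROCESS = re.compile(r"^(?P<path>.+?) \(PID: (?P<pid>\d+)\)(?: \[(?P<tag>[^\]]+)\])?$")
# Bullets that report a clean result, e.g. "No issues found."
CLEAN = re.compile(r"^No .*(found|issues)", re.IGNORECASE)


def parse_rkill_log(text):
    """Return {check heading: [finding, ...]}; a clean check maps to []."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION.match(line):
            current = line.rstrip(":")
            sections[current] = []
        elif line.startswith("* ") and current is not None:
            item = line[2:].strip()
            if CLEAN.match(item):
                continue  # nothing to report for this bullet
            m = PROCESS.match(item)
            sections[current].append(
                {"path": m["path"], "pid": int(m["pid"]), "tag": m["tag"]}
                if m else {"raw": item}  # keep unrecognised bullets verbatim
            )
    return sections


def findings(text):
    """Only the checks that reported something."""
    return {name: items for name, items in parse_rkill_log(text).items() if items}


if __name__ == "__main__":
    for check, items in findings(SAMPLE_LOG).items():
        print(check, items)
```
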


#13 boopme


Posted 29 August 2013 - 06:59 PM

Did you run Emsisoft from the Removal Guide link I posted?

#14 Wado


Posted 29 August 2013 - 07:14 PM

Yes, I did.

 

I ran Secunia, now 98%. I have a security update that will not install (Security Update for Windows 7 for x64-based Systems (KB2813170)).


Edited by Wado, 29 August 2013 - 07:30 PM.


#15 boopme


Posted 29 August 2013 - 07:48 PM

I would like you to try this next. I believe it's no longer malware, but a Registry issue.

Download Windows Repair (All in One) from this site

Install the program then run it.

NOTE 1. In Windows Vista, 7 and 8 right click on the program, click "Run As Administrator".
NOTE 2. Disable your antivirus program before running Windows Repair.


Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:




Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:



Go to Step 4 and under "System Restore" click on Create button:



Go to Start Repairs tab and click Start button.

Leave all checkmarks as they are.
NOTE for Windows 8 users. Reset Registry Permissions is NOT checked by design.

Click on Start button.


Post Windows Repair log (_windows_repair_log.txt) which is located in the following folder:
64-bit systems - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
32-bit systems - C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs



