
White screen/ ransomware on xp


  • This topic is locked
33 replies to this topic

#1 petergriffen

petergriffen

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Local time:02:25 AM

Posted 06 August 2015 - 04:18 AM

When I log into Windows I get a white screen I can't click out of, and I can't use safe boot.

I've tried Kaspersky Rescue Disk Windows Unlocker and that didn't work.

If anyone could please help it would be greatly appreciated.

I ran OTL and FRST both from reatogo-x-pe.

Attached Files

  • Attached File  FRST.txt   538.54KB   8 downloads
  • Attached File  OTL.txt   1.16MB   6 downloads

Edited by petergriffen, 06 August 2015 - 05:31 AM.



#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,532 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:10:25 PM

Posted 07 August 2015 - 11:29 AM

Greetings petergriffen and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Have you received any Ransomware pop ups or do you believe you are infected with that because you can't boot?

Please run the following for me. Ultimately FRST.exe and Fixlist.txt must be saved in the same location, i.e. flash drive.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
RP: -> 2015-08-03 05:12 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1
  • Insert the USB device into your infected computer
  • Boot your computer as you did previously
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt). Copy and paste that information in your reply.
  • Please attempt to boot your computer into Normal Mode or, if not, Safe Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Reason you believe Ransomware
  • Are you able to boot?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 petergriffen


Posted 07 August 2015 - 04:04 PM

Below are the logs; no change since running what you gave me.

I think it was ransomware because once I get into Windows I get a full-screen white popup that says police report, telling me to do something, that I can't close. I can't get into any safe modes; I get a blue screen for those.

 

 

Fix result of Farbar Recovery Scan Tool (x86) Version:02-08-2015 01
Ran by SYSTEM (2000-01-02 22:07:50) Run:1
Running from D:\
Boot Mode: Recovery

==============================================

fixlist content:
*****************
RP: -> 2015-08-03 05:12 - 024576 _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1
*****************

SAM hive was successfully restored from Restore Point.
SECURITY hive was successfully restored from Restore Point.
Software hive was successfully restored from Restore Point.
System hive was successfully restored from Restore Point.
Default hive was successfully restored from Restore Point.

==== End of Fixlog 22:07:58 ====



#4 Oh My!


Posted 07 August 2015 - 07:52 PM

Greetings, please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
C:\Documents and Settings\Peter Gagyi\Local Settings\Application Data\{DB017D8E-D7F5-421B-8E1B-A28D92642197}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8592
O3 - HKLM\..\Toolbar: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - Startup: C:\Documents and Settings\Peter Gagyi\Start Menu\Programs\Startup\AOL Desktop.lnk =  File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: lJ1WSQCSUS = C:\Documents and Settings\All Users\Application Data\rgvmtkle\dsxcnodq.exe
C:\Documents and Settings\All Users\Application Data\rgvmtkle
O20 - AppInit_DLLs: (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll) -  File not found
C:\Documents and Settings\All Users\Application Data\Ask
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ECF5194F
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:44DAF2F1
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
Folder: C:\Report
Folder: C:\Documents and Settings\All Users\Documents\Report
  • Insert the USB device into your infected computer
  • Boot your computer as you did previously
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt). Copy and paste that information in your reply.
  • Please attempt to boot your computer into Normal Mode or, if not, Safe Mode
  • If your computer will not boot please run a fresh FRST Scan and post the results
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Computer boot?
  • FRST.txt (if necessary)

Gary
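
An added example, not part of the original thread and not FRST or OTL code: a small triage script that sorts OTL-style lines like those in the fixlist of post #4 into persistence categories (loopback proxy, autorun from a data directory, AppInit_DLLs, alternate data streams). The regular expressions, category names and function names are assumptions made for this illustration, based only on the line shapes visible in that post.

```python
import re

# Lines copied from the fixlist in post #4 above (OTL-style log entries).
FIXLIST = r"""
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8592
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: lJ1WSQCSUS = C:\Documents and Settings\All Users\Application Data\rgvmtkle\dsxcnodq.exe
C:\Documents and Settings\All Users\Application Data\rgvmtkle
O20 - AppInit_DLLs: (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll) -  File not found
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ECF5194F
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:44DAF2F1
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
Folder: C:\Report
"""

# Hypothetical patterns written for this example, one per line shape above.
PROXY = re.compile(r'"ProxyServer"\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost):(\d+)', re.I)
RUN = re.compile(r'^O\d+ - (?P<key>.+?\\Run): (?P<name>\S+) = (?P<path>.+)$', re.I)
APPINIT = re.compile(r'^O20 - AppInit_DLLs: \((?P<dll>[^)]+)\)')
ADS = re.compile(r'^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<host>.+):(?P<stream>[^:\\]+)$')
# Directories a standard user can write to; an autorun target here deserves a look.
DATA_DIR = re.compile(r'\\(Application Data|Local Settings|Temp)\\', re.I)


def classify(line):
    """Return (category, detail) for one log line, or None if nothing is flagged."""
    line = line.strip()
    m = PROXY.search(line)
    if m:  # system proxy pointed at a local listener
        return ("loopback-proxy", f"{m.group(1)}:{m.group(2)}")
    m = RUN.match(line)
    if m and DATA_DIR.search(m["path"]):  # Run value launching from a data folder
        return ("autorun-from-data-dir", f"{m['name']} -> {m['path'].strip()}")
    m = APPINIT.match(line)
    if m:  # DLL loaded into every process that links user32.dll
        return ("appinit-dll", m["dll"])
    m = ADS.match(line)
    if m:  # named stream attached to a file or folder
        return ("alternate-data-stream", f"{m['stream']} on {m['host']} ({m['size']} bytes)")
    return None


def triage(text):
    """Classify every line of a log excerpt and keep only the flagged ones."""
    return [hit for line in text.splitlines() if (hit := classify(line))]


if __name__ == "__main__":
    for category, detail in triage(FIXLIST):
        print(f"{category:24} {detail}")
```

Lines that match none of the patterns (toolbar entries, bare folder paths) are left unflagged, so the output is a shortlist for manual review, not a verdict.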
 

#5 petergriffen


Posted 07 August 2015 - 09:31 PM

thanks for the help so far, I had to attach the files

 

boots the same, gets into windows and then stuck at the white popup.

still no safemode

Attached Files


Edited by petergriffen, 07 August 2015 - 09:32 PM.


#6 Oh My!


Posted 07 August 2015 - 10:48 PM

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------

Note: This fix will only work if your USB drive is the D: drive which is what it appears to be in your reports.
  • Download onto your USB device
  • From a clean computer press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
cmd: regedit /s d:\Registry.reg
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up), select Repair Your Computer, then select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt). Copy and paste that information in your reply.
  • Please attempt to boot your computer into Normal Mode or, if not, Safe Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlist
  • Can you boot?

Edited by Oh My!, 07 August 2015 - 11:13 PM.

Gary
 

#7 petergriffen


Posted 08 August 2015 - 07:01 AM

still the same

 

Attached Files



#8 Oh My!


Posted 08 August 2015 - 07:42 AM

Greetings,

One of the Registry fixes did not work. I modified it just a bit and we will try it again.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------

Note: This fix will only work if your USB drive is the D: drive which is what it appears to be in your reports.
  • Download onto your USB device
  • From a clean computer press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
cmd: regedit /s d:\Registry.reg
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up), select Repair Your Computer, then select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt). Copy and paste that information in your reply.
  • Please attempt to boot your computer into Normal Mode or, if not, Safe Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlist
  • Can you boot?

Gary
 

#9 petergriffen


Posted 08 August 2015 - 07:59 AM

The only way I can run everything is from reatogo-x-pe; does that work?

#10 Oh My!


Posted 08 August 2015 - 08:00 AM

However you did it the last way that is how we want to do it this time.
Gary
 

#11 petergriffen


Posted 08 August 2015 - 10:30 AM

should this say registry 2?

 

cmd: regedit /s d:\Registry.reg



#12 petergriffen


Posted 08 August 2015 - 11:23 AM

I tried it both ways; still the same white popup

 

Fix result of Farbar Recovery Scan Tool (x86) Version:02-08-2015 01
Ran by SYSTEM (2000-01-03 16:12:24) Run:5
Running from D:\
Boot Mode: Recovery

==============================================

fixlist content:
*****************
cmd: regedit /s d:\Registry.reg
*****************

=========  regedit /s d:\Registry.reg =========

========= End of CMD: =========

==== End of Fixlog 16:12:25 ====

Attached Files

  • Attached File  FRST.txt   543.52KB   1 downloads

Edited by petergriffen, 08 August 2015 - 11:24 AM.


#13 Oh My!


Posted 08 August 2015 - 03:04 PM

Ooops, sorry.

Please redo the steps only using Registry2.reg. Following that run FRST again.

If nothing changes I would like you to describe exactly what you see when trying to boot into Normal Mode. Tell me how far the boot process gets and what the last thing is you see on the screen before it goes white.

Also, in Safe Mode, when you get the Blue Screen if there is any information you see, provide the description as indicated below.
 

bsod_c.jpg


Finally, please do this.

===================================================

MBR Dump Using Farbar's Recovery Scan Tool

--------------------
  • If necessary, from a clean computer download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your USB device
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
SaveMbr: Drive=0
  • Insert the USB device into your infected computer
  • Boot your computer with the disk you have been using
  • Run FRST as you did before using the correct USB drive letter.
  • Press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the USB called (MBRDUMP.txt).
  • Attach the file to your reply. Do not attempt to open the file; it must be attached
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Descriptions if applicable
  • Attached mbrdump.txt file

Gary
 

#14 petergriffen


Posted 08 August 2015 - 03:25 PM

I get into windows, I just get a popup that I can't close

Attached is the popup and what happens on safeboot

No change with the last reg run

Attached Files


Edited by petergriffen, 08 August 2015 - 03:26 PM.


#15 Oh My!


Posted 08 August 2015 - 03:39 PM

Very good, thanks. Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
CMD: bootrec /FixMbr
  • Insert the USB device into your infected computer
  • Boot your computer as you did previously
  • Run FRST as you did previously and press the Fix
  • The tool will create a log on the flashdrive (Fixlog.txt). Copy and paste that information in your reply.
  • Please attempt to boot your computer into Normal Mode or, if not, Safe Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Does your computer boot?

Gary
 



