seansmall

Can't access computer even in safe mode


My screen went white out of nowhere. Got a message on it now saying I've violated the law and need to pay a $300 fine to unblock. I know it's a virus but I can't even run a scan. And when I reboot in safe mode, the computer restarts every time I get back to my desktop. Not sure how to run a scan if I can't even access anything but this screen.


Hi Sean,

The following instructions are for Windows Vista, 7 or 8. If you have XP, please tell me.

Please download Farbar Recovery Scan Tool (FRST) on the computer you are using now and save it on a flash drive.
For 64-bit Windows: http://download.bleepingcomputer.com/farbar/FRST64.exe
For 32-bit Windows: http://download.bleepingcomputer.com/farbar/FRST.exe

You need to restart the infected computer and start a Command Prompt without starting all of Windows. There are two ways to do this, and which one you should use depends on whether you have an installation disc for Windows Vista or Windows 7.

Option 1 without Windows disc

When the computer starts, press the F8 key repeatedly until the Windows Advanced Options Menu is displayed.
Use the arrow keys to highlight Repair your computer. Press the Enter key.

Option 2 with Windows disc

Insert the installation disc.
Start the computer.
When asked if you want to start the computer from the installation disc, press any key.
If you don't see the question and the computer is started from the hard disc as usual, you need to change a BIOS setting to start from the disc.
When the menu on the installation disc is displayed, click on Repair your computer.

For both options

Select the correct keyboard layout and click on Next.
Select which Windows you want to repair, if there are several, select the infected one. Click on Next.
Select your user account and enter your password (if you don't have a password, press the Enter key).

The System Recovery Options menu is displayed and it starts with Startup repair and ends with Command Prompt.
Select Command Prompt.

Enter:
notepad
Press the Enter key.
The Notepad program starts.
Select: File menu -> Open
Select: Computer
Find your flash drive and write down its device letter, e.g. G:.
Exit Notepad.

In the Command prompt enter this command:
For 64-bit Windows: g:\frst64.exe
For 32-bit Windows: g:\frst.exe
but replace "g" with the drive letter of your flash drive. Press the Enter key.
The FRST program will start.

Read the disclaimer and click Yes to accept it.
Click Scan button.
When done, FRST will make a log file, called FRST.txt, on the flash drive.

Move the flash drive to a working computer and open the log file in Notepad.
Please, copy its content and paste it into your reply.


I don't see a Repair your computer option. I've got the 3 safe modes (regular, networking, command prompt). Then "enable boot logging", "enable VGA mode", "last known good configuration", "directory services restore mode", "debugging mode". If I click on any of these I get to choose between "Microsoft windows recovery console" and "Microsoft windows xp home edition".
Where do I start?


As I wrote, the instructions were for Vista and later Windows versions. With XP it's more complicated due to fewer options in the menu.

In XP it's necessary to use both a CD and a flash drive.

Download and save this program on the desktop of the computer you are using now.
OTLPENet: http://oldtimer.geekstogo.com/OTLPENet.exe

Insert an empty CD.
Double-click on OTLPENet.exe.
The program will burn some files to the CD and make it usable as a boot device for the infected computer.

Move the CD to the infected computer.
Start the computer from the CD.
If Windows starts, you have to change a BIOS setting to give the CD higher priority than the hard disk. How to do this varies between different computer models, but usually it's written on the first screen displayed after power on, e.g. "Press Del to Enter Setup", "F12 = Boot order".

When the computer starts from the CD, it will take some time to load correct drivers etc. It's time for a cup of coffee.

When done, the Reatogo desktop is displayed.
Insert the flash drive with FRST.
Start FRST.

The FRST program will start.
Read the disclaimer and click Yes to accept it.
Click Scan button.
When done, FRST will make a log file, called FRST.txt, on the flash drive.

Move the flash drive to a working computer and open the log file in Notepad.
Please, copy its content and paste it into your reply.


I was able to get the computer to boot through the cd and get to the Reatogo desktop. However, every time I try to run the FRST64.exe from the flash drive I get the error "B:\Documents and Settings\Default User\Desktop\FRST64.exe is not a valid Win32 application." I tried to move it to my desktop and it still didn't work.
The FRST64 link on the flash drive works fine on the normal computer, allowing me to run a scan and everything. But on the infected computer, I keep getting the same message above.


Ok, does that mean I should just change the name of the program from FRST64 to FRST? Would that make it work? (I'm not the most computer literate, as I'm sure you can tell!)


Log is below.
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-11-2013
Ran by SYSTEM on REATOGO on 16-11-2013 01:34:14
Running from D:\
Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [sigmatelSysTrayApp] - C:\WINDOWS\stsystra.exe [282624 2006-07-24] (SigmaTel, Inc.)
HKLM\...\Run: [iAAnotif] - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe [151552 2006-07-06] (Intel Corporation)
HKLM\...\Run: [DMXLauncher] - C:\Program Files\Dell\Media Experience\DMXLauncher.exe [94208 2005-10-05] ()
HKLM\...\Run: [iSUSPM Startup] - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [213936 2006-03-20] (Macrovision Corporation)
HKLM\...\Run: [iSUSScheduler] - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [79136 2008-10-24] (Macrovision Corporation)
HKLM\...\Run: [RoxWatchTray] - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [221184 2006-11-05] (Sonic Solutions)
HKLM\...\Run: [RoxioDragToDisc] - C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe [1116920 2006-08-17] (Roxio)
HKLM\...\Run: [Google Desktop Search] - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [169984 2007-08-22] ()
HKLM\...\Run: [iSUSPM] - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [213936 2006-03-20] (Macrovision Corporation)
HKLM\...\Run: [dscactivate] - C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [16384 2007-11-15] ( )
HKLM\...\Run: [DellSupportCenter] - "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
HKLM\...\Run: [QuickTime Task] - C:\Program Files\VistaCodecPack\QT\QTTask.exe [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [WinampAgent] - C:\Program Files\Winamp\winampa.exe [36352 2008-08-03] ()
HKLM\...\Run: [Google Quick Search Box] - C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe [68592 2009-06-24] (Google Inc.)
HKLM\...\Run: [TkBellExe] - C:\Program Files\Common Files\Real\Update_OB\realsched.exe [198160 2009-07-16] (RealNetworks, Inc.)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [248040 2010-02-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [DivXUpdate] - C:\Program Files\DivX\DivX Update\DivXUpdate.exe [1230704 2011-03-21] ()
HKLM\...\Run: [iSTray] - C:\Program Files\Spyware Doctor\pctsTray.exe [1287120 2010-05-27] (PC Tools)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-11-01] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\Administrator\...\Run: [DellSupport] - C:\Program Files\DellSupport\DSAgnt.exe [ 2007-03-15] (Gteko Ltd.)
HKU\Default User\...\Run: [DellSupport] - C:\Program Files\DellSupport\DSAgnt.exe [ 2007-03-15] (Gteko Ltd.)
HKU\Sean Pierce\...\Run: [DellSupport] - C:\Program Files\DellSupport\DSAgnt.exe [ 2007-03-15] (Gteko Ltd.)
HKU\Sean Pierce\...\Run: [DellSupportCenter] - "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
HKU\Sean Pierce\...\Run: [RegistryMechanic] - C:\Program Files\Registry Mechanic\RegMech.exe [ 2010-04-08] (PC Tools)
HKU\Sean Pierce\...\Run: [spotify Web Helper] - C:\Program Files\Spotify\Data\SpotifyWebHelper.exe [ 2013-06-14] (Spotify Ltd)
HKU\Sean Pierce\...\Run: [Google Update] - C:\Documents and Settings\Sean Pierce\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [ 2013-03-29] (Google Inc.)
HKU\Sean Pierce\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2007-09-02] (Google Inc.)
HKU\Sean Pierce\...\Run: [Messenger (Yahoo!)] - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [ 2012-05-25] (Yahoo! Inc.)
HKU\Sean Pierce\...\Winlogon: [shell] explorer.exe,C:\Documents and Settings\Sean Pierce\Application Data\Other.res [ 2010-12-09] () <==== ATTENTION
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\Sean Pierce\Start Menu\Programs\Startup\NexDef Plug-in.lnk
ShortcutTarget: NexDef Plug-in.lnk -> C:\Documents and Settings\Sean Pierce\Local Settings\Application Data\Autobahn\nexdef.exe ()

========================== Services (Whitelisted) =================

S3 DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [70656 2007-03-19] ()
S2 dsNcService; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [671408 2012-11-07] (Juniper Networks)
S2 PCToolsSSDMonitorSvc; C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe [632792 2010-04-08] (PC Tools)
S2 Protector by IB Updater; C:\Program Files\Protector by IB\ExtensionUpdaterService.exe [183808 2012-04-03] ()
S2 sdAuxService; C:\Program Files\Spyware Doctor\pctsAuxs.exe [366840 2010-03-11] (PC Tools)
S2 sdCoreService; C:\Program Files\Spyware Doctor\pctsSvc.exe [1142224 2010-03-15] (PC Tools)
S2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-08-13] (SupportSoft, Inc.)
S2 Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [24652 2007-01-04] (Viewpoint Corporation)
S3 WLSetupSvc; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [266240 2007-10-25] (Microsoft Corporation)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"

==================== Drivers (Whitelisted) ====================

S4 abp480n5; C:\Windows\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
S3 BVRPMPR5; C:\WINDOWS\system32\drivers\BVRPMPR5.SYS [49904 2007-05-23] (Avanquest Software)
S3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdpt.sys [26624 2012-11-07] (Juniper Networks)
S3 DSproct; C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [4736 2006-10-05] (Gteko Ltd.)
S0 gfibto; C:\Windows\System32\drivers\gfibto.sys [13560 2012-12-12] (GFI Software)
S3 NAL; C:\WINDOWS\system32\Drivers\iqvw32.sys [24064 2006-06-05] (Intel Corporation )
S0 PCTCore; C:\Windows\System32\drivers\PCTCore.sys [218592 2010-03-29] (PC Tools)
S4 pctgntdi; C:\WINDOWS\system32\drivers\pctgntdi.sys [233136 2010-02-05] (PC Tools)
S4 pctplsg; C:\WINDOWS\system32\drivers\pctplsg.sys [63360 2010-04-08] (PC Tools)
S3 STHDA; C:\Windows\System32\drivers\sthda.sys [1156648 2006-07-24] (SigmaTel, Inc.)
S3 USB_RNDIS; C:\Windows\System32\DRIVERS\usb8023.sys [12928 2013-02-11] (Microsoft Corporation)
S3 USB_RNDIS_XP; C:\Windows\System32\DRIVERS\usb8023.sys [12928 2013-02-11] (Microsoft Corporation)
S3 BCM42RLY; \??\C:\WINDOWS\System32\BCM42RLY.SYS [x]
S3 Lavasoft Kernexplorer; \??\C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 TlntSvr;
S3 wanatw; system32\DRIVERS\wanatw4.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-16 01:30 - 2013-11-16 01:30 - 00000000 ____D C:\FRST
2013-11-12 00:50 - 2013-11-12 00:50 - 01723528 _____ C:\Documents and Settings\Administrator\Desktop\Adaware_Installer.exe
2013-11-12 00:48 - 2013-11-12 00:48 - 00014305 _____ C:\Windows\KB942288-v3.log
2013-11-12 00:48 - 2013-11-12 00:48 - 00000000 __HDC C:\Windows\$NtUninstallKB942288-v3$
2013-11-12 00:37 - 2013-11-12 00:37 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Malwarebytes

==================== One Month Modified Files and Folders =======

2013-11-16 01:30 - 2013-11-16 01:30 - 00000000 ____D C:\FRST
2013-11-14 00:01 - 2008-07-02 18:27 - 00000000 ____D C:\Program Files\Spyware Doctor
2013-11-14 00:01 - 2004-08-10 12:08 - 00032502 _____ C:\Windows\SchedLgU.Txt
2013-11-14 00:01 - 2004-08-10 12:02 - 01755689 _____ C:\Windows\WindowsUpdate.log
2013-11-13 23:24 - 2010-01-05 21:39 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2013-11-12 01:00 - 2008-10-14 13:51 - 00000000 ____D C:\Program Files\Registry Mechanic
2013-11-12 00:50 - 2013-11-12 00:50 - 01723528 _____ C:\Documents and Settings\Administrator\Desktop\Adaware_Installer.exe
2013-11-12 00:48 - 2013-11-12 00:48 - 00014305 _____ C:\Windows\KB942288-v3.log
2013-11-12 00:48 - 2013-11-12 00:48 - 00000000 __HDC C:\Windows\$NtUninstallKB942288-v3$
2013-11-12 00:48 - 2010-03-14 22:52 - 00406693 _____ C:\Windows\setupapi.log
2013-11-12 00:48 - 2004-08-10 11:57 - 02848605 _____ C:\Windows\FaxSetup.log
2013-11-12 00:48 - 2004-08-10 11:57 - 01369798 _____ C:\Windows\ocgen.log
2013-11-12 00:48 - 2004-08-10 11:57 - 01090442 _____ C:\Windows\tsoc.log
2013-11-12 00:48 - 2004-08-10 11:57 - 00819078 _____ C:\Windows\comsetup.log
2013-11-12 00:48 - 2004-08-10 11:57 - 00496742 _____ C:\Windows\ntdtcsetup.log
2013-11-12 00:48 - 2004-08-10 11:57 - 00445083 _____ C:\Windows\iis6.log
2013-11-12 00:48 - 2004-08-10 11:57 - 00142357 _____ C:\Windows\msgsocm.log
2013-11-12 00:48 - 2004-08-10 11:57 - 00136806 _____ C:\Windows\ocmsn.log
2013-11-12 00:48 - 2004-08-10 11:57 - 00001393 _____ C:\Windows\imsins.log
2013-11-12 00:48 - 2004-08-10 11:52 - 00000000 ____D C:\Windows\System32\mui
2013-11-12 00:47 - 2010-01-05 21:39 - 00055000 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-11-12 00:37 - 2013-11-12 00:37 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2013-11-12 00:29 - 2004-08-10 11:57 - 00441626 _____ C:\Windows\System32\PerfStringBackup.INI
2013-11-12 00:25 - 2007-09-02 16:11 - 00000278 ___SH C:\Documents and Settings\Sean Pierce\ntuser.ini
2013-10-29 11:02 - 2013-10-01 18:57 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-10-28 22:11 - 2012-04-29 14:46 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service


Please start Notepad.
Copy all the text in the box:

HKU\Sean Pierce\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\Sean Pierce\Application Data\Other.res [ 2010-12-09] () <==== ATTENTION
and paste it into Notepad. Check that nothing has been split over two lines.
Save the file as fixlist.txt on the flash drive.

On the infected computer, start FRST as last time, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the flash drive.
Please, paste the content of that file in your answer.

Please check whether the computer can now start in normal mode.
If yes, please follow the topic Read This Before You Post! and post the DDS logs to continue the cleaning process.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-11-2013
Ran by SYSTEM at 2013-11-18 00:18:09 Run:1
Running from D:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
HKU\Sean Pierce\...\Winlogon: [shell] explorer.exe,C:\Documents and Settings\Sean Pierce\Application Data\Other.res [ 2010-12-09] () <==== ATTENTION
*****************

HKU\Sean Pierce\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.

==== End of Fixlog ====

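The fix above works because the lock screen persisted by appending its own file to the Winlogon Shell value, so Windows launched it alongside Explorer at every logon. As an added example (not from this thread, from FRST or from Farbar), here is a Python check that scans FRST registry lines for a Shell value that launches anything other than explorer.exe and emits the matching lines as the fixlist the helper asked for; the sample log lines are constructed from the log posted above.

```python
import re

# Constructed sample of FRST "Registry (Whitelisted)" lines, modelled on the log in
# this thread. The Winlogon line is the one FRST itself marked with ATTENTION.
SAMPLE_FRST_LOG = r"""
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKU\Sean Pierce\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2007-09-02] (Google Inc.)
HKU\Sean Pierce\...\Winlogon: [shell] explorer.exe,C:\Documents and Settings\Sean Pierce\Application Data\Other.res [ 2010-12-09] () <==== ATTENTION
HKU\Other User\...\Winlogon: [Shell] explorer.exe
"""

# FRST prints Winlogon values as:  <hive>\...\Winlogon: [<ValueName>] <data> ...
WINLOGON_RE = re.compile(
    r"^(?P<hive>HK(?:LM|U\\[^\\]+))\\\.\.\.\\Winlogon: "
    r"\[(?P<name>[^\]]+)\] (?P<data>.*)$"
)

# On a clean XP/Vista/7 system the Shell value is the bare program name.
EXPECTED_SHELL = "explorer.exe"


def parse_winlogon_lines(log_text):
    """Yield (hive, value_name, data, raw_line) for each Winlogon line in an FRST log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = WINLOGON_RE.match(line)
        if m:
            yield m.group("hive"), m.group("name"), m.group("data"), line


def shell_entries(data):
    """Split Shell data into the programs Winlogon would start.

    Winlogon treats the value as a comma-separated list, so
    'explorer.exe,C:\\...\\Other.res' starts Explorer AND the second file.
    FRST appends ' [size date] (vendor)' and an ATTENTION marker; drop those first.
    """
    data = re.split(r" \[| <====", data)[0]
    return [p.strip() for p in data.split(",") if p.strip()]


def find_shell_hijacks(log_text):
    """Return the raw FRST lines whose Shell value launches anything besides explorer.exe."""
    hits = []
    for _hive, name, data, line in parse_winlogon_lines(log_text):
        if name.lower() != "shell":
            continue
        if [p.lower() for p in shell_entries(data)] != [EXPECTED_SHELL]:
            hits.append(line)
    return hits


def build_fixlist(log_text):
    """A fixlist.txt for FRST is just the offending log lines copied verbatim, one per line."""
    return "\n".join(find_shell_hijacks(log_text)) + "\n"


if __name__ == "__main__":
    print(build_fixlist(SAMPLE_FRST_LOG), end="")
```

The same check applies to a live system by reading the Shell value under each user's Winlogon key; a value that is not exactly explorer.exe is the thing to investigate.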

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

Everyone else please begin a New Topic.

Thank you !
