10ClayMan Posted September 22, 2013

Have the NSA/FBI Ransom Hijacker. Have read in the forum. Using F8 does not work, but I created a rescue disk for Win7-32 on another laptop. Able to go to the CMD line and open Notepad to use the DDS tool as well as the FRST tool. I have uploaded the two files. Looks like the entire registry is removed. Thank you for your help.

Attachments: FRST.txt, attach.txt
MrCharlie Posted September 22, 2013

Appears you didn't do it correctly. Welcome to the forum, here's how we deal with that malware:

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Plug the flash drive into the infected PC.

If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt to enter the System Recovery Command Prompt.

If you are using Vista or Windows 7, enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used. To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using a Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt.

Once in the Command Prompt:
In the command window type in notepad and press Enter.
The notepad opens. Under the File menu select Open.
Select "Computer" and find your flash drive letter, then close the notepad.
In the command window type e:\frst (for the x64 bit version type e:\frst64) and press Enter.
Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC
10ClayMan (Author) Posted September 22, 2013

See log below:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20-09-2013
Ran by SYSTEM on MININT-BAPONF2 on 22-09-2013 10:19:12
Running from E:\
WIN_7 Service Pack 1 (X86) OS Language: English(US)
Boot Mode: Recovery
Attention: Could not load system hive.
Attention: System hive is missing.

==================== Registry (Whitelisted) ==================

Attention: Software hive is missing.
ATTENTION: Software hive is not loaded.

==================== Services (Whitelisted) =================

==================== Drivers (Whitelisted) ==================

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

==================== One Month Modified Files and Folders =======

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
C:\Windows\System32\winsrv.dll IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 4021.85 MB
Available physical RAM: 3586.93 MB
Total Pagefile: 4020.14 MB
Available Pagefile: 3586.02 MB
Total Virtual: 2047.88 MB
Available Virtual: 1932.19 MB

==================== Drives ================================

Drive e: () (Removable) (Total:3.74 GB) (Free:3.73 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 149 GB) (Disk ID: A05CECBD)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 0696579C)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)

==================== End Of Log ============================
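The log above is the kind of output a helper has to triage quickly, and it carries a trap that the next two posts resolve: FRST reports every core Windows binary as missing and both registry hives as unloadable, yet the Drives section lists no fixed NTFS volume other than the X: WinRE boot image, which means the recovery environment never saw the Windows volume at all (here, because the drive was encrypted). The parser below is an added example written for this thread, not FRST's own tooling or anything posted by the participants; it assumes the section-banner and ATTENTION line formats exactly as they appear in the posted log, and its sample input is a constructed excerpt of that log. It extracts the flagged lines and then applies the caveat: with no visible OS volume and unloadable hives, the "IS MISSING" hits are unreliable rather than evidence that the malware removed the files.

```python
import re

# Constructed excerpt modelled on the FRST recovery-mode log posted in this
# thread; it is sample input for the parser, not the complete original log.
SAMPLE_LOG = r"""Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20-09-2013
Ran by SYSTEM on MININT-BAPONF2 on 22-09-2013 10:19:12
Boot Mode: Recovery
Attention: Could not load system hive.
Attention: System hive is missing.

==================== Registry (Whitelisted) ==================

Attention: Software hive is missing.
ATTENTION: Software hive is not loaded.

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

==================== Drives ================================

Drive e: () (Removable) (Total:3.74 GB) (Free:3.73 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== End Of Log ============================
"""

# Line shapes taken from the posted log (assumed to be stable FRST formats).
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
MISSING_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) IS MISSING <==== ATTENTION!")
EXEASSOC_RE = re.compile(r"^(?P<key>HKLM\\.+?):\s*(?P<value>.*?)\s*<=+ ATTENTION!")
DRIVE_RE = re.compile(
    r"^Drive (?P<letter>[a-z]): \((?P<label>[^)]*)\) \((?P<kind>Removable|Fixed)\) "
    r"\(Total:(?P<total>[^)]*)\) \(Free:[^)]*\) (?P<fs>\S+)$"
)


def parse_frst_log(text):
    """Walk the log line by line, tracking which '==== Section ====' banner we
    are under, and collect the ATTENTION-flagged lines plus the drive list."""
    findings = {"hive_warnings": [], "missing_files": [],
                "exe_association": [], "drives": []}
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.lower().startswith("attention:"):  # hive load warnings
            findings["hive_warnings"].append(line.split(":", 1)[1].strip())
            continue
        m = MISSING_RE.match(line)
        if m and section == "Bamital & volsnap Check":
            findings["missing_files"].append(m.group("path"))
            continue
        m = EXEASSOC_RE.match(line)
        if m and section == "EXE ASSOCIATION":
            findings["exe_association"].append((m.group("key"), m.group("value")))
            continue
        m = DRIVE_RE.match(line)
        if m and section == "Drives":
            findings["drives"].append(m.groupdict())
    return findings


def assess(findings):
    """Return (verdict, reasons). If no Fixed drive other than the X: WinRE boot
    image is listed and the hives could not be loaded, the recovery environment
    never read the Windows volume (e.g. full-disk encryption), so the
    'IS MISSING' hits are not evidence of what the malware did."""
    reasons = []
    os_volumes = [d for d in findings["drives"]
                  if d["kind"] == "Fixed" and d["letter"] != "x"]
    hives_unreadable = any("hive" in w.lower() for w in findings["hive_warnings"])
    if not os_volumes and hives_unreadable:
        reasons.append("no fixed OS volume listed and registry hives not loaded")
        reasons.append("%d missing-file hits are unreliable" % len(findings["missing_files"]))
        return "system-volume-not-visible", reasons
    for key, value in findings["exe_association"]:
        reasons.append("EXE association flagged: %s = %r" % (key, value))
    for path in findings["missing_files"]:
        reasons.append("critical file missing: " + path)
    return ("infection-indicators" if reasons else "no-indicators"), reasons


if __name__ == "__main__":
    verdict, why = assess(parse_frst_log(SAMPLE_LOG))
    print("Verdict:", verdict)
    for r in why:
        print("  -", r)
```

On the posted log the verdict is "system-volume-not-visible", which is exactly the question MrCharlie asks next; only once a fixed C: volume appears in the Drives section do the EXE association and missing-file hits count as indicators worth acting on.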
MrCharlie Posted September 22, 2013

Is this drive encrypted? If not....... I suggest you create a Kaspersky Rescue Disk and Unlocker: http://maddoktor2.com/forums/index.php/topic,55928.0.html (towards the bottom of the post)

Scan the system with it and see...... Let me know.....

MrC
10ClayMan (Author) Posted September 23, 2013

The drive is encrypted; did not realize I could not boot from disk. Was able to remove the virus with Malwarebytes once I was shown how to get the laptop to boot in safe mode. Thank you for your help. No further help needed.
LDTate Posted September 25, 2013

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!