Fake Police Notice & Unable to Safe Boot


  • This topic is locked

#1 PCplodder (New Member, 1 posts)

Whilst browsing the internet over the weekend, I was suddenly re-directed to a website displaying 'Adult' content. Almost immediately, my screen was filled with a fake Police Notice, stating that the pc had been locked because it had been used for one or more 'illegal' purposes. It also stated that to unlock my pc, I would need to pay a 'fine'. Needless to say, I immediately disconnected the internet connection and then tried to close the window. This was not possible, despite trying numerous key combinations, so I had to switch off by pressing and holding the 'Start' button. A restart proceeded normally until getting to the desktop, which was then immediately replaced with the fake notice again.

I then re-started again, using an alternative account. I was then able to run 'Malwarebytes Anti-Malware' which reported 5 infections: Trojan.Agent.RDN (2 x Registry Keys); Trojan.Agent.RDN (File); Trojan.Agent.TPL (2 x Files). The software offered the option to delete these, which I selected and did a re-start as instructed.

I then re-started again using my normal (‘administrator’) log-on account. Unfortunately, I was eventually greeted with the fake notice again! I then used the alternative log-in with the intention of deleting the offending files. However, I could not gain access to the ‘User’ folder or delete the relevant Registry Keys as they were all protected by the ‘administrator’ password.

I then tried to boot up in ‘Safe Mode’, but during the scrolling display of drivers being loaded I was presented with the instruction: “Press Esc to cancel loading SPTD.SYS”. Regardless of my choice, the pc just kept recycling back to the same point and I realised that I would not be able to solve the problem in this way either.

I should point out that I have had this particular virus once before and was able to delete the relevant files and registry keys, after finding their location with 'Malwarebytes Anti-Malware'.

Consequently, I have now run out of ideas and respectfully ask for some help.

My problem requires two answers:

1. How can I delete the ‘protected’ offending files;

2. What do I need to do to get ‘Safe Mode’ to work.

The operating system is Windows XP Pro SP3, having 2 log-in profiles – one with ‘Administrator Rights’. There are also 3 external hard-drives for data storage only. At the time of the infection, 'Malwarebytes Anti-Malware' & ‘AVG’ were running.
#2 JSntgRvr (Global Moderator, 11,037 posts)

Hi, and welcome! :)

Let's give this a try through an external environment. You will need a CD to burn and a flash drive to move information from the troubled computer to a working computer. It is the only way we can see the progress of our actions. Save these instructions on your flash drive as a text file (use Notepad) so you can have access to them while in the external environment (PE).

Here is what you need to do.
  • Download OTLPEStd.exe to your desktop. NOTE: This file is 93.5MB in size, so it may take some time to download.
  • Once downloaded, insert a blank CD in your burner and click on OTLPEStd.exe. The executable includes the OTLPE_New_Std.iso and a copy of ImgBurn, a program to burn .iso files. When executed, the application will extract both and start the burning process automatically.
  • Once the CD is burned, boot the non-working computer using the boot CD you just created.
  • In order to do so, the computer must be set to boot from the CD first.

    Note: For information, click here.
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
  • OTL should now start. Change the following settings:
  • Change Drivers to All.
  • Change Standard Registry to All.
  • Under the Custom Scan box, paste this in:

    Dir /s /a:l c:\* /c

  • Press Run Scan to start the scan.
  • When finished, the file will be saved in the root directory of your hard drive, usually C:\.
  • Copy this file to your USB drive.
  • Please post the contents of this file in your reply.


#3 JSntgRvr (Global Moderator, 11,037 posts)

Due to the lack of feedback this Topic is closed. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

#4 JSntgRvr (Global Moderator, 11,037 posts)

Hello JSntgRvr / ‘GloMo’ (Global Moderator)

Please accept my sincere apologies for not having replied earlier to your posting re: my problem. There has been a family bereavement and I have not had chance to respond accordingly.

However, I did manage to find a solution and am writing to explain how, so that anyone else in a similar situation might benefit.

Shortly after posting my problem on the ‘Geeks to Go’ forum, I came across a posting on another website where someone had been unable to get beyond the desktop because his pc would immediately shut down and reboot for no apparent reason. He went on to explain that he had eventually managed to get past this point by repeatedly pressing the ‘Delete’ key while Windows was starting. This started me thinking, as I remembered that during my attempts to get into ‘Safe Mode’ there had been a message stating that to prevent the ‘SPTD.SYS’ file being loaded, I should press the ‘Esc’ key.

With my brain now going into ‘lateral thinking’ mode and using simple logic, I deduced that it would be worth trying to reboot using my normal user account (the one with the problem) and pressing the ‘Esc’ key repeatedly during Windows start-up. To my surprise, this actually worked and Windows loaded the desktop screen, albeit without icons & taskbar, but more importantly, without the Fake Notice. Still in ‘lateral thinking’ mode, I then tried pressing ‘Ctrl-Alt-Delete’ and was duly greeted by the good old ‘Windows Task Manager’. This enabled me to look at the running processes and terminate a few ‘suspicious’ ones, although I should point out that I could not say if any of them were the culprit or not. However, I then proceeded to explore ‘Task Manager’ and I came across a menu item for “New task (Run)”. I selected this and a ‘dialogue box’ opened, and I found that I could then ‘browse’ to the folder where I knew the Trojan-infected files were residing. This information had been provided in a report generated by the ‘Malwarebytes – Anti-malware’ software, which I had run from the ‘Guest’ user account a few days earlier. I found that I could delete the offending files using the ‘Task Manager – New Task’ dialogue box and also browsed to the ‘Regedit’ executable file, so that I could delete the associated registry keys (also identified by the ‘Malwarebytes’ program). So far, so good.

I then restarted Windows using my normal account again, but without hitting the ‘Esc’ key. The desktop loaded, again without icons and the taskbar, but this time, there was an open DOS dialogue box indicating that the system was trying to find something. I assumed that something in the registry was causing this to appear, so I ran ‘Glary Utilities’ from the ‘Task Manager – New Task’ dialogue box to find the associated registry key. I eventually found it and deleted it. Another re-start as before. This time the desktop loaded, again without icons and the taskbar, but this time, there was no dialogue box. Not quite there, but still more progress!

So I then ran the ‘Malwarebytes – Anti-malware’ software again. This time, it found a different anomaly – another registry key – “PUM.Shell.CMD”, which I promptly deleted. Another re-start and everything was back to normal – Hooray!

Now, a few words of caution. The procedures described above were spread over 2 days and took a total of about 8 hours – well, I am a novice! Before deleting anything from the registry, I did export the relevant keys to a ‘back-up’ location.

To date, I have not been able to resolve the ‘Safe Mode’ problem. This seems to be a separate issue that will need further investigation when time permits.

Finally, I would like to thank JSntgRvr / ‘GloMo’ (Global Moderator) for his VERY PROMPT response and apologise once again, for my delay in replying.

I have copied your posting, in case I need to refer to it again in the future. THANK YOU – VERY MUCH APPRECIATED.

You may post some or all of this message if you think it will be of any use.

LINK TO ORIGINAL POSTING :– http://www.geekstogo...48#entry2305148

Kind regards, Geoff Waldron (UK)



I am going to open the topic and see if I can help you with the other issues.
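The recovery above (empty desktop with no icons or taskbar, a stray command window, and a "PUM.Shell.CMD" registry key) matches a screen-locker that hijacks the Winlogon shell and autostart entries so that explorer.exe is never launched. The following audit script is an added example, not part of the thread or of any tool it names; it assumes PowerShell is available, that "PUM.Shell.CMD" refers to the Winlogon Shell value, and that the stock defaults (Shell = explorer.exe, Userinit = system32\userinit.exe,) apply to the machine being checked.

```powershell
# Added example: audit the registry locations a lock-screen Trojan typically
# modifies, reporting anything that differs from a stock Windows install.
# Assumed defaults; adjust if your build legitimately uses another shell.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}
$findings = @()

# 1. Shell / Userinit: a non-default value means explorer.exe is not started
#    for the desktop (no icons, no taskbar) and something else runs instead.
$props = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = $props.$name
    if ($actual -ne $expected[$name]) {
        $findings += [pscustomobject]@{ Location = "$winlogon\$name"; Value = $actual; Expected = $expected[$name] }
    }
}

# 2. Per-user Winlogon Shell override: only the infected profile is affected,
#    which is why a second account on the same PC may log in normally.
$hkcuWinlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hkcuShell = (Get-ItemProperty -Path $hkcuWinlogon -ErrorAction SilentlyContinue).Shell
if ($hkcuShell) {
    $findings += [pscustomobject]@{ Location = "$hkcuWinlogon\Shell"; Value = $hkcuShell; Expected = '(value absent)' }
}

# 3. Run / RunOnce keys: flag entries launched from user-writable folders
#    (heuristic; a legitimate program can live there too, so review, do not delete blindly).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key
    foreach ($entry in $p.PSObject.Properties) {
        if ($entry.Name -like 'PS*') { continue }   # skip PowerShell's provider metadata
        if ($entry.Value -match 'AppData|Local Settings|Application Data|\\Temp\\') {
            $findings += [pscustomobject]@{ Location = "$key\$($entry.Name)"; Value = $entry.Value; Expected = '(review)' }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No non-default shell values or suspicious autostart entries found.' }
```

As the poster did, export each key with regedit before changing anything so a wrong edit can be reversed.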

#5 JSntgRvr (Global Moderator, 11,037 posts)

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Download aswMBR.exe ( 511KB ) to your desktop. If you already have this application, this is a new version I need you to download.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.


On completion of the scan, click "save log", save it to your desktop and post it in your next reply.


The tool will also produce a copy of the MBR dump, labelled MBR.dat. Please upload that file here.