Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Oct 25, 2014 15:50:17 GMT -8
"I went to download the recovery tool for the 32bit version. warning bar opened: "FRST.exe is not commonly downloaded and could harm your computer." I selected:"run anyways" message box opens (user account control): "make changes to computer?" I selected "Yes" message box (Farbar Recover scan tool): this version is not compatible with your OS. please use FRST64"
Our tools are always updated, and that is the problem: AVs and browsers see that they are new(ish), so they don't want to let them through.
When you did "I selected: run anyways", you instead had FRST run on the system you are using to download and transfer to the flash drive.
You need the Save option NOT Run, sometimes it is in the little arrow on the right hand side of where the warning is in the Browser.
You could try another browser
Quads
Post by htgawm on Oct 25, 2014 16:41:26 GMT -8
Post by htgawm on Oct 25, 2014 16:47:02 GMT -8
I didn't do this part though, "restart the system and load Windows". You want me to restart my computer?
Post by Quads on Oct 25, 2014 16:49:33 GMT -8
I have found it, and it uses a Windows Service but instead of pointing to the Windows file, it points to the RansomLock.
I have to look up 2 entries.
Also all I want to do is break the Ransomware so that we can load to your Desktop, so that we can get the full logs in Normal mode.
ADDED The Answer to Question
NO
Quads
Post by Quads on Oct 25, 2014 18:11:42 GMT -8
The Windows Management Service actually points to the Ransomware (ICE) instead of what should be the Windows file(s). This should be enough to break the Ransom and take part of Zeroaccess, but files will still be on your system and the rest has to be dealt with; at least we should be able to get to your Desktop in Normal Mode after this to be able to carry on.

Download the script attached; it needs to be the same file name as well (fixlist.txt). Copy it across to the flash drive, so that fixlist.txt is next to FRST64.exe on the Flash Drive. DO NOT DRAG AND DROP to download the script, it won't work for FRST (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link as.)

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Do like previously to start FRST without Windows loading, like we did when we first used FRST on the Flash Drive. (There is a difference stated further down.)
In the command window type in notepad and press Enter. The notepad opens.
Under the File menu select Open. Select "Computer" and find your flash drive letter, then close the notepad.
In the command window type e:\frst.exe or e:\frst64.exe and press Enter. Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run. When the tool opens click Yes to the disclaimer. (If it still gives the disclaimer.)
Press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt). Please attach the log in your reply back, or with this forum you can paste the log into a message, as some logs are already formatted for bb code.

Quads
Attachments: fixlist.txt (1.1 KB)
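The hijacked service Quads describes above (a service entry pointing at the ransomware rather than the Windows file) can be looked for with a listing like this, an added PowerShell example that is neither from this thread nor part of FRST. It assumes an elevated session on the booted system and takes the set of trusted directories as an assumption; it lists services whose executable is missing or lives outside those directories.

```powershell
# Added example (not from the thread, not FRST): flag Windows services whose binary
# is missing or sits outside the usual system/program directories.
# Assumption: the three directories below are the only "expected" service locations.
$trusted = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-ServiceBinaryPath {
    # Extract the executable from a service PathName, which may be quoted and/or carry arguments
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        # Quoted path: everything up to the closing quote
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted path: take the first token that ends in .exe, else the first whitespace-delimited token
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

function Test-TrustedLocation {
    # True when the (environment-expanded) path is under one of the trusted directories
    param([string]$ExePath)
    $full = [System.Environment]::ExpandEnvironmentVariables($ExePath).ToLowerInvariant()
    foreach ($dir in $trusted) {
        if ($full.StartsWith($dir + '\')) { return $true }
    }
    return $false
}

# Enumerate services and report the ones worth a second look
Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ServiceBinaryPath $_.PathName
    if (-not $exe) { return }
    $expanded = [System.Environment]::ExpandEnvironmentVariables($exe)
    [pscustomobject]@{
        Name      = $_.Name
        State     = $_.State
        StartMode = $_.StartMode
        Binary    = $expanded
        Exists    = Test-Path -LiteralPath $expanded
        Trusted   = Test-TrustedLocation $exe
    }
} | Where-Object { -not $_.Trusted -or -not $_.Exists } | Sort-Object Name | Format-Table -AutoSize
```

Legitimate third-party services installed elsewhere will also appear, so the output is a review list, not a verdict.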
Post by Quads on Oct 26, 2014 9:09:04 GMT -8
Did that work??
Quads
Post by htgawm on Nov 12, 2014 13:59:52 GMT -8
Hi Quads, sorry I have been out of town. I have finished the last step and have attached the Fixlog document.
Fixlog.txt (2.54 KB)
Post by Quads on Nov 12, 2014 14:05:38 GMT -8
Now you should be able to boot normally and have the Desktop back??
I have hopefully done enough to get us to that point.
Quads
Post by htgawm on Nov 12, 2014 14:13:02 GMT -8
Yes, the desktop has loaded.
Post by htgawm on Nov 12, 2014 19:45:00 GMT -8
Is there anything else I need to do?