Here is a screenshot of what the misleading "System plugin at address 0x00874324 got critical error" looks like:
Update, 3:55 a.m. PDT: a new variant of this Trojan has been released. The fake warning is pretty much the same as it was before, only the error text is different: "System process at address 0xE4783995 have just crashed, please follow these steps to deactivate it from your system." We will post the new code as it becomes available. Meanwhile, please follow the alternate removal instructions.
Update, 5:40 a.m. PDT: yet another version of this Trojan Ransomware. Fraudulent error text: "System process at address 0x3BC3 have just crashed, please follow these steps to deactivate it from your system."
More about the scam:
"This is an international number via satellite. It is very difficult to counter this phenomenon because these numbers are beyond the laws of Switzerland, "says Caroline Sauser, spokesman for the Federal Office of Communications (Ofcom). "The number is 0088 213 affiliated with the company Telespazio, but there is no evidence that the company is behind the scam. Indeed, Telespazio acquires thousands of numbers in the block, it is very likely that it then distributes them to different customers."
"System plugin at address 0x00874324 got critical error" removal instructions:
1. You can use this code to unlock your computer:
2. If the above code doesn't work, please follow the general Ransomware removal guide.
3. You can repair your computer if you have Windows CD. Video tutorials:
- http://www.youtube.com/watch?v=KNOQ0sCYY8s (Windows XP)
- http://www.youtube.com/watch?v=fHrgIAdc_Co (Windows Vista/7, choose Startup Repair from the Windows recovery menu)
- Kaspersky Rescue Disk 10 (CD/DVD version, USB device version)
- Dr.Web LiveCD
- AVG Rescue CD
- Avira AntiVir Rescue System
6. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
Associated "System plugin at address 0x00874324 got critical error" files and registry values:
Files:
Windows XP:
- C:\Documents and Settings\[UserName]Application Data\svchost.exe
- C:\Documents and Settings\[UserName]Application Data\delself.bat
- C:\Documents and Settings\[UserName]Application Data\svchost.tmp_time
- C:\ProgramData\svchost.exe
- C:\ProgramData\delself.bat
- C:\ProgramData\svchost.tmp_time
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit= "
138 comments:
Long Live Anti-Malwere Force !
thk your information
thanks, I can access my PC now!
however, should I delete the following files to prevent it happens again?
[UserName]Application Data\svchost.exe
[UserName]Application Data\delself.bat
[UserName]Application Data\svchost.tmp_time (cannot find this)
thanks!
Hey just wanted to thank you for your information here, it was very helpful in me getting rid of my viruses. Thanks again I appreciate it
thank u so much for the information. really did help a lot. like teak said should i delete the files that he mentioned?
Yes, you should delete those files.
Thanks for you help.
I have just delete all files. I hav't find the Regitry value.
Philippe - Fr
thx
thanks a lot for valuable information..
now i get everything goes smoothly... thanks again
Thanks a lot, this info has been quite helpful.
Kimatu.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit= "
Empty the value of Userinit??
thank you for these information , it help me very much thanksssssss..............
Q: Empty the value of Userinit??
A: It changes the default value of Userinit. You have to change it back. It should be:
C:\WINDOWS\system32\userinit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit=C:\WINDOWS\system32\userinit.exe"
thnx for the codes it works!!
by the way i cant find this file.. what does it means??
C:\Documents and Settings\[UserName]Application Data\svchost.exe
C:\Documents and Settings\[UserName]Application Data\delself.bat
C:\Documents and Settings\[UserName]Application Data\svchost.tmp_time
and i found this but the value is Userinit=C:\WINDOWS\system32\userinit.exe,
the only difference was the comma on the .exe
Registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit= "
is this mean that no other file of malware was added on my computer??tnx for reply...
When you enter the code the trojan removes itself. You won't find those files if you use the code. Your userunit value is correct, it should be with the commma. To mame sure that your computer is clean, please run a full system scan with your antivirus software or any other anti-malware software. I usually use Hitman Pro: http://www.surfright.nl/en/hitmanpro
Good luck!
THANK YOU, THANK YOU, THANK YOU!!!!!!
You are a life saver!!!
I was going to call my tech. Guy...
And after closing the program, AVG deleted bunches of windefender.exe files and registry entries too!
thank you for information
Thanks admin you are the best thanks a lot.
Thank you so much...you are a hero indeed!!!!
Long Live Anti-Malwere Force !!!!
THANK YOU, THANK YOU, THANK YOU!!!!!!
From Romania !!!!!!!!!!!!!1
Thank you for helpful information
BIG THANKS! You are the best! :)
Благодаря ви!
thanks, enter the code 2 -7 - 4-9 -6. And I could access my PC. A million of thanks.
thank u admin
i got rid of the problem
from india
thanks man, you are the best, thanks for the information
THANK U THANK U U SAVEM MY $1000 INSTANTLY.THANK U SOOOOOOOOOOOOOOO MUCH........
thank u thank u sooooooooooooo much u saved me my $10000 thank u soooooooooooo much
You know what? you're life saviour man,thank you millions of times
thank you so much...mauliate godang...
thanks you man. excellent post.
Thank you very much,the code worked like magic yay!!
from Egypt :)
Hi there!
Thanks! the code worked for me, however the
svchost.exe
svchost.exe.tmp
Are in my C:\WINDOWS\system32
I try to delete them but as i put them in the tresh they do appeare again..
So how can i get rid of them???
Do not delete C:\WINDOWS\system32\svchost.exe, it's a Windows OS file. If you think that your computer is still infected, run a full system scan with anti-malware software. I usually use Hitman Pro and Malwarebytes Antimalware. Good luck!
Thanks for the code. It helped me a lot. And saved me from rebooting my PC. ^^,
thanks a lot.... good stuff bro.. TC ^_^
fantastic solution problem solved successfully thanks a lot
N.Senthil Kumar
Muito obrigado!!
Fui salvo!! Esse virus é novo?
Good man thx a lot . Cheers
Thank you very much. You're one of the good guys on the net.
Russ from Glasgow, Scotland
sergio from argentina
thank you so so much
my computer can not use that code if there is another code ..? tertuliskan wrong code! try again ..? help me ..
Much Appreciated. Thanks A Lot!! The code you posted worked. Take Care.
it's a good utility
thanks
i was going reinstall OS
Eu consegui retirar a tela do vírus, entrei no regedit apaguei o HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon "Userinit =" e limpei todos os arquivos infectados com o Hitman depois ele pediu para reiniciar para completar o processo, mas quando tento efetuar Login e senha ele tenta abrir a tela do windows mas que consiga ele efetua logoff sozinho intermitentemente, sempre que coloco a senha. Poderiam me ajudar?
-------- -------------
I managed to pull the fabric of the virus, I went into regedit deleted the HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon "Userinit =" and cleaned all infected files with the Hitman after he asked to reboot to complete the process, but when I try to log in and password it tries to open the display windows but that alone can he logs off intermittently, whenever I put the password. Can you help me?
Thank you, this has been a Godsend. I was ready to haul my computer off to the local shop because nothing I tried worked, including safe mode and trying to start from a boot disk. My anti-malware program (Malwarebytes) found all three files and eliminate them after I was able to actually use it again by putting in the code numbers you said to use. Thanks again, very very much!
hey, 27496 doesnt work for me. and i cant start it in the safe mode, it gives me the same error in any mode. please help!
hi Admin!
i have entered the 27496 but it doesn't work.
Then i try to use the 2nd method entering the safe mode, but again when it comes into the windows, this screen appear again which mean i still can;t access my computer, nor saying to perform any further process....
i have only one computer.....anyone other method that you can suggest to remove the virus?
They have probably changed the code. I will post the new code as it becomes available. Meanwhile, please follow the alternate removal instructions.
thank u
i entered 27496 too .. so nothing happen . i ve tried many times and it doesnt work. please help
thanks! look forward for the new code.
Thank you Admin!! wait for your good news! I think it's only you can save my life now...btw I am the one posting on May 6, 2011 8:56AM. Thank you very much!!!
the code above which is the 27496 doesn't work in my computer....
Is there news about the code yet? I'm in desperate need to access my computer!
Use bootable disk with command prompt.. then find this path -> C:\Users\user\AppData\Roaming\svchost.exe
anyway i'm using windows 7..
This is the updated Trojan/Ransom-ware.
Thank you admin for sharing this very important knowledge..
My Windows XP netbook got this trojan. and its ask 5 field codes. 27496 is not worked though, perhaps the code should be type on numpad? (since netbook got no numpad).
But there is a way to get rid this trojan (got this after search on google)
here it is .. Flood the system with the task manager pop up.
- in the blue screen press and hold CTRL ALT DEL long enough to launch multiple task managers. the task manager should appears. just wait
- on the task manager application tab, close the blue screen application. it's named "Guide Window Tour Guide ..." or something like that, since there is only one application found open on application tab. you will see blank screen after this.
- create a new task. type explorer.exe .. you will see your desktop screen back
- search and delete svchost.exe on C:\Documents and Settings\[UserName]Application Data\svchost.exe
- run regedit and change the value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit= " to C:\WINDOWS\system32\userinit.exe
- try to restart and see if this work (its work for me)
Thank you Untara! This indeed might work. I don't have the new code yet. By the way, you can repair your computer if you have Windows CD. Here's a good video for Windows XP users: http://www.youtube.com/watch?v=KNOQ0sCYY8s.
Another video for Windows Vista/7 users: http://www.youtube.com/watch?v=VI51eq4m_qQ.
Good luck!
Huge thanks Untara!!! Flooding the system with task manager worked.
Hello admin.
Some netbook came with no Windows CD and I am lazy enough to create a 'rescue disk' .. *facepalm*, going to create one after this. thanks a lot for your valueable information
Hi, Annon.
Glad to see its work. don't forget to find and delete those infected files on My Document And Setting. since I unable to enter the code. then I only found scvhost.exe .. hope that's the only one fil
woohoo! the solution with the task manager worked well, but the svchost.exe is not locateable on my windows xp...even not under "my documents an setting"
hello admin,
firstly, thanx for sharing the info. i also having the same probe. the activation key and the other manual process posted here hasn't worked to me.
hello untara,
also i have followed ur procedure. there u said to hold ctrl alt del. but i didn/t get any diff over there, just i got the blue screen only. there i selected task manager but it is invisible in fraction of sec's. what can i do...
plz help me.....
Annon.
perhaps its hidden, set folder view to show all hidden files
Pradeep-29
press repeatly or hold CTRL ALT DEL (10 - 20 seconds) *LONG ENOUGH* to make the system launch multiple task managers windows. just wait they will be appears (in my case, I got more than 100 task managers opened. Good God!)
This trojan is annoying! hope Admin found the new code to unlock
thanks admin...
i followed the process of windows repair to my PC(WINDOWS 7). there i selected the "startup repair"(1ST OPTION) and restarted my system. amazingly the blocked blue screen was gone and blank screen appeared. then i hit ctrl alt del and created new task "explorer.exe" to get my desktop. and the rest process done as said by untara to solve the issue.
A SPL THANX TO UNTARA........
THANK YOU BRO.........
pradeep,
I had the same problem re: tsk manager not sticking around and thought of two other ways to solve the trojan problem. Both, unfortunately, require some degree of technical competence. I should have persevered and kept hitting CTRL ALT DEL!
1) use boot cd to bypass windows, delete the infected file/s and edit the registry.
Research showed several utilities that could do that, but it involved a lengthy download (for me) and burning a cd and I wasn't sure I even had a blank disc!
2) remove the infected drive and slave it to a second PC.
Then I could remove the file/s and I also learned how to edit the registry on the infected drive. Briefly;
* Connect drive (let's call it H: )
* Navigate to and delete H:\Documents and settings\[username]\Application Data\svchost.exe etc (if you've already activated the trojan then delself.bat will have done just that - deleted itself)
* Run regedit
* Select HKEY_LOCAL_MACHINE
* click File, Load Hive
* select H:\WINDOWS\system32\config\software
<- 'software' is a file with no extension.
* navigate to HKEY_LOCAL_MACHINE\[hive]\Microsoft\Windows NT\CurrentVersion\Winlogon
and change the registry value for userinit as ADMIN suggests.
* unload the hive, exit regedit, remove the drive, replace in original PC and press Go!
Worked for me, anyway :)
This trojan is definitely a nasty piece of work!
Matt
is still working 27496??
No, it doesn't work.
hi.... i had the same problem... and the codes doesn't work now....i have deleted the scvhost.exe in the C:/ and fix the registry as mentioned above.....do you think it's enough and it will work?... oh god ..I'm afraid to turn off and restart my computer....I'm afraid the blue screen would appear again..
i entered 27496 too .. so nothing happen . i ve tried many times and it doesnt work. please help
my name is richard
i have the same problem as you but the message is "System plugin at address 0x00874324 got critical error"
do you have any information about this problem? (i do not succeed in flooding the system with the task manager pop up)
thank you
please Admin, we urgently need of the new code !!!
Thank you !!!
27496 doesnt work anymore the critical error address change to 0xE4783995 Probably they change the code. Does anyone has the code to unlock. Admin please save us
same here.and this code didnt work>>>plz admin try to find us a solution
We have solved the problem under Vista using Kaspersky Rescue Disk 10 and so having the possibility to open the task manager... :D :D
Good Luck and Thank You ALL !!!
I got the 0xE4783995 error too
I did it and it helped:
1. Restart your PC and DO NOT maximize that activation screen. Let it minimized.
2. Press Ctrl+Alt+Del repeatedly until you get a Task Manager window (maybe behind the blue screen).
3. Finish a "svchost.exe" process which has a strange description (only that one!!! in my case the description was a profile name).
4. From the Task manager, execute "explorer". Windows will now open.
5. Then restore your system to two days before.
Solved! - if you have a backup, i hadn't :(
6. Use malwerbytes and dr. cureit.
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon this virus changed:
a) shell - it should be 'explorer.exe'
b) userinit - it should be 'userinit.exe' but the malwarebyte fixed all
Good day :)
I did it and it helped:
1. Restart your PC and DO NOT maximize that activation screen. Let it minimized.
2. Press Ctrl+Alt+Del repeatedly until you get a Task Manager window (maybe behind the blue screen).
3. Finish a "svchost.exe" process which has a strange description (only that one!!! in my case the description was a profile name).
4. From the Task manager, execute "explorer". Windows will now open.
5. Then restore your system to two days before.
Solved! - if you have a backup, i hadn't :(
6. Use malwerbytes and dr. cureit.
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon this virus changed:
a) shell - it should be 'explorer.exe'
b) userinit - it should be 'userinit.exe' but the malwarebyte fixed all
Good day :)
i have the new critical error address too "0xE4783995"
please i need help!!
i had the same error address, and helped what i wrote one post hihger
----
JacK
i can't access the task manager window...
i have the same error "0xE4783995".
I tried to download a crack for a software but i downloaded these executable: aqs.exe, aqq.exe, aqr.exe, asixya.exe.
I restarted my pc and i obtained the blu page
:(
i had the same problem when i logged to the user account which downloaded virus. try to logged to other account if you have active and then you open task manager window.
if you can boot system in safe mode with command prompt, write 'regedit' and clean if yourself. change In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon this virus changed:
a) shell - it should be 'explorer.exe'
b) userinit - it should be 'userinit.exe' (c:\windows\system32\userinit.exe)
you can restore your system win7 from backup when you boot system from cd if did it ealier.
to open you command promt you can you system cd too.
or
try to press ctr+alt+del few times but longer than 10 second. i founded this possibility somewhere but i didn't try it. i changed the user account and it helped.i can open task manager.
----
JacK
Thank you JacK!
I can't boot system in safe mode with command prompt and i don't have windows cd too.
So, i have only towait for the new code
thanks
to boot system in safe mode try press F8, i heard that sometimes F5. choose 'safe mode with command promt' and clean regedit. try to type 'explorer' and press enter. windows explorer opens.
its a few solution. if you can manage yourself you should wait for new code. sorry.
----
JacK
Thank you jack, but there's nothing that i can do.
F5 tell to press F8.
Fabio
can someone please help me with Kaspersky Rescue Disk 10 USB device version. a (how to) pls ty
I got hit with this too! How do I bring the Task Manager out from behind the blue screen?
Download a windows recovery disk at neosmart.com it will save u lots of headaches. It fixed my problem with this damn hijack virus!!
I really need the code. How many time you need again? Is there a way to get it?
-----
Fabio
done
with kaspersky rescue disk through USB device
now my pc works as before
fabio
nothing works for me :( does anyone have any idea how much it would cost to call the damn thing?
help! i cant work with this freaking virus!! its been an hour trying to get the task manager out
I'm glad you've got it sorted out Fabio.
Q: does anyone have any idea how much it would cost to call the damn thing?
A: It may cost 25Euros/35Dollars or even more.
Thanks. Kaspersky didn't work. Neither USB or CD but problem solved with AVG. I did not try with Avira and Dr. WEB.
thnk u lot admin for create diz blog. and i also wanna thnkz for untara. untara's method worked for me. thnk uu lott. guys try untara's method.
Hi,
I have Windows7, and when I try to open TaskManager, it appears for a moment and then the Blue Screen pops up again!!
I dont know what ylto do, please help me!!
Manny
i've attacked by 0xE4783995 and Ctrl alt del is work!!! when u start window in safe mode before the blue screen is open u have a time for 1-2 sec to use task manager if u can delete a files Guide.. or something like that u can enter to the desktop and u can fix it
I hope we can get the code asap, since nothing has worked so far.
Au
So, no new code ???
hi admin... did you find a new code for this trojan ransom locker? i think your code doesnt work anymore... please help me... thanks....
-ij-
Hi, no I didn't. Don't wait for the code. I need a copy of this virus to figure out what the code is.
I am tring AVG recue CD . But I don't know the exact steps. Will simply scanning the system will do ? or I need to do something else ?
Scanning with AVG rescue DC should be enough.
i also got same problem...try to get new code..plz help
Hi,
is there a new code available to be entered?
Many thanks!
Chris
Hi Admin, Thanks for your effort in finding solution to this issue. Please advise how to use the "AVG rescue" utility on USB. Cheers
Hi does anyone know if Panda will work? and what is this virus caled then maybe i can contact panda and ask them to create a antivirus or watever
"SOLUTION" FOR THE 4783995 error :
What i did on my windows 7 home premium was;
- press ctrl alt delete and select task manager when blue screen appears, repeat till taskbar of Windows shows up
- click on Windows button , And type : cmd
Then press Enter
- command prompt Will show up; type:
taskkill /F /im svchost.exe /t
Then press enter
- cmd Will end a couple of processes , also a couple wil be denied.
- now you can do a spyware/viruscan or whatever it needs to destroy that virus
R vd b / Holland
Thanks, this was a great help on removing this trojan.
Hello,
I'm working on my removal right now.
Couldn't get Windows to respond. CTRL+ALT+DEL did not work. The Task Manager wanted to popup but was blocked by the Trojan. In my bad mood I decided to dial the number. A slow computer voice (Indian?) called up the 3 digits per block very very slow. After 10 minutes on the phone I had the number, entered it and Yes! PC was available again. Off course there was a lot of Spam installed but now the heavy removal can start.
I received the code:
754-896-324-589-742
Maybee this works for you?
Rick, the Netherlands.
Thank you Rick! I'll post the code in the removal section.
gracias ha sido como magia,me ha salvado la vida y el bolsillo.
Rick, you saved me!
I am on holidays and yesterday, this malware hit my laptop.
Since I'm on holiday, I dont have a Win CD, or any way to create a rescue disk. I also called all the phone numbers yesterday, but I did not get any response on any of them.
But then you posted the code Rick, and it works!!
I am running a malwayrebytes scan right now.
Is there anything else I should be doing, so that I'm sure that this malware is completely removed from my laptop?
Kind regards, David
I'm glad you sorted it out David! Malwarebytes should be enough. I also recommend Hitman Pro:
http://www.surfright.nl/en/hitmanpro
Have a nice holiday David! Good luck!
754-896-324-589-742
thanks.. this one woked
I entered the code and it worked, thanks for that! Then I ran a Malawarebytes scan, it found 10 threads and removed them.
But then my computer still ran very slow! Especially on the internet. I ran a Hitman Pro scan and it still found some trojans.
Hitman Pro is the only program that can find these trojans, but the problem is that my 30 day trial is over :-( Does someone know a product key for Hitman Pro?
With the Hitman Pro scan it shows precisely the path where I can find those Trojans on my computer. I searched and I did find those files, but is it enough if I just delete those files?(will it be removed completely?) Or should I let Hitman Pro remove it (if I can get to a product key...)
thank you
Remove those files manually and run a full system scan with SUPERAntispyware. Also, update and run your antivirus software.
thank you very much it worked. God bless! :) -zaniboi
thanks god bless you
THANKS YOU very much!!!!
from PC nerd from the Netherlands!
Thank you man ; )
you're my life saver, Thank you so much!!!
YOU DID IT FOR ME THANK YOU GUYS
Thanks!! That helped a lot!!!!
Rick,
First i got hte page to call the numbers, ive inserted the code, but after that the computers doesnt do anything..
When i start ul in normal(and safe modus) it wont login to my administrator account.. It logs on and immidiately off.. Do you know what to do?
Dutch: ha Rick, ik heb de code ingevoerd, wat lukte maar wanneerik op de accounts druk geeft hij aan dat hij aanmeldt en direct afmeldt..
Weet jij wat ik kan doen?
Gr. Paul
Works great thanks a lot
I encountered the exact same problem as pointed out above. But, I somehow don't get the blue screen with the phone numbers anymore. When I try logging in with a user (also as admin), the profile logs out immediately.
p.s. I now see the problem description of Paul Verhulst (above, June 17). The problem he describes is exactly the same as mine... Please help.
Dutch: Paul, ik heb hetzelfde probleem. Inloggen heeft als direct gevolg dat het account automatisch weer uitlogt, welke user ik ook kies en welke opstart methode ik ook kies. Wat kan ik doen? HELP!
UNTARAAAAAAAAAAA!!!!!! U R D BEST EVAAAAA!!! THANKS A LOT!!!!
ohhhh crap,, i thought the ctl alt del thing wud work,, wen i restarted beep!! code thingy agen!! but thanks to RICK,,, im saved!!! the code worked man,, thanks a lot!!
754-896-324-589-742 worked thanks guys !!!
There should be good people like you in this cyber world man !!!
Good luck for your all future work
I faced the same problem.
I was not having access to internet at that time to read these valuable solutions so I decided to format C drive.
Now the situation is that "I am in middle of installation & my system is rebooting again & again."
I dnt knw wht to do now.
Admin: Can you help me in this situation?
thank u for the access code ;) ...thanks from malaysian ;) land below the wind
bunch of thanks from Egypt
thank u so much :D i was worried so much :DDDDD
Anyone got a new code? The old one ending 742 doesn't work anymore!! :-(
can this malware turn jpg files (no bigger than 1MB) to html?