This is what happened on my Lenovo Win7 system:
I contacted my IT and followed the steps below:
I was able to access my data...
After performing the steps above, my hard drive is not decrypted, but I see the following message when I tried to boot up:
It seems like my MBR is corrupted, so I contacted my IT again and they gave me a .xml file and asked me to perform the following:
That should enable the rest of the buttons as well. Then click on Restore MBR button
I've followed the instructions but am still seeing the issue.
Then my IT team came back to me and asked me to perform the following:
After doing this, I'm still seeing the same error. While my IT team is doing their job to help me with it, I just wanted to post this here to see if anyone has seen something similar. Thanks!

Message was edited by: mfang3 on 9/17/12 5:35:44 PM CDT
Odd - a remove ALWAYS clears the MBR. The only thing I can suggest is that you were browsing something and caught a TDSS rootkit. It's going to be tricky to kill, as it will protect itself quite well.
The best thing to do is copy your data off, and completely wipe the drive and start again.
You can confirm it's TDSS by booting off the ISO image, starting EETech, and loading Sector 0 into the workspace - you can compare it with online samples of TDSS's MBR.
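The comparison suggested in the reply above, sketched as an added example that is not part of the thread and not McAfee's tooling: it assumes sector 0 has been saved as a 512-byte dump and that a reference dump from a clean machine with the same OS build is available. The two sample sectors and all function names are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440      # bytes 0..439 hold the bootstrap code
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA marks a valid MBR

def parse_mbr(sector):
    """Split a 512-byte sector 0 dump into the fields worth comparing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0 means the slot is unused
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {
        "valid_signature": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": parts,
    }

def boot_code_diff(suspect, reference):
    """Offsets where the bootstrap code differs from the known-good copy.
    The disk signature and partition table are per-disk, so they are skipped."""
    return [i for i in range(BOOT_CODE_END) if suspect[i] != reference[i]]

def _make_sector(boot_code):
    # Constructed sample: one active NTFS (0x07) partition starting at LBA 2048.
    s = bytearray(SECTOR_SIZE)
    s[:len(boot_code)] = boot_code
    struct.pack_into("<I", s, 440, 0x1234ABCD)
    s[PART_TABLE_OFF] = 0x80
    s[PART_TABLE_OFF + 4] = 0x07
    struct.pack_into("<II", s, PART_TABLE_OFF + 8, 2048, 204800)
    s[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(s)

REFERENCE = _make_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed "clean" code
SUSPECT = _make_sector(b"\x33\xc0\x8e\xd0\xeb\x10\x90")    # constructed modification

if __name__ == "__main__":
    print(parse_mbr(SUSPECT))
    print("differing offsets:", boot_code_diff(SUSPECT, REFERENCE))
```

A matching partition table with a differing bootstrap hash is the pattern worth escalating; the differing offsets show where to look in a hex view.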
I just found out that I have the following file in my computer:
Under C:\ProgramData folder, it was created around the time my computer stopped working.
I looked it up on google and verified it’s a virus.
Is there any way I can remove the file? Can I just simply delete the file?
Which one of the 170,000,000 viruses is it ;-)
You can look it up on the McAfee site, and it will tell you how to get rid of it - http://home.mcafee.com/virusinfo/ and you can download the free Stinger tool and that should take care of it - http://home.mcafee.com/virusinfo/VirusRemovalTools.aspx
Just deleting it is unlikely to help anything though.
I looked it up on Google and it says:
RMGOYWJNIRMTJBK.EXE has been seen to perform the following behavior:
RMGOYWJNIRMTJBK.EXE has been the subject of the following behavior:
So, since that hard drive is not booting up, do I just use the infected hard drive as a slave on a working PC to scan for it? Will that help to fix the registry to load that program though? Or can I simply use the EETech tool on the infected computer to modify the registry myself to stop loading it?
I would follow the advice of your IT department - they may not want you to try to repair your PC, they might want to just image it.
As it's a rootkit, it has infected the boot sector of your drive, so it's not as simple as just deleting some files.