Nasty ransomware disables system


3 replies to this topic

#1 William Dorr

Posted 30 March 2010 - 07:04 PM

A coworker of mine alerted me to a window claiming that she was infected with trojans/viruses/malware, and if you buy now, your system will be cleansed! It appeared to have launched itself following a visit she made to a .gov domain. I immediately recognized that it was not AVG, which is our installed AV of choice, and pulled the network cable from the back of the system. I am afraid I do not remember the name of the program, other than it was something like "Antivirus XP" or some other generic security-sounding name. Using Process Explorer, I found, I think it was called aup.exe, in the C:\Documents and Settings\usernamehere\Local Settings\Application Data directory. Just a single exe file, sitting there, today's date stamp (3-30), time matching roughly when the window appeared. I stopped the process and deleted the exe, and it never came back. What did happen is a bit more annoying. It seems to have removed the system's ability to run any programs, as well as deleted some vital system tools like msconfig, regedit, and the help center. I tried doing a manual system recovery (rolled it back to Monday morning) from the XP install CD recovery console, but that didn't appear to restore any functionality. Obviously this makes it difficult to run any tools such as MBAM or hijackthis, but I think at the same time it may also be preventing the malware from loading up again. At present the system does boot up, but no startup programs, either in the start menu group or in the registry, load. There is very basic functionality, like task manager and Windows Update will work, but trying to run something like Notepad just gives me the "what program do you want to use to open this file" dialog box. I really don't want to reinstall the whole thing, but it's looking like I may have to if you guys don't have any ideas on how to get this computer back on track.
Whatever this thing is, it got past the most recent version of AVG, so it's either new or it's a new variation on something else.

I'm just about to leave work now, so I won't see or be able to respond to any replies for the next 2 hours or so. Any ideas would be appreciated.
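The symptoms in the post above (a lone .exe with today's date stamp under Local Settings\Application Data, and an "Open with" prompt for every program) are what a triage script would check first. The script below is an added example, not something from this thread or from BleepingComputer; it assumes PowerShell is available on the affected machine and assumes, rather than knowing from the post, that the "Open with" prompt comes from a changed exefile open command.

```powershell
# Added triage example (not from the thread). Assumes an XP-era profile layout
# and that the "Open with" prompt for .exe files stems from a changed exefile
# open command; both are assumptions, not facts stated in the post.

$profileLocal = Join-Path $env:USERPROFILE 'Local Settings\Application Data'
$since = (Get-Date).Date   # executables created today, as in the post

# 1. Loose .exe files created today directly under Local Settings\Application Data.
Write-Host "Executables created today in $profileLocal"
Get-ChildItem -Path $profileLocal -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since } |
    Select-Object Name, CreationTime, Length |
    Format-Table -AutoSize

# 2. The command Windows runs when an .exe is double-clicked. On a clean
#    system it is exactly "%1" %*; anything else is suspect and would explain
#    programs no longer launching once the referenced file has been deleted.
$expected = '"%1" %*'
$cmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$actual = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
if ($actual -eq $expected) {
    Write-Host "exefile open command is the default: $actual"
} else {
    Write-Host "exefile open command is NOT the default: $actual"
}

# 3. Per-user override: a class under HKCU\Software\Classes wins over HKCR.
$userExe = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
if (Test-Path $userExe) {
    Write-Host "Per-user .exe class override present:"
    Get-ItemProperty -Path $userExe | Format-List
}

# 4. Autostart entries the rogue could use to relaunch after a reboot.
foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    Write-Host "Entries under $run"
    Get-ItemProperty -Path $run -ErrorAction SilentlyContinue |
        Select-Object * -ExcludeProperty PS* | Format-List
}
```

Run it from a PowerShell prompt on the affected machine (with the network cable still unplugged); it only reads, so the output can be compared against a known-clean machine before anything is changed.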

#2 William Dorr

Posted 30 March 2010 - 09:50 PM

An update on this issue.

I went browsing through the Spyware Removal pages here, and I found one that matched what I have. It is the XP Security Tool 2010. I'm working the steps to remove it now. Luckily, I did not empty the recycle bin after I had deleted the nasty exe, so I was able to restore it, and became able to run MBAM, which is scanning now. I do want to note that this copy of MBAM was unable to update its files since I did not plug the network cable in, but since it is a newly downloaded copy, it shouldn't be a problem, right?

Anyways, keeping my fingers crossed here that this goes well.

#3 Budapest

Posted 30 March 2010 - 09:57 PM

You can "manually" update Malwarebytes using this file:

http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Download the file, copy it over to the problem computer then double-click it to install the updates.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#4 William Dorr

Posted 30 March 2010 - 10:58 PM

> You can "manually" update Malwarebytes using this file:
>
> http://www.malwarebytes.org/mbam/database/mbam-rules.exe
>
> Download the file, copy it over to the problem computer then double-click it to install the updates.


Thanks, but it looks like the installed one did the trick, as the system no longer is plagued by that stupid thing. Just to be sure, once the system rebooted from the repair, I plugged in the cable, updated MBAM, and ran a 2nd scan that came back clean, so I guess this topic can be closed. I love this site. Who needs Google when you've got bleepingcomputer.com.
