Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help - Ransomware blocking Windows demanding $100


  • This topic is locked This topic is locked
9 replies to this topic

#1 Cudders

Cudders

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:54 AM

Posted 06 December 2010 - 05:27 PM

Hi,

My antivirus told me I picked a trojan this evening and it was fixing it. However, then my computer was blocked by a piece of ransomware, description below. It blocks Windows completely meaning I cannot access my antivirus or remove any programmes via Windows.

Attention!
Your computer has been blocked because of violating internet usage rules.
To unblock it you have to pay $100 to the U4752418 account of the Liberty Reserve payment system. After the payment you'll be provided with the code of automatic unblock.
In case of payment refusal, all of the information on your computer will be deleted without ability to restore.
Attempt of avoiding the blocked state without using the code will lead to full erase of the information stored on your computer.

Then there is a box for the unblock code.

Do you please know if there is a known unblock code for this specific virus. Once I can get into Windows I can do a full scan and remove the offending programmes.

ANy advice is appreciated! :-(

I should also add I've tried safe mode etc but no luck.

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:54 AM

Posted 06 December 2010 - 05:40 PM

Hello Cudders ,

Posted Image

Let's fix it. :thumbup2:

You will need access to a working computer, a CD and a USB to do the following:

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
Now we need to prepare the USB, It doesnt necessarily need to be formatted, but might help if it is >
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Next download ransom.sh to your USB drive
  • Remove the USB and insert it into the infected computer
  • Boot the infected computer with the CD you just burned
  • The computer must be set to boot from the CD (varies from PC to PC > but generally F12, F11 or F9 will access the boot menu)
  • Follow the prompts
  • A Welcome to xPUD screen will appear > select your language
  • When xPUD opens > Click on File
  • Expand mnt
  • sda1 or sda2 will usually correspond to your HDD > sda1 and/or sda2 may not be visible with this infection, > this is typical
  • sdb1 is likely your USB
  • Expand your USB (sdb1)
  • Confirm that you see the file ransom.sh that you previously downloaded
  • Press Tool on the top menu bar
  • Choose Open Terminal
  • Type bash ransom.sh
  • You should see the message

    ransomware mbr code detected on /dev/sda
    repairing mbr on /dev/sda
    mbr code OK on /dev/sdb

  • A log file named log.txt will also be created on the USB
  • this should only take a brief moment to complete
  • Once completed > type exit to close the Terminal Window
  • Now go to Home > restart > remove the xPUD CD from the machine before it starts to reboot to allow the machine to reboot normally.
  • If the script was successful, your machine should now be booting normally

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Cudders

Cudders
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:54 AM

Posted 07 December 2010 - 03:36 PM

Thanks for this.

I followed the instuctions and booted from CD on my infected computer. The xPUD language selection screen appears. Once selected, a black screen appears saying it is loading xPUD. However next another black screen appears with some writing which you can type commands into.

[ 6.709859] sd 0:0:0:0: [sdb] Assuming drive cache: write through
[ 6.713465] sd 0:0:0:0: [sdb] Assuming drive cache: write through
[ 6.727724] sd 0:0:0:0: [sdb] Assuming drive cache: write through
giving up
xinit: No such file or directory errno 2): unable t0 connect to X server
xinit: No such process (errno 3): Server error
xauth: (argv):1: bad display name "(none):0" in "remove" command
sh: no job contol in this shell
SH-4.0#

Do you please know how I could get around this?

Thanks again

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:54 AM

Posted 07 December 2010 - 06:12 PM

Hello there,

Take out the USB and try to boot with just the CD....is the system bootable from USB? Try this : Turn off the computer, plug in the USB, tap F12 and you should get a boot option screen. If you can boot from USB, you'll know. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:54 AM

Posted 08 December 2010 - 01:15 PM

Can you still not get into Xpud? We've found the problem, but need to confirm, if possible. This has nothing to do with the MBR, so the ransom.sh can be done away with.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 Cudders

Cudders
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:54 AM

Posted 12 December 2010 - 02:53 PM

Hiya

Tried booting from CD without the USB, and experienced the same problem. I can boot from USB from F12 but when I do try to boot from USB it wont load anything at all, just comes up with the black screen and some text saying check cable/network or something?

Thanks

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:54 AM

Posted 12 December 2010 - 03:09 PM

Well hi there....welcome back. :thumbup2:

Okay....forget the CD all together.

Clear your USB (format)

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer.

Then download an updated copy of the script : ransom.sh and run it in the same way in the directions in the previous post.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:54 AM

Posted 18 December 2010 - 03:57 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:54 AM

Posted 29 December 2010 - 11:55 AM

Hello,

Download the driver.opt package from here and save it to the xPUD usb in the opt folder, then see if xPUD loads properly. If so, then we also need to get the right script for it. Since you were here last we've determined that this was a different type of ransom and a new script was created just for it. So delete ransom.sh from the USB and put this one there instead. The new command is bash shellfix.sh Also download ComboFixto USB.

When the script is done running, you should see the message "Finished! Close this window then restart the computer. Logon in safe mode then run ComboFix"

Follow the prompts and let ComboFix complete. It may ask to restart your computer, so let it.

When it does, if successful, you should now be booting normally into Windows. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:54 AM

Posted 03 January 2011 - 02:30 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users