
ransomware hijacked laptop


This topic is locked
27 replies to this topic

#1 INQWIRE
  • Members
  • 13 posts

Posted 07 December 2010 - 04:59 AM

Last night my laptop detected a trojan. As I attempted to remove it, the detections multiplied and my screen changed to black with a box in the middle that said:

Attention!
Your computer has been blocked because of violating internet usage rules.
To unblock it you have to pay $100 to the U4752418 account of the Liberty Reserve payment system. After the payment you'll be provided with the code of automatic unblock.
In case of payment refusal, all of the information on your computer will be deleted without ability to restore.
Attempt of avoiding the blocked state without using the code will lead to full erase of the information stored on your computer.

Underneath the text is a box for the password entry.

Initially I attempted to log in with a different account. I also attempted to enter safe mode, but the same screen appears the second I'm logged in.

I attempted the advice given in this thread, as it's the same thing: http://www.bleepingcomputer.com/forums/topic365283.html

However, when I type bash ransom.sh it replies with

mbr code ok on /dev/sda
mbr code ok on /dev/sdb

I restarted but the problem persists. I'd be grateful if anyone can help. Thanks in advance.

Edit: Moved topic from Am I infected? What do I do? to the more appropriate forum, as requested by Malware Removal Team member. ~ Animal

Edited by Animal, 07 December 2010 - 10:22 PM.
Moved from Vista to Am I Infected ~ Hamluis.



#2 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 07 December 2010 - 09:32 PM

Hello INQWIRE,

It didn't work because this is a brand new version. Could you please verify that your OS is Vista?

Also, could a Mod please move this to malware removal? Thank you! :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61 (Malware Response Team)

Posted 07 December 2010 - 09:37 PM

INQWIRE could you please tell me how far your computer boots up before the message comes up? Does it come up where you would normally see the desktop?

#4 INQWIRE (Topic Starter)

Posted 07 December 2010 - 09:58 PM

Yes, I am using Windows Vista. The message appears once I have entered my password to log in; before the desktop can load, the message appears immediately.

#5 teacup61 (Malware Response Team)

Posted 07 December 2010 - 10:10 PM

Can you bring up the Task Manager using ctrl+alt+del?

#6 INQWIRE (Topic Starter)

Posted 08 December 2010 - 04:29 AM

No, that was the first thing I attempted to do when the virus struck. When I press ctrl+alt+del it takes me to the usual screen with all the Windows options, and when I click "start task manager" it goes back to the message; the task manager doesn't appear.

#7 INQWIRE (Topic Starter)

Posted 08 December 2010 - 09:54 PM

I also forgot to mention that the virus not only affects safe mode but other accounts on the computer too. Don't know if that is of any help.

#8 teacup61 (Malware Response Team)

Posted 09 December 2010 - 12:46 PM

Hello there,

Sorry for the delay. We were getting together something to make this easier for you. :thumbup2:

So you already have xPUD going... all we need to do is get the proper script going, and you'll be familiar with the procedure since you already tried the other one... except this one will work. :thumbup2:

We need to prepare the USB. It doesn't necessarily need to be formatted, but it might help if it is:
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Next download Shellfix.exe by noahdfear to your USB drive. Also download ComboFix and save it to your USB
  • Run shellfix.exe on the usb, before removing it from the working computer, to extract the shellfix.sh script
  • Remove the USB and insert it into the infected computer
  • Boot the infected computer with the Xpud CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear > select your language
  • When xPUD opens > Click on File
  • Expand mnt
  • sda1 or sda2 will usually correspond to your HDD
  • sdb1 is likely your USB
  • Expand your USB (sdb1)
  • Confirm that you see the file shellfix.exe that you previously downloaded
  • Press Tool on the top menu bar
  • Choose Open Terminal
  • Type bash shellfix.exe
  • This should only take a brief moment to complete.

    You should see the message "Finished! Close this window then restart the computer. Logon in safe mode then run ComboFix"

    Follow the prompts and let ComboFix complete. It may ask to restart your computer, so let it.
  • If the script was successful, your machine should now be booting normally

Please post the ComboFix report in your reply. :)

Thanks,
tea

Edited by teacup61, 09 December 2010 - 07:05 PM.


#9 INQWIRE (Topic Starter)

Posted 09 December 2010 - 02:59 PM

Thank you for your reply. Sadly, once I type "bash shellfix.exe" I get the following message:
"shellfix.exe: shellfix.exe: cannot execute binary file"
I'm sure I have followed the instructions correctly too.

Edited by INQWIRE, 09 December 2010 - 03:09 PM.


#10 teacup61 (Malware Response Team)

Posted 09 December 2010 - 03:06 PM

"shellfix.exe: shellfish.exe: cannot execute binary file"

shellfish.exe?

#11 INQWIRE (Topic Starter)

Posted 09 December 2010 - 03:08 PM

Whoops, typo, my mistake: "shellfix".

Edited by INQWIRE, 09 December 2010 - 03:08 PM.


#12 teacup61 (Malware Response Team)

Posted 09 December 2010 - 03:13 PM

When you extracted it to the USB, was it as shellfix.sh?

And don't worry about the typo. I have to admit it looks like shellfish to me too! :lol:

#13 INQWIRE (Topic Starter)

Posted 09 December 2010 - 03:21 PM

Ah, I see. The first time I downloaded the file it wasn't fully extracted. Also, the instruction was to type "bash shellfix.exe"; I'm guessing I'm meant to do "bash shellfix.sh" instead?

#14 teacup61 (Malware Response Team)

Posted 09 December 2010 - 03:33 PM

Well, my instructions say to type shellfix.exe, but do try it with shellfix.sh and see if that works. :thumbup2:

#15 INQWIRE (Topic Starter)

Posted 09 December 2010 - 04:32 PM

Gave it a try (using shellfix.sh). It appears to work, but it appears to be stuck at "Editing/mnt/sda1/windows/system32/config/software"; it hasn't moved from this in a while now. Using the exe doesn't seem to work for some reason; it will tell me "cannot execute binary file".

Edited by INQWIRE, 09 December 2010 - 04:36 PM.
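The checks below are an added example written for this thread, not teacup61's shellfix script: they cover the xPUD procedure in post #8 and the two failures reported after it (bash refusing shellfix.exe because it is a Windows binary, and the repair stalling while editing the SOFTWARE hive). It assumes the live CD mounts the Windows disk and the USB stick under one directory (/mnt in the thread) and builds a constructed stand-in tree to run against.

```shell
#!/bin/sh
# Added example, not the shellfix script from the thread: pre-flight checks for the
# xPUD procedure, assuming Windows disk and USB stick are mounted under one directory.

# is_shell_script FILE: succeed only if FILE starts with a "#!" shebang. shellfix.exe
# starts with "MZ" (Windows executable); passing it to bash gives "cannot execute binary file".
is_shell_script() {
    [ -f "$1" ] && [ "$(head -c 2 "$1")" = '#!' ]
}

# locate_software_hive ROOT: print the path of the SOFTWARE registry hive under
# ROOT (the file the thread shows shellfix editing), or nothing if absent.
locate_software_hive() {
    find "$1" -maxdepth 4 -type f -ipath '*/windows/system32/config/software' | head -n 1
}

# find_windows_roots MNTDIR: print each mount under MNTDIR holding a SOFTWARE
# hive, so the operator can tell which of sda1/sda2 is really the Windows disk.
find_windows_roots() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -n "$(locate_software_hive "$d")" ] && echo "$d"
    done
    return 0
}

# backup_hive ROOT DESTDIR: copy the SOFTWARE hive aside and verify the copy byte
# for byte, so a repair that stalls mid-edit (as in post #15) can be rolled back.
backup_hive() {
    hive=$(locate_software_hive "$1")
    [ -n "$hive" ] || return 1
    mkdir -p "$2" && cp "$hive" "$2/SOFTWARE" && cmp -s "$hive" "$2/SOFTWARE"
}

# build_demo_tree DIR: constructed stand-in for /mnt with a fake Windows
# partition (sda1) and a USB stick (sdb1) carrying both shellfix files.
build_demo_tree() {
    mkdir -p "$1/sda1/Windows/System32/config" "$1/sdb1"
    printf 'regf placeholder, not a real hive' > "$1/sda1/Windows/System32/config/SOFTWARE"
    printf 'MZ\220\000\003\000' > "$1/sdb1/shellfix.exe"
    printf '#!/bin/sh\necho placeholder repair script\n' > "$1/sdb1/shellfix.sh"
}
# Demonstration on the constructed tree; on the live CD pass /mnt instead.
tmp=$(mktemp -d); build_demo_tree "$tmp"
is_shell_script "$tmp/sdb1/shellfix.exe" || echo "shellfix.exe is a binary, not a script: run the .sh it extracted"
is_shell_script "$tmp/sdb1/shellfix.sh" && echo "shellfix.sh is a shell script"
echo "Windows partitions: $(find_windows_roots "$tmp")"
backup_hive "$tmp/sda1" "$tmp/hive-backup" && echo "SOFTWARE hive backed up to $tmp/hive-backup"
rm -rf "$tmp"
```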




