
Ransomware


  • This topic is locked
55 replies to this topic

#1 jonno5088


Posted 07 December 2010 - 05:13 AM

Hi,

I've picked up some virus from what I thought was a Facebook thread and it's completely blocked me out of my computer. It comes up with a box with the following:
Attention!
Your computer has been blocked because of violating internet usage rules.
To unblock it you have to pay $100 to the U4752418 account of the Liberty Reserve payment system. After the payment you'll be provided with the code of automatic unblock.
In case of payment refusal, all of the information on your computer will be deleted without ability to restore.
Attempt of avoiding the blocked state without using the code will lead to full erase of the information stored on your computer.

Then there is a box for the unblock code.

I have tried following instructions posted here yesterday with another computer and a USB and CD, but cannot reboot my laptop with F9, F11 or F12.
Can anyone help me please? I have a Dell Latitude e5500.

Ta
Jonno



#2 teacup61


Posted 07 December 2010 - 06:08 PM

Hello there,

Can you please tell me what kind of OS you have? This is brand new, so we need to know. :)

Thank you!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61


Posted 09 December 2010 - 01:25 PM

Hello,

I see you were here this morning. I need to know if you'll be back. I have a fix for you, but no need to post it unless I know you'll be back. :)

Thanks,
tea

#4 jonno5088


Posted 10 December 2010 - 07:30 AM

Morning Tea,
Sorry, I'm running Windows Vista Business! I've tried the instruction you posted for inqwire but it hasn't worked. I get to restarting my laptop in safe mode, and after I've put my password in it comes up with the same screen telling me my computer is blocked.

#5 teacup61


Posted 10 December 2010 - 09:59 AM

Good morning, and welcome back :)

Yes, the reason it didn't work for you is because what you have is a different version of the ransom. You need to run a different script for this one, still using Xpud just like you tried to do with the other.

We need to prepare the USB. It doesn't necessarily need to be formatted, but it might help if it is:
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Next download Shellfix.exe by noahdfear to your USB drive. Also download ComboFix and save it to your USB
  • Run shellfix.exe on the usb, before removing it from the working computer, to extract the shellfix.sh script
  • Remove the USB and insert it into the infected computer
  • Boot the infected computer with the Xpud CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear > select your language
  • When xPUD opens > Click on File
  • Expand mnt
  • sda1 or sda2 will usually correspond to your HDD
  • sdb1 is likely your USB
  • Expand your USB (sdb1)
  • Confirm that you see the file shellfix.exe that you previously downloaded
  • Press Tool on the top menu bar
  • Choose Open Terminal
  • Type bash shellfix.sh
  • This should only take a brief moment to complete.

    You should see the message "Finished! Close this window then restart the computer. Logon in safe mode then run ComboFix"

    Follow the prompts and let ComboFix complete. It may ask to restart your computer, so let it.
  • If the script was successful, your machine should now be booting normally

Please post the ComboFix report in your reply. :)

Thanks,
tea

Edited by teacup61, 11 December 2010 - 10:53 AM.


#6 jonno5088


Posted 10 December 2010 - 01:07 PM

Hi again Tea,
I got to the point where I type bash shellfix.exe and it comes up with shellfix.exe: shellfix.exe: cannot execute binary file sh-40#
What have I done wrong?

#7 jonno5088


Posted 10 December 2010 - 01:21 PM

Hi Tea,
If I type bash shellfix.sh, it goes into searching for hive...... please wait
then it comes up with
Backing up /mnt/sda2/windows/system32/config/SOFTWARE to /mnt/sda2/windows/syste
m32/config/SOFTWARE.ntb
Editing /mnt/sda2/Windows/System32/config/SOFTWARE

Finished! Close this window then restar the computer
logon in safe mode then run ComboFix
sh-40#
But when I follow the instructions it comes back with the screen after I put my password in and before I can run ComboFix!
Don't know if this helps or I'm just wasting time!
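
Added example, not part of the thread and not noahdfear's shellfix.sh: the output quoted in post #7 shows the hive path in two different casings, and the script ends up being run more than once, so this shows a case-insensitive hive lookup and a backup step that checks the `regf` hive signature and refuses to overwrite an earlier backup. The function names are hypothetical, the partition is assumed to be mounted under a directory such as /mnt/sda2, and the `.ntb` suffix is taken from the quoted output.

```shell
#!/bin/sh
# Added example: locate and back up a Windows SOFTWARE hive from a live Linux session.
# Function names are hypothetical; the ".ntb" suffix mirrors the output quoted in the thread.

# Resolve path components case-insensitively: Linux treats "Windows" and
# "windows" as different names, while Windows itself does not.
resolve_ci() {
    dir=$1; shift
    for part in "$@"; do
        dir=$(find "$dir" -mindepth 1 -maxdepth 1 -iname "$part" | head -n 1)
        [ -n "$dir" ] || return 1
    done
    printf '%s\n' "$dir"
}

# Print the SOFTWARE hive path under a mounted Windows partition, if any.
find_hive() {
    resolve_ci "$1" windows system32 config software
}

# Copy the hive aside before any edit. Returns 2 if the file is not a hive,
# 3 if a backup already exists (a re-run must not overwrite the first copy),
# 4 if the copy fails or does not match byte for byte.
backup_hive() {
    hive=$1
    [ "$(head -c 4 "$hive")" = "regf" ] || return 2   # registry hive magic
    [ ! -e "$hive.ntb" ] || return 3
    cp -p "$hive" "$hive.ntb" && cmp -s "$hive" "$hive.ntb" || return 4
    printf '%s\n' "$hive.ntb"
}

# Constructed demo tree standing in for /mnt/sda2 (not a real hive).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/Windows/System32/config"
    printf 'regf-constructed-sample' > "$root/Windows/System32/config/SOFTWARE"
    hive=$(find_hive "$root") && backup_hive "$hive"
    status=$?
    rm -rf "$root"
    return $status
}

demo
```

Keeping the first backup untouched matters here because a second run would otherwise replace the pre-edit copy with an already modified hive.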

#8 teacup61


Posted 10 December 2010 - 01:38 PM

How many times did you try this? Just the once? If so, then try the whole thing over again.

Don't worry about "wasting time". This is nasty stuff, and I'm glad you've gotten as far as you have so far. :thumbup2:

tea

#9 jonno5088


Posted 10 December 2010 - 01:53 PM

Right you are! I'll just keep typing it.
Thanks and I'll let you know when I'm in!
Ta ra for now

#10 teacup61


Posted 10 December 2010 - 02:25 PM

Well, only try once more....if it hangs up again, let me know. :)

#11 jonno5088


Posted 10 December 2010 - 02:35 PM

Oops! Sorry Tea, I must remember to keep checking here for more posts!
Yeah, it just keeps hangin up!
I'm doing bash shellfix.sh tho, not bash shellfix.exe, cos that one does nowt!
Sorry!!
j

#12 teacup61


Posted 10 December 2010 - 03:10 PM

Okay....

Assuming the Terminal window is still open in xPUD and displaying 'Editing/mnt/sda1/windows/system32/config/software', press Ctrl+Z. That should stop the execution of the script and return to a command prompt. Close the terminal window and reboot.

Now, please delete the shellfix.sh script in the sdb1 folder (or whichever sd* folder represents the usb device).
Open another terminal window and execute the following command.

wget http://noahdfear.net/downloads/beta/shellfix.sh

You should see wget progress quickly while it downloads a new script (that's assuming the internet connection is working in xPUD). When complete, execute bash shellfix.sh once again. If it hangs again, after waiting for at least a minute, kill the script and see if there was a log.txt file created. If so, please remove the usb and attach the log here.


*If the internet is not working in xPUD, download the new script to the usb from your working computer.

#13 jonno5088


Posted 10 December 2010 - 03:16 PM

Hi Tea,
When I click on your link it says page cannot be found! Is there another?

Edited by jonno5088, 10 December 2010 - 08:59 PM.


#14 jonno5088


Posted 11 December 2010 - 10:35 AM

Hello, can anyone help me with this issue please ?

#15 teacup61


Posted 11 December 2010 - 10:53 AM

Apologies for not working 24/7. :(

Delete everything off the USB except ComboFix.

Then download a new Shellfix.exe to the USB. While still on the working machine, please run shellfix.exe to extract the contents. Then transfer the USB and follow the original directions for running the script. :)

Thanks,
tea



