Ransomware!


49 replies to this topic

#1 Flangehead

  • Members
  • 26 posts

Posted 31 December 2010 - 07:51 AM

Hi folks,

My friend's computer is showing the message below just after the password screen. I've run ransom.sh, drivers.sh and shellfix.sh to no avail. Any ideas?


Attention!
Your computer has been blocked because of violating internet usage rules.
To unblock it you have to pay $100 to the U4752418 account of the Liberty Reserve payment system. After the payment you'll be provided with the code of automatic unblock.
In case of payment refusal, all of the information on your computer will be deleted without ability to restore.
Attempt of avoiding the blocked state without using the code will lead to full erase of the information stored on your computer.

Edited by hamluis, 31 December 2010 - 09:32 AM.
Moved from Malware Removal Logs to Am I Infected (no logs) ~ Hamluis.



#2 teacup61

    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 31 December 2010 - 11:18 PM

Hello Flangehead ,

Can you please verify something for me? You can get into Xpud all right? And, can you see the Operating System? It would be sda1 or sda2, or similar.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 Flangehead

  • Topic Starter
  • Members
  • 26 posts

Posted 01 January 2011 - 07:31 AM

yup. I can see both sda1 and sda2, xpud runs fine although bash shellfix.sh hung last time. I was able to follow the process through all the other steps in previous posts but it just didn't seem to work. I'm a bit stumped and want to avoid a reformat if possible. Thanks for your help and have a Happy New Year :)

#4 teacup61

    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 01 January 2011 - 12:02 PM

Hi there,

Not time to reformat :)

Let's have a look with this script : download this script to USB

Be sure to extract the .exe on USB and then execute the command bash query.sh in Xpud. The report will be in RegReport.txt. Please post the report in your reply. :)

Thanks,
tea

Edited by teacup61, 01 January 2011 - 12:12 PM.


#5 Flangehead

  • Topic Starter
  • Members
  • 26 posts

Posted 02 January 2011 - 01:10 PM

Hi Tea,

I'm trying to run the report but it seems to be taking a long time. About how long should it take to generate the RegReport.txt file?

Thanks again,

Flangehead

#6 Flangehead

  • Topic Starter
  • Members
  • 26 posts

Posted 02 January 2011 - 03:22 PM

Hi Tea,

Here it is (impatience on my part meant I thought that query.sh had hung... it just needed time :thumbup2: )

Remote Registry Report

Hive </mnt/sda2/WINDOWS/system32/config/software>
** Block at offset 1f82980
seglen: 0, 0, 0x0
Whoops! FATAL! Zero data block size! (not registry or corrupt file?)
Buffer debugger. '?' for help.
.?
.** Block at offset 1f82980

Hive </mnt/sda2/Documents and Settings/User/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 2 values
size type value name [value if type DWORD]
62 REG_SZ <ctfmon.exe>
114 REG_SZ <fqapueef>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 1 subkeys and 3 values
<Run>
4 REG_DWORD <NoDriveTypeAutoRun> 36 [0x24]
4 REG_DWORD <LinkResolveIgnoreLinkInfo> 0 [0x0]
4 REG_BINARY <NoDriveAutoRun>
(...)\Windows\CurrentVersion\Policies\System> Node has 1 subkeys and 0 values
<Shell>
\Software\Policies\Microsoft\Windows\System> Node has 1 subkeys and 0 values
<scripts>
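The NTUSER.DAT part of the report above is the portion a responder reads first: the per-user Run key, the Policies\Explorer Run subkey and the Shell subkey under Policies\System. As an added example (not query.sh, not code from the thread or from BleepingComputer), here is a small Python parser for that report format that groups value and subkey lines under their key path and flags those three things. The sample text is constructed from the quoted excerpt, and the "random-looking name" test (a bare run of lowercase letters with no extension, like fqapueef) is a triage heuristic assumed here, not a rule stated in the thread.

```python
import re
# Constructed sample, modelled on the RegReport.txt excerpt quoted in the thread
SAMPLE_REPORT = r"""
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 2 values
size type value name [value if type DWORD]
62 REG_SZ <ctfmon.exe>
114 REG_SZ <fqapueef>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 1 subkeys and 3 values
<Run>
4 REG_DWORD <NoDriveTypeAutoRun> 36 [0x24]
4 REG_DWORD <LinkResolveIgnoreLinkInfo> 0 [0x0]
4 REG_BINARY <NoDriveAutoRun>
(...)\Windows\CurrentVersion\Policies\System> Node has 1 subkeys and 0 values
<Shell>
"""
NODE_RE = re.compile(r"^(?P<path>.+)> Node has \d+ subkeys and \d+ values$")
VALUE_RE = re.compile(r"^(?P<size>\d+) (?P<type>REG_\w+) <(?P<name>[^>]*)>(?: (?P<dword>\d+) \[0x[0-9A-Fa-f]+\])?$")
SUBKEY_RE = re.compile(r"^<(?P<name>[^>]+)>$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,}$")  # assumption: bare lowercase run, no extension

def parse_report(text):
    """Group the report's value and subkey lines under their key path."""
    nodes, node = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := NODE_RE.match(line)):
            node = {"path": m["path"], "subkeys": [], "values": []}
            nodes.append(node)
        elif node and (m := VALUE_RE.match(line)):
            dword = int(m["dword"]) if m["dword"] else None
            node["values"].append((m["name"], m["type"], int(m["size"]), dword))
        elif node and (m := SUBKEY_RE.match(line)):
            node["subkeys"].append(m["name"])
    return nodes

def flag_suspicious(nodes):
    """Heuristic triage of a parsed report: returns (key path, item, reason) tuples."""
    findings = []
    for node in nodes:
        path = node["path"]
        if path.endswith(r"\CurrentVersion\Run"):
            for name, _type, _size, _dword in node["values"]:
                if RANDOM_NAME_RE.match(name):
                    findings.append((path, name, "random-looking Run value name"))
        if path.endswith(r"\Policies\Explorer") and "Run" in node["subkeys"]:
            findings.append((path, "Run", "policy Run key present; review its values"))
        if path.endswith(r"\Policies\System") and "Shell" in node["subkeys"]:
            findings.append((path, "Shell", "per-user Shell policy override present"))
    return findings
```

Run over the real RegReport.txt the same way; a legitimate entry such as ctfmon.exe is left alone, while a nameless-looking value and any Shell override are surfaced for review.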

#7 teacup61

    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 January 2011 - 04:00 PM

Hello,

Well that explains why your other tries were unsuccessful. Let's try to find a good restore point :

Download http://noahdfear.net/downloads/rst.sh to the USB drive
  • Start back into Xpud like you have been
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it
Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review

Thanks,
tea

#8 Flangehead

  • Topic Starter
  • Members
  • 26 posts

Posted 03 January 2011 - 04:17 AM

Here you go...

32.0M Dec 31 14:55 /mnt/sda2/WINDOWS/system32/config/software
5.0M Dec 31 15:14 /mnt/sda2/WINDOWS/system32/config/system

31.3M Dec 7 12:17 /sda2/~/RP1/~SOFTWARE
31.3M Dec 9 08:34 /sda2/~/RP2/~SOFTWARE
31.3M Dec 31 14:10 /sda2/~/RP3/~SOFTWARE
4.9M Dec 7 12:17 /sda2/~/RP1/~SYSTEM
4.9M Dec 9 08:34 /sda2/~/RP2/~SYSTEM
4.9M Dec 31 14:10 /sda2/~/RP3/~SYSTEM
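The rest of the thread turns on which of the restore points listed above to roll back to. As an added example (not rst.sh and not code from the thread), this Python parses a constructed copy of that enum.log listing and picks the latest restore point taken before an assumed infection time whose SOFTWARE and SYSTEM hive copies are both present and of plausible size. The year and the one-megabyte sanity floor are assumptions, since the listing carries neither.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the enum.log listing posted in the thread
SAMPLE_ENUM_LOG = """
32.0M Dec 31 14:55 /mnt/sda2/WINDOWS/system32/config/software
5.0M Dec 31 15:14 /mnt/sda2/WINDOWS/system32/config/system

31.3M Dec 7 12:17 /sda2/~/RP1/~SOFTWARE
31.3M Dec 9 08:34 /sda2/~/RP2/~SOFTWARE
31.3M Dec 31 14:10 /sda2/~/RP3/~SOFTWARE
4.9M Dec 7 12:17 /sda2/~/RP1/~SYSTEM
4.9M Dec 9 08:34 /sda2/~/RP2/~SYSTEM
4.9M Dec 31 14:10 /sda2/~/RP3/~SYSTEM
"""
LINE_RE = re.compile(r"^(?P<size>[\d.]+)(?P<unit>[KMG]?)\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d)\s+(?P<path>/.*)$")
RP_RE = re.compile(r"/RP(?P<num>\d+)/~(?P<hive>[A-Z]+)$")
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def parse_enum_log(text, year):
    """Map RP number -> {hive name: (approx bytes, timestamp)} for the copies in the log.

    The listing carries no year, so the caller supplies one (an assumption)."""
    points = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        rp = RP_RE.search(m["path"]) if m else None
        if not rp:
            continue  # blank lines and the live hives under config/ are not restore points
        stamp = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M %Y")
        size = int(float(m["size"]) * UNITS[m["unit"].upper()])
        points.setdefault(int(rp["num"]), {})[rp["hive"]] = (size, stamp)
    return points

def choose_restore_point(points, infected_at, required=("SOFTWARE", "SYSTEM"), min_bytes=1024 ** 2):
    """Latest RP taken strictly before infected_at whose required hive copies all look intact."""
    candidates = []
    for num, hives in points.items():
        if not all(h in hives and hives[h][0] >= min_bytes for h in required):
            continue  # a missing or tiny copy is not safe to restore from
        taken = max(hives[h][1] for h in required)
        if taken < infected_at:
            candidates.append((taken, num))
    return max(candidates)[1] if candidates else None
```

With the infection placed on 31 December before 14:10 the function skips RP3 and returns RP2, which is the reasoning Flangehead applies by hand a few posts later.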

#9 teacup61

    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 January 2011 - 07:47 AM

Excellent :thumbup2:

  • Boot into Xpud again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh -r
  • Type RP3
  • Press Enter
  • After it has finished a report will be located at sdb1 named restore.log
  • Please try to boot into normal Windows now and indicate if you were successful

Please note - all text entries are case sensitive

Copy and paste the restore.log from your USB drive for my review

#10 Flangehead

  • Topic Starter
  • Members
  • 26 posts

Posted 03 January 2011 - 12:31 PM

Hi Tea,

Ran as requested and got a "restore point not found" message for each restore point (I tried rp1, rp2 and rp3). Restore.log just says in each case rpx not found.

Hmmm

Thanks for the help,

AndyG

#11 teacup61

    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 January 2011 - 01:30 PM

Hi there,

rather than typing in RP3, just type in 3

#12 Flangehead

  • Topic Starter
  • Members
  • 26 posts

Posted 03 January 2011 - 02:08 PM

Hi Tea,

Tried restore points 1 and 2 but both showed virus activity on reboot. Restore log shows

SOFTWARE hive restored from RP1
SYSTEM hive restored from RP1
SECURITY hive restored from RP1
SAM hive restored from RP1

In between each restore I used xpud to run bash ransom.sh, bash drivers.sh and bash shellfix.sh; all completed successfully.

AndyG

#13 teacup61

    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 January 2011 - 02:17 PM

Why did you use those when I asked you to use 3? What happened when you executed Shellfix? Were you then able to follow the rest of those instructions, since you seem to have them handy? That is the only relevant one since that's the type of ransom you're dealing with.

#14 Flangehead

  • Topic Starter
  • Members
  • 26 posts

Posted 03 January 2011 - 02:24 PM

I used 1 and 2 as rp3 was some time after the virus infection had gone onto the computer. I'll try 3 now and get back to you. Sorry to have been a hindrance here.

In answer to the questions: shellfix ran as expected and reported completing the process, suggesting rebooting in safe mode and running ComboFix.

#15 Flangehead

  • Topic Starter
  • Members
  • 26 posts

Posted 03 January 2011 - 02:33 PM

Now tried rp3. Got as far as the login screen in safe mode before virus activity showed up.



