Posted 10 May 2011 - 01:26 AM
You will need access to a working computer, a CD and a USB to do the following:
to the desktop of your clean computer
- Run GETxPUD.exe
- A new folder will appear on the desktop.
- Open the GETxPUD folder and click on the get&burn.bat
- The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
- Click on Start and follow the prompts to burn the image to a CD.
Now we need to prepare the USB. It doesn't necessarily need to be formatted, but it might help if it is:
- Insert your USB drive
- Press Start > My Computer > right click your USB drive > choose Format > Quick format
- Next download ransom.sh to your USB drive
- Remove the USB and insert it into the infected computer
- Boot the infected computer with the CD you just burned
- The computer must be set to boot from the CD (varies from PC to PC > but generally F12, F11 or F9 will access the boot menu)
- Follow the prompts
- A Welcome to xPUD screen will appear > select your language
- When xPUD opens > Click on File
- Expand mnt
- sda1 or sda2 will usually correspond to your HDD > sda1 and/or sda2 may not be visible with this infection > this is typical
- sdb1 is likely your USB
- Expand your USB (sdb1)
- Confirm that you see the file ransom.sh that you previously downloaded
- Press Tool on the top menu bar
- Choose Open Terminal
- Type bash ransom.sh
- You should see the message
ransomware mbr code detected on /dev/sda
repairing mbr on /dev/sda
mbr code OK on /dev/sdb
- A log file named log.txt will also be created on the USB
- this should only take a brief moment to complete
- Once completed > type exit to close the Terminal Window
- Now go to Home > restart > remove the xPUD CD from the machine before it starts to reboot to allow the machine to reboot normally.
- If the script was successful, your machine should now be booting normally
"Now faith is the substance of things hoped for, the evidence of things not seen."
Malware analyst @ Emsisoft
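The check-and-repair step the post describes, as an added example (this is not the post's ransom.sh, whose detection logic is not shown): it compares the 440-byte boot-code area of a disk against a known-good copy, logs the result to a log file as the post's script does, and restores only the boot code so the partition table is untouched. It assumes you saved that reference copy earlier (for example `dd if=/dev/sda of=good.img bs=512 count=1` while the machine was clean); the demo below uses constructed image files rather than a real disk.

```shell
#!/bin/bash
# Added example, not the original ransom.sh: verify a disk's MBR boot code
# against a known-good reference and restore it when it differs.
# Works on regular files, so it is demonstrated on constructed images.
set -u

# Return 0 if the first 440 bytes (boot code) of $1 match reference $2.
mbr_code_ok() {
  local disk=$1 ref=$2 cur exp
  cur=$(dd if="$disk" bs=440 count=1 2>/dev/null | sha256sum | cut -d' ' -f1)
  exp=$(dd if="$ref"  bs=440 count=1 2>/dev/null | sha256sum | cut -d' ' -f1)
  [ "$cur" = "$exp" ]
}

# Return 0 if the 0x55AA boot signature is present at offset 510.
has_boot_signature() {
  [ "$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "55aa" ]
}

# Check $1 against reference $2, append findings to log $3, and restore only
# the 440-byte boot code (partition table at 446..509 is left intact).
repair_mbr() {
  local disk=$1 ref=$2 log=$3
  if mbr_code_ok "$disk" "$ref"; then
    echo "mbr code OK on $disk" | tee -a "$log"
    return 0
  fi
  echo "unexpected mbr code detected on $disk" | tee -a "$log"
  dd if="$ref" of="$disk" bs=440 count=1 conv=notrunc 2>/dev/null
  echo "repaired mbr on $disk" | tee -a "$log"
  mbr_code_ok "$disk" "$ref"
}

# Constructed demo: good.img is the reference, sda.img is a copy whose
# boot code has been overwritten with different bytes (table and 55 AA kept).
make_demo() {
  local dir=$1
  { head -c 440 /dev/zero | tr '\0' 'A'; head -c 70 /dev/zero; printf '\125\252'; } > "$dir/good.img"
  cp "$dir/good.img" "$dir/sda.img"
  head -c 440 /dev/zero | tr '\0' 'B' | dd of="$dir/sda.img" bs=440 count=1 conv=notrunc 2>/dev/null
}
```

Against a real device (`repair_mbr /dev/sda /mnt/sdb1/good.img /mnt/sdb1/log.txt`) the script needs root, and the reference copy must come from the same machine.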