Win Vista infected with GEMA virus (ransomware)


16 replies to this topic

#1 GeorgiK (Members, 9 posts)

Posted 05 April 2012 - 07:50 PM

Hi!

Earlier today, my desktop computer was infected with a virus. The relevant information:

- My computer runs Windows Vista. I have a subscription to the Sophos antivirus program.

- Upon login, a screen appears, with the GEMA logo, informing me (in German) that my computer access has been blocked, because I have pirate music and videos; and that I must pay 50 euros, via a paysafecard, to have my computer access restored. I tried lots of things, but I could not go beyond that screen.

- Most importantly, I tried to boot on "safe mode with command prompt", but this did not help. The screen appears again but without any information. Again, I cannot go beyond that screen; in particular, I cannot access the task manager.

- I believe that this screen acts like an internet browser window. After pressing "Ctrl + O", I was able to browse my folders and locate two suspicious files, at C:\Windows\System32\config\systemprofile\AppData\Roaming, with names 6816C279.exe and oqogqdpm.exe. I deleted them but nothing positive came out of it.

- Apparently this virus is quite common in Germany, where I live. However, my German is rather poor, so I preferred to ask for help in an English-speaking forum.

Any help will be greatly appreciated!

Thanks,
George


PS:
It looks like another user has faced a similar problem (but with Windows 7) in the recent past:

http://www.bleepingcomputer.com/forums/topic442736.html/page__p__2598223__hl__gema__fromsearch__1#entry2598223

Edited by GeorgiK, 06 April 2012 - 01:54 AM.




#2 Aaflac (Malware Response Team, 2,307 posts, Location: USA)

Posted 06 April 2012 - 12:19 AM

Welcome to BC, GeorgiK!!

Ransomware just gets trickier with every new creation.

Let's see if we can get a hold of this computer...

Do you have the Repair your computer option in the Advanced Boot Options menu?

To find out:
Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Is the Repair your computer option listed?

If you do not have the option above, do you have a Windows Vista installation CD/DVD available?


Also, do you know if the Vista system is 32-bit, or 64-bit?

And last, do you have a USB flash drive available, and do you have access to another computer?

Old duck...


#3 GeorgiK (Topic Starter, Members, 9 posts)

Posted 06 April 2012 - 01:53 AM

Hi!

Thank you for your quick response!

To answer your questions:

- The "Repair your Computer" option does not appear in the "Advanced Boot Options" menu.

- I am pretty sure that I have a copy of the Windows Vista cd; but I will need to check again later, as this is my office desktop.

- Not sure whether this is a 32-bit or 64-bit system. Does the address where I located the two suspicious files, C:\Windows\System32\config\systemprofile\AppData\Roaming, indicate that this is a 32-bit system?

- I have a usb flash drive as well as access to another computer with a cd burner.

Best,
George

Edited by GeorgiK, 06 April 2012 - 01:58 AM.


#4 GeorgiK (Topic Starter, Members, 9 posts)

Posted 06 April 2012 - 04:08 PM

Adding to my previous reply:

- I have checked and I have a copy of the Windows Vista cd; it is not the one used to install the infected system (instead, it is the copy for my laptop), but it should do the job.

- I am still not sure whether it is a 32-bit or a 64-bit system; but I would expect it to be a 32-bit one.

- Everything else remains as reported.

Looking forward to your help...

Thanks,
George

#5 Aaflac (Malware Response Team, 2,307 posts, Location: USA)

Posted 06 April 2012 - 09:51 PM

On the following:

...this is my office desktop.


Oh, oh... :huh:

Is this a workplace computer in a business environment?

If this is your personal computer, and not in a business environment, we would be glad to help.

However, our assistance is not intended for a workplace computer, nor to replace a company IT department or outsource staff.

It is not possible to anticipate any alterations or configurations made to a business computer, or how it will interact with the tools commonly used in the removal of malware. The tools we use may create a possible loss of company information.

In addition, many of the tools we use have specific instructions from their authors that they not be used in a business environment.

We regret your circumstances, but, please refer your request to your company IT staff, or to the service the company uses to address computer problems.

Old duck...


#6 GeorgiK (Topic Starter, Members, 9 posts)

Posted 06 April 2012 - 11:33 PM

On the following:

...this is my office desktop.


Oh, oh... :huh:

Is this a workplace computer in a a business environment?


No, this is my own desktop. I am simply a student, so my computer has nothing to do with business; it is for my own personal use. In particular, the computer is not part of a network.

I hope this solves the "business environment" issue. Please let me know.

Thanks,
George

#7 Aaflac (Malware Response Team, 2,307 posts, Location: USA)

Posted 06 April 2012 - 11:49 PM

So, when you say:

...this is my office desktop.


Do you mean it is in a room in your home that you call an 'office', or what is the situation?

Edited by Aaflac, 07 April 2012 - 12:06 AM.

Old duck...


#8 GeorgiK (Topic Starter, Members, 9 posts)

Posted 07 April 2012 - 12:19 AM

So, when you say:

...this is my office desktop.


Do you mean it is in a room in your home that you call an 'office', or what is the situation?


Thank you for your quick response, I appreciate it.

Well, to clarify:

This is the desktop computer that I have for my study, at my university office. It is my own, I am the only one using it, and it is not part of any computer network. Finally, since you seemed concerned about it in an earlier post, no IT department is responsible or available to support me; unlike in the USA, such support is highly restricted here - it is available only for equipment owned by the university. (Otherwise, I would not need to appeal to an outside source to help me solve the problem.)

Again, I hope this resolves the issue to your satisfaction. Please let me know.

Thanks,
George

#9 Aaflac (Malware Response Team, 2,307 posts, Location: USA)

Posted 07 April 2012 - 12:37 AM

Thanks for clarifying.

Let's press on...

To find out whether the computer is 32-bit or 64-bit, see if the following works for you:

Right-click the TaskBar at the bottom of the screen on the Vista system

Select the option:
Toolbars > New Toolbar

In the New Toolbar prompt, click on the [+] to the left of My Computer
Click on Control Panel, and press: OK

On the TaskBar, look for Control Panel
Click on the >> to the right of it

From the list, select: System

For a 64-bit version operating system: 64-bit Operating System appears for the System type under System.
For a 32-bit version operating system: 32-bit Operating System appears for the System type under System.

After looking up the info, right-click the Control Panel entry on the TaskBar, and select: Close



Next, you will need a USB flash/pen drive and access to a clean computer for the procedure outlined below.

Also, you may want to print these instructions for easier access to them.


Let's get started...

Please plug a flash drive into a clean computer.
Go to Start > Computer
Double-click Computer, and select the flash drive.
Right-click and select: Format
Press Start on the Format prompt.
Remove when done.

Now, if the system is 64-bit, download Farbar Recovery Scan Tool x64
Save the program to the >> USB flash/pen drive.

For 32- bit systems download Farbar Recovery Scan Tool.
Save the program to the >> USB flash drive.

Next, plug the flash drive into the infected computer.

To enter System Recovery Options using the Windows Vista Installation Disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click: Next
  • Select the Operating System you want to repair, and then click: Next
  • Select your user account and click: Next

On the System Recovery Options menu you get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (scan your computer's memory for errors)
  • Command Prompt

  • Select Command Prompt
  • In the Command window, at the blinking cursor type notepad and press: Enter
  • In Notepad, under the File menu select: Open
  • Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
  • Close out of Notepad.
  • Click the Command window.
  • For 64-bit Vista version, type g:\frst64.exe (for 32-bit Vista version, use: g:\frst.exe), and press: Enter
    Note: Replace the drive letter g with the drive letter of your flash drive!
  • The tool will start and prepare to run. Follow the prompts.
  • Click Yes to the disclaimer.
  • Press the Scan button.
  • The program saves the FRST.txt on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Back at the System Recovery Options, press: ShutDown
Please remove the USB flash drive from the infected computer, plug it into the clean computer, and copy/paste the FRST.txt in your reply.


We have several hours of difference in time, and it is late here. Will get back to you later in the day. This time zone is Central USA (Illinois), probably 6 or 7 hours difference between here and Deutschland.

Old duck...


#10 GeorgiK (Topic Starter, Members, 9 posts)

Posted 07 April 2012 - 12:54 AM

Fantastic, thanks!

A bit of a problem right at the start:

There is no TaskBar where I can right-click. The ransomware screen covers everything and blocks all access I can try to have. The only way to access something is via pressing "Ctrl + O", so as to get a small menu where I can "choose a folder or type an internet address"; there I can browse the folders and even open some html documents - but I cannot get through the blocking screen.

Anything else I can do? Perhaps can I search for some files the presence of which will allow us to distinguish the system?

Finally, regarding the time difference, I will be happy to accommodate any time preference you may have. (My own preferences are actually better fitting the US times :-))

Thanks,
George


PS:
I tried lots of things; I can only open web documents on the ransomware screen.

Edited by GeorgiK, 07 April 2012 - 01:30 AM.


#11 Aaflac (Malware Response Team, 2,307 posts, Location: USA)

Posted 07 April 2012 - 12:07 PM

Try the following:

Press these keyboard keys in sequence: Alt Ctrl Delete

Windows Task Manager should open.
Press: New Task...

In the Create New Task prompt, where it says Open, type in: Control Panel
Click: OK

Can you get access to the Control Panel, and select System?


If the above does not work, what happens when you press the Windows key?
Does it open the Start menu, from which you can access the Control Panel?

If none of the above work, what kind of computer is this (brand name and model)?
If you go to the manufacturer's website, does it tell you whether Vista 32 bit or 64 bit is installed on that model?

Edited by Aaflac, 07 April 2012 - 12:18 PM.

Old duck...


#12 Aaflac (Malware Response Team, 2,307 posts, Location: USA)

Posted 07 April 2012 - 12:20 PM

Also, look at the Vista install CD/DVD. Does it identify as 32 or 64 bit?

Old duck...


#13 Aaflac (Malware Response Team, 2,307 posts, Location: USA)

Posted 08 April 2012 - 10:03 PM

Any progress here?

You can try finding the Program Files folder, which contains 64-bit programs, or the Program Files (x86) folder, which contains 32-bit programs...


To enter System Recovery Options using the Windows Vista Installation Disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click: Next
  • Select the Operating System you want to repair, and then click: Next
  • Select your user account and click: Next

On the System Recovery Options menu you get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (scan your computer's memory for errors)
  • Command Prompt

  • Select Command Prompt
  • In the Command window, at the blinking cursor type wmic os get osarchitecture and press: Enter

You will get the following:

Microsoft Windows [Version 6.1.7600]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Users\Aaflac>wmic os get osarchitecture
OSArchitecture
64-bit

or, 32-bit

After making the determination, then proceed with the instructions provided in the FRST Post #9, above.

Edited by Aaflac, 08 April 2012 - 10:46 PM.

Old duck...
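Added example, not from any post in this thread: post #10 asked which files on the disk would tell a 32-bit Vista from a 64-bit one when the desktop cannot be reached, and posts #11 to #13 answer with the Program Files (x86) folder and wmic. Two checks that need nothing but a path to the infected disk (mounted in a clean machine, or reached from the recovery console's command prompt) are the COFF Machine field in the PE header of System32\ntoskrnl.exe and the presence of the SysWOW64 directory, which only 64-bit Windows has. The Machine constants are the documented PE values; fake_pe() builds a constructed header used only for testing, and the C:\Windows default in the usage line is an assumption. On a system that still boots, wmic os get osarchitecture as in post #13 is quicker.

```python
"""Tell a 32-bit from a 64-bit Windows install without a working desktop.

Added example, not from the thread. Assumes the infected disk is reachable
as a path (mounted on a clean machine, or from a recovery console).
"""
import os
import struct
import sys

# COFF Machine values from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "32-bit", IMAGE_FILE_MACHINE_AMD64: "64-bit"}


def pe_machine(data):
    """Return the COFF Machine field of the PE image whose first bytes are `data`."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of the PE header
    if len(data) < e_lfanew + 6 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)  # Machine follows the signature
    return machine


def bitness_from_pe(data):
    """Map the Machine field to the wording Vista's System applet uses."""
    m = pe_machine(data)
    return MACHINE_NAMES.get(m, f"unknown machine type 0x{m:04x}")


def bitness_from_layout(windows_dir):
    """64-bit Windows keeps its 32-bit system DLLs in SysWOW64; 32-bit has no such directory."""
    return "64-bit" if os.path.isdir(os.path.join(windows_dir, "SysWOW64")) else "32-bit"


def bitness_of_install(windows_dir):
    """Read the kernel's PE header from an (offline) install, e.g. "E:\\Windows"."""
    with open(os.path.join(windows_dir, "System32", "ntoskrnl.exe"), "rb") as f:
        return bitness_from_pe(f.read(4096))  # the headers sit well within the first page


def fake_pe(machine):
    """Constructed minimal image for testing: MZ stub, e_lfanew=0x80, PE signature, Machine."""
    buf = bytearray(0x80 + 24)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, machine)
    return bytes(buf)


if __name__ == "__main__":
    # assumed default; pass the Windows directory of the infected disk as the first argument
    windows_dir = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    print("PE header of ntoskrnl.exe:", bitness_of_install(windows_dir))
    print("directory layout:         ", bitness_from_layout(windows_dir))
```

Both checks should agree; if they do not, the install is worth a closer look (a SysWOW64 folder on what the kernel says is a 32-bit system is not something Windows setup produces). The PE check is also the one that works on a single copied file, so it can be run on the clean computer against a copy of ntoskrnl.exe fetched over the flash drive.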


#14 GeorgiK (Topic Starter, Members, 9 posts)

Posted 09 April 2012 - 07:31 PM

Hi!

Actually quite a bit of progress, but in a manner other than the one suggested. It looks like I have managed to remove the virus - but I still have problems with registry changes. I am explaining below.


First, being worried about the possibly abrasive effect of running the FRST program (and since I was unable to access any info identifying my Windows Vista as 32- or 64-bit), I asked a friend (who is a CS student) if he could help me (at least, to identify the Windows version). We (to be fair, my friend) managed to do the following:

0. We started at safe mode with command prompt.

1. We accessed the Task Manager. This was a bit tricky, as it kept opening behind the front screen. One had to press "Ctrl + O"; then select "Browse"; and then "Ctrl + Alt + Del" would bring the Task Manager in front of everything.

2. At Task Manager, we identified (educated guesswork) the process "setup.exe" as being the one causing the problem. We closed it.

3. After a little search, we found the location of the temporary files the virus had created; and we deleted them.

4. After that (or after step 2 - I do not remember well), the blocking screen would no longer appear. But there would not be any desktop or menu bar showing up. This was corrected by finding some of the registry modifications that the virus had made and undoing them.


Now, I can use the computer (in fact, I am writing in it), but I still have a few problems. For example:

- Right click on the desktop does not work.
- "Ctrl + R" does not work.
- At the control panel, I cannot alter the security settings of the computer, especially, activate the Windows Defender or Firewall (which the virus had deactivated). (I have a Sophos subscription.)

Obviously, the virus has made some registry changes beyond what was undone in step 4 described earlier.


Finally, my current question:

Is it possible / reasonably easy to undo the registry changes made by the virus without a repair installation of the system? And if it is not possible, how shall I proceed, especially, what precautions to take (like making a disk image, etc)?

Overall, the virus does not seem to have done lots of damage; thus my search for a lighter approach to undoing the various registry modifications. For this reason, I am also hoping to avoid the complete system re-installation.


Again, thank you for all your help so far, even if I eventually acted differently. I will be glad to hear any further advice you may wish to offer.

Best,
George

#15 GeorgiK (Topic Starter, Members, 9 posts)

Posted 09 April 2012 - 08:30 PM

Hi again,

Let me add that I am now able to right-click on the desktop (or inside explorer menus) by finding the registry modification that was responsible for disabling it (and undoing it).

But when I try to initialize Windows Defender, I get this message:
"Application failed to initialize: 0x80070006. The handle is invalid."

As for the windows security center, it "can't be started".

Finally, the windows firewall is "unable to do the requested updates".

Thanks,
George
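Added example, not from any post in this thread and not a BleepingComputer tool: a small offline triage of a reg.exe export for the kind of residue described in posts #14 and #15 (Run and the context menu disabled, Task Manager blocked, no desktop after login, Windows Defender and the Firewall refusing to start). The thread does not say which registry entries the locker changed, so the keys, value names and the sample export below are assumptions, based on the Explorer/System policy values, Winlogon Shell/Userinit entries and service Start values that screen lockers commonly touch. The file name oqogqdpm.exe is reused from post #1, but its appearance in Userinit is constructed for the sample. The fix commands use standard reg.exe and sc.exe syntax and are meant to be reviewed before being run, since a policy value can also be a legitimate setting.

```python
"""Offline triage of a reg.exe export for screen-locker residue.

Added example, not from the thread. Assumes keys were exported with
reg.exe (after `reg load` the paths carry an extra hive-name component,
so matching below is by key suffix) and that the locker used the
well-known entries listed in POLICY_VALUES, WINLOGON_SUFFIX and SERVICES.
"""
import re
from collections import defaultdict

# Constructed sample export. A real reg.exe export is UTF-16: read it with
# open(path, encoding="utf-16"). The Userinit addition is an assumption.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\oqogqdpm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoViewContextMenu"=dword:00000001
"NoDesktop"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000002
"""

# Policy values (key suffix -> names) that take away Run, the context menu,
# the desktop, Control Panel, Task Manager and regedit when set to 1.
POLICY_VALUES = {
    r"\policies\explorer": ("NoRun", "NoViewContextMenu", "NoDesktop", "NoControlPanel"),
    r"\policies\system": ("DisableTaskMgr", "DisableRegistryTools"),
}
WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"
SERVICES = ("WinDefend", "MpsSvc", "wscsvc")  # Defender, Firewall, Security Center
SERVICE_DISABLED = 4  # Start=4: the service cannot be started at all

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Parse .reg text into {key: {value_name: value}}; dwords become ints,
    strings are unescaped, other types (hex:, hex(2): ...) stay raw."""
    hives, key = defaultdict(dict), None
    # hex: values wrap onto continuation lines that end in a backslash
    for line in text.replace("\\\r\n", "").replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        raw = m.group(3)
        if raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        else:
            value = raw
        hives[key][name] = value
    return dict(hives)


def find_issues(hives):
    """Return (key, value_name, value, fix_command) for each suspicious entry."""
    issues = []
    for key, values in hives.items():
        k = key.lower()
        for suffix, names in POLICY_VALUES.items():
            if k.endswith(suffix):
                for n in names:
                    if values.get(n, 0):
                        issues.append((key, n, values[n], f'reg delete "{key}" /v {n} /f'))
        if k.endswith(WINLOGON_SUFFIX):
            shell = str(values.get("Shell", "explorer.exe"))
            if shell.lower() != "explorer.exe":
                issues.append((key, "Shell", shell, f'reg add "{key}" /v Shell /t REG_SZ /d explorer.exe /f'))
            # default is "C:\Windows\system32\userinit.exe,"; anything else listed runs at logon
            userinit = str(values.get("Userinit", ""))
            extra = [p for p in userinit.split(",") if p and not p.lower().endswith("userinit.exe")]
            if extra:
                issues.append((key, "Userinit", extra,
                               f'reg add "{key}" /v Userinit /t REG_SZ /d "C:\\Windows\\system32\\userinit.exe," /f'))
        for svc in SERVICES:
            if k.endswith("\\services\\" + svc.lower()) and values.get("Start") == SERVICE_DISABLED:
                issues.append((key, "Start", SERVICE_DISABLED, f"sc config {svc} start= auto"))
    return issues


if __name__ == "__main__":
    for key, name, value, fix in find_issues(parse_reg(SAMPLE_REG)):
        print(f"{key}\n  {name} = {value!r}\n  fix: {fix}")
```

Export the Winlogon, Policies and Services keys with reg export (from the recovery console after reg load for an offline hive), run the script over the file, and check each reported entry against what the machine should have before applying a fix. A Userinit or Shell entry that still points into AppData, Temp or the systemprofile directory named in post #1 means the locker would come back at the next logon even though its process was killed.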



