
Another 'Celas' ransomware infection


  • This topic is locked
23 replies to this topic

#1 worden


  • Members
  • 29 posts

Posted 15 April 2012 - 12:22 PM

Hi all,

I've also had my computer 'blocked' by the fake Celas music copyright infection.

In safe mode I get a blank screen at the point the 'Celas' page would normally appear.

Following advice from a similar Celas thread (topic449829) I ran the GETxPUD.exe process to generate the enum.log, which is as follows:

2.3M Dec 12 2010 /mnt/sda1/Windows/System32/config/SOFTWARE
45.3M Apr 14 18:17 /mnt/sda2/Windows/System32/config/SOFTWARE
1.8M Dec 12 2010 /mnt/sda1/Windows/System32/config/SYSTEM
19.5M Apr 14 18:17 /mnt/sda2/Windows/System32/config/SYSTEM

I then took a punt and followed the advice in reply #8 (Please open the terminal again from your USB device and type bash rst.sh -r. Type 7 and press enter) and this did nothing.

As far as I know I'm running an up-to-date Vista 32-bit. I'm about as computer-savvy as a bar of chocolate so please talk to me like an idiot.

Assistance much appreciated!

Thank you!
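The enum.log quoted above is ls-style output (size, modification date, path), and the useful signal in it is which partition's registry hives were touched recently: the sda1 hives are untouched since 2010, while the sda2 hives changed on 14 April, the day before the post, which marks sda2 as the live install and the one whose SOFTWARE/SYSTEM hives were modified around infection time. The following parser is an added example written for this thread, not a tool from the xPUD scripts or from BleepingComputer; it assumes the ls convention that a bare HH:MM means a file modified within the last few months (the year is supplied by the caller, 2012 here from the post date) and that paths are mounted under /mnt/<device>.

```python
import re
from datetime import datetime

# Constructed sample: the four enum.log lines quoted in the post.
ENUM_LOG = """\
2.3M Dec 12 2010 /mnt/sda1/Windows/System32/config/SOFTWARE
45.3M Apr 14 18:17 /mnt/sda2/Windows/System32/config/SOFTWARE
1.8M Dec 12 2010 /mnt/sda1/Windows/System32/config/SYSTEM
19.5M Apr 14 18:17 /mnt/sda2/Windows/System32/config/SYSTEM
"""

# size[unit] month day (year | HH:MM) /mnt/<device>/<path>
LINE_RE = re.compile(
    r"^(?P<size>[\d.]+)(?P<unit>[KMG]?)\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<ytime>\d{4}|\d{2}:\d{2})\s+"
    r"(?P<path>/mnt/(?P<dev>sd[a-z]\d+)/.+)$"
)

UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_line(line, ref_year):
    """Parse one ls-style line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = int(float(m["size"]) * UNIT[m["unit"]])
    if ":" in m["ytime"]:
        # ls prints HH:MM instead of the year for recently modified files;
        # the year is an assumption taken from the caller (ref_year).
        mtime = datetime.strptime(
            f"{m['mon']} {m['day']} {ref_year} {m['ytime']}", "%b %d %Y %H:%M")
        recent = True
    else:
        mtime = datetime.strptime(
            f"{m['mon']} {m['day']} {m['ytime']}", "%b %d %Y")
        recent = False
    return {
        "device": m["dev"],
        "hive": m["path"].rsplit("/", 1)[-1],
        "size": size,
        "mtime": mtime,
        "recent": recent,
    }


def summarize(log_text, ref_year):
    """Group hive records by partition: {device: {hive_name: record}}."""
    installs = {}
    for line in log_text.splitlines():
        rec = parse_line(line, ref_year)
        if rec is not None:
            installs.setdefault(rec["device"], {})[rec["hive"]] = rec
    return installs


def active_install(installs):
    """Partition whose hives carry the newest mtime: the install that was last running."""
    return max(installs,
               key=lambda d: max(r["mtime"] for r in installs[d].values()))


if __name__ == "__main__":
    found = summarize(ENUM_LOG, ref_year=2012)
    for dev, hives in found.items():
        for name, rec in hives.items():
            flag = "RECENT" if rec["recent"] else "old"
            print(f"{dev} {name:8} {rec['size']:>10} bytes  {rec['mtime']:%Y-%m-%d %H:%M}  {flag}")
    print("likely live install:", active_install(found))
```

The point of the grouping is to separate a stale second install (here sda1) from the one the ransomware actually lives in, so that any offline repair is aimed at the right partition; a hive whose mtime coincides with the day the lock screen appeared is the one worth inspecting.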


#2 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 April 2012 - 07:28 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

What you tried to do does not work with a Vista machine (only XP).

Please tell me what happens in normal mode. How does it block it? Are you able to boot the computer at all?
m0le is a proud member of UNITE

#3 worden

  • Topic Starter

  • Members
  • 29 posts

Posted 16 April 2012 - 07:44 PM

Hi there,

I'm still here, and the problem remains!

All I've done since posting is run Kaspersky Rescue Disk 10, which found lots of other virus/malware but hasn't resolved the celas issue.

Thanks!

#4 worden

  • Topic Starter

  • Members
  • 29 posts

Posted 17 April 2012 - 03:27 PM

From research this appears to be identical to the PRS and Metropolitan Police scam, whereby after booting up an information screen appears telling me my computer is blocked until I pay 50 via a pay point card to unblock it, as a fine for downloading illegal music. I can't get into the desktop past this screen. I've followed advice from other sites about getting around the PRS scam, but these don't work on Vista it seems, only on XP.

#5 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 April 2012 - 04:22 PM

Okay, can you answer the questions I asked earlier?

#6 worden

  • Topic Starter

  • Members
  • 29 posts

Posted 17 April 2012 - 04:54 PM

Well the computer does boot, hence getting through the boot sequence until the message appears, and that is in normal mode.

#7 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 April 2012 - 05:00 PM

"hence getting through the boot sequence until the message appears,"

That doesn't really tell me that the machine boots correctly though does it? Some ransomware blocks every attempt to boot past the fake screen the malware puts up.

Let's run FRST, which avoids the normal boot sequence.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (scan your computer's memory for errors)
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your next reply.

#8 worden

  • Topic Starter

  • Members
  • 29 posts

Posted 17 April 2012 - 07:42 PM

I hit F8, select the option Repair Your Computer, but I do not get the further options including startup repair, etc.

The machine eventually goes to a Vista-styled blue/green swirlie user logon screen, which is a lower resolution than normal, with an option to select a blank box in the middle, underneath which is written 'Other User'. When I click this it asks for a username and password, which I don't have and have never used on this PC.

#9 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 April 2012 - 05:37 PM

There doesn't seem to be any reason why you can't boot into the repair option - this does happen occasionally unfortunately. Please run OTL and let's see if we can get a standard scan

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Please copy the following into the Custom Scans box at the bottom

    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    
  • Now click the Run Scan button on the toolbar.
  • Let it run until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it

Post the log in the next reply.

#10 worden

  • Topic Starter

  • Members
  • 29 posts

Posted 18 April 2012 - 07:15 PM

How should I run this if I can't get to the desktop? I get blocked by the ransomware before I get to the desktop.

#11 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 April 2012 - 07:31 PM

Okay, so the ransomware message blocks normal mode. Got it. That's nasty that it blocks safe mode too. We go back to xPUD at this stage.

  • Download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review

#12 worden

  • Topic Starter

  • Members
  • 29 posts

Posted 18 April 2012 - 08:00 PM

From the list of drive options after F12 I get the USB drive showing up twice, regardless of what physical USB slot I use. Selecting the first in the list takes me to a message saying 'missing operating system', and the second just 'boots' the PC as normal to the ransomware message screen.

#13 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 April 2012 - 05:05 PM

I hope you have a Windows 7 installation disc

1. Put the Windows 7 installation disc in the disc drive, and then start the computer.
2. Press a key when you are prompted.
3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type Bootrec.exe, and then press ENTER.
8. Type Bootrec.exe /FixMbr
9. Type Exit and reboot the machine

Can it now boot past the ransomware message?

#14 worden

  • Topic Starter

  • Members
  • 29 posts

Posted 19 April 2012 - 06:44 PM

Nope, because I'm on Vista. I believe I have a similar disc somewhere so if the same rules apply then I'll give that a go.....

#15 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 April 2012 - 07:04 PM

Yes, sorry, the same thing applies for Vista.