
Police Central e-crime Unit scam blocks safe mode


This topic is locked
79 replies to this topic

#1 Michael Carter

Posted 22 September 2012 - 08:45 PM

I have an XP SP3 box (Pentium Ci5, 4GB RAM) which is infected with the Police Central e-crime Unit scam. I have read the removal instructions on this page:

http://www.bleepingcomputer.com/virus-removal/remove-police-central-e-crime-unit-reveton-ransomware

Unfortunately the computer will not boot in safe mode or safe mode with networking. If I select either option, the computer just restarts before loading Windows.

I should be very grateful if anyone knows of a fix which can be run from a bootable thumb drive.

#2 Elise

Posted 24 September 2012 - 12:24 PM

Hello, do you have the possibility to boot from a CD as well, or only a flash drive?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome
Malware analyst @ Emsisoft


#3 Michael Carter

Posted 24 September 2012 - 09:34 PM

Hello Elise, thank you for your reply.

Yes I can boot from a CD drive.

#4 Elise

Posted 25 September 2012 - 05:36 AM

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Download the following file and save it to your USB drive: http://noahdfear.net/downloads/shellfix.ndf
  • Remove the USB drive and CD and insert them in the sick computer
  • Boot the sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1, sda2, ... usually corresponds to your HDD
  • sdb1 is likely your USB drive
  • Click on the folder that represents your USB drive (sdb1?)
  • Double-click on shellfix.ndf and let it run.
  • Exit xPUD, remove the USB drive and insert it back in your working computer.

Post me the created log and let me know if you can get in Windows normally now.

regards, Elise



#5 Michael Carter

Posted 25 September 2012 - 08:11 PM

Many thanks again.

I have followed your instructions, and the safe mode boot process now goes further than it did before. Files begin to load, filling up about a screen or so, but then the computer suddenly restarts again (I'm afraid I wasn't quick enough to note the name of the last file loaded). Safe mode with networking does the same, as does safe mode with command prompt. Debugging mode just restarts immediately. Normal mode goes to the white screen.

FYI The drive being used is sdb1. The other drive, sda1, is an old drive, retained only as a backup of user files from a previous system.

Here is the log:

Offline Shell value fix by noahdfear

Backing up software to software.orig
Backup Complete

Hive </mnt/sdb1/WINDOWS/system32/config/software>

(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe



Shell value is default


Hive </mnt/sdb1/WINDOWS/system32/config/software>

(...)\Windows\CurrentVersion\policies\system> Node has 0 subkeys and 5 values
size type value name [value if type DWORD]
4 REG_DWORD <dontdisplaylastusername> 0 [0x0]
0 REG_SZ <legalnoticecaption>
8 REG_SZ <legalnoticetext>
4 REG_DWORD <shutdownwithoutlogon> 1 [0x1]
4 REG_DWORD <undockwithoutlogon> 1 [0x1]



Backing up software to software.orig
Backup Complete

Hive </mnt/sda1/WINDOWS/system32/config/software>

(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe



Shell value is default


Hive </mnt/sda1/WINDOWS/system32/config/software>

(...)\Windows\CurrentVersion\policies\system> Node has 0 subkeys and 5 values
size type value name [value if type DWORD]
4 REG_DWORD <dontdisplaylastusername> 0 [0x0]
0 REG_SZ <legalnoticecaption>
8 REG_SZ <legalnoticetext>
4 REG_DWORD <shutdownwithoutlogon> 1 [0x1]
4 REG_DWORD <undockwithoutlogon> 1 [0x1]
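One way to check a shellfix log like the one above automatically, as an added example that is not part of the thread and not noahdfear's tool: it parses each reported Winlogon Shell value and flags anything that differs from the XP default or whose reported byte length does not match the string. The first hive in the sample is the clean output posted above; the second hive path and its value are constructed for illustration.

```python
# Added example: parse the "Offline Shell value fix" report format and audit
# the Winlogon <Shell> value in each hive. Sample data below is constructed.
import re

HIVE_RE = re.compile(r"^Hive <(.+)>$")
VALUE_RE = re.compile(
    r"Value <(?P<name>[^>]+)> of type (?P<type>REG_\w+), "
    r"data length (?P<len>\d+) \[0x(?P<hexlen>[0-9a-fA-F]+)\]"
)
DEFAULT_SHELL = "Explorer.exe"   # XP default, as the thread's log confirms

# Constructed sample: first hive copied from the log above, second hive and
# its non-default Shell value are made up to exercise the check.
SAMPLE_LOG = r"""Hive </mnt/sdb1/WINDOWS/system32/config/software>

(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe

Shell value is default

Hive </mnt/sdx1/WINDOWS/system32/config/software>

(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 78 [0x4e]
Explorer.exe,C:\locker-placeholder.exe
"""


def parse_shellfix_log(text):
    """Return one dict per reported value: hive, name, type, length, data."""
    entries, hive, pending = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HIVE_RE.match(line)
        if m:
            hive = m.group(1)
            continue
        m = VALUE_RE.search(line)
        if m:
            pending = {"hive": hive, "name": m.group("name"),
                       "type": m.group("type"), "length": int(m.group("len"))}
            continue
        if pending is not None:
            # the tool prints the value data on the line after the header
            pending["data"] = line
            entries.append(pending)
            pending = None
    return entries


def audit_shell(entries):
    """Flag Shell values that are not the default, or whose reported length
    disagrees with the string (REG_SZ is UTF-16 plus a NUL: (n + 1) * 2)."""
    findings = []
    for e in entries:
        if e["name"].lower() != "shell":
            continue
        findings.append({
            "hive": e["hive"],
            "data": e["data"],
            "default": e["data"].lower() == DEFAULT_SHELL.lower(),
            "length_ok": e["length"] == (len(e["data"]) + 1) * 2,
        })
    return findings


if __name__ == "__main__":
    for f in audit_shell(parse_shellfix_log(SAMPLE_LOG)):
        status = "default" if f["default"] else "NON-DEFAULT, review"
        print(f"{f['hive']}: Shell={f['data']!r} -> {status}")
```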

#6 Elise

Posted 26 September 2012 - 05:57 AM

Could you please look at /mnt/sdb1/documents and settings/<your userprofile>/start menu/programs/startup and let me know what is present in that folder, if anything?

regards, Elise



#7 Michael Carter

Posted 26 September 2012 - 10:34 AM

Thank you again for your interest and time.

There is one file in that location: desktop.ini

The file contains just two lines:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

#8 Elise

Posted 26 September 2012 - 10:51 AM

Let's query some settings using xPUD.
Please download ORST.ndf and save it to your flash drive: http://noahdfear.net/downloads/beta/ORST.ndf

Next, on a working computer press Windows key + R, type notepad and press Enter. Copy/paste the following text into Notepad and save it as query.txt to your flash drive (the name is very important!).
qsw;Software\\Microsoft\\Windows\\CurrentVersion\\Run
qu;Software\\Microsoft\\Windows\\CurrentVersion\\Run
qsw;Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
qu;Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce

Boot into xPUD and navigate to your flash drive; make sure you see both ORST.ndf and query.txt.
Double-click on ORST.ndf to run it. Follow the prompts on screen and when done post me the contents of ORST.txt.

regards, Elise



#9 Michael Carter

Posted 26 September 2012 - 08:59 PM

/mnt/sdb1/WINDOWS/system32/config/software

Software does not exist

/mnt/sda1/WINDOWS/system32/config/software
\\Microsoft\\Windows\\CurrentVersion\\Run

\Microsoft\Windows\CurrentVersion\Run| Node has 1 subkeys and 7 values

<OptionalComponents>
size type value name [value if type DWORD]
96 REG_SZ <MessengerPlus3>
68 REG_SZ <NeroCheck>
158 REG_SZ <Adobe Photo Downloader>
100 REG_SZ <SunJavaUpdateSched>
232 REG_SZ <EPSON Stylus C41 Series>
104 REG_SZ <QuickTime Task>
66 REG_SZ <AVG8_TRAY>



/mnt/sdb1/Documents and Settings/Gene/NTUSER.DAT
Software\\Microsoft\\Windows\\CurrentVersion\\Run

(...)\Microsoft\Windows\CurrentVersion\Run| Node has 0 subkeys and 2 values
size type value name [value if type DWORD]
62 REG_SZ <CTFMON.EXE>
96 REG_SZ <IncrediMail>



/mnt/sda1/Documents and Settings/Lyn And John/NTUSER.DAT
Software\\Microsoft\\Windows\\CurrentVersion\\Run

(...)\Microsoft\Windows\CurrentVersion\Run| Node has 0 subkeys and 5 values
size type value name [value if type DWORD]
104 REG_SZ <MSMSGS>
76 REG_SZ <Internet Download Accelerator>
96 REG_SZ <IncrediMail>
62 REG_SZ <ctfmon.exe>
148 REG_SZ <swg>



/mnt/sdb1/WINDOWS/system32/config/software

Software does not exist

/mnt/sda1/WINDOWS/system32/config/software
\\Microsoft\\Windows\\CurrentVersion\\RunOnce

\Microsoft\Windows\CurrentVersion\RunOnce| Node has 0 subkeys and 0 values

Thanks again

MC :)

#10 Elise

Posted 27 September 2012 - 02:22 AM

That looks all good, could you repeat the process with the following script?

qsw;Microsoft\\Windows NT\\CurrentVersion\\Winlogon;userinit;shell;uihost;
qu;Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon;userinit;shwll;uihost

regards, Elise



#11 Michael Carter

Posted 27 September 2012 - 05:38 AM

In your script I did replace shwll with shell.

The result was as follows:

/mnt/sdb1/WINDOWS/system32/config/software
ERROR! export command not valid
/mnt/sda1/WINDOWS/system32/config/software
ERROR! export command not valid
/mnt/sdb1/Documents and Settings/Gene/NTUSER.DAT
userinit value does not exist at Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon

/mnt/sda1/Documents and Settings/Lyn And John/NTUSER.DAT
userinit value does not exist at Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon

#12 Elise

Posted 27 September 2012 - 06:18 AM

Thank you for paying more attention than I did. :)

Download http://noahdfear.net/downloads/rst.sh to the USB drive
  • Insert the USB drive and CD in the sick computer and boot the computer from the CD again
  • Press File
  • Expand mnt
  • Expand your USB drive (sdb1)
  • Confirm that you see the rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished, a report named enum.log will be located on sdb1
  • Plug that USB drive back into the clean computer and open it
Please note: if you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download a file, it will reside in the Download folder, which can be found under the File tab as well. You can similarly access our thread by way of this OS, so you can send the logs that way.

Please also note: all text entries are case-sensitive.

Copy and paste the enum.log for my review.

regards, Elise



#13 Michael Carter

Posted 27 September 2012 - 07:46 AM

Here are the log file contents:

21.5M Jun 24 2010 /mnt/sda1/WINDOWS/system32/config/software
22.8M Sep 26 00:14 /mnt/sdb1/WINDOWS/system32/config/software
9.0M Jun 30 2010 /mnt/sda1/WINDOWS/system32/config/system
4.8M Sep 26 00:14 /mnt/sdb1/WINDOWS/system32/config/system


Thank you for the tip about posting from xPUD. I've never used it before and I couldn't find a text editor to open the log file. :wacko:

#14 Elise

Posted 27 September 2012 - 07:52 AM

Can you give me the date when the screenlocker first appeared on your computer?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#15 Michael Carter

Posted 27 September 2012 - 08:43 AM

Not an exact date - say 4-6 weeks ago. But no software has been installed for months and months, so the restore point could be 3-6 months ago, to be on the safe side.
