Urausy FBI Ransomware Infection


13 replies to this topic

#1 foggyblue

  • Members
  • 7 posts

Posted 19 March 2013 - 10:08 PM

My machine has been hijacked by this terrible virus and, making matters worse, it has completely prevented me from starting my machine in Safe mode. Cannot access Safe mode w/ command prompt or with networking and cannot even access Safe mode by itself. Each time I try the Safe mode options, the machine blue screens and reboots.

 

I would love to try the removal guide for this awful virus that is posted on this site, as it appears very straightforward but I feel like I'm stuck in the mud and going nowhere fast.

 

Do I need a bootable flash or CD to get jumpstarted towards recovery?

 

Any assistance that your great team can provide would be greatly appreciated.

 

Foggy and definitely feeling blue.

 

 




#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 March 2013 - 10:09 PM

what is your operating system?



#3 foggyblue
  • Topic Starter

  • Members
  • 7 posts

Posted 19 March 2013 - 10:46 PM

Windows XP Professional... Sorry.  Kind of an important piece of information.



#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 March 2013 - 10:50 PM

Will report to malware response team helpers.

 

Good luck.



#5 foggyblue
  • Topic Starter

  • Members
  • 7 posts

Posted 20 March 2013 - 10:53 AM

Thanks.  Fingers crossed.



#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,411 posts
  • Gender:Female
  • Location:Romania

Posted 23 March 2013 - 04:43 PM

Hello,

Can you please disconnect the computer physically from the internet (unplug LAN cable or power down router) and see if you can boot in normal mode then?


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#7 foggyblue
  • Topic Starter

  • Members
  • 7 posts

Posted 25 March 2013 - 09:39 AM

I was not able to boot in normal mode even after disconnecting the router. I get the BSOD in all safe modes as well as normal mode, no matter what I try. The computer reboots automatically after the BSOD and does it so fast that I can't even make out the error code information.



#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,411 posts
  • Gender:Female
  • Location:Romania

Posted 25 March 2013 - 10:03 AM

Does normal mode BSOD as well or just show the ransom screen?


regards, Elise




#9 foggyblue
  • Topic Starter

  • Members
  • 7 posts

Posted 25 March 2013 - 10:16 AM

BSOD in normal mode as well.  Normal mode was previously being locked out by the ransom screen but it has evolved to the BSOD, just like all safe modes.



#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,411 posts
  • Gender:Female
  • Location:Romania

Posted 25 March 2013 - 10:44 AM

Okay, in that case let's try it a bit differently.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB drive and CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.
  • This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

regards, Elise


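The following is an added example and not part of the thread or of any BleepingComputer tool: once mbr.bin has been copied off the USB drive, this Python script performs the first checks an analyst makes on a 512-byte MBR dump of the kind the dd command above produces. It verifies the 0x55AA boot signature, hashes the boot-code area (so it can be compared with a dump from a known-good machine), parses the four primary partition entries, and flags anomalies such as an invalid status byte, multiple bootable entries or overlapping partitions. The two sample MBRs are constructed for the demo and their "boot code" bytes are filler, not a real loader. One caveat for this thread: full-disk encryption products with pre-boot authentication install their own boot code in the MBR, so an unfamiliar boot-code hash by itself is not evidence of infection; the useful comparison is against a dump from an identically configured clean machine.

```python
"""Added example: first-pass checks on a 512-byte MBR dump (e.g. mbr.bin
from the dd command in post #10).  Sample MBRs are constructed for the
demo; their "boot code" bytes are filler, not a real loader."""
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_SIZE = 440            # Windows-style MBR: code area before the disk signature
DISK_SIGNATURE_OFFSET = 440     # 4-byte NT disk signature
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries follow
BOOT_SIGNATURE = b"\x55\xaa"    # stored at bytes 510-511

# Subset of the standard partition type codes, for readable reports only.
PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
    0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0x82: "Linux swap", 0x83: "Linux",
}


def parse_mbr(data):
    """Return boot-code hash, disk signature, partition entries and a list of
    findings that would make an analyst look closer."""
    if len(data) != MBR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (MBR_SIZE, len(data)))
    findings = []
    if bytes(data[510:512]) != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature at offset 510")
    boot_code = bytes(data[:BOOT_CODE_SIZE])
    if boot_code == b"\x00" * BOOT_CODE_SIZE:
        findings.append("boot code area is all zeros (no boot loader present)")
    disk_signature = struct.unpack_from("<I", data, DISK_SIGNATURE_OFFSET)[0]

    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", data, offset)
        entry = {"index": index, "status": status, "type": ptype,
                 "type_name": PARTITION_TYPES.get(ptype, "0x%02X" % ptype),
                 "lba_start": lba_start, "sectors": sectors}
        if status not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02X" % (index, status))
        if ptype != 0x00 and (lba_start == 0 or sectors == 0):
            findings.append("entry %d is typed %s but has zero start or length"
                            % (index, entry["type_name"]))
        partitions.append(entry)

    bootable = [p["index"] for p in partitions if p["status"] == 0x80]
    if not bootable:
        findings.append("no partition is flagged bootable")
    elif len(bootable) > 1:
        findings.append("more than one partition flagged bootable: %s" % bootable)

    # Primary entries must not overlap; overlap is a classic sign of a hand-edited table.
    used = sorted((p for p in partitions if p["type"] != 0x00 and p["sectors"]),
                  key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("entries %d and %d overlap" % (a["index"], b["index"]))

    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "disk_signature": disk_signature,
            "partitions": partitions,
            "findings": findings}


def build_sample_mbr(boot_code, entries, disk_signature=0x1234ABCD):
    """Constructed sample: assemble an MBR from filler boot code and
    (status, type, lba_start, sectors) tuples.  Demo input only."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIGNATURE_OFFSET, disk_signature)
    for index, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into("<B3sB3sII", mbr, PARTITION_TABLE_OFFSET + 16 * index,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff",
                         lba_start, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Filler "boot code" for the constructed samples (not real loader bytes).
FILLER_BOOT_CODE = b"\xfa\x33\xc0" + b"\x90" * (BOOT_CODE_SIZE - 3)
# One bootable NTFS partition starting at sector 63, as on a typical XP install.
CLEAN_MBR = build_sample_mbr(FILLER_BOOT_CODE, [(0x80, 0x07, 63, 20971457)])
# Same disk with a second "bootable" entry that overlaps the first.
TAMPERED_MBR = build_sample_mbr(FILLER_BOOT_CODE,
                                [(0x80, 0x07, 63, 20971457), (0x80, 0x83, 1024, 5000)])


def report(data, label):
    """Print a short summary; returns the parse result for further use."""
    result = parse_mbr(data)
    print("== %s ==  boot code sha256: %s  disk signature: 0x%08X"
          % (label, result["boot_code_sha256"], result["disk_signature"]))
    for f in result["findings"]:
        print("  FINDING:", f)
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python mbr_check.py mbr.bin
        with open(sys.argv[1], "rb") as fh:
            report(fh.read(), sys.argv[1])
    else:
        report(CLEAN_MBR, "constructed clean MBR")
        report(TAMPERED_MBR, "constructed tampered MBR")
```

Run it with the path to mbr.bin as the only argument; with no argument it analyses the two constructed samples, and the tampered one reports both the duplicate bootable flag and the overlap. The script deliberately does not try to decide "infected or clean" from the boot code alone: that judgement needs a reference dump from a machine with the same operating system and the same disk-encryption software.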


#11 foggyblue
  • Topic Starter

  • Members
  • 7 posts

Posted 25 March 2013 - 12:02 PM

Thanks for your thorough reply.  I have PointSec for PC encryption software on the infected machine.  Will the potential success of the above process be impacted by the encryption software?



#12 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,411 posts
  • Gender:Female
  • Location:Romania

Posted 25 March 2013 - 12:19 PM

Do you know which variant of PointSec you have? The problem is, if the whole disk is encrypted, it is possible there isn't much we can do to fix the issue outside of Windows.

We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select "Disable Automatic Restart on System Failure", as shown here:
    [image: advancedoptions.png]
  • When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:
    [image: bsod_c.jpg]
  • Please post me the error(s).

regards, Elise




#13 foggyblue
  • Topic Starter

  • Members
  • 7 posts

Posted 25 March 2013 - 01:53 PM

It's PointSec 6.1.3 (2006-12-04 17:49:12 Build 1122)

2006 Pointsec mobile technologies

 

BSOD Information:

 

Stop: 0x0000007B (0xF78A6524, 0xC0000034, 0x00000000, 0x00000000)

 

It does not give me any additional info about the error of driver file(s).



#14 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,411 posts
  • Gender:Female
  • Location:Romania

Posted 25 March 2013 - 02:37 PM

In that case, please try the steps in post #10 in this topic. If encryption isn't allowing it, we'll see soon enough. :)

regards, Elise






