Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Urausy FBI Ransomware removal


  • Please log in to reply
11 replies to this topic

#1 jttpo

jttpo

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:43 PM

Posted 22 March 2013 - 02:13 PM

I am trying to remove Urausy FBI Ransomware.  I have been following the instructions on your site.  I have started the infected laptop and tapped f8 which has put me in the screen that offers the safe mode with command prompt and clicked enter.  That puts me to another screen that starts with 'We appologize for the inconvenience but windows did not start successfully.  A recent hardware change........  That screen offers the safe mode with command prompt again.  When I select that it just goes around in a circle and offers the same thing again.  Help!


Edited by hamluis, 22 March 2013 - 02:47 PM.
Moved from Malware Removal Logs to Am I Infected, no logs - Hamluis.


BC AdBot (Login to Remove)

 


#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:07:43 PM

Posted 22 March 2013 - 04:39 PM

What is the operating system?



#3 jttpo

jttpo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:43 PM

Posted 22 March 2013 - 05:43 PM

The operating system is Windows XP Professional.



#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:07:43 PM

Posted 22 March 2013 - 11:34 PM

Please follow the instructions given here

 

http://support.kaspersky.com/8005

 

You need either a DVD or flash drive.Please follow the instructions.After scan finishes,restart the PC and see if that helps.If you can boot into normal mode we can use other scans to make sure system is clean.



#5 jttpo

jttpo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:43 PM

Posted 24 March 2013 - 02:05 PM

Success!  I think this has worked.  The screen locker is gone and I am able to open my software.  The computer seems to be a bit slow, but maybe thats just my imagination.  Thank you very much for your help.



#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:07:43 PM

Posted 24 March 2013 - 08:58 PM

We need to make sure system is clean

 

 

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters


    tds2.jpg

  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now


    2012081514h0118.png

  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue


    tds6.jpg
  • Click Reboot computer
  • Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)in your reply
  • Due to forum upgrade you may face issues posting the TDSSkiller log.Just last few lines of log is sufficient

===================================================

RKILL

  • Please download Rkill by Grinler from one of the 4 links below (if one of them does not work try another.) and save it to your desktop:
  • Link 1
  • Link 2

  • In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
  • Double-click on Rkill. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • Note: You may have to run Rkill a few times before it is successful. You may also have to download Rkill from a different link which will save it as a different file name.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear. Please copy and paste the contents in your reply (file also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as the malware programs will start again. If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

===================================================

ESET Online Scanner

I'd like us to scan your machine with ESET OnlineScan This process may may take several hours, that is normal

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    esetsmartinstaller_enu.png

    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. Note: If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button

===================================================

Junkware Removal Tool by thisisu

  • Please download Junkware Removal Tool
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply.

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • TDSSKiller log
  • RKILL log
  • ESET log
  • Junkware removal tool log

Edited by narenxp, 27 March 2013 - 10:00 PM.


#7 jttpo

jttpo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:43 PM

Posted 26 March 2013 - 05:35 PM

Here are the last few lines of the scan results as requested.  Looks like it is clean. 

 

 

 

16:15:28.0281 1952  [ D30B03EDB557026F6F06602A9D04D61B ] C:\Program Files\Java\jre6\bin\deploy.dll
16:15:28.0281 1952  C:\Program Files\Java\jre6\bin\deploy.dll - ok
16:15:28.0281 1952  [ 788E5827A2887A87AEDBCB59CA9EA9EF ] C:\Program Files\Java\jre6\bin\fontmanager.dll
16:15:28.0281 1952  C:\Program Files\Java\jre6\bin\fontmanager.dll - ok
16:15:28.0296 1952  [ 3E37B65AB7AB61D8A61A70E8A3930A37 ] C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpAsDesc.dll
16:15:28.0296 1952  C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpAsDesc.dll - ok
16:15:28.0296 1952  ============================================================
16:15:28.0296 1952  Scan finished
16:15:28.0296 1952  ============================================================
16:15:28.0312 1924  Detected object count: 0
16:15:28.0312 1924  Actual detected object count: 0
16:26:06.0062 2908  Deinitialize success
 



#8 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:07:43 PM

Posted 27 March 2013 - 12:47 AM

Other logs?



#9 jttpo

jttpo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:43 PM

Posted 27 March 2013 - 10:32 AM

I wasn't entirely sure that I was to proceed past the first part.  However I did look at the RKILL section.  I tried to disable the anti-malware as described but I couldn't find any of the software on my computer that were similar to the examples provided in Kaspersky.  I bought the infected laptop computer from my employer and they are very careful about security, some of which I am sure is on the computer.   Looking around I found;

  • Microsoft Forefront Security Manager
  • HP protect Tools Security Manager
  • In the control panel I found Windows Security Center

The laptop is an HP Compaq nx7400



#10 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:07:43 PM

Posted 27 March 2013 - 10:36 AM

Skip disabling the security software.Run RKILL and other scans



#11 jttpo

jttpo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:43 PM

Posted 27 March 2013 - 09:56 PM

Here are the logs for RKILL and JUNKWARE. I was unable to run ESET. When I held control down and clicked on this link, the 'ESET online Scanner' Button did not appear. Tried several times.

RKILL

2 proccesses terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* System Restore Disabled

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = dword:00000001

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* System Restore Service (srservice) is not Running.
Startup Type set to: Automatic

* System Restore Filter Driver (sr) is not Running.
Startup Type set to: Disabled

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 03/27/2013 01:47:48 PM
Execution time: 0 hours(s), 0 minute(s), and 44 seconds(s)



JUNKWARE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.3 (03.23.2013:1)
OS: Microsoft Windows XP x86
Ran by jttpo on Wed 03/27/2013 at 15:08:51.87
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\S-1-5-21-3825652754-3384504468-124824183-1770\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 03/27/2013 at 15:14:38.40
Computer was rebooted
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#12 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:07:43 PM

Posted 27 March 2013 - 10:01 PM

I was unable to run ESET. When I held control down and clicked on this link, the 'ESET online Scanner' Button did not appear.

 

Try now

 

Malwarebytes

Please download Malwarebytes Anti-Malware and save it to your desktop. If you already have it installed launch the program and update the database.

  • Make sure you are connected to the Internet and double-click on the it to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings except to uncheck any offer for a free Pro trial version
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

===================================================

Farbar's MiniToolBox
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the MiniToolBox.jpg icon to launch the program
  • Make sure the following options are checked:
    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Installed Programs
    • List Devices
    • List Users, Partitions and Memory size.

  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply

===================================================

Farbar's Service Scanner

Please download Farbar Service Scanner, save it to your desktop, and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

===================================================

AdwCleaner by Xplode - Search for Adware
  • Please download AdwCleaner by Xplode onto your desktop.
  • Security softwares may flag it as malicious.This is a false positive and can be ignored.
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on DELETE
  • Click YES if you receive a warning for reboot
  • A logfile will automatically open after the scan has finished
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[R1].txt as well

===================================================

Autoruns
 
  • Please download AutoRuns and save it to your desktop
  • Double click the AutoRuns.zip folder
  • Double click autoruns.exe (not autorunsc.exe), select Run, then Run again and allow the information to populate
  • Select File, Save, Desktop (in the left hand pane), then Save filename as Autoruns.txt and change Save as type to  Text(*.txt).
  • Double click on the text file,copy and paste the contents in your reply



  • Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:
  • Malwarebytes log
  • MiniToolBox log
  • Farbar's Service Scanner log
  • AdwCleaner log
  • Autoruns log






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users