
Stubborn Ransomware



#1 jackvaughn75


Posted 21 April 2013 - 10:31 AM

Hi all,

 

I've been trying to remove some Ransomware from a friend's PC for about 24 hours now with little luck, so I'm hoping someone might have a solution that I haven't thought of or found anywhere else.

 

The Ransomware is the typical "This is the Police, you've been a naughty boy so give us some money" rubbish. It appears when Windows starts up and can't be closed with Alt-F4, and Task Manager just gets hidden if you try and run it.

 

Obviously, I would normally boot up in Safe Mode and then remove the Malware, but when Windows starts in Safe Mode, it just gives the message "shutting down", and the machine restarts before anything can be done.

 

I followed the instructions in BleepingComputer to remove Ransomware using a Kaspersky rescue disk, but for some reason it is refusing to work in graphical mode (it gives a "File Exists" error). Text mode worked and after giving it 8 hours to scan the machine, the Ransomware was still there!

 

I also tried doing a System Restore by going into the Windows Repair Mode, but that failed with an unspecified error (0x8000ffff). Someone suggested this may be down to corrupted files so I used the Command Prompt to run chkdsk /r

 

And that's where I've got to.

 

My next plan, assuming that system restore won't work and even if it does I'm not sure it will get me to a state where I can get into Windows to fix it properly, was to use the command prompt, and use

wmic startup get caption,command

in order to see if I can find and delete the program which is giving me grief.

 

If anyone can suggest a better method, I'd love to hear it.

 

Thanks,

Jack


Edited by hamluis, 21 April 2013 - 10:50 AM.
Moved from Win 7 to Am I Infected - Hamluis.



 


#2 jackvaughn75


Posted 22 April 2013 - 09:10 AM

RESOLVED

 

It would appear that despite Windows saying that the rollback to the previous restore point had not worked, it in fact actually had.

Although this did not remove the Ransomware when accessing Windows 7 under Normal Startup, it did give me access under Safe Mode, allowing me to use Malwarebytes and SUPERAntiSpyware to remove the offending item.





