Discuss: Ransomware Infections


7 replies to this topic

#1 RecklessX

RecklessX

  • Members
  • 48 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:11:22 AM

Posted 01 June 2013 - 07:31 PM

Hi Everyone,

 

Recently I have come over a huge amount of people infected with ransomware. Being in Canada we usually get the RCMP Ukash virus. At first it was no biggie, boot to safe mode and get it out but recently this ransomware has mutated into something NASTY.

 

It now kicks in safemode and completely disables any PC use. Even running explorer.exe in command prompt turns it on. The only solution outside of reformatting I have found is to perform a system restore via the command line, reboot the PC in safe mode, run malwarebytes and then reboot to run malwarebytes full scan again to remove it.

 

Has anyone else come up against this nasty mutation?

Have you been able to remove it outside of reformatting?

Also how can we educate people regarding this ransomware to help stop infections?

 

X




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,912 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:22 AM

Posted 01 June 2013 - 10:25 PM

We have info on Ransomware Programs in the Virus, Spyware, & Malware Removal Guides section of this site.
 

A Ransomware Program is a program that literally ransoms the data or functionality of your computer until you perform an action, which is typically to purchase the program or send someone money.

What is Ransomware?

The site owner (Lawrence Abrams, aka Grinler) is constantly creating removal guides with step by step instructions such as the one shown here to assist our members.

Kaspersky Virus-fighting utilities include several fix tools for some types of ransomware such as:
  • XoristDecryptor (Trojan-Ransom.Win32.Xorist)
  • RectorDecryptor (Trojan-Ransom.Win32.Rector)
  • RannohDecryptor (Trojan-Ransom.Win32.Rannoh)
Kaspersky also has "how to" instructions such as:
How to confront malware of the family Trojan-Ransom.Win32.Xorist?
How to eliminate Trojan-Ransom.Win32.Rector

More information about this malware can be found in these articles:

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Mandala62

Mandala62

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:22 AM

Posted 03 June 2013 - 05:27 PM

Hello All,

My partner's computer is infected with the Department of Justice virus. He has an older computer and though I've tried to use both Kaspersky and Hitman neither have been successful. Kaspersky didn't find a virus (though his computer is completely locked up) and the other wouldn't even load. I'm fairly proficient at operating a computer, can follow directions well enough, but I don't speak the computer's language and there is nothing more frustrating than looking at a screen that might as well be written in Swahili for as much as I understand.

I'm downloading the cures for his computer on a 64 bit and his is a 32. I wonder if this has something to do with my issue. Kaspersky scanned his hard drive and came up with nothing. What do I need to do?

#4 sikntired

sikntired

  • Members
  • 1,086 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:09:22 AM

Posted 03 June 2013 - 06:18 PM

Hi,

 

As qm7 suggested in his reply there are several tutorials that address this form of malware. However, IMHO you would be well-advised to solicit some assistance in the appropriate forum. Try posting in Virus, Trojan, Spyware, and Malware Removal Logs. There you will receive excellent guidance. I speak from experience IMA.

 

Good Luck



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,912 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:22 AM

Posted 03 June 2013 - 06:32 PM

Remove the Department of Justice Ransomware (Uninstall Guide)

#6 RecklessX

RecklessX
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:11:22 AM

Posted 03 June 2013 - 10:29 PM

I am aware of the info provided, quietman7; I am just trying to get input from people regarding this evolution of malware and how it has affected them. Like some people have posted, this is not your typical malware.



#7 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:12:22 AM

Posted 03 June 2013 - 11:15 PM

Hello RecklessX -

The "Ransomware Infection" is not like many others, but many other infections are not like the Ransomware infection.

Each and every infection, from the MyWebSearch Adware program to the Rootkits, or Fake Antivirus infections, has its own removal methods / tools, most of which are "reasonably" simple or available to the Malware Removal Experts here.

 

The infection was regarded as "unable to be removed" only in the first week it arrived, but after a week there were already solutions available from several Antivirus and Antimalware sections of the community.

 

Always remember that... From Wiki History (about 3 years ago):
"In 1985, there were 11 known computer viruses. Today, there are more than 70,000 and new threats are detected every day."

 

Today it is another pest that can be removed with several tools and a small bit of work from you -

I think that covers the full gamut of this problem :)

 

Regards -



#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,665 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:09:22 AM

Posted 05 June 2013 - 12:02 PM

Hi RecklessX, I have to agree Ransomware are becoming more invasive and difficult to remove as time goes on. I have been trying to stay on top of them for the virus removal section, but not 100% sure which one you are referring to.

The latest trick from Reveton is to hijack the Winmgmt servicedll, which starts the lockscreen whenever explorer starts, safe mode or not. You can start up in safe mode with command prompt, insert a usb key that contains a registry file that can reset the Winmgmt servicedll, then you should be able to start explorer without it starting.

It may also hijack the shell command to display a command prompt instead. That can easily be fixed with another reg file.

You can find the default service registry files here:

http://download.bleepingcomputer.com/win-services/
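An added example (not from the thread or from BleepingComputer) of the check and fix Grinler describes: it reads the Winmgmt ServiceDll and Winlogon Shell values, flags any that differ from the stock Windows 7 values (an assumption), and writes a .reg file with the defaults that can be carried in on a USB key.

```powershell
# Added example, not code from the thread. Run elevated, e.g. from
# Safe Mode with Command Prompt -> powershell. Expected values are the
# Windows 7 defaults (assumption); adjust for other Windows versions.

$Checks = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters'
       Name = 'ServiceDll'; Kind = 'ExpandString'
       Expected = '%SystemRoot%\system32\wbem\WMIsvc.dll' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell'; Kind = 'String'; Expected = 'explorer.exe' }
)

function Get-RawRegValue($Key, $Name) {
    # Read without expanding %SystemRoot% so a swapped-in path is compared verbatim
    $k = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($k) { $k.GetValue($Name, $null, 'DoNotExpandEnvironmentNames') }
}

function ConvertTo-RegHex2([string]$s) {
    # .reg encoding of REG_EXPAND_SZ: hex(2) followed by NUL-terminated UTF-16LE bytes
    $bytes = [Text.Encoding]::Unicode.GetBytes($s + [char]0)
    'hex(2):' + (($bytes | ForEach-Object { '{0:x2}' -f $_ }) -join ',')
}

$Tampered = @()
foreach ($c in $Checks) {
    $actual = Get-RawRegValue $c.Key $c.Name
    if ($actual -ne $c.Expected) {
        Write-Warning ("{0}\{1} = '{2}' (expected '{3}')" -f $c.Key, $c.Name, $actual, $c.Expected)
        $Tampered += $c
    }
}

if ($Tampered.Count -eq 0) { 'Winmgmt ServiceDll and Winlogon Shell are at their defaults.'; return }

# Build a .reg file that restores only the values found to be changed
$lines = @('Windows Registry Editor Version 5.00', '')
foreach ($c in $Tampered) {
    $lines += '[' + ($c.Key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE') + ']'
    $data = if ($c.Kind -eq 'ExpandString') { ConvertTo-RegHex2 $c.Expected }
            else { '"' + ($c.Expected -replace '\\', '\\') + '"' }
    $lines += ('"{0}"={1}' -f $c.Name, $data), ''
}
$out = Join-Path $env:TEMP 'restore-defaults.reg'
# regedit expects Version 5.00 files as UTF-16LE with BOM
Set-Content -LiteralPath $out -Value $lines -Encoding Unicode
"Review $out, then import it with: reg import $out"
```

Compare the flagged value against the stock service files linked above before importing; a path outside %SystemRoot%\system32\wbem is the sign of the hijack the post describes.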
