United States Courts virus -- new iteration?


  • Please log in to reply
9 replies to this topic

#1 Dergule (Members)

Posted 05 July 2013 - 09:40 PM

Hi, all!
 
I have a family member's computer that I think is running unupdated Windows 7, and it's picked up the United States Courts ransomware. Bleepingcomputer has a rundown on it here: http://www.bleepingcomputer.com/virus-removal/remove-united-states-courts-ransomware
 
Unfortunately, the version on my sister's computer is newer. One cosmetic difference: the background isn't the original desktop, but a fake set of UNIX-looking commands, black on white.
 
The functional difference is that whenever I boot in safe mode or safe mode with networking, the computer automatically logs off and resets before I can enter any commands. I was able to run RKill once, but it didn't find the right processes and the lock screen showed up right after it terminated. I am also under the impression that the virus can play sound, but that might just be paranoia.
 
I'm trying very hard to get my sister to give up on her (fairly small) amount of data -- I have reinstall CDs and am itching to use them because this virus is such a pain. But I'd like to grab her files if possible; they might even be small enough to send via email, if I could get a couple of minutes of functionality out of the system.
 
What do you folks think? Any tips? Thanks very much in advance!!


#2 boopme (Global Moderator)

Posted 05 July 2013 - 09:55 PM

You may be able to access the drive if you attach it as a slave.

We also can get in and clean this if you want. Let me know.

This is an XP machine?

#3 Dergule (Topic Starter)

Posted 05 July 2013 - 10:10 PM

I'm concerned about connecting the infected computer to a functioning computer -- would it be able to infect the master computer? I would make a USB boot disk, but I don't have a 4 GB flash drive on hand -- maybe after the holiday.

 

I'd be interested in letting you look at it. How would that work?

 

I am pretty sure the computer is running Win 7, although I can't check which service pack etc. is installed.

 

Thanks for the quick reply!



#4 boopme (Global Moderator)

Posted 05 July 2013 - 10:22 PM

I will post this in the Non booting computer list. We have some people who straighten these out. It will be a few days as we have several machines in line.

#5 Dergule (Topic Starter)

Posted 05 July 2013 - 10:25 PM

Great -- that's an appropriate move, and thanks for the advice!



#6 Gary R (MRU Admin, Malware Response Team)

Posted 06 July 2013 - 03:35 AM

You could try seeing if you can boot from a Linux distro like Puppy, if so, then provided there's no problem with the hard drive, and it's not encrypted, you should be able to recover your sister's personal files. No guarantees, but it's worth a try.

 

I wrote a brief article on how to do this at ... http://malwareremoval.com/forum/viewtopic.php?f=4&t=61065

 



#7 Grinler (Lawrence Abrams, Admin)

Posted 06 July 2013 - 09:04 AM

You can also try HitmanPro.Kickstart. Instructions for using it can be found in this guide for a different ransomware:

http://www.bleepingcomputer.com/virus-removal/remove-your-computer-has-been-locked-ransomware

Please let me know if that works for you.

#8 Dergule (Topic Starter)

Posted 06 July 2013 - 09:07 PM

Hi, Lawrence!

 

I made a HitmanPro.Kickstart flash drive as directed by your intro. On this 64-bit Toshiba C655, it hit the "USB Boot Options" menu and then wouldn't accept a numerical key entry, and wouldn't automatically forward to the next menu after ten seconds. Repeated keystrokes caused a long system beep.

 

I'm trying a Puppy distro now -- if you've got more advice, let me know. Thanks very much for your suggestion!



#9 Dergule (Topic Starter)

Posted 06 July 2013 - 11:00 PM

Hi, Gary!

 

Contrary to what the "United States Courts" virus says, nothing on the drive was encrypted and I retrieved all the data using Slacko Puppy 5.5 PAE. I'll reformat tomorrow morning and all this will be done! Thank you all for your support and input -- this is a great community!



#10 Gary R (MRU Admin, Malware Response Team)

Posted 07 July 2013 - 12:50 AM

You're welcome :) , glad you were able to recover your sister's personal files and folders.

 

With quite a few of these ransomware infections the disk is not actually encrypted, it's just locked out. Of course some of them do encrypt the disk, in which case you're scuppered, but it's always worth a try, and I'm glad to hear that in your case it was successful.

 

Good luck with your reformat.
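A quick way to settle the "locked out or actually encrypted?" question Gary R raises, run from the Linux live boot he suggests before deciding whether recovery is worth the effort. This is an added example, not code from the thread or from any tool it names; it assumes the victim drive is mounted read-only at a path passed on the command line, and the sample buffers below are constructed for the test.

```python
import math
from collections import Counter
from pathlib import Path

# Constructed sample inputs (not from the thread): a plain text note and a
# buffer that looks like ciphertext (every byte value equally frequent).
SAMPLE_TEXT = b"Dear Alice,\nthe photos from the trip are in the Pictures folder.\n" * 8
SAMPLE_RANDOM_LIKE = bytes(range(256)) * 4

# Magic bytes of common personal-file formats. An intact header means the file
# was not overwritten by a cipher, even if its body is compressed (docx, jpeg).
KNOWN_HEADERS = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"\xd0\xcf\x11\xe0": "ms-office-legacy",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text is roughly 4-5, ciphertext or compression near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify_bytes(data: bytes) -> str:
    """Return 'known-format:<name>', 'plaintext' or 'high-entropy' for a file prefix."""
    for magic, name in KNOWN_HEADERS.items():
        if data.startswith(magic):
            return "known-format:" + name
    return "high-entropy" if shannon_entropy(data[:4096]) > 7.5 else "plaintext"

def classify_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify_bytes(fh.read(4096))

def scan_tree(root: str) -> dict:
    """Walk a mounted user profile and count files per class; many
    'high-entropy' hits with no recognisable header suggest real encryption."""
    summary = Counter()
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                summary[classify_file(str(p))] += 1
            except OSError:
                summary["unreadable"] += 1
    return dict(summary)

if __name__ == "__main__":
    import sys
    print(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A screen locker like the one in this thread leaves documents classified as plaintext or known-format; a file-encrypting strain shows up as a profile full of high-entropy files with their original headers gone.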





