Ransomware


34 replies to this topic

#1 awhitesoxfan

  • Members
  • 86 posts

Posted 01 August 2013 - 01:06 PM

Computer locked

FBI Cybercrime Division

Followed removal instructions guide

Created HitmanPro.Kickstart USB flash drive

Executed guide steps #8, 9, 10, 11

Infected computer scan results: NOTHING

Computer will not boot

Startup Repair ran

Windows cannot repair automatically

Please help!




#2 GodfatherKing

  • Members
  • 587 posts
  • Gender:Male

Posted 01 August 2013 - 01:14 PM

:welcome:

 

Let's try another workaround:

USING THE RAR/ZIP ARCHIVE TO CREATE A USB BOOTABLE DEVICE

To create a USB flash drive variant of AVG Rescue CD, you will need to do the following:

  • Extract the archive downloaded from the AVG web site to your preferred location.
  • Double-click the extracted setup.exe file. It will guide you through the whole process. You will be able to select a USB drive from a listbox; setup will copy all necessary files to the selected USB drive and make the USB drive bootable.
  • Please be careful not to run the makeboot.bat file directly from the hard drive of the computer! This would overwrite the boot record and make your system unbootable.
  • After this process is finished (a message will be displayed) you can close the window.

:step1: AVG Rescue:

Now plug in the USB device with AVG Rescue on it.

1. Reboot the computer and open the boot menu (F10 or F12). Then choose the USB device.

2. At the Boot Menu: choose AVG Rescue CD (1) and press Enter

3. Let it load; at the "Disclaimer Screen" just choose I agree (or not) and press Enter

4. At the "Update Screen", choose Yes and press Enter

Next screen: choose Update from Internet and press Enter

5. At the "Update Priority Configuration" window, choose Priority 2 Virus Database Update and press Enter

6. Let it update and when finished, press any key to continue

7. You end up back at the "Update Screen"; choose Return and press Enter

8. You're at the "Main Menu" screen; choose Scan and press Enter

9. "Scan Type Menu": choose "Volumes Scan - Selected Volumes" and press Enter

10. "Scan Volumes": choose "OK" and press Enter

11. "Scan Options": choose "OK" and press Enter

12. "Run Scan": choose "Yes" and press Enter

13. When the scan is complete, press any key to continue

14. "Info screen": choose "OK" and press Enter

15. To see the scan report, select "Report File" and press Enter
Please look over the list, as some files can be crucial for the Windows system and deleting them can make it inoperative; if you're not sure, please Google the file or files.

16. "Scan Results Menu": use the up and down keys and choose "Select - Handle single or groups of infected files", then press Enter
Go through the files and choose to Rename the infected file; don't choose Delete!
This is important: Rename <---

17. Read the "Warning Screen", choose "Yes" and press Enter

18. Back at the "Scan Results Menu", choose "Back or Return" to get to the "Main Menu" and then choose ----> Reboot System
Don't forget to take out the rescue CD.

19. All the malware files will be renamed to "_INFECTED.arl". To find all of these files:
Go to Start > Search > All Files and Folders, type "_INFECTED.arl" and click Search.
  Example: malware.exe would be renamed to malware.exe_infected.arl


If you have received help from me and I haven't responded to you for >= 3 days, send me a Private Message.  :hello:
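
Step 19 above locates the renamed files by hand with Windows Search. As an added example that is not part of the forum post and not AVG's own code, here is a small Python script that does the same walk, recovers each file's original name from the `_INFECTED.arl` suffix (matched case-insensitively, since the post writes the suffix both ways), and records a SHA-256 for each one so the file can be looked up later without un-renaming it. The directory tree that `demo()` scans is constructed inline for illustration and is not from the thread; on a real machine you would point `find_renamed()` at `C:\`.

```python
"""Locate files AVG Rescue renamed to *_INFECTED.arl and record what they were.

Added example, not from the forum post or from AVG. It assumes only the rename
convention the post describes: "malware.exe" -> "malware.exe_INFECTED.arl".
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

SUFFIX = "_INFECTED.arl"


def original_name(filename: str) -> Optional[str]:
    """Return the pre-rename filename, or None if this is not a renamed file."""
    if len(filename) > len(SUFFIX) and filename.lower().endswith(SUFFIX.lower()):
        return filename[: -len(SUFFIX)]
    return None


def sha256_of(path: str) -> str:
    """Hash the file in chunks so large quarantined files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_renamed(root: str) -> List[Dict[str, str]]:
    """Walk `root` and describe every quarantine-renamed file found, sorted by path."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            orig = original_name(name)
            if orig is None:
                continue
            path = os.path.join(dirpath, name)
            found.append({
                "path": path,
                "original": orig,
                "extension": os.path.splitext(orig)[1].lower(),
                "sha256": sha256_of(path),
            })
    found.sort(key=lambda rec: rec["path"])
    return found


def demo() -> List[Dict[str, str]]:
    """Build a constructed sample tree (not real malware) and run the finder over it."""
    root = tempfile.mkdtemp(prefix="avg_demo_")
    sample = {
        # Two renamed files, one with each suffix spelling the post uses, and one clean file.
        os.path.join("Users", "Kelly", "AppData", "Roaming", "malware.exe_INFECTED.arl"): b"MZ\x90\x00fake",
        os.path.join("Windows", "Temp", "dropper.dll_infected.arl"): b"MZ\x90\x00other",
        os.path.join("Users", "Kelly", "Documents", "notes.txt"): b"clean",
    }
    for rel, data in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(data)
    return find_renamed(root)


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec['original']:<14} {rec['extension']:<5} {rec['sha256'][:16]}...  {rec['path']}")
```

The hashes are worth keeping even if you later delete the renamed files: they let you check the sample against a vendor database or sandbox report without restoring the executable name.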


#3 awhitesoxfan

  • Topic Starter
  • Members
  • 86 posts

Posted 02 August 2013 - 12:29 PM

Double-click setup.exe

Copy to USB flash drive

AVG Rescue CD/Linux Setup error

Error

Operation failed:

Copy files 'log.txt->'F:\log.txt' failed with Win32 error '32':

The process cannot access the file because it is being used by another process.

Please help



#4 GodfatherKing

  • Members
  • 587 posts
  • Gender:Male

Posted 02 August 2013 - 12:39 PM

Try unpacking the ZIP you downloaded into a folder on your desktop. Then run setup.exe.


Edited by GodfatherKing, 02 August 2013 - 12:39 PM.



#5 awhitesoxfan

  • Topic Starter
  • Members
  • 86 posts

Posted 02 August 2013 - 01:09 PM

The AVG compressed ZIP is located in my Downloads.

Please give me detailed instructions on what I should do.

Thanks



#6 GodfatherKing

  • Members
  • 587 posts
  • Gender:Male

Posted 02 August 2013 - 02:12 PM

:step1: Create a folder on the desktop.

:step2: Unpack the ZIP into the folder you made in :step1:.

:step3: If double-clicking setup.exe doesn't work and it's Vista, 7 or 8, run it as administrator.


Edited by GodfatherKing, 02 August 2013 - 02:13 PM.



#7 awhitesoxfan

  • Topic Starter
  • Members
  • 86 posts

Posted 03 August 2013 - 08:10 AM

The "run it as administrator" worked.

I rebooted the infected computer using the AVG Rescue USB flash drive.

The scan results: NO infected files

What should I do next?



#8 GodfatherKing

  • Members
  • 587 posts
  • Gender:Male

Posted 03 August 2013 - 08:33 AM

Did you try to update it first?

If you did that and it still isn't finding it, it will be a new version of the ransomware.

Let's try to see:

Disconnect the LAN cable so the machine has no internet. Then start up your infected machine. Is the ransomware still there?




#9 awhitesoxfan

  • Topic Starter
  • Members
  • 86 posts

Posted 03 August 2013 - 09:04 AM

Disconnected internet

Turned on infected computer

Blue Windows 7 screen

Click user icon: black screen

Control-Alt-Delete

Click Log off

Desktop came up

#10 GodfatherKing

  • Members
  • 587 posts
  • Gender:Male

Posted 03 August 2013 - 09:18 AM

Are you able to run these tools?

If necessary, copy the tools over with a flash drive.

:step1: Run Rkill http://www.bleepingcomputer.com/forums/t/308364/rkill-what-it-does-and-what-it-doesnt-a-brief-introduction-to-the-program/

       Note: Sometimes AVs think Rkill is infected; this isn't true, it's just a false positive. Just let it terminate the malware processes.

:step2: Provide the Rkill log.

:step3: Download Emsisoft Emergency Kit

  • Open Emsisoft Emergency Kit by double-clicking Start.exe.
  • A new window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Deep Scan option and click the SCAN button.
  • When the scan is finished, click the Quarantine selected objects button. Note: this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click the most recent log. Note: logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

:step4: Install and run MBAM

:step5: Run TDSSKiller to obtain a log

Note: Don't cure or delete a threat; choose Skip for all instead.

  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click TDSSKiller.exe to run the application, then click on Change parameters
  • In the Additional options: check Detect TDLFS file system
  • Click Start Scan and allow the scan process to run
  • For all threats, choose Skip for all of them.
  • Click Continue
  • Please post the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)

===================================================


Edited by GodfatherKing, 03 August 2013 - 09:19 AM.



#11 awhitesoxfan

  • Topic Starter
  • Members
  • 86 posts

Posted 03 August 2013 - 09:29 AM

Should I try and connect the internet to the infected computer?

#12 GodfatherKing

  • Members
  • 587 posts
  • Gender:Male

Posted 03 August 2013 - 09:41 AM

I would transfer the tools with a flash drive. You can try to connect it back, but there's a risk it can lock up again.




#13 awhitesoxfan

  • Topic Starter
  • Members
  • 86 posts

Posted 03 August 2013 - 10:09 AM

Rkill 2.5.9 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/03/2013 11:01:36 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Users\Kelly\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe (PID: 2776) [UP-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!


Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 08/03/2013 11:02:01 AM
Execution time: 0 hours(s), 0 minute(s), and 25 seconds(s)
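
The Rkill log above is the kind of thing a helper has to read by eye: one terminated process, a ZEROACCESS alert, and the HOSTS file contents. As an added example that is neither part of this thread nor Rkill's own code, here is a Python parser that pulls those three things out of an Rkill log and flags anything needing follow-up. It assumes only the section headings and line shapes visible in the posted log. The embedded sample is the posted log trimmed to the lines the parser reads, with one constructed HOSTS entry (`0.0.0.0 update.example.test`, not from the thread) added so the HOSTS redirection check has something to catch.

```python
"""Parse an Rkill log into the facts a responder acts on.

Added example, not from the forum thread and not Rkill's own code. Assumes the
headings and line formats seen in the posted log (Rkill 2.5.9).
"""
import re
from typing import Dict, List

# "* <path> (PID: <n>) [<tag>]" lines under "Checking for processes to terminate:"
PROCESS_RE = re.compile(r"^\* (?P<path>.+?) \(PID: (?P<pid>\d+)\)(?: \[(?P<tag>[^\]]+)\])?$")
# "* ALERT: ..." lines can appear under any check section
ALERT_RE = re.compile(r"^\* ALERT: (?P<text>.+)$")
# "<ipv4> <hostname>" lines under "Checking HOSTS File:"
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)$")

# Entries a stock Windows HOSTS file may legitimately carry; anything else is worth a look.
BENIGN_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Posted log, trimmed; the 0.0.0.0 line is constructed for the example.
SAMPLE_LOG = r"""Rkill 2.5.9 by Lawrence Abrams (Grinler)
Program started at: 08/03/2013 11:01:36 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Users\Kelly\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe (PID: 2776) [UP-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost
0.0.0.0 update.example.test

Program finished at: 08/03/2013 11:02:01 AM
"""


def parse_rkill_log(text: str) -> Dict[str, object]:
    """Return terminated processes, ALERT lines, HOSTS entries and a follow-up verdict."""
    result: Dict[str, object] = {"terminated": [], "alerts": [], "hosts": [], "suspicious_hosts": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        alert = ALERT_RE.match(line)
        if alert:
            result["alerts"].append(alert.group("text"))
            continue
        if line.startswith("Checking for processes to terminate"):
            section = "processes"
        elif line.startswith("Checking HOSTS File"):
            section = "hosts"
        elif not line.startswith("*") and not HOSTS_RE.match(line):
            section = None  # any other heading or free text ends the current section
        elif section == "processes":
            proc = PROCESS_RE.match(line)
            if proc:
                result["terminated"].append(
                    {"path": proc.group("path"), "pid": int(proc.group("pid")), "tag": proc.group("tag")}
                )
        elif section == "hosts":
            entry_match = HOSTS_RE.match(line)
            if entry_match:
                entry = (entry_match.group("ip"), entry_match.group("host"))
                result["hosts"].append(entry)
                if entry not in BENIGN_HOSTS:
                    result["suspicious_hosts"].append(entry)
    result["needs_followup"] = bool(result["alerts"] or result["suspicious_hosts"])
    return result


if __name__ == "__main__":
    parsed = parse_rkill_log(SAMPLE_LOG)
    for proc in parsed["terminated"]:
        print(f"terminated: {proc['path']} (PID {proc['pid']}, tag {proc['tag']})")
    for text in parsed["alerts"]:
        print(f"ALERT: {text}")
    for ip, host in parsed["suspicious_hosts"]:
        print(f"suspicious HOSTS entry: {ip} {host}")
    print("needs follow-up:", parsed["needs_followup"])
```

Terminated processes are reported so they can be checked, not treated as detections: Rkill's introduction (linked in post #10) says that a process it terminates is not necessarily malware, and the one killed here sits under a SanDisk updater path. The ALERT line and any HOSTS entry other than localhost are what justify the deeper scans the helper asks for next.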

#14 GodfatherKing

  • Members
  • 587 posts
  • Gender:Male

Posted 03 August 2013 - 11:12 AM

Are you able to run the scans?




#15 awhitesoxfan

  • Topic Starter
  • Members
  • 86 posts

Posted 03 August 2013 - 11:36 AM

Emsisoft Emergency Kit - Version 4.0
Last update: N/A
User account: Kelly-PC\Kelly

Scan settings:

Scan type: Deep Scan
Objects: Rootkits, Memory, Traces, C:\, Q:\

Detect Riskware: Off
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 8/3/2013 11:58:59 AM

Scanned 499086
Found 0

Scan end: 8/3/2013 12:25:47 PM
Scan time: 0:26:48



