
Ransom bug on my wife's laptop


  • This topic is locked
35 replies to this topic

#1 Quiggy45

  • Members
  • 18 posts
  • Gender:Male
  • Location:West Georgia

Posted 15 August 2013 - 10:33 PM

How do I remove the ransom bug on the laptop?

I have a CD running REATOGO-X-PE from a previous attempt provided by another security service, as well as the FRST scan report. At that point the other tech service dropped me because the laptop did not have their security system installed.

So, now I'm stuck.




#2 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,762 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 16 August 2013 - 03:38 PM

What tech service would that be?

 

What are the exact issues with the computer?



 


#3 Quiggy45

  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Location:West Georgia

Posted 16 August 2013 - 06:35 PM

NIS

 

OK,

The laptop boots to a ransom screen, asking to pay $300.00 to unlock the computer. Can't do anything other than enter a code from a green money card I'm supposed to buy at a store.



#4 Quiggy45

  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Location:West Georgia

Posted 16 August 2013 - 06:44 PM

NIS will not support my wife's laptop because I have not downloaded the internet security software to it. The support guy said this is against their policies.

Even though I have paid for the service and just have not installed the software on her laptop. I'm not done with them yet; I will argue with his supervisor about it later. He did however recommend your service to fix the problem.

If you need me to send you the text file from the scan, I can do so.

Thanks in advance for your help.



#5 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,762 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 16 August 2013 - 06:45 PM

The Laptop boots to a ransom screen, asking to pay $300.00 to unlock the computer

In that case...

 

I'll report this topic to appropriate helpers.

Hold on there....



 


#6 Quiggy45

  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Location:West Georgia

Posted 16 August 2013 - 10:29 PM

Thanks



#7 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 22 August 2013 - 10:59 PM

Hello Quiggy45, and welcome to the forums!
 
I apologize for the delay! The forums can get busy at times, but now that I've picked up your topic I'll give you my best.

My name is bloopie and I'll be helping you with your problems as best I can!

Just FYI, I have moved this topic to the Malware Removal Logs forum where it will stay, and I will stay with you until we sort your issues out! :)

==========

A few things to keep in mind while we are working together:
  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Please do not run any other tools without my instruction to do so!
==========

In your first post, you mention you have a FRST scan report? Great to hear that, so yes, please post the FRST.txt in your next reply. Then we'll formulate the plan to tackle the infection.

...Again, sorry for the delay!

bloopie

#8 Quiggy45

  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Location:West Georgia

Posted 23 August 2013 - 08:51 AM

Hello Bloopie,

Thanks for trying to help me with that problem.

To answer your questions:

Problem is not solved

No original CD/DVD available

I have not worked on the laptop since I first contacted this forum.

My question:

I noticed the time you responded to my request. Do we have a time zone issue/delay?

I'm located in US eastern zone.

Just wondering if I should be answering/performing your instructions right away.

Quiggy45 

 

Attached File: FRST.txt (39.75KB, 5 downloads)

 



#9 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 23 August 2013 - 02:19 PM

Hello again,
 

Thanks for trying to help me with that problem.

It's my pleasure! :)
 

I noticed the time you responded to my request. Do we have a time zone issue/delay?
I'm located in US eastern zone.

I'm also on US Eastern time...I just happened to be up a bit late last night, that's all.
 

Just wondering if I should be answering/performing your instructions right away.

Yes, you may follow the steps as soon as I post them. :)
 
 
==========
 
Okay, lets get down to business!
 
First, I must issue you a warning:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.

==========

Okay, now please download the attached file fixlist.txt (4.8KB, 6 downloads) and save it to the same location as FRST.exe <--Important!!

  • Now run FRST on the infected machine just as you did before, but this time instead of scan, press the Fix button just once and wait for the tool to do its job.
  • Once finished it will create a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste that log in your next reply (please do not attach unless instructed otherwise).

==========

In addition to the fixlog, please let me know if the computer is booting normally now!

bloopie



#10 Quiggy45

  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Location:West Georgia

Posted 23 August 2013 - 08:06 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-08-2013 01
Ran by SYSTEM at 2013-08-23 21:58:17 Run:1
Running from D:\
Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\SearchProtectAll => Value deleted successfully.
C:\Program Files\SearchProtect\bin\cltmng.exe => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater => Value deleted successfully.
C:\Program Files\Ask.com\Updater\Updater.exe => Moved successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKU\LocalService\Software\Microsoft\Windows\CurrentVersion\Run\\ApplicationHistory => Value deleted successfully.
HKU\LocalService\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSS5.1 Manager => Value deleted successfully.
HKU\LocalService\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Adobe CSS5.1 Manager => Value deleted successfully.
HKU\NetworkService\Software\Microsoft\Windows\CurrentVersion\Run\\ApplicationHistory => Value deleted successfully.
HKU\NetworkService\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSS5.1 Manager => Value deleted successfully.
HKU\NetworkService\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Adobe CSS5.1 Manager => Value deleted successfully.
HKU\slbosshard\Software\Microsoft\Windows\CurrentVersion\Run\\SearchProtect => Value deleted successfully.
HKU\slbosshard\Software\Microsoft\Windows\CurrentVersion\Run\\WebCake Desktop => Value deleted successfully.
HKU\slbosshard\Software\Microsoft\Windows\CurrentVersion\Run\\ApplicationHistory => Value deleted successfully.
HKU\slbosshard\Software\Microsoft\Windows\CurrentVersion\Run\\hosts Update => Value deleted successfully.
HKU\slbosshard\Software\Microsoft\Windows\CurrentVersion\Run\\Internet Security => Value deleted successfully.
HKU\slbosshard\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSS5.1 Manager => Value deleted successfully.
HKU\slbosshard\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Adobe CSS5.1 Manager => Value not found.
HKU\HKU\slbosshard\...\Policies\Explorer\Run: [eeebebad] - C:\Documents and Settings\slbosshard\Local Settings\Application Data\50e417e0-e461-474b-96e2-077b80325612ad\eeebebad.exe [ 2013-08-12] ()\Software\Microsoft\Windows\CurrentVersion\Run\\eeebebad => Value not found.
HKU\slbosshard\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\eeebebad => Value not found.
HKU\slbosshard\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
WebCakeUpdater => Service deleted successfully.
C:\Program Files\Movdap\WBDesktop.Updater.exe => Moved successfully.
C:\Documents and Settings\slbosshard\Application Data\Web Cake => Moved successfully.
C:\Program Files\Web Cake => Moved successfully.
C:\Documents and Settings\All Users\Application Data\madefender.exe => Moved successfully.
C:\Documents and Settings\All Users\Application Data\74DF.tmp => Moved successfully.
C:\Documents and Settings\slbosshard\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}\ApplicationHistory\dnieoh.dll => Moved successfully.
C:\Documents and Settings\slbosshard\Local Settings\Application Data\50e417e0-e461-474b-96e2-077b80325612ad\eeebebad.exe => Moved successfully.
C:\Documents and Settings\slbosshard\ctfmon.exe => Moved successfully.
C:\Documents and Settings\slbosshard\flashplayer.exe => Moved successfully.
C:\Documents and Settings\slbosshard\jucheck.exe => Moved successfully.
C:\Documents and Settings\slbosshard\msconfig.exe => Moved successfully.
C:\Documents and Settings\slbosshard\mstsc.exe => Moved successfully.
C:\Documents and Settings\slbosshard\notepad.exe => Moved successfully.
C:\Documents and Settings\slbosshard\rundll32.exe => Moved successfully.
C:\Documents and Settings\slbosshard\Application Data\skype.dat => Moved successfully.
C:\Documents and Settings\slbosshard\Application Data\skype.ini => Moved successfully.
C:\Windows\Tasks\{3F1CC9F7-42A0-4B7D-A3DE-E1A6587FF4C4}.job => Moved successfully.
C:\Windows\Tasks\{7E6C8811-23C6-46A0-A16E-D125108236BC}.job => Moved successfully.

========================= File: C:\WINDOWS\Installer\{43F2AC19-52A5-448B-B079-BFBBA965EA34}\_203F468F29E79FF825746D.exe ========================

MD5: ce8ee64c66e92bbb46231b1be06aba22
Creation and modification date: 2011-11-18 09:34 - 2011-11-18 09:34
Size: 0010134
Attributes: ---RA
Company Name:
Internal Name:
Original Name:
Product Name:
Description:
File Version:
Product Version:
Copyright:

====== End Of File: ======


========================= File: C:\WINDOWS\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico ========================

MD5: 85ab6c3089bee58999b434e114e8a64c
Creation and modification date: 2008-02-08 11:34 - 2008-02-08 11:34
Size: 0006144
Attributes: ---RA
Company Name:
Internal Name:
Original Name:
Product Name:
Description:
File Version:
Product Version:
Copyright:

====== End Of File: ======


==== End of Fixlog ====
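The Fixlog above is the record of what the fix actually changed: Run and RunOnce values, a Winlogon Shell value, a Policies\Explorer\Run entry, a service, scheduled-task .job files, and executables named like Windows system binaries that were dropped into the user profile. The script below is an added example, not part of this thread and not FRST's own code: it parses Fixlog-style "target => result" lines into structured actions and summarizes which persistence locations were touched and which moved files carry a system-binary name outside the Windows directory. The mechanism labels, the list of impersonated names, and the sample lines (a constructed subset copied from the log above) are this example's own assumptions.

```python
"""Parse an FRST Fixlog.txt into structured actions and summarize which
persistence mechanisms the fix touched.

Added example for the thread above; not FRST's own code. Mechanism labels
and the impersonated-name list are this example's assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the Fixlog posted above.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-08-2013 01
Ran by SYSTEM at 2013-08-23 21:58:17 Run:1
Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\SearchProtectAll => Value deleted successfully.
C:\Program Files\SearchProtect\bin\cltmng.exe => Moved successfully.
HKU\slbosshard\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\eeebebad => Value not found.
HKU\slbosshard\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
WebCakeUpdater => Service deleted successfully.
C:\Documents and Settings\slbosshard\Local Settings\Application Data\50e417e0-e461-474b-96e2-077b80325612ad\eeebebad.exe => Moved successfully.
C:\Documents and Settings\slbosshard\rundll32.exe => Moved successfully.
C:\Windows\Tasks\{3F1CC9F7-42A0-4B7D-A3DE-E1A6587FF4C4}.job => Moved successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.

==== End of Fixlog ====
"""

# Ordered (label, pattern) pairs; the first pattern that matches wins.
# FRST separates a key from its value name with a doubled backslash.
MECHANISM_PATTERNS = [
    ("winlogon-shell", re.compile(r"\\Winlogon\\\\Shell$", re.I)),
    ("policies-explorer-run", re.compile(r"\\Policies\\Explorer\\Run\\", re.I)),
    ("runonce-key", re.compile(r"\\CurrentVersion\\RunOnce\\", re.I)),
    ("run-key", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("com-inprocserver32", re.compile(r"\\InprocServer32\\", re.I)),
    ("scheduled-task", re.compile(r"^[a-z]:\\Windows\\Tasks\\.*\.job$", re.I)),
]
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.I)

# Legitimate Windows binary names that dropped files often reuse when they
# live outside the Windows directory (assumed list, not exhaustive).
IMPERSONATED_NAMES = {"rundll32.exe", "notepad.exe", "ctfmon.exe",
                      "msconfig.exe", "mstsc.exe"}


@dataclass(frozen=True)
class FixAction:
    target: str       # registry value, file path or service name
    result: str       # FRST's outcome text without the trailing period
    kind: str         # registry | file | service | other
    mechanism: str    # persistence label, or "file" / "service" / "none"
    masquerade: bool  # file named like a system binary but outside C:\Windows


def classify_kind(target: str, result: str) -> str:
    if target.upper().startswith(("HKLM\\", "HKU\\", "HKCU\\", "HKCR\\")):
        return "registry"
    if result.startswith("Service"):
        return "service"
    if DRIVE_PATH.match(target):
        return "file"
    return "other"


def classify_mechanism(target: str, kind: str) -> str:
    for label, pattern in MECHANISM_PATTERNS:
        if pattern.search(target):
            return label
    return kind if kind in ("file", "service") else "none"


def looks_masquerading(target: str, kind: str) -> bool:
    if kind != "file":
        return False
    name = target.rsplit("\\", 1)[-1].lower()
    return name in IMPERSONATED_NAMES and not target.lower().startswith("c:\\windows\\")


def parse_fixlog(text: str) -> list:
    """Return one FixAction per 'target => result' line; other lines are skipped."""
    actions = []
    for raw in text.splitlines():
        line = raw.strip()
        if " => " not in line:
            continue  # header, separator or file-detail lines
        # rsplit keeps a target intact even if it itself contains " => "
        target, result = line.rsplit(" => ", 1)
        result = result.rstrip(".")
        kind = classify_kind(target, result)
        actions.append(FixAction(target, result, kind,
                                 classify_mechanism(target, kind),
                                 looks_masquerading(target, kind)))
    return actions


def summarize(actions) -> dict:
    """Counts per kind/mechanism/result plus the entries worth a second look."""
    return {
        "by_kind": Counter(a.kind for a in actions),
        "by_mechanism": Counter(a.mechanism for a in actions),
        "by_result": Counter(a.result for a in actions),
        "masquerading": [a.target for a in actions if a.masquerade],
        "not_found": [a.target for a in actions if a.result == "Value not found"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_fixlog(SAMPLE_FIXLOG)).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

The "not_found" list is the part a helper reads most carefully: a value the fixlist asked for but FRST could not find either never existed under that name or had already been removed, so it is worth re-checking in a fresh scan rather than assuming the entry is gone.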



#11 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 23 August 2013 - 09:06 PM

Hello again, and good work!

Please let me know if you are able to boot normally now!

If not, please let me know what happens or any error messages you encounter!

bloopie

#12 Quiggy45

  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Location:West Georgia

Posted 23 August 2013 - 09:36 PM

Hi,

It does boot up normally,

no error message!!!!

Thanks



#13 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 23 August 2013 - 10:27 PM

Glad to hear that! But we're not done yet!

I'll be back with your next instructions tomorrow!

bloopie

#14 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 24 August 2013 - 08:58 AM

Hello again,
 
Okay, let's get a couple of more logs:

Step 1

Run Combofix

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job...this is normal.

You can download Combofix from one of these links.
  • Close any open browsers or any other programs that are open.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you C:\Combofix.txt. Please include that in your next reply.
Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

==========

Step 2

Run RogueKiller

Download RogueKiller from here or here and save it to your desktop.
  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool.
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", just close the program (don't fix anything!).
  • Please copy and paste the log that opens into your next reply. The log can also be found on your desktop.
==========

Please post both requested logs in your next reply, and let me know how the machine is running now!

bloopie

Edited by bloopie, 24 August 2013 - 08:59 AM.


#15 Quiggy45

  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Location:West Georgia

Posted 25 August 2013 - 09:14 AM

Hello bloopie,

Do I connect the laptop to the internet to download ComboFix?

Or can I copy it with a flash drive from my PC?


Edited by Quiggy45, 25 August 2013 - 09:16 AM.




