Have ransomware. HitmanPro Kickstart and Sidekick. Hangs right after CD start.


This topic is locked
31 replies to this topic

#1 tractionengines
  • Members
  • 21 posts

Posted 23 April 2014 - 09:00 PM

My PC got infected with ransomware. I cannot boot from USB, so I have a CD with Sidekick and a USB stick with HitmanPro Kickstart. The BIOS is set to boot from CD. HitmanPro.Sidekick 2.3 hangs right after it accesses the CD (see photo).
It seems to me this ransomware is locking out the keyboard. Early in the boot-up the Num Lock and Caps Lock buttons work; at the same time that the boot-up hangs, they quit working too.
Any ideas? Please help.

Mike


#2 tractionengines
  • Topic Starter
  • Members
  • 21 posts

Posted 23 April 2014 - 09:08 PM

Can't get the photo to load from my phone.... sorry. Here is what is on screen:
.
.
.
Boot from CD:
1. HD System Type-(0b)

HitmanPro.Sidekick 2.3 - © 2012,2013 SurfRight
(Blinking cursor below H, bottom left of screen)

I am running Windows XP Pro 64bit edition.

Mike

#3 HelpBot
Bleepin' Binary Bot
  • Bots
  • 12,632 posts

Posted 28 April 2014 - 09:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/532125 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 tractionengines
  • Topic Starter
  • Members
  • 21 posts

Posted 29 April 2014 - 08:42 AM

Here is the current information:

System Details:

    Custom Built Computer.
 
    Abit mother-Board
        -SIL3132 SATA RAID
        -ULI SATA RAID
 
    Total Drives:
        -IDE PRIMARY:
            Seagate HDD used for Swapdrive, Temporary internet files, pagefiles, etc.
        -IDE Secondary:
            DVD/CD ReWritable
            DVD/CD ROM
        SATA 1 thru 4
            RAID 0+1 Array for main Windows Drive
        SATA 5&6
            Not used, not enabled in BIOS
 
    Operating System: WINDOWS XP 64bit OEM (have CD)
    Microsoft Office PRO OEM (have CD)
 
Note: There is no internet available until I open the Wireless Adapter and select which of my networks I want to log into. (So if the programs are trying to check for updates, etc., there is no network available until after we get past the ransomware.)
 
I tried to use F8 during boot-up and it will not work. So I can't run in safe mode, or go back to a Restore Point.
 
1st, things I did. [ I was in contact with SurfRight. They sent me an ISO image for a "special" boot CD that should allow access to RAID ]
 
I had the HitmanPro Kickstart USB drive connected, and loaded the special Sidekick boot CD which I had burned from the ISO image sent to me. Then power down and on start-up, set the BIOS to boot from CD.
 
    -With a 'cold' boot the system went thru its normal BIOS and hardware startup.
    -Then it came up "Boot from CD"
    - The Kickstart menu came up with 3 options.
        1) press 1 for Bypass MBR Boot. (Default)
               * Line of text shows "MBR Read".
               * Then screen goes blank (completely) and sits there.
                    ** I watched CD Drive LED, USB Drive LED, and HDD LED.
                    ** No activity for 10 minutes on any LED's
                    ** Power off.
 
    -With a 'cold' boot the system went thru its normal BIOS and hardware startup.
    -Then it came up "Boot from CD"
    - The Kickstart menu came up with 3 options.
        1) press 2 for Regular boot.
               * Line of text shows "MBR Read - Starting Boot Code".
               * Then screen goes blank (completely) and sits there.
                    ** I watched CD Drive LED, USB Drive LED, and HDD LED.
                    ** No activity for 10 minutes on any LED's
                    ** Power off.
 
    -With a 'cold' boot the system went thru its normal BIOS and hardware startup.
    -Then it came up "Boot from CD"
    - The Kickstart menu came up with 3 options.
        1) press 3 for Legacy Boot.
               * Line of text shows "MBR Read".
               * Goes right to WINDOWS XP 64Bit "logo screen".
               * Lots of HDD activity and CD ROM activity
               * Get my Account log-on screen
               * Select my profile.
                    ** Lots of normal "Loading" stuff then Ransomware Screen
                    ** Lots of USB Drive LED flashing, then HDD LED flashing, then more USB activity.
                    ** After about 5 min. activity stops.
                        -- No activity for 10 minutes on any LED's
                        -- Ransomware still covers desktop.
                    ** Wait a few more minutes, with no activity.
                    ** Power off.
 
2nd, things I did. [ Use my other computer to build a BartPE boot disk with my SATA and RAID drivers ]
 
I made a BartPE boot disk (WINDOWS XP 32-bit version from my other computer) with all the added drivers needed to start my main system into a PE session. The Kickstart USB flash drive was attached, BartPE was in the CD drive, and a USB external HD was also attached.
 
    - The Bart PE system loaded.
    - Use the file manager included in BartPE to "look around"
        * Can access my main SATA_RAID drive.  It is complete and functioning.
        * Can access USB HDD.
        * Can access USB Flashdrive with HitmanPro
    - Copied my Outlook PST files, and other "data files" which I know are not (or) feel may not be up to date in my backup.
    - Tried to run HitmanPro from USB drive while in BartPE desktop.
        * I get a C++ runtime error, and a note to contact the program vendor.
 
Current Situation:
 
Still get the ransomware screen when logged on and cannot clean.
 
Have sent a follow up e-mail to support at Surfright.  (Have not heard back)
       
Please let me know if you have any other options based on my information above:
   1)  I can burn another BOOT CD if you think you can get something to work.
   2)  Since I can get to the drive thru BartPE:
        a) Can you supply a ransomware removal version that will run under the BartPE system
        b) Can you supply another program that will clean this from within the BartPE.
        c) If you need to "see" files, and can let me know where to find them, I can extract files from the Ransomed Drive.
        d) Do you have any of your LOG creation programs that will run this way.  (I can not run anything under Normal windows startup.)
 
Let me know if you want any other information


#5 Bud_91
  • Malware Response Team
  • 438 posts

Posted 29 April 2014 - 01:35 PM

Let's see if we can do this.

 

FRST should run in a PE environment. I believe you should run the 32-bit version since your PE is 32 bit. Try this. If it doesn't work, we have alternatives.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.
 
  • Copy FRST to the root of your flash drive.
  • Boot to PE and double-click FRST to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply. -> This log may not be produced in PE.

  • If I have not responded to your log in 36 hours, feel free to send me a PM.

If you would like to make a thank-you donation, please click here.

A.K.A. Buddierdl @ GeeksToGo.com


#6 tractionengines
  • Topic Starter
  • Members
  • 21 posts

Posted 29 April 2014 - 09:24 PM

FRST didn't run. Gave error that normaliz.dll was not found.

I did save a copy of the "prefetch" ".ini" file, if that would help. But I can't load it from my cell phone (which is how I'm on-line now). If you want to see it let me know and I will post it at work tomorrow.

Mike

#7 Bud_91
  • Malware Response Team
  • 438 posts

Posted 30 April 2014 - 07:54 AM

Let's try RogueKiller first. This should also run in PE.

  • Download RogueKiller and save it on your flash drive.
  • Boot to PE.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan.
  • The report has been created on the flash drive.
  • Let me review the log before we delete anything.

If I have not responded to your log in 36 hours, feel free to send me a PM.


#8 tractionengines
  • Topic Starter
  • Members
  • 21 posts

Posted 30 April 2014 - 09:04 AM

Please send a link to the 32-bit version. The PE environment is 32-bit.

Mike



#9 Bud_91
  • Malware Response Team
  • 438 posts

Posted 30 April 2014 - 09:15 AM

Oops: RogueKiller x86

If I have not responded to your log in 36 hours, feel free to send me a PM.


#10 tractionengines
  • Topic Starter
  • Members
  • 21 posts

Posted 30 April 2014 - 07:43 PM

Nope.... "This application has failed to start because normaliz.dll was not found. Re-installing the application may fix this problem."
Same error that I got trying to run FRST under the PE environment. Can you send me the normaliz.dll they are looking for and I will add it to the BartPE CD and see if that works. If it is the only DLL missing it may work, (or) it may just tell us the next file that is missing.
Mike

#11 tractionengines
  • Topic Starter
  • Members
  • 21 posts

Posted 30 April 2014 - 08:01 PM

I tried one more thing. I copied the Normaliz.dll from my HDD (from windows\system32\ ) to the flash drive. I then tried to run FRST and RogueKiller. Both pop up a warning: "The application or DLL E:\Normaliz.dll is not a valid Windows image. Please check this against your installation diskette."
Mike

#12 Bud_91
  • Malware Response Team
  • 438 posts

Posted 01 May 2014 - 07:48 AM

System32 will contain the 64-bit DLL. Do you have a normaliz.dll in the windows\SYSWOW64 folder?

Edited by Bud_91, 01 May 2014 - 07:49 AM.

If I have not responded to your log in 36 hours, feel free to send me a PM.


#13 tractionengines
  • Topic Starter
  • Members
  • 21 posts

Posted 01 May 2014 - 04:34 PM

The BartPE disk is 32-bit; that is why I copied the 32-bit version to the flash drive. Why would the 64-bit version be in the System32 directory....? There is a Normaliz.dll version in the SYSWOW64 folder, and one in the system32.

The flash drive has 32-bit versions of the FRST and RogueKiller apps, and now the 32-bit normaliz.dll, I thought.

Mike.
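An added example, not part of this thread or of any SurfRight or Farbar tool: on 64-bit Windows, System32 holds the 64-bit DLLs and SysWOW64 the 32-bit ones, and a 32-bit BartPE loader rejects a 64-bit image with the "not a valid Windows image" error quoted above. The script reads the Machine field from a PE header so the correct copy can be identified before it is copied to the flash drive; the file paths are hypothetical and the sample headers are constructed stubs, not real DLLs.

```python
import struct

# COFF Machine values from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86 (32-bit)",
                 IMAGE_FILE_MACHINE_AMD64: "x64 (64-bit)"}


def pe_machine(data: bytes) -> int:
    """Return the Machine field of a PE image's COFF header.

    Walks MZ header -> e_lfanew -> 'PE\\0\\0' signature -> Machine, the same
    fields the Windows loader validates before it will map a DLL.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def describe(data: bytes) -> str:
    return MACHINE_NAMES.get(pe_machine(data), "other/unknown")


def loadable_by_32bit_pe(data: bytes) -> bool:
    """True only for an x86 image; a 32-bit PE loader rejects x64 DLLs."""
    return pe_machine(data) == IMAGE_FILE_MACHINE_I386


def pick_32bit_copy(candidates: dict) -> list:
    """Given {source_path: file_bytes}, return the paths holding x86 images.
    Files that are not valid PE images are skipped rather than reported."""
    out = []
    for path, data in candidates.items():
        try:
            if loadable_by_32bit_pe(data):
                out.append(path)
        except ValueError:
            pass
    return out


def make_stub(machine: int) -> bytes:
    """Constructed minimal MZ+PE header (not a real DLL) for demonstration."""
    buf = bytearray(0x40 + 24)                 # DOS header + PE sig + COFF header
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)    # e_lfanew: PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, machine)
    return bytes(buf)


if __name__ == "__main__":
    # Hypothetical paths mirroring the two copies of normaliz.dll in the thread.
    sample = {r"D:\Windows\System32\normaliz.dll": make_stub(IMAGE_FILE_MACHINE_AMD64),
              r"D:\Windows\SysWOW64\normaliz.dll": make_stub(IMAGE_FILE_MACHINE_I386)}
    for path, data in sample.items():
        print(path, "->", describe(data))
    print("copy to flash drive:", pick_32bit_copy(sample))
```

To check real files, read each candidate with `open(path, "rb").read()` and pass the bytes to `describe` or `pick_32bit_copy`.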



#14 tractionengines
  • Topic Starter
  • Members
  • 21 posts

Posted 02 May 2014 - 07:22 AM

OK.... I did get the DLLs that were needed copied to the flash drive one by one until they ran. I will post the logs from FRST & RogueKiller in the next 2 e-mails. (Also, I will post a 3rd message with an idea I came up with that I want to run past you as a way to speed this up, and not be such an exotic system. MAYBE....)

Thank you.

Mike



#15 tractionengines
  • Topic Starter
  • Members
  • 21 posts

Posted 02 May 2014 - 07:23 AM

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 29-04-2014
    Ran by SYSTEM on MININT-JVC on 02-05-2014 06:30:11
    Running from F:\
    WIN_XP (X86) OS Language:
    Boot Mode: Recovery
    Attention: Could not load system hive.

    Error:  The system was unable to find the specified registry key or value
    Attention: System hive is missing.


    The only official download link for FRST:
    Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
    Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
    Download link from any site other than Bleeping Computer is unpermitted or outdated.
    See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Registry (Whitelisted) ==================

    ATTENTION: Software hive is missing.
    ATTENTION: Software hive is not loaded.
    ATTENTION: System hive is not loaded.

    ========================== Services (Whitelisted) =================


    ==================== Drivers (Whitelisted) ====================


    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2014-05-02 06:29 - 2014-05-02 06:30 - 00000000 ____D () C:\FRST

    ==================== One Month Modified Files and Folders =======

    2014-05-02 06:30 - 2014-05-02 06:29 - 00000000 ____D () C:\FRST

    ==================== Known DLLs (Whitelisted) ============


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
    C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\rpcss.dll IS MISSING <==== ATTENTION!.
    C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

    ==================== Restore Points (XP) =====================


    ==================== Memory info ===========================

    Percentage of memory in use: 9%
    Total physical RAM: 2046.47 MB
    Available physical RAM: 1851.75 MB
    Total Pagefile: 1893.11 MB
    Available Pagefile: 1855.9 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1998.56 MB

    ==================== Drives ================================

    Drive b: (RAMDisk) (Fixed) (Total:0.03 GB) (Free:0.03 GB) FAT
    Drive c: (Swapdrive) (Fixed) (Total:74.53 GB) (Free:64.53 GB) NTFS
    Drive d: () (Fixed) (Total:465.76 GB) (Free:65.59 GB) NTFS ==>[Drive with boot components (Windows XP)]
    Drive e: (Seagate Expansion Drive) (Fixed) (Total:931.51 GB) (Free:608.59 GB) NTFS
    Drive f: (HITMANPRO) (Removable) (Total:0.23 GB) (Free:0.22 GB) FAT32
    Drive x: (BartPE) (CDROM) (Total:0.23 GB) (Free:0 GB) CDFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 75 GB) (Disk ID: 07047A17)
    Partition 1: (Active) - (Size=75 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (Size: 242 MB) (Disk ID: C7448428)
    Partition 1: (Active) - (Size=235 MB) - (Type=0B)

    ========================================================
    Disk: 2 (Size: 932 GB) (Disk ID: C8D7F0B0)
    Partition 1: (Not Active) - (Size=932 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 4 (MBR Code: Windows XP) (Size: 466 GB) (Disk ID: A30DA30D)
    Partition 1: (Active) - (Size=466 GB) - (Type=07 NTFS)

    ==================== End Of Log ============================
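As an added triage aid (not part of this thread or of FRST), the script below parses the Drives and "IS MISSING" lines from a log in the format above and checks whether the volume FRST examined is the one the log marks as holding the boot components. In the log above FRST ran under PE, where the RAID volume appears as D: and C: is the swap drive, so hive and missing-file warnings against C:\Windows are consistent with drive-letter mapping rather than with deleted system files. The sample input is a constructed, abridged excerpt of that log.

```python
import re

# Constructed excerpt of the FRST log posted above (abridged, same line format).
SAMPLE_LOG = r"""Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 29-04-2014
Running from F:\
Boot Mode: Recovery
Attention: Could not load system hive.
Attention: System hive is missing.
ATTENTION: Software hive is missing.
ATTENTION: Software hive is not loaded.
ATTENTION: System hive is not loaded.
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
Drive b: (RAMDisk) (Fixed) (Total:0.03 GB) (Free:0.03 GB) FAT
Drive c: (Swapdrive) (Fixed) (Total:74.53 GB) (Free:64.53 GB) NTFS
Drive d: () (Fixed) (Total:465.76 GB) (Free:65.59 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive e: (Seagate Expansion Drive) (Fixed) (Total:931.51 GB) (Free:608.59 GB) NTFS
Drive f: (HITMANPRO) (Removable) (Total:0.23 GB) (Free:0.22 GB) FAT32
Drive x: (BartPE) (CDROM) (Total:0.23 GB) (Free:0 GB) CDFS
==================== End Of Log ============================"""

DRIVE_RE = re.compile(
    r"^Drive ([a-z]): \((.*?)\) \((\w+)\) \(Total:([\d.]+) GB\) \(Free:([\d.]+) GB\) (\w+)"
    r"(?: ==>\[(.*)\])?$", re.M)
MISSING_RE = re.compile(r"^([A-Za-z]):\\(.+?) IS MISSING", re.M)
HIVE_RE = re.compile(r"^attention: .*hive", re.M | re.I)

def parse_drives(log):
    """Map drive letter -> details from the 'Drives' section of an FRST log."""
    drives = {}
    for m in DRIVE_RE.finditer(log):
        letter, label, kind, total, free, fs, note = m.groups()
        drives[letter.upper()] = {"label": label, "kind": kind, "fs": fs,
                                  "total_gb": float(total), "free_gb": float(free),
                                  "boot": bool(note and "boot components" in note)}
    return drives

def missing_files(log):
    """(drive letter, path) for each 'IS MISSING' line of the Bamital & volsnap check."""
    return [(m.group(1).upper(), m.group(2)) for m in MISSING_RE.finditer(log)]

def triage(log):
    """Compare the volume FRST checked against the one marked as the boot volume."""
    drives = parse_drives(log)
    boot = sorted(d for d, info in drives.items() if info["boot"])
    checked = sorted({letter for letter, _ in missing_files(log)})
    hive_warnings = len(HIVE_RE.findall(log))
    mismatch = bool(boot) and any(c not in boot for c in checked)
    if mismatch:
        verdict = ("core files checked on %s but Windows boots from %s: hive and "
                   "missing-file warnings reflect drive-letter mapping under PE"
                   % (", ".join(checked), ", ".join(boot)))
    elif checked:
        verdict = "core files missing on the boot volume: investigate as possible tampering"
    else:
        verdict = "no missing core files reported"
    return {"boot_drives": boot, "checked_drives": checked,
            "hive_warnings": hive_warnings, "mismatch": mismatch, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG)["verdict"])
```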
     





