
Dept of Justice ransomware, HitmanPro.Kickstart Error, "#3,Volume"


This topic is locked
49 replies to this topic

#1 ND_Fan
  • Members
  • 70 posts

Posted 13 September 2014 - 02:25 PM

Hello --

I'm attempting to follow the instructions to remove the Dept of Justice ransomware posted in my previous post here:

http://www.bleepingcomputer.com/forums/t/546330/fake-dept-of-justice-warning-unable-to-proceed-plse-help/?hl=%2Bnd_fan.

When I attempt to create the HitmanPro.Kickstart USB flash drive, I receive the following error:

"An error occurred while creating the HitmanPro.Kickstart USB flash drive. #3, volume"

My memory stick is brand new, 4GB storage capacity, so I'm surprised to see a volume error.

Can someone please advise how I may proceed from this step?

Thanks,

ND_Fan


Edited by hamluis, 13 September 2014 - 02:31 PM.
No logs, moved from MRL to Am I Infected - Hamluis.



#2 xXToffeeXx
    Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 14 September 2014 - 12:48 PM

Hi ND_Fan,

What operating system is on the infected machine (XP, Vista, 7, 8, 8.1)?

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#3 ND_Fan
  • Topic Starter
  • Members
  • 70 posts

Posted 14 September 2014 - 01:05 PM

Hi xXToffeeXx,

The infected machine is running Windows 7 - 32 bit.

Please let me know if you need any more info.

I seem to be stuck and unable to proceed past this error.  Please advise.

Thanks,

ND_Fan



#4 xXToffeeXx
    Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 14 September 2014 - 01:09 PM

Hi ND_Fan,
 
Let's see if another tool will work instead, as it seems that HitmanPro does not want to play nice.
 
FRST Scan from RECOVERY Environment on Vista, 7, and 8:
 
On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

 

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========
 
On the System Recovery Options menu you will get the following options:
 
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
Select Command Prompt
 
==========
 
Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

xXToffeeXx~




#5 ND_Fan
  • Topic Starter
  • Members
  • 70 posts

Posted 16 September 2014 - 10:07 PM

Hi xXToffeeXx -

Thanks for the reply.  This step worked.  Below is my FRST log.  Please review and advise on next step.

Thanks,

ND_Fan

--------------------------------

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-09-2014
Ran by SYSTEM on MININT-6LGRME3 on 16-09-2014 22:01:36
Running from f:\
Platform: Windows 7 Home Premium (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [WinPatrol] => C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [384232 2012-07-12] (BillP Studios)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 EaseUS Agent; C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe [68168 2013-05-10] (CHENGDU YIWO Tech Development Co., Ltd)
S3 Guard Agent; C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe [23624 2013-05-10] (CHENGDU YIWO Tech Development Co., Ltd)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [279776 2014-03-11] (Microsoft Corporation)
S3 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 cpudrv; C:\Program Files\SystemRequirementsLab\cpudrv.sys [11336 2011-06-02] ()
S0 EUBAKUP; C:\Windows\System32\drivers\eubakup.sys [51272 2013-05-10] (CHENGDU YIWO Tech Development Co., Ltd)
S0 EUBKMON; C:\Windows\System32\drivers\EUBKMON.sys [41544 2013-05-10] ()
S1 EUDSKACS; C:\Windows\system32\drivers\eudskacs.sys [15944 2013-05-10] (CHENGDU YIWO Tech Development Co., Ltd)
S1 EUFDDISK; C:\Windows\system32\drivers\EuFdDisk.sys [186952 2013-05-10] (CHENGDU YIWO Tech Development Co., Ltd)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-24] (Microsoft Corporation)
S3 STAC97; C:\Windows\System32\drivers\STAC97.sys [273168 2005-03-10] (SigmaTel, Inc.)
S3 VSTHWICH; C:\Windows\System32\DRIVERS\VSTICH3.SYS [242176 2009-07-13] (Conexant Systems, Inc.)
S2 5762; \??\C:\Users\Steve\AppData\Local\Temp\5762.sys [X]
S5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
S3 cpuz135; \??\C:\Users\Steve\AppData\Local\Temp\cpuz135\cpuz135_x32.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-16 22:01 - 2014-09-16 22:01 - 00000000 ____D () C:\FRST
2014-08-30 11:11 - 2014-08-30 11:51 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-08-29 14:29 - 2014-08-29 14:29 - 00000036 _____ () C:\Users\Steve\Documents\IL License Plate 2014.txt
2014-08-27 19:52 - 2014-08-22 17:46 - 00305152 _____ (Microsoft Corporation) C:\Windows\System32\gdi32.dll
2014-08-27 19:52 - 2014-08-22 16:42 - 02352640 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2014-08-27 19:25 - 2014-05-14 08:23 - 01973728 _____ (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2014-08-27 19:25 - 2014-05-14 08:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2014-08-27 19:25 - 2014-05-14 08:23 - 00054240 _____ (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2014-08-27 19:25 - 2014-05-14 08:23 - 00045536 _____ (Microsoft Corporation) C:\Windows\System32\wups2.dll
2014-08-27 19:25 - 2014-05-14 08:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\System32\wups.dll
2014-08-27 19:25 - 2014-05-14 08:17 - 02425856 _____ (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2014-08-27 19:25 - 2014-05-14 08:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2014-08-27 19:24 - 2014-05-14 06:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2014-08-27 19:24 - 2014-05-14 06:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\System32\wuapp.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-16 22:01 - 2014-09-16 22:01 - 00000000 ____D () C:\FRST
2014-08-30 12:47 - 2010-04-12 19:25 - 01482158 _____ () C:\Windows\WindowsUpdate.log
2014-08-30 12:40 - 2009-07-13 20:34 - 00022576 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-30 12:40 - 2009-07-13 20:34 - 00022576 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-30 12:30 - 2012-07-07 17:48 - 00036332 _____ () C:\Windows\setupact.log
2014-08-30 11:51 - 2014-08-30 11:11 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-08-29 14:29 - 2014-08-29 14:29 - 00000036 _____ () C:\Users\Steve\Documents\IL License Plate 2014.txt
2014-08-28 21:32 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\rescache
2014-08-28 19:53 - 2009-07-13 20:33 - 00417864 _____ () C:\Windows\System32\FNTCACHE.DAT
2014-08-22 17:46 - 2014-08-27 19:52 - 00305152 _____ (Microsoft Corporation) C:\Windows\System32\gdi32.dll
2014-08-22 16:42 - 2014-08-27 19:52 - 02352640 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2014-08-18 01:38 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-08-17 21:28 - 2014-05-05 23:39 - 00000000 ___SD () C:\Windows\System32\CompatTel

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1089155279-2339593571-1851886300-1000\$1c92cf55fbb8c233387e4e2b6ed37bd6

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$1c92cf55fbb8c233387e4e2b6ed37bd6

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2011-07-01 15:13] - [2014-03-04 01:17] - 0850944 ____A (Microsoft Corporation) 1413D85A8B26A961AFA25A64E1FA0DA2

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2014-08-16 21:40:54
Restore point made on: 2014-08-17 21:21:46
Restore point made on: 2014-08-21 21:05:56
Restore point made on: 2014-08-26 18:22:38
Restore point made on: 2014-08-27 19:23:59
Restore point made on: 2014-08-27 21:24:05

==================== Memory info ===========================

Percentage of memory in use: 39%
Total physical RAM: 1023.44 MB
Available physical RAM: 618.44 MB
Total Pagefile: 1023.44 MB
Available Pagefile: 618.6 MB
Total Virtual: 2047.88 MB
Available Virtual: 1956.57 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:74.42 GB) (Free:36.56 GB) NTFS
Drive f: (HITMANPRO) (Fixed) (Total:3.71 GB) (Free:3.71 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: 41AB2316)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=74.4 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 3.7 GB) (Disk ID: E0D7874B)
Partition 1: (Active) - (Size=3.7 GB) - (Type=0B)

LastRegBack: 2014-08-27 00:40

==================== End Of Log ============================
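The FRST log above is what the responder works from for the rest of the thread. As an added example (not from the thread and not FRST's own code), here is a small Python triage script that pulls out the same kinds of entries xXToffeeXx acted on: FRST's inline ATTENTION markers, the ZeroAccess recycle-bin paths, drivers loading from a user's Temp folder or whose file is missing, and the one Bamital & volsnap entry (User32.dll) that did not come back "MD5 is legit". The sample log inside is a constructed, abridged excerpt of the one posted above; reading [X] as "file not found" is FRST's convention as understood here.

```python
"""Triage helper for a Farbar Recovery Scan Tool (FRST) log.

Added example, not code from the thread or from FRST. It pulls out of an
FRST.txt the lines a responder reads first: FRST's own ATTENTION markers,
ZeroAccess paths, drivers loaded from a user's Temp folder or whose file is
missing, and Bamital & volsnap entries that did not pass the MD5 check.
"""
import re

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")  # "==== Title ===="; bare '=' runs have no title
# Service/driver lines: "S2 name; path [size date] (vendor)" or "S2 name; path [X]".
SVC_RE = re.compile(r"^[SR]\d\s+(?P<name>[^;]+);\s*(?P<path>.+?)(?:\s+\[(?P<info>[^\]]*)\])?$")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def split_sections(log_text):
    """Return {title: [lines]}; text before the first header is keyed 'Header'."""
    sections, current = {"Header": []}, "Header"
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m and m.group(1):
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line.rstrip())
    return sections


def triage(log_text):
    """Return a list of (category, section, line) findings."""
    findings = []
    sections = split_sections(log_text)
    for title, lines in sections.items():
        for i, line in enumerate(lines):
            # FRST flags suspicious entries inline ("ATTENTION! ====> ZeroAccess?");
            # the banner in the header section is general advice, so skip it there.
            if title != "Header" and "ATTENTION!" in line:
                findings.append(("frst_attention", title, line))
            # "ZeroAccess:" is followed by the path FRST attributed to the rootkit.
            if line.startswith("ZeroAccess:") and i + 1 < len(lines):
                findings.append(("zeroaccess_path", title, lines[i + 1]))
            if title.startswith(("Services", "Drivers")):
                m = SVC_RE.match(line)
                if not m:
                    continue
                # [X] is FRST's mark for an entry whose file was not found on disk (assumed convention).
                if (m.group("info") or "") == "X":
                    findings.append(("missing_file", title, line))
                if TEMP_RE.search(m.group("path")):
                    findings.append(("temp_dir_driver", title, line))
    # A verified file ends "=> MD5 is legit"; anything else is listed bare with
    # its timestamps and hash on the following line, which is what to chase up.
    bamital = sections.get("Bamital & volsnap Check", [])
    for i, line in enumerate(bamital):
        if line.startswith("C:\\") and "MD5 is legit" not in line:
            detail = bamital[i + 1] if i + 1 < len(bamital) else ""
            findings.append(("md5_not_verified", "Bamital & volsnap Check", line + " | " + detail))
    return findings


# Constructed, abridged excerpt modeled on the FRST.txt posted above.
SAMPLE_LOG = r"""ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
==================== Registry (Whitelisted) ==================
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
==================== Drivers (Whitelisted) ====================
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-24] (Microsoft Corporation)
S2 5762; \??\C:\Users\Steve\AppData\Local\Temp\5762.sys [X]
S3 cpuz135; \??\C:\Users\Steve\AppData\Local\Temp\cpuz135\cpuz135_x32.sys [X]
==================== One Month Modified Files and Folders =======
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1089155279-2339593571-1851886300-1000\$1c92cf55fbb8c233387e4e2b6ed37bd6
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$1c92cf55fbb8c233387e4e2b6ed37bd6
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2011-07-01 15:13] - [2014-03-04 01:17] - 0850944 ____A (Microsoft Corporation) 1413D85A8B26A961AFA25A64E1FA0DA2
C:\Windows\System32\userinit.exe => MD5 is legit
==================== End Of Log ============================
"""

if __name__ == "__main__":
    for category, section, line in triage(SAMPLE_LOG):
        print(f"[{category}] ({section}) {line}")
```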



#6 xXToffeeXx
    Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 17 September 2014 - 10:54 AM

Hi ND_Fan,
 
I must give you this warning:
 
Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, steal critical system information, and download and execute files.
 
I highly suggest you disconnect this PC from the Internet immediately, and if possible use a clean computer and a flash drive to transfer the programs I request for you to run. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would be wise to contact those same financial institutions to notify them of your situation.
 
Due to the nature of this trojan, your computer is very likely to be compromised. There is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
 
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 
We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. If you decide to continue cleaning this machine, follow on with the rest of the steps posted below. If you do not want to clean this machine, please let me know.
 
--------------

We need to search for a file with FRST:

  • Double-click on FRST.exe/FRST64.exe on your desktop to open it, in the search box, type the following: User32.dll
  • Press the Search Files button, allow FRST to run
  • A log file Search.txt will appear when complete, please post this in your next reply

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Search.txt

xXToffeeXx~




#7 ND_Fan
  • Topic Starter
  • Members
  • 70 posts

Posted 17 September 2014 - 11:40 PM

xXToffeeXx --

Thanks for the reply and info.  Yikes, this does not look good.

I read the links to the articles you provided.  I can confirm that I do personal financial transactions on this machine, therefore I'm inclined to be conservative and reformat and re-install.  If you were in my situation, would you agree with that approach?

Also, would you or some other Bleeping Computer expert be willing to help support me through this resolution process?

I'm very concerned about this issue, and would appreciate your expert advice and support to please help me resolve this dangerous situation.

Please consider and advise on next steps.

Thanks,

ND_Fan



#8 xXToffeeXx
    Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 18 September 2014 - 02:21 PM

Hi ND_Fan,

I would probably reinstall to be on the safe side, unless there was a specific reason not to. Changing your passwords on a clean computer is something I definitely recommend however, no matter what you choose.

I would be willing to help you reinstall; the first thing to think about is what files you want to back up. Roughly how many files would this be and do you have enough room on a USB/external drive/CD?

xXToffeeXx~




#9 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,581 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 September 2014 - 04:41 PM

...I'm inclined to be conservative and reformat and re-install.  If you were in my situation, would you agree with that approach?

I agree with xXToffeeXx.

In fact, many experts in the security community believe that once infected with such malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS.

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#10 ND_Fan
  • Topic Starter
  • Members
  • 70 posts

Posted 19 September 2014 - 12:03 AM

xXToffeeXx and quietman7 -

Thanks for the replies and vote of confidence for the best course of action.

With your help, I'm ready to proceed with the re-format and re-install process.

I have an external drive, which already includes a back-up copy of my system and files from a few months back.  However, I'm uncertain if my back-up copy is also infected?  I would suspect it's clean, but is there a way for us to verify just to be sure?

In any event, I have access to a clean machine, and external drive, and ready to proceed with your detailed instructions.

Thanks!

ND_Fan



#11 xXToffeeXx
    Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 19 September 2014 - 10:08 AM

Hi ND_Fan,

Your backup is likely clean, but plug it into the clean machine and then run your antivirus on that computer. Anything malicious should be detected.

You have everything backed up you want, correct?

Do you currently have a Windows 7 disk?

xXToffeeXx~




#12 ND_Fan
  • Topic Starter
  • Members
  • 70 posts

Posted 21 September 2014 - 03:06 PM

Hi xXToffeeXx -

I ran Malwarebytes on my external drive, and it found and removed 3 objects.  Now it looks clean.

Unfortunately, when I looked at my back-up files on the external drive, I confirmed I do not have all the files I need backed-up from the infected machine.  There are still some important files I need to recover from the infected machine before I'm comfortable wiping out the infected hard-drive.  Given that, does that mean we need to proceed with cleaning the infected machine first, before we re-format and re-install?  If yes, can you please advise on those specific next steps?

Also, I've been looking all over the house, and unfortunately I cannot locate my Windows 7 disk (sigh).  I looked all over and I'm frustrated I cannot locate it.  If I cannot find it, what options do I have to proceed with the re-format and re-install?

(Sorry for all the negative info in my replies.  Feels like I'm not in a good spot here, and could really use the help.)

Thanks for your patience and understanding as you help me through this mess.

ND_Fan



#13 xXToffeeXx
    Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 22 September 2014 - 10:10 AM

Hi ND_Fan,

We can either clean the computer or back up from a Linux environment (will need a blank CD). I am okay with either, whatever you prefer.

No worries on the Windows CD, we can make a new one as long as you have a blank CD.

xXToffeeXx~




#14 ND_Fan
  • Topic Starter
  • Members
  • 70 posts

Posted 26 September 2014 - 04:48 PM

Hi xXToffeeXx --

Thanks for the reassurance I have options here.

I'm willing to try to clean the infected machine first, in an attempt to retrieve some of the remaining files I need to save to a clean external drive.  If successful, then we can proceed with the full re-format and re-install of the infected machine.  Sound like a plan?

I have plenty of blank CDs.  I'm ready to proceed.

Thanks,

ND_Fan



#15 xXToffeeXx
    Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 27 September 2014 - 11:52 AM

Hi ND_Fan,
 
Let's get on with the cleaning first and then we will make the disk afterwards. Once that is done, we can reformat and reinstall :)
 
--------------
 
On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive (if you already have FRST.exe saved on the USB then skip this step).
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========


Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • In the search box, type user32.dll
  • Press Search File(s) button.
  • It will make a log (Search.txt) on the flash drive. Please copy and paste it to your reply.

--------------

To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Search.txt log

xXToffeeXx~

