Oldie virus, Personal. Please Help. (Vista Ransomware)


7 replies to this topic

#1 BrianMaii

  • Members, 5 posts

Posted 22 June 2015 - 03:05 PM

Help, I'm having problems with my parents' Vista system. It was infected by a virus around 2012 (FBI, I believe) ransomware; at the time I was deployed overseas and couldn't help before their PC locked up. They lost all their data with no backups. I am wishing to recover all data if possible. So far I've started the system and looked at it... The entire computer is functional but slow; the programs that were on it are frozen and hidden. No icons or start bar. The desktop screen is black and the only thing that is on the screen is the mouse. I've entered the taskbar and was able to start a new task of explorer.exe, and that made the start bar and trash can appear, but that is about it. There were no programs, and it seems like the login is a user account (no access to computer functions, Devmgmt.msc, Compmgmt.msc, Event Log, Control Panel). CMD is accessible, and Task Manager. Processes that are running are csrss.exe, explorer.exe, rundll32.exe, taskmgr.exe and winlogon.exe. I know that's not enough information to give reasonable solutions, and I do believe I could do a system restore. But I would like to see if anybody here has had any success on recovering data or removing the virus before I restore.

 

 

Thank you; I appreciate any ideas or advice.


Edited by hamluis, 22 June 2015 - 03:13 PM.
Moved from Vista to Am I Infected - Hamluis.



#2 Guest_Wizizard_*

  • Guest

Posted 22 June 2015 - 03:25 PM

Hi Brian,

 

Since we're dealing with a serious ransomware virus and the possibility of restoring files, I would say more advanced help is required.

 

Please create a new topic in the Virus, Trojan, Spyware and Malware Removal Logs forum, where a qualified expert will be able to help.

 

Wizizard



#3 Sintharius

    Bleepin' Sniper
  • Members, 5,639 posts
  • Location: The Netherlands

Posted 22 June 2015 - 04:29 PM

Hello,

The FBI ransomware that you mentioned is a screenlocker ransomware, which means that it does not actually encrypt your data.

Do you see any ransom notes? Are there any extra extensions appended to the files?

You might want to look in My Documents for suspicious documents or pictures that crypto ransomware dropped.

#4 quietman7

    Bleepin' Janitor
  • Global Moderator, 51,609 posts
  • Location: Virginia, USA

Posted 22 June 2015 - 05:58 PM

We have self-help guides for removing common malware with step-by-step instructions: How to Remove FBI MoneyPak Ransomware
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 BrianMaii

  • Topic Starter
  • Members, 5 posts

Posted 28 July 2015 - 10:12 AM

Hello everybody, just giving an update, as I've been working on my parents' PC. Safe Mode is not accessible: when you try to use Safe Mode it logs in, then before you can see the desktop it reboots the computer and puts it back in the normal settings. CMD.exe through New Task in Task Manager was available, just not as an elevated command prompt.

 

Though Bleepin' Dark Ranger gave me an idea of it being a screenlocker (because I had no idea what that was), I slaved it to another PC and was able to access the data and view pictures, documents and other items. I ran Avast and Malwarebytes to clean the drive before I start transferring data. Any other ideas on what I could do?

 

After I retrieve the data I will reformat this drive and use it as a clone for another PC build.

 

I will follow up with the links on removal and will be back. 

 

ALSO: I was not able to see the message, if there was a message, because I was deployed at the time the infection began.


Edited by BrianMaii, 28 July 2015 - 10:15 AM.


#6 Sintharius

    Bleepin' Sniper
  • Members, 5,639 posts
  • Location: The Netherlands

Posted 28 July 2015 - 11:21 AM

A screenlocker ransomware is one that displays a message saying that you did something illegal and you must pay a fine, and you cannot get through that message by conventional means. In contrast, a crypto ransomware encrypts your data and leaves behind ransom notes - documents and/or pictures telling you that your files are encrypted and that you must pay a fee in Bitcoin to get your data back.

Good luck with the removal.
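The two checks Sintharius suggests in posts #3 and #6 (look for ransom notes and appended extensions, and confirm whether the data itself is intact, since a screenlocker leaves files untouched) can be run offline against the slaved drive from post #5. The script below is an added example, not code from this thread or from any of the tools it mentions; the magic-byte table, the ransom-note filename patterns, the entropy threshold, the Startup-folder listing and the sample directory tree are all assumptions made for illustration, and the sample tree is constructed inside the script so it runs anywhere. Point `triage()` at the mount point of the real drive to use it.

```python
"""Added example: offline triage of a slaved drive for crypto-ransomware signs.

Assumptions (hypothetical, for illustration): the victim drive is mounted
read-only under some path; MAGIC, NOTE_RE and ENTROPY_LIMIT are a small
illustrative subset, not a complete signature set.
"""
import math
import os
import re
import tempfile
from collections import Counter

# Well-known leading bytes for a few common user-data formats.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
}
# Filenames typical of ransom notes (assumed patterns, not an exhaustive list).
NOTE_RE = re.compile(r"(decrypt|how_to|recover|restore).*\.(txt|html?|hta)$", re.I)
# Per-user autostart folder on Vista and later; anything in it runs at logon.
STARTUP = os.path.join("AppData", "Roaming", "Microsoft", "Windows",
                       "Start Menu", "Programs", "Startup")
ENTROPY_LIMIT = 7.5  # bits per byte; documents sit far below, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str):
    """Return ('note' | 'suspect' | 'ok', reason) for one file."""
    name = os.path.basename(path)
    if NOTE_RE.search(name):
        return "note", "ransom-note-like filename"
    ext = os.path.splitext(name)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)
    expected = MAGIC.get(ext)
    if expected is not None:  # known format: the header must be there
        if head.startswith(expected):
            return "ok", ""
        return "suspect", f"header does not match {ext}"
    if shannon_entropy(head) > ENTROPY_LIMIT:  # unknown (appended?) extension
        return "suspect", f"high entropy with unrecognised extension {ext!r}"
    return "ok", ""


def triage(root: str) -> dict:
    """Walk `root` (the mounted victim drive) and collect indicators."""
    rep = {"files": 0, "extensions": Counter(), "suspect": [], "notes": [], "startup": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            rep["files"] += 1
            rep["extensions"][os.path.splitext(fn)[1].lower()] += 1
            if dirpath.endswith(STARTUP):  # autostart entries deserve a look
                rep["startup"].append(rel)
            status, why = classify_file(path)
            if status == "note":
                rep["notes"].append(rel)
            elif status == "suspect":
                rep["suspect"].append((rel, why))
    return rep


def verdict(rep: dict) -> str:
    """A screenlocker leaves data intact; crypto ransomware leaves notes and ciphertext."""
    if rep["notes"] or rep["suspect"]:
        return "crypto-ransomware indicators present: do not wipe before recovery"
    return "no encryption indicators: consistent with a screenlocker"


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_drive(encrypted: bool = False) -> str:
    """Constructed stand-in for the slaved drive; encrypted=True adds crypto signs."""
    root = tempfile.mkdtemp(prefix="victim_")
    docs = os.path.join("Users", "parent", "Documents")
    # deterministic stand-in for ciphertext: a byte permutation repeated 16 times
    noise = bytes((i * 131 + 7) % 256 for i in range(4096))
    _write(root, os.path.join(docs, "holiday.jpg"), b"\xff\xd8\xff\xe0" + b"\x00" * 200)
    _write(root, os.path.join(docs, "taxes.pdf"), b"%PDF-1.4\n" + b"x" * 200)
    _write(root, os.path.join(docs, "letter.txt"), b"Dear Brian, the PC is stuck again.")
    # constructed autostart entry (a shortcut header only), not a real sample
    _write(root, os.path.join("Users", "parent", STARTUP, "locker.lnk"), b"L\x00\x00\x00")
    if encrypted:
        _write(root, os.path.join(docs, "holiday.jpg"), noise)          # overwritten in place
        _write(root, os.path.join(docs, "report.docx.locked"), noise)   # appended extension
        _write(root, os.path.join(docs, "HOW_TO_DECRYPT_FILES.txt"), b"Pay in Bitcoin")
    return root


if __name__ == "__main__":
    for enc in (False, True):
        r = triage(build_sample_drive(enc))
        print(verdict(r), r["suspect"], r["notes"], r["startup"], sep="\n  ")
```

The header check is the decisive one: a screenlocker only blocks the desktop, so a JPEG still starts with `FF D8 FF` and a PDF with `%PDF-`, whereas a crypto ransomware replaces the body with ciphertext (and usually renames the file). The entropy test catches renamed files whose original type is no longer visible, and the extension histogram makes any appended extension stand out. Mount the drive read-only before running this, so triage does not alter timestamps that may matter later.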

#7 BrianMaii

  • Topic Starter
  • Members, 5 posts

Posted 28 July 2015 - 12:10 PM

Yep, it is a screenlocker. After the scans, the PC was infected with Win64:Reveton-A and JS:Tracur-C along with several other Trojans. I do believe it was removed, but I would like some other ideas to make sure it was removed. Should I still run HitmanPro on boot? Appreciate the clarity on the screen- and crypto-locker, Dark Ranger.



#8 Sintharius

    Bleepin' Sniper
  • Members, 5,639 posts
  • Location: The Netherlands

Posted 28 July 2015 - 12:13 PM

Reveton is one of the more common screenlocker ransomware families out there.

You can run other scanners to make sure that it is clean.

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • When the scan is completed click Quarantine selected objects. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop and post the contents in your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
===

Malwarebytes Anti-Malware

Download Malwarebytes Anti-Malware from here.

Double click on the file mbam-setup-2.x.x.xxxx.exe to install the application. (x.x.xxxx is the version)
  • Follow the prompts. At the end place a checkmark in Launch Malwarebytes Anti-Malware, then choose Finish.
  • When MBAM opens it will say Your database is out of date. Choose Fix Now.
  • Click on the Scan tab at the top of the window, choose Threat Scan, then Scan Now.
  • If you receive a message that updates are available, choose Update Now button (the scan will start after updates are completed).
  • Please be patient as the scan will take some time.
  • If MBAM detected threats, choose Quarantine for all items, then click Apply Actions.
  • While still on the Scan tab, choose View detailed log. In the window that opens, click the Export button, choose Text file (*.txt) and save the log to your Desktop.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


===

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Regards,
Alex



