XP & Trojan.Win32.Safis.eixw & ransomware lock


  • This topic is locked
5 replies to this topic

#1 trinitas

trinitas

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:10 AM

Posted 03 December 2015 - 06:53 PM

On 11-19 a ransomware screen popped up and locked the XP machine (SP3). I immediately tried to reboot and it would then, without hesitation, show the lock screen again.

 

Next tried safemode boot and it just loops back to the selection menu and starts regular windows boot as default.

 

Then got updated version of Kaspersky Rescue 10 and boot it from CD drive, scanned and the result was:

 

Trojan.Win32.Sasfis.eixw      object:    sda2/windows/servicepackfiles/i386/rpct.dll

 

Kaspersky could not delete or quarantine due to permissions being read only by owner. This seems to be the case with every file now. Not encrypted, just hijacked.

 

Could not do all of the prelim scans etc. as requested for new topic due to boot loop and lock.

 

Could the ransom and Sasfis be one and the same, or are there two issues?

 

I have other machines so I just left it until now, when I could come back and work on it.

 

Also there does not seem to be any encryption, as the file extensions remain unchanged and I can preview the jpegs while running the Kaspersky disk.

 

Any suggestions?

 

Thanks,

 

Trinitas

 

 

 





#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,587 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:08:10 AM

Posted 08 December 2015 - 02:47 PM

Greetings Trinitas and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please run the following for me.

===================================================

Kaspersky WindowsUnlocker Using a CD

--------------

To complete this process you will need a USB device and a blank CD.
  • Insert the Kaspersky Rescue Disk and your USB device into the infected computer
  • Reboot the infected computer
  • As the computer boots up gently tap F12 and choose to boot from CD/DVD (or something similar) (you may need to tap a different key like Del, Esc, F2.....)
  • When the Kaspersky Rescue Disk screen appears press any key within 10 seconds

krd_4470_2_en.png

  • Press Enter on English which should be highlighted by default
  • Press 1 to accept the agreement
  • Press Enter on Kaspersky Rescue Disk. Graphic Mode which should be highlighted by default
  • Once the program loads click Exit on the Scan your computer screen, then click Yes on the warning pop up window
  • Click the krd_8005_03_1_en.png button in the bottom left hand corner of the screen
  • Select Terminal
  • At the command prompt type windowsunlocker and press Enter

krd_8004_01_en-1.png

  • On the root: windowsunlocker screen press 1 (Unlock Windows) and press Enter

krd_8005_05_en.png

  • The program will clean the registry and display the results in the window

krd_8005_06_en.png

  • Now press 2 (Save boot sector copies) and press Enter

krd_8005_07_en.png

  • Type 0 then press Enter
  • If the window does not close type Exit and press Enter
  • On the desktop double click File manager
  • Click on Custom Path located just above the C: folder
  • Double click the Var folder
  • Double click the kl folder
  • Make sure the WUnlocker 1.0 file is present

krd_8004_04_en.png

  • Close the window
  • Click the krd_8005_03_1_en.png button in the bottom left hand corner of the screen
  • Select Shutdown then click Yes
  • Remove the USB device and attempt to boot your computer into Normal Mode
===================================================

Things I would like to see in your next reply. :thumbsup2:
  • Did your computer successfully boot?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 trinitas

trinitas
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:10 AM

Posted 10 December 2015 - 03:49 PM

Thanks for all of this info and the procedure. I will do this before this weekend is out and get you the results.

 

I will begin checking the forum daily from here on out, but, as I have said, it may take a couple of days to get back to you.

 

Again, thanks so much for the reply!



#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,587 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:08:10 AM

Posted 10 December 2015 - 03:59 PM

Thanks for touching base. No worries, post when you get a chance.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,587 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:08:10 AM

Posted 14 December 2015 - 10:37 AM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,587 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:08:10 AM

Posted 16 December 2015 - 11:48 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."



