
[FIXED] Mandiant USA Cyber Security ransomware

Hi all,

New here and looking for some help.

I picked up the USA Cyber Security ransomware on a laptop running 64-bit Windows 7 Home Premium.

When I try to start up in Safe Mode with Networking, it appears as if on track to move into Safe Mode but suddenly shuts down and restarts. 

The only thing I can get access to is Safe Mode with Command Prompt which, honestly, I don't have much knowledge of.

I am hopeful in picking up some help and direction from someone here.

In looking at some of the other threads here, I was prompted to read the guidelines.  I am good with them.

Thanks in advance.

Hopkins

Replies


Re: [FIXED] Mandiant USA Cyber Security ransomware

[Instructions are for the thread starters system only, Not another users system]

Please read http://community.norton.com/t5/Malware-Discussion/Malware-Discussion-Board-Guidelines/td-p/961409

This is to make sure the user has seen the Guidelines before starting.  

Even other malware removal forums state things like:

"you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.
From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean."

Users have to realise these tools can cause problems anyway, and if instructions are not followed, bigger problems can occur: deleting something that shouldn't be deleted, the program causing the system to freeze, the program jamming during the restart, etc. So we give instructions so that the tools are in the correct location (so we also know where they are), settings are given so that items won't be automatically deleted, and other programs are disabled so things can be done without detection or conflict.

When the user follows instructions and things still go a little haywire, and it does happen, it is up to us to sort the extra problem out.

Confirm you have read the guidelines etc. in a reply.

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Yes, I have read the guidelines and agree to follow all directions.

Thanks again.

Hopkins


Re: [FIXED] Mandiant USA Cyber Security ransomware

Does your system have more than one account you can log into?

For instance,

Account "kids" is infected.

Account "parents" loads to desktop, not affected by the ransomware.

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Hi,

No, unfortunately there is only one account.


Re: [FIXED] Mandiant USA Cyber Security ransomware

You need to have a Flash Drive.

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Hi Quads,

Ready to go with a flash drive

Hopkins


Re: [FIXED] Mandiant USA Cyber Security ransomware

64-bit Windows 7


Read Slowly and all of it to make sure you select the correct options below.

Please download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/   You need to download the 64-bit version.


Transfer it on to the flash drive. Plug the flash drive into the infected system.

 

Now that you have Safe Mode with Command Prompt available, there are two ways we could do this; one is easier for you than the other, but more work at my end with scripting.

Not a rootkit or bootkit, so let's try this way first.

Once you have loaded Safe Mode with Command Prompt, in the CMD window type

explorer.exe and press Enter.

Does the taskbar etc. load OK?

Quads
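
Added example, not part of the thread and not a script Quads posted: once explorer.exe has been started by hand from Safe Mode with Command Prompt, the next thing a helper wants is a read-only look at the autostart locations a screen-locker normally hijacks so that it comes up instead of (or alongside) the desktop at a normal boot. The registry paths are real Windows locations; the "expected" default values, the file name autostart-check.ps1 and the E:\ drive letter for the flash drive are my assumptions. The script changes nothing; it only prints what it finds.

```powershell
# Added example, not from the thread: read-only triage of the autostart
# locations a screen-locker typically hijacks so that it, rather than the
# normal desktop, comes up at logon. Nothing is changed; it only prints.
# Run it from the Safe Mode with Command Prompt session by typing
#   powershell -ExecutionPolicy Bypass -File E:\autostart-check.ps1
# (E:\ is the flash drive in this thread; the file name is my choice).
# The "expected" values are the Windows 7 defaults and are an assumption,
# not something the thread states.

$winlogon = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expected = 'explorer.exe' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Expected = 'C:\Windows\system32\userinit.exe,' },
    # A per-user Shell value should not exist at all; lockers add one here
    # because it overrides the machine-wide value for that account only.
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expected = $null }
)

foreach ($c in $winlogon) {
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $c.Expected) {
        if ($null -ne $value) { Write-Output "SUSPECT $($c.Path)\$($c.Name) = '$value' (per-user Shell override)" }
        else                  { Write-Output "ok      $($c.Path)\$($c.Name) not set" }
    } elseif ($value -ne $c.Expected) {
        Write-Output "SUSPECT $($c.Path)\$($c.Name) = '$value' (expected '$($c.Expected)')"
    } else {
        Write-Output "ok      $($c.Path)\$($c.Name) = '$value'"
    }
}

# Run / RunOnce entries for the machine and the logged-on user. Every value
# is listed; entries that launch from a user-writable folder are flagged so
# that a random-named executable in %AppData% or %Temp% stands out.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object {
            $flag = if ($_.Value -match '\\(AppData|Temp|ProgramData)\\') { 'CHECK  ' } else { '       ' }
            Write-Output "$flag $k : $($_.Name) = $($_.Value)"
        }
}
```

Copy the output into the reply rather than acting on it: a SUSPECT or CHECK line is a lead for the helper, not an instruction to delete anything, which is exactly the point of the guidelines quoted earlier in the thread.
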

 


Re: [FIXED] Mandiant USA Cyber Security ransomware

Quads,

Please help me confirm the correct path to take here prior to doing something silly and idiotic.

While I said I was using 64-bit W7 and downloaded the 64-bit file as directed, when I booted into Safe Mode with Command Prompt, the command line shows:

c:\windows\system32

Does this indicate 32 bit W7 ?

If so, my apologies.  I have not initiated any actions whatsoever.  Please direct me.


Re: [FIXED] Mandiant USA Cyber Security ransomware

Maybe not; that is just the path it has when CMD is run as Administrator.

At the end of \system32> type explorer.exe and then press Enter. Another way of stating it: in the Windows Command Prompt, type explorer.exe and then press Enter on your keyboard.

So it looks like,

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>Explorer.exe

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Taskbar with icons is up and running


Re: [FIXED] Mandiant USA Cyber Security ransomware

Go into your flash drive and start FRST64.exe; this is where we will tell if we have the wrong version.

The tool will start to run.

When the tool opens click Yes to the disclaimer. It may not do this.

Press the Scan button and just wait for the scan to finish.

It will make a log (FRST.txt) on the flash drive.

Attach the log back here in a message.

 

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Quads,

Here is the log.

File Attachment: 

Re: [FIXED] Mandiant USA Cyber Security ransomware

You are rooted also, with two variants of ZeroAccess, which is better handled using the other way, but I will try this way. You have PUPs also, but we'll deal with them later.

Download the script attached; it needs to have the same file name as well (fixlist.txt). Copy it across to the flash drive, so that fixlist.txt is next to FRST64.exe on the flash drive.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Start FRST like before and it will start to run again.

When the tool opens click Yes to the disclaimer, if it does.

This time press the Fix button just once and wait. FRST will use my script to do as I ask.

The tool will make a log on the flash drive (Fixlog.txt); please post it to your reply (attach).

Quads

[Removed the script so others trying the instructions against the warnings can't use it]

Edited by Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Quads,

Silly question: in order to get the fixlist.txt file next to the FRST64.exe file, is it acceptable to delete the other two .txt files on the flash drive?

Also, I would assume the system is 64 bit?

Thanks for indulging.  Just want to do this correctly.

Hopkins


Re: [FIXED] Mandiant USA Cyber Security ransomware

Yes it is 64-bit (Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)).

As long as the fixlist.txt is in the same location as FRST64.exe it will find it. In your case your flash drive is seen as the E:\ drive.

So as long as you have E:\FRST64.exe and E:\fixlist.txt (same location) it will work.

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Thanks for clearing up the questions.

Here is the log

File Attachment: 

Re: [FIXED] Mandiant USA Cyber Security ransomware

Now if you boot Windows normally, like you would every day, your desktop should load without the ransomware loading too.

We still have to deal with the rest of what ZeroAccess does and PUPs, plus whatever else is found later on.

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Quads,

You certainly know of which you speak.

Normal type desktop showing.


Re: [FIXED] Mandiant USA Cyber Security ransomware

Download the attached .txt files, and remove the .txt extension so that the files end in .reg (so from ZAfix1.reg.txt to ZAfix1.reg).

Then click to run the files; the system should ask if you want the data added to the registry, answer = yes. A confirmation message should then appear saying that the data has been added.

The other way is to right click the file and choose "Open With" from the menu, and you should see Registry Editor as an option to choose.

After the data has been added, restart the system.  

Quads

File Attachment: 

Re: [FIXED] Mandiant USA Cyber Security ransomware

Another goofy question:

Can I download the files using the system we've been working on since it booted to the desktop or should I continue to use the secondary PC / flash drive?


Re: [FIXED] Mandiant USA Cyber Security ransomware

You can stay on the system we are working on.

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Mr. Q,

Finally got the files saved as .reg

Went through the screens, clicked 'yes' when the Registry Editor asked.

I got (for ZAfix1 and ZAfix2): Cannot import ZAfix1 (and 2).reg: Not all data was successfully written to the registry. Some keys are open by the system or other processes.

I have not done anything further.

Hopkins


Re: [FIXED] Mandiant USA Cyber Security ransomware

That's OK, restart the system.

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

OK.  Up and running on a restart.


Re: [FIXED] Mandiant USA Cyber Security ransomware

The Bin variant, so time to check the services.

Download FSS to your desktop: http://www.bleepingcomputer.com/download/farbar-service-scanner/

Run FSS.exe (disable Norton if need be), tick all the boxes before running the scan and post back a log.

Quads
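
Added example, not part of the thread and not the FSS tool itself: a read-only check of the kind FSS performs on the Windows services whose registry keys ZeroAccess variants are known to delete. The thread only says "check the services" and the FSS log it attaches is not reproduced here, so which services to list is my assumption, as is running it after the .reg import and reboot rather than before. It prints findings and changes nothing.

```powershell
# Added example, not from the thread and not the FSS tool itself: a read-only
# check of the Windows services whose registry keys ZeroAccess variants are
# known to delete, which is what FSS reports on. Which services to list is
# my assumption; the thread only says "check the services". Run it from an
# elevated PowerShell after the .reg import and reboot.

$services = @(
    @{ Name = 'MpsSvc';      Label = 'Windows Firewall' },
    @{ Name = 'BFE';         Label = 'Base Filtering Engine' },
    @{ Name = 'wscsvc';      Label = 'Security Center' },
    @{ Name = 'wuauserv';    Label = 'Windows Update' },
    @{ Name = 'BITS';        Label = 'Background Intelligent Transfer Service' },
    @{ Name = 'WinDefend';   Label = 'Windows Defender' },
    @{ Name = 'iphlpsvc';    Label = 'IP Helper' },
    @{ Name = 'EventSystem'; Label = 'COM+ Event System' }
)

foreach ($s in $services) {
    # 1. Is the service key still there? When the whole key has been
    #    deleted the service does not show as "Stopped", it is simply gone.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)"
    if (-not (Test-Path $key)) {
        Write-Output "MISSING $($s.Label) ($($s.Name)): service key deleted"
        continue
    }
    $reg = Get-ItemProperty -Path $key
    $imagePath = [string]$reg.ImagePath
    if ($imagePath -eq '') {
        Write-Output "CHECK   $($s.Label) ($($s.Name)): key present but ImagePath value missing"
        continue
    }

    # 2. Does the binary the key points to still exist on disk? Strip a
    #    quoted path or the "-k group" arguments down to the .exe itself.
    $exe = $imagePath -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $onDisk = Test-Path $exe

    # 3. What does the Service Control Manager say? Start=4 means Disabled.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$($s.Name)'"
    $scm = if ($svc) { "$($svc.StartMode)/$($svc.State)" } else { 'not registered with SCM' }

    $flag = if (-not $onDisk -or $reg.Start -eq 4 -or $null -eq $svc) { 'CHECK  ' } else { 'ok     ' }
    Write-Output "$flag $($s.Label) ($($s.Name)): Start=$($reg.Start) $scm ImagePath=$exe exists=$onDisk"
}
```

A MISSING line after the reboot means the .reg import did not recreate that key, which is a different situation from the "Some keys are open by the system" message seen during the import (that message is about values the running service already held open, and a restart resolves it). A CHECK line with exists=False means the key was restored but the service binary itself is gone, which a registry fix alone cannot put back.
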


Re: [FIXED] Mandiant USA Cyber Security ransomware

Quads,

Here you are.

File Attachment: 

Re: [FIXED] Mandiant USA Cyber Security ransomware

That is all good.

This is a very powerful tool, so

Please read carefully; read all of this message first.

Download Combofix http://www.bleepingcomputer.com/download/anti-virus/combofix  

  • Ensure that Combofix is saved directly to the Desktop <--- Very important (not in the Download(s) or Temp folders)
  • Disable all security programs as they will have a negative effect on Combofix; disable them for, say, 1 hour or more, not with the "until the next restart" option.
  • Close any open browsers and any other programs you might have running

Right click the combofix.exe on the desktop and select from the menu "Run as Administrator"

  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

*EXTRA NOTES*

  • If Combofix detects any rootkit/bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Quads,

Combofix did its thing.  Here is the txt file.

File Attachment: 

Re: [FIXED] Mandiant USA Cyber Security ransomware

That should be ZeroAccess dealt with. Now the PUPs.

Read carefully.

Download Adwcleaner http://general-changelog-team.fr/fr/downloads/view.download/2 (the green arrow) on to your desktop like OTL and run a scan (Search button). It will create a log after.

ONE SCAN ONLY

Attach the log back here.

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Quads,

Adware log

File Attachment: 

Re: [FIXED] Mandiant USA Cyber Security ransomware

I have checked the log. This time start Adwcleaner and click the Delete button; the PC will be restarted at the end.

Once only.

Adwcleaner will create a new log, Adwcleaner[S1].txt, to attach back.

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Quads,

Adwcleaner log

File Attachment: 

Re: [FIXED] Mandiant USA Cyber Security ransomware

Download this and run it on the desktop: http://www.bleepingcomputer.com/download/junkware-removal-tool/

It will create a log after, called JRT.txt.

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Here you are, sir.

Can JRT and Adwcleaner be used on a regular basis without ill effects on a system by a guy like me?

File Attachment: 

Re: [FIXED] Mandiant USA Cyber Security ransomware

Not really, as they can list legit items.

On with step 4, complete system check and cleanup.

Please read carefully and slowly. Notice all the settings listed below to check before starting the scan.

Take note of the NO tick in the Remove found threats setting below.

 

 

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the  button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on  to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the  icon on your desktop.
  • Check 
  • Click the  button.
  • Accept any security warnings from your browser.
  • Under scan settings, check  and DON'T (NO) check Remove found threats (the reason for this is we don't want something deleted and then Windows won't load).
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Attach the resulting log in your next reply


The scanner screen gives me the option of downloading the results to a .txt file as part of the options after the scan has finished. [Screenshot of part of the finished scan dialog box by ESET showing the options.]

 


 

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Quads,

That took a little while to get done.

Here is the log.

File Attachment: 

Re: [FIXED] Mandiant USA Cyber Security ransomware

Now we just have to clean up all the items, folders and programs used, all placed into one folder.

Download OTL http://www.bleepingcomputer.com/download/otl/ on to the Desktop.

Click on the blue "Download Now @ Author's Site" button on the download page.

 

Disable Norton / Symantec for, say, 30 mins.

Start OTL,  (Right click and from the menu choose "Run as Administrator")

Click the Scan All Users checkbox.

Change file age to 60 days

 

Press the 

An OTL.txt and Extras.txt will be created, to attach back in a post.

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Quads,

Here you are!

File Attachment: 

Re: [FIXED] Mandiant USA Cyber Security ransomware

OK, start Adwcleaner and click Uninstall; uninstall ESET Online Scanner V3 listed in Control Panel - Programs; and just delete JRT.exe.

 

I just have to use the ESET  and OTL logs to create a script to clean this all up using OTL.

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Completed.  OTL is left on the desktop.


Re: [FIXED] Mandiant USA Cyber Security ransomware

Disable Norton for, say, 30 minutes or more.

Start OTL (like before); under   copy and paste the custom script attached, which you open in, for instance, Notepad (include the : at the start of :OTL and all the way to the end / bottom), and run the script (red Run Fix button).

The output log (opens with Notepad) should be placed in the C:\_OTL\MovedFiles folder after, to attach back here.

Quads

File Attachment: 

Re: [FIXED] Mandiant USA Cyber Security ransomware

Quads,

Here is the output file from your script.

Hopkins

File Attachment: 

Re: [FIXED] Mandiant USA Cyber Security ransomware

How is your system running now?

All going well, one more step.

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Running like a Swiss watch


Re: [FIXED] Mandiant USA Cyber Security ransomware

Disable Norton.

Start OTL again, but this time click the black CleanUp button, then make sure the C:\_OTL folder is deleted.

After that you are free to go on your merry way. You are now fixed / solved.

 

 

Quads


Re: [FIXED] Mandiant USA Cyber Security ransomware

Will do.  Before I go, I want to thank you for the time, energy, effort, etc.  If we were to ever meet up, I'd likely buy you more than a few beverages if you were so inclined.

Thanks again

Hopkins


Re: [FIXED] Mandiant USA Cyber Security ransomware

No Problem

Thread will be locked in a couple of hours; system is now fixed.

Quads
