I'm hoping to remove a ransomware virus from a computer at our office. The machine gave the user some kind of "You have violated US law" message. The machine was then powered off manually. At this point the machine will boot, but shortly after loading, the entire screen is greyed out and nothing can be done. The odd thing is that there are no more ransom demands, it just stays grey. So I have no idea what this bug even is.
Windows XP SP3
Running NIS 2012
I've tried booting into safe mode, but I get a BSOD that says I need to verify the integrity of my hard drive (/chkdsk) and, if that does not work, that I may have a virus.
I've tried the Norton Power Eraser, but because the bug seems to have messed up my networking, the box to "Scan for Risks" is not active.
I also loaded the Norton Bootable Recovery Tool and used it to scan the machine, but nothing was found.
Any suggestions on what this virus might be, how to remove it, and whether I need to be on the lookout for it jumping to other machines on our network?
I used the Norton Bootable Recovery Tool on a different machine to create a boot disk. Also on the other machine, I downloaded NPE.exe and created another CD with NPE on it. I booted the infected machine from the NBRT disc, which gave me the option to open a command prompt. I swapped in the CD with NPE on it and ran it from the command prompt.
ANY user other than the thread starter is not to use any of these instructions, scripts or procedures. The work in cleaning a system is individual and only for that system, due to a number of factors.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine; running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Do as the instructions ask, nothing extra, and do not run things twice.
If I ask a question, just answer it; don't run anything unless the instructions say to.
Major steps used:
1. Find
2. Break
3. Destroy
4. Cleanup (including system as a whole)
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines; these entries identify an individual issue or an important step in the cleanup process.
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums (sometimes).
Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
Please download OTLPEnet from hxxp://oldtimer.geekstogo.com/OTLPENet.exe to your desktop (change the xx to tt) (file size approx. 120.9 MB).
When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
Reboot your system using the boot CD you just created. Note: If you do not know how to set your computer to boot from CD, follow the steps here.
Your system should now display a REATOGO-X-PE desktop. Depending on your system hardware, it can take a long time to load the CD.
Double-click on the OTLPE icon.
Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
OTL should now start.
Change Services, Drivers, Standard and Extra Registry to All
Press Run Scan to start the scan.
When finished, the file will be saved as C:\OTL.txt.
Copy this file to your USB drive if you do not have an internet connection on this system.
Please post the contents of the OTL.txt file in your reply.
Depending on your type of internet connection, you may be able to get online as well so you can access this forum easily.
Thanks again for the reply Quads. Since I cannot access anything in Windows on the infected computer, I am planning to download the OTLPENet.exe on another computer (Windows 7 instead of XP) and will run it on that other computer to create the boot disc. Is this OK? I have access to other XP machines if necessary. Also I will not be able to complete this tonight, but will tackle it first thing in the morning tomorrow. I gave up on it earlier tonight after spending several hours on it and came home to get some dinner and sleep. I appreciate your help with this and will post a reply as soon as I am able to. Dale
It is OK, as long as it is a PC that can burn CDs.
Then you will have a bootable CD. XP machines just make things a little tougher nowadays, as they don't have the Repair options on boot that Vista and Win 7 have for the use of FRST.
Remove the hard drive from the infected computer and connect it to another PC. Then run Norton AntiVirus or ... use a big weapon - ComboFix.
OTL is for women, real men use ComboFix.
Yeah right. The number of users that use Combofix or other tools and end up with Windows problems, then require us to try and repair the problem, shows that you do not jump in with advanced tools; one user used a bootkit remover and the problem is still not fixed after something like 18 pages, due to using the tool.
I also see problems where people take out a hard drive without the likes of antistatic gear. Companies don't cover warranties when the correct gear was not used.
Due to the fact it is an old version of OTL on the boot CD, all I want to do is break the ransom, so we have Normal Mode available when booting Windows on the hard drive.
Start OTL (OTLPE, using the CD), then copy and paste the custom script attached, which you can open in, for instance, Notepad (include the : at the start of :OTL and all the way to the end/bottom), and run the script (red Run Fix button).
The output log should be placed in the C:\_OTL folder afterwards.
That fix seems to have worked, allowing me to boot into Windows in normal mode. I am attaching the log if you need it. It is located in c:\_OTL\Moved Files and there is a 10525012_021757 folder in there as well with two files that seem to have been moved (irb700.exe and security.exe). What is the next step?
Please read carefully. Read all of this message first.
Already Downloaded.
Ensure that Combofix is saved directly to the Desktop <--- Very important (not in the Download(s) or Temp folders).
Disable all security programs, as they will have a negative effect on Combofix; disable them for, say, 1 hour or more.
Close any open browsers and any other programs you might have running.
Right click the combofix.exe on the desktop and select "Run as Administrator" from the menu.
If you are using Windows XP, it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed, Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.
****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze.****
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security.
*EXTRA NOTES*
If Combofix detects any rootkit/bootkit activity on your system, it will give a warning and prompt for a reboot; you must allow it to do so.
If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).
Double click on TDSSKiller.exe to run the application.
Open the Change Parameters option and select "Detect TDLFS file system".
Click OK
Then click on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue. If a suspicious file is detected, the default action will be Skip, click on Continue.
Look for the file system detection.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste it into Notepad and attach it back here. If a reboot is required, the report can also be found in your root directory (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please attach the log in the post back.