Russian Ransomware Trojan! HELP, please!

#1 theresact (New Member, 8 posts)
Hi, I really need to know what's going on, and I cannot find any info on this virus/malware anywhere. It is very similar to Trojan.Ransomlock, a Russian ransomware (http://www.symantec....nsomware-threat) which orders the owner of the computer to send money to a number to unlock their Windows. Mine is slightly different as there are TWO codes/numbers to fill in instead of one. I took time to translate it but it just says the same as Trojan.Ransomlock. I have listed below the Russian text along with pictures I took with my camera of the screen, considering I cannot use any program with this on my comp. Help please?? I am trying to fix it before I have to spend $90 on virus repair, so... if ANYONE can help, I really need it!
Theresa


This is what the screen reads in Russian blocking my access to Windows:

An unlicensed copy of Windows is installed!

To activate it, you must send an SMS with the text

CASH

to the number

7122

Received code:

(insert code?)

Mobile phone number:

+7xxxxxxxxxx

Attention! Enter the mobile phone number from which the SMS was sent, otherwise activation will not complete successfully!


After you press the "Confirm" button, our robot will automatically verify the payment and activate your copy of Windows.



OK, well, apparently I can't upload this picture, but the screen looks just like the one in the link for Trojan.Ransomlock, except that it takes up the whole screen instead of just a portion of it.

Edited by Transience, 21 July 2009 - 04:19 PM.



#2 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Hi theresact and welcome to Geeks to Go. I'm Dave and I'll be helping you out.

First let me ask you a couple questions -

When does this screen appear? Is it immediately upon bootup, or are you able to log in? If you can let me know what triggers its appearance that will help a lot.

Are you still able to perform any tasks with the computer or does the screen stop you from doing anything? Does it occur when you attempt to boot into safe mode? Are you posting from a different computer or can you still access the internet on the infected one?

Just answer my questions for now and we'll go from there.

Cheers,
Dave

#3 theresact (Topic Starter)
Hi Dave! Well, let me take a look to give you specifics:

There is no log-in screen anymore; it simply goes to my desktop for me.
The desktop shows first, then icons, then McAfee starts to load, and then bam, within a minute or so, the big blue screen appears blocking me from seeing any other window or using any other program.

Yes, I have tried safe mode (F8, right? If I am wrong let me know and I'll try again!)

And I am posting this from another computer because the infected one is not allowing me to access.

I'm thinking maybe there's something I can do either in the minute before the blue screen appears, or during the start up of the comp, even though it seems to be either skipping steps, or just not showing steps of start up that it normally does.

I really hope this helps and isn't just nonsense. Thank you so much.

#4 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
First a couple basic things you can try: Boot up and open another program, doesn't matter which, something like notepad is fine. When the blue screen appears try pressing Alt+F4 which might work to close it. If that doesn't work, try pressing Ctrl+Alt+Delete and see if you can access the task manager, this should allow you to at least minimize the screen and see your desktop, and potentially end the process that is creating it using the task manager. Finally, also try pressing Alt+Tab which will switch to the other window you have open, that could also work to minimize the blue screen.

If any of these work for you and you're able to navigate your desktop normally for a reasonable amount of time, give this a shot:

1. ComboFix

Please download ComboFix from here and save it to your desktop.

Visit this webpage for instructions on how to properly run the tool:

http://www.bleepingc...to-use-combofix

Please download ComboFix from one of the links at that site and save it directly to your desktop. Be sure that you read ALL of the instructions on that page very carefully before proceeding and follow them closely. Of particular importance is remembering to disable all your protection programs before running ComboFix because this will help to ensure a smooth run. If you need further help figuring out how to disable a specific program look here. Installing the recovery console if you're running an XP machine is another critical step not to be skipped over. By following the instructions at that site closely, you give ComboFix the best chance at a successful run and minimize the likelihood of having potentially serious problems occur after an attempted removal of malware.

Once the program has finished running its log will pop up automatically in notepad and save itself to C:\ComboFix.txt. Please include the complete contents of that log in your next reply.

Let me know if you have any success with this in your next reply.

Cheers,
Dave

Edited by Transience, 14 July 2009 - 01:38 PM.


#5 theresact (Topic Starter)
I guess I forgot to mention that Ctrl+Alt+Del has not worked, and neither has Tab+Alt; those are the only things that usually help me get out of a window I don't want open.
Let me try...
So I tried Alt+F4, which hasn't done anything after I opened WordPad b/c it was the most accessible. The blue screen seems to just flash when I use buttons to try to get away from it....

#6 theresact (Topic Starter)
so I guess there is only a portion of a minute available to do anything before the screen pops up :)

Edited by theresact, 14 July 2009 - 05:46 PM.


#7 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Alright so the source of that blue screen is actually one very simple registry setting which we're going to try to fix. The best possible way of doing this would be to create the .reg file per the instructions below on a different computer and then transfer it to the desktop of the infected PC by some removable storage (CD, USB drive, etc.) and then run it from there. If it takes you multiple boots to get the file onto the infected PC and then to run it by whatever means you can that's fine, don't worry about it.

1. Registry Fixes

We're going to use a registry file to make some changes to your registry. Please copy the complete contents of the box below to a new notepad file (Start > Programs > Accessories > Notepad). Ensure that the code in notepad looks exactly as it does in the box, with no blank lines before the first line of text. Please click on File > Save. In the Save as type: box click the drop-down menu and change the save as type to All files. Then please save the file to your desktop, naming it fix.reg (this name is important and should not be changed).

REGEDIT4

; Backslashes inside a quoted value must be doubled, or regedit will not import the path correctly.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\System32\\userinit.exe,"

Now please doubleclick on fix.reg. Your computer will ask you if you are sure you would like to merge this file with the registry, click Yes. The registry fix will then be imported into your registry.

It may be that the screen is gone now. If you still get the screen after importing that reg fix, reboot your PC into normal mode and let me know if it still happens. If the screen is indeed gone, please do this for me:

2. OTM

Please download OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    %Temp%\don*.tmp
    
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, navigate to the open C:\_OTMoveIt\MovedFiles folder. Open the newest .log file present in notepad and post its contents in your next reply.

Let me know how everything went once you've given that a try.

Cheers,
Dave

Edited by Transience, 14 July 2009 - 08:09 PM.
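
As an added example (not code from this thread, nor from ComboFix or OTM's authors), the check below parses a REGEDIT4 file the way regedit reads it, with doubled backslashes inside quoted values, and tests whether a Winlogon Userinit value still lists only the legitimate userinit.exe. The key path and the fix.reg contents come from the post above; the sample hijacked value in the test is constructed.

```python
import re

# Key from the fix.reg above; Windows' default value is a single userinit.exe entry.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LEGIT_USERINIT = re.compile(r"(?i)^[a-z]:\\windows\\system32\\userinit\.exe$")

# Constructed copy of the fix.reg contents. Inside a quoted value regedit treats "\"
# as an escape character, so the path's backslashes are written doubled.
FIX_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\System32\\userinit.exe,"
'''

_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=value
_STR = re.compile(r'^"((?:[^"\\]|\\.)*)"$')         # "string value"

def _unescape(s):
    """Undo regedit escaping: a doubled backslash or an escaped quote."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse REGEDIT4/5 text into {key: {name: value}}; only string values are decoded."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.upper().startswith(("REGEDIT", "WINDOWS REGISTRY")):
            continue                      # blank line, comment, or file header
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]          # new key section
            keys.setdefault(current, {})
            continue
        m = _LINE.match(line)
        if current is None or m is None:
            raise ValueError("malformed .reg line: %r" % raw)
        s = _STR.match(m.group(2))
        keys[current][_unescape(m.group(1))] = _unescape(s.group(1)) if s else m.group(2)
    return keys

def userinit_is_clean(value):
    """True only if the comma-separated list holds exactly the real userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return len(entries) == 1 and LEGIT_USERINIT.match(entries[0]) is not None

def fix_restores_userinit(reg_text=FIX_REG):
    """Does this .reg file set Winlogon\\Userinit back to a clean value?"""
    value = parse_reg(reg_text).get(WINLOGON_KEY, {}).get("Userinit", "")
    return userinit_is_clean(value)
```

A Userinit value that appends a second path, or points somewhere other than System32, is how a lock screen like this one gets launched at every logon, so userinit_is_clean is the check to run on the live value before and after importing fix.reg.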


#8 theresact (Topic Starter)
Hi, okay, I was about to do this but I want to be clear before I try. Where does the CD come into play so that I can transfer storage from one comp to the infected one? I need to know this since I cannot use my PC and know that if I'm dealing with the registry I should be careful.
Thanks, Theresa

#9 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
On a different computer that you can access, go through the instructions for creating and saving the fix.reg file. When you go to save it, save it to some type of removable storage - CD, USB drive, etc. Then plug the removable storage into the infected PC, boot it up, move the fix.reg file from the removable storage to the desktop of the infected PC and double click it to run it.

- Dave

#10 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.