[lordoxford]

I have C, D and E "Drives" on the HDD on my main PC. All downloaded stuff goes initially into "E:\downloads". This contains hundreds of files downloaded over the years and I recognise most of their titles. Three days ago I saw a ".htm" file I didn't recognise and hit it. A lot of indecent stuff appeared on screen. As I attempted to close this screen a banner asked me if I really did want to leave this screen. I hit the "Leave" option and got a screen which accused me of violating at least one of a number of laws from a list which included Fraud, Accessing pornography, Music theft and many more . . . . and that my machine had been "Locked" and the police informed and that any attempt to unlock the machine would result in the instant deletion of all "Pictures, data files and programs . .".
I immediately shut down and tried setting the "Previous settings that worked" option in the power-up. I got the same screen. In a panic I shut down and removed the HDD. I'm writing this on my wife's old PC. I've shifted the 1TB USB drive from my machine to this one.
I need some advice here!!
I've got a USB cage into which I've slotted the damaged HDD. I can run my "Disk-less" machine from a linux USB stick. Now I really need some advice!
Cheers!
lox.

[Advertisements]

lordoxford:
I forgot to mention that further down the threatening page appeared:
Pay (us) £100.00 to unlock your machine.

The page was signed something like "The EURO POLICE ..."
Clearly a scam - but a frightener no less".
lox.

[lordoxford]

lordoxford:
I forgot to mention that further down the threatening page appeared:
Pay (us) £100.00 to unlock your machine.

The page was signed something like "The EURO POLICE ..."
Clearly a scam - but a frightener no less".
lox.

[Buddierdl]

Hello and welcome to Geeks to Go. I am sorry that you are having troubles with your computer and will try my best to help you. I know that being infected is very frustrating, but I will be here to help you through the whole process of cleaning. Removing malware can be difficult and complicated and will most likely take many steps, so please stick with me until I have declared your computer clean. I always recommend printing my instructions before following them in case you cannot keep this webpage open. Please be sure to alway follow all steps exactly as they are written and let me know what happens each time. Stop and ask if something unexpected happens or if you are unsure of how to proceed.

Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.

Please note that I am currently in training as a GeekU Senior. My posts must be reviewed by an instructor, so there may be a slight delay.

I will have some instructions for you soon.

[Buddierdl]

Can you tell me what OS you are running and whether it is 64-bit or 32-bit?

[lordoxford]

Hello! I replied at about 17.40 hrs but, I guess, in the wrong place 'cos it didn't turn up here!
Anyway I'm using XP home, 32 bit but, of course, I'm loath to put the disk back in under the threat of complete deletion by the malware.
I imagined I could use the usb linux to work through the filestores and find the offending file (by date-time, perhaps) but I've no clue as to where to start.
lox.

[Buddierdl]

Hi lordoxford,

You have to put the HDD back in the computer for us to be able to clean it. If you boot from the CD as instructed below, the malware shouldn't be able to run. We'll be booting to an alternate recovery OS. You can also back-up files in that OS if you wish.

Please print these instruction out so that you know what you are doing. Burn the CD on your clean computer.

• Download OTLPEStd.exe to your desktop.
• Ensure that you have a blank CD in the drive
• Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
• Reboot your system using the boot CD you just created.
  Note : If you do not know how to set your computer to boot from CD follow the steps here
• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
• Your system should now display a Reatogo desktop.
  Note : as you are running from CD it is not exactly speedy
• Double-click on the OTLPE icon.
• Select the Windows folder of the infected drive if it asks for a location
• When asked "Do you wish to load the remote registry", select Yes
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
• OTL should now start.
• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive if you do not have internet connection on this system.
• Right click the file and select send to : select the USB drive.
• Confirm that it has copied to the USB drive by selecting it
• You can backup any files that you wish from this OS
• Please post the contents of the C:\OTL.txt file in your reply.

[lordoxford]

Hello M.Buddier,
Thanks for your help. I have a 2GB USB drive with this stuff on it from an earlier problem (in the event I didn't have to use it):

Directory of G:\

12/06/2011 19:50 167 winbom.ini
04/08/2004 02:07 260,272 ntldr
04/08/2004 02:07 47,564 ntdetect.com
24/03/2006 12:06 53 AUTORUN.INF
12/06/2011 19:50 <DIR> minint
12/06/2011 20:04 <DIR> PROGRAMS
12/06/2011 20:05 <DIR> SFX
09/03/2011 13:38 0 WIN51IP
09/03/2011 13:38 0 WIN51IP.SP2
16/07/2005 22:36 240,128 reatogoMenu.exe
09/03/2011 13:44 1,052 reatogoMenu.ini
12/06/2011 20:05 <DIR> [BOOT]
03/05/2011 01:16 271 scan.txt
11/03/2013 21:18 891 fred.txt
10 File(s) 550,398 bytes
4 Dir(s) 1,713,733,632 bytes free

Can I use this?
More importantly - will the malware detect
(a) the sudden presence of the HDD and
(b) our attempt to restore command to the resident OS?
The implication being the "Unlocking" of the system triggering their destruction.
What about my copying the whole 50GB from the infected HDD to the 1TB drive using the linux drive first. I know I'm acting scared but I'm an OAP and cannot afford to lose 5 years' work!!
Sorry to be a wimp"
lox.

[lordoxford]

Hi there!
Using the stuff on the previous USB stick: I get:
Starting reatogo -X-PE
loads
then:
Blue screen
A problem has been detected .... windows shut down .... to prevent damage ....
If this is the first time .... restart .... if this screen appears again ....
Check for viruses ... (a lot of guff including using CHKDSK /F - all irrelevant of course)
*** STOP: 0X0000007B (4HEX addresses)

Should I try to get past this?
Cheers!
lox.

[Buddierdl]

Hi lordoxford,

Can I use this?
More importantly - will the malware detect
(a) the sudden presence of the HDD and
(b) our attempt to restore command to the resident OS?

It shouldn't do this, because we are not loading windows but a recovery OS. If you feel more safe, you can back up the hard drive data to another drive, but only back up safe data like documents, pictures, music, etc. and not executable files to avoid transferring the virus.

That blue screen is usually caused by a setting in BIOS that we need to change. Do you know how to enter BIOS? If you can, please look for a setting named something like SATA Controller Mode and set it to Compatibility, ATA, or IDE. (The choices depend on what motherboard you have; any one of them should work.) If you don't know how to enter BIOS or you need more specific instructions, please send me the brand and model number of your computer.

Once you change this setting, you should be able to boot from the USB and follow the instructions above.

[lordoxford]

Hello M. Buddier,
My machine is an Acer Travelmate 4150 unmodified. I've removed the HDD and
inserted the linux stick.
Before the linux USB is read I can access the CMOS which has very limited facilities.
Under the "Main" heading it currently shows: LCD autodim, Quiet boot & D2D recovery all
activated and Network boot & F12 boot menu not activated.
Under "Security" it shows: Set passwords Sup & User activated, Lock HDD not activated.
Under "Boot" there's the usual floppy,HD & CD setting options.
Not a lot of facility there!

Its HDD is currently attached to this machine's USB.
Somewhat ominously, this machine has not detected it!

I'll try to mount it back on my machine and transfer as much as I can using linux although I'd have preferred to use XCOPY under MSDOS on this machine since I can
then exclude executables.
Vye
lox.

[Buddierdl]

Hi lordoxford,

Could you please try burning a CD, (following the instructions above). Sometimes a CD will work when a USB doesn't.

[lordoxford]

Hi M. Buddier,
OK - I'll do that. This old machine cannot burn CDs - my wife's can!
Incidentally I ran the Acer up with its HDD in place under linux and looked for files modded after midnight last Sunday (when the malware struck). Only two names appeared: hiberfil.sys and pagefile.sys.
I shrank from examining them.
Any clue here?
Regards,
lox.

[Buddierdl]

Let me know when you get the scan.

Please don't mess with those two files; they are vital windows components. Sometimes malware will have faked dates (modified/created).

[lordoxford]

Hi, I'm juggling a lot of iffy hardware here. Wife's engine can't burn CD. I've now got the .ISO on a second USB stick (stick 2). The linux burner on stick 1 needs buffer space. The burner tries to use spare space on stick 1 and crashes. I cannot remember the syntax to direct the burner to use space on "sdb1", the mounted 1TB USB drive. I'm fading fast as yet another midnight approaches!
I'll look out my unix bible in the loft.
Cheers!
lox.

[lordoxford]

Hi M. Buddier,
I now have an "OTL.txt" file, how should I send it to you?
lox.