Homeland Security Moneypack Ransomware Removal
Started by
skullkrusher78
, Nov 18 2013 06:48 AM
#16
Posted 21 November 2013 - 11:07 AM
skullkrusher78
- Topic Starter
-
- Member
-
- 34 posts
Member
#17
Posted 21 November 2013 - 11:26 AM
Buddierdl
-
- Malware Removal
-
- 2,524 posts
Trusted Helper
Ok. Try running this script in the same way as the other one: link.
This is an exe file that must be downloaded to the USB drive and run from there, while still connected to your working computer. The exe file will write the script to the flash drive.
Then you can boot the problem computer and run the script in the same way, with this command:
bash hives.sh
You should see the screen below. Make sure the working directory is your USB drive (in this case /mnt/sdb1).
Type software at the prompt (lowercase) and let it do its thing. It will save the software hive to the usb as ntbsoft. I need you to upload this file for me to a sharing service, like dropbox. Make sure your USB has at least about 40 MB available.
This is an exe file that must be downloaded to the USB drive and run from there, while still connected to your working computer. The exe file will write the script to the flash drive.
Then you can boot the problem computer and run the script in the same way, with this command:
bash hives.sh
You should see the screen below. Make sure the working directory is your USB drive (in this case /mnt/sdb1).
Type software at the prompt (lowercase) and let it do its thing. It will save the software hive to the usb as ntbsoft. I need you to upload this file for me to a sharing service, like dropbox. Make sure your USB has at least about 40 MB available.
#18
Posted 22 November 2013 - 04:20 PM
Buddierdl
-
- Malware Removal
-
- 2,524 posts
Trusted Helper
How's it going?
#19
Posted 24 November 2013 - 01:57 AM
skullkrusher78
- Topic Starter
-
- Member
-
- 34 posts
Member
Sorry for the delay, I ran the computer normally for about 10 hours and it stayed on. I wasn't able to try the latest fix because I got a warning from my Norton about Suspicious.Cloud.7.EP when I tried to download it, so I didn't want to proceed without your input.
#20
Posted 24 November 2013 - 12:25 PM
Buddierdl
-
- Malware Removal
-
- 2,524 posts
Trusted Helper
The link is safe. Norton is just flagging it as having suspicious behavior. It is a false positive.
#21
Posted 24 November 2013 - 04:07 PM
skullkrusher78
- Topic Starter
-
- Member
-
- 34 posts
Member
Ok, good news & bad news. Good news: the computer didn't shutdown when I ran the script. Bad news: It didn't work. Here is what was displayed:
Current directory is /mnt/sdb1
Type the name of the hive
or type BOTH if desired:
software
Searching for hive . . . . please wait
/mnt/sda2/windows/system32/config/software /mnt/sda1/Minint/system32/config/software
Collecting SOFTWARE . . . . please wait
cp: cannot create '/mnt/sdb1/ntbsoft/software': No such file or directory
cp: cannot create '/mnt/sdb1/ntbsoft/software': No such file or directory
Collections failed!
sh-4.0#
I may have done something wrong. The only file that was created on the USB when I ran the ntbs.exe file was the hives.sh script. I got an error saying the software was not compatible with my system. Was there something else that was supposed to be created?
Since the system was stable, I also tried running the rst.sh script again and got the result: Done!. I know that was supposed to create some kind of log for you to look at so I will refer back to those instructions and get that to you.
Current directory is /mnt/sdb1
Type the name of the hive
or type BOTH if desired:
software
Searching for hive . . . . please wait
/mnt/sda2/windows/system32/config/software /mnt/sda1/Minint/system32/config/software
Collecting SOFTWARE . . . . please wait
cp: cannot create '/mnt/sdb1/ntbsoft/software': No such file or directory
cp: cannot create '/mnt/sdb1/ntbsoft/software': No such file or directory
Collections failed!
sh-4.0#
I may have done something wrong. The only file that was created on the USB when I ran the ntbs.exe file was the hives.sh script. I got an error saying the software was not compatible with my system. Was there something else that was supposed to be created?
Since the system was stable, I also tried running the rst.sh script again and got the result: Done!. I know that was supposed to create some kind of log for you to look at so I will refer back to those instructions and get that to you.
#22
Posted 24 November 2013 - 04:22 PM
Buddierdl
-
- Malware Removal
-
- 2,524 posts
Trusted Helper
Yes, for rst.sh you should have an enum.log on the flash drive. That would be the easier way to go.
#23
Posted 24 November 2013 - 04:22 PM
skullkrusher78
- Topic Starter
-
- Member
-
- 34 posts
Member
enum.log results:
32.0M Nov 22 15:43 /mnt/sda2/windows/system32/config/software
16.0M
Nov 22 15:43 /mnt/sda2/windows/system32/config/system
31.9M
Nov 20 03:00 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1115/~SOFTWARE
31.9M
Jan 16 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1068/~SOFTWARE
31.9M
Jan 20 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1069/~SOFTWARE
31.9M
Jan 15 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1067/~SOFTWARE
31.9M
Jan 23 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1070/~SOFTWARE
31.9M
Jan 27 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1071/~SOFTWARE
31.9M
Feb 10 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1072/~SOFTWARE
31.9M
Feb 11 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1073/~SOFTWARE
31.9M
Feb 11 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1074/~SOFTWARE
31.9M
Feb 14 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1075/~SOFTWARE
31.9M
Feb 15 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1076/~SOFTWARE
31.9M
Feb 16 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1077/~SOFTWARE
31.9M
Feb 17 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1078/~SOFTWARE
31.9M
Feb 18 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1079/~SOFTWARE
31.9M
Feb 19 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1080/~SOFTWARE
31.9M
Feb 20 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1081/~SOFTWARE
31.9M
Feb 21 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1082/~SOFTWARE
31.9M
Feb 22 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1083/~SOFTWARE
31.9M
Feb 22 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1084/~SOFTWARE
31.9M
Feb 23 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1085/~SOFTWARE
31.9M
Feb 24 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1086/~SOFTWARE
31.9M
Feb 24 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1087/~SOFTWARE
31.9M
Feb 25 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1088/~SOFTWARE
31.9M
Feb 26 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1089/~SOFTWARE
31.9M
Feb 27 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1090/~SOFTWARE
31.9M
Feb 28 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1091/~SOFTWARE
31.9M
Mar 1 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1092/~SOFTWARE
31.9M
Mar 2 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1093/~SOFTWARE
31.9M
Mar 17 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1108/~SOFTWARE
31.9M
Mar 3 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1094/~SOFTWARE
31.9M
Mar 4 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1095/~SOFTWARE
31.9M
Mar 5 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1096/~SOFTWARE
31.9M
Mar 6 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1097/~SOFTWARE
31.9M
Mar 7 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1098/~SOFTWARE
31.9M
Mar 8 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1099/~SOFTWARE
31.9M
Mar 9 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1100/~SOFTWARE
31.9M
Mar 10 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1101/~SOFTWARE
31.9M
Mar 11 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1102/~SOFTWARE
31.9M
Mar 12 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1103/~SOFTWARE
31.9M
Mar 13 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1104/~SOFTWARE
31.9M
Mar 14 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1105/~SOFTWARE
31.9M
Mar 15 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1106/~SOFTWARE
31.9M
Mar 16 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1107/~SOFTWARE
31.9M
Nov 13 07:18 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1109/~SOFTWARE
31.9M
Nov 15 10:22 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1110/~SOFTWARE
31.9M
Nov 18 04:45 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1111/~SOFTWARE
31.9M
Nov 17 08:48 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1112/~SOFTWARE
31.9M
Nov 17 12:10 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1113/~SOFTWARE
31.9M
Nov 19 13:11 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1114/~SOFTWARE
15.9M
Nov 20 03:00 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1115/~SYSTEM
9.8M
Jan 16 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1068/~SYSTEM
9.8M
Jan 20 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1069/~SYSTEM
9.8M
Jan 15 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1067/~SYSTEM
9.8M
Jan 23 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1070/~SYSTEM
9.8M
Jan 27 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1071/~SYSTEM
9.8M
Feb 10 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1072/~SYSTEM
9.8M
Feb 11 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1073/~SYSTEM
9.8M
Feb 11 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1074/~SYSTEM
9.8M
Feb 14 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1075/~SYSTEM
9.8M
Feb 15 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1076/~SYSTEM
9.8M
Feb 16 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1077/~SYSTEM
9.8M
Feb 17 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1078/~SYSTEM
9.8M
Feb 18 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1079/~SYSTEM
9.8M
Feb 19 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1080/~SYSTEM
9.8M
Feb 20 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1081/~SYSTEM
9.8M
Feb 21 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1082/~SYSTEM
9.9M
Feb 22 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1083/~SYSTEM
9.8M
Feb 22 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1084/~SYSTEM
9.8M
Feb 23 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1085/~SYSTEM
9.8M
Feb 24 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1086/~SYSTEM
9.8M
Feb 24 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1087/~SYSTEM
9.8M
Feb 25 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1088/~SYSTEM
9.8M
Feb 26 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1089/~SYSTEM
9.8M
Feb 27 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1090/~SYSTEM
9.8M
Feb 28 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1091/~SYSTEM
9.8M
Mar 1 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1092/~SYSTEM
9.8M
Mar 2 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1093/~SYSTEM
9.8M
Mar 17 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1108/~SYSTEM
9.8M
Mar 3 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1094/~SYSTEM
9.8M
Mar 4 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1095/~SYSTEM
9.8M
Mar 5 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1096/~SYSTEM
9.8M
Mar 6 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1097/~SYSTEM
9.8M
Mar 7 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1098/~SYSTEM
9.8M
Mar 8 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1099/~SYSTEM
9.8M
Mar 9 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1100/~SYSTEM
9.8M
Mar 10 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1101/~SYSTEM
9.8M
Mar 11 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1102/~SYSTEM
9.8M
Mar 12 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1103/~SYSTEM
9.8M
Mar 13 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1104/~SYSTEM
9.8M
Mar 14 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1105/~SYSTEM
9.8M
Mar 15 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1106/~SYSTEM
9.8M
Mar 16 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1107/~SYSTEM
11.7M
Nov 13 07:18 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1109/~SYSTEM
15.5M
Nov 15 10:23 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1110/~SYSTEM
15.5M
Nov 18 04:45 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1111/~SYSTEM
15.9M
Nov 17 08:48 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1112/~SYSTEM
15.9M
Nov 17 12:11 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1113/~SYSTEM
15.9M
Nov 19 13:11 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1114/~SYSTEM
32.0M Nov 22 15:43 /mnt/sda2/windows/system32/config/software
16.0M
Nov 22 15:43 /mnt/sda2/windows/system32/config/system
31.9M
Nov 20 03:00 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1115/~SOFTWARE
31.9M
Jan 16 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1068/~SOFTWARE
31.9M
Jan 20 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1069/~SOFTWARE
31.9M
Jan 15 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1067/~SOFTWARE
31.9M
Jan 23 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1070/~SOFTWARE
31.9M
Jan 27 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1071/~SOFTWARE
31.9M
Feb 10 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1072/~SOFTWARE
31.9M
Feb 11 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1073/~SOFTWARE
31.9M
Feb 11 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1074/~SOFTWARE
31.9M
Feb 14 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1075/~SOFTWARE
31.9M
Feb 15 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1076/~SOFTWARE
31.9M
Feb 16 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1077/~SOFTWARE
31.9M
Feb 17 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1078/~SOFTWARE
31.9M
Feb 18 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1079/~SOFTWARE
31.9M
Feb 19 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1080/~SOFTWARE
31.9M
Feb 20 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1081/~SOFTWARE
31.9M
Feb 21 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1082/~SOFTWARE
31.9M
Feb 22 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1083/~SOFTWARE
31.9M
Feb 22 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1084/~SOFTWARE
31.9M
Feb 23 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1085/~SOFTWARE
31.9M
Feb 24 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1086/~SOFTWARE
31.9M
Feb 24 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1087/~SOFTWARE
31.9M
Feb 25 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1088/~SOFTWARE
31.9M
Feb 26 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1089/~SOFTWARE
31.9M
Feb 27 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1090/~SOFTWARE
31.9M
Feb 28 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1091/~SOFTWARE
31.9M
Mar 1 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1092/~SOFTWARE
31.9M
Mar 2 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1093/~SOFTWARE
31.9M
Mar 17 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1108/~SOFTWARE
31.9M
Mar 3 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1094/~SOFTWARE
31.9M
Mar 4 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1095/~SOFTWARE
31.9M
Mar 5 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1096/~SOFTWARE
31.9M
Mar 6 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1097/~SOFTWARE
31.9M
Mar 7 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1098/~SOFTWARE
31.9M
Mar 8 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1099/~SOFTWARE
31.9M
Mar 9 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1100/~SOFTWARE
31.9M
Mar 10 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1101/~SOFTWARE
31.9M
Mar 11 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1102/~SOFTWARE
31.9M
Mar 12 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1103/~SOFTWARE
31.9M
Mar 13 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1104/~SOFTWARE
31.9M
Mar 14 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1105/~SOFTWARE
31.9M
Mar 15 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1106/~SOFTWARE
31.9M
Mar 16 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1107/~SOFTWARE
31.9M
Nov 13 07:18 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1109/~SOFTWARE
31.9M
Nov 15 10:22 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1110/~SOFTWARE
31.9M
Nov 18 04:45 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1111/~SOFTWARE
31.9M
Nov 17 08:48 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1112/~SOFTWARE
31.9M
Nov 17 12:10 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1113/~SOFTWARE
31.9M
Nov 19 13:11 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1114/~SOFTWARE
15.9M
Nov 20 03:00 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1115/~SYSTEM
9.8M
Jan 16 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1068/~SYSTEM
9.8M
Jan 20 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1069/~SYSTEM
9.8M
Jan 15 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1067/~SYSTEM
9.8M
Jan 23 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1070/~SYSTEM
9.8M
Jan 27 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1071/~SYSTEM
9.8M
Feb 10 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1072/~SYSTEM
9.8M
Feb 11 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1073/~SYSTEM
9.8M
Feb 11 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1074/~SYSTEM
9.8M
Feb 14 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1075/~SYSTEM
9.8M
Feb 15 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1076/~SYSTEM
9.8M
Feb 16 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1077/~SYSTEM
9.8M
Feb 17 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1078/~SYSTEM
9.8M
Feb 18 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1079/~SYSTEM
9.8M
Feb 19 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1080/~SYSTEM
9.8M
Feb 20 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1081/~SYSTEM
9.8M
Feb 21 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1082/~SYSTEM
9.9M
Feb 22 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1083/~SYSTEM
9.8M
Feb 22 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1084/~SYSTEM
9.8M
Feb 23 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1085/~SYSTEM
9.8M
Feb 24 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1086/~SYSTEM
9.8M
Feb 24 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1087/~SYSTEM
9.8M
Feb 25 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1088/~SYSTEM
9.8M
Feb 26 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1089/~SYSTEM
9.8M
Feb 27 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1090/~SYSTEM
9.8M
Feb 28 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1091/~SYSTEM
9.8M
Mar 1 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1092/~SYSTEM
9.8M
Mar 2 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1093/~SYSTEM
9.8M
Mar 17 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1108/~SYSTEM
9.8M
Mar 3 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1094/~SYSTEM
9.8M
Mar 4 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1095/~SYSTEM
9.8M
Mar 5 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1096/~SYSTEM
9.8M
Mar 6 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1097/~SYSTEM
9.8M
Mar 7 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1098/~SYSTEM
9.8M
Mar 8 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1099/~SYSTEM
9.8M
Mar 9 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1100/~SYSTEM
9.8M
Mar 10 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1101/~SYSTEM
9.8M
Mar 11 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1102/~SYSTEM
9.8M
Mar 12 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1103/~SYSTEM
9.8M
Mar 13 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1104/~SYSTEM
9.8M
Mar 14 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1105/~SYSTEM
9.8M
Mar 15 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1106/~SYSTEM
9.8M
Mar 16 2013 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1107/~SYSTEM
11.7M
Nov 13 07:18 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1109/~SYSTEM
15.5M
Nov 15 10:23 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1110/~SYSTEM
15.5M
Nov 18 04:45 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1111/~SYSTEM
15.9M
Nov 17 08:48 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1112/~SYSTEM
15.9M
Nov 17 12:11 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1113/~SYSTEM
15.9M
Nov 19 13:11 /sda2/System Volume Information/_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}/rp1114/~SYSTEM
#24
Posted 24 November 2013 - 04:38 PM
Buddierdl
-
- Malware Removal
-
- 2,524 posts
Trusted Helper
Okay, let's try going back to Jan 15. Run the script again like this:
bash rst.sh -r
Then type 1067 and press enter when prompted.
If it runs successfully, try booting the computer.
bash rst.sh -r
Then type 1067 and press enter when prompted.
If it runs successfully, try booting the computer.
#25
Posted 24 November 2013 - 05:48 PM
skullkrusher78
- Topic Starter
-
- Member
-
- 34 posts
Member
Restore was successful. Rebooted computer in normal mode. Virus still appears and locks computer. I feel like we are making progress though!!
#26
Posted 24 November 2013 - 06:06 PM
Buddierdl
-
- Malware Removal
-
- 2,524 posts
Trusted Helper
Well, that was the oldest restore point I think. Before we try NTBR again, let's try this script. It may just be a userinit value starting the ransomware.
Download this script to the flash drive: http://noahdfear.net...UD_userinit_fix
This one can just be double-clicked in xPud to run it.
Post the resulting log, UserinitReport.txt .
By the way, how much free space was left on the flash drive when you ran hives.sh?
Download this script to the flash drive: http://noahdfear.net...UD_userinit_fix
This one can just be double-clicked in xPud to run it.
Post the resulting log, UserinitReport.txt .
By the way, how much free space was left on the flash drive when you ran hives.sh?
#27
Posted 24 November 2013 - 06:27 PM
skullkrusher78
- Topic Starter
-
- Member
-
- 34 posts
Member
7.56GB left on the USB. Ran the script, running into the shutdown issue again. I don't know if this means anything, but when these shutdown issues occur, there is a 30sec-1min period where I am unable to power up the computer again unless I disconnect it from the power supply and then reconnect. I will keep trying to run the script in the mean time.
#28
Posted 25 November 2013 - 12:16 AM
skullkrusher78
- Topic Starter
-
- Member
-
- 34 posts
Member
I got the script to run. Here are the results:
Remote Registry Userinit Report
Hive </mnt/sda2/windows/system32/config/software>
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\WINDOWS\system32\userinit.exe,
(...)\Windows NT\CurrentVersion\Winlogon> EDIT: <Userinit> of type REG_SZ with length 68 [0x44]
[ 0]: C:\WINDOWS\system32\userinit.exe,
-> newkv->len:
68
userinit.exe search results
a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda2/windows/system32/userinit.exe
25.5K Apr 13 2008
39b1ffb03c2296323832acbae50d2aff /mnt/sda2/windows/$NtServicePackUninstall$/userinit.exe
24.0K Aug 10 2004
a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda2/windows/ServicePackFiles/i386/userinit.exe
25.5K Apr 13 2008
29a1877f2d0eacff20b6507a3c00f31b /mnt/sda1/Minint/system32/userinit.exe
25.5K Mar 25 2005
winlogon.exe search results
ed0ef0a136dec83df69f04118870003e /mnt/sda2/windows/system32/winlogon.exe
496.0K Apr 13 2008
01c3346c241652f43aed8e2149881bfe /mnt/sda2/windows/$NtServicePackUninstall$/winlogon.exe
490.5K Aug 10 2004
ed0ef0a136dec83df69f04118870003e /mnt/sda2/windows/ServicePackFiles/i386/winlogon.exe
496.0K Apr 13 2008
325fd6d25fc1d77c363e87b445c8b023 /mnt/sda1/Minint/system32/winlogon.exe
497.0K Mar 25 2005
explorer.exe search results
7712df0cdde3a5ac89843e61cd5b3658 /mnt/sda2/windows/$hf_mig$/kb938828/sp2qfe/explorer.exe
1009.0K Jun 13 2007
97bd6515465659ff8f3b7be375b2ea87 /mnt/sda2/windows/$NtServicePackUninstall$/explorer.exe
1009.0K Jun 13 2007
12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda2/windows/explorer.exe
1009.5K Apr 13 2008
12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda2/windows/ServicePackFiles/i386/explorer.exe
1009.5K Apr 13 2008
Remote Registry Userinit Report
Hive </mnt/sda2/windows/system32/config/software>
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\WINDOWS\system32\userinit.exe,
(...)\Windows NT\CurrentVersion\Winlogon> EDIT: <Userinit> of type REG_SZ with length 68 [0x44]
[ 0]: C:\WINDOWS\system32\userinit.exe,
-> newkv->len:
68
userinit.exe search results
a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda2/windows/system32/userinit.exe
25.5K Apr 13 2008
39b1ffb03c2296323832acbae50d2aff /mnt/sda2/windows/$NtServicePackUninstall$/userinit.exe
24.0K Aug 10 2004
a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda2/windows/ServicePackFiles/i386/userinit.exe
25.5K Apr 13 2008
29a1877f2d0eacff20b6507a3c00f31b /mnt/sda1/Minint/system32/userinit.exe
25.5K Mar 25 2005
winlogon.exe search results
ed0ef0a136dec83df69f04118870003e /mnt/sda2/windows/system32/winlogon.exe
496.0K Apr 13 2008
01c3346c241652f43aed8e2149881bfe /mnt/sda2/windows/$NtServicePackUninstall$/winlogon.exe
490.5K Aug 10 2004
ed0ef0a136dec83df69f04118870003e /mnt/sda2/windows/ServicePackFiles/i386/winlogon.exe
496.0K Apr 13 2008
325fd6d25fc1d77c363e87b445c8b023 /mnt/sda1/Minint/system32/winlogon.exe
497.0K Mar 25 2005
explorer.exe search results
7712df0cdde3a5ac89843e61cd5b3658 /mnt/sda2/windows/$hf_mig$/kb938828/sp2qfe/explorer.exe
1009.0K Jun 13 2007
97bd6515465659ff8f3b7be375b2ea87 /mnt/sda2/windows/$NtServicePackUninstall$/explorer.exe
1009.0K Jun 13 2007
12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda2/windows/explorer.exe
1009.5K Apr 13 2008
12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda2/windows/ServicePackFiles/i386/explorer.exe
1009.5K Apr 13 2008
#29
Posted 25 November 2013 - 09:02 AM
Buddierdl
-
- Malware Removal
-
- 2,524 posts
Trusted Helper
That ran, but it looks like userinit wasn't the loading key for the malware. You could give it a shot in normal mode just to be sure.
If it didn't fix it (and it probably didn't), let's try to get hives.sh working. I have modified hives.sh in order to work on you computer. This fix is only for this computer, it could render another computer an expensive doorstop. If you are reading this thread trying to fix your own computer, please start your own thread to get specific help.
Please replace the current hives.sh on your flash drive and try running this new version. Hopefully you will get the hive to upload for me.
If it didn't fix it (and it probably didn't), let's try to get hives.sh working. I have modified hives.sh in order to work on you computer. This fix is only for this computer, it could render another computer an expensive doorstop. If you are reading this thread trying to fix your own computer, please start your own thread to get specific help.
Please replace the current hives.sh on your flash drive and try running this new version. Hopefully you will get the hive to upload for me.
Attached Files
-
hives.sh.zip 1.12KB
542 downloads
#30
Posted 25 November 2013 - 02:26 PM
skullkrusher78
- Topic Starter
-
- Member
-
- 34 posts
Member
Ok I got the result "Software Collected". Which files was it supposed to create for me to upload to you? My guess was soft.txt.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
