Sec19Row53
| #1 Posted on 6.11.13 1242.08 Reposted on: 6.11.20 1245.06 | Thanks to my 16 yo son, I have an infected PC. A ransomware has been installed mimicking a National Security Administration page. I haven't spent much time on getting rid of this, yet. The computer is worthless at the moment, as the ransomware has assumed complete control.
I tried booting in Safe Mode once, but got nowhere. Has anyone run across anything like this, and if so, what did you do?
PS - Given the nature of the software, I thought the pirate icon worked ;-) | thecubsfan
| #2 Posted on 6.11.13 1319.06 Reposted on: 6.11.20 1319.40 | A friend had something similar on his computer, and I spent half of Saturday trying to get it out. I think I did, but their existing antivirus was still pretty screwed up when we called it a night.
See if you can get to msconfig (start->run->msconfig). That'll give you access to what comes up when you boot, and this software is one of those things running. Click over to Startup tab, and uncheck anything that looks suspicious. The malware startup programs were easy to spot for me - random characters as file names, all located in the user's directory. I tracked those files down and deleted them.
(This is also a good time to clear out the recycle bin, and clear out any temporary files you can find. It might also be worth looking thru the Services tab to see if anything pops out as being strange.)
After I made those changes, I rebooted and ran Malwarebytes to find everything I didn't. That still didn't fix the existing antivirus - the ransom-ware ingeniously changed the permissions so no one could access it - but it cleaned up the new problems. | DJ FrostyFreeze
| #3 Posted on 6.11.13 1354.15 Reposted on: 6.11.20 1354.52 | Originally posted by Sec19Row53 Thanks to my 16 yo son, I have an infected PC. A ransomware has been installed mimicking a National Security Administration page. I haven't spent much time on getting rid of this, yet. The computer is worthless at the moment, as the ransomware has assumed complete control.
I tried booting in Safe Mode once, but got nowhere. Has anyone run across anything like this, and if so, what did you do?
PS - Given the nature of the software, I thought the pirate icon worked ;-)
SCARY! I had to look up what the heck ransomware was. Never even heard of it!
Any idea where your son got infected?
CUBS - Once you made the msconfig changes and ran Malwarebytes, could you then uninstall and re-install the compromised antivirus program? | thecubsfan
| #4 Posted on 6.11.13 1518.41 Reposted on: 6.11.20 1523.37 | Nope. Most of my time was spent trying to reinstall the program - Microsoft Security Essentials - and getting error codes which didn't mean anything. It was only hours in when I realized it was a permissions error. There was a trip to look at getting a new computer - they needed one anyway - to take up some of the time.
Googling around - the malwarebytes.org forum comes up a lot in search and is worth creating an account to ask for help if you get stuck, Sec19Row53 - I found and used something called Farbar recovery scan which scanned thru and found more stuff (including the stuck folders), but figuring out how to get it to fix stuff was a guessing game. I got it to work to delete the stuck files, but by then everyone was falling asleep and I decided I should be going. | Sec19Row53
| #5 Posted on 6.11.13 2031.00 Reposted on: 6.11.20 2031.48 | Well, I can't even get Windows to start up in Safe mode -- the virus causes it to shut down so that I can't access anything. If I start in normal mode, I don't have access to the computer long enough to get into Task Manager.
I'll try over at malwarebytes. Wish me luck, my kid's gonna need it :-)
ETA - Frosty - He's a 16 yo boy. Take a guess what he was doing (while he was 'working on homework').
(edited by Sec19Row53 on 6.11.13 2032) | EddieBurkett
| #6 Posted on 6.11.13 2050.53 Reposted on: 6.11.20 2055.45 | Do you have access to another profile? If you can log into safe mode under an uninfected profile, you should be able to start running some scans. | Big G
| #7 Posted on 7.11.13 0217.21 Reposted on: 7.11.20 0219.36 | Originally posted by Sec19Row53 ...
ETA - Frosty - He's a 16 yo boy. Take a guess what he was doing (while he was 'working on homework').
(edited by Sec19Row53 on 6.11.13 2032)
Format C:
It's the only thing I do with an infected PC these days. 9/10 times you'll be up and running faster.
And if the kid experiences a little bit of pain in the loss of his save games and 'stash', it might help him learn. | StaggerLee
| #8 Posted on 7.11.13 1042.56 Reposted on: 7.11.20 1043.09 | Ubuntu that sucker. | DJ FrostyFreeze
| #9 Posted on 7.11.13 1159.59 Reposted on: 7.11.20 1200.23 | If you remove the infected hard drive, can you use it as an external and connect it to another computer via USB? Then you can use that computer's antivirus and run a scan on the "external" HDD, or just pull essential files from it then reformat like Big G said. Would that work? | Guru Zim
| #10 Posted on 7.11.13 1250.31 Reposted on: 7.11.20 1252.11 | You can also look for a bootable CD that has a recent AV installed on it. I think Trend Micro used to offer something like this. Good luck. | theremin
| #11 Posted on 7.11.13 1649.02 Reposted on: 7.11.20 1652.44 | Yeah, once every 6 months I get something bad (a couple months ago, I was installing software and I told my brain not to click next, but my finger did).
Honestly, with any of this stuff it's just easier/quicker for me to just slap a new hard drive in the c slot and pull the data off the fucked one.
Going to do that tomorrow after dealing with visualbee for the last couple weeks. | Sec19Row53
| #12 Posted on 11.11.13 2140.54 Reposted on: 11.11.20 2141.10 | With thanks to thecubsfan, I've gotten a bootable CD with a Kaspersky antivirus/recovery program on it. Trying to clean things right now. It's been a busy week. I hope to have good news later tonight. | Guru Zim
| #13 Posted on 11.11.13 2147.45 Reposted on: 11.11.20 2148.32 | Good Luck! | Sec19Row53
| #14 Posted on 13.11.13 0813.25 Reposted on: 13.11.20 0813.26 | With thanks to thecubsfan, I have a functional PC again. The Kaspersky Rescue CD allowed me to boot from CD, and to run their cleaning tool immediately thereafter.
First item on the to-do list - backup to the external hard drive. DONE!
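
The startup check thecubsfan describes in post #2 (entries with random-character file names located in the user's directory), sketched as an added example that is not from any poster in this thread. The sample entries are constructed and the vowel/digit thresholds in `looks_random` are assumptions, so a hit means "review this entry", not "this is malware".

```python
import ntpath
import re

# Constructed sample: (entry name, command line) pairs as a Startup tab would list them.
SAMPLE_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("Dropbox", r'"C:\Users\dad\AppData\Roaming\Dropbox\bin\Dropbox.exe" /systemstartup'),
    ("qzxkvbtw", r"C:\Users\dad\AppData\Roaming\qzxkvbtw.exe"),
    ("x7k2m9q4", r'"C:\Users\dad\AppData\Local\Temp\x7k2m9q4.exe" -s'),
    ("iTunesHelper", r'"C:\Program Files\iTunes\iTunesHelper.exe"'),
]

USER_DIR = re.compile(r"^[a-z]:\\(?:users|documents and settings)\\", re.I)
UNQUOTED_EXE = re.compile(r"\s*(.+?\.(?:exe|dll|bat|cmd|vbs|js|scr))(?:\s|$)", re.I)


def exe_path(command):
    """Pull the executable path out of a startup command line, quoted or not."""
    m = re.match(r'\s*"([^"]+)"', command) or UNQUOTED_EXE.match(command)
    return m.group(1) if m else command.strip()


def looks_random(stem):
    """Assumed heuristic: few vowels or many digits in a name of 5+ characters."""
    if len(stem) < 5:
        return False
    letters = [c for c in stem.lower() if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    vowel_ratio = vowels / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in stem) / len(stem)
    return vowel_ratio < 0.2 or digit_ratio >= 0.3


def suspicious_entries(entries):
    """Return entries that live under a user profile AND have a random-looking file name."""
    flagged = []
    for name, command in entries:
        path = exe_path(command)
        stem = ntpath.splitext(ntpath.basename(path))[0]
        if USER_DIR.match(path) and looks_random(stem):
            flagged.append((name, path))
    return flagged


if __name__ == "__main__":
    for name, path in suspicious_entries(SAMPLE_ENTRIES):
        print(f"review: {name} -> {path}")
```

Requiring both conditions keeps legitimate per-user software (the constructed Dropbox entry) and oddly named system binaries out of the review list.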