
Wife's computer infected with FBI ransomware. Toshiba Laptop, Windows 7, 32 bit. It may be a coincidence, but immediately after the Ransomware Screen showed, I rebooted in safe mode, tried to run MalwareBytes, but only got as far as windows log in screen, when I attempted to log in with the password it was not accepted as being correct.  Several attempts led to same results.

 

Have tried several work-arounds to get past the inability to log in to no avail. I have downloaded the FRST.exe to a mem. stick, but can't get past the log in problem.  Any attempts to bypass with F8 key to (Repair your computer, Safe Mode(s) etc. all take me to log in screen with the same results with password being "incorrect". 

 

Have tried to boot from Windows 7 disk, Kaspersky rescue disk, and Trinity Rescue Kit IO disks to no avail, same blockage at the login screen. (I did not use any of this software to attempt a scan). I used Kaspersky only to see if I could get by the login problem. I am stuck....any ideas?


  • Root Admin

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    Plug the flash drive into the infected PC.

     

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

    To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:

    Startup Repair

    System Restore

    Windows Complete PC Restore

    Windows Memory Diagnostic Tool

    Command Prompt

    Select Command Prompt

     

  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

      Note: Replace letter e with the drive letter of your flash drive.

    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

RE:

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

This is where I get "locked out"....I'm presented with log in screen, and then my Password is rejected as being "incorrect"....


Try the Administrator account (though it's probably disabled, which by default is normal).

The "admin" account is what I'm locked out of with the "password" issue, have one other user account on the machine, but without "admin" access, so it doesn't do me any good....


  • Root Admin

Well, normally you cannot use or log on with the Administrator account, as it is disabled right off the bat; most users have to read up on how to even use that account, and it is not a good thing to do, as you now see.

 

Let me see if I can locate any free software to reset the account password or not and get back to you.  In the event that we cannot do that then how experienced are you with computers as far as file and data management?  Do you have access to another computer to download software and burn a CD / DVD ?


Well, normally you cannot use or log on with the Administrator account, as it is disabled right off the bat; most users have to read up on how to even use that account, and it is not a good thing to do, as you now see.

 

Let me see if I can locate any free software to reset the account password or not and get back to you.  In the event that we cannot do that then how experienced are you with computers as far as file and data management?  Do you have access to another computer to download software and burn a CD / DVD ?

Thanks....I am "ok" with file and data management....I've been down this trail with my better half's computer before, but this one has me stumped so far, thus my reach out for assistance.  Re-read my original post, I've tried quite a few angles today to find a work around for the admin pwd problem....


  • Root Admin

Okay, if you don't already have a bootable recovery DVD for Windows 7 then please create one just in case. We may be able to do this from within the normal RE but want to have access to a bootable DVD just in case. I'll write up some instructions for you later tonight.


Was able to create a Windows repair disc & boot from it, ran the FRST scan, results attached. These look a tad "sketchy":

FRST scan08132013.txt

2013-08-12 06:23 - 2013-08-12 06:23 - 00160256 _____ (TivDevelop Software Group) C:\Users\Sheila\mstsc.exe

2013-08-12 06:23 - 2013-08-12 06:23 - 00160256 _____ (TivDevelop Software Group) C:\Users\Sheila\csrss.exe
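A defender-side check for log lines like the two quoted above, added here as an example and not part of the thread or of the FRST tool itself: it parses FRST-style file entries (date - date - size attributes (vendor) path) and flags executables that carry the name of a Windows system process but sit outside the Windows directory or lack a Microsoft vendor string. The sample lines are constructed (the two from the post plus benign ones for contrast), and the list of system-process names and the directory prefix are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in FRST's file-listing format: the two lines quoted in the
# post above plus benign lines made up for contrast (assumed, not from a real scan).
SAMPLE_FRST_LINES = r"""
2013-08-12 06:23 - 2013-08-12 06:23 - 00160256 _____ (TivDevelop Software Group) C:\Users\Sheila\mstsc.exe
2013-08-12 06:23 - 2013-08-12 06:23 - 00160256 _____ (TivDevelop Software Group) C:\Users\Sheila\csrss.exe
2013-08-10 09:01 - 2013-08-10 09:01 - 00045056 _____ (Microsoft Corporation) C:\Windows\System32\csrss.exe
2013-08-09 12:00 - 2013-08-09 12:00 - 00012345 _____ (Example Vendor) C:\Program Files\Example\app.exe
2013-08-09 12:00 - 2013-08-09 12:00 - 00000000 ____D C:\Users\Sheila\AppData\Local\Temp
"""

# One FRST file entry: created - modified - size attributes [(vendor)] path.
FRST_LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]+) "
    r"(?:\((?P<vendor>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.+)$"
)

# Assumed list of process names that legitimately live only under the Windows directory.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "mstsc.exe", "svchost.exe", "lsass.exe",
    "winlogon.exe", "smss.exe", "explorer.exe",
}
# Assumed location of %SystemRoot% on this machine.
SYSTEM_DIRS = ("c:\\windows\\",)


@dataclass
class Finding:
    path: str
    vendor: str
    reasons: list


def parse_frst_line(line):
    """Return the fields of one FRST file entry as a dict, or None if the line is not one."""
    m = FRST_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(record):
    """Return the reasons a parsed entry looks like a file masquerading as a system binary."""
    path = record["path"]
    name = path.rsplit("\\", 1)[-1].lower()
    if name not in SYSTEM_BINARY_NAMES:
        return []
    reasons = []
    if not path.lower().startswith(SYSTEM_DIRS):
        reasons.append("system binary name outside %SystemRoot%")
    if (record["vendor"] or "") != "Microsoft Corporation":
        reasons.append("non-Microsoft vendor string on a system binary name")
    return reasons


def suspicious_system_name_findings(text):
    """Scan FRST-style text and collect every entry that classify() flags."""
    findings = []
    for line in text.splitlines():
        rec = parse_frst_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append(Finding(rec["path"], rec["vendor"] or "", reasons))
    return findings


if __name__ == "__main__":
    for f in suspicious_system_name_findings(SAMPLE_FRST_LINES):
        print(f.path, "|", f.vendor, "|", "; ".join(f.reasons))
```

Run against a saved FRST.txt by reading the file into `suspicious_system_name_findings`; the check is a triage aid only, and a flagged file still needs the usual review (hash lookup, signature check) before anything is removed.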

  • Root Admin

If you look at the following article you'll see that this entry is no longer valid. 

I can manually remove it but might be best to double check and review it in the Registry yourself for removal.

 

   Winlogon Notification Packages Removed

Winlogon\Notify\ScCertProp: wlnotify.dll [X]

There is nothing wrong with Spybot - Search & Destroy but the version on the computer is very old.
If you wish to continue to use it then once we're done here you should look at uninstalling it and installing the latest version.

There is a temporary installer for SUPERAntiSpyware; it should be gone after a reboot, but the logs show it's there, so I would recommend uninstalling SAS if it's still there.
Then as with Spybot if you want it then when done go ahead and reinstall the program.

For now though please do not do anything else, just run the FIX for FRST below and post back the log.
 
 
 
Please download the attached fixlist.txt file and save it to a USB stick to use in the Recovery Environment.

NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

fixlist.txt


Many thanks, I was able to find a work around for the password/log in problem, after that I ran Malwarebytes which removed the ransomware files. I shall heed your advice re Spybot, etc.

 

thanks again for your help.  

 

PS: purchased & installed the latest version of Malwarebytes for the Mrs.' computer.


  • Root Admin

I would still highly recommend that you run the FIXLIST.TXT file I posted and then let us run some other scans to make sure the system is clean and up to date.

Wouldn't want it to happen again, or get one that's worse.  There are some out there that encrypt the data and you cannot get it back.  So regardless of where we go from here you should make it a practice to backup all your important data to an external source (and don't leave it connected all the time to prevent it from becoming infected) - if the computer appears to be infected then get it cleaned and never connect your backup drive to the computer until you get the computer cleaned.


  • Root Admin

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

 

Next, download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


 

 

Thanks


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
