loringdesign Posted April 1, 2014 ID:811906
Hello, could I please get some help in removing this malware? It would be greatly appreciated. ICE has locked my C drive. I still have access to the slave and a remote. In order to get online I have switched the slave to master, but I know I need to switch back to repair. I have tried all 3 safe mode repair options to no avail. I can't slow the malware down enough to type even one word. I made a boot copy on a CD but nothing happens when I try to run it, but I am only inserting it because I can't open a control window; that is where it is at ;( Possibly to make matters worse, I reformatted my slave drive thinking it was backed up by my Norton as I had requested... but didn't check. I reformatted to install XP because this is the only computer I have running now. Well, XP installed just perfectly but I lost a lot of work data, in part because Norton reinstalled virus protection. I ran one recovery software and saw bits & pieces of info. I'm saying all this because, if possible, I hope to get some of the data back, but getting the malware off is the #1 priority. The computer is a Dell 2003 desktop running XP. Thank you for your time.
MrCharlie Posted April 2, 2014 ID:812000
Welcome to the forum. You can try and scan the infected drive with the "Kaspersky Rescue Disk and Unlocker". Instructions on creating one can be found at the link below:
http://maddoktor2.com/forums/index.php/topic,55928.0.html
MrC
loringdesign Posted April 2, 2014 Author ID:812296
Thank you for your reply. I think I have already made that disk but had trouble getting it to run. Please note: I am able to communicate on this forum because I have switched my C (master) and F (slave) drives. Am I correct that in order to rid the drive of malware it needs to be in the master position, meaning I would switch the drives back to the way they were when I got the malware?
MrCharlie Posted April 2, 2014 ID:812309
Yes, if you want to use the Kaspersky disk.
MrC
loringdesign Posted April 2, 2014 Author ID:812327
Can you please tell me how to run it, as I think it needs to autorun since I have no way of prompting it when on the locked hard drive?
MrCharlie Posted April 2, 2014 ID:812331
You would have to set your BIOS to boot from your CD-ROM:
http://www.hiren.info/pages/bios-boot-cdrom
MrC
loringdesign Posted April 2, 2014 Author ID:812342
I did that too.
MrCharlie Posted April 2, 2014 ID:812346
OK, you have the infected drive as master and the BIOS set to boot off the CD-ROM. So what does it do??
MrC
loringdesign Posted April 2, 2014 Author ID:812360
Nothing, it doesn't even begin to spin, which it does do when I have the drives the other way. Maybe I should try again. Is there a sequence, or can the CD go in the ROM prior to powering up? And does it help if I tap F8 while the CD tries to run, or should it be left to do its thing solo?
loringdesign Posted April 2, 2014 Author ID:812383
You must be helping others, but I need to go to an appointment now as well. I will check this when I return and hopefully work on the repair tonight. Thanks again for your help.
MrCharlie Posted April 2, 2014 ID:812384
> Nothing, it doesn't even begin to spin, which it does do when I have the drives the other way. Maybe I should try again. Is there a sequence, or can the CD go in the ROM prior to powering up?
Yes, put the CD in and reboot the computer... it should now boot to the CD.
> Does it help if I tap F8 while the CD tries to run, or should it be left to do its thing solo?
If it doesn't boot to the CD, you can try that to bring up the boot menu.
MrC
loringdesign Posted April 3, 2014 Author ID:812830
Good morning, so I tried the CD but I only get to the F1 / F2 prompt that repeats, but I also notice that it keeps showing "Diskette Drive 0 Seek Failure" at the CD drive locals.
loringdesign Posted April 3, 2014 Author ID:812833
Google cannot find the CD link when I click it. I was going to try a fresh copy.
MrCharlie Posted April 3, 2014 ID:812838
OK, you have to be able to boot to the CD for any help.
MrC
loringdesign Posted April 3, 2014 Author ID:812850
Really???? I wasn't sure about that. And likewise, aren't you supposed to be helping me with that? I feel like I'm pulling teeth here day after day. Is this a fun joke to you, or do you like being condescending? Why couldn't you give me something to use, like why doesn't your link work?? I'm suffering here, my computer is broken, I can't do business, I've lost files and you aren't helping. Give me something I can use or I'm outta here.
MrCharlie Posted April 3, 2014 ID:812876
> Really???? I wasn't sure about that. And likewise, aren't you supposed to be helping me with that? I feel like I'm pulling teeth here day after day. Is this a fun joke to you, or do you like being condescending?
I've answered all of your replies almost immediately. You're swapping drives in the computer, so I assume you have some computer knowledge. I haven't been condescending to you.
> Why couldn't you give me something to use, like why doesn't your link work??
What link doesn't work? (First I've heard of this.)
> I'm suffering here, my computer is broken, I can't do business, I've lost files and you aren't helping.
As I said, you have to get the computer to boot off the CD or even a USB flash drive. Not having the computer in front of me, it's hard to say why it won't boot off the CD. Have you tried the CD in another computer??
> Give me something I can use or I'm outta here.
Whatever you want to do.
loringdesign Posted April 4, 2014 Author ID:813383
loringdesign Posted April 4, 2014 Author ID:813385
OK, so the CD finally ran and opened a window, then it just about finished displaying the desktop and the malware took over, covering the entire screen. I don't think I have instructions, so I just let the CD run. There was never a prompt to run anything additional. I am now writing you from my iPhone with a frozen ICED computer in front of me.
MrCharlie Posted April 4, 2014 ID:813420
> OK, so the CD finally ran and opened a window, then it just about finished displaying the desktop and the malware took over, covering the entire screen.
That shouldn't happen, because you booted to the CD, not Windows... so something is not right.
You should have the BIOS set to boot to the CD-ROM first.
Put the CD in and reboot the computer; it should now boot to the Kaspersky CD. Then follow the instructions below.
Below is my tutorial on the virus.

I thought you had another computer that you put the infected drive into. If you don't make out with the Kaspersky scan, if you could set the infected drive as slave in another computer and be able to navigate around in it, it's possible that we could manually delete the malware enough to get it going.
By chance did you have ERUNT installed to back up your registry every day or so?
Let me know.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

FBI MoneyPak, Ransomware virus removal

For Vista, W7 and W8: (You'll need a USB flash drive)

1. Please download How to use the Windows 8 System Recovery Environment Command Prompt to enter the System Recovery Command Prompt.
If you are using Vista or Windows 7, enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
[1] Restart the computer.
[2] As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
[3] Use the arrow keys to select the Repair your computer menu item.
[4] Select US as the keyboard language settings, and then click Next.
[5] Select the operating system you want to repair, and then click Next.
[6] Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: HERE

To enter System Recovery Options by using a Windows installation disc:
[1] Insert the installation disc.
[2] Restart your computer.
[3] If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
[4] Click Repair your computer.
[5] Select US as the keyboard language settings, and then click Next.
[6] Select the operating system you want to repair, and then click Next.
[7] Select your user account and click Next.

3. On the System Recovery Options menu you will get the following options:
*Startup Repair
*System Restore
*Windows Complete PC Restore
*Windows Memory Diagnostic Tool
*Command Prompt
Select Command Prompt.

Once in the Command Prompt:
[1] In the command window type in notepad and press Enter.
[2] The notepad opens. Under the File menu select Open.
[3] Select "Computer" and find your flash drive letter, then close the notepad.
[4] In the command window type e:\frst (for the x64 bit version type e:\frst64) and press Enter.
Note: Replace the letter e with the drive letter of your flash drive.
[5] The tool will start to run.
[6] When the tool opens, click Yes to the disclaimer.
[7] Press the Scan button.
[8] It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For XP and XP Pro:
These methods may help remove this malware: (XP is a little harder to work on)

This will work if you have a good system restore point and can get to the Command Prompt:
(If it doesn't work the first time, keep trying... you may be able to get it)
Step 1: Use F8 to boot to Safe Mode with Command Prompt or Command Prompt.
Step 2: Type the word "explorer" in the black screen > Enter.
Step 3: Then navigate to:
Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter (double click rstrui.exe)
Step 4: Restore the computer to a date you know you were virus free.
Step 5: See if it boots up normally..... post on the forum so we can ensure the computer's clean.

Here's a little trick that may work:
You need to select the "Safe Mode with Command Prompt" option and then hit the Enter key. This will boot the computer with minimal drivers, and no startup programs will run except cmd.exe.

<=====><=====><=====><=====><=====><=====>

Use Kaspersky Rescue Disk and Unlocker:
Download Kaspersky Rescue Disk (iso).
Burn it to a CD or DVD; if you need a program to burn an ISO... use Active@ ISO Burner.
Kaspersky Unlocker can also be loaded on to a USB flash drive: http://support.kaspersky.com/8092
The Kaspersky Disk also has a Registry Editor that can be used to delete or modify the registry entries responsible for the hijack if Unlocker doesn't work. If you need guidance please ask.

Kaspersky WindowsUnlocker to fight ransom malware Tutorial
Configure your computer to boot from CD/DVD.
Note: If you do not know how to set your computer to boot from CD/DVD, follow the steps HERE
Once you have the CD/DVD created, boot the computer up using it.
Press any key to enter the menu.
Select your language.
Press 1 to accept the End User License Agreement.
Select Kaspersky Rescue Disk. Graphic Mode
Click on the Start button located in the left bottom corner of the screen.
Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by the Metropolitan Police Virus.
Note: If you can't find Kaspersky WindowsUnlocker, go to Terminal instead > type > windowsunlocker > choose 1 - Unlock Windows > Enter
When it's done, click on the Start button and start the Kaspersky Rescue Disk utility.
Click on the My Update Center tab and press Start to download the latest update.
Next, select the Object Scan tab.
Put a check next to C:\ and any other local drives.
Then click Start Objects Scan.
Quarantine any malware found.
Restart your computer and see if it boots up normally.

<=====><=====><=====><=====><=====><=====>

Sometimes HitmanPro.Kickstart will work:
http://www.bleepingcomputer.com/virus-removal/remove-computer-crime-intellectual-property-section

Good Luck..... MrC
loringdesign Posted April 5, 2014 Author ID:813722
Sorry, I am just getting back to respond. When preparing to run from your CD I tap F12 till the boot device menu comes up and I pick #3 IDE CD ROM. Next I get to choose F1 to continue or F2. F1 usually just repeats the choices, so I hit F2 and recheck the boot sequence. There I put CD ROM at the top #1 spot and hard drive next. Next Escape and save if asked. If I get F1 & F2 I try F1; when it repeats I do a hard kill and then restart the computer. It ran the CD once, so I thought, but I got a Windows screen. If you were saying I'm not supposed to get Windows then I don't know what it was running. Currently it will not redo that scenario anyway, just goes back to F1 and F2. I do not have ERUNT that I am aware of.
loringdesign Posted April 5, 2014 Author ID:813735
No, just one computer. I thought I had been very clear about my setup. I am switching two hard drives within the same computer from master to slave. It works well. I ran through the tutorial a couple of days ago from another user's post. Doesn't work.
MrCharlie Posted April 5, 2014 ID:813817
> No, just one computer. I thought I had been very clear about my setup. I am switching two hard drives within the same computer from master to slave. It works well.
The master is infected.. correct?
What's on the slave? An operating system??
If you can get to the infected drive through the slave, we might be able to manually delete the malware or scan it with Malwarebytes.
> I ran through the tutorial a couple of days ago from another user's post. Doesn't work.
Were you able to run Unlocker and scan the system??
Did you try the registry editor..... can you get into the registry?
Sometimes HitmanPro works:
http://www.bleepingcomputer.com/virus-removal/remove-computer-crime-intellectual-property-section
loringdesign Posted April 5, 2014 Author ID:813970
No, but I don't know how to either. The registry is definitely over my head. I have to leave right now but will check back. Thank you, sorry to keep leaving. But what about the manual extract? Right now the malware is on the slave on this computer, but I haven't gone looking around in fear of making it worse. Check back in a few hours.
MrCharlie Posted April 5, 2014 ID:813990
1: Can you get to a command prompt with the infected computer??
2: Not getting the malware out of the registry is going to be a problem.
3: If you have Malwarebytes 2.0 on the good drive, we can run a Custom scan on the infected hard drive. This would be the first thing to do.
4: Then access the infected drive and look for the malware files. (Below are samples from past infections.)
They can be anywhere, but usually in these locations. Of course the user names will be different:
C:\Documents and Settings\mixael padilla\Application Data
C:\Documents and Settings\mixael padilla\Local Settings\Application Data
C:\Users\Test\AppData\Roaming
C:\ProgramData
C:\Users\elvis\Documents
Here's the samples:
C:\Documents and Settings\mixael padilla\Application Data\ypjvdod.exe
C:\Documents and Settings\mixael padilla\Local Settings\Application Data\8EVvll6gC\NrHXADuRdm.exe
C:\Users\Test\AppData\Roaming\skype.ini
C:\ProgramData\qci.pad
C:\Users\elvis\Documents\49d0e2d4.exe
C:\Users\elvis\Documents\49d0e2d4.dll
C:\ProgramData\2433f433
C:\Users\Dmac33\AppData\Roaming\2433f433
C:\Users\Dmac33\AppData\Local\2433f433
C:\Users\Dmac33\Documents\595159d6.exe
C:\ProgramData\Application Data\2433f433
C:\Users\EKeenan\Local Settings\Application Data\2433f433
C:\Users\EKeenan\Local Settings\2433f433
C:\Users\Tracey\AppData\Local\z4GlKA07\KDpGL2ymZE.exe
C:\Users\Administrator\AppData\Local\DRMPhdmi\4KU6ofZfGb.exe
C:\Users\Tracey\AppData\Local\z4GlKA07
C:\Users\Tracey\AppData\Roaming\gQPQ1aa9GvU
C:\Users\Tracey\AppData\Local\vBRYW3g0
C:\ProgramData\ITM5CRaqY
C:\ProgramData\hash.dat
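As an added example for point 4 (not code from this thread or from any tool it mentions), the script below does the "look for the malware files" step against a drive mounted as a slave: it walks the XP and Vista+ profile folders and ProgramData listed above and flags files that resemble the samples (an executable dropped straight into a profile folder, an 8-hex-digit or mixed-case random-looking name, a recent modification time). The drive letter, the cut-off date and the name heuristics are assumptions; it is read-only, so review the hits by hand before removing anything.

```python
import glob
import os
import re
import sys
from datetime import datetime, timedelta

# Profile/data folders the thread lists, relative to the root of the infected drive.
# "*" stands for the user name, which differs on every machine.
CANDIDATE_DIRS = [
    ("Documents and Settings", "*", "Application Data"),                   # XP
    ("Documents and Settings", "*", "Local Settings", "Application Data"),  # XP
    ("Users", "*", "AppData", "Roaming"),                                  # Vista and later
    ("Users", "*", "AppData", "Local"),
    ("Users", "*", "Documents"),
    ("ProgramData",),
]
EXEC_EXT = {".exe", ".dll", ".scr", ".com"}
HEX8 = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)  # stems like 49d0e2d4 or 2433f433

def case_transitions(s):
    """Count switches between lower/upper/digit runs: 'Microsoft' -> 1, 'NrHXADuRdm' -> 5."""
    classes = ["d" if c.isdigit() else "u" if c.isupper() else "l" for c in s]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)

def looks_random(name):
    """Assumed heuristic: an 8-hex-digit stem, or >= 8 alphanumerics with >= 3 case/digit switches."""
    stem = os.path.splitext(name)[0]
    if HEX8.match(stem):
        return True
    return stem.isalnum() and len(stem) >= 8 and case_transitions(stem) >= 3

def triage(root, since=None, max_depth=1):
    """Return [(path, [reasons])] for files in the candidate folders, down to max_depth
    levels below them, that trip at least two heuristics. Read-only: nothing is deleted."""
    findings = []
    for parts in CANDIDATE_DIRS:
        for base in glob.glob(os.path.join(root, *parts)):
            base = os.path.normpath(base)
            for dirpath, dirnames, filenames in os.walk(base):
                depth = os.path.normpath(dirpath).count(os.sep) - base.count(os.sep)
                if depth >= max_depth:
                    dirnames[:] = []  # stop os.walk from descending further
                for fn in filenames:
                    path = os.path.join(dirpath, fn)
                    reasons = []
                    if os.path.splitext(fn)[1].lower() in EXEC_EXT:
                        reasons.append("executable in profile/data folder")
                    if looks_random(fn):
                        reasons.append("random-looking file name")
                    if depth > 0 and looks_random(os.path.basename(dirpath)):
                        reasons.append("random-looking parent folder")
                    if since and datetime.fromtimestamp(os.path.getmtime(path)) >= since:
                        reasons.append("modified since " + since.strftime("%Y-%m-%d"))
                    if len(reasons) >= 2:
                        findings.append((path, reasons))
    return findings

if __name__ == "__main__":
    # Usage from the clean system: python triage.py F:\   (drive letter of the slave, assumed)
    drive = sys.argv[1] if len(sys.argv) > 1 else "F:\\"
    for path, reasons in triage(drive, since=datetime.now() - timedelta(days=14)):
        print(path, "->", "; ".join(reasons))
```

Anything reported with two or more reasons is worth a Malwarebytes custom scan of that file and a look at the registry run locations that reference it, which is the manual deletion route MrCharlie describes.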
loringdesign Posted April 7, 2014 Author ID:814761
Hello, I would like to set a block of time today, or whenever you are able to work on this, so that I can give it my full attention and make use of the valuable help you are offering. By coming and going so sporadically I don't mean to be unappreciative or difficult. I was being pulled in many directions but now it's more manageable. So I will address your four points as best I can, and then if you would be kind enough to let me know when you can work on this again I will try to shift my schedule accordingly. If we could hit it first thing Monday morning that would probably be best. So if you are 3 hrs ahead and are able to help me around 8 or 9 (east coast time), I plan to be up early and prepared. If the morning doesn't work, my next opening would be late afternoon my time. Lastly, would it be helpful to start with a phone call, if you even work that way? If so I'm at 3107708114 anytime.

OK, I will address the 4 points below in orange font:

> 1: Can you get to a command prompt with the infected computer??
If I understand, the quick answer is "no", but I have to ask 2 questions back:
A) Is a command prompt very particular, as in "safe mode with command prompt", or is it anywhere I'm able to type words, like start menu "run" or "search"?
B) Does "infected computer" refer to the infected drive only, or literally the unit with desktop and multiple drives? If I understand, I tried to run the infected drive set as master in all 3 safe modes and from the CD using all your suggestions and tricks, only to end up on the ICE page.
> 2: Not getting the malware out of the registry is going to be a problem.
> 3: If you have Malwarebytes 2.0 on the good drive, we can run a Custom scan on the infected hard drive. This would be the first thing to do.
> 4: Then access the infected drive and look for the malware files.
> (Below are samples from past infections.) They can be anywhere, but usually in these locations. Of course the user names will be different: