Police Ransom Virus

TorpedoJones

New Member
Thread author
Jan 21, 2013
10
Hi

Have read extensively so ran both scans for OTL & ASW. I have attached the data for both. However, when running OTL I only got one log, OTL.txt. Nothing for EXTRAS.txt, and no 2nd screen popping up after the OTLPE scan was done.
 

Attachments

  • OTL.txt (51.5 KB)
  • aswMBR.txt (1.4 KB)

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
<hr />

Are you able to start the computer in Safe mode now?

STEP 1: Run the below OTL fix
<ol><li>Start <b>OTL.exe</b></li>
<li>Copy/paste the following text written <b>inside of the code box</b> into the <b>Custom Scans/Fixes</b> box located at the bottom of OTL

Code:
:Files
C:\Documents and Settings\Dell Laptop\Local Settings\Temp\frqetuoddcz.exe
C:\WINDOWS\23456789ABCDEFGH
C:\Documents and Settings\All Users\Application Data\6816D423B3FE2207000068166C1529E9
C:\Documents and Settings\All Users\Application Data\ljypzatytugsxbi
C:\Documents and Settings\Dell Laptop\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:OTL
O20 - HKU\Dell_Laptop_ON_C Winlogon: Shell - (C:\DOCUME~1\DELLLA~1\LOCALS~1\Temp\frqetuoddcz.exe) - C:\Documents and Settings\Dell Laptop\Local Settings\Temp\frqetuoddcz.exe (Microsoft Corporation)

:Commands
[EmptyTemp]
[EmptyFlash]
[EmptyJava]
[Reboot]

<b>NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.</b></li>
<li>Then click the <b>Run Fix</b> button at the top</li>
<li>Let the program run unhindered, and reboot when it is done</li>
<li>Attach the new log produced by OTL (C:\_OTL)</li>
</ol>

<hr />

What's next?

Add the following logs to your next post (You can find here details on how to use the Attachment System):
1. OTL Log
2. Let me know if you had any problems with the above instructions and also <b>let me know how things are running now!</b>


<hr />
 
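The O20 line in the fix above is the whole persistence trick of this lock-screen ransomware: it swaps the Winlogon Shell value from explorer.exe to an executable dropped in the user's Temp folder, so the ransom screen is the only "desktop" that ever loads. As an added example (not from the thread, OTL or MalwareTips), here is a small Python check that reads O20 lines from an OTL scan log and flags a Shell or Userinit value that points at an unexpected binary or at a user-writable path; the sample log is constructed, and the default-binary table assumes Windows XP-era values.

```python
import re

# Constructed OTL scan excerpt (not a log from the thread). The first O20 line
# mirrors the entry removed by the fix script above; the other two are typical
# clean Windows XP values, added for contrast.
SAMPLE_OTL_LOG = r"""
O20 - HKU\Dell_Laptop_ON_C Winlogon: Shell - (C:\DOCUME~1\DELLLA~1\LOCALS~1\Temp\frqetuoddcz.exe) - C:\Documents and Settings\Dell Laptop\Local Settings\Temp\frqetuoddcz.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe,) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
""".strip()

# OTL O20 layout: "O20 - <hive> Winlogon: <value> - (<registry data>) - <resolved file> (<company>)"
O20_RE = re.compile(
    r"^O20 - (?P<hive>\S+) Winlogon: (?P<value>\w+) - \((?P<data>.*?)\) - (?P<resolved>.*)$"
)

# Binaries Windows itself places in these Winlogon values (assumption: XP-era defaults).
EXPECTED_BINARIES = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

# User-writable locations from which a legitimate shell or userinit never runs.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\application data\\", "\\local settings\\")


def basename(path):
    """Last path component, lower-cased, with OTL's trailing comma removed."""
    return path.rstrip(",").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_winlogon_hijacks(log_text):
    """Return O20 entries whose Shell/Userinit value does not name the expected
    Windows binary, or whose binary lives in a user-writable directory."""
    findings = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue
        value, data = m.group("value").lower(), m.group("data")
        reasons = []
        if value in EXPECTED_BINARIES and basename(data) not in EXPECTED_BINARIES[value]:
            reasons.append("unexpected binary")
        if any(marker in data.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("runs from user-writable path")
        if reasons:
            findings.append({"hive": m.group("hive"), "value": m.group("value"),
                             "data": data, "reasons": reasons, "line": line.strip()})
    return findings


def otl_fix_section(findings):
    """Build the ':OTL' section of a fix script: OTL accepts the flagged log
    lines verbatim, which is exactly what the thread's script does."""
    return [":OTL"] + [f["line"] for f in findings]
```

The flagged entry's original log line is what goes under `:OTL`; the matching file path from the resolved-file field is what the `:Files` section of the fix lists.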


TorpedoJones

New Member
Thread author
Jan 21, 2013
10
Hey Kuttus,

Thanks for replying so quick. Firstly, how do I access "Safe Mode"? If it does work in safe mode, do I then run the copy/paste script you have given me by still re-loading my CD and still going into the Reatogo screen, then re-running OTL? Or do I run OTL within the safe mode screen if I have access?

I am clearly a technophobe!

TJ
 

TorpedoJones

New Member
Thread author
Jan 21, 2013
10
TorpedoJones said:
Hey Kuttus,

Thanks for replying so quick. Firstly, how do I access "Safe Mode"? If it does work in safe mode, do I then run the copy/paste script you have given me by still re-loading my CD and still going into the Reatogo screen, then re-running OTL? Or do I run OTL within the safe mode screen if I have access?

I am clearly a technophobe! Also, how can I back up files if I have no access to the infected computer? Can you guide me through the back-up procedure?

TJ
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi TJ,

If you are able to start the computer in safe mode, run it in safe mode. Otherwise, run OTL the same way you did before.

<h3>Steps to Start your computer in Safe Mode with Networking</h3>
<ol><li>Remove all floppy disks, CDs, and DVDs from your computer, and then <b>restart your computer</b>.</li>
<li><b>Press and hold the F8 key as your computer restarts</b>. Please keep in mind that you need to press the F8 key <b>before the Windows start-up logo appears</b>.
<em>Note</em>: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", <b>tap the "F8 key" continuously</b> until you get the Advanced Boot Options screen.</li>
<li>On the Advanced Boot Options screen, use the arrow keys to <b>highlight Safe Mode with Networking</b>, and then <b>press ENTER</b>.
<img title="Safe Mode with Networking screen" src="http://malwaretips.com/images/removalguide/safemode.jpg" alt="[Image: Safemode.jpg]" width="539" height="292" border="0" /></li>
</ol>
<hr />
 

TorpedoJones

New Member
Thread author
Jan 21, 2013
10
Cheers Kuttus,

OK, I will do that when I am back home. What about backing up files within my infected laptop? Is it possible to do that? If so, how?

TJ
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
TorpedoJones said:
Cheers Kuttus,

OK, I will do that when I am back home. What about backing up files within my infected laptop? Is it possible to do that? If so, how?

TJ

Run the OTL tool with the scripts; after that we can boot the computer back to Normal mode. You can take the backup from the Reatogo desktop. You can take the backup to an external hard drive.
 

TorpedoJones

New Member
Thread author
Jan 21, 2013
10
Kuttus,

No joy I'm afraid. Couldn't run in safe mode so had to use the Reatogo CD again. Ran OTL, copied/pasted the script and ran the OTL fix, which said "fixed", and I loaded the log onto the C drive. Then shut down the computer and rebooted, but nothing has changed; the virus screen continues to lock me out. What now?
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Please run the above OTL scripts once again and save the log files to your flash drive, and send me those log files also so that I can see what's happening in the scan.
 

TorpedoJones

New Member
Thread author
Jan 21, 2013
10
kuttus said:
Please run the above OTL scripts once again and save the log files to your flash drive, and send me those log files also so that I can see what's happening in the scan.

Kuttus,

Here is the log which was the result of the fix scan. Attached.

TJ
 

Attachments

  • otlpe.txt (586 bytes)

TorpedoJones

New Member
Thread author
Jan 21, 2013
10
Kuttus,

Ignore the last post with the attachment; this is the one you want after running the fix copy/paste in OTL.

========== FILES ==========
File\Folder C:\Documents and Settings\Dell Laptop\Local Settings\Temp\frqetuoddcz.exe not found.
File\Folder C:\WINDOWS\23456789ABCDEFGH not found.
File\Folder C:\Documents and Settings\All Users\Application Data\6816D423B3FE2207000068166C1529E9 not found.
File\Folder C:\Documents and Settings\All Users\Application Data\ljypzatytugsxbi not found.
File\Folder C:\Documents and Settings\Dell Laptop\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini not found.
========== OTL ==========
Registry value HKEY_USERS\Dell_Laptop_ON_C\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\DOCUME~1\DELLLA~1\LOCALS~1\Temp\frqetuoddcz.exe deleted successfully.
File C:\Documents and Settings\Dell Laptop\Local Settings\Temp\frqetuoddcz.exe not found.

OTLPE by OldTimer - Version 3.1.48.0 log created on 01222013_211410


TJ
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay... Please try the following steps for me.

Let's create a bootable HitmanPro Rescue Disk and run a scan:
STEP 1: Create a HitmanPro.Kickstart USB flash drive
<ol>
<li>While you are using a "clean" (non-infected) computer, <b>download HitmanPro</b> from the below link.
<a href="http://www.surfright.nl/en/hitmanpro/" rel="nofollow" target="_blank"> <b>HITMANPRO DOWNLOAD LINK</b></a> <em>(This link will open a download page in a new window from where you can download HitmanPro)</em></li>
<li>Insert your USB flash drive into your computer and then follow the instructions from the below video:
<iframe src="http://www.youtube.com/embed/aBS902Qr0oc?rel=0" frameborder="0" width="640" height="360"></iframe></li>
</ol>
STEP 2: Remove infection with HitmanPro.Kickstart
<ol>
<li>After you have created the HitmanPro.Kickstart USB flash drive, you can <b>insert this USB drive into the infected machine</b> and start your computer</li>
<li>Once the computer starts, <b>repeatedly tap the F11 key</b> (on some machines it's <em>F10</em> or <em>F2</em>), which should bring up the Boot Menu, from where you can select to boot from your USB.
Next, you'll need to <b>perform a system scan with HitmanPro</b> as seen in the below video:
<iframe src="http://www.youtube.com/embed/lUNHidkYsDQ?rel=0" frameborder="0" width="640" height="360"></iframe></li>
</ol>

<hr />
 

TorpedoJones

New Member
Thread author
Jan 21, 2013
10
kuttus said:
Okay... Please try the following steps for me.

Let's create a bootable HitmanPro Rescue Disk and run a scan:
STEP 1: Create a HitmanPro.Kickstart USB flash drive
<ol>
<li>While you are using a "clean" (non-infected) computer, <b>download HitmanPro</b> from the below link.
<a href="http://www.surfright.nl/en/hitmanpro/" rel="nofollow" target="_blank"> <b>HITMANPRO DOWNLOAD LINK</b></a> <em>(This link will open a download page in a new window from where you can download HitmanPro)</em></li>
<li>Insert your USB flash drive into your computer and then follow the instructions from the below video:
<iframe src="http://www.youtube.com/embed/aBS902Qr0oc?rel=0" frameborder="0" width="640" height="360"></iframe></li>
</ol>
STEP 2: Remove infection with HitmanPro.Kickstart
<ol>
<li>After you have created the HitmanPro.Kickstart USB flash drive, you can <b>insert this USB drive into the infected machine</b> and start your computer</li>
<li>Once the computer starts, <b>repeatedly tap the F11 key</b> (on some machines it's <em>F10</em> or <em>F2</em>), which should bring up the Boot Menu, from where you can select to boot from your USB.
Next, you'll need to <b>perform a system scan with HitmanPro</b> as seen in the below video:
<iframe src="http://www.youtube.com/embed/lUNHidkYsDQ?rel=0" frameborder="0" width="640" height="360"></iframe></li>
</ol>

<hr />


Hi Kuttus,

I will run Hitman.pro again as you wish. However, the reason I came to you was that this didn't work either. Once Hitman failed (I tried about 10 times) I was looking for another solution. So then I emailed you...

I will run again and let you know the outcome. In the meantime can you provide another option if Hitman fails again?

TJ
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
If HitmanPro Rescue Disk fails, try Norton Bootable Recovery Tool... :D

Stage 1
  • Download Norton Bootable Recovery Tool from this link.
  • Save the Norton Bootable Recovery Tool on your computer desktop.
  • After completing the download, open the file that you saved on the desktop. It will start the Norton Download Manager as shown below.

    http://123pcworld.com/MalwareTips/DownloadManager.PNG
  • When the download finishes, the Norton Bootable Recovery Tool Wizard starts automatically.
  • In the Norton Bootable Recovery Tool Wizard, click Agree & Install to accept the User License Agreement.

    If you want to change the default install location, click Install Options, and then click Browse to locate the new install location.
  • Follow the on-screen instructions to create the Norton Bootable Recovery Tool on a CD/DVD media or USB key.

    http://123pcworld.com/MalwareTips/NBRT.PNG
  • It will by default select your CD/DVD writer; if it is not selected, select your CD/DVD writer and click Next.

    http://123pcworld.com/MalwareTips/NBRT-2.PNG
  • Now you have to insert a blank CD/DVD into your CD/DVD writer and press OK. It will take some time to complete the bootable recovery drive creation.

    http://123pcworld.com/MalwareTips/NBRT-3.PNG


Stage 2
  • Insert the recovery media in the infected computer and start your computer from the recovery media. The recovery media can be a Norton Bootable Recovery Tool CD, DVD, or USB key.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here.
  • Read the License Agreement, type your product key, and then click I Agree. (I will send you the product key in a PM.)
  • In the Norton Bootable Recovery Tool window, click Norton Advanced Recovery Scan.
  • Click Start Scan.
  • When the scan finishes, remove the recovery media from the drive or USB port, and restart your computer.

<hr />
 

TorpedoJones

New Member
Thread author
Jan 21, 2013
10
kuttus said:
Hi,

May I know the current status of your computer?

I have not run Norton yet, but will that help my JPEG retrieval? Mainly the computer now works, but pictures are still not coming up.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
This infection locks the images, MS Office files and PDF files on the computer. To unlock them we have to try some tools.


Try

  1. ftp://ftp.drweb.com/pub/drweb/tools/te94decrypt.exe
  2. http://www.sophos.com/en-us/support/knowledgebase/117669.aspx
  3. http://www.pandasecurity.com/homeusers/support/card?id=1675&IdIdioma=1
 
