Pop Quiz #2

What command should be typed to get to the Desktop?

  • Bitsadmin (votes: 0, 0.0%)
  • Cacls (votes: 0, 0.0%)
  • Endlocal (votes: 0, 0.0%)
  • Ksetup (votes: 0, 0.0%)

  Total voters: 7. Poll closed.

cruelsister (thread author)
A real easy one today, but important to know.

Scenario:

You use Windows 7 and are checking your email; you see a message with the heading "Sexy Girls" that comes with an attachment "sexy-girls.jpg.exe". Being male, you have a Genetic Imperative to explore further, so you run the file. Surprise! Instead of images you now have a variety of FBI ransomware that locks you out. No problem, right? Boot into Safe Mode and remove it. However, when either Safe Mode or Safe Mode with Networking is tried, you are still presented with the nasty ransom screen.

Being a member of MT, this presents no issue to you, as you know that ransomware won't prevent you from using Safe Mode with Command Prompt. So you safe-boot to the command prompt, get presented with the command box (C:\Windows\System32) and type a command. Your Desktop now appears behind the command window. You now get to work and remove the malware.

What Command did you type?
 

Deleted member 21043

"sexy-girls.jpg.exe" - Yes, the title is making me unable to resist exploring! :oops::rolleyes:... However, if I saw a file with an extension added into the name and then a second extension, I would be pretty cautious about it. I would insist on running it in a Virtual Machine or Sandbox before using it properly... Unless I'm feeling crazy, of course :eek:

Anyway, as for the command, I would say explorer is the closest (for the desktop)... In fact, I don't even know the other ones. Are they faked? Either way, me and CMD don't match very well... :D:p
 

WinXPert
Explorer, what else?

Dang double extensions, sexy-girls.jpg.exe. First, the chances that I'll read this email are remote, because these types go directly to my Spam folder; in case this one was able to squeeze in, I'll just ignore it. Or maybe, out of curiosity, download the file and play with it. Okay, change of plan: the PC won't boot in Safe Mode for some unknown reason; heard the saying "when it rains it pours". Next course of action is to boot with Linux and trash the FBI, NSA, CIA, IRS, whatever ransomware. After that I'll reward myself by watching Ransom with Mel Gibson. What a way to start a day.
 

WinXPert

> I don't think it's any of them; if it's one, it's explorer. However, I would simply type in rstrui.exe in the cmd prompt and restore my system...

What if System Restore is disabled, not by the FBI ransomware but by something else? And what if you had known that the email came from a cow? Hypothetically speaking, of course.
 

Chromatinfish 123
> "sexy-girls.jpg.exe" - Yes, the title is making me unable to resist exploring! :oops::rolleyes:... However, if I saw a file with an extension added into the name and then a second extension, I would be pretty cautious about it. I would insist on running it in a Virtual Machine or Sandbox before using it properly... Unless I'm feeling crazy, of course :eek:
>
> Anyway, as for the command, I would say explorer is the closest (for the desktop)... In fact, I don't even know the other ones. Are they faked? Either way, me and CMD don't match very well... :D:p

I think the .exe won't be displayed, so it will only say .jpg, as Windows automatically takes away the extension. That's their way of cheating. I've seen files that say .jpg or .gif that are really .7z/.zip/.exe files...
 

WinXPert

I have "show extensions of known file types" on by default.
 

Deleted member 21043

> I think the .exe won't be displayed, so it will only say .jpg, as Windows automatically takes away the extension. That's their way of cheating. I've seen files that say .jpg or .gif that are really .7z/.zip/.exe files...
Yeah, that's true. But, I don't "run". I save the files. Then I check the extension before running.
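The double-extension trick the posts above describe ("sexy-girls.jpg.exe" shown as "sexy-girls.jpg") depends on Explorer's "Hide extensions for known file types" setting. The following is an added example, not code from the thread: it flags attachment names whose real (outer) extension is executable while the inner one looks like a document or image, then reads and clears the HideFileExt value under HKCU so the full name is shown. The executable and decoy extension lists and the sample file names are my own constructed choices; the registry path and value name are the standard Explorer ones. Runs on PowerShell 2.0 and later.

```powershell
# Added example, not from the thread. Flags "double extension" attachment names
# such as sexy-girls.jpg.exe, which Explorer shows as "sexy-girls.jpg" while
# "Hide extensions for known file types" is enabled.

# Extensions Windows runs directly or hands to a script host (my own list).
$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd',
                          '.vbs', '.js', '.jse', '.wsf', '.hta', '.msi', '.ps1')
# "Harmless looking" inner extensions an attacker would use as a decoy (my own list).
$DecoyExtensions = @('.jpg', '.jpeg', '.png', '.gif', '.pdf', '.doc', '.docx',
                     '.xls', '.xlsx', '.txt', '.zip')

function Test-DoubleExtension {
    param([Parameter(Mandatory = $true)][string]$FileName)
    $parts = $FileName.Split('.')
    # Need at least name.inner.outer for a double extension.
    if ($parts.Count -lt 3) { return $false }
    $outer = '.' + $parts[-1].ToLowerInvariant()
    $inner = '.' + $parts[-2].ToLowerInvariant()
    # Suspicious only when the real extension executes and the inner one is a decoy,
    # so names like archive.tar.gz are not flagged.
    return ($ExecutableExtensions -contains $outer) -and ($DecoyExtensions -contains $inner)
}

# Constructed sample attachment names, not taken from any real mail.
$samples = @('sexy-girls.jpg.exe', 'invoice.pdf.scr', 'holiday.jpg',
             'report.docx', 'setup.exe', 'backup.tar.gz')
foreach ($name in $samples) {
    $verdict = if (Test-DoubleExtension $name) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-22} {1}' -f $name, $verdict
}

# Explorer's per-user setting: HideFileExt 1 = extensions hidden, 0 = shown.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$current = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
"HideFileExt currently: $current"
# Show extensions from now on; Explorer picks this up the next time it starts
# (or after a log-off/log-on).
Set-ItemProperty -Path $key -Name HideFileExt -Value 0 -Type DWord
```

The name check is deliberately narrow: a file ending in .exe with no decoy inner extension (setup.exe) is an ordinary program and is left to the usual judgement, and the check says nothing about the file's content, only its name. Pair it with the registry change so the name you see in Explorer is the name the check sees.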
 

McLovin
I'm just gonna say that I wish I didn't run that file.

If I ever get that sort of email that gets past Trend's anti-spam, I add it to the block list and just delete it. For one single click can turn into hours, maybe even weeks, of restoration. :)
 

Thingol
I think the answer is Explorer. Can't see what help the others would be in that scenario.

Most on the forums would not be fooled, I hope ;) but it's a good example of why I use SBIE and AppGuard, though. IMO you need to restrict threat-gates like browsers/mail clients. AG would have blocked it, and SBIE would likely not let it run either in my set-up, but if it did, it would likely contain it and flush it away. :cool:

In the real world, if anything got past my security stuff I'd likely boot into the IFW recovery console or use the bootable media to restore a backup. No telling if the ransomware also dropped something that will cause you further issues later.

Cheers
 

cruelsister (thread author)
You guys are smart - the answer is indeed "Explorer". This will bring up the Desktop behind the Command Prompt window, and analysis and removal of the malware can be done. Assuming that you hadn't uninstalled Malwarebytes and/or HMP to make room for the porno, malware remediation can be done with either of these with efficiency; but even if you didn't have either installed, a quick look at what is scheduled to start with Windows (via MSCONFIG or similar) will lead you to the malware, which could be manually deleted (further registry changes can be corrected after this).

Notice that I specified Windows 7 in the original question. The reason I didn't include Windows 8 is that getting into the Boot Menu in 8 can present problems. As the startup routine is more RAM intensive than with previous builds of Windows, the ease with which F8 will lead to the Boot Menu is inversely proportional to the speed of your computer (basically no way). So to make things easier there is a tweak that can be done in Windows 8.1 to restore the legacy boot menu; at the command prompt type:

bcdedit /set {default} bootmenupolicy legacy

to reverse the above change:

bcdedit /set {default} bootmenupolicy standard
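The post above gives the manual procedure: from Safe Mode with Command Prompt, type explorer to get the Desktop, then look at what starts with Windows (MSCONFIG) to find the locker. The following is an added example, not code from the thread or from any of the posters: a read-only PowerShell listing of the autostart locations MSCONFIG covers (the Run/RunOnce keys and the Startup folders), plus the Winlogon Shell and Userinit values, with each entry marked as suspicious when its command runs from a user-writable folder such as %TEMP% or %APPDATA%. The set of "user-writable" folders and the suspicious-path rule are my own heuristics; the registry paths are the standard Windows ones. It can be started from the same Safe Mode command window by typing powershell, runs on PowerShell 2.0 and later, and deletes nothing.

```powershell
# Added example, not from the thread. Enumerates Windows autostart locations and
# flags commands that run from user-writable folders. Read-only: prints, never deletes.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Shell normally reads "explorer.exe" and Userinit "<system32>\userinit.exe,";
# anything else here is worth a close look, since it runs at every logon.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$startupFolders = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
# Folders a non-admin process can write to (my own list, extend as needed).
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData,
                  "$env:USERPROFILE\Downloads", "$env:SystemRoot\Temp")

function New-Entry($Location, $Name, $Command) {
    New-Object PSObject -Property @{ Location = $Location; Name = $Name; Command = [string]$Command }
}

function Test-SuspiciousPath {
    param([string]$CommandLine)
    # Expand %VAR% references and strip surrounding quotes before comparing.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim('"')
    foreach ($dir in $userWritable) {
        if ($dir -and $expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-AutorunEntries {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, ... ; skip those.
            if ($p.Name -like 'PS*') { continue }
            $entries += New-Entry $key $p.Name $p.Value
        }
    }
    foreach ($name in 'Shell', 'Userinit') {
        $val = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
        if ($val) { $entries += New-Entry $winlogon $name $val }
    }
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer }) {
            $entries += New-Entry $folder $file.Name $file.FullName
        }
    }
    return $entries
}

Get-AutorunEntries |
    Select-Object Location, Name, Command, @{ n = 'Suspicious'; e = { Test-SuspiciousPath $_.Command } } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize -Wrap
```

Treat the Suspicious column as a starting point, not a verdict: legitimate updaters also run from %LOCALAPPDATA%, and a locker can be installed anywhere an elevated dropper could write. Once the entry is identified, remove the file and the value that points at it, then reboot normally to confirm the lock screen is gone; the poster's note about correcting further registry changes afterwards still applies.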
 

Behold Eck
What about the porn, do we get that back as well? :D

Great quiz; this could be the very thing, if called upon to remedy my son's computer with.

Love it.

Regards Eck:)
 
