Re: [H] Reveton ransomware

2013-04-01 Thread Bobby Heid
I had told my brother-in-law to take it to a local shop.  He took it to Best
Buy, they wanted $300 ($100 or so for some sort of warranty).  They then took
it to a local shop.  They basically did a system restore from the menu that
you get to when pressing F8 from a boot.  This cleared it up.  I am not sure
I have ever noticed the restore command from there.

No, I did not know about the tip that Jeff talks about below.  Good thing to
know for next time.

Thanks for all of the suggestions!

Bobby

-Original Message-
From: hardware-boun...@lists.hardwaregroup.com
[mailto:hardware-boun...@lists.hardwaregroup.com] On Behalf Of Jeff Lane
Sent: Sunday, March 31, 2013 11:09 PM
To: hardw...@lists.hardwaregroup.com
Subject: Re: [H] Reveton ransomware

Have you tried opening the Command Prompt via F8 and running rstrui.exe to run
System Restore to an earlier date? The current one will probably be
infected, so he should go back a bit if he can. Good luck.

Jeff

Your six is clear, just put your nose on the horizon and enjoy the
sunrise.

 
Jeff


Thanks Julian.  I tried to get him into safe mode.  He cannot do anything
there.  He gets the same ransom screen in safe mode as regular mode.

Bobby


He can reboot his computer in safe mode and look at both the StartUp items
and the run entries in the registry (might be best for him to run msconfig
to do this) and find the name of the software.  It will be random
letters.exe.  Delete the places in reg/startup where it is and then go and
delete the file.


Julian


On Sun, Mar 31, 2013 at 8:24 PM, Bobby Heid bh...@sc.rr.com wrote:

 Hey,



 My brother-in-law just called me.  He is apparently infected with the
 Reveton ransomware by Citadel.  He has the one with the FBI warning
 that all of his communications are being monitored by the FBI.  It
 says he needs to pay $300 for them to release his PC back to him.  I
 tried to get him into safe mode (with networking), but the ransomware
 has that blocked also.



 My quick research online basically says we need to download stuff and 
 burn an image onto a CD/DVD/USB.  I am 300 miles away from him and 
 they are not technically able to do what is needed to clean it.



 Anyone have any insights into this malware so that I might help them?  
 I basically told him he needs to take it somewhere locally to have it 
 cleaned.



 Thanks,

 Bobby







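The System Restore step that cleared this machine, scripted as an added example (this is not code from the thread or from any of its posters). It lists the restore points, picks the newest one created before the day the ransom screen appeared, and runs the restore. The cutoff date below is an assumption to adjust; the script needs an elevated PowerShell (from the F8 menu choose "Safe Mode with Command Prompt", then type powershell at the prompt), and Restore-Computer reboots the machine.

```powershell
# Added example, not from the thread: drive System Restore from PowerShell
# instead of the rstrui.exe wizard, so the restore point is chosen by date.

function Get-RestorePoints {
    # Get-ComputerRestorePoint returns CreationTime as a WMI (DMTF) timestamp
    # string; convert it to a DateTime so it can be compared and sorted.
    Get-ComputerRestorePoint | ForEach-Object {
        New-Object PSObject -Property @{
            SequenceNumber = $_.SequenceNumber
            Created        = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Description    = $_.Description
        }
    }
}

function Select-RestorePointBefore {
    # Newest restore point strictly older than $Cutoff, or $null if none exists.
    # A point created on or after the infection day would restore the infection too.
    param([Parameter(Mandatory = $true)][datetime]$Cutoff)
    Get-RestorePoints | Where-Object { $_.Created -lt $Cutoff } |
        Sort-Object Created -Descending | Select-Object -First 1
}

# Day the ransom screen first appeared (assumption; set it to the real date).
$Infected = Get-Date '2013-03-31'

# Show everything available so the choice can be sanity-checked by eye.
Get-RestorePoints | Sort-Object Created | Format-Table SequenceNumber, Created, Description -AutoSize

$target = Select-RestorePointBefore -Cutoff $Infected
if ($target -eq $null) {
    Write-Warning "No restore point older than $Infected; System Restore cannot help here."
} else {
    Write-Host "Restoring to #$($target.SequenceNumber) from $($target.Created): $($target.Description)"
    # -Confirm prompts before the reboot; the restore itself runs during startup.
    Restore-Computer -RestorePoint $target.SequenceNumber -Confirm
}
```

After the reboot, Get-ComputerRestorePoint -LastStatus reports whether the restore completed. System Restore rolls back the registry and monitored system files, which is what removes the autostart entry, but it does not necessarily delete the dropped executable, so the machine should still be scanned afterwards.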

Re: [H] Reveton ransomware

2013-03-31 Thread Julian Zottl
He can reboot his computer in safe mode and look at both the StartUp items
and the run entries in the registry (might be best for him to run msconfig
to do this) and find the name of the software.  It will be random
letters.exe.  Delete the places in reg/startup where it is and then go and
delete the file.


Julian


On Sun, Mar 31, 2013 at 8:24 PM, Bobby Heid bh...@sc.rr.com wrote:

 Hey,



 My brother-in-law just called me.  He is apparently infected with the
 Reveton ransomware by Citadel.  He has the one with the FBI warning that
 all of his communications are being monitored by the FBI.  It says he needs
 to pay $300 for them to release his PC back to him.  I tried to get him into
 safe mode (with networking), but the ransomware has that blocked also.



 My quick research online basically says we need to download stuff and burn
 an image onto a CD/DVD/USB.  I am 300 miles away from him and they are not
 technically able to do what is needed to clean it.



 Anyone have any insights into this malware so that I might help them?  I
 basically told him he needs to take it somewhere locally to have it
 cleaned.



 Thanks,

 Bobby



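The manual hunt Julian describes (Startup items plus the Run entries in the registry, looking for a random-letters .exe), written out as an added example that is not code from the thread. It enumerates the Run/RunOnce keys for the user and the machine and both Startup folders, resolves .lnk files to their targets, and scores each entry the way a hand triage would: random-looking name, path under a user-writable directory, and no valid Authenticode signature. The Winlogon Shell/Userinit check goes beyond what the thread mentions; the name heuristic thresholds are assumptions and will produce some false positives. Run it in an elevated PowerShell from Safe Mode with Command Prompt, logged on as the affected user.

```powershell
# Added example, not from the thread: list autostart entries and flag the
# ones worth deleting.  Nothing here removes anything; it only reports.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# Directories an unprivileged user (or malware running as one) can write to.
$UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC)

function Get-ImagePath {
    # Pull the executable out of a Run value such as  "C:\x\y.exe" /arg  or  C:\x\y.exe
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: take the first token (misparses unquoted paths containing spaces).
    return ($cmd -split '\s+')[0]
}

function Get-ShortcutTarget {
    # Resolve a .lnk in a Startup folder to the file it launches.
    param([string]$LnkPath)
    $shell = New-Object -ComObject WScript.Shell
    return $shell.CreateShortcut($LnkPath).TargetPath
}

function Test-RandomName {
    # Heuristic for "random letters.exe": alphanumeric, 6+ chars, and either
    # very few vowels (y counted as one) or a five-consonant run.  Assumption.
    param([string]$Path)
    $base = [IO.Path]::GetFileNameWithoutExtension($Path)
    if ($base -notmatch '^[A-Za-z0-9]{6,}$') { return $false }
    $vowels = [regex]::Matches($base, '[aeiouyAEIOUY]').Count
    return (($vowels / $base.Length) -lt 0.2 -or $base -match '[bcdfghjklmnpqrstvwxz]{5}')
}

function Get-Reasons {
    # Return the list of reasons an image path looks suspicious (empty = looks normal).
    param([string]$Path)
    $reasons = @()
    if (Test-RandomName $Path) { $reasons += 'random-looking name' }
    foreach ($d in $UserWritable) {
        if ($d -and $Path -like "$d\*") { $reasons += 'user-writable path'; break }
    }
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    } else {
        $reasons += 'file not found'
    }
    return $reasons
}

$findings = @()
foreach ($k in $RunKeys) {
    $key = Get-Item -Path $k -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $path = Get-ImagePath ([string]$key.GetValue($name))
        $findings += New-Object PSObject -Property @{
            Source = $k; Name = $name; Path = $path; Reasons = (Get-Reasons $path) -join ', '
        }
    }
}
foreach ($d in $StartupDirs) {
    foreach ($f in (Get-ChildItem -LiteralPath $d -Force -ErrorAction SilentlyContinue)) {
        $path = if ($f.Extension -eq '.lnk') { Get-ShortcutTarget $f.FullName } else { $f.FullName }
        $findings += New-Object PSObject -Property @{
            Source = $d; Name = $f.Name; Path = $path; Reasons = (Get-Reasons $path) -join ', '
        }
    }
}
# Winlogon: anything other than the stock values means the logon shell itself was replaced.
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = [regex]::Escape("$env:windir\system32\userinit.exe")
if ($wl.Shell -ne 'explorer.exe') {
    $findings += New-Object PSObject -Property @{ Source = 'Winlogon'; Name = 'Shell'; Path = $wl.Shell; Reasons = 'non-default shell' }
}
if ($wl.Userinit -notmatch "^$expectedUserinit,?$") {
    $findings += New-Object PSObject -Property @{ Source = 'Winlogon'; Name = 'Userinit'; Path = $wl.Userinit; Reasons = 'non-default userinit' }
}

# Suspicious entries first; everything else is listed too so nothing is hidden.
$findings | Sort-Object { $_.Reasons -eq '' } | Format-Table Source, Name, Path, Reasons -AutoSize -Wrap
```

An entry that launches through a host such as rundll32.exe shows the host in the Path column, not the payload, so read the full value in the registry before deleting anything. Once the entry and its file are identified, remove the registry value (or the Startup shortcut) first and delete the file second, then reboot normally and confirm the ransom screen is gone.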

Re: [H] Reveton ransomware

2013-03-31 Thread Bobby Heid
Thanks Julian.  I tried to get him into safe mode.  He cannot do anything
there.  He gets the same ransom screen in safe mode as regular mode.

Bobby

-Original Message-
From: hardware-boun...@lists.hardwaregroup.com
[mailto:hardware-boun...@lists.hardwaregroup.com] On Behalf Of Julian Zottl
Sent: Sunday, March 31, 2013 8:41 PM
To: hardw...@lists.hardwaregroup.com
Subject: Re: [H] Reveton ransomware

He can reboot his computer in safe mode and look at both the StartUp items
and the run entries in the registry (might be best for him to run msconfig
to do this) and find the name of the software.  It will be random
letters.exe.  Delete the places in reg/startup where it is and then go and
delete the file.


Julian


On Sun, Mar 31, 2013 at 8:24 PM, Bobby Heid bh...@sc.rr.com wrote:

 Hey,



 My brother-in-law just called me.  He is apparently infected with the
 Reveton ransomware by Citadel.  He has the one with the FBI warning that
 all of his communications are being monitored by the FBI.  It says he needs
 to pay $300 for them to release his PC back to him.  I tried to get him into
 safe mode (with networking), but the ransomware has that blocked also.



 My quick research online basically says we need to download stuff and burn
 an image onto a CD/DVD/USB.  I am 300 miles away from him and they are not
 technically able to do what is needed to clean it.



 Anyone have any insights into this malware so that I might help them?  I
 basically told him he needs to take it somewhere locally to have it
 cleaned.



 Thanks,

 Bobby






Re: [H] Reveton ransomware

2013-03-31 Thread Christopher Fisk
The fake FBI virus is annoying, do you know if his user account had admin
rights?  Generally you can create a new user account and clean it from
there.  I like to yank the hard drive and scan from a known clean system,
but you can also just make a backup of his current profile and delete the
existing one and recreate/restore data.



On Sun, Mar 31, 2013 at 9:46 PM, Bobby Heid bh...@sc.rr.com wrote:

 Thanks Julian.  I tried to get him into safe mode.  He cannot do anything
 there.  He gets the same ransom screen in safe mode as regular mode.

 Bobby

 -Original Message-
 From: hardware-boun...@lists.hardwaregroup.com
 [mailto:hardware-boun...@lists.hardwaregroup.com] On Behalf Of Julian
 Zottl
 Sent: Sunday, March 31, 2013 8:41 PM
 To: hardw...@lists.hardwaregroup.com
 Subject: Re: [H] Reveton ransomware

 He can reboot his computer in safe mode and look at both the StartUp items
 and the run entries in the registry (might be best for him to run msconfig
 to do this) and find the name of the software.  It will be random
 letters.exe.  Delete the places in reg/startup where it is and then go and
 delete the file.

 
 Julian


 On Sun, Mar 31, 2013 at 8:24 PM, Bobby Heid bh...@sc.rr.com wrote:

  Hey,
 
 
 
  My brother-in-law just called me.  He is apparently infected with the
  Reveton ransomware by Citadel.  He has the one with the FBI warning that
  all of his communications are being monitored by the FBI.  It says he needs
  to pay $300 for them to release his PC back to him.  I tried to get him into
  safe mode (with networking), but the ransomware has that blocked also.
 
 
 
  My quick research online basically says we need to download stuff and
 burn
  an image onto a CD/DVD/USB.  I am 300 miles away from him and they are
 not
  technically able to do what is needed to clean it.
 
 
 
  Anyone have any insights into this malware so that I might help them?  I
  basically told him he needs to take it somewhere locally to have it
  cleaned.
 
 
 
  Thanks,
 
  Bobby
 
 





Re: [H] Reveton ransomware

2013-03-31 Thread Jeff Lane
Have you tried opening the Command Prompt via F8 and running rstrui.exe to run
System Restore to an earlier date? The current one will probably be
infected, so he should go back a bit if he can. Good luck.

Jeff

Your six is clear, just put your nose on the horizon and enjoy the
sunrise.

 
Jeff


Thanks Julian.  I tried to get him into safe mode.  He cannot do anything
there.  He gets the same ransom screen in safe mode as regular mode.

Bobby


He can reboot his computer in safe mode and look at both the StartUp items
and the run entries in the registry (might be best for him to run msconfig
to do this) and find the name of the software.  It will be random
letters.exe.  Delete the places in reg/startup where it is and then go and
delete the file.


Julian


On Sun, Mar 31, 2013 at 8:24 PM, Bobby Heid bh...@sc.rr.com wrote:

 Hey,



 My brother-in-law just called me.  He is apparently infected with the
 Reveton ransomware by Citadel.  He has the one with the FBI warning
 that all of his communications are being monitored by the FBI.  It
 says he needs to pay $300 for them to release his PC back to him.  I
 tried to get him into safe mode (with networking), but the ransomware
 has that blocked also.



 My quick research online basically says we need to download stuff and 
 burn an image onto a CD/DVD/USB.  I am 300 miles away from him and 
 they are not technically able to do what is needed to clean it.



 Anyone have any insights into this malware so that I might help them?  
 I basically told him he needs to take it somewhere locally to have it 
 cleaned.



 Thanks,

 Bobby