Re: [H] Reveton ransomware
I had told my brother-in-law to take it to a local shop. He took it to Best Buy, they wanted $300 ($100 or so for some sort of warranty). The then took it to a local shop. They basically did a system restore from the menu that you get to when pressing F8 from a boot. This cleared it up. I am not sure I have ever noticed the restore command from there. No, I did not know about the tip that Jeff talks about below. Good thing to know for next time. Thanks for all of the suggestions! Bobby -Original Message- From: hardware-boun...@lists.hardwaregroup.com [mailto:hardware-boun...@lists.hardwaregroup.com] On Behalf Of Jeff Lane Sent: Sunday, March 31, 2013 11:09 PM To: hardw...@lists.hardwaregroup.com Subject: Re: [H] Reveton ransomware Have you tried opening the Command Prompt via F8 and run rstrui.exe to run system Restore at an earlier date. The current one will probably be infected, so he should go back a bit if he can. Good luck. Jeff You're six is clear, just put your nose on the horizon and enjoy the sunrise. Jeff Thanks Julian. I tried to get him into safe mode. He cannot do anything there. He gets the same ransom screen in safe mode as regular mode. Bobby He can reboot his computer in safe mode and look at both the StartUp items and the run entries in the registry (might be best for him to run msconfig to do this) and find the name of the software. It will be random letters.exe. Delete the places in reg/startup where it is and then go lettersand delete the file. Julian On Sun, Mar 31, 2013 at 8:24 PM, Bobby Heid bh...@sc.rr.com wrote: Hey, My brother-in-law just called me, He is apparently infected with the reveton ransomware by citadel. He has the one with the FBI warning that all of his communications are being monitored by the FBI. It says he needs to pay $300 for them release his pc back to him. I tried to get him into safe mode (with networking), but the ransomware has that blocked also. My quick research online basically says we need to download stuff and burn an image onto a CD/DVD/USB. I am 300 miles away from him and they are not technically able to do what is needed to clean it. Anyone have any insights into this malware so that I might help them? I basically told him he needs to take it somewhere locally to have it cleaned. Thanks, Bobby
Re: [H] Reveton ransomware
He can reboot his computer in safe mode and look at both the StartUp items and the run entries in the registry (might be best for him to run msconfig to do this) and find the name of the software. It will be random letters.exe. Delete the places in reg/startup where it is and then go and delete the file. Julian On Sun, Mar 31, 2013 at 8:24 PM, Bobby Heid bh...@sc.rr.com wrote: Hey, My brother-in-law just called me, He is apparently infected with the reveton ransomware by citadel. He has the one with the FBI warning that all of his communications are being monitored by the FBI. It says he needs to pay $300 for them release his pc back to him. I tried to get him into safe mode (with networking), but the ransomware has that blocked also. My quick research online basically says we need to download stuff and burn an image onto a CD/DVD/USB. I am 300 miles away from him and they are not technically able to do what is needed to clean it. Anyone have any insights into this malware so that I might help them? I basically told him he needs to take it somewhere locally to have it cleaned. Thanks, Bobby
Re: [H] Reveton ransomware
Thanks Julian. I tried to get him into safe mode. He cannot do anything there. He gets the same ransom screen in safe mode as regular mode. Bobby -Original Message- From: hardware-boun...@lists.hardwaregroup.com [mailto:hardware-boun...@lists.hardwaregroup.com] On Behalf Of Julian Zottl Sent: Sunday, March 31, 2013 8:41 PM To: hardw...@lists.hardwaregroup.com Subject: Re: [H] Reveton ransomware He can reboot his computer in safe mode and look at both the StartUp items and the run entries in the registry (might be best for him to run msconfig to do this) and find the name of the software. It will be random letters.exe. Delete the places in reg/startup where it is and then go and delete the file. Julian On Sun, Mar 31, 2013 at 8:24 PM, Bobby Heid bh...@sc.rr.com wrote: Hey, My brother-in-law just called me, He is apparently infected with the reveton ransomware by citadel. He has the one with the FBI warning that all of his communications are being monitored by the FBI. It says he needs to pay $300 for them release his pc back to him. I tried to get him into safe mode (with networking), but the ransomware has that blocked also. My quick research online basically says we need to download stuff and burn an image onto a CD/DVD/USB. I am 300 miles away from him and they are not technically able to do what is needed to clean it. Anyone have any insights into this malware so that I might help them? I basically told him he needs to take it somewhere locally to have it cleaned. Thanks, Bobby
Re: [H] Reveton ransomware
The fake FBI virus is annoying, do you know if his user account had admin rights? Generally you can create a new user account and clean it from there. I like to yank the hard drive and scan from a known clean system, but you can also just make a backup of his current profile and delete the existing one and recreate/restore data. On Sun, Mar 31, 2013 at 9:46 PM, Bobby Heid bh...@sc.rr.com wrote: Thanks Julian. I tried to get him into safe mode. He cannot do anything there. He gets the same ransom screen in safe mode as regular mode. Bobby -Original Message- From: hardware-boun...@lists.hardwaregroup.com [mailto:hardware-boun...@lists.hardwaregroup.com] On Behalf Of Julian Zottl Sent: Sunday, March 31, 2013 8:41 PM To: hardw...@lists.hardwaregroup.com Subject: Re: [H] Reveton ransomware He can reboot his computer in safe mode and look at both the StartUp items and the run entries in the registry (might be best for him to run msconfig to do this) and find the name of the software. It will be random letters.exe. Delete the places in reg/startup where it is and then go and delete the file. Julian On Sun, Mar 31, 2013 at 8:24 PM, Bobby Heid bh...@sc.rr.com wrote: Hey, My brother-in-law just called me, He is apparently infected with the reveton ransomware by citadel. He has the one with the FBI warning that all of his communications are being monitored by the FBI. It says he needs to pay $300 for them release his pc back to him. I tried to get him into safe mode (with networking), but the ransomware has that blocked also. My quick research online basically says we need to download stuff and burn an image onto a CD/DVD/USB. I am 300 miles away from him and they are not technically able to do what is needed to clean it. Anyone have any insights into this malware so that I might help them? I basically told him he needs to take it somewhere locally to have it cleaned. Thanks, Bobby
Re: [H] Reveton ransomware
Have you tried opening the Command Prompt via F8 and run rstrui.exe to run system Restore at an earlier date. The current one will probably be infected, so he should go back a bit if he can. Good luck. Jeff You're six is clear, just put your nose on the horizon and enjoy the sunrise. Jeff Thanks Julian. I tried to get him into safe mode. He cannot do anything there. He gets the same ransom screen in safe mode as regular mode. Bobby He can reboot his computer in safe mode and look at both the StartUp items and the run entries in the registry (might be best for him to run msconfig to do this) and find the name of the software. It will be random letters.exe. Delete the places in reg/startup where it is and then go lettersand delete the file. Julian On Sun, Mar 31, 2013 at 8:24 PM, Bobby Heid bh...@sc.rr.com wrote: Hey, My brother-in-law just called me, He is apparently infected with the reveton ransomware by citadel. He has the one with the FBI warning that all of his communications are being monitored by the FBI. It says he needs to pay $300 for them release his pc back to him. I tried to get him into safe mode (with networking), but the ransomware has that blocked also. My quick research online basically says we need to download stuff and burn an image onto a CD/DVD/USB. I am 300 miles away from him and they are not technically able to do what is needed to clean it. Anyone have any insights into this malware so that I might help them? I basically told him he needs to take it somewhere locally to have it cleaned. Thanks, Bobby
