Malware Removal - French Ransomware

Discussion in 'Malware Help (A Specialist Will Reply)' started by Ixion, Jul 29, 2013.

  1. Ixion

    Ixion Private E-2

    A search for regmonstd.lnk brought me here. I appear to have picked up some kind of ransomware, which hijacks my laptop screen and camera at startup, displays a bunch of text in French, and demands payment.

    I am able to start my computer up in safe mode, however, when I start in safe mode + networking, I have no internet access. Attached you will find the logs for the diagnostic programs I was able to run. The link for downloading MGtools is blocked by the Trend Micro antivirus installed on the computer I am currently using (I cannot disable it without a password I do not have access to), so I could not run that one.

    Note that TDSSKiller detected no threats.

    Thank you in advance for any assistance you are able to provide.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Whose PC is this that you do not have the password?


    Please do the below so that we can boot to System Recovery Options to run a scan.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  3. Ixion

    Ixion Private E-2

    The computer is university-affiliated, and the Trend Micro software is the mandatory antivirus. I did not install it, and I cannot uninstall or modify it. It seems to arbitrarily block certain websites it considers harmful.

    I have attached the results of the Farbar scan, as well as the results of the TDSSKiller scan (I ran it again and got the log this time; it's still clean).
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download MGtools.exe onto another computer and then copy it to this PC to run it. Based on all your logs thus far, there are no signs of a ransomware infection or other infections.
     
  5. Ixion

    Ixion Private E-2

    Okay, here is the log.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you install and do you use DropBox?

    Do you know what the below files on your Desktop are for?
    Code:
    "C:\Users\Alexander\Desktop\"
    2013-0~1.xoj  Jun 30 2013       17520  "2013-06-30-Note-16-24.xoj"
    activa~1.exe  Sep  2 2011     5013504  "ActivateWarranty.exe"
    activa~1.htm  Aug 17 2011        3594  "Activate Warranty.html"
    hitrik1.xoj   Jul  2 2013      173957  "hitrik1.xoj"

    I don't see any positive signs of an active ransomware infection. It would be better if we could get an MGtools log from normal boot mode which would be more informative. But the FRST log also showed no signs of the infection.

    What exactly happens when you try to run in normal bootup mode? Are you unable to get past a ransomware screen? Are you sure? Have you tried pressing CTRL-ALT-DEL to see if Task Manager will run?

    Let's try the below anyway.



    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\Start Menu\\Programs\Startup\regmonstd.lnk
    C:\Users\Alexander\AppData\Local\Temp\*.*
               
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "GoogleChromeAutoLaunch_ADE45C68FEF2280A34B6F5DB75C94C09"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "PRunOnce"=-
    [HKEY_USERS\S-1-5-21-66404657-1619905089-965608288-1001\Software\Microsoft\Windows\CurrentVersion\run]
    "GoogleChromeAutoLaunch_ADE45C68FEF2280A34B6F5DB75C94C09"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Alexander^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^regmonstd.lnk]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button (image: http://forums.majorgeeks.com/chaslang/images/MoveIt!.png).
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
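    The OTM script above acts on four persistence locations at once: a .lnk in the user's Startup folder, Run values under HKCU, HKLM and the user's HKEY_USERS SID, and the MSConfig startupfolder key that records a disabled Startup item. The following dry-run parser is an added example for this thread (not code from the thread, from chaslang or from OTM itself): it reads a script of this shape and lists every process, file, registry value, registry key and command the script would touch, labelled by the autostart mechanism involved, so the plan can be reviewed before the real tool runs. The sample input is the script posted above; the reading of the :Reg syntax (.reg-file style, where "name"=- deletes a value and [-KEY] deletes a whole key) and all function and label names are assumptions.

```python
"""Dry-run parser for OTM (OldTimer's MoveIt) scripts: lists what a script
would touch before the real tool runs.  Added example, not code from the
thread or from OTM.  The :Reg reading (.reg-file style: "name"=- deletes a
value, [-KEY] deletes a key) and all function names are assumptions."""
import re
from dataclasses import dataclass, field

# The script chaslang posted, reproduced here as sample input.
SAMPLE_SCRIPT = r"""
:Processes
explorer.exe

:Files
C:\Users\Alexander\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
C:\Users\Alexander\AppData\Local\Temp\*.*

:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GoogleChromeAutoLaunch_ADE45C68FEF2280A34B6F5DB75C94C09"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"PRunOnce"=-
[HKEY_USERS\S-1-5-21-66404657-1619905089-965608288-1001\Software\Microsoft\Windows\CurrentVersion\run]
"GoogleChromeAutoLaunch_ADE45C68FEF2280A34B6F5DB75C94C09"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Alexander^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^regmonstd.lnk]
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
"""


@dataclass
class Plan:
    processes: list = field(default_factory=list)
    files: list = field(default_factory=list)
    reg_values_deleted: list = field(default_factory=list)  # (key, value name)
    reg_values_set: list = field(default_factory=list)      # (key, name, data)
    reg_keys_deleted: list = field(default_factory=list)
    commands: list = field(default_factory=list)
    unparsed: list = field(default_factory=list)            # (section, line)


_SECTION = re.compile(r"^:(\w+)$")
_KEY = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")        # [KEY] or [-KEY]
_VALUE = re.compile(r'^"([^"]*)"=(.*)$')            # "name"=data
_COMMAND = re.compile(r"^\[([^\]]+)\]$")            # [EmptyTemp]


def parse_otm_script(text):
    """Walk the script line by line, tracking the current section and registry key."""
    plan, section, key = Plan(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section, key = m.group(1).lower(), None
            continue
        if section == "processes":
            plan.processes.append(line)
        elif section == "files":
            plan.files.append(line)
        elif section == "reg" and _KEY.match(line):
            minus, path = _KEY.match(line).groups()
            if minus:                      # [-KEY]: the whole key is deleted
                plan.reg_keys_deleted.append(path)
                key = None
            else:                          # [KEY]: following value lines apply to it
                key = path
        elif section == "reg" and key and _VALUE.match(line):
            name, data = _VALUE.match(line).groups()
            if data == "-":                # "name"=- : the value is deleted
                plan.reg_values_deleted.append((key, name))
            else:
                plan.reg_values_set.append((key, name, data))
        elif section == "commands" and _COMMAND.match(line):
            plan.commands.append(_COMMAND.match(line).group(1))
        else:
            plan.unparsed.append((section, line))
    return plan


def persistence_class(target):
    """Label a file path or registry key by the autostart mechanism it belongs to.
    Order matters: the MSConfig key embeds a Startup-folder path with ^ separators."""
    t = target.lower()
    if "\\msconfig\\startupfolder\\" in t:
        return "msconfig-startupfolder"    # MSConfig's record of a disabled Startup item
    if "\\start menu\\programs\\startup\\" in t:
        return "startup-folder"            # per-user Startup folder; a .lnk here runs at logon
    if re.search(r"\\currentversion\\run(once)?$", t):
        return "run-key"                   # HKCU/HKLM/HKU ...\CurrentVersion\Run
    if "*" in t:
        return "wildcard"                  # bulk delete such as Temp\*.*; review with care
    return "other"


def summarize(plan):
    """Flatten the plan into (action, persistence class, target) rows for review."""
    rows = [("delete-file", persistence_class(p), p) for p in plan.files]
    rows += [("delete-value", persistence_class(k), k + "\\" + n) for k, n in plan.reg_values_deleted]
    rows += [("delete-key", persistence_class(k), k) for k in plan.reg_keys_deleted]
    rows += [("command", "n/a", c) for c in plan.commands]
    return rows


if __name__ == "__main__":
    for action, cls, target in summarize(parse_otm_script(SAMPLE_SCRIPT)):
        print(f"{action:13} {cls:22} {target}")
```

    Run it on the pasted script to get one row per action; anything that lands in plan.unparsed is a line the reviewer should read by hand rather than trust the tool to interpret. The four classes it reports are exactly the places worth checking on a machine that still shows a lock screen after a scan comes back clean: the Startup folder, the Run keys for every loaded hive, and MSConfig's startupfolder record.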
     
  7. Ixion

    Ixion Private E-2

    Yes, I installed and use Dropbox.

    The .xoj files are files from the journal application Xournal (my laptop is a tablet). The ones referring to "warranty" are for activating the warranty on my external hard drive.

    I would like to add that in the intervening days I ran several antivirus programs, including Lavasoft's Ad-Aware, which caught (and removed) the malware Trojan.LNK.Ransom.aay (v). I don't know if that completely took care of the infection, but my computer can start normally again. I ran Malwarebytes and it came up clean. Attached is the MGtools scan that I got from the normal startup. Should I still run OTM (I think the antivirus took care of regmonstd.lnk)?
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! You don't need to do this now since you already removed the problem.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
