Ransomware Notification Today - Next Steps?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Allis_Chalmers, Apr 10, 2020.

  1. Allis_Chalmers

    Allis_Chalmers Private E-2

    I received an email demanding $XXX amount if I don't comply with a bitcoin deposit to an account within 24 hrs. They seem to know a password, which is ONE password I have. They claimed to have installed a keylogger.

    I am looking for some next steps to:

    1. What next "protection" steps I should take on the PC. I am using a separate PC for this forum and research
    2. In what order I should take on these steps
    3. Backup now, or later on the PC in question

    I am rapidly changing all passwords that they claim to know.

    Thanks in advance,
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Hopefully you are changing passwords using your other computer....in the meantime, please follow the Read and Run First steps using that computer, then transfer the tools to your infected computer using a thumb drive. Once done, transfer the results back using a different thumb drive and attach them.
     
  3. Allis_Chalmers

    Allis_Chalmers Private E-2

    Thanks Tim. Yes, I am using my "non-compromised" computer for this communication and password changes. I'm feeling better about my recent research on this and find the wording on the email containing 95% the same content/ransom that others have posted. The compromised password is old, and in combination with the email it arrived on, it limits where I believe I could be exposed on websites, etc.

    Off to back things up now.
     
  4. Allis_Chalmers

    Allis_Chalmers Private E-2

    standby.....found the log file...
     
  5. Allis_Chalmers

    Allis_Chalmers Private E-2

    I'm on Step 3, and the Malware portion has been running for 3 hours. The DOS window was progressing, I got past the GetMsrv.bat, then GetBrSet.bat, and both finished. It seems to be stuck on Running analyse.exe for some time now.

    Should I continue to wait? Restart?
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you running them from the thumb drive or did you slide them onto your desktop?

    And one additional question.....an observation. If you received an email....with a password, it is more than likely that they bought your email addy and password from someone who hacked a website where you had registered. Have any of your file extensions been changed? Possibly with random numbers or letters?

    If MGTools is what is hung up....just attach what you now have and we may use a different tool.
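    The extension check Tim asks about can be done in bulk rather than by eye. The script below is an added example, not a MajorGeeks tool or anything from this thread: it flags file names whose trailing extension is either tacked onto a still-visible known extension (report.docx.k3j9x) or is an unknown letter/digit mix, and only reports an extension once several files share it, since one odd file is usually benign. The allowlist and the sample names are constructed for the example.

```python
import os
import re
from collections import defaultdict

# Constructed allowlist of extensions you expect among personal files; extend it for your own data.
KNOWN_EXTS = {"txt", "doc", "docx", "xls", "xlsx", "pdf", "jpg", "jpeg", "png",
              "gif", "mp3", "mp4", "zip", "csv", "ppt", "pptx", "html", "exe", "bat", "reg", "log"}

def classify(name):
    """Return the suspicious trailing extension of a file name, or None if it looks normal.

    Two rename patterns are checked: an unknown extension appended after a known one
    (report.docx.k3j9x) and an unknown extension that mixes letters and digits (scan01.a7q2).
    """
    lower = name.lower()
    if "." not in lower:
        return None
    stem, ext = lower.rsplit(".", 1)
    if ext in KNOWN_EXTS:
        return None
    if "." in stem and stem.rsplit(".", 1)[1] in KNOWN_EXTS:
        return ext                      # original extension still visible before the new one
    if re.fullmatch(r"[a-z0-9]{4,}", ext) and any(c.isdigit() for c in ext):
        return ext                      # random-looking letter/digit mix
    return None

def suspicious_extensions(names, min_count=3):
    """Group flagged names by extension and keep only extensions shared by >= min_count files."""
    groups = defaultdict(list)
    for name in names:
        ext = classify(name)
        if ext:
            groups[ext].append(name)
    return {ext: files for ext, files in groups.items() if len(files) >= min_count}

def scan_tree(root):
    """Collect every file name under root with os.walk and run suspicious_extensions on it."""
    names = [f for _, _, files in os.walk(root) for f in files]
    return suspicious_extensions(names)

# Constructed sample names: a healthy folder plus a handful of renamed documents.
SAMPLE_NAMES = ["budget.xlsx", "holiday.jpg", "notes.txt", "readme.md",
                "invoice.pdf.k3j9x", "thesis.docx.k3j9x", "photo.png.k3j9x",
                "scan01.a7q2", "scan02.a7q2", "log.txt.bak"]

if __name__ == "__main__":
    for ext, files in suspicious_extensions(SAMPLE_NAMES).items():
        print(f"{len(files)} files carry unexpected extension .{ext}: {files}")
```

Run scan_tree against your Documents folder (from the clean machine, over a copy of the data) and treat any extension reported for many files as a reason to stop and capture logs before touching anything else.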
     
  7. Allis_Chalmers

    Allis_Chalmers Private E-2

    I did place them on the (believed to be compromised) PC, and ran them from the desktop. Guess I miffed that one. Here is what I have (attached). There are 105 files created by MG tools in that folder (partial screen shot attached). As I was closing a window, there was an MG Accept/Decline popup that was hidden behind a folder. Just now, I accepted it, and will see if that progresses the DOS screen.

    When you say file extensions changed, are you referring to the downloaded tools? No, those all look as they should be, .exe.

    I do appreciate this help.
     

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The only thing that is of any use is the Malwarebytes log....which is clear. I need the other logs. RogueKiller, Hitman and now that you have made the agreement to Analyse.exe....you should be getting the MGLog.zip

    I was talking about your personal file extensions.
     
  9. Allis_Chalmers

    Allis_Chalmers Private E-2

    Yep, got the MGlog zip file now, and progressing forward with RogueKiller, etc. Personal file extensions all seem to be in order. TY.
     
  10. Allis_Chalmers

    Allis_Chalmers Private E-2

    Ok, I believe I have the needed files now.
     

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. I am sure that the emails came from some list that is being sold with email addy's and passwords from a hacked site that you probably joined and may have forgotten about.

    Are you having any other issues?
     
  12. Allis_Chalmers

    Allis_Chalmers Private E-2

    Great Tim, I slowly came to the same conclusion yesterday, so much of the "claims" they made were baseless, but your heart skips a beat when the combination of email addy and password was correct (at one time).

    I can't begin to tell you how appreciative I am of your help, and this website. It's been very resourceful over the years.

    Nope, no other issues. I'm calling this case closed.

    Have a most excellent weekend! :)
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    3. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    4. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 or 10 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    5. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    6. After doing the above, you should work thru the below link:
     
  14. Allis_Chalmers

    Allis_Chalmers Private E-2

    The above was completed. Again, huge thanks.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome.....safe surfing.
     
