Ransomware

Got an instant hit by the DOJ ransomware stating my computer is locked until I go to CVS and pay $300. Also, something to do with child porn…
I immediately restarted in the safe mode and ran a full Avast virus scan with no indications of a bug.
Returning to the regular boot-up, I attempted to get online again. Firefox 23, Win7 32bit. Same problem.
Thinking only the browser was affected, I uninstalled FF.
I’m using the Avast safe browser now.
When I attempt to re-install FF I get “XPCOM not found”. I believe this is a DLL.
Right now I’m using the laptop (affected machine) and have a desktop at home to get any necessary downloads. It seems anything I attempt to download in this browser stays in it, and I am unable to access the download when the browser is closed.
Any suggestions?
Also, Avast AV never even noticed all that was going on!?

I would help you, but I’m not allowed to given my age and stuff. Nor am I certified.

You do need to follow these directions: http://forum.avast.com/index.php?topic=53253.0

Adwcleaner, MBAM, OTL, AswMBR

With the safe zone browser you are unable to save anything, as it is totally isolated from the rest of the system.

Could you run this programme from safe mode?

Download OTL to your Desktop
Secondary link

[*] Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*] Select All Users
[*] Under the Custom Scan box paste this in:

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT

[*] Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*] When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*] Post both logs.
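For reference, here is an added example (not from this thread and not part of the OTL tool) that does in plain PowerShell what the /md5start block and the netsvcs line of the custom scan above ask OTL to do, so the result can be compared line by line against a known-clean machine such as the desktop mentioned earlier. As an addition the thread's script does not include, it also reads the Winlogon Shell and Userinit registry values. It assumes Windows 7 or later; an elevated PowerShell window is recommended.

```powershell
# Added example, not code from the thread or from OTL.
# MD5 is computed with .NET so this also works on the PowerShell 2.0 that
# ships with Windows 7, where Get-FileHash does not exist.
# OTL's "services.*" matches any extension; this only looks at services.exe.
$names = 'services.exe', 'explorer.exe', 'winlogon.exe', 'userinit.exe', 'svchost.exe'
$md5   = [System.Security.Cryptography.MD5]::Create()

"MD5 of core Windows binaries (compare against a clean machine):"
foreach ($name in $names) {
    # OTL checks both the Windows directory and System32; do the same.
    $candidates = "$env:SystemRoot\System32\$name", "$env:SystemRoot\$name"
    foreach ($path in ($candidates | Where-Object { Test-Path $_ })) {
        $bytes = [System.IO.File]::ReadAllBytes($path)
        $hash  = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        $item  = Get-Item -Path $path
        '{0}  {1,10}  {2:yyyy-MM-dd HH:mm}  {3}' -f $hash, $item.Length, $item.LastWriteTime, $path
    }
}

# The "netsvcs" line of the OTL scan: services that share the netsvcs svchost group.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
"`nnetsvcs group:"
(Get-ItemProperty -Path $svchostKey).netsvcs | ForEach-Object { "  $_" }

# Added check beyond the thread's script: the values that decide what runs at
# logon. On a clean system Shell is explorer.exe and Userinit is the System32
# userinit.exe followed by a comma; anything else deserves a look.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogon    = Get-ItemProperty -Path $winlogonKey
"`nWinlogon Shell    : $($winlogon.Shell)"
"Winlogon Userinit : $($winlogon.Userinit)"
if ($winlogon.Shell -ne 'explorer.exe' -or
    $winlogon.Userinit -ne "$env:SystemRoot\system32\userinit.exe,") {
    "Winlogon values differ from the Windows defaults; review them before rebooting."
}
```

Run it on the affected laptop and on the clean desktop and diff the two outputs; a hash, size or timestamp that differs for the same path is the file to look at.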

This is the only log that appeared (attached). I did nothing else but run the scan.

This is a new variant, as I can see no sign of ransom malware there.

So I would like to run another programme.

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled.

[*] Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*] Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

[*] The report has been created on the desktop.

[*] Next click on ShortcutsFix.

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

[*] The report has been created on the desktop.

Please attach: All RKreport.txt text files located on your desktop.

Ran RK, one suspicious file > deleted. Fixed shortcuts. Log attached…
BTW - Shortly I will be returning to home base and using the desktop. Any suggestions on avoiding this ransomware in the future?

When you boot to normal mode, are you still getting the ransom screen?

No. All is normal now. When I saw the Dept of Justice ransom page, I turned off the computer manually (couldn’t shut down normally). Rebooting in the safe mode I then removed FF with Revo uninstaller. No problems after that, except that I didn’t have FF for a browser anymore; and couldn’t download a new copy using the Avast safe zone browser.
Now I am back on my desktop and have got a copy of FF on a thumb drive to load into the laptop the next time I use it.
Thanks for all your help.

Intriguing, that is something I need to bear in mind if it is now working from Firefox instead of the normal method(s).