Posted (edited)

Beware, there are different kinds of ransomware. Cryptolockers are the worst (yeah, I've had to deal with such crap many times already).

If the virus present on your friend's PC is a non-encrypting ransomware, one of the anti-malware tools mentioned above might do the trick (still, even after the scan(s) and the cleaning, check every place on the PC, hidden files and folders included, and also uninstall the browser used, delete the files and folders left after uninstall, reboot and reinstall it).

In the case of encrypting ransomware, it is more delicate and hopeless. System files, text files, photos, videos and so on are all encrypted ("locked"). In such a case, there is no way, nor any software able, to help you recover this data without the password to unlock it. So the data is lost and the OS must be reinstalled on the disk after formatting.

Tip: when you get such warning messages from a ransomware through your browser, most of the time your browser is stuck on them and you can't close it or use your PC. DO NOT TURN OFF YOUR PC!! Because you will allow the ransomware to finish its job and lock all the files. After my first 2 bad experiences, I found a trick on the 3rd. Open Task Manager (use Ctrl+Alt Gr+Delete to open it), force Google to close (or whatever browser you use) by killing the process. Uninstall the browser straight away, delete all the folders and files left after uninstallation (hidden ones included). Then use CCleaner and perform a standard and a registry cleaning. Revo Uninstaller (for uninstalling) and CCleaner (for cleaning) are really useful and handy for such things. Scan and clean your PC with Malwarebytes / RogueKiller / AdwCleaner and then reboot.

This tip will not help you get rid of such crap once it is fully established on your PC, but it might prevent that from happening if you react as you should at the beginning of its process, whatever the type of ransomware. In all cases, it has always worked successfully for me so far.

Edited by Ann!b@l
  • Like 6
Posted

Fastest way: get Ubuntu (or another Linux live USB/CD). Run Ubuntu, mount your drive, copy and paste all necessary files. Make a USB installer for Windows, install with a full format. Clean PC in no time.

(I've heard rumors that some ransomware keys have been decrypted by security firms.)

I wonder, if the whole HDD is being encrypted, must the PC get really slow due to the workload on the CPU? Don't people notice it?

Posted


That's bad news, my friend closed his PC because he was scared something bad would happen. So I'm hoping it won't be a Cryptolocker. Also, here's a video my friend sent me after he opened his computer, as I asked him if he could send me a video/picture of the blue screen so I could read what it said.

Does this mean we are too late, or that all the files are encrypted and they did what they were trying to do? I'm not sure, as I've never had this virus before, and also I can't see what the text says.

Posted


Yep, it really depends on what virus it happens to be.

If you can get the actual name of the infection it can help narrow down the best method for removal. Generally SAS and MWB SHOULD do the trick, but if it's really nasty it might need alternative help to kill it. TDSSKiller is decent for finding rootkits. Alternatively, if it's a well-known one that buries itself into the registry, you can remove it by finding the infected registry code. However, that one I do not generally advise if you don't know what you're doing. You can f*** things up badly that way. There was another program I used that found something on my PC that the others didn't pick up. HijackThis? Something similar.

@Weinie I can't read what the error messages say. Does this mostly happen when the computer is booted? When he tries to access the internet?

Posted


I told him to reboot his PC so he could send me a pic of the blue screen. He told me the blue screen is gone and it's replaced with black. I'm not sure what he did to get those error messages. I went on the original video he sent me on FB and turned on HD, but I still couldn't decipher what it said.

I can give a bit more information, but I doubt it will be any help as far as finding what type of ransomware he has. It says error BSOD, and error 333. That's all he gave me that could give us some information; everything else was just "blue screen".

UPDATE: I scrolled through our FB chat and found this picture. [image: qqbona.jpg]

It's kind of hard to read, but if you look carefully you can see what it says.

Posted

So that looks like Windows Error Reporting is bugging its shit out. Most sources just tell people to disable it.

http://answers.microsoft.com/en-us/windows/forum/windows_7-update/error-code-werfaultexe-application-error/1dada681-2d89-492f-92c0-2eae4c5a6d20

Is he using a pirated version of Windows? (Notice the Windows activation code.)

Starting to wonder how far gone the system is if he's getting a shit ton of error messages.

Posted


He told me he never got those errors until he actually got the virus. Additionally, his Windows version is genuine, considering he got Windows 7 when he got his computer. He was never asked to enter an activation key until that moment. I think the virus he's got is getting worse than just a ransomware, maybe becoming a trojan horse or a different virus, considering these are most probably random pop-ups that appeared when he received the virus.

Posted

Yeah I would start with the above methods of removal, then. Get something started. Then if the problems still persist, we can move on from there.

Posted (edited)

-Ransomware/Cryptolocker are trojans.

-Not sure it's a good idea to use HijackThis in his case since it's a tool for experienced people.

-Yeah, I heard too that some firms have a database of some passwords, but not sure it will be effective. New ones are generated and there are probably many more than what they've got. Aside from that, the encryption is too strong to crack and so it is hopeless.

-Don't be surprised to see all kinds of system errors appearing. It also affects system files.

-The only thing you can do is remove the trojan itself. But a large number of files with certain extensions will remain locked anyway in the case of an encrypting ransomware. Same goes for some system files and some Windows registry entries. Worth a try if it's a non-encrypting ransomware. But would you use a PC in which the doubt of its presence will remain? Not me. Back up some data on a removable disk if it was not encrypted and is safe, format and reinstall Windows. That's the best thing to do IMHO.

Some of the extensions locked:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6,
.bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map,
.wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf,
.iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0,
.dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a,
.pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt,
.cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2,
.srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst,
.accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
Edited by Ann!b@l
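Added example (my own code, not from any poster in this thread): a small Python triage script for the situation the extension list above describes. Before deciding which files to back up from a removable disk and which are lost, it walks a folder and reports files carrying one of the listed extensions whose content no longer looks like the format the extension promises: the format's file signature is gone and the bytes have near-random entropy, which is what an encrypted-in-place copy looks like. Entropy alone is not enough, because archives and photos are high-entropy even when healthy, so the script checks signatures first. The extension subset, the signature table, the 7.5 bits/byte threshold and the sample directory are all constructed assumptions for this example.

```python
import math
import os
import tempfile
from collections import Counter

# Constructed subset of the extension list quoted in the post above.
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".jpg", ".jpeg", ".png",
    ".txt", ".csv", ".rtf", ".sql", ".zip", ".rar", ".7z", ".psd", ".mdb", ".accdb",
}

# File signatures ("magic bytes") intact files of these formats begin with (assumed table).
# An encrypted copy keeps its name but loses its signature, which is a stronger signal than
# entropy alone, because archives and images are high-entropy even when perfectly healthy.
MAGIC = {
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8", ".jpeg": b"\xff\xd8",
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".7z": b"7z\xbc\xaf\x27\x1c", ".rar": b"Rar!", ".psd": b"8BPS", ".rtf": b"{\\rtf",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".ppt": b"\xd0\xcf\x11\xe0",
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext and random data sit close to 8.0 (assumed cut-off)
SAMPLE_BYTES = 65536     # only the head of each file is examined


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_file(path):
    """Return None for files not on the target list, otherwise 'ok' or a 'suspect: ...' verdict."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in TARGET_EXTENSIONS:
        return None
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    signature = MAGIC.get(ext)
    if signature is not None:
        if head.startswith(signature):
            return "ok"                      # format header intact: not encrypted in place
        if entropy >= ENTROPY_THRESHOLD:
            return "suspect: signature missing and high entropy"
        return "suspect: signature missing"  # wrong header but readable: maybe just misnamed
    # Plain-text formats (.txt, .csv, .sql) have no signature; judge by entropy alone.
    return "suspect: high entropy" if entropy >= ENTROPY_THRESHOLD else "ok"


def scan_tree(root):
    """Walk root and map each target-extension file (path relative to root, '/'-separated) to its verdict."""
    verdicts = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            verdict = triage_file(full)
            if verdict is not None:
                verdicts[os.path.relpath(full, root).replace(os.sep, "/")] = verdict
    return verdicts


def suspects(verdicts):
    """Only the entries worth a human look."""
    return {path: v for path, v in verdicts.items() if v != "ok"}


def build_sample_tree():
    """Constructed sample directory: three intact files plus two stand-ins for encrypted copies."""
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "school"))
    plain = b"The quick brown fox jumps over the lazy dog.\n" * 400
    samples = {
        "notes.txt": plain,                             # intact text: low entropy, no signature needed
        "school/report.pdf": b"%PDF-1.4\n" + plain,     # intact: signature present
        "school/essay.docx": os.urandom(SAMPLE_BYTES),  # stand-in for an encrypted document
        "photo.jpg": os.urandom(SAMPLE_BYTES),          # stand-in for an encrypted photo
        "todo.md": os.urandom(SAMPLE_BYTES),            # not on the target list: ignored
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for path, verdict in sorted(suspects(scan_tree(build_sample_tree())).items()):
        print(f"{verdict:45s} {path}")
```

Run against the constructed tree it reports only essay.docx and photo.jpg; notes.txt and report.pdf pass, and todo.md is skipped because its extension is not on the list. A "signature missing" verdict with low entropy is deliberately kept separate: that file is readable and may simply be misnamed, whereas "signature missing and high entropy" is the pattern to treat as lost unless an offline backup exists.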
Posted


I've informed him about what you guys said; surprisingly, he was pretty chill about it considering he has a lot of important school files in there. I'll be going to his house tomorrow, so I guess I have more time to find more solutions. Thanks a lot guys.

Posted

Boy, do I have a story to tell you guys. Yes, I managed to fix it, but not with what you guys told me to do.

So let me start (warning: long-ass story with a TL;DR at the end).

So basically I told my friend to show me the blue screen, as I wanted to see what it looked like, to see if it looked similar to any other tutorials I saw. It looked different, so I doubted I would fix it using Task Manager. So, following the steps of the previous tutorial I watched, I looked for 2 windows.exe, yet I couldn't even find one. So, confused, I said whatever and moved on to the second part.

I went into safe mode and ran what Sid told me to do. It took about 30 minutes each, and it managed to find a LOT of malicious files and viruses, so we deleted them. Unfortunately, when we went back to normal mode the blue screen was still there. So I thought I did something wrong and did it once again, but it still didn't work.

We went on another tutorial and followed it, yet a lot of people in the comments said he didn't know what he was saying, but we tried it anyway. Unsurprisingly, it didn't work.

So now I was desperate (not really, just making this more interesting ;) ). I went back into normal Windows and opened Task Manager. I scrolled through it and would ask my friend if he knew what each thing was. If he said no, I would look at the date modified (system files would say last modified 2009, as that's when he got his PC).

So now I found something called Junker; there were 2 of those to be exact. I asked my friend if he knew what it was; he said no. I checked the date and it said April 10th, which is today. So I ended the task, yet nothing happened. So I got kinda pissed, scrolled through and couldn't find anything else suspicious. I went back to the second Junker, ended that process, then boom! The blue screen disappeared!

After that I went on his C: drive and searched for junker, with a bunch of files and folders coming up called "Junker". I deleted them and ran another scan.

After the scan I restarted the PC to see if it would appear again, as he told me he didn't want to constantly go into Task Manager and delete Junker. When it rebooted, everything was back to normal! I was so glad I was able to fix it and not let him down.

Although what you guys said didn't work, I'm still glad you guys took your time to assist me and I can't thank you guys enough.

TL;DR: I fixed the virus by going into Task Manager and deleting something called Junker, then deleting the files. It worked, surprisingly.

  • Like 3
  • Platinum VIP
Posted

That's awesome, dude. Good work!

  • Like 1
  • Leader
Posted

Did you get rid of his "free" copy of Word 2013? He can try getting OpenOffice from a reputable source, such as http://www.openoffice.org/ ... NOT Openoffice.com, which my Norton just blocked for having "threats" on it.

This is such an important topic that I am going to copy and save all the posts here. :D

Congrats on the happy ending... or is it? [evil laugh]

  • Like 2
  • Platinum VIP
Posted

If you're going to find a free copy of something, READ THE COMMENTS before downloading the file. If there are no comments, then don't d/l it. I've been running the program your friend was looking for for the last few years with no problems, because I took my time and found a reputable copy with no viruses attached.
