Manually remove Ransomware (Služba Kriminální Policie a Vyšetřování or other)

Surprise surprise! Usual screen information is localized depending on country of infection.

The Context

I recently got handed an infected laptop. Windows 7 Pro, but right after the login screen, you’d either get a blank screen, or after some time, the whole desktop is replaced by a static HTML page, showing a very scary message from some “cyber police”, your IP address and estimated location, and a shot taken from the webcam the moment it got infected. On the right, also, a column with a few fields and options for you to pay a “fine” (CZK 2000 in this case). Of course, this was very obviously a scam, and well known at that (just type Ransomware into your favorite search engine…). I’ll show you how I proceeded in order to solve the issue.

1) Virus scan with a Linux Live CD

I happened to have just burned a Mageia 3 LiveCD for testing purposes, so I thought I'd give it a try. The LiveCD didn't come with an antivirus, so I had to manually add the online repositories, then managed to install clamav and clamtk, updated the virus database and ran a full scan on the Windows disk. It found some adware, some malware, bad cookies, cleaned it all up, and I rebooted. Unfortunately, whatever it cleaned, it didn't clean the ransomware. On to the second try.

2) Use Kaspersky Rescue Disk (from malwaretips.com)

I then looked on the web for other methods and stumbled upon a page on http://malwaretips.com. Unfortunately, System Restore didn't help, so I decided to give their last option a try, the Kaspersky Rescue Disk. I burned the CD, started it, updated the malware database, and ran another scan. It found some things, but still no cigar, unfortunately. So in the end, I had to try another, more manual way of removing it.

3) Hacking the Windows registry and manually deleting things (the method that works, derived from pcrisk.com)

Looking further, I found another page with manual instructions to remove the ransomware on pcrisk.com. Here are the manual instructions they gave:

End these processes:

random.exe

Delete these files:

%UserProfile%\Application Data\msconfig.dat
%UserProfile%\Application Data\msconfig.ini

Remove these registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "explorer.exe,%UserProfile%\Application Data\msconfig.dat"

Unfortunately, there was no random.exe running, and no msconfig.dat or msconfig.ini in the %UserProfile%\Application Data\ folder on the disk; evidently the file names change from one sample to the next, so a fixed list like this is hit and miss. The real clue is in the Registry. Winlogon reads the Shell value to decide what to start as the user's shell, and it accepts a comma-separated list, so "explorer.exe,<path>" starts the normal desktop and the ransomware together, and the per-user value in HKEY_CURRENT_USER takes precedence over the system-wide default in HKEY_LOCAL_MACHINE. That second entry is what causes the regular Windows desktop to be replaced with the fake page. So here are the steps that worked for me:

Start the computer in Safe Mode with Command Prompt, no networking. In that mode Windows starts the shell named under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot (cmd.exe) instead of the Winlogon Shell value, so the ransomware never gets launched.

On the command prompt, run regedit

Open the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key, look at the value named Shell, and write down its data: everything after the comma is the location of the virus (it was %UserProfile%\Application Data\msconfig.dat in the example from pcrisk.com, but was something different in my case). On Windows 7, %UserProfile%\Application Data is a hidden junction to %UserProfile%\AppData\Roaming, so that is where the file actually lives.

Delete that file (or move it somewhere it cannot run, if you want to keep a sample).

Back in regedit, remove the msvideo key and the Shell value (just the value; leave the rest of the Winlogon key alone):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo (the whole key)

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" (that value only)

While you are there, check that HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell still reads explorer.exe, since that is the default Windows falls back to once the per-user value is gone.

Reboot
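Since the file name changes between samples but the persistence mechanism does not, here is a small check for it. This is an added example and not code from the original post or from pcrisk.com: a POSIX shell script (usable from the same Linux LiveCD that did the scanning) that reads an export of the Winlogon key and lists every Shell entry that is not explorer.exe. It assumes the key was exported from the Safe Mode command prompt with reg export "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg and converted from the UTF-16 that reg export writes (iconv -f UTF-16 -t UTF-8); the two .reg files it writes are constructed samples, and the C:\Users\victim\...\msconfig.dat path in them is made up.

```shell
#!/bin/sh
# Added example, not from the original post or from pcrisk.com: flag a hijacked
# Winlogon "Shell" value in an exported .reg file. Windows treats Shell as a
# comma-separated list, which is how "explorer.exe,<malware>" starts the normal
# desktop and the locker side by side. Assumed workflow (file names are made up):
#   reg export "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
#   iconv -f UTF-16 -t UTF-8 winlogon.reg > winlogon.txt   # reg export writes UTF-16LE
#   sh check_shell.sh winlogon.txt

# Print every Shell entry that is not explorer.exe, one per line (nothing if clean).
suspicious_shell_entries() {
    grep -i '^"Shell"=' "$1" \
      | sed -e 's/^"Shell"="//' -e 's/"[[:space:]]*$//' -e 's/\\\\/\\/g' \
      | tr ',' '\n' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
      | grep -iv '^explorer\.exe$' || true
}

# Return 0 when only explorer.exe (or no Shell value at all, the HKCU default)
# is present; return 1 and list the extra entries when the value was hijacked.
check_winlogon_shell() {
    extra=$(suspicious_shell_entries "$1")
    if [ -n "$extra" ]; then
        printf 'Shell value in %s launches something besides explorer.exe:\n%s\n' "$1" "$extra" >&2
        return 1
    fi
    return 0
}

# Constructed sample exports (not real captures) so the check can be tried
# without an infected machine; $1 is the directory to write them into.
make_samples() {
    cat > "$1/clean.reg" <<'EOF'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
EOF
    cat > "$1/infected.reg" <<'EOF'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\victim\\AppData\\Roaming\\msconfig.dat"
EOF
}

# Stand-alone use: check the file given on the command line, else the samples.
if [ -n "${1:-}" ]; then
    check_winlogon_shell "$1"
else
    dir=$(mktemp -d)
    make_samples "$dir"
    for f in "$dir/clean.reg" "$dir/infected.reg"; do
        if check_winlogon_shell "$f" 2>/dev/null; then echo "$f: clean"; else echo "$f: HIJACKED"; fi
    done
    rm -r "$dir"
fi
```

On the infected machine itself the same question can be asked at the Safe Mode prompt with reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell; anything after the comma is what Windows launched alongside explorer.exe. Ask it of the HKEY_LOCAL_MACHINE copy of the key too, since a locker can plant itself in either.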

This did the trick for me. Once I regained access to the system, I immediately replaced the antivirus (there were actually two of them, both with expired licenses, so not really doing anything), ran a full scan, then scanned the computer with Spybot and CCleaner to clean up any remnants of the infection. Some toolbars also went the way of the dinosaurs, and I updated their browser and plugins to the latest available versions.

Did this help? Would you have proceeded differently? Let me know in the comments :)


August 14, 2013 at 1:00 am

Easy Partition cloning in Linux with dd, ntfsclone, gparted and Mageia 2

Background

Over the past few months, whenever I booted under Windows, it would just freeze and force me to reboot, then do a very long checkdisk at the next boot. I blamed Windows. Then at some point, while using GNU/Linux, I got a notification on the GNOME desktop that one of my hard drives was failing and had bad sectors. (By the way, kudos to the team behind the Palimpsest utility that generated that notification.) Since it was consistent with the Windows freezes and failures, I figured it was time to replace my hard drives. Switch to SSD, maybe? After shopping, I ended up buying a 120GB SSD drive, as well as a 750GB HDD, which were supposed to replace my two dying 250GB drives (well, only the primary drive was dying, but I was thinking about expanding the storage on my personal laptop anyway…).

The task

Let’s call O1 my old primary hdd, O2 the secondary one, N1 the SSD and N2 the new HDD. O1 contained some data partition, as well as the original Vista partition, and “Splashtop/Rescue partition”. O2 contained more data partitions, and my existing Mageia 2 installation.

Somehow, I’d have to find a way to replicate the system partitions from O1 on the smaller N1, then copy the contents of O2 on N2, and put the rest of the old data partitions from O1 to N2. Any idea how to do that without having to purchase proprietary software?

The solution

Well, the answer is in the title. Using a Mageia 2 Live CD (most likely any other GNU/Linux Live CD would have worked as well), I could boot into a fully functioning system that didn't require any of my hard disks to be mounted. So I carefully plugged in O2 and N2, then booted the Live CD. From there, opening a terminal, I made sure both hard drives were not mounted (mount with no arguments lists what is currently mounted; be aware that mount -a does the opposite and mounts everything in /etc/fstab), then I just used dd to clone O2 onto N2.

dd if=/dev/sda of=/dev/sdb

Warning: pay very, very special attention when using dd. Many a partition has been wiped inadvertently by a bad use of dd. dd is simple: it takes whatever you pass as if= and binary copies it onto of=, with no confirmation and no check that the target is empty, large enough, or the drive you think it is. I strongly advise you to use hdparm -i /dev/sdx (with /dev/sdx the device name of your hard drive) to identify which drive is which by model and serial number, because the sda/sdb ordering can change between boots.

Running the above command clones O2 onto N2. Nice and clean. Only thing is, it also clones the partition table byte for byte, so N2, my 750GB drive, now looks like it is only 250GB, with the remaining 500GB unallocated. To fix that, I used gparted and simply grew the last partition into the free space (creating a new partition there would work just as well). If the disk uses GPT rather than MBR, gparted will first offer to move the backup partition table to the new end of the disk; accept that.

Now, dd is cool, but it's really low-level, and will not cope with faulty drives very well (how surprising… if the data cannot be read, it cannot conjure the bits and pieces up by magic :) ). By default it simply stops at the first read error.

To take care of the bad NTFS partitions, I put O1 back in the laptop, left N2 as the secondary drive, and booted Windows in safe mode. (Actually, at this point, I also tried booting the GNU/Linux freshly cloned onto N2, just to make sure everything was fine. And of course it was :) ). Once in safe mode, I tried to check the drive for bad sectors one last time before the cloning:

chkdsk /f

(Note that /f only repairs file-system structures; /r, which implies /f, is the switch that actually scans the surface for bad sectors and marks them, at the cost of a long read pass over a disk that is already failing. Either way, run it before cloning: ntfsclone refuses a volume that is still flagged dirty unless told to force it.)

After that was done, I rebooted under the LiveCD and proceeded with the partition cloning. Due to the bad sectors on the drive, dd would fail me. Instead, I used ntfsclone, which can carry on past unreadable sectors. The syntax is slightly different from dd. Again, be very careful and re-read your command seven times before hitting the Enter key. The magic option for "best effort" is --rescue: instead of aborting on a read error, ntfsclone skips the unreadable block and keeps going (if the volume is also flagged dirty because chkdsk never finished, --force is needed on top). With ntfsclone, the last argument is the input (called the source on the man page), while the output is given by an option: --overwrite for a target that already exists, which a partition device node always does, or --output when writing to a brand-new image file.

ntfsclone --overwrite /dev/sdb5 --rescue /dev/sda1

Here, I basically asked for the first partition on /dev/sda (/dev/sda1) to be cloned onto the second drive, into the partition called /dev/sdb5. That target partition has to exist already and be at least as large as the source, so create it with gparted first.

That went rather smoothly. I continued the process with the remaining partitions, eventually switched hard drives a couple more times, but I think by now, you get the idea.
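Putting the precautions above into a script, as an added example that is not part of the original post: each step (identify drives, confirm nothing is mounted, confirm the target is big enough, clone, verify) is a small shell function, and because the functions take plain paths, the whole thing can be rehearsed on throwaway image files before it is ever pointed at /dev/sdX. It assumes a Linux LiveCD with GNU coreutils (dd with status=progress), util-linux (lsblk, blockdev) and ntfs-3g (ntfsclone); the 4 MiB and 8 MiB image files in the demo are constructed on the spot and stand in for the old and new drives.

```shell
#!/bin/sh
# Added example, not from the original post: guard rails around the dd and
# ntfsclone steps described above. Every function takes plain paths, so it can
# be rehearsed on ordinary image files before being pointed at /dev/sdX.
# Assumes GNU coreutils (dd status=progress), util-linux (lsblk, blockdev) and
# ntfs-3g (ntfsclone), all present on a typical Linux live CD.

# Model and serial survive reboots and re-cabling; /dev/sdX names do not.
identify_disks() {
    lsblk -d -o NAME,SIZE,MODEL,SERIAL
}

# Size in bytes of a block device or of a regular file.
size_bytes() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# True if the device, or any partition on it, appears in /proc/mounts.
is_mounted() {
    grep -qs "^$1" /proc/mounts
}

# Refuse to clone unless source and target differ, neither is mounted, and the
# target can hold the source. The reason goes to stderr; return 1 on refusal.
check_clone_target() {
    src=$1; dst=$2
    if [ "$src" = "$dst" ]; then
        echo "refusing: source and target are the same path" >&2; return 1
    fi
    if is_mounted "$src" || is_mounted "$dst"; then
        echo "refusing: $src or $dst is mounted; unmount first" >&2; return 1
    fi
    if [ "$(size_bytes "$dst")" -lt "$(size_bytes "$src")" ]; then
        echo "refusing: target is smaller than source" >&2; return 1
    fi
    return 0
}

# Whole-disk clone, partition table included (the O2 -> N2 step). Plain dd:
# one unreadable sector aborts the copy, which is the right default for a
# drive you believe is healthy.
clone_disk() {
    check_clone_target "$1" "$2" || return 1
    dd if="$1" of="$2" bs=4M status=progress
}

# One NTFS partition from a failing drive (the O1 -> N2 step). --rescue skips
# unreadable blocks instead of aborting; --overwrite because the target
# partition's device node already exists. Add --force only if ntfsclone
# complains that the volume is marked dirty and chkdsk cannot be run first.
clone_ntfs_partition() {
    check_clone_target "$1" "$2" || return 1
    ntfsclone --overwrite "$2" --rescue "$1"
}

# Byte-compare the source against the first source-size bytes of the target,
# so a target larger than the source (the usual case) still verifies.
verify_clone() {
    head -c "$(size_bytes "$1")" "$2" | cmp -s "$1" -
}

# Rehearsal on throwaway files: a 4 MiB "disk" cloned into an 8 MiB one.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    head -c 4194304 /dev/urandom > "$d/old.img"
    head -c 8388608 /dev/zero    > "$d/new.img"
    clone_disk "$d/old.img" "$d/new.img" && verify_clone "$d/old.img" "$d/new.img" \
        && echo "clone verified"
    rm -r "$d"
fi
```

Run it as sh clone.sh demo to rehearse on files; for the real thing, source it and call clone_disk /dev/sda /dev/sdb or clone_ntfs_partition /dev/sda1 /dev/sdb5 only after reading the identify_disks output. verify_clone is meant for dd copies: ntfsclone copies only used clusters and skips what it could not read, so a byte comparison against a disk with bad sectors is expected to fail.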

Summary

  • Always triple, quadruple check your commands before running any of them. Read the man page for each beforehand. Use hdparm -i /dev/sdx in order to identify your disks.
  • To clone one hard drive directly onto another one, use a LiveCD of a GNU/Linux distro, and after carefully checking your disk labels, launch the dd utility to perform a low-level binary copy of everything.
  • When cloning onto a larger drive, you may want to use gparted afterwards to grow the last partition (or add a new one) into the space left unallocated beyond the copied partition table.
  • To clone an NTFS partition that has bad sectors, instead of dd, use the ntfsclone utility with the --rescue option.

Happy cloning :)

September 11, 2012 at 10:30 pm

Mageia 2 upgrade + legacy Nvidia 96xx Graphic Card = Trouble

Mageia 2 is out! Updated packages, new versions for pretty much everything! A long time Linux user, from Mandrake to Mandriva, I made the switch to Mageia pretty much as soon as it was made available, on both my personal desktop and laptop.

After upgrading to Mageia 1 on my old desktop, I ran into some problems with the nvidia drivers. (Note: if you run into a problem with GNU/Linux, talk about it. In my case, I sent a bug report.) Mageia 1 included Xorg 1.10, which was not yet supported by the legacy nvidia96xx drivers I needed to use for the old GeForce 4 Ti 4200 that was in there. The support from the Mageia QA, developers and packagers was great. Since I'm not using my desktop PC so much anymore, I was fine with reverting to the "nv" driver for a while, and as soon as NVIDIA released new proprietary 96xx drivers, they got pushed to the "Updates Testing" repository, and shortly afterwards, to the official Updates repository.

When Mageia 2 came out, I first upgraded my personal laptop using the live update method. It went rather smoothly, and the system seemed pretty stable. I also checked the errata, and didn’t see anything too bad. I figured I could safely update my desktop too, right? But after all this time, I forgot to check the Xorg+nvidia driver compatibility…

And once again, the latest version of Xorg is not compatible with the NVIDIA 96xx drivers. So after the update, I got a “Command prompt surprise” basically indicating that X failed to start.

Checking Mageia's repository, I saw that the nvidia96xx package had been removed, so the QA team did know that the driver wouldn't work. Inspecting the xorg.conf file told me that the distro had tried to move me to the nouveau driver, which is also a good approach (without knowing that it doesn't quite work with my card; I still have to check whether I should report the issue to the nouveau team or the gnome team…).

So I went back to using the legacy ‘nv’ driver for a while, and I’ll wait for new NVIDIA 96xx drivers to be released (one can only hope…).

But all this could have been easily avoided:

  1. Knowing I had problems with Mageia 1, I should have thought about checking which X version was included in Mageia 2, and check the NVIDIA proprietary driver’s status.
  2. Or I could have burned one of the LiveCD images. I would immediately have seen the display issues, warning me not to upgrade yet…

June 10, 2012 at 7:27 pm


Disclaimer

This is a personal weblog. The postings and opinions expressed here are my own and do not represent any of my current or past employers' positions, strategies or opinions.
