A day fighting with Ransomeware


In this post I’m gonna explain the basic and common steps to get rid of Ransomeware (well, title explains the what I’m gonna write). You should be thinking from where I got Ransomeware, any bad sites? No, honestly saying I worked really hard to get infected (well that’s odd thing), it was first time for me to search through internet to download virus to get infected. But ultimately somehow I managed to get one. Download reached 100 % and at same instant MSE said it is cleaning viruses. I worked so hard to get that file and MSE removed it, grrr. Anyways, I restored it from quarantine and turned off MSE (turned off its Real Time Protection). The virus MSE detected was Trojan:Win32/Urausy.E. I don’t know why but Ransomeware didn’t install correctly and all I got was a White screen like this:

rgfefgv

OK now its removal part. Ransomeware are very broad, some only infect single user and some even disable Safe mode. First thing you should try is to do a System Restore in Safe mode. See this article for accessing safe mode:
How to start Windows in Safe Mode

Do a Restore to a point where you know your PC was OK. How to do a System Restore:
For XP: http://support.microsoft.com/kb/306084
For Windows Vista, 7, 8: http://windows.microsoft.com/en-IN/windows7/products/features/system-restore
(I know article is for Windows 7, but method is same for others)

Screenshot when I did it:

If System Restore didn’t work then you can use HitmanPro.Kicstart. Since I am doing all this in a Virtual PC and since booting from USB is not supported, I have used HitmanPro.Sidekick (It is used alternate way of booting i.e. booting from CD, you must have Kickstart USB connected for it to work). When I started my virtual PC with Sidekick and Kickstart I got this:

gfghujk

As mentioned in Options, you should first select Option 1, if it doesn’t work then 2 and then 3. After selecting an option your PC will start normally, as if you didn’t use anything. But you will get through ransomeware and will be able to scan your PC with HitmanPro (comes in Kickstart USB). When I ran the scan following result came:

fsdgfxcb

If you got sharp eyes you will notice many things. First is that I hid the name of file found, that’s because I don’t want you to know its name, its not suitable for public view. Second is Ransomeware was found on desktop (although you can see Desktop don’t have any file, because I hid all my files on Desktop by editing this image) and in Temporary Internet Files (yes I use IE 6 because of its vulnerabilities!). Third is that MSE and Security Center are red. If you remember, I have mentioned I turned off MSE, that’s why both are red. Now when the removal process is finished I got screen like this:

trfghj

After all this removal process I restarted my PC, this time without HitmanPro and White screen is gone!

I know I may have failed to explain in understandable words so please feel free to comment if you have anything to ask/say/have feedback, etc.

About these ads

2 thoughts on “A day fighting with Ransomeware

  1. If you got sharp eyes you will notice many things. First is that I hid the name of file found, that’s because I don’t want you to know its name, its not suitable for public view.

    yes admin ; I know I may have failed to explain in understandable words so please feel free to comment if you have anything to ask/say/have feedback, etc.

    [Admin. Note: Merged two comments into one to add clarity.]

    • ukash (Interesting name ;-) ),

      I can’t say I understood your question. You replied in two parts which I merged together. What I can understand is that you can’t understand what “If you got sharp eyes you will notice many ……” means. I wanted to say that the file name of that detected ransomeware was not suitable to be viewed in public since it contained some bad words.

      File name doesn’t matter much, it’s content do. It had ransomeware and thus it was detected. Name can be anything, anything like google.exe or microsoft.com or anything.

      I hope you were asking about this and I am able to explain it appropriately. If its still unclear or you wanted to ask anything else then please leave a reply.

      Prashant Kumar

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s