Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • Please log in to reply
2 replies to this topic

#1 Shelton Computers

Shelton Computers

  • Members
  • 1 posts
  • Local time:04:20 AM

Posted 24 November 2012 - 10:26 PM


We are a small town (PC/Windows) computer company, MCSE certified with expertise also in Linux/Unix Platforms. we just ran into a computer that had The Reveton you described here: http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware

The Client Was running windows xp home edition.

I am posting a comment on your removal guide because this is NOT how we had to remove the trojan; this trojan has gotten smarter and updated beyond your guide. If you try to start the windows xp home pc in safe mode (of any sort) it will make the kernel think there is a hardware error when there really isnt; I bleep you not :)

We had to remove the laptop's hard drive, dock it, and manually use another pc to search through the registry and remove the startup item. Its still executed the clever way you describe though, using rundll32 process to invoke it.

I just thought you might want to update the removal guide as no one will be able to run the hijackthis, as they can never get into any safe mode.

I told my customer whether they had antivirus or not, windows 7 would have prevented it from being this hard to remove even AFTER it had gotten on a windows 7 pc, as windows 7 wouldnt have allowed user interface interaction from another program (with UAC). meaning, when you tried to do ctrl break or opening the task manager, windows 7 would have made the task manager appear OVER top of the trojan's splash screen OR killed the executable that was running it, even with it being rundll32 invoking it.

BC AdBot (Login to Remove)


#2 herg62123


  • Members
  • 553 posts
  • Gender:Male
  • Location:Montgomery, AL
  • Local time:04:20 AM

Posted 25 November 2012 - 12:36 AM

I have been following the evolution and copy cats of this ransomeware virus. I have found at least 6 variants of this type so far but I am sure there is more variants.

The best solution I have found to use Kaspersky Rescue Disk 10. http://support.kaspersky.com/viruses/rescuedisk With this it boots up into a Linux Operating System and it has a scanner to use. Also there is away to edit the registry as well. Check it out.
Posted Image

#3 jfoust


  • Members
  • 7 posts
  • Local time:03:20 AM

Posted 26 November 2012 - 09:00 PM

Hah! I just posted a similar topic. In my case, Kaspersky didn't find it, but fixboot / fixmbr wiped it out.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users