Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win XP FBI Virus.


  • Please log in to reply
16 replies to this topic

#1 WoShiMira

WoShiMira

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:45 AM

Posted 26 November 2012 - 03:10 AM

Picked up the FBI Virus Moneypak thing on my Lenovo R400. It locked everything down, and nothing works in normal mode. Tried switching to safe mode, but got BSOD. Running Windows XP and have an installation CD.

BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,067 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:45 PM

Posted 26 November 2012 - 03:34 AM

Hello, and welcome to BleepingComputer! :)

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download shellfix.ndf and save it to your USB drive
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see shellfix.ndf that you downloaded there
  • Double-click on the shellfix.ndf and let it run
  • After it has finished a report will be located on your USB drive named shellfix.txt
  • Remove the USB drive and insert it back in your working computer and navigate to shellfix.txt

    Please note - all text entries are case sensitive
Copy and paste the shellfix.txt for my review

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 WoShiMira

WoShiMira
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:45 AM

Posted 26 November 2012 - 03:40 AM

Should shellfix.ndf open as a new tab, with a bunch of symbols on it?

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,067 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:45 PM

Posted 26 November 2012 - 06:51 AM

No, if that is the case right click the download link and select Save Link/Target as.... You can then save the file directly to your usb flash drive.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 WoShiMira

WoShiMira
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:45 AM

Posted 26 November 2012 - 07:13 AM

There's nothing in the text file.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,067 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:45 PM

Posted 26 November 2012 - 07:14 AM

You mean the one you downloaded, or in the resulting text file after running shellfix? If the latter, did you see a black command window coming up when you ran it?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 WoShiMira

WoShiMira
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:45 AM

Posted 26 November 2012 - 07:16 AM

The text file after running shellfix. And yes, there was a black window. It said it was done and to press enter to close the window. I followed your previous instructions, and the text file came up blank.

#8 WoShiMira

WoShiMira
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:45 AM

Posted 26 November 2012 - 07:23 AM

Oh wait. I tried it again and this came up in the shellfix.txt.



Offline Shell value fix by noahdfear

software.orig exists
Backing up software to software.ntb
Backup Complete

Hive </mnt/sda1/WINDOWS/system32/config/software>

(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe



Shell value is default


Hive </mnt/sda1/WINDOWS/system32/config/software>

(...)\Windows\CurrentVersion\policies\system> Node has 0 subkeys and 6 values
size type value name [value if type DWORD]
4 REG_DWORD <dontdisplaylastusername> 1 [0x1]
0 REG_SZ <legalnoticecaption>
8 REG_SZ <legalnoticetext>
4 REG_DWORD <shutdownwithoutlogon> 1 [0x1]
4 REG_DWORD <undockwithoutlogon> 1 [0x1]
4 REG_DWORD <HideFastUserSwitching> 0 [0x0]

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,067 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:45 PM

Posted 26 November 2012 - 09:08 AM

Can you please look in /mnt/sda1/documents and settings/<your username>/application data and tell me what files are present there (no need for folders).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 WoShiMira

WoShiMira
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:45 AM

Posted 26 November 2012 - 01:21 PM

Adobe, Apple Computer, Autodest, Chief Architect X2, GetRightToGo, Google, Identities, Ilvies, Macromedia, Microsoft, Mozilla, Skype, Sun, and desktop.ini

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,067 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:45 PM

Posted 26 November 2012 - 01:31 PM

Please look in /mnt/sda1/documents and settings/<your username>/start menu/programs/startup and tell me what files are present there.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 WoShiMira

WoShiMira
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:45 AM

Posted 26 November 2012 - 01:44 PM

desktop.ini

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,067 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:45 PM

Posted 26 November 2012 - 02:04 PM

Please navigate to /mnt/sda1/documents and settings/<your username> and look for a file called NTUSER.dat (without any additional letters or numbers). Do nothing with the file, but right click on it and select properties. Let me know how large the file is.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#14 WoShiMira

WoShiMira
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:45 AM

Posted 26 November 2012 - 07:58 PM

6.0 MB.

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,067 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:45 PM

Posted 27 November 2012 - 02:44 AM

Please navigate to the ntuser.dat file in xPUD and right-click on it. Select Copy. Now navigate to your flashdrive, right click in an empty space and select Paste.

After pasting the file, click on the Home tab > Power Off and shut down. Now plug the usb drive in a working computer, right click on NTUSER.dat and select Send To > Zipped/compressed file. This will create ntuser.zip in the same location. Please let me know the file size of ntuser.zip (based on that I can decide how best to upload it).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users