FBI Lockout Virus CANNOT ACCESS SAFEMODE

#1 Rikumo

Posted 03 December 2012 - 02:47 PM

I have another client's machine here in front of me...and believe me, I've tried everything! I can't access Safe Mode AT ALL and nothing I seem to follow guide-wise is applying to me. Please help!

Machine is XP, can't do anything with normal boot because of the stupid FBI thing. Safe Mode in any mode just gives me a BSOD. I went ahead and ran some bash Restore Point thing. Here is the log. Disregard if it's irrelevant.



33.0M Dec 1 04:11 /mnt/sda2/WINDOWS/system32/config/SOFTWARE
8.0M Dec 3 14:16 /mnt/sda2/WINDOWS/system32/config/SYSTEM

32.9M Nov 30 14:51 /sda2/Documents and Settings/All Users/Application Data/Geek Squad/MRI/System File Backups/Registry Hives/Newest Restore Point - 2012.11.30_0622PM/_REGISTRY_MACHINE_SOFTWARE
32.9M Nov 30 14:51 /sda2/Documents and Settings/All Users/Application Data/Geek Squad/MRI/System File Backups/Registry Hives/Newest Restore Point - 2012.11.30_0622PM/_REGISTRY_MACHINE_SOFTWARE
32.9M Nov 29 15:41 /sda2/Documents and Settings/All Users/Application Data/Geek Squad/MRI/System File Backups/Registry Hives/Second Newest Restore Point - 2012.11.30_0622PM/_REGISTRY_MACHINE_SOFTWARE
32.9M Nov 29 15:41 /sda2/Documents and Settings/All Users/Application Data/Geek Squad/MRI/System File Backups/Registry Hives/Second Newest Restore Point - 2012.11.30_0622PM/_REGISTRY_MACHINE_SOFTWARE
32.9M Dec 3 14:36 /sda2/~/RP1/~SOFTWARE
32.9M Dec 3 14:36 /sda2/~/RP1/~SOFTWARE
7.8M Nov 30 14:51 /sda2/Documents and Settings/All Users/Application Data/Geek Squad/MRI/System File Backups/Registry Hives/Newest Restore Point - 2012.11.30_0622PM/_REGISTRY_MACHINE_SYSTEM
7.8M Nov 30 14:51 /sda2/Documents and Settings/All Users/Application Data/Geek Squad/MRI/System File Backups/Registry Hives/Newest Restore Point - 2012.11.30_0622PM/_REGISTRY_MACHINE_SYSTEM
7.8M Nov 29 15:41 /sda2/Documents and Settings/All Users/Application Data/Geek Squad/MRI/System File Backups/Registry Hives/Second Newest Restore Point - 2012.11.30_0622PM/_REGISTRY_MACHINE_SYSTEM
7.8M Nov 29 15:41 /sda2/Documents and Settings/All Users/Application Data/Geek Squad/MRI/System File Backups/Registry Hives/Second Newest Restore Point - 2012.11.30_0622PM/_REGISTRY_MACHINE_SYSTEM
7.8M Dec 3 14:36 /sda2/~/RP1/~SYSTEM
7.8M Dec 3 14:36 /sda2/~/RP1/~SYSTEM
7.8M Nov 30 14:51 /sda2/Documents and Settings/All Users/Application Data/Geek Squad/MRI/System File Backups/Registry Hives/Newest Restore Point - 2012.11.30_0622PM/_REGISTRY_MACHINE_SYSTEM
7.8M Nov 30 14:51 /sda2/Documents and Settings/All Users/Application Data/Geek Squad/MRI/System File Backups/Registry Hives/Newest Restore Point - 2012.11.30_0622PM/_REGISTRY_MACHINE_SYSTEM
7.8M Nov 29 15:41 /sda2/Documents and Settings/All Users/Application Data/Geek Squad/MRI/System File Backups/Registry Hives/Second Newest Restore Point - 2012.11.30_0622PM/_REGISTRY_MACHINE_SYSTEM
7.8M Nov 29 15:41 /sda2/Documents and Settings/All Users/Application Data/Geek Squad/MRI/System File Backups/Registry Hives/Second Newest Restore Point - 2012.11.30_0622PM/_REGISTRY_MACHINE_SYSTEM
7.8M Dec 3 14:36 /sda2/~/RP1/~SYSTEM
7.8M Dec 3 14:36 /sda2/~/RP1/~SYSTEM


Might I mention.....I have run MRI on this PC, and also, the newest Restore Point seems to be from when I got the machine, as in AFTER the virus infection. Please advise.

Edited by Orange Blossom, 03 December 2012 - 03:17 PM.
Moved from Windows XP to AII. ~ OB


#2 ginmasterjedi

Posted 04 December 2012 - 10:24 AM

Try a live OS environment with REGEDIT to remove the FBI virus files manually

Press Ctrl+Alt+Del keys together to open the Task Manager, and then stop all FBI Moneypak virus/malware processes there.

Search for all infected files and registry entries and delete them entirely.

%Documents and Settings%\All Users\Application Data\[random]\[random].exe
%Documents and Settings%\All Users\Application Data\[random]\[random].mof
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0


Good Luck and may the Force be with you
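A read-only audit of the policy values and the drop location named in the post above, added here as an example; it is not code from the thread or from any removal tool. It assumes PowerShell 2 or later run as Administrator on the live machine, and it only reports what it finds.

```powershell
# Read-only audit of the registry policy values and the drop location that
# post #2 names. Added example, not the thread's or any tool's own code.
# Assumes PowerShell 2+ run as Administrator on the live (not offline) system.
# Value meanings follow Microsoft's documented policy semantics: 1 disables
# the tool for the Disable* values; 0 turns UAC off for EnableLUA and makes
# admins elevate without a prompt for ConsentPromptBehaviorAdmin.
$hkcuPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$hklmPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyChecks = @(
    @{ Path = $hkcuPol; Name = 'DisableRegistryTools';       Bad = 1;     Meaning = 'regedit blocked by policy' },
    @{ Path = $hkcuPol; Name = 'DisableTaskMgr';             Bad = 1;     Meaning = 'Task Manager blocked by policy' },
    @{ Path = $hklmPol; Name = 'ConsentPromptBehaviorAdmin'; Bad = 0;     Meaning = 'admins elevate without any prompt' },
    @{ Path = $hklmPol; Name = 'ConsentPromptBehaviorUser';  Bad = $null; Meaning = '0 = elevation requests auto-denied' },
    @{ Path = $hklmPol; Name = 'EnableLUA';                  Bad = 0;     Meaning = 'UAC disabled' }
)

foreach ($c in $policyChecks) {
    # A missing key or value comes back as $null, which means the Windows default applies.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("{0,-28} not set (Windows default applies)" -f $c.Name)
        continue
    }
    $value = $item.($c.Name)
    $flag = ''
    if ($null -ne $c.Bad -and $value -eq $c.Bad) { $flag = '   <-- ' + $c.Meaning }
    Write-Output ("{0,-28} = {1}{2}" -f $c.Name, $value, $flag)
}

# Post #2's drop pattern is [random]\[random].exe or .mof one folder below
# All Users\Application Data. On XP that is %ALLUSERSPROFILE%\Application Data;
# on Vista and later the same location is %ProgramData%.
$appData = Join-Path $env:ALLUSERSPROFILE 'Application Data'
if (-not (Test-Path $appData)) { $appData = $env:ProgramData }

Write-Output ''
Write-Output "Newest .exe/.mof files one level below $appData (review; do not delete blindly):"
Get-ChildItem -Path $appData -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        Get-ChildItem -Path $_.FullName -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|mof)$' }
    } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 15 LastWriteTime, Length, FullName |
    Format-Table -AutoSize
```

This reads the live registry; to inspect an offline disk like the one in post #1, load its SOFTWARE and SYSTEM hives under a temporary key with reg.exe load first and adjust the two path variables accordingly.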

#3 ginmasterjedi

Posted 04 December 2012 - 10:25 AM

Try this if still no luck:

http://blog.yoocare.com/computer-locked-by-fbi-moneypak-virus-asking-to-pay-200-fine-to-unlock/

#4 ginmasterjedi

Posted 04 December 2012 - 10:46 AM

A comprehensive guide to remove the FBI virus

http://malwaretips.com/blogs/fbi-virus/

#5 Rikumo

Posted 05 December 2012 - 09:40 AM

Well, none of those worked. And the client got tired of waiting, so she came and got the machine. Thanks everyone for the help! Close thread please.
