
afflicted with FBI scam in safe mode with networking


This topic is locked
22 replies to this topic

#1 philologist (Members, 24 posts)

Posted 12 January 2013 - 12:35 PM

My son has the FBI Moneypak ransomware on his laptop.

We tried using the emsisoft emergency kit you have in your malware removal guides, which has worked for us once before on another of our laptops.

We were able to boot in safemode with networking, download the emergencykit, and extract the files. But when we clicked to run the emergency kit scanner, the scam page came up again.

Yes, in safe mode.

Can someone here help us get rid of this version of the ransomware?

The laptop is Windows 7.

#2 narenxp (BC Advisor, 16,371 posts, India)

Posted 12 January 2013 - 02:43 PM

Can you boot into safemode?

#3 philologist (Topic Starter, Members, 24 posts)

Posted 12 January 2013 - 03:17 PM

Doesn't look like it. We just tried twice. The first time it just hung up. The second time, it did look like it was going to boot, then the white screen with blue "loading" circle came up -- looking like it was going to load the malware page. But then that disappeared and we just have a blank black screen.

#4 philologist (Topic Starter, Members, 24 posts)

Posted 12 January 2013 - 03:29 PM

I just tried ctrl-alt-del and that did get rid of the black screen. The computer had booted up in safemode but then we get the malware screen.

I was then able to do ctrl-alt-del to shut it down.

#5 narenxp (BC Advisor, 16,371 posts, India)

Posted 12 January 2013 - 03:42 PM

Restart the PC

Press F8 on bootup

Select REPAIR YOUR COMPUTER

Click on REPAIR

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Can you get to this screen?

If yes, select system restore and try restoring to previous point and see if you can boot now.

#6 philologist (Topic Starter, Members, 24 posts)

Posted 12 January 2013 - 03:54 PM

When we select "repair your computer" we didn't get to a "repair" option.

Instead, we see the "ASUS Preload Wizard". It gives the options:

1) recover windows to first partition only
2) recover windows to entire HD
3) recover windows to entire HD with two partitions

This is a newish laptop that I don't use. My son says he thinks it has 4 partitions. The stuff that went scrolling by on the screen after we selected "repair your computer" was mentioning 4 or 5 partitions.

#7 narenxp (BC Advisor, 16,371 posts, India)

Posted 12 January 2013 - 04:01 PM

Can you boot into safemode with command prompt?

#8 philologist (Topic Starter, Members, 24 posts)

Posted 12 January 2013 - 04:11 PM

We just get the malware screen again.

#9 philologist (Topic Starter, Members, 24 posts)

Posted 12 January 2013 - 04:13 PM

We can do ctrl-alt-del, but the only options are lock this computer, switch user, log off and change password. And the shutdown red button is available and works.

#10 narenxp (BC Advisor, 16,371 posts, India)

Posted 12 January 2013 - 04:23 PM

Let me ask a malware response team member to help you

good luck

#11 philologist (Topic Starter, Members, 24 posts)

Posted 12 January 2013 - 04:24 PM

Thanks!

For the next helper:

Previously, safemode, safemode with networking, and safemode with command prompt would boot but then we got the malware screen.

Now, we cannot even get the computer to boot up into safemode of any sort. It just goes right on to Windows.

Then we get a dialog box asking if we want to allow the following program to make changes to this computer -- the program name is Privitize VPN Client, the publisher is "000 "Industry"" and the file origin is "hard drive on this computer". There is no button to click to say yes or no, only a "show details" link which we haven't clicked on.

Edited by philologist, 12 January 2013 - 04:39 PM.


#12 JSntgRvr, Master Surgeon General (Malware Response Team, 11,446 posts, Puerto Rico)

Posted 12 January 2013 - 05:46 PM

    When we select "repair your computer" we didn't get to a "repair" option.

    Instead, we see the "ASUS Preload Wizard". It gives the options:

    1) recover windows to first partition only
    2) recover windows to entire HD
    3) recover windows to entire HD with two partitions


If you cannot get to the Repair Console I would suggest you create a Recovery CD using a computer running the same Windows version. Here are the instructions:

Create a Windows 7 System Repair Disc

Note: the below can only be done if your machine has a type of CD/R or DVD/R optical drive installed. Also, depending on the exact type of OEM your machine has, you may be unable to actually create a SRD.

  • Click on Start(Windows 7 Orb) >> Run...(or the Windows key and R together) to bring up the Run box, then copy/paste the following command into the box and click on OK:

    recdisc.exe

  • Allow the UAC(User Account Control) prompt via selecting Yes.
  • You should now see a menu like the below:-
[screenshot not preserved]

  • Put a blank rewritable CD/DVD in your optical(CD/DVD) drive and then click on Create disc.
  • Note: If a AutoPlay window pops up, just close it.
  • When the SRD has been created you will see the below:-
[screenshot not preserved]

  • Now click on Close >> OK. Leave the disc in the drive as we will be using it shortly.
  • You now have a Windows 7 System Repair Disc.

You will need a USB Flash drive.

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected computer and boot the computer with the CD you just created.
  • Enter System Recovery Options.

    To enter System Recovery Options by using the Recovery disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    Select Command Prompt

    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

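The post above has you open Notepad from the recovery command prompt just to discover which drive letter the flash drive was given, then type e:\frst or e:\frst64 by hand. The commands below are an added example written for this thread, not part of JSntgRvr's instructions or the FRST tool; they are typed directly at the System Recovery Options command prompt (single % signs, not the %% form used inside batch files) and assume the two executables are named FRST.exe and FRST64.exe and sit in the root folder of the flash drive, as the download step describes.

```batch
rem Added example (not from the original post): find the flash drive from the
rem System Recovery Options command prompt without the Notepad detour.
rem Assumption: FRST.exe / FRST64.exe are in the root of the flash drive.

rem 1. Show which drive letter(s) hold one of the FRST executables.
for %d in (D E F G H I J K L M N) do @if exist %d:\FRST64.exe echo FRST64.exe is on drive %d:
for %d in (D E F G H I J K L M N) do @if exist %d:\FRST.exe   echo FRST.exe is on drive %d:

rem 2. Start the 64-bit build from whichever drive it is on. On a 32-bit
rem    recovery environment it will refuse to run, which is the "only one of
rem    them will run" check from the post; in that case run the second line.
for %d in (D E F G H I J K L M N) do @if exist %d:\FRST64.exe %d:\FRST64.exe
for %d in (D E F G H I J K L M N) do @if exist %d:\FRST.exe   %d:\FRST.exe
```

If neither echo line prints anything, the recovery environment did not assign the flash drive a letter between D: and N:, or the files are in a subfolder; replug the drive, extend the letter list, or fall back to the Notepad method in the post. The log step is unchanged: after the scan, FRST.txt is written to the same flash drive.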

#13 JSntgRvr, Master Surgeon General (Malware Response Team, 11,446 posts, Puerto Rico)

Posted 12 January 2013 - 05:50 PM

PS:

Do not allow Privitize VPN Client to be installed.



#14 boopme, To Insanity and Beyond (Global Moderator, 73,078 posts, NJ USA)

Posted 12 January 2013 - 06:20 PM

Hello, just letting you know I moved this to the Virus, Trojan, Spyware, and Malware Removal Logs forum, where it will stay.

#15 philologist (Topic Starter, Members, 24 posts)

Posted 12 January 2013 - 07:55 PM

We are not having much luck. We made a system repair disk, but cannot get the infected computer to boot from it.

I don't have a lot of experience with this kind of thing, and had to google how to check the BIOS settings, then how to interpret what the settings were on this computer (the names of the choices didn't mean a lot to me at first). We tried both changing the boot option order and pressing esc on startup to let us choose the boot-from-cd-drive option. Neither works.

We can hear the cd-drive running, but we see a message saying "Windows is loading files . . .". A white bar goes across the screen once, then starts again but doesn't get more than about half an inch long. Then we get an error message saying:

"Windows has encountered a problem communicating with a device connected to your computer.

This error can be caused by unplugging a removable storage device such as an external USB drive while the device is in use. or by faulty hardware
such as a hard drive or cd-rom drive this is failing. Make use any removable storage is properly connected and then restart your computer.

If you continue to receive this error message, contact the hardware manufacturer.
Status: 0xc00000e9
Info: An unexpected I/O error has occurred."

Choosing either "ENTER to continue" or "ESC to exit" just makes the boot process restart, so I have to do a hard shut down.

Please note that we did have the flash drive plugged in, as per your instructions above. But we didn't do anything with it during startup.

The only information that came with the laptop (which we just purchased about 6 weeks ago) says that it has a "recovery partition" and to see the user manual for details. I will try to find that online, but cannot do any more until tomorrow.

Thanks very much for your help so far.



