
FBI ransomware virus


54 replies to this topic

#1 benson9


Posted 04 February 2013 - 04:08 PM

I have an HP laptop that is infected with the FBI virus. After becoming infected I reopened the laptop in safe mode with command prompt and began MBAM from a USB drive. It scanned the computer and found the trojan and I removed it as instructed. When I restarted the laptop as instructed and I go to reopen it from the Windows Advanced Options Menu it will not open. It simply begins whatever command is given and after 5-15 seconds begins to open, then fails and returns to the Menu - I cannot break the loop. I honestly do not know where to go from here. If anyone can help, it would be greatly appreciated. Thanks in advance !!

Jim


#2 The Dark Knight


Posted 06 February 2013 - 12:51 AM

Hello and welcome to BleepingComputer. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear.

For x32 (x86) bit systems please download the Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems please download the Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer, find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your reply.

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#3 benson9


Posted 08 February 2013 - 05:25 AM

Thank you Dark Knight for your help. I have some difficulty with accessing a clean computer so my apology for the delay in responding. I downloaded farbar as instructed, plugged it in the laptop and started it.

As before, Windows XP began to open and after 10-15 seconds the screen went black, winked out and reopened on the advanced boot options page. I tried again and the same thing happened. What should I try next - thanks !!



#4 The Dark Knight


Posted 08 February 2013 - 05:51 AM

Hello benson9,


Please read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Be sure to read these:
Download Kaspersky Rescue Disk 10
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?


  • Please go to a clean computer
  • Download the .iso image file.
  • Create a CD (or flash drive if you prefer).
  • On the infected computer: put the disk in the drive and reboot.


Follow the directions here, but you will find some differences.

Familiarise yourself with How to create a report file in Kaspersky Rescue Disk 10?

Then, please print the following directions:

Boot from Kaspersky Rescue Disk 10:
Restart your computer and put the disk in the drive while booting.
Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
Select the required interface language using the arrow-keys on your keyboard.
Press the Enter key on the keyboard.
In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
Click Enter.
Click 'A' to accept the agreement.
Select operating system from dropdown menu (select Windows whatever).
Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
Click My Update Center and update.
Back to other tab and click Start Object Scan.
When scan has completed save a report:
On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
On the upper right hand corner of the Detailed report window, click on the Save button.
After clicking Detailed Report and 'SAVE', a browse window opens.
Double-click on the \
Click 'disks'.
All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
Click on the Save button.
The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.




#5 benson9


Posted 10 February 2013 - 01:42 PM

Dark Knight - I am sorry for the delay in responding. I am unfamiliar with Kaspersky. I proceeded with the scan and the saving of the report, however I am unable to transfer the report to my USB drive. I did reboot normally after the scan and nothing had changed, it continues to recycle. Thanks



#6 The Dark Knight


Posted 10 February 2013 - 03:36 PM

Hey benson9,


Did Kaspersky find anything at all?


Please try the following. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the Desktop of your clean computer.

  • Insert your USB drive.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format.
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded.
  • Press Run then OK.
  • It will install a little bootable OS on your USB.
  • After it has completed do not choose to reboot the clean computer simply close the installer.
  • Remove the USB and insert it in the sick computer.
  • Boot the Sick computer.
  • Press F12 and choose to boot from the USB.
  • Follow the prompts.
  • A Welcome to xPUD screen will appear.
  • Press File.
  • Expand mnt.
  • sda1,2...usually corresponds to your HDD.
  • sdb1 is likely your USB
  • Press Tool at the top.
  • Choose Open Terminal.
  • Type in: dd if=/dev/sda of=MBRbackup.zip bs=512 count=1 and hit Enter.




#7 benson9


Posted 11 February 2013 - 01:48 PM

Dark Knight - Kaspersky found 48 events

I followed your instructions for the xPud installation but once again have a problem. I am getting this response when trying to boot from the USB device.


Syslinux 3.72 2008-09-25 Ebios Copyright © 1994-2008 H. Peter Alvin

Could not find kernel image: linux

Boot: _


Thank you again in advance



#8 The Dark Knight


Posted 11 February 2013 - 03:33 PM

Hello benson9,


Please see this topic: http://www.bleepingcomputer.com/forums/t/453353/spyware/page-3


Scroll down to post #34 and see if following their description gets xPUD working.




#9 benson9


Posted 12 February 2013 - 01:23 AM

Dark Knight - I must admit to being very frustrated. I read the post and followed the instructions, however xPUD will not load. What suggestions might you have - thanks !!



#10 The Dark Knight


Posted 13 February 2013 - 04:46 AM

Good evening benson9,

Let's try another scan with xPUD.

Please download GETxPUD.exe to the Desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.
  • This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

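A first-pass review of the mbr.bin that the dd command above produces checks the dump's structure and fingerprints its bootstrap code so it can be compared with a dump from a known-clean machine. The following Python script is an added example, not code from the helper or from any tool named in this thread; it assumes the 512-byte dump is passed as a file path on the command line and otherwise runs on a constructed sample.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 446                 # partition table starts here; bootstrap code precedes it
ENTRY_FMT = "<B3sB3sII"              # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"               # last two bytes of a valid MBR


def parse_mbr(data: bytes) -> dict:
    """Parse a raw 512-byte MBR dump (e.g. the mbr.bin produced by dd)."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(ENTRY_FMT, data, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "signature_ok": data[510:512] == BOOT_SIG,
        # hash of the bootstrap area only; compare it with a dump from a known-clean machine
        "bootstrap_sha256": hashlib.sha256(data[:PART_TABLE_OFF]).hexdigest(),
        "partitions": partitions,
    }


def sanity_findings(mbr: dict) -> list:
    """Observations a first-pass review of the dump would note (empty list = nothing obvious)."""
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature: not a valid MBR dump")
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected exactly 1)")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: zeroed bootstrap area, one bootable NTFS (0x07) partition, valid signature."""
    buf = bytearray(SECTOR)
    struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFF, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 409600)
    buf[510:512] = BOOT_SIG
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    result = parse_mbr(data)
    print(result)
    print(sanity_findings(result) or ["no obvious anomalies"])
```

A differing bootstrap hash between two machines of the same Windows version is only a lead, not proof of infection, since OEM and installer variants exist; the partition-table checks are the more clear-cut signals.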


#11 benson9


Posted 13 February 2013 - 06:18 PM

Dark Knight - I am sorry but my HP does not have a CD/DVD drive, only USB. Is there a way to get the .iso file onto the USB and try booting xPUD that way?? Thank you.



#12 The Dark Knight


Posted 14 February 2013 - 03:31 AM

Howdy benson9,
Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • It will install a little bootable OS on your USB
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Download xPUDtestdisk.exe and save it to the USB device
  • Double click xPUDtestdisk.exe to extract the contents to your USB device
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type testdisk/testdisk_static
  • Press Enter
    • The TestDisk command window will open
    • Choose Create and press Enter
    • TestDisk will now detect all local hard drives
    • Use the arrow (up and down) keys to highlight the disk called /dev/sda if it represents your primary hard drive and press Enter
    • If you're not sure then note everything you see and post it for my review
    • Select Intel (even if you have an AMD processor) and press Enter
    • Select Advanced and press Enter
    • Select [Boot] and press Enter
    • Select [Dump] and press Enter
    • Select [Quit] to exit
  • A log will be created in the root of the usb device
  • Remove the USB drive and insert back in your working computer

    Please note - all text entries are case sensitive

  • Copy and paste the resultant log for my review.

Edited by The Dark Knight, 14 February 2013 - 03:32 AM.



#13 benson9


Posted 15 February 2013 - 01:17 PM

Dark Knight - once again I have nothing to paste for your review. This attempt ended as did an earlier one, with this response:


Syslinux 3.72 2008-09-25 Ebios Copyright © 1994-2008 H. Peter Alvin


Could not find kernel image: linux


Boot: _


  • I have gone in and changed the boot order in the bios setup - no difference
  • The files on my USB device for this attempt are: vesamenu.c32 and text disc.
  • The system goes into automatic reboot with windows (on the hard drive) after every attempt to startup by a different method
  • I can no longer access the F11 System Recovery - the screen flashes and then loops into the automatic restart of windows

Thanks in advance for any way to break through this !!



#14 The Dark Knight


Posted 15 February 2013 - 04:51 PM

Good morning benson9,


Are you able to access Safe Mode?




#15 benson9


Posted 15 February 2013 - 08:04 PM

Unfortunately no !
