FBI virus with no safe mode on XP


26 replies to this topic

#1 lottylee

lottylee

  • Members
  • 17 posts

Posted 04 March 2013 - 11:10 AM

Came home yesterday to this lovely bug.  Cannot go into safe mode at all.  I have tried Farbar, Kaspersky and Microsoft Defender as CD boots.  Farbar goes nowhere, Kaspersky gives a long error "can't read superblock" and Microsoft has an unexpected I/O error.  Seems like my computer will not boot from anything on USB.  I put Hitman Pro on USB.  It wouldn't boot up until Windows started and of course by then the evil FBI popped up.  I have tried to find how I could possibly put Hitman on CD but no luck.

 

I don't have my computer connected to the internet any longer which slows down the FBI screen so I can frustratingly open Outlook Express, start a scan, etc.  Sure wish I could get to system restore quick enough.  I also have System Suite firewall starting up as Windows opens so hard to attempt anything at startup.

 

Everywhere I have called is quoting at least $130 to remove this virus. This is an old PC and not a big concern at all.  I would just like to get Outlook Express email and contacts off before I choose the last resort: Recovery.  The Non-destructive Restore will not work.  Tech has put service packs on.


Edited by hamluis, 04 March 2013 - 12:23 PM.
Moved from XP to Am I Infected - Hamluis.




#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 04 March 2013 - 09:38 PM

I will ask someone from malware response team to help you.

 

Good luck.



#3 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,683 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 04 March 2013 - 09:48 PM

Welcome!

Let's give it a try.

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also download Query.exe and rst to the USB drive. On your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD; in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Type bash rst.sh
  • After it has finished a report will be located in the USB drive (sdb1) named enum.log
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.txt bs=512 count=1

    Leave a space between the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.txt is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.txt
  • Plug the USB back into the clean computer. Post the contents of the report.txt, enum.log, filefind.txt and RegReport.txt in your next reply. The mbr.txt file must be attached to your reply as it is a hex file.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
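Added example, not code from the thread or from its helper: a small Python parser for the 512-byte mbr.txt that the dd command above produces, meant to be run on the clean computer. It checks the 0x55AA boot signature, lists the partition entries, and hashes the 440-byte bootstrap area so a dump can be compared with a known-good one. The sample sector is constructed inline; the names build_sample_mbr, parse_mbr, bootcode_changed and load_mbr are my own.

```python
import hashlib
import struct

SECTOR = 512              # dd bs=512 count=1 yields exactly one sector
BOOTCODE_LEN = 440        # bootstrap code precedes the 4-byte disk signature
PART_TABLE_OFFSET = 446   # four 16-byte partition entries follow
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, start LBA, sector count
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x83: "Linux"}

def build_sample_mbr(boot_code=b"\xeb\x3c\x90", bootable=True):
    """Constructed sample sector (not a real dump): one NTFS partition at LBA 63."""
    code = boot_code.ljust(BOOTCODE_LEN, b"\x00")
    disk_sig = b"\x11\x22\x33\x44\x00\x00"           # disk signature + 2 reserved bytes
    entry = struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00,
                        b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2096640)
    table = entry + b"\x00" * 48                     # remaining three entries empty
    return code + disk_sig + table + b"\x55\xaa"

def parse_mbr(data):
    """Return signature validity, bootstrap hash and the non-empty partition entries."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    info = {
        "valid_signature": data[510:512] == b"\x55\xaa",
        "bootcode_sha256": hashlib.sha256(data[:BOOTCODE_LEN]).hexdigest(),
        "partitions": [],
    }
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype == 0:
            continue                                 # unused slot
        info["partitions"].append({
            "index": i, "bootable": status == 0x80,
            "type": ptype, "type_name": PART_TYPES.get(ptype, "unknown"),
            "start_lba": lba, "sectors": count,
        })
    return info

def bootcode_changed(known_good, candidate):
    """True if the bootstrap area differs between two dumps (first sign of a bootkit)."""
    return parse_mbr(known_good)["bootcode_sha256"] != parse_mbr(candidate)["bootcode_sha256"]

def load_mbr(path):
    """Read an mbr.txt created by the dd command from the post above."""
    with open(path, "rb") as f:
        return f.read(SECTOR)

if __name__ == "__main__":
    report = parse_mbr(build_sample_mbr())
    print("signature ok:", report["valid_signature"])
    for part in report["partitions"]:
        print(part)
```

Comparing the bootstrap hash against a dump taken from a clean install of the same Windows version is the quickest way to tell whether the boot code itself was tampered with, independent of what the partition table says.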


#4 lottylee

lottylee
  • Topic Starter

  • Members
  • 17 posts

Posted 05 March 2013 - 08:45 AM

Thanks.  I have the CD burned.  The link to driver.sh is unavailable?  I tried going to the website noahdfear.net and it is not there.  Any help on that?  I'm just jinxed on fixing this computer!



#5 lottylee

lottylee
  • Topic Starter

  • Members
  • 17 posts

Posted 05 March 2013 - 08:47 AM

Cannot get to rst link either.  Have Query.exe saved, no problem.



#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,683 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 05 March 2013 - 11:27 AM

They are all working from here. If you cannot get a direct download, right click on the link and select Save As or Save Link As, select the USB as the target folder and click on Save.

 

See if that works.




#7 lottylee

lottylee
  • Topic Starter

  • Members
  • 17 posts

Posted 05 March 2013 - 03:14 PM

Grabbed laptop and got those files just fine (another issue for another day apparently).  I had the xPUD running just fine.  sda1 is my HDD.  sda2 says "No subfolder".  I have put driver.sh, query.sh and rst.sh on two different USBs and both give the same results.



#8 lottylee

lottylee
  • Topic Starter

  • Members
  • 17 posts

Posted 05 March 2013 - 03:20 PM

There is no sdb listed at all.



#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,683 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 05 March 2013 - 03:26 PM

When you click mnt, you see sda1 and sda2. How about the USB drives, such as sdb1 or sdc1?




#10 lottylee

lottylee
  • Topic Starter

  • Members
  • 17 posts

Posted 05 March 2013 - 03:30 PM

No.  I have even tried putting the two USBs in at the same time!  Just making sure it's not a dead port or stick.  I am seeing them recognized as the computer boots.



#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,683 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 05 March 2013 - 03:34 PM

While on xPUD, remove the USB stick, wait a few seconds and insert it again. Does it get mounted?




#12 lottylee

lottylee
  • Topic Starter

  • Members
  • 17 posts

Posted 05 March 2013 - 04:31 PM

It recognizes that it has been "unmounted".  But upon reinsertion, I get no response.  I see all kinds of unmounts including sdg3, sdd3... You'd think there's a ton of files in mnt but I only see sda1, 2, 5 & 6 and have checked all.   The Unmounting conversation box continues on and on.   I just saw "sdb unmounted" among the 'comments'.  I just don't get why the sick computer is so unresponsive to the USB ports if not in Windows.



#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,683 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 05 March 2013 - 08:03 PM

Let's try the AVG Rescue CD:


"AVG Rescue CD is basically a portable version of AVG anti-virus, which runs on a Linux distribution as a bootable CD or bootable USB flash drive. This Rescue CD is equipped with AVG Antivirus, AVG Anti-Spyware and some administrator recovery tools.


You can scan for and remove computer viruses without booting the operating system first. It is suitable for recovering MS Windows and Linux operating systems (FAT32 and NTFS file systems) from virus and spyware attack. Meanwhile, the administrator toolset on the AVG rescue disk consists of a Windows Registry editor, a TestDisk utility for recovering data and lost partitions, a file browser for navigating folders, and a Ping tool for basic network diagnostics."

Please Note: Windows does not have to load for this scanner to work.

AVG Rescue CD Guide-check here

You can download the AVG Rescue CD HERE.
It's also located on This Page; make sure you download the .iso file.

Here's how it goes:

Download and install Active@ ISO Burner
Click HERE  for ISOBurner Instructions.
Install the program, and follow the next set of steps.

After you install Active@ ISO Burner, put a blank CD-R in your burner and double click on the AVG Rescue CD .iso you downloaded; Active@ ISO Burner should automatically open up. Now click BURN.

The program is very easy to use, you'll just be pressing Enter most of the time but here's how it goes:

1. After the rescue cd is made, boot-up the sick computer, put the rescue cd in and then restart it.
Note: In order to do so, the computer must be set to boot from the CD first. For information on how to do that....click HERE.
2. At the Boot Menu: Choose AVG Rescue CD (1) and press Enter

3. Let it load, at the "Disclaimer Screen"... just choose I agree or not and press Enter

4. At the "Update Screen", choose Yes and press Enter

Next screen, Choose Update from Internet and press Enter

5. At the "Update Priority Configuration" window, choose Priority 2 Virus Database Update and press Enter

6. Let it update and when finished, Press any key to continue

7. You end up back at the "Update Screen", choose Return and press Enter

8. You're at the "Main Menu" screen, choose Scan, press Enter

9. "Scan Type Menu", choose "Volumes Scan - Selected Volumes" and press Enter

10. "Scan Volumes", choose "OK" and press Enter

11. "Scan Options", choose "OK" and press Enter

12. "Run Scan", choose "Yes" and press Enter

13. When scan is complete, Press any key to continue

14. "Info screen", choose "OK" and press Enter

15. To see the scan report, select "Report File" and press Enter
Please look over the list, as some files can be crucial for the Windows system and deleting them can make it inoperative; if you're not sure, please Google the file or files.

16. "Scan Results Menu", use the up and down keys and choose "Select - Handle single or groups of infected files", press Enter
Go through the files and choose to Rename the infected file, don't choose Delete!
This is important....Rename<---

17. Read the "Warning Screen", "Yes" and Enter

18. Back to "Scan Results Menu", choose "Back or Return" to get to the "Main Menu" and then choose ---->Reboot System
Don't forget to take out the rescue cd.

19. All the malware files will be renamed to "_INFECTED.arl", to find all of these files....
Go to Start > Search > All Files and Folders > type "_INFECTED.arl" and click search.
  Example: malware.exe would be renamed to malware.exe_infected.arl

20. Note: If you find the CD doesn't load, it's most likely due to a bad download or bad burn; download the file again and burn it at a slower speed.




#14 lottylee

lottylee
  • Topic Starter

  • Members
  • 17 posts

Posted 06 March 2013 - 08:16 AM

YAY!!!  Things went well and I saw that evil thing in the files where I thought it was.  This program has had some different options from what you described but I made it through.  BUT, I picked the RENAME option and it came back with "Rename successful".  So I don't know what they were renamed to.  I'm just letting you know before I reboot.



#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,683 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 06 March 2013 - 08:42 AM

Let me know if you are able to boot in Normal Mode.

