
Need help with FBI ransomware virus that affects regular mode and safemode.


This topic is locked. 48 replies to this topic.

#1 igloobuilders (Members, 21 posts)

Posted 03 May 2013 - 03:55 PM

Mod Edit: moved to better forum for assistance with this ~~ boopme

 

Need help with FBI ransomware virus that affects regular mode and safemode.  I see there is a post for that with some instructions, but I have a twist and am looking for assistance.

 

I am a former H/W service tech with limited experience in dealing with S/W and viruses. 

 

A totally PC non-technical friend who lives out in the boonies 250 miles away is nowhere near any tech services, so he called me to help.  I have always been able to help him before and I feel ignorant when dealing with this issue he came up with this time.  He called me to help him remove the FBI ransomware that had locked up his computer with Windows XP Professional that had also affected safemode.  I worked with him over the phone as we tried what I knew (no go), so then I started to research it on the internet. 

 

I had him use another PC to download Hiren's Boot CD and he followed the instructions I found to fix it.  It did remove a little bit of things, but continued to lock up when he booted up.  Safemode with command prompt did not allow him to use rstrui.exe to restore it to a known previous restore point.  He has a backup on CD from the end of December, but nothing recent.  The hard drive came preloaded with Windows XP Pro from the manufacturer and they did not give him his Windows CDs when he bought it, so formatting and reloading Windows and the rest of his programs from CDs is not possible.  

 

In frustration, I asked him to send me the hard drive and told him I would work on it.  I am now very sorry I volunteered to do this, but now that I have it, I need to get it cleaned up somehow and get it back to him.  I have it connected to my desktop PC via an external HDD connector that connects it to a USB port.  I booted up to my hard drive that is running fully updated Win XP with SP3, and ran MalwareBytes and Norton Antivirus on his drive from my C drive.  It found and removed one thing, Trojan.Maljava, but I have found nothing that links that to the FBI virus, so I doubt the FBI virus was removed. 

 

Is there a way for me to remove the FBI virus on his bad drive while using my PC?  Once done with it, I will have to mail the drive back to my friend.

 

Thanks in advance!


Edited by boopme, 03 May 2013 - 04:00 PM.



#2 igloobuilders (Topic Starter, Members, 21 posts)

Posted 03 May 2013 - 07:17 PM

Another piece of information.  I also tried to run Norton Power Eraser from my hard drive to the "bad" drive, but it only let me run it on my drive (current operating system).  Under the "Advanced" tab, it let me do a "reputation scan" of the bad drive and it came up with a few .exe files and a whole bunch of .dll files, but the status showed, "unknown" for all of them.  Most of the .dll files were showing up under "Open Office" files, but some others were not.  I could delete them one at a time (about 70 of them), but I didn't want to do something that might mess up the drive. 

 

Any suggestions?

 

Thanks.



#3 igloobuilders (Topic Starter, Members, 21 posts)

Posted 06 May 2013 - 10:57 AM

No responses in 3 days.  Please advise if it is possible to remove the FBI virus that infected both regular mode and safe mode when it is not attached to the original computer (now attached to my computer), or should I just send the hard drive back to my totally non-technical friend who is 250 miles away and help him on the phone through the instructions on the forum?

 

Also, I saw a lot of instructions for removing it.  What is the confirmed good version of the instructions?  A link or copy/paste are fine.

 

Thanks.

 

Dawn (igloobuilders)

Former H/W service tech (up to 11 years ago), former services project manager (up to a year ago), now disabled and no longer working. 



#4 HelpBot (Bleepin' Binary Bot, Bots, 12,600 posts)

Posted 08 May 2013 - 04:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/493452 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 igloobuilders (Topic Starter, Members, 21 posts)

Posted 08 May 2013 - 04:49 PM

I still need help.

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.  Already included this information.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.  I ran the DDS log, but it only scanned my good hard drive in my machine and not the infected hard drive from my friend that is attached to my machine.  I don't have his PC with me.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.  No.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.  Thank you.



Edited by igloobuilders, 08 May 2013 - 04:51 PM.


#6 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 11 May 2013 - 10:05 AM

Hello and welcome to Bleeping Computer

 

My name is oneof4, and I am here to help you.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

 

Please give me some time to research your issue, and I will return with your first set of instructions.

 


Best Regards,
oneof4.


#7 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 13 May 2013 - 09:39 PM

Hello igloobuilders :)

 

We can do part of what needs to be done with you, but afterward you will need to get the drive back to your friend to finish the cleaning.  The scans that we will need to run will require the drive to be in the host computer.

 

Let's get started:

 

  • Use your computer's disk management utility to gain access to the infected drive.
  • Click on the Windows Start Orb, then type the following into the Search box: ctfmon.lnk
  • Right-Click on the file, and choose Properties
  • Under the Shortcut tab, note the Target of the actual .exe file that the ctfmon shortcut points to.
  • Post that location in your next reply.

 


Best Regards,
oneof4.
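The check oneof4 asks for above, finding out where a shortcut really points, can be done for every .lnk on the attached drive at once instead of one file at a time. What follows is an added example, not code from this thread or from any BleepingComputer tool: a minimal reader for the Windows shell link (.lnk) format that pulls out the LinkInfo path and the arguments string, plus a walker that lists each shortcut's target and flags any whose target sits outside the Windows or Program Files directories (that allowed list, the function names, and the two sample shortcuts built by build_lnk are this example's own assumptions, constructed so the script runs without real files).

```python
import os
import struct
import sys

# Layout constants from the MS-SHLLINK (.lnk) specification.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# Where a system component such as ctfmon.exe is expected to live (assumption for this example).
EXPECTED_PREFIXES = ("windows\\", "program files\\")


def _cstr(data, off):
    """Read a NUL-terminated ANSI string starting at off."""
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Return (target_path, arguments) for the bytes of a .lnk file.

    Decodes only what answers "what does this shortcut run?": the LinkInfo local
    base path + common suffix and the StringData arguments. ANSI paths only; the
    optional Unicode LinkInfo paths are not decoded.
    """
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad header size")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad shell link CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                      # skip the item ID list entirely
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol, base_off, _net, suffix_off = \
            struct.unpack_from("<7I", data, pos)
        if info_flags & 0x01:                    # VolumeIDAndLocalBasePath present
            target = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
        pos += info_size
    strings = {}
    for key, bit in (("name", HAS_NAME), ("relpath", HAS_REL_PATH),
                     ("workdir", HAS_WORK_DIR), ("args", HAS_ARGS), ("icon", HAS_ICON)):
        if flags & bit:                          # CountCharacters, then the text, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            strings[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return target or strings.get("relpath", ""), strings.get("args", "")


def is_unexpected_target(target):
    """True when the target lies outside EXPECTED_PREFIXES. The drive letter is ignored
    because an offline disk mounts under a different letter than it booted as."""
    path = target.lower()
    if path[1:3] == ":\\":
        path = path[3:]
    return not path.startswith(EXPECTED_PREFIXES)


def scan_shortcuts(root):
    """Walk a mounted drive (e.g. 'E:\\') and return (lnk_path, target, args, flagged) per .lnk."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    target, args = parse_lnk(fh.read())
            except (OSError, ValueError) as exc:
                findings.append((full, "<unparsed: %s>" % exc, "", True))
                continue
            findings.append((full, target, args, is_unexpected_target(target)))
    return findings


def build_lnk(base_path, suffix, args=""):
    """Construct a minimal .lnk byte string (sample data for this example, not a real file)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if args else 0)
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags).ljust(HEADER_SIZE, b"\x00")
    vol = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # minimal VolumeID with an empty label
    base, suf = base_path.encode("cp1252") + b"\x00", suffix.encode("cp1252") + b"\x00"
    base_off = 0x1C + len(vol)
    suffix_off = base_off + len(base)
    info = struct.pack("<7I", suffix_off + len(suf), 0x1C, 0x01, 0x1C, base_off, 0, suffix_off)
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le") if args else b""
    return header + info + vol + base + suf + string_data


if __name__ == "__main__":
    # With a path argument, walk that mounted drive; otherwise demo on two constructed shortcuts.
    if len(sys.argv) > 1:
        rows = scan_shortcuts(sys.argv[1])
    else:
        rows = []
        for name, blob in (("ctfmon.lnk", build_lnk("C:\\WINDOWS\\system32\\ctfmon.exe", "")),
                           ("odd.lnk", build_lnk("C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\", "ctfmon.exe", "-hide"))):
            t, a = parse_lnk(blob)
            rows.append((name, t, a, is_unexpected_target(t)))
    for lnk_path, target, args, flagged in rows:
        print("%s %s -> %s %s" % ("!!" if flagged else "  ", lnk_path, target, args))
```

Run it as `python lnk_targets.py E:\` against the drive letter the attached disk shows up under; lines starting with `!!` are shortcuts whose target is somewhere a Windows component has no business being, or that could not be parsed at all, and those are the ones worth reporting back in a reply. A shortcut whose name mimics a system file but whose target resolves into a user profile or temp directory is the pattern this check is meant to surface.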


#8 igloobuilders (Topic Starter, Members, 21 posts)

Posted 14 May 2013 - 12:40 PM

There was no "ctfmon.lnk" file on the bad drive anywhere. 

 

I DID find a "ctfmon" file under "E:\WINDOWS\system32" that says it is the ctf loader.

 

Did I miss something, or is that what you were looking for?



#9 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 16 May 2013 - 07:24 AM

Hey there, :)   Just a quick note to let you know I'm working on this, I haven't forgotten you. :wink:   I should have something for you later this evening.

 

Oh, BTW the ctfmon you found IS legit, so this variant of FBI MoneyPak must be using a different loader.


Edited by oneof4, 16 May 2013 - 07:27 AM.

Best Regards,
oneof4.


#10 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 17 May 2013 - 09:26 PM

Hello igloobuilders :)

 

Let's give this a whirl, and see if it comes back with the FBI "mystery" file we need.

 

First of all, make sure the infected drive is connected and "seen" by your system.

 

Next, please run,

 

ESET Online Scanner:


Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • While still in Advanced Settings, beside “Current Scan Targets”, click Change. Uncheck Operating Memory, and all drives EXCEPT the infected drive.
  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

 


Best Regards,
oneof4.


#11 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 20 May 2013 - 08:48 PM

Are you still with us?  Do you still need help?


Best Regards,
oneof4.


#12 igloobuilders (Topic Starter, Members, 21 posts)

Posted 21 May 2013 - 02:06 PM

Yes, I am still with you.  I will work on this tonight and get back to you.  Thanks.  Dawn



#13 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 21 May 2013 - 09:22 PM

:thumbup2:


Best Regards,
oneof4.


#14 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 24 May 2013 - 11:55 AM

Hey Dawn,

 

I'm still waiting on that ESET scan result...


Best Regards,
oneof4.


#15 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 28 May 2013 - 05:32 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators