
FBI Virus 05-13-2013 Solution


#1 Raistlin87 (Members, 3 posts)

Posted 17 May 2013 - 12:12 PM

At my shop we found a new version of the FBI virus that automated scanners were unable to remove. What we ended up doing was booting PE and running Panda Cloud Antivirus, which tagged a randomly generated .exe in the user folder. That file was still sought by the registry and would start a command prompt every time we booted the computer. We found it in the registry as 2 keys:

 

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.
HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with the random exe and delete it as well.

 

After getting rid of these two the computer booted normally. I hope this will help people clean their machines.

 

I have found today that Hitman Pro Kickstart is now finding this, so the above solution might not be necessary but is still good info nonetheless.


Edited by hamluis, 17 May 2013 - 12:28 PM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 Elise (Malware Study Hall Admin, 61,252 posts)

Posted 18 May 2013 - 08:38 AM

Hello,

Thank you for sharing your solution! :) Whenever new ransomware versions come out it always takes a bit before automated tools like HMP Kickstart catch up. The fix you posted will do the trick, but a bit of caution is required because wrongly editing these keys/values can cause serious damage to your computer. Unfortunately setting a system restore point or backing up is often difficult in these situations, but I'd advise any user who has this problem and isn't sure/comfortable how to fix it not to try things but to post a help request in the malware removal forum instead.

 

One small correction:

HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with the random exe

 

That would be an autorun value, not a key. You'll see something like "Autorun" = "c:\<path to random file>"


regards, Elise


Malware analyst @ Emsisoft
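As an added example that is not part of either post above: a read-only PowerShell check of the two HKCU locations named in this thread (the Winlogon Shell value and the Command Processor AutoRun value, the latter being a value, as Elise notes). It assumes it is run in the profile of the affected user, reports what it finds and deletes nothing, so a technician can review the referenced file before removing anything by hand.

```powershell
# Added example, not code from the thread. Read-only: reports, never deletes.
# Assumes it runs as the affected user so that HKCU: is that user's hive.

$checks = @(
    @{
        Path     = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Name     = 'Shell'
        Expected = 'explorer.exe'   # default shell; normally absent from HKCU entirely
    },
    @{
        Path     = 'HKCU:\Software\Microsoft\Command Processor'
        Name     = 'AutoRun'
        Expected = $null            # normally absent; any value runs at every cmd.exe start
    }
)

foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }

    if ($null -eq $value) {
        # Absent is the clean state for both values in HKCU.
        Write-Output "OK   $($c.Path)\$($c.Name) not present"
    }
    elseif ($null -ne $c.Expected -and $value -ieq $c.Expected) {
        Write-Output "OK   $($c.Path)\$($c.Name) = $value"
    }
    else {
        # This is the situation described in the thread (e.g. Shell = cmd.exe,
        # or AutoRun pointing at a random .exe in the user folder).
        Write-Output "WARN $($c.Path)\$($c.Name) = $value  <- review before removing"

        # Try to locate the referenced file: whole value first, then the first token
        # (values are often '"C:\path\x.exe" args' or 'C:\path\x.exe args').
        $exe = $value.Trim('"')
        if (-not (Test-Path -LiteralPath $exe)) {
            $exe = ($value -split '\s+')[0].Trim('"')
        }
        if (Test-Path -LiteralPath $exe) {
            $h = Get-FileHash -LiteralPath $exe -Algorithm SHA256
            Write-Output "     file exists: $exe  SHA256=$($h.Hash)"
        } else {
            Write-Output "     referenced file not found on disk (already removed, or path needs manual review)"
        }
    }
}
```

The system-wide Shell value lives under the same path in HKLM rather than HKCU; the thread only covers the per-user copy, so extending the check to HKLM: is an addition of mine.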
