
FBI Moneypak- no safe modes- hidden partition or HDD not scannable?



#1 edgy72 (Members)

Posted 14 November 2013 - 05:32 PM

Hello, I have an FBI moneypak infection on another computer: Windows XP. All safe modes result in the BSOD and no other removal techniques have worked. I was able to boot using a Kaspersky rescue USB and using Hiren's Boot CD but each time there is no access to the drive where the virus resides. I was able to run a Malwarebytes scan (with up to date file) after the rescue CD loaded Mini-XP. I noticed the C: drive showed as "unformatted" and was only showing 75G of the 80G hard drive available.

It appears I can't access the hard drive where the virus and Windows XP and other files reside to scan.  

 

I'm stuck and don't see any forum posts that may help.. I'm wondering if my drive is actually erased?

Thanks

 





#2 Aaflac (Malware Response Team)

Posted 14 November 2013 - 10:35 PM

Welcome to the BC Forums, edgy72!

 

In Windows XP, can you access the Command Prompt?

 

There are several ways...

 

  • Go to Start > Run, then type: cmd
  • Go to Start > Programs > Accessories > Command Prompt
  • Right-click the Taskbar, and then click: New Task, type cmd.exe, and press: Enter
  • Right-click Start, and open Windows Explorer, go to c:\windows\system32\ double click on: cmd.exe
  • In the Internet Explorer browser, type the following in the address bar, and press: Enter

 

file:///c:\windows\system32\cmd.exe

If so, can you then do the following...
 
Step 1

Note: You need to run the version of FRST compatible with your system. Your XP system should be 32-bit.

Step 2

  • Plug the pen drive into the infected PC.
  • Boot the infected machine into Windows XP, and get to the Command Prompt.

Step 3

  • At the Command Prompt window, type in notepad, and press Enter
  • Notepad opens. Under the File menu select: Open.
  • Select My Computer and find your pen drive letter, make note of it, and close Notepad.
  • At the Command Prompt window type x:\frst (or, for x64 bit version type e:\frst64) and press: Enter
    Note: Replace letter x with the drive letter of your pen drive!!
  • The tool starts to run.
  • At the program console, press the Scan button. The scan may take a few minutes...
  • When done, a report named FRST.txt is created on the pen drive.
  • Remove the pen drive using the Safely Remove Hardware icon on the bottom right of the tray.
  • Shutdown the computer using the following at the Command Prompt: shutdown -s -t 10

Place the pen drive in the clean computer, and please provide the FRST.txt in your reply.


Old duck...


#3 edgy72 (Topic Starter)

Posted 15 November 2013 - 09:16 AM

Thanks for replying!  I cannot get to the command prompt on the infected computer. :-( 

The virus locks out the infected laptop after about 30 seconds and I can't get anything to open during that time. 

 

I've been able to boot using two different rescue CD/USBs but when I do there is no access to the local hard drive. One of the rescue CDs (Hiren's) had a version of XP and when you go into Windows the C: drive says it's not formatted and there are no other drives listed.

 

To get info on the infected computer I'm guessing I have to boot a different way.  The safe modes all take me to the blue screen also.  

Thanks



#4 Aaflac (Malware Response Team)

Posted 15 November 2013 - 08:17 PM

Let's go this route...

Use HitmanPro.Kickstart to access your computer, scan it for malware, and remove this infection. The program targets this ransomware.

You may want to print these instructions, so they are available to follow. Also, you may want to read them to have an idea of what you need to do.


Step 1: Now, load a USB flash drive with HitmanPro.Kickstart as follows...
Note: the contents of the USB flash drive are erased during this process.

Use a clean (non-infected) computer, and download HitmanPro:
http://www.surfright.nl/en/kickstart

Under Download (on the right) select the program applicable to the system: 32-bit

When HitmanPro opens, click the KickStart icon at the bottom of the screen.

Plug in the USB flash drive.
When the USB flash drive is detected, a selection screen is presented.
Select the USB flash drive from the choices, and press: Install Kickstart

A warning that all contents of the selected flash drive will be erased is presented.
Press: Yes

As the HitmanPro.Kickstart files are loaded, a progress indicator is shown on the screen.
Once the process is completed a screen is presented with the contents of HitmanPro.Kickstart

Remove the USB flash drive from the clean computer and press: Close


Step 2: Now, with the ransomed computer shut down, plug the USB flash drive into a USB port, and turn on the power.

When the computer starts, press the key that brings up the Boot Menu. (On some machines it's F12, F10, or F2)
From there, select to boot from the USB drive. (It may say 'Removable Drive' in the options.)
Info: http://www.selectrealsecurity.com/remove-ransomware

Once you select the USB flash drive to boot from, press: Enter


Step 3: A Kickstart prompt with USB boot options appears.
Select: 1 - Bypass the Master Boot Record (Default)

The system continues to boot from the hard drive and starts Windows.
If you get a message stating that Windows failed to start, etc., just select: Start Windows Normally

When Windows boots you either get a logon screen, or the Desktop is started.
If you see a logon screen with your User name, logon with it.

In the next prompt that appears, to start the program without installing to the local hard disk, select the option to do a one-time scan to check the computer.

To start scanning for malware press: Next

If malware is detected, the program shows what malware is present on the system using a red framed screen.

[Image: hitmanpro-scan-results.jpg]
Select Next to quarantine the malware into a secure storage where it can no longer start.

At the next screen, activate the 30-day free license.
[Image: hitmanpro-activation.jpg]
After successful activation (30 days), press: Next

A screen indicating that the malware was successfully disabled or removed is presented.
Press: Next

To obtain a report of the scan results, press: Save log
Save the Notepad log to the Desktop
It has a name such as: HitmanPro_xxxxxxxx_xxxx

Remove the USB drive, and press: Reboot

If no malware is found, press: Close

After HitmanPro.Kickstart is done, you should be back into normal Windows.

>> Please post the HitmanPro report in your reply.


Step 4: To remove any remnant malicious files of the ransomware...

Download RogueKiller:
http://tigzy.geekstogo.com/roguekiller.php

Select the version that applies to your system: 32-bit
Click the button to download.
Save to the Desktop.

Close all windows and browsers.
Right-click and select: Run as Administrator

At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)
Press: SCAN

When done, a report opens on the Desktop: RKreport.txt

>> Please provide the RKreport.txt (Mode: Scan) in your reply.

Old duck...


#5 edgy72 (Topic Starter)

Posted 15 November 2013 - 10:09 PM

I followed the steps above and downloaded HP on the USB.  When I boot and then select bypass Master Boot Record (default)  in the Hitman USB options I get the following error:

 

HitmanPro.Kickstart booting

MBR Read

Non-NTFS partition or encrypted disk detected.

Failed to boot!

 

If I try option 2 "Regular boot (when bypass failed)" it says:

Starting SafeBoot v5.1 

Please wait...

\

 

but it just sits there with a blinking cursor.. nothing happens. 



#6 Aaflac (Malware Response Team)

Posted 16 November 2013 - 01:42 AM

Let's try some other options...

Some ransomware appears whenever a network connection is established.
Try booting into normal mode without your ethernet cable plugged in.
If you connect via wireless, try turning off your wireless modem before booting the computer.

After doing the above, are you able to boot to Normal Mode without the ransomware appearing?


If not, try creating the following CD - Kaspersky WindowsUnlocker:
http://support.kaspersky.com/us/viruses/solutions?qid=208285998

The downloaded ISO file has to be burned as an Image.
How to burn an Image using Imgburn:
http://forum.imgburn.com/index.php?showtopic=61

Run WindowsUnlocker using these instructions:
http://support.kaspersky.com/us/viruses/solutions?qid=208285998

In order to disinfect the Registry using the Kaspersky WindowsUnlocker, perform the following actions:

If you booted the Kaspersky Rescue Disk in graphic mode, click the blue button with a white K and gear.
In the menu select: Terminal
At the command prompt type in the command: windowsunlocker
Press Enter on the keyboard.


If you booted Kaspersky Rescue Disk in text mode, press F10 to close the menu.
At the bottom of Midnight Commander, select the command prompt and type in: windowsunlocker
Press Enter on the keyboard.

The goal is to unlock windows. Use this option when presented.
The utility cleans the Registry and displays results in the window.

When done with WindowsUnlocker, press on to scan the computer using the Kaspersky Rescue Disk.

Old duck...


#7 edgy72 (Topic Starter)

Posted 20 November 2013 - 10:52 PM

Hello,
The virus does not need the internet to turn on.  It pops up regardless of whether there is any internet connection.  If I'm not connected the moneypak screen appears with a note that says "connect to internet".

I followed the above directions successfully without issue. No harmful files were found with the scan. When booted with the Kaspersky disk (as it was with Hitman..) there appears to be NO hard drive present. When I ran the Kaspersky scan it took about 10 seconds because it was not actually scanning the hard drive.

The hard drive does still contain Windows XP and my files because if I open Explorer quickly I was able to see files and open one before the FBI screen appeared.

The hard drive is just not visible to any of the rescue CDs tried thus far. It seems like I need to un-hide a partition of some type and then try to run the scans from a rescue CD.

Is there a rescue CD utility that will allow me to look at hidden partitions or view the hard drive?

Thanks for any other ideas!  I'd give up except I know my files and hard drive are still there, intact!



#8 Aaflac (Malware Response Team)

Posted 21 November 2013 - 12:14 PM

Please take a snapshot of Disk Management, and let's see what it shows...

 

Go to Start, right click My Computer, click Manage
The Computer Management window appears.

In the vertical column to the left, click: Disk Management

When Disk Management opens, it shows the setup of the drives and partitions on the computer.

To take a snapshot of what you are seeing on your computer screen, here is what you do:

 

  • Open the window to be captured.
  • Hold the 'Alt' key and press the 'Print Screen' key (often just labeled 'Prt Sc') on your keyboard.
  • Open an image editing application such as MS Paint program under Start > Accessories.
  • Paste the captured image into MS Paint.
  • Go to File > Save as, and save the image as a (.GIF) file on your Desktop (easy to find)

 

Next:

 

  • Connect to the Internet, and go to Photobucket: http://photobucket.com/
  • Once there, create a free account.
  • Click 'Browse' and search for the file you wish to upload.
  • Click Upload.
  • After uploading, place the cursor on the image. Four different link options show underneath the uploaded image.
  • Click on:  IMG code (This line is used for using your image in a forum post. It makes the image appear full size in your reply.)
  • The IMG code is pasted to the clipboard
  • In your post, right click on an open area, and select: Paste

Please provide the link for the capture in your reply.


Edited by Aaflac, 21 November 2013 - 12:33 PM.

Old duck...


#9 edgy72 (Topic Starter)

Posted 21 November 2013 - 02:54 PM

Hello,  I tried to get into disk management in the past but the FBI screen pops up before I can get it to open.

I definitely can't get a screen shot.  The time seems to vary but I don't think this is going to happen..

 

I was able to run disk management using "mini-XP" when I booted the computer from Hiren's boot CD.  

It showed the entire C: drive as one partition of ~73.4G (on an 80G HD). While in Mini-XP, if you click in Explorer on the C: drive it says it is unformatted and asks if you want to format the C: drive.. (which I say NO to..)

 

From the behavior I've seen the computer boots from the normal C: drive where the virus is.  The entire C: drive appears to be Hidden because there are files and programs still on the PC.

When I boot using any rescue CD/USB I can't access any part of the hard drive.

 

Stuck.. 



#10 Aaflac (Malware Response Team)

Posted 21 November 2013 - 10:10 PM

Let's see if the following works for you...

From a clean computer, please download: GParted

To create a bootable CD for GParted, use ImgBurn
This CD burner program burns ISO images to a CD; this is not the same as copying to a CD!! You must burn an ISO image.


Next, you need to boot from the newly created GParted CD; however, the BIOS (Setup) of the infected computer must support booting from a CD.

If you need to change this setting, start the infected computer, and pay close attention to its initial screen for the key used to access the BIOS (Setup).
Some of the keys used to grant access to the BIOS set up menu are: F1, F2, F10, DEL, or Esc


If, for example, the key is F2, press the key until the BIOS screen shows up.
Go to the Boot tab, and make the appropriate changes to boot from CD.
Save the changes to the BIOS (normally F10, but may be different for your computer)
Exit the BIOS (Setup).



Now, check your CD to make sure you can boot from it and run GParted.

Post back when you confirm.

Old duck...


#11 edgy72 (Topic Starter)

Posted 24 November 2013 - 10:55 PM

Hello,

I got Gparted to load.

It says I have two partitions:

The boot partition is /dev/sda1  and is 74.53GiB

It has the flag as the boot partition

the info tab says:

status:not mounted

 

"unable to detect file system"

Possible reasons:

Damaged

unknown file system to gparted

unformatted or there is no file system

The device entry /dev/sda1/ is missing

 

The other partition is 1.09MiB and is "unallocated"

 

Let me know if there is anything else I can check?

Thanks



#12 Aaflac (Malware Response Team)

Posted 25 November 2013 - 05:28 PM

What make/model computer is this?

Do you have an XP install CD for it?

Rather hesitant to do much with the HDD; you may need to access and retrieve files from it, since that appears to be a main concern.

Old duck...


#13 edgy72 (Topic Starter)

Posted 26 November 2013 - 04:17 PM

It's a Dell Latitude 600 or something laptop (I don't have it in front of me right now). It's fairly old..

 

I find it odd that it will boot into XP with the virus but that the hard drive is inaccessible otherwise!!

I have no issue re-imaging it if I could copy my files off of it.  It's only used for web-surfing etc..

Thanks



#14 Aaflac (Malware Response Team)

Posted 26 November 2013 - 11:08 PM

Since we are doing data recovery from a corrupted disk file system, or a failing hard drive, I have two suggestions.

The first is to try booting from a Linux CD and check whether or not you can see and access your files. If so, you need to copy them to an external USB hard drive, or flashdrive.

If the above is not possible, the second suggestion is to attempt data recovery using TestDisk. This is also done from a bootable Linux CD.

Once you recover your important files, then you can take any action you wish.


Suggestion 1:

On a working computer...

Download GETxPUD.exe
Save to the Desktop.
  • Run GETxPUD.exe
  • A new folder appears on the Desktop.
  • Open the GETxPUD folder and click on get&burn.bat
  • The Command Prompt opens, xpud_0.9.2.iso is downloaded, and BurnCDCC opens ready to burn the .iso image. This could take a while; the download file size is 63MB. Please be patient.
  • Click on Start at the BurnCDCC console, and follow the prompts to burn the image to a CD.

On the problem computer...
  • Connect an external hard drive or flashdrive.
  • Boot to the xPUD CD.
  • A Welcome to xPUD screen appears.
  • Click on File.
  • Expand the mnt icon on the left by clicking on the small arrow beside the icon.
    • sda1, sda2 etc. ...usually correspond to your HDD partitions if a SATA hard drive.
    • hda1, hda2 etc. ... usually correspond to your HDD partitions if an IDE/ATA hard drive.
    • sda1, sdb1, sdc1... is likely to correspond to a USB flashdrive, external USB hard drive, etc.
  • Copy your important files to the external hard drive or flashdrive.
    • To do so, open your hard drive partition and navigate to the files/folders that you wish to copy.
    • Select multiple files/folders by holding down the <CTRL> key and selecting them.
    • Use right-click > Copy
    • Navigate to your external media, and in the right-side window pane, use right-click > Paste.

To shut down the computer...
  • Go to Home > Power off

Post back on results.

If the partition and your files are not visible, try the next suggestion.



Suggestion 2:

Preliminaries:

On a working computer...

Download and extract TestDisk to a USB flashdrive:
  • Download xPUDtestdisk.exe and save it to the USB flashdrive
  • Double click xPUDtestdisk.exe to extract its contents.
  • Remove the USB flashdrive from the working computer.
On the problem computer...
  • Connect an external HDD large enough to accommodate your files.
Using xPUD and TestDisk...

Step 1: Run TestDisk to check what files are in the partition:
  • Insert the flashdrive with TestDisk in the problem computer.
  • Boot the computer to the xPUD CD created in Suggestion 1.
  • A Welcome to xPUD screen appears.
  • Click on: File
  • Expand the mnt icon on the left (click on the little arrow beside the icon).
    • sda1, sda2 etc. ...usually correspond to your HDD partitions if using a SATA hard drive.
    • hda1, hda2 etc. ... usually correspond to your HDD partitions if using an IDE/ATA hard drive.
    • sda1, sdb1, sdc1 ...is likely to correspond to your USB flashdrive with TestDisk on it, external USB hard drive, etc.
      (Note the designation/name of the external HDD that you intend to save files to. You will need to know this later.)
  • Click on the folder that represents your USB flashdrive (sdb1 ?)
  • You should see the TestDisk folder showing in the right-pane.
  • Click on Tool at the top, and select: Open Terminal
  • Type testdisk/testdisk_static and press the <ENTER> key.
  • The TestDisk command window opens.
  • Select: [Create], and press <ENTER>
  • TestDisk detects all local hard drives.
  • Use the arrow (up and down) keys to highlight the disk called /dev/sda (if it represents your primary hard drive) and press <ENTER>
    (If you are not sure of what is what, then note everything you see and post it for review.)
  • Select [Intel] and press <ENTER>
  • Select [Analyse], and press <ENTER>
  • Select [Quick Search] and press <ENTER>
  • Press Y.
  • You should now see the partitions listed.
  • If you do not see all your partitions listed, press <ENTER> to go to [Deeper Search], and press <ENTER> once again.
    This begins the search for more partitions. Please be patient while the search completes: It will take some time.
Step 2: Let's look in your <xxxx> (substitute its name) partition ...
  • Use the Up/Down arrow keys to select the <xxxx> partition.
  • Press P to list the contents of the partition.
  • Use the Up/Down arrow keys to select a folder to explore from among the list of files and folders.
  • Press the right-arrow key to open a folder and see the contents listed.
  • Use the left-arrow/right-arrow keys to move up and down respectively through the folder tree. Doing this, you should be able to navigate to the contents of the <xxxx> partition and see all files in all folders.
Step 3: Now, let's retrieve your files from the <xxxx> folder ...
  • At the root of your <xxxx> partition, use the Up/Down arrow keys to select a file or folder to copy.
    Note: If you select a folder, the entire contents will be copied!
  • If there is nothing at the root of the partition that you wish to copy, simply navigate to whatever file or folder you wish to retrieve, and select/highlight it.
  • Press C to copy the data.
  • Now select a location to save it.
  • By default, the flashdrive on which you have TestDisk is selected. You need to navigate to the external HDD where you wish to save your data.
Since navigation can be tricky, try the following ...
  • Press the left-arrow key, to see a list of your hard drives.
    (As an example, the flashdrive with TestDisk is sdc1, and the external HDD is sdd1.)
  • Use the Up/Down arrow keys to select the hard drive on which you wish to save your items.
  • If you wish to use a folder on the hard drive, use the right-arrow key to navigate into that partition.
  • When you are sure that you have the correct destination entered, type Y.
  • If there is a lot of data to copy, it may take some time.
  • When done, the message Copy done! appears.
To go out of TestDisk...
  • Press Q repeatedly until TestDisk closes.
  • Close the Terminal Window.

Edited by Aaflac, 27 November 2013 - 10:25 AM.

Old duck...
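
The three findings in this thread, Kickstart's "Non-NTFS partition or encrypted disk detected", GParted's "unable to detect file system" on a partition that still carries the boot flag, and the TestDisk Quick/Deeper Search that follows, all come down to reading the MBR partition table and then the volume boot record (VBR) at the start of each partition. The Python below is an added example, not code from the thread or from any of the tools it names: it builds a small constructed disk image in memory, shows what a rescue tool sees when the partition entry is intact but the primary NTFS boot sector has been wiped, and then does a TestDisk-style sector scan that recovers the partition bounds from the NTFS backup boot sector. The function names, the 8-sector partition offset and the 48-sector size are assumptions chosen for the demonstration.

```python
import struct

SECTOR = 512

def build_ntfs_vbr(total_sectors):
    """Constructed minimal NTFS volume boot record (sample data, not from a real disk)."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"               # jump instruction
    vbr[3:11] = b"NTFS    "                  # OEM ID that rescue tools look for
    struct.pack_into("<H", vbr, 11, SECTOR)  # bytes per sector
    # NTFS records the volume size minus one: the partition's last sector
    # holds a backup copy of this boot sector instead of volume data.
    struct.pack_into("<Q", vbr, 40, total_sectors)
    vbr[510:512] = b"\x55\xAA"               # boot sector signature
    return bytes(vbr)

def build_image(part_sectors, damaged_vbr):
    """Constructed disk image: MBR at LBA 0 and one NTFS partition starting at LBA 8."""
    start = 8
    img = bytearray(SECTOR * (start + part_sectors))
    img[446] = 0x80                          # first table entry: boot flag (GParted's "boot")
    img[450] = 0x07                          # partition type 0x07: NTFS/HPFS/exFAT
    struct.pack_into("<II", img, 454, start, part_sectors)   # LBA start, sector count
    img[510:512] = b"\x55\xAA"
    vbr = build_ntfs_vbr(part_sectors - 1)
    last = start + part_sectors - 1
    img[last * SECTOR:(last + 1) * SECTOR] = vbr             # backup boot sector
    if not damaged_vbr:
        img[start * SECTOR:(start + 1) * SECTOR] = vbr       # primary boot sector
    return bytes(img)

def parse_mbr(image):
    """Return the populated primary partition entries of the MBR."""
    if image[510:512] != b"\x55\xAA":
        raise ValueError("MBR signature missing")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        start, count = struct.unpack_from("<II", image, off + 8)
        if image[off + 4] and count:
            parts.append({"type": image[off + 4], "lba_start": start,
                          "sectors": count, "bootable": image[off] == 0x80})
    return parts

def identify_vbr(sector):
    """Filesystem a boot sector announces, or None when it carries no recognisable signature."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        return None
    return "NTFS" if sector[3:11] == b"NTFS    " else None

def check_partitions(image):
    """What a rescue tool sees: each table entry plus the filesystem its boot sector claims."""
    parts = parse_mbr(image)
    for p in parts:
        p["filesystem"] = identify_vbr(image[p["lba_start"] * SECTOR:][:SECTOR])
    return parts

def deeper_search(image):
    """TestDisk-style scan: ignore the table and test every sector for an NTFS boot sector.
    Heuristic: a hit at LBA x with total t is the backup copy when x - t >= 1, else the primary."""
    found = set()
    for lba in range(1, len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if identify_vbr(sec) == "NTFS":
            total = struct.unpack_from("<Q", sec, 40)[0]
            start = lba - total if lba - total >= 1 else lba
            found.add((start, total + 1))      # (partition start LBA, partition size in sectors)
    return sorted(found)
```

Calling `check_partitions(build_image(48, True))` reproduces the thread's symptom (a bootable type-0x07 entry whose filesystem is None), while `deeper_search` on the same image still returns the partition as (8, 48) from the surviving backup boot sector, which is the kind of result TestDisk's search reports before any data is copied.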




