
"FBI virus" no access to command prompt


26 replies to this topic

#1 Lydiot


Posted 07 December 2013 - 06:41 PM

[EDIT: It's the "Homeland Security" thing, not "FBI" I think]

 

I contracted the FBI ransom scam virus on my machine. The one where the user is locked out and can't do anything and where the malware asks for $300.

 

- Safe modes result in reboot to OS and subsequent malware lockout.

- Can't get to prompt.

- Can't seem to either remember (I know...) the password or get it accepted when choosing options after "F8"

 

Any advice would be greatly appreciated.

 

- Windows 7 x64

 

 

/mattias


Edited by Lydiot, 07 December 2013 - 10:09 PM.




#2 Aaflac

  • Malware Response Team

Posted 08 December 2013 - 12:33 AM

Can you access Task Manager?

 

Here are some options:

 

Option 1:

Right-click the taskbar at the bottom of the screen.

At the context menu select: Start Task Manager

 

Option 2:

Press the Windows key and the R key at the same time.

At the Run dialog box Open area, type: taskmgr

Click: OK

 

Option 3:

Click the Start button and, in the Search box above it, type: taskm

At the top of the Results, click: View running processes with Task Manager

 

Option 4:

Click the Start button and, in the Search box above it, type: msconfig

In the configuration utility, select the Tools tab.

Scroll down to the Task Manager utility.

Click: Launch

 

Option 5:

Press these three keys at the same time:

Ctrl + Shift + Esc

 

Option 6:

Press these three keys Ctrl + Alt + Del to bring up the Windows Security screen.

Select: Task Manager

 

Please post back on whether any of the above work, or not.

 

Also, do you have a USB pen drive, and a clean computer available?

 


Edited by Aaflac, 08 December 2013 - 12:34 AM.

Old duck...


#3 Lydiot


Posted 08 December 2013 - 02:09 PM

I have no way of getting the task manager to stay on top. Every way of bringing it up leaves it up front for less than 1 second, then the virus takes over the screen again. So it's open, but not "accessible".

 

Yes, I have one computer with Win 8 installed and I do have access to both an additional SSD and a USB thumb drive. I'm trying to find my Win7 installation disk now in case I need to boot from it.

 

Question:

If I install another copy of Windows on a clean drive (or move the current system drive to a portable case and attach to my Win 8 laptop), will trying to clean the infected OS drive risk infecting the new clean installation?

 

Finally: Thanks for your time and help!


Edited by Lydiot, 08 December 2013 - 02:09 PM.


#4 Aaflac

  • Malware Response Team

Posted 08 December 2013 - 07:22 PM

At this point there is no need to scan the infected hard drive on another computer. There are other options, such as the following:

 

Let's use HitmanPro.Kickstart to access your computer, scan it for malware, and remove this infection. The program targets this ransomware.
 
Also, you may want to print these instructions, so they are available to follow.
 
Now, load a USB flash drive with HitmanPro.Kickstart as follows...
Note: the contents of the USB flash drive are erased during this process!
 
Use a clean (non-infected) computer, and download:
HitmanPro.Kickstart - Anti ransomware, politievirus, bundestrojaner, Reveton, BKA, GVU - SurfRight
 
Under Download (on the right) select the program applicable to the system: 64-bit, or 32-bit?
 
When HitmanPro opens, click the KickStart icon at the bottom of the screen.
 
>>Plug in the USB flash drive.
 
When the USB flash drive is detected, a selection screen is presented.
Select the USB flash drive from the choices, and press: Install Kickstart
A warning that all contents of the selected flash drive will be erased is presented.
Press: Yes
 
As the HitmanPro.Kickstart files are loaded, a progress indicator is shown on the screen.
Once the process is completed a screen is presented with the contents of HitmanPro.Kickstart
 
Remove the USB flash drive from the clean computer and press: Close
 
 
 
Now, with the ransomed computer shut down, plug the USB flash drive into a USB port, and turn on the power.
 
When the computer starts, press the key that brings up the Boot Menu. (On some machines it's F12, F10, or F2)
 
From there, select to boot from the USB drive. (It may say 'Removable Drive' in the options.)
Info: How to Remove Ransomware - Select Real Security
 
Once you select the USB flash drive to boot from, press: Enter
 
A Kickstart prompt with USB boot options appears.
Select: 1 (Bypass the Master Boot Record (Default))
 
The system continues to boot from the hard drive and starts Windows.
 
If you get a message stating that Windows failed to start, etc., just select: Start Windows Normally
 
When Windows boots, you either get a logon screen, or the Desktop is started.
If you see a logon screen with your User name, logon with it.
 
In the next prompt that appears, to start the program without installing to the local hard disk, select the option to do a: One-time scan to check the computer.
 
To start scanning for malware press: Next
 
If malware is detected, the program shows what malware is present on the system using a red framed screen as shown below:
[image: HitmanPro scan results screen (hitmanpro-scan-results.jpg)]
Select Next to quarantine the malware into a secure storage where it can no longer start.
 
 
At the next screen, activate the 30-day free license:
[image: HitmanPro activation screen (hitmanpro-activation.jpg)]
After successful activation (30 days), press: Next
 
 
A screen indicating that the malware was successfully disabled or removed is presented.
Press: Next
 
To obtain a report of the scan results, press: Save log
>>Save the Notepad log to the Desktop<<
It has a name such as: HitmanPro_xxxxxxxx_xxxx




#5 Lydiot


Posted 08 December 2013 - 07:59 PM

I went through all of the steps but made one mistake.

 

The boot from USB went fine and selecting 1 indeed did load Hitman but on top of the virus software (normal?). Before saving the log I mistakenly hit next instead and I then rebooted. It had at this point only quarantined 1 item, but there was another file with the same basic name not quarantined. I went through the scan again with one quarantined item again and this time I selected to quarantine the other with a similar name. I was however not allowed to save to desktop and got an error saying "path does not exist". I put the file on another drive.

 

How do I get the file to you?


Edited by Lydiot, 08 December 2013 - 08:00 PM.


#6 Aaflac

  • Malware Response Team

Posted 08 December 2013 - 08:10 PM

If you can, attach the file to your next post.

 

If the file is too large, upload it to SendSpace and send me the link:

Free large file hosting. Send big files the easy way!
http://www.sendspace.com/   

 

The big question is, are you able to get into Windows with the infected computer?

 

The next program we are going to use will work from normal Windows, or from the Recovery Environment.  So, if you cannot get into Windows yet, we still have another option.    




#7 Lydiot


Posted 08 December 2013 - 08:16 PM

Ah.... sigh of relief. This is from the infected computer I'm typing.

 

Log attached.




#8 Aaflac

  • Malware Response Team

Posted 08 December 2013 - 09:08 PM

Good job, Lydiot!!!

 

Let's press on with the following:

 

Please download the Farbar Recovery Scan Tool:

Link: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Select the version that applies to your system.

Save it to your Desktop.
 

Double-click the downloaded file to run it.

When the tool opens click Yes to the disclaimer.

 

Press the Scan button.

 

The tool makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).

>>  Please provide the FRST.txt in your reply.

 

The first time the tool is run, it also makes another log: Addition.txt

>>  Also post the Addition.txt in your re




#9 Lydiot


Posted 08 December 2013 - 09:29 PM

You got it!

 

Attached...




#10 Aaflac

  • Malware Response Team

Posted 08 December 2013 - 10:21 PM

Thanks for the reports.

 

Will take a look at them sometime tomorrow.

 

In the meantime, now that you got into Windows, please use the following programs to detect any leftovers that HitmanPro.KickStart may have missed. Programs have differences in the malicious files detected, so using more than one provides a greater comfort level that the malware is gone.

 

Please run Malwarebytes Anti-Malware:

Download: http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

Save to the Desktop

Double-click the downloaded MBAM file to run it.

 

When the installation begins, follow the prompts in the setup process.

DO NOT make any changes to default settings and when the program has finished installing, make sure only the following options are checked:

>Update Malwarebytes’ Anti-Malware

>Launch Malwarebytes’ Anti-Malware

Uncheck:

>Enable free trial of Malwarebytes Anti-Malware PRO

Click on the Finish button.

 

If an update is found, the program automatically updates itself.

At the program console, on the Scanner tab, select: Perform Full Scan

 

When the Select the Drives to scan prompt appears, make sure all drives (except: CD-Rom/DVD) are selected.

Next, click on the Scan button.

 

When the Malwarebytes scan is completed, click on: Show Results

When presented with a screen showing the malware detected, make sure everything is Checked, and click on: Remove Selected

When removal is completed, a report opens in Notepad.

 

>> Please copy/paste the entire contents of the MBAM report in your reply.

 

Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.

 

 

Also, please run the ESET Online Scanner

It is implemented as an ActiveX control, so it is best run on Internet Explorer.

Right click the IE shortcut and select: Run as Administrator

 

Next, download: http://www.eset.com/us/online-scanner/

On the ESET website, click on: Run ESET Online Scanner

Click: Start

When asked, allow the add-on to be installed

Click: Start, again

 

On the next prompt, Computer Scan Settings, check: Remove found threats

Next, click on: Advanced Settings

Make sure the following options are checked:

>Scan for potentially unwanted applications

>Scan for potentially unsafe applications

>Enable Anti-Stealth Technology

 

By Current Scan Targets, Operating memory, Local drives, press: Change

In selection of scan targets, Local drives, select the drives in question.

Click: OK

Click: Start

Follow the prompts.

 

When the scan completes, if threats are found, in the Scan Results prompt, click on: List of threats found

Click on: Export to text file

Save to the Desktop and name it:  ESET Scan Results

Click on: Back

Place a check on: Uninstall application on close

Click on: Finish, and close the program.

 

>> If anything is found, please provide the ESET report in your reply to determine what further action is necessary.

 

 

 




#11 Aaflac

  • Malware Response Team

Posted 08 December 2013 - 10:36 PM

If you are not familiar with this file:

C:\ProgramData\4rzjo8z4.reg

Please submit the file for analysis to VirusTotal:
http://www.virustotal.com/

Use the 'Choose File' button to navigate to the location of the file.


In the Choose file to upload prompt, select the file, then, click the 'Open' button.
The file is now displayed in the blank box of VirusTotal
Click: Scan It, and wait for the results.

If you get a message saying: 'File has already been analyzed', click: Reanalyze file now

Once scanned, please provide the link to the results page in your reply.



#12 Lydiot


Posted 09 December 2013 - 08:44 AM

Here are the results of Malwarebytes. I will complement with the other this afternoon around 4pm EST:

 

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.08.04

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Engineer :: WIN7 [administrator]

12/8/2013 10:43:42 PM
mbam-log-2013-12-08 (22-43-42).txt

Scan type: Full scan (C:\|D:\|F:\|G:\|H:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 1402627
Time elapsed: 2 hour(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Engineer\AppData\Local\Temp\0427.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Engineer\AppData\Local\Temp\4z8ojzr4.jss (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Engineer\Downloads\FreeFileViewer2012Setup.exe (PUP.Optional.InstallIQ.A) -> Quarantined and deleted successfully.

(end)
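The MBAM report quoted above has a regular line structure (header fields, "<section> Detected: <n>" counts, and one "<target> (<name>) -> <action>" line per item), which makes it easy to turn into data for triage. The following is an added example, not code from the thread, from BleepingComputer or from Malwarebytes; the report format is inferred from the log as quoted, and the sample report embedded in the block is constructed from those quoted lines. It parses the header and the per-section items, splits detections into trojan families versus PUP/PUM entries, flags items that ran from the user's Temp folder (where both Trojan.FakeMS components above lived), and cross-checks each section's declared count against the number of lines actually listed, so a truncated or hand-edited paste shows up as a mismatch.

```python
"""Parse a Malwarebytes Anti-Malware 1.x text report into structured data.

Added example: not code from the thread or from Malwarebytes. The format is
inferred from the log quoted in the thread; SAMPLE_REPORT is constructed
from those quoted lines.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the format quoted in post #12 (paths and detection
# names are the thread's own; "Memory Processes" shows an empty section).
SAMPLE_REPORT = r"""Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.08.04

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Engineer :: WIN7 [administrator]

12/8/2013 10:43:42 PM
mbam-log-2013-12-08 (22-43-42).txt

Scan type: Full scan (C:\|D:\|F:\|G:\|H:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 1402627
Time elapsed: 2 hour(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Engineer\AppData\Local\Temp\0427.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Engineer\AppData\Local\Temp\4z8ojzr4.jss (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Engineer\Downloads\FreeFileViewer2012Setup.exe (PUP.Optional.InstallIQ.A) -> Quarantined and deleted successfully.

(end)
"""

# "Files Detected: 3", "Registry Keys Detected: 0", ...
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "<target> (<detection name>) -> <action taken>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# Header fields worth keeping, mapped to Report attributes.
HEADER_KEYS = {"Database version": "database_version", "Scan type": "scan_type"}


@dataclass
class Detection:
    section: str
    target: str
    name: str
    action: str

    def is_pup(self) -> bool:
        """PUP./PUM. families are unwanted programs, not the lock-screen trojan."""
        return self.name.startswith(("PUP.", "PUM."))

    def in_user_temp(self) -> bool:
        """Both lock-screen components in the thread ran from the user's Temp folder."""
        return "\\appdata\\local\\temp\\" in self.target.lower()


@dataclass
class Report:
    version: str = ""
    database_version: str = ""
    scan_type: str = ""
    objects_scanned: int = 0
    counts: dict = field(default_factory=dict)       # section -> declared count
    detections: list = field(default_factory=list)   # Detection objects in order

    def count_mismatches(self) -> dict:
        """Sections whose declared count differs from the items actually listed."""
        seen = {}
        for d in self.detections:
            seen[d.section] = seen.get(d.section, 0) + 1
        return {s: (n, seen.get(s, 0)) for s, n in self.counts.items()
                if seen.get(s, 0) != n}


def parse_report(text: str) -> Report:
    """Walk the report line by line, tracking which section items belong to."""
    report = Report()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes Anti-Malware "):
            report.version = line.split(" ", 2)[2]
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            report.counts[section] = int(m.group("count"))
            continue
        if line.startswith("Objects scanned: "):
            report.objects_scanned = int(line.split(": ", 1)[1])
            continue
        for key, attr in HEADER_KEYS.items():
            if line.startswith(key + ": "):
                setattr(report, attr, line[len(key) + 2:])
                break
        else:
            m = ITEM_RE.match(line)
            if m and section is not None:
                report.detections.append(Detection(section, m.group("target"),
                                                   m.group("name"), m.group("action")))
    return report


def triage(report: Report) -> dict:
    """Split targets into the groups a responder reads first."""
    return {
        "trojans": [d.target for d in report.detections if not d.is_pup()],
        "pups": [d.target for d in report.detections if d.is_pup()],
        "from_temp": [d.target for d in report.detections if d.in_user_temp()],
    }


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    for kind, targets in triage(rep).items():
        print(f"{kind}: {targets}")
    print("count mismatches:", rep.count_mismatches() or "none")
```

Running it on the sample lists the two Trojan.FakeMS files under both "trojans" and "from_temp" and the installer under "pups", with no count mismatches; pasting a report that was cut short before the last item would instead report the section whose declared count exceeds the lines found.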
 



#13 Lydiot


Posted 09 December 2013 - 01:50 PM

ESET report:

 

C:\Users\Engineer\Downloads\WinZip165Multi-language.exe    a variant of Win32/OpenInstall application    cleaned by deleting - quarantined
 


Edited by Lydiot, 09 December 2013 - 01:55 PM.


#14 Aaflac

  • Malware Response Team

Posted 09 December 2013 - 10:08 PM

Please take a look at post #11!

 

 

Also, please download RogueKiller:

http://tigzy.geekstogo.com/roguekiller.php

Select the version that applies to the system.

Save to the Desktop.

 

After closing all windows and browsers, right-click the downloaded RogueKiller file and select: Run as Administrator

At the program console, wait for the Prescan to finish. (Under Status, it says: Prescan finished.)

Press: SCAN

When done, a report opens on the Desktop: RKreport.txt

 

>> Please provide the RKreport.txt (Mode: Scan) in your reply.

 




#15 Lydiot


Posted 09 December 2013 - 10:19 PM

https://www.virustotal.com/en/file/c45dbc5cbc2166dd98bfb5ab95ed7367c0f9710459e616ad3e3c05326ad2d79a/analysis/1386645439/





