So I have a Windows XP machine infected by the FBI ransomware, this one in particular.
This pops up as soon as I log in to any account. I tried creating a new account offline and logging into that account, and it still pops up instantly, so everything I try has to be offline. I know there's something it's missing by being offline, but I can't for the life of me find it.
The first Malwarebytes scan I did found some infected EXEs and registry entries; I removed them. All subsequent Malwarebytes scans are coming up clean.
Safe mode was completely disabled; it would not boot into any of them. I was able to repair that, but the damn thing starts in safe mode too, and again, I can't do anything.
Task Manager and cmd are both terminated instantly. I can't run a tasklist to see what task it's running under, so I can't locate it.
I've been poring through the registry removing entries that don't belong or that aren't critical to Windows to see if anything budges... no luck.
I've checked all the obvious places: Application Data, both Local and Roaming, temp folders, Windows, System32. I did find some stuff in there, but removing it did nothing.
I've tried expanding critical Windows files off the CD (in case files like explorer and a few other apps I know start with Windows could have been infected)... nope.
At this point I've got it loaded into a VM so I can quickly access it on and offline. Part of my thought process was that if I could get it into Unity mode, maybe I could fool the topmost attribute on the FBI virus, but it won't even load the CD; the drive is blank.
I can't RDP into the machine, no remote registry or remote file system...
Basically I have done everything I can possibly think of and some stuff I couldn't, and I didn't get anywhere.
Reloading is always an option, but at this point it's war. I've never been bested by a virus and I'm not about to start now.
Is there anything that I may have skipped or something else I could try? I've also looked at multiple known file lists for names and possible locations, but all the locations I've found have been clean. And yes, I do have hidden and system files shown, unless there's a new way for a virus to hide itself on an offline hard drive.