Infected by an impossible to find FBI Ransomware


#1 tlman12

Posted 12 November 2014 - 11:45 PM

So I have a Windows XP machine infected by the FBI ransomware, this one in particular:

 

[image: Your-computer-has-been-locked-FBI-Virus]

 

This pops up as soon as I log in to any account. I tried creating a new account offline and logging into that account, and it still pops up instantly, so everything I try has to be offline. I know there's something it's missing by being offline, but I can't for the life of me find it.

 

The first Malwarebytes scan I did found some infected EXEs and registry entries; I removed them. All subsequent Malwarebytes scans are coming up clean.

 

Safe mode was completely disabled; it would not boot into any of them. I was able to repair that, but the damn thing starts in safe mode as well, and again, I can't do anything.

 

Task Manager and cmd are both terminated instantly. I can't run a tasklist to see what task it's running under, so I can't locate it.

 

I've been poring through the registry removing entries that don't belong or that aren't critical to Windows to see if anything budges... no luck.

 

I've checked all the obvious places: Application Data (both Local and Roaming), the temp folders, Windows, System32. I did find some stuff in there, but removing it did nothing.

 

I've tried expanding critical Windows files off the CD (in case files like explorer and a few other apps I know start with Windows could have been infected). Nope...

 

At this point I've got it loaded into a VM so I can quickly access it on and offline. Part of my thought process was that if I could get it into Unity mode, maybe I could fool the topmost attribute on the FBI virus, but it won't even load the CD; the drive is blank.

 

I can't RDP into the machine; no remote registry or remote file system...

 

Basically I have done everything I can possibly think of, and some stuff I couldn't, and I didn't get anywhere.

 

Reloading is always an option, but at this point it's war; I've never been bested by a virus and I'm not about to start now.

 

Is there anything that I may have skipped, or something else I could try? I've also looked at multiple known file lists for names and possible locations, but all the locations I've found have been clean. And yes, I do have hidden and system files shown, unless there's a new way for a virus to hide itself on an offline hard drive.




#2 tlman12


Posted 13 November 2014 - 09:19 PM

Found it: it was an infected user32.dll and a user32.ini. ESET found it.

 

Expanded good copies off the CD, and fingers crossed it won't come back till I have some time to run some full scans and make sure there's nothing left.
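One check that would have surfaced what the second post reports (a tampered user32.dll with a companion user32.ini) is to hash every system binary on the offline disk against known-good copies, such as the files expanded from the install CD, and to flag any .ini sitting beside a system DLL. This is an added example, not code from the thread or from BleepingComputer; it builds a constructed reference/suspect pair in a temp directory with placeholder file contents, and the `demo()` layout is an assumption, not the poster's machine.

```python
import hashlib
import tempfile
from pathlib import Path

SYSTEM_EXTENSIONS = (".dll", ".exe", ".sys")


def sha256_of(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_system_dir(suspect_dir, reference_dir):
    """Compare an offline system32 copy against known-good reference files;
    flag modified binaries, binaries with no reference copy, and <name>.ini
    companions sitting beside a <name>.dll/.exe/.sys."""
    suspect, reference = Path(suspect_dir), Path(reference_dir)
    entries = sorted(suspect.iterdir())
    lower = {p.name.lower() for p in entries}
    findings = {"modified": [], "unknown": [], "companions": []}
    for p in entries:
        ext = p.suffix.lower()
        if ext in SYSTEM_EXTENSIONS:
            ref = reference / p.name
            if not ref.is_file():
                findings["unknown"].append(p.name)
            elif sha256_of(p) != sha256_of(ref):
                findings["modified"].append(p.name)
        elif ext == ".ini" and any(p.stem.lower() + e in lower for e in SYSTEM_EXTENSIONS):
            findings["companions"].append(p.name)
    return findings


def demo():
    # Constructed reference/suspect pair that mirrors the thread's finding.
    root = Path(tempfile.mkdtemp())
    ref, sus = root / "ref", root / "system32"
    for d in (ref, sus):
        d.mkdir()
    for n, data in {"user32.dll": b"GOOD-USER32", "kernel32.dll": b"GOOD-K32"}.items():
        (ref / n).write_bytes(data)  # known-good copy, e.g. expanded from the install CD
        (sus / n).write_bytes(data)
    (sus / "user32.dll").write_bytes(b"PATCHED")  # constructed: tampered DLL
    (sus / "user32.ini").write_bytes(b"cfg")  # constructed: companion .ini
    (sus / "dropper.exe").write_bytes(b"x")  # constructed: no reference copy
    return audit_system_dir(sus, ref)
```

Against a real offline disk, point `audit_system_dir` at the mounted system32 directory and at a directory of files expanded from the CD; the `demo()` run reports user32.dll as modified, user32.ini as a companion and dropper.exe as unknown.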





