Help! I'm stuck with FBI Ransomware Virus!

Alright, so I'm stuck with this stupid FBI Moneypak virus, and for the life of me, I cannot get rid of it.

I'm very computer literate, and have tried flushing out the registry and running tasklist from a command prompt (it wouldn't let me open cmd.exe from the Run menu, so I created a .bat file and was able to run it as administrator). Each time I type in tasklist, I get "The remote procedure call failed."

I am stuck. I usually can take care of any virus, but this one has me baffled. It has wiped my recovery options, and will not allow me to access a lot of things.

Help would be very appreciated,

Chris.

PS Attach.txt is the only one dos.com would generate.

attach.txt


See if you can do this:

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt file. Close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

MrC


See if you can run this..............

Please create a new system restore point before running Malwarebytes Anti-Rootkit.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


MrC


Do this instead.

Download, unzip and run the attached TDSSKiller.

Do update it when asked!!!

Run it like this:

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large; in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.


New window that comes up.


MrC (be back in the am)


All of those drivers that you deleted were good:

19:36:50.0121 2232 androidusb ( UnsignedFile.Multi.Generic ) - User select action: Delete

It clearly states in my instructions to choose "Skip" for "UnsignedFile.Multi.Generic"

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

How's the computer running with those drivers deleted?? MrC

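MrC's point above is that the log shows Delete chosen where the instructions said Skip. The following is an added example (not code from the thread or from Kaspersky's TDSSKiller) that audits a TDSSKiller log for exactly that mistake: it parses the "User select action" lines in the format quoted in the post and reports every skip-only verdict that received a different action. The sample log lines are constructed here (only the androidusb line comes from the thread), and the set of skip-only verdicts is taken from the instructions earlier in the thread.

```python
import re

# Constructed sample of TDSSKiller log lines in the "time pid name ( verdict ) -
# User select action: X" format quoted in the thread. The first line is the
# entry MrC objected to; the other two are made-up entries for contrast.
SAMPLE_TDSSKILLER_LOG = """\
19:36:50.0121 2232 androidusb ( UnsignedFile.Multi.Generic ) - User select action: Delete
19:36:50.0243 2232 examplefilter ( LockedFile.Multi.Generic ) - User select action: Skip
19:36:51.0010 2232 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - User select action: Skip
"""

# Verdicts for which the instructions in this thread say to choose Skip.
# These are heuristic "unsigned" / "locked" flags, not malware detections,
# and deleting a legitimate unsigned vendor driver can break hardware or boot.
SKIP_ONLY_VERDICTS = {
    "UnsignedFile.Multi.Generic",
    "LockedFile.Multi.Generic",
    "TDSS File System",
}

ACTION_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"\(\s*(?P<verdict>.+?)\s*\)\s+-\s+User select action:\s+(?P<action>\w+)\s*$"
)


def parse_actions(log_text):
    """Yield (name, verdict, action) for every 'User select action' line."""
    for line in log_text.splitlines():
        m = ACTION_RE.match(line.strip())
        if m:
            yield m.group("name"), m.group("verdict"), m.group("action")


def find_instruction_violations(log_text):
    """Return entries where a skip-only verdict got anything other than Skip."""
    return [
        (name, verdict, action)
        for name, verdict, action in parse_actions(log_text)
        if verdict in SKIP_ONLY_VERDICTS and action != "Skip"
    ]


if __name__ == "__main__":
    for name, verdict, action in find_instruction_violations(SAMPLE_TDSSKILLER_LOG):
        print(f"WARNING: {name} ({verdict}) got action {action}; instructions said Skip")
```

To use it on a real run, read the TDSSKiller log file from the root of the system drive into `log_text` and call `find_instruction_violations` on it before posting the log; an empty list means every flagged-but-not-cured object was skipped as instructed.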

I had another relative at the computer, and he deleted the files. It's still infected. I am able to log into a profile, but am greeted with the FBI fake warning page. I can log out, and log back in, and the task bar is accessible, so I can click on the script that is running. Thing is, I can't start any program from shortcuts or anything, but I can from the start menu. I'm still at a loss as to what to do.


Take a look for these drivers and folder:

2012-10-31 14:07 - 2012-10-31 14:07 - 00054016 ___AC C:\Windows\System32\Drivers\ovudtxff.sys

2012-10-31 14:07 - 2012-10-31 14:07 - 00001336 ___AC C:\Windows\System32\mlvhlxt <---folder

2012-11-16 18:02 - 2012-11-16 18:02 - 00054016 ___AC C:\Windows\System32\Drivers\nehw.sys

C:\Users\Yes\Desktop\yes.bat <---what is this from?

MrC

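The two driver entries MrC singled out share a tell: randomly named .sys files under System32\Drivers, created at the same moment they were last modified, with byte-for-byte identical sizes (00054016), which is what you see when one dropper writes the same payload under different names. The following is an added example (not code from the thread or from Farbar's FRST) that parses lines in the "created - modified - size attrs path" format shown in the post and flags drivers whose size matches another driver in the same listing. The sample lines are constructed here: the first three mirror the entries in the post, the fourth is a made-up benign entry for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the FRST line format quoted in the thread
# ("created - modified - size attrs path"). Entries 1-3 mirror MrC's post;
# entry 4 is a made-up benign driver used only for contrast.
SAMPLE_LINES = """\
2012-10-31 14:07 - 2012-10-31 14:07 - 00054016 ___AC C:\\Windows\\System32\\Drivers\\ovudtxff.sys
2012-10-31 14:07 - 2012-10-31 14:07 - 00001336 ___AC C:\\Windows\\System32\\mlvhlxt
2012-11-16 18:02 - 2012-11-16 18:02 - 00054016 ___AC C:\\Windows\\System32\\Drivers\\nehw.sys
2012-09-02 09:15 - 2012-09-02 09:15 - 00287744 ____A C:\\Windows\\System32\\Drivers\\example_vendor.sys
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S+) (?P<path>.+)$"
)


def parse_frst_lines(text):
    """Parse FRST-style file listing lines into dicts; skip non-matching lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "created": datetime.strptime(d["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(d["modified"], "%Y-%m-%d %H:%M"),
            "size": int(d["size"]),
            "attrs": d["attrs"],
            "path": d["path"],
        })
    return entries


def flag_suspicious_drivers(entries):
    """Return paths of .sys files under a Drivers folder whose size equals
    that of another driver in the listing. Identical sizes across unrelated
    random names are a strong hint that one dropper wrote both files."""
    drivers = [
        e for e in entries
        if "\\drivers\\" in e["path"].lower() and e["path"].lower().endswith(".sys")
    ]
    by_size = defaultdict(list)
    for e in drivers:
        by_size[e["size"]].append(e["path"])
    return sorted(p for paths in by_size.values() if len(paths) > 1 for p in paths)


if __name__ == "__main__":
    for path in flag_suspicious_drivers(parse_frst_lines(SAMPLE_LINES)):
        print("check this driver:", path)
```

The size-match rule is deliberately narrow so it does not fire on ordinary Windows drivers; it is a triage aid for reading an FRST.txt, not a verdict, and anything it flags should still be confirmed by file signature and the other FRST sections before removal.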

There's a post of mine above this one also.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

See if you can also run ComboFix:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


This topic is now closed to further replies.