joepwpb (Premium Member, West Palm Beach, FL)
2013-May-22 8:38 pm
Removing FBI Ransomware
First, I am aware of the Security Cleanup forum, its function and requirements, which I will use if all else fails.
I have had 100% success with removing this malware until today. On most occasions I can get into Safe Mode; if not, I would use a rescue disc from Kaspersky, AVG or Microsoft. In this case I cannot get into Safe Mode, and all three rescue discs failed to detect any malware.
I would like to avoid a format and reinstall of Windows 7 if at all possible so any other suggestions would be appreciated.
Thanks
Joe P
MarkAW (Premium Member, Canada), 2 recommendations
2013-May-22 9:18 pm
rem_root (Anon) to joepwpb
2013-May-22 9:25 pm
Restart into command prompt, CTRL + ALT + DEL to open task manager, file, new task. You can put in the drive letter of your utility flash drive and go from there.
Use Rkill then mbam or combofix
joepwpb (Premium Member, West Palm Beach, FL) to MarkAW, 1 edit
Thanks...I am currently working on creating Emsisoft and Hitman Kick Start rescue procedures. Also I have Windows Defender Offline running another full scan.
Joe P
Edit: The creation process for Hitman Kickstart failed on two different drives with an "Error #6000, copy"
joepwpb (Premium Member), 1 edit
2013-May-22 10:20 pm
**Update** GOT IT!!!
Nothing tricky or special, just a boot to Safe Mode with Command Prompt, then explorer.exe (thanks rem_root), which invoked the desktop, and then I ran RogueKiller from a disc and all is well!!
I am now running ESET Online after a scan with MBAM.
When Googling this issue I discovered several instances where the rescue discs failed to remove this malware and where even Safe Mode with Cmd Prompt was not accessible. That sure makes this difficult. I never got to use Emsisoft and, as previously stated, I was unable to create the Hitman Kickstart. I don't know what I would have done if Safe Mode with Cmd Prompt was inaccessible.
Thanks to all !!
Joe P
siljaline (Premium Member, Montreal, QC)
My computer has been infected with "FBI" malware, what should I do? » kb.eset.com/esetkb/index ··· SOLN3140
joepwpb (Premium Member, West Palm Beach, FL)
2013-May-23 8:27 am
That is a standard procedure IF it is possible to access Safe Mode.
Joe P
rem_root (Anon) to joepwpb
2013-May-23 11:04 am
Re: Removing FBI Ransomware
I've seen several different versions of this malware in the wild evolve in my biz. Because of this, some major tools out there get fooled. I've resorted to creating several .reg files wrapped up in a self-running BAT file, which instantly cripples the malware. If it wasn't for the fact I'm constantly tweaking the code, I would have made this public.
If I had spare daylight time, I'd start a blog with all the new malware I see on a daily basis. The bad guys primarily use copy/paste to code their garbage (re-hash), but a few times I'm impressed how clever they are (above 0-day). Sadly, they are making more money than I, doing wrong.
to joepwpb
If all else fails, take the drive out, put it into a USB external dock and scan it with an AV of your choice on another machine. » www.amazon.ca/s/ref=sr_n ··· 64023011TH
siljaline (Premium Member, Montreal, QC) to joepwpb
Re: **Update**
Yes, I know you have limited access to Safe Mode. It was worth a shot - best of luck getting rid of it. There was a previous thread: » Anyone pay the FBI moneypak virus ransom? What happens?
DasGoat (Charleston, WV) to joepwpb
Re: Removing FBI Ransomware
There's a new variant out there that is located in (Win 7) c:\programdata and the file is displayswitch.exe. There are registry keys to have it start in safe mode as well. Boot into safe mode with command prompt to try and remove it if you can. There are other ways as well.
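As an added example (not code from the thread or any of its posters): a PowerShell inventory of the autostart and Safe Boot registry locations a screen locker like the one DasGoat describes would need in order to come back after a reboot, including a reboot into Safe Mode. The C:\ProgramData location and the displayswitch.exe file name are the ones given in the post; the registry paths are standard Windows locations, and which of them this particular variant used is an assumption. The script only reports, so the operator decides what to remove with the tools discussed in the thread.

```powershell
# Added example, not code from the thread: list the Windows autostart and
# Safe Boot registry entries that point into ProgramData or name displayswitch.exe.
# The ProgramData location and file name come from DasGoat's post; the registry
# paths below are standard Windows locations, and which ones this variant used is
# an assumption. The script changes nothing.
# Run from an elevated PowerShell, e.g. from Safe Mode with Command Prompt:
#   powershell -ExecutionPolicy Bypass -File .\Find-LockerAutostarts.ps1

$suspectDir  = Join-Path $env:SystemDrive 'ProgramData'   # C:\ProgramData on a default install
$suspectName = 'displayswitch.exe'                          # file name reported in the thread

# Plain Run/RunOnce keys, per-machine and per-user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Winlogon Shell/Userinit: replacing the shell is how a locker owns the session,
# which is also why starting explorer.exe by hand (as in the thread) brings the desktop back.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Safe Boot: AlternateShell is what "Safe Mode with Command Prompt" launches;
# subkeys under Minimal\ and Network\ are what Windows allows to start in Safe Mode.
$safeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

$findings = @()

function Test-Suspect([string]$value) {
    if (-not $value) { return $false }
    return ($value -like "*$suspectDir*") -or ($value -like "*$suspectName*")
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip PowerShell's own PSPath/PSParentPath metadata
        if (Test-Suspect $p.Value) {
            $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}

foreach ($key in $winlogonKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'Shell', 'Userinit') {
        $v = $props.$name
        if (-not $v) { continue }    # HKCU normally carries no Shell/Userinit value at all
        # Anything but the defaults (explorer.exe / userinit.exe) deserves a look,
        # whether or not it points into ProgramData.
        $isDefault = $v -match '^(explorer\.exe|[A-Z]:\\Windows\\system32\\userinit\.exe,?)$'
        if ((-not $isDefault) -or (Test-Suspect $v)) {
            $findings += [pscustomobject]@{ Location = $key; Name = $name; Value = $v }
        }
    }
}

if (Test-Path $safeBootKey) {
    $alt = (Get-ItemProperty -Path $safeBootKey).AlternateShell
    if ($alt -and ($alt -ne 'cmd.exe')) {
        $findings += [pscustomobject]@{ Location = $safeBootKey; Name = 'AlternateShell'; Value = $alt }
    }
    foreach ($mode in 'Minimal', 'Network') {
        $modeKey = Join-Path $safeBootKey $mode
        foreach ($sub in (Get-ChildItem -Path $modeKey -ErrorAction SilentlyContinue)) {
            $default = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            # Legitimate entries are class GUIDs or service names whose default value is
            # "Driver" or "Service"; a file name or a ProgramData path here is not normal.
            if ((Test-Suspect $sub.PSChildName) -or (Test-Suspect $default)) {
                $findings += [pscustomobject]@{ Location = $modeKey; Name = $sub.PSChildName; Value = $default }
            }
        }
    }
}

# The dropped file itself, if it is still where the post says this variant lives.
$candidate = Join-Path $suspectDir $suspectName
if (Test-Path $candidate) {
    $fi = Get-Item $candidate
    $findings += [pscustomobject]@{ Location = 'filesystem'; Name = $fi.FullName; Value = "$($fi.Length) bytes, modified $($fi.LastWriteTime)" }
}

if ($findings.Count -eq 0) {
    Write-Output "No autostart entry or file matching $suspectDir / $suspectName found."
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The Winlogon check is deliberately stricter than the other two: a Shell value that is anything other than explorer.exe is reported even when it does not mention ProgramData, because that value is the single place where a locker can replace the desktop for every logon. The Safe Boot checks explain the "start in safe mode" behaviour the post mentions: an AlternateShell other than cmd.exe or an extra subkey under Minimal\ is what lets the malware run even in the boot modes the thread relied on for cleanup.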
joepwpb (Premium Member, West Palm Beach, FL) to siljaline
Re: **Update**
Thanks...see my third post above...I got it removed.
Joe P
siljaline (Premium Member, Montreal, QC)
Good to know.