Solved

FBI Virus keeps getting worse

Posted on 2013-06-12
Last Modified: 2013-11-22
I have a customer's computer that I have been working on for a couple of days.  When I first turned the computer on, he had a fake alert virus that was claiming that all of his EXE files were infected - so they would not run.  Not a problem, I ran The Killer to kill all the non-windows processes then ran Malwarebytes and Superantispyware.  Malwarebytes picked up some trojans and some other malware, and Superantispyware showed a lot of tracking cookies.  I rebooted and was thinking about what else I wanted to do to assure myself that the machine was clean.  It was late; I quit for the night and left the computer running.  In the AM I went to the machine to run the Eset Online scanner and found that the computer now had the FBI virus.  As far as I can tell, it was there but masked by the fake alert.  I did no browsing or anything else on that computer, and no other computer in the shop had the infection (except another one that I was working on).

The computer in question is running XP Pro SP3.  I have tried Microsoft Defender Offline and AVG Rescue CD.  I rewrote the MBR and the bootsector using a Windows installation disk.

I can't boot from Hitman Pro Kickstart from the USB or from a CD. The error message is "NTDetect failed".  I did manage to start Windows using Hitman's option 3 (Legacy), which just boots from the hard drive.  Hitman ran and found and fixed some problems, but the FBI virus was still there.

I am able to boot to a Hiren CD, but the options are fairly limited once the Mini XP OS is running.

What can I do now to eliminate this virus?
Question by:rhavey
13 Comments
 
LVL 98

Expert Comment

by:John Hurst
ID: 39241420
Given the difficulties you have (not surprising), you need to boot from some CD (any that will work) and delete all partitions on the hard drive (not just fix the MBR). Use Killdisk or something like it. FDISK if you have it will work.

Once all the partitions are gone, you should be able to create a new partition, format and install Windows XP.

.... Thinkpads_User
0
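To make concrete what "fix the MBR" versus "delete all partitions" touches, here is an added example (not code from the thread or from any tool named in it). It parses a 512-byte MBR image, such as the one `dd if=/dev/sda of=mbr.bin bs=512 count=1` dumps from a Linux live CD, hashes the 440 bytes of boot code (the part the XP Recovery Console's fixmbr rewrites) and sanity-checks the partition table (the part fixmbr leaves alone). The boot-code bytes, disk signature, partition layout and "known-good" hash set are constructed placeholders; in practice the reference hash would come from an MBR captured on a clean machine with the same loader.

```python
"""Parse and sanity-check a 512-byte MBR image.
Added example; not code from the thread or from any tool named in it."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: boot code (what fixmbr rewrites)
DISK_SIG_OFF = 440             # bytes 440..443: NT disk signature; 444..445 padding
PART_TABLE_OFF = 446           # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def build_mbr(boot_code, disk_sig, partitions):
    """Assemble a constructed MBR. partitions: list of (bootable, type, lba_start, sectors)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    img = bytearray(MBR_SIZE)
    img[:len(boot_code)] = boot_code
    img[DISK_SIG_OFF:DISK_SIG_OFF + 4] = struct.pack("<I", disk_sig)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # CHS fields are left zero; the LBA fields are what matters here
        img[off:off + PART_ENTRY_LEN] = struct.pack(
            "<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
            lba_start, sectors)
    img[510:512] = BOOT_SIGNATURE
    return bytes(img)


def parse_mbr(mbr):
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_LEN])
        if ptype == 0:          # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
    }


def check_mbr(mbr, known_good_hashes, disk_sectors):
    """Return a list of findings; an empty list means nothing looked wrong."""
    try:
        info = parse_mbr(mbr)
    except ValueError as err:
        return [str(err)]
    findings = []
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("boot code does not match any known-good image")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in info["partitions"])
    for (_s1, e1, i1), (s2, _e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    for _start, end, idx in spans:
        if end > disk_sectors:
            findings.append(f"partition {idx} runs past the end of the disk")
    return findings


# Constructed sample data: a stand-in boot-code prologue, not real Windows code.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8b\xf4" + b"\x90" * 430
DISK_SECTORS = 20971520            # a 10 GB disk (constructed)
LAYOUT = [(True, 0x07, 63, DISK_SECTORS - 63)]   # one active NTFS partition
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, 0x1A2B3C4D, LAYOUT)
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\0")).hexdigest()}

# The same disk with the first two boot-code bytes patched to a short jump (constructed).
TAMPERED_MBR = bytearray(CLEAN_MBR)
TAMPERED_MBR[0:2] = b"\xeb\x3c"
TAMPERED_MBR = bytes(TAMPERED_MBR)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(img, KNOWN_GOOD, DISK_SECTORS) or "OK")
```

Two practical notes: capture the image before running any fix so there is something to compare the rewritten sector against afterwards, and hash only the boot code, because the disk signature and partition table legitimately differ from one machine to the next.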
 
LVL 1

Author Comment

by:rhavey
ID: 39241438
I know that.  That's what I am trying not to do.
0
 
LVL 7

Assisted Solution

by:dec0mpile
dec0mpile earned 800 total points
ID: 39241439
Try this:

Start Windows using Hitman's option 3 as you did before and then execute:
Roguekiller http://tigzy.geekstogo.com/roguekiller.php

After Roguekiller runs delete and fix all files that it detects (including MBR if this is affected).

Immediately after Roguekiller run ComboFix
http://www.bleepingcomputer.com/download/combofix/

NOTE: You may need to rename the files and/or use right click "Run As" command and run them from a different account to get them to start.
0
 
LVL 24

Expert Comment

by:aadih
ID: 39241453
Is there any possibility of restoring the computer to a time 1-2 weeks ago?
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 39241463
What you have is a rootkit virus, and for the most part, re-installing the operating system is the only practical long term fix. The suggestions above might work, but as likely as not, a firm and permanent fix requires the steps I outlined.

... Thinkpads_User
0
 
LVL 7

Expert Comment

by:dec0mpile
ID: 39241464
@aadih I've never seen a virus that wasn't able to survive Windows Restore. That's one of the first areas that gets infected after the virus executes on a machine.
0
 
LVL 24

Expert Comment

by:aadih
ID: 39241485
I have seen otherwise (too many times).
 
Is there any harm trying when the problem is already so severe?
0
 
LVL 30

Accepted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 1200 total points
ID: 39241526
Have you checked out these instructions?

http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware

Also check out my article on rootkits and reviews of free antirootkit software:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html
0
 
LVL 70

Expert Comment

by:garycase
ID: 39242306
Hopefully you've already done this, but the FIRST thing I'd do with that much infection is to boot to a "live" CD (Knoppix, Bart's PE, etc.) and copy ALL of the user's data to an external drive [documents, pictures, music, favorites, the e-mail store for whatever client he's using, address book, etc.]

So if you DO have to wipe and reload, you won't lose any of the user's data.

You'll want to run a good antivirus/antimalware scan on that data ... but my experience with this infection is that it doesn't hit user data, just the OS.
0
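The copy-everything-first step above, as an added example (not code from the post or from any tool the thread names): a script to run from the live CD against the Windows volume mounted read-only. It copies the profile folders listed in DATA_DIRS (an assumed list for an XP profile; extend it for the mail client the user actually runs) and leaves behind any file whose bytes say it is a PE executable, whatever its extension, recording a SHA-256 so the file can be identified later. The profile layout and sample files built by `make_demo_profile` are constructed for the demonstration.

```python
"""Copy a user's data out of a mounted Windows profile, leaving executables behind.
Added example; not code from the thread or from any tool it names."""
import hashlib
import os
import shutil
import tempfile

# Folders under an XP profile (C:\Documents and Settings\<user>) worth preserving.
# Assumed list; extend it for the mail client the user actually runs.
DATA_DIRS = [
    "My Documents",
    "Desktop",
    "Favorites",
    os.path.join("Local Settings", "Application Data", "Microsoft", "Outlook"),
    os.path.join("Application Data", "Microsoft", "Address Book"),
]


def is_pe_file(path):
    """True if the file is a PE executable: 'MZ' header and 'PE\\0\\0' at e_lfanew.
    The check reads the bytes, so a renamed report.doc that is really an .exe is caught."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_copy(profile_root, dest_root):
    """Copy DATA_DIRS from profile_root into dest_root.
    Returns (copied, skipped): copied is a list of relative paths; skipped is a list of
    (relative path, sha256) for PE files left behind so they can be looked up later."""
    copied, skipped = [], []
    for sub in DATA_DIRS:
        src = os.path.join(profile_root, sub)
        if not os.path.isdir(src):
            continue
        for dirpath, _dirs, files in os.walk(src):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, profile_root).replace(os.sep, "/")
                if is_pe_file(full):
                    skipped.append((rel, sha256_file(full)))
                    continue
                target = os.path.join(dest_root, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(full, target)   # keeps timestamps, useful for later review
                copied.append(rel)
    return copied, skipped


# A minimal PE stub: MZ header, e_lfanew -> 0x40, then the PE signature (constructed).
PE_STUB = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 16


def make_demo_profile(root):
    """Populate a constructed profile with real data files and two disguised executables."""
    files = {
        os.path.join("My Documents", "letter.txt"): b"Dear Sir,\n",
        os.path.join("My Documents", "report.doc"): PE_STUB,           # PE file with a .doc name
        os.path.join("Desktop", "holiday.jpg.exe"): PE_STUB,           # classic double extension
        os.path.join("Favorites", "bank.url"): b"[InternetShortcut]\nURL=https://example.com/\n",
        os.path.join("Local Settings", "Temp", "setup.exe"): PE_STUB,  # outside DATA_DIRS, ignored
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the constructed profile in a temp dir, triage-copy it, return (copied, skipped)."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = os.path.join(tmp, "profile")
        backup = os.path.join(tmp, "backup")
        make_demo_profile(profile)
        return triage_copy(profile, backup)


if __name__ == "__main__":
    copied, skipped = run_demo()
    print("copied :", copied)
    print("skipped:", skipped)
```

Run it with the volume mounted read-only (for example `mount -o ro /dev/sda1 /mnt/win` on a Linux live CD) so nothing on the suspect disk is touched, and scan the copied tree with an up-to-date engine afterwards, as the comment above recommends; the byte-level PE check only keeps executables out of the backup, it does not vouch for the documents.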
 
LVL 93

Expert Comment

by:nobus
ID: 39243598
i also suggest a fresh install, but since you do not want that, try running:
http://majorgeeks.com/RogueKiller_d6983.html                  Roguekiller
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 39244372
Are you able to  boot the system in Normal or Safe Mode?

Sudeep
0
 
LVL 1

Author Closing Comment

by:rhavey
ID: 39248303
Booting into Safe Mode was not possible.  Booting with Option 3 of Hitman did not help because that boot uses the hard drive's MBR.  I was able to boot with Hiren's CD, and run the Emsisoft Emergency Kit and Rogue Killer.  They cleaned up the C: drive enough that the PC would operate.  I was then able to reboot and run Combofix.  I double checked with TDSS Killer, Super AntiSpyware, and Eset's online scanner.  I found that the MS Security Essentials installation was corrupt; so I uninstalled and reinstalled that and ran a full scan with updated virus signatures.

Everything is OK.
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 39248821
Glad to hear you got it working, but one thing, on experts-exchange we generally discourage use of warez like the CD that rhymes with sirens.  There are various options on that CD that require licences, but have been hacked instead.  Use a bootable device made with SARDU excluding the option for that boot image.

I have a USB created with SARDU that has solved almost every problem I have encountered.
0
