Ransomware Warning

Hey Guys,

Need some help here.  I have a client's computer, Windows XP SP3.  Ransomware opens when I boot.  I am unable to boot in any Safe Mode option, the computer just loops back to restart.  I cannot run any files as the infection is preventing it, cannot open msconfig or the registry.  Could use any help available, have to get this computer back to my client ASAP.  I have run a Panda SafeDisk scan, nothing found, I ran an Avira scan, found nothing.  AVG scan (with hard drive installed in another computer), found nothing.  Malwarebytes (with hard drive installed in another computer) found nothing.  Computer is old so can't boot off USB drive?  Created CDs for all the bootable scans above.  No system restore point available either, all deleted.

Please Help
Jazz
JazzanlexAsked:
Gary CaseRetiredCommented:
Fortunately you've already done the most important thing:  "... I have already backed up the data ..."  :-)

Are you CERTAIN you can't boot off a USB device?
You stated it as a question in your original post:  " Computer is old so can't boot off USB drive? "
What's the make/model of the system?

If there's not a boot menu [F12, ESC, etc. during the initial BIOS display], be sure there's not an option in the BIOS to set a bootable USB device.   Note that many older systems do NOT show this option UNLESS there's a bootable USB device already attached to the system.    So you should prepare a bootable USB flash drive; attach it to the system; and THEN confirm whether or not you can boot from it.

I'd download HitManPro with the KickStart option (do this on another PC)  [ http://www.surfright.nl/en/downloads/ ];  prepare a bootable USB flash drive for 32-bit Windows;  and then see if you can get it to boot on the infected system (with the hard drive installed in it).    If it will boot, choose the first boot option (bypass Master Boot Record) and then let the system boot normally.   You'll still see the ransomware screen ... but after about a minute or so HitManPro should load => if so, just select the "only want to do a one-time scan" option and let it do its thing.

If this succeeds (it's very good at removing many types of ransomware);  then do a full scan with Malwarebytes; and you should then be okay.

Note:  If you can't boot from the USB flash drive, there's another way to do this.    You still have to create the bootable flash drive; but you can also create a bootable HitManPro CD with the "SideKick" image (see the instructions in the HitManPro download).    You then insert BOTH the bootable CD AND the bootable USB flash drive in the infected PC, and boot from the CD.     This will then work just as if it had booted from the USB flash drive.
0
 
NVITCommented:
Not sure if you can do anything except nuke and repave. And/or pay ransom. I hope client has backup of precious data.

For cryptolocker, see https://www.decryptcryptolocker.com/. Still no guarantee.

See http://www.experts-exchange.com/Security/Encryption/A_18086-Ransomware-Prevention-is-the-only-solution.html
0
 
JazzanlexAuthor Commented:
His files don't appear to be encrypted... I don't believe it's the CryptoWall virus.
0
 
NVITCommented:
1. Remove the hard drive and connect to a working computer
2. Backup all data ASAP
3. Try different methods to fix it
0
 
JazzanlexAuthor Commented:
Thanks for the input NewVillage, I have already backed up the data, any suggestions on what methods to try?
0
 
NVITCommented:
google: what is kaspersky rescue disk
Read up.
Make a bootable CD/USB

Being that XP is unofficially supported by Microsoft, not sure if AV vendors have incentive to support XP.
0
 
JazzanlexAuthor Commented:
Running that Kaspersky Rescue now, will let you know how it turns out...
0
 
NVITCommented:
good luck. Looks like you already tried several others, to no avail...
0
 
Michael-BestCommented:
Read this post (accepted answer awarded to me with assisted answers awarded to other members )

http://www.experts-exchange.com/Software/Anti_Spyware/Q_28647546.html
0
 
jorge diazSECommented:
You've done the right thing, you have the data...  now wipe it out clean.. explain to the client they are working on an unsupported version of Microsoft and that it's in their best interest to upgrade.
0
 
JazzanlexAuthor Commented:
Hi Gary,

Yes, it will not boot off USB.  It is a Presario S4300NX and I tried changing it in the BIOS; the only options are hard drive and CD/DVD.

I tried the Hitman Pro with the SideKick already, but the SideKick CD just stalls with a number 1.  Could never get the Hitman Pro to run.

Running another complete Malwarebytes scan now, taking over 6+ hours to run.

I do realize the OS is unsupported and I explained that to my client, but he has been reluctant; I'm sure now he will purchase a new unit.

I'll check your link in the AM, Michael, thank you.

Jazz
0
 
Gary CaseRetiredCommented:
"... I tried the Hitman Pro with the SideKick already but the SideKick CD just stalls with a number 1.  Could never get the Hitman Pro to run.   "  ==>   Did you prepare a USB flash drive and have it installed in the computer at the same time?   That is REQUIRED for Hitman Pro to run.     Note also that if #1 doesn't work, you should then try it with #2; and if that doesn't work, then with #3.

But in every case, you have to have the USB flash drive already plugged in, as the "Sidekick" gets the actual data it needs from the USB flash drive.
0
 
andreasSystem AdminCommented:
Your only chance will be hunting down the thing manually if all scanners fail, if rebuilding the machine is no option.
But hunting this down might be a lengthy process (sometimes with many hours of work involved, sometimes even in the range of over 100 hours, with UNKNOWN outcome; the result of the hunt might still be that a rebuild is necessary as too much was damaged).

Furthermore, XP SP3 will not get any security updates anymore, and soon other vendors (browsers, plugins, etc.) may also cease XP support; then you cannot fix any holes anymore, and the chances of reinfection will grow with each day XP is used longer.

All in all, the best advice to your customer is to abandon XP and switch to a recent version of Windows. If his computer cannot run it, also change the hardware too.
That would be cheaper than paying for maybe over 100 hours of virus hunting...
0
 
nobusbiljart fanCommented:
can you post a picture of the warning?
0
 
JazzanlexAuthor Commented:
Hi Gary,

It doesn't give me any other choices, it simply just sits with a flashing cursor and the number 1.  And yes, the Hitman Pro flash drive was in at the time; I tried it several times to no avail.   I have explained to my client the XP risks in the past, pretty sure this will force him to get a new computer.

And Nobus, I'd love to show you a picture, but now the computer is stuck in a complete reboot loop.  It looks something very similar to the one attached.....

I think I am officially giving up; you're right Gary, it simply isn't worth the time.  I just hate when something like this gets the best of me.  I'm usually pretty good at researching and kicking butt on things like this, but this one is tough.  I have run at least 20 scanners and nothing has found it.
(attached image: Your-computer-has-been-locked-FBI-Virus)
0
 
Gary CaseRetiredCommented:
I know you said you tried scanning with Malwarebytes while the drive was installed in another PC => but did you force a scan of that specific drive?  [i.e. not just run a Malwarebytes scan on the PC]

I've NEVER seen a case where the Moneypak issue wasn't resolved by a directed Malwarebytes scan on the drive ... and I've seen quite a few cases of this exact virus.
0
 
Gary CaseRetiredCommented:
Did a bit of reading on why you can't get into Safe Mode (which is another common way to fix this issue) ... it seems there's a newer variant of the Moneypak virus which won't allow Safe Mode => EXCEPT it can't stop the   "Safe Mode with Command Prompt", since that mode doesn't start ANY programs in the boot process.

The process to remove Moneypak with that technique is outlined here:
http://www.tech-recipes.com/rx/38039/remove-latest-fbi-money-pack-virus-despite-safe-mode-forced-restart/
0
 
Gary CaseRetiredCommented:
"... I think I am officially giving up,"  ==> NEVER !!

"... I just hate when something like this gets the best of me. " ==>  So don't let it :-)

Like I suspect you do, I often spend FAR more time than I ever think of charging for to resolve an issue just to satisfy my intellectual curiosity about how to fix it.     There IS, of course,  a point at which you have to give up ... and you're well prepared for that, since you've already saved all the user's data.    But I'd at least check out the Safe Mode with Command Prompt technique, and possibly try Malwarebytes on another machine with a directed scan if you didn't use that technique before.
0
 
JazzanlexAuthor Commented:
Thanks Gary, I agree, this job challenges my brain everyday.  

Cannot start the PC in Safe Mode with Command Prompt, reboot loop with any Safe Mode Option....
0
 
Gary CaseRetiredCommented:
That's very interesting, since Safe Mode with Command Prompt isn't supposed to start ANY additional programs -- i.e. neither the Startup folder nor any of the Run-Once keys in the registry are parsed.

If you've tried a Malwarebytes directed scan [i.e. in Windows Explorer, on a system with Malwarebytes installed and the drive installed; right-click on the drive and choose "Scan with Malwarebytes" ]  .... and that still doesn't resolve this, I'd agree it's ALMOST time to call it a day.

But before doing that, I'd try scanning with Microsoft Defender Offline.    This will usually remove rootkit infections ... and since the PC won't boot to Safe Mode with Command Prompt that's likely what you have here.    The Defender Offline CD is very handy to have anyway, so it won't hurt to download it and create the appropriate CD [I keep both 32-bit and 64-bit versions handy].
http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline

You can create the CD on any system, but you need to create a 32-bit CD for use on the XP system, regardless of what OS the system you create it on is running.    Once you have the CD, you just boot to it on the infected system and let it do its thing :-)
0
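As an added example (not from the thread or any of the participants), the following PowerShell script does the kind of offline autostart inventory Gary's comments point at: with the XP drive mounted in a clean Windows PC, it loads the offline SOFTWARE hive and each profile's NTUSER.DAT, lists the Run/RunOnce entries and the Winlogon Shell/Userinit values, and lists the Startup folder of every profile. It assumes the infected drive is mounted as D: and that the prompt is elevated (reg load needs it); both are assumptions, not details from the thread.

```powershell
# Added example: inventory autostart locations of an offline XP system drive.
# Assumption: the infected drive is mounted as D: in a clean PC, elevated prompt.
param([string]$OfflineRoot = 'D:')

function Show-OfflineRunKeys {
    param([string]$HivePath, [string]$MountName)
    if (-not (Test-Path $HivePath)) { return }
    Write-Host "`n### Hive: $HivePath"
    # reg load maps the offline hive under HKLM so it can be read without booting it
    reg load "HKLM\$MountName" $HivePath | Out-Null
    try {
        foreach ($key in 'Microsoft\Windows\CurrentVersion\Run',
                         'Microsoft\Windows\CurrentVersion\RunOnce') {
            $path = "HKLM:\$MountName\$key"
            if (Test-Path $path) {
                Write-Host "== $key"
                # drop the PS* metadata properties so only the value names/commands remain
                Get-ItemProperty -Path $path |
                    Select-Object -Property * -ExcludeProperty PS* |
                    Format-List | Out-String | Write-Host
            }
        }
        # Winlogon Shell/Userinit are classic lock-screen hijack points;
        # on a clean XP they read explorer.exe and ...\system32\userinit.exe,
        $wl = "HKLM:\$MountName\Microsoft\Windows NT\CurrentVersion\Winlogon"
        if (Test-Path $wl) {
            $v = Get-ItemProperty -Path $wl
            Write-Host "Shell    = $($v.Shell)"
            Write-Host "Userinit = $($v.Userinit)"
        }
    } finally {
        [gc]::Collect()                    # release handles before unloading
        reg unload "HKLM\$MountName" | Out-Null
    }
}

# Machine-wide hive (XP layout)
Show-OfflineRunKeys (Join-Path $OfflineRoot 'WINDOWS\system32\config\software') 'OfflineSoftware'

# Per-user hives: one NTUSER.DAT per profile
Get-ChildItem (Join-Path $OfflineRoot 'Documents and Settings') -Directory | ForEach-Object {
    Show-OfflineRunKeys (Join-Path $_.FullName 'NTUSER.DAT') "Offline_$($_.Name)"
}

# Startup folders of every profile; unexpected .exe/.lnk here is worth a directed scan
Write-Host "`n### Startup folder contents"
Get-ChildItem (Join-Path $OfflineRoot 'Documents and Settings\*\Start Menu\Programs\Startup') -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

Anything listed that is not recognisable software is a candidate for the directed Malwarebytes scan described above; the script only reads, it changes nothing on the offline drive.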
 
JazzanlexAuthor Commented:
Thanks guys for all your help, my client bought a new computer....best solution
0
 
JazzanlexAuthor Commented:
Thanks again for all the help....no solution found on here but awarding the points to the two that helped the most.  Thanks again
0
 
NVITCommented:
Thanks for the update, Jazzanlex. FWIW... at least you got the data. Have a great week. Take care.
0
 
Gary CaseRetiredCommented:
Definitely the best solution :-)
0