Ransomware Warning

Jazzanlex asked:

Hey Guys,

Need some help here.  I have a client's computer, Windows XP SP3.  Ransomware opens when I boot.  I am unable to boot in any Safe Mode option; the computer just loops back to restart.  I cannot run any files as the infection is preventing it, and cannot open msconfig or the registry.  Could use any help available; I have to get this computer back to my client ASAP.  I have run a Panda SafeDisk scan, nothing found.  I ran an Avira scan, found nothing.  AVG scan (with the hard drive installed in another computer), found nothing.  Malwarebytes (with the hard drive installed in another computer) found nothing.  The computer is old so it can't boot off a USB drive.  Created CDs for all the bootable scans above.  No system restore point available either, all deleted.

Please Help
Jazz
SOLUTION by NVIT (content available to members only)
Jazzanlex (asker):
His files don't appear to be encrypted... I don't believe it's the CryptoWall virus.
1. Remove the hard drive and connect to a working computer
2. Backup all data ASAP
3. Try different methods to fix it
Thanks for the input NewVillage. I have already backed up the data; any suggestions on what methods to try?
Google: what is Kaspersky Rescue Disk
Read up.
Make a bootable CD/USB.

Being that XP is unofficially supported by Microsoft, not sure if AV vendors have an incentive to support XP.
Running that Kaspersky Rescue now, will let you know how it turns out...
Good luck. Looks like you already tried several others, to no avail...
ASKER CERTIFIED SOLUTION (content available to members only)
Read this post (accepted answer awarded to me, with assisted answers awarded to other members):

https://www.experts-exchange.com/questions/28647546/cryptowall-trojan-horse.html
You've done the right thing, you have the data... now wipe it out clean. Explain to the client they are working on an unsupported version of Microsoft's OS and that it's in their best interest to upgrade.
Hi Gary,

Yes, it will not boot off USB.  It is a Presario S4300NX and I tried changing it in the BIOS; only hard drive and CD/DVD are offered.

I tried the Hitman Pro with the Sidekick already, but the Sidekick CD just stalls with a number 1.  Could never get the Hitman Pro to run.

Running another complete Malwarebytes scan now, taking over 6+ hours to run.

I do realize the OS is unsupported and I explained that to my client, but he has been reluctant; I'm sure now he will purchase a new unit.

I'll check your link in the AM Michael, thank you.

Jazz
"... I tried the Hitman Pro with the Sidekick already but the Sidekick CD Just stalls with a number 1.  Could never get the Hitman Pro to run.   "  ==>   Did you prepare a USB flash drive and have it installed in the computer at the same time?   That is REQUIRED for Hitman Pro to run.     Note also that if #1 doesn't work, you should then try it with #2; and if that doesn't work, then with #3.

But in every case, you have to have the USB flash drive already plugged in, as the "Sidekick" gets the actual data it needs from the USB flash drive.
Your only chance will be hunting down the thing manually if all scanners fail, if rebuilding the machine is no option.
But hunting this down might be a lengthy process (sometimes with many hours of work involved, sometimes even in the range of over 100 hours, with UNKNOWN outcome; the result of the hunt might still be that a rebuild is necessary as too much was damaged).

Furthermore, XP SP3 will not get any security updates anymore, and soon other vendors like browser and plugin makers may also cease XP support, and then you cannot fix any holes anymore, and the chances of reinfection will grow with each day XP is used longer.

All in all, the best advice to your customer is to abandon XP and switch to a recent version of Windows. If his computer cannot run it, also change the hardware too.
That would be cheaper than paying for maybe over 100 hours of virus hunting...
Can you post a picture of the warning?
Hi Gary,

It doesn't give me any other choices; it simply just sits with a flashing cursor and the number 1.  And yes, the Hitman Pro flash drive was in at the time; I tried it several times to no avail.   I have explained to my client the XP risks in the past; pretty sure this will force him to get a new computer.

And Nobus, I'd love to show you a picture, but now the computer is stuck in a complete reboot loop.  It looks something very similar to the one attached.....

I think I am officially giving up. You're right Gary, it simply isn't worth the time.  I just hate when something like this gets the best of me.  I'm usually pretty good at researching and kicking butt on things like this, but this one is tough.  I have run at least 20 scanners and nothing has found it.
[attachment: Your-computer-has-been-locked-FBI-Virus]
I know you said you tried scanning with Malwarebytes while the drive was installed in another PC => but did you force a scan of that specific drive?  [i.e. not just run a Malwarebytes scan on the PC]

I've NEVER seen a case where the Moneypak issue wasn't resolved by a directed Malwarebytes scan on the drive ... and I've seen quite a few cases of this exact virus.
Did a bit of reading on why you can't get into Safe Mode (which is another common way to fix this issue) ... it seems there's a newer variant of the Moneypak virus which won't allow Safe Mode => EXCEPT it can't stop "Safe Mode with Command Prompt", since that mode doesn't start ANY programs in the boot process.

The process to remove Moneypak with that technique is outlined here:
http://www.tech-recipes.com/rx/38039/remove-latest-fbi-money-pack-virus-despite-safe-mode-forced-restart/
"... I think I am officially giving up,"  ==> NEVER !!

"... I just hate when something like this gets the best of me. " ==>  So don't let it :-)

Like I suspect you do, I often spend FAR more time than I ever think of charging for to resolve an issue just to satisfy my intellectual curiosity about how to fix it.     There IS, of course,  a point at which you have to give up ... and you're well prepared for that, since you've already saved all the user's data.    But I'd at least check out the Safe Mode with Command Prompt technique, and possibly try Malwarebytes on another machine with a directed scan if you didn't use that technique before.
Thanks Gary, I agree; this job challenges my brain every day.

Cannot start the PC in Safe Mode with Command Prompt; reboot loop with any Safe Mode option....
That's very interesting, since Safe Mode with Command Prompt isn't supposed to start ANY additional programs -- i.e. neither the Startup folder nor any of the Run-Once keys in the registry are parsed.

If you've tried a Malwarebytes directed scan [i.e. in Windows Explorer, on a system with Malwarebytes installed and the drive installed; right-click on the drive and choose "Scan with Malwarebytes" ]  .... and that still doesn't resolve this, I'd agree it's ALMOST time to call it a day.

But before doing that, I'd try scanning with Microsoft Defender Offline.    This will usually remove rootkit infections ... and since the PC won't boot to Safe Mode with Command Prompt that's likely what you have here.    The Defender Offline CD is very handy to have anyway, so it won't hurt to download it and create the appropriate CD [I keep both 32-bit and 64-bit versions handy].
http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline

You can create the CD on any system, but you need to create a 32-bit CD for use on the XP system, regardless of what OS the system you create it on is running.    Once you have the CD, you just boot to it on the infected system and let it do its thing :-)
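Since the thread suggests that manual hunting is the fallback when every scanner comes up empty, here is an added PowerShell example (not posted by anyone in the thread) that lists the Run, RunOnce and Winlogon autostart entries from the infected drive's offline registry hives while that drive is attached to a clean machine. The drive letter E:, the temporary hive names, the Winlogon Shell/Userinit check and the "profile path" heuristic are all assumptions added here.

```powershell
# Added example (not from the thread): list autostart entries from the OFFLINE
# registry hives of an infected Windows XP drive attached to a clean machine.
# Assumption: the infected drive is mounted as E:\ (placeholder); run elevated.
$drive = 'E:'
$hives = @{ 'OfflineSoftware' = "$drive\WINDOWS\system32\config\software" }

# Per-user hives hold HKCU\...\Run; XP profiles live under Documents and Settings
Get-ChildItem "$drive\Documents and Settings" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $nt = Join-Path $_.FullName 'NTUSER.DAT'
        if (Test-Path $nt) { $hives["Offline_$($_.Name)"] = $nt }
    }

# Subkeys to inspect; Winlogon Shell/Userinit is an added check, not from the thread
$subkeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Heuristic (assumption): autostarts pointing into a user profile or temp folder get flagged
$suspect = '(?i)Documents and Settings|Application Data|Local Settings|\\Temp\\'

foreach ($name in @($hives.Keys)) {
    reg.exe load "HKLM\$name" $hives[$name] | Out-Null
    try {
        foreach ($sk in $subkeys) {
            # The SOFTWARE hive has no leading 'Software\' component; NTUSER.DAT does
            $rel = if ($name -eq 'OfflineSoftware') { $sk -replace '^Software\\', '' } else { $sk }
            $path = "HKLM:\$name\$rel"
            if (-not (Test-Path $path)) { continue }
            $props = Get-ItemProperty -Path $path
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }              # PowerShell metadata, not a value
                if ($rel -like '*Winlogon' -and $p.Name -notin 'Shell','Userinit') { continue }
                $flag = if ("$($p.Value)" -match $suspect) { '   <-- review' } else { '' }
                "{0}\{1}: {2} = {3}{4}" -f $name, $rel, $p.Name, $p.Value, $flag
            }
        }
    }
    finally {
        [GC]::Collect()                          # release handles so the hive can be unloaded
        reg.exe unload "HKLM\$name" | Out-Null
    }
}
```

Entries marked "<-- review" are only candidates; compare each one with what the same key normally contains on a clean XP install before deciding it belongs to the locker.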
Thanks guys for all your help; my client bought a new computer.... best solution.
Thanks again for all the help.... no solution found on here, but awarding the points to the two that helped the most.  Thanks again.
Thanks for the update, Jazzanlex. FWIW... at least you got the data. Have a great week. Take care.
Definitely the best solution :-)