Ransomware at startup even in safe mode

youngwun0

Hey guys,

Now, about 2 weeks ago I ran into a customer who freaked out because she had caught a virus which asked for 200$ (yes, they put the $ sign after 200) and stated it was an FBI-issued warning and that the money should be transferred via MoneyPak, yada yada........ Now this virus was removed after numerous scans and tools such as ComboFix being run in safe mode.

But on to the real issue here... about 4 days ago a good friend of mine caught the same virus, only it asked for $50 instead. A quick Google search came up with different amounts: 50, 100 and 200... Only this one even started up in safe mode WITHOUT networking; Task Manager could not be opened, there was no way of opening anything, it's just a big warning screen...

Normally I will run Hiren's Boot CD or even UBCD4Win and run the scan via those, only the ISSUE is UBCD4Win will BSOD his machine and Hiren's will not detect a hard drive. I had this issue when attempting to reset a password on his computer about a year ago, so I kind of knew it wouldn't work.

My question to you guys is: is there any way around an issue like this, where safe mode is useless due to a total control takeover and boot CDs will either blue screen you or just not read the hard drive? The hard drive is perfectly fine and everything loads; it is just that this eMachines computer, as with many I have worked on, is not fit to run boot CDs with........
 
Well that depends.

rkill renamed to rkill.pif usually does the trick to get by things. I would try that first by putting it on an empty flash drive (just saying empty in case it starts writing to it). I would plug it in, try Windows key+R and type the path, for example F:\rkill.pif, and hit Enter.

If that doesn't work you could always simply take the drive out of his computer and add it to yours, and boot from Hiren's on yours. It's unlikely that it's the drive itself that is stopping Hiren's from recognizing it.
 
I slave the infected drive to my bench system with a sata/ide to usb adapter or I can hook it directly to the mobo ports if needed.

Clean what you can and then go back to safe mode and finish up.

I think the UBCD4Win project has been neglected for a couple of years now. The author started his own repair biz. Too bad for us but good for him! Anyway, there are optional driver packs that you might need to enable when it won't boot certain PCs.
 
Those are some great ideas. The bench machine I kind of wanted to be a last resort, as I don't really want to have to take the drive out; I wanted to kind of do it onsite, although I can bring my laptop and adapter. I didn't spend too much time on it as I was very busy when I did the diagnostic at his home the other day, but I will try those things. Thank you guys for the quick and swift response, much appreciated.
 
I'm not a fan of onsite virus removals for this reason. Not knocking anyone here who does it, but personally, I never felt an adequate job could be done within the time constraints of an onsite visit.
 
I agree, I don't think you can give the same service on site as in the workshop.
 
I also agree, and normally I would prefer to do virus removal jobs at my office with an ordinary customer, but this one was for a good friend of mine. I came by just to check it out and have a chat session, so I did, and had to run as I had someone stopping by my office, and figured I'd come by another day and try it onsite.

But thanks for the helpful advice you two.
 
Have you tried some of the rescue CDs like BitDefender? I find them useful in situations like this, but they can take a while to run. As they are Linux they might have a better chance of mounting the hard drive.
 
It is menacing and scary looking, since it accuses you of watching child porn and claims that it is sending your information to the FBI. I also liked the finishing touches of starting your web cam and showing you the video "Recording you".

I cleaned this very same virus today onsite. I was able to get into safe mode and do a System Restore to give me some breathing room.

After that I ran Rkill, ComboFix and a few others to combat it. I also booted into Linux and ran a few Linux malware programs and virus scans.

It took me around 2 hours, but as a few of you said, I don't like doing them onsite, since time constraints become an issue. I can do a much better job on my bench....

In the end I did several scans, tests and manual checks before I left. All came up clean.
 
Thank you all very much for your input. I wound up doing a reformat on this machine, which is not my ordinary way of dealing with viruses, but it turns out he also did a slew of other things to it in between the time I came back. Also, the actual FBI message screen wouldn't even appear; it was big and blank, and I think he just toyed with it too much.

uprighttech - thank you, I am getting this disc right this very moment. Thank you all again.
 