Tricky (Stubborn) Virus help.

Petetech888

I have come across a virus that locks up the system completely, called "Internet Crime Complaint Center". It's got an FBI logo and locks the computer up.

Apparently, if you get to it fast enough you can remove it using safe mode but the client didn't bring it in before that time period, and I can't remove it that way.

I have attached it to a safe system and swept it, but each time I put the drive back in it has re-spawned.


All I can find on Google is software purchasing scams for the removal or tech links for paid support, & that's not happening.

Anyone got any experience with this one?

Thanks in advance.
 
Can you elaborate (greatly) on "swept it"? For some, that could mean a single Full scan with MBAM; for those like myself, it would mean something entirely more thorough.

What scanners and apps have you run? How have you reviewed what's autostarting on that machine?
 
Hitman Pro has a new feature where you can make a bootable USB which should get you into the system. I've not used it since I've not found a need to, but it might be worth a look for you. Let us know how you get on, I'd be intrigued to see how well it performs.
 
Update in the battle.

Ok, all Windows & some Linux based boot CDs (Avast BART - UBCD - Parted Magic etc.) get crashed & smashed before accessing the GUI or within a second of the GUI loading properly.

We are searching for an offline Windows registry editor to get to the registry.


It's at the point where we have a few seconds of GUI before the virus blocks us.

Will keep you all posted.

Any magic wands or previous experience with this nasty will be appreciated :)
 
Ok, all Windows & some Linux based boot CDs (Avast BART - UBCD - Parted Magic etc.) get crashed & smashed before accessing the GUI or within a second of the GUI loading properly.

A virus on a hard drive can't stop a boot CD from working. Are you sure there isn't more to this than just a virus?
 
Update in the battle.

Ran a batch file stopping all RunOnce processes, nope...

This little **** is hiding in group policy.

Very tricky, looking more and more like a data save & wipe.
 
Yeah, you should be able to slave it and edit the hive. At worst (and I can't see why you'd need to) you could copy the hive, edit it and put it back. Like Jimbo said, if you boot from a CD or USB it can't be stopping you; there would have to be some other problem. Jimbo, you usually make me laugh aloud... I'm waiting :D
 
A virus on a hard drive can't stop a boot CD from working. Are you sure there isn't more to this than just a virus?

Got BSOD error 7B a few times when the GUI almost loaded, swapped out RAM, HDD tested OK, but not holding much stock in that right now.

We are past that now and elbow deep into the analysis & behaviour of this nasty (but clever) hijack.
 
It's using a corrupt system to boot from, so all Windows boot disks fail, producing the BSOD.

Linux based boot disks now seem to work (Parted Magic).

It looks like it's in the local security policy.

Anyone have any helpful answers or suggestions before we nuke & reinstall?
 
Yeah, you should be able to slave it and edit the hive. At worst (and I can't see why you'd need to) you could copy the hive, edit it and put it back. Like Jimbo said, if you boot from a CD or USB it can't be stopping you; there would have to be some other problem. Jimbo, you usually make me laugh aloud... I'm waiting :D

Not if it's in group policy, and use what!?

What allows us to edit the hive of a slave?

I've already removed the Windows start-up stuff & it still loads. I created a registry entry - batch/script to remove it from start-up, but it's still going, so we think it's in local policy.

If I slave it, what would I use to edit the hive with?

My idea would be to put it on a smaller network of its own and link into it with the local security policy snap in.
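As an added example (not code from the thread or from any of its posters), this PowerShell script is one answer to "what would I use to edit the hive with?" and to the earlier question about reviewing what autostarts: with the drive slaved into a clean machine, it mounts the offline SOFTWARE and NTUSER.DAT hives with reg.exe and lists the Run/RunOnce keys, the Policies\Explorer\Run key that group policy uses, and the Winlogon Shell/Userinit values, then unloads them. The drive letter D: and the profile name Client are placeholders; run it from an elevated prompt on the clean host.

```powershell
# Added example, not from the thread. Inspect autostart and policy keys in the hives of a
# slaved (non-booted) Windows drive. Placeholders: slaved volume D:, profile folder 'Client'.
$Drive    = 'D:'
$UserName = 'Client'
# Mount name under HKLM => hive file on the slaved drive.
$Hives = @{
    'OFF_SOFTWARE' = "$Drive\Windows\System32\config\SOFTWARE"
    'OFF_NTUSER'   = "$Drive\Users\$UserName\NTUSER.DAT"
}
# Keys to review, relative to each mounted hive.
$Checks = @{
    'OFF_SOFTWARE' = @(
        'Microsoft\Windows\CurrentVersion\Run',
        'Microsoft\Windows\CurrentVersion\RunOnce',
        'Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    'OFF_NTUSER' = @(
        'Software\Microsoft\Windows\CurrentVersion\Run',
        'Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
}
foreach ($mount in $Hives.Keys) {
    $file = $Hives[$mount]
    if (-not (Test-Path $file)) { Write-Warning "Hive not found: $file"; continue }
    # reg.exe load attaches the offline hive under HKLM\<mount>; needs an elevated prompt.
    & reg.exe load "HKLM\$mount" $file | Out-Null
    try {
        foreach ($rel in $Checks[$mount]) {
            $key = "HKLM:\$mount\$rel"
            if (-not (Test-Path $key)) { continue }
            Write-Host "== $key"
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip provider metadata
                # In Winlogon only Shell and Userinit launch programs at logon.
                if ($rel -like '*Winlogon' -and $p.Name -notin 'Shell','Userinit') { continue }
                '{0,-12} = {1}' -f $p.Name, $p.Value
            }
        }
    } finally {
        # Always unload, or the hive file stays locked and the slaved drive cannot be removed cleanly.
        & reg.exe unload "HKLM\$mount" | Out-Null
    }
}
```

A clean Shell value reads explorer.exe and a clean Userinit ends in userinit.exe,; anything else in those two values, or in the Policies\Explorer\Run key, is what to compare against a known-good machine before editing.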
 
Got BSOD error 7B a few times when the GUI almost loaded, swapped out RAM, HDD tested OK, but not holding much stock in that right now.

We are past that now and elbow deep into the analysis & behaviour of this nasty (but clever) hijack.

Do you know what a 0x7B is? I think you are chasing your tail on this and need to do more research on the errors you are getting.
 
If you can't boot with a boot CD - Hiren's, ERD Commander, Linux - then something else is wrong. What's the rest of the stop code after 0x7B? CMOS recently been reset (bad CMOS battery or on purpose by you)? If so, check your IDE settings... a bad mode will cause a 0x7B, however it wouldn't stop a boot disk.
 
A response to all. Thread closed (for me at least).

For those attempting to help many thanks.

We all have clients with issues we want to solve ASAP & having the tech help is a great resource for us all.

CONCLUSION: This particular virus does not have a common fix yet available. The easiest ethical fix (in my opinion only) is a profile recovery (after scanning for any nasty leftovers both before & after profile/data salvage) & a fresh install; otherwise it's more time & money to solve than you deserve to lump onto your customer's bill.
If anyone does find a fix (that doesn't want money for giving it) I would be pleased to hear from you.

As for those with more questions rather than answers

It's supposed to go like this...

Hi guys, here is the problem: "Bla bla bla".

Hi Bla, here are a few solutions.
Link one
and
try this one

Then there's a reply, that kind of looks like this...

"Thanks that was a great help, much appreciated".

Then perhaps a polite retort...

"No problem".

Instead it looks & feels more like this...



Why not start being kinder to people, guys?

If you don't know the answer to a question when you see it, either move on or let it go & stop using people for your own research or to do the leg work for you.

It feels kind of torturous labouring through questions from people who either don't know or understand what you're saying, always asking for more answers rather than giving them.

Love Technibble, & a lot of the members are A1, but... not too crazy about some of the techs in it.

This post is aimed at no one individual in particular, nor this forum thread specifically, & is a general comment only.

Adios, have a GREAT DAY :D
 
Oh jeez.. ::gets popcorn ready::

Unfortunately some of your information is spotty, and whether you understand or not we're trying to clear out all the fluff.
 
You made a bad request for help and then just made it worse by trying to defend your post instead of realizing you made mistakes and then trying to fix it.

I mean, how could it be "hiding in group policy" and stop you from booting a disk? How does a boot disk get "crashed & smashed"?

Good luck getting help in the future if you are going to act like this.
 
Hi Petetech.
I've read your posting through a few times, and I'm sorry but your conclusions just don't add up.

It doesn't follow the logical progression we normally take in these situations.

You appeared fixed on a registry infiltration, and whilst that is possible, it shouldn't affect booting a repair disk. That's end user talk.

Did you slave the drive via another machine ? You weren't clear on that.

Crashed and smashed ?
Eh ? What does that mean ?

First point of entry is to get access to the data. You can afford to lose the OS, that isn't normally a problem.

Try another cd drive ?

Your conclusion is a completely new variant of nasty to explain it all away.

Eh ?

I'm sure we would be interested in your final analysis.
 