[Jay2014]

Hi I am trying to fix my mom's computer that has been affected with FBI Ransomware for just over a week now. She is on Win 7 Home Premium 32Bit from what I can tell. When the pc boots up and I enter her password to enter her user account (which also happens to be the admin account) the screen turns white as if it is having a response issue and goes immediately to the FBI Ransomware page. I cannot do anything except for a manual shut down. I tried entering safe mode to load Malwarebytes but this was an unsuccessful attempt to resurrect a working pc. I then turned to Kaspersky Rescue Disk 10 which found the virus including two others: Trojan-FakeAV.WIn32 SmartFortress2012.zhc and HEUR: Trojan.Win32 Generic. Kaspersky stated the threats were deleted and I then ran the windowsunlocker tool which also found the virus in the resigtery and was deleted. However, the ransomware is still on the pc. I am using my own pc right now with my mom's hooked up next to it. Any help is appreciated. 

[Advertisements]

My name's Naathim and I'm a GeekU Minion! Now that we are mates and will be working together to clean your machine out of any junkware, feel free to call me Naat

Before we start please note the following:

Analysis and research take some time, also sometimes real life gets in the way, please be patient.
Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
Paste the logs in your posts, attachments make my work harder and more complicated.
Stay with me to the end, the absence of symtoms doesn't mean that your machine is fully operational.
Note that we may live in totally different time zones, what may cause some delays between answers.

I can't foresee everything, so if anything unexpected happens, please stop and inform me!
There are no silly questions. Never be afraid to ask if in doubt!

Let's start and enjoy the fight!


Now let's see if Safe Mode with command prompt will be operational. If not, we will approach it differently.


Boot into Safe Mode

Reboot your machine and start tapping F8 key repeatedly.
You should see Advanced Boot Menu with a couple of options (Safe Mode, Safe Mode with networking, Safe Mode with command prompt).

• Please select Safe Mode with command prompt and press Enter

A black window should appear.

• In the black command prompt window please type in
  

  explorer.exe

  and press Enter.

If succeeded, your desktop should appear. If not - report here and we'll do it outside the working system.


Cheers,
Naat

[Naathim]

My name's Naathim and I'm a GeekU Minion! Now that we are mates and will be working together to clean your machine out of any junkware, feel free to call me Naat

Before we start please note the following:

Analysis and research take some time, also sometimes real life gets in the way, please be patient.
Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
Paste the logs in your posts, attachments make my work harder and more complicated.
Stay with me to the end, the absence of symtoms doesn't mean that your machine is fully operational.
Note that we may live in totally different time zones, what may cause some delays between answers.

I can't foresee everything, so if anything unexpected happens, please stop and inform me!
There are no silly questions. Never be afraid to ask if in doubt!

Let's start and enjoy the fight!


Now let's see if Safe Mode with command prompt will be operational. If not, we will approach it differently.


Boot into Safe Mode

Reboot your machine and start tapping F8 key repeatedly.
You should see Advanced Boot Menu with a couple of options (Safe Mode, Safe Mode with networking, Safe Mode with command prompt).

• Please select Safe Mode with command prompt and press Enter

A black window should appear.

• In the black command prompt window please type in
  

  explorer.exe

  and press Enter.

If succeeded, your desktop should appear. If not - report here and we'll do it outside the working system.


Cheers,
Naat

[Jay2014]

Hi Naat, thanks for responding to my post. I'm currently at the job right now; however, I will take the steps you have stated in the above post as soon as I arrive home this afternoon. I appreciate your time in helping me resolve this issue.

[Naathim]

Hi
 
Take your time, I will be around

[Jay2014]

Hi again Naat,

 

I selected safe mode with command prompt and after it finished loading the windows files it took me straight to the user account login screen. A black command window did not appear. 

[Jay2014]

Correction for my ignorance lol. I have never used safe mode with command prompt before. I have logged into the account and entered explorer.exe into the command prompt and I can see the desktop.

[Naathim]

That's great!
 
I will give you two programs to run there, but first please check this one for me. I need to be sure is it 32- or 64-bit to choose better tools.


Check Windows architecture

Please check your windows architecture:

• Click the Start button.
• Right-click on Computer and select Properties.
• A window should appear - in the middle part of it there should be a note if your system has 32- or 64-bit architecture.

Please rewrite this information for me - it will help me choose better tools to assist you.

[Jay2014]

Naat, I have verified that it indeed has a 64-bit architecture. However, doing this step caused the FBI Ransom image to come back up. I will did a restart and went back to safe mode with command prompt as you first instructed.

[Naathim]

Nope, I feel that the Safe Mode won't help us here. We'll approach it differently.

 

Do you have the access to another clean machine and a thumbdrive (pendrive, USBdrive)?

[Jay2014]

Yes, I am currently using my computer to access this forum at the moment. 

[Naathim]

_ Scan with Farbar Recovery Scan Tool from the Recovery Environment

We will be working outside of Windows, so I think it would be prudent to save it or print down for further reference.
This instruction is a quite complicated one as it contains multiple steps. We will need a clean machine and a USB stick (thumbdrive).

DOWNLOADS

There will be three things to download on your clean machine:

• RUFUS by Akeo Consulting
• Windows 7 x64 Recovery Environment
• Farbar Recovery Scan Tool x64 by Farbar

Save them preferably to the desktop, as it would make the rest of instructions easier.
Recovery .iso file will be downloaded from my GoogleDrive. You will be notified that the file is too big for Google to scan it with built-in virus scanners - I assure you that it's perfectly safe.

PREPARATIONS

Prepare the tool on your clean machine.

Create bootable USB drive with RUFUS

• Right-click on icon and select Run as Administrator to start the tool.
• Configure it with the settings listed below:
  • Device - make sure that your pendrive is listed;
  • File System - set to NTFS;
  • Make sure that Quick format option is checked;
  • Create a bootable disk using - select ISO Image;
  • Click on the small CD icon next to ISO Image - select the downloaded Recovery Environment .iso file.
• Press Start ant the process should run.

You will be notified on the lower bar when it will be completed.

After that please copy FRST to the root of your pendrive.
Now unplug your pendrive and move it into your corrupted machine.

ACTION

Insert your USB drive to the corrupted machine and start the computer.
Make sure that booting from USB is set. If you don't know how to do it, instructions HERE.

Getting from one step to another during this part will take some time. Please be patient.

Run Recovery Environment

• When the machine boots-up, you will see the Install now window. Instead choose the Repair my computer option.
• You will be presented with the list of operating systems (usually there will be only one). Highlight it by clicking on it and select Next.
• In the Choose Recovery Tool menu select Command Prompt.

You will see a big black window with a blinking cursor (command prompt).

Access the notepad and identify your USB drive

In the Command Prompt please type in:

notepad

and press Enter.

• When the notepad opens, go to File menu.
• Select Open.
• Go to Computer and search there for your USB drive letter.

Note down the letter and close the notepad.

Scan with Farbar Recovery Scan Tool

Once back in the command prompt window, please do the following:

• Type in e:\frst.exe and press Enter.
  You need to replace e with the letter of your USB drive taken from notepad!
• FRST will start to run. Give him a minute or so to load itself.
• Click Yes to Disclaimer.
• In the main console, please click Scan and wait.

When finished it will produce a logfile named FRST.txt in the root of your pendrive and display it. Close that logfile.

Transfer it to your clean machine and include it in your next reply.

Edited by Naathim, 20 August 2014 - 09:03 AM.
Removed RE download link

[Jay2014]

Naat I am still here, I am having issues getting the computer to boot to the usb drive. I am going to try again before I have to go off to work

[Naathim]

No worries, I am still around and won't abandon the thread so easily

[Jay2014]

Naat, I will have to try again when I get home from work. For some reason it is not booting to the usb even though it is set to boot there first. I was able to boot to Kaspersky by disc, so I know it is possible. I will make sure I it's not the usb when I get home. Thanks so much for your patience and time. 

[Naathim]

Ok, awaiting

 

If you wish so, we may use a CD/DVD to create a Recovery Environment Disc, but the pendrive with FRST will still be mandatory to transfer the tools / logfiles.