
thomasm516
Members
Posts: 1
Reputation: 0 Neutral
Hello, I'm an IT professional with something of an unusual hobby. I like to purposely infect one of my machines with malware and then manually try to figure out what that malware did to my system. My most recent project is the FBI Ransomware. Simply removing it with an anti-virus product would defeat my purpose, and it's something that I could easily do. If need be, I can wipe and rebuild the machine, or simply re-image it with a known good image. So I'm not looking for that type of advice. But I do need some help in figuring out what the malware has done. And, just as an FYI, I know that it's extremely difficult to manually clean viruses, especially the more sophisticated ones, so I only take these projects to the point where I can get back basic control of the system. At that point, I consider it a win and re-image the machine to be safe.

Current System Behavior

At startup I see the FBI ransomware screen and I am unable to get to my desktop. It seems that I can do nothing with the system. I am unable to boot into Safe Mode with Networking, but I can boot into Safe Mode with Command Prompt. I can launch explorer.exe with admin rights and I do have a second account that I can use to access the machine.

Steps Taken

Once in Safe Mode with Command Prompt, I typed "explorer.exe" and got into the GUI. I checked the Startup folder and found nothing launching from that location. I checked the Run and RunOnce keys in the registry for both the user and system and did not find anything that is unknown to me. I ran msconfig and disabled ALL services and startup applications. I checked the scheduled tasks and nothing is running from there. I have checked the logon and logoff scripts and the startup and shutdown scripts and found nothing. I checked the .ini files that can be used when Windows boots. I have even checked the local group policies to see if something like a kiosk setup had been configured.

I unplugged the network cable and I no longer see the ransomware page, but I do get a white page that I cannot get past.

Theory

I think that the white page I get is actually a big clue as to what is going on. It makes me think that at logon the computer is going out to the Internet and downloading the ransomware page. By disconnecting the network cable I have interrupted that process and hence I get the white page. Both the ransomware page and the white page behave as if I'm looking at Internet Explorer in full screen mode. This makes me think that somehow an IE session is getting launched, perhaps from something like an Active Desktop kind of setting, a registry entry that I've missed, a setting in IE that loads it at startup, etc.

Summary

This one has got me a bit perplexed. I cannot figure out how that page is getting loaded at logon when I've checked every location I know of from which applications can be launched, and turned off all services and startup applications. Are there any locations beyond those that I have listed above from which software can launch? Any other ideas on how this malware is managing to load that page at logon?

Thanks for any help that you can offer!

--Tom
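The post asks for launch points beyond the Startup folder, Run/RunOnce keys, services, scheduled tasks, logon scripts and .ini files it already covers. The script below is an added example written for this page; it is not from the poster or from any reply in the thread. It enumerates several further Windows autostart locations (the Winlogon Shell and Userinit values that decide what replaces the desktop at logon, the AppInit_DLLs/Load/Run values, the Policies\Explorer\Run keys, Image File Execution Options Debugger values, and the registry entries that can redirect the Startup folder itself) and reports anything that differs from a stock install. It assumes a Windows 7-era registry layout and an elevated PowerShell prompt, for instance one opened from Safe Mode with Command Prompt; the default values it compares against are stated as assumptions in the code and should be checked against a known-good machine of the same build.

```powershell
# Added example (not from the original post): list Windows autostart locations the post does
# not mention and flag values that deviate from a clean install. Assumes a Windows 7-era
# registry layout and an elevated PowerShell prompt. The defaults below are assumptions to
# verify against a known-good machine of the same build.

$expectedWinlogon = @{
    'Shell'    = 'explorer.exe'                               # program that becomes the desktop
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"     # runs logon scripts, then starts Shell
}

function Get-WinlogonFindings {
    # Winlogon values decide what runs in place of the desktop. HKLM is their normal home; a
    # per-user copy under HKCU is absent on a clean install, so any value found there is flagged.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $expectedWinlogon.Keys) {
            $value = $props.$name
            if ($null -eq $value) { continue }
            $clean = ($hive -eq 'HKLM') -and ($value -eq $expectedWinlogon[$name])
            [pscustomobject]@{ Location = "$key\$name"; Value = $value; Suspicious = -not $clean }
        }
    }
}

function Get-QuietSpotFindings {
    # Load points that are empty or absent on a clean install; anything present is reported.
    $spots = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; Names = @('AppInit_DLLs', 'Load', 'Run') },
        @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; Names = @('Load', 'Run') },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Names = @() },
        @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Names = @() }
    )
    foreach ($spot in $spots) {
        if (-not (Test-Path $spot.Key)) { continue }
        $props = Get-ItemProperty -Path $spot.Key
        # An empty Names list means every value in the key is of interest.
        $names = if ($spot.Names.Count -gt 0) { $spot.Names } else {
            $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
        }
        foreach ($name in $names) {
            $value = $props.$name
            if ([string]::IsNullOrEmpty([string]$value)) { continue }
            [pscustomobject]@{ Location = "$($spot.Key)\$name"; Value = $value; Suspicious = $true }
        }
    }
}

function Get-IfeoFindings {
    # Image File Execution Options: a Debugger value makes Windows start that program whenever
    # the named executable is launched, so the original program is quietly replaced.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath).Debugger
        if ($dbg) {
            [pscustomobject]@{ Location = "IFEO\$($_.PSChildName)\Debugger"; Value = $dbg; Suspicious = $true }
        }
    }
}

function Get-StartupFolderFindings {
    # The Startup folder the post inspected can itself be redirected through User Shell Folders;
    # compare the registered path with the assumed default location.
    $checks = @(
        @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'; Name = 'Startup';
           Default = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'; Name = 'Common Startup';
           Default = '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup' }
    )
    foreach ($c in $checks) {
        $value = (Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue).($c.Name)
        if ($null -eq $value) { continue }
        [pscustomobject]@{ Location = "$($c.Key)\$($c.Name)"; Value = $value; Suspicious = ($value -ne $c.Default) }
    }
}

# Collect everything and show flagged entries first.
$findings = @(Get-WinlogonFindings) + @(Get-QuietSpotFindings) + @(Get-IfeoFindings) + @(Get-StartupFolderFindings)
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it once on the affected machine and once on a clean machine of the same build; a value that appears only on the affected one, or a Winlogon Shell or Userinit value that is not the expected default, is the kind of launch point the checks in the post would not have surfaced. Anything flagged here is a lead to examine by hand, not a verdict, since software that legitimately registers a debugger or changes the shell will show up the same way.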