Need Help With FBI Ransomware on Win 7
Posted 28 April 2013 - 06:30 AM
I'm an IT professional with something of an unusual hobby. I like to purposely infect one of my machines with malware and then manually try to figure out what that malware did to my system. My most recent project is the FBI Ransomware. Simply removing it with an anti-virus product would defeat my purpose, and it's something that I could easily do. If need be, I can wipe and rebuild the machine, or simply re-image it with a known good image. So I'm not looking for that type of advice. But I do need some help in figuring out what the malware has done.
And, just as an FYI, I know that it's extremely difficult to manually clean viruses, especially the more sophisticated ones, so I only take these projects to the point where I can get back basic control of the system. At that point, I consider it a win and re-image the machine to be safe.
Current System Behavior
At start up I see the FBI ransomware screen and I am unable to get to my desktop. It seems that I can do nothing with the system. I am unable to boot into Safe Mode with Network, but I can boot into Safe Mode with Command Line support. I can launch explorer.exe with admin rights and I do have a second account that I can use to access the machine.
Once in Safe Mode with Command Line support, I typed "explorer.exe" and got into the GUI. I checked the Startup folder and found nothing launching from that location. I checked the Run and Run Once keys in the registry for both the user and system and did not find anything that is unknown to me. I ran msconfig and disabled ALL services and startup applications. I checked the scheduled tasks and nothing is running from there. I have checked the logon and logoff scripts and the startup and shutdown scripts and found nothing. I checked the .ini files that can be used when Windows boots. I have even checked the local group policies to see if something like a kiosk setup had been configured. I unplugged the network cable and I no longer see the ransomware page, but I do get a white page that I cannot get past.
I think that the white page I get is actually a big clue as to what is going on. It makes me think that at logon the computer is going out to the Internet and downloading the ransomware page. By disconnecting the network cable I have interrupted that process and hence I get the white page. Both the ransomware page and the white page behave as if I'm looking at Internet Explorer in full screen mode. This makes me think that somehow an IE session is getting launched, perhaps from something like an active desktop kind of setting, a registry entry that I've missed, a setting in IE that loads it at startup, etc.
This one has got me a bit perplexed. I cannot figure out how that page is getting loaded at logon when I've checked every location I know of from which applications can be launched, and turned off all services and startup applications. Are there any locations beyond those that I have listed above from which software can launch?
Any other ideas on how this malware is managing to load that page at logon?
Thanks for any help that you can offer!
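An added example, not part of the original post or any reply: a PowerShell 2.0 compatible script (Windows 7 ships with 2.0) that lists the autostart locations the post already walked through and adds two it does not mention, the Winlogon `Shell` and `Userinit` values, which control what process is started in place of the desktop at logon. Assumptions: it is run from an elevated prompt while logged on as the affected account (HKCU is that user's hive); the expected defaults are those of Windows 7.

```powershell
# Added example: enumerate Windows autostart locations and flag non-default
# Winlogon values. Run elevated as the affected user (e.g. Safe Mode with
# Command Prompt, then type "powershell").
$results = New-Object System.Collections.ArrayList

function Add-Finding($Location, $Name, $Value, $Note) {
    $obj = New-Object PSObject -Property @{
        Location = $Location; Name = $Name; Value = $Value; Note = $Note }
    [void]$results.Add($obj)
}

# 1. Run / RunOnce keys for the machine and the current user.
$runKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
             'Software\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($root in @('HKLM:', 'HKCU:')) {
    foreach ($sub in $runKeys) {
        $key = Join-Path $root $sub
        if (Test-Path $key) {
            foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
                if ($p.Name -notmatch '^PS') { Add-Finding $key $p.Name $p.Value 'review' }
            }
        }
    }
}

# 2. Winlogon Shell / Userinit. Anything other than the Win 7 defaults means a
#    program other than explorer.exe is being started as the user's desktop.
$wl = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{ Shell    = 'explorer.exe'
               Userinit = ('{0}\system32\userinit.exe,' -f $env:SystemRoot) }
$wlProps = Get-ItemProperty $wl
foreach ($name in $expected.Keys) {
    $val = $wlProps.$name
    $note = if ($val -ieq $expected[$name]) { 'default' } else { 'NON-DEFAULT' }
    Add-Finding $wl $name $val $note
}
# A per-user Shell override is absent by default; any value here is suspect.
$wlUser = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
if (Test-Path $wlUser) {
    $u = Get-ItemProperty $wlUser
    if ($u.Shell) { Add-Finding $wlUser 'Shell' $u.Shell 'NON-DEFAULT (per-user)' }
}

# 3. Startup folders (user and all-users), as already checked in the post.
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem $folder -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding $folder $_.Name $_.FullName 'review' }
}
$results | Format-Table Location, Name, Value, Note -AutoSize
```

Rows marked NON-DEFAULT are the ones to examine; restoring the documented default value and rebooting is the check that the logon behaviour came from that location.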
Posted 28 April 2013 - 07:43 AM
We can't undertake malware diagnostics and cleaning in this particular sub-section of the forum.
Please follow the recommendations in this pinned topic: Available Assistance For Possibly Infected Computers.
A qualified helper will guide you through the cleanup process.
Since you are an IT professional, you may wish instead to contact the corporate help desk directly.
They can be reached here: http://www.malwareby...pport/corporate
Just a home user & forum volunteer
DT1: Win7/Ult/64 SP1; Intel Core i7-3770 @3.4 GHz; 16 GB RAM; NVidia GeForce GT620; IE9; Fx; TB; Cable HSI; MBAM PRO 22.214.171.1240; KIS2014; SAS Free; CCleaner
DT2: Win7 Ult/64 SP1; Intel Core i7-860 @2.8 GHz; 8 GB RAM; ATI Radeon HD 5770; IE 9, Fx; TB; Cable HSI; MBAM PRO 126.96.36.1990; KIS2014; SAS Free; CCleaner.
LT: Win7 Pro/64 SP1; Intel Core i7-3632 cached @3.2 GHz; 16 GB RAM; NVidia GeForce GT640M; IE 10; Fx; TB; WLAN; MBAM PRO 188.8.131.520; Sophos ES 10.3; SAS Free; CCleaner.