FBI / Bundespolizei virus without Safe mode and system recovery


  1. Posts : 5
    Windows 7 Enterprise 32-bit
       #1

    FBI / Bundespolizei virus without Safe mode and system recovery


    Hi Gents,

    I had the "German" version of the virus (Bundespolizei) 2 times in the last 1 year and I managed to get rid of it. But now...

    One of my biggest problems is BitLocker - my hard drive is encrypted (but I have the codes)

    I am having the following problem now:
    1. The screen after a normal restart is as usual - no chance to do anything on the desktop. I only see very briefly the CMD prompt opening obviously to start the virus
    2. All safe modes are disabled - when I select one I give my password and then it starts and shuts down. This happens in any of the three types of Safe-modes.
    3. As I live in Germany I had a look first in the German forums. I found a solution with FRST 32-bit. Unfortunately the description is in German (I can give you the link) but I can shortly explain - the computer goes into System recovery, then a CMD prompt is selected and FRST is started. Then I give my BitLocker code again to decrypt temporarily my 2 drives and then opens a window for my user account. Here starts another problem - I have admin rights but it doesn't show my user name but Administrator only. I have no idea what password is that so I can't continue.

    Do you have any ideas if it is possible the BitLocker to be decrypted from outside of Windows so I can access the command prompt? From there on I can handle it.

    I also would like to say that, because I am working, it is possible that I give you an answer to your request in the evening.

    Thanks a lot for your support!!!

    Best Regards,
    andreicho


  2. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #2


  3. Posts : 1,261
    Windows 7 Professional X64
       #3

    Great link for any type of virus.

    I haven't had any in a long while, but I do an image backup ( Trueimage from Acronis) weekly and in the event of a problem, can simply get back to normal.

    Amazing how many people don't do a backup of OS.

    I would add to your rep, but since I did recently, it won't allow it.

    Sorry.

    Paul


  4. Posts : 2,470
    Windows 7 Home Premium
       #4

    andreicho,

    I have admin rights but it doesn't show my user name but Administrator only. I have no idea what password is that so I can't continue.
    When running FRST from System Recovery Options/Command Prompt, you go through the Advanced Boot Options menu > Select the Repair your computer menu item > Select your language settings > Select your User account, and if you did not set a password, you leave the entry blank.

    Have you tried leaving the Password entry blank, and pressing OK?

    ...if it is possible the BitLocker to be decrypted from outside of Windows
    Have not seen any info that allows you to do this, and have never used the program.


  5. Posts : 5
    Windows 7 Enterprise 32-bit
    Thread Starter
       #5

    VistaKing said:
    Thanks for the link VistaKing but it doesn't work due to 2 reasons:
    1. I obviously have a modified version which blocks any Safe mode (tried all 3 of them) - when you enter safe mode it restarts the PC
    2. I have BitLocker so if I use external Linux (like Kaspersky) it will not be able to do anything on my harddrive

    cottonball said:

    Have you tried leaving the Password entry blank, and pressing OK?
    Unfortunately I do not get to the point to start FRST because of this password that the PC expects and leaving it blank also doesn't work.


  6. Posts : 2,470
    Windows 7 Home Premium
       #6

    Also unfortunate, it appears you need to overcome BitLocker to get anywhere.

    A couple of things to try:
    BitLocker Drive Encryption - Unlock a Locked OS Drive



    Also, do you have the installation CD for Windows 7 Enterprise?


    This is a long shot, but, there is a BitLocker Repair Tool to recover a drive:

    http://technet.microsoft.com/en-us/library/ee523219%28v=ws.10%29.aspx

    Have no clue if you can get this to work in your circumstances.


  7. Posts : 5
    Windows 7 Enterprise 32-bit
    Thread Starter
       #7

    cottonball said:
    Also unfortunate, it appears you need to overcome BitLocker to get anywhere.

    A couple of things to try:
    BitLocker Drive Encryption - Unlock a Locked OS Drive

    Also, do you have the installation CD for Windows 7 Enterprise?

    This is a long shot, but, there is a BitLocker Repair Tool to recover a drive:

    http://technet.microsoft.com/en-us/library/ee523219%28v=ws.10%29.aspx

    Have no clue if you can get this to work in your circumstances.
    Thanks for the answer, cottonball!

    Actually almost everything I find is related to type in the Command prompt including the links you sent me. The problem is that I can't get to this point... If I could I found some solutions to remove the virus.

    Can anyone help please?


  8. Posts : 2,470
    Windows 7 Home Premium
       #8

    Did you try HitmanPro.Kickstart, as follows, it does not request for you to go through the Command Prompt:

    (You may want to print these instructions, so they are available to follow.)

    Load a USB flash drive with HitmanPro.Kickstart as follows...
    Note: the contents of the USB flash drive are erased during this process!

    Use a clean (non-infected) computer, and download:
    HitmanPro.Kickstart - Anti ransomware, politievirus, bundestrojaner, Reveton, BKA, GVU - SurfRight

    Under Download (on the right) select the program applicable to the infected system: 64-bit or 32-bit

    When HitmanPro opens, click the KickStart icon at the bottom of the screen.

    Plug in the USB flash drive.

    When the USB flash drive is detected, a selection screen is presented.
    Select the USB flash drive from the choices, and press: Install Kickstart
    A warning that all contents of the selected flash drive will erase is presented.
    Press: Yes

    As the HitmanPro.Kickstart files are loaded, a progress indicator is shown on the screen.
    Once the process is completed a screen is presented with the contents of HitmanPro.Kickstart

    Remove the USB flash drive from the clean computer and press: Close


    Now, with the problem computer shut down, plug the USB flash drive into a USB port, and turn on the power.

    When the computer starts, press the key that brings up the Boot Menu. (On some machines it's F12, F10, or F2)

    From there, select to boot from the USB drive. (It may say 'Removable Drive' in the options.)
    Info: How to Remove Ransomware - Select Real Security

    Once you select the USB flash drive to boot from, press: Enter

    A KickStart prompt with USB boot options appears.
    Select: 1 (Bypass the Master Boot Record (Default))

    The system continues to boot from the hard drive and starts Windows.

    If you get a message stating that Windows failed to start, etc., just select: Start Windows Normally

    When Windows boots, you either get a logon screen, or the Desktop is started.
    If you see a logon screen with your User name, logon with it.


    In the next prompt, to start the program without installing to the local hard disk, select the option to do: One-time scan to check the computer

    To start scanning for malware press: Next

    If malware is detected, the program shows what malware is present on the system using a red framed screen as shown below:


    Select Next to quarantine the malware into a secure storage where it can no longer start.


    At the next screen, activate the 30-day free license:

    After successful activation (30 days), press: Next

    A screen indicating that the malware was successfully disabled or removed is presented.
    Press: Next

    To obtain a report of the scan results, press: Save log
    Save the Notepad log!!
    It has a name such as: HitmanPro_xxxxxxxx_xxxx


    Remove the USB drive, and press: Reboot
    If no malware is found, press: Close

    After HitmanPro.Kickstart is done, you should be back into normal Windows.

    Please post the HitmanPro log in your reply.


  9. Posts : 5
    Windows 7 Enterprise 32-bit
    Thread Starter
       #9

    I got rid of it!

    You need to make a bootable USB/DVD with Windows 7 (if you have windows 7 if not - with the one you have). You enter in System repair (sorry I have it in German and I am not sure if that is the right name in English). Then it asks for the Bitlocker code. After you finish you get temporary access to the drives BUT this time it doesn't ask for an Administrator password! Actually you get access to the repair possibilities and then you can choose Command Prompt! This wasn't possible before as I described above! The next step is to use a program like FRST 32bit (or 64) and it generates a log in which you can find files marked as "<===== ATTENTION" and also a list of the files changed in the last 30 days. The last modified file was created exactly at the date I had my failure. There it was - 2433f422 (or something similar - I was anxious to delete it :) ). I found 5 instances of the file by using:
    dir 2433f422 /s /p

    After deletion the stupid screen with your picture is off and you can boot normally but I recommend using some programs in safe mode to delete the registry entries first and everything is OK.

    Remember - if you use bitlocker - keep your key safe. I sent it to my email account after the first problems I had.

    Best Regards,
    Andrey
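
The unlock-and-search step described in post #9, written out as an added example that is not part of the original thread. It is a batch script for the recovery environment's Command Prompt; `OSVOL`, `RECOVERY` and `QUAR` are placeholder assumptions, and `NAME` is the file name as the poster recalled it. It lists hidden and system files too, and quarantines matches rather than deleting them.

```batch
@echo off
rem Added example for the Windows Recovery Environment (WinRE) command prompt.
rem Assumptions: OSVOL, RECOVERY and QUAR are placeholders; NAME is the file
rem name as the poster recalled it ("or something similar").
setlocal
set "OSVOL=C:"
set "RECOVERY=RECOVERY-PASSWORD-PLACEHOLDER"
set "NAME=2433f422"
set "QUAR=%OSVOL%\quarantine"
set /a COUNT=0

rem WinRE can assign different drive letters than the installed system,
rem so confirm which letter holds the BitLocker-protected OS volume.
manage-bde -status

rem Unlock with the 48-digit recovery password unless the recovery
rem environment already unlocked the volume when it started.
if not exist "%OSVOL%\Windows" manage-bde -unlock %OSVOL% -RecoveryPassword %RECOVERY%
if not exist "%OSVOL%\Windows" (
    echo %OSVOL% is still locked or is not the OS volume.
    exit /b 1
)

rem Plain "dir name /s" skips hidden and system files; /a lists them too.
echo Matches for %NAME%:
dir /s /b /a-d "%OSVOL%\%NAME%*"

rem Move each match into a quarantine folder instead of deleting it,
rem so the sample and its original path stay available for later analysis.
if not exist "%QUAR%" mkdir "%QUAR%"
for /f "delims=" %%F in ('dir /s /b /a-d "%OSVOL%\%NAME%*" 2^>nul') do call :quarantine "%%F"
echo Quarantined %COUNT% file(s) in %QUAR%
exit /b 0

:quarantine
set /a COUNT+=1
attrib -h -s -r "%~1"
rem Redirection is placed first so a path ending in a digit is not read as a handle number.
>>"%QUAR%\original-paths.txt" echo %COUNT% %~1
move "%~1" "%QUAR%\%COUNT%_%~nx1.quarantined" >nul
goto :eof
```

The recorded original paths show where the file was dropped, which helps when looking for the registry entries that launched it.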


  10. Posts : 2,470
    Windows 7 Home Premium
       #10

    andreicho,

    Good for you!! Also, good work!!

    Would you mind sharing where you found the process to do the following:

    ...to make a bootable USB/DVD with Windows 7 (if you have windows 7 if not - with the one you have). You enter in System repair (sorry I have it in German and I am not sure if that is the right name in English). Then it asks for the Bitlocker code...
    Even if it is in German (or any other language), it can be translated and be of help to others who may also have BitLocker and face the same issue.

    Also, to make sure the malware is all gone, would you mind running the following:

    Download RogueKiller:
    http://tigzy.geekstogo.com/roguekiller.php
    Select the version that applies to the infected system.
    Save to the Desktop.

    After closing all windows and browsers, right-click the downloaded RogueKiller file and select: Run as Administrator
    At the program console, wait for the Prescan to finish. (Under Status, it says: Prescan finished.)
    Press: SCAN

    When done, a report opens on the drive: RKreport.txt

    Please provide the RKreport.txt (Mode: Scan) in your reply.

    Thanks! :)