Solved FBI Locked computer scam virus

[revmike]

My daughter's hp dv5 laptop, running vista, has been infected by this ramsomware. I logged on in safe mode w/networking and dowloaded malwarebytes and it located 14 issues and upon restart the lockscreen was still there. I tried norton which was already on the computer and it found 9 minor issues and it's still there. I posted on the vista forum and it was recommended going to a restore point before the infection, which I'm going to try as soon as malwarebytes finishes another scan. Anyone here any successful experience with this virus?
Thanks

Malwarebytes found nothing, doing restore.

 

[boohbah]

try hitman kickstart...

HitmanPro.Kickstart - Anti ransomware, politievirus, bundestrojaner, Reveton, BKA, GVU - SurfRight

 

[revmike]

Restore worked

 

[boohbah]

ok good, bookmark kickstart for next time. kids huh!

 

[revmike]

Thanks will do. I don't know what she's going to when she's in college in a few months 5 hours away.

 

[Layback Bear]

If all you did is use a restore point to solve your problem the infection is probably still in your computer.

 

[Petey7]

What layback is saying is, go ahead and do the scans anyways to be safe. I know its what I would do in your situation, especially since it is your daughter's computer.

 

[Layback Bear]

Petey7 you are correct. I should of been more to the point.
Thanks.

 

[cottonball]

revmike,

What Bear is saying is correct. A Restore Point may still contain the infection.

On Post #2 boohbah suggested the use of HitmanPro.KickStart
That is a good choice since the program targets this particular ransomware. It removes the infection and allows you to access your computer to scan it for malware.

You need to know if the infected computer is running a 32-bit or 64-bit ststem. See Note at the bottom of these instructions.

Download HitmanPro.Kickstart:
HitmanPro.Kickstart - Anti ransomware, politievirus, bundestrojaner, Reveton, BKA, GVU - SurfRight

Next, you need to load a USB flash drive with HitmanPro Kickstart as follows...

Use a clean (non-infected) computer, and download HitmanPro from the link above.

When HitmanPro opens, click the Kick icon at the bottom of the screen.

Plug the USB flash drive into the clean computer and follow the instructions from the first video on the website.

Next, plug in the USB drive just created into the infected machine. The machine needs to be in a shutdown state at this point.

>> Start the infected computer.

When the computer is starting, press the key (on some machines its F10 or F2) that brings up the Boot Menu. From there, select to boot from the USB drive.
Info: How to Remove Ransomware - Select Real Security
Save the changes, and press on.

Next, perform a system scan with HitmanPro Kickstart as seen in the second video.

After HitmanPro Kickstart is done, boot into Windows.


~~~~
To remove the malicious files of the ransomware...

Download RogueKiller:
Tlcharger RogueKiller (Site Officiel)

When you get to the website, go to where it says:
(Download link) Lien de téléchargement:

Select the version that applies to your system. (See Note)
Click the dark-blue button to download.
Save to the Desktop.

Close all windows and browsers.
Right-click and select: Run as Administrator

At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)
press: SCAN

When done, a report opens on the Desktop: RKreport.txt
Please provide the RKreport.txt (Mode: Scan) in your reply.


Note:
To find out if the system is 32 or 64 bit:
Click: Start
Type System in the Start Search box
Click System in the Programs list.

The operating system is displayed as follows:
For a 64-bit version operating system, under System > System type, it shows:
64-bit Operating System

For a 32-bit version operating system, under System > System type, it shows:
32-bit Operating System

 

[boohbah]

Thanks will do. I don't know what she's going to when she's in college in a few months 5 hours away.

sounds like you are counting the days and minutes until she goes . i fully emphathise i have a 19 yr old daughter who goes to university in 7 months, five days and three hours.

 

[revmike]

Thanks Cottonball and everyone else for the help. I'm going to do as suggested. As for counting the days in away I am, she's my youngest (18) and is ready to leave the nest, whereas son at 25 still lives at home.

 

[M1GU31]

I noticed the thread was solved but another way to remove this is using windows defender offline and scanning and removing from a usb stick. I removed this ransom ware off my aunts pc using this method. Hitman pro didn't help in this situation for me.

Has a download link for 32 and 64bit and talks to you about the program and how to use it
http://blogs.technet.com/b/security...-security-tools-windows-defender-offline.aspx

 

[revmike]

Cottonball,
For some reason the computer would not boot from the flash drive, so i just installed hitmanPro and ran the scan. It found and removed the ransomware. I then used roquekiller and it produced the following report.

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : sydni [Admin rights]
Mode : Scan -- Date : 02/25/2013 10:43:37
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : Microsoft Games (rundll32.exe "C:\Users\sydni\AppData\Local\Microsoft Help\Microsoft Games\afqxk.dll",DllRegisterServer) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : Adobe (rundll32.exe "C:\Users\sydni\AppData\Local\AOL\Adobe\ymkqqtz.dll",CreateInstance) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : AOL (rundll32.exe "C:\Users\sydni\AppData\Local\assembly\AOL\nyshiwys.dll",winampGetInModule2W) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : WeatherBug (rundll32.exe "C:\Users\sydni\AppData\Local\Yahoo\WeatherBug\jloebxo.dll",svn_lock_createW) [x] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x824E1591 -> HOOKED (Unknown @ 0x89475068)
SSDT[14] : NtAlertThread @ 0x8245A1F5 -> HOOKED (Unknown @ 0x895D9118)
SSDT[18] : NtAllocateVirtualMemory @ 0x8249647D -> HOOKED (Unknown @ 0x897117D8)
SSDT[21] : NtAlpcConnectPort @ 0x82438824 -> HOOKED (Unknown @ 0x88B1F7B0)
SSDT[42] : NtAssignProcessToJobObject @ 0x8240BB08 -> HOOKED (Unknown @ 0x8956F110)
SSDT[67] : NtCreateMutant @ 0x8246E7A2 -> HOOKED (Unknown @ 0x897125B8)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x8240E31F -> HOOKED (Unknown @ 0x89714998)
SSDT[78] : NtCreateThread @ 0x824DFBA4 -> HOOKED (Unknown @ 0x89711C68)
SSDT[116] : NtDebugActiveProcess @ 0x824B2CA0 -> HOOKED (Unknown @ 0x89656120)
SSDT[129] : NtDuplicateObject @ 0x824464E1 -> HOOKED (Unknown @ 0x89711970)
SSDT[147] : NtFreeVirtualMemory @ 0x822D2F1D -> HOOKED (Unknown @ 0x89712F00)
SSDT[156] : NtImpersonateAnonymousToken @ 0x82408F15 -> HOOKED (Unknown @ 0x895C1388)
SSDT[158] : NtImpersonateThread @ 0x8241E50F -> HOOKED (Unknown @ 0x8947C2F0)
SSDT[165] : NtLoadDriver @ 0x823B9DEE -> HOOKED (Unknown @ 0x88B1F738)
SSDT[177] : NtMapViewOfSection @ 0x8245E83A -> HOOKED (Unknown @ 0x89712DE0)
SSDT[184] : NtOpenEvent @ 0x82447D5F -> HOOKED (Unknown @ 0x89366108)
SSDT[194] : NtOpenProcess @ 0x8246EF3E -> HOOKED (Unknown @ 0x89711B10)
SSDT[195] : NtOpenProcessToken @ 0x8244F9C0 -> HOOKED (Unknown @ 0x89562DA8)
SSDT[197] : NtOpenSection @ 0x8245F60D -> HOOKED (Unknown @ 0x895A4120)
SSDT[201] : NtOpenThread @ 0x8246A48F -> HOOKED (Unknown @ 0x89711A40)
SSDT[210] : NtProtectVirtualMemory @ 0x82468272 -> HOOKED (Unknown @ 0x89714B88)
SSDT[282] : NtResumeThread @ 0x82469ADA -> HOOKED (Unknown @ 0x8947E068)
SSDT[289] : NtSetContextThread @ 0x824E103F -> HOOKED (Unknown @ 0x89355118)
SSDT[305] : NtSetInformationProcess @ 0x82462868 -> HOOKED (Unknown @ 0x89712C08)
SSDT[317] : NtSetSystemInformation @ 0x82434E9B -> HOOKED (Unknown @ 0x895B6120)
SSDT[330] : NtSuspendProcess @ 0x824E14CB -> HOOKED (Unknown @ 0x895A2118)
SSDT[331] : NtSuspendThread @ 0x823E8921 -> HOOKED (Unknown @ 0x8947B110)
SSDT[334] : NtTerminateProcess @ 0x8243F0D3 -> HOOKED (Unknown @ 0x88D56DA8)
SSDT[335] : NtTerminateThread @ 0x8246A4C4 -> HOOKED (Unknown @ 0x8936A110)
SSDT[348] : NtUnmapViewOfSection @ 0x8245EAFD -> HOOKED (Unknown @ 0x89561DA8)
SSDT[358] : NtWriteVirtualMemory @ 0x8245B8CD -> HOOKED (Unknown @ 0x89711680)
SSDT[382] : NtCreateThreadEx @ 0x82469F79 -> HOOKED (Unknown @ 0x89714A68)
S_SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8999EE78)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8999EC28)
S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8999EB68)
S_SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8999ECE8)
S_SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8999EDA8)
S_SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x8999E8F8)
S_SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x8999EA98)
S_SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8999E9C8)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8999EF38)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x87C483E0)
_INLINE_ : NtAllocateVirtualMemory -> HOOKED (\??\C:\Windows\system32\drivers\hitmanpro37.sys @ 0xB0542566)
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST9250827AS +++++
--- User ---
[MBR] b53a47771bf5e1c78ce5a2a891eab856
[BSP] 7aa6a89907a87e66c4d8b33fd195b1e7 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 228263 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 467484672 | Size: 10208 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: Kingston DT 101 G2 USB Device +++++
--- User ---
[MBR] 6f24357292dfcf2f4126c3dad1ca9445
[BSP] b0aa0a426751b111cace3c8865469653 : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7436 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1]_S_02252013_02d1043.txt >>
RKreport[1]_S_02252013_02d1043.txt

Thanks again everyone

 

[cottonball]

As long as the ransomeware is gone, we're good.

Please run RogueKiller again.

Click the Registry tab.
Make sure the entries there are checked.

Then, press the [Delete] button.

Please post the new RKreport (Mode: Delete) in your reply.
(The RKreport also opens using the Report button on the console.)