
{SOLVED} Windows 7 Recovery (32 vs. 64 bit)

Recommended Posts

Purhonen

I have a Windows 7 (64 bit) Dell Inspiron One infected with the "FBI lock screen virus (REloadit Pack Scam)"

I'm unable to boot into Safe Mode. When I hold F12 on boot up I get the following boot options:

- Hard Disk

- DVD/CD drive

- Diagnostics

- BIOS Setup

None of those help me. (The "Diagnostics" option results in the Dell "ePSA Pre-boot System Assessment" which simply checks all the hardware (cables, OS Boot Path, drives, video card, CPU fan, processor and memory) with no outlet to a Command Prompt or anything . . . so useless.)

 

So the problem via this method is getting to the desktop, which I cannot do.

 

I ran Windows Defender Offline on the infected machine. It found 7 problems but not the ones related to the FBI ransomware because upon reboot the same situation existed.

 

My safe machine is my Windows 7 (32 bit) laptop.

 

Next I found HitMan Pro Malware Removal tool which specifically mentions the FBI ransomware. My problem now is how do I make a USB stick for the 64 bit infected machine from my 32 bit safe machine? (This is my actual question)

 

Any other ideas on how to get this bugger out?

 

Thanks, Steve

ross549

I just cleaned this off a machine!!!!

 

Right after the BIOS flashes by, start hitting F8 like a madman. You should get a Windows startup menu.

 

Choose safe mode with command prompt.

 

You will get a desktop with only a command window. Run control.exe and it will launch the control panel.

 

Go to user accounts and create an administrator account. Reboot the machine and log in to that account.

 

Microsoft Security Essentials cleaned it off for me, but I also ran Malwarebytes Anti-Malware too.

 

Let me know if you run into any problems!

 

Adam

LilBambi

If you have trouble with that, here's BleepingComputer's Removal instructions for it:

 

Remove the FBI MoneyPak Ransomware or the Reveton Trojan

 

They recommend HitManPro run from a USB drive

 

But Adam was able to get it done with the instructions above.

 

Here's some associated traces for this piece of crap:

 

 

Associated FBI MoneyPak Ransomware Files:

%Temp%\.exe

%StartupFolder%\ctfmon.lnk

File Location Notes:

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\\AppData\Local\Temp in Windows Vista, Windows 7, and Windows 8.

%StartupFolder% refers to the Startup folder in the Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\programs\Startup, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\\Start Menu\Programs\Startup, and for Windows Vista, Windows 7, and Windows 8 it is C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

 

It's good to have a bit of a handle on what you are up against. ;)

Purhonen

LilBambi & Ross549 thanks for your thoughts.

 

I mentioned in my post that:

1) I can NOT boot into Safe Mode no matter how much I abuse the F8 key (I get the other [non-standard?] boot options I outlined in my post)

2) I can NOT make a HitMan Pro USB key because my safe machine is 32 bit and the infected machine is 64 bit.

 

So I'm thinking my only option is to find a safe 64 bit machine to make the HitMan Pro USB.

 

Any more ideas?

 

Steve

ross549

1) I can NOT boot into Safe Mode no matter how much I abuse the F8 key (I get the other [non-standard?] boot options I outlined in my post)

 

Steve,

 

This is really odd. There is usually about a one half to one second timeframe right before the windows logo comes up that you should be able to invoke the menu.

 

http://windows.microsoft.com/en-us/windows-vista/advanced-startup-options-including-safe-mode

 

Assuming you are successful at bringing up the menu, there should be a variety of options.

 

Good luck with HitMan Pro.... :)

 

Adam

LilBambi

Yeah, it is not unknown though Adam. Sadly there are pieces of crap/malware that can do that too.

 

There may be more than what meets the eye going on.

lewmur

LilBambi & Ross549 thanks for your thoughts.

 

I mentioned in my post that:

1) I can NOT boot into Safe Mode no matter how much I abuse the F8 key (I get the other [non-standard?] boot options I outlined in my post)

2) I can NOT make a HitMan Pro USB key because my safe machine is 32 bit and the infected machine is 64 bit.

 

So I'm thinking my only option is to find a safe 64 bit machine to make the HitMan Pro USB.

 

Any more ideas?

 

Steve

Use your safe machine to download and burn a Kaspersky Rescue CD. It will boot on either a 32 or 64 bit machine. Boot the CD but don't bother running the full scan. Open the terminal and run "windowsunlocker". Find it here.

Edited by lewmur

kkehoe

Re Safe Mode, can we clarify:

 

1. are you not getting to the Advanced Startup Options menu where you can choose Safe Mode, or

2. the machine just fails to boot up when you choose Safe Mode?

 

If #1 then look for an "F-lock" (or similarly identified) key on the keyboard and hit that as soon as you power up. If your machine is powering up with function keys off then your finger will wear out before F8 will work.

 

Kevin

Edited by kkehoe
lewmur

Re Safe Mode, can we clarify:

 

1. are you not getting to the Advanced Startup Options menu where you can choose Safe Mode, or

2. the machine just fails to boot up when you choose Safe Mode?

 

If #1 then look for an "F-lock" (or similarly identified) key on the keyboard and hit that as soon as you power up. If your machine is powering up with function keys off then your finger will wear out before F8 will work.

 

Kevin

Safe mode isn't going to help anyway with the FBI rogue.

Purhonen

Kevin,

 

To clarify the Safe Mode issue. The very first screen which appears (Dell logo) gives me two Function key options in the lower right-hand corner:

- F2 for BIOS configuring

- F12 for Boot Options

 

If I select F12 I do NOT get the expected Windows Advanced Options Menu (Safe Mode, Safe Mode with networking, Safe Mode with Command Prompt, etc.). Instead I get the following options (which I've never seen before; perhaps they are Dell's own boot options?)

- Hard Disk

- DVD/CD drive

- Diagnostics

- BIOS Setup

None of those help me. (The "Diagnostics" option results in the Dell "ePSA Pre-boot System Assessment" which simply checks all the hardware (cables, OS Boot Path, drives, video card, CPU fan, processor and memory) with no outlet to a Command Prompt or anything . . . so useless.)

 

I hope that clears it up.

 

Steve

lewmur

Kevin,

 

To clarify the Safe Mode issue. The very first screen which appears (Dell logo) gives me two Function key options in the lower right-hand corner:

- F2 for BIOS configuring

- F12 for Boot Options

 

If I select F12 I do NOT get the expected Windows Advanced Options Menu (Safe Mode, Safe Mode with networking, Safe Mode with Command Prompt, etc.). Instead I get the following options (which I've never seen before; perhaps they are Dell's own boot options?)

- Hard Disk

- DVD/CD drive

- Diagnostics

- BIOS Setup

None of those help me. (The "Diagnostics" option results in the Dell "ePSA Pre-boot System Assessment" which simply checks all the hardware (cables, OS Boot Path, drives, video card, CPU fan, processor and memory) with no outlet to a Command Prompt or anything . . . so useless.)

 

I hope that clears it up.

 

Steve

As I stated above, Safe Mode isn't going to help you anyway, but to get to it, instead of the F2 or F12 keys, start tapping the F8 key to get to the Windows boot options and NOT the computer options. There is a very brief time when Windows starts loading that it looks for the F8 key press. It is NOT an option of the computer but of the OS itself. So it doesn't appear as an option on the computer's POST screen. And you must keep tapping the key, not press and hold it.

edit: Another way to get to the Safe Mode menu is by powering off the computer without letting it go through the "shutdown" procedure. IOW, boot the computer and when it gets to the FBI screen, press and hold the on/off button till the computer shuts off. When you power it back on, it should display the Windows Recovery Menu.

Edited by lewmur

LilBambi

Ah, that is a bit of clarification there.

 

Are there specific models of hard drives or DVD drives to the right of the Hard Disk and DVD/CD drive items?

 

You gave those earlier though. But reiterating it, made me think of that.

Purhonen

Lewmur, thanks for the Kaspersky recommendation. However, neither the USB nor the DVD option worked.

 

- USB: booted up and immediately got a "missing operating system" message with a flashing cursor. Dead end.

- DVD: booted up and got a Windows 8 installation screen!! So I checked the DVD on my clean machine and sure enough only the "kav_rescue_10.iso" was on it. So I formatted the DVD to begin again. After formatting it I checked the Properties and lo and behold it shows no files but about 70% of the disc used space! I'm thinking that was a disc I put the Windows 8 preview installation on over a year ago to try it out - that's all I can think of. How do I get rid of whatever that "used" space is? Is the "kav_rescue_10.iso" file on a DVD the only thing I need to boot up the Kaspersky WindowsUnlock? I'm pretty sketchy on how .iso files are supposed to work.

 

I'm now trying an Ubuntu DVD just to see if I can get at the hard drive. If I'm successful how can I get rid of the ransomware through Ubuntu?

 

Thanks, Steve

lewmur

Lewmur, thanks for the Kaspersky recommendation. However, neither the USB nor the DVD option worked.

 

- USB: booted up and immediately got a "missing operating system" message with a flashing cursor. Dead end.

- DVD: booted up and got a Windows 8 installation screen!! So I checked the DVD on my clean machine and sure enough only the "kav_rescue_10.iso" was on it. So I formatted the DVD to begin again. After formatting it I checked the Properties and lo and behold it shows no files but about 70% of the disc used space! I'm thinking that was a disc I put the Windows 8 preview installation on over a year ago to try it out - that's all I can think of. How do I get rid of whatever that "used" space is? Is the "kav_rescue_10.iso" file on a DVD the only thing I need to boot up the Kaspersky WindowsUnlock? I'm pretty sketchy on how .iso files are supposed to work.

 

I'm now trying an Ubuntu DVD just to see if I can get at the hard drive. If I'm successful how can I get rid of the ransomware through Ubuntu?

 

Thanks, Steve

If the DVD is burned properly, you can't read it on a Windows box. It uses the Linux OS. With the DVD inserted, press the F12 key at the POST screen and choose to boot from the DVD drive. Watch the screen carefully. A green and white screen should appear and give you a few seconds to "Press Enter". If you don't "Press Enter", it will revert to booting the HDD. If that green and white screen doesn't appear, then the DVD wasn't burned properly.

 

You can't just copy the .iso file to the DVD. You have to use an iso burning app, like this one, to burn it.

 

You can't get rid of it using Ubuntu. You have to have a malware removal DVD and the Kaspersky I know to work.

Edited by lewmur

ross549

Safe mode isn't going to help anyway with the FBI rogue.

 

Regular safe mode will not work. Safe mode with command prompt will. I just did this on a machine last week, and I know the procedure I posted near the top will work.

 

Adam

LilBambi

Actually you can get rid of it via anything that can write to the HD while not being the Windows operating system on the hard drive.

 

If you look at the Bleeping Computer link I posted earlier, read the whole page, it will give you where this thing hides in Application Data/App Data, and where to find the traces. It's below the Hitman Pro instructions.

lewmur

Actually you can get rid of it via anything that can write to the HD while not being the Windows operating system on the hard drive.

 

If you look at the Bleeping Computer link I posted earlier, read the whole page, it will give you where this thing hides in Application Data/App Data, and where to find the traces. It's below the Hitman Pro instructions.

You are right in that it CAN be done that way, but with the Kas Rescue CD all a person unfamiliar with the Windows CMD prompt or Linux has to do is type "windowsunlocker" and it's done. And having the rescue CD is great anyway. Its malware scan and removal is about as good as any on the market.

LilBambi

Let me ask this question again:

 

There were no detailed hard drive or DVD/CD listings to the right of each of the following you posted earlier?

 

- Hard Disk

- DVD/CD drive

- Diagnostics

- BIOS Setup

 

When you use F12 to get the boot menu?

 

Usually there is a listing of the type of hard drive, for example, ST31000524AS (which would be a Seagate 1TB drive), or under the DVD/CD drive one for example, TSSTcorp DVD+-RW SN-208BB which is a common DVD +/- RW drive in use by OEMs.

 

If it doesn't show anything after them, it could mean that the BIOS isn't seeing your hard drive or DVD drive.

Edited by LilBambi

burninbush

If the DVD is burned properly, you can't read it on a Windows box. It uses the Linux OS. With the DVD inserted, press the F12 key at the POST screen and choose to boot from the DVD drive. Watch the screen carefully. A green and white screen should appear and give you a few seconds to "Press Enter". If you don't "Press Enter", it will revert to booting the HDD. If that green and white screen doesn't appear, then the DVD wasn't burned properly.

 

You can't just copy the .iso file to the DVD. You have to use an iso burning app, like this one, to burn it.

 

You can't get rid of it using Ubuntu. You have to have a malware removal DVD and the Kaspersky I know to work.

 

 

@ Purhonen ... And to add a slight bit more clarity, you can download and burn a 64-bit iso on a 32-bit machine, and then it will boot on a 64-bit machine. Burner apps know nothing about what's inside an iso file. It's an image that will just be copied bit-for-bit onto the optical media. But in any case, it must be burned as an image, not a data file.

 

So, you already know your machine will boot from cd / dvd after hitting the F12 key -- just arrow down to dvd and hit return. This will completely ignore whatever is on your hard disk and will boot from the optical media.

 

Good luck with your problem. I recommend Puppy and PMagic rescue disks -- everybody needs an alternate way to boot on occasion. I'd splurge and burn either to new / fresh media. Both those will have Firefox browser so you can go onto the web for fixit files you might need, even if your hard drive is totally busted. And, as another poster noted, you can read /write /delete / copy files from your windows partition with them, assuming you know what files you need.

goretsky

Hello,

 

At the risk of asking a somewhat naïve question, have you considered just contacting your anti-malware vendor and asking them for help in removing the malware? I know that the criminals behind this stuff update it constantly to avoid detection and hinder removal, but the anti-malware techs who work with it day in and day out are familiar with its tricks, too, and should be able to guide you step-by-step through removing it from the system.

 

Regards,

 

Aryeh Goretsky

LilBambi

Also, it would appear that your computer isn't providing an option to boot from USB in the Boot Menu, although not all BIOS give that type of listing. Here's what I am talking about:

 

[image: bootmenu.jpg]

 

If the computer is capable of booting to USB, you will have to enable it in the BIOS if you want to use Hitman Pro.

 

Creating a DVD/CD might be better since it at least lists that option.

Purhonen

LilBambi, re the boot menu: YES, when F12 is used it does list both the hard drive and CD/DVD drives (in addition to BIOS Setup & Diagnostics). I'm not at the infected machine at this moment so I can't give you the specific detailed listing for each drive. But as you say, if they are listed then the system can see them. As a matter of fact, one of the first things I did was to reconfigure the BIOS so that USB was first and DVD/CD was second on boot priority.

 

Burninbush: Thanks for the input. The Puppy rescue disk looks like a winner - I'll keep it in mind if I keep having trouble getting the HitMan Pro and Kaspersky WindowsUnlocker to work (my problem, not the programs').

 

Goretsky: Thanks for the recommendation. Just one problem: the infected machine is a friend's who has practically zero technical understanding of PCs. I have no idea if there are even any anti-malware programs on it, let alone if they are up to date and active. And, like I've said previously, I have yet to be able to see the desktop for longer than a couple of seconds before the screen whites out as the ransomware takes over.

 

LilBambi: Yes, the infected PC CAN boot from a USB drive. I tried using Kaspersky rescue disk on a USB drive but all I got was an "Operating System Missing" message with a flashing cursor tailing the message - a dead end for I don't know what reason.

 

Right now my problem is understanding the .ISO burning process. I've tried making a Kaspersky rescue disk to use on a DVD/CD but can't get it to work. Should I be able to do it using Windows 7's native disc burning? Any free burning programs you people can recommend that will do the job if the native Windows one is a no go? Probably most importantly, what should I see on the burned disc to know it was successful? I'm kind of flying blind here. If I see the Kaspersky Rescue .ISO file on the DVD/CD, should that work when I use it in the infected machine?

 

I REALLY appreciate all your help. We will get this done . . . won't we?

 

Steve

lewmur

LilBambi, re the boot menu: YES, when F12 is used it does list both the hard drive and CD/DVD drives (in addition to BIOS Setup & Diagnostics). I'm not at the infected machine at this moment so I can't give you the specific detailed listing for each drive. But as you say, if they are listed then the system can see them. As a matter of fact, one of the first things I did was to reconfigure the BIOS so that USB was first and DVD/CD was second on boot priority.

 

Burninbush: Thanks for the input. The Puppy rescue disk looks like a winner - I'll keep it in mind if I keep having trouble getting the HitMan Pro and Kaspersky WindowsUnlocker to work (my problem, not the programs').

 

Goretsky: Thanks for the recommendation. Just one problem: the infected machine is a friend's who has practically zero technical understanding of PCs. I have no idea if there are even any anti-malware programs on it, let alone if they are up to date and active. And, like I've said previously, I have yet to be able to see the desktop for longer than a couple of seconds before the screen whites out as the ransomware takes over.

 

LilBambi: Yes, the infected PC CAN boot from a USB drive. I tried using Kaspersky rescue disk on a USB drive but all I got was an "Operating System Missing" message with a flashing cursor tailing the message - a dead end for I don't know what reason.

 

Right now my problem is understanding the .ISO burning process. I've tried making a Kaspersky rescue disk to use on a DVD/CD but can't get it to work. Should I be able to do it using Windows 7's native disc burning? Any free burning programs you people can recommend that will do the job if the native Windows one is a no go? Probably most importantly, what should I see on the burned disc to know it was successful? I'm kind of flying blind here. If I see the Kaspersky Rescue .ISO file on the DVD/CD, should that work when I use it in the infected machine?

 

I REALLY appreciate all your help. We will get this done . . . won't we?

 

Steve

Yes, you can use Win7's native burning tool. Click on the "Folder" icon in the task bar to open Windows Explorer. Find and highlight the .iso file. There should now be a "Burn" option in the toolbar.

 

Because the CD created is a Linux LiveCD, you won't be able to read it on your Windows box. The only way to check it is to let it boot.

burninbush

Also, it would appear that your computer isn't providing an option to boot from USB in the Boot Menu, although not all BIOS give that type of listing. Here's what I am talking about:

 

[image: bootmenu.jpg]

 

If the computer is capable of booting to USB, you will have to enable it in the BIOS if you want to use Hitman Pro.

 

Creating a DVD/CD might be better since it at least lists that option.

 

 

To put a slightly finer point on it, bios will generally not offer the choice to boot from USB on the F12 screen -- unless there is a bootable USB device plugged in.

zlim
bios will generally not offer the choice to boot from USB on the F12 screen -- unless there is a bootable USB device plugged in.

Well that is interesting. I was not aware of that.

Purhonen

Update. Just spent two hours with my tech savvy cousin.

No luck, but some new, and I hope pertinent, info:

1) I CAN successfully boot from the DVD drive in the infected machine to Ubuntu, BUT I can NOT boot with the Kaspersky Rescue DVD (with the WindowsUnlocker feature). What's up with that?

2) I am now able to successfully boot to the Safe Mode options (apparently the pressing of the F8 key is an art; my cousin set me straight). If I select the Command Line option it still goes to the Windows sign-on screen (the GUI one).

3) In Ubuntu I can view the folders on the C: drive but do nothing with them (as in look for and delete the traces of the ransomware). I think it's because I'm operating from a shell.

I'm running out of do-it-yourself options, people, and I'm majorly frustrated.

 

Steve

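As an added example (not code from the thread, nor from HitMan Pro, Kaspersky or BleepingComputer), the script below turns the trace list LilBambi posted (%StartupFolder%\ctfmon.lnk and a dropped .exe in %Temp%) into an audit that can be run from a Linux live DVD against the mounted Windows volume, which is the situation Steve describes in point 3. It assumes the volume is mounted read-write with ntfs-3g under a path such as /media/ubuntu/OS (an assumed path), reports findings instead of deleting anything, and moves a chosen file into a quarantine folder on the same volume so it can be restored if it turns out to be legitimate.

```shell
#!/bin/sh
# Audit a Windows 7 volume mounted under Linux for the Reveton / FBI MoneyPak
# persistence traces quoted in this thread, then quarantine (not delete) a file.
# The Windows folder layout below is the Windows 7 default from the thread.

# Print one line per finding: "STARTUP <path>" for every file in each user's
# Start Menu Startup folder (desktop.ini, which Windows always keeps there, is
# skipped) and "TEMPEXE <path>" for every .exe directly in each user's Temp.
audit_win_traces() {
    root=$1
    for u in "$root"/Users/*; do
        [ -d "$u" ] || continue
        startup="$u/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
        temp="$u/AppData/Local/Temp"
        for f in "$startup"/*; do
            [ -f "$f" ] || continue
            case "$(basename "$f")" in
                [Dd]esktop.ini) continue ;;
            esac
            printf 'STARTUP %s\n' "$f"
        done
        for f in "$temp"/*; do
            [ -f "$f" ] || continue
            case "$f" in
                *.[Ee][Xx][Ee]) printf 'TEMPEXE %s\n' "$f" ;;
            esac
        done
    done
}

# Move one flagged file into <root>/quarantine, refusing to overwrite an entry
# already there. Returns non-zero if the file is missing or the volume is
# mounted read-only (the usual reason a live-DVD session cannot change files).
quarantine_file() {
    root=$1
    file=$2
    qdir="$root/quarantine"
    name=$(basename "$file")
    [ -f "$file" ] || return 1
    mkdir -p "$qdir" || return 1
    [ ! -e "$qdir/$name" ] || return 1
    mv -- "$file" "$qdir/$name"
}

# Build a constructed directory tree mimicking the Windows 7 layout so the audit
# can be exercised offline. The .lnk and .exe are empty stand-ins, not samples.
# Prints the root of the constructed tree.
make_sample_tree() {
    sroot=$(mktemp -d) || return 1
    sstartup="$sroot/Users/steve/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    stemp="$sroot/Users/steve/AppData/Local/Temp"
    mkdir -p "$sstartup" "$stemp" "$sroot/Users/Public" || return 1
    : > "$sstartup/desktop.ini"   # legitimate, must not be reported
    : > "$sstartup/ctfmon.lnk"    # constructed stand-in for the ransomware shortcut
    : > "$stemp/abc123.exe"       # constructed stand-in for the dropped executable
    : > "$stemp/notes.txt"        # not an executable, must not be reported
    printf '%s\n' "$sroot"
}

# Stand-alone demo: ./audit.sh --demo  (or point audit_win_traces at a real mount)
if [ "$#" -gt 0 ] && [ "$1" = "--demo" ]; then
    demo_root=$(make_sample_tree)
    audit_win_traces "$demo_root"
    quarantine_file "$demo_root" \
        "$demo_root/Users/steve/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/ctfmon.lnk" \
        && echo "quarantined ctfmon.lnk -> $demo_root/quarantine"
    rm -rf "$demo_root"
fi
```

On a real volume, run audit_win_traces against the mount point first and inspect each STARTUP line; a shortcut in Startup whose target lives under a Temp folder is the pattern the BleepingComputer write-up describes.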
LilBambi

Windows sign in/welcome screen is pretty much the same regardless. If you ask for Commandline only, it will take you to commandline only.

 

After you get into command line, follow Adam's instructions earlier to create a new account in control panel. He listed how to do that earlier.

lewmur

Update. Just spent two hours with my tech savvy cousin.

No luck, but some new, and I hope pertinent, info:

1) I CAN successfully boot from the DVD drive in the infected machine to Ubuntu, BUT I can NOT boot with the Kaspersky Rescue DVD (with the WindowsUnlocker feature). What's up with that?

2) I am now able to successfully boot to the Safe Mode options (apparently the pressing of the F8 key is an art; my cousin set me straight). If I select the Command Line option it still goes to the Windows sign-on screen (the GUI one).

3) In Ubuntu I can view the folders on the C: drive but do nothing with them (as in look for and delete the traces of the ransomware). I think it's because I'm operating from a shell.

I'm running out of do-it-yourself options, people, and I'm majorly frustrated.

 

Steve

What happens with the Rescue CD? Do you get the first green and white screen? Have you tried booting it in another computer?

Temmu

I've used the Kaspersky rescue disk on several score different machines, old, new, laptop, PC...

but some of the oldest do not like it and won't boot from it.

One thing to try: download the Kaspersky rescue disk again - they ~do~ update it from time to time, & sometimes changes are significant. (Like when they went from "a" to accept, to "1" to accept, it made it a lot easier to continue on some finicky machines.)

And it could be that the iso to CD burn on your copy may have been funky.

Purhonen

Sorry for not updating sooner. THE PROBLEM HAS BEEN RECTIFIED! The "Russian Ransomware" is gone.

 

The problem was that I did not pay close enough attention to how one uses HitMan Pro. As is often the case, the difficulty was between the ears of the operator (me).

 

I can't thank all of you enough for your eager assistance and patience. I learned a lot. Truth be told, that's what I love about such challenging episodes as this . . . I learn.

 

I hope to be able to help you in the future.

 

Regards, Steve

