UGH. Me Too - FBI Ransomware Virus

CRAP!  I picked up the FBI Ransomware virus today.  I cant get past the ransomware screen wether I'm connected to the internet or not. I have an MSI laptop running Windows 7 Home Premium.  Oddly enough I dont find any pre-set way to boot in safe mode. 

The ransomware screen comes up immediately and I cant get past it.  Can anyone help?????

Correction - I am able to boot in safe mode (guess I wasnt holding F8 long enough) and I can boot without the virus page coming up. 

ANY other user other than the thread starter is not to use any instructions, scripts or proceedures,  The work though in cleaning a system is individual and only for that system due to a number of factors.

 

Unfortunately, with the amount of threads means the waiting time is longer, Norton continually Blocking files won't hurt your system but is is just annoying, Please wait and be patient.   I am  trying to keep up, spending hours here to script and clean machines on a first come/first served basis. If you or someone adds to your thread It will be pushed back in line due to the new update.  I use the boards in reverse to what is seen

 

Please do not run any tools unless instructed to do so. 

  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Do as the instructions ask nothing extra or run things twice
  • If I ask a Question just answer it, don't run anything unless it states.
  • Major steps used:

1. Find

2. Break

3. Destroy

4. Cleanup  (including system as a whole)

 

Please read every post completely before doing anything. 

  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

 

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forum, (sometimes :smileylol:)

  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

 

 

I see we have a complete malware novice here, hope the user checked the rest of the system, of every little object


Safe Mode with Networking

 

Download OTL http://www.bleepingcomputer.com/download/otl/    To your Desktop

 

Start OTL,   (Right click "Run As Administrator" for Win 7 and Vista)

Click the Scan All Users checkbox.

Change file age to 60 days

 

Press the 

 

 

An OTL.txt  and extras.txt will be created. To attach back in a post

 

Quads

Thanks Quads.  Files attached.

Start OTL,   under   Copy and paste the custom script attached which you open in for instance Notepad,(include the : at the start of :OTL and all the way to the end / bottom)  and run the script. (Red Run Fix Button)

 

The output log, should be placed in the C:\ _OTL folder after.

 

Quads

So far so good!!   After running the script my pc booted normally without the FBI Moneypak.  Attached is the log file from the

 _OTL>MovedFiles folder.  Several folders down _OTL>MovedFiles>......Microsoft>Windows>2339 folder I also see this file -  WcnEapAuthProxy.exe.  Is that the culprit? Should i delete it from there?

 

Only do as I ask.

 

Download Adwcleaner http://general-changelog-team.fr/fr/downloads/view.download/2   The Green Arrow and run a scan (Search) .  It will create a log after.

 

Quads

Adwcleaner log file attached

You can have adwcleaner delete / repair all 

 

Quads

deletion from Adwcleaner

step 4. (a)

 

Please read carefully and Slowly

 

You might have to export the results

 

 Please scan with ESET next 


I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and DON'T (NO) check Remove found threats (reason for this is we don't want something deleted and then Windows won't load).
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Attach the resulting log in your next reply


If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it. 

 

Quads

ESET log attached. Two infected files were found. One is the WcnEapAuthProxy.exe that was moved earlier by OTL.

In Normal Mode create a new OTL log. and attach.

 

Quads

New OTL log. And Extras.txt which shows modified today.

Uninstall

 

 

ESET Online Scanner

 

I have to script for the rest.

 

Quads

ESET is removed.

 

Quads - general question - since Norton 360 did not detect or block this Moneypak virus  -  and you are using several other tools to san and delete it - should I be running other AV programs either full time or as occasional scans in additional to Norton?

 

 

You can't have more than one AV installed, and the other tools are advanced only, not for general use.

 

Quads

Delete your copy of OTL and download a new copy.

 

Disable Norton for say 30mins

 

Start OTL,   under   Copy and paste the custom script attached which you open in for instance Notepad,(include the : at the start of :OTL and all the way to the end / bottom)  and run the script. (Red Run Fix Button)

 

The output log, should be placed in the C:\ _OTL folder after.

 

Quads