Malware Removal when Windows is inaccessible


Postby HSMC » Wed Jul 03, 2013 11:05 am

Hi Nick,

I have recently had 2 customer machines with ransomware on them, and was unable to clean them using the regular AV rescue disks available.
The PC wouldn't boot into Safe Mode (it just kept restarting), and when left to boot up normally it would just display the ransom demand screen after logging in. There was no time to do anything before that screen came up and locked out any input.

I tried Hitman Pro Kickstart with Sidekick (since the PC wouldn't boot from USB). Unfortunately the Sidekick CD froze during boot for some reason, so I couldn't run Hitman Pro Kickstart from the USB.
I was wondering, in such a case, could D7 still help? I was thinking that perhaps some changes to the offline OS may be possible using a Live CD with D7 on it, such that D7 would start up before the virus does and allow cleaning of the OS.
HSMC
 
Posts: 7
Joined: Sat Mar 02, 2013 11:26 am
Location: UK

Re: Malware Removal when Windows is inaccessible

Postby Jamie » Wed Jul 03, 2013 6:10 pm

We normally boot WinPE, then load D7 and use the offline malware tab. That is enough for us to then reboot the machine and do a full clean-up.
Jamie
 
Posts: 27
Joined: Mon Mar 11, 2013 4:37 pm

Re: Malware Removal when Windows is inaccessible

Postby HSMC » Wed Jul 03, 2013 6:26 pm

Hitman Pro Kickstart boots up Hitman Pro alongside the OS, so it is apparently more effective, since it can observe what processes are running and what files/registry entries are responsible for starting them, and then take remedial action.
The AV rescue disks work on the infected system while it is offline. This appears to be the reason they are ineffective with this stubborn ransomware, which I believe is a Reveton variant.
Running D7 only on the offline OS has similar limitations.
If D7 can be launched in a similar way to Hitman Pro (alongside the OS), then it will be possible to look at the processes etc. as above.
HSMC
 
Posts: 7
Joined: Sat Mar 02, 2013 11:26 am
Location: UK

Re: Malware Removal when Windows is inaccessible

Postby Dannim » Wed Jul 03, 2013 7:38 pm

If you check out my post here: viewtopic.php?f=9&t=435, you should be able to remove it with a minimum of difficulty.

As I mention in that post, most scanners for some reason still don't pick up the infection despite it almost always using the same filenames and hooks.

To fix Safe Mode you can use a PE like Hiren's, load the offline registry and then import the SafeBoot keys from a good XP system (99% of the time, if you can't access Safe Mode it is on an XP machine).
Dannim
 
Posts: 60
Joined: Mon Feb 11, 2013 10:50 am
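The "load the offline registry, then import the SafeBoot keys from a good machine" repair that Dannim describes has a step that is easy to get wrong: a .reg export from the healthy system names HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet, which does not exist in a hive you have loaded under a temporary name. The script below is an added example, not code from this thread or from d7/D7; it runs in a WinPE shell that has PowerShell, loads the offline SYSTEM hive, reports whether SafeBoot\Minimal and SafeBoot\Network are present (their absence is what makes Safe Mode restart the machine), and rewrites the key prefix in a known-good export before importing it. The drive letter D:, the export path X:\SafeBoot.reg and the mount name OfflineSys are assumptions; the export must come from the same Windows version as the patient machine.

```powershell
# Added example (not from the thread): check and repair SafeBoot keys in an OFFLINE SYSTEM hive.
# Assumptions (placeholders): offline Windows is on D:, the known-good export is X:\SafeBoot.reg
# (made on a healthy machine with: reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot X:\SafeBoot.reg),
# and this runs from an elevated WinPE PowerShell prompt.
param(
    [string]$OfflineWindows = 'D:\Windows',        # assumed drive letter of the offline install
    [string]$GoodExport     = 'X:\SafeBoot.reg',   # assumed export taken on a healthy machine (same OS version)
    [string]$MountName      = 'OfflineSys'         # temporary name under HKLM for the loaded hive
)

$hive = Join-Path $OfflineWindows 'System32\config\SYSTEM'
if (-not (Test-Path $hive)) { throw "SYSTEM hive not found at $hive" }

# Load the offline hive as HKLM\<MountName>; reg.exe is available in WinPE.
& reg.exe load "HKLM\$MountName" $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (is the shell elevated, and is the hive not in use?)' }

try {
    # The offline machine's active control set is recorded in SYSTEM\Select\Current,
    # so do not assume ControlSet001.
    $current  = (Get-ItemProperty "Registry::HKEY_LOCAL_MACHINE\$MountName\Select").Current
    $cs       = 'ControlSet{0:D3}' -f [int]$current
    $safeBoot = "Registry::HKEY_LOCAL_MACHINE\$MountName\$cs\Control\SafeBoot"

    # Diagnosis: a deleted or emptied Minimal/Network key produces the
    # "keeps restarting instead of entering Safe Mode" symptom described above.
    $missing = @()
    foreach ($mode in 'Minimal', 'Network') {
        $path = "$safeBoot\$mode"
        if (Test-Path $path) {
            $count = @(Get-ChildItem $path).Count
            Write-Host ("SafeBoot\{0}: present, {1} subkeys" -f $mode, $count)
            if ($count -eq 0) { $missing += $mode }
        } else {
            Write-Host ("SafeBoot\{0}: MISSING" -f $mode)
            $missing += $mode
        }
    }

    # Repair: the export refers to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\...;
    # rewrite that prefix so the keys land in the loaded hive and the right control set.
    if ($missing.Count -gt 0 -and (Test-Path $GoodExport)) {
        $fixed = Join-Path $env:TEMP 'SafeBoot-offline.reg'
        (Get-Content $GoodExport) -replace '\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\',
                                            "[HKEY_LOCAL_MACHINE\$MountName\$cs\" |
            Set-Content $fixed -Encoding Unicode   # reg.exe writes and reads .reg files as UTF-16
        & reg.exe import $fixed | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg import failed' }
        Write-Host "Imported SafeBoot keys into $cs of the offline hive"
    } elseif ($missing.Count -eq 0) {
        Write-Host 'SafeBoot keys look intact; the Safe Mode problem is elsewhere (e.g. a boot-time driver).'
    }
}
finally {
    # Always unload, or the hive stays locked and the patient machine may not boot cleanly.
    [GC]::Collect()                                   # drop PowerShell's cached handles to the key
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Run it once before importing anything to see the diagnosis; if both keys report as present with subkeys, the SafeBoot branch is not the cause and restoring it will not help. Keep the export and the patient on the same Windows version, because the list of services and drivers under SafeBoot differs between versions.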

