Page 1 of 2 (results 1 to 15 of 20)
  #1 New Lounger, Cedar Park, TX (joined Dec 2009, 9 posts)

    DNS Changer, right?

    Sigh. Looks like I got nailed. I have a netbook I don't use that often. I did check it months ago and it reported fine, and I run MSE on it, although it doesn't scan when turned off. Still, it gets scanned every couple of weeks or so. Still, I just went to wake it up and it was showing the FBI Warning page. I re-booted, and it immediately goes to a blank white screen with "Navigation to the webpage was canceled".

    It won't let me re-boot into safe mode, and it doesn't run long enough before freezing on the white screen for me to run an antimalware program.

    Actually, the FBI warning page was odd...talked about illegal software and how to pay a fine...

    EDIT: I just managed to squeak in fast enough to run ipconfig/all. The DNS numbers actually appear to be okay. I'm now confused...unfortunately I know just little enough to be dangerous...

    Any thoughts?
    Last edited by tnbagwell; 2012-08-10 at 00:04.
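The check described in the first post (running `ipconfig /all` and eyeballing the DNS entries) is the right instinct for a suspected DNS Changer infection, but reading the output by hand is error-prone when several adapters each list several resolvers. The script below is an added example, not something posted in this thread: it parses saved `ipconfig /all` output (save it on the affected machine with `ipconfig /all > ipconfig.txt`, or pipe it in on stdin), collects the DNS servers per adapter, and flags any resolver that is neither inside a private LAN range nor on an allowlist of resolvers you know you configured. The sample output and the allowlist (Google's public resolvers) are constructed assumptions; substitute the resolvers your own router or ISP hands out.

```python
import ipaddress
import re
import sys

# Constructed sample of `ipconfig /all` output (not captured from the netbook in
# the thread). The wired adapter points at the home router and a known public
# resolver; the wireless adapter has been given two unfamiliar resolvers.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : NETBOOK
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       198.51.100.9
"""

# Assumed allowlist: resolvers the owner deliberately configured, plus private
# address space so a home router acting as a forwarder is not flagged.
TRUSTED_RESOLVERS = {ipaddress.ip_address(a) for a in ("8.8.8.8", "8.8.4.4")}
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10")]

# Adapter headers are unindented and end with a colon; properties are indented
# a few spaces and padded with " . ." up to the colon; extra DNS servers appear
# on deeply indented continuation lines carrying only the value.
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):$")
PROPERTY_RE = re.compile(r"^\s{1,4}(\S[^:]*?)[ .]*:\s*(.*)$")
CONTINUATION_RE = re.compile(r"^\s{8,}(\S.*)$")


def parse_dns_servers(ipconfig_text):
    """Return {adapter_name: [dns_server, ...]} from `ipconfig /all` output."""
    servers = {}
    adapter = "(global)"
    last_key = None
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, last_key = m.group(1), None
            continue
        m = PROPERTY_RE.match(line)
        if m:
            last_key, value = m.group(1), m.group(2).strip()
            if last_key == "DNS Servers" and value:
                servers.setdefault(adapter, []).append(value)
            continue
        m = CONTINUATION_RE.match(line)
        if m and last_key == "DNS Servers":
            servers.setdefault(adapter, []).append(m.group(1).strip())
            continue
        if not line.strip():
            last_key = None  # a blank line ends the current property block
    return servers


def is_trusted_resolver(server):
    """True if the resolver is on the allowlist or inside a trusted network."""
    try:
        addr = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return False  # anything unparseable is worth a second look
    if addr in TRUSTED_RESOLVERS:
        return True
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_unexpected_resolvers(ipconfig_text):
    """Return [(adapter, server), ...] for every resolver that is not trusted."""
    flagged = []
    for adapter, resolvers in parse_dns_servers(ipconfig_text).items():
        for server in resolvers:
            if not is_trusted_resolver(server):
                flagged.append((adapter, server))
    return flagged


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPCONFIG
    hits = find_unexpected_resolvers(text)
    if not hits:
        print("All configured DNS servers are on the trusted list.")
    for adapter, server in hits:
        print(f"UNEXPECTED resolver {server} on '{adapter}'")
```

A clean result here only rules out the DNS-hijack class of infection; it says nothing about the screen locker the thread goes on to identify, which does not need to touch the resolver settings at all. Check the adapters that are currently disconnected as well, since stale settings on those still become live the moment the interface comes up.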

  #2 Super Moderator, New England (joined Jun 2011, 4,746 posts)
    Not DNS Changer, but FBI Moneypak.

    Bruce

  #3 Super Moderator, New England (joined Jun 2011, 4,746 posts)
    ... a.k.a. Reveton virus, subject of a genuine FBI article released yesterday: “We’re getting inundated with complaints,”

    Bruce

  #4 New Lounger, Cedar Park, TX (joined Dec 2009, 9 posts)
    Quote Originally Posted by BruceR:
        Not DNS Changer, but FBI Moneypak.

        Bruce
    Interesting. Thanks. Unfortunately, I still can't get into Safe Mode to actually do anything. F8 didn't work. Went into msconfig and selected 'SAFEMODE', again with no luck. "We apologize for the inconvenience, but Windows did not start successfully. A recent hardware or software change might have caused this."

    I've posted on the forum over at Bleeping Computer as well...

  #5 Lounge VIP, Scotland (joined Apr 2011, 1,168 posts)
    If setting the Safemode boot flag in msconfig does not force boot into safemode, it sounds like the MBR has been attacked too and you are going to have a difficult job recovering from the scareware. It can be done, but may need several recursive steps which might be difficult to walk through on a non-specialist anti-virus forum.

    It might be easier and quicker to revert to a factory restore image backup.
    In God we trust; all others must bring data.

    - William Edwards Deming. 1900 - 1993

  #6 New Lounger, Cedar Park, TX (joined Dec 2009, 9 posts)
    Could you point me to where I can find a procedure for this? It's not something I've ever had to do. I have a couple of friends for whom this would be a snap, but I hate to bug them with tech questions. They get enough of them as it is.

  #7 Lounge VIP, Scotland (joined Apr 2011, 1,168 posts)
    I've never seen a malware infection prevent booting to SafeMode, but regardless of user timings and tapping F8 etc during boot, if setting the Safemode flag in MSconfig doesn't trigger it, then presumably safemode has been compromised.

    If you're going down the route of image restore, ideally you would have a full disk image backed up on a DVD or external hard drive, but that seems unlikely in this case.

    So, what you need is to locate the software tool on the netbook that invokes the manufacturer's factory restore application. Some machines have this as a desktop app (available through the start menu) such as Recovery Manager or similar. Others have a special boot sequence requiring you to intercept the boot by pressing <Alt>F11 or similar sequence. Each manufacturer is different and a quick lookup on their website will give you the details required.

    What you should know is that by performing a factory restore, all of your applications and data will be erased. You need to copy the user data to somewhere else first, but you also need to be careful not to copy the infection too. I would recommend manually identifying known good files and copying them off rather than performing a blanket copy "everything in My Doc's".

  #8 Super Moderator jwitalka, Minnesota (joined Dec 2009, 6,792 posts)
    You could try a Clean Boot. Not quite as basic as Safe Mode but it could disable whatever is taking over your PC.

    Jerry

  #9 WS Lounge VIP Browni, Rochdale, UK (joined Dec 2009, 1,650 posts)
    @OP Can you post a link to your thread on Bleeping Computer please.

    Not only will it stop duplication of effort here, it may turn out to be a useful reference for this nasty bit of malware.

  #10 New Lounger, Cedar Park, TX (joined Dec 2009, 9 posts)
    Hm. I guess I should have seen this coming. The last thing I tried was going into msconfig and changing the option to SAFEBOOT. However, it still didn't boot. Now there's no way to start the computer. None of the options work. I just get the "We apologize for the inconvenience" screen with a list of startup options.

  #11 New Lounger, Cedar Park, TX (joined Dec 2009, 9 posts)
    Quote Originally Posted by Browni:
        @OP Can you post a link to your thread on Bleeping Computer please.

        Not only will it stop duplication of effort here, it may turn out to be a useful reference for this nasty bit of malware.
    I can...but although it's had over 100 views, nobody has replied to it yet.

    http://www.bleepingcomputer.com/forums/topic464597.html

  #12 WS Lounge VIP Browni, Rochdale, UK (joined Dec 2009, 1,650 posts)
    Thanks for that, hopefully somebody on there will respond soon. It does say on the site that it can take 3-5 days to get an answer though.

    I was going to suggest using TDSSKiller but as you now can't access the PC it seems a rather moot point.

    EDIT: This may be worth a try Windows Defender Offline if you can create a bootable USB on another PC.

    Good luck!
    Last edited by Browni; 2012-08-10 at 17:45.

  #13 Lounge VIP, Scotland (joined Apr 2011, 1,168 posts)
    A few additional thoughts on this from me:

    Probably not a likelihood in this case, but worth a shot... I have seen malware that attempts to spoof error screens (typically BSODs). Is there any chance that the "We apologize for the inconvenience" screen (the boot options screen) is a spoof and that the OS is running underneath? Do you see disk activity while the boot options screen is displayed?

    Do you have access to a USB attached DVD drive? If so, download and burn a copy of Hiren's Boot CD from here. Boot the netbook from the USB attached DVD drive and use the Hiren's Boot CD to attempt a Registry repair on the netbook - perhaps the registry is corrupt rather than the MBR? Failing that, use the same CD to run a system restore to a time before the malware infection occurred. Hiren's has a number of very useful onboard tools that may also help make the netbook bootable so you can then attempt the other fixes people are suggesting.

    If you don't have an external USB attached DVD drive, consider buying one. They are not expensive (35 in the UK will get you an entry level unit) and given the circumstances could be worth the investment.

    [Edit] You could boot the machine off a USB Flash drive with Hiren's Boot CD too - similar to what Browni has just suggested [/Edit]

    On an ASUS netbook, the factory restore program in a hidden partition is often accessed by pressing F9 during the boot. It might be intact and allow you to get back to square one.
    Last edited by Tinto Tech; 2012-08-10 at 17:55. Reason: To add option of USB booting from Hiren's

  #14 New Lounger, Cedar Park, TX (joined Dec 2009, 9 posts)
    No, I'm fairly certain it's a legit screen. I've tried to boot the machine off a USB in the past with little luck. I have a last resort call into a more tech-savvy friend of mine. If the cure is more difficult than system recovery, then I'll click my mouse and re-set everything.

  #15 Super Moderator jwitalka, Minnesota (joined Dec 2009, 6,792 posts)
    If you have an XP OS install disk at the same service pack level, you could try a repair install.

    Jerry
