ed4586 Initiate

Joined: 14 Nov 2006 Posts: 62 Location: Plattsburgh, NY
Posted: Wed Mar 13, 2013 7:36 pm Post subject: How do I edit registry on a removed hard drive?

Have a friend's hard drive with the FBI Money Pack virus. Couldn't get into safe mode, so I removed the SATA drive and ran AVG, Stinger, Malwarebytes etc. via a laptop using an external USB adapter.
Located/deleted a bunch of malware, trojans etc., but it still has a virus. Can't locate anything in the Start/Startup files. I suspect it's in the registry.
Is there any way to edit the registry on a slave drive that is not running the OS? Have full access to the files on the drive (as a slave)... just can't get past the virus when used as the Master.
It will be a last resort of course... Windows XP Pro 32 bit on the drive.
Thanks
evasive Mobo-fu Master

Joined: 06 May 2001 Posts: 36479 Location: Netherlands, Breda

ed4586 Initiate

Joined: 14 Nov 2006 Posts: 62 Location: Plattsburgh, NY
Posted: Thu Mar 14, 2013 5:18 am Post subject:

The PC will not open in Safe Mode... when selecting Safe Mode or any other options, it defaults to the FBI screen... can't work in that environment at all. Can't run REGEDIT in the normal Windows environment... was hoping to locate the registry file with the drive as a slave.
Karlsweldt Enlightened Master

Joined: 12 Nov 2003 Posts: 18694 Location: 07438
Posted: Thu Mar 14, 2013 8:58 am Post subject:

If you cannot get any other start mode than what is presented, then the MBR has indeed been infected. Try booting directly to the OS install disk recovery console, and command the Fixmbr process. You might be lucky.
Best is to mount the drive as a slave or secondary in a host case, or via a USB external case to a known-clean system, and scan it with the host's antivirus program. Connect the drive after the OS has settled in, if external. A complete scan should clear up any unwanted entities. But if the virus has "taken root", then it could infect other system files, and they too might be deleted. For reference, the Registry files are located in the Windows\System32\Config folder. But editing them outside of the parent OS (the one that created them) is near impossible. Only an experienced programmer should attempt it.
Yes, this "FBI Money Pack" virus is really nasty! Microsoft's Forum has hints on what to do. But don't expect a full recovery. You may have to rebuild the OS installation.
_________________
F@H.. to solve mankind's maladies.. in our lifetimes!
Mr T Enlightened Master

Joined: 14 Jun 2002 Posts: 16689 Location: England
Posted: Thu Mar 14, 2013 10:03 am Post subject:

Are you booting into SAFE MODE via pressing F8 before the Windows splash screen? Should get there to SAFE MODE and then use CTRL+ALT+DELETE to close processes down....
BUT.....
Beforehand, when the FBI warning screen is up in Normal mode, CTRL+ALT+DELETE and use Task Manager to close the virus process down. Then go to User Accounts and create a new account with ADMIN status and password protect it. Set the other account to standard user, then reboot into the new account and install Malwarebytes. From there you can reboot into SAFE MODE using the new Admin account and run Malwarebytes to remove the nasty.
I highly recommend once the nasty is off, to remove any virus scanners and install Microsoft Security Essentials, update and run it. Also download and run CCleaner using the registry fixer tool as well.
All these programs are free and can be downloaded from Filehippo.com.
_________________
I have been programming on computers since the ZX81.
I am an apprentice trained Electronics Engineer with qualifications to back it up.
I have been repairing computers since 1996.
Yet to some people I still know nothing...
Hardware Junkie Mobo-fu Master

Joined: 25 Jan 2001 Posts: 19368 Location: 00000h - 0000Fh
Posted: Thu Mar 14, 2013 11:23 am Post subject:

How to edit the registry offline:
http://4sysops.com/archives/regedit-as-offline-registry-editor/
The only difference is you will need to specify full paths to the slave drive.
_________________
"Imagination is the only weapon in the war against reality." -Jules de Gautier
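As an added example (not code from this thread or from the linked article), the PowerShell script below mounts the slaved XP drive's SOFTWARE and NTUSER.DAT hives with reg.exe load, lists the usual autostart values so they can be reviewed on the clean host, and detaches the hives cleanly. It assumes the slave drive is E: and the XP profile folder is named Owner; both are placeholders to adjust.

```powershell
# Added example, not from the thread: review the autostart entries of a
# Windows XP install attached as a slave drive, via reg.exe load/unload.
# ASSUMPTIONS: slave drive is E:, XP profile folder is "Owner".
# Run from an elevated PowerShell on the clean host.
$Drive    = 'E:'       # assumed slave drive letter
$UserName = 'Owner'    # assumed XP profile folder name

# Temporary HKLM subkey name -> hive file on the offline drive
$Hives = @{
    'OffSoft' = "$Drive\Windows\System32\config\software"
    'OffUser' = "$Drive\Documents and Settings\$UserName\NTUSER.DAT"
}
# Autostart locations to review (machine-wide, then per-user)
$Checks = @(
    'OffSoft\Microsoft\Windows\CurrentVersion\Run',
    'OffSoft\Microsoft\Windows\CurrentVersion\RunOnce',
    'OffSoft\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'OffUser\Software\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($name in $Hives.Keys) {
    # reg.exe load attaches the hive file as HKLM\<name> on this host
    & reg.exe load "HKLM\$name" $Hives[$name] | Out-Null
}
try {
    foreach ($key in $Checks) {
        $path = "HKLM:\$key"
        if (-not (Test-Path $path)) { continue }
        Write-Host "== $key"
        $item = Get-ItemProperty -Path $path
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata
            # Under Winlogon only Shell and Userinit start programs; on XP
            # they normally read "Explorer.exe" and "...\userinit.exe,".
            if ($key -like '*Winlogon' -and
                @('Shell', 'Userinit') -notcontains $p.Name) { continue }
            Write-Host ("  {0} = {1}" -f $p.Name, $p.Value)
        }
        # A confirmed-bad value can be dropped while the hive is loaded:
        # Remove-ItemProperty -Path $path -Name '<value name>'
    }
}
finally {
    # Release PowerShell's handles first, otherwise unload is denied;
    # then detach the hives so the files on the slave drive stay consistent.
    [gc]::Collect()
    foreach ($name in $Hives.Keys) { & reg.exe unload "HKLM\$name" | Out-Null }
}
```

Compare each listed value against what the scans already removed; anything pointing at a file that no longer exists, or a Shell/Userinit value that is not the stock one, is the entry to clean up before the hives are unloaded.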
securityguy Pilgrim

Joined: 13 May 2013 Posts: 1
Posted: Mon May 13, 2013 6:11 am Post subject: Here are the step-by-step instructions to remove FBI Virus!

Norton Power Eraser does the job for me!