Topic: FBI scam Trojan/virus

Dark
FBI scam Trojan/virus
« on: November 12, 2012, 06:40:34 AM »
Well, just a heads up. I have run into this scam twice in a month: once on a friend's, and I just got it on my mom's computer. It completely locks the computer and most users don't know what to do. Task Manager doesn't show up or anything. NOD32 and Microsoft Security Essentials didn't catch it (mom's comp); AVG, Norton and Microsoft Security Essentials (friend's). I was able to clean my friend's by booting in Safe Mode and running Malwarebytes. Tried the same thing on my mom's but it has changed. Wouldn't let me launch Explorer (yes, I know about Explorer), so launched in Safe Mode with Command Prompt and launched it that way. Ran Malwarebytes and found 3 bugs. Removed them and everything seems OK. Do you guys think if I roll it back, say, a month before it landed on the computer and rerun everything it should be good to go, or do you think Malwarebytes did its job? Reading on Google they say go to the registry and delete some stuff, but I'm nowhere near comfortable digging in there. Have them looking for CDs to reinstall Windows, but knowing them they won't find it, so thought I'd ask here.

TilDeath
Re: FBI scam Trojan/virus
« Reply #1 on: November 12, 2012, 07:47:21 AM »
Check your inbox.  Solution provided.

Bizman
Re: FBI scam Trojan/virus
« Reply #2 on: November 12, 2012, 10:04:19 AM »
Malwarebytes' AntiMalware in Safe Mode has done the trick in the four Finnish translated variations I've seen this year. Even the registry thing. You might want to double check with SuperAntiSpyware if you feel uncertain.

Why regular antivirus programs can't find this bad guy is because it actually isn't a virus. The FBI announcement is a saved website without frames and toolbars saved in Temporary Internet Files and is triggered by a ctfmon shortcut in the Startup folder of the Start menu or Orb, both legitimate Windows stuff. Even the registry hacks to prevent TaskManager and such are pure Microsoft admin stuff, available with a GUI in Windows professional versions.

After having removed all malware I'd remove all restore points to prevent rolling back to an infested state.

TD, I'd like to have your solution, too, if it's not too much asked.
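As an added triage illustration (not code from the thread or from any of the tools named in it), this PowerShell script checks the two places Bizman describes: shortcuts in the per-user and all-users Startup folders, and the policy values that disable Task Manager and regedit. It assumes Windows PowerShell 3.0 or later and is run as the affected user; it only reports, it removes nothing.

```powershell
# Added triage script, not from the thread. Reports Startup-folder shortcuts and the
# DisableTaskMgr / DisableRegistryTools policy values; it does not change anything.
# Assumes Windows PowerShell 3.0+ running as the affected user.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$shell = New-Object -ComObject WScript.Shell

Write-Host "== Startup folder shortcuts =="
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = $lnk.TargetPath
        # Flag shortcuts whose target is missing, lives under a cache or user-writable
        # path, or passes a local HTML page as an argument (the saved-page pattern above).
        $suspicious = ($target -and -not (Test-Path $target)) -or
                      ($target -match 'Temporary Internet Files|\\AppData\\|\\Temp\\') -or
                      ($lnk.Arguments -match '\.html?|Temporary Internet Files')
        [PSCustomObject]@{
            Shortcut   = $_.Name
            Target     = $target
            Arguments  = $lnk.Arguments
            Suspicious = $suspicious
        }
    } | Format-Table -AutoSize
}

Write-Host "== Policy values that lock out repair tools =="
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $value = $props.$name
        if ($value -eq 1) {
            Write-Warning "$key\$name = 1 (tool disabled by policy)"
        } else {
            Write-Host "$key\$name not set"
        }
    }
}
```

A flagged shortcut or a policy value set to 1 is a lead to inspect before running the cleanup tools, not proof of infection on its own, since both can be set legitimately by an administrator.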

Max
Re: FBI scam Trojan/virus
« Reply #3 on: November 12, 2012, 10:27:28 AM »
Rich! How are you? Long time; no see. Good to see you back.

Max
Re: FBI scam Trojan/virus
« Reply #4 on: November 12, 2012, 10:29:44 AM »
Nice to see you back Rich. How's things in Hotlanta?

The Fugitive
Re: FBI scam Trojan/virus
« Reply #5 on: November 12, 2012, 11:28:11 AM »
Same here TD, my brother-in-law's computer just picked this one up as well.

guncrasher
Re: FBI scam Trojan/virus
« Reply #6 on: November 12, 2012, 12:03:14 PM »
How did they get it?


Krusty
Re: FBI scam Trojan/virus
« Reply #7 on: November 12, 2012, 12:44:53 PM »
I picked it up a month ago also. I got it from a JavaScript or Flash exploit in an otherwise okay web page. They load themselves that way.

TilDeath
Re: FBI scam Trojan/virus
« Reply #8 on: November 13, 2012, 07:41:10 AM »
Thanks guys. Might as well post the solution here. This works for 99% of those "You're infected, you need to buy this software to remove it" scams. You need two things to remove it: RKill and Malwarebytes. You can get RKill.exe from Bleeping Computer here: http://www.bleepingcomputer.com/download/rkill/ Most of these malwares will not allow you access to the internet, or if they do, they will not allow you to download. Use a USB stick or another means to place both programs on your desktop. If you do not have Malwarebytes installed, this is what you need to do.

Restart the PC in Safe Mode with Networking
Start RKill
Run or install Malwarebytes (try to update the database). DO NOT restart your PC if Malwarebytes asks you to.
Run Malwarebytes with an in-depth scan.

Again, these programs attack iExplorer.exe, and RKill ends all non-essential processes and keeps them stopped.

Hope this helps you guys

TD

TequilaChaser
Re: FBI scam Trojan/virus
« Reply #9 on: November 13, 2012, 08:17:13 AM »
Heya Rich,

They also might need to get "TDSSKiller" by Kaspersky Labs... a lot of those malware/rootkit viruses are showing up as using the "Alureon" rootkit, and it inserts itself in the operating memory.

(CCleaner) can also clean it from the memory... then they can use Malwarebytes, etc. to scan/clean their HDs.

But yeah, what TilDeath posted.


TC

Dark
Re: FBI scam Trojan/virus
« Reply #10 on: November 13, 2012, 10:03:41 AM »
Well, on my mom's I checked out what pages she was on the day it happened and the day before to see where she was at. The day it happened she was on Walmart's page for the Black Friday deals, but someone (most likely the niece) was over there and they were trying to get on some Disney/Nick Jr website, but she didn't type in the actual website name, she Googled it. So I'm guessing she was not on the actual website. While I was over there I noticed she was running IE7 and Flash wasn't up to date. So got Flash up to date before I left and gonna update anything else she hasn't yet. But all looks OK; did the thing you said, Rich, and ran Malwarebytes for like the 4th time and nothing is showing up besides what I saw the first time it ran. Guess I will post up what it showed it found and removed. Maybe you guys can see which it actually was.

Bizman
Re: FBI scam Trojan/virus
« Reply #11 on: November 13, 2012, 10:14:20 AM »
Thanks TD, just cleaned version #5 today; all it needed was AntiMalware run in Safe Mode with Networking. Of course, back in normal Windows, I ran ESET's Online Scanner for other nasties, but that's another story. Funny thing with these Finnish versions is that they have been translated with some program. The results have been more or less hilarious: you know, "can" can be either a verb or a container for food... Another funny thing: they want the payment via Ukash, which they say would be available from a kiosk chain. Ukash.com doesn't show any partner names for Finland. My former boss tried to teach us a "cui bono" (who benefits) philosophy to find out reasons for customer behaviour. So, if no-one can get any money from here, I'd call it a lose-lose situation.
« Last Edit: November 13, 2012, 10:54:13 AM by Bizman »

Denniss
Re: FBI scam Trojan/virus
« Reply #12 on: November 14, 2012, 12:25:10 AM »
HijackThis in Safe Mode may find some unwanted strings as well.
Deleting temporary internet files, AKA the browser cache, is a must for all browsers.

The most important advice is to dump the Internet Exploder and use alternatives like Firefox, Opera or Chrome - a lot fewer options to infiltrate them.
Keeping Windows up-to-date is a must; other programs like Flash, Adobe Reader, Java, etc. should be on auto-update. If Java is installed, disable the browser plugins.

MrRiplEy[H]
Re: FBI scam Trojan/virus
« Reply #13 on: November 14, 2012, 10:29:46 AM »

Adobe Reader should not be installed at all. Foxit is faster and more secure.

zack1234
Re: FBI scam Trojan/virus
« Reply #14 on: November 15, 2012, 02:06:47 AM »
Are Adobe products the problem, or are some OK?

I use Foxit; the other day Adobe installed itself on my PC, my mrs OK'd it.