My sister's FBI "bust"

  1.    #1



    My sister got the fake FBI virus today. Trying to help her on the phone we were able to System Restore to before it and it appears to be gone. Back on the desktop nothing is found by Malwarebytes or SuperAntiSpyware. She is running Windows Defender offline boot disk now.

    An IT worker at her medical transcription company says it will never be completely removed and she should Clean Reinstall. This bothers me because usually I am the guy saying that but I think we were able to get before the infection so she should let it ride.

    I realize there are likely many variants but wonder if there are any special scans I should have her run. Thanks.


  2. Posts : 72,046
    64-bit Windows 11 Pro for Workstations
       #2

    Hey Greg,

    I'm in the camp to format and reinstall to be safe.


  3. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #3

    Same with me *medical transcription company*


  4. Posts : 2,470
    Windows 7 Home Premium
       #4

    gregrocker,

    Brink's and Jacee's suggestions are the 'for sure' option, however, even though I am the underdog here, have used the following program with success:

    HitmanPro Kickstart targets this ransomware.

    You need to know if the infected computer is running a 32-bit or 64-bit system.

    Download link for HitmanPro.Kickstart:
    HitmanPro.Kickstart - Anti ransomware, politievirus, bundestrojaner, Reveton, BKA, GVU - SurfRight


    You need to load a USB flash drive with HitmanPro Kickstart as follows...


    Use a "clean" (non-infected) computer, and download HitmanPro from the link above.


    When HitmanPro opens, click the Kick icon at the bottom of the screen.


    Plug the USB flash drive into the clean computer and follow the instructions from the first video on the website.


    Next, plug in the USB drive just created into the infected machine.
    Start the infected computer.


    When the computer starts, press the key (on some machines it's F10 or F2) that brings up the Boot Menu. From there, select to boot from the USB drive.
    Info: http://www.selectrealsecurity.com/remove-ransomware
    Save the changes, and press on.


    Next, perform a system scan with HitmanPro Kickstart as seen in the second video.


    After HitmanPro Kickstart is done, boot into Windows.



    ~~~~~~~~~~~
    To remove the malicious files of the ransomware...


    Download RogueKiller:
    Télécharger RogueKiller (Site Officiel)

    When you get to the website, go to where it says:
    (Download link) Lien de téléchargement:

    Select the version that applies to your system. (See Note)
    Click the dark-blue button to download.
    Save to the Desktop.


    Close all windows and browsers.
    Right-click and select: Run as Administrator


    At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)
    Press: SCAN


    When done, a report opens on the Desktop: RKreport.txt

    Please provide the RKreport.txt (Mode: Scan) in your reply.



    Note:
    To find out if the system is 32 or 64 bit:
    Click: Start
    Type System in the Start Search box
    Click System in the Programs list.


    The operating system is displayed as follows:

    For a 64-bit version operating system, under System > System type, it shows:
    64-bit Operating System

    For a 32-bit version operating system, under System > System type, it shows:
    32-bit Operating System


  5. Posts : 50,642
    Thread Starter
       #5

    Thank you all.

    I'm sending her this thread now along with options for getting a Clean Reinstall - Factory OEM Windows 7 or Acer Recovery media and Restoring a system to factory load since she still has the factory preinstall until her brother gets back there to Clean Reinstall.

    She asked me about backup before reinstall, if those files can be trusted with MSE, MBAM and SAS scans alone. She has a backup before the Acer laptop was shipped back for repairs a month ago which should be clean.

    She also asked me if she is possibly infectious to others via email. Her medical transcriptions are done on another PC.
    Last edited by gregrocker; 05 Mar 2013 at 00:21.


  6. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #6

    Greg, I'm in the wipe and clean install group. This FBI infection can be passed to other computers creating a botnet. Your sister could have got it from anywhere. Here is a site that has a video at the top that explains the virus very well.

    FBI Warns Against Ransomware Internet Scam | KSTP TV - Minneapolis and St. Paul

    http://www.azfamily.com/news/consume...192079001.html

    I would also recommend that all passwords be changed from a clean computer. Most important, inform all banks and credit card companies etc. what has happened so they will be on the lookout for strange happenings with your sister's accounts.
    I would also recommend your sister inform friends she emails that her computer was infected so they are aware not to do things like opening email from her.


  7. Posts : 548
    Windows 7 Ultimate x64 SP1
       #7

    Email can be a potential vector for infection since emails can be whole HTML webpages in their own right if they are not just plain text, and any attached files are obviously at risk of being virus carriers.


  8. Posts : 2,470
    Windows 7 Home Premium
       #8

    gregrocker.

    ... if those files can be trusted with MSE, MBAM and SAS scans alone
    Have seen where System Restore was used on the ransomware, and, although apparently successful, it was not. Furthermore, for some reason, some of the scans used are missing the issue.

    Further intervention using tools such as Farbar Recovery Scan Tool, RogueKiller, and OTL has finally cleared the machine.

    To answer the question above, IMO, unless further malware removal work is done on this machine, it is not to be trusted.


  9. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #9

    Excellent advice cottonball!


  10. Posts : 2,470
    Windows 7 Home Premium
       #10

    Thanks, Jacee.

    I like to remove malware, vs. reinstall, but the truth is that on those ransomware infections, although they can be cleaned in most cases, the job is not an easy one. They are a big challenge.

    The tools mentioned were just the ones that came to mind. In a real case scenario it goes much further than those.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
