My sister's FBI "bust"

gregrocker
My sister got the fake FBI virus today. Trying to help her on the phone, we were able to System Restore to before it, and it appears to be gone. Back on the desktop, nothing is found by Malwarebytes or SuperAntiSpyware. She is running the Windows Defender Offline boot disk now.

An IT worker at her medical transcription company says it will never be completely removed and she should Clean Reinstall. This bothers me because usually I am the guy saying that but I think we were able to get before the infection so she should let it ride.

I realize there are likely many variants but wonder if there are any special scans I should have her run. Thanks.
 
Hey Greg,

I'm in the camp to format and reinstall to be safe.
 

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
Same with me :thumbsup: *medical transcription company*
 

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
gregrocker,

Brink's and Jacee's suggestions are the 'for sure' option; however, even though I am the underdog here :D, I have used the following program with success:

HitmanPro Kickstart targets this ransomware.

You need to know if the infected computer is running a 32-bit or 64-bit system.

Download link for HitmanPro.Kickstart:
HitmanPro.Kickstart - Anti ransomware, politievirus, bundestrojaner, Reveton, BKA, GVU - SurfRight


You need to load a USB flash drive with HitmanPro Kickstart as follows...


Use a clean (non-infected) computer, and download HitmanPro from the link above.


When HitmanPro opens, click the Kick icon at the bottom of the screen.


Plug the USB flash drive into the clean computer and follow the instructions from the first video on the website.


Next, plug in the USB drive just created into the infected machine.
Start the infected computer.


When the computer starts, press the key (on some machines it's F10 or F2) that brings up the Boot Menu. From there, select to boot from the USB drive.
Info: http://www.selectrealsecurity.com/remove-ransomware
Save the changes, and press on.


Next, perform a system scan with HitmanPro Kickstart as seen in the second video.


After HitmanPro Kickstart is done, boot into Windows.



~~~~~~~~~~~
To remove the malicious files of the ransomware...


Download RogueKiller:
Télécharger RogueKiller (Site Officiel) [French: Download RogueKiller (Official Site)]

When you get to the website, go to where it says:
(Download link) Lien de téléchargement:


Select the version that applies to your system. (See Note)
Click the dark-blue button to download.
Save to the Desktop.


Close all windows and browsers.
Right-click and select: Run as Administrator


At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)
Press: SCAN


When done, a report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.



Note:
To find out if the system is 32 or 64 bit:
Click: Start
Type System in the Start Search box
Click System in the Programs list.


The operating system is displayed as follows:

For a 64-bit version operating system, under System > System type, it shows:
64-bit Operating System

For a 32-bit version operating system, under System > System type, it shows:
32-bit Operating System
 

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
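As an added illustration (not from any poster in this thread, and not code from HitmanPro or RogueKiller): the question running through the thread is whether System Restore plus on-desktop scans prove the lock screen is really gone. One check a practitioner would make, from an offline boot or with the disk attached to a clean machine, is to export the autostart locations (the kind of thing RogueKiller and similar tools walk) and triage them. The Python below does that triage over a constructed three-column export (location, entry name, image path) in the spirit of what Sysinternals Autoruns can export to CSV. The heuristics (image under a user-writable directory, a Winlogon Shell/Userinit value that differs from its default, a system-binary name outside \Windows, a double extension) are generic persistence indicators, not a signature for any particular FBI/Reveton variant; the entries, the user name `sis` and the paths are all constructed.

```python
"""Triage of Windows autostart entries after a suspected lock-screen cleanup.

Added example for this thread, not from any poster or tool named in it.
Input: a constructed 'location,entry,image' CSV in the spirit of an Autoruns
export; in practice you would export that from an offline boot, not from the
possibly still-infected running system.
"""
import csv
import io
import re
from os.path import basename

WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Values that lock-screen malware hijacks to start before or instead of the desktop.
WINLOGON_DEFAULTS = {
    WINLOGON + r"\Shell": "explorer.exe",
    WINLOGON + r"\Userinit": r"C:\Windows\system32\userinit.exe,",
}
# Directories a non-admin infection can always write to; legitimate autostarts rarely live here.
USER_WRITABLE = re.compile(
    r"\\(AppData|Local Settings|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
# Names that belong under \Windows; the same name elsewhere is a masquerade.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "winlogon.exe", "csrss.exe",
                "lsass.exe", "userinit.exe", "rundll32.exe"}
DOUBLE_EXT = re.compile(r"\.(pdf|doc|jpg|png|txt|zip)\.exe$", re.IGNORECASE)


def parse_entries(csv_text):
    """Rows of location,entry,image (header row required) -> list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def image_paths(value):
    """'explorer.exe, C:\\x\\y.exe' -> ['explorer.exe', 'C:\\x\\y.exe']."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def triage_entry(entry):
    """Return the reasons this autostart entry deserves a look (empty list if none)."""
    location, image = entry["location"], entry["image"]
    reasons = []
    default = WINLOGON_DEFAULTS.get(location)
    if default is not None and image.strip().lower() != default.lower():
        reasons.append("Winlogon value differs from default: " + image)
    for path in image_paths(image):
        name = basename(path.replace("\\", "/")).lower()
        if USER_WRITABLE.search(path):
            reasons.append("runs from user-writable directory: " + path)
        # A bare name (no directory) resolves through the normal search path,
        # which is how the Winlogon default itself is written, so skip it.
        if "\\" in path and name in SYSTEM_NAMES and "\\windows\\" not in path.lower():
            reasons.append("system binary name outside \\Windows: " + path)
        if DOUBLE_EXT.search(name):
            reasons.append("double extension: " + name)
    return reasons


def triage(entries):
    """(location, entry, reasons) for every entry with at least one reason."""
    findings = []
    for e in entries:
        reasons = triage_entry(e)
        if reasons:
            findings.append((e["location"], e["entry"], reasons))
    return findings


# Constructed export: one legitimate AV autostart, one Run-key masquerade,
# a hijacked Winlogon Shell, the untouched Userinit default, and a Startup
# folder dropper with a double extension.
SAMPLE_EXPORT = r"""location,entry,image
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,avgnt,C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Skype,C:\Users\sis\AppData\Roaming\Microsoft\svchost.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell,Shell,"explorer.exe, C:\Users\sis\AppData\Local\Temp\ms.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit,Userinit,"C:\Windows\system32\userinit.exe,"
Startup folder,invoice.pdf.exe,C:\Users\sis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.pdf.exe
"""


def run_sample():
    return triage(parse_entries(SAMPLE_EXPORT))


if __name__ == "__main__":
    for location, entry, reasons in run_sample():
        print(location, entry)
        for r in reasons:
            print("   -", r)
```

On the constructed export this flags the Skype masquerade, the Winlogon Shell hijack and the Startup-folder dropper and leaves the Avira entry and the Userinit default alone. An empty result is not proof of a clean machine: it only says nothing is starting from the places this script looks at, which is the same limit the thread's posters put on any scanner.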
Thank you all.

I'm sending her this thread now along with options for getting a Clean Reinstall - Factory OEM Windows 7 or Acer Recovery media and Restoring a system to factory load since she still has the factory preinstall until her brother gets back there to Clean Reinstall.

She asked me about backup before reinstall, if those files can be trusted with MSE, MBAM and SAS scans alone. She has a backup before the Acer laptop was shipped back for repairs a month ago which should be clean.

She also asked me if she is possibly infectious to others via email. Her medical transcriptions are done on another PC.
 
Greg, I'm in the wipe and clean install group. This FBI infection can be passed to other computers, creating a botnet. Your sister could have got it from anywhere. Here is a site that has a video at the top that explains the virus very well.

FBI Warns Against Ransomware Internet Scam | KSTP TV - Minneapolis and St. Paul

http://www.azfamily.com/news/consumer/Beware-of-FBI-virus--192079001.html

I would also recommend that all passwords be changed from a clean computer. Most important, inform all banks and credit card companies etc. what has happened so they will be on the lookout for strange happenings with your sister's accounts.
I would also recommend your sister inform friends she emails that her computer was infected so they are aware not to do things like opening email from her.
 

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home made Desktop
OS
Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU
Intel i7-6800K @ 4.3
Motherboard
ASUS X-99 Deluxe II
Memory
Corsair Platinum 16 gig @2400
Graphics Card(s)
EVGA GTX 1070 OC
Monitor(s) Displays
Asus 27" LED LCD/VE278Q
Screen Resolution
1920-1080 or 1280-720 HDMI
Hard Drives
INTEL SSD 730-240 Gb Sata 3.0/
PSU
EVGA Platium 1200W
Case
Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling
XSPC/ Water Cooled CPU
Keyboard
Das 4 Professional
Mouse
Logitech M705/MX Anywhere 2-S
Internet Speed
100 mbits
Antivirus
Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser
I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info
LG BluRay Burner/
Sound system-KLipsch-THX/
Icy Dock ssd Hot Swap bays.
Email can be a potential vector for infection since emails can be whole HTML webpages in their own right if they are not just plain text, and any attached files are obviously at risk of being virus carriers.
 

Computer type
PC/Desktop
Computer Manufacturer/Model Number
N/A (custom-built)
OS
Windows 7 Ultimate x64 SP1
CPU
Intel Core i7 2700K @ 3.5GHz (TurboBoost disabled)
Motherboard
ASUS P8Z68-V/GEN3
Memory
16GB (4x4GB) Kingston HyperX DDR3 1600MHz @ 1333MHz
Graphics Card(s)
Nvidia EVGA GeForce GTX 1060 6GB
Sound Card
Realtek High Definition Audio (motherboard integrated)
Monitor(s) Displays
NEC Multisync EX231W
Screen Resolution
1920x1080 @ 60Hz via DVI-D
Hard Drives
2x Western Digital 1TB SATA3 Caviar Black Internal HDD // 1x WD 500GB USB 3.0 "My Passport Essential" External HDD // 1x WD 1TB USB 3.0 "My Passport Essential" External HDD // 2x WD 2TB USB 3.0 "My Passport Essential" External HDD
PSU
Corsair Professional Series Gold AX850
Case
Antec 300
Cooling
Air-cooling
Keyboard
Steelseries 6Gv2
Mouse
Steelseries Sensei RAW Glossy, Logitech M500
Internet Speed
DSL (AT&T)
Antivirus
Microsoft Security Essentials
Browser
Pale Moon, Mozilla Firefox 12, Opera 12, Chromium, IE9
Other Info
Virtual Machines (VirtualBox):
* Japanese Windows XP Professional SP3
* Japanese Windows 7 Professional SP1
gregrocker.

... if those files can be trusted with MSE, MBAM and SAS scans alone

Have seen where System Restore was used on the ransomware, and, although apparently successful, it was not. Furthermore, for some reason, some of the scans used are missing the issue.

Further intervention using tools such as Farbar Recovery Scan Tool, RogueKiller, and OTL has finally cleared the machine.

To answer the question above, IMO, unless further malware removal work is done on this machine, it is not to be trusted.
 

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
Excellent advice cottonball! :geek:
 

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Thanks, Jacee.

I like to remove malware, vs. reinstall, but the truth is that on those ransomware infections, although they can be cleaned in most cases, the job is not an easy one. They are a big challenge.

The tools mentioned were just the ones that came to mind. In a real case scenario it goes much further than those.
 

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
Good point, cottonball. I have watched threads cleaning out infections lasting many days and 100-plus posts to get them clean.
This young lady has a brother that can do a clean install in his sleep in minutes and has guided many others to do the same. Well, the others had to stay awake. One clean computer and one happy sister in a very short time.
 

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home made Desktop
OS
Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU
Intel i7-6800K @ 4.3
Motherboard
ASUS X-99 Deluxe II
Memory
Corsair Platinum 16 gig @2400
Graphics Card(s)
EVGA GTX 1070 OC
Monitor(s) Displays
Asus 27" LED LCD/VE278Q
Screen Resolution
1920-1080 or 1280-720 HDMI
Hard Drives
INTEL SSD 730-240 Gb Sata 3.0/
PSU
EVGA Platium 1200W
Case
Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling
XSPC/ Water Cooled CPU
Keyboard
Das 4 Professional
Mouse
Logitech M705/MX Anywhere 2-S
Internet Speed
100 mbits
Antivirus
Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser
I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info
LG BluRay Burner/
Sound system-KLipsch-THX/
Icy Dock ssd Hot Swap bays.
Ransomware infections can be cleaned in most cases without reinstall. They rarely come with something else, and, according to analysis, many of them are poorly coded (though good at locking you out). HitmanPro Kickstart or other boot CDs/USBs like Norton Power Eraser should handle them (as long as they are updated).
 

OS
Windows 7 64 / Windows 8 64
Hi all
I'm really surprised at the advice offered here.

If the infection is a particularly nasty one how can you guarantee that ANY "Cleaning program" probably written before the virus was even THOUGHT of would clean the computer 100%. Also since the OS itself is infected how are you sure that even the OS will behave "Normally".

IMO there is EVER only ONE solution -- COMPLETE RESTORE from an UNINFECTED image. If you don't have one then you'll need to re-format the OS partition and re-install the OS.

ALWAYS KEEP OS IN ITS OWN SEPARATE PARTITION - AND TAKE REGULAR BACKUPS.

If you are doing a load of things on the Internet then DAILY SCAN your system -- if clean, back it up; otherwise restore from the previous night's backup. A typical W7 image backup won't take you long anyway and even a "Bare metal restore" won't take more than 30 mins even on a large system -- and if you are restoring to an SSD it will be a lot faster than that.

I've restored a W8 partition (similar in size to a typical W7 partition) from a USB3 external disk to an SSD in around 7 mins. The system had quite large programs too, such as Adobe CS6 Extended -- full suite etc.

Plenty of free backup programs too -- Macrium for example --although I use Acronis.

I repeat again ALWAYS TAKE REGULAR BACKUPS - this advice can't be repeated often enough --in fact a message should ideally appear DAILY -- Have you backed up the OS yet.

Cheers
jimbo
 

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom built, several laptops HP/ASUS
OS
Linux CENTOS 7 / various Windows OS'es and servers
CPU
Intel i7 Intel i5
Memory
8GB, 16GB
Graphics Card(s)
On Motherboard
Sound Card
Realtek HD audio
Monitor(s) Displays
Apple Cinema display, Samsung LCD
Screen Resolution
1920 X 1080
Hard Drives
4 X 1TB SATA
Mouse
Toshiba wireless laser
Internet Speed
> 20MB up
Jimbo45: Restore, even from a partition, is by no means much safer than cleaning using anti-malware tools. If anti-malware tools try to determine the problem and fix it, then restoring tries to fix all problems by copying one part of the infected machine's disk on top of the other.

Backups that are kept on the same machine are useful for a single thing only: restoring the data if something goes wrong and you corrupted/deleted it. If you want increased security, use read-only media like DVDs or reinstall.
That is my 2c.
 

OS
Windows 7 64 / Windows 8 64
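An added example, not from jimbo, the reply above, or any backup product: jimbo's rule is to restore only from an uninfected image, the objection is that an image kept on the same machine may itself have been touched, and Greg asked earlier whether his sister's month-old backup can be trusted. Whether a backup set still matches what was taken is something a hash manifest can answer, provided the manifest (or a MAC over it, together with the key) lives somewhere the infected machine cannot reach. The Python below builds such a manifest, MACs it, and later reports changed, missing and added files. The backup tree, file contents and key are constructed for the demo; the assumption is that the key and the manifest/MAC are kept on a separate clean machine or removable media, not beside the backup.

```python
"""Detect changes to a backup set with an off-machine hash manifest.

Added example for this thread, not from any poster or backup product.
The backup tree, its contents and the key below are constructed for the demo;
the key and the manifest/MAC are assumed to be kept on a separate clean machine.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def manifest_mac(manifest, key):
    """HMAC-SHA256 over canonical JSON: whoever edits the backup would also have
    to rewrite the manifest, and cannot produce a valid MAC without the key."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_backup(root, manifest, key, mac):
    """Check the manifest's MAC first, then diff the current tree against it."""
    if not hmac.compare_digest(manifest_mac(manifest, key), mac):
        raise ValueError("manifest MAC mismatch: do not trust this manifest")
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: take a manifest, then tamper with the backup."""
    key = b"constructed demo key - the real key lives off the backed-up machine"
    with tempfile.TemporaryDirectory() as backup:
        os.makedirs(os.path.join(backup, "docs"))
        with open(os.path.join(backup, "docs", "notes.txt"), "w") as f:
            f.write("constructed dictation notes\n")
        with open(os.path.join(backup, "report.docx"), "wb") as f:
            f.write(b"PK\x03\x04 constructed placeholder")
        manifest = build_manifest(backup)
        mac = manifest_mac(manifest, key)

        # Later, something on the machine alters the backup: one file is
        # modified and an executable with a lookalike name is dropped in.
        with open(os.path.join(backup, "report.docx"), "ab") as f:
            f.write(b" tampered")
        with open(os.path.join(backup, "report.docx.exe"), "wb") as f:
            f.write(b"MZ constructed")
        return verify_backup(backup, manifest, key, mac)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check tells you whether the backup is still the one you took; it cannot tell you whether it was clean when you took it, which is why jimbo pairs it with a scan before each backup. A manifest stored in the same folder as the backup, without the MAC and off-machine key, gives no such assurance, since whatever altered the backup could regenerate it.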