
Fake FBI Trojan Locked Up My PC! Help?

Post in 'DIY and General non-hearth advice' started by Hearth Mistress, May 29, 2013.

  1. begreen

    begreen Mooderator Staff Member

    Joined:
    Nov 18, 2005
    Messages:
    49,653
    Loc:
    South Puget Sound, WA
    By the description it sounds like they are detecting safe mode and restarting the computer if safe mode is detected. If so, the trojan has evolved, perhaps with a rootkit layer.

    PS: Whatever remedy is tried, first disconnect the machine from the internet by unplugging the ethernet cable or shutting off wifi.

  2. briansol

    briansol Minister of Fire

    Joined:
    Jan 18, 2009
    Messages:
    1,906
    Loc:
    central ct
    Get BartPE and boot from that CD (burn it at a friend's house). It will get you in.
  3. Hearth Mistress

    Hearth Mistress Minister of Fire

    Joined:
    Jan 24, 2012
    Messages:
    852
    Loc:
    Pt Pleasant, PA (SE PA)
    Ok. Well, it took a lot of time off and on running every scan under the sun, but I got it out! This was so embedded I couldn't load that Hitman software from the USB; I kept getting a boot disk error. I was finally able to get to the diagnostics partition using the on-screen keyboard (I don't even remember how I got there) and scan the entire system. It took all day, really, from 8:30 this AM until about 10:30 tonight. I was then able to get into safe mode and restore to an earlier restore point. I then ran Hitman from my USB drive - it found 19 instances of that damn ransomware and deleted them all. I was so impressed, I spent the $25 to buy the license so it can do a daily scan now.
    I also changed my hubby's user account to a "standard" login and created an admin for me. I then set up a virtual machine, but now I need to figure out how to load the OS on it; it's after midnight and that can wait until tomorrow.

    You guys are the best, I can't thank you enough for the ideas. I was about to just take it somewhere but love a techy challenge every now and then. After this mess, I've had enough of it for a long time ;)

    THANK YOU ALL FOR YOUR HELP!!
    vinny11950 likes this.
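The account split Hearth Mistress describes (everyday account demoted to a standard user, a separate admin for cleanup and installs), as an added example of doing it from an elevated PowerShell prompt. This is not code from the thread; it uses only the built-in net.exe commands, so it runs on Windows XP through 10 with PowerShell 2.0. The account names Hubby and HouseAdmin are placeholders.

```powershell
# Added example, not from the thread: demote the everyday account to a standard
# user and create a separate administrator, with a guard against locking
# yourself out. Run from an elevated PowerShell; only net.exe is used, so
# PowerShell 2.0 on Windows XP/7 is enough. Account names are placeholders.
$DailyUser = 'Hubby'       # the account that does all the browsing
$NewAdmin  = 'HouseAdmin'  # the admin you log in to for cleanup and installs

function Get-GroupMembers([string]$Group) {
    # 'net localgroup <group>' prints a header, a dashed line, one member per
    # line, then a footer; keep only the member lines, trimmed.
    net localgroup $Group |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' } |
        ForEach-Object { $_.Trim() }
}

# 1. Create the admin. The '*' makes net.exe prompt for the password instead
#    of leaving it in the command history.
net user $NewAdmin * /add
net localgroup Administrators $NewAdmin /add

# 2. Only demote the daily user once another administrator really exists;
#    otherwise you lock yourself out of your own machine.
$admins = @(Get-GroupMembers Administrators)
$others = @($admins | Where-Object { $_ -ne $DailyUser })
if ($admins -contains $NewAdmin -and $others.Count -ge 1) {
    net localgroup Administrators $DailyUser /delete
    # Local accounts are normally already in Users; this just makes sure.
    if (-not (@(Get-GroupMembers Users) -contains $DailyUser)) {
        net localgroup Users $DailyUser /add
    }
} else {
    Write-Warning "Not demoting ${DailyUser}: $NewAdmin is not an administrator yet."
}

# 3. Verify.
"Administrators: $(@(Get-GroupMembers Administrators) -join ', ')"
net user $DailyUser | Select-String 'Local Group Memberships'
```

The point of the split is not that a standard user cannot get infected; it is that malware running as a standard user can only write to that user's own profile and registry hive (HKCU), not to HKLM or the system folders, so the admin account stays usable for cleaning up, which is exactly what the "switched user to the admin one" recovery later in the thread relies on.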
  4. StihlHead

    StihlHead Guest

    You are welcome.

    Food gratuity accepted. ==c
    Hearth Mistress likes this.
  5. Seasoned Oak

    Seasoned Oak Minister of Fire

    Joined:
    Oct 17, 2008
    Messages:
    3,728
    Loc:
    Eastern Central PA
    See, isn't it more gratifying to do it yourself? Although it took forever, you know a bit more about your machine now for future endeavors. I think it took about an hour or so on my Win7 64-bit HP machine. Not quite sure, but I think I had to boot to a command prompt and go from there. I should have printed those instructions and saved them for future use. Makes you almost want to buy a Mac next time you're computer shopping ==c
    Hearth Mistress likes this.
  6. heat seeker

    heat seeker Minister of Fire

    Joined:
    Feb 25, 2011
    Messages:
    2,122
    Loc:
    Northern CT
    I did, and haven't looked back. Not one problem (so far…) in 3 years. There are attacks on Macs now, since there are enough of them to make it worth the idiots' time, sadly.
  7. Dave A.

    Dave A. Minister of Fire

    Joined:
    Mar 17, 2013
    Messages:
    614
    Loc:
    SE PA
    Glad to hear you got it fixed.

    As far as loading an operating system into a VM, it's usually pretty straightforward if you have the system in an image file on your HDD, or on a CD. You said you don't have Win7 on CD at present, but you might be able to download something from your manufacturer's website. If not, perhaps you have a copy of XP, or you could use a free copy of Linux.

    With just Linux you won't be able to use the VM to test Windows software, but you can use it to do safer browsing, with a browser for Linux like Opera, Firefox or others.

    Make the resources and disk space assigned to the vm low since you're generally going to be using it only for browsing in sites that you aren't sure of or familiar with. Though if you're not trusting your husband to be careful you could set it up so he does all his browsing there in the vm and give the vm more memory, disk space, etc. (The parameters will be there when you set up the VM and they can be modified later on if your needs change. I'd start smaller and increase as needed).

    I use one of my VMs with XP -- and software that won't run in Win7. I use VMware, which was free and allows what's called a "unity" mode where the XP apps in the VM blend in with my regular Win7 desktop and appear on the Win7 taskbar.

    Having the separate admin account and your husband's more limited account now is going to make things a lot safer for you, and you may find that a VM at this point is overkill. But the VM is something nice to have if and when you want to use it for any number of reasons, mostly however for this type of situation as a "sandbox" which you have a lot more control of than you do in some of the AV programs that offer sandbox capability.

    Am curious which VM software you have.

    The idea here is the VM is disposable, so if it gets infected (and even if it does, your regular system won't be affected) and you don't want to bother cleaning it up, you can just wipe out the VM and reload it. In some cases the VM software will let you go back to a previous state before the infection.

    PS Was going to offer some other suggestions for others to try who run into this Malware:

    1. The MS Defender option given by RG sounded good too -- it's free and also loadable on a boot disk if you can't get into a command prompt from the HDD.
    2. Working around the virus and trying to see if you had control over programs with tools like:
    a. Right mouse click to try showing the desktop (doing this over the taskbar area)
    b. Task switcher commands like Alt+Tab, Windows key + R (to bring up msconfig, e.g.) or just the Windows key to bring up the Start menu.
  8. Hearth Mistress

    Hearth Mistress Minister of Fire

    Joined:
    Jan 24, 2012
    Messages:
    852
    Loc:
    Pt Pleasant, PA (SE PA)
    I installed Microsoft VM from their website. I have XP on CD; I wasn't sure if I could run two different OSes. Test software, hah, we won't be doing any of that ;)

    I also went out and bought a 1 TB portable hard drive today so I can use that as a backup too. Just out of curiosity, when I was at Staples I asked their tech guy how much it would have been to have it removed: "$150 and up". He couldn't define "and up" and told me they had 9 PCs in there now locked up with the same ransomware bug.

    I didn't mess around with it today but it seems to be back up and running even better than before. I figured I'd add the VM just to have it so my hubby can watch all of the foreign "gun porn" he wants without it taking me a precious weekend day to recover the computer the next time this happens!
  9. Dave A.

    Dave A. Minister of Fire

    Joined:
    Mar 17, 2013
    Messages:
    614
    Loc:
    SE PA
    What I meant was test new downloaded software for virus infection. You never said how you got this malware, and since you weren't using it you likely don't know. Myself, the only times I've got infected with things is when I was installing supposedly cracked or hacked software, and my antivirus didn't pick it up for one reason or another, which many times they don't. So the idea of having the VM for software testing is that you'd install the software on the VM first to see if there was obvious malware there after a reboot -- and you can do the reboot of the VM without shutting down and restarting your real computer.

    But other ways to get malware are from questionable websites or even opening links in certain emails. So to protect yourself there, you'd browse the questionable sites from the browser in your VM. And paste the email links into the VM browser, or just set up your email in the VM if you want to be able to just click on the links in the emails (but doing the latter may have other consequences)

    Clicking on certain ads has been described as a source for malware and there also have been problems with malicious scripts on sites. I use Firefox with the Adblock and NoScript add ons. But that requires more thought and effort than the average person might be willing to do. E.g. with noscript if a page doesn't display right, I'll have to realize that noscript is blocking something necessary and I have to turn on scripts for the site at least temporarily and then permanently when I trust the site.

    Following the steps, it looked like Hitman was geared towards removing certain tracking cookies, adware, and the like. The way you describe your husband's browsing, there's probably a lot of that, which can slow down the computer. Might be a good idea to regularly (monthly?) clean up his computer. (Though my version of free Malwarebytes has generally done a pretty good job of finding that sort of thing, as I recall anyway.)
  10. Seasoned Oak

    Seasoned Oak Minister of Fire

    Joined:
    Oct 17, 2008
    Messages:
    3,728
    Loc:
    Eastern Central PA
    YOU will fix it a lot quicker if it happens again. Mine locked up while I was on hearth.com, although it was probably infected previously and something caused it to activate then.
  11. briansol

    briansol Minister of Fire

    Joined:
    Jan 18, 2009
    Messages:
    1,906
    Loc:
    central ct
    Macs are not at all safe. If you think they are, you're probably infected.
    I fix my gf's PowerBook once a month with her n00b browsing skills. HEY LOOK ! I WON!!! AND HAVE A NIGERIAN UNCLE!!!

    FML :(
  12. Hearth Mistress

    Hearth Mistress Minister of Fire

    Joined:
    Jan 24, 2012
    Messages:
    852
    Loc:
    Pt Pleasant, PA (SE PA)
    Well, this darn thing is back again today, but thanks to the great advice here from last time around, in 10 minutes it was fixed. I just switched user to the admin one I set up, ran the virus program, found it, deleted it, rebooted, done!
    My hubby hasn't been on it in a few days though, working a lot of OT, so I'm not sure what tripped it this time. We never turn off the computer, just the monitor, and the PC goes to sleep after 15 mins of inactivity. Does that leave the IP address vulnerable? The computer is hard-wired to a router so I can split it out to the wireless for my laptop and iPad. I just don't know how to keep this from happening, as all of the antivirus stuff is up to date; it updates and scans at 3am every day, but this ransomware keeps sneaking in! Ideas?
  13. Sprinter

    Sprinter Minister of Fire

    Joined:
    Jul 1, 2012
    Messages:
    2,072
    Loc:
    SW Washington
    Just a thought here. Have you disabled Java in your browsers? Java (not Javascript) is practically an open portal for malware. It's generally recommended to disable it in the browsers or uninstall it from your OS.
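Sprinter's suggestion, as an added example of how to check for it and act on it rather than hunting through the Control Panel. This is not code from the thread: it lists the Java runtimes registered in Add/Remove Programs (both registry views on 64-bit Windows), prints the uninstall command for each without running it, and, if Java must stay for a desktop program, disables the browser plug-in for the current user. The per-user properties path under AppData\LocalLow is the Java default on Windows Vista and later; the deployment.webjava.enabled switch exists from Java 7 Update 10 onward.

```powershell
# Added example, not from the thread: find installed Java runtimes and turn
# off the browser plug-in for the current user. Windows Vista/7 or later and
# PowerShell 2.0 or later assumed. Run as the user whose browser you are
# protecting (the properties file is per user).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit Java on 64-bit Windows
)
$java = @(Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
          Where-Object { $_.DisplayName -like 'Java*' } |
          Select-Object DisplayName, DisplayVersion, UninstallString)

if ($java.Count -eq 0) {
    'No Java runtime is registered in Add/Remove Programs.'
} else {
    $java | Format-Table -AutoSize
    # Option A (the cleaner choice): remove it. Each UninstallString is what
    # Add/Remove Programs runs; Java's installers are MSI based, so appending
    # /qn removes without prompts. Printed here, not executed.
    $java | ForEach-Object { "To remove $($_.DisplayName): $($_.UninstallString) /qn" }
}

# Option B: keep Java but stop browsers from loading it. This writes the same
# setting the Java Control Panel changes when "Enable Java content in the
# browser" is unticked, into the per-user deployment.properties file.
$propsDir  = "$env:USERPROFILE\AppData\LocalLow\Sun\Java\Deployment"
$propsFile = "$propsDir\deployment.properties"
if (-not (Test-Path $propsDir)) { New-Item -ItemType Directory -Path $propsDir | Out-Null }
$lines = @()
if (Test-Path $propsFile) {
    # Drop any existing copy of the key so the file ends up with exactly one.
    $lines = @(Get-Content $propsFile | Where-Object { $_ -notmatch '^deployment\.webjava\.enabled=' })
}
$lines += 'deployment.webjava.enabled=false'
Set-Content -Path $propsFile -Value $lines -Encoding ASCII
"Java browser plug-in disabled for $env:USERNAME in $propsFile; restart the browser."
```

Option B only helps with Java 7 Update 10 or later; a leftover Java 6 or early Java 7 ignores the setting and still answers to the browser, so anything older in the listing should simply be removed. Repeat Option B for each user account on the machine, since the file is per user.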
  14. Hearth Mistress

    Hearth Mistress Minister of Fire

    Joined:
    Jan 24, 2012
    Messages:
    852
    Loc:
    Pt Pleasant, PA (SE PA)
    No, not that I did intentionally anyway. I know there is that coffee cup logo in the programs list. I'll Google it to see how to do it! Thanks for the idea ;)
  15. Sprinter

    Sprinter Minister of Fire

    Joined:
    Jul 1, 2012
    Messages:
    2,072
    Loc:
    SW Washington
    Another program especially adept at rootkits is McAfee Stinger http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

    Some self-booting rescue disks you can download and burn as .iso images are:

    Kaspersky rescue Disk https://support.kaspersky.com/viruses/rescuedisk

    Windows Defender Offline http://windows.microsoft.com/is-is/windows/what-is-windows-defender-offline

    F-Secure Rescue Disc http://www.f-secure.com/de/web/labs_global/removal-tools/-/carousel/view/142

    AVG Rescue Disk http://www.avg.com/us-en/avg-rescue-cd

    Sometimes these things are persistent and multiple fronts are needed. The self-booting rescue disk programs are the best to use for stubborn problems. They run completely independently of Windows and are dedicated to this kind of problem. You do need to download the program and burn the .iso to a DVD or CD, and then it will boot itself when you reboot your computer.
  16. Wildo

    Wildo Feeling the Heat

    Joined:
    Dec 14, 2011
    Messages:
    323
    Loc:
    jackmanistan, maine
    Bitdefender rocks as well
  17. begreen

    begreen Mooderator Staff Member

    Joined:
    Nov 18, 2005
    Messages:
    49,653
    Loc:
    South Puget Sound, WA
    Did you write down the name of the bug that the virus program found and quarantined? Many of these programs will seed the OS in multiple locations and user accounts to escape eradication. You need to look up the bug and find all the files it creates. Then delete every single copy of their seed. If that doesn't work, it is possible that a copy is on the root of the drive, which will require much more aggressive tactics, or you will be playing whack-a-mole for weeks.
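begreen's point about seeds in several locations and user accounts, and the earlier question of why the locker keeps coming back after a scan from the admin account, as an added example of how to look for yourself. This is not code from the thread: it lists the auto-start locations a screen locker can relaunch from (Run/RunOnce keys, the Winlogon Shell and Userinit values, Startup folders, scheduled tasks) for every user profile on the machine, not just the one you are logged in as. It reports only and deletes nothing. It assumes an elevated PowerShell 2.0 or later on Windows 7 and an English Windows for the schtasks column names; the TempHive name is a placeholder used in the usage note.

```powershell
# Added example, not from the thread: report common auto-start locations for
# every user profile so a locker seeded into several accounts shows up in one
# listing. Reports only. Elevated PowerShell 2.0+ on Windows 7 assumed;
# English locale assumed for the schtasks column names.
$report = New-Object System.Collections.ArrayList
function Add-Finding([string]$Where, [string]$Name, [string]$Value) {
    [void]$report.Add((New-Object PSObject -Property @{ Where = $Where; Name = $Name; Value = $Value }))
}

# 1. Run/RunOnce under HKLM (32- and 64-bit views) and under every loaded user
#    hive. HKEY_USERS only holds hives of users who are logged in, plus any hive
#    loaded by hand as HKU\TempHive (see the note below).
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$roots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') +
         @(Get-ChildItem HKU: | Where-Object { $_.PSChildName -match '^(S-1-5-21-[\d-]+|TempHive)$' } |
           ForEach-Object { "HKU:\$($_.PSChildName)\Software" })
$userinitOk = '^' + [regex]::Escape("$env:windir\system32\userinit.exe") + ',?$'

foreach ($root in $roots) {
    foreach ($sub in 'Microsoft\Windows\CurrentVersion\Run', 'Microsoft\Windows\CurrentVersion\RunOnce') {
        $key = "$root\$sub"
        if (Test-Path $key) {
            (Get-ItemProperty $key).PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS' } |          # skip the PSPath etc. metadata
                ForEach-Object { Add-Finding $key $_.Name $_.Value }
        }
    }
    # 2. Winlogon: anything other than explorer.exe in Shell, or a Userinit that
    #    is not the system one, starts in place of the desktop at logon. The
    #    per-user copy of this key under HKU counts just as much as HKLM's.
    $wl = "$root\Microsoft\Windows NT\CurrentVersion\Winlogon"
    if (Test-Path $wl) {
        $v = Get-ItemProperty $wl
        if ($v.Shell -and $v.Shell -ne 'explorer.exe')           { Add-Finding $wl 'Shell (not explorer.exe)' $v.Shell }
        if ($v.Userinit -and $v.Userinit -notmatch $userinitOk)  { Add-Finding $wl 'Userinit (unexpected)'   $v.Userinit }
    }
}

# 3. Startup folders: the all-users one and each profile's own. A shortcut or
#    .exe here runs at every logon with that user's rights, even when the
#    registry is clean.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") +
    @(Get-ChildItem "$env:SystemDrive\Users" -ErrorAction SilentlyContinue |
      Where-Object { $_.PSIsContainer } |
      ForEach-Object { "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" })
foreach ($d in $startupDirs) {
    if (Test-Path $d) {
        Get-ChildItem $d -Force | Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
            ForEach-Object { Add-Finding $d $_.Name $_.FullName }
    }
}

# 4. Scheduled tasks. schtasks repeats its CSV header row per task folder, so
#    drop those, and skip entries that run straight out of the Windows folder.
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -and
                   $_.'Task To Run' -notmatch '^(COM handler|%windir%|%SystemRoot%)' } |
    ForEach-Object { Add-Finding "Task $($_.TaskName)" $_.'Run As User' $_.'Task To Run' }

$report | Sort-Object Where | Format-Table Where, Name, Value -AutoSize -Wrap
```

Scanning from the admin account only covers hives that are loaded, and a user who is not logged in has no hive in HKEY_USERS; to check that account too, load its hive first with `reg load HKU\TempHive C:\Users\<name>\NTUSER.DAT` (run as admin, with that user logged off), rerun the script, then `reg unload HKU\TempHive`. Anything the listing shows that you did not install yourself is what to look up by name before deleting it, and an entry pointing into a user's AppData or Temp folder deserves a close look.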
  18. Sprinter

    Sprinter Minister of Fire

    Joined:
    Jul 1, 2012
    Messages:
    2,072
    Loc:
    SW Washington
    Just thought of another vulnerability. "Windows Gadgets" (AKA the Sidebar) are a known problem. If you are using this, Microsoft has developed an easy way to disable it and they recommend doing so. http://support.microsoft.com/kb/2719662

    If you like gadgets, Google has some that are (hopefully) safe.
  19. briansol

    briansol Minister of Fire

    Joined:
    Jan 18, 2009
    Messages:
    1,906
    Loc:
    central ct
    The biggest thing now that you are functional is to BACK UP YOUR DATA OFF SITE so that the next time, you can simply 'throw out' your hard drive with a re-format and re-install of Windows, and still have all your pics/docs/etc.
    Use a service like Google Drive, Amazon S3, or pay for a service like mozy.com. Or at least use USB thumb sticks, but don't rely on these as they break all the time.
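briansol's backup advice and the portable 1 TB drive Hearth Mistress bought, as an added example of a local backup that survives the "re-format and re-install" recovery. This is not code from the thread; it uses robocopy, which ships with Windows Vista and later. The drive letter E:, the folder list and the number of copies kept are placeholders. It keeps a dated copy per run rather than mirroring, because a mirror copies whatever state the source is in, damaged files included, over the only good copy you have.

```powershell
# Added example, not from the thread: copy the folders that matter to an
# external drive, one dated folder per run, and prune old runs. Windows
# Vista+ and PowerShell 2.0+ assumed; drive letter and folders are placeholders.
$Dest    = 'E:\Backups'                                          # the external drive
$Sources = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures")
$Keep    = 6                                                     # dated copies to retain

# Refuse to run if the drive is not attached: no silent "backup" to nowhere.
$driveRoot = (Split-Path $Dest -Qualifier) + '\'
if (-not (Test-Path $driveRoot)) { throw "Backup drive $driveRoot not present; plug it in first." }

$stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
$run   = Join-Path $Dest $stamp
$log   = Join-Path $Dest "backup_$stamp.log"
New-Item -ItemType Directory -Path $run | Out-Null

foreach ($src in $Sources) {
    if (-not (Test-Path $src)) { Write-Warning "Skipping missing folder $src"; continue }
    $name = Split-Path $src -Leaf
    # /E   copy subfolders including empty ones   /XJ   skip junctions (avoids loops)
    # /R:1 /W:1 do not hang on locked files       /NP   no per-file progress
    # /LOG+ append everything to one log on the backup drive
    robocopy $src (Join-Path $run $name) /E /XJ /R:1 /W:1 /NP "/LOG+:$log" | Out-Null
    # robocopy exit codes 0-7 mean success or partial copies; 8 and up mean errors.
    if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported errors for $src (code $LASTEXITCODE); see $log" }
}

# Prune: keep the newest $Keep dated folders. Only folders whose name matches
# the timestamp pattern are touched, so other files on the drive are left alone.
Get-ChildItem $Dest | Where-Object { $_.PSIsContainer -and $_.Name -match '^\d{4}-\d{2}-\d{2}_\d{4}$' } |
    Sort-Object Name -Descending | Select-Object -Skip $Keep |
    ForEach-Object { Remove-Item $_.FullName -Recurse -Force }

"Backup finished: $run"
```

Unplug the drive when the run is finished. A backup drive that stays attached is just another drive letter to the next infection, and a dated copy only helps if at least one copy was taken before the machine was compromised, which is also why several are kept rather than one.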
