Fake FBI Trojan Locked Up My PC! Help?

By the description it sounds like they are detecting safe mode and restarting the computer if safe mode is detected. If so, the trojan has evolved, perhaps with a rootkit layer.

PS: Whatever remedy is tried, first disconnect the machine from the internet by unplugging the ethernet cable or shutting off wifi.
 
Get BartPE and boot from that CD (burn it at a friend's house). It will get you in.
 
Ok. Well, it took a lot of time off and on running every scan under the sun, but I got it out! This was so embedded I couldn't load that Hitman software from the USB; I kept getting a boot disk error. I was finally able to get to the diagnostics partition using the on-screen keyboard (I don't even remember how I got there) and scan the entire system. It took all day, really, from 8:30 this AM until about 10:30 tonight. I was then able to get into safe mode and restore to an earlier restore point. I then ran Hitman from my USB drive - it found 19 instances of that damn ransomware and deleted them all. I was so impressed, I spent the $25 to buy the license so it can do a daily scan now.
I also changed my hubby's user account to a "standard" login and created an admin for me. I then set up a virtual machine, but now I need to figure out how to load the OS on it. It's after midnight and that can wait until tomorrow.

You guys are the best, I can't thank you enough for the ideas. I was about to just take it somewhere but love a techy challenge every now and then. After this mess, I've had enough of it for a long time ;)

THANK YOU ALL FOR YOUR HELP!!
 
See, isn't it more gratifying to do it yourself? Although it took forever, you know a bit more about your machine now for future endeavors. I think it took about an hour or so on my Win7 64-bit HP machine. Not quite sure, but I think I had to boot to a command prompt and go from there. I should have printed those instructions and saved them for future use. Makes you almost want to buy a Mac next time you're computer shopping.
 
Makes you almost want to buy a Mac next time you're computer shopping

I did, and haven't looked back. Not one problem (so far…) in 3 years. There are attacks on Macs now, since there are enough of them to make it worth the idiots' time, sadly.
 
Glad to hear you got it fixed.

As far as loading an operating system into a VM, it's usually pretty straightforward if you have the system in an image file on your HDD, or a CD. You said you don't have Win7 on CD at present, but you might be able to download something from your manufacturer's website. If not, perhaps you have a copy of XP, or you could use a free copy of Linux.

With just Linux you won't be able to use the VM to test Windows software, but you can use it to do safer browsing, with a browser for Linux like Opera, Firefox or others.

Make the resources and disk space assigned to the VM low, since you're generally going to be using it only for browsing sites that you aren't sure of or familiar with. Though if you're not trusting your husband to be careful, you could set it up so he does all his browsing there in the VM and give the VM more memory, disk space, etc. (The parameters will be there when you set up the VM and they can be modified later on if your needs change. I'd start smaller and increase as needed.)

I use one of my VMs with XP -- and software that won't run in Win7. I use VMware, which was free and allows what's called a "unity" mode where the XP apps in the VM blend in with my regular Win7 desktop and appear on the Win7 taskbar.

Having the separate admin account and your husband's more limited account now is going to make things a lot safer for you, and you may find that a VM at this point is overkill. But the VM is something nice to have if and when you want to use it, for any number of reasons, mostly however for this type of situation as a "sandbox" which you have a lot more control of than you do in some of the AV programs that offer sandbox capability.

Am curious which VM software you have.

The idea here is the VM is disposable, so if it gets infected (and even if it does, your regular system won't be affected) and you don't want to bother cleaning it up, you can just wipe out the VM and reload it. In some cases the VM software will let you roll back to a previous state before the infection.

PS: Was going to offer some other suggestions for others to try who run into this malware:

1. The MS Defender option given by RG sounded good too -- it's free and also loadable on a boot disk if you can't get into a command prompt from the HDD.
2. Working around the virus and trying to see if you had control over programs with tools like:
a. Right mouse click to try showing the desktop (doing this over the taskbar area).
b. Task switcher commands like Alt + Tab, Windows key + R (to bring up msconfig, e.g.) or just the Windows key to bring up the start menu.
 
I installed Microsoft VM from their website. I have XP on CD; I wasn't sure if I could run two different OSes. Test software, hah, we won't be doing any of that ;)

I also went out and bought a 1TB portable hard drive today so I can use that as a backup too. Just out of curiosity, when I was at Staples I asked their tech guy how much it would have been to have it removed: "$150 and up". He couldn't define "and up" and told me they had 9 PCs in there now locked up with the same ransomware bug.

I didn't mess around with it today but it seems to be back up and running even better than before. I figured I'd add the VM just to have it so my hubby can watch all of the foreign "gun porn" he wants without it taking me a precious weekend day to recover the computer the next time this happens!
 
Test software, hah, we won't be doing any of that

What I meant was test newly downloaded software for virus infection. You never said how you got this malware, and since you weren't using it you likely don't know. Myself, the only times I've got infected with things is when I was installing supposedly cracked or hacked software, and my antivirus didn't pick it up for one reason or another, which many times they don't. So the idea of having the VM for software testing is that you'd install the software on the VM first to see if there was obvious malware there after a reboot -- and you can do the reboot of the VM without shutting down and restarting your real computer.

But other ways to get malware are from questionable websites or even opening links in certain emails. So to protect yourself there, you'd browse the questionable sites from the browser in your VM. And paste the email links into the VM browser, or just set up your email in the VM if you want to be able to just click on the links in the emails (but doing the latter may have other consequences).

Clicking on certain ads has been described as a source of malware, and there also have been problems with malicious scripts on sites. I use Firefox with the Adblock and NoScript add-ons. But that requires more thought and effort than the average person might be willing to put in. E.g. with NoScript, if a page doesn't display right, I'll have to realize that NoScript is blocking something necessary and I have to turn on scripts for the site, at least temporarily and then permanently when I trust the site.

I didn't mess around with it today but it seems to be back up and running even better than before.

Following the steps, it looked like Hitman was geared towards removing certain tracking cookies, adware, and the like. The way you describe your husband's browsing, there's probably a lot of that which can slow down the computer. Might be a good idea to regularly (monthly?) clean up his computer. (Though my version of free Malwarebytes has generally done a pretty good job of finding that sort of thing, as I recall anyway.)
 
You will fix it a lot quicker if it happens again. Mine locked up while I was on hearth.com, although it was probably infected previously and something caused it to activate then.
 
Macs are not at all safe. If you think they are, you're probably infected.
I fix my gf's PowerBook once a month with her n00b browsing skills. HEY LOOK! I WON!!! AND HAVE A NIGERIAN UNCLE!!!

FML :(
 
Well, this darn thing is back again today, but thanks to the great advice here from last time around, in 10 minutes it was fixed. I just switched user to the admin one I set up, ran the virus program, found it, deleted it, rebooted, done!
My hubby hasn't been on it in a few days though, working a lot of OT, so I'm not sure what tripped it this time. We never turn off the computer, just the monitor, and the PC goes to sleep after 15 mins of inactivity. Does that leave the IP address vulnerable? The computer is hard-wired to a router so I can split it out to the wireless for my laptop and iPad. I just don't know how to keep this from happening, as all of the antivirus stuff is up to date; it updates and scans at 3am every day, but this ransomware keeps sneaking in! Ideas?
 
Just a thought here. Have you disabled Java in your browsers? Java (not Javascript) is practically an open portal for malware. It's generally recommended to disable it in the browsers or uninstall it from your OS.
 
Just a thought here. Have you disabled Java in your browsers? Java (not Javascript) is practically an open portal for malware. It's generally recommended to disable it in the browsers or uninstall it from your OS.
No, not that I did intentionally, anyway. I know there is that coffee cup logo in the programs list. I'll google it to see how to do it! Thanks for the idea ;)
 
Another program especially adept at rootkits is McAfee Stinger http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

Some self-booting rescue disks you can download and burn as .iso images are:

Kaspersky Rescue Disk https://support.kaspersky.com/viruses/rescuedisk

Windows Defender Offline http://windows.microsoft.com/is-is/windows/what-is-windows-defender-offline

F-Secure Rescue Disc http://www.f-secure.com/de/web/labs_global/removal-tools/-/carousel/view/142

AVG Rescue Disk http://www.avg.com/us-en/avg-rescue-cd

Sometimes these things are persistent and multiple fronts are needed. The self-booting rescue disk programs are the best to use for stubborn problems. They run completely independently of Windows and are dedicated to this kind of problem. You do need to download the program and burn it to a DVD or CD as a .iso, and then it will boot itself when you reboot your computer.
 
Bitdefender rocks as well
 
Did you write down the name of the bug that the virus program found and quarantined? Many of these programs will seed the OS in multiple locations and user accounts to escape eradication. You need to look up the bug and find all the files it creates. Then delete every single copy of their seed. If that doesn't work, it is possible that a copy is on the root of the drive, which will require much more aggressive tactics or you will be playing whack-a-mole for weeks.
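A way to check the "multiple locations and user accounts" point above, added here as an example and not something posted in the thread: this lists the standard Windows autostart entries (the Run/RunOnce registry keys and the Startup folders) for the machine and for every loaded user profile, so an entry re-seeded under several accounts shows up in one listing. It assumes an elevated PowerShell prompt on Windows Vista or later; the paths are the standard ones and nothing in it is tied to one malware family.

```powershell
function Get-AutostartEntries {
    # Run/RunOnce keys, checked in HKLM (applies to all accounts) and in every
    # user hive currently loaded under HKEY_USERS (logged-on users, .DEFAULT,
    # service SIDs). A profile that is not logged on is not loaded, so log in as
    # that user, or load its hive with reg.exe, to inspect it as well.
    $runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $hives = @('HKEY_LOCAL_MACHINE')
    $hives += Get-ChildItem 'Registry::HKEY_USERS' |
              Where-Object { $_.PSChildName -notlike '*_Classes' } |
              ForEach-Object { "HKEY_USERS\$($_.PSChildName)" }

    foreach ($hive in $hives) {
        foreach ($k in $runKeys) {
            $path = "Registry::$hive\$k"
            if (-not (Test-Path -Path $path)) { continue }
            $key = Get-Item -Path $path
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{
                    Location = "$hive\$k"; Name = $name; Command = $key.GetValue($name)
                }
            }
        }
    }

    # Startup folders: any shortcut or executable here runs at logon for that
    # profile; the ProgramData folder applies to every account.
    $dirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
    $dirs += Get-ChildItem "$env:SystemDrive\Users" | Where-Object { $_.PSIsContainer } |
             ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
    foreach ($d in $dirs) {
        if (-not (Test-Path -Path $d)) { continue }
        Get-ChildItem -Path $d | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            New-Object PSObject -Property @{ Location = $d; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Anything you do not recognise, especially an odd name whose command points into
# AppData, Temp or a user profile, is what to look up and then remove from every
# location it appears in.
Get-AutostartEntries | Sort-Object Location, Name | Format-Table Location, Name, Command -AutoSize -Wrap
```

Comparing the listing before and after a clean-up shows whether the entry has really gone from every profile, which is the "whack-a-mole" the post warns about.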
 
Just thought of another vulnerability. "Windows Gadgets" (AKA Sidebars) are a known problem. If you are using this, Microsoft has developed an easy way to disable it, and they recommend doing so. http://support.microsoft.com/kb/2719662

If you like gadgets, Google has some that are (hopefully) safe.
 
The biggest thing now that you are functional is to BACK UP YOUR DATA OFF SITE, so that the next time, you can simply 'throw out' your hard drive with a re-format and re-install of Windows, and still have all your pics/docs/etc.
Use a service like Google Drive or Amazon S3, or pay for a service like mozy.com. Or at least use USB thumb sticks, but don't rely on these as they break all the time.
 