Old 11-05-2012, 08:25 PM   #1
muskyx1
Member
 
Join Date: Apr 2005
Posts: 115
Help With FBI Fake Virus - Malwarebytes Did Not Detect It

So my PC was locked up by that Fake FBI MoneyPack virus. Rebooted into safe mode and ran Malwarebytes using the latest updates (it was already installed at the time of the infection). Problem now is that it did not detect it.

Would really appreciate some help.
Old 11-05-2012, 09:08 PM   #2
KeithP
Diamond Member
 
Join Date: Jun 2000
Location: Sacramento
Posts: 3,942

You might try the free edition of SuperAntiSpyware. You could also take a look at http://windows.microsoft.com/en-US/w...fender-offline

-KeithP
__________________
Heat 64-0-0
Old 11-05-2012, 09:23 PM   #3
SagaLore
Elite Member
 
Join Date: Dec 2001
Posts: 23,658

Your safest action is to back your stuff up, and reformat the drive (including resetting the mbr).

If you visit risky sites, you should log in with a limited user account, use Firefox with NoScript, keep Flash up to date, don't let the browser invoke Adobe Reader, and uninstall Java if you don't need it.
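The post above is a checklist; the PowerShell below is an added example (not from the thread, not from any tool it names) that reports how far a Windows 7-era machine is from that checklist: whether the account used for browsing is a local administrator, and which of Java, Flash, Reader and Acrobat are registered in the Uninstall keys so you can patch or remove them. It assumes a standard registry layout and is run as the account that actually browses; no elevation is needed.

```powershell
# Added example, not from the post: report how far this machine is from the
# advice above. Run as the account that actually browses; no admin needed.

# 1. Is the browsing account a local administrator? A limited account cannot
#    write the HKLM Run keys or Winlogon values that most of these rogues use.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Browsing account $($identity.Name) is a local administrator: $isAdmin"

# 2. Inventory the plug-ins the post names, from the Uninstall keys (the
#    64-bit view, the Wow6432Node view and per-user installs). Anything listed
#    here that you do not use is attack surface: uninstall it or keep it patched.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$watch = 'Java', 'Adobe Flash Player', 'Adobe Reader', 'Adobe Acrobat'
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Where-Object { $name = $_.DisplayName; ($watch | Where-Object { $name -like "$_*" }) } |
    Select-Object DisplayName, DisplayVersion, InstallDate |
    Sort-Object DisplayName
if ($installed) { $installed | Format-Table -AutoSize }
else { 'None of Java, Flash, Reader or Acrobat is registered in Uninstall.' }
```

Two lines of output for the same product (for example a 32-bit and a 64-bit Java) are normal on x64 and both need patching or removing.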
Old 11-05-2012, 11:00 PM   #4
muskyx1
Member
 
Join Date: Apr 2005
Posts: 115

Weird, I have WinPatrol installed, which detects unwanted startup programs and asks you if it's OK. When I booted into safe mode, the latest startup program entry was userinit.exe. I ran both Malwarebytes and SuperAntiSpyware, and both found nothing. I booted up in regular mode and the fake FBI screen popped up again. I booted back into safe mode and deactivated the userinit.exe startup program in WinPatrol, and again booted up normally. The fake FBI screen has yet to return. Is it possible that the userinit.exe is also fake and related to this FBI malware? Every 5 minutes or so, WinPatrol warns me that it's trying to re-join the startup programs again.

Last edited by muskyx1; 11-05-2012 at 11:07 PM. Reason: spelling
Old 11-06-2012, 06:06 AM   #5
jmarti445
Senior Member
 
Join Date: Dec 2003
Location: Baltimore, MD
Posts: 298

I can easily assist: remove the virus from the startup folder and reboot Windows. It's scareware and easy to remove.
Old 11-08-2012, 10:10 PM   #6
Iron Woode
Lifer
 
Join Date: Oct 1999
Location: London, Ontario Canada
Posts: 20,191

Quote:
Originally Posted by muskyx1
Weird, I have WinPatrol installed, which detects unwanted startup programs and asks you if it's OK. When I booted into safe mode, the latest startup program entry was userinit.exe. I ran both Malwarebytes and SuperAntiSpyware, and both found nothing. I booted up in regular mode and the fake FBI screen popped up again. I booted back into safe mode and deactivated the userinit.exe startup program in WinPatrol, and again booted up normally. The fake FBI screen has yet to return. Is it possible that the userinit.exe is also fake and related to this FBI malware? Every 5 minutes or so, WinPatrol warns me that it's trying to re-join the startup programs again.
MSCONFIG is your friend at this point. Disable everything in Startup, then reboot and see what happens.

Malwarebytes isn't perfect. You can also try MSE.

I bet Hitman Pro can remove this infection.
__________________
My Rigs

When I was four I gave myself a needle and the whole hospital said I got shot when I was 22 and asian. I drove a black honda. - catchphrase

Compare your lives to mine and then kill yourselves
Old 11-09-2012, 01:35 AM   #7
ZimZum
Golden Member
 
Join Date: Aug 2001
Posts: 1,276

Emsisoft emergency kit.
Old 11-10-2012, 06:39 AM   #8
MadScientist
Golden Member
 
Join Date: Jul 2001
Location: TN
Posts: 1,828

I would run rkill in safe mode with networking first. http://www.bleepingcomputer.com/download/rkill/ Then check your LAN settings in IE to make sure that "proxy server" is not checked. Then run MBAM.

http://www.fixpcyourself.com/how-to-...oneypak-virus/

If MBAM still does not detect it try this, run rkill first:
http://www.bleepingcomputer.com/viru...pak-ransomware
__________________
Asrock Z68 Extreme 4, i5-2500K @4.6 Ghz, 1.340V, Lian Li PC-7A Plus, Corsair A70, Corsair Force Series 3 120GB SSD, Samsung Spinpoint HD103SJ 1TB, 16GB Kingston HyperX DDR3 1600 @1.575V,Seasonic M12II 620W PSU, MSI GeForce GTX 650 Ti, Samsung SH-S223B, Win 7 Ultimate 64bit

Last edited by MadScientist; 11-10-2012 at 06:41 AM.
Old 11-16-2012, 07:15 PM   #9
Danimal1209
Senior Member
 
Join Date: Nov 2011
Posts: 329

Using MSCONFIG > Startup Tab > the second column shows manufacturer. Usually, illegitimate software will say Unknown.
Old 11-24-2012, 03:36 AM   #10
tcsenter
Lifer
 
Join Date: Sep 2001
Location: Central California
Posts: 16,904

Offline detection and cleaning FTW. I always keep an external enclosure handy, for PATA and SATA, in both 2.5" and 3.5". Anyone comes to me with one of these nasty rogue programs, the drive automatically goes into an external enclosure and I run three proggies on it from another computer: MSSE, MalwareBytes, and then a top AV product like Norton, BitDefender, or Kaspersky. Sure, it takes a while, but it's not like you must sit there watching the progress indicator.
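Posts #4, #8, #9 and #10 between them describe a manual triage: look at what is set to start (the suspect userinit.exe entry that keeps re-adding itself), check that each startup entry's publisher is known rather than "Unknown", make sure IE is not pointed at a rogue proxy, and do it from a clean machine with the infected drive in an enclosure. The PowerShell script below is an added example that does those checks in one pass; it is not code from the thread or from any of the tools named. It assumes Windows installed on C:\, an elevated prompt, and two parameter names of my own (-HiveRoot and -UserHive) that default to the live registry but can point at hives loaded with reg load from the external drive.

```powershell
param(
    # Root of the SOFTWARE hive to inspect. Default is the live machine; after
    #   reg load HKLM\OfflineSoftware D:\Windows\System32\config\SOFTWARE
    # pass 'HKLM:\OfflineSoftware' to inspect a drive pulled from the infected PC.
    [string]$HiveRoot = 'HKLM:\SOFTWARE',
    # Root of the user's Software key. For an offline profile, after
    #   reg load HKLM\OfflineUser D:\Users\<name>\NTUSER.DAT
    # pass 'HKLM:\OfflineUser\Software'.
    [string]$UserHive = 'HKCU:\SOFTWARE'
)

$findings = @()

function Get-ExePath([string]$cmd) {
    # Pull the executable out of an autostart command line: a quoted path,
    # otherwise the first token that ends in .exe. Environment variables such
    # as %SystemRoot% are expanded with the analysis machine's values.
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    $exe = $null
    if ($cmd -match '^\s*"([^"]+)"')      { $exe = $matches[1] }
    elseif ($cmd -match '^\s*(\S+\.exe)') { $exe = $matches[1] }
    if ($exe -and $exe -notmatch '\\') {
        # Bare name: resolve through PATH the way the shell would.
        $app = Get-Command $exe -ErrorAction SilentlyContinue
        if ($app) { $exe = $app.Definition }
    }
    return $exe
}

function Test-AutostartEntry([string]$label, [string]$cmd) {
    # Returns a one-line finding for a suspicious entry, or $null if it looks benign.
    $exe = Get-ExePath $cmd
    if (-not $exe) { return "$label = '$cmd' : could not parse command" }
    $leaf = Split-Path $exe -Leaf
    # A Windows system binary name outside System32 is the masquerade from
    # post #4: a "userinit.exe" that is not the real one.
    if ($leaf -match '^(userinit|explorer|winlogon|svchost|csrss|lsass)\.exe$' -and
        $exe -notmatch '\\system32\\') {
        return "$label = '$cmd' : system binary name outside System32"
    }
    if (-not (Test-Path -LiteralPath $exe)) {
        return "$label = '$cmd' : target not found on this machine (expected when the hive is offline)"
    }
    # msconfig's "Unknown" manufacturer column corresponds to an unsigned binary.
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') {
        return "$label = '$cmd' : unsigned or invalid signature ($($sig.Status))"
    }
    if ($exe -match '\\(AppData|Temp|ProgramData)\\') {
        return "$label = '$cmd' : signed by $($sig.SignerCertificate.Subject) but runs from a user-writable path"
    }
    return $null
}

# 1. Winlogon: Userinit and Shell are the classic hijack points. Stock values on
#    a default C:\ install are "C:\Windows\system32\userinit.exe," (note the
#    trailing comma) and "explorer.exe"; adjust if Windows lives elsewhere.
$wl = Get-ItemProperty -Path "$HiveRoot\Microsoft\Windows NT\CurrentVersion\Winlogon"
if ($wl.Userinit -ne 'C:\Windows\system32\userinit.exe,') {
    $findings += "Winlogon\Userinit = '$($wl.Userinit)' : differs from the stock value"
}
if ($wl.Shell -ne 'explorer.exe') {
    $findings += "Winlogon\Shell = '$($wl.Shell)' : differs from the stock value"
}

# 2. Run / RunOnce for machine and user.
$runKeys = @(
    "$HiveRoot\Microsoft\Windows\CurrentVersion\Run",
    "$HiveRoot\Microsoft\Windows\CurrentVersion\RunOnce",
    "$UserHive\Microsoft\Windows\CurrentVersion\Run",
    "$UserHive\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        $f = Test-AutostartEntry "$key\$($p.Name)" ([string]$p.Value)
        if ($f) { $findings += $f }
    }
}

# 3. WinINet proxy (what IE's "LAN settings" dialog shows). A rogue that routes
#    the browser through a local proxy can put its lock page on every site.
$ie = Get-ItemProperty -Path "$UserHive\Microsoft\Windows\CurrentVersion\Internet Settings"
if ($ie.ProxyEnable -eq 1) {
    $findings += "WinINet proxy enabled = '$($ie.ProxyServer)' : set ProxyEnable to 0 if you did not configure it"
}

if ($findings.Count -eq 0) { 'No suspicious Winlogon, Run or proxy entries found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

When the hives come from an offline drive, the signature check cannot run (the referenced files are on the other disk), so the name-masquerade and Winlogon checks are what matter there; run the script again on the machine itself once it boots clean. Remember to reg unload the loaded hives before disconnecting the enclosure.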
Old 11-25-2012, 04:38 PM   #11
NiceCold
Senior Member
 
Join Date: May 2011
Posts: 543

Still not working?

Use ComboFix, but I do not recommend it as it is advanced and can mess up your PC. Use at your own risk.

PS. Can watching porn on a Linux Ubuntu live CD catch a virus?

Last edited by NiceCold; 11-25-2012 at 04:41 PM.
Old 11-26-2012, 05:32 AM   #12
smakme7757
Golden Member
 
Join Date: Nov 2010
Location: Norway
Posts: 1,138

Format.

Once you're infected there is no guarantee that you can completely scrub your system.

The aim of the game is to not get infected, once you are - Format!
__________________
Currently running Debian 7.1 and Windows 8.1
Blog: http://jack-brennan.com
Old 11-27-2012, 01:35 PM   #13
jrob6519
Member
 
Join Date: May 2011
Location: chucktown, sc
Posts: 35

I agree...full format only real cure!
Old 11-29-2012, 07:42 PM   #14
T_Yamamoto
Lifer
 
Join Date: Jul 2011
Location: Anand's Closet
Posts: 13,561

I was able to get rid of it with malwarebytes.
__________________
i5 4430 | MSI B85M-P33 | Gigabyte Windforce R9 270x | Random 4gb + 2gb RAM
XFX ProSeries 450W | Intel 530 128gb + Toshiba Canvio 1tb External HDD | Windows 7
NZXT Vulcan | Dell E2414H
Heatware | Steam
Old 11-30-2012, 12:25 AM   #15
smakme7757
Golden Member
 
Join Date: Nov 2010
Location: Norway
Posts: 1,138

Quote:
Originally Posted by T_Yamamoto
I was able to get rid of it with malwarebytes.
What's your plan for not getting infected again?
Such a massive virus is bound to leave bits and pieces all over the place.
Old 12-01-2012, 10:05 AM   #16
MadScientist
Golden Member
 
Join Date: Jul 2001
Location: TN
Posts: 1,828

Almost 90% of the computer repair work I do now is cleaning infected computers. I totally agree that the only sure way of getting rid of a virus is to format and re-install the OS, but I also agree with John's statement from his website.

"Ok, I'm infected. What about a fresh Windows install? If you reinstall the operating system then you'll need to reinstall Windows updates (unless you have a slipstreamed copy), drivers, assorted software, tweaks, and all of your other peripherals which could easily take several hours. You'll then need to figure out how you were infected in the first place in order to prevent it from happening in the future. This is one of the main reasons that I rarely recommend a clean install. As long as you take the time to learn how to clean an infected system a fresh Windows install should be a last resort (unless you have a recent known good image of your drive)." http://www.elitekiller.com/malware.htm

The only time I format and reinstall the OS is when the OS is beyond repair, or the person has a good image of the drive. I have yet to encounter the latter.

Most people, no matter how many times I tell them to do so, never backup their important files, i.e., music, pictures, documents. An infected computer I worked on this week had 92GB of music files on it.

To answer smakme7757's question. Quoting John again: "The fact is that no single antivirus or antispyware application can successfully remove all malware circulating around the internet. It's not unusual to resort to an arsenal of security products in an attempt to ensure that everything has been properly removed."

If your computer is infected go to John's website, download his rogue removal kit, unzip it and read his Readme.pdf file.

To keep your computer from being infected again read and follow mechBgon's "How (and why) to secure your Windows PC" http://www.mechbgon.com/build/security2.html

And as John points out: "Most of all I can't stress enough how important it is to use common sense!"

Last edited by MadScientist; 12-01-2012 at 10:14 AM.
Old 12-03-2012, 08:21 PM   #17
T_Yamamoto
Lifer
 
Join Date: Jul 2011
Location: Anand's Closet
Posts: 13,561

Quote:
Originally Posted by smakme7757
What's your plan for not getting infected again?
Such a massive virus is bound to leave bits and pieces all over the place.
Tell my brother (it was his lappy that got the virus) to use better judgement.
Old 12-03-2012, 11:54 PM   #18
SparkyJJO
Lifer
 
Join Date: May 2002
Location: Ohio
Posts: 12,173

Awful lot of "nuke happy" people on here

It IS quite possible to fully disinfect a PC, and in most cases it isn't that hard to remove any remaining traces. I do it at work all the time. Aside from some people who just can't stay away from the dark corners of the internet I rarely have a reinfection.
__________________
Heatware

CO2 is evil. Stop breathing

"I have never understood why it is greed to want to keep the money that you've earned, but not greed to want to take somebody else's money." - Thomas Sowell
Old 01-15-2013, 03:53 PM   #19
JEDIYoda
Lifer
 
Join Date: Jul 2005
Posts: 19,417

Quote:
Originally Posted by jmarti445
I can easily assist: remove the virus from the startup folder and reboot Windows. It's scareware and easy to remove.
Please describe in detail what you are talking about.

Many experienced users have had issues with the FBI warning virus....
__________________
JohnOfSheffield -- That said, Palestine will exist when they understand that Israel exists, it's that blatantly simple!
Old 01-23-2013, 10:20 PM   #20
VirtualLarry
Lifer
 
Join Date: Aug 2001
Posts: 24,520

My friend just got this on his computer, while he was away for the day.

I asked him if he has Java installed, he said yes.

I told him it was probably a poisoned ad.
__________________
Rig(s) not listed, because I change computers, like some people change their socks.
ATX is for poor people. And 'gamers.' - phucheneh
haswell is bulldozer... - aigomorla
"DON'T BUY INTEL, they will send secret signals down the internet, which
will considerably slow down your computer". - SOFTengCOMPelec
Old 01-24-2013, 02:39 AM   #21
JEDIYoda
Lifer
 
Join Date: Jul 2005
Posts: 19,417

Quote:
Originally Posted by VirtualLarry
My friend just got this on his computer, while he was away for the day.

I asked him if he has Java installed, he said yes.

I told him it was probably a poisoned ad.
It's quite a bit worse than a poisoned ad... if it is the FBI fake virus it locks your computer up...

For the people that have the real FBI virus it's no laughing matter...

I am sorry to inform you that you don't get this virus by leaving and coming back to your computer...
Old 01-25-2013, 12:50 PM   #22
VirtualLarry
Lifer
 
Join Date: Aug 2001
Posts: 24,520

Quote:
Originally Posted by JEDIYoda
I am sorry to inform you that you don`t get this virus by leaving and coming back to your computer...
You can, if you leave a web page open, that has rotating ads, that come from an ad server that is hacked or otherwise distributing "poisoned" ads, and your local computer system has a currently-exploitable vulnerability, like current versions of Java.
Old 01-25-2013, 12:53 PM   #23
VirtualLarry
Lifer
 
Join Date: Aug 2001
Posts: 24,520

The sad irony is, if you've heard how this "FBI moneypak virus" works, the new "Six Strikes" system being implemented by ISPs around the country, in concert with demands from the RIAA/MPAA, is eerily similar.

Suddenly, whereever you browse on the internet, a page pops up, accusing you of something, and you either have to admit guilt, or pay a fine to contest it.

And your internet connection can be throttled, or cut off.

All without you actually doing something wrong.
Old 01-25-2013, 09:19 PM   #24
JEDIYoda
Lifer
 
Join Date: Jul 2005
Posts: 19,417

Quote:
Originally Posted by VirtualLarry
You can, if you leave a web page open, that has rotating ads, that come from an ad server that is hacked or otherwise distributing "poisoned" ads, and your local computer system has a currently-exploitable vulnerability, like current versions of Java.
I am sorry that will not happen if you are on a legitimate site and not some questionable porn site or other site.....
Old 01-26-2013, 03:12 AM   #25
VirtualLarry
Lifer
 
Join Date: Aug 2001
Posts: 24,520

Quote:
Originally Posted by JEDIYoda
I am sorry that will not happen if you are on a legitimate site and not some questionable porn site or other site.....
Even legit sites' ad servers have been compromised. LegitReviews was compromised a few months back, and even these forums have had their ad servers compromised at least once in the past. What you say simply isn't true.