Calguns.net  

#1 | 02-12-2013, 5:47 PM | Press Check (1911 Aficionado, CGN Contributor)
FBI Virus

Anyone have any experience with this virus, or how to get rid of it?
#2 | 02-12-2013, 5:52 PM | rackem1899 (Member)

Malwarebytes.
You can't have an Internet connection without setting it off (at least that's the way it was last time I saw it). You'll have to DL the program onto a USB drive from another PC and install it that way.
__________________
For Sale:
Sig SP2022
http://www.calguns.net/calgunforum/s...d.php?t=872589
#3 | 02-12-2013, 6:49 PM | monk (9mm>.40, CGN Contributor)

I just recently started seeing this. http://botcrawl.com/how-to-remove-th...lware-removal/
__________________


NRA Member
SAF Member


Quote:
A tyrant will always find a pretext for his tyranny.
#4 | 02-12-2013, 6:52 PM | StephanieLynn (Member)

I got that damn thing about a month ago. Had to take it to some computer guys to get rid of it. It is insidious!
#5 | 02-12-2013, 6:52 PM | keenkeen (Calguns Addict)

Quote: Originally Posted by rackem1899
> Malwarebytes.
> You can't have an Internet connection without setting it off (at least that's the way it was last time I saw it). You'll have to DL the program onto a USB drive from another PC and install it that way.
Yup, log onto a clean machine and download the instructions.
__________________
Quote:
"But far more numerous was the herd of such, Who think too little and who talk too much." -John Dryden
#6 | 02-12-2013, 7:32 PM | musick (CGSSA Associate)

Quote: Originally Posted by Press Check
> Anyone have any experience with this virus, or how to get rid of it?
You can uninstall it, but there may still be keystroke loggers and other beasties that you will fail to remove. Best bet is to back up your data, wipe the hard drive clean and reinstall your OS from a known clean source or your recovery disc (which I KNOW you made when first plugging in your computer...)

A simple uninstall is NOT enough. Ask me how I know.
__________________
C3 Contributor San Diego
CGSSA Associate
#7 | 02-12-2013, 8:45 PM | monk (9mm>.40, CGN Contributor)

A person recently brought a system in with this infection. The clever thing sits on top of every single application if you just log in to Windows. One guy at the shop even thought it might be legit. I told him the fact that it prompted for money through MoneyPak was a dead giveaway.
#8 | 02-12-2013, 8:51 PM | billofrights (CGN/CGSSA Contributor, CGN Contributor)

Every box I've seen with it we ended up wiping, nothing else removed it 100%.
#9 | 02-12-2013, 8:56 PM | border.bandito (Senior Member)

Someone's been downloading some pron....
__________________
Quote:
If you suck with irons you will suck with optics. The difference is the aimpoint will allow you to suck faster and a scope will give you a closer look at how much you suck.
Quote:
AR's have finally become full blown "men's barbie dolls" now with fashion accessories.
#10 | 02-12-2013, 10:42 PM | SouperMan (Senior Member)

I just helped a friend rescue a machine that had a drive-by download. The darn thing had the encryption variant. The malware encrypted all the docs and pictures, and basically extorted money for the decryption key. Luckily, there was a freebie decrypter through an anti-malware company, and after a couple of guesses as to the key, I was able to decrypt his stuff. Backed up the data, scanned it twice with two different virus scanners, and wiped the machine before rebuilding it and putting the sanitized data back on the machine. Took two days and was rewarded with my favorite beer...(should have taken ammo...dang it...)

Major takeaways: Get a virus/malware scanner, back up your data (often, and preventatively), and consider changing your DNS provider to Google DNS or OpenDNS to blacklist known bad websites.
#11 | 02-12-2013, 10:49 PM | Johnnyfres (Senior Member, CGN Contributor)

We have been seeing this a lot at work recently. A lot of our clients are picking this virus up from bad browsing habits.

We use Bleeping Computer whenever a new virus pops up.

Check the link below for removal instructions.

http://www.bleepingcomputer.com/viru...pak-ransomware
__________________
Firearms successfully returned by the CA Department of Justice. Probation expires October 2014.



A free people ought not only to be armed, but disciplined. ~George Washington


Sign and fight - Defend our right to bear arms
#12 | 02-12-2013, 11:00 PM | Press Check (1911 Aficionado, CGN Contributor)

I'm logged into the infected laptop with a Guest Account.

Is there software I can download online that will remove the virus? If so, a link would be appreciated.
#13 | 02-13-2013, 11:03 AM | skale240 (Member)

Hitman Pro was the only thing that worked for me. Download it and burn it to CD or create a bootable thumb drive. It will boot to Hitman and run a scan. I tried for 2 weeks to get this one off. Tried everything the interwebz suggested: system restores, other admin accounts, Malwarebytes, SAS, ESET online scanner, ComboFix, etc....and it kept coming back. Even the stuff bleepingcomputer.com suggested didn't work. Anyway, good luck!

http://www.surfright.nl/en/hitmanpro/
#14 | 02-13-2013, 12:36 PM | Darryl Licht (CGN/CGSSA Contributor, CGN Contributor)

I've had several of these come through my workshop in the past year. It's a PITA!!!! So far all "instructions" on the Internet were incomplete, inaccurate, or totally bogus! Following some instructions on Bleeping Computer and other well-known sites removed some of the major issues, but many still remained...

The problem is that this thing lets other malware/spyware/virii in, and the best and safest bet is to back up all your user data, then format and perform a clean install of Windows and all apps!
__________________
Quote:
"Laws that forbid the carrying of arms...disarm only those who are neither inclined nor determined to commit crimes. Such laws make things worse for the assaulted and better for the assailants; they serve rather to encourage than prevent homicides, for an unarmed man may be attacked with greater confidence than an armed one.
--Thomas Jefferson
Quote:
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong remedies. --Groucho Marx
#15 | 02-13-2013, 12:50 PM | Quinc (Veteran Member)

Why does it take the AV and malware companies so long to come out with a fix for malware... Also, if you are not using Firefox with Adblock and NoScript, you should be. You can get malware from Java-run ads on websites, etc.
__________________
Shop Amazon and contribute to CGF!
click this link before going to amazon.com
http://www.shop42a.com


www.appleseedinfo.org

"Everyone has a plan, till they get punched in the face." -Mike Tyson
#16 | 02-13-2013, 2:04 PM | Darryl Licht (CGN/CGSSA Contributor, CGN Contributor)

Quote: Originally Posted by Quinc
> ...Also, if you are not using Firefox with Adblock and NoScript, you should be. You can get malware from Java-run ads on websites, etc.
All browsers are susceptible to this nasty malware; FF isn't any safer than the others. The FBI (AKA Moneypak) virus is quite sophisticated malware that is actually classified as ransomware... you are instructed to pay to remove it! Do not ever pay them!

THE KEY HERE IS THAT MOST USERS DO NOT UPDATE JAVA WHEN PROMPTED TO DO SO!

Hell, most users think java is another name for coffee! LOL!
#17 | 02-13-2013, 2:16 PM | Darryl Licht (CGN/CGSSA Contributor, CGN Contributor)

Just looked into this a bit more, and in late October Norton posted this video on removing "Moneypak" ransomware!

http://www.youtube.com/watch?v=_dKBXeoLIFo
#18 | 02-13-2013, 2:36 PM | 67goat (Senior Member)

Quote: Originally Posted by Quinc
> Why does it take the AV and malware companies so long to come out with a fix for malware... Also, if you are not using Firefox with Adblock and NoScript, you should be. You can get malware from Java-run ads on websites, etc.
First they have to identify what the actual files are (ever looked at how many actual files there are in a Windows installation?). Then they have to figure out what it does and how it does it. Then they have to make something that counteracts it. The nastiest malware and viruses can get updates and modify themselves in real time. It's like having an antibiotic-resistant strain of bacteria.
#19 | 02-13-2013, 2:43 PM | rackem1899 (Member)

The FBI actually put out an official statement saying it wasn't theirs because they were getting so many calls about it: http://www.fbi.gov/news/stories/2012...#disablemobile
#20 | 02-13-2013, 4:51 PM | Son of BAR7 (Member)

The only way I could get that effin' thing off my computer was to do a system restore. Lucky for me, I had a restore point that was only a couple of days earlier.... Serious PITA...
__________________
Liberty is 'Freedom To' not 'Freedom From'

When they kick in your front door,
How you gonna come?
With your hands on your head,
Or on the trigger of your gun?
#21 | 02-13-2013, 6:18 PM | 1919_4_ME (Senior Member)

That virus has been around for a while; it's a pain to get off of your computer. After you get your computer back to normal, install this ASAP.

http://download.cnet.com/Malwarebyte...ml?tag=mncol;1
#22 | 02-13-2013, 7:08 PM | Darryl Licht (CGN/CGSSA Contributor, CGN Contributor)

Quote: Originally Posted by rackem1899
> The FBI actually put out an official statement saying it wasn't theirs because they were getting so many calls about it: http://www.fbi.gov/news/stories/2012...#disablemobile
Did anyone really believe this malware came from the FBI? If so, they don't deserve to use a computer!

It is simply referred to as the FBI virus due to the popup message that states the FBI has locked your PC due to illegal activity. It's AKA Moneypak virus!
#23 | 02-13-2013, 8:49 PM | rackem1899 (Member)

Quote: Originally Posted by Darryl Licht
> Did anyone really believe this malware came from the FBI? If so, they don't deserve to use a computer!
>
> It is simply referred to as the FBI virus due to the popup message that states the FBI has locked your PC due to illegal activity. It's AKA Moneypak virus!
Lol, I guess so! I just came across that page when I was searching for how to remove the virus a few months ago. I found it pretty funny how gullible people are... Then again, I worked with someone who entered their credit card info to "Purchase a subscription" for the Windows Security System virus...
Edit: I don't think anyone on here actually thought that.
#24 | 02-13-2013, 9:59 PM | SouperMan (Senior Member)

Quote: Originally Posted by rackem1899
> Lol, I guess so! I just came across that page when I was searching for how to remove the virus a few months ago. I found it pretty funny how gullible people are... Then again, I worked with someone who entered their credit card info to "Purchase a subscription" for the Windows Security System virus...
> Edit: I don't think anyone on here actually thought that.
I thought it was rather convenient that the FBI lets me pay with PayPal or a GreenDot prepaid gift card.
#25 | 02-14-2013, 9:35 PM | Quinc (Veteran Member)

Quote: Originally Posted by Darryl Licht
> All browsers are susceptible to this nasty malware; FF isn't any safer than the others. The FBI (AKA Moneypak) virus is quite sophisticated malware that is actually classified as ransomware... you are instructed to pay to remove it! Do not ever pay them!
>
> THE KEY HERE IS THAT MOST USERS DO NOT UPDATE JAVA WHEN PROMPTED TO DO SO!
>
> Hell, most users think java is another name for coffee! LOL!
The reason you have FF is for the add-ons like NoScript. With NoScript, NOTHING can/will run in the background unless you give it permission. So when you or your wife/kid etc. clicks on a link, they won't just automatically get the virus without first being prompted to allow the site to run Java etc.

Quote: Originally Posted by 67goat
> First they have to identify what the actual files are (ever looked at how many actual files there are in a Windows installation?). Then they have to figure out what it does and how it does it. Then they have to make something that counteracts it. The nastiest malware and viruses can get updates and modify themselves in real time. It's like having an antibiotic-resistant strain of bacteria.
I work as a sysadmin for a large IT company and deal with this crap all the time. The thing that puzzles me is apps like Malwarebytes and other virus scanners will find the virus, say they removed it, and then as soon as you reboot they find it again... It seems like they know where they are, etc. Plus it's pretty simple to install Windows, download all the latest patches etc. and know which files are Windows related etc.

Linux for the Win!
#26 | 02-15-2013, 9:32 AM | Rusty_Rebar (Member)

Wipe. That is the ONLY thing to do when you think you have been infected. I am sure you can figure out a way to clean it out, but the only be all end all is to wipe and reload OS.

Try going with Linux; these virus problems are quite rare in Linux.
#27 | 02-15-2013, 10:28 AM | the86d (Calguns Addict)

Some stuff can hide in the System Restore dir and gets restored every boot. If you are having this issue, try turning off System Restore for a reboot, then use MalwareBytes, then if it goes away re-enable System Restore.

Quote: Originally Posted by Rusty_Rebar
> Wipe. That is the ONLY thing to do when you think you have been infected. I am sure you can figure out a way to clean it out, but the only be all end all is to wipe and reload OS.
>
> Try going with Linux; these virus problems are quite rare in Linux.
You don't really need to wipe the drive; a clean reinstall should be sufficient.
__________________
"That's what governments are for - get in a man's way." - Captain Malcolm 'Mal' Reynolds

#28 | 02-15-2013, 12:26 PM | Rusty_Rebar (Member)

Yeah, I did not mean a disk format, just an OS reload, but while you are down there, could not hurt.
#29 | 02-17-2013, 8:18 PM | problemchild (Banned)

Amateurs......

Emsisoft (follow these instructions)

Combofix (run this too)

Malwarebytes (run this too)

Also you could follow these instructions.........

http://www.bleepingcomputer.com/foru...453/fbi-virus/
#30 | 02-19-2013, 10:56 PM | Fizz (Senior Member)

Quote: Originally Posted by billofrights
> Every box I've seen with it we ended up wiping, nothing else removed it 100%.
I've done the FBI Virus in no less than ~40 instances with removal being as close to 100% as I can reasonably expect.

I've seen it come along with the ZeroAccess trojan and a few other oddities/damages to windows components like the Windows Firewall. However, I can't recall any instance where I wasn't able to remove it.
#31 | 02-19-2013, 11:05 PM | Press Check (1911 Aficionado, CGN Contributor)

I completed a system restore, which seems to have eliminated the virus for now. I have a few issues during start-up that weren't present before, but I'm just glad to have control of my machine again.

If the virus resurfaces, I will simply wipe the system clean.
#32 | 02-19-2013, 11:08 PM | Fizz (Senior Member)

One of the most important aspects of this virus is its prevalence/reported instances. Essentially, the virus has to make itself known to be effective; it has to fool the user into handing over money.

Most traditional viruses hide in the background, sending spam, recording keystrokes, being used for DoS attacks/part of a botnet, redirecting searches, etc. Viruses of yesterday really had no interest in 'breaking' your machine so you couldn't use it; doing so was counterproductive to their goals of maintaining control.

Now, the computer place I used to work for saw this A LOT. It's probably been the No. 1 known-to-be virus related check-in over the last year. However, that doesn't mean it's the most common virus; it means that because it's front and center and impossible to ignore, that's the ONLY time people are aware their machines have been compromised.

The problem is people get so many update notifications from Java, Flash, Windows, etc. that they ignore the warnings; they come so often they're just crying wolf. However, they really are important.

Anyway, no such thing as a foolproof antivirus. You have to take a proactive approach to security, stay up on updates and know what to do and what not to do. Computers and firearms share the same safety... the gray matter between your ears.
#33 | 02-19-2013, 11:09 PM | Fizz (Senior Member)

Quote: Originally Posted by Press Check
> I completed a system restore, which seems to have eliminated the virus for now. I have a few issues during start-up that weren't present before, but I'm just glad to have control of my machine again.
>
> If the virus resurfaces, I will simply wipe the system clean.
Get caught up on Windows updates, Java, Flash, antivirus etc. while it's working.
#34 | 02-19-2013, 11:11 PM | vintagearms (Calguns Addict)

Quit going on pron sites! Go into Safe Mode and do a system restore. You're welcome.
#35 | 02-19-2013, 11:58 PM | 1GunLover (Senior Member)

Make a new user profile or sign into one in Safe Mode with Networking. Then change your proxy and search for and delete all the bad .exe files, if you know how to look for them. Go to the startup menu and run all the files that were made on the date you got the virus and delete them all. Run an antivirus and you should be good to go. Worst case scenario, do a system restore.
#36 | 02-20-2013, 12:08 AM | Fizz (Senior Member)

Quote: Originally Posted by 1GunLover
> Make a new user profile or sign into one in Safe Mode with Networking. Then change your proxy and search for and delete all the bad .exe files, if you know how to look for them. Go to the startup menu and run all the files that were made on the date you got the virus and delete them all. Run an antivirus and you should be good to go. Worst case scenario, do a system restore.
Viruses can load any number of ways, not always as an executable. A lot of them install as rootkits/have a rootkit component that alters the Windows API so you can't 'see' them. You have registry entries, DLLs, drivers (in some circumstances), infected/replaced system files/executables (in which case removing them breaks the machine), etc.

Deleting the executables is generally a poor idea; pretty much all of them have ways to bring exes back.
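A read-only triage script along the lines of what Fizz describes above (Run/RunOnce keys, Startup folders, services), added here as an example; it is not code from the thread or from any tool mentioned in it. The infection date parameter and the flagging rules are my own assumptions, and as the post says, a rootkit can hide entries from a user-mode listing like this.

```powershell
# Added example (not the thread's code): inventory the Windows autostart
# locations an infection typically uses and flag entries worth a look. An entry
# is flagged when its executable lives in a user-writable directory, was created
# on or after the suspected infection date, is unsigned, or is missing. Nothing
# on the machine is changed. Caveat: a rootkit can hide entries from user-mode
# enumeration, so an empty list does not prove a clean box.
param(
    # Assumed parameter: date the machine is believed to have been infected.
    [datetime]$Since = (Get-Date).AddDays(-7)
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Legitimate autostart binaries rarely live here; droppers usually do.
$suspectDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)

function Get-CommandPath {
    # Pull the executable path out of a command line, quoted or not.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.(exe|dll|bat|cmd|vbs|js|scr))(\s|$)') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-SuspectFlags {
    param([string]$Path)
    if (-not $Path) { return 'empty command' }
    $flags = @()
    foreach ($d in $suspectDirs) {
        if ($d -and $Path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) {
            $flags += 'user-writable dir'
            break
        }
    }
    if (Test-Path -LiteralPath $Path) {
        $item = Get-Item -LiteralPath $Path
        if ($item.CreationTime -ge $Since) {
            $flags += "created $($item.CreationTime.ToString('yyyy-MM-dd'))"
        }
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
    } else {
        $flags += 'file missing'
    }
    return ($flags -join '; ')
}

$entries = @()

# 1. Run / RunOnce registry values (PS* properties are provider metadata, not values).
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}

# 2. Per-user and all-users Startup folders.
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    if (-not $dir) { continue }
    foreach ($f in (Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue)) {
        $entries += [pscustomobject]@{ Source = $dir; Name = $f.Name; Command = $f.FullName }
    }
}

# 3. Services, so their binaries get the same checks.
foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
    if ($svc.PathName) {
        $entries += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
    }
}

# Resolve each command to a path, evaluate it, and show only the flagged entries.
$report = foreach ($e in $entries) {
    $path = [Environment]::ExpandEnvironmentVariables((Get-CommandPath -Command $e.Command))
    [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Path = $path; Flags = (Get-SuspectFlags -Path $path) }
}
$report | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Run it from a clean admin account (or Safe Mode) and compare the flagged paths against what you know is installed before deciding whether cleanup or a reinstall is the right call.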
#37 | 02-20-2013, 1:25 AM | 1GunLover (Senior Member)

I am speaking from personal experience with the FBI Virus; it worked for me and many others as well.

Quote: Originally Posted by Fizz
> Viruses can load any number of ways, not always as an executable. A lot of them install as rootkits/have a rootkit component that alters the Windows API so you can't 'see' them. You have registry entries, DLLs, drivers (in some circumstances), infected/replaced system files/executables (in which case removing them breaks the machine), etc.
>
> Deleting the executables is generally a poor idea; pretty much all of them have ways to bring exes back.
#38 | 02-21-2013, 7:57 AM | Darryl Licht (CGN/CGSSA Contributor, CGN Contributor)

Quote: Originally Posted by problemchild
> Amateurs......
>
> Emsisoft (follow these instructions)
>
> Combofix (run this too)
>
> Malwarebytes (run this too)
>
> Also you could follow these instructions.........
>
> http://www.bleepingcomputer.com/foru...453/fbi-virus/
I resent this "Amateur" comment!!! I have over 25 years of experience in the industry, teach computer science, and consult on the side.

I have encountered this malware 3 or 4 times in the last 18 months. The first time, I followed the instructions on Bleeping Computer, running ComboFix, Malwarebytes stealth mode, and others... Even Paul Thurrott's instructions failed to remove it completely. The issue is all looks good until reboot, then... Nada! Why??? Because this is a polymorphic virus; it morphs (changes) to avoid detection with each new generation.

In the end I wasted more time than had I just backed up the user files and performed a clean install. The next infected machines that came to me were just backed up, formatted, and clean installs performed.

IMHO - There is no "easy fix" for this infection. It lets too many other infections in and is nearly impossible to completely get rid of "easily".
#39 | 02-22-2013, 7:39 AM | Bobby Hated (Senior Member)

I got this stupid thing Wednesday night. Can't a guy look at some titties in peace anymore?

The version I had wouldn't let my PC run in Safe Mode with Networking. As soon as I tried, it would auto shut down and restart in standard mode.

So I had to run Safe Mode from command and download Emsisoft on another PC and transfer it to the infected PC with a memory stick. It was a royal PITA!

Then I downloaded Emsisoft on the infected PC and ran it again. Then I did a restore from 2 weeks ago.

It seems to be gone now, but I'm going to have the IT guy at work wipe it clean and reinstall Windows just to be sure.

Thanks to Monk and billofrights for their advice via PM. A couple of standup Calgunners right there!
__________________
USPSA IPSC X3 NRG PRG LDF SWPL

#40 | 02-25-2013, 2:01 PM | NickTheGreek (Senior Member)

We see this thing a few times a week at my shop. I recommend you get it to a professional (not Geek Squad) or risk some serious damage to your filesystem, as it is usually accompanied by a Master Boot Record virus. My shop is in Campbell, and if you are close I give Calguns discounts. Drop me a PM.
__________________
Western Hunting - follow us on FaceBook!

Quote:
Originally Posted by rootuser View Post
There are too many in this forum that do nothing. Don't vote, don't belong to the NRA, don't donate time and or money, etc etc so the anti-gun bills will just keep coming and coming. You are right. Us doing nothing at all won't help.