Help!!!!

Posted: 26 May 2013 5:04 pm
by Richard Sinkler
I just had a weird thing happen on my desktop. I get this screen that says it is the FBI and they have found files on my computer that are in violation of copyright laws and that all files have been encrypted and I have to pay a fine of $450 to unlock it. I suspect this to be malware, but I can't get past that screen on the computer.

How do I fix this? Reformat my drive and re-install Windows. I did buy Windows 7 to install on that computer, so maybe it is time to do it.

Has anyone ever heard of this before?

Posted: 26 May 2013 5:19 pm
by Richard Sinkler
OK, I googled "fbi computer lock down" or something like that here on my laptop and found out it is indeed malware, and found sites that tell how to remove it. I am going to try that now. I would like to know why my Trend Micro Internet Security Pro let that virus/malware through. Might be time to re-think my anti-virus software choice.

Posted: 26 May 2013 6:47 pm
by Sid Hudson
OK, here's the deal, brother.

I forgot how to restart the computer before Windows opens. Someone else will have to explain that.

I remember that you have to frantically punch two keys on the keyboard while the computer is starting up but do not remember the key commands.

After someone has explained that----here is the fix.

Go to malwarebytes.org and install the free version.
here is the link: http://download.cnet.com/Malwarebytes-A ... tag=button


It will erase the virus.

Posted: 26 May 2013 6:53 pm
by Richard Sinkler
It comes up directly to the bogus FBI screen and I can't do anything at that point. It just locks up. The only way to get past it is to shut down, and that doesn't actually get me past it, it just shuts down the computer. I keep trying to go to safe mode, but when it asks me to choose which user (I am the only one), Windows shuts down and restarts and I get back to the FBI screen and not into safe mode.

Computer help

Posted: 26 May 2013 7:05 pm
by John Vaughan
Try hitting F8 after restart. That should take you to the area where you can choose safe mode. Go to Safe Mode with networking if you have that choice. Gives you the ability to get info.

John Vaughan

Posted: 26 May 2013 7:20 pm
by Richard Sinkler
I have been doing that. It does give me 2 users. Me and administrator. Although I gave my account admin privileges, only the administrator account will boot up in safe mode. My account shuts down the computer and re-boots me into regular windows and to the FBI screen again. I currently have it in safe mode under the administrator account and will download Malwarebytes and try that.

Man, this is nerve-wracking. My doctor told me when he released me from the hospital last Monday to make sure I avoid stress as much as possible. So much for that. :(

Posted: 26 May 2013 7:29 pm
by Bill McCloskey
Yes, there were some postings about this on a few online forums I'm on. Some people actually pay the money and hope for the best. I wish I could say there were some good workarounds, but it is a pretty nasty virus.

Posted: 26 May 2013 8:07 pm
by Richard Sinkler
I am installing MB now. Hopefully it will solve the problem. I was really startled when the FBI screen came up. What aroused my suspicions that it was malware was that I don't think the FBI would just ask you to pay a fine online. If they caught you in a real crime, they would be knocking on your door, take you in, have a court date, and then a fine or jail time would be served up. I really feel sorry for anyone that doesn't think this through before sending off the money.

I really hope MB works

Posted: 26 May 2013 8:45 pm
by Wiz Feinberg
You have ransomware on your computer. It got installed by means of an outdated version of Java, Adobe Reader or Flash and an Administrator-level user account. If you were operating as a limited user this would not have happened without sufficient warning.

You need to visit Bleeping Computers to remove this malware. It is known as Reveton Ransomware.

Posted: 26 May 2013 9:08 pm
by Richard Sinkler
I bought Malwarebytes. Will that not work?

I will look into adjusting my user account to not have admin capabilities. It was just so much more convenient to have access without having to log out and back in as the admin.

Funny thing, I was going to just go ahead and install Win7 on here since I bought the Win7 software for it. A couple of times, I could get it to boot from the DVD (by setting the boot sequence to look there first). But then, nothing I could do would get it to boot from the DVD.

I am going to let MB run all night to see if it works.

Posted: 27 May 2013 2:04 am
by Bryan Garvey
Hi Richard

If you are still having trouble getting rid of this infection, go to the following link and download a file called "Combofix". Just download it to your desktop, double click on it and follow the instructions. It will ask you to allow it to install Microsoft Recovery Console; allow it to do so. The downside of this is that you should remove your antivirus software first. As you will be in safe mode this may not be possible. Still run the file anyhow and just agree to the warnings.

http://www.bleepingcomputer.com/download/combofix/

Cheers
Bryan

Posted: 27 May 2013 4:16 am
by Richard Sinkler
Looks like MB worked. I don't get it on boot up any more. But MB only listed 1 thing it found, and that had the name "skype" in it. I don't use Skype, so I don't know what that was all about. The file that was named in a blog about the virus that should have been in the startup folder, wasn't listed. In fact, the startup folder that you can access through the start menu says it is empty, even before running MB.

Posted: 27 May 2013 7:50 am
by Wiz Feinberg
Richard;
If you are able to run System Restore, do so, to a date prior to the infection. This will repair system files that were displaced and possibly some of your data files that may have become encrypted by the malware.

Most folks who acquire the FBI Trojan end up at bleepingcomputer.com, getting professional help.

BTW: ComboFix should not be used except under the direct supervision of a trained malware removal professional. It is not a stand-alone solution, but part of a sequence that needs to be taken. Each case tends to be a little different and the tools used and sequence in which they are applied is very important.

Posted: 27 May 2013 8:30 am
by Wiz Feinberg
Richard;
In the event you discover that the virus has encrypted some types of files, so they open in a browser with the extortion demand, Panda offers a decryptor tool. It may or may not work, depending on which iteration of this malware you have.

Posted: 27 May 2013 9:53 am
by Richard Sinkler
Wiz, thanks. I tried using System Restore when I was able to get into safe mode, but either I wasn't doing something right or it was just not able to work.

Seeing as how I wanted to upgrade this computer to Windows 7, because of the ending support for XP, I may end up doing that this week. I bought the OS software a month or so ago, but have been too lazy or too sick to do it.

The encrypted files thing does have me a little scared. So far, so good, but you never know.

Wiz, I have a question on Malwarebytes. I have always just downloaded the free version when I wanted to scan and then uninstalled it after, because I thought it was slowing down the boot-up of my computer (it actually did run faster after I uninstalled MB). I went ahead and purchased licenses for both of my computers. The question is, if I leave MB so it starts up when first booting and leave it running, would it have caught something like this before it could get into my computer and cause problems?

To add to that frustration, I had brought my laptop out by this computer so I could go online and get help. When I was done, I didn't turn the laptop off, and just unplugged the power supply (like I have done hundreds of times). I closed the lid (which I have set to not do anything, like make the computer go to sleep, or anything else). When I plugged it back in in my bedroom, all I had was a black screen. Re-booting just got me to that startup screen where it says "Welcome" (Win7 OS). It never would go any farther. So I went into safe mode and restored it to a date earlier this week (before a critical update, as was listed) and everything is back to normal. I don't think the update caused it, because the update happened a few days ago and everything had been working fine. I will now shut it down before unplugging the power supply and moving it from room to room.

Yesterday was a very bad computer day for me.

Another question about the virus. Does it just attack system files on the C drive, or does it attack random files on any drive?

Posted: 27 May 2013 10:02 am
by Bill McCloskey
Here is a new york times article on it: http://www.nytimes.com/2012/12/06/techn ... email&_r=0

Posted: 27 May 2013 1:48 pm
by Wiz Feinberg
It is much safer to turn off a computer of any design, with a physical hard drive, before you move it. These drives get hot and become fragile until they cool down completely.

I learned this the hard way a few years ago when I decided to relocate a PC from the front of the house to the back room. I shut it down, unplugged the cables, picked it up carefully, carried it to the other room, set it onto the floor under the new desk, hooked it up, turned it on, and nada. It sat there and clicked, dead as a doorknob. The hard drive that was working flawlessly minutes before was hopelessly seized.

Posted: 27 May 2013 1:57 pm
by Wiz Feinberg
I let MBAM start with Windows and run in realtime protection mode. Otherwise, what good would the paid license be?

If MBAM detected and removed your "Reveton" malware, it also could have blocked it in the first place, if you had set it to realtime protection and auto updating = on.

I run MBAM in tandem with Trend Micro (a trick in itself), plus I operate as a Windows 7 Standard User (less privileged). Malware, like any other software installers I see, would require me to approve its installation with my admin password. You know that ain't gonna happen!

Posted: 27 May 2013 3:47 pm
by Richard Sinkler
Just changed my account to a limited account. We'll see how that goes.

MB didn't tell me it removed it. In the list of files it dealt with, there was only that one I mentioned that had skype as part of the file name. I kind of wonder if the virus is actually gone or is laying dormant ready to strike again.

Posted: 27 May 2013 5:36 pm
by Wiz Feinberg
Richard Sinkler wrote: Just changed my account to a limited account. We'll see how that goes.

MB didn't tell me it removed it. In the list of files it dealt with, there was only that one I mentioned that had skype as part of the file name. I kind of wonder if the virus is actually gone or is laying dormant ready to strike again.

You can open a case for free malware removal assistance on either the Malwarebytes' Malware Removal forum or the pertinent Bleeping Computer forum. They will have you run certain diagnostic files that gather intelligence about your system and its files and folders. They use advanced search terms to look for known malware files or registry entries and can even identify rootkits.
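The diagnostic logs Wiz mentions are, in large part, listings of autostart locations (Run keys, the Startup folder, Winlogon values) that a helper reads by eye for entries that do not belong. The script below is an added example of that triage, not code from this thread or from Malwarebytes or Bleeping Computer. It reads a constructed CSV whose column layout (location, entry, image_path, launch_string, signer) is an assumption loosely modelled on an Autoruns-style export, and the scoring rules are assumptions chosen to match where Reveton-style lockers were commonly found: a shortcut or Run value that launches an unsigned, doubled-extension DLL via rundll32 from a user-writable profile directory, or a Winlogon Shell value that is no longer plain explorer.exe.

```python
"""Triage Windows autostart entries for lock-screen ransomware persistence.

Added example, not from the forum thread. The CSV layout and the
heuristics below are assumptions; the sample rows are constructed.
"""
import csv
import io
import re

# Constructed sample in an assumed Autoruns-like layout. Rows 1 and 2 are
# ordinary vendor/OS entries; rows 3 and 4 model Reveton-style persistence.
SAMPLE_CSV = r"""location,entry,image_path,launch_string,signer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,UfSeAgnt.exe,C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe,C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe,(Verified) Trend Micro Inc.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,C:\WINDOWS\system32\ctfmon.exe,C:\WINDOWS\system32\ctfmon.exe,(Verified) Microsoft Windows
C:\Documents and Settings\user\Start Menu\Programs\Startup,ksfrp.lnk,C:\Documents and Settings\All Users\Application Data\ksfrp.dll.dll,"rundll32.exe C:\Documents and Settings\All Users\Application Data\ksfrp.dll.dll,Run",(Not verified)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell,Shell,C:\Documents and Settings\user\Local Settings\Temp\ms.exe,"explorer.exe,C:\Documents and Settings\user\Local Settings\Temp\ms.exe",(Not verified)
"""

# Locations that run code at logon (assumed list, not exhaustive).
AUTOSTART_LOCATION = re.compile(
    r"(\\startup$|\\currentversion\\run(once)?$|\\winlogon\\(shell|userinit)$)", re.I)
# Directories a non-admin user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = re.compile(
    r"\\(application data|appdata|local settings|temp|programdata|users\\public)\\", re.I)
SYSTEM32 = re.compile(r"\\(windows|winnt)\\system32\\", re.I)
DOUBLED_EXT = re.compile(r"\.(dll|exe|scr)\.(dll|exe|scr)$", re.I)


def parse_autoruns_csv(text):
    """Parse the assumed CSV layout into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text.lstrip())))


def score_entry(row):
    """Return the list of heuristic reasons this entry looks suspicious."""
    loc, img = row["location"], row["image_path"]
    launch, signer = row["launch_string"], row["signer"]
    reasons = []
    if AUTOSTART_LOCATION.search(loc):
        reasons.append("autostart location")
    if USER_WRITABLE.search(img) or USER_WRITABLE.search(launch):
        reasons.append("runs from a user-writable directory")
    if re.search(r"\brundll32(\.exe)?\b", launch, re.I) and not SYSTEM32.search(img):
        reasons.append("rundll32 loads a DLL from outside System32")
    if DOUBLED_EXT.search(img):
        reasons.append("doubled file extension")
    if not signer.strip() or signer.lower().startswith("(not verified)"):
        reasons.append("no verified code signer")
    if loc.lower().endswith(r"\winlogon\shell") and launch.strip().lower() != "explorer.exe":
        reasons.append("non-default Winlogon Shell value")
    return reasons


def triage(text, threshold=2):
    """Return entries with at least `threshold` reasons, worst first."""
    flagged = []
    for row in parse_autoruns_csv(text):
        reasons = score_entry(row)
        if len(reasons) >= threshold:
            flagged.append({"location": row["location"], "entry": row["entry"],
                            "image_path": row["image_path"], "reasons": reasons})
    return sorted(flagged, key=lambda f: len(f["reasons"]), reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_CSV):
        print(f"{hit['entry']} @ {hit['location']}")
        print(f"  image: {hit['image_path']}")
        for r in hit["reasons"]:
            print(f"  - {r}")
```

On the constructed sample, the threshold of two reasons keeps the signed Trend Micro and ctfmon.exe Run entries out of the report while flagging the Startup-folder shortcut and the altered Winlogon Shell value. Being in an autostart location is never enough on its own; it only counts together with a user-writable path, a missing signer or one of the other oddities, which is the same judgement a forum helper applies when reading a log.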

Posted: 28 May 2013 1:24 am
by Bryan Garvey
Wiz Feinberg wrote: Most folks who acquire the FBI Trojan end up at bleepingcomputer.com, getting professional help.

BTW: ComboFix should not be used except under the direct supervision of a trained malware removal professional. It is not a stand-alone solution, but part of a sequence that needs to be taken. Each case tends to be a little different and the tools used and sequence in which they are applied is very important.

Wiz.....With all due respect, Combofix should be used on Richard's computer. I am a trained professional and I do this day in and day out. As you know, giving support on a forum is more difficult than sitting at the computer doing the work yourself. I was trying to simplify things for Richard to allow him to get back into Windows.

If I was fixing his computer, I would have created a HitmanPro Kick start USB flash drive to assist the booting of the computer as this ransomware can infect the Master Boot Record of the hard drive. Once the computer boots, HitmanPro then removes the infection. Once the computer rebooted I would then run Combofix and let it clean up any other files. The computer would be then rebooted and Combofix would then be uninstalled by clicking on start, run and typing in "Combofix /uninstall" without the quotations.

Richard.....Now that you are able to boot into Windows, I would go to bleepingcomputer.com and download HitmanPro and run it as a trial version. Just follow the prompts. If you get stuck, just ask and I may be able to log into your computer remotely and do it for you.

Cheers
Bryan

Posted: 28 May 2013 9:11 am
by Richard Sinkler
Since the FBI screen no longer shows up, do you think I still need to go through all the steps that Malwarebytes and bleepingcomputer had you go through?

Posted: 28 May 2013 12:25 pm
by Wiz Feinberg
Richard Sinkler wrote: Since the FBI screen no longer shows up, do you think I still need to go through all the steps that Malwarebytes and bleepingcomputer had you go through?

Richard;
Since you hold a valid license to unlock all of the protections in MBAM, try opening it in Chameleon Mode. This allows MBAM to become invisible to malware that might otherwise interfere with its actions.

To open MBAM in Chameleon mode, close the program if it is running. Go to your Start Menu > Programs > Malwarebytes' Anti-Malware > Tools > Malwarebytes Anti-Malware Chameleon. Type in your Administrator password when prompted, or ack the UAC. A DOS window opens and launches MBAM as a process without a GUI.

It will first check for and apply all available updates, including any for RKill. The second thing it does is to RKill any known malicious processes (don't ask me to explain, please. I'd have to kill you).

Once RKill is done killing bad things, a scan will run for detectable malware, including rootkits. Do NOT reboot unless instructed to do so by MBAM prompts. Follow any on-screen prompts from this point on.

Posted: 28 May 2013 12:54 pm
by Richard Sinkler
Will do, Wiz.

Wiz Feinberg wrote: It will first check for and apply all available updates, including any for RKill. The second thing it does is to RKill any known malicious processes (don't ask me to explain, please. I'd have to kill you).

With the year I am having so far, killing me would be doing me a favor.