Friday, May 17, 2013

FBI Virus Removal


This is a little off topic, but I thought it might be useful nonetheless.

I recently had the pleasure of playing computer doctor for an older relative of mine. Somehow her computer (Windows 7, 64-bit) had acquired a lovely case of the FBI virus. On start-up, the computer was immediately hijacked and a page was loaded in place of Windows Explorer. It told the user that the FBI had taken over the computer and that you are responsible for paying a fine of varying amounts for breaking various laws. It even took over the computer's webcam and took a picture. Fun stuff.

Google "FBI Virus" and you will get all sorts of information on the various strains. I don't know what the official name of the strain on this computer was, but these are the steps I went through to eliminate it. Note that the first few did not work (at least for me).

1. Boot in safe mode. This did not work. While the FBI ransom screen did not come up, as soon as Windows Explorer was launched, the computer would restart.

2. Boot in safe mode with command prompt. This did work. From here you can launch Windows Explorer by typing "explorer" (or, I suppose, any other program if you know the correct prompts). From this I was able to load Malwarebytes, but it needed to download definitions. Well, safe mode with networking does not work. This means I would have to use the 40-day-old definitions (see step 7). No good, I decided. It's also worth noting that the anti-virus on the computer would not load at all, even in safe mode.

3. Trend Micro Rescue Disk (via USB). This computer had Trend Micro Titanium on it when it was infected, so I decided to try the Rescue Disk. This boots the computer off of the flash drive (on Linux, I think) and scans it from there. 3 hours later, no threats found. Next method.

4. msconfig. I should have tried this first, but didn't think of it. Booting in safe mode with command prompt I was able to launch msconfig (type msconfig in the command line). I then shut off all startup programs. I don't know if this is any different than booting in safe mode or not. I suspect not because it did not work.

5. HitmanPro. I loaded HitmanPro and tried scanning with that. It found some cookies and skype.dat. Well, a Google search later and skype.dat was quarantined. Apparently that might be a virus as well. If I kill her Skype I can fix that later (it didn't kill Skype). I will also say that I had never heard of HitmanPro before. I just read that someone had had success with it and tried it. I had used Malwarebytes in the past.

6. Remove Adobe Flash. I read that the virus might depend on Flash to run, so I uninstalled every Adobe Product I could get my mouse on.

Beginnings of Results
7. Update Malwarebytes definitions manually. You can download newer definitions from HERE. I say newer because it said they were 8 days old. I copied them over with a flash drive and installed them. Ran a quick scan (all with explorer launched from safe mode with command prompt). It found skype.dat and its registry file. Malwarebytes actually deleted it. Restart in safe mode with networking. It works now. Download the latest Malwarebytes definitions and run a full scan. I did not reboot the computer normally at this point because I feared that the computer had more than one virus on board. If one of them survived, it could have reloaded the other ones (such was the fear anyway).

The full scan removed three more vicious-looking threats: Malware.Packer.CV, Rootkit.0Access, and Rootkit.0Access. I rebooted into safe mode again.

8. Run Microsoft Security Scanner. Downloaded and scanned. It found nothing.

I restarted the computer normally and everything appears normal. Now run more scans to make sure everything is OK and re-install anti-virus software. The program files folder for Trend Micro was vacant, so I installed Microsoft Security Essentials because it was free and didn't require a licence key. Re-install all the "needed" Adobe products. Reset all startup programs. I also noted that some of the internet security settings on IE appeared to be changed. Unchange them. For good measure, install CCleaner and clean up cookies, registry, and any other junk. Turn on daily virus scans and Windows automatic updates. Cross fingers and hand keys back to relative.
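As an added illustration (not part of the original post, and not a tool the author used): a read-only PowerShell check of the startup locations a lock screen of this kind commonly hooks. It assumes, which the post does not state, that the page shown "in place of Windows Explorer" was launched via the Winlogon Shell/Userinit values, a Run/RunOnce key, or a Startup folder; it only lists suspect entries for you to review before running the scanners.

```powershell
# Added example, not from the original post. Assumption (not stated in the
# post): the lock screen is started through Winlogon Shell/Userinit, a
# Run/RunOnce key, or a Startup folder. Read-only: reports, changes nothing.
# PowerShell 2.0 compatible (Windows 7); run from Safe Mode with Command Prompt:
#   powershell -ExecutionPolicy Bypass -File .\Check-Startup.ps1
$findings = @()
function Add-Finding([string]$Location, [string]$Value) {
    $script:findings += New-Object PSObject -Property @{ Location = $Location; Value = $Value }
}

# 1. Winlogon: Shell should be explorer.exe and Userinit the stock userinit.exe
#    (the default Userinit value ends with a trailing comma).
$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{ Shell = 'explorer.exe'; Userinit = "$env:SystemRoot\system32\userinit.exe," }
foreach ($hive in 'HKLM', 'HKCU') {
    $props = Get-ItemProperty -Path "${hive}:\$winlogon" -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $value = $props.$name
        # HKLM must match the default; HKCU normally does not set these at all.
        if ($value -and ($hive -eq 'HKCU' -or $value -ne $expected[$name])) {
            Add-Finding "${hive}:\$winlogon\$name" $value
        }
    }
}

# 2. Run/RunOnce keys (the entries msconfig's Startup tab shows), flagging
#    commands that point into user-writable directories.
$suspectPath = '\\(AppData|Temp|ProgramData|Users\\Public)\\'
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            if ("$($p.Value)" -match $suspectPath) { Add-Finding "$key\$($p.Name)" $p.Value }
        }
    }
}

# 3. Per-user and all-users Startup folders: anything here runs at logon.
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
        ForEach-Object { Add-Finding $dir $_.Name }
}

if ($findings) { $findings | Format-Table Location, Value -AutoSize } else { 'No suspect startup entries found.' }
```

A hit is a lead, not a verdict: look the entry up (as the author did with skype.dat) and let the scanners quarantine it rather than deleting registry values by hand.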

Good luck!
-Matthew


Other things to try:

  • Kaspersky Rescue Disk
  • System Restore Point
  • Manually boot OS from flash drive
  • Hire a teenager
  • Buy a new computer and send me the broken one as a gift
