Page 1 of 2
Results 1 to 15 of 19
  1. #1
    Super Moderator RetiredGeek's Avatar
    Join Date
    Mar 2004
    Location
    Manning, South Carolina
    Posts
    9,433
    Thanks
    371
    Thanked 1,456 Times in 1,325 Posts

    Ransom malware warning issued by FBI

    May the Forces of good computing be with you!

    RG

    PowerShell & VBA Rule!

    My Systems: Desktop Specs
    Laptop Specs

  2. The Following 4 Users Say Thank You to RetiredGeek For This Useful Post:

    dkmac (2012-09-03),Duchess843 (2012-08-16),JackStone (2012-08-21),RockFox (2014-03-28)

  3. #2
    Silver Lounger Banyarola's Avatar
    Join Date
    Dec 2009
    Location
    Big Indian, New York
    Posts
    1,900
    Thanks
    19
    Thanked 65 Times in 54 Posts
    I have received a couple of these over the past year.
    "If You Are Reading This In English, Thank A VET"

  4. #3
    3 Star Lounger
    Join Date
    Jan 2010
    Location
    Michigan
    Posts
    384
    Thanks
    1
    Thanked 4 Times in 4 Posts
    So how do you get rid of the problem? The link was unclear on that issue.

  5. #4
    Star Lounger
    Join Date
    Dec 2009
    Location
    Edinburgh, Scotland
    Posts
    85
    Thanks
    10
    Thanked 0 Times in 0 Posts
    A quick Google found this, which seems straightforward enough:

    http://www.f-secure.com/v-descs/troj..._reveton.shtml

  6. #5
    New Lounger
    Join Date
    Dec 2009
    Location
    Billericay, Essex, England
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Must be regionalised malware, in the UK we get a version claiming to be the Metropolitan (ie London) Police!

  7. #6
    New Lounger haunja's Avatar
    Join Date
    Aug 2012
    Location
    Oak Ridge,TN
    Posts
    4
    Thanks
    0
    Thanked 1 Time in 1 Post
    I have been able to use System Restore twice to roll back the machine to before the infection. This stops it from executing. Then clear the browser cache and check user/appdata for payload folders. In both cases it has never returned. There may be component files left, but they are effectively orphaned.

  8. The Following User Says Thank You to haunja For This Useful Post:

    Duchess843 (2012-08-16)

  9. #7
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    Slough, Berkshire UK
    Posts
    924
    Thanks
    55
    Thanked 52 Times in 50 Posts
    Would not be such a problem if you had a Backup image of your drive from before infection.
    You could then use this to reformat the 'C' drive and restore the image to 'C'.
    Then all traces of the malware should be gone.

    Always good to do regular image backups. I image my drive every week or sooner if I have installed anything new.
    Clive

    All typing errors are my own work and subject to patents pending. Except errors by the spell checker. And that has its own patients.

  10. #8
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    Slough, Berkshire UK
    Posts
    924
    Thanks
    55
    Thanked 52 Times in 50 Posts
    Quote Originally Posted by haunja:
    I have been able to use System Restore twice to roll back the machine to before the infection. This stops it from executing. Then clear the browser cache and check user/appdata for payload folders. In both cases it has never returned. There may be component files left, but they are effectively orphaned.
    I would not trust just restore points, as the so-called orphaned files could be sleeping Trojans that, when triggered by a certain action, could re-install the malware.
    Clive

    All typing errors are my own work and subject to patents pending. Except errors by the spell checker. And that has its own patients.

  11. #9
    New Lounger
    Join Date
    Feb 2004
    Location
    Huntersville, North Carolina
    Posts
    18
    Thanks
    0
    Thanked 0 Times in 0 Posts

    How to disinfect "FBI Moneypak" and similar Variants

    It took a while, but here is what I did:

    1. The laptop PC would not boot past the warning page, which was essentially ransomware (white screen, black lettering). Obviously I was unable to use any installed antimalware programs.

    2. Removed the hard drive, connected it to my PC, and ran six reputable antimalware scans, which found several trojans and two rootkits. Replaced the HD; still no boot to desktop.

    3. Removed the HD again and connected it to my PC.

    4. Downloaded and ran the online scan from the reputable F-secure.com. The F-Secure Online Scanner can help get rid of viruses and spyware that may be causing problems on your PC. Online Scanner only requires the installation of an add-on for your browser and works even if you have other security software installed on your PC. I pointed it at the F drive (the laptop HD).

    5. It ran for three hours. Found several fake alerts and trojans as follows:
    Target: F:\
    6 malware found
    Suspicious:W32/Malware!Gemini (virus)
        F:\USERS\B\APPDATA\ROAMING\A0KQE99O.EXE (Not cleaned & Submitted)
    Suspicious:W32/Malware!Gemini (virus)
        F:\USERS\B\APPDATA\LOCAL\TEMP\~!#6F1D.TMP (Not cleaned & Submitted)
    Gen:Variant.Graftor.39630 (virus)
        F:\USERS\B\APPDATA\LOCAL\TEMP\~!#8C23.TMP (Renamed & Submitted)
    Gen:Variant.Kazy.86544 (virus)
        F:\PROGRAMDATA\MICROSOFT\MICROSOFT ANTIMALWARE\LOCALCOPY\{01A453B7-0D06-65F4-EF0D-C1131C735FF7}-~!#76CC.TMP (Renamed & Submitted)
    Trojan.Generic.KD.696248 (virus)
        F:\PROGRAMDATA\MICROSOFT\MICROSOFT ANTIMALWARE\LOCALCOPY\{BD3B262D-C740-5B99-6863-8AC60154DF3D}-~!#8000.TMP (Renamed & Submitted)
    Trojan.Generic.KD.696248 (virus)
        F:\PROGRAMDATA\MICROSOFT\MICROSOFT ANTIMALWARE\LOCALCOPY\{5AB3FE27-37BB-CFD6-CA53-C020BC4748CE}-~!#8000.TMP (Renamed & Submitted)

    6. Replaced the HD. It finally booted normally. Then I did the usual cleanup of files, folders, and the registry.

    7. I learned later that I could have booted from my Ubuntu disk and found A0KQE99O.EXE or some other nefarious executable by poking around the directories.

    I found few solutions in my initial research, so I trust this helps others.
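    The two cleanup approaches above, rolling back with System Restore and then checking AppData for leftover payloads (posts #6 and #8), and pulling the drive to inspect it from a clean machine (post #9), both come down to the same triage: find recently dropped executables in the per-user drop folders and find anything that would start them again at logon. The script below is an added example written for this page, not code posted by any of the participants; it runs on the live machine by default, or against a victim drive mounted on a clean PC when -Root is set to that drive letter (F: in post #9). The drive letter, the profile name "B", the 24-hour look-back window and the hive name HKU\Triage are assumptions chosen for illustration.

```powershell
# Added example, not code from the thread: triage a Windows user profile for
# dropped payloads and the autostart hooks that would re-launch them.
# Runs against the live system by default, or against a victim drive mounted
# on a clean machine (post #9's F:\) when -Root is set to that letter.
# Drive letter, user name and the 24-hour window are assumptions for illustration.
param(
    [string]$Root     = $env:SystemDrive,   # e.g. 'F:' for an offline victim drive
    [string]$UserName = 'B',                # profile folder to inspect
    [int]   $Hours    = 24                  # look-back window for newly created files
)

$UserDir = Join-Path $Root "Users\$UserName"
$Since   = (Get-Date).AddHours(-$Hours)
$Exts    = '.exe', '.dll', '.scr', '.tmp'

# 1. Drop locations seen in the thread: per-user Roaming/Local AppData, Temp, ProgramData.
#    Report recently created executables with signature status and a hash for lookup.
$DropDirs = @(
    (Join-Path $UserDir 'AppData\Roaming'),
    (Join-Path $UserDir 'AppData\Local\Temp'),
    (Join-Path $Root    'ProgramData')
) | Where-Object { Test-Path $_ }

$Suspects = Get-ChildItem -Path $DropDirs -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ($Exts -contains $_.Extension) -and ($_.CreationTime -ge $Since) } |
    ForEach-Object {
        [pscustomobject]@{
            Created = $_.CreationTime
            Signed  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status  # 'Valid' only for properly signed binaries
            SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Path    = $_.FullName
        }
    }

# 2. Autostart hooks. A payload that survived System Restore is only "orphaned"
#    if nothing points at it, so list Run/RunOnce values and the Startup folder.
$RunKeys     = @()
$HiveMounted = $false
if ($Root -eq $env:SystemDrive) {
    $RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
} else {
    # Offline drive: mount the user's NTUSER.DAT so its Run keys become visible (needs elevation).
    $Hive   = Join-Path $UserDir 'NTUSER.DAT'
    $output = & reg.exe load 'HKU\Triage' $Hive 2>&1
    if ($LASTEXITCODE -eq 0) {
        $HiveMounted = $true
        $RunKeys = 'Registry::HKEY_USERS\Triage\Software\Microsoft\Windows\CurrentVersion\Run',
                   'Registry::HKEY_USERS\Triage\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    } else {
        Write-Warning "Could not load $Hive : $output"
    }
}

$Autoruns = foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |          # skip the provider's own PSPath etc.
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}

$StartupDir   = Join-Path $UserDir 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
$StartupItems = Get-ChildItem -Path $StartupDir -Force -ErrorAction SilentlyContinue |
    Select-Object CreationTime, FullName

if ($HiveMounted) {
    [gc]::Collect()                         # drop provider handles before unloading
    & reg.exe unload 'HKU\Triage' | Out-Null
}

'== Recently created executables under AppData / Temp / ProgramData =='
$Suspects | Sort-Object Created -Descending | Format-Table -AutoSize -Wrap
'== Run / RunOnce values =='
$Autoruns | Format-Table -AutoSize -Wrap
'== Startup folder =='
$StartupItems | Format-Table -AutoSize
```

Run it from an elevated PowerShell; loading a foreign NTUSER.DAT requires administrator rights, and the hive must be unloaded again or the drive cannot be cleanly removed. Against an offline drive the script only covers the user's own Run keys; machine-wide HKLM Run values live in the SOFTWARE hive under Windows\System32\config and would need a second reg.exe load. A randomly named, unsigned executable in AppData\Roaming with a Run value or Startup shortcut pointing at it is exactly the "sleeping" leftover post #8 warns about; a leftover with no hook is the orphan post #6 describes, and the SHA256 lets you look either up before deciding.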

  12. #10
    Super Moderator jwitalka's Avatar
    Join Date
    Dec 2009
    Location
    Minnesota
    Posts
    6,792
    Thanks
    117
    Thanked 798 Times in 719 Posts
    Just got a call from a client who picked up this nasty. Had her boot into Safe Mode with Networking, download and run Malwarebytes, and it took care of it.

    Love Malwarebytes. One of the reasons I paid for it even though it is freeware.

    Jerry

  13. #11
    New Lounger
    Join Date
    Aug 2012
    Posts
    1
    Thanks
    0
    Thanked 1 Time in 1 Post
    Microsoft Offline Defender does a thorough job of removing this nasty bit of ransomware. I keep a bootable CD of the x86 and 64-bit versions on the bench at all times. It has the ability to update itself at startup, so the current definitions are always available.

  14. The Following User Says Thank You to newdimtech For This Useful Post:

    Dick-Y (2012-08-18)

  15. #12
    New Lounger
    Join Date
    Dec 2009
    Location
    Sydney,NSW,Australia
    Posts
    16
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Ransomware that can encrypt external hard drives

    I opened this thread to see if there was any information on the type of ransomware that encrypts files and, as I have read recently, external hard drive(s) containing backups.

    This may not be the appropriate place for this - if so, apologies.

    If data files are encrypted by ransomware, removing the infection still leaves the data unavailable.

    The obvious remedy is to restore them from backup, but if the backup drive is also encrypted then this won't work. For this reason, when discussing this type of malware, articles that I have seen advise disconnecting the drive except when taking a backup.

    Where the backup is scheduled, and particularly if it is daily (or in some cases even more frequent), the advice seems rather impracticable.

    Does anyone have a suggestion for this sort of scenario? I realise the best solution is not to get infected, but mistakes can happen!
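    One way to get the effect of "disconnect the drive except when taking a backup" without anyone physically unplugging it is to leave the backup disk in the Offline state in Windows and have the scheduled job bring it online only for the duration of the copy, then take it offline again. An offline disk has no mounted volume and no drive letter, so malware that simply walks the lettered drives does not find it. The script below is an added example written for this page, not something any participant posted; it assumes Windows 8 / Server 2012 or later (the Storage module's Get-Disk and Set-Disk), an elevated scheduled task, and that disk number 2, the Documents and Pictures folders, the "Backup" destination folder and the log path are the ones to use, all of which are placeholders.

```powershell
# Added example, not code from the thread: keep the backup disk offline except
# while a scheduled backup is running, so a ransomware process that walks the
# mounted drive letters never sees it, and write each run to a dated folder so
# an already-encrypted source cannot overwrite earlier copies.
# Needs Windows 8 / Server 2012 or later (Storage module) and an elevated prompt.
# The disk number, source folders, destination folder and log path are assumptions.
param(
    [int]     $BackupDiskNumber = 2,
    [string[]]$Sources  = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures"),
    [string]  $DestRoot = 'Backup',
    [string]  $Log      = "$env:ProgramData\offline-backup.log"
)

$disk = Get-Disk -Number $BackupDiskNumber -ErrorAction Stop
if (-not $disk.IsOffline) {
    # Being online outside a backup window is the condition this scheme exists to prevent.
    throw "Disk $BackupDiskNumber is already online; refusing to run until it is taken offline."
}

try {
    Set-Disk -Number $BackupDiskNumber -IsOffline $false      # attach for this run only
    Start-Sleep -Seconds 3                                     # let the volume mount and get its letter

    $letter = Get-Partition -DiskNumber $BackupDiskNumber |
        ForEach-Object { "$($_.DriveLetter)" } |               # unlettered partitions yield a NUL char
        Where-Object { $_ -match '^[A-Z]$' } |
        Select-Object -First 1
    if (-not $letter) { throw "No lettered partition on disk $BackupDiskNumber" }

    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    foreach ($src in $Sources) {
        $dst = Join-Path "${letter}:\$DestRoot\$stamp" (Split-Path $src -Leaf)
        # /E copies subfolders; no /MIR and no /PURGE, so nothing already on the backup is deleted.
        robocopy $src $dst /E /R:1 /W:1 /NP /LOG+:$Log | Out-Null
        if ($LASTEXITCODE -ge 8) {                              # 8 and above means some files failed to copy
            Write-Warning "robocopy reported failures for $src (exit code $LASTEXITCODE); see $Log"
        }
    }
}
finally {
    Set-Disk -Number $BackupDiskNumber -IsOffline $true       # detach again even if the copy failed
}
```

Take the disk offline once by hand (Disk Management, or Set-Disk -Number 2 -IsOffline $true) and register the script as a scheduled task that runs with highest privileges; the try/finally keeps the window short even when a copy fails. Two caveats a practitioner should keep in mind: the disk is exposed while the copy runs, so a job that starts after the source has already been encrypted will faithfully copy ciphertext into that day's folder, which is why each run gets its own dated folder rather than mirroring over the previous one; and anything running with administrator rights can bring the disk online itself, so this defeats malware that runs as the user and enumerates drive letters, not an attacker who owns the machine. Pruning old dated folders is left as a manual step so that the script never deletes anything on the backup.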

  16. #13
    New Lounger alison's Avatar
    Join Date
    Sep 2013
    Location
    Delaware
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    It seems like the Safe Mode method doesn't work with FBI Moneypak malware anymore. Only bootable CD/USB and
    Last edited by satrow; 2013-09-07 at 19:20.

  17. #14
    Silver Lounger Banyarola's Avatar
    Join Date
    Dec 2009
    Location
    Big Indian, New York
    Posts
    1,900
    Thanks
    19
    Thanked 65 Times in 54 Posts
    I always close those pop-ups with Task Manager.

    I also have two images made every day, one in the morning and one in the evening.

    Seeing a pop-up and trying to close it by clicking on the X is risky business. Always use Task Manager to close them.
    "If You Are Reading This In English, Thank A VET"

  18. #15
    Super Moderator RetiredGeek's Avatar
    Join Date
    Mar 2004
    Location
    Manning, South Carolina
    Posts
    9,433
    Thanks
    371
    Thanked 1,456 Times in 1,325 Posts
    Bany,

    A simple Alt-F4 also works in most cases. HTH
    May the Forces of good computing be with you!

    RG

    PowerShell & VBA Rule!

    My Systems: Desktop Specs
    Laptop Specs
