14 Replies

  • Used Trinity Rescue Disk and Ccleaner from Piriform to clean up a machine with this virus. It was an ugly one and my trusty AVG Rescue Disk could not help me.

  • Here is one we have used when Symantec & Malware Bytes have failed us.

    http://www.microsoft.com/security/scanner/en-us/default.aspx

  • I ran into this infection yesterday and wanted to add my solution variant to this thread.

    My fix consisted of booting without an Internet connection (no wifi and no ethernet connected) into 'Safe Mode' and running 'msconfig' and disabling the strange or unknown items on the 'Startup' tab. This allowed for a boot up that was not locked down and I was able to bring over a copy of the Microsoft Security Scanner via USB thumb drive.

    http://www.microsoft.com/security/scanner/en-us/default.aspx

    After running the MS utility and rebooting, I connected to the Internet and downloaded and ran the latest Malwarebytes.

    http://www.malwarebytes.org/products/malwarebytes_free

    Then I followed up with a scan using Trinity Rescue Kit from my trusty utility boot thumb drive.  In hindsight I could have started with this.

    My boot thumb drive is generally my Swiss Army knife tool for password resets (Offline NT Password + Reg Editor), partition management (GParted), drive cloning (Clonezilla)... etc. It is also a cool way to try out or demo various Linux distros and such. After OpsCenter's suggestion, I added Trinity Rescue Kit to my tool set in my boot thumb drive.

    http://www.pendrivelinux.com/yumi-multiboot-usb-creator

  • [Update]

    I have run into a newer variant of this infection where booting into Windows Safe Mode (with or without networking) does not work.

    My previous cleaning method does not work in this situation.

    So this has presented me with an opportunity to run through all of the various antivirus and antimalware boot images available in the Yumi USB boot utility.

    I loaded every .ISO in the Antivirus category to my USB drive to see which ones were effective. The following are my results:

    - Acronis Antimalware CD = nothing

    - AOSS = nothing

    - AVG Rescue CD = nothing

    - AVIRA AntiVir Rescue CD = found one infected file [JAVA/Treams.HR], but still infected and cannot boot to Safe Mode

    - Bitdefender Rescue Disk = found one infected file in Microsoft's Antimalware Quarantine folder

    - Dr.Web Live CD = This finally worked! Found 1 infected file and 6 suspicious files, but I believe it was their 'CureRegistry' tool which allowed me to regain control and run Malwarebytes and HitManPro.

    - F-Secure Rescue CD = [did not try]

    - GDATA Rescue CD = [did not try]

    - Kaspersky Rescue Disk = nothing

    - Panda SafeCD = [did not try]

    - Trinity Rescue Kit / Clam-AV = nothing

    Note: I did run updates prior to each of the various scans.

    Unfortunately, once Dr.Web got me past the instant lock out on Windows boot, I was able to continue the clean up with Malwarebytes and HitManPro and further testing ended.

    My takeaway conclusion is that Dr.Web's CureRegistry function is what made the difference. I will start with that on the next encounter as it would take less than 5 minutes to get back into Windows to start the clean up.

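    As an added example (not from any post in this thread), the read-only PowerShell audit below covers the places the 'disable unknown startup items' and 'CureRegistry' steps above act on: the Winlogon Shell/Userinit values, the Run/RunOnce keys and the Startup folders. It assumes a stock Windows install where the default Shell is explorer.exe and Userinit is system32\userinit.exe, and it treats only the Windows and Program Files trees as trusted launch locations; that trust rule is a triage heuristic, not a verdict.

```powershell
# Added example, not from this thread: read-only audit of the autostart locations
# a boot-time lock screen typically hijacks. Run from an elevated prompt (Safe Mode
# is fine); it only reports and changes nothing.
$windir = $env:SystemRoot
# Assumption: stock Winlogon defaults (Userinit keeps its trailing comma).
$expected = @{ 'Shell' = 'explorer.exe'; 'Userinit' = "$windir\system32\userinit.exe," }
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = [string]$props.$name
    if ($actual.TrimEnd(',') -ine $expected[$name].TrimEnd(',')) {
        Write-Warning "Winlogon\$name = '$actual' (expected '$($expected[$name])')"
    } else { Write-Output "Winlogon\$name OK" }
}
# A per-user Shell override is not set on a clean machine; report it if present.
$userShell = (Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue).Shell
if ($userShell) { Write-Warning "HKCU Winlogon\Shell is set: '$userShell'" }

# Run/RunOnce entries: flag anything launched from outside Windows or Program Files
# (e.g. AppData, Temp, ProgramData), which is where such droppers usually land.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$trusted = @("$windir\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
           Where-Object { $_.Length -gt 1 }
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip provider metadata
        $cmd = ([string]$p.Value).TrimStart('"')
        $ok = $trusted | Where-Object { $cmd -like "$_*" }
        $tag = if ($ok) { 'ok   ' } else { 'CHECK' }
        Write-Output ("[{0}] {1}\{2} = {3}" -f $tag, $key, $p.Name, $p.Value)
    }
}
# Startup folders (per-user and all-users), minus the desktop.ini placeholder.
foreach ($f in 'Startup', 'CommonStartup') {
    Get-ChildItem -Path ([Environment]::GetFolderPath($f)) -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object { Write-Output "[CHECK] Startup folder item: $($_.FullName)" }
}
```

    Entries tagged CHECK are candidates for the msconfig Startup tab review, not automatic removals; confirm each one before disabling it.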
  • Techiam, thanks for the excellent update.  I'll be sure to try Dr. Web Live CD, next time we see this nasty virus.

  • Several of our clients have been exposed to this little bugger. For me, Safe-Mode with networking-->TDSS Killer-->Combofix-->Eset Online Scanner and then a final scan with whatever local AV is installed has always done the trick. I'm sure all you guys know this, but be sure to delete/recreate any system restore points and rebuild roaming profiles.

    I don't have any references but some of my research indicates this little back door is often associated with other "bot-net" nasties.

  • Good information, thanks for sharing!

    I've seen this about a dozen times in the past 6 months, and it freaks out whatever user happens to be the victim...  what a pain.

  • Yeah, because that's what the FBI does if it finds child porn, they require $300 then they go away

  • I've seen it 3 or 4 times (including at home on my older son's computer)... MBAM has gotten rid of it every time. Nothing fancy, just run MBAM until it comes back clean.

  • More important to me is how this is getting into your/clients' systems?

    Is this a drive by infection?

    Attached to some script, trialware, warez?

    Any hint as to how the bugger initially infects would be invaluable.

    Best Regards,

    Frank Wolynski

  • It's been my observation the infections are from bogus websites, with links delivered via email.

    But it's hard to pinpoint. Often the infected users don't like to admit what they were doing at time of the infection or don't make the connection between opening an email and/or clicking a link that leads to a website that asks some sort of question like, "Do you want to install the latest version of Flashplayer", they agree and launch the infection.

    Or perhaps it's a football fan that wants to watch the game, but it's been blacked out in the local market. So they search the web, find links to sites that claim to show the game if you install their video player.

    In the end, we can only try our best to protect our clients and users. It's not like we can cut off the source, which is email, internet web browsing, or both.

    Computer and network security is a matter of balance. The most secure system in the world is one that's turned off and unplugged, but how useful is that system? We decide to plug in the computer and turn it on, which means we've increased the risk compared to powered off mode. We then network the computer and give it access to internet browsing, making the computer more useful, but greatly increasing the risk from viruses and hackers.

    One final thought, have you ever asked yourself who benefits most by these viruses? Companies like Symantec and McAfee have made countless fortunes over the years because of viruses and hackers. Isn't it in their best interest to make sure we are constantly bombarded by malicious code and attacks?

    Food for thought.
  • I'm on the second day of trying to clean a laptop from this. According to the user it was picked up from a video on a news site (not one of the majors).

    I used Kaspersky to unlock it this morning. Booted into safe mode w/networking and ran Malwarebytes. When I rebooted, I couldn't get into safe mode and so I logged on at the main screen. I managed to download Spybot but shortly after the FBI screen took over.

    Back to square one. This is a nasty one.

  • flyboy1957, sorry to hear of your troubles, many of us know what you're going through. We all know you'll do your best to beat this thing. But some infections are just too pervasive and the only fix is to do the "Backup, Format, Reinstall" dance. Let us know how it turns out.

  • Thanks, I finally beat it. Unlocked it again, booted to safe mode, ran Malwarebytes, installed and ran Spybot S&D, ran CCleaner on the registry, installed antivirus and ran a quick scan. Then I ran all scans again to make sure they came up clean.

    When I rebooted into normal mode it was running fine and hasn't been reinfected.

    If it didn't work I had told the user I was going to wipe the drive so I'm glad it did.
