# Fake FBI Trojan Locked Up My PC! Help?



## Hearth Mistress (May 29, 2013)

I'm not completely computer stupid but this one is beyond me. It is a fake page that tells me the FBI knows I have stolen software, kiddie porn, etc. and unless I go buy a $300 money order my computer will remain locked. It also warns that if I try to bypass the warning my hard drive will be erased. None of which is true or going to happen.

However, I can't get it off, can't get into safe mode at all in any way; it will let me select safe mode but immediately reboots in normal mode and the warning page is there. I cannot do anything, and reading about how to fix it online all talks about going into safe mode and selecting a previous restore point to get rid of it. While that has worked for many others, I can't get this sucker into safe mode; even unplugged from the internet, it goes right back to the warning page with no other controls.

We run Windows 7 Home Edition on a Dell about 2 years old. My cable provider and antivirus software provider told me that they can't prevent or control malware or trojan attacks because they are often downloaded unbeknownst to the user on a picture or video. They can't possibly control all of the content out there.

I have a work laptop and an iPad too but really want my home PC fixed so my hubby can use it again. 

Any ideas out there that don't require safe mode? I don't want to totally restore the computer if there is another option but don't trust myself to sit and do pages of reg edits either.

Any info is appreciated!


----------



## fossil (May 29, 2013)

Same thing happened to me.  Win7 on a Dell desktop.  Was careful to not fiddle around with anything, called a local professional computer dude who specializes in Windows and works from his home.  Super guy, knew immediately what I was talking about.  I took my computer to him, and the next day he called and said..."All done, cleaned up, tuned up a little, come get it".  He charged me ~$100.00.  No complaints.  Found him in the phone book.  It was a holiday...first place I called didn't answer...he did.  Duh.  I get occasional info e-mails from him.  He's a pro.  Rick


----------



## BrotherBart (May 29, 2013)

Tough one. The only way I know to stomp it is by running malwarebytes from a USB flash drive. But that is from safe mode.


----------



## daveswoodhauler (May 29, 2013)

My wife had a similar issue and I had to reformat the hard drive and start from scratch. Do you have the factory discs that came with the pc?


----------



## Hearth Mistress (May 29, 2013)

daveswoodhauler said:


> My wife had a similar issue and I had to reformat the hard drive and start from scratch. Do you have the factory discs that came with the pc?


There are no "discs" sent out anymore, it's on a partition of the hard drive, no recovery disks, and since I can't get into safe mode, I can't access that partition, or at least I don't think I can.



BrotherBart said:


> Tough one. The only way I know to stomp it is by running malwarebytes from a USB flash drive. But that is from safe mode.


I just looked at the boot sequence in the BIOS menu and it looks like I can boot from a USB device or CD. I think I can burn a CD from my laptop so maybe I'll try that before trying anything else.

I hope the people who create this crap rot in hell!


----------



## heat seeker (May 29, 2013)

Hearth Mistress said:


> I hope the people who create this crap rot in hell!


 
I second that!


----------



## Dave A. (May 30, 2013)

First off, just want to make clear I'm not an expert on this.



Hearth Mistress said:


> There are no "discs" sent out anymore, its on a partition of the hard drive, no recovery disks and since I can't get into safe mode, I can't access that partition or at least I don't think I can.


 
F8 Startup Options should include Safe Mode with Command Prompt -- if you can get into that you might be able to access that partition.

If you can get into safe mode command prompt, see:
http://malwaretips.com/blogs/fbi-cybercrime-division-icspa-virus/
about restoring to previous configuration via command prompt

That link looks straightforward and promising if you haven't seen it yet.

Note the msconfig step. I was thinking of suggesting trying that from regular mode as a remedy to prevent the loading of the virus at startup but apparently that won't work.

Edit: If you can't get into safe mode-command prompt then you need to start at method 4 in the link -- loading Hitman pro onto a flash drive.

Note: Hitman is offered as a 30 day free trial but installed on your flash drive only you shouldn't have to worry about it annoying you. I use Malwarebytes and can recommend it but know nothing about Hitman other than it's available at shareware sites as a trial and what I see on this page. If it's the only way to get into windows by booting from the flash drive with Hitman on it, seems worth the try.

If for some reason you can't fix it and it looks like the only thing left is a reinstall of windows, it's probably a good idea to first try a "repair install". This is different from repair console. Repair install, if it is available as an option for you will keep your current installation but often fixes problems. Something to consider.

In the future, for safer browsing and downloading, you might want to look into setting up a VM virtual machine to run a browser in for questionable sites. You can test run questionable software on the VM without it affecting your real system. VMware is free as are some others.


----------



## StihlHead (May 30, 2013)

I use Microsoft antivirus tools. They are free on their web site:

http://windows.microsoft.com/en-US/windows/security-essentials-download

Microsoft also has a malware removal tool at this site:

http://www.microsoft.com/security/pc-security/malware-removal.aspx


----------



## Highbeam (May 30, 2013)

It's called ransomware, I had it once too. Malwarebytes was my goto page for the solution. I believe I was able to browse for a short time before the FBI page would show up.


----------



## Jags (May 30, 2013)

Do you have more than one user account on your PC?  Would you be above creating one?  If you create a new user (but be aware this has other implications) - you will more than likely be able to run malwarebytes and test the whole machine.  Going back to a single user machine can be a PIA.


----------



## WES999 (May 30, 2013)

Try Ctrl+F11 at startup, it should get you to system restore.
Also there are some AV programs that will boot from a disc and run under Linux;
I think I have a free one from Kaspersky.


----------



## Sisu (May 30, 2013)

Start up in safe mode.  Restore the system to an earlier save date.  That should hopefully do the trick.


----------



## Seasoned Oak (May 30, 2013)

I got exactly the SAME thing. I got on one of my other computers and googled a fix for it. You can get step by step instructions that way. Took about an hour to fix. I suggest you fix it yourself so you have the knowledge to do it, as it is quite common. There is also a step if safe mode doesn't work, which was the case with my comp.


----------



## Retired Guy (May 30, 2013)

Try this. Removal instructions are way down. Good Luck

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Reveton.A

http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline


----------



## Hearth Mistress (May 30, 2013)

Sisu said:


> Start up in safe mode.  Restore the system to an earlier save date.  That should hopefully do the trick.


I can't get into safe mode to load a restore point, that is the issue. It will allow me to go into all of the safe mode options but as soon as it gets to safe mode, it immediately reboots to normal mode with that stupid page; the only option is to turn off by holding in the power button, no other commands work!


----------



## Hearth Mistress (May 30, 2013)

Jags said:


> Do you have more than one user account on your PC?  Would you be above creating one?  If you create a new user (but be aware this has other implications) - you will more than likely be able to run malwarebytes and test the whole machine.  Going back to a single user machine can be a PIA.


I only have 1 user set up because my hubby is the only one that uses it. I have a work laptop, work iPad and personal iPad so I really don't use it. I have no issue creating a new user but in the state it is in, I don't know that I can. This happened after my dearest husband spent several hours watching videos online. I will absolutely set up an admin user once I get this squared away! Thanks for the idea!


----------



## Hearth Mistress (May 30, 2013)

Dave A. said:


> In the future, for safer browsing and downloading, you might want to look into setting up a VM virtual machine to run a browser in for questionable sites. You can test run questionable software on the VM without it affecting your real system. VMware is free as are some others.



My husband watches videos online posted on boards similar to ours here but they are mostly YouTube videos on firearms, military field footage, etc. - no porn

I'm not sure exactly what a virtual machine is but I will look into it as I am really sick of these trojans and malware. This is the first time I haven't been able to get into safe mode though, these creeps are getting really good at screwing unsuspecting users!


----------



## begreen (May 30, 2013)

Gun porn is an easy target. If you have a root virus and it sounds like you do, you will have to try booting from a USB drive or CD with a basic OS and root bug removal software. But if your hubby visits eastern European weapons websites I wouldn't bother. Their malware is getting very sophisticated and they have a defense against this too. The only recourse in that case is a low level format of the drive and reinstallation of the OS.


----------



## StihlHead (May 30, 2013)

My laptops have CD/DVD drives so I can boot from them if I have to. Usually you can download that stuff and burn a system CD from the computer manufacturer's site. For example Toshiba has them for my systems. Dell has a lot of that stuff online, I would look there. Or look in the box that your system came in, maybe it had a system CD in there? My older laptop has a CD that will restore that system to the minimum original configuration that it came in, and download the rest from Toshiba off the net. Worst case, reformat the HD and reinstall the application SW on it.

These guys that write this malware stuff, they should be crucified. You have to run virus and malware protection all the time now. I use Microsoft, which is free for earlier versions, and runs automatically on Windows 8. It is fairly low profile and pretty good. Norton has become so system resource greedy that it has become a worm in itself, sucking up way too much system overhead, and it also spawns tons of pop-ups, reminders, and stupid status windows. I nuke that on any system I buy, and even that is a PITA to remove from any system now. They have all these pop-ups asking if you really really really want to remove Norton and be EXPOSED TO THE HORRORS OF THE EARTH (meaning Nigerians)... makes you wonder if Norton is not paying these guys to write malware so they make more money 'protecting' people from it with subscriber services.

Good luck. Videos are but one source of malware. SPAM is the most common source of virus, worms, spyware and malware. Never open any email attachment from anyone that you do not know. Also do not store email on your home system. Use a free service like Yahoo or Gmail and let their servers store it for free.


----------



## begreen (May 30, 2013)

Clicking on ads on suspect sites is another portal to disaster. Don't do this.


----------



## BrotherBart (May 30, 2013)

Virus writers are giving porn sites a bad name.


----------



## Hearth Mistress (May 30, 2013)

I just found my jump drive and downloaded Hitman on to it.  It is too late to screw around with it now but will give it a whirl in between my conference calls Friday, I work from home so no one but the bird and the dogs will hear me curse at it.  Worse case, I can reformat as there isn't much stored on it but that will be my last resort. I appreciate all the help, you guys are great!!

Gun porn killed my PC, I'm convinced and knowing my hubby, as an avid collector, has an unhealthy obsession with all military firearms, especially eastern european models new and old, that is for sure the culprit!  If he wasn't sleeping, I'd be yelling at him


----------



## begreen (May 30, 2013)

Get hubby his own computer. An older Mac will suffice.


----------



## StihlHead (May 31, 2013)

Or get him a PC and put Linux on it. Few viruses or malware are written for Linux or UNIX systems.

As for eastern Europe and viruses, when I was a computer design engineer in the high tech glory days, I worked with several guys that had escaped from the Eastern Bloc. One from Bulgaria had 2 PhDs, and he said he made less money than bricklayers under the communist system. He was forced by the DS (Bulgarian secret police) with other engineers to write computer virus programs to bring down the evil western empire. That is why eastern Europe is notorious for malware and computer viruses. The skills remain. The guy from Bulgaria (his name was Vess) became a dissident, and he was sent by the DS to Libya as punishment to work with Gaddafi's Soviet support group. He was there when Reagan bombed Gaddafi's tent from aircraft carriers. The Soviets had suddenly disappeared a few days before the bombing, and Gaddafi was furious with them as they obviously were tipped off that the bombing was going to happen ahead of time. So he took away their vodka. Well, Russians simply cannot function without vodka. So as it turns out Vess was from a local village that made brandy. He knew how to make a still, and how to sprout wheat and ferment it in a bathtub, and then cook it to distill it to the beverage that the Russians required to keep going. I asked him how much he made, and he replied, "How much do you want?" Basically he could make as much as they wanted... he was eventually able to trade vodka for a weekend pass to Greece. Once in Greece, he made his way to Austria. Austria had no extradition treaty with the Eastern Bloc. Once he made it there he was sponsored by a US company and eventually got a visa to work in the US. I went on a trip with him to Boston the same week he became a US citizen. He was so happy to be out of the mess of Eastern Europe and the computer virus factory that he was forced to work in.

Sorry, a bit off track there... anyway, Eastern Europe is one of the origins of computer virus and malware, and it remains so today.


----------



## Jags (May 31, 2013)

begreen said:


> If you have a root virus and it sounds like you do, you will have to try booting from a USB drive or CD with a basic OS and root bug removal software.


 
I believe this is the specific version that she is fighting:
*FBI Cybercrime Division virus.*

If you haven't seen this link, check it out.  If you can get to regedit, start by doing those steps.  It may allow for a reboot that doesn't crank up the virus stuff and allow you to work with the PC.
http://www.2-spyware.com/remove-fbi-virus.html


----------



## begreen (May 31, 2013)

By the description it sounds like they are detecting safe mode and restarting the computer if safe mode is detected. If so, the trojan has evolved, perhaps with a rootkit layer.

PS: Whatever remedy is tried, first disconnect the machine from the internet by unplugging the ethernet cable or shutting off wifi.


----------



## briansol (May 31, 2013)

Get BartPE and boot from that CD (burn it at a friend's house). It will get you in.


----------



## Hearth Mistress (Jun 2, 2013)

Ok. Well, it took a lot of time off and on running every scan under the sun, but I got it out! This was so embedded I couldn't load that Hitman software from the USB, kept getting a boot disk error. I was finally able to get to the diagnostics partition using the on-screen keyboard (I don't even remember how I got there) and scan the entire system. It took all day, really, from 8:30 this AM until about 10:30 tonight. I was then able to get into safe mode and restore to an earlier restore point. I then ran Hitman from my USB drive - it found 19 instances of that damn ransomware and deleted them all. I was so impressed, I spent the $25 to buy the license so it can do a daily scan now.
I also changed my hubby's user account to a "standard" login and created an admin for me. I then set up a virtual machine but now I need to figure out how to load the OS on it, it's after midnight and that can wait until tomorrow.

You guys are the best, I can't thank you enough for the ideas. I was about to just take it somewhere but love a techy challenge every now and then. After this mess, I've had enough of it for a long time 

THANK YOU ALL FOR YOUR HELP!!


----------



## StihlHead (Jun 2, 2013)

You are welcome.

Food gratuity accepted.


----------



## Seasoned Oak (Jun 2, 2013)

See, isn't it more gratifying to do it yourself? Although it took forever, you know a bit more about your machine now for future endeavors. I think it took about an hour or so on my Win7 64-bit HP machine. Not quite sure but I think I had to boot to a command prompt and go from there. I should have printed those instructions and saved them for future use. Makes you almost want to buy a MAC next time you're computer shopping


----------



## heat seeker (Jun 2, 2013)

Seasoned Oak said:


> Makes you almost want to buy a MAC next time your computer shopping


 
I did, and haven't looked back. Not one problem (so far…) in 3 years. There are attacks on Macs now, since there are enough of them to make it worth the idiots' time, sadly.


----------



## Dave A. (Jun 2, 2013)

Glad to hear you got it fixed.

As far as loading an operating system into a VM, it's usually pretty straightforward if you have the system in an image file on your hdd, or a CD. You said you don't have Win7 on CD at present, but you might be able to download something from your mfr website. If not, perhaps you have a copy of XP or you could use a free copy of Linux.

With just Linux you won't be able to use the VM to test Windows software, but you can use it to do safer browsing, with a browser for Linux like Opera, Firefox or others.

Make the resources and disk space assigned to the vm low since you're generally going to be using it only for browsing in sites that you aren't sure of or familiar with. Though if you're not trusting your husband to be careful you could set it up so he does all his browsing there in the vm and give the vm more memory, disk space, etc. (The parameters will be there when you set up the VM and they can be modified later on if your needs change. I'd start smaller and increase as needed).

I use one of my VMs with XP -- and software that won't run in Win7. I use VMware, which was free and allows what's called a "unity" mode where the XP apps in the VM blend in with my regular Win7 desktop and appear on the Win7 taskbar.

Having the separate admin account and your husband's more limited acct now is going to make things a lot safer for you, and you may find that a VM at this point is overkill. But the VM is something nice to have if and when you want to use it for any number of reasons, mostly however for this type of situation as a "sandbox" which you have a lot more control of than you do in some of the AV programs that offer sandbox capability.

Am curious which VM software you have.

The idea here is the vm is disposable, so if it gets infected (and even if it does, your regular system won't be affected) and you don't want to bother cleaning it up, you can just wipe out the vm and reload it. In some cases the VM software will let you back up to a previous state before the infection.

PS Was going to offer some other suggestions for others to try who run into this Malware:

1. The MS Defender option given by RG sounded good too -- it's free and also loadable on a boot disk if you can't get into a command prompt from the HDD.
2. Working around the virus and trying to see if you had control over programs with tools like:
   a. Right mouse click to try showing the desktop (doing this over the taskbar area)
   b. Task switcher commands like Alt+Tab, Windows key + R (to bring up msconfig, e.g.) or just the Windows key to bring up the Start menu.


----------



## Hearth Mistress (Jun 2, 2013)

I installed Microsoft VM from their website. I have XP on CD, I wasn't sure if I could run two different OS. Test software, hah, we won't be doing any of that 

I also went out and bought a 1 TB portable hard drive today so I can use that as a backup too. Just out of curiosity, when I was at Staples I asked their tech guy how much it would have been to have it removed: "$150 and up". He couldn't define "and up" and told me they had 9 PCs in there now locked up with the same ransomware bug.

I didn't mess around with it today but it seems to be back up and running even better than before. I figured I'd add the VM just to have it so my hubby can watch all of the foreign "gun porn" he wants without it taking me a precious weekend day to recover the computer the next time this happens!


----------



## Dave A. (Jun 2, 2013)

Hearth Mistress said:


> Test software, hah, we won't be doing any of that


 
What I meant was test new downloaded software for virus infection. You never said how you got this malware, and since you weren't using it you likely don't know. Myself, the only times I've got infected with things is when I was installing, supposedly cracked or hacked software, and my AntiVirus didn't pick it up for one reason or another which many times they don't. So the idea of having the VM for software testing is that you'd install the software on the VM first to see if there was obvious malware there after a reboot -- and you can do the reboot of the VM without shutting down and restarting your real computer.

But other ways to get malware are from questionable websites or even opening links in certain emails. So to protect yourself there, you'd browse the questionable sites from the browser in your VM. And paste the email links into the VM browser, or just set up your email in the VM if you want to be able to just click on the links in the emails (but doing the latter may have other consequences)

Clicking on certain ads has been described as a source for malware and there also have been problems with malicious scripts on sites. I use Firefox with the Adblock and NoScript add ons. But that requires more thought and effort than the average person might be willing to do. E.g. with noscript if a page doesn't display right, I'll have to realize that noscript is blocking something necessary and I have to turn on scripts for the site at least temporarily and then permanently when I trust the site.



Hearth Mistress said:


> I didn't mess around with it today but it seems to be back up and running even better than before.


 
Following the steps, it looked like Hitman was geared towards removing certain tracking cookies, adware, and the like. The way you describe your husband's browsing, there's probably a lot of that which can slow down the computer. Might be a good idea to regularly (monthly?) clean up his computer. (Though my version of free Malwarebytes has generally done a pretty good job of finding that sort of thing, as I recall anyway).


----------



## Seasoned Oak (Jun 3, 2013)

You will fix it a lot quicker if it happens again. Mine locked up while I was on hearth.com, although it was probably infected previously and something caused it to activate then.


----------



## briansol (Jun 3, 2013)

Macs are not at all safe.  If you think they are, you're probably infected.
I fix my gf's PowerBook once a month with her n00b browsing skills. HEY LOOK! I WON AND HAVE A NIGERIAN UNCLE

FML


----------



## Hearth Mistress (Jun 12, 2013)

Well, this darn thing is back again today, but thanks to the great advice here from last time around, in 10 minutes it was fixed. I just switched user to the admin one I set up, ran the virus program, found it, deleted it, reboot, done!
My hubby hasn't been on it for a few days though, working a lot of OT, so I'm not sure what tripped it this time. We never turn off the computer, just the monitor, and the PC goes to sleep after 15 mins of inactivity. Does that leave the IP address vulnerable? The computer is hard wired to a router so I can split it out to the wireless for my laptop and iPad. I just don't know how to keep this from happening, as all of the antivirus stuff is up to date, it updates and scans at 3am every day, but this ransomware keeps sneaking in! Ideas?


----------



## Sprinter (Jun 12, 2013)

Just a thought here.  Have you disabled Java in your browsers?  Java (not Javascript) is practically an open portal for malware.  It's generally recommended to disable it in the browsers or uninstall it from your OS.


----------



## Hearth Mistress (Jun 12, 2013)

Sprinter said:


> Just a thought here.  Have you disabled Java in your browsers?  Java (not Javascript) is practically an open portal for malware.  It's generally recommended to disable it in the browsers or uninstall it from your OS.


No, not that I did intentionally anyway. I know there is that coffee cup logo in the programs list. I'll google it to see how to do it! Thanks for the idea


----------



## Sprinter (Jun 12, 2013)

Another program especially adept at rootkits is McAfee Stinger http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

Some self-booting rescue disks you can download and burn as .iso images are:

Kaspersky rescue Disk https://support.kaspersky.com/viruses/rescuedisk

Windows Defender Offline http://windows.microsoft.com/is-is/windows/what-is-windows-defender-offline

F-Secure Rescue Disc http://www.f-secure.com/de/web/labs_global/removal-tools/-/carousel/view/142

AVG Rescue Disk http://www.avg.com/us-en/avg-rescue-cd

Sometimes these things are persistent and multiple fronts are needed. The self-booting rescue disk programs are the best to use for stubborn problems. They run completely independent of Windows and are dedicated to this kind of problem. You do need to download the program and burn it to a DVD or CD as a .iso, and then it will boot itself when you reboot your computer.


----------



## Wildo (Jun 12, 2013)

Sprinter said:


> Another program especially adept at rootkits is MacAfee Stinger http://www.mcafee.com/us/downloads/free-tools/stinger.aspx
> 
> Some self booting rescue disk you can download and burn as .iso disks are:
> 
> ...


 
Bitdefender rocks as well


----------



## begreen (Jun 12, 2013)

Did you write down the name of the bug that the virus program found and quarantined? Many of these programs will seed the OS in multiple locations and user accounts to escape eradication. You need to look up the bug and find *all* the files it creates. Then delete every single copy of their seed. If that doesn't work it is possible that a copy is on the root of the drive, which will require much more aggressive tactics or you will be playing whack-a-mole for weeks.
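Jags' point about a second user account and begreen's point about malware seeding itself in several locations and accounts both come down to the same check: the autostart entries of every user hive, not just the one you happen to be logged into. The script below is an added example, not code posted by anyone in this thread. It is read-only (it lists, it does not delete) and lists the well-known Windows autostart locations for the machine and every loaded user hive: the Run/RunOnce keys, the Winlogon Shell and Userinit values, and the Startup folders. Entries that launch from user-writable directories are flagged, since legitimate autostart programs rarely live there. The cmdlets are limited to those in the PowerShell 2.0 that Windows 7 shipped with; run it from an elevated prompt.

```powershell
# Added example: enumerate Windows autostart locations across all user hives.
# Read-only triage; run from an elevated PowerShell prompt on the affected PC.

# Registry autostart keys, relative to a hive root (HKLM or a user hive).
$runKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunEntries {
    param([string]$HiveRoot, [string]$Owner)
    foreach ($sub in $runKeys) {
        $path = "Registry::$HiveRoot\$sub"
        if (-not (Test-Path $path)) { continue }
        $item = Get-Item $path
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{
                Owner   = $Owner
                Key     = "$HiveRoot\$sub"
                Name    = $name
                Command = $item.GetValue($name)
            }
        }
    }
}

# Machine-wide entries, then every loaded user hive (SIDs under HKEY_USERS).
$entries = @(Get-RunEntries -HiveRoot 'HKEY_LOCAL_MACHINE' -Owner 'machine')
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes') { continue }   # skip the SID_Classes twins
    $entries += Get-RunEntries -HiveRoot "HKEY_USERS\$sid" -Owner $sid
}

# Winlogon Shell and Userinit are also autostart points; on a clean Windows 7
# install Shell is "explorer.exe" and Userinit is "C:\Windows\system32\userinit.exe,".
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$entries += New-Object PSObject -Property @{ Owner='machine'; Key='Winlogon'; Name='Shell';    Command=$wl.Shell }
$entries += New-Object PSObject -Property @{ Owner='machine'; Key='Winlogon'; Name='Userinit'; Command=$wl.Userinit }

# Startup folders: the all-users folder and each profile under C:\Users.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
$startupDirs += Get-ChildItem "$env:SystemDrive\Users" | Where-Object { $_.PSIsContainer } |
    ForEach-Object { "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" }
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem $dir | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $entries += New-Object PSObject -Property @{ Owner='folder'; Key=$dir; Name=$_.Name; Command=$_.FullName }
    }
}

# Flag commands that run from user-writable locations, where dropped malware
# usually lives; compare each flagged entry against the write-up for the bug.
$suspectPattern = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'
$entries | ForEach-Object {
    $_ | Add-Member -MemberType NoteProperty -Name Suspect -Value ([bool]($_.Command -match $suspectPattern)) -PassThru
} | Sort-Object Suspect -Descending | Format-Table Suspect, Owner, Name, Command -AutoSize
```

Only hives of users who are currently logged on (plus the system accounts) appear under HKEY_USERS, so log on as each account once, or run the listing from the admin account while the other account is also signed in, before deciding that an account is clean. The Startup-folder walk covers every profile on disk regardless.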


----------



## Sprinter (Jun 12, 2013)

Just thought of another vulnerability. "Windows Gadgets" (AKA Sidebars) are a known problem. If you are using this, Microsoft has developed an easy way to disable it and they recommend doing so. http://support.microsoft.com/kb/2719662

If you like gadgets, Google has some that are (hopefully) safe.


----------



## briansol (Jun 14, 2013)

The biggest thing now that you are functional is to BACK UP YOUR DATA OFF SITE so that the next time, you can simply 'throw out' your hard drive with a reformat and reinstall of Windows, and be able to have all your pics/docs/etc.
Use a service like Google Drive, Amazon S3, or pay for a service like mozy.com. Or, at least use USB thumb sticks, but don't rely on these as they break all the time.
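For the 1 TB portable drive mentioned earlier in the thread, the following is an added example of a local backup script, not code from any poster. It copies the profile folders into a new dated folder on every run with robocopy's /E (copy the tree) rather than /MIR (mirror), so that a run made after an infection cannot overwrite the previous good copy with damaged files, and it keeps the last five runs. The drive letter E:, the profile name Hubby and the retention count are assumptions for the example.

```powershell
# Added example: versioned backup of a user profile to an external drive.
# Assumptions: external drive is E:, profile to back up is C:\Users\Hubby.
$source   = 'C:\Users\Hubby'
$destRoot = 'E:\Backups'
$folders  = @('Documents', 'Pictures', 'Desktop')
$keepRuns = 5

# One new folder per run, named by date and time, so old copies survive.
$stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
$dest  = Join-Path $destRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

foreach ($f in $folders) {
    $from = Join-Path $source $f
    if (-not (Test-Path $from)) { continue }
    # /E copies subfolders including empty ones; /XJ skips junction points so
    # the profile's reparse links do not cause loops; /R:1 /W:1 stop a locked
    # file from stalling the run; /NP /NFL /NDL keep the log readable.
    robocopy $from (Join-Path $dest $f) /E /XJ /R:1 /W:1 /NP /NFL /NDL `
        /LOG+:"$dest\robocopy.log" | Out-Null
    # robocopy exit codes 0-7 are success (informational bits); 8 and up are errors.
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "robocopy reported errors for $f (exit code $LASTEXITCODE)"
    }
}

# Prune: keep the newest $keepRuns dated folders, delete the rest.
Get-ChildItem $destRoot | Where-Object { $_.PSIsContainer } |
    Sort-Object Name -Descending | Select-Object -Skip $keepRuns |
    Remove-Item -Recurse -Force

Write-Host "Backup written to $dest"
```

Unplug the drive once the run finishes: a backup that stays connected is just another disk the next infection can reach, and the dated-folder scheme only helps if the older folders are out of its reach. The off-site copy briansol recommends is the second layer; this script covers the quick local restore.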


----------

