
Re: FBI MoneyPak Scam - Removing Virus

Thanks balcava, excellent instructions and what a great website to share. Highly appreciated.

Literally took me 3 minutes to fix with your help.

http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/

I think McAfee does cover FBI viruses, they're usually on top of fixing this stuff faster than most.

Reliable Contributor exbrit
Message 22 of 73

Re: FBI MoneyPak Scam - Removing Virus

That's an unknown I'm afraid as they morph constantly. It obviously didn't this time but could the next unless a new variant suddenly appears. None of the major antivirus applications are 100% effective against these fake anti-malware pests unfortunately, hence the need for specialist tools.

Reliable Contributor Hayton
Message 23 of 73

Re: FBI MoneyPak Scam - Removing Virus

The FBI are suddenly very interested in this variant of the ransomware/scareware scam that's been plaguing European users for at least a couple of years. This is probably because large numbers of people hit by this scam have contacted the FBI to complain about it.

Brian Krebs has belatedly turned his attention to this ongoing operation, and has written an informative piece about the organisation of this criminal operation. There's a useful little diagram cribbed from 'botnets.fr' which identifies most of the elements of the operation as being based in Russia and Ukraine (oh, what a surprise), but shows that parts of it rely on a US and UK presence. The US-based botnets that run the Blackhole Exploit kit (by which most users become infected) gives the FBI a legal basis for pursuing a robust international investigation. The results of that investigation will probably lead to arrests in a year or two.

[Image: Reveton operation.JPG]

This scam persuades only a small percentage of those infected and seeing the threatening message to pay up, but that small percentage still generates an income of about $40,000 to $50,000 a day. No wonder the new variants keep being rolled out.

Edit :

Most BlackHole exploits succeed because they find a PC has an outdated version of Java installed, as can be seen from this section of a screenshot of a BlackHole exploit control panel, obtained by Kafeine, of botnets.fr :

[Image: Reveton console (part).PNG]

The full screenshot can be seen at http://krebsonsecurity.com/wp-content/uploads/2012/08/revetonBHEKit.png

The advice about Java is worth repeating : if you need it, keep it updated. Updates to Java fix known security weaknesses, and are frequent. If you don't need it, uninstall it (I removed it, and haven't needed it since I did so).

Two very important things to realise about this seemingly-straightforward ransom demand :

... the latest Reveton versions will steal all passwords stored on the victim’s PC. What’s more, the FBI’s report indicates Reveton is being bundled with Citadel, which is an extremely powerful and advanced family of malware that can be quite difficult to remove.

(From Brian Krebs' article)

Citadel is the successor to Zeus, and is designed to steal online banking credentials. So an infected system is hit with three related attacks - the initial (and profitable) ransom demand, theft of passwords, and installation of malware to compromise online banking.

The Citadel malware is a close cousin of the Zeus crimeware kit and typically is used as a banker Trojan, stealing users' online banking credentials and allowing attackers to drain victims' bank accounts.

(From http://threatpost.com/en_us/blogs/citadel-malware-used-infiltrate-airport-vpn-081412)

For more information about the Police Trojan scam and its latest US incarnation :

http://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/

http://www.fbi.gov/news/stories/2012/august/new-internet-scam

http://blogs.avg.com/news-threats/blackhole-ransomware-graphic-mimics-fbi/

http://blogs.avg.com/news-threats/fake-fbi-ransomware-analysis/

https://threatpost.com/en_us/blogs/reveton-ransomware-uses-fake-fbi-message-extort-money-080912

http://threatpost.com/en_us/blogs/citadel-malware-used-infiltrate-airport-vpn-081412

https://www.botnets.fr/index.php/Reveton

Message was edited by: Hayton on 20/08/12 03:44:31 IST
Reliable Contributor exbrit
Message 24 of 73

Re: FBI MoneyPak Scam - Removing Virus

Interesting Hayton, thanks. Of course we can expect quick action out of Russian and Ukrainian authorities...... not. They're probably in on it.

Re: FBI MoneyPak Scam - Removing Virus

I've done all these steps. None have worked. By "none have worked" I mean none of the files, folders or registry items are anywhere to be found, but I still get the webpage FBI warning.

Reliable Contributor exbrit
Message 26 of 73

Re: FBI MoneyPak Scam - Removing Virus

Look in the last part of the lower link in my signature below for Hijackthis or DDS and post the log as instructed there on one of the specialist forums. They'll take a look and give advice accordingly.

Re: FBI MoneyPak Scam - Removing Virus

I've tried all your steps (including disconnecting my internet), but when I start my computer in safe mode I get a white screen that says "Page is loading, please wait. This may take up to 30 seconds."

Any ideas on how to get past that?

Reliable Contributor Peacekeeper
Message 28 of 73

Re: FBI MoneyPak Scam - Removing Virus

Sorry, not that great with such issues. Maybe get a copy of an AV bootable CD and run that. Kaspersky has one I think, as does McAfee with CleanBoot. They might also help you.

Re: FBI MoneyPak Scam - Removing Virus

I have this same virus as well. The problem I am having is that once I login the FBI notice pops up and will not allow me to get to my homescreen or start up Task Manager. Any ideas how to bypass this screen so I can at least try to remove it?

Reliable Contributor Peacekeeper
Message 30 of 73

Re: FBI MoneyPak Scam - Removing Virus

Restore to a restore point before the issue, or if you cannot boot into Windows, get an AV bootable CD-ROM.

There is a new version of the ransomware; read this:

https://community.mcafee.com/message/257791#257791

Message was edited by: Peacekeeper on 27/09/12 6:32:39 PM