Titoist Posted January 23, 2013 Author Share Posted January 23, 2013 In the screenshot I didn't see where the SSN/SIC number was mentioned or blocked out, just a IP and City. And curious minds want to know what the RCMP used to "check" the computer. Malwarebytes (pro or free version)? More info was at the bottom, including how much needed to be paid, etc. I did not include it. Link to comment Share on other sites More sharing options...
Obi-Wan Kenobi Posted January 23, 2013 Share Posted January 23, 2013 In the screenshot I didn't see where the SSN/SIC number was mentioned or blocked out, just a IP and City. And curious minds want to know what the RCMP used to "check" the computer. Malwarebytes (pro or free version)? I'd like to know the name of this supposed "dos" program, considering Windows hasn't used "dos" since....forever ago. why do you highly doubt it? I saw someone at work get the FBI scam one from a google image search, after clicking on the image it went right to that via an exploit (we think it was a java exploit) I got hit with something similar on Houzz.com, and that is not a malware site, it's a pretty large house design site... sounds like "drive by downloads", usually happens because a machine is not fully patched. ;) Link to comment Share on other sites More sharing options...
Titoist Posted January 23, 2013 Author Share Posted January 23, 2013 I'd like to know the name of this supposed "dos" program, considering Windows hasn't used "dos" since....forever ago. sounds like "drive by downloads", usually happens because a machine is not fully patched. ;) Command prompt. goretsky 1 Share Link to comment Share on other sites More sharing options...
fusi0n Posted January 23, 2013 Share Posted January 23, 2013 At least he did not fall for it goretsky 1 Share Link to comment Share on other sites More sharing options...
Obi-Wan Kenobi Posted January 23, 2013 Share Posted January 23, 2013 TA-DA! http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/ goretsky 1 Share Link to comment Share on other sites More sharing options...
neufuse Veteran Posted January 23, 2013 Veteran Share Posted January 23, 2013 Exactly. Every time I've seen this infection, it's never had anything to do with porn. </s> :rolleyes: you can get this crap from infected sites that aren't porn, Houzz.com definatly isn't a porn site, and I got hit by it there..... our local newspaper got hit thanks to one of their stupid ad providers..... anyone who went to the paper site got something similar.... Link to comment Share on other sites More sharing options...
Obi-Wan Kenobi Posted January 23, 2013 Share Posted January 23, 2013 Command prompt. LOLOLOLOL!!!!!! Too funny! :rofl: you can get this crap from infected sites that aren't porn, Houzz.com definatly isn't a porn site, and I got hit by it there..... our local newspaper got hit thanks to one of their stupid ad providers..... anyone who went to the paper site got something similar.... Yeah, a drive by download....which happens to unpatched machines. Not my first time dealing with them. PatchMyPC(dot)net. Sure does help! ;) Link to comment Share on other sites More sharing options...
CrashG Posted January 23, 2013 Share Posted January 23, 2013 I just had this happen to a co-worker on a company laptop (it's a POS, but anyways) and ended up just doing a format/clean install (was quicker/easier) all (needed) docs and such were on the server (and if they weren't, lesson learned). And that lesson was: 1) Use a better AV, 2) Disable Java 3) Backup anything not on the server goretsky 1 Share Link to comment Share on other sites More sharing options...
JaredFrost Posted January 23, 2013 Share Posted January 23, 2013 My brother guy the exact same one, he was so panicked it was hilarious, I made fun of him good for it, I suspect he got it from using one of those websites that let you watch TV shows for free, and using a java exploit, so I removed the trojan and Java. goretsky 1 Share Link to comment Share on other sites More sharing options...
Dot Matrix Posted January 23, 2013 Share Posted January 23, 2013 OP: Take the time to make sure his PC is up to date, browsers updates, everything. As for his browsers, if he's using Firefox: Make sure to install AdBlock Plus, and NoScript. if he's using Chrome: install Adblock, and Disconnect. if he's using IE9/10: Install the FanBoy and EasyList adblocking TPLs. Also make sure that SmartScreen filter is running. Should help him in the future. They'll prevent arbitrary code from running. Also make sure any and all unneeded addons are eliminated. Also, if possible, remove him from the default administrator account. If he's going to keep calling you for help, just set yourself up as the administrator. Lol. It's what I did for my parents, and as annoying as it was for them, it worked. They couldn't run anything without my permission. goretsky 1 Share Link to comment Share on other sites More sharing options...
neufuse Veteran Posted January 23, 2013 Veteran Share Posted January 23, 2013 LOLOLOLOL!!!!!! Too funny! :rofl: Yeah, a drive by download....which happens to unpatched machines. Not my first time dealing with them. PatchMyPC(dot)net. Sure does help! ;) unpatched machine? you mean a patch for something like Java which DIDN'T have a patch out, and is something that is actually required in a lot of business environments at the browser level?..... please tell me how it could of been more pached then the latest patches out there by Oracle and Microsoft.... goretsky 1 Share Link to comment Share on other sites More sharing options...
Titoist Posted January 23, 2013 Author Share Posted January 23, 2013 I just finished removing the virus using Malwarebytes. 117 Infections in total. Oy. Machine was Windows 7 fully patched. I ran the updates 2 days ago. I will be installing Win8 this weekend. Oh, and he was using a Guest Account named Family. Not an administrator account. goretsky 1 Share Link to comment Share on other sites More sharing options...
jkrupa128 Posted January 23, 2013 Share Posted January 23, 2013 I love how everybody defends shady internet usage..."I visited GOOGLE.COM and my machine got infected, yea it could happen!" Link to comment Share on other sites More sharing options...
Dot Matrix Posted January 23, 2013 Share Posted January 23, 2013 I just finished removing the virus using Malwarebytes. 117 Infections in total. Oy. Machine was Windows 7 fully patched. I ran the updates 2 days ago. I will be installing Win8 this weekend. Oh, and he was using a Guest Account named Family. Not an administrator account. How the heck is arbitrary code running on a guest account? goretsky 1 Share Link to comment Share on other sites More sharing options...
Titoist Posted January 23, 2013 Author Share Posted January 23, 2013 How the heck is arbitrary code running on a guest account? Beats me, I was surprised. Edit: http://social.msdn.microsoft.com/Forums/en-US/windowssecurity/thread/800a69df-8312-4105-b70e-235500ab5421 Looks like viruses can still install on a guest account and run, but are not system wide and thus will not affect other users. This is how I was able to remove it. I ran Malwarebytes on the admin account. goretsky 1 Share Link to comment Share on other sites More sharing options...
The Evil Overlord Posted January 23, 2013 Share Posted January 23, 2013 Well, regardless, OP Thank you for letting us know, (least in my case I saw this as a service done by Titoist) +hedleigh and goretsky 2 Share Link to comment Share on other sites More sharing options...
CrashG Posted January 23, 2013 Share Posted January 23, 2013 I see the next question as: Was UAC on? goretsky 1 Share Link to comment Share on other sites More sharing options...
+Warwagon MVC Posted January 23, 2013 MVC Share Posted January 23, 2013 The funny thing about java is, it's never fully patched. Even the newest version of java is a threat. goretsky 1 Share Link to comment Share on other sites More sharing options...
Jeston Veteran Posted January 23, 2013 Veteran Share Posted January 23, 2013 Someone I work with got the FBI one, and, wait for it, she PAID IT!!!! She came to work talking about how the FBI made her pay $300 for "something" or they wouldn't unlock her computer. We could not believe how stupid that was. Obviously she or her spouse is a little guilty of something... Link to comment Share on other sites More sharing options...
CrashG Posted January 23, 2013 Share Posted January 23, 2013 Someone I work with got the FBI one, and, wait for it, she PAID IT!!!! She came to work talking about how the FBI made her pay $300 for "something" or they wouldn't unlock her computer. We could not believe how stupid that was. Obviously she or her spouse is a little guilty of something... of being a idiot. They must've had more dollars than sense.... now they have a little less... of both. AND that's EXACTY the people they prey on. The uninformed/non-neowinian type (we all know better...right?) goretsky 1 Share Link to comment Share on other sites More sharing options...
Rippleman Posted January 23, 2013 Share Posted January 23, 2013 i just removed this one from a friends laptop the other day. From what i could tell, it came from putlocker and/or skype, but could have other delivery methods. the girl that i removed it for actually thought it was real at first. goretsky 1 Share Link to comment Share on other sites More sharing options...
Nashy Posted January 23, 2013 Share Posted January 23, 2013 I don't see any identifying details even removed by yourself from the screen shot. How do you know details were stolen. Sounds like a case of a parent who doesn't know enough about the Internet, trying to do something and not realising it's unsafe and giving away details. goretsky 1 Share Link to comment Share on other sites More sharing options...
CrashG Posted January 23, 2013 Share Posted January 23, 2013 @Nashy I already asked that, and was given an answer. +hedleigh 1 Share Link to comment Share on other sites More sharing options...
goretsky Supervisor Posted January 23, 2013 Supervisor Share Posted January 23, 2013 Hello, A fairly common scam/piece of malware, I've seen it called Win32/Reveton or simply "Moneypak." It displays fake "announcements" from various law enforcement agencies around the world. Here are a couple of articles about it: FBI Ransomware: Reveton seeks MoneyPak payment in the name of the law Ransomware Part II: not just an Irish problem I have heard of FBI (US), Garda (Ireland) and Metropolitan Police (UK) versions of this, but this is the first time I can recall hearing about an RCMP-specific version. It is very likely your anti-malware/security vendor's technical support department is quite familiar with removing this, and can give additional instructions on securing the machine. For example, one might want to check the hosts file on the computer and/or the DNS servers being used, in case they were involved in what looks like a redirection of Google's web site. Regards, Aryeh Goretsky Link to comment Share on other sites More sharing options...
Haggis Veteran Posted January 23, 2013 Veteran Share Posted January 23, 2013 My Sister in laws friend has this aswell so it must be doing the rounds there are lots of different versions of it for different Countrys https://www.botnets....dex.php/Reveton and also removal instructions http://www.f-secure.com/v-descs/trojan_w32_reveton.shtml goretsky 1 Share Link to comment Share on other sites More sharing options...
Recommended Posts