Different FBI virus


2 replies to this topic

#1 Big Red Jeff


  • Members
  • 2 posts

Posted 02 November 2012 - 12:39 PM

I am not sure this is where I should post this, but I ran across something interesting. I wanted to know if anyone else had seen this. I had a customer's PC come in with an FBI "send $200" screen popping up on startup. This one was different from the ones I have seen before: no video, red screen asking for payment through MoneyPak. I tried the normal: boot to safe mode, scan with TDSSKiller, Emsisoft Emergency Kit, Malwarebytes and SuperAntiSpyware. They all found and removed things, but not this FBI virus. As soon as I booted to normal mode the pop-up was back, Task Manager wouldn't open and RKill wouldn't kill it.

Finally I used msconfig in safe mode to disable all services and startup, and the FBI screen didn't open. I tracked it down to the following run command: c:\documents and settings\user\local settings\application data\microsoft\windows\[random #]\taskschd.exe. The properties for taskschd.exe say it was originally AutoIt3Help.exe by autoitscript.com. I rescanned with the same tools in normal mode plus AVG and MS Security Essentials and nothing detected it. So I deleted the files and the run command in the registry.

I did copy the files to a virtual pc to verify it was the problem and it infected it although it changed the filename to winscart.exe.

Has anyone else seen this?



#2 narenxp


  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 02 November 2012 - 12:47 PM

This file was the cause of the pop-up:

c:\documents and settings\user\local settings\application data\microsoft\windows\[random #]\taskschd.exe

The filename and path location differs on most of the systems.

#3 Big Red Jeff

  • Topic Starter

  • Members
  • 2 posts

Posted 02 November 2012 - 01:22 PM

The random # folder changes, plus the filename. There is also a second file in the folder with a random number name.
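
A triage sketch for the two traits reported in this thread (a Run entry pointing into a per-user application-data folder, and a file whose version-info name differs from its name on disk), added here as an example and not posted by any participant. The registry keys checked and the path pattern are assumptions; the thread does not say which Run key held the entry.

```powershell
# Added example: list Run-key autostarts and flag the two traits described in the thread:
#   1) the target executable lives under a user-profile application-data folder
#   2) the file's embedded OriginalFilename differs from its name on disk
# Assumption: the standard per-user and per-machine Run keys are the ones to check.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Matches the XP-style "Local Settings\Application Data" layout and the later "AppData" layout
$userDataPattern = '\\(Local Settings\\Application Data|AppData)\\'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        # Pull the executable path out of the command: quoted path, or text up to ".exe"
        if ($command -match '^\s*"([^"]+)"') { $path = $Matches[1] }
        elseif ($command -match '^\s*(.+?\.exe)\b') { $path = $Matches[1] }
        else { continue }
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

        $file = Get-Item -LiteralPath $path -Force
        $original = $file.VersionInfo.OriginalFilename
        $reasons = @()
        if ($path -match $userDataPattern) {
            $reasons += 'runs from a user application-data folder'
        }
        # -ne on strings is case-insensitive, so only a real name change is flagged
        if ($original -and ($original -ne $file.Name)) {
            $reasons += "OriginalFilename '$original' differs from '$($file.Name)'"
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                RunKey  = $key
                Value   = $name
                Path    = $path
                Reasons = $reasons -join '; '
            }
        }
    }
}
```

Legitimate software can trip either check, so treat the output as a list of entries to inspect by hand, not as detections.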



