Posted 02 November 2012 - 12:39 PM
I am not sure this is where I should post this, but I ran across something interesting. I wanted to know if anyone else had seen this. I had a customer's PC come in with an FBI "send $200" screen popping up on startup. This one was different from the ones I have seen before: no video, red screen asking for payment through MoneyPak. I tried the normal: boot to safe mode, scan with TDSSKiller, Emsisoft Emergency Kit, Malwarebytes and SuperAntiSpyware. They all found and removed things, but not this FBI virus. As soon as I booted to normal mode the pop-up was back, Task Manager wouldn't open and rkill wouldn't kill it.
Finally I used msconfig in safe mode to disable all services and startup items, and the FBI screen didn't open. I tracked it down to the following run command: c:\documents and settings\user\local settings\application data\microsoft\windows\[random #]\taskschd.exe. The properties for taskschd.exe say it was originally AutoIt3Help.exe by autoitscript.com. I rescanned with the same tools in normal mode, plus AVG and MS Security Essentials, and nothing detected it. So I deleted the files and the run command in the registry.
I did copy the files to a virtual PC to verify it was the problem, and it infected it, although it changed the filename to winscart.exe.
Has anyone else seen this?
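
The two clues in the post (a startup entry that launches from inside the user profile, and a file whose version properties show a different original name) can be checked across all Run entries at once. This is an added example, not part of the original post; it assumes the "run command" was a value under the standard Run keys, and `Get-RunTarget` is a hypothetical helper name.

```powershell
# Added example: list Run-key autostarts that launch from the user profile or
# whose on-disk name differs from the OriginalFilename in their version info.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # assumed location of the entry
)

function Get-RunTarget([string]$Command) {
    # Hypothetical helper: pull the executable path out of a Run value.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"')            { return $Matches[1] }  # quoted path
    if ($c -match '^(.+?\.exe)(\s|$)')     { return $Matches[1] }  # unquoted, may contain spaces
    return ($c -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item $key
    foreach ($name in $regKey.GetValueNames()) {
        $path = Get-RunTarget ([string]$regKey.GetValue($name))
        $why  = @()

        # Clue 1: autostart binary lives somewhere the user can write to.
        if ($path.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)) {
            $why += 'runs from user profile'
        }

        # Clue 2: file was renamed after it was built (e.g. taskschd.exe vs AutoIt3Help.exe).
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $orig = (Get-Item -LiteralPath $path -Force).VersionInfo.OriginalFilename
            if ($orig -and ($orig -ne (Split-Path $path -Leaf))) {
                $why += "OriginalFilename is '$orig'"
            }
        } else {
            $why += 'target file not found'
        }

        if ($why) {
            [pscustomobject]@{ Key = $key; Value = $name; Path = $path; Why = $why -join '; ' }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Legitimate software also trips both checks on occasion, so treat the output as a list of entries to inspect by hand; an entry that matches both is the strongest lead.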