Author Topic: Green Dot FBI virus  (Read 3777 times)

vaskidmark

Green Dot FBI virus
« on: September 11, 2012, 03:29:30 AM »
Ransomware.

Vicious.

Pernicious.

My computer geek friend has been trying to get rid of it on the other box o' wires since Friday morning. 

So far:  computer geek friend - 0
            Green Dot FBI virus - refuses to die

On Saturday afternoon I asked him to nuke the HD after recovering as many of my files as could be verified as not infected.  He said "No" because he expects that he will be seeing more of this and wants to know how to kill it.  So far the usual and mid-range esoteric virus killers have been no help.  The thing apparently mutates (or is mutated) fairly frequently.

AVG, Symantec, Norton, Windows Security all are unaware of the little bugger.  There are probably a lot of other anti-virus programs that also do not protect against it.

When you go venturing into the intartubes, remember that some of the dragons are quite nasty and your shield is made of tissue paper.

stay safe.
If cowardly and dishonorable men sometimes shoot unarmed men with army pistols or guns, the evil must be prevented by the penitentiary and gallows, and not by a general deprivation of a constitutional privilege.

Hey you kids!! Get off my lawn!!!

They keep making this eternal vigilance thing harder and harder.  Protecting the 2nd amendment is like playing PACMAN - there's no pause button so you can go to the bathroom.

MikeB

Re: Green Dot FBI virus
« Reply #1 on: September 11, 2012, 06:19:57 AM »
Combofix and/or Rkill

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
http://www.bleepingcomputer.com/download/rkill/

I only recommend getting these from the bleepingcomputer.com site.

These two usually clean/kill anything, though I usually run MS Security Essentials and/or Malwarebytes afterwards. Run Rkill before Combofix if Combofix doesn't clean it on its own.

BryanP

Re: Green Dot FBI virus
« Reply #2 on: September 11, 2012, 06:22:26 AM »
Depending on what you use the box for, I'd nuke it anyway. I tend not to trust PCs that are infected until they've been wiped and reinstalled.
"Inaccurately attributed quotes are the bane of the internet" - Abraham Lincoln

geronimotwo

Re: Green Dot FBI virus
« Reply #3 on: September 11, 2012, 07:00:06 AM »
any idea what porn site it came from?
make the world idiot proof.....and you will have a world full of idiots. -g2

Chester32141

Re: Green Dot FBI virus
« Reply #4 on: September 11, 2012, 07:13:10 AM »
What are the symptoms?
"The best argument against democracy is a 5 minute conversation with the average voter...... "


zahc

Re: Green Dot FBI virus
« Reply #5 on: September 11, 2012, 07:37:38 AM »
Does this affect users of Linux systems?
Maybe a rare occurrence, but then you only have to get murdered once to ruin your whole day.
--Tallpine

Tuco

Re: Green Dot FBI virus
« Reply #6 on: September 11, 2012, 08:15:19 AM »
Cue comments from the Apple savants.
7-11 was a part time job.

AJ Dual

Re: Green Dot FBI virus
« Reply #7 on: September 11, 2012, 09:37:06 AM »
> Combofix and/or Rkill
>
> http://www.bleepingcomputer.com/combofix/how-to-use-combofix
> http://www.bleepingcomputer.com/download/rkill/
>
> I only recommend getting these from the bleepingcomputer.com site.
>
> These two usually clean/kill anything, though I usually run MS Security Essentials and/or Malwarebytes afterwards. Run Rkill before Combofix if Combofix doesn't clean it on its own.

This.

Haven't found anything it couldn't clean up yet. It ignores some lower level adware that kind of straddles the line but that's what Malwarebytes is for.

I promise not to duck.

lee n. field

Re: Green Dot FBI virus
« Reply #8 on: September 11, 2012, 09:45:40 AM »
> Ransomware.
>
> Vicious.
>
> Pernicious.
>
> My computer geek friend has been trying to get rid of it on the other box o' wires since Friday morning.
>
> So far:  computer geek friend - 0
>             Green Dot FBI virus - refuses to die
>
> On Saturday afternoon I asked him to nuke the HD after recovering as many of my files as could be verified as not infected.  He said "No" because he expects that he will be seeing more of this and wants to know how to kill it.  So far the usual and mid-range esoteric virus killers have been no help.  The thing apparently mutates (or is mutated) fairly frequently.
>
> AVG, Symantec, Norton, Windows Security all are unaware of the little bugger.  There are probably a lot of other anti-virus programs that also do not protect against it.
>
> When you go venturing into the intartubes, remember that some of the dragons are quite nasty and your shield is made of tissue paper.
>
> stay safe.

I can understand his wanting to know how to fight it.  If it were a pay situation, there comes a time when it's better to bail out, back up his stuff and repave the system.  That only becomes hard if there's funky customization, missing licenses or install media, etc.

This wouldn't be one where you get a full page screen claiming some federal infraction, "send two hunnerd dollar"?  (Dealt with that one a couple times.  AVG rescue CD, combofix and malwarebytes.)
In thy presence is fulness of joy.
At thy right hand pleasures for evermore.

grislyatoms

Re: Green Dot FBI virus
« Reply #9 on: September 11, 2012, 09:46:14 AM »
"A son of the sea, am I" Gordon Lightfoot

grislyatoms

Re: Green Dot FBI virus
« Reply #10 on: September 11, 2012, 09:57:48 AM »
> This.
>
> Haven't found anything it couldn't clean up yet. It ignores some lower level adware that kind of straddles the line but that's what Malwarebytes is for.


I have yet to run across anything that the "dynamic duo" of Malwarebytes and Spybot couldn't kill. Then again, I update and scan weekly and avoid suspect sites.

At work, we nuke and re-image. It's the only way to be sure. =D

vaskidmark

Re: Green Dot FBI virus
« Reply #11 on: September 11, 2012, 10:27:32 AM »
> Combofix and/or Rkill
>
> http://www.bleepingcomputer.com/combofix/how-to-use-combofix
> http://www.bleepingcomputer.com/download/rkill/
>
> I only recommend getting these from the bleepingcomputer.com site.
>
> These two usually clean/kill anything, though I usually run MS Security Essentials and/or Malwarebytes afterwards. Run Rkill before Combofix if Combofix doesn't clean it on its own.

> I have yet to run across anything that the "dynamic duo" of Malwarebytes and Spybot couldn't kill. Then again, I update and scan weekly and avoid suspect sites.
>
> At work, we nuke and re-image. It's the only way to be sure. =D

Did I mention that "the usual fixes" had been tried on Friday?

This crap was not fazed by any of these super-powerful heroes. :'(

Those wanting to know what it looks like can go google it for themselves.  :P

AFAIK it came from a news site - either South African or Norwegian news, to be precise.  Had both open when everything went south.

stay safe.

Stetson

Re: Green Dot FBI virus
« Reply #12 on: September 11, 2012, 10:35:15 AM »
Fixed for a friend.  Restored to week prior, booted into safe mode, removed files recommended by a few diff sites (I forgot the ones used... CNET? I think), booted back to normal, works like a charm

win7 32 bit is the OS

Jim147

Re: Green Dot FBI virus
« Reply #13 on: September 11, 2012, 10:42:27 AM »
I've fixed one of those without wiping it. Pulled the drive and ran scans from another computer. I'm not sure you can remove it from a booted drive.

jim
Sometimes we carry more weight than we owe.
And sometimes goes on and on and on.

BAH-WEEP-GRAAAGHNAH WHEEP NI-NI BONG

AJ Dual

Re: Green Dot FBI virus
« Reply #14 on: September 11, 2012, 11:10:27 AM »
> I have yet to run across anything that the "dynamic duo" of Malwarebytes and Spybot couldn't kill. Then again, I update and scan weekly and avoid suspect sites.
>
> At work, we nuke and re-image. It's the only way to be sure. =D

IMO, Spybot and Malwarebytes are good indicators of infection.

Because when you can't run them, you know you're infected.  :rofl:

BryanP

Re: Green Dot FBI virus
« Reply #15 on: September 11, 2012, 11:43:30 AM »
This sort of thing is why I'm also a fan of setups like the Lenovo laptops I got for my wife & stepdaughter. They have a hidden partition that you boot to with a separate power button.  It has a backup & restore utility and a "restore this thing to out-of-the-box config" option. 

lee n. field

Re: Green Dot FBI virus
« Reply #16 on: September 11, 2012, 11:48:37 AM »


> AFAIK it came from a news site - either South African or Norwegian news, to be precise.  Had both open when everything went south.
>
> stay safe.

It couldn't have come from the future.  It might have come from the past.

MechAg94

Re: Green Dot FBI virus
« Reply #17 on: September 11, 2012, 06:53:05 PM »
> IMO, Spybot and Malwarebytes are good indicators of infection.
>
> Because when you can't run them, you know you're infected.  :rofl:

That happened to me one time.  In the end I finally figured out the antivirus program I was using was blocking nearly all Internet traffic for some reason.  Installed Norton instead along with Spybot and all was well.
“It is much more important to kill bad bills than to pass good ones.”  ― Calvin Coolidge

lee n. field

Re: Green Dot FBI virus
« Reply #18 on: September 11, 2012, 09:04:09 PM »
> That happened to me one time.  In the end I finally figured out the antivirus program I was using was blocking nearly all Internet traffic for some reason.  Installed Norton instead along with Spybot and all was well.

I've seen Norton's firewall be the culprit for that as often as any.  Reset to defaults.  If that don't work, scour out and reinstall (or replace).

I noticed the other day that Symantec has a downloadable tool specifically for removing Norton consumer products and then reinstalling them.

Sindawe

Re: Green Dot FBI virus
« Reply #19 on: September 12, 2012, 01:09:47 AM »
While I liked Symantec's Exchange AV back in the early part of this century, I've never been a fan of their AV products.  I had to get their support involved to install the thing on a coworker's PC a few months back.

My preference currently is Kaspersky products.  The consumer model paired with Malwarebytes has kept my system clean for several years now.

I've not seen the Green Dot FBI virus yet, probably just a matter of time until another coworker or someone in my family picks it up and comes to me to clean up the mess.  :facepalm:
I am free, no matter what rules surround me. If I find them tolerable, I tolerate them; if I find them too obnoxious, I break them. I am free because I know that I alone am morally responsible for everything I do.

vaskidmark

Re: Green Dot FBI virus
« Reply #20 on: September 12, 2012, 06:58:23 AM »
Computer geek friend is still finding remnants of the thing, after thinking he finally had gotten rid of it.  Said he has scanned a total of six times (so far) after supposedly clearing it out of the box o' wires, each time coming up with bits and pieces of the virus program or changes it made to other parts.

Between him and his wife (another computer fixer person) they have put in almost 30 hours and still not completely cleaned the booger completely.  It has become a personal challenge for them.  Glad I could provide the entertainment.

stay safe.

lee n. field

Re: Green Dot FBI virus
« Reply #21 on: September 12, 2012, 01:58:22 PM »
That's about 27 hours after I would have bailed. 

Marnoot

Re: Green Dot FBI virus
« Reply #22 on: September 12, 2012, 02:14:32 PM »
> My preference currently is Kaspersky products.

After reading this article in Wired I became mildly wary of using Kaspersky. Kaspersky has since vehemently denied that he has any Kremlin ties, so who knows. My current preference is for Microsoft Security Essentials and Malwarebytes; as that's worked so far I haven't had a need to purchase any non-free solutions.