  #1  
Old 07-17-2012, 08:57 PM
The Tech Professor
Join Date: Oct 2009
Location: Tennessee
Posts: 75
How I Removed The FBI Virus

Hello everyone,

A client called me today with a machine (Windows 7) infected with the FBI virus. I got it out in about ten minutes - this is what I did:

1) Tap F8 during pre-boot and go into Safe Mode
2) Click Start > All Programs > Startup Folder
3) You'll see ctfmon. Delete.
4) Click Start > Run > Type %temp% > OK
5) Look for "festOr_ot" (without quotation marks). Delete.
6) Restart the machine in normal mode
7) FBI virus is gone!!
8) Run MalwareBytes just for good measure

Would like to hear other ways that everyone is using to get this out. Thanks.

Best wishes,
The Tech Professor
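Added example, not part of the thread and not the poster's own method: a PowerShell triage script that looks in the two locations the post names (the Startup folders and %temp%) for the two artifact names it gives, "ctfmon" and "festOr_ot". It reports rather than deletes, because a later reply in this thread points out that removing two files may leave the underlying infection in place; the match patterns and the reporting layout are assumptions for illustration.

```powershell
# Added triage example (not the thread author's steps). Reports matches only; deletes nothing.
# Assumptions: artifact names come from the post; wildcard patterns and output format are mine.
function Get-FbiLockerArtifacts {
    $findings = @()

    # Both the per-user and the all-users Startup folders feed "Start > All Programs > Startup".
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'ctfmon*' } |
            ForEach-Object {
                # Resolve a shortcut's target so the reviewer can see what would actually run.
                $target = $null
                if ($_.Extension -eq '.lnk') {
                    $shell  = New-Object -ComObject WScript.Shell
                    $target = $shell.CreateShortcut($_.FullName).TargetPath
                }
                $findings += [pscustomobject]@{
                    Location = 'Startup'
                    Path     = $_.FullName
                    Target   = $target
                    # The genuine Text Services ctfmon.exe lives in System32 and is not
                    # launched from the Startup folder, so a Startup entry by that name is worth a look.
                    Note     = 'ctfmon entry in Startup folder; compare Target with %SystemRoot%\System32\ctfmon.exe'
                }
            }
    }

    # Step 5 of the post: the "festOr_ot" item under %temp%.
    Get-ChildItem -Path $env:TEMP -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'festOr_ot*' } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Location = 'Temp'
                Path     = $_.FullName
                Target   = $null
                Note     = 'Name given in the removal post; preserve a copy before any cleanup'
            }
        }

    return $findings
}

$results = Get-FbiLockerArtifacts
if ($results.Count -eq 0) { 'No matching artifacts found.' } else { $results | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt in Safe Mode so the all-users Startup folder is readable; copy any hit somewhere safe before deleting so a full scanner or analyst can examine it.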
  #2  
Old 07-17-2012, 09:04 PM
Vicenarian
Join Date: Jan 2010
Posts: 1,928

Yeah, the FBI virus is a pain to remove; that's why I always use either the CIA, FED, or IRS to get rid of the FBI
  #3  
Old 07-17-2012, 11:36 PM
Xander
Join Date: Oct 2008
Location: Niagara region, Ontario
Posts: 6,680

Vice, I love your sense of humour. "Hard to remove" for what's fixed by the simplest removal process ever. Closest thing about this being hard to remove would be booting into safe mode and having to press F8 at the right moment.

This is just another "tutorial for end-users".
  #4  
Old 07-18-2012, 04:24 PM
tek9
Join Date: Feb 2011
Location: NJ
Posts: 371

Quote:
Originally Posted by Vicenarian View Post
Yeah, the FBI virus is a pain to remove; that's why I always use either the CIA, FED, or IRS to get rid of the FBI
I'd rather use the FBI to get rid of the IRS virus, not the other way around.....
  #5  
Old 07-26-2012, 11:57 PM
npinc
Join Date: Jun 2012
Posts: 170

Quote:
Originally Posted by The Tech Professor View Post
You didn't even scratch the surface. It's delivered by a Zeus variant called Citadel. This is a deadly infection that was used to attack the banking sector in the United States. I hope you didn't do that job for a client, because if you did you left them vulnerable to information theft (one of its favorite targets is banking information), slow performance, redirects and rapid reinfection.
  #6  
Old 07-27-2012, 01:06 AM
16k_zx81
Join Date: Sep 2010
Location: South Australia
Posts: 3,809

Quote:
Originally Posted by npinc View Post
lol .... Pwnd!
