Though this internet nasty has been around a while, it seems to have found a few new tricks for infecting your computers. It primarily prevents you from booting your computer up and has a wild accusation.
This rootkit is simply a window that covers your entire screen and “alerts” you that the FBI has found something on your computer and you must register and pay for the “it” to get your computer back to work.
This is a pure scam, so don’t do it.
For the Do-it-Yourselfers out there, here is the plan of attack that successfully use in removing this crud. I will presume you are a DYI type person and know how to burn ISO images and properly run security software, if you don’t, I suggest hiring a professional to do this cleanup. A reasonable cost would be between $200 and $350 due to the time involved.
The overall time to remove this will be 4 to 8 hours depending on your computers CPU, RAM and hard drive size.
Here is a quick rundown of what you need to do, for more details simply continue reading.
• Download and run Bit Defender
• In Safe Mode
o Run Combofix
o Run TDSSKiller
o Run Malwarebytes
o Run Spybot S&D
o Run your Anti-virus
• In “Normal” mode
o Run Combofix
o Run TDSSKiller
o Run Malwarebytes
o Run Spybot S&D
o Run your Anti-virus
That is it. Now for the details of how to do the above.
Boot your infected computer to the disk you created above (you will need to have your internet connection for this, it is alright, just leave in or reconnect you LAN cable), there is a countdown timer so you have to press “any key” to boot to the disk. Once that is done you will have your choice of which language to use, I select English. Next is the usage agreement, select the “1” key to proceed.
The CD will now finish booting your system, be patient and give it time. It will boot to a desktop and the “mount” your hard drive(s), see the network. You might get a warning that the database is out of date. In the middle window, click on the “My Update Center” tab and then click on “Start Update”. Let it run its updates, they will take a while but you will have the latest definitions to clean the computer.
Once the updates have run go back to the “Objects Scan” tab and be sure all your hard drives and any connected drives (external USB drives et al) have a check in the box as well as the “Disk boot sectors” and “Hidden startup objects”. Now simply click on “Start Objects Scan” and let the scan complete.
While that is scanning, go back to the clean uninfected computer, you will need to get the Bit Defender bootable CD from here http://download.bitdefender.com/rescue_cd/
The bit Defender CD will want you to select (via the arrow keys) which language you want to use, again I choose English.
Once booted to the CD, select “Continue”, Bit Defender will self update and once updated will automatically start its scanning.
While waiting on this scan, go back to your clean computer and download a few programs to a USB drive so you can put them on the infected computer in a little while.
Combofix (http://www.bleepingcomputer.com/download/combofix/)
Malwarebytes (http://www.malwarebytes.org/)
Spybot Search and Destroy (http://www.safer-networking.org/).
When Bit Defender has finished scanning you will need to “Resolve Issues”, just follow the recommendations.
Now you will need to reboot, with Bit Defender you go to the bottom center of the monitor on a tool bar. Next to the time is a power off button, if you hover over it it will pop up with “quit”, click on that button. A window will appear, choose “restart” from the choices. The CD will self eject and you will need to press the “Enter” key on your keyboard to continue.
Let the computer start and immediately press the “F8” key repeatedly, a black screen with white text should appear shortly. You want to get into “Safe Mode with Networking” by using they keyboard arrow keys, highlighting it and pressing the “Enter” key on your keyboard.
Booting to safe mode you will need to run Combofix. Nothing special here, just double-click on it and let it run. If it reboots the system, just let it do so. For a how-to guide go here http://www.bleepingcomputer.com/combofix/how-to-use-combofix.
Once Combofix has finished you will need to run TDSSKiller, once again, be sure you are in Safe Mode with Networking. Select “Start Scan” and let it run, we will go into the “Change Parameters” when we are running in normal mode. You only have to choose “close” from the bottom right corner if nothing is found.
Here is a link to a good set of directions if you need them – http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller
If a threat or two are detected you will have a showing them, once the scan has completed. Make sure “Cure” or “Delete” or “remove” is selected in the drop down box located next to each threat. Once everything is selected click on the “continue” button at the bottom right of the page.
After that has finished, install Malwarebytes. You might have to boot to normal mode to install it and Spybot, do so then reboot to safe mode.
Go to the Malwarebytes “Update” tab and “Check for Updates”, once that has finished, go to the “Settings” tab and make sure all check boxes are selected. Now go to the “Scanner” tab and click on the radio button for “Perform full scan” and then click the “scan” button.
Here are directions for the use of and cleaning files found by Malwarebytes – http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-malware-tutorial
After Malwarebytes you need to run Spybot Search and Destroy. Here is a tutorial on it – http://www.safer-networking.org/support/spybot-1-6/tutorials/
Now run ESET (or whichever anti-virus you have).
Finally reboot to “normal” mode and run Combofix, TDSSKiller, Malwarebytes, Spybot and finally your anti-virus again. Make sure you right-click on each program and select “run as administrator” as you run them.
With TDSSKiller, this time you will want to click on the “Change Parameters” text on the pop-up that appears you will want to be sure every box is checked, the program will require you to reboot the computer, go ahead and do so.
Yes, this takes time, yes it is not “easy”, that is why IT companies charge for properly cleaning up infections such as this one.
You should be disinfected from the FBI warning and almost any other root-kit, worm, Trojan, virus, malware, and spyware your system was infected with.
Until we meet again, have a virus free week!
This website certainly has all the information I needed
about this subject and didn’t know who to ask.