Latest fixes for FBI Virus?

TimTim Southwest PA Icrontian
The well-published and easily found ways of fixing the FBI Virus on computers don't work much anymore. I used to be able to get it out by going into safe mode and running Malwarebytes and a few other programs, now that doesn't work anymore.

Any new ideas on how to fix it and keep it from coming back? I can always wipe out the hard drive and reload everything, but there should be a better way.

Comments

  • AlexDeGruvenAlexDeGruven Wut? Meechigan Icrontian
    The 100% best way is nuke and pave. If normal instructions out there aren't working anymore, it's really the only alternative until someone pokes around enough in the new infections to find all the different pieces.
  • RyanMMRyanMM Ferndale, MI Icrontian
    Most of the FBI virus variants I'm seeing cannot boot into Safe Mode anymore. I've had to get EXTREMELY creative with repairs for these things without resorting to nuke and pave.

    I still don't nuke and pave unless it's absolutely hopeless. Any virus can be removed if you're clever enough.
  • mertesnmertesn I am Bobby Miller Yukon, OK Icrontian
    WTF are people doing to get these things?
  • AlexDeGruvenAlexDeGruven Wut? Meechigan Icrontian
    Porn, warez, etc. Same stuff they always have been.

    Or they're not using adequate protection and are getting hit by infested ad networks.
  • TimTim Southwest PA Icrontian
    edited June 2013
    Opening email attachments from friends who are also computer idiots and don't understand about opening attachments from someone you don't know.

    In most cases I've seen, a typical home user probably already had problems and a slow or semi-slow running computer, so a full hard drive wipe out and reload isn't a bad idea. It gets them to a known point and as cleaned out as possible. Then I'm the hero when not only is the FBI virus gone, but their PC is much faster as well and comes back to them with antivirus programs (AVG Free and Malwarebytes) and updated other programs too. What a bargain for $100, my standard full wipe-out-and-reload-and-save-your-important-files fee.
  • QCHQCH Ancient Guru Chicago Area - USA Icrontian
    mertesn said:

    WTF are people doing to get these things?

    Running Windows ME?

    I support over 1000 PCs, of which 800 are Windows 7. We've had 4 wipe and reloads due to malware, and all of those had users running with admin rights.

    Get to Windows 7 and use a simple user account not admin account.

  • mertesnmertesn I am Bobby Miller Yukon, OK Icrontian
    QCH said:

    users running with admin rights

    Well there's your problem :D I bet they wouldn't notice if their accounts "accidentally" reverted to standard user permissions.
  • mertesnmertesn I am Bobby Miller Yukon, OK Icrontian
    edited June 2013
    Tim said:

    Opening email attachments from friends who are also computer idiots and don't understand about opening attachments from someone you don't know.

    Emphasis added for lulz
  • QCHQCH Ancient Guru Chicago Area - USA Icrontian
    mertesn said:

    Well there's your problem :D I bet they wouldn't notice if their accounts "accidentally" reverted to standard user permissions.

    We are looking into a 3rd party tool to take care of the "But I need admin rights cuz XYZ doesn't run with normal rights..." Then a way to give one-time admin rights remotely... Then I will try my darndest to remove admin rights!


  • mertesnmertesn I am Bobby Miller Yukon, OK Icrontian
    Right click on program, select "Run As". Have an account with elevated permissions that can only run that app. Receive bacon.
  • Developing Windows apps that don't require UAC at runtime is especially hacky because you are frequently bypassing Microsoft's security model by doing things like writing to temporary system directories which aren't designed at the OS level to be used for such. That has further implications in the stability of the program. It gets infinitely more complicated when you introduce a domain server, but at the same time domain admins share the responsibility for permission problems at that point.

    Frequently developers have good reasons to support UAC requests. If you are running software that has to do anything like write to the registry, register a dll, whatever ... forget it. You need elevation. I understand that should happen at the installation stage of software, but depending on the end user's requirements you sometimes have to do things like that at run time or in the middle of the user experience. This is especially true if the software has to, for example, run a process that requires elevation even though the core features of the software generally do not require UAC.

    In short, if the software has an excuse for UAC requests or not depends on what the software does which depends on end user requirements.

    If the software simply isn't calling UAC at runtime when it should, and it gets unhandled exceptions later and crashes -- well that's bad software design.
  • AlexDeGruvenAlexDeGruven Wut? Meechigan Icrontian
    Normal operation of software should not ever trigger UAC. Microsoft has published guidelines for operating within UAC including virtual stores, etc.

    It's normal for an installer because it needs to write to Program Files and the registry, but once it's installed, it should never trigger a UAC prompt.

    There's no "especially hacky" things that need to be done to work within the envelope. This is an excuse that shoddy developers who don't want to follow the proper guidelines use to not read the guidelines.

    There is not a single program on my work desktop that triggers UAC, and I only have 2 or 3 at home because they're legacy stuff that was written pre-Vista.
  • @AlexDeGruven
    Consider if you make antivirus software, the software finds a virus in your Program Files directory, it asks to delete the file, however the software wasn't run with admin rights to start. How do you recommend it does this without restarting with a UAC request? In fact, most antivirus at that point not only reboots the computer entirely to make sure the targeted file is out of system memory, but it also launches its deletion app with a UAC request once the computer reboots.

    There are thousands of situations like this, it depends on the program's functionality. Obviously something like a web browser or a document editor don't have this problem, and that is most software. However, it simply depends. It's not a shoddy development practice.

    By the way, if you want to see hackish UAC avoidance in action, run the Chrome installer. Look where Chrome actually installs everything on your system to avoid UAC requests. It actually goes exactly against Microsoft's guidelines that you are talking about so that it can install without a UAC prompt. This is to gain larger market share, and it's smart of them but it absolutely is hacky.
  • AlexDeGruvenAlexDeGruven Wut? Meechigan Icrontian
    You're talking about special cases. I consider AntiVirus/Malware system-level software. Also, it would have (appropriately) triggered a UAC prompt (or a few) during install, and not have to fully restart, just trigger UAC to elevate when needed. UAC elevation for this type of operation is normal and should still be there (I don't want even a virus scanner to be touching system files without my say-so).

    Chrome's installer going into user-accessible areas only is exactly what Microsoft wants for non-system-level software. A browser should be 100% able to run without touching system files, even if it is installed in Program Files.

    Again, I'm not talking about installers (I expect and require Firefox to hit UAC when I first install it). I'm talking about normal launching/running of applications.

    If, during its regular operation, it needs to write to a system-protected location (with exceptions for system-level software), that's the exact definition of "UR doin it rong".
  • QCHQCH Ancient Guru Chicago Area - USA Icrontian
    mertesn said:

    Right click on program, select "Run As". Have an account with elevated permissions that can only run that app. Receive bacon.

    But there still needs to be an admin account that the user can access... which still leaves them the opportunity to elevate for that downloaded program or random UAC window... just type the password for the admin account and you're done and now infected. Other issue... there are still apps out there that cannot run in UAC environment since they get confused with which user account to use when they execute. Java Updater asks for admin right in order to update but then fails because the updater hands off to the installer which doesn't have admin. Pain in the ass...

    Solution: Call software vendor and say "It's 2013. Your software still doesn't work properly with UAC. This must be fixed by DateX or we move to a different software vendor."

    We have custom apps written in the mid to late 90's that "run" in Windows 7 but cannot run without full admin rights and cannot be re-written due to time and cost.
  • Meh, sort of at the agree-to-disagree point, but of course I'm talking about special cases. My point is just that you can't broadly say it's 2013 and call developers shoddy if they work around UAC because their target market has requested it.

    Microsoft has calls in ALL of their Vista-and-forward APIs to detect things like the current UAC level, detecting processes that require UAC through exceptions (i.e. a non-elevated user tries to open a file that requires admin rights to view), specifying UAC in manifest files, etc., specifically for properly handling situations where an end user has done something that requires UAC elevation even though the program was not launched with it. It's part of Microsoft's security design, and that's why it is in the APIs, so that these functions can be handled gracefully.

    Largely depending on the type of software, you just can't tell for sure when a user will need elevation. As such programs have to either deny functionality or opt to restart elevated because, as you know, it would be bad for a program to just request elevation every single time it runs. On the other side it is wrong to say a program should never request elevation.

    This is the case for many situations, not a rare few and not restricted to security software. A program has plugins that ship unactivated because users don't want the plugins activated at install. Activating them is done through the UI because users have requested plugins be added through the UI. A user goes to install a plugin, the plugin requires a third party ax file is registered with the system, UAC elevation has to happen here.
    Or let's say a user tries to open a file that requires admin rights. You have to deny them or opt to restart the program with an elevation request. Letting the program crash due to the exception would be the shoddy development you talk about and what I referenced in my first post.

    I stand by my point that you can't just say a program should never request UAC at launch, and that programmers hackishly avoid UAC all the time to keep end users happy. Not because they are shoddy developers, but because a customer comes at you with this:
    Solution: Call software vendor and say "It's 2013. Your software still doesn't work properly with UAC. This must be fixed by DateX or we move to a different software vendor."
    and the last thing you respond to them with is this:
    No, modify your systems to fit Microsoft's model better to begin with because we follow the actual rules already.

    And per this:


    Chrome's installer going into user-accessible areas only is exactly what Microsoft wants for non-system-level software. A browser should be 100% able to run without touching system files, even if it is installed in Program Files.

    I don't think that is true. AFAIK, nowhere does Microsoft recommend programs be installed to localized AppData folders. Those folders are meant to be used by roaming profiles or temporary user data like cookies etc. Once Chrome got a big enough market share, they actually started installing to the Program Files folder like any other program. Of course the browser can run without UAC, all it does is make HTTP requests. I was just giving a popular example of a hack to avoid UAC elevation requests driven by end user demand.
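    The pattern argued over in the last few posts (probe first, and relaunch elevated only when the operation actually needs it, rather than prompting on every launch or crashing on an access-denied exception) is small enough to show in a script. This is an added example, not code from anyone in the thread; the ExampleApp settings path is a hypothetical protected target, and the script assumes it is saved as a .ps1 file so that $PSCommandPath is set.

```powershell
# Added example: detect, then relaunch elevated only when a write is actually denied.
# Assumption: $ProtectedPath is a hypothetical location under Program Files that the
# script must update; the script is saved as a .ps1 so $PSCommandPath is defined.
param(
    [string]$ProtectedPath = (Join-Path $env:ProgramFiles 'ExampleApp\settings.ini')
)

function Test-IsElevated {
    # Ask the process token whether the Administrators role is active. Under UAC a
    # member of Administrators running un-elevated gets $false here, because the
    # role is present in the token but disabled until the process is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-CanWrite {
    param([string]$Path)
    # Probe the target instead of guessing from its location: the ACL, not the
    # folder name, decides whether elevation is required.
    try {
        $stream = [System.IO.File]::Open($Path, 'OpenOrCreate', 'ReadWrite', 'None')
        $stream.Dispose()
        return $true
    } catch {
        # .NET exceptions reach PowerShell wrapped; look at the inner one.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.UnauthorizedAccessException]) { return $false }
        throw   # anything else (bad path, locked file) is a real error, not a UAC case
    }
}

if (Test-CanWrite -Path $ProtectedPath) {
    "Writing to $ProtectedPath without elevation"
    Add-Content -Path $ProtectedPath -Value "updated $(Get-Date -Format o)"
}
elseif (-not (Test-IsElevated)) {
    # The choice described above: deny, or relaunch elevated. Relaunch once with the
    # same arguments; the RunAs verb is what produces the UAC prompt.
    "Write denied and not elevated; relaunching with a UAC prompt"
    $argList = @('-NoProfile', '-ExecutionPolicy', 'Bypass',
                 '-File', "`"$PSCommandPath`"",
                 '-ProtectedPath', "`"$ProtectedPath`"")
    Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -Verb RunAs -Wait
}
else {
    # Elevated and still denied: this is an ACL or locked-file problem, not a UAC
    # problem, so report it instead of prompting again in a loop.
    Write-Error "Elevated but still cannot write to $ProtectedPath; check the ACL"
}
```

    Run it as a standard user and the first branch succeeds when the file is writable, the second pops exactly one UAC prompt when it is not, and the third stops the script from re-prompting forever when elevation was never the missing piece. The probe-then-elevate order is the whole point: the prompt appears only on the code path that needs it, which is what the manifest-level requestedExecutionLevel setting cannot express for a single operation inside an otherwise unprivileged program.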
  • ShadowdareShadowdare Member
    edited June 2013
    I know someone whose friend got the FBI virus on Windows 7. They couldn't get into safe mode because it kept on restarting the computer when they tried. Sometimes the FBI virus would show up during the safe mode loading screen and it would have a custom looking window title bar that's unlike Windows 7's Aero themes.

    They solved the problem by following this guide which said to go into safe mode with command prompt and running system restore. I rarely use system restore, so I wonder how this is different from the other options in the advanced start up menu such as "repair your computer" or "last known good configuration."

    Would the FBI hinder your computer usage just to make you send them a MoneyPak code? It goes to show that people still fall for these kinds of scams. Also, if people do send them a MoneyPak code, does the virus disappear from the computer or will it keep nagging them for more codes?
  • QCHQCH Ancient Guru Chicago Area - USA Icrontian
    The key for most malware... it is CANCER. You can never be 100% sure you got it all. Just better to back it up, wipe, re-install, and restore the data.
  • TimTim Southwest PA Icrontian
    Yes. That is the Tim way.
  • The best way is definitely to wipe the entire hard drive like others have said. I heard that system restore files can get infected as well. Be sure to run a scan on the files that you backup when you get your OS installed again.
  • RyanMMRyanMM Ferndale, MI Icrontian
    Fun fact! If you delete the partitions but don't delete the MBR, most of the rootkits now will persist onto your fresh installation of Windows.

    So make sure you're ACTUALLY nuking and not just kinda-sorta nuking. If you're gonna be lazy, do it right.
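    One way to check that the nuke was a real nuke is to read sector 0 back after wiping and confirm that the boot code, partition table and 0x55AA signature are all gone. The parser below is an added example, not code from this thread; it works on any 512-byte array, so the constructed sample at the bottom runs without touching a disk, and Read-FirstSector assumes \\.\PhysicalDrive0 opened from an elevated prompt.

```powershell
# Added example: summarise a classic MBR so a wiped disk can be told from a
# "kinda-sorta" wiped one. Assumption: Read-FirstSector opens \\.\PhysicalDrive0
# and therefore needs an elevated prompt; Get-MbrSummary needs no disk at all.

function Get-MbrSummary {
    param([byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw "Need at least 512 bytes, got $($Sector.Length)" }

    # Layout: 446 bytes of boot code, four 16-byte partition entries at offset 446,
    # and the two-byte 0x55AA signature at offset 510.
    $bootCode  = $Sector[0..445]
    $nonZero   = @($bootCode | Where-Object { $_ -ne 0 }).Count
    $signature = ($Sector[510] -eq 0x55) -and ($Sector[511] -eq 0xAA)

    $partitions = foreach ($i in 0..3) {
        $off  = 446 + 16 * $i
        $type = $Sector[$off + 4]
        if ($type -eq 0) { continue }          # empty slot
        [pscustomobject]@{
            Index       = $i
            Bootable    = ($Sector[$off] -eq 0x80)
            Type        = ('0x{0:X2}' -f $type)
            # Start LBA and sector count are little-endian 32-bit values.
            StartLba    = [BitConverter]::ToUInt32($Sector, $off + 8)
            SectorCount = [BitConverter]::ToUInt32($Sector, $off + 12)
        }
    }
    $partitions = @($partitions)

    [pscustomobject]@{
        HasSignature    = $signature
        BootCodeNonZero = $nonZero
        # A 0xEE entry means GPT: the real partition table lives at LBA 1 and in a
        # backup header at the end of the disk, neither of which this sector shows.
        ProtectiveGpt   = (@($partitions | Where-Object { $_.Type -eq '0xEE' }).Count -gt 0)
        Partitions      = $partitions
        LooksWiped      = (-not $signature) -and ($nonZero -eq 0) -and ($partitions.Count -eq 0)
    }
}

function Read-FirstSector {
    param([string]$DiskPath = '\\.\PhysicalDrive0')
    # Raw device read; run this from an elevated prompt.
    $fs = [System.IO.FileStream]::new($DiskPath, 'Open', 'Read', 'ReadWrite')
    try {
        $buf  = New-Object byte[] 512
        $null = $fs.Read($buf, 0, 512)
        return $buf
    } finally { $fs.Dispose() }
}

# Constructed sample sector (not from a real disk): empty boot code, one bootable
# NTFS (0x07) entry starting at LBA 2048 spanning 1,048,576 sectors, plus the
# signature. Expect HasSignature True, one partition, LooksWiped False.
$sample = New-Object byte[] 512
$sample[446] = 0x80; $sample[450] = 0x07
[BitConverter]::GetBytes([uint32]2048).CopyTo($sample, 454)
[BitConverter]::GetBytes([uint32]1048576).CopyTo($sample, 458)
$sample[510] = 0x55; $sample[511] = 0xAA
Get-MbrSummary -Sector $sample | Format-List

# After a real wipe, every field should be empty and LooksWiped should be True:
# Get-MbrSummary -Sector (Read-FirstSector) | Format-List
```

    Deleting partitions from the Windows installer leaves the 446 bytes of boot code in place, which is exactly what this check catches: BootCodeNonZero stays above zero and HasSignature stays True even though Partitions is empty. In diskpart, clean clears the partition table area and clean all zeroes every sector; only the latter (or a whole-disk zero pass) also covers a GPT backup header and anything parked in unpartitioned space, so on a GPT disk a clean sector 0 alone is not proof of a clean drive.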
  • mertesnmertesn I am Bobby Miller Yukon, OK Icrontian
    RyanMM said:

    Fun fact! If you delete the partitions but don't delete the MBR, most of the rootkits now will persist onto your fresh installation of Windows.

    Does that hold true for GPT as well?
  • RyanMMRyanMM Ferndale, MI Icrontian
    Not sure. I haven't run across any systems with viruses and a GPT partition. I'm curious to see how rootkits deal with GPT, I wonder if they are currently designed to work at all or if they'd just bork things and cause stuff to no longer boot at all.
  • RyanMMRyanMM Ferndale, MI Icrontian

    Porn, warez, etc. Same stuff they always have been.

    Or they're not using adequate protection and are getting hit by infested ad networks.

    This is a really common misconception and it hasn't been the case for years. There is a good deal of user error involved, but it's more about education than it is about shady behavior.

    It's really hard to teach users the difference between a legit Security Essentials pop-up alert and a website that flashes an image of an identical Security Essentials pop-up alert and gets the user to download a special clean-up tool that ends up rootkitting the hard drive.

    It's really hard to teach users that the video that claims it needs a newer version of Flash is actually trying to get you to install a bunch of adware and there's nothing wrong with Flash at all.

    It's really hard to get people to stop using Yahoo and MSN for their homepages and email, even though I'm pretty sure Adchoices has had a rogue malware problem and deceptive adverts leading to malware for years.
  • mertesnmertesn I am Bobby Miller Yukon, OK Icrontian
    Got a spare hard drive to use as a test subject?
  • TimTim Southwest PA Icrontian
    When I wipe out a hard drive, it either gets run through Active Killdisk for a 1 pass zeroes wipe (I'm too cheap to use the paid version), or at the very least I use an XP boot disk to fully NTFS format the drive, not the quick format, even if it is getting Windows 7 reloaded. The Windows 7 installation disk "format" that takes about 5 seconds is a joke.
  • RyanMMRyanMM Ferndale, MI Icrontian
    mertesn said:

    Got a spare hard drive to use as a test subject?

    I have spare everything but time.