| Thread ID: 132782 | 2013-05-22 00:54:00 | Australian Federal Police (AFP) Ukash/ICSPA virus | NZHawk (4093) | Press F1 |
| Post ID | Timestamp | Content | User |
| 1342555 | 2013-05-23 08:00:00 | When I got this it hid in the AppData directory with all its copied logos etc. Use two or three anti-malware programs, as none finds everything. I found Emsisoft Anti-Malware good. Also used the command prompt to bypass Explorer, and msconfig to check start-up programs and disable almost anything that was not essential before looking deeper. Piva | piva (3796) |
| 1342556 | 2013-05-23 08:56:00 | So I'm about to go fix this up too for a family friend... Any pro tips? :D ...Next time they'll take me up on the offer of antivirus / anti-malware a lot sooner; she says she's already written a cheque for two years' worth of NOD32 :p | Chilling_Silence (9) |
| 1342557 | 2013-05-23 09:33:00 | Some of these things I have found seem to be profile-specific. If you are able, create a new user profile, so if it goes belly up when you are trying to clean it out, you should be able to log into the new profile and either clean it up or migrate the user data to the new profile. There is my tip :) | Iantech (16386) |
| 1342558 | 2013-05-23 10:12:00 | The two programs I always take are HitmanPro.Kickstart, as mentioned earlier on, along with the NOD32 bootable Rescue CD. You can make the bootable Rescue CD from any NOD32 install, BUT you also need either the Windows AIK or ADK installed; it's Microsoft software. The Automated Installation Kit (AIK) for Windows 7 helps you to install, customize, and deploy the Microsoft Windows 7 and Windows Server 2008 R2 family of operating systems. It's a 1.7GB or 2.8GB download -- this is to make the WinPE bootable environment. These infections alter the Master Boot Record; that's why you can't boot into Windows normally till it's removed from there. | wainuitech (129) |
| 1342559 | 2013-05-23 10:39:00 | OK, so it wasn't *too* hard.... As mentioned, Safe Mode triggers a reboot, and Ctrl + Shift + Del / Task Manager is disabled in normal mode. Kill power halfway through booting and tell it you want to do a System Restore (I wasn't given the option to do so from the F8 boot menu until I did that). That fixed it enough for me to get in and scan with NOD32 / Malwarebytes to remove the last of it. Took a photo of it on the laptop; it's quite a cheeky bugger of an infection.... i.imgur.com | Chilling_Silence (9) |
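Added example, not posted by anyone in this thread: a PowerShell triage script that does by script what piva did by hand with cmd.exe and msconfig (list the autostart locations and flag anything launched from AppData), and checks the two symptoms Chilling_Silence ran into (Task Manager disabled, Safe Mode rebooting). It assumes you can get a PowerShell prompt as the affected user, for example after the System Restore described above, or from a second profile as Iantech suggests (in that case load the user's NTUSER.DAT with `reg load` and point the HKCU paths at it). The registry paths are standard Windows locations; the SafeBoot check rests on an assumption, that the Safe Mode reboot loop comes from the SafeBoot keys having been removed, which the thread itself does not state.

```powershell
# Added triage script (not from the thread). Run in an elevated PowerShell.
#   1. list the usual autostart locations and flag anything launched from
#      %APPDATA% / %LOCALAPPDATA% / %TEMP%, where piva found the locker's files;
#   2. report the policy values that disable Task Manager / Registry Editor;
#   3. confirm the SafeBoot keys still exist (assumption: the Safe Mode reboot
#      loop is caused by those keys being deleted; the thread does not say so).

$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

$startupFolders = @(
  [Environment]::GetFolderPath('Startup'),
  [Environment]::GetFolderPath('CommonStartup')
)

function Test-SuspectPath {
  param([string]$Command)
  # A launch command is suspect if it points into a user-writable data directory.
  foreach ($root in $suspectRoots) {
    if ($Command -like "*$root*") { return $true }
  }
  return $false
}

Write-Host "== Autostart registry entries =="
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own metadata
    $flag = if (Test-SuspectPath $p.Value) { '[SUSPECT]' } else { '         ' }
    Write-Host ("{0} {1}\{2} = {3}" -f $flag, $key, $p.Name, $p.Value)
  }
}

Write-Host "`n== Startup folder contents =="
foreach ($folder in $startupFolders) {
  if (-not (Test-Path $folder)) { continue }
  Get-ChildItem -Path $folder -Force | ForEach-Object {
    Write-Host ("          {0}" -f $_.FullName)
  }
}

# Winlogon Shell/Userinit: if Shell is anything but explorer.exe, that program
# runs instead of the desktop, which is how a locker takes over the screen.
Write-Host "`n== Winlogon =="
foreach ($hive in 'HKLM', 'HKCU') {
  $wl = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
  if (Test-Path $wl) {
    $v = Get-ItemProperty -Path $wl
    if ($v.Shell)    { Write-Host ("{0} Shell    = {1}" -f $hive, $v.Shell) }
    if ($v.Userinit) { Write-Host ("{0} Userinit = {1}" -f $hive, $v.Userinit) }
  }
}

Write-Host "`n== Policies that disable recovery tools =="
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path $polKey) {
  $pol = Get-ItemProperty -Path $polKey
  foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    if ($pol.$name -eq 1) {
      Write-Host ("[SUSPECT] {0}\{1} = 1  (undo: Remove-ItemProperty -Path '{0}' -Name {1})" -f $polKey, $name)
    }
  }
}

Write-Host "`n== SafeBoot keys =="
foreach ($mode in 'Minimal', 'Network') {
  $sb = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
  $state = if (Test-Path $sb) { 'present' } else { '[SUSPECT] MISSING' }
  Write-Host ("{0,-8} {1}" -f $mode, $state)
}
```

The script only reports; it does not delete anything, because a wrong guess about a [SUSPECT] entry on a family friend's laptop is worse than a second look. Take the flagged file paths to the scanners the thread recommends, and keep the output as a record of what was changed if the machine has to be wiped later.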
| 1342560 | 2013-05-23 11:13:00 | Yep, they are getting trickier ;) Notice on the right as well, it mentions Whitcoulls, a well-known business, plus if a camera is attached or it's a laptop, it can take a picture of the user and embed that -- all adding to the illusion that it's real. It fools a LOT of people. One I cleaned out, the owner was crapping himself; he said he was looking at porn sites at the time and thought he had been nabbed (I said "No", trying to keep a straight face) ;) | wainuitech (129) |
| 1342561 | 2013-05-23 12:21:00 | I managed to remove the AFP virus with the Kaspersky Rescue Disk, booted from a flash drive. It took about 3 hours to complete; then I ran Spybot S&D. Malwarebytes & SUPERAntiSpyware found about 200+ infected files. Cheers, Wayne | WayneMiddy (14028) |
| 1342562 | 2013-05-24 05:26:00 | It would scare you, but you could figure it is rubbish pretty quickly. Like, since when has paying money to an unknown entity saved you from prosecution? And when has it ever been a good idea to send unknown people money? And since when have fines been 200 to 500 minimal wages??!! Prick of a thing though. But, yes, WT, your client must have shat himself!!!! | linw (53) |
| 1342563 | 2013-05-24 05:57:00 | Did nobody else notice the NZ Police logo used? :p | Chilling_Silence (9) |
| 1342564 | 2013-05-25 04:12:00 | Now you mention it! | linw (53) |