Trojan Strathclyde Police
JJ_Egan
Posts: 20,281 Forumite


in Techie Stuff
This one has started doing the rounds.
A trojan doing the rounds; it is hard to sort out as it takes over the entire screen.
It's Trojan ZBot CB.
Troublesome as it appears as an embedded file in a web page that you don't know you have downloaded.
It also disables Task Manager so cannot turn internet browser off.
Symptoms:
Frozen computer screen with full screen message
Strathclyde Police
!!!!!! terrorist message etc. Will also show your correct IP, making it look genuine to some.
But then asks for payment.
Unable to close screen.
Solution: power off, power off internet
Reboot in Safe Mode (F8)
Type run in search next to start button.
RUN
Type MSCONFIG
STARTUP
Look for entry Crude Dried etc.
Untick
Reboot and run and you should have cleared the screen. Malwarebytes and/or security scanner should then be updated and a full scan carried out.
jje
Comments
-
If I'm reading this right, shouldn't be a problem for pretty much anyone with up to date antivirus
Utinam logica falsa tuam philosophiam totam suffodiant.
-
Don't think so, as I just removed it from a machine with two hour old definitions.
jje
-
I just booted into safe mode now. But I couldn't find an entry in startup called 'Crude Dried'.
I did find something along the lines of facemood (with the virus on normal startup, when I get the page about the Strathclyde Police, I can only access Internet Explorer, and it opens to facemood and has a facemood toolbar), and I disabled the facemood startup service. But when I rebooted it didn't fix it.
-
Half of the time you don't need to bother entering startup, as when in safe mode, most antivirus programs have a command line executor which scans for viruses while in safe mode.
-
I found the entry in the startup menu called 'Spare Alice Wall', supposedly from a company called Agnitium Ltd (a Russian company which makes legit anti-spyware and trojan software); disabling this allowed me to regain access.
Scanning with Malwarebytes showed the trojan.Zbot.CBCGen plus a Pum.Hijack.TaskManager. You need to do a full scan, as a quick scan does not find all copies of the Trojan.
My anti-virus and antimalware software did not stop it getting in, even with latest updates.
-
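Added example, not part of the thread and not any poster's code: the startup entries reported here had random names ('Crude Dried', 'Spare Alice Wall') and a publisher string imitating a real vendor, so neither is reliable to search for. This read-only PowerShell script (3.0 or later) lists every startup entry with the Authenticode signature status of the file it launches, and checks the standard `DisableTaskMgr` policy value; that this sample used that value to disable Task Manager is an assumption, and the helper name `Get-StartupTargetPath` is hypothetical.

```powershell
# Added example (not from the thread). Read-only: lists startup entries, changes nothing.
# Requires PowerShell 3.0+ for Get-CimInstance.

function Get-StartupTargetPath {
    param([string]$Command)
    # Startup commands may be quoted and carry arguments; extract the executable path.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.(exe|com|scr|bat|cmd|vbs|js|dll))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$report = foreach ($entry in Get-CimInstance -ClassName Win32_StartupCommand) {
    $path = Get-StartupTargetPath -Command $entry.Command
    $sig = $null
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
    }
    [pscustomobject]@{
        Name      = $entry.Name
        Location  = $entry.Location
        Path      = $path
        Signature = if ($sig) { $sig.Status } else { 'FileNotFound' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Entries without a valid signature sort first: those are the ones to review by hand.
$report | Sort-Object { $_.Signature -eq 'Valid' }, Name | Format-Table -AutoSize -Wrap

# Task Manager policy: 1 means disabled (assumed mechanism; the thread does not name it).
$policyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($hive in 'HKCU:', 'HKLM:') {
    $p = Get-ItemProperty -Path "$hive\$policyKey" -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($p -and $p.DisableTaskMgr -eq 1) { "Task Manager is disabled by policy under $hive" }
}
```

An entry without a valid signature is a prompt to look closer, not proof of infection; plenty of legitimate startup items are unsigned.
-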
jacko9191, the legitimate company who make anti-spyware and firewalls are Agnitum Ltd. not Agnitium. When I did a Google search for Agnitium I found a link to a website called Antitaivirus.com. It's distinctly dodgy but fortunately I've got NoScript which has blocked any potential nasties. I won't link to it but here's the Domain Registration.
http://whois.domaintools.com/antitaivirus.com
-
As it was a long distance repair job, I never got to the bottom of the infection.
Avast missed it.
Probably came from a web page; guess Java exploit, based upon male teenager's use of machine and the fact that it came back a few days later and had to be cleared again.
jje
-
Hi guys,
Your info has been really useful, but JJ Egan, I haven't been able to find the Crude Dried etc... I am not really a whizz with computers and don't understand all the jargon. Is there something else I should be looking for when I have typed MSCONFIG and looked under the startup tab?
Thanks to anyone for their help
Cheers
-
If you can get into safemode with networking, download and run rkill - http://www.bleepingcomputer.com/download/anti-virus/rkill
That will terminate any virus processes so if you run something like Malwarebytes / SuperAntiSpyware in safemode, it will remove the majority of the virus.
Always run a full / quick scan again in normal Windows mode to double check all is gone etc.
My Support is provided "as is" without warranty of any kind. While a knowledgeable and skilled professional, I cannot offer any guarantee as to the consequences of the Support provided. Should the Support cause damage or loss of any kind, I shall not be held liable.
-
Hi Wario TBH, that's helpful and yes I can get onto safemode, but could you talk me through a quick step by step of how I do this... if you could tell me what to type and where, that'd be great!