LM was infected by FBI MoneyPak virus.. Need help! [SOLVED]
Forum rules
There are no such things as "stupid" questions. However if you think your question is a bit stupid, then this is the right place for you to post it. Stick to easy to-the-point questions that you feel people can answer fast. For long and complicated questions use the other forums in the support section.
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
LM was infected by FBI MoneyPak virus.. Need help! [SOLVED]
I think that my LinuxMint system was infected by so called FBI MoneyPak virus. It happened that I have both Windows XP and LinuxMint on my laptop. So since I don't have any anti-virus program installed on Linux partition, I thought that I could probably scan the Linux from my WinXp partition. WindowsXp works fine so far. What would you recommend? How can I remove the virus? Thanks.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 3 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
Install and run Clam av in Mint.
Registered Linux user #557695
MX Linux user these days - I introduce newbies via Mint
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
Hello, amtex.
Irrespective of the fact that following excollier's advice to install and run ClamAV is a good idea, I would like to ask one question:
amtex wrote: I think that my LinuxMint system was infected by so called FBI MoneyPak virus.
What are the symptoms that tell you your Mint system has been infected by the FBI MoneyPak virus? Whatever one finds about it on the web all seems to suggest that FBI MoneyPak can only run on Windows systems.
Kind regards,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 792 days now.
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
That was going to be my question too . . . . . . . and how would it possibly have managed to infect anything? Do you run as root normally?
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
Thanks excollier, I'll see if I can do that.
Hi Karl, while I was browsing the internet the screen was blocked and the "FBI warning page" loaded with the MoneyPak payment option of $300. I researched the internet and found out that this thing happened to many other users, but never saw anyone with Linux having this problem either. Interestingly, as I said, I have Win XP on the other partition and it seems to work fine. I scanned it with Avast; it didn't find anything.
I wonder if I could somehow scan the Linux part of the HDD with Avast that I have on Windows part...
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
amtex,
Just to clarify what you just alluded to: are you saying that you have no problems when browsing in XP, but in Linux you get the "FBI warning page"?
In Linux, what browser do you use?
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
No problem in Win XP. In Linux no problem until I get to the tab with that FBI warning page. As soon as I get there the browser locks. I am using Firefox in Linux.
I tried to install Clam Av using Software Manager but the only one it has is Clam Av for Unix. Is it the one I need?
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
amtex wrote: No problem in Win XP. In Linux no problem until I get to the tab with that FBI warning page. As soon as I get there the browser locks. I am using Firefox in Linux.
I tried to install Clam Av using Software Manager but the only one it has is Clam Av for Unix. Is it the one I need?
Open a terminal and type the following command:
Code: Select all
sudo apt-get install clamav clamtk
I find it real strange that under XP you don't have any problems but with Linux you get problems since it's a Windows virus....
Last edited by nomko on Mon Aug 26, 2013 5:43 pm, edited 1 time in total.
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
My 2 cents...
FBI MoneyPak sounds like a browser hijacker. As such, it can attack any vulnerable browser.
First, don't log in and use computer as root.
Second, consider running a FireFox add-on called NoScript.
Third, when you open Firefox, on the menubar click Edit > Preferences > Advanced > Network > Settings. What are your proxy settings? If you don't need a proxy, try "No Proxy" if it is not already selected.
Another approach might be to create another user and log in as that user and use the browser and see what happens. (install NoScript first)...
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
amtex,
Close firefox then open the terminal and move the .mozilla/ folder to .mozilla.save/ then try the browser again. It will look like a fresh install though.
Code: Select all
mv .mozilla/ .mozilla.save/
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
WharfRat wrote: amtex,
Close firefox then open the terminal and move the .mozilla/ folder to .mozilla.save/ then try the browser again. It will look like a fresh install though.
Code: Select all
mv .mozilla/ .mozilla.save/
Faster and easier than my last suggestion of creating another user... NICE move! Why didn't I think of that?!?!? (LOL)
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
Reorx wrote:
WharfRat wrote: amtex,
Close firefox then open the terminal and move the .mozilla/ folder to .mozilla.save/ then try the browser again. It will look like a fresh install though.
Code: Select all
mv .mozilla/ .mozilla.save/
Faster and easier than my last suggestion of creating another user... NICE move! Why didn't I think of that?!?!? (LOL)
That's because I thought of it second
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
Hi, amtex.
I partially understand.
Even on Mint using Firefox you can visit a webpage that has been manipulated to deliver malware like the FBI MoneyPak ransomware.
As long as you do not boot to Windows and visit the same webpage it is likely that your Windows installation remains clean.
On Mint I would proceed like this:
- Launch Firefox. Clean the complete browser history including the cache. Tick all offered items in the "recent history delete" dialogue. Make sure you select to delete everything, not just the past few hours or days.
- Provided Java has been installed on Mint, inside Firefox disable any Java plugin, no matter whether it is an IcedTea plugin or the genuine Oracle Java plugin, disable it.
I assume that the FBI MoneyPak ransomware might be similar to the BKA ransomware that can be found in Germany. (The BKA might be considered the German equivalent of the FBI, sort of.) The BKA ransomware uses a Java browser plugin security vulnerability in order to infect Windows computers. I have not bothered to try and find out whether this vulnerability which is present in the Java browser plugin will allow this kind of ransomware to function partially on Mint as well.
This is why disabling any Java plugin, in particular if you are still using Java v1.6_something, is highly recommended.
- Unless you willingly go to the webpage where you met the FBI MoneyPak ransomware, no fake FBI warning should re-appear.
Provided the assumption about the dependency on a vulnerable Java plugin applies, even a manipulated webpage should not be able to misuse Firefox any longer.
So downloading, installing and using ClamAV (commandline scanner) plus ClamTK (the appropriate GUI for ClamAV), as recommended before, will be the right way for a Mint system. You might also like to use rkhunter (commandline only). All 3 can be got from the Mint/Ubuntu repositories. And in case you experience problems doing so with the help of the Software Manager, you may always resort to Synaptic package manager.
Kind regards,
Karl
--
[corrected]: addressed the wrong person, foolish me. amtex started this thread.
Last edited by karlchen on Mon Aug 26, 2013 6:23 pm, edited 1 time in total.
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
You can put about:support in the location line and see if there's a reset button there which returns FF to default settings.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
Thanks guys for all the help, it seems that it was just a browser hijacker. Everything seems to work fine now, I hope nothing will show up later. I don't know which of the following has worked for me but I did almost everything recommended here in the order below:
- Opened Firefox
- Cleared cache, cookies and history
- Disabled Java plug-ins
- Changed FF settings to 'no proxy'
- Tried to move .mozilla/ folder to mozilla.save/ as per instruction (I don't know though if it actually moved, since I don't know how to check that)
- Installed ClamAv and ClamTk and scanned the system. No threats were found.
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
Consider browser add-ons (aka - "an ounce of prevention" ) >>>
NoScript - http://noscript.net/
WOT - http://www.mywot.com/en/aboutus
To check to see if the move worked, open your file manager. On the menubar click View > Show hidden files. You should see a folder called .mozilla.save (if the move worked).
The effect of the move is >>> Firefox saves everything (for each user) regarding the browser settings, history, cookies, etc. in a folder called ".mozilla". Firefox creates this folder the first time it is started for any user. If you move this folder to a different location (or rename it) and then open Firefox - Firefox looks for the folder .mozilla and if it doesn't find it, it will create a new one (using the default settings). The good news is that the new profile is not "infected"... the bad news is that the new profile doesn't have any of the bookmarks, useful cookies, history, etc. from the old profile. It's double edged - but it works...
You can also switch back and forth between the new profile and the old profile... to go back, rename .mozilla to .mozilla.new and then rename .mozilla.save to .mozilla - going back to the new profile is the same process in reverse (.mozilla > .mozilla.old then .mozilla.new > .mozilla). I have a tendency to use the extension .old when I rename things (helps me keep track of what's what) so I would call the original profile .mozilla.old. You can rename the folder from the command line (terminal) or through the file manager (GUI) - it's your choice.
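The move and the check described in the post above, as an added shell example that is not part of the original thread. The function names `quarantine_profile` and `list_proxy_prefs` are hypothetical, and the profile name and proxy host in the demo are constructed; the `lock` symlink and the `network.proxy.*` preferences are Firefox's own.

```sh
#!/bin/sh
# Added example, not from the thread. The home directory is a parameter so the
# functions can be tried on a scratch copy before touching a real account.

# Move <home>/.mozilla to <home>/.mozilla.save and confirm the result.
# Returns 0 on success, 1 if there is nothing to move, 2 if a saved copy
# already exists (it is never overwritten), 3 if a profile is still locked.
quarantine_profile() {
    src="$1/.mozilla"
    dst="$1/.mozilla.save"
    if [ ! -d "$src" ]; then echo "no $src to move" >&2; return 1; fi
    if [ -e "$dst" ]; then echo "$dst exists, not overwriting" >&2; return 2; fi
    # On Linux a running Firefox keeps a symlink named "lock" in its profile
    # directory; a crash can leave a stale one behind.
    if [ -n "$(find "$src" -name lock -type l 2>/dev/null)" ]; then
        echo "profile is locked, close Firefox first" >&2
        return 3
    fi
    mv "$src" "$dst" || return 1
    # The check amtex asked about: old name gone, saved folder present.
    [ ! -e "$src" ] && [ -d "$dst" ] && echo "moved to $dst"
}

# Print proxy preferences stored in a profile tree (prefs.js and user.js),
# the settings the thread suggests resetting to "No Proxy".
# Returns 0 if any were found, 1 if none.
list_proxy_prefs() {
    found=1
    for f in "$1"/firefox/*/prefs.js "$1"/firefox/*/user.js; do
        [ -f "$f" ] || continue
        if grep -H 'user_pref("network\.proxy\.' "$f"; then found=0; fi
    done
    return "$found"
}

# Constructed demo on a scratch directory; no real profile is touched.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.mozilla/firefox/abcd1234.default"
printf '%s\n' 'user_pref("network.proxy.type", 1);' \
    'user_pref("network.proxy.http", "proxy.example.invalid");' \
    > "$demo_home/.mozilla/firefox/abcd1234.default/prefs.js"
quarantine_profile "$demo_home"
list_proxy_prefs "$demo_home/.mozilla.save"
rm -rf "$demo_home"
```

On a real account the calls would be `quarantine_profile "$HOME"` followed by `list_proxy_prefs "$HOME/.mozilla.save"`; any proxy line printed from the saved profile is a setting the fresh profile no longer carries.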
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
Reorx, it actually moved. There is a .mozilla.save folder in there.
Thanks again.
Re: My LinuxMint was infected by FBI MoneyPak virus.. Need h
You're welcome... Enjoy the Mint!
P.S.: Don't forget to edit your thread title to include [solved]...
Re: LM was infected by FBI MoneyPak virus.. Need help! [SOLV
The FBI lock on Linux just locks down your browser session so you can't exit, search, change settings etc.. If you have your browser setup to not save anything you can just restart your computer..
Re: LM was infected by FBI MoneyPak virus.. Need help! [SOLV
OzoneDev wrote: The FBI lock on Linux just locks down your browser session so you can't exit, search, change settings etc.. If you have your browser setup to not save anything you can just restart your computer..
Thanks Ozonedev, will keep that in mind.