Dept. of Justice Lockout and Payment Demand

  • 13 November 2013
  • 8 replies
  • 44 views

Just got this ominous notice on my computer while scanning porn website - notice claims to be an official US Dept. of Justice notice that I have violated some federal statute by accessing website and that my computer has been locked down, pending payment of a $300 "fine" to this site.  Payment must be within 48 hours via MoneyPak (prepaid card) or I would face prosecution and my computer permanently disabled.  I cannot get control of my user site, but can switch users and utilize my computer.
 
Anybody familiar with this - is it legitimate? 


Userlevel 7
Badge +6
It's fake. Right-click the green (W) Webroot icon in the bottom-right of the screen > Save scan log.
Look at the last 50 lines and paste any that say "Monitoring" in a message here.
 
Or just open a ticket, explain your problem, and paste the last 50 lines into the support window. Trust me, they don't care where you've been; you're actually doing them a favor by letting them know about your problem.
https://www.webrootanywhere.com/servicewelcome.asp
Userlevel 7
Badge +56
Hello Tony808 and Welcome to the Webroot Community Forums!
 
Yes, it's fake. Do as expanoit suggested and submit a Support Ticket; they will look after you. Also have a look at this thread: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Please-Help-Concerned-About-FBI-MoneyPak-Virus/m-p/37996#M1714 and here: https://community.webroot.com/t5/Security-Industry-News/The-Evolution-of-FBI-MoneyPak/m-p/54702#M2150
 
HTH,
 
Daniel 😉
Posting the last 50 lines with "monitoring" from scan log.
Wed 2013-11-13 10:40:49.0732 Infection detected: c:\users\owner\appdata\local\temp\kumkrl [MD5: 631B7415B767D01A30614B1917B0B85A] [3/08080001] [W32.Rogue.Gen]
Wed 2013-11-13 10:40:49.0732 File blocked in realtime: c:\users\owner\appdata\local\temp\kumkrl [MD5: 631B7415B767D01A30614B1917B0B85A, Size: 184320 bytes] [134742017/00000003] [W32.Rogue.Gen]
Wed 2013-11-13 10:40:49.0742 File blocked in realtime: c:\users\owner\appdata\local\temp\kumkrl [MD5: 631B7415B767D01A30614B1917B0B85A, Size: 184320 bytes] [134742017/00000003] [W32.Rogue.Gen]
Wed 2013-11-13 10:40:50.0012 Infection detected: c:\users\owner\appdata\local\temp\kumkrl [MD5: 631B7415B767D01A30614B1917B0B85A] [3/08080001] [W32.Rogue.Gen]
Wed 2013-11-13 10:40:50.0012 File blocked in realtime: c:\users\owner\appdata\local\temp\kumkrl [MD5: 631B7415B767D01A30614B1917B0B85A, Size: 184320 bytes] [134742017/00000003] [W32.Rogue.Gen]
Wed 2013-11-13 10:40:50.0022 File blocked in realtime: c:\users\owner\appdata\local\temp\kumkrl [MD5: 631B7415B767D01A30614B1917B0B85A, Size: 184320 bytes] [134742017/00000003] [W32.Rogue.Gen]
Wed 2013-11-13 10:40:50.0626 Infection detected: c:\users\owner\appdata\local\temp\kumkrl [MD5: 631B7415B767D01A30614B1917B0B85A] [3/08080001] [W32.Rogue.Gen]
Wed 2013-11-13 10:40:50.0626 File blocked in realtime: c:\users\owner\appdata\local\temp\kumkrl [MD5: 631B7415B767D01A30614B1917B0B85A, Size: 184320 bytes] [134742017/00000003] [W32.Rogue.Gen]
Wed 2013-11-13 10:40:50.0636 File blocked in realtime: c:\users\owner\appdata\local\temp\kumkrl [MD5: 631B7415B767D01A30614B1917B0B85A, Size: 184320 bytes] [134742017/00000003] [W32.Rogue.Gen]
Wed 2013-11-13 10:40:50.0976 File blocked in realtime: c:\users\owner\appdata\local\temp\kumkrl [MD5: 631B7415B767D01A30614B1917B0B85A, Size: 184320 bytes] [134742017/00000003] [(null)]
Wed 2013-11-13 10:40:55.0485 Determination flags modified: c:\users\owner\appdata\local\temp\kumkrl - MD5: 631B7415B767D01A30614B1917B0B85A, Size: 184320 bytes, Flags: 00000020
Wed 2013-11-13 10:40:58.0248 Performing cleanup entry: 1
Wed 2013-11-13 10:40:59.0574 Scan Started:  [ID: 532 - Flags: 551/128]
Wed 2013-11-13 10:41:38.0102 Monitoring process c:\users\owner\appdata\local\temp\~tmp1391022918652614735.tmp [A87C6A29EEEC8033148FBABCE87A778B]. Type: 9 (23054)
Wed 2013-11-13 10:41:38.0180 Monitoring process c:\Users\Owner\AppData\Local\Temp\~tmp1391022918652614735.tmp [A87C6A29EEEC8033148FBABCE87A778B]. Type: 3 (23054)
Wed 2013-11-13 10:41:38.0180 Monitoring process c:\Users\Owner\AppData\Local\Temp\~tmp1391022918652614735.tmp [A87C6A29EEEC8033148FBABCE87A778B]. Type: 4 (23054)
Wed 2013-11-13 10:41:38.0180 Monitoring process c:\Users\Owner\AppData\Local\Temp\~tmp1391022918652614735.tmp [A87C6A29EEEC8033148FBABCE87A778B]. Type: 5 (23054)
Wed 2013-11-13 10:41:38.0180 Monitoring process c:\Users\Owner\AppData\Local\Temp\~tmp1391022918652614735.tmp [A87C6A29EEEC8033148FBABCE87A778B]. Type: 7 (23054)
Wed 2013-11-13 10:41:38.0195 Monitoring process c:\Users\Owner\AppData\Local\Temp\~tmp1391022918652614735.tmp [A87C6A29EEEC8033148FBABCE87A778B]. Type: 8 (23054)
Wed 2013-11-13 10:41:38.0195 Monitoring process c:\Users\Owner\AppData\Local\Temp\~tmp1391022918652614735.tmp [A87C6A29EEEC8033148FBABCE87A778B]. Type: 6 (23054)
Wed 2013-11-13 10:41:38.0570 Monitoring process C:\Users\Owner\AppData\Local\Temp\~tmp1391022918652614735.tmp [A87C6A29EEEC8033148FBABCE87A778B]. Type: 3 (23054)
Wed 2013-11-13 10:41:38.0570 Monitoring process C:\Users\Owner\AppData\Local\Temp\~tmp1391022918652614735.tmp [A87C6A29EEEC8033148FBABCE87A778B]. Type: 4 (23054)
Wed 2013-11-13 10:41:38.0570 Monitoring process C:\Users\Owner\AppData\Local\Temp\~tmp1391022918652614735.tmp [A87C6A29EEEC8033148FBABCE87A778B]. Type: 5 (23054)
Wed 2013-11-13 10:41:38.0570 Monitoring process C:\Users\Owner\AppData\Local\Temp\~tmp1391022918652614735.tmp [A87C6A29EEEC8033148FBABCE87A778B]. Type: 7 (23054)
Wed 2013-11-13 10:41:38.0570 Monitoring process C:\Users\Owner\AppData\Local\Temp\~tmp1391022918652614735.tmp [A87C6A29EEEC8033148FBABCE87A778B]. Type: 8 (23054)
Wed 2013-11-13 10:41:38.0570 Monitoring process C:\Users\Owner\AppData\Local\Temp\~tmp1391022918652614735.tmp [A87C6A29EEEC8033148FBABCE87A778B]. Type: 6 (23054)
Wed 2013-11-13 10:41:43.0125 Begin passive write scan (1 file(s))
Wed 2013-11-13 10:41:44.0217 End passive write scan (1 file(s))
Wed 2013-11-13 10:44:35.0179 Scan Results: Files Scanned: 37770, Duration: 3m 35s, Malicious Files: 0
Wed 2013-11-13 10:44:35.0225 Scan Finished: [ID: 532 - Seq: 2147000000]
Wed 2013-11-13 10:44:36.0349 Connected to A1
Wed 2013-11-13 10:47:03.0274 >>> Service started [v8.0.4.24]
Wed 2013-11-13 10:47:03.0290 Terminated abruptly in the last session
Wed 2013-11-13 10:47:21.0623 User process connected successfully from PID 780, Session 1
Wed 2013-11-13 10:47:29.0438 Connecting to 73 - 73
Wed 2013-11-13 10:47:31.0760 Monitoring process c:\users\owner\appdata\roaming\microsoft\windows\templates\dircxtx.exe [A87C6A29EEEC8033148FBABCE87A778B]. Type: 9 (23053)
Wed 2013-11-13 10:47:31.0770 Monitoring process C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Templates\DircxtX.exe [A87C6A29EEEC8033148FBABCE87A778B]. Type: 3 (23053)
Wed 2013-11-13 10:47:31.0770 Monitoring process C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Templates\DircxtX.exe [A87C6A29EEEC8033148FBABCE87A778B]. Type: 4 (23053)
Wed 2013-11-13 10:47:31.0770 Monitoring process C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Templates\DircxtX.exe [A87C6A29EEEC8033148FBABCE87A778B]. Type: 5 (23053)
Wed 2013-11-13 10:47:31.0770 Monitoring process C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Templates\DircxtX.exe [A87C6A29EEEC8033148FBABCE87A778B]. Type: 7 (23053)
Wed 2013-11-13 10:47:31.0770 Monitoring process C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Templates\DircxtX.exe [A87C6A29EEEC8033148FBABCE87A778B]. Type: 8 (23053)
Wed 2013-11-13 10:47:31.0780 Monitoring process C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Templates\DircxtX.exe [A87C6A29EEEC8033148FBABCE87A778B]. Type: 6 (23053)
Wed 2013-11-13 10:47:37.0920 Begin passive write scan (1 file(s))
Wed 2013-11-13 10:47:38.0466 End passive write scan (1 file(s))
Wed 2013-11-13 10:47:53.0411 Begin passive write scan (1 file(s))
Wed 2013-11-13 10:47:53.0785 End passive write scan (1 file(s))
Wed 2013-11-13 11:48:34.0632 User process connected successfully from PID 780, Session 2
Wed 2013-11-13 11:49:38.0718 Scan Started:  [ID: 532 - Flags: 551/0]
Wed 2013-11-13 11:53:08.0897 Connected to A1
Wed 2013-11-13 11:53:09.0256 Scan Results: Files Scanned: 37625, Duration: 3m 30s, Malicious Files: 0
Wed 2013-11-13 11:53:09.0303 Scan Finished: [ID: 532 - Seq: 2147000000]
Wed 2013-11-13 11:55:03.0214 User process connected successfully from PID 780, Session 4
Wed 2013-11-13 11:55:39.0324 Blocked process from accessing protected data: C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe [Type: 1]
Userlevel 7
Badge +6
If you can, go to http://virustotal.com and submit the following file. (You can just paste this into the box at the bottom of the dialogue that comes up when you select a file.)
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Templates\DircxtX.exe
Please paste the URL of the result webpage that comes up.
 
Open WSA > PC Security gear icon > Block/Allow Files >
Find "DircxtX.exe" in the list and click the "Block" circle.
 
Then go back to your other profile.
 
This is just a temporary thing until Webroot replies to your ticket.
Went to virustotal.com website and tried to paste C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Templates\DircxtX.exe on file name box, but got message that it is not correct path.
Did I miss a step here?
Userlevel 7
Badge +56
@ wrote:
Went to virustotal.com website and tried to paste C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Templates\DircxtX.exe on file name box, but got message that it is not correct path.
Did I miss a step here?
Just upload the file on VT from that Directory! C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Templates\DircxtX.exe
 
HTH,
 
Daniel
Sorry, real non-techie here, but how do I upload the file onto VT?  The only option seems to be "choosing a file", which opens up to my documents list, which has the scan log.  Do I need to get somewhere else on the computer to upload the file, or am I using the wrong file (Directory! C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Templates\DircxtX.exe)?
Userlevel 7
Badge +56
I checked the MD5 of both files on VT and came up with nothing so it's best to just contact support from the link above.
 
Thanks,
 
Daniel
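The two things the replies ask for, pulling the "Monitoring" and detection lines out of the tail of the scan log and checking a file's MD5 against what the log reported, can be done in one small script. The Python below is an added example for readers of this thread; it is not code from the poster, from Webroot, or from VirusTotal. The log lines it parses are constructed to match the format of the log pasted above, with placeholder paths and placeholder hashes rather than the poster's real files; the regular expressions are an assumption about the log format based only on the lines in this thread.

```python
"""Triage helper for a Webroot SecureAnywhere scan log (added example, not Webroot's code).

Reads the last N lines of a saved scan log, collects every file the engine either
detected or merely "monitored", groups them by MD5, and flags hashes that were
monitored but never detected (the case in this thread: the same hash first seen
as a .tmp under Temp, then as an .exe under Templates, with "Malicious Files: 0").
Hashing a local file lets you compare it with those log entries, or look the
hash up on VirusTotal when uploading the file itself is awkward.
"""
import hashlib
import re

# Constructed sample log in the format of the thread's log; paths and hashes are
# placeholders, not real indicators.
SAMPLE_LOG = (
    "Wed 2013-11-13 10:40:49.0732 Infection detected: c:\\users\\example\\appdata\\local\\temp\\sample1 [MD5: 0123456789ABCDEF0123456789ABCDEF] [3/08080001] [W32.Rogue.Gen]\n"
    "Wed 2013-11-13 10:40:49.0732 File blocked in realtime: c:\\users\\example\\appdata\\local\\temp\\sample1 [MD5: 0123456789ABCDEF0123456789ABCDEF, Size: 184320 bytes] [134742017/00000003] [W32.Rogue.Gen]\n"
    "Wed 2013-11-13 10:40:59.0574 Scan Started:  [ID: 532 - Flags: 551/128]\n"
    "Wed 2013-11-13 10:41:38.0102 Monitoring process c:\\users\\example\\appdata\\local\\temp\\~tmp0001.tmp [FEDCBA9876543210FEDCBA9876543210]. Type: 9 (23054)\n"
    "Wed 2013-11-13 10:41:38.0180 Monitoring process c:\\Users\\Example\\AppData\\Local\\Temp\\~tmp0001.tmp [FEDCBA9876543210FEDCBA9876543210]. Type: 3 (23054)\n"
    "Wed 2013-11-13 10:44:35.0179 Scan Results: Files Scanned: 37770, Duration: 3m 35s, Malicious Files: 0\n"
    "Wed 2013-11-13 10:47:31.0770 Monitoring process C:\\Users\\Example\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sample2.exe [FEDCBA9876543210FEDCBA9876543210]. Type: 3 (23053)\n"
)

# Assumed line shapes, derived from the lines quoted in this thread.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{4}-\d{2}-\d{2} [\d:.]+) (?P<msg>.*)$")
DETECT_RE = re.compile(
    r"^(?:Infection detected|File blocked in realtime): (?P<path>.+?) \[MD5: (?P<md5>[0-9A-F]{32})"
)
MONITOR_RE = re.compile(
    r"^Monitoring process (?P<path>.+?) \[(?P<md5>[0-9A-F]{32})\]\. Type: (?P<type>\d+)"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it is not a timestamped entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, msg = m.group("ts"), m.group("msg")
    d = DETECT_RE.match(msg)
    if d:
        return {"ts": ts, "kind": "detected", "path": d["path"], "md5": d["md5"]}
    d = MONITOR_RE.match(msg)
    if d:
        return {"ts": ts, "kind": "monitored", "path": d["path"], "md5": d["md5"],
                "type": int(d["type"])}
    return {"ts": ts, "kind": "other", "msg": msg}


def extract_indicators(log_text, last_n=50):
    """Group the last N lines by MD5: which paths each hash appeared under and
    whether the engine ever detected it (not just monitored it)."""
    by_hash = {}
    for raw in log_text.splitlines()[-last_n:]:
        ev = parse_line(raw)
        if not ev or ev["kind"] == "other":
            continue
        entry = by_hash.setdefault(ev["md5"], {"paths": set(), "detected": False,
                                               "monitored": False})
        entry["paths"].add(ev["path"].lower())  # NTFS paths are case-insensitive
        entry[ev["kind"]] = True
    return by_hash


def monitored_but_not_detected(by_hash):
    """Hashes worth a closer look: watched by the engine, but never classified."""
    return sorted(h for h, v in by_hash.items() if v["monitored"] and not v["detected"])


def md5_hex(data):
    """Upper-case MD5 hex digest, matching the log's own spelling of hashes."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def file_matches_log(path, by_hash):
    """True if the local file's MD5 is one the log reported."""
    return md5_of_file(path) in by_hash


if __name__ == "__main__":
    indicators = extract_indicators(SAMPLE_LOG)
    for md5, info in indicators.items():
        status = "detected" if info["detected"] else "monitored only"
        print(f"{md5}  {status}")
        for p in sorted(info["paths"]):
            print(f"    {p}")
    print("needs manual lookup:", monitored_but_not_detected(indicators))
```

Run it against a real saved log with `extract_indicators(open("scanlog.txt", encoding="utf-8", errors="replace").read())`. The grouping by hash is the useful part: the "Malicious Files: 0" scan result says nothing about a file the engine is still only monitoring, and one hash appearing under two different names in two directories is exactly the pattern the replies above are reacting to. When uploading the file to VirusTotal is not practical, `md5_of_file` gives the hash to search for instead, which is what the last reply did.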
