TorrentFreak


Malware Extorts Cash From BitTorrent Users

A new type of malware is riding the wave of file-sharing pre-settlement letters by infecting BitTorrent users’ machines and then demanding payments to make imaginary lawsuits go away. The ICPP Foundation tries to give the impression that it is affiliated with the RIAA and MPAA, but the whole thing is a scam to extort cash and harvest credit card details.

ICCP Foundation claims to be an international company operating out of Switzerland. They say they are “committed to promoting the cultural and economic benefits of copyright” while assisting their partners to fight “copyright theft around the world”.

In fact what they really do is operate a scam to extort money from BitTorrent users.

Right at this moment we are unsure of the exact route of infection, but somehow malware (probably delivered either as a fake file or as an attached virus) displays a “copyright violation alert” on the victim’s screen, locks it, and redirects the user to the ICPP site, where they are told they have been caught infringing copyright.

There they are warned their offenses could result in 5 years in prison and a $250,000 fine and are given the option to take the (fake) case to court. They are also offered a chance to make the whole thing go away for the payment of a ‘fine’ of around $400. Victims are also prompted to give their name, address and full credit card details – it is unclear how this information is further abused but it doesn’t look good.

If they select the court option, they are frightened with this screen:

So that this evil software (believed to be located at C:\Documents and Settings\Administrator\Application Data\IQManager\iqmanager.exe) targets BitTorrent users rather than just random users, it appears to scan the user’s hard drive for .torrent files and display these as ‘evidence’ of an earlier infringement.

In order to boost its credibility, icpp-online.com claims to be affiliated with influential partners – the RIAA, MPAA, and The Copyright Alliance. Of course, this is a complete fabrication.

This whole approach seems very similar to that employed by so-called ‘rogue software’ or ‘scareware’, which attempts to frighten users into parting with cash for often useless software. And it seems the links to malware don’t stop there.

A WHOIS on the ICPP-Online domain reveals some contact data which shows up elsewhere in connection to other questionable activities.

Details on this new threat are scarce at the moment, so if any readers can discover more about this malware or the operation behind it, please collate the information and send it over to tips@torrentfreak.com.


  • Zachary D.

    It is honestly too bad that people can actually fall for these without first performing research, but it does work.

    People who exploit natural human thinking patterns through social engineering for purposes such as this deserve what’s coming to them in my opinion.

    -Zachary

  • Anonymous

    Wait till you see web browser pop-ups that do the same thing in a few months. Then it will get bad.

  • layerbakes

    eradicate it with anti-scareware!!

  • Anonymous

    Wait until you see these in popup form. Then it will get bad.

  • k

    don’t miss my windoze machine at all…

  • Bertus

    Maybe it’s a good idea to add removal instructions to the article :)

  • Desmond

    Just a thought but do the creators get caught and tried? If they receive any $ shouldn’t it actually go to the copyright holder?

    Wheres the money going… (I’ll leave it at that)

  • politux

    Uhhh use Linux?

  • Freeleech
  • Scumbags

    Well, it’s not just that. Once they’ve got the credit card details they’ll leech everything out of the account. Scumbags. Well, it serves people right for A: Not having decent virus protection and B: Being retarded enough not to google.

  • Anonymous

    only a moron would fall for it. of course they know there are thousands out there.

  • Eric

    Just as valid as the claims from actual Law Firms

    All nonsense

  • lolz

    good thing :D

  • Canuck

    Just do research and you’ll never fall for these scams. This is similar to that stupid Anti-Virus 20** scams that scare you into registering and paying cash. Look it up and you’ll be fine.

  • Anonymous

    The worst part is the RIAA will probably follow this idea

  • ROLF

    yeah, ubuntu.com :))

    .exe, what’s that ? :)

  • *D

    LMAO at the “copyright protection organization fee for the use of software tracking illegal file DLs”
    statement part

    and it seems they also accept credit too lol

  • politux

    .exe is short for “executes a virus”

  • Phoenix

    go linux idiots

  • duane

    “Windows has detected that you are using content that was downloaded in violation of the copyright of its respective owners.”

    LOL.. people fall for this sort of thing?? :D

  • Anonymous

    i nearly paid it! how do i get it off my computer? thanks

  • ummm

    I suggest you people learn how to operate and maintain a computer before starting to torrent.

  • RIAAtarded

    A: stop using windows, windows is that opening in the side of your house holding the air conditioner.

    B: someone needs to chase after them. Virus writers have been chased down and sentenced to jail time malware fits right in the same category. Unknowingly infecting a PC for the purpose of extorting money is a crime. Not to mention courts require warrants to wiretap or monitor someone why would this be any different.

  • :)

    How do you get rid of it?

  • politux

    You get rid of it by reformatting your hard drive and installing Linux.

  • :)

    does that get rid of everything on my computer? :( and what’s linux? sorry i’m not good with computers

  • kataanglover1

    @27
    me thinks you should listen to #23.

    Great! Now it’s not just not companies like mpaa and the like who want our money!

  • Anonymous

    i too have this virus, all of the processes on “task manager” have .exe on the end, what does that mean?

  • just format

    all you have to do is format your pc and reinstall windows, and linux is for more advanced users, don’t install that unless you know what you’re doing.

  • deleted

    the thing is i don’t even know what a torrent is @28, so yannno, not too sure how it’s on here, maybe off the internet?

  • deleted

    wait how do you reinstall windows, @g30?

  • kataanglover1

    Just format your hard drive and start fresh. Install windows if you feel n00bish and install linux if you never want to have these problems again.

    @ 31
    newfag.

  • deleted

    the problem is there are pictures on my hard drive i can’t lose :/

  • kataanglover1

    @34
    flash drive or external hard drive.

  • deleted

    the one in the computer?

  • Anonymous

    oh no, please don’t passes my info to court.

  • Stoned

    You guys must understand this is malware, it can affect everyone… and this article might bring infected people who googled for this here… Don’t be harsh on these people.

    Just try to run your anti-virus to try getting rid of it… Or any anti spyware-malware software… There must be some free one who can do the job…

  • Anonymous

    “Windows has detected that you are using content that was downloaded in violation of the copyright of its respective owners.”

    Of course this is Windows from the evil Microsoft corporation! Deuce!

    (Who are really evil by the way)

    Or

    OUCH! My computer was attacking me so I threw him through the window to teach him a lesson! Voila!

    LOL!

  • kataanglover1

    @36

    what does external mean? outside. so that means a hard drive that is located outside your computer

  • Milliways

    if you can download, give malwarebytes a go at the infected computer, usually good at what it does and free to use for on demand scans
    http://www.malwarebytes.org

  • droidberry

    The whole thing looks pretty real until you get to the broken English. Its always the easiest tell of a noob scammer. Retards over there think English translators work good enough. Unfortunately their somewhat right as I’m sure they have morons paying. But if your that stupid you deserve it. I don’t blame these guys one bit and I actually envy them.

    If you don’t bother to use your brain, don’t get on a computer.

  • kataanglover1

    @delete

    you sound like an oldfag screwing around with us

  • deleted

    no i’m actually 19, i need to keep some pictures because they’re of a family member who recently passed away and there are no copies of them, if you’re not gunna help me then just don’t write on this.

  • The Mysterons

    Yes go ahead and install Linux if you feel windows is too straightforward to use and you would prefer an OS written by Trekkies! :)

  • fail.

    @deleted

    if you dont even know what an external HD or flashdrive is then call the techies (lol) and let them rip you off if the pictures are so important.

    btw the lesson to learn here is to keep external backups of important files

  • deleted

    okkayy i think i will take it tommorow how much will it costtt?

  • kataanglover1

    @everyone but delete who understands computers

    just let the newfag waste his money

  • Jay

    torrent pc is ubuntu

    path not found……

    fail :)

    ubuntu install cd is bootable, to try before use, got win7 for games and photos

    backups of photos to DVD really helps, make sure to finalize the CD

  • lol

    Isnt it just a horrible feeling when people wanna rip ya off to get something of yours for free!

  • Anonymous

    @45

    First you might be able to get rid of this malware without reformatting your HD.

    Reformatting your HD is your last resort.

    But first secure your personal data.

    1) Get some blank CD or better DVD.

    2) Gather all the stuff you want to keep including pictures, music, video, school homework, presentations and so forth into a folder you create on your HD and copy all your pics onto the blank CD/DVD using your favorite CD/DVD burning software.

    3) Make sure you can read the CD and get back the pics when it is done. You might need more than one disk. You can put 700meg on a CD and about 4.3 meg for a regular single layer DVD, the single layer DVD being the most cost efficient for now.

    Alternatively you could get yourself an USB memory stick and move all your personal files on it.

    This is only a rough draft of what you need to do. If you are really not familiar with that, I suggest you get someone to help you with this who knows what he or she is doing. There are plenty around.

    And don’t listen to all these smart alecks who try to make fun of you. They just succeeded in looking like a pack of fools and mean-heads!

  • Anonymous

    kataanglover1 how about you, stop commenting not everyone understands computers.

  • Anonymous

    “okkayy i think i will take it tommorow how much will it costtt?”

    I am sure you can find someone to help you for free. This is not a big deal!

  • lol

    @delete

    This is not a tech support forum, take it elsewhere.

  • hahaha

    As the old con man saying goes..

    Fools and their money SHOULD be parted…

  • politux

    @droidberry

    Funny how you comment on broken English and then mistake “your” for “you’re”

  • fail.

    @deleted

    try using the fucking phonebook or the internet to find a computer repair place in your area.

    seriously mate use some common sense

  • Dan

    Please, everyone, call up their ‘partners’ here; http://icpp-online.com/partners.html
    and ask if the RIAA, the CA, and the MPAA are seriously involved with this malware producing organization. They need to make a public statement separating themselves from the ICCP.

  • war59312

    @deleted If you are serious, send me an email and I will help you out.

  • Amazed

    wow.. just wow
    some people just should not be using computers in this modern world!?

    In the “warning message” it uses the term “passes” instead of “passed”.

    Blatantly obvious give-away to anyone with any sort of interpretation of the english language.

    @deleted
    good luck with teh puterz

  • hmm

    If you want to catch him, just follow the money. He can’t hide from getting paid.

  • I had a bit of a lol

    @47

    Umm.. You kind of should
    try to gain a better
    understanding of computers then!

    This website for one is epic..
    If you can’t follow most articles
    on here I feel sorry for you..

  • =/

    Email abuse@yahoo.com and tell them about this site and that this ovenersbox guy is a fraud. Having his account deactivated is a good start.

  • Hans pandacunt

    @30 Yeah, good luck with having to run wine or dual boot with windows when you actually want to play a decent game.

    Back to 4chan, newfag cancer.

  • lol

    Check out what the author did and how he worded it:

    ‘If you are sure that you can’t have download that content to your pc or there was nothing you could do to avoid it, press “pass the case to court” button and pass the case to court.’

    It even makes mention of a “Solve” button when there isn’t one. Great job, losers!

  • Bubbles

    Some of the comments here are depressing. There are people right in the thick of it here who are desperate to get some help. Yes, it’s targeted at windows users because of some problems with that operating system.

    The fix:

    People who have this malware should boot up in safe mode and copy any vital data to a flash / pen drive.
    Put your windows CD in the drive then switch off your computer for 10 minutes.
    Switch back on and install windows.
    After the install perform an update.
    Don’t go surfing unless you have updated and rebooted.

    Your first download should be AN Other browser. I wouldn’t recommend IE to be honest. Firefox is a little safer but there are other browsers which are not targeted as much. NEVER run an executable file from an untrusted source. NEVER run a Windows CD from an untrusted source. If you would like to use Linux then you can download it for free and try it. I would recommend Ubuntu because it seems to be one of the easiest if you don’t have much computer experience. If it all goes terribly wrong for you, you can install windows following the steps above.

    No Windows or Linux haters please. I’m just trying to help.

    Oh and apologies for the tech support … I know its not a tech support forum :-)

  • Bob

    So my research says “anti-piracy movement funding terrorist organization”

  • neostyles

    LOL @ “anti piracy scanner.” At first glance, this piece of malware looks pretty convincing but when you read the explanation, it’s hard to take it seriously, especially “..windows has detected.” Last time I checked windows doesn’t have a scanner to detect copyrighted content.

  • Bryan

    @everyone calling people newfag, oldfag, etc.

    4chan is stupid :)

  • Non

    Try spybot search and destroy for spyware and prevx and good antivirus is avira

  • Anonymous

    “newfag”

    what exactly is that supposed to mean anyways or is it just some childish insult from 4chan?

  • Anonymous

    @58 formatting is almost the ultimate cure-all but excessive, it’s the equivalent of killing an ant by smashing a planet into it. rather learn how to maintain your computer and, if it crashes and burns, how to fix it first at least.

    @37 i agree malwarebytes is good but it might not have the definitions yet

    now for the scumware….

    bit defender may get rid of this, i believe they are aware of it. for those that want the scan and nuke option then try here..

    http://www.bitdefender.com/PRODUCT-14-en–BitDefender-Free-Edition.html

    it’s a bit heavy on resources and is notorious for false positives, but it is also very good at finding Trojans.
    not one for your main scanner, rather install, scan, clean, remove/disable (in registry and services). good for a once-over every so often.

    if not, i managed to get Google to cough this up. how accurate remains to be seen, i’m not infected so i can’t verify.

    http://www.threatexpert.com/report.aspx?md5=d4b12487470460653459a54769e974e2

    shut down and restart
    win 7/vista users actually restart… not just hit the power button; in your start menu, which usually is a sleep, click the arrow beside it and choose restart

    just before windows starts (usually just after it says verifying dmi pool data) pound the f8 key into oblivion

    and choose safe mode
    hit yes i want to boot into windows to the system restore question if asked (your restore points are most likely already infested)

    first off hit ctrl + alt + del
    if presented the option, open task manager, click on processes and select iqmanager.exe and end the process (unlikely to be there for a run entry but would like to know if it is; that means i will have missed something.)

    then click on file, new task, type in or cut and paste:

    %windir%\system32\restore\restui.exe

    and create a restore point (backup just in case, if it works will flush later)

    if file isn’t there, double click on the grey bar at the top, then it should appear (for those wondering, double click on the line in between the tabs and file)

    then go back to task manager click on file, new task, type in regedit

    be careful in here, if you delete the wrong thing (which consists of almost everything), if it doesn’t render your computer unusable it can give you an immeasurable amount of bugs and crashes to plague you until your next reinstall.

    navigate to and delete this following key (folder)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IQManager

    delete ONLY! the following values inside these keys (if the keys were folders, then using the same analogy the values would be the files, as it were.)

    in:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    delete:
    iqmanager.exe = “%AppData%\IQManager\iqmanager.exe silent”

    in:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    delete:
    Shell = “%AppData%\IQManager\iqmanager.exe”

    now to delete the files
    go back to task manager, run, type in
    %appdata%

    delete the iqmanager directory

    then restart the computer and start windows normally
    if you are satisfied that it has worked and the infestation is gone,

    then for xp/2k/2k3/me/nt
    right click on my computer, go to properties, system restore, tick turn off system restore, click ok

    wait for the computer to settle, if you’re not sure go have a coffee break for 10mins or so

    then go back and re enable it
    then go to ctrl + alt + del, file, run %windir%\system32\restore\restui.exe
    and create a fresh clean one

    if your computer blows up or goes haywire or you deleted something wrong in the registry, go back into safe mode and click no i don’t want safe mode, use system restore and try again (you will be infested again but back to the start)

    if it boots but is a cockroach and just doesn’t want to die then post back here or on the forums, i’ll dig deeper

    if it does work let me know so i dont have to check back as often and can do other things.
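
An added example (not the commenter’s or TorrentFreak’s code): a small Python checker that parses a registry export in `reg export` (.reg) format and flags the persistence entries described in this thread, namely a Run value launching iqmanager.exe, a Winlogon Shell value that points at anything other than explorer.exe (checked in both HKCU and HKLM), and the Uninstall\IQManager key. The .reg text inside is constructed for the demo, not a real capture.

```python
"""Check a Windows registry export for the IQManager persistence entries.

Added example for this thread (not the commenter's or TorrentFreak's code).
It parses text in the `reg export` (.reg) format and flags three things the
thread describes: a Run value that launches iqmanager.exe, a Winlogon Shell
value pointing at anything other than explorer.exe (checked in both HKCU and
HKLM), and the Uninstall\\IQManager key.  SAMPLE_REG is a constructed export,
not a real capture.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in .reg syntax (backslashes are doubled, as reg export
# writes them): one benign Run entry plus the entries listed in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe /background"
"iqmanager.exe"="%AppData%\\IQManager\\iqmanager.exe silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="%AppData%\\IQManager\\iqmanager.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IQManager]
"DisplayName"="IQManager"
'''

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
WINLOGON_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)
UNINSTALL_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IQManager"
)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

Registry = Dict[str, Dict[str, str]]
Finding = Tuple[str, str, str, str]  # (kind, key path, value name, data)


def parse_reg(text: str) -> Registry:
    """Parse .reg text into {key path (lower-cased): {value name: data}}.

    Only REG_SZ values ("name"="data") are unescaped, which is all the
    thread's indicators need; other value types are kept as raw text.
    """
    keys: Registry = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name = value_match.group(1)
            name = "@" if name is None else name
            data = value_match.group(2)
            if data.startswith('"') and data.endswith('"'):
                # Undo reg export escaping: \\ becomes \ and \" becomes "
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_indicators(reg: Registry) -> List[Finding]:
    """Return the IQManager persistence entries present in the parsed export."""
    findings: List[Finding] = []
    for key in RUN_KEYS:
        for name, data in reg.get(key.lower(), {}).items():
            if "iqmanager" in name.lower() or "iqmanager" in data.lower():
                findings.append(("run", key, name, data))
    for key in WINLOGON_KEYS:
        values = reg.get(key.lower(), {})
        # Value names are case-insensitive in the registry, so match loosely.
        shell = next((d for n, d in values.items() if n.lower() == "shell"), None)
        # explorer.exe is the stock shell; anything else deserves a look
        # (a deliberately customised shell will also show up here).
        if shell is not None and shell.strip().lower() != "explorer.exe":
            findings.append(("shell", key, "Shell", shell))
    if UNINSTALL_KEY.lower() in reg:
        findings.append(("uninstall", UNINSTALL_KEY, "", ""))
    return findings


def scan_reg_text(text: str) -> List[Finding]:
    """Parse and check in one call."""
    return find_indicators(parse_reg(text))


if __name__ == "__main__":
    for kind, key, name, data in scan_reg_text(SAMPLE_REG):
        print(f"[{kind}] {key}\\{name} = {data!r}")
```

On a live machine the export to feed it comes from `reg export` of the Run and Winlogon keys; a Shell value other than explorer.exe is the same condition Sean describes fixing later in the thread.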

  • meh

    forgot to add how to delete the restore points for windows 7/vista

    in your start menu (that windows button on the bottom left) search for disk cleanup, and choose system restore to be deleted as well

    then go to ctrl + alt + del, task manager, file, run %windir%\system32\restore\restui.exe
    and create a fresh clean one

    i was thinking of a2 when talking about good at Trojans, which is also heavy on the system and also false-positive happy. bit defender is heavy but nothing spectacular, and false-positive happy, but might be first off the bat to nail this one

  • Darth_yoda

    If anyone gets this virus then upload it to http://www.virustotal.com to see the anti-virus coverage.

  • meh

    also if it blew up and you can’t even get to safe mode, then f8 at boot, then go restore last known good configuration, then restart, then safe mode, no i want to use system restore, then try again.

  • Chemical

    Just advice for those who follow 63/64’s advice: Just be careful! It is, of course, stated in the “guide” above to be very sure of what you are deleting, but to reiterate, BE CAREFUL.

    It’s like taking bits out of the engine of your car – Sure, if you follow the instructions to the letter you should be fine, but if you remove the wrong thing, you’ll stuff things up.

    That said, that is (as far as I can tell) the best method to remove this besides re-formatting your hard-drive. Re-formatting, of course, removes everything on your hard-drive – Not just the virus, but all your photos, games, work, financial records that you might keep on your computer – Everything.

    All said and done, though, this is a perfect example of why people need to keep backups!

    @63/64: Nice work on that.

  • Meh

    uhhh sum dude at that place told me to use lunix to fight the powa

  • toomuchstupid

    An armed SWAT team in full tactical gear swooping through the windows couldn’t get me to part with my cash if I knew it would end up going to the MAFIAA… I would burn it all laughing maniacally. Even if this was legit, they’d have a better chance of colonizing Mars as getting me to pay them over a copyright lawsuit.

    ICCP: Because morons exist, and they don’t need their monies.

  • Panic

    No!!! its DRM v 2.0, pay and you’ll be fine.

  • Cujo

    i get so many sending me crap issues like this, i always say the same thing, google is ur friend ;)

  • Unauthorized Content Consumer

    I predicted months ago at THIS web site that such scammers will eventually pop up.

    I’m glad the scammers are here reading my predictions and that I’m giving them ideas. Perhaps they’ll help drive more nails in to the RIAA/MPAA copyright law coffins.

  • Ninja

    Heh, as Unauthorized Content Consumer said, I was wondering why such a thing wasn’t exploited before with those gold mine ACS-like schemes so popular around the world.

    Well, they are essentially doing the same thing, extorting money from people. Except that one of them is “official blackmail” and the other is just a malware. LOL

  • Anonymous

    @67 thanks!

    i’m not entirely sure that this will kill it though, there may be a secondary and more sinister infection because threat expert did report that it does open up a connection to the net. this may just be the pay-me-or-else that it displays, considering it’s port 80 it’s feasible.

    i’d like to do more digging to make sure this one gets well and truly nuked before it gets off the ground

    information is scarce, hklm\…\run can and has been a red herring because it’s the most obvious

    i’ll be on the forums whenever tf feels like sending me out the activation email….

    @72 the idea is not to give them ideas, it just spawns more misery for the masses thus one picks their words carefully when providing solutions/ideas

  • justmy2cents

    for first time linux user, linux mint is probably the one to use/try since it looks more like windoze than ubuntu does. just my 2 cents

  • Anonymous

    The extortionist only send out their letters. Communication using a windoze software is just dumb

  • Anon

    Oh hai!
    I has .url links to rapidshare downloads, does that equal copyright infringement? >_<

  • Sean

    To all those attempting to actually help solve the problem, thank you.

    To everyone hating on people who are simply trying to find answers to politely asked questions…

    Get. A. Life.

    Maybe if you’d gotten laid in the last 3 years you wouldn’t be so full of hate…

    Cheers

  • Anonymous

    lmao. So easy to remove without reformatting. Just boot the Ubuntu Live CD, find the executable, delete it, then boot back into Windows. Problem solved.

  • zenith

    Ha, ha… At all these people calling the guy who had his computer affected by this malware a noob/newfag. Formatting the drive and reinstalling everything is precisely what a noob would do. How ironic…

  • Anonymous

    I’m glad I don’t really download via bittorrent anymore, anyone dumb enough to fall for this should know that ISPs usually send e-mails, not popups concerning downloading copyrighted material via filesharing, fortunately, I just use megaupload and that sort of thing, but I usually just watch legal streams on YouTube or Hulu.

  • Zits

    I use Windows for messing with video, Linux for grabbing the ‘raw’ Torrents, and aMule. Nothing goes near Windows without a virus and a nasty-ware scan. And for freak’s sake, when you download a program from a Torrent, read the comments from the downloaders who went before you. They know if you’re downloading something dodgy or not. Let the swarm protect you. Demonoid generally has a good swarm. If you find something nasty, protect the swarm and leave a nastygram in the comments.

  • News

    Leading UK ISP Says It Will Defy Government’s Net Censorship Bill

    http://www.infowars.net/articles/april2010/090410ISP.htm

  • fsah

    ya, stop using windows, cut yourself off from 90% of the computer software market, that would be fun, it is fun to compile your own drivers and software to run with your “release”. Jesus, I understand this stuff, so do you, but my time is worth more money than compiling my own software, I’m sorry that yours isn’t. Enjoy your “pride”, I will enjoy my free time (oh, and getting laid).

  • Unreasoned Mind

    “newfag” is a childish insult that most internet teenies use because they like to feel a sense of exclusivity. Don’t take it personally because it is most definitely a form of trolling.

  • ciappi

    LOL, i wish it happened to mr Maroni, minister of the italian government ^^

    http://www.unita.it/news/italia/97244/maroni_pirata_informatico_scaricare_musica_non_illegale

  • jmh

    @fsah, You seem woefully misinformed about Linux systems. You only compile if you want to. GNU/Linux has actually changed in the last decade, you know.

  • Meh

    @fsah

    wtf has getting laid got to do with the type of OS you use. jesus you must be a 12yr old to slip that line in at the end as if to try and make yourself look ‘cool’ – try googling and actually taking a look at a *nix system, it’s changed a lot since the old days. LEARN2RESEARCH troll.

    back on topic…

    i think it’s disgusting that people get away with scams like this.. i wouldn’t be surprised if they start getting DDoS’d – they sure deserve it!

  • Jhon Deo

    The text on the ICCP home page is copied from the ACS:law home page. So ACS:law can sue ICCP for copyright infringement. lol

  • MD3

    “WINDOWS has detected that you are using…”

    “Choose an action: Pass the case to court / Settle case in pre-trial order”

    That has got to be the FUNNIEST SHIT I’ve seen in a while!

    It’s like 21st century lawsuit! You choose how to be screwed! Could even use a wizard to help in the process?

    What about a third option: Go fuck yourself you dirty opportunist!

    Must have come from the same bandwagon that rented ads to send via the dreaded internal ‘messenger’ windows service. “Your PC has a problem, go to xxx to fix!”

  • TKian

    well it’s easy to arrest the guy, because when someone sends money through online banking then the address of the receiver will be clearly mentioned in the transaction.

    TKian@
    t0rrentkit.c0m

  • commodianus

    Solution: Linux

  • Typo ftw

    So, are they ICCP or ICPP? They don’t seem so sure themselves.

  • dkong

    What a retard xD All fear of their info being “passes” to the court xD

    This guy must also be a kontribhuthor to lolcats xD

  • @ 55 politux

    A simple misspelling does not qualify as broken English. Please refrain from pointlessly posting and further embarrassing yourself.

  • anti-execute

    Yet another reason to protect your system with an executable whitelisting product.

  • HasABrain

    Just so you know, it’s also being passed via facebook ads as well. A number of computers on our network at work are infected with this very problem and we are working on eliminating it. Malwarebytes DOES work to an extent, but it doesn’t entirely fix the registry problems. Any advice would be appreciated.

    Also, stop hating on people looking for help. You make IT people like me look bad. We’re not all jerks. I would like to say most of us like to help, not put down end users. I’m ashamed to be associated with the acid-tongued users posting on this page.

    Oh, and another thing, Linux isn’t always an option for everyone, so quit being so smug about it.

  • Scout

    To get rid of this try running rkill: http://www.technibble.com/rkill-repair-tool-of-the-week/, which stops the bad stuff that is running on your computer and then run malwarebytes: http://www.malwarebytes.org/, which will clean it up and remove it.

    It’s easy, it’s free, and it will probably work.

  • Anonymous

    Is it only for Windows OS`s?

  • Sean

    Hey guys,

    I’ve managed to get back to my desktop. I ran rkill to terminate iqmanager, then downloaded and ran malwarebytes, doing a full scan. I then ran regedit and changed hkey_current_user/software/microsoft/windowsNT/currentversion/winlogon shell from iqmanager.exe back to c:\windows\explorer.exe.

    I am no computer guru, but this seems to have worked for me.

  • HasABrain

    I have also found a fix. Once I corrupted the iqmanager file and the files within it, I was able to remove them and restart. Just to be safe I did a system rollback once everything was up and running, re-ran malwarebytes and system appears to be clean.

  • THANKS

    Thanks to everyone who posted advice! There ARE people willing to help even in the TF comments (well, its not youtube, but still…). Anyways, thanks alot! And everyone with a botnet should consider reallocating their DDoS resources…

  • bert

    @108 & all do that!
    great work on picking that one up, my bad i missed it.

    @109 that is surprising, and a little hard to believe, it’s become pretty much standard practice for scumware to infect system restore or a system rollback, that is unless you are using win7 and had a dvd image set to fall back on

    i assumed the winlogon already had explorer.exe in there rather than in there not, not that the iq manager replaced it

    being a long time user of autoruns (well before he was headhunted by windows and now works on their kernel, and yes the same guy that discovered and exposed drm!)

    but in that it lists the shell value in
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

    have never had to go modify that registry key so never needed to go into the registry and notice the difference, i didn’t realise that it was in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

    had i a sample and my instructions not worked, the first thing i would have hit it with would have been autoruns and then i would have picked up on it

    this knowledge now raises the scumware coders’ skill by several dozen orders of magnitude, what’s done there has paved the way for a significant potential of mayhem unleashed upon infested systems

    if done right it can counter most antivirus programs

    ill put the revised instuctions on the forums here
    http://www.p2pfreak.com/forum/p2p-news/4004-malware-extorts-cash-bittorrent-users.html

    fist off dont play with autoruns unless with extreeme care. it dosent find whats good or bad ect like a tradional antivirus rather that its just a diagnostic tool and tells you whats there not whats good or bad, so dont ffs untick everything! same aplys to gmer, hyjackthis ice sword ect…

    explorer.exe in short is everything that most people reconise as thier computer it controls among other thigs the gui (grapical user interface) so your desktop, your icons, your bacground my computer…

    the fact that iqmanager uses a pre hacked one or loads beforehand and then sinks its teath into it gives it the potential if coded right to render most virus scanners impotent and usless simply by being able to hide from them it all depends on the skill and effort put into its creation

    after killing files registry keys and fixing explorer.exe could someone upload a log from autoruns and gmer, and hyjackthis on the forums ill read though and check is clean if not it will let me sniff out any further signs of infection.

  • bert

    Also run sigverif (Start, Run) or Ctrl-Alt-Del, Task Manager, File, Run

    and upload that as well

  • bert

    Gmail puts the activation link for TorrentFreak in the spam box…. TF, you may want to clear that up!

  • Micheal Borean

    My brother got hit by this earlier. I was rather amused, because it seemed legitimate, until I saw that it was complaining about his Naruto torrents, and a torrent for music that isn't sold.

    This came up a day after my brother installed Azureus, McAfee, and Norton. I believe it found a back door somewhere there. Windows 7, Home edition.

  • Matt

    You need to uninstall/remove this: C:\Documents and Settings\Administrator\Application Data\IQManager\iqmanager.exe

    Then remove the startup entry (Start – Run – msconfig) or use a tool like HiJackThis/CCleaner

    I found it on a client machine and it was easy to clean.

  • bert

    @114
    Damn, well unless you want your computer to act like a relic from the dark ages I would not install that, or if you have, uninstall!

    For starters, never run 2 antivirus at the same time, or they will each scan what the other opens and scans and in short will sit there and munch away and achieve nothing, that is unless you keep one disabled.

    Also, why would you install such an ugly resource-hungry pig as Norton's?
    Sure there are a lot of people out there that like it, but facts speak for themselves; look at the professional testers' comparisons if need be. It's useless, it always leaves behind tendrils if it can remove anything at all.

    Sure, once upon a time Norton's WAS good, but that was a long long time ago and pre-XP.

    So now you have your old school fan boys and now the rather large bribes they place to get the product pre-installed and the good business deals. Just because it's cheaper doesn't mean it's any good.

    And McAfee, that's a laugh; there is an urban myth going round that the evil queen herself was sprung writing viruses and releasing them so that her scanner will pick them up first to improve stats and sales.
    I tried finding a link but apart from some very embarrassing stuff-ups I gave up shortly; Google is too powerful for its own good sometimes.

    If you want a good firewall use Comodo or Kaspersky.
    If you want a good antivirus try Avast or AVG, being the current most popular flavours of the last few years.

    VirusTotal, if you have a sample, or ThreatExpert are great to upload to and see what's happening or what will clean it off.

    @115 except that Shell now no longer knows what to load. Restart and it may not work (unless Windows is intelligent enough to revert back to default).

    Thus it is necessary to fix up the load point of explorer.exe

    in:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    edit:
    Shell = "%AppData%\IQManager\iqmanager.exe"

    to:
    Shell = "c:\windows\explorer.exe"

    and of course all the other tendrils left behind; follow the guide here
    http://www.p2pfreak.com/forum/p2p-news/4004-malware-extorts-cash-bittorrent-users.html

  • bert
  • nonono

    Norton is the worst piece of crap resource pig/hog computer crashing piece of asswipe ever.

  • Eylix

    If it simply scans the victim's computer for .torrents, what if they have downloaded obviously legit stuff like 'nix distros?

  • Anonymous

    @droidberry

    Yeah, YOUR lucky someone taught you english real GOOD over THEIR. Retard, indeed.

  • curse

    Interesting case..
    While reading this thread, I really start to hate those ewwwbuntu users more; "format HDD and install ewwwbuntu" ain't the way to give a helpful response to someone in need, you're almost as bad as the malware makers (lol at using Linux without root password, n00bs). On Windows, always make sure you've got an updated anti-virus program and that Windows is updated; it takes care of most crap. When the anti-virus manufacturers hear about this, it will be fixed. If not, complain to them: "I pay for your program and still don't get rid of this virus".
    Seems like BitDefender takes it.

    Remove iqmanager.exe instructions:

    1. Temporarily disable System Restore;
    2. Reboot computer in Safe Mode;
    3. Delete iqmanager.exe virus files and kill the iqmanager.exe task process (if present);
    4. Delete/modify any values added to the registry by iqmanager.exe;
    5. Delete IE temp files, restart the computer and run a whole scan with BitDefender.

    iqmanager.exe virus files as following:

  • bert

    Indeed, Crap Cleaner will nuke the temporary files easily, and most other things.

    But I'd still want a look at GMER/Autoruns/HijackThis logs; it is a basic rootkit after all, there could be secondary infections.

    http://download.cnet.com/CCleaner/3000-2144_4-10547048.html

    Even if sent in a PM.

  • Whatever

    @All trying to give advice… which is fine and helps people with problems, however "deleted" (@30) is 99 percent certainly faking it. The following text gives it away, as this site is called "Torrentfreak": "the thing is i dont even know what a torrent is @28"

    And how does someone clueless about everything (like a flash drive) know how to comment with a nickname (called "deleted")? Next, it doesn't make sense telling someone how to put all important stuff in one folder and burn it on CD/DVD if they don't know how to use the computer.

    Finally, never send anyone to just any computer repair place if data is to be saved. Almost all of them will just say the data is lost and format the hard drive anyway (to avoid working, or clueless themselves). It's better to first search for a computer repair place that will actually make a real attempt to rescue the data. So I suggest adding a warning about this when giving that advice.

    (yes, i know, wrong forum)

  • yes yes yes

    Thank God. I saw this on my computer and got really nervous. I was hoping it was a scam although I thought it was a small chance. Fortunately my research proves me right

  • Pingback: Virusi care cer Bani – atac asupra utilizatorilor BitTorrent

  • DXdiag

    If someone knows of a link to where I can get this, then please post it here; I want to decode it and see how it works.

  • Pingback: NEWS: Copyright malware appears on Bittorrent | iPod and iPhone

  • hms-one

    UCC was right. It was only a matter of time. Why go to all the effort and cost to gather “evidence” and file legal paperwork, and mail warning letters? You still end up with no more valid a “claim” than a shite piece of scareware can pull off with a simple hard drive scan. This BS exposes the efforts of ACS and friends as the frauds they are.

  • Pingback: Ransomware and BitTorrent Scam « Malware Survival

  • Pingback: Malware Extorts Cash From BitTorrent Users « The College of Arts and Sciences – Gathering Point for Technology at the University of Oregon

  • Pingback: Ransomware Malware Threatens to Sue Bit Torrent Pirates | We Control The Net

  • DeltaPan

    16 Apr 11, 2010 at 22:57 by ROLF
    .exe, whats that ? :)
    - – -
    18 Apr 11, 2010 at 22:59 by politux
    .exe is short for “executes a virus”

    An exe is an Executable, a programme file which can run independently as opposed to a complex application which requires drivers and multivarious scripts to function, an exe runs as a stand alone.

    - – -

    Don't know if anybody has noticed, but for a few weeks, until last week, which is when it last happened with me….

    TPB had a bogus virus scanner activating when navigating the site, which was the usual malware BS, immediately stating "Your Computer Is Infected" and running an online scan.

    I didn't let it get any farther and disconnected immediately, rebooted and added the URL from browser history to prohibited sites in Internet Options; whoever the tw@ts who were doing this were, they changed the URLs, I counted 8 different sites with the same virus.

    Don't know about any other sites, but maybe others can say if any other torrent sites were targeted.

    They didn't get very far with me, but same as other sites all over the net where these bogus virus scans are used, they do two things: they scan everything so a list of drive contents becomes available for later hacking of your 'puter and 2, malware is dropped allowing backdoor access and others like automated transmission of personal details etc., various malicious uses.

    Like I say, it didn't get more than a couple of seconds every time it occurred with me, but it'd be interesting to see if somebody getting one of these fake copyright notices also had experiences of bogus online virus scans while navigating torrent sites.

    I've spyware 7 AV scanners anyway, only a fool hasn't, so even if it got far enough and dropped something it'd no doubt be quarantined anyway.

    But there may be a connection here, don't know.

    I do know there's a lot of naive people who go to Warez sites and get malware dropped on their PCs; since I was a member of the XWT forum I have noticed so many people suffering from infections after going to porn sites and Warez sites without proper protection; these days even media portals like online newspapers and shopping sites and all sorts are hacked and users navigating get infected.

    Bottom line is be aware at all times; the Internet is not a fluffy and safe environment and all too many feel being online is as safe as being at home in their nice safe house. You are at home, wherever, so feel secure, sites are nice and tidy and people are lulled into a false sense of security.

    But it's actually better to consider yourself driving through a Crack Cocaine and Meth ridden ghetto, ergo, always be on guard.

    There's as many deviants in the cyber world as there are in society; online doesn't mean safe, only your own vigilance means you stay safe.

    As mentioned, anything happens, research it, don't take a fracking thing on face value.

    Scams are usually flagged by people who realise they have been targeted; do a few searches and you'll find the sites which alert people to what scams are happening. Plenty of those alert sites around and they can save you a lot of grief, so use them if anything suss occurs; don't ignore things however benign they may seem, there's a lot of dodgy frackers out there committing cyber crimes, so don't be a victim.

    Peace. : )

  • Question

    @105 HasABrain
    “it’s also being passed via facebook ads as well”

    You mean, internal messages with links to files which people download and run on purpose?

    Just curious, what is the content of the messages if it’s the case?

  • DeltaPan

    A few mateys are mentioning anti-piracy agents themselves may be involved.

    Would not surprise me for a moment if it transpires they are.

    As I've mentioned quite a few times recently, a few years back a group called "Media Defender" had one of their main operatives' Gmail account hacked and the whole contents of the account were floated on torrent, still available on TPB.
    http://thepiratebay.org/torrent/3806944/MediaDefender.Mail.200612.200709-MDD

    Instructions of how to browse the emails given in comments on page.

    These show how many shenanigans they were involved in, thanks again to Media Defender defenders for making these available.

    It shows anti-piracy agents are involved in criminal activities against us, such as hacking, illegal privacy invasions using fake sites, honey traps etc.

    The amount of criminal activities they were involved in is unbelievable, they should have served time for their activities, where we are simply civil infractors, they are criminals with no respect for criminal law never mind our civil infractions.

    So it wouldn’t surprise me one bit, if some anti-piracy outfit is actually behind this, they seem to think acting criminally towards us is perfectly justified and actually find it funny, sick sociopaths the fracking lot of them.

    Take a look at the emails; as I've said, too much time and money was spent to simply abandon their plans, they just waited until it all died down and we are indeed seeing their plans resurface, and indeed, as time goes on their plans become more complex and improved, but those emails give an idea of what these oiks are prepared to do.

    Governments and law enforcement agencies want to concentrate on what anti-piracy groups are doing more, again, file sharing is a civil matter, what these anti-piracy agents working on behalf of copyright holders are doing is often criminal and they break criminal laws and they seem to be completely ignored and shouldn’t be!

    As in the emails, they even think completely ignoring criminal laws and acting criminally towards file sharers is funny, utter contempt for criminal law, laws which are present in most nations, anti-piracy think criminal laws do not apply to them.

    Some idiot mentioned Federal Taskforces in another thread; well they aren't interested in file sharing, but were they to bother, they'd find a lot of financial irregularities in the accounts of these people, copyright holding companies and anti-piracy groups both, as much as a plethora of other criminal offences perpetrated by these corporate oiks.

    Again, perhaps governments and law enforcement of nations should look at those before focusing on file sharers, because both of those groups, copyright holders and anti-piracy agents, deem themselves above the law and act criminally as a norm, not a rarity but commonly; if the FBI did look into them, they'd find enough criminality to recoup millions of Dollars and Euros to keep courts busy for years.

    Peace. : )

  • TheJoker

    Having read all the comments about this issue, a lot of you seem to forget you were new to PCs once and have forgotten that fact whilst calling people morons. I wonder who are the real morons, the new or you.

  • Pingback: NEWS: Copyright malware appears on Bittorrent | DigiCamBlog: Digital Camera Tips and Techniques

  • deleted

    Well, since I've got this virus I've been called several names by 'kataanglover1', inc. 'new fag', but all of his ideas to fix this virus on my laptop did not work. Just because I don't know much about computers doesn't mean you should be harsh to people. This is why I'm posting this now, for all of the people out there who don't think that they're amazing on computers, and don't take the mick out of people who struggle on computers.

    Log onto the affected account and press 'Ctrl, Alt, Del' to start 'Task Manager', select 'I-Q Manager' and select End Task. When the program is closed, select File in the top left corner of 'Task Manager' and select 'New Task'; browse your files to find a web browser and open it. Go to Google, and search for 'avast free antivirus'; download it following the onscreen instructions. When the download is complete, log off the administrator account (affected account) and log into a standard account; on this account run 'avast full search'. When it is complete, select the 'IQ manager virus' and select 'delete'. When the virus is deleted, shut down the computer. Power on the computer, and log into the previously affected account and it should now work :), pretty good for a 'new fag', don't you think?

  • bert

    @129
    7 is just excessive; you should instead have one, plus multiple others but disabled in registry and services.

    Knowing how to do that would give you a great start on how to combat most malware yourself anyway and not need such a brutal security regime.

    Sure, use a good firewall, anti virus and anti spyware, have sandbox apps, and blacklist apps; if you were real paranoid run in a virtual environment and have a firewall box as well.

    Good security should not reduce your computer to a crawl and should be able to be disabled at will for gaming; simply installing 7 of them is just counter productive, and recommending it to people who don't have the skill to recognise the pros and cons and workarounds is really doing more harm than good.

    @131
    Avast is good :D
    Glad they finally picked it up,
    but I would double check that the registry key is set right

    in:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    edit:
    Shell = "%AppData%\IQManager\iqmanager.exe"

    to:
    Shell = "c:\windows\explorer.exe"

    Just because the message is gone doesn't mean it is.

    That bit is far more dangerous than the Run entry.

    And of course, if you know how to interpret, or want to, to ensure your computer is clean, read up for the link to the forums where all the tools and components of the files are hiding.

    If you have any troubles let me know; you have done well so far :)
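    Both of bert's Winlogon fixes above (this one and the earlier one at @115) describe the same check. As an added example that is not from the page or from any commenter, here is a PowerShell audit that reads the Shell value from both HKLM and HKCU, expands %AppData%-style variables, flags anything other than explorer.exe, and can put the default back; it also lists the HKCU Run entries Matt mentioned. The function names and the -Restore switch are my own and assume Windows PowerShell 5.1 or later (run elevated to touch HKLM).

```powershell
# Added example, not the page's or any commenter's code.
# Audits the Winlogon Shell value that this scareware is described as
# hijacking, and optionally restores the default "explorer.exe".

function Test-WinlogonShell {
    [CmdletBinding()]
    param(
        # Put the default shell back when a hijack is found (report-only by default).
        [switch]$Restore
    )
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    $default = 'explorer.exe'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $value = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        # HKCU normally carries no Shell value at all; HKLM holds "explorer.exe".
        # A Shell value appearing under HKCU is itself worth a second look.
        if ([string]::IsNullOrEmpty($value)) {
            [pscustomobject]@{ Key = $key; Shell = $null; Expanded = $null;
                               Exists = $null; Status = 'absent (normal for HKCU)' }
            continue
        }
        # Expand %AppData% etc. so the report shows the path the loader would run.
        $expanded = [Environment]::ExpandEnvironmentVariables($value)
        $path = $expanded.Trim('"')
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path   # bare "explorer.exe" lives here
        }
        # Only a lone explorer.exe, or its full path under the Windows directory, is normal.
        $isDefault = $expanded -match '^"?(?:[A-Za-z]:\\Windows\\)?explorer\.exe"?$'
        $obj = [pscustomobject]@{
            Key      = $key
            Shell    = $value
            Expanded = $expanded
            Exists   = Test-Path -LiteralPath $path
            Status   = if ($isDefault) { 'ok' } else { 'HIJACKED' }
        }
        if (-not $isDefault -and $Restore) {
            # The original (bad) value stays in the returned object for the incident record.
            Set-ItemProperty -Path $key -Name Shell -Value $default
            $obj.Status = 'restored'
        }
        $obj
    }
}

# The per-user Run key, where the commenters found the second foothold.
function Get-UserRunEntries {
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $run)) { return }
    (Get-ItemProperty -Path $run).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop PowerShell's own PSPath etc.
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.Name
                Command = [Environment]::ExpandEnvironmentVariables($_.Value)
            }
        }
}

Test-WinlogonShell | Format-Table -AutoSize
Get-UserRunEntries | Format-Table -AutoSize
```

    Run `Test-WinlogonShell -Restore` only after the running iqmanager.exe process has been ended and its files removed, as the comments above describe, or the value is simply rewritten at next logon.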

  • bert

    I probably could have worded that better,

    more along the lines of a listing of where the malware infects your computer and how to remove it, and some apps to diagnose that it's gone (and could detect a significant amount of other malware at the same time!).

  • Whatever

    @127 DeltaPan
    As far as I have encountered any of those fake AV advertisements in a browser window, for instance on TPB or other sites, they do NOT scan anything. However, when you allow it to download something, then you are in trouble.

    It is a PICTURE (or movie), possibly with a dir command on your C: drive (in YOUR browser), so it looks like they see your drive and do an online scan !!! (It is part of the scaM to make you believe they did an online scaN.)

  • Pingback: Usuarios de BitTorrent: cuidado con el virus chantajista | tuexperto.com

  • Pingback: Usuarios de BitTorrent: cuidado con el virus chantajista - Vaya Huevos

  • Pingback: UniversoTek » ¡Cuidado con el virus chantajista! [BitTorrent]

  • Pingback: bittorrent « Javierserna's Blog

  • Pingback: Wtf?!?!?! Copyright violation : Copyrighted content detected??!!!?!! - Page 2 - Grasscity.com Forums

  • Pingback: La violation des droits d’auteurs – le malware de la fondation ICPP

  • Pingback: BitTorrent Extortion? « TTC Shelbyville – Technical Blog

  • Pingback: BitTorrent users beware: New Virus - E-Cigarette Forum
