FBI virus need help

Jasiono · April 2013

I hate asking for help but I am extremely stumped. My spacebar doesn't work, so I will try to space it out. Anyways, I have a computer here that has that stupid FBI Moneypak virus. No matter what profile I log in to regularly. I am able to get into safe mode with command prompt, but that's the only thing I can get into. Somehow the CD drive is disabled, and when I try this method (Kaspersky WindowsUnlocker to fight ransom malware) the media will not boot from my flash drive. My main question is, can I install that media from my flash drive using safe mode with command prompt? What else could I do in the command prompt window? I tried searching for registry information but when I followed a tutorial online, I couldn't find any of the registry values it was talking about. It is windows Vista home premium

Bryzey · April 2013

Is the DVD drive disabled from boot? Or could you boot straight to a rescue disc/Linux live disc.?

emerald_octane · April 2013

this might be a different version of the fbi ransomware however what I did for the fix was to

A) login to a different user other than the one that was infected. Did not boot in safe mode.

kill the suspicious looking processes although I don't recall which one it was
C) run dedicated tools then run anti malware bytes etc

About7Narwhal · April 2013

This might help:

What is Windows Defender Offline?

Jasiono · April 2013

I managed to create an account using the command prompt in safe mode. The CD drive is disabled for some reason so making any CDs is out of the question (for now). Every profile on the computer has the infection as of now, but I am booting into the test profile I just made with administrative rights as I type this. It seems as though if ANYTHING is run using the explorer as the background it goes right to the virus. It's the moneypac one that wants $100 and pretends to have a webcam on it. I've gotten rid of these before but I've never seen this "flavor".

Jasiono · April 2013

Currently trying this with the new account I made.

emerald_octane wrote: »

this might be a different version of the fbi ransomware however what I did for the fix was to

A) login to a different user other than the one that was infected. Did not boot in safe mode.
kill the suspicious looking processes although I don't recall which one it was
C) run dedicated tools then run anti malware bytes etc

CodeBlox · April 2013

Only one way to fix this... I'd slick the machine with a fresh copy of the image. I just can't trust using a workstation that was previously plagued with malware.

Jasiono · April 2013

Nevermind. It seems as though the damn virus is attached to EVERYTHING in the computer. I can't even create a new account that ISNT infected. It's starting to seriously piss me off.

Jasiono · April 2013

CodeBlox wrote: »

Only one way to fix this... I'd slick the machine with a fresh copy of the image. I just can't trust using a workstation that was previously plagued with malware.

I would be doing this if I could get the CD drive to work. Is there a way to do a system restore through command prompt?

About7Narwhal · April 2013

rstrui.exe

OG Maverick · April 2013

I came across this on a machine at my work. Safe mode wouldn't work or anything. I could still easily open the CD drive when the PC was first powered on before loading Windows though and proceeded to image it.

Jasiono · April 2013

If the CD drive worked, It would be a no brainer to me to pop in a CD and call it a night. I will try the rstrui.exe command. Last time I did it, nothing showed up

OG Maverick · April 2013

Jasiono wrote: »

If the CD drive worked, It would be a no brainer to me to pop in a CD and call it a night. I will try the rstrui.exe command. Last time I did it, nothing showed up

I didn't know if it was a setting in Windows that wouldn't allow it to work or if it wouldn't work at all even before loading Windows. Any access to an external drive?

Jasiono · April 2013

I could purchase one really quick and use it. Would there need to be any drivers installed to use it?

NetworkingStudent · April 2013

Jasiono wrote: »

I hate asking for help but I am extremely stumped. My spacebar doesn't work, so I will try to space it out. Anyways, I have a computer here that has that stupid FBI Moneypak virus. No matter what profile I log in to regularly. I am able to get into safe mode with command prompt, but that's the only thing I can get into. Somehow the CD drive is disabled, and when I try this method (Kaspersky WindowsUnlocker to fight ransom malware) the media will not boot from my flash drive. My main question is, can I install that media from my flash drive using safe mode with command prompt? What else could I do in the command prompt window? I tried searching for registry information but when I followed a tutorial online, I couldn't find any of the registry values it was talking about. It is windows Vista home premium

I highly suggest an offline scan. Have you tried running Process explorer in safe mode? Or Rkill? Have you run Malware bytes in safe mode??? Does safe mode let you use a usb?

Go to another computer and if you have a USB stick download Rkill and launch it in safe mode
RKill Download

FBI Ransomeware
This link goes to a techs site for documents on removing the FBI virus

Remove FBI Ransom - FBI Moneypak Virus by Britec - YouTube
this video talks about going into safe mode and removing the virus

Good luck

Tritium · April 2013

I've fought a few of these fbi viruses.

When all else fails, download combofix. (combofix.org)

It's my go-to when there's a tough virus that isn't picked up by the usual means of malwarebytes. Try it in safemode with networking if you can get to it...or throw it on a flash drive. I haven't ran into that many viruses that blog combofix.exe...worst case rename it to .bat and you're golden!

Good luck!

Jasiono · April 2013

The only thing the computer will allow me to go into is safe mode with command prompt. As soon as I start the explorer task it goes right to the FBI screen. Now, what I'm thinking, and I'm probably wrong, is if there is an RKILL program I can run in command prompt, I could run explorer.exe and then quickly run rkill from the same window. Not sure. Any solution will have to be completed in command prompt, which I don't know my way through at all. I'll check out some of those links as well.

About7Narwhal · April 2013

copy explorer.exe from another computer to a usb --> boot the problem computer to cmd --> navagate to explorer.exe on the problem computer and rename it to explorer.bku --> xcopy / copy / robocopy the usb exploerer.exe to the host machine --> launch explorer.exe.

I highly doubt it will fix your problem, because I don't think explorer.exe is the trigger, but it cannot hurt to try. Else, there have been several offline and cmd based antivirus options posted previously.

Jasiono · April 2013

Hitmanpro looks very promising!

sratakhin · April 2013

I haven't seen this crap for a while but managed to get rid of it a few times by running MalwareBytes. The trick is to rename .exe file to .com. You could also rename mbam.exe to something like explorer.exe or iexplore.exe.

Another option is to restore exe associations (that's what the virus does - changes your exe files to open itself first). Look here - Default File Type Associations - Restore - Windows 7 Help Forums

Also, if it's a Windows Visa or 7 machine, boot from the installation DVD and run System Restore.

Jasiono · April 2013

I think I got it. I found 12 strings of ransomware on the computer. Hopefully this works!

Jasiono · April 2013

Alrighty. I really appreciate everyones response in here! I got it to work. I did some snooping in the links provided and did some more google research since I knew what I needed to look for.

SephStorm · April 2013

which specific advise fixed the issue? Any reason you couldn't mount the drive to an external system and scan from there?

Jasiono · April 2013

SephStorm wrote: »

which specific advise fixed the issue? Any reason you couldn't mount the drive to an external system and scan from there?

Laziness. Here is the breakdown, and pardon my lack of spaced out text. I turned the pc on, nothing worked. The only thing that worked was the safe mode with command prompt. I then came onto here asking what to do. I created a user according to Emerald's suggestion and it didn't work. I tried twice actually. I tried about7narwhals link, but nothing in it was useful. I learned what windows defender can do beyond than what I ever used it for. The several suggestions to boot it up via CD weren't going to happen until tomorrow since the current drive in the machine does not work. Networkingstudents post gave me clarity as to what the virus is really called (ransomeware, and not just FBI virus). I did some research online and found two things, one of them was from Kaspersky, which did not work, and the other was a trial version of hitmanpro. I tried hitmanpro, had some issues because I didn't realize I needed an internet connection for it, but other then that it removed the virus completely. Tomorrow I will comb over it with Norton as well as Malwarebytes. Everyones post helped me zone in on what to specifically look for

About7Narwhal · April 2013

Glad it is fixed. Like others have said, I would wipe it clean, make a backup, then reimage just to be safe. Hope all goes well.

Jasiono · April 2013

Thank you sir!

Im going to suggest this to the person. Maybe she will do it. She needs a new cd drive anyway but that can be had for 20 bucks. Its a welll written virus, thats for sure. Major props

effekted · April 2013

I've probably made ~$500 total from a client I do side work for because he kept getting it every couple weeks. First time was on his home desktop, and was the easiest. Safe mode and malware bytes cleaned it right up. 2 weeks later, on his desktop in the office, slightly different, took some extra work and scans.. (have to give ownership of the particular registry setting in order to delete the string). And the last and final time he got it, it was another version that was an even more PITA. After doing everything I could find on forums and etc., majority of the services and stuff was not working, primarily the windows firewall. Attempted to rebuild the service and etc. as instructed online but no success. Ended up having to LiveCD and backup all data and do a complete reformat.

Although it made me quite a bit of money last year, it's been a total PITA. Atleast now he isn't as susceptible to click on stupid links or emails....

Jasiono · April 2013

Hm. Makes me think. Im going to start offering computer repairs for people at work for cash. I need a new laptop soon

Hondabuff · April 2013

I just caught this thread but I clean this Virus atleast 3 times a week at my company. Here are the steps that will remove the FBI money pack virus.

1) Restore the computer to an earlier date.
2) Run Malwarebytes and reboot.
3) Run Mbar, Malwarebytes rootkit free tool.
4) Run CCleaner and **** the temp files.
5) Run CCleaner registry cleaner. Pretty generic but works.
6) Sign in under users account and verify its gone.

There are 4 of us on Desktop support and we spent a few days documenting the fastest way to get a user back up and running. The FBI virus gets around our Anti Virus and Zscaler all the time. I have seen a restore to a previous date fix it by itself.

IndyLoveless · April 2013

I've had this popup from time to time on student computers. One way I got it to work was to disable the camera on the laptop...most time though I just had to do a reload.

FBI virus *need help*

Comments

FBI virus need help