Solved

FBI - Your Computer has been locked! Virus

Posted on 2012-08-13
2,813 Views
Last Modified: 2013-11-22
Hello, I have an HP desktop running Windows 7.
I have this malware that says I have to pay them money or they are going to have the FBI come get me. I ran the computer in Safe Mode and ran Malwarebytes; it found 9 infections and removed those, however when I start in normal mode, same thing, it still shows the FBI warning. Malwarebytes is up to date as of today, I made sure of that, but I still get this problem. I have attached a screenshot for you. Thanks for your help!
24772.png
Question by:Thekiddotus
26 Comments
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 38290564
Find which file is running for this malware and delete the file manually from the computer, then restart the computer. It's mostly stored in the "system drive\user" (C:\user) or system drive\windows (C:\windows) folder.
 
LVL 44

Expert Comment

by:Darr247
ID: 38290715
In 'normal' mode, rather than Safe mode, run RogueKiller, let it do its prescan, then click its Scan button in the upper-right corner of RK's dialog box... after it's killed off the rogue processes, minimize it (do not exit out of it) and run a full scan with Malwarebytes. When that's done and you've removed the malware MBAM marked, tell it you'll restart later, then go back in RogueKiller and let it remove anything it found unless you know for sure it's NOT malware. THEN reboot and see if your problem is gone.
 
LVL 28

Expert Comment

by:Run5k
ID: 38290727
First of all, it is always better to run Malwarebytes in the "normal" Windows mode whenever possible.  If you scan in Safe Mode, there are far too many things like malicious processes that could be dormant and missed during an antivirus/malware scan.

Take a few minutes to read this excellent Experts Exchange article written by Younghv, one of the EE community's very best malware removal specialists.  It essentially involves scanning with RogueKiller, followed immediately by a Malwarebytes scan... all within the "normal" Windows mode.  If you follow his recommendations, you will probably be able to eliminate the "scare-ware" and return that machine back to normal...

Stop the Bleeding: First Aid for Malware
 
LVL 28

Expert Comment

by:Run5k
ID: 38290744
Sorry about that, Darr.  I would normally double-check and refresh the page first, but since there weren't any comments within the previous two hours I figured that I could take my time!
 

Author Comment

by:Thekiddotus
ID: 38290777
You cannot run anything in normal mode. This is because the malware that I sent a picture of before blocks you from doing anything else. Cannot do Ctrl+Alt+Delete, nothing.

Therefore I cannot run the programs you speak of, only in Safe Mode. But after I reboot to regular mode I have the same problem.
 
LVL 93

Expert Comment

by:nobus
ID: 38290828
I just repaired a PC with this virus.
The only thing you need to do is download Windows Defender Offline:
http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline/

Follow the guide to make the CD, boot from it, and when it starts running, stop it and select FULL scan; let it run.
It takes more than an hour, and the reboot also takes long, but everything was fine then!
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38290861
I had a similar problem with a computer at a family member's house and all I did to remove it was boot using F8 and chose Last Known Good Configuration.  After the next reboot, the demands were gone and full access was restored.  Very lucky fix, but it might just work depending on how much you have / have not done to your computer already.
 
LVL 44

Expert Comment

by:Darr247
ID: 38291256
I'm thinking just booting to Safe mode and dropping RogueKiller.exe in the
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
folder, then rebooting to normal should make RK run at startup.

------------ edit
nope - that won't work... you can copy it there, but it doesn't run, even using a shortcut set to Run as administrator.

From Safe mode, click the 'start' orb, type in msconfig, right-click the one that appears at the top and choose Run as administrator.

Click the Selective start option, then go to the Services tab.
Check the box next to Hide Microsoft Services, then click Disable All.
On the Startup tab, see if you can find it there. I have no idea what it's called. But it's probably something you don't recognize. If it's not fairly obvious what it is, uncheck it.

OK out, agree to a reboot if it asks, if it doesn't, reboot anyway, and see if you can run RogueKiller and MBAM from normal mode.
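The triage that Sushil Sonawane (find the file that launches the locker) and Darr247 (go through msconfig's Startup tab and disable what you don't recognise) describe can be scripted rather than eyeballed. The PowerShell below is an added example, not code from this thread or from any of the tools it names. It assumes a Windows 7 machine booted into Safe Mode with an elevated PowerShell prompt. The list of autostart locations, the directories treated as "user-writable", and the flagging rule are assumptions about where a lock-screen payload usually sits, not facts about this particular variant. It only reports; nothing is deleted.

```powershell
# Added example (not from the thread): inventory common Windows 7 autostart
# locations and flag entries that look like a dropped lock-screen payload.
# Run from an elevated PowerShell prompt in Safe Mode. Report only.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
# Assumption: legitimate autostarts rarely live here, droppers usually do.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:USERPROFILE)

function Get-ImagePath([string]$CommandLine) {
    # Pull the executable out of a Run-key style command line.
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end  = $cmd.IndexOf('"', 1)
        $path = if ($end -gt 0) { $cmd.Substring(1, $end - 1) } else { $cmd.TrimStart('"') }
    } else {
        $path = ($cmd -split '\s+')[0]
    }
    $path = [Environment]::ExpandEnvironmentVariables($path.TrimEnd(','))
    if ($path -and $path -notmatch '\\') {
        # Bare names such as explorer.exe are resolved from %SystemRoot%.
        foreach ($dir in @($env:SystemRoot, "$env:SystemRoot\System32")) {
            $candidate = Join-Path $dir $path
            if (Test-Path -LiteralPath $candidate) { return $candidate }
        }
    }
    return $path
}

function Test-AutostartEntry([string]$Source, [string]$Name, [string]$CommandLine) {
    $path   = Get-ImagePath $CommandLine
    $exists = ($path -ne '') -and (Test-Path -LiteralPath $path -PathType Leaf)
    $signer = 'missing'
    $sig    = $null
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "$($sig.Status)" }
    }
    $inUserDir = $false
    foreach ($d in $userWritable) { if ($d -and $path -like "$d\*") { $inUserDir = $true } }
    # Flag: file missing (stale entry) or an unsigned binary under a user-writable
    # directory. Assumed heuristic, not a signature for this variant.
    $flag = (-not $exists) -or ($inUserDir -and $sig.Status -ne 'Valid')
    New-Object PSObject -Property @{
        Suspicious = $flag; Source = $Source; Name = $Name
        Image = $path; Signer = $signer; CommandLine = $CommandLine
    }
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $k = Get-Item -LiteralPath $key
    foreach ($name in $k.GetValueNames()) {
        $entries += Test-AutostartEntry $key $name ([string]$k.GetValue($name))
    }
}
# Winlogon Shell/Userinit run before the desktop exists, which is why lockers
# like them. Hijacks often append to the default ("explorer.exe,C:\...\x.exe"),
# so every comma-separated part is tested.
$wl = Get-ItemProperty -LiteralPath $winlogonKey
foreach ($name in 'Shell', 'Userinit') {
    foreach ($part in (([string]$wl.$name) -split ',')) {
        if ($part.Trim()) { $entries += Test-AutostartEntry "$winlogonKey\$name" $name $part.Trim() }
    }
}
$wsh = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($f in (Get-ChildItem -LiteralPath $dir -Force | Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' })) {
        $target = if ($f.Extension -eq '.lnk') { $wsh.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        $entries += Test-AutostartEntry $dir $f.Name ('"' + $target + '"')
    }
}
$entries | Sort-Object Suspicious -Descending | Format-Table Suspicious, Source, Name, Image, Signer -AutoSize
```

Look at the rows marked Suspicious: an unsigned executable under AppData or ProgramData that you do not recognise, or a Winlogon Shell value that contains anything besides explorer.exe, is what to disable (msconfig, or rename the file) before rebooting into normal mode. If Shell or Userinit has been changed, put the defaults back (Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe,) rather than clearing them, because an empty Shell value gives you no desktop at all.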
 
LVL 38

Accepted Solution

by:
younghv earned 2000 total points
ID: 38291577
All - this is a fairly new variant of the "ransomware" kinds of malware. You DO have to start the cleaning process in "Safe Mode with Networking" - which is unusual.

Details from MS MVP Lawrence Abrams (aka Grinler) here:
http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware
 
LVL 44

Expert Comment

by:Darr247
ID: 38291670
Looks like good stuff, younghv. Fortunately I haven't seen this one in person. Yet.  :-)
 
LVL 38

Expert Comment

by:younghv
ID: 38291679
If I ever meet Grinler, I'm going to slip him a few bucks. A customer had this last week and his instructions worked to the letter.

We had another EE member with this last week and I'll post the link if I can find it.
 
LVL 93

Expert Comment

by:nobus
ID: 38291694
As I said, Windows Defender Offline solved it for me, without any trouble, and it's a good CD to have around.
 

Author Comment

by:Thekiddotus
ID: 38294515
Thanks Nobus for your comment and suggestion. I gave it a try and all, and yeah, it seems like it would be a nice CD to have around; however, when it tries to download the update it fails. I can see it going and downloading, then installing, then downloading, then installing, then it fails :(

And it won't let me run it until it updates itself :(

But that did sure seem like a good idea; it's just not working for me :(
 
LVL 28

Expert Comment

by:Run5k
ID: 38294844
Thekiddotus,

If that good suggestion from Nobus didn't quite work, I would strongly recommend following the advice that Younghv posted (http:#a38291577).  While people like Nobus and Darr247 are some of the very best contributors to the Experts Exchange community, you will find that Younghv and Rpggamergirl are easily the most successful EE professionals when it comes to malware removal.  On top of that, I can also vouch for the quality of the tutorials that Grinler provides on the BleepingComputer web page.  His guidance has saved many of us on countless occasions!
 
LVL 93

Expert Comment

by:nobus
ID: 38295061
>>> when it tries to download the update it fails <<<  Did you download the CD on a good working PC? That's what I would do, then run it on the infected one.
 
LVL 38

Expert Comment

by:younghv
ID: 38295582
@Thekiddotus -
Please consider the fact that Microsoft "Answers" forum recommends using the same instructions I posted for you in my earlier comment: http:#a38291577

Resolving this infection is not as simple as using a "Boot CD" (any Boot CD) - regardless of what some people want to claim.

Windows Defender Offline is a great tool to have in your collection, but it is not the answer in this situation.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38295600
"you will find that Younghv and Rpggamergirl are easily the most successful EE professionals when it comes to malware removal"

Couldn't agree more.  I wouldn't personally listen to anyone else's advice.  I have younghv on speeddial if ever I need him to help tackle a virus infection.
 
LVL 8

Expert Comment

by:Scott Thompson
ID: 38299159
First off, I'm sorry alanhardisty.  I thought I read through it, but I must have skimmed over the fact that I was repeating what sushil84 stated.  Thekiddotus, did you find any strange files in your startup in msconfig?  If so, have you removed them manually?  I do not see any response to sushil84's comment.

One thing I don't see posted above is the suggestion to run TDSSKiller.  This will find a lot of rootkits that commonly come with these types of infections.  You can run that in Safe Mode; the main thing to look for is an MBR infection.  I'm not sure if RogueKiller, which Darr247 recommended.
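Scott Thompson's point about checking for an MBR infection can be done by hand as well as with TDSSKiller. The PowerShell below is an added example, not code from this thread or from Kaspersky's tool. It assumes \\.\PhysicalDrive0 is the boot disk and an elevated prompt; it reads the first sector, decodes the partition table, and hashes the 440 bytes of boot code so you can compare them against a baseline you supply (a copy of the sector taken from this machine earlier, or from a clean Windows 7 install). No known-good hash is built in.

```powershell
# Added example (not from the thread): read sector 0 of the boot disk and
# report the fields a bootkit tampers with. Requires an elevated prompt.
# The baseline hash is an input you provide; nothing known-good is hard-coded.

function Get-Mbr([string]$Device = '\\.\PhysicalDrive0') {
    $fs = New-Object System.IO.FileStream($Device,
        [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512          # raw device reads must be sector-sized
        $n = $fs.Read($buf, 0, 512)
        if ($n -ne 512) { throw "short read ($n bytes) from $Device" }
        return ,$buf                           # leading comma keeps the array intact
    } finally { $fs.Close() }
}

function Get-MbrReport([byte[]]$Mbr, [string]$BaselineBootCodeSha256 = '') {
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash($Mbr, 0, 440) | ForEach-Object { $_.ToString('x2') }) -join ''
    $partitions = @()
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i                     # partition table starts at 0x1BE
        if ($Mbr[$o + 4] -eq 0) { continue }   # type 0 = unused slot
        $partitions += New-Object PSObject -Property @{
            Slot     = $i
            Bootable = ($Mbr[$o] -eq 0x80)
            Type     = ('0x{0:X2}' -f $Mbr[$o + 4])   # 0x07 NTFS, 0xEE GPT protective
            StartLba = [BitConverter]::ToUInt32($Mbr, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Mbr, $o + 12)
        }
    }
    $bootable = @($partitions | Where-Object { $_.Bootable }).Count
    New-Object PSObject -Property @{
        SignatureOk     = ($Mbr[510] -eq 0x55 -and $Mbr[511] -eq 0xAA)
        DiskSignature   = ('0x{0:X8}' -f [BitConverter]::ToUInt32($Mbr, 440))
        BootCodeSha256  = $hash
        BootCodeMatches = if ($BaselineBootCodeSha256) { $hash -eq $BaselineBootCodeSha256.ToLower() } else { 'no baseline given' }
        BootableEntries = $bootable            # 1 on an MBR disk; 0 is normal for a GPT protective MBR
        Partitions      = $partitions
    }
}

$mbr = Get-Mbr
$r = Get-MbrReport $mbr        # pass your baseline hash as the second argument
$r | Format-List SignatureOk, DiskSignature, BootCodeSha256, BootCodeMatches, BootableEntries
$r.Partitions | Format-Table Slot, Bootable, Type, StartLba, Sectors -AutoSize
# Keep the raw sector for comparison with a read taken from rescue media.
[System.IO.File]::WriteAllBytes("$env:USERPROFILE\Desktop\mbr.bin", $mbr)
```

Two caveats. A bootkit that is already loaded can filter reads of the physical disk and hand back the original sector, so a clean report from the booted system (Safe Mode included) is weak evidence; take the same read from boot media such as Windows Defender Offline and compare the two copies of mbr.bin. And a GPT disk shows a single 0xEE protective entry with no boot flag, which is normal layout, not tampering.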
 
LVL 38

Expert Comment

by:younghv
ID: 38300525
@pc_solutions50501 -

There is absolutely no reason to manually configure anything to repair this infection.

Please read the link to the article by "Grinler" that I posted above. He is probably the best writer in malware fighting business and is a many time recipient of the MS MVP award for consumer security.

When the asker posts a question about a specific malware variant, we should only post targeted advice that addresses the known problem. Generic advice has no place in a question like this.
 
LVL 93

Expert Comment

by:nobus
ID: 38300668
younghv - I wonder why you said "Windows Defender Offline is a great tool to have in your collection, but it is not the answer in this situation."

I can assure you it cleaned it easily for me.
 
LVL 38

Expert Comment

by:younghv
ID: 38301289
nobus - and I can assure you that it did NOT clean it for the various computer repair shops that have contracted me to do the repairs - for this variant.

Before I accept a contract, I make sure that "Windows Defender Offline" is one of the tools they have tried, since I don't want to waste my time (or their money) on basic repairs.

Without putting too fine a point on it, anyone who thinks they know more about malware repair than Lawrence Abrams (Grinler), does not have both feet planted in reality.
 
LVL 93

Expert Comment

by:nobus
ID: 38301324
OK - I accept your word for it, but it seems strange that it helped me.
Maybe another variant?
Anyway, thanks for the feedback.
 

Author Closing Comment

by:Thekiddotus
ID: 38303539
This seemed to get rid of it coming on in normal mode.
 

Author Comment

by:Thekiddotus
ID: 38303541
Thanks Younghv, that did seem to fix the problem. It sure was a big file and took FOREVER, but yeah, it seems to work now; I boot into normal mode and no more FBI. Thanks!
 
LVL 28

Expert Comment

by:Run5k
ID: 38303553
Nicely done, Younghv!  Whenever a problematic malware situation appears, I don't know what the EE community would do without you and Rpggamergirl!  Thanks (again) for the great advice.
 
LVL 38

Expert Comment

by:younghv
ID: 38304245
Thekiddotus - Really glad you were able to solve this.

@Run5k - thank you. I often feel like the driver of the vehicle these anti-malware geniuses put together. All I have to do is tromp on the gas and steer (and have some fun).