
FBI - Your Computer has been locked! Virus

Thekiddotus asked:
Hello, I have an HP desktop running Windows 7.
I have this malware that says I have to pay them money or they are going to have the FBI come get me. I ran the computer in safe mode and ran Malwarebytes; it found 9 infections and removed those, however when I start in normal mode the same thing happens, it still shows the FBI warning. Malwarebytes is up to date as of today (I made sure of that) but I still get this problem. I have attached a screenshot for you, thanks for your help!
24772.png

Find which file is running for this malware and delete the file manually from the computer, then restart the computer. It's mostly stored in the "system drive\user" (C:\user) or system drive\windows (C:\windows) folder.
CERTIFIED EXPERT

Commented:
In 'normal' mode, rather than Safe mode, run RogueKiller, let it do its prescan, then click its Scan button in the upper-right corner of RK's dialog box... after it's killed off the rogue processes, minimize it (do not exit out of it) and run a full scan with Malwarebytes. When that's done and you've removed the malware MBAM marked, tell it you'll restart later, then go back in RogueKiller and let it remove anything it found unless you know for sure it's NOT malware. THEN reboot and see if your problem is gone.
CERTIFIED EXPERT
Top Expert 2012

Commented:
First of all, it is always better to run Malwarebytes in the "normal" Windows mode whenever possible.  If you scan in Safe Mode, there are far too many things like malicious processes that could be dormant and missed during an antivirus/malware scan.

Take a few minutes to read this excellent Experts Exchange article written by Younghv, one of the EE community's very best malware removal specialists.  It essentially involves scanning with RogueKiller, followed immediately by a Malwarebytes scan... all within the "normal" Windows mode.  If you follow his recommendations, you will probably be able to eliminate the "scare-ware" and return that machine back to normal...

Stop the Bleeding: First Aid for Malware
CERTIFIED EXPERT
Top Expert 2012

Commented:
Sorry about that, Darr.  I would normally double-check and refresh the page first, but since there weren't any comments within the previous two hours I figured that I could take my time!

Author

Commented:
You cannot run anything in normal mode. This is because the malware that I sent a picture of before blocks you from doing anything else. Cannot do Ctrl Alt Delete, nothing.

Therefore I cannot run the programs you speak of, only in safe mode. But after I reboot to regular mode I have the same problem.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I just repaired a PC with this virus.
The only thing you need to do is download the Windows Offline Defender:
http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline/

Follow the guide to make the CD, boot from it, and when it starts running, stop it and select FULL scan; let it run.
It takes more than an hour, and the reboot also takes long, but everything was fine then!
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
I had a similar problem with a computer at a family member's house and all I did to remove it was boot using F8 and chose Last Known Good Configuration.  After the next reboot, the demands were gone and full access was restored.  Very lucky fix, but it might just work depending on how much you have / have not done to your computer already.
CERTIFIED EXPERT

Commented:
I'm thinking just booting to Safe mode and dropping RogueKiller.exe in the
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
folder, then rebooting to normal should make RK run at startup.

------------ edit
nope - that won't work... you can copy it there, but it doesn't run, even using a shortcut set to Run as administrator.

From Safe mode, click the 'start' orb, type in msconfig, right-click the one that appears at the top and choose Run as administrator.

Click the Selective start option, then go to the Services tab.
Check the box next to Hide Microsoft Services, then click Disable All.
On the Startup tab, see if you can find it there. I have no idea what it's called. But it's probably something you don't recognize. If it's not fairly obvious what it is, uncheck it.

OK out, agree to a reboot if it asks, if it doesn't, reboot anyway, and see if you can run RogueKiller and MBAM from normal mode.
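For anyone working through that msconfig Startup tab by hand, here is an added PowerShell snippet (mine, not Darr247's or anything from the thread) that lists the same Run-key and Startup-folder entries msconfig shows and flags any whose executable sits in a user-writable location or no longer exists on disk. The list of "suspect" folders is my own assumption, and a REVIEW flag only means look closer, not that the entry is malware.

```powershell
# Added example: enumerate the autostart entries msconfig's Startup tab lists
# (Run/RunOnce keys and both Startup folders) and flag ones worth a second look.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# Assumption: locations a normal installer rarely uses for a logon-time program.
$suspectRoots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP, "$env:windir\Temp")

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath etc.
        $entries += New-Object PSObject -Property @{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    foreach ($f in (Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer })) {
        $entries += New-Object PSObject -Property @{ Source = $folder; Name = $f.Name; Command = $f.FullName }
    }
}

foreach ($e in $entries) {
    # Pull just the executable out of the command line: quoted path, or the first token.
    $cmd = $e.Command.Trim()
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
    $flag = ''
    foreach ($root in $suspectRoots) {
        if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $flag = 'REVIEW'; break }
    }
    # An entry pointing at a file that is gone is common after a partial cleanup.
    if ($exe -and -not (Test-Path -LiteralPath $exe)) { $flag = 'MISSING' }
    '{0,-8} {1,-24} {2}  [{3}]' -f $flag, $e.Name, $cmd, $e.Source
}
```

Run it from an elevated PowerShell prompt (in Safe Mode if normal mode is locked) and compare the REVIEW lines against what you actually installed before unchecking anything in msconfig.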
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006
Commented:
All - this is a fairly new variant of the "ransomware" kinds of malware. You DO have to start the cleaning process in "Safe Mode with Networking" - which is unusual.

Details from MS MVP Lawrence Abrams (aka Grinler) here:
http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware
CERTIFIED EXPERT

Commented:
Looks like good stuff, younghv. Fortunately I haven't seen this one in person. Yet.  :-)
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
If I ever meet Grinler, I'm going to slip him a few bucks. A customer had this last week and his instructions worked to the letter.

We had another EE member with this last week and I'll post the link if I can find it.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
As I said, Windows Offline Defender solved it for me without any trouble, and it's a good CD to have around.

Author

Commented:
Thanks Nobus for your comment and suggestion. I gave it a try and yeah, it seems like it would be a nice CD to have around; however when it tries to download the update it fails. I can see it going and downloading, then installing, then downloading, then installing, then it fails :(

And it won't let me run it until it updates itself :(

But that sure did seem like a good idea, it's just not working for me :(
CERTIFIED EXPERT
Top Expert 2012

Commented:
Thekiddotus,

If that good suggestion from Nobus didn't quite work, I would strongly recommend following the advice that Younghv posted (http:#a38291577).  While people like Nobus and Darr247 are some of the very best contributors to the Experts Exchange community, you will find that Younghv and Rpggamergirl are easily the most successful EE professionals when it comes to malware removal.  On top of that, I can also vouch for the quality of the tutorials that Grinler provides on the BleepingComputer web page.  His guidance has saved many of us on countless occasions!
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
>>> when it tries to download the update it fails <<<  Did you download the CD on a good working PC? That's what I would do, then run it on the infected one.
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
@Thekiddotus -
Please consider the fact that Microsoft "Answers" forum recommends using the same instructions I posted for you in my earlier comment: http:#a38291577

Resolving this infection is not as simple as using a "Boot CD" (any Boot CD) - regardless of what some people want to claim.

Windows Defender Offline is a great tool to have in your collection, but it is not the answer in this situation.
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
"you will find that Younghv and Rpggamergirl are easily the most successful EE professionals when it comes to malware removal"

Couldn't agree more.  I wouldn't personally listen to anyone else's advice.  I have younghv on speeddial if ever I need him to help tackle a virus infection.
Scott Thompson, Computer Technician / Owner

Commented:
First off, I'm sorry alanhardisty.  I thought I read through it, but I must have skimmed over the fact that I was repeating what sushil84 stated.  Thekiddotus, did you find any strange files in your startup in msconfig?  If so, have you removed them manually?  I do not see any response to sushil84's comment.

One thing I don't see posted above is the suggestion to run TDSSKiller.  This will find a lot of rootkits that commonly come with these types of infections.  You can run that in safe mode, the main thing to look for is an MBR infection.  I'm not sure if RogueKiller, which Darr247 recommended.
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
@pc_solutions50501 -

There is absolutely no reason to manually configure anything to repair this infection.

Please read the link to the article by "Grinler" that I posted above. He is probably the best writer in malware fighting business and is a many time recipient of the MS MVP award for consumer security.

When the asker posts a question about a specific malware variant, we should only post targeted advice that addresses the known problem. Generic advice has no place in a question like this.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
younghv - I wonder why you said "Windows Defender Offline is a great tool to have in your collection, but it is not the answer in this situation."

I can assure you it cleaned it easily for me.
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
nobus - and I can assure you that it did NOT clean it for the various computer repair shops that have contracted me to do the repairs - for this variant.

Before I accept a contract, I make sure that "Windows Defender Offline" is one of the tools they have tried, since I don't want to waste my time (or their money) on basic repairs.

Without putting too fine a point on it, anyone who thinks they know more about malware repair than Lawrence Abrams (Grinler), does not have both feet planted in reality.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
OK, I accept your word for it, but it seems strange that it helped me.
Maybe another variant?
Anyway, thanks for the feedback.

Author

Commented:
This seemed to get rid of it coming up in normal mode.

Author

Commented:
Thanks Younghv, that did seem to fix the problem. It sure was a big file and took FOREVER, but yeah, it seems to work now; I boot into normal mode and no more FBI. Thanks.
CERTIFIED EXPERT
Top Expert 2012

Commented:
Nicely done, Younghv!  Whenever a problematic malware situation appears, I don't know what the EE community would do without you and Rpggamergirl!  Thanks (again) for the great advice.
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
Thekiddotus - Really glad you were able to solve this.

@Run5k - thank you. I often feel like the driver of the vehicle these anti-malware geniuses put together. All I have to do is tromp on the gas and steer (and have some fun).
