Is The FBI Holding Your Computer for Ransom? - Comments Page 1

Category: Anti-Virus



All Comments on: "Is The FBI Holding Your Computer for Ransom?"


Posted by:

Danny
18 Jan 2013

I wonder how many people actually called the FBI to complain...

Posted by:

Brian Phelan
18 Jan 2013

Bob,

A friend was struggling with the FBI malware issue, so I downloaded and used ComboFix. (I know about the warnings regarding this very powerful tool.)

Once ComboFix scanned the hard drive and I rebooted, no more issues.

However, I was unable to understand the ComboFix-printed log of what modifications the program had made. (Not a Bob Rankin!!!)

Have you ever tried ComboFix with the FBI issue?

Brian Phelan
Hamton, NH

Posted by:

Marc R.
18 Jan 2013

In-laws called me as I was getting home from work, and they were leaving in 6 hours to go to the airport. :-( Laptop with Windows 7. After seeing multiple spelling errors in the threat warning, deduced the infection. Rebooted into Safe Mode, went to the MS site for the Microsoft Windows Malicious Software Removal tool, and 1 hour later, scan complete, system repaired.

Posted by:

Monica
18 Jan 2013

My sister gets this FBI virus every time her 14 year old grandson uses her computer. Cox Cable charge her $120.00 to remove it. She has McAfee virus protection.

Posted by:

Neil Harvey
18 Jan 2013

I live in the Czech Republic, but my Czech isn't very good. I got the Czech version of this, even though I had the free AVG anti-virus program. I had to take the hard drive to work for them to copy the contents and disinfect. After one week I reinstalled it.
After a further 3 weeks the same message came back even though I was listening to a radio play through the internet. Once I closed the radio the computer froze. The same process was gone through again.
Three weeks is nearly up, the second time, so it will be interesting to see if the b*****y message comes back!

Posted by:

jr
18 Jan 2013

If you can get into safe mode, you can revert to a former day before the problem. You might lose some things, but the backup will work.

Posted by:

RaoulDuke5244
18 Jan 2013

Looks like this malware affects only computers running Win o/s? If true, it would be helpful for casual readers who don't actually have exposure if you explicitly state that fact, thx.

Posted by:

james Orpin
18 Jan 2013

Hey Bob,

I was successful in removing "Is The FBI Holding Your Computer for Ransom?" by using system restore. My friend informed me of this hazard on their computer. I arrived and immediately ran "system restore" and the problem was resolved.

Therefore, running routine restore points on your computer can greatly reduce the likelihood of this type of virus from gaining control.

I recommend weekly restore points if you do adverse searches, otherwise monthly should suffice.

My friend was lucky enough to have a restore point only a few days earlier. They have had no issues since the restore.

Posted by:

Lwajsman
18 Jan 2013

I got rid of the FBI virus by restarting in safe mode and doing a system restore to a previous date.

Posted by:

Jeff
18 Jan 2013

My daughter got the FBI ransomware infection by going to her "free music" site. I had a lot of problems with Malwarebytes, since it kept wanting to update, and I couldn't get internet connection, since the virus was blocking it.
I ended up recovering (restoring) the laptop to 2 days prior to when she got the infection, and she hasn't had any problems since.

Posted by:

Alex King
18 Jan 2013

Regarding article 'Is The FBI Holding Your Computer for Ransom? (Ask Bob Rankin)', ensure that your 'Administrator' account is active, then if your PC gets hijacked you can log on as Administrator and run your AV programs. I found that Microsoft's free Security Essentials worked just fine on this mal-ware (I got it by opening an email graphic). If you have several AV and anti-malware programs, run them all using your Administrator account to ensure your PC is clean. Do full scans (may take hours), but it works. If your Administrator account is not active, you can go to Microsoft.com to find out how to easily make it so. Every Microsoft PC platform has an Administrator account, but it is not always readily visible on your log-in screen.

Posted by:

Jeff
18 Jan 2013

A neighbor had a similar problem (it wasn't this ransomware). We did a system restore and everything is working fine.

Posted by:

Terry Hollett
18 Jan 2013

I fix computers and had to remove this from a number of laptops.

Usually this program can be removed in SafeMode - restart computer and keep pressing F8. Then choose Safe Mode with Network Support. Normally I would download Malwarebytes and Superantispyware and run a scan from here but in this case it didn't work. The scans did not pick up the virus. These programs always seemed one step ahead of the malware producers who now seem to have the upper hand.

So I had to find it and delete it manually. First I clicked on Start button then typed in msconfig. Then click on the Startup tab - it gets a bit tricky from here because you have to try and isolate the virus. It's probably just a file whose name is just a bunch of random numbers like 05957836.exe - uncheck it - then do a search for it on your hard drive. If you know how to navigate your hard drive (you'll have to enable the ability to see hidden files)

Just click on Start, type in Folder Options, accept any security prompts, click on the View tab, in the Advanced settings: section click on Show hidden files, folders, and drives. You might have to uncheck Hide protected operating system files. I always have my systems set like this.

Once you're sure who the culprit is you could just type in the name of the file in the Start search bar and when it appears in the list, right click on it and click on properties, then click on the Open File Location button, find the file and delete it. Restart computer. So far in the four cases I've come across, there has been only one file involved.
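The manual triage described in the comment above, sketched as an added example (not part of the original comment or the article): it reviews startup entries and flags executables whose name is only digits or that run from a user-writable folder. The sample entries, folder list and function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Folders a standard user can write to (assumed list for this example).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
NUMERIC_STEM = re.compile(r"^\d{6,}$")  # e.g. 05957836.exe

# Constructed startup entries (name, command line), as a Startup tab would list them.
SAMPLE_ENTRIES = [
    ("ExampleAV Tray", r'"C:\Program Files\ExampleAV\avtray.exe" /min'),
    ("05957836", r'C:\Users\alice\AppData\Roaming\05957836.exe'),
    ("Updater", r'"C:\Users\alice\AppData\Local\ExampleApp\update.exe" --silent'),
    ("ctfmon", r'C:\Windows\System32\ctfmon.exe'),
]

def executable_path(command):
    """Extract the program path from a startup command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe".
    match = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command

def review_entry(command):
    """Return the reasons a startup command deserves a closer look."""
    path = PureWindowsPath(executable_path(command))
    lowered = str(path).lower()
    reasons = []
    if path.suffix.lower() == ".exe" and NUMERIC_STEM.match(path.stem):
        reasons.append("file name is only digits")
    if any(folder in lowered for folder in USER_WRITABLE):
        reasons.append("runs from a user-writable folder")
    return reasons

def suspicious_entries(entries):
    """List (name, path, reasons) for flagged entries, most reasons first."""
    flagged = []
    for name, command in entries:
        reasons = review_entry(command)
        if reasons:
            flagged.append((name, executable_path(command), reasons))
    return sorted(flagged, key=lambda item: -len(item[2]))

if __name__ == "__main__":
    for name, path, reasons in suspicious_entries(SAMPLE_ENTRIES):
        print(f"{name}: {path} -> {', '.join(reasons)}")
```

An entry flagged only for its location is often a legitimate per-user updater, so the digits-only name together with the location is the stronger signal.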

Posted by:

Martha
18 Jan 2013

What is an "Administrator" account and how can I get one?

Thank you for another good article.

Posted by:

Vladimir
18 Jan 2013

I met this problem several times, the last one was the most malicious (I'm from Russia).
It took me about 2 hours to clean the comp.
I saved that inet page in order to analyze it later.
It renames the original userini.exe system file and substitutes it with a fake malicious copy.
And in the autorun section of the registry it makes a record for starting another copy of the binary. The script is trying all the vulnerabilities: java, acroread, and what is worse - help service(!). As the script machine in the browser does not allow it to perform dangerous actions, it sends script code to perform on the script machine of the help service, then the whole comp becomes vulnerable to the attack.
IE, by the way, with appropriate tuning does not allow such code to perform.
I'm still thinking of a script or binary to write, to freeze the unwanted processes, launched by the browser.
The problem can be solved, starting browser with guest acc., with minimal rights.

Posted by:

Max
18 Jan 2013

Thanks for the heads up Bob!

I removed this virus from my laptop like 40 minutes ago or so. Don't waste your time guys and don't mess with safe mode, use AVG rescue CD or Kaspersky CD. I used Kaspersky because I first found this 'Malware removal' site and it does a very good job of describing how to use Kaspersky to remove the FBI virus:

http://deletemalware.blogspot.com/2012/07/remove-fbi-moneypak-ransomware.html

I hope it's OK to share this site with your readers, if not - remove it.

However, I'm sure that AVG rescue CD does exactly the same thing, so it's up to you which one to use. Unless of course you don't have a virus free PC to burn bootable CD.

Max

Posted by:

Al. S
18 Jan 2013

Alex King (18 Jan 2013) says to run more than one A/V program. You can only have one installed, as they conflict with one another. You can have as many anti-malware programs as you want.

Posted by:

Pete Peterson
19 Jan 2013

Hi--

A friend emailed a link to your article. I've been seeing the FBI malware for months and using the following process to get rid of it.
Restart, tap on F8 to get the startup menu;

In Xp choose safe mode with command prompt;
Log in as Administrator;
Type in the following;
c:\windows\system32\restore\rstrui.exe
Press to start System Restore;
In System Restore select the Next button;
Choose a date on the calendar in bold before the FBI warning, then Next again;
Your date chosen will be confirmed;
Launch restoration;
Upon return to the desktop, Download, install, update and run Malwarebytes to do cleanup.

With Vista or Windows 7,
Select Repair My Computer from the startup menu;
You will be asked for your keyboard (accept the default) and login (Administrator account is locked here);
From the menu of repair options, choose System Restore;
When restore points are displayed you can get more displayed by picking the checkbox under the list;
After System Restore completes download, install, update, and run Malwarebytes.

If System Restore has no restore points available, you will need to remove the hard drive and scan it in another system. (I use a system dedicated to the task of fixing these kinds of problems and keep a full image backup in case of infection.)

When your computer has returned to normal function, you may think you are done, but first you should update your antivirus and run that.

Then clear your System Restore files (another involved process), so you can't go back to having a problem or try to use restore points that have lost corrupt files to either the antivirus or Malwarebytes. Now restart and turn System Restore back on.

Posted by:

Jim
19 Jan 2013

I'm curious as to why my Avira pro or malware programs don't nail this before it happens. I, too, have experienced the program (TR.Ransom???) and deleted it at least three times in safe mode but it returns while surfing innocuous programs.

I'm about to try House Call to see if it's imbedded. Anybody had luck with House Call?

Posted by:

delusional2
22 Jan 2013

Get yourself an Acer Chromebook and you will avoid all of these problems.... and won't have to install and pay for anti malware software at all. They are great little machines and cost only $199 and are really amazing!
