Is The FBI Holding Your Computer for Ransom?
A concerned reader asks: 'A popup on my screen says an FBI Online Agent has detected illegal activity on my computer, and is demanding $200 to unlock my computer. What should I do?' Here's what you need to know about this so-called FBI Virus... |
Removing the "FBI Virus"
The FBI Virus (also known as FBI Online Agent or Reveton) is a new variant of an old scam, and is popping up all over the Internet. Suddenly, your computer seizes up, and the screen displays an ominous message in a popup window. You are informed that the FBI has frozen your computer because the agency detected you downloading child p**n, pirating copyrighted content, or some other illegal activity.
The message cites relevant criminal statutes and penalties. Then it says you can “settle” the charges with the FBI Online Agent by paying a fine that ranges from $100 to $400. Instructions on how and where to send the money are included. The payment method is always something from which you cannot recover your money, such as MoneyPak or Western Union.
But you’re innocent, right? (Let's hope so...) Well, this scam actually did scare one child p**n consumer into turning himself in to the FBI. But that’s not you, and the government doesn’t operate this way, anyhow. Of course, the U.S. Federal Bureau of Investigation has nothing to do with this scam. (If the government wants more money, they can just raise your taxes.)
But that’s not the only issue; you can’t do anything with your computer until the “fine” is paid. Many people panic and pay the “fine” just to make the problem go away. But it doesn’t go away; it only gets worse. Once you’ve paid, more demands for payment arrive. Don't bother going to the Add/Remove Programs icon in your Control Panel. The Reveton/FBI malware doesn’t contain the usual “uninstall” code, because it wasn't intended to be removable.
The FBI Virus is a “drive-by” malware; it’s downloaded secretly to any browser that visits an infected Web site. Many of these rogue sites are p**n or "warez" related, but any site could host the Reveton/FBI virus code. So don’t assume that “responsible surfing” will keep you safe.
Your best line of defense is up-to-date, real-time anti-malware software. Free programs I’ve recommended in the past will greatly reduce the chances that you will catch the Reveton infection.
Tools to Remove the FBI Online Agent Virus
Removing Reveton/FBI is difficult; some experts recommend letting a security professional do it. If you want to remove Reveton yourself, you can restart in Safe Mode and fiddle with the Windows registry. (I don't recommend this method, but you can Google for those instructions.)
The best method is to reboot your computer from a CD or USB drive that contains appropriate anti-malware software. If you don’t already have such a rescue disc or flash drive, you’ll have to download it and install it on removable media from a clean computer. I recommend the AVG Rescue CD for this purpose. Booting up from the rescue disk will bypass the virus, and commence a scan and removal operation to return your computer to normal.
Norton Power Eraser is one free tool that can remove Reveton and other stubborn malware. The free or paid versions of MalwareBytes AntiMalware can also do the job.
HitmanPro is designed for removing ransomware like Reveton, rootkits, and other malware that interferes with the installation or use of regular antimalware products. It comes with a 30-day free trial and costs $20 to register for permanent protection.
Never pay a “fine” if you are struck by the FBI Virus or any other malware that demands ransom. Rest assured the FBI would have no trouble finding your front door if they really wanted to discuss a criminal matter with you. If you pay the ransom demanded, you're only lining the pockets of cyber-criminals and setting yourself up for further grief.
Going forward, avoid p**n, pirated software, and other sketchy Web sites. Keep your anti-malware software up to date and fully active at all times. Make a rescue disc or USB drive before you need it.
Do you have something to say about removing the FBI Virus? Post your comment or question below...
|
|
This article was posted by Bob Rankin on 18 Jan 2013
For Fun: Buy Bob a Snickers. |
Prev Article: Seven Reasons For Computer Crashes |
The Top Twenty |
Next Article: Is Your Password Strong Enough? |
There's more reader feedback... See all 23 comments for this article.
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin Subscribe to AskBobRankin Updates: Free Newsletter Copyright © 2005 - Bob Rankin - All Rights Reserved About Us Privacy Policy RSS/XML |
Article information: AskBobRankin -- Is The FBI Holding Your Computer for Ransom? (Posted: 18 Jan 2013)
Source: https://askbobrankin.com/is_the_fbi_holding_your_computer_for_ransom.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Is The FBI Holding Your Computer for Ransom?"
(See all 23 comments for this article.)Posted by:
Monica
18 Jan 2013
My sister gets this FBI virus every time her 14 year old grandson uses her computer.Cox Cable charge her $120.00 to remove it.She has Mc afee virus protection.
Posted by:
Neil Harvey
18 Jan 2013
I live in the Czech Republic, but my Czech isn't very good. I got the Czech version of this, even though I had the free AVG anti-virus program. I had to take the hard drive to work for them to copy the contents and disinfect. After one week I reinstalled it.
After a further 3 weeks the same message came beck even though I was listening to a radio play through the internet. Once I closed the radio the computer froze. The same process was gone through again.
Three weeks is nearly up, the second time, so it will be interesting to see if the b*****y message comes back!
Posted by:
jr
18 Jan 2013
If you can get into safe mode, you can revert to a former day before the problem. You might lose some things, but the backup will work.
Posted by:
RaoulDuke5244
18 Jan 2013
Looks like this malware affects only computers running Win o/s? If true, it would be helpful for casual readers who don't actually have exposure if you explicitly state that fact, thx.
Posted by:
james Orpin
18 Jan 2013
Hey Bob,
I was succesful in removing "Is The FBI Holding Your Computer for Ransom?" by using system restore. My friend informed me of this hazard on thier computer. I arrived and immediately ran "system restore" and the problem was resolved.
Therefore, running routine restore points on your computer can greatly reduce the likelyhood of this type of virus from gaining control.
I recommend weekly restore points if you do adverse searches, otherwise monthly should suffice.
My friend was lucky enough to have a restore point only a few days earlier. They have had no issues since the restore.
Posted by:
Lwajsman
18 Jan 2013
I got rid of the FBI virus by restarting in safe mode and doing a system restore to a prievious date.
Posted by:
Jeff
18 Jan 2013
My daughter got the FBI ransomware infection by going to her "free music" site. I had a lot of problems with Malwarebytes, since it kept wanting to update, and I couldn't get internet connection, since the virus was blocking it.
I ended up recovering (restoring) the laptop to 2 days prior to when she got the infection, and she hasn't had any problems since.
Posted by:
Alex King
18 Jan 2013
Regarding article 'Is The FBI Holding Your Computer for Ransom? (Ask Bob Rankin)', ensure that your 'Administrator' account is active, then if your PC gets hijacked you can log on as Administrator and run your AV programs. I found that Microsoft's free Security Essentials worked just fine on this mal-ware (I got it by opening an email graphic). If you have several AV and anti-malware programs, run them all using your Administrator account to ensure your PC is clean. Do full scans (may take hours), but it works. If your Administrator account is not active, you can go to Microsoft.com to find out how to easily make it so. Every Microsoft PC platform has an Administrator account, but it is not always readily visible on your log-in screen.
Posted by:
Jeff
18 Jan 2013
A neighbor had a similar problem (it wasn't this ransomware). We did a system restore and everything is working fine.
Posted by:
Terry Hollett
18 Jan 2013
I fix a computers and had to remove this from a number of laptops.
Usually this program can be removed in SafeMode - restart computer and keep pressing F8. Then chose Safe Mode with Network Support. Normally I would download Malwarebytes and Superantispyware and run a scan from here but in this case it didn't work. The scans did not pick up the virus. These programs always seemed one step ahead of the malware producers who now seem to have the upper hand.
So I had to find it and delete it manually. First I clicked on Start button then typed in msconfig. Then click on the Startup tab - it gets a bit tricky from here because you have to try and isolate the virus. It's probably just a file whose name is just bunch of random numbers like 05957836.exe - uncheck it - then do a search for it on your hard drive. If you know how to navigate your hard drive (you'll have to enable the ability to see hidden files)
Just click on Start, type in Folder Options, accept any security prompts, click on the View tab, in the Advanced settings: section click on Show hidden files, folders, and drives. You might have to uncheck Hide protected operating system files. I always have my systems set like this.
Once your sure who the culprit is you could just type in the name of the file in the Start search bar and when it appears in the list, right click on it and click on properties, then click on the Open File Location button, find the file and delete it. Restart computer. So far in the four cases I've come across, there has been only one file involved.
Posted by:
Martha
18 Jan 2013
What is an "Administrator" account and how can I get one?
Thank you for another good article.
Posted by:
Vladimir
18 Jan 2013
I met this problem several times, the last one was the most malicios(I'm from Russia).
I took me about 2 hours to clean the comp.
I saved that inet page in order to analyze it later.
It renames the original userini.exe system file and substitutes it with fake malisious copy.
And in the autorun section of registry it makes record for starting the another copy of binary. The script is trying all the vulnarabilities java, acroread, and what is worse -help service(!). As the script machine on the browser does not allow to perfom dangeros actions, it sends script code to perform on the script machine of the help service, then the whole comp becomes vulnurable for the attack.
IE,by the way, with appropriate tuning does not allow such code to perform.
I'm still thinking of a script or binary to write, to freese the unwanted processes, launched by the browser.
The problem can be solved, starting browser with guest acc., with minimal rights.
Posted by:
Max
18 Jan 2013
Thanks for the heads up Bob!
I removed this virus from my laptop like 40 minutes ago or so. Don't waste your time guys and don't mess with safe mode, use AVG rescue CD or Kaspersky CD. I used Kaspersky because I first found this 'Malware removal' site and it does a very good job of describing how to use Kaspersky to remove the FBI virus:
http://deletemalware.blogspot.com/2012/07/remove-fbi-moneypak-ransomware.html
I hope it's OK to share this site with your readers, if not - remove it.
However, I'm sure that AVG rescue CD does exactly the same thing, so it's up to you which one to use. Unless of course you don't have a virus free PC to burn bootable CD.
Max
Posted by:
Al. S
18 Jan 2013
Alex King
18 Jan 2013 says to run more than one A/V program. You can only have one installed, as they conflict with one another. You can have as many Antomalware programs as you want.
Posted by:
Pete Peterson
19 Jan 2013
Hi--
A friend emailed a link to your article. I've been seeing the FBI malware for months and using the following process to get rid of it.
Restart, tap on F8 to get the startup menu;
In Xp choose safe mode with command prompt;
Log in as Administrator;
Type in the following;
c:\windows\system32\restore\rstrui.exe
Press to start System Restore;
In System Restore select the Next button;
Choose a date on the calender in bold before the FBI warning, then Next again;
Your date chosen will be confirmed;
Launch restoration;
Upon return to the desktop, Download, install, update and run Malwarebytes to do cleanup.
With Vista or Windows 7,
Select Repair My Computer from the startup menu;
You will be asked for your keyboard (accept the default) and login (Administrator account is locked here);
From the menu of repair options, choose System Restore;
When restore points are displayed you can get more displayed by picking the checkbox under the list;
After System Restore completes download, install, update, and run Malwarebytes.
If System Restore has no restore points available, you will need to remove the hard drive and scan it in another system. (I use a system dedicated to the task of fixing these kinds of problems and keep a full image backup in case of infection.)
When your computer has returned to normal function, you may think you are done, but first you should update your antivirus and run that.
Then clear your System Restore files (another involved process), so you can't go back to having a problem or try to use restore points that have lost corrupt files to either the antivus or Malwarebutes. Now restart and turn System Restore back on.
Posted by:
Jim
19 Jan 2013
I'm curious as to why my Avira pro or malware programs don't nail this before it happens. I, too, have experienced the program (TR.Ransom???)and deleted it ar least three times in safe mode but it returns while surfing innocuous programs.
I'm about to try House Call to see if it's imbedded. Anybody had luck with House Call?
Posted by:
delusional2
22 Jan 2013
Get yourself an Acer Chromebook and you will avoid all of these problems.... and wont have to install and pay for anti malware software at all. They are great little machines and cost only $199 and are really amazing.!
Posted by:
Dinsdale
26 Jan 2013
This is why I use Linux for surfing. :-D
A lot of people don't know that you can easily install both Lin and Win on the same machine, and switch between them at startup.
You can use Win to control your desktop and for safe surfing you can use Lin. If you don't want to install anything, you can use Puppy Linux which runs entirely from the CD and makes no changes to your system.
Posted by:
jake
14 Jan 2014
I have run into fbi 2-3 times,and utilized windows 7 boot repair, free download from m/s. change the boot sequence at start-up to disk-drive, when it boots it runs like a mini win. program and allows you to access sys.restore, ccleaner,malwarebytes,privazer,etc,without having to use safe mode...last time, eliminated virus in less than 10 min....
Posted by:
Brent K
19 Jan 2014
Hi all, I have gotten this FBI ransomware several times and the only thing i had to do was as soon as it popped up, i dod not click on anything except task manager, closed the progran,had to hit the end now box that comes up, and everything is golden. No problems at all, Win Vista. Hope this helps save some problems for everyone, just DON'T Click on anything, except task mgr.