joepwpb
Premium Member
join:2000-12-15
West Palm Beach, FL

Removing FBI Ransomware

First, I am aware of the Security Cleanup forum, its function and requirements, which I will use if all else fails.

I have had 100% success with removing this malware until today. On most occasions I can get into Safe Mode; if not, I would use a rescue disc from Kaspersky, AVG or Microsoft. In this case I cannot get into Safe Mode and all three rescue discs failed to detect any malware.

I would like to avoid a format and reinstall of Windows 7 if at all possible so any other suggestions would be appreciated.

Thanks

Joe P

MarkAW
Barry White
Premium Member
join:2001-08-27
Canada

2 recommendations

Try this »www.bleepingcomputer.com ··· nsomware

rem_root
@sbcglobal.net

rem_root to joepwpb

Anon

Restart into command prompt, CTRL + ALT + DEL to open task manager, file, new task. You can put in the drive letter of your utility flash drive and go from there.

Use Rkill then mbam or combofix

joepwpb
Premium Member
join:2000-12-15
West Palm Beach, FL

1 edit

joepwpb to MarkAW

Thanks...I am currently working on creating Emsisoft and HitmanPro.Kickstart rescue procedures.

Also I have windows Defender Offline running another full scan.

Joe P

Edit: The creation process for HitmanPro.Kickstart failed on two different drives with an "Error #6000, copy"

joepwpb
Premium Member

1 edit

**Update**

GOT IT !!!

Nothing tricky or special, just a boot to Safe Mode with Command Prompt and then explorer.exe (thanks rem_root), which invoked the desktop; then I ran RogueKiller from a disc and all is well!!

I am now running Eset Online after a scan with MBAM.

When Googling this issue I discovered several instances where the rescue discs failed to remove this malware and where even Safe Mode with Cmd Prompt was not accessible. That sure makes this difficult. I never got to use Emsisoft and, as previously stated, I was unable to create the HitmanPro.Kickstart disc. I don't know what I would have done if Safe Mode with Cmd Prompt was inaccessible.

Thanks to all !!

Joe P

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

My computer has been infected with "FBI" malware, what should I do?
»kb.eset.com/esetkb/index ··· SOLN3140

joepwpb
Premium Member
join:2000-12-15
West Palm Beach, FL

said by siljaline:

My computer has been infected with "FBI" malware, what should I do?
»kb.eset.com/esetkb/index ··· SOLN3140

That is a standard procedure IF it is possible to access Safe Mode.

Joe P

rem_root
@sbcglobal.net

rem_root to joepwpb

Anon

Re: Removing FBI Ransomware

I've seen several different versions of this malware in the wild evolve in my biz. Because of this, some major tools out there get fooled. I've resorted to creating several .reg files wrapped up in a self-running BAT file, which instantly cripples the malware. If it wasn't for the fact that I'm constantly tweaking the code, I would have made this public.

If I had spare daylight time, I'd start a blog with all the new malware I see on a daily basis. The bad guys primarily use copy/paste to code their garbage (re-hash), but a few times I'm impressed how clever they are (above 0-day). Sadly, they are making more money than I, doing wrong.

Triple Helix
DNA
Premium Member
join:2007-07-26
Oshawa, ON

Triple Helix to joepwpb

If all else fails, take the drive out, put it into a USB external dock and scan it with an AV of your choice on another machine. »www.amazon.ca/s/ref=sr_n ··· 64023011

TH

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to joepwpb


Re: **Update**

Yes, I know you have limited access to Safe Mode. It was worth a shot - best of luck getting rid of it.

There was a previous thread:
»Anyone pay the FBI moneypak virus ransom? What happens?

DasGoat
Member
join:2013-02-12
Charleston, WV

DasGoat to joepwpb


Re: Removing FBI Ransomware

There's a new variant out there that is located in (Win 7) c:\programdata and the file is displayswitch.exe. There are registry keys to have it start in safe mode as well. Boot into safe mode with command prompt to try and remove it if you can. There are other ways as well.
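The two removal hints in this thread (rem_root's Safe Mode with Command Prompt plus Task Manager route, and DasGoat's note that one variant lives in C:\ProgramData as displayswitch.exe and registers itself to start in Safe Mode) both come down to one question: where has the lock screen hooked itself in so it wins the race against explorer.exe? The script below is an added triage example written for this reply, not code from the thread, from any poster or from any vendor tool mentioned here. It is read-only: it walks the standard Windows autostart locations (Run/RunOnce, Winlogon Shell and Userinit, the SafeBoot AlternateShell value and the SafeBoot\Minimal and SafeBoot\Network service whitelists) and reports entries that point into user-writable drop directories or carry the file name named above. The list of drop directories and the file name are assumptions taken from this thread and from common practice; the registry paths are the stock Windows ones. Run it from an elevated PowerShell once you have any shell at all (Safe Mode with Command Prompt will do).

```powershell
# Added example (not from the thread): read-only triage of the autostart
# locations a lock-screen ("FBI") ransomware typically hooks. Reports only.
$ErrorActionPreference = 'SilentlyContinue'

# Assumptions: drop directories seen in practice, file name from the thread.
$suspectDirs  = @(@($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ })
$suspectNames = @('displayswitch.exe')

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $c = $Command.ToLowerInvariant()
    foreach ($n in $suspectNames) { if ($c.Contains($n)) { return $true } }
    foreach ($d in $suspectDirs)  { if ($c.Contains($d.ToLowerInvariant())) { return $true } }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Where, [string]$Name, [string]$Value, [string]$Why) {
    $findings.Add([pscustomobject]@{ Location = $Where; Name = $Name; Value = $Value; Reason = $Why })
}

# 1. Run/RunOnce values whose command lives in a drop directory
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
        if (Test-SuspiciousCommand $p.Value) { Add-Finding $key $p.Name $p.Value 'autorun from drop directory' }
    }
}

# 2. Winlogon Shell/Userinit hijack: this is how a lock screen replaces the desktop
foreach ($hive in 'HKLM:', 'HKCU:') {
    $wl = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $v  = Get-ItemProperty $wl
    if ($v.Shell -and $v.Shell -ne 'explorer.exe') { Add-Finding $wl 'Shell' $v.Shell 'Shell is not explorer.exe' }
    $extra = @($v.Userinit -split ',' | Where-Object { $_ -and $_ -notlike '*\userinit.exe' })
    if ($extra.Count -gt 0) { Add-Finding $wl 'Userinit' $v.Userinit 'extra Userinit entry' }
}

# 3. Safe Mode persistence: replaced AlternateShell, or a service whitelisted
#    under SafeBoot\Minimal / SafeBoot\Network whose binary sits in a drop directory
$sb  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$alt = (Get-ItemProperty $sb).AlternateShell
if ($alt -and $alt -ne 'cmd.exe') { Add-Finding $sb 'AlternateShell' $alt 'Safe Mode shell replaced' }
foreach ($mode in 'Minimal', 'Network') {
    foreach ($sub in Get-ChildItem "$sb\$mode") {
        $svc = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($sub.PSChildName)"
        if ($svc -and (Test-SuspiciousCommand $svc.ImagePath)) {
            Add-Finding "$sb\$mode" $sub.PSChildName $svc.ImagePath 'Safe Mode service runs from drop directory'
        }
    }
}

# 4. The dropped file itself, if the variant named in the thread is present
foreach ($d in $suspectDirs) {
    foreach ($n in $suspectNames) {
        $f = Join-Path $d $n
        if (Test-Path $f) { Add-Finding $d $n (Get-Item $f).LastWriteTime 'file present' }
    }
}

if ($findings.Count -eq 0) { 'No suspicious autostart entries found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Each finding names the exact key and value, so the output doubles as the list of what a .reg file of the kind rem_root describes would have to reset (Shell back to explorer.exe, the rogue Run value and SafeBoot subkey gone) before the dropped executable is quarantined and a full scan is run. Because the script changes nothing, it is safe to run first from an offline-booted or docked drive as Triple Helix suggests, with the HKLM: paths pointed at a loaded copy of the victim's hives.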

joepwpb
Premium Member
join:2000-12-15
West Palm Beach, FL

joepwpb to siljaline


Re: **Update**

said by siljaline:

Yes, I know you have limited access to Safe Mode. It was worth a shot - best of luck getting rid of it.

There was a previous thread:
»Anyone pay the FBI moneypak virus ransom? What happens?

Thanks...see my third post above...I got it removed

Joe P

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

Good to know.