windows - How to remove the FBI Ransomware malware?

23
2014-04
  • kenswdev

    This question already has an answer here:

  • Answers
  • Kruug

    Download KAV Rescue Disc and either burn to disc or use a program like UNetBootin to install it to a USB drive.

    What this is:

    Kaspersky's own Anti-Virus LiveCD that runs on a specially built *nix that will allow you to run a scan and removal service free from Kaspersky.

    Personally, I have used it many times with great success.

    Any questions, please ask.

  • kenswdev

    I'm posting an answer to my own question (per http://blog.stackoverflow.com/2011/07/its-ok-to-ask-and-answer-your-own-questions/) because, in the end, I stumbled upon a slick way to get the FBI Ransomware off my machine. Maybe this will help someone else out.

    Summary of steps:

    1. From a powered-off state, turn on your machine. Wait for the Windows logo animation to appear, power off in the middle of Windows starting up.
    2. Power machine back on. Hope bootup message appears telling you Windows failed to start properly. Answer Yes if it asks if you want to attempt to fix the problem.
    3. Give it a few minutes. Hope Windows asks you if you want to return to a previous Restore point. Answer Yes.
    4. Wait (a long time) for the restore to complete. With luck, Windows will reboot to your normal desktop.
    5. Download, install and run Malwarebytes in "quick" mode (http://www.malwarebytes.org/) to remove infected files.

    Details:

    I was in the process of attempting to create a Windows Defender Offline boot disk on another machine. I'd also gotten a suggestion to run Malwarebytes from our IT group at work. But that assumes you can boot your machine in order to run Malwarebytes.

    I still couldn't believe that I was unable to boot into Safe Mode. So I gave that another try. The machine is a DELL and I missed pressing F12 in time to cause the Windows boot option menu to appear. The Windows 7 graphics were appearing and there was no sense booting back to the virus, so I powered off in the middle of the Windows logo animation.

    I powered right back on. This time I got a prompt telling me Windows failed to restart properly and did I want to attempt to solve the problem? I answered yes. After a minute or two I was prompted with the option to return to a restore point. I answered yes. After maybe an hour of a DOS-style progress indicator moving across the screen, Windows rebooted and the virus was gone.

    The restore point was one Windows had created. We've never created one manually on the machine. I wasn't prompted to select a restore point, so I don't know what would happen if the restore point included the virus.

    In my case, the above steps that I lucked into removed the virus quickly and easily without having to bring any other utility or boot disk into play.

    Final note: After getting back into Windows, I ran Malwarebytes and it found two files infected with Trojan.Winlock. Based on googling that, it looks to be consistent with ransomware viruses.

  • J. Bertrand

    The easiest way I have found to remove the FBI ransomware is to power down your machine and remove the hard drive. Using one of the many different USB adapters available connect it to a machine that has an updated version of Malwarebytes installed. Once the second machine detects your drive open up My Computer from the start menu. Locate your hard drive in the list and right click, then click scan with Malwarebytes. This usually finds the virus/malware and removes it.

  • Dylan Hildenbrand

    I've actually found a way that's quite useful for removing this virus. I noticed that sometimes, the FBI screen takes a little bit of time to pop up. In that time, the command prompt was showing a path to a strangely named .exe file. By starting the computer up from a bootable cd (I used Hiren's Boot CD), I was able to navigate to the file previously mentioned and delete it.

    I've noticed that sometimes the file is stored in the 'My Documents' folder (ie C:\Users\USERNAMEHERE\My Documents). Other times I've noticed it in different locations (C:\Users\USERNAMEHERE\AppData\Local\Temp).

    So I'd recommend taking a look in some of those folders and maybe even others as I've seen a few variations of the virus. Once that file is deleted, install Hitman Pro, restart, run a full scan as administrator. I also use Malwarebyetes, Super Anti-Spyware, and SpyBot just to make sure there aren't any remnants.


  • Related Question

    windows - How do I get rid of malicious spyware, malware, viruses or rootkits from my PC?
  • Questioner

    What should I do if my Windows computer seems to be infected with a virus or malware?

    • What are the symptoms of an infection?
    • What should I do after noticing an infection?
    • What can I do to get rid of it?

    This question comes up frequently, and the suggested solutions are usually the same. This community wiki is an attempt to serve as the definitive, most comprehensive answer possible.

    Feel free to add your contributions via edits.


  • Related Answers
  • Seasoned Advice (cooking)

    Here's the thing: Malware in recent years has become both sneakier and nastier:

    Sneakier, because it travels in packs. Subtle malware can hide behind more obvious infections. There are lots of good tools listed in answers here that can find 99% of malware, but there's always that 1% they can't find yet. Mostly, that 1% is stuff that is new: the malware tools can't find it because it just came out and is using some new exploit or technique to hide itself that the tools don't know about yet. The anti-malware tools still have their place, but I'll get to that later.

    Malware also has a short shelf-life. If you're infected, something from that new 1% is actually very likely to be one part of your infection. It won't be the whole infection: just a part of it. Security tools will help you find and remove the more obvious and well-known malware, and most likely remove all of the symptoms (because you can keep digging until you get that far), but they can leave little pieces behind, like a keylogger or rootkit.

    Nastier, in that it won't just show ads, install a toolbar, or use your computer as a zombie anymore. Modern malware is likely to go right for the banking or credit card information. The people building this stuff are motivated by profit, and if they can't steal from you directly, they'll look for something that they can turn around and sell. This might be processing or network resources in your computer, but it might also be your social security number.

    Put these two factors together, and it's no longer worthwhile to even attempt to remove malware from an installed operating system. I used to be very good at removing this stuff, to the point where I made a significant part of my living that way, and I no longer even make the attempt. I'm not saying it can't be done, but I am saying that the risk analysis results have changed: it's just not worth it anymore. There's too much at stake, and it's too easy to get results that only seem to be effective.

    Lots of people will disagree with me on this, but I challenge that they are not weighing consequences of failure strongly enough. Are you willing to wager your life savings, your good credit, even your identity, that you're better at this than crooks who make millions doing this every day? ...'cause if you try to remove malware and then keep running that old system, that's exactly what you're doing.

    I know there are people out there reading this thinking, "Hey, I've removed several infections from various machines and nothing bad ever happened." I suggest you need to add "yet" to the end of that statement. You might be 99% effective, but you only have to be wrong one time, and the consequences of failure are much higher than they once were. You might even have a machine already out there that still has a ticking time bomb inside, just waiting to be activated or waiting for the right information before reporting it back. Even if you have a 100% effective process now, this stuff changes all the time. Remember: you have to be perfect every time; the bad guys only have to get lucky once.

    In summary, it's unfortunate, but if you have a confirmed malware infection, a complete re-pave of the computer should be the first place you turn instead of the last.


    Here's how to accomplish that:

    Before you're infected, make sure you have a way to re-install any purchased software, including the operating system, that does not depend on anything stored on your internal hard disk. Normally, that just means hanging onto cd/dvds or product keys1, but the operating system may require you to create recovery disks yourself. Don't rely on a recovery partition for this. If you wait until after an infection to ensure you have what you need to re-install, you may find yourself paying for the same software again.

    If you suspect you have mal-ware, look to other answers here. There are a lot of good tools suggested. My only issue is the best way to use them: I only rely on them for the detection. Install and run the tool, but as soon as it finds evidence of a real infection just stop the scan: the tool has done it's job and confirmed your infection.

    Now, at the time of a confirmed infection, take the following steps:

    1. Check your credit and bank accounts. By the time you find out about the infection, real damage may have already been done. Take any steps necessary to secure your cards, bank account, and identity. Do not use the compromised computer to do this.
    2. Take a backup of your data (even better if you already have one).
    3. Re-install the operating system using disks shipped with the computer, purchased separately, or the recovery disk you should have created when the computer was new. Make sure the re-install includes a complete re-format of your disk.
    4. Re-install your applications.
    5. Make sure your system is fully patched.
    6. Run a complete anti-virus scan to clean the backup from step one.
    7. Restore the backup.

    If done properly, this is likely to take between two and six real hours of your time, spread out over two to three days (or even longer) while you wait for things like apps to install, windows updates to download, or large backup files to transfer... but it's better than finding out later that crooks drained your bank account. Unfortunately, this is something you should do yourself, or a have a techy friend do for you. At a typical consulting rate of around $100/hr, it can be cheaper to buy a new machine than pay a shop to do this. If you have a friend do it for you, do something nice to show your appreciation. Even geeks the love helping you set up new things or fix broken hardware often hate the tedium of clean-up work. It's also best if you take your own backup... your friends aren't going to know where you put what files, or which ones are really important to you. You're in a better position to take a good backup than they are.


    If you absolutely insist, beyond all reason, that you really want to clean your existing install rather than start over, then for the love of God make sure that whatever method you use involves one of the following two procedures:

    • Remove the hard drive and connect it as a guest disk in a different (clean!) computer to run the scan.

    OR

    • Boot from a CD with it's own set of tools running it's own kernel. Make sure the image for this CD was obtained and burned on a clean computer. If necessary, have a friend make the disk for you.

    Under no circumstances should you try to clean an infected operating system using software that is running as a guest process of that compromised operating system. That's just plain dumb.


    Of course, the best way to fix an infection is to avoid it in the first place, and there are some things you can do to help with that:

    1. Keep your system patched. Make sure you promptly install Windows Updates, Adobe Updates, Java Updates, Apple Updates, etc. This is far more important even than anti-virus software, and for the most part it's not that hard, as long as you keep current. Most of those companies have informally settled on all releasing new patches on the same day each month, so if you keep current it doesn't interrupt you that often.
    2. Do not run as administrator by default. In recent versions of Windows, that is as simple as leaving the UAC feature turned on.
    3. Use a good firewall tool. These days the default firewall in Windows is actually good enough. You may want to supplement this layer with something like WinPatrol that helps stop malicious activity on the front end. Windows Defender works in this capacity to some extent as well.
    4. Run current anti-virus software. This is a distant fourth to the first three, as traditional A/V software often just isn't that effective anymore. It's also important to emphasize the "current". You could have the best antivirus software in the world, but if it's not up to date, you may just as well uninstall it. For this reason, I currently recommend Microsoft Security Essentials. There are likely far better scanning engines out there, but Security Essentials will keep itself up to date, without ever risking an expired registration. AVG and AVast also work well in this way. I just can't recommend any anti-virus software you have to actually pay for, because it's just far too common that a paid subscription lapses and you end up with out-of-date definitions.
    5. Avoid warez, pirated software, and pirated movies/videos. This stuff is often injected with malware by the person who cracked or posted it — not always, but often enough to avoid the whole mess. It's part of why the cracker would do this: sometimes they will get a cut of the profits.
    6. Use your head when browsing the web. If something sounds too good to be true, it probably is.

    1 You should also backup your data, but that's really a separate issue: if you're system security was compromised, your backups are likely compromised, too.