Getting rid of "FBI has locked your computer" ransomeware

[DRM]

Anyone done it? One of the PC's in our office has it, and I can't get past it. Online says to boot into safe mode, but the screen comes up anyway, and it won't let me Ctrl/Alt/Del to get to the deskptop, or kill anything.

[DRM]

Oh yeah, Winxp machine if that matters.

[nahmus]

I had it 2 days ago. Try booting into safe mode with command prompt. At the command prompt type

%systemroot%\system32\restore\rstrui.exe

this will run the system restore. Restore to an earlier time. Once it has restored then run malwarebytes and combofix.

If you have system restore disabled then i'm not sure what the next step would be

[wonder squirrel]

Theres also some videos on youtube that might help out.

Where did this virus get picked up at?

[spork2367]

Quote:

Originally Posted by wonder squirrel

Theres also some videos on youtube that might help out.

Where did this virus get picked up at?

porn

*unless it was a middle aged women, then it was from an email attachment.

[Chris]

Quote:

Originally Posted by spork2367

porn

*unless it was a middle aged women, then it was from an email attachment.

Middle aged women don't look at porn?

[void_of_light]

Look online and see if the files are listed that need to be removed.

Boot into safemode with command prompt and delete the files.


Some malware gets stored in the temporary internet files folder. You may get lucky by deleting everything in there.

If you have a sacrificial computer available you may try putting the infected hard drive in the other computer and scanning it that way. This could infect the other computer so use a computer that you can just format and reinstall when you're done.

[spork2367]

Quote:

Originally Posted by Chris

Middle aged women don't look at porn?

they do, but not the extra dirty shit that gets you a virus...

[rock mafia]

Make sure you are disconected form the internet when you turn the computer back on.

I've taken it off three computers. If they are not conected to the web, it would not pop up even when just normal booting to windows. Then restore to an earlier time.

[nahmus]

Quote:

Originally Posted by rock mafia

Make sure you are disconected form the internet when you turn the computer back on.

I've taken it off three computers. If they are not conected to the web, it would not pop up even when just normal booting to windows. Then restore to an earlier time.

hmm. good tip. Might wait for the next infected machine and put a monitor on the IP through the firewall and see where it goes and then block that name/ip. Probably a bunch of them tho...

[DRM]

Nothing working so far. Booting into safe mode still gets the screen.

Nothing gets past the screen.

Unplugging the internet only causes the screen to try and load - but never actually load... still can't get past that either.

[Schly]

Tried rkill yet? EDIT: You can't boot, so you can't try rkill...

[nahmus]

Quote:

Originally Posted by DRM

Nothing working so far. Booting into safe mode still gets the screen.

Nothing gets past the screen.

Unplugging the internet only causes the screen to try and load - but never actually load... still can't get past that either.

you can't boot into safemode command prompt? must be a newer version

[DRM]

Quote:

Originally Posted by nahmus

you can't boot into safemode command prompt? must be a newer version

Negative - attempting to boot to safe-mode with command ends up hanging, then eventually booting to regular windows safe mode.

[nahmus]

ok they must have a new version out. I was always able to boot into safemode /command prompt.

I would just pull the drive and then install it in another machine and scan it with that machine. That should pull out enough to at least make the old drive bootable

[DRM]

Quote:

Originally Posted by nahmus

ok they must have a new version out. I was always able to boot into safemode /command prompt.

I would just pull the drive and then install it in another machine and scan it with that machine. That should pull out enough to at least make the old drive bootable

It's a windows XP machine that still has a floppy drive... How about I just go buy a new computer and quit wasting my time

Seriously though - thanks for the tips guys... I just have to balance time/$$$ spent with going ahead and replacing an aging machine that was scheduled to be replaced before the end of the year anyway.

[toyminator2000]

Sometimes you can boot into safe mode and bring up the task manager right away before the other shit can load. Then stop the "explorer.exe" process. Use the file/run option from the task manager to locate and delete the running file or to run a utility like combofix to remove it.

If that don't work then you can try making it a secondary drive in another computer, then locate and delete the infection manually.

[GubNi]

Oh, that's an easy one.... format and reinstall!

[s10er8]

Boot from a Linux live cd. Look at distrowatch.com or .org whichever it is

[Ben W]

Try the Kaspersky rescue disk. http://support.kaspersky.com/faq/?qid=208282173

If this is one of the ones that attacks the MBR and creates its own boot partition you are in for a painful recovery.

You can also try pulling the drive and connecting to a known good PC with a USB adapter to scan it offline. Be careful with this because you can infect the known good PC, use a thrasher box instead of your main PC.

[CJeep77]

Quote:

Originally Posted by Ben W

Be careful with this because you can infect the known good PC, use a thrasher box instead of your main PC.

Curious, what is a thrasher box? I googled it but found nothing related....

[DieLucas!]

Have you tried calling the FBI?

[Typhoon]

Is this is the "Pay us or we will tell the cops you have kiddie porn" version?
If so much of the data on the hard drive has been encrypted and no cleaning will fix it.
Did it say if you pay them they will give you a password?

We had a customer with this last month. The solution was Format and restore from non connected backups.

http://www.bleepingcomputer.com/forums/topic449398.html

Good Luck

[BassnTruck]

Quote:

Originally Posted by CJeep77

Curious, what is a thrasher box? I googled it but found nothing related....

See below.

Quote:

Originally Posted by void_of_light

If you have a sacrificial computer available you may try putting the infected hard drive in the other computer and scanning it that way. This could infect the other computer so use a computer that you can just format and reinstall when you're done.

[87manche]

Quote:

Originally Posted by spork2367

porn

*unless it was a middle aged women, then it was from an email attachment.

the guy that brought us the machine in with this straight told me he was looking at pron when it took over.

I just laughed, we do this about every 6 months cause he's a dirty old man, but he's honest about it.

As to the problem.

Kaspersky Rescue Disc.

that will kill the files and such, which will let you get back into windows and unfuck it's registry settings. It does do the typical nonsense of disallowing certain executables.

So I follow that up with Rkill, just to make sure, then malwarebytes to clean up the registry.