Getting rid of "FBI has locked your computer" ransomware - Pirate4x4.Com : 4x4 and Off-Road Forum
#1, 08-03-2012, 09:07 AM
DRM, Super Moderator (joined Feb 2000; Member # 8; Spring Hill, TN; 35,575 posts; 1 blog entry)
Getting rid of "FBI has locked your computer" ransomware

Anyone done it? One of the PCs in our office has it, and I can't get past it. Online says to boot into safe mode, but the screen comes up anyway, and it won't let me Ctrl/Alt/Del to get to the desktop, or kill anything.
__________________
>David
> 4x4Spot.com
>It only hurts the first time you agree with me...
>"A little nonsense now and then is cherished by the wisest men."
-- DRM
#2, 08-03-2012, 09:08 AM
DRM, Super Moderator (joined Feb 2000; Member # 8; Spring Hill, TN; 35,575 posts; 1 blog entry)
Oh yeah, WinXP machine if that matters.
-- DRM
#3, 08-03-2012, 09:13 AM
Rock God (joined Nov 2005; Member # 57779; 1,404 posts)
I had it 2 days ago. Try booting into safe mode with command prompt. At the command prompt type

%systemroot%\system32\restore\rstrui.exe

This will run System Restore. Restore to an earlier time. Once it has restored, then run Malwarebytes and ComboFix.

If you have System Restore disabled then I'm not sure what the next step would be.
-- nahmus
#4, 08-03-2012, 09:17 AM
Registered User (joined Mar 2007; Member # 88700; 58 posts)
There are also some videos on YouTube that might help out.

Where did this virus get picked up at?
__________________
The last of a dying breed..
-- wonder squirrel
#5, 08-03-2012, 09:18 AM
Pirate4x4 Addict! (joined Jan 2006; Member # 66259; 6,644 posts)
Quote (Originally Posted by wonder squirrel):
There are also some videos on YouTube that might help out.

Where did this virus get picked up at?

porn

*unless it was a middle-aged woman, then it was from an email attachment.

Last edited by spork2367; 08-03-2012 at 09:19 AM.
-- spork2367
#6, 08-03-2012, 09:20 AM
III (joined Oct 2000; Member # 2032; 11,863 posts)
Quote (Originally Posted by spork2367):
porn

*unless it was a middle-aged woman, then it was from an email attachment.

Middle-aged women don't look at porn?
__________________
07 FFL
-- Chris
#7, 08-03-2012, 09:21 AM
Who stole my title? (joined Apr 2006; Member # 70825; Nacogdoches, Texas; 920 posts)
Look online and see if the files are listed that need to be removed.

Boot into safe mode with command prompt and delete the files.


Some malware gets stored in the temporary internet files folder. You may get lucky by deleting everything in there.

If you have a sacrificial computer available you may try putting the infected hard drive in the other computer and scanning it that way. This could infect the other computer so use a computer that you can just format and reinstall when you're done.
__________________
Damn it feels good to be a Lannister.

Quote (Originally Posted by Screwzer2):
Huh. Yeah, I guess you're right.
-- void_of_light
#8, 08-03-2012, 09:22 AM
Pirate4x4 Addict! (joined Jan 2006; Member # 66259; 6,644 posts)
Quote (Originally Posted by Chris):
Middle-aged women don't look at porn?

they do, but not the extra dirty shit that gets you a virus...
-- spork2367
#9, 08-03-2012, 09:28 AM
Rock God (joined Apr 2006; Member # 70555; Greensboro, NC; 1,661 posts)
Make sure you are disconnected from the internet when you turn the computer back on.

I've taken it off three computers. If they are not connected to the web, it would not pop up even when just normal booting to Windows. Then restore to an earlier time.
__________________
clicky---> Facebook Jim's Garage
http://www.mandmfab.com/
-- rock mafia
#10, 08-03-2012, 09:33 AM
Rock God (joined Nov 2005; Member # 57779; 1,404 posts)
Quote (Originally Posted by rock mafia):
Make sure you are disconnected from the internet when you turn the computer back on.

I've taken it off three computers. If they are not connected to the web, it would not pop up even when just normal booting to Windows. Then restore to an earlier time.

Hmm, good tip. Might wait for the next infected machine and put a monitor on the IP through the firewall and see where it goes and then block that name/IP. Probably a bunch of them though...
-- nahmus
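A way to act on the firewall-monitoring idea in the post above, as an added example that is not from this thread or any poster: it parses constructed netfilter-style log lines, ranks the destinations one suspect host keeps reaching, and renders candidate outbound-deny rules in iptables syntax for review. The log format, every address (10.0.0.23 plays the infected office PC), and the local DNS server it ignores are all assumptions made up for the demo.

```python
"""Rank the outbound destinations of one suspect host from firewall logs.

Added example (not from the thread): watch what the infected machine talks
to at the firewall, then block the repeat destinations.  Everything below
(log format, addresses, rule syntax) is constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample lines in a netfilter LOG-target style.
# 10.0.0.23 is the suspect PC; 10.0.0.1 is the (made-up) local DNS server.
SAMPLE_LOG = """\
Aug  3 09:20:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.7 PROTO=TCP DPT=80
Aug  3 09:20:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.7 PROTO=TCP DPT=80
Aug  3 09:20:03 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.44 PROTO=TCP DPT=443
Aug  3 09:20:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.7 PROTO=TCP DPT=80
Aug  3 09:20:06 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.51 DST=192.0.2.10 PROTO=TCP DPT=80
Aug  3 09:20:07 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=10.0.0.1 PROTO=UDP DPT=53
Aug  3 09:20:09 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.7 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for a flow record, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dport"])


def rank_destinations(log_text, suspect_ip, ignore_dsts=("10.0.0.1",)):
    """Count (dst, proto, dport) tuples for flows from suspect_ip, most frequent first.

    ignore_dsts drops known-good infrastructure so it never ends up in a block list;
    here that is only the constructed local DNS server.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if src != suspect_ip or dst in ignore_dsts:
            continue
        counts[(dst, proto, dport)] += 1
    return counts.most_common()


def block_rules(ranked, min_hits=2):
    """Render candidate outbound-deny rules (iptables syntax, for human review only)
    for destinations the suspect host reached at least min_hits times."""
    rules = []
    for (dst, proto, dport), hits in ranked:
        if hits < min_hits:
            continue
        rules.append(
            f"iptables -A FORWARD -d {dst} -p {proto.lower()} --dport {dport} -j DROP"
            f"  # {hits} hits from suspect host"
        )
    return rules


if __name__ == "__main__":
    ranked = rank_destinations(SAMPLE_LOG, "10.0.0.23")
    for key, hits in ranked:
        print(hits, key)
    print("\n".join(block_rules(ranked)))
```

Ranking by hit count is what makes this usable when, as the post expects, there are "a bunch of them": the destination the machine keeps beaconing to stands out by repetition, and the rules are reviewed before anything is applied. Where the firewall logs resolved names, blocking the name rather than the address survives the address changing.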
#11, 08-03-2012, 09:48 AM
DRM, Super Moderator (joined Feb 2000; Member # 8; Spring Hill, TN; 35,575 posts; 1 blog entry)
Nothing working so far. Booting into safe mode still gets the screen.

Nothing gets past the screen.

Unplugging the internet only causes the screen to try and load - but never actually load... still can't get past that either.
-- DRM
#12, 08-03-2012, 09:50 AM
Registered User (joined Jan 2001; Member # 2741; Santa Rosa, CA; 2,093 posts)
Tried RKill yet? EDIT: You can't boot, so you can't try RKill...

Last edited by Schly; 08-03-2012 at 09:50 AM.
-- Schly
#13, 08-03-2012, 09:53 AM
Rock God (joined Nov 2005; Member # 57779; 1,404 posts)
Quote (Originally Posted by DRM):
Nothing working so far. Booting into safe mode still gets the screen.

Nothing gets past the screen.

Unplugging the internet only causes the screen to try and load - but never actually load... still can't get past that either.

You can't boot into safe mode command prompt? Must be a newer version.
-- nahmus
#14, 08-03-2012, 10:01 AM
DRM, Super Moderator (joined Feb 2000; Member # 8; Spring Hill, TN; 35,575 posts; 1 blog entry)
Quote (Originally Posted by nahmus):
You can't boot into safe mode command prompt? Must be a newer version.

Negative - attempting to boot to safe mode with command prompt ends up hanging, then eventually booting to regular Windows safe mode.
-- DRM
#15, 08-03-2012, 10:04 AM
Rock God (joined Nov 2005; Member # 57779; 1,404 posts)
OK, they must have a new version out. I was always able to boot into safe mode / command prompt.

I would just pull the drive and then install it in another machine and scan it with that machine. That should pull out enough to at least make the old drive bootable.
-- nahmus
#16, 08-03-2012, 10:06 AM
DRM, Super Moderator (joined Feb 2000; Member # 8; Spring Hill, TN; 35,575 posts; 1 blog entry)
Quote (Originally Posted by nahmus):
OK, they must have a new version out. I was always able to boot into safe mode / command prompt.

I would just pull the drive and then install it in another machine and scan it with that machine. That should pull out enough to at least make the old drive bootable.

It's a Windows XP machine that still has a floppy drive... How about I just go buy a new computer and quit wasting my time?

Seriously though - thanks for the tips guys... I just have to balance time/$$$ spent with going ahead and replacing an aging machine that was scheduled to be replaced before the end of the year anyway.
-- DRM
#17, 08-03-2012, 10:09 AM
Registered User (joined Sep 2007; Member # 99025; 360 posts)
Sometimes you can boot into safe mode and bring up the Task Manager right away before the other shit can load. Then stop the "explorer.exe" process. Use the File/Run option from the Task Manager to locate and delete the running file, or to run a utility like ComboFix to remove it.

If that doesn't work then you can try making it a secondary drive in another computer, then locate and delete the infection manually.
-- toyminator2000
#18, 08-03-2012, 10:10 AM
Disc brake guru (joined Jan 2004; Member # 25927; Northeast TN; 2,379 posts; 2 blog entries)
Oh, that's an easy one.... format and reinstall!
__________________
Dana 60 or 14 bolt disk brake kits $315 shipped
Dana 70 kits $300 . . Sterling 10.25 kits $390
Dana 60 front 3/4 ton kits $295 . . www.lugnut4x4.com
-- GubNi
#19, 08-03-2012, 10:10 AM
Registered User (joined Feb 2007; Member # 86685; hell; 2,025 posts)
Boot from a Linux live CD. Look at distrowatch.com or .org, whichever it is.
-- s10er8
#20, 08-03-2012, 10:14 AM
Granite Guru (joined Feb 2000; Member # 226; Yakima, WA; 4,102 posts)
Try the Kaspersky rescue disk. http://support.kaspersky.com/faq/?qid=208282173

If this is one of the ones that attacks the MBR and creates its own boot partition you are in for a painful recovery.

You can also try pulling the drive and connecting it to a known-good PC with a USB adapter to scan it offline. Be careful with this because you can infect the known-good PC; use a thrasher box instead of your main PC.
-- Ben W
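The offline-drive approach from posts #7 and #20 (pull the drive and look at it from a sacrificial box), as an added example that is not from the thread or any poster: a read-only triage script that walks the standard Windows XP profile layout on a mounted volume and lists recently modified executables in each user's Temp, Temporary Internet Files, Application Data and Startup folders. The volume it runs against is constructed in a temporary directory with made-up file names so the script runs anywhere; the mount point, the seven-day window and the extension list are assumptions.

```python
"""Triage an offline-mounted Windows XP volume for recently written executables.

Added example (not from the thread): the "pull the drive and scan it from a
clean box" approach, done as a read-only listing instead of blind deletion.
The profile paths are the standard XP layout; the sample volume, file names
and ages are constructed so the script runs on any OS without a real disk.
"""
import os
import tempfile
import time

# Directories under each XP user profile where user-launched malware commonly lands.
PROFILE_SUBDIRS = [
    os.path.join("Local Settings", "Temp"),
    os.path.join("Local Settings", "Temporary Internet Files"),
    "Application Data",
    os.path.join("Start Menu", "Programs", "Startup"),
]
# Extensions worth a look; assumption for the demo, extend as needed.
SUSPECT_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def triage_volume(mount_root, max_age_days=7, now=None):
    """Return [(relative_path, age_seconds)] for suspect-extension files modified
    within max_age_days under each profile's hot directories, youngest first.
    Purely read-only: nothing on the volume is opened or executed."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    profiles_root = os.path.join(mount_root, "Documents and Settings")
    hits = []
    if not os.path.isdir(profiles_root):
        return hits
    for profile in sorted(os.listdir(profiles_root)):
        for sub in PROFILE_SUBDIRS:
            top = os.path.join(profiles_root, profile, sub)
            # os.walk on a missing directory simply yields nothing.
            for dirpath, _dirs, files in os.walk(top):
                for name in files:
                    if os.path.splitext(name)[1].lower() not in SUSPECT_EXT:
                        continue
                    full = os.path.join(dirpath, name)
                    mtime = os.path.getmtime(full)
                    if mtime >= cutoff:
                        hits.append((os.path.relpath(full, mount_root), int(now - mtime)))
    hits.sort(key=lambda h: h[1])
    return hits


def build_sample_volume():
    """Create a constructed XP-like volume in a temp dir: a fresh .exe in Temp,
    a fresh .scr in the browser cache, an old .exe and a fresh .txt (both ignored)."""
    root = tempfile.mkdtemp(prefix="xpvol_")
    profile = os.path.join(root, "Documents and Settings", "office")
    now = time.time()

    def put(rel, age_days):
        path = os.path.join(profile, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"MZ placeholder")  # not a real executable
        ts = now - age_days * 86400
        os.utime(path, (ts, ts))

    # All names below are made up for the demo.
    put(os.path.join("Local Settings", "Temp", "flash_update.exe"), 0.5)
    put(os.path.join("Local Settings", "Temporary Internet Files", "Content.IE5",
                     "ABCD1234", "update[1].scr"), 1)
    put(os.path.join("Local Settings", "Temp", "setup_old.exe"), 40)
    put(os.path.join("Local Settings", "Temp", "notes.txt"), 0.1)
    return root


if __name__ == "__main__":
    vol = build_sample_volume()
    for path, age in triage_volume(vol):
        print(f"{age // 3600:5d}h  {path}")
```

It lists and never opens or executes anything, which is the point of doing this from a clean machine: the risk Ben W mentions comes from running or autoplaying files off the infected disk, so mount it read-only (a live CD does this for free) and act on the list by hand, starting with the youngest entries.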
#21, 08-03-2012, 10:44 AM
Granite Guru (joined Dec 2003; Member # 25458; Cincinnasti, OH; 585 posts)
Quote (Originally Posted by Ben W):
Be careful with this because you can infect the known-good PC; use a thrasher box instead of your main PC.

Curious, what is a thrasher box? I googled it but found nothing related....
-- CJeep77
#22, 08-03-2012, 10:49 AM
Registered User (joined Aug 2002; Member # 13412; Chawlston; 1,772 posts)
Have you tried calling the FBI?
__________________
Elitist Know-It-All
-- DieLucas!
#23, 08-03-2012, 10:49 AM
Newbie (joined Dec 2003; Member # 24935; 15 posts)
Is this the "Pay us or we will tell the cops you have kiddie porn" version?
If so, much of the data on the hard drive has been encrypted and no cleaning will fix it.
Did it say if you pay them they will give you a password?

We had a customer with this last month. The solution was format and restore from non-connected backups.

http://www.bleepingcomputer.com/forums/topic449398.html

Good Luck

Last edited by Typhoon; 08-03-2012 at 10:52 AM.
-- Typhoon
#24, 08-03-2012, 10:50 AM
Registered User (joined Feb 2007; Member # 86582; KS; 534 posts)
Quote (Originally Posted by CJeep77):
Curious, what is a thrasher box? I googled it but found nothing related....

See below.

Quote (Originally Posted by void_of_light):
If you have a sacrificial computer available you may try putting the infected hard drive in the other computer and scanning it that way. This could infect the other computer so use a computer that you can just format and reinstall when you're done.
-- BassnTruck
#25, 08-03-2012, 11:27 AM
Registered User (joined Feb 2007; Member # 86724; 5,916 posts)
Quote (Originally Posted by spork2367):
porn

*unless it was a middle-aged woman, then it was from an email attachment.

The guy that brought us the machine in with this straight told me he was looking at pron when it took over.

I just laughed; we do this about every 6 months 'cause he's a dirty old man, but he's honest about it.

As to the problem:

Kaspersky Rescue Disc.

That will kill the files and such, which will let you get back into Windows and unfuck its registry settings. It does do the typical nonsense of disallowing certain executables.

So I follow that up with RKill, just to make sure, then Malwarebytes to clean up the registry.
__________________
ko derf
-- 87manche