How to remove the FBI Ransomware malware?

Question

A computer in our household got hit by the FBI "ransomware" virus.

Here are details of what happened (Win 7 Home Premium):

• Family member was in a forum.
• AVG Free (which was up-to-date) warned of an attack.
• An Adobe Flash install popped up.
• Windows UAC popped up confirming Flash install.
• We answered No/Cancelled to each Flash install prompt. But it (and UAC dialog) wouldn't go away. Both would pop back up after clicking No or Cancel.
• We restarted the computer (Start -> Restart) without ever answering Yes to the Flash install. -On reboot the FBI Ransomware screen displayed and we were sunk.

We tried booting into Safe Mode but the ransom screen STILL appeared. Yes, even in Safe Mode.

Was hoping there'd be a list of instructions with quick steps for removing this virus. Thought I found it with How to remove FBI Moneypak ransomware? but that question was marked as a duplicate with redirect to How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC? which contains loads of general techniques for malware removal --many very involved and impractical if you're trying to get back up FAST. (If that's possible.)

Is there any set of instructions for what to do to remove this specific ransomware infection, including not being able to boot to Safe Mode?

Answer 1

Download KAV Rescue Disc and either burn to disc or use a program like UNetBootin to install it to a USB drive.

What this is:

Kaspersky's own Anti-Virus LiveCD that runs on a specially built *nix that will allow you to run a scan and removal service free from Kaspersky.

Personally, I have used it many times with great success.

Any questions, please ask.

Answer 2

I'm posting an answer to my own question (per http://blog.stackoverflow.com/2011/07/its-ok-to-ask-and-answer-your-own-questions/) because, in the end, I stumbled upon a slick way to get the FBI Ransomware off my machine. Maybe this will help someone else out.

Summary of steps:

1. From a powered-off state, turn on your machine. Wait for the Windows logo animation to appear, power off in the middle of Windows starting up.
2. Power machine back on. Hope bootup message appears telling you Windows failed to start properly. Answer Yes if it asks if you want to attempt to fix the problem.
3. Give it a few minutes. Hope Windows asks you if you want to return to a previous Restore point. Answer Yes.
4. Wait (a long time) for the restore to complete. With luck, Windows will reboot to your normal desktop.
5. Download, install and run Malwarebytes in "quick" mode (http://www.malwarebytes.org/) to remove infected files.

Details:

I was in the process of attempting to create a Windows Defender Offline boot disk on another machine. I'd also gotten a suggestion to run Malwarebytes from our IT group at work. But that assumes you can boot your machine in order to run Malwarebytes.

I still couldn't believe that I was unable to boot into Safe Mode. So I gave that another try. The machine is a DELL and I missed pressing F12 in time to cause the Windows boot option menu to appear. The Windows 7 graphics were appearing and there was no sense booting back to the virus, so I powered off in the middle of the Windows logo animation.

I powered right back on. This time I got a prompt telling me Windows failed to restart properly and did I want to attempt to solve the problem? I answered yes. After a minute or two I was prompted with the option to return to a restore point. I answered yes. After maybe an hour of a DOS-style progress indicator moving across the screen, Windows rebooted and the virus was gone.

The restore point was one Windows had created. We've never created one manually on the machine. I wasn't prompted to select a restore point, so I don't know what would happen if the restore point included the virus.

In my case, the above steps that I lucked into removed the virus quickly and easily without having to bring any other utility or boot disk into play.

Final note: After getting back into Windows, I ran Malwarebytes and it found two files infected with Trojan.Winlock. Based on googling that, it looks to be consistent with ransomware viruses.

Answer 3

The easiest way I have found to remove the FBI ransomware is to power down your machine and remove the hard drive. Using one of the many different USB adapters available connect it to a machine that has an updated version of Malwarebytes installed. Once the second machine detects your drive open up My Computer from the start menu. Locate your hard drive in the list and right click, then click scan with Malwarebytes. This usually finds the virus/malware and removes it.

Answer 4

I've actually found a way that's quite useful for removing this virus. I noticed that sometimes, the FBI screen takes a little bit of time to pop up. In that time, the command prompt was showing a path to a strangely named .exe file. By starting the computer up from a bootable cd (I used Hiren's Boot CD), I was able to navigate to the file previously mentioned and delete it.

I've noticed that sometimes the file is stored in the 'My Documents' folder (ie C:\Users\USERNAMEHERE\My Documents). Other times I've noticed it in different locations (C:\Users\USERNAMEHERE\AppData\Local\Temp).

So I'd recommend taking a look in some of those folders and maybe even others as I've seen a few variations of the virus. Once that file is deleted, install Hitman Pro, restart, run a full scan as administrator. I also use Malwarebyetes, Super Anti-Spyware, and SpyBot just to make sure there aren't any remnants.