FBI Virus aka FBI Moneypak Ransomware Virus

I heard about this virus a few weeks ago and we got our first drop off in the shop today with a computer with this virus. Just wanted to see if anyone has learned any lessons or tips for removing this. I've read to start off in safe mode with networking and start the virus removal from there. But I figured it would be wise to start a thread for all of us to learn the best way to deal with this virus.
 
No need to start a new thread for this virus, because there are many available already if you use the search function.
 
The site search will take out FBI because it is so short, so use the Google search to search the site and you get plenty of results on how to take care of the FBI virus.
 
I had a friend catch this particular one & I was shocked at how easy it was to remove. IIRC, I just booted into safe mode, ran rkill, then Malwarebytes. MBAM only found one threat... removed it, all was good.

Easy...
 
I actually dealt with one of these last night. I ran ComboFix, which didn't get rid of it, then ran MWB on a full scan, which found 4 trojans, but that didn't fix it either. So I did some searching and actually had to remove some weird-named folders and files in %appdata% in safe mode, then went into the registry and removed some lowercase run and runonce stuff in HKLM and HKCU. The system seemed to be working fine after that.

- Joshua
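As an added example, not code from any poster in this thread: a PowerShell script that lists the Run and RunOnce autostart values under HKLM and HKCU that Joshua's post refers to, and flags entries whose executable lives under %APPDATA%, %LOCALAPPDATA% or %TEMP% or no longer exists on disk, so the odd entries can be reviewed before anything is deleted. It assumes an elevated PowerShell session on the affected machine (Safe Mode is fine); the function and variable names are my own.

```powershell
# Added example: report suspicious Run/RunOnce autostart entries.
# Assumption: run as Administrator on the affected Windows system.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# User-writable folders where the thread says the dropped files were found.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-SuspectRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $raw = [string]$item.GetValue($name)
            # Expand %VAR% references, strip quotes, keep only the executable path.
            $cmd = [Environment]::ExpandEnvironmentVariables($raw).Trim()
            if ($cmd.StartsWith('"')) { $exe = $cmd.Split('"')[1] }
            else { $exe = ($cmd -split '\s+')[0] }
            $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
            $inUserDir = $suspectRoots |
                Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            [pscustomobject]@{
                Key        = $key
                ValueName  = $name
                Command    = $raw
                Executable = $exe
                Exists     = $exists
                # Flag anything launched from a user-writable folder or pointing
                # at a file that is already gone (a typical leftover after cleanup).
                Suspect    = [bool]$inUserDir -or -not $exists
            }
        }
    }
}

# Report only. Once an entry is confirmed bad, remove it by hand with:
#   Remove-ItemProperty -Path <Key> -Name <ValueName>
Get-SuspectRunEntries | Where-Object Suspect | Format-Table -AutoSize
```

Legitimate software occasionally autostarts from %APPDATA% too, so treat the flagged rows as a review list rather than a delete list.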
 
Kaspersky's rescue CD has a function called WindowsUnlocker which is meant to fix the registry from ransomware (note it doesn't touch the files; that's the main scan).

I've not used it, as I'm not a big fan of rescue CDs; I like to work on a live system. But if it was ever really locked down, it sounds like a quick way to get into a system to continue work as normal.
 
D7 would have led you to find this much quicker. You should check it out: www.foolishit.com
 