
Sunday, July 1, 2012

Remove FBI MoneyPak Ransomware (Uninstall Guide)

Ransomware is on the rise again, no doubt about that. Cyber security experts’ predictions were correct. Apparently they know this stuff very well. Seriously, you have to respect them. They also said that ransomware will probably hit smartphones too. We haven’t seen any of these yet, but it’s probably just a matter of time.

Anyway, today we’re looking at the FBI MoneyPak virus, or Trojan if you like. Most people nowadays don’t really know how to properly describe malware. I don’t know what it is, so let’s just call it a virus. Education is the key, guys, especially when it comes to PC security. So, let's make things crystal clear. If your computer screen is filled with an FBI warning page that claims you have to pay a $100 fine, you’re infected with ransomware. It’s not a virus. It can’t delete your files or infect .doc files.



Most of the time, ransomware locks up the user’s desktop and disables Task Manager and other system utilities to avoid termination. However, FBI MoneyPak ransomware takes it to an entirely new level by adding a little video recording square in the top right corner of the fake FBI warning page. It is supposed to be your built-in web camera. The funny thing is that this little square shows up even if your laptop doesn’t have a built-in camera.



We have to admit that FBI MoneyPak is a very convincing-looking scam/fraud. It has the official FBI logo at the top and lists the victim’s IP address, location, and the name of your ISP. The fake warning claims that your PC has been locked by the FBI because you downloaded or distributed copyrighted material or viewed child pornography. Creepy, isn’t it? Now, if you don’t pay the fine you will go to jail. What is more, you have only 72 hours to buy a MoneyPak cash top-up card from Walmart or Kmart.



Cyber crooks are truly imaginative guys, aren’t they? Most people start to panic when they see such fake FBI warnings. You can’t let anyone know this happened; otherwise you could get arrested or, even worse, end up with a criminal record or be listed as a registered sex offender. Let’s imagine this happens at work. Would you tell your colleagues about it? Probably not. And this scheme really works. Cyber crooks want you to act immediately, on your first impulse. I know it’s cruel, but it works. Most importantly, don’t panic. Take a deep breath and think about it for a second. If you had done either of those things, the punishment would probably be drastically more dire than a simple $100 fine, right? Just don’t fall for the scam.

FBI MoneyPak virus removal is relatively easy for anyone with above-average computer skills. This ransomware doesn’t inject into explorer.exe. It injects into iexplorer.exe and downloads additional files from remote web servers. It makes numerous modifications to the system. The virus actively monitors Task Manager and loads a newly created desktop with the fake FBI warning. Please note, there is no restore operation, so the desktop will never be reverted to its previous state. That means that even if you pay the ransom, the fake FBI warning won’t go away.

FBI MoneyPak ransomware is distributed using the Blackhole exploit kit. Simply visiting an infected website is enough to trigger this exploit kit, which will download a malicious DLL file onto your computer.

This ransomware downloads the fake warning from the internet, so if you simply unplug your network cable and manually turn your computer off, the virus won’t show up after the reboot (at least it shouldn’t). Another way to remove the FBI MoneyPak virus is to reboot your computer in Safe Mode and remove the malicious registry keys and files manually. One way or another, you MUST scan your computer with legitimate anti-malware software to properly remove this ransomware and its remnants. By the way, Kaspersky or Dr.Web rescue CDs should work just fine in this case too.

To remove FBI MoneyPak ransomware from your computer, please follow the steps in the removal guide below. If you need extra help removing this malware, please leave a comment below. Good luck and be safe online!

http://deletemalware.blogspot.com

Guide Updates:

08/17/12 - Cyber crooks have changed payment methods.



Now, the payment should be delivered through Ultimate Game Card instead of Green Dot MoneyPak. It still remains unclear whether they made a permanent switch to this service or not. So, from now on it's the FBI Ultimate Game Card ransomware scam rather than MoneyPak. The Ultimate Game Card service is powered by paybycash.com. It allows you to pay for thousands of online games without requiring personal information. This service is legitimate. Anyway, we think most people will find this odd, because we can hardly imagine that the FBI would actually choose Ultimate Game Card as their official finance partner.

Another variant of the FBI ransomware, FBI Anti-Piracy Warning:



One more thing: FBI virus, FBI MoneyPak scam or whatever you want to call it, it's just a name and it doesn't represent the same malware all the time. There are at least four different malware groups that use fake FBI or Police virus warning messages, and they all have the same goal: to trick you into buying a MoneyPak card. However, technically speaking they are not the same. They all operate in slightly different ways, so I'm afraid there's no easy one-click removal solution at the moment.

Known FBI MoneyPak virus/ransomware variants:

1. Stays inactive in Safe Mode
2. Stays inactive in Safe Mode with Command Prompt, but works perfectly fine in Safe Mode and Safe Mode with Networking.
3. Remains active in Safe Mode, Safe Mode with Networking and Command Prompt.

Below you will find a few useful suggestions on how to disable and remove this virus from your computer. Choose the removal instructions according to the variant of the virus you have on your machine.


Method 1: FBI MoneyPak ransomware removal instructions using System Restore in Safe Mode with Command Prompt:

1. Unplug your network cable and manually turn your computer off. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key.



2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears you have a few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the FBI MoneyPak ransomware will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer you can now browse to:
  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
5. Follow the steps to restore your computer to an earlier date.

6. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of FBI MoneyPak virus.


Method 2: FBI MoneyPak ransomware removal instructions using System Restore in Safe Mode:

1. Power off and restart your computer. As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press the Enter key.


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.

2. Once in there, go to the Start menu and search for "system restore". Or you can browse to the Windows Restore folder and run the System Restore utility from there:
  • Win XP: C:\windows\system32\restore\rstrui.exe double-click or press Enter
  • Win Vista/7/8: C:\windows\system32\rstrui.exe double-click or press Enter
3. Select Restore to an earlier time or Restore system files... and continue until you get into the System Restore utility.

4. Select a restore point from well before the FBI virus appeared, two weeks should be enough.

5. Restore it. Please note, it can take a long time, so be patient.

6. Once restored, restart your computer and hopefully this time you will be able to log in (Start Windows normally).

7. At this point, download recommended anti-malware software (direct download) and run a full system scan to remove the FBI MoneyPak virus.


Method 3: FBI MoneyPak ransomware removal instructions using MSConfig in Safe Mode:

1. Power off and restart your computer. As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press the Enter key.


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.

2. Once in there, go to the Start menu and search for "msconfig". Launch the application. If you're using Windows XP, go to Start, then select Run... Type in "msconfig" and click OK.

3. Select the Startup tab. Expand the Command column and look for a startup entry that launches a randomly named file from the %AppData% or %Temp% folders using rundll32.exe. See the example below:

C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1

4. Disable the malicious entry and click OK to save changes.

5. Restart your computer. This time Start Windows normally. Hopefully, you won't be prompted with a fake FBI screen.

6. Finally, download recommended anti-malware software (direct download) and run a full system scan to remove the FBI MoneyPak virus.


Method 4: Manual FBI MoneyPak ransomware removal instructions in Safe Mode (requires registry editing):

1. Unplug your network cable and manually turn your computer off. Reboot your computer in "Safe Mode". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press the Enter key.


NOTE: Log in as the same user you were previously logged in with in normal Windows mode.

2. When Windows loads, open up the Windows Registry Editor.

To do so, go to Start, type "registry" in the search box, right-click Registry Editor and choose Run as Administrator. If you are using Windows XP/2000, go to Start, then Run... Type "regedit" and hit Enter.

3. In the Registry Editor, click the [+] button to expand the selection. Expand:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run



Look on the list to the right for a randomly named item. Write down the file location. Then right-click the randomly named item and select Delete. Please note that in your case the file name might be different. Close Registry Editor.

In our case the malicious file (pg_0rt_0p.exe) was located in the Application Data folder. So, we went there and simply deleted the file. We're running Windows XP.

File location: C:\Documents and Settings\Michael\Application Data\



If you are using Windows Vista or Windows Seven, the file will be located in the %AppData% folder.

File location: C:\Users\Michael\AppData\Roaming\

Finally, go into the Windows Temp folder %Temp% and click Date Modified so the newest files are on top. You should see an exe file, possibly named pg_0rt_0p.exe (in our case it was exactly the same), but it may be different in your case. Delete the malicious file.

One more thing: check your Programs\Startup list for the following entry:

[UserPATH]\Programs\Startup\ctfmon.lnk - C:\Windows\system32\rundll32.exe pointing to [UserPATH]\Temp\wpbt0.dll,FQ10 (or FQ11)

In our case it was ctfmon.lnk pointing to a malicious file which then loads the fake ransom warning. Please note that in your case the file name might be different, not necessarily ctfmon.lnk. Simply disable or remove (if possible) such an entry and restart your computer.

4. Restart your computer into "Normal Mode" and scan the system with legitimate anti-malware software.

5. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of FBI MoneyPak virus.
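As an added example that is not part of this guide (nor of any tool it recommends), here is a read-only PowerShell triage of the autostart locations Methods 3 and 4 walk through by hand: the Run/RunOnce registry keys and the Startup folder shortcuts. It flags entries that launch from %AppData%, %Temp% or ProgramData, rundll32.exe loading a DLL by export name (the `regepqzf.dll,H1N1` and `wpbt0.dll,FQ10` pattern above), and Windows binary names sitting outside the Windows folder (commenters below found lsass.exe in C:\ProgramData and msconfig.exe in a Temp folder). The folder list, the name list and the regular expression are my assumptions drawn from the examples on this page, not a signature for this malware. It needs PowerShell available in Safe Mode (built into Vista/7; XP needs it installed) and deletes nothing, so you can write down the file location first, as the guide says.

```powershell
# Added example, not part of the blog's guide: read-only triage of the autostart
# locations that Methods 3 and 4 inspect by hand (Run keys and the Startup folder).
# Run from an elevated PowerShell in Safe Mode. It lists and flags; it deletes nothing.

# Folders a legitimate autostart entry rarely runs from, but which this ransomware used
# (Application Data / AppData\Roaming, AppData\Local\Temp, %Temp%, ProgramData). Assumption.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, "$env:windir\Temp") |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

# Windows binary names that fake-FBI droppers on this page borrowed (lsass.exe, msconfig.exe,
# ctfmon); legitimate copies live only under the Windows folder. List is an assumption.
$systemNames = @('lsass.exe', 'msconfig.exe', 'ctfmon.exe', 'svchost.exe', 'explorer.exe')

function Get-SuspicionReasons {
    param([string]$Command)
    $reasons = @()
    if (-not $Command) { return $reasons }
    # Expand %AppData%-style variables so commands written with them are matched too.
    $c = [Environment]::ExpandEnvironmentVariables($Command).ToLowerInvariant()
    if ($suspectRoots | Where-Object { $c.Contains($_) }) {
        $reasons += 'runs from a user-writable profile/temp folder'
    }
    # Method 3's pattern: rundll32.exe <path>\random.dll,ExportName
    if ($c -match 'rundll32(\.exe)?\s+\S+\.dll,') {
        $reasons += 'rundll32 loading a DLL by export name'
    }
    foreach ($n in $systemNames) {
        if ($c -match ('\\' + [regex]::Escape($n)) -and -not $c.Contains($env:windir.ToLowerInvariant())) {
            $reasons += "system binary name '$n' outside the Windows folder"
        }
    }
    return $reasons
}

$findings = @()

# 1) Registry Run / RunOnce keys (Method 4 looks at the HKCU Run key in regedit).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
        $findings += [pscustomobject]@{
            Location = $key; Name = $p.Name; Command = [string]$p.Value
            Flags    = (Get-SuspicionReasons ([string]$p.Value)) -join '; '
        }
    }
}

# 2) Startup folder shortcuts (the ctfmon.lnk -> rundll32 ... wpbt0.dll case in Method 4).
$wsh = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
        $sc  = $wsh.CreateShortcut($lnk.FullName)
        $cmd = ("{0} {1}" -f $sc.TargetPath, $sc.Arguments).Trim()
        $findings += [pscustomobject]@{
            Location = $dir; Name = $lnk.Name; Command = $cmd
            Flags    = (Get-SuspicionReasons $cmd) -join '; '
        }
    }
}

# Flagged entries first; everything else follows so nothing is hidden from the reader.
$findings | Sort-Object @{ Expression = { $_.Flags -eq '' } }, Location | Format-Table -AutoSize -Wrap
```

Treat a flag as a reason to look, not as proof: some legitimate updaters do run from AppData. What you want from the report is the full path of the randomly named file, which is the value the guide tells you to write down before deleting the registry entry and the file in Safe Mode, followed by the full anti-malware scan.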

FBI MoneyPak Ransomware video:


To learn more about ransomware, please read Remove Trojan.Ransomware (Uninstall Guide).


73 comments:

jussef said...

thx bro for the fix

Anonymous said...

the restore fixed it, thanks, I was scared as hell...was deleting all my files, and software that I had downloaded from the internet.....lol using windows 7.

Anonymous said...

I can't restore I need other options....... Can someone pls help

Terry Feil said...

I have clicked F8, and can't get to the boot menu to fix the problem, whatever I click on makes the computer boot windows as normal, which doesn't fix the problem

Anonymous said...

Thanks for the fix! The files weren't exact but was able to figure out with your guideline! Thanks a TON. Using windows 7

Anonymous said...

I have Windows XP and I was confused on what you said to write down & I didn't write the right address & I cannot find the file to delete it. Please help.

Anonymous said...

Awesome, great instructions. Thanks much.

Anonymous said...

This scared the hell out of me this morning. I thought I accidentally clicked on some nasty porn at some point in time, but I asked a friend and he said it was a fraud and now I'm reading this and I'm extremely relieved.

Anonymous said...

this thing seems to be evolving. i have now run across a version that will not allow me into task manager or the registry editor..

Anonymous said...

I'm not able to go into safe mode or safe mode with networking and get a browser. I get the same fbi moneypak message in safe mode with networking. in safe mode i get a page will load in 30 seconds please wait. any suggestions?

Anonymous said...

My Windows Vista doesn't have a C:\windows\system32\rstrui.exe file.
With the other option the computer locks up:
"Page is loading, please wait. This may take up to 30 seconds."

Anonymous said...

Same issues here!

Alan Montcalm said...

locked out using windows 7 home edition just as anonymous...wait 30 seconds. Suggestions?

Anonymous said...

It worked for me thanks

Anonymous said...

I used my System Restore to go to an earlier version before the virus attack. After which, I ran a full system scan with my virus protection. So far, so good.

Imac said...

I had this malware show up and took my computer to "The Geek Squad", a local computer service center. When I retrieved my computer it appears the computer was set back to its factory condition. My Office program is gone and all my Outlook and document files. They did not do a backup, I was told. Can I, and how can I, recover my Office program, Outlook files and my documents? Please, please help.

Mitch said...

I got hit with this Ransomware yesterday. I lost all control and could not use the regedit tool, could not regain windows, and could not set the computer back to an earlier safe date.
Finally regained control of registry edit by burning a malware disk on another computer (Kaspersky Rescue Disk) and rebooting to read from the disk. The disk scan found nothing (downloaded file was not updated for this malware) but the register edit function let me find the offending file and to delete it.

Then rebooted to Windows from the hard drive and immediately updated Kaspersky and ran it to find one more remnant. Then used free version of HitmanPro from a USB drive to run a scan and found another remnant (each program found one copy in various directories). Running a final scan with Rogue Killer, but no nefarious hits. I am back in business--but what a chore.

Anonymous said...

First of all, Geek Squad isn't local, it's Best Buy's tech service center. Second of all, the easiest way to remove a virus is to wipe the system and reinstall the OS, in which case, your programs need to be reinstalled manually. This is the common solution.

Anonymous said...

You just saved my husband a serious flogging!!! Thank you, thank you, thank you for this very detailed walk-through of how to get rid of this crap.

KL Noe said...

The system restore worked perfectly for me. Thanks for saving me the money and headache of having to take it to a pro.

Anonymous said...

You just saved my wife her weekly whipping. I suppose there's always another Wednesday, though.

Maulichenko said...

I was almost leaving my place to get some help before I finally found this blog. I went through Safe Mode with Command Prompt and restore the system to the earlier day. It worked! Thank you very much.

PS: I use Windows 7 Home Edition.

Anonymous said...

It seems to be working now. The only difference is I used Windows accessory to restore cause the command line would not work for me.

I wish there are more and more Great people like you are. And wish you the best.

Anonymous said...

Excellently written instructions and good information. System restore worked very well.

Anonymous said...

I used the reboot instructions for vista and it worked great.

Thanks

Anonymous said...

I say we find who did this and uhh how should I say Scare the living hell outta them! LOL No physical violence of course, I would never endorse that.

This is total BS and very cruel. You just don't scare ppl like this.

Gdomasky said...

WELL! It's a bit different for me, but I am GLAAAAAAD to have found this site!

It didn't have a video recording box, so i guess it's smart enough to see if your comp has one connected.

Also, I was torrenting a game (yeah, illegal, I know) at the time, so when I came back after an hour and saw the FBI logo, I was a bit psyched out. All I've done so far is restart my computer without internet connection, so let me go meddle with these bastards' file. More later if I've failed.

Anonymous said...

Excellent help tutorial. I found the file in appdata\roaming in the user folder. It's kind of easy to find if you look for the exe files with the same date that your computer started to show the fbi message. Thanks for the help.

Anonymous said...

You are smart!!! I thought there was no way to fix it without reinstalling windows...Thanks a lot.

j. said...

I tried to follow the steps you suggested. I went to the registry and at the end of the path you indicated C:\......\currentversion\run I found a file ce078c46.exe which I deleted.

I looked up the path it indicated but I did not find it. I then made a search on any file with that name and found one with that name which I deleted.

The next step relative to the msconfig command, I didn't find anything that looked like it needed to be deleted, nor did I find anything in the \Temp folder. Should I have found something in that folder?

I am currently running a full malware scan and I will connect it to the internet next.

Anonymous said...

You're hella generous. Thanks for sharing the info!

Anonymous said...

Thanks, reverting to an earlier date worked. I just typed the direct prompt into the prompt box. I feel skilled now even though that solution was total noob status

Anonymous said...

Thank you! System restore completely removed it, so easy!

Michael Owen said...

Thanks man. You saved my brother's laptop. It looked a bit different from the images you posted here, but it worked the same. By the way, the fee charged on the lock was $200.

Anonymous said...

i tried with Power Eraser on my Norton but it wouldn't work. Norton said i had to buy a 100 dollar kit. I went instead to system restore on home vista and it worked fine.
Norton should have a block for this virus, as common as it is. thanks for the help

Gene said...

I think this malware has been recoded to make it more difficult to remove. My brother got this a few days ago with the demand for $200. We tried both the removal methods outlined above. Couldn't get into the registry editor. Then removed the boot drive from his system and installed as a slave drive into an uninfected system. Successively ran Avast and Malwarebytes on the infected drive. Each removed between 40-50 infected files. When the cleaned drive was reinstalled in his system, Windows would boot but the desktop would not display. Attempts to repair the Windows 7 installation were unsuccessful so we ultimately reinstalled Windows and all the apps. What a nightmare!

Anonymous said...

Very nice...These instructions were successful for a Windows 7 computer running in Safe mode. The location of the registry entry was the same as specified here. The infected file was /appdata/local/temp/msconfig.exe which differs from the example. Deleting the registry entry for msconfig.exe and then deleting the file from the ../temp folder worked. Many thanks....

Anonymous said...

Thanks a lot!! worked like charm!!
File name was not the same as pointed out by you.. but was able to apply the fix..

Anonymous said...

Thx very much. My ppls would've killed me if dat was what really happend. Thx

Anonymous said...

I had PCtools spydoctor. It not only didn't stop the virus, after scanning it couldn't even identify I had a virus. After their tech's "help" the program said it was removed, well, it wasn't. Finally their techs admit the software doesn't work, but they're working on improving it. As long as this virus has been around and they can't admit upfront their product doesn't work and won't as yet.

Anonymous said...

"What is more, you have only 72 hours to buy MoneyPak cash top-up card from Walmart or Kmart."

How is it that these cards are allowed to be sold if their sole purpose is for paying scam artists?

Anonymous said...

THANK YOU for rstrui.exe; this removed this trojan!

In my case, the bad file was:

Directory of C:\ProgramData

11/02/2012 07:03 AM 44,544 lsass.exe

Directory of C:\Users\All Users

11/02/2012 07:03 AM 44,544 lsass.exe

The TOD matched when I got infected. This .exe s/not be in these folders, it should only be here:

Directory of C:\Windows\System32

11/16/2011 11:36 PM 22,528 lsass.exe

Anonymous said...

Found the culprit(s) while running from SafeMode on XP. The regedit showed an application called SHELL and it was located in DocSettgs/John/AppData/wlshjkhe.
Before i deleted that i went to that Applications Data folder and in addition found three other randomly named files FROM THE SAME DATE (yesterday). Deleted those four then went back to regedit to delete the Shell. Worked like a charm. After a couple hours of scanning and searching for answers, your fix worked in 5 minutes. You are a life saver. We should send you a Moneypack! lolz

Anonymous said...

i knew this crap wuz a scam at the start i mean it had horrible grammar:
pay 200$ wtf horrible grammar and they misspelled a word

Anonymous said...

After I was infected w/this FBI moneypak trojan, and until I ran rstrui.exe,
I was getting this at every boot (3x):

Error 11/2/2012 7:06:14 AM Eventlog 1101 Event processing

Log Name: Security
Source: Microsoft-Windows-Eventlog
Date: 11/2/2012 7:06:14 AM
Event ID: 1101
Task Category: Event processing
Level: Error
Keywords: Audit Success
User: N/A
Computer: xxx
Description:

##################################
Audit events have been dropped by the transport. 0
##################################

Event Xml: (tags lost in extraction; only these values survived) 1101 0 2 101 0 0x4020000000000000 40050 Security xxx 0

A PROCMON trace or an active Task Recorder, and possibly
NETMON, would have shown what this was (probably bogus lsass.exe)!


Note that the bogus screen did NOT appear until an Internet connection was established,
so even if it was collecting data (I saw 5 DSNs and 2 DIRs updated during this time B 4
rstrui.exe), it had no way to transmit it. Further, using dial-up, that slowed down any
transmissions a thousand-fold. Just another reason to NOT auto-connect to the Internet
during boot, especially with a fast speed.

In a way, I have to thank this trojan. It made me move to ONLY surfing the 'Net via
the GUEST LID, and to increase my tracking defenses.

theinfluencer said...

This is very profile dependent. If you can log in to the administrator account, create another user (call it whatever you'd like). Restart the PC and log in with the new ID, then your documents and settings to that ID.

Run your virus scanner or malwarebytes again.

Anonymous said...

...but since Permissions is needed anyway (to block external drives, whether or not a password is used), why not just use the pre-defined GUEST LID (turn on) which has the least allowances and, as u said, re-do your profile,etc settings...

Add'l info:

In "normal" (ie: UN-infected) boots, this always occurs:

Information 11/2/2012 7:06:12 AM Microsoft Windows security auditing. 4608 Security State Change
Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.


. they CLEVERLY call themselves what Windows just reported on, and tho it's NOT from Security, it's similar & near enough, so a person may ASSUME, tho it's an Error event, that THEIR infected event entry is just part of a "normal" Windows boot !!! :(

Anonymous said...

Mine said 300$...... just ran system restore so far so good. Thanks a lot!^_^

Anonymous said...

Ran System Restore, deleted registry items, ran four different antispy antivirus softwares and this morning Bogus FBI is back! Surely a top level MS programmer can defeat these Romanian hacker criminals??

Anonymous said...

this thing starts really fast but you can stop it if you restart your computer during boot and run startup repair. im not sure the exact details of what i accomplished by doing this, but after running startup repair and logging on normally(no need to system restore if u dont use it like me), the virus didnt run as intended. on windows 7 it tried to install a new driver for some unknown hardware which i think was somehow linked to it. but otherwise no more hijacking. computer runs well enough to install malware bytes and am currently running the scan. hope this helps somebody out.

Walcon said...

Thanks for the fix...Great to see people such as you take the time to provide these important instructions, well done!

Anonymous said...

Once AGAIN, ANOTHER reason-as if there weren't enough already, Microsoft consistently shoots itself in the foot with its terrible O.S., to make the switch to LINUX.

A large number of stable, fast, INTELLIGIBLE, virus resistant versions of Linux are available (eg Mint, Ubuntu, Suse?, Fedora) ALL FREE and ALL much simpler and much more SECURE than Windows.

Anonymous said...

THE SYSTEM RESTORE WORKED! Windows 7 by the way.

Anonymous said...

Ok so been thru these instructions, what happens when it does come back and you start getting dll errors cause it wiped registries? My advice: wipe out hard drive, reload OS.

Anonymous said...

How do you remove the virus on a kindle fire? Or any tablet?

Anonymous said...

Wish I came across this a little earlier. I restored my laptop back two weeks, however I am receiving a white screen after reboot. I'm assuming my whole laptop is now infected?

Unknown said...

If you don't get the option to reboot in safe mode with F8 and are unsure as to what your PC's specific hotkey for this is, boot your computer to the login screen then hold down your power button until the PC shuts off. This improper shut down will give you the option to reboot in safe mode when you turn it back on.

I did this, then a quick scan and removed the bulk of it, rebooted back to regular windows and cleaned up the rest manually.

Good luck!

Anonymous said...

My laptop was attacked by the moneypack ransomware late tonight. I tried to reboot using safe mode unsuccessfully. Kept going back to the frozen "FBI" warning. Tried getting on in safe mode with command prompt. I was able to somehow get onto the system restore, following your instructions above. It worked perfectly, got back to my desktop and am now running my anti-virus scan then will do the direct download above to remove any remnants of the virus. I am SO grateful for your help! I have a Windows 7 operating system, and am only moderately adept at the computer, but went very slowly and carefully and followed your directions. Thank you again.

Anonymous said...

Hi I received this wonderful virus yesterday. I tried to go in safe mode but cannot. Nor safe mode w/command prompt. I found a way to system restore by clicking "Repair your computer". It made me log in, then i was taken to a list of repair choices to include system restore. I have run it several times and I get the message that system restore did not complete successfully. I also did as you initially said. I disconnected the internet from the modem and rebooted which did not change anything. Please help!!!

Anonymous said...

I have a variant where I cannot get into Safe Mode with Command Prompt. After logging in, it just logs out. Here's how I fixed it:

1) safe mode with command prompt

2) log in to the account you were using when you got infected.

3) IMMEDIATELY start hitting ctrl-c like mad. This will kill the command prompt window before the virus can get a hold of it.

4) ctrl-alt-del, then "new task"

5) cmd /d (This starts a command prompt WITHOUT trying to autorun the virus)

6) regedt32 (start your registry editor)

7) navigate to hkey_current_user\software\microsoft\command processor and find the "autorun" key. The value to the right of it is where the virus is.

8) Switch to your CMD window and DEL your virus file.

9) Switch back to your registry window and delete the "autorun" key.

10) There is probably another pointer to the (deleted) virus in HKCU/Software/Microsoft/Windows/CurrentVersion . Delete it.

11) Navigate to HKCU/Software/Microsoft/Windows NT/CurrentVersion/Winlogon and look at the "Shell" key. The value may be: cmd.exe , which would boot you to a black CMD window. Change this value to: explorer.exe so you will reboot into your normal looking windows.

12) Reboot as normal. You should log in fine. Run your antivirus software.
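The two persistence points named in the comment above (the Command Processor AutoRun value and the Winlogon Shell value) can be checked against their stock defaults from PowerShell. This is an added example, not the commenter's procedure or the blog's; the expected values are my assumption of a clean Vista/7/XP install (HKCU Shell and both AutoRun values absent, HKLM Shell set to explorer.exe, Userinit set to userinit.exe under System32), and the script only reports, it changes nothing.

```powershell
# Added example (not from the blog or its commenters): read-only comparison of the
# Command Processor AutoRun and Winlogon Shell/Userinit values against stock defaults.
# Run from an elevated PowerShell, e.g. one started via Task Manager > File > New Task.

# Expected defaults on a stock Windows install (assumption). $null means "should not exist".
$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Command Processor';                  Name = 'AutoRun';  Expected = $null },
    @{ Key = 'HKLM:\Software\Microsoft\Command Processor';                  Name = 'AutoRun';  Expected = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expected = $null },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expected = 'explorer.exe' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Expected = "$env:windir\system32\userinit.exe," }
)

function Get-WinlogonFinding {
    param([hashtable]$Check)
    # -ErrorAction SilentlyContinue: a missing value yields $null instead of an error.
    $item   = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { [string]$item.($Check.Name) } else { $null }

    if ($null -eq $Check.Expected) {
        # Values that only exist when something added them (a per-user Shell override,
        # an AutoRun command run by every cmd.exe) are suspicious simply by being present.
        if ([string]::IsNullOrEmpty($actual)) { $status = 'OK (absent, as expected)' }
        else                                  { $status = 'SUSPICIOUS (value should not exist)' }
    } elseif ($actual -and ($actual.Trim().ToLowerInvariant() -eq $Check.Expected.ToLowerInvariant())) {
        $status = 'OK'
    } else {
        $status = 'SUSPICIOUS (differs from default)'
    }

    [pscustomobject]@{
        Key      = $Check.Key
        Value    = $Check.Name
        Actual   = $actual
        Expected = $Check.Expected
        Status   = $status
    }
}

$checks | ForEach-Object { Get-WinlogonFinding $_ } | Format-Table -AutoSize -Wrap
```

The reason the commenter's `cmd /d` works is that the /D switch tells cmd.exe to skip the AutoRun value, so a prompt opened that way does not re-launch whatever the value points at. Once the file an AutoRun or Shell value referenced has been removed, the repair is the one the comment gives: delete the per-user AutoRun and Shell overrides and make sure the machine-wide Shell reads explorer.exe, then run the anti-malware scan.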

John Maring said...

OK... read and tried all the suggestions above. Even tried the "hit CNTL C like mad", to no avail. White ICE screen reappears upon reboot. Running Windows 7. Can get into Safe mode with internet unplugged, but not much else. Any suggestions?

David Chong said...

Thank you for the post. I managed to remove the FBI virus from the registry using Method 1 but with modifications. This way you don't have to worry about not being able to type faster than the virus.

First make sure the computer is not connected to the internet. Then use Method 1 Step 1 to boot up in Safe Mode with command prompt. When the command prompt window appears, close the command prompt window by clicking 'X'. Then it will go to blank screen in safe mode. Press CTRL + ALT + DEL to bring up the task manager and click "Task Manager". Task manager will load and click on FILE then NEW TASK(RUN), that's where you can type in the command to run the System Restore as pointed out in the blog.

Choose your restore point and let it run. Once the restore process is done, Windows should run properly. Download the software "RogueKiller" to remove the registry entry of the virus.

Thanks to the author of the blog without which I would not have recovered the computer.

Anonymous said...

This is a reason why Linux is on the rise ..one reason why I am making the switch .

Randy said...

Just a recent update on how I defeated this ransomware virus. It was really a combination of several suggestions.

First, my symptoms so you can compare. Mine was an NSA Ransom. It would not let me start Safe Mode, Safe with Networking, or Safe with Command Prompt. Reading through the comments I saw where repeatedly holding down CTRL and tapping "C" very quickly you could shortcut the Ransomware's hijacking of the Command Prompt. Note, I typed in my admin account name and started the CTRL+C action as soon as I hit "Enter". I did this for about 60 seconds and nothing seemed to happen, so I stopped and pressed CTRL-ALT-Delete all at once like one of the very last commenters said. Then when the task manager came up I selected "New Task". This opened my command prompt, into which I typed "cmd \d" Once in there I typed "%systemroot%\system32\restore\rstrui.exe" because I use Win XP and typing simply "rstrui.exe" didn't work. Did a system restore and regained control of my system. Afterwards I ran a full Malwarebytes scan several times. It did not catch all the infected files the first pass. The third pass it came up clean.

Randy

Admin said...

Thanks for sharing this Randy.

Robby Bower said...

This hit me at about one am and scared the hell out of me, I'm on a kindle fire so it didn't lock me out but I'm glad to see I'm not alone.

Anonymous said...

Was on kindle fire and got popup but my screen looked different. Is it still same virus

Cassandra said...

hi can someone please tell me how to remove this virus from my tablet? yeah it's a smart phone tablet whatever you'd like to call it and it's samsung....I wanted to know how i can remove this stupid virus from it?

Anonymous said...

cassandra, so far everyone seems to be saying the virus is a "Tablet Killer" .. that is your tablet is a paper weight now.... I see the problem in that tablets are running "android" and don't seem to even have a task manager which one can jump into... let alone a keyboard to type ctl-alt-del from

So I AM NOT HELPING. I am new to tablet computing but am somewhat of an old time expert hobbyist on MS Windows... I saw this virus years ago and simply deleted it every time then cleaned all my cookies... that was over two years ago and i still do nothing but delete my cookies to get rid of it (after killing the browser task it is in.)

But I am getting a lot of young friends with this crap on their tablets, they come to me the old guy all of a sudden now that no one else can help them.. but i aint shit on tablets or Android....
So now I am learning... and I want to say thanks to the guy who has this blog ... bookmarking..

the question is how come android does not have a task manager that you can get into with just a button push?... looks like a design flaw... if it is a design flaw you should sue the company...
lol

SantosCurser is bookmarking hope to talk again

Anonymous said...

My husband has an at&t samsung galaxy s4 that has this fbi warning on the screen. What do we need to do to fix his phone?

Admin said...

Tell him to clear his web browser cache and history. That should be enough.

Anonymous said...

ive looked everywhere and i need to know how to get it off my android phone

Anonymous said...

How would i remove the virus on my galaxy s4 smartphone