The only guide you need to remove the FBI virus from your PC

Sun, Sep 15, 2013 at 10:13 PM By: SuperTechMan

An aggressive ransomware campaign involving the so-called FBI MoneyPak virus (Reveton Trojan, Citadel, Trojan.Ransomlock.R) has been hitting computers since 2012 and still appears to persist despite several attempts by law enforcement agencies to shut down the black hat operation behind it.

An official statement released by the Federal Bureau of Investigation alerted computer users to this worldwide scam, urging victims not to follow the cybercriminals' instructions to pay the demanded fines.

The fake FBI message states that the user’s PC has been involved in illegal activity (such as copyright violations, viewing child pornography, etc.) and demands that a fine of about $200 or more be paid within 48-72 hours to unlock the system.

Whenever you see a message displaying an FBI warning and demanding a fine, remember that this is a scam. The FBI does not enforce the law this way. Therefore, instead of paying the “fine”, it is strongly recommended to remove the malicious software responsible for the lock screen.

FBI Ransomware Removal

We are going to illustrate how to remove the FBI virus using different approaches.

1. System Restore

This option lets you roll your system back to an earlier restore point, i.e. one created before the virus started affecting it. Restoring your OS this way does not delete your saved personal files. Here is what needs to be done:

Boot into Safe Mode with Command Prompt. To do this, press the F8 key repeatedly while Windows is starting. This brings up the Windows Advanced Options Menu, where you use the arrow keys to navigate to Safe Mode with Command Prompt. Once this item is highlighted, hit Enter.

2. Manual Removal

If you are an advanced user, the manual procedure lets you remove the FBI MoneyPak virus by terminating its processes and deleting its files in order to eradicate the infection.

• Boot into Safe Mode or Safe Mode with Networking
• Go to the Start Menu in the bottom left-hand corner of the screen, type %appdata% in the Search box and hit Enter
• Browse to \Windows\Start Menu\Programs\Startup
• Find “ctfmon” (or a similar-looking item) and delete it. This shortcut is the one launching the virus at Windows startup. Save the changes
• Go back to the Start Menu, type %userprofile% in the Search bar and hit Enter
• Proceed to Appdata\Local\Temp
• Delete the file behind the malicious process: rool0_pk.exe (or similar)
• Remove the random-named file with the .mof extension
• Remove the V.class file

Different variants of the virus are known to have used a broad set of file and process names. Below is a complete listing of those. If found inside the directories above, these objects should be deleted:

%AppData%\Protector-[random].exe
%AppData%\Inspector-[random].exe
%AppData%\vsdsrv32.exe
%AppData%\result.db
%AppData%\jork_0_typ_col.exe
%Temp%\0_0u_l.exe
%StartupFolder%\wpbt0.dll
%StartupFolder%\ctfmon.lnk
%StartupFolder%\ch810.exe
WARNING.txt
V.class
cconf.txt.enc
tpl_0_c.exe
irb700.exe
dtresfflsceez.exe
ch810.exe
0_0u_l.exe

• It’s now recommended to use reliable antivirus software and run a full scan.
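As an added example (not part of the original post), the following Python script turns the file listing above into a report-only triage scan: it walks %AppData%, %Temp% and the per-user Startup folder (assumed here to be %AppData%\Microsoft\Windows\Start Menu\Programs\Startup, the Windows 7 location), matches file names against the listing with “[random]” treated as a wildcard, and prints each hit with its SHA-256 so the operator can review it before deleting anything.

```python
import hashlib
import os
import re
from pathlib import PureWindowsPath

# Names from the listing above; "[random]" marks a randomised part of a name.
INDICATORS = [
    "Protector-[random].exe", "Inspector-[random].exe", "vsdsrv32.exe",
    "result.db", "jork_0_typ_col.exe", "0_0u_l.exe", "wpbt0.dll", "ctfmon.lnk",
    "ch810.exe", "WARNING.txt", "V.class", "cconf.txt.enc", "tpl_0_c.exe",
    "irb700.exe", "dtresfflsceez.exe", "rool0_pk.exe",
]

def indicator_regex(name):
    """Literal match on the name, "[random]" matching one or more characters;
    case-insensitive because Windows file names are."""
    parts = [re.escape(p) for p in name.split("[random]")]
    return re.compile("^" + ".+".join(parts) + "$", re.IGNORECASE)

PATTERNS = [(n, indicator_regex(n)) for n in INDICATORS]

def match_indicators(paths):
    """Return (path, indicator) pairs for every path whose file name matches;
    any .mof file is reported too, since the article says it is randomly named."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name
        for ind, rx in PATTERNS:
            if rx.match(name):
                hits.append((p, ind))
                break
        else:
            if name.lower().endswith(".mof"):
                hits.append((p, "*.mof"))
    return hits

def scan_profile_dirs():
    """Walk the directories the manual steps point at and print hits with a
    SHA-256 digest. Nothing is deleted; the operator decides after review."""
    appdata = os.environ.get("APPDATA", "")
    roots = [appdata, os.environ.get("TEMP", ""),   # Startup path is an assumption
             os.path.join(appdata, r"Microsoft\Windows\Start Menu\Programs\Startup")]
    found = []
    for root in filter(os.path.isdir, roots):
        for dirpath, _, files in os.walk(root):
            found.extend(os.path.join(dirpath, f) for f in files)
    for path, ind in match_indicators(found):
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        print(f"{ind:24} {digest}  {path}")

if __name__ == "__main__":
    scan_profile_dirs()
```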
