FBI Virus, Unlocking your PC Without Any Safe Mode


28 replies to this topic

#1 OpenSource

Posted 16 January 2013 - 11:42 PM

Greetings!
A code monkey I am not, but I do consider myself above average in the tech world. Six days ago I contracted the harshest, most aggressive case of the internet AIDS I have ever come across, the FBI Virus.
Now there are tens upon hundreds of results on Google when searching for "FBI Virus Removal"; I'm sure many of those will help the majority. But nearly all of the fixes they suggest involve the use of Safe Mode. After a solid 5 days of constant web surfing for a fix without Safe Mode, it seems that the newest of the new FBI Virus, which blocks ALL Safe Modes, began on or just before 01-03-2013. Even the forums that involve this version seem to be built around the logs provided by the specific user, and therefore are not suggested to be used on your system.
What I would like to share is how I stumbled upon a utility that successfully unlocked my computer and allowed me back onto my desktop. It does not delete the virus, but it will allow you to then run your normal antivirus software, or to follow the steps on other removal forums that have you use Safe Mode.

The Fix:
-While using a clean computer, you will want to download 'Kaspersky Rescue Disk 10.ISO' and burn it onto a CD. This is a free boot-from-disk utility that will load its own graphical interface; the best way to find this download is to do a Google search and download it straight from Kaspersky's website.

-Put the disk in the infected computer. Boot from CD. Once this loads it will give you an option to either run in Text Mode or Graphic Mode. It's easier to run in Graphic Mode.

-Once loaded into the graphical interface, it will look similar to what you are used to as a normal desktop. As soon as everything loads, it may ask you to select an OS; do so. After that their antivirus program will show up and await your click to start scanning (this is the reason I downloaded the ISO to start with). Do NOT run the scan; it seems that it is able to find some older versions of the FBI Virus, but not the newer ones, and running it will just be a waste of 2-3 hours.

-Close out the windows by just hitting the X until you are just seeing the desktop. Now here's the cool part: apparently there is a built-in utility on the Rescue Disk simply called "Kaspersky WindowsUnlocker". This is the golden program that is going to give you your computer back.

-Click on their version of the Start button in the bottom left, and click on "Terminal". This will open a screen that looks like your CMOS. Now type in "Windowsunlocker" and hit Enter. Three options will show up; you want to select the first one to run the utility. It will only take a few seconds before it's complete, then you simply need to restart your computer and boot Windows normally.

-BAM, YOU'RE IN! But it's not over. You have your computer unlocked, but the virus is still very much there. From this point you should be able to run the antivirus software of your choice, or follow any of the other 'FBI Virus Removal' threads from the point where they have you boot into Safe Mode. Good luck!

I apologize for any confusing or unprofessional instructions; this is the first time I have tried to contribute to any tech help. It blew my mind that I spent 40+ hours in the last surfing the web trying to find an answer to this and coming up empty-handed. I hope the people that are having the same problems I did will find this. Let me know how it works for you.

-OpenSource


#2 wildfire365

Posted 18 January 2013 - 01:55 AM

This is for the FBI I just went through and read about the Emsisoft Emergency Kit. I tried to do the safe mode; when I did, the desktop came up, then the FBI screen came up so fast I didn't have time to load or run anything. Safe mode didn't help to load the kit. Is this way going to help, or do I run into a brick wall? I just need to be able to clear this due to a lot more work after this. Any answers? Will this work for sure, so I won't get turned out to pasture? Thanks. PS: this is on an XP Pro system.

Edited by wildfire365, 18 January 2013 - 02:02 AM.


#3 Elise

Posted 18 January 2013 - 08:33 AM

Thank you for sharing your solution OpenSource. :)

I do not recommend the usage of any Linux rescue disk (no matter what company it is from, Kaspersky being an excellent AV otherwise). To understand why, please see here.
The potential of causing more damage is simply too high, and it is better to fix the problem differently.
The Windows Unlocker might work (depending on the ransomware variant installed), but I'd always use it with caution.

If malware has completely blocked both normal and safe mode you always have the recovery environment to fix matters. If you do not know how to use this and/or how to check for malware, then the safest solution is looking for help from someone who does know, because otherwise you risk causing only more problems. If you need help removing FBI ransomware, please post a topic in this forum with an explanation of the problem you are experiencing. Be sure to check out the different removal guides first.
regards, Elise


#4 Docd4u

Posted 18 January 2013 - 02:40 PM

Hello,
I ran into the same problem of both Windows and Windows Safe Mode being blocked by the DOJ ransomware. What I ended up doing is to boot to a command prompt. The virus seems to start when you start Explorer. I was able to then run Emsisoft Emergency Kit.
Hope that helps
DocD

#5 OpenSource

Posted 18 January 2013 - 03:13 PM

> Hello,
> I ran into the same problem of both Windows and Windows Safe Mode being blocked by the DOJ ransomware. What I ended up doing is to boot to a command prompt. The virus seems to start when you start Explorer. I was able to then run Emsisoft Emergency Kit.
> Hope that helps
> DocD

Indeed, I found threads suggesting that fix as well. But as the title said, this is what I had to do when unable to use ANY safe mode, including Safe Mode with Command Prompt. Full blown internet AIDS indeed >.>

#6 OpenSource

Posted 18 January 2013 - 03:18 PM

> Thank you for sharing your solution OpenSource. :)
>
> I do not recommend the usage of any Linux rescue disk (no matter what company it is from, Kaspersky being an excellent AV otherwise). To understand why, please see here.
> The potential of causing more damage is simply too high, and it is better to fix the problem differently.
> The Windows Unlocker might work (depending on the ransomware variant installed), but I'd always use it with caution.
>
> If malware has completely blocked both normal and safe mode you always have the recovery environment to fix matters. If you do not know how to use this and/or how to check for malware, then the safest solution is looking for help from someone who does know, because otherwise you risk causing only more problems. If you need help removing FBI ransomware, please post a topic in this forum with an explanation of the problem you are experiencing. Be sure to check out the different removal guides first.

I understand, I should have stated such in the original post. But after 40+ hours of attempts and research I became very impatient, and extreme last resort measures became a solution.

#7 Elise

Posted 18 January 2013 - 04:11 PM

If you have but a few seconds in Safe Mode with Command Prompt, you could try to execute the cmd /d command which may stop the screenlocker from loading.
Another trick that works for some versions is disconnecting the computer from the internet (LAN), in some cases this will prevent the ransomware from loading.
regards, Elise


#8 OpenSource

Posted 18 January 2013 - 04:17 PM

> If you have but a few seconds in Safe Mode with Command Prompt, you could try to execute the cmd /d command which may stop the screenlocker from loading.

i7 Extreme, 2x 256 GB SSDs, 32 GB 1866 RAM. A few seconds, I do not have >.<

> Another trick that works for some versions is disconnecting the computer from the internet (LAN), in some cases this will prevent the ransomware from loading.

Tried this as well with no effect.

#9 Elise

Posted 18 January 2013 - 04:22 PM

That is the downside of having new hardware. :)
regards, Elise


#10 Ed_B

Posted 13 March 2013 - 02:50 PM

I followed the process of making the CD, and it worked. I then got into Safe Mode with Networking and downloaded Norton NPE eraser after viewing their video.

After a few restarts, I appear normal again with Win 7. I am a bit afraid to reboot just in case it shows up again, but if I do not post again, take it that all is OK.

Nice combination of solutions..



#11 BlackHawk1

Posted 17 March 2013 - 02:49 AM

I'm glad this topic is here because I wanted to say a few things and ask as well. :) I've been using KAV since 1996 when it was known as AVP. I've known about the KAV Rescue Disk and the unlocker feature for a while, but I never tried the "unlocker" feature until today when a friend of mine got hit with some ransomware. I've used other ways to deal with ransomware. I would first like to ask why it seems that Bleeping recommends Emsisoft Anti-Malware in these ransomware situations? Why not any other programs? Is the Emsisoft program the best at dealing with them? I haven't used anything by Emsisoft for a few years as it always seemed they flagged too many things... too many false positives, too many harmless things. When the KAV Rescue Disk didn't want to work for me (or maybe it was user error) I went to Malwarebytes Chameleon and it took care of the ransomware. After getting the desktop unlocked I installed a trial version of Kaspersky for him, ran a full scan, and it found nothing. I also tried SUPERAntiSpyware and all was OK. So I say Malwarebytes did the job 100%. I was surprised by this as I thought for sure something else would be found. I would like to hear more about the current Emsisoft if you can tell me please. Now on to my KAV Rescue Disk problem when I tried to have it deal with the ransomware...

Keep in mind the OS is Windows 7 64-bit. I boot up with the KAV disk and select "Kaspersky Rescue Disk Graphic Mode" and continue. Once it loads I get a screen that gives me a selection of Windows Setup or Windows 7. I tried both to no avail. After selecting one of those choices I go to the terminal and... in the command prompt I enter the command "windowsunlocker" and press Enter on the keyboard. I then proceed to do this...

1 - Unblock Windows
2 - Save boot sector copies
0 - Exit

After doing the above steps I stay in the rescue disk. I then try to run a full scan with the KAV antivirus scanner, but for some reason the "C" drive does NOT show up. All I get to pick from is Disk Boot Sectors, Hidden Startup Objects, and Browse. I select Browse, but can't access any other drives or folders to add. So I went ahead and selected the only things I could... Disk Boot Sectors and Hidden Startup Objects. I do that and the scan finishes very quickly, like it didn't scan anything from the actual infected hard drive. What am I doing wrong or what is the issue? I even tried a KAV Rescue Disk from 8/2011 and it went all goofy on me and I never got to where I needed to be. I would like some input on this as I hate not being able to solve something. The KAV forums these days seem worthless to me as the help just doesn't seem to be there. Thank you!!!

Has anyone tried the very simple methods below when dealing with ransomware? If so, what did you think? Were they successful in addressing the issue? Links...

http://support.kaspersky.com/viruses/deblocker

https://www.drweb.com/xperf/unlocker/



#12 Elise

Posted 18 March 2013 - 07:31 AM

> Is the Emsisoft program the best at dealing with them? I haven't used anything by Emsisoft for a few years as it always seemed they flagged too many things... too many false positives, too many harmless things

Since Emsisoft switched its secondary scan engine from Ikarus to BitDefender the amount of FPs has been reduced quite a bit.

What is used in BC guides can differ a bit (also, the removal guides describe one way to address an issue; that does of course not mean this is the only way to do it or the only product that can do it). The guides will always use tools that clean for free though.

I can't answer your question about the rescue disks, I never use them. :)

The two sites you mention work well, but the problem is that most ransomware doesn't ask for unlock codes, it asks for Ukash/PaySafe codes. These codes are verified against the (legitimate) servers from Ukash/PaySafe and cannot be faked for obvious reasons.


regards, Elise


#13 tech_head_707

Posted 24 March 2013 - 04:20 PM

I just want to say thank you and this did work. I repeat, this did work. A friend brought me their laptop running XP. This is the second time they were infected, but the first time I got my hands on their PC. I do not know if the BSOD on the safe mode was caused after the first infection or the second. I do know that I have had one heck of a time trying to find a SIMPLE solution through the hundreds of forum posts that I read. Prior to jumping on the forums I tried Kaspersky's Rescue Disk, which found Java files that were infected but did not clean the newest version of this virus by doing a complete scan.

Here's my experience with this solution.

1. I ran Kaspersky's Rescue Disk, and once I got to the screen that would allow me to start a computer scan, I clicked on the program manager icon in the lower left and ran the terminal window.

2. I then ran the windowsunlocker command as specified in your post and voila! It ran and told me Windows was successfully unlocked.

3. I rebooted and tried safe mode, but again BSOD as expected since I haven't repaired any registry settings or files yet. However, I was able to boot normally and run the antivirus software without the FBI screen locking the computer. This PC had AVG installed already, and it claimed to have found and cleaned 2 infections.

4. I rebooted after the infections were "cleaned" and still BSOD on the safe mode boot, but on a regular boot I am not seeing the FBI locking screen any longer. It appears to have been resolved for now; however, I will be using Malwarebytes and trying to get safe mode back, but at least I can work with that PC directly as opposed to being locked out completely.

Thank you again, I now learned a new feature on my Kaspersky disk (I am a big advocate of their rescue disk and was surprised it didn't come through on the computer scan).

Cheers!



#14 Elise

Posted 24 March 2013 - 04:54 PM

Glad it worked for you. :)

To get Safe Mode back an AV won't help you, the following should do the trick though:

Please download SafeBootKeyRepair.exe by sUBs to repair Safe Mode.

http://download.bleepingcomputer.com/sUBs/...otKeyRepair.exe

To run SafeBootKeyRepair.exe:
1. Close all programs/windows so that you have nothing open and are at your Desktop.
2. Double-click the SafeBootKeyRepair.exe file.
When finished, it shall produce a log for you.
regards, Elise
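Three observations in this thread each point at a specific registry location that a defender can inspect once the desktop is reachable again: Docd4u's note in #4 that the locker starts when Explorer starts, Elise's `cmd /d` tip in #7, and the Safe Mode repair in #14. The PowerShell script below is an added example; it is not code from this thread, from BleepingComputer, or from sUBs' SafeBootKeyRepair. It is a read-only audit that compares the Winlogon Shell and Userinit values, the Command Processor AutoRun values and the SafeBoot\Minimal and SafeBoot\Network keys against stock Windows defaults and lists anything that deviates. It assumes an elevated PowerShell prompt on Windows 7 (or XP with PowerShell installed), and the default values in the comments are the standard ones for those systems, not values taken from the thread; the function name Get-LockerPersistenceAudit is mine.

```powershell
# Added example, not code from this thread or from BleepingComputer.
# Read-only audit of the registry locations the posts above touch on:
#   - Winlogon Shell/Userinit   (what runs at logon; "starts when Explorer starts")
#   - Command Processor AutoRun (what cmd.exe runs at start unless launched with /d)
#   - SafeBoot\Minimal/Network  (what Safe Mode needs; the keys SafeBootKeyRepair restores)
# Run from an elevated PowerShell prompt once the desktop is reachable. Nothing is modified.

function Get-LockerPersistenceAudit {
    $findings = New-Object System.Collections.ArrayList

    function Add-Finding([string]$Location, [string]$Expected, [string]$Actual) {
        [void]$findings.Add([pscustomobject]@{
            Location = $Location; Expected = $Expected; Actual = $Actual })
    }

    # Read one registry value; $null if the key or the value is absent.
    function Get-RegValue([string]$Key, [string]$Name) {
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($item) { return $item.$Name } else { return $null }
    }

    # 1. Winlogon. Stock values: Shell = explorer.exe,
    #    Userinit = <SystemRoot>\system32\userinit.exe, (trailing comma is part of the value)
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = Get-RegValue $winlogon 'Shell'
    if ($shell -ne 'explorer.exe') { Add-Finding "$winlogon\Shell" 'explorer.exe' "$shell" }

    $expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
    $userinit = Get-RegValue $winlogon 'Userinit'
    if ($userinit -ne $expectedUserinit) {
        Add-Finding "$winlogon\Userinit" $expectedUserinit "$userinit"
    }

    # A per-user Shell value is normally absent; if present it overrides the machine-wide one.
    $userWinlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userShell = Get-RegValue $userWinlogon 'Shell'
    if ($userShell) { Add-Finding "$userWinlogon\Shell" '<absent>' "$userShell" }

    # 2. Command Processor AutoRun. Normally absent. cmd.exe executes it on every start
    #    unless started with /d, which is why "cmd /d" can help in Safe Mode with Command Prompt.
    foreach ($hive in 'HKLM', 'HKCU') {
        $cp = "${hive}:\SOFTWARE\Microsoft\Command Processor"
        $autorun = Get-RegValue $cp 'AutoRun'
        if ($autorun) { Add-Finding "$cp\AutoRun" '<absent>' "$autorun" }
    }

    # 3. SafeBoot lists. Safe Mode cannot start if these keys are missing or emptied.
    foreach ($set in 'Minimal', 'Network') {
        $sb = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$set"
        if (-not (Test-Path $sb)) { Add-Finding $sb '<key with subkeys>' '<missing>'; continue }
        $count = @(Get-ChildItem -Path $sb).Count
        if ($count -eq 0) { Add-Finding $sb '<key with subkeys>' '<empty>' }
    }

    return $findings
}

$result = @(Get-LockerPersistenceAudit)
if ($result.Count -eq 0) {
    Write-Output 'No deviations from stock values in the audited locations.'
} else {
    $result | Format-Table -AutoSize
}
```

A Shell value other than explorer.exe or a populated AutoRun entry is what to include when posting a removal request in the forum; a missing or empty SafeBoot key is the condition the repair tool in #14 addresses, so running the audit before and after that tool shows whether the repair took effect.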


#15 GLIM

Posted 02 April 2013 - 11:38 AM

Thank you for taking the time to post this . . . I too spent many hours researching and getting nowhere - BSOD on every safe mode.

Your instructions were clear and to the point.

Personally I do not understand why the LAW cannot go after these people, or maybe they just don't want to?

 





