Video Screencast Help

FBI ransomware locked computer. Help?

Created: 20 Dec 2012 | 10 comments

My computer has been locked by ransomware masquerading as the FBI.  I can still use the other user account on my computer to run Norton 360 in normal mode, and I have run it in Safe Mode in both accounts.  I have used Norton Power Eraser, to no avail. Please walk me through the removal of this monster. 

Also, I do not understand the prompt below to specify a Norton product and version.  My product, Norton 360, is not listed.  I am choosing one at random just to be able to post this.

Thanks!

Comments 10 CommentsJump to latest comment

Ashish-Sharma's picture

Hi,

Check this comments and Thread

https://www-secure.symantec.com/connect/forums/fbi-moneypak-virus-corrupting-profiles-our-server

Mithun Sanghavi Symantec Employee Technical Support Accredited

Hello,

You could try running the SERT Utility, if you have access to Fileconnect, the SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively. The Consumer version of this tool is the Norton Bootable Recovery Tool.  The tool is free, so there is no need for a Fileconnect account to download the software.

You could also try working on the steps provided below on collecting the suspicious files and submitting the same to the Symantec Security Response Team.

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

I would also recommend you to make sure you create a case with Symantec Technical Support.

You could either Create a Case OR contact Symantec Technical Support.

How to create a new case in MySupport

http://www.symantec.com/docs/TECH58873

How to update a support case and upload diagnostic files with MySupport

http://www.symantec.com/docs/TECH71023

OR

Regional Support Telephone Numbers:

United States: 800-342-0652 (407-357-7600 from outside the United States)

Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)

United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Check this thread

https://www-secure.symantec.com/connect/forums/how-remove-fbi-virus-fbi-moneypak-ransomware-virus-laptop-sep1106-has-been-already-installed-

Thanks In Advance

Ashish Sharma

 

 

Jen_Barber's picture

 

Thank you.  One question:  When I try to fill the form for a tech support case, it asks for my product and version.  I have Norton 360.  How do I translate that into an acceptable answer?  I can't file the report without those two blanks filled, and I don't know how to answer.

 

AngelD's picture

The product name and version should be visible through "Control Panel" > "Add/Remove Programs" or "Programs and Features" depending on your operating system.

AngelD's picture

In the Norton application, do you see any about button/menu option?

In that case you should see more details of the name and version

Jen_Barber's picture

 

Oh wow.  This second user account may be compromised now. I'm not sure. 

I had gone to the add/delete section and noted that it said only "Norton 360."  After your next post, I checked it in the start menu -- clicked on the icon and got some options for actions.  But this time, no matter which one I clicked, nothing happened.  I went back to the add/delete section, and Norton 360 is gone!  (I didn't touch it when I looked at it before; I didn't delete it by mistake.)

8-(

Btw, I made a bootable recovery disk last night but am not sure how or if I should use it in my current situation.  Will it delete any of my files or programs if I run it?

 

 

 

Jen_Barber's picture

Also, I just got an error notice 8504, 101.  It wasn't auto-fixable and I was instructed to notify Symantec.  ????

And...  Norton 360 is back in the add/delete section, thank goodness.  And the screen icon is up again, since I was notified of the error notice.

AngelD's picture

What operating system are you using; 2000, XP, Vista, Windows 7?

Usually a recovery disk will not wipe the disk but just recover the (vital) system files and registry.

If it's possible; recover your data on the disk (get into another computer and copy your data to that computer) and then reinstall the computer to be safe.

My guessing is that there is a self survival process which upon killed will spawn another process (or several). Depending on your skillset you could try to remove the "bad guy"; use process explorer or similar to suspend the process(es) instead so no new process(es) are re-spawned. Then remove any auto-launch (related to the ransomware) using ex. Autoruns to prevent the ransomware to be able to launch again.

Mick2009's picture

This new Security Response blog post also adds some extra developments/details- be informed!

Ransomware: Extorting Money by Panic and Pressure
https://www-secure.symantec.com/connect/blogs/ransomware-extorting-money-panic-and-pressure

The Norton Boot Recovery Tool, referenced above, should be able to deal with these threats.

With thanks and best regards,

Mick

Mick2009's picture

Just posting a small "good news" update:

Trojan.Ransomgerpo Criminal Arrested
https://www-secure.symantec.com/connect/blogs/trojanransomgerpo-criminal-arrested

 

With thanks and best regards,

Mick