
How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP11.0.6 has been already installed on the laptop

Created: 08 Oct 2012 | 10 comments

Hi Guys,

I found one laptop that was infected with the FBI virus. How do I clean it? We cannot log in in safe mode. SEP 11.0.6 has already been installed on the laptop. The client didn't report to the SEP console.

Ashish-Sharma's picture

Hi,

Check these comments and this thread:

https://www-secure.symantec.com/connect/forums/fbi-moneypak-virus-corrupting-profiles-our-server

Mithun Sanghavi (Symantec Employee, Technical Support Accredited)

Hello,

You could try running the SERT utility if you have access to FileConnect. SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed on them to clean effectively. The consumer version of this tool is the Norton Bootable Recovery Tool. The tool is free, so there is no need for a FileConnect account to download the software.

You could also try working on the steps provided below on collecting the suspicious files and submitting the same to the Symantec Security Response Team.

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

I would also recommend that you make sure you create a case with Symantec Technical Support.

You could either Create a Case OR contact Symantec Technical Support.

How to create a new case in MySupport

http://www.symantec.com/docs/TECH58873

How to update a support case and upload diagnostic files with MySupport

http://www.symantec.com/docs/TECH71023

OR

Regional Support Telephone Numbers:

United States: 800-342-0652 (407-357-7600 from outside the United States)

Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)

United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Hope that helps!!

Reference :

Thanks In Advance

Ashish Sharma

pete_4u2002's picture

Collect the load point diagnostics log and open a support ticket to identify suspicious files to be submitted to Security Response.

_Brian's picture

You can run a scan in safe mode.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mick2009's picture

Hi greatgu,

"Thumbs up" to the advice above. Please do update this thread with news of your progress.

Here is a good public blog post from Symantec Security Response about why ransomware has become so prevalent recently:
https://www-secure.symantec.com/connect/blogs/ransomware-crimeware-kits

Also see:  Ransomware and Silence Locker Control Panel
https://www-secure.symantec.com/connect/blogs/ransomware-and-silence-locker-control-panel

and: https://www-secure.symantec.com/connect/node/1618951

With thanks and best regards,

Mick

greatgu's picture

I am trying to download SERT from FileConnect but I don't know my product serial number. I am asking for help from others.

Mick2009's picture

Once you have SERT, call Tech Support for the PIN to allow it to run.

Symantec Endpoint Recovery Tool (SERT) requires a PIN to run
Article: TECH159200 | Created: 2011-05-01 | Updated: 2012-05-02
Article URL: http://www.symantec.com/docs/TECH159200

With thanks and best regards,

Mick

SilentGhost's picture

Hi! Here http://www.symantec.com/connect/forums/fbi-moneypak-virus-corrupting-profiles-our-server I see the same problem; it looks like this ransomware causes serious problems on many PCs.

I would suggest that you go into Safe Mode and restore your system to a previous date when it was still not compromised. You can do that in the following way:

1. Use the F8 key to go into Safe Mode with Command Prompt.

2. At the command prompt, type explorer.exe, then press Enter.

3. You will see your desktop. Go to the Start menu and type rstrui; you are then taken to System Restore, where you can set your system back to a moment in the past.

Then the system is unlocked, but FBI Moneypak is still there. Delete these files from your system (Windows XP):

C:\Documents and Settings\{Your User Name}\Start Menu\Programs\Startup\ctfmon.exe
C:\Windows\[Random.exe] (e.g. Pmfjyiaj.exe)
C:\Documents and Settings\{User Profile}\Local Settings\Application Data\Microsoft\Windows\[Random.exe]
C:\Documents and Settings\{User Profile}\Local Settings\Application Data\Microsoft\Windows\[Random]

and in Vista :

C:\Program Data\csrss.exe
C:\Users\{Your User Name}\AppData\Roaming\Microsoft\Windows\… Menu\Programs\Startup\ctfmon.exe
C:\Users\{User Profile}\AppData\Local\Microsoft\Windows… [Random.exe]
C:\Users\{User Profile}\AppData\Local\Microsoft\Windows… [Random]
C:\Program Data\lsass.exe
C:\Program Data\[Random.exe]

Do not forget to check your registry for any registry entry changes or malicious entries made to your registry. Set changed entries to their initial values.

You can also clean your system with an automatic tool like http://www.symantec.com/products/download-security-software or http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=n95, and you can also see removal instructions here http://www.americanpendulum.com/2012/10/02/fbi-moneypak-scam-dangerous-malware-making-millions-of/ and here http://www.youtube.com/watch?v=cuctc1_g0as

Hope this was helpful and you have managed to solve the problem!
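As an added defender-side check (example code written for this thread, not from the post above or from Symantec): a Python script that applies the file-location indicators the post lists to a set of paths, flagging system-binary names (ctfmon.exe, csrss.exe, lsass.exe) found outside System32, executables sitting in a Startup folder, and executables dropped directly into the Windows, ProgramData or Local\Microsoft\Windows directories. The sample paths are constructed, and the allowlist of executables that legitimately live directly under C:\Windows is a partial one of my own, not an official list.

```python
from pathlib import PureWindowsPath

# Names the post says the ransomware borrows from Windows system binaries.
# Genuine copies live in System32 (or SysWOW64); anywhere else is suspect.
SYSTEM_NAMES = {"ctfmon.exe", "csrss.exe", "lsass.exe"}
SYSTEM_DIRS = ("\\windows\\system32", "\\windows\\syswow64")
# Partial allowlist (my assumption, not exhaustive) of executables that do
# legitimately sit directly under C:\Windows.
WINDOWS_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe"}
# Drop locations named in the post that normally hold data, not programs.
ROOT_DROP_DIRS = {"c:\\programdata", "c:\\program data"}
DATA_ONLY_SUFFIX = "\\appdata\\local\\microsoft\\windows"


def suspicious_reasons(path):
    """Return the list of indicators one path matches (empty list = nothing found)."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    reasons = []
    if not name.endswith(".exe"):
        return reasons
    if name in SYSTEM_NAMES and not parent.endswith(SYSTEM_DIRS):
        reasons.append("system binary name outside System32")
    if "startup" in (part.lower() for part in p.parts[:-1]):
        reasons.append("executable in a Startup folder")
    if parent == "c:\\windows" and name not in WINDOWS_ROOT_OK:
        reasons.append("unexpected executable directly under C:\\Windows")
    elif parent in ROOT_DROP_DIRS or parent.endswith(DATA_ONLY_SUFFIX):
        reasons.append("executable in a data-only directory")
    return reasons


def scan(paths):
    """Map each flagged path to its reasons; paths with no indicators are omitted."""
    result = {}
    for path in paths:
        reasons = suspicious_reasons(path)
        if reasons:
            result[path] = reasons
    return result


# Constructed sample listing modelled on the paths in the post (not real indicators).
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\ctfmon.exe",
    r"C:\Windows\System32\ctfmon.exe",
    r"C:\ProgramData\csrss.exe",
    r"C:\Windows\Pmfjyiaj.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Users\alice\AppData\Local\Microsoft\Windows\Xkqwplz.exe",
    r"C:\Users\alice\AppData\Local\Microsoft\Windows\Caches\cversions.1.db",
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_PATHS).items():
        print(path, "->", "; ".join(reasons))
```

On a real machine, feed the function a directory listing (for example from os.walk over the user profile, C:\Windows and ProgramData) instead of the constructed list; any hit is a lead to verify by hash and signature, not proof of infection.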

Mick2009's picture

This new Security Response whitepaper about Ransomware will be of interest to followers of this thread:

Ransomware: A Growing Menace
https://www-secure.symantec.com/connect/blogs/ransomware-growing-menace

With thanks and best regards,

Mick

Mick2009's picture

This new Security Response blog post also adds some extra developments and details. Be informed!

Ransomware: Extorting Money by Panic and Pressure
https://www-secure.symantec.com/connect/blogs/ransomware-extorting-money-panic-and-pressure

With thanks and best regards,

Mick