
How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP 11.0.6 has already been installed on the laptop

Created: 08 Oct 2012 | 10 comments

Hi Guys,

I found one laptop that was infected with the FBI virus. How do I clean it? We cannot log in via safe mode. SEP 11.0.6 has already been installed on the laptop. The client didn't report to the SEP console.


Ashish-Sharma


Check these comments and this thread:

Mithun Sanghavi (Symantec Employee, Technical Support Accredited)


You could try running the SERT utility if you have access to FileConnect. The SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed on them to clean effectively. The consumer version of this tool is the Norton Bootable Recovery Tool. That tool is free, so there is no need for a FileConnect account to download the software.

You could also try working on the steps provided below on collecting the suspicious files and submitting the same to the Symantec Security Response Team.

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

I would also recommend that you create a case with Symantec Technical Support.

You could either create a case or contact Symantec Technical Support by phone.

How to create a new case in MySupport

How to update a support case and upload diagnostic files with MySupport


Regional Support Telephone Numbers:

United States: 800-342-0652 (407-357-7600 from outside the United States)

Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)

United Kingdom: +44 (0) 870 606 6000

Additional contact numbers:

Hope that helps!!

Reference:

Thanks In Advance

Ashish Sharma

pete_4u2002

Collect the load point diagnostics log and open a support ticket to identify suspicious files to be submitted to Security Response.

ᗺrian

You can run a scan in safe mode.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mick2009

Hi greatgu,

"Thumbs up" to the advice above. Please do update this thread with news of your progress.

Here is a good public blog post from Symantec Security Response about why ransomware has become so prevalent recently:

Also see: Ransomware and Silence Locker Control Panel



With thanks and best regards,


greatgu

I am trying to download SERT from FileConnect, but I don't know my product serial number. I am asking for help from others.

Mick2009

Once you have SERT, call Tech Support for the PIN to allow it to run.

Symantec Endpoint Recovery Tool (SERT) requires a PIN to run
Article: TECH159200 | Created: 2011-05-01 | Updated: 2012-05-02

With thanks and best regards,


SilentGhost

Hi! Here I see the same problem; it looks like this ransomware causes serious problems for many PCs.

I will suggest that you go into Safe Mode and restore your system to a previous date when it was still not compromised. You can do that in the following way:

1. Use the F8 key to go into Safe Mode with Command Prompt.

2. At the Command Prompt, type explorer.exe, then press Enter.

3. You will see your desktop. Go to the Start menu and type rstrui; you are then taken to System Restore, where you can set your system to a moment in the past.

Then the system is unlocked, but FBI Moneypak is still there. Delete these files from your system (Windows XP):

C:\Documents and Settings\{Your User Name}\Start Menu\Programs\Startup\ctfmon.exe
C:\Windows\[Random.exe] (e.g. Pmfjyiaj.exe)
C:\Documents and Settings\{User Profile}\Local Settings\Application Data\Microsoft\Windows\[Random.exe]
C:\Documents and Settings\{User Profile}\Local Settings\Application Data\Microsoft\Windows\[Random]

and in Vista:

C:\Program Data\csrss.exe
C:\Users\{Your User Name}\AppData\Roaming\Microsoft\Windows\… Menu\Programs\Startup\ctfmon.exe
C:\Users\{User Profile}\AppData\Local\Microsoft\Windows… [Random.exe]
C:\Users\{User Profile}\AppData\Local\Microsoft\Windows… [Random]
C:\Program Data\lsass.exe
C:\Program Data\[Random.exe]

Do not forget to check your registry for any registry entry changes or malicious entries made to your registry. Set changed entries to their initial values.

You can also clean your system with an automatic tool like , or , and you can also see removal instructions here and here.

Hope this was helpful and you have managed to solve the problem!
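A read-only check for the autostart locations the steps above walk through (the Startup folders, the Run keys, and Windows component names such as csrss.exe, lsass.exe or ctfmon.exe sitting outside System32), added here as an example and not part of any post in this thread. It only reports what it finds; deleting files and repairing registry entries stay manual, as the post describes. Assumed: Windows PowerShell 2.0 or later is available on the machine, and HKLM needs an elevated prompt.

```powershell
# Added example (not from the thread): flag autostart entries that match the
# patterns described in the post above. Reports only; nothing is deleted.
$systemDir  = Join-Path $env:SystemRoot 'System32'
$dataDirs   = @([Environment]::GetFolderPath('CommonApplicationData'),   # C:\ProgramData (Vista+) / All Users\Application Data (XP)
                [Environment]::GetFolderPath('LocalApplicationData'))    # ...\AppData\Local (Vista+) / Local Settings\Application Data (XP)
$lookalikes = @('csrss.exe', 'lsass.exe', 'ctfmon.exe', 'explorer.exe')  # component names the post shows dropped outside System32
$psNoise    = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartEntries {
    $entries = @()
    foreach ($key in @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                       'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }              # skip provider metadata, keep real values
            $entries += New-Object PSObject -Property @{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in (Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer })) {
            $entries += New-Object PSObject -Property @{ Source = $folder; Name = $f.Name; Command = $f.FullName }
        }
    }
    return $entries
}

function Get-ExecutablePath([string]$command) {
    # "C:\dir\app.exe" /arg -> C:\dir\app.exe ; unquoted command lines are cut at the first .exe
    $c = $command.Trim()
    if ($c.StartsWith('"') -and $c.IndexOf('"', 1) -gt 1) { return $c.Substring(1, $c.IndexOf('"', 1) - 1) }
    $i = $c.ToLower().IndexOf('.exe')
    if ($i -ge 0) { return $c.Substring(0, $i + 4) }
    return $c
}

function Get-SuspicionReasons($entry) {
    $path = Get-ExecutablePath $entry.Command
    $name = [IO.Path]::GetFileName($path).ToLower()
    $dir  = [IO.Path]::GetDirectoryName($path)
    $reasons = @()
    if (($lookalikes -contains $name) -and $dir -and ($dir.TrimEnd('\') -ne $systemDir)) {
        $reasons += "Windows component name '$name' launched from $dir instead of System32"
    }
    foreach ($d in $dataDirs) { if ($path -like "$d\*") { $reasons += "executable lives under data directory $d" } }
    if (($entry.Source -notlike 'HK*') -and $name.EndsWith('.exe')) { $reasons += 'bare .exe placed in a Startup folder' }
    return $reasons
}

foreach ($e in Get-AutostartEntries) {
    $why = @(Get-SuspicionReasons $e)
    if ($why.Count -gt 0) { Write-Output ("SUSPICIOUS  {0}`n  {1}`n  {2}" -f $e.Source, $e.Command, ($why -join '; ')) }
}
```

Entries flagged for a component name outside System32 are the ones worth submitting to Security Response as the earlier replies suggest; a legitimate third-party installer in a data directory will also be listed, so confirm each hit before removing anything.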

Mick2009

This new Security Response whitepaper about Ransomware will be of interest to followers of this thread:

Ransomware: A Growing Menace

With thanks and best regards,


Mick2009

This new Security Response blog post also adds some extra developments/details; be informed!

Ransomware: Extorting Money by Panic and Pressure

With thanks and best regards,