How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP11.0.6 has been already installed on the laptop
Created: 08 Oct 2012 | 10 comments
Hi Guys,
I found one laptop that was infected with the FBI virus. How do I clean it? We cannot log in via Safe Mode. SEP 11.0.6 has already been installed on the laptop. The client didn't report to the SEP console.
Hi,
Check these comments and this thread:
https://www-secure.symantec.com/connect/forums/fbi-moneypak-virus-corrupting-profiles-our-server
Mithun Sanghavi (Symantec Employee, Technical Support Accredited)
Hello,
You could try running the SERT utility if you have access to Fileconnect. The SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed on them to clean effectively. The consumer version of this tool is the Norton Bootable Recovery Tool. The tool is free, so there is no need for a Fileconnect account to download the software.
You could also try the steps provided below for collecting the suspicious files and submitting them to the Symantec Security Response Team.
Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.
I would also recommend that you create a case with Symantec Technical Support.
You could either create a case or contact Symantec Technical Support.
http://www.symantec.com/docs/TECH58873
How to update a support case and upload diagnostic files with MySupport
http://www.symantec.com/docs/TECH71023
OR
Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000
Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp
Hope that helps!!
Reference:
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Collect the load point diagnostics log and open a support ticket to identify suspicious files to be submitted to Security Response.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
You can run a scan in Safe Mode.
SEP Knowledge Base
Endpoint SWAT
Hi greatgu,
"Thumbs up" to the advice above. Please do update this thread with news of your progress.
Here is a good public blog post from Symantec Security Response about why ransomware has become so prevalent recently:
https://www-secure.symantec.com/connect/blogs/ransomware-crimeware-kits
Also see: Ransomware and Silence Locker Control Panel
https://www-secure.symantec.com/connect/blogs/ransomware-and-silence-locker-control-panel
and: https://www-secure.symantec.com/connect/node/1618951
With thanks and best regards,
Mick
I am trying to download SERT from Fileconnect, but I don't know my product serial number. I am asking for help from others.
Once you have SERT, call Tech Support for the PIN to allow it to run.
With thanks and best regards,
Mick
Hi,
Did you receive your answer?
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Hi! Here http://www.symantec.com/connect/forums/fbi-moneypak-virus-corrupting-profiles-our-server I see the same problem; it looks like this ransomware causes serious problems on many PCs.
I suggest that you go into Safe Mode and restore your system to a previous date when it had not yet been compromised. You can do that in the following way:
1. Use the F8 key to go into Safe Mode with Command Prompt.
2. At the command prompt, type explorer.exe, then press Enter.
3. You will see your desktop. Go to the Start menu and type rstrui; you are then taken to the System Restore point, where you can set your system to a moment in the past.
Then the system is unlocked, but FBI Moneypak is still there. Delete these files from your system (Windows XP):
C:\Documents and Settings\{Your User Name}\Start Menu\Programs\Startup\ctfmon.exe
C:\Windows\[Random.exe] (e.g. Pmfjyiaj.exe)
C:\Documents and Settings\{User Profile}\Local Settings\Application Data\Microsoft\Windows\[Random.exe]
C:\Documents and Settings\{User Profile}\Local Settings\Application Data\Microsoft\Windows\[Random]
and in Vista:
C:\Program Data\csrss.exe
C:\Users\{Your User Name}\AppData\Roaming\Microsoft\Windows\… Menu\Programs\Startup\ctfmon.exe
C:\Users\{User Profile}\AppData\Local\Microsoft\Windows… [Random.exe]
C:\Users\{User Profile}\AppData\Local\Microsoft\Windows… [Random]
C:\Program Data\lsass.exe
C:\Program Data\[Random.exe]
Do not forget to check your registry for any changed or malicious entries. Set changed entries back to their initial values.
You can also clean your system with an automatic tool such as http://www.symantec.com/products/download-security-software or http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=n95, and you can also see removal instructions here: http://www.americanpendulum.com/2012/10/02/fbi-moneypak-scam-dangerous-malware-making-millions-of/ and here: http://www.youtube.com/watch?v=cuctc1_g0as
Hope this was helpful and that you have managed to solve the problem!
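The following read-only triage script is an added example, not something posted in this thread or shipped by Symantec. It inventories the persistence locations listed above (Startup folders, the local Microsoft\Windows folders, ProgramData and the Windows directory) and flags files that use a Windows system-process name outside System32, executables sitting in a Startup folder, and executables without a valid Authenticode signature, then lists the Run keys so each entry can be verified by hand. The list of system-process names is an assumption for illustration.

```powershell
# Added triage script (not from the thread). Read-only: it deletes nothing.
# Assumed set of system-process names that the thread shows being abused
# (csrss.exe, lsass.exe, ctfmon.exe) plus a few other common lookalike targets.
$systemNames = @('csrss.exe', 'lsass.exe', 'ctfmon.exe', 'svchost.exe', 'winlogon.exe')
$system32    = Join-Path $env:SystemRoot 'System32'

# Persistence locations named in the thread, in both XP and Vista/7 layouts,
# checked for every profile on the machine plus ProgramData and C:\Windows.
$profilesRoot = Split-Path $env:USERPROFILE -Parent
$locations = @($env:ProgramData, $env:SystemRoot)
foreach ($p in Get-ChildItem -Path $profilesRoot -Directory) {
    $locations += Join-Path $p.FullName 'Start Menu\Programs\Startup'
    $locations += Join-Path $p.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    $locations += Join-Path $p.FullName 'Local Settings\Application Data\Microsoft\Windows'
    $locations += Join-Path $p.FullName 'AppData\Local\Microsoft\Windows'
}

$findings = foreach ($dir in ($locations | Where-Object { Test-Path $_ })) {
    foreach ($f in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
        $why = @()
        # A system-process name living anywhere but System32 is masquerading.
        if ($systemNames -contains $f.Name -and $f.DirectoryName -ne $system32) {
            $why += 'system-process name outside System32'
        }
        # Startup folders normally hold shortcuts, not executables.
        if ($f.Extension -eq '.exe' -and $dir -like '*\Startup') {
            $why += 'executable in Startup folder'
        }
        # Random-named droppers are almost never signed.
        if ($f.Extension -eq '.exe' -and (Get-AuthenticodeSignature $f.FullName).Status -ne 'Valid') {
            $why += 'unsigned or invalid signature'
        }
        if ($why.Count -gt 0) {
            [pscustomobject]@{ Path = $f.FullName; Reasons = ($why -join '; ') }
        }
    }
}
$findings | Format-Table -AutoSize

# The thread also says to check the registry: list Run entries for manual review.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}
```

On Windows 7 and earlier, catalog-signed Microsoft binaries in C:\Windows may report NotSigned, so treat the signature flag as a prompt to verify the file, not as proof of infection.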
This new Security Response whitepaper about Ransomware will be of interest to followers of this thread:
With thanks and best regards,
Mick
This new Security Response blog post also adds some extra developments and details. Be informed!
With thanks and best regards,
Mick