Endpoint Protection


How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP11.0.6 has been already installed on the laptop

  • 1.  How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP11.0.6 has been already installed on the laptop

    Posted Oct 08, 2012 04:37 AM

    Hi Guys,

    I found one laptop that was infected with the FBI virus. How do we clean it? We cannot log in using Safe Mode. SEP 11.0.6 has already been installed on the laptop. The client didn't report to the SEP console.



  • 2.  RE: How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP11.0.6 has been already installed on the laptop

    Posted Oct 08, 2012 04:41 AM

    Hello,

    You could try running the SERT Utility if you have access to Fileconnect. The SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively. The consumer version of this tool is the Norton Bootable Recovery Tool. The tool is free, so there is no need for a Fileconnect account to download the software.

    You could also try working on the steps provided below on collecting the suspicious files and submitting the same to the Symantec Security Response Team.

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    I would also recommend you to make sure you create a case with Symantec Technical Support.

    You could either Create a Case OR contact Symantec Technical Support.

    How to create a new case in MySupport

    http://www.symantec.com/docs/TECH58873

    How to update a support case and upload diagnostic files with MySupport

    http://www.symantec.com/docs/TECH71023

    OR

    Regional Support Telephone Numbers:

    United States: https://support.broadcom.com (407-357-7600 from outside the United States)

    Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)

    United Kingdom: +44 (0) 870 606 6000

    Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

    Hope that helps!!

    Reference :



  • 3.  RE: How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP11.0.6 has been already installed on the laptop

    Broadcom Employee
    Posted Oct 08, 2012 05:23 AM

    Collect the load point diagnostics log and open a support ticket to identify suspicious files to be submitted to Security Response.



  • 4.  RE: How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP11.0.6 has been already installed on the laptop

    Posted Oct 08, 2012 07:27 AM

    You can run a scan in Safe Mode.



  • 5.  RE: How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP11.0.6 has been already installed on the laptop

    Posted Oct 09, 2012 04:44 AM

    Hi greatgu,

    "Thumbs up" to the advice above. Please do update this thread with news of your progress.

    Here is a good public blog post from Symantec Security Response about why ransomware has become so prevalent recently:
    https://www-secure.symantec.com/connect/blogs/ransomware-crimeware-kits

    Also see:  Ransomware and Silence Locker Control Panel
    https://www-secure.symantec.com/connect/blogs/ransomware-and-silence-locker-control-panel

    and: https://www-secure.symantec.com/connect/node/1618951

    and https://www-secure.symantec.com/connect/blogs/ransomware-and-silence-locker-control-panel

     

     



  • 6.  RE: How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP11.0.6 has been already installed on the laptop

    Posted Oct 09, 2012 04:54 AM

    I am trying to download SERT from Fileconnect, but I don't know my product serial number. I am asking for help from others.



  • 7.  RE: How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP11.0.6 has been already installed on the laptop

    Posted Oct 09, 2012 05:10 AM

    Once you have SERT, call Tech Support for the PIN to allow it to run.

    Symantec Endpoint Recovery Tool (SERT) requires a PIN to run
    Article: TECH159200 | Created: 2011-05-01 | Updated: 2012-05-02
    Article URL: http://www.symantec.com/docs/TECH159200



  • 8.  RE: How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP11.0.6 has been already installed on the laptop

    Posted Oct 26, 2012 10:34 PM

    Hi,

    Did you receive your answer?



  • 9.  RE: How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP11.0.6 has been already installed on the laptop

    Posted Oct 31, 2012 09:50 AM

    Hi! Here http://www.symantec.com/connect/forums/fbi-moneypak-virus-corrupting-profiles-our-server I see the same problem; it looks like this ransomware causes serious problems on many PCs.

    I would suggest that you go into Safe Mode and restore your system to a previous date when it had not yet been compromised. You can do that in the following way:

    1. Use the F8 key to go into Safe Mode with Command Prompt.

    2. At the Command Prompt, type explorer.exe, then press Enter.

    3. You will see your desktop. Go to the Start menu and type rstrui; you are then taken to System Restore, where you can set your system back to a moment in the past.

    Then, the system is unlocked, but FBI Moneypak is still there. Delete these files from your system (Windows XP):

    C:\Documents and Settings\{Your User Name}\Start Menu\Programs\Startup\ctfmon.exe
    C:\Windows\[Random.exe](eg. Pmfjyiaj.exe)
    C:\Documents and Settings\ {User Profile} \Local Settings\Application Data\Microsoft\Windows\[Random.exe]
    C:\Documents and Settings\ {User Profile} \Local Settings\Application Data\Microsoft\Windows\[Random]

    and in Vista :

    C:\Program Data\csrss.exe
    C:\Users\{Your User Name}\AppData\Roaming\Microsoft\Windows\… Menu\Programs\Startup\ctfmon.exe
    C:\Users\{User Profile}\AppData\Local\Microsoft\Windows… [Random.exe]
    C:\Users\{User Profile}\AppData\Local\Microsoft\Windows… [Random]
    C:\Program Data\lsass.exe
    C:\Program Data\[Random.exe]

    Do not forget to check your registry for any registry entry changes or malicious entries made to your registry. Set changed entries to their initial values.

    You can also clean your system with an automatic tool like http://www.symantec.com/products/download-security-software or http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=n95, and you can also see removal instructions here http://www.americanpendulum.com/2012/10/02/fbi-moneypak-scam-dangerous-malware-making-millions-of/ and here http://www.youtube.com/watch?v=cuctc1_g0as

    Hope this was helpful and you have managed to solve the problem!


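    The post above lists the autostart locations this ransomware family used (the user's Startup folder, ProgramData, and Local AppData) and notes that it copies the names of Windows system binaries such as ctfmon.exe, csrss.exe and lsass.exe. The following read-only triage script is an added example, not part of the thread or of any Symantec tool; it enumerates those locations plus the Run/RunOnce registry keys and flags executables that use a system-binary name from outside System32, or that launch from ProgramData/AppData, then reports their Authenticode status. The Vista-style paths ($env:ProgramData, the Startup special folders) are assumed; on XP adjust them to the Documents and Settings layout the post gives. Nothing is deleted: the output is a list to review by hand before removing anything.

    ```powershell
    # Added example (not from the thread): read-only triage of the autostart
    # locations named in the post above. Assumes Windows with PowerShell 2.0+.
    $SuspectNames = @('ctfmon.exe', 'csrss.exe', 'lsass.exe')   # names the post says were abused
    $System32     = (Join-Path $env:windir 'System32').ToLower()
    $Findings     = @()

    function Add-Finding([string]$Source, [string]$Path, [string]$Reason) {
        $script:Findings += New-Object PSObject -Property @{
            Source = $Source; Path = $Path; Reason = $Reason; Signature = ''
        }
    }

    # Returns $true when the path was flagged.
    function Test-Suspect([string]$Source, [string]$Path) {
        $p    = $Path.Trim('"').ToLower()
        $name = [System.IO.Path]::GetFileName($p)
        if (($SuspectNames -contains $name) -and -not $p.StartsWith($System32)) {
            Add-Finding $Source $Path 'system binary name outside System32'
            return $true
        }
        if ($p -like '*\programdata\*' -or $p -like '*\appdata\*') {
            Add-Finding $Source $Path 'executable launched from ProgramData or AppData'
            return $true
        }
        return $false
    }

    # 1. Raw executables in the Startup folders (legitimate entries are normally .lnk shortcuts).
    foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                       [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not ($dir -and (Test-Path $dir))) { continue }
        Get-ChildItem -Path $dir -Filter '*.exe' -ErrorAction SilentlyContinue | ForEach-Object {
            if (-not (Test-Suspect 'Startup folder' $_.FullName)) {
                Add-Finding 'Startup folder' $_.FullName 'raw .exe in Startup folder'
            }
        }
    }

    # 2. System-binary names dropped directly into the ProgramData root (C:\ProgramData\csrss.exe etc.).
    foreach ($n in $SuspectNames) {
        $candidate = Join-Path $env:ProgramData $n
        if (Test-Path $candidate) { Add-Finding 'ProgramData root' $candidate 'system binary name outside System32' }
    }

    # 3. Run / RunOnce values for the machine and the current user.
    $RunKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }          # skip PowerShell's own metadata properties
            $cmd = [string]$prop.Value
            # Take the executable from the command line: quoted path or first token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            [void](Test-Suspect "$key\$($prop.Name)" $exe)
        }
    }

    # 4. Authenticode status for every flagged file (unsigned is a stronger signal, not proof).
    foreach ($f in $Findings) {
        $path = $f.Path.Trim('"')
        if (Test-Path $path) {
            $f.Signature = (Get-AuthenticodeSignature -FilePath $path).Status
        } else {
            $f.Signature = 'file missing'
        }
    }

    $Findings | Format-Table Source, Path, Reason, Signature -AutoSize
    ```

    Run it from an elevated PowerShell prompt in Safe Mode with Command Prompt (after the explorer.exe step above) so the HKLM keys are readable. A hit on "system binary name outside System32" in a user Startup folder or the ProgramData root matches exactly the pattern the post describes; anything flagged only because it lives in AppData still needs a look at the publisher and signature, since plenty of legitimate per-user software installs there.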

  • 10.  RE: How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP11.0.6 has been already installed on the laptop

    Posted Nov 08, 2012 09:39 AM

    This new Security Response whitepaper about Ransomware will be of interest to followers of this thread:

    Ransomware: A Growing Menace
    https://www-secure.symantec.com/connect/blogs/ransomware-growing-menace




  • 11.  RE: How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) on the laptop; SEP11.0.6 has been already installed on the laptop

    Posted Dec 27, 2012 04:55 AM

    This new Security Response blog post also adds some extra developments and details; be informed!

    Ransomware: Extorting Money by Panic and Pressure
    https://www-secure.symantec.com/connect/blogs/ransomware-extorting-money-panic-and-pressure