Malware name: FBI Ransomware
Newest version detection rate: 14/43
Detected by Malwarebytes: yes
Difficulty of removal once installed: [rating bar graphic, not recoverable as text]
Introduction:
This malware is ransomware: it takes your computer "hostage" and demands a ransom (cash payment).
It blocks your screen with a message saying that your computer has been locked because of several violations (copyright, pornography, child pornography, promoting terrorism, negligent computer use, gambling, etc.).
It then enables your webcam (if you have one) and shows the feed on your screen, claiming that they are watching you (which is false).
When executed, the malware kills all processes (except the ones needed to run Windows) and keeps closing them if you somehow manage to open them.
It blocks/disables all shortcut keys (Ctrl+Alt+Del, Alt+Tab, Win key, Ctrl+Esc, etc.).
Some variants of this malware also delete the registry keys needed for safe mode. If you try to boot into safe mode, you get a blue screen of death because of the missing keys, which makes removal a bit harder.
Symptoms:
Pretty obvious: a screen like this every time you start your computer:
http://i.imgur.com/Y53oZ.png (click to see image)
Unable to boot into safe mode (blue screen of death)
Unable to open any program or use shortcut keys
Files created:
c:\"path"\"program name".exe
The path can vary depending on what installed it on your computer.
If you got it by visiting a bad website (exploit), it will most likely be in %temp%, %userprofile%\application data or %userprofile%\local settings\application data.
The program name can also vary; usually it's something like svchost.exe or a spoof of it.
Registry key created:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\svñhîst
{"path"}
The path is the same as the file created above.
The name of the registry key is correct; I think it's because I don't have the Russian language pack installed, and the character ñ in Russian looks like 'c' and î like 'o', making svchost.
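As an added defender-side example (not from the original post), here is a small Python check that applies the indicators above to Run-key entries: it undoes the code-page mix-up the post alludes to (bytes 0xF1 and 0xEE are the Cyrillic letters с and о in cp1251 but display as ñ and î in cp1252), reduces the value name to the Latin letters a person would read, and flags an autorun entry whose name is a non-ASCII lookalike of svchost, whose image sits in a temp or Application Data folder, or whose svchost.exe lives outside System32. The sample entries are constructed, and the script takes them as a list rather than reading a live registry, so it runs anywhere.

```python
import re
import unicodedata

# Small homoglyph table: Cyrillic letters that render identically to Latin ones.
# Hand-picked for the svchost case on this page; not an exhaustive confusables list.
CYRILLIC_HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
})
SPOOFED_NAMES = {"svchost"}  # system binary name the ransomware imitates
# Drop folders named in the post (matched case-insensitively inside the path).
SUSPICIOUS_DIRS = ("\\temp\\", "\\application data\\", "\\appdata\\")

def unmojibake(name: str) -> str:
    """Undo a cp1251 string shown through cp1252 (e.g. 'svñhîst' -> 'svсhоst').
    Names that are not valid in both code pages are returned unchanged."""
    try:
        return name.encode("cp1252").decode("cp1251")
    except UnicodeError:
        return name

def skeleton(name: str) -> str:
    """Reduce a Run value name to the Latin letters a person would read."""
    s = unicodedata.normalize("NFKD", unmojibake(name))
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    return s.translate(CYRILLIC_HOMOGLYPHS).lower()

def flag_run_entry(value_name: str, image_path: str) -> list:
    """Return the reasons (possibly none) an autorun entry looks like this ransomware."""
    reasons = []
    skel = skeleton(value_name)
    if skel in SPOOFED_NAMES and not value_name.isascii():
        reasons.append("non-ASCII lookalike of " + skel)
    lowered = image_path.lower()
    if any(d in lowered for d in SUSPICIOUS_DIRS):
        reasons.append("autorun image in a temp or Application Data folder")
    base = re.sub(r"\.exe$", "", lowered.rsplit("\\", 1)[-1])
    if base in SPOOFED_NAMES and "\\system32\\" not in lowered:
        reasons.append("system binary name outside System32")
    return reasons

def scan(entries) -> dict:
    """Map each flagged value name to its reasons; clean entries are omitted."""
    return {n: r for n, p in entries if (r := flag_run_entry(n, p))}

# Constructed sample of HKLM\...\Run entries (not real data from the post).
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("sv\u00f1h\u00eest", r"C:\Documents and Settings\user\Local Settings\Application Data\svchost.exe"),
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RUN_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```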
Removal:
This malware would be extremely easy to remove if you were able to open programs or Alt+Tab, but you can't.
Removal #1
If you're able to boot into safe mode (with the steps below), follow this part of the guide; if not, continue to the second part.
To boot into safe mode, restart your computer and press F8 (repeatedly if you have to) before Windows starts up.
If done correctly, there should be a black screen with a few options; select safe mode. If it gives you a blue screen of death (for half a second), skip to the second part.
Once you're in safe mode, click Start - Run and type "regedit" without the quotes.
Double-click HKEY_LOCAL_MACHINE, then Software\Microsoft\Windows\CurrentVersion\Run.
Now on the right side, there should be a registry key named svñhîst. Right-click it and delete it.
Now you'll be able to restart your computer normally again without it blocking your screen.
Restart your computer in normal mode and download Malwarebytes Anti-Malware:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Update the program and run a quick scan.
Once it's done, it should have found the ransomware file, click on remove selected.
Removal #2
If you're unable to boot into safe mode, use this method to remove the ransomware. It might get a bit complicated and long, so make sure to follow all of the steps.
What you'll need is Kaspersky Rescue Disk and another computer with an internet connection to download it.
You can download it here:
http://support.kaspersky.com/4162 (click on the green text: Kaspersky Rescue Disk 10)
Once you've finished downloading it on your other computer (a friend's computer, the library's computer, etc.), either burn it to a CD/DVD or put it on a USB device.
Now you'll need to boot from the CD/USB device. To do this, restart your infected computer and press F2 before it boots. If done correctly, you'll enter your BIOS. If it doesn't work, try F12 or Esc.
Next, use the arrow keys to go to the Boot tab in the BIOS. With the -/+ keys, arrange it so that the CD-ROM drive or Removable Devices boots before the Hard Drive.
Then go to the Exit tab and select Exit saving changes.
This will restart your computer; while it's restarting, it should show "press any key to continue". Press any key.
It will boot from the Kaspersky application. Select your language, then press 1 on the next screen. Then select Kaspersky Rescue Disk. Graphic Mode.
It will take a few minutes to start, and it should look like Windows Explorer.
Once it's done loading, close Kaspersky Rescue Disk (or do a scan with it if you want; it takes 30-45+ minutes if c:\ is included).
Double click on Kaspersky Registry editor.
Expand (click the + sign) Microsoft Windows ## service pack #.
Then double-click HKEY_LOCAL_MACHINE, then Software\Microsoft\Windows\CurrentVersion\Run.
Now on the right side, there should be a registry key named svñhîst. Right-click it and delete it.
Now you'll be able to restart your computer normally again without it blocking your screen.
Restart your computer in normal mode and download Malwarebytes Anti-Malware:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Update the program and run a quick scan.
Once it's done, it should have found the ransomware file, click on remove selected.
Additional information:
Since some variants delete the registry keys needed for safe mode, you can restore them by downloading this:
http://support.kaspersky.com/faq/?qid=208279889
Scroll down until you see Sality_RegKeys.zip.
Download it and unzip it. Double-click the .reg file corresponding to your operating system (make sure it's the correct one).
Click Yes once it asks you to add the registry keys.
You should be able to boot into safe mode now for future problems.
Never pay them; they will not unlock your computer, and you'll end up with a stolen credit card.
The webcam is only there to scare the user. Don't believe anything on the page it displays; it's pretty much all false information meant to scare you into paying the 100 dollars (and get your credit card information sold on the internet "black market").
There's also a quicker method to remove this malware, but you have to be fast.
Simply boot your computer normally, spam Ctrl+Shift+Esc to open Task Manager, select the malicious process as soon as it pops up and spam the Delete key.
The malware takes 1-2 seconds before it blocks your screen, and I was actually able to remove it with this method. Once you've ended the process, follow the guide above by deleting the registry key and running Malwarebytes.
And if you fail, you can always restart your computer and try again.