FBI Virus Removal


The “FBI Virus” is ransomware that locks a user’s profile. There are different ways to remove it, but try these steps.

To Resolve:

  1. Try to log on to another user account if you are locked out of yours. Try the local administrator account if you have one.

  2. If that doesn’t work, try your account in safe mode.

  3. Once inside a user profile, Run – %userprofile%\appdata\local\temp – remove rool0_pk.exe – remove V.class. The virus can have names other than “rool0_pk.exe”, but it should look like it doesn’t belong and should have the same create date/time as a .class file. If you sort by file modified/created time, you’ll find it.

  4. Run – %appdata%\microsoft\windows\start menu\programs\startup – remove ctfmon (ctfmon.lnk); this is what calls the virus on startup. Also check HKLM\Software\Microsoft\Windows\CurrentVersion\Run and make sure there’s nothing obvious there.

  5. If those still haven’t removed it, start running all the virus scans you have inside another profile.

  6. Re-image your computer if the infection still persists.
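
The checks in steps 3 and 4 can be listed in one pass with a read-only PowerShell script, added here as an example and not part of the original post. It deletes nothing; the two-minute matching window and the variable names are assumptions.

```powershell
# Added triage example: read-only, lists candidates and deletes nothing.
$temp    = Join-Path $env:USERPROFILE 'AppData\Local\Temp'
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$windowSeconds = 120   # assumption: "same create time" means within two minutes

# Step 3: executables in Temp created at about the same time as a .class file.
$files   = Get-ChildItem -Path $temp -File -Force -ErrorAction SilentlyContinue
$classes = $files | Where-Object { $_.Extension -eq '.class' }
$exes    = $files | Where-Object { $_.Extension -eq '.exe' }

$suspects = foreach ($exe in $exes) {
    foreach ($cls in $classes) {
        $delta = [math]::Abs(($exe.CreationTime - $cls.CreationTime).TotalSeconds)
        if ($delta -le $windowSeconds) {
            [pscustomobject]@{
                Exe       = $exe.FullName
                ClassFile = $cls.Name
                Created   = $exe.CreationTime
                DeltaSec  = [int]$delta
            }
            break   # one matching .class file is enough to flag this exe
        }
    }
}
$suspects | Sort-Object Created | Format-Table -AutoSize

# Step 4a: resolve every shortcut in the Startup folder to its real target.
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)   # opens the existing .lnk for reading
        [pscustomobject]@{
            Shortcut     = $_.Name
            Target       = $lnk.TargetPath
            Arguments    = $lnk.Arguments
            PointsToTemp = $lnk.TargetPath -like "$temp*"
        }
    } | Format-Table -AutoSize

# Step 4b: list the HKLM Run values for manual review.
$run = Get-ItemProperty -Path $runKey
$run.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |   # skip PowerShell's own metadata
    Select-Object Name, Value | Format-Table -AutoSize -Wrap
```

Run it from the clean profile or safe mode session you reached in steps 1 and 2, and review each listed item before removing anything by hand.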