Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: ransommalware

17 Dec 2013   #1

windows7 32bit

hi have got this thing demanding money or police action I know its ascam but my computer is locked with this so called official message. I cannot get into safemode by the f8 key any ideas .

thanks . Dumper

My System SpecsSystem Spec
17 Dec 2013   #2

Windows 7 UnProfessional x64

Is it the moneypak/FBI scam virus? Do you have a recovery image you can use? If not, you'll need a virus removal guide or someone who knows how to remove it.
My System SpecsSystem Spec
17 Dec 2013   #3
Microsoft MVP

Windows 7 Ult. x64

Read this for background :
Ransomware removal | What is Ransomware | Microsoft Security

Remove it using this:
Windows Defender Offline

Use a USB flash drive for the tool so it can update the virus definitions first.
My System SpecsSystem Spec

17 Dec 2013   #4

Win-7-Pro64bit 7-H-Prem-64bit

After you get through reading through the links Golden provided,
See if this startup process gets you to a Free scanner utility site so you can download it,
Safe mode with networking,
Shut down your machine, Unplug-Hold the power button down for 30/45 seconds (Power Drain)
Leave the machine Unpluged from the power source for longer the better.
Power up and Tap the F8 key continuously until you see a black page with white text,
Use the down arrow key to toggle to safe mode with networking/ hit the enter key.
Login as usual
Other advanced methods,

Forgot the scanners,
Review Jacee’s instructions to run Adwcleaner here,
Ignore the title of the thread,

You can use these free tools to see if they find anything,
Manually Update them before running full scans,
Try not to use your computer while the scans are running, (one at a time of course).
Uncheck the box to Activate the Free trial from the final install options,
My System SpecsSystem Spec
17 Dec 2013   #5

Windows 7 Home Premium



If you wish, follow these instructions. I've provided them to Users who ran them successfully, several times...

Let's use HitmanPro.Kickstart to access your computer, scan it for malware, and remove this infection. The program targets this ransomware.

Also, you may want to print these instructions, so they are available to follow.

Now, load a USB flash drive with HitmanPro.Kickstart as follows...
Note: the contents of the USB flash drive are erased during this process!

Use a clean (non-infected) computer, and download:
HitmanPro.Kickstart - Anti ransomware, politievirus, bundestrojaner, Reveton, BKA, GVU - SurfRight

Under Download (on the right) select the program applicable to the system: 32-bit

When HitmanPro opens, click the KickStart icon at the bottom of the screen.

>>Plug in the USB flash drive.

When the USB flash drive is detected, a selection screen is presented.
Select the USB flash drive from the choices, and press: Install Kickstart
A warning that all contents of the selected flash drive will erase is presented.
Press: Yes

As the HitmanPro.Kickstart files are loaded, a progress indicator is shown on the screen.
Once the process is completed a screen is presented with the contents of HitmanPro.Kickstart

Remove the USB flash drive from the clean computer and press: Close

Now, with the ransomed computer shut down, plug the USB flash drive into a USB port, and turn on the power.

When the computer starts, press the key that brings up the Boot Menu. (On some machines its F12, F10, or F2)

From there, select to boot from the USB drive. (It may say 'Removable Drive' in the options.)
Info: How to Remove Ransomware - Select Real Security

Once you select the USB flash drive to boot from, press: Enter

A Kickstart prompt with USB boot options appears.
Select: 1 (Bypass the Master Boot Record (Default))

The system continues to boot from the hard drive and starts Windows.

If you get a message stating that Windows failed to start, etc., just select: Start Windows Normally

When Windows boots, you either get a logon screen, or the Desktop is started.
If you see a logon screen with your User name, logon with it.

In the next prompt that appears, to start the program without installing to the local hard disk, select the option to do a: One-time scan to check the computer.

To start scanning for malware press: Next

If malware is detected, the program shows what malware is present on the system using a red framed screen as shown below:

Select Next to quarantine the malware into a secure storage where it can no longer start.

At the next screen, activate the 30-day free license:

After successful activation (30 days), press: Next

A screen indicating that the malware was successfully disabled or removed is presented.
Press: Next

To obtain a report of the scan results, press: Save log
>>Save the Notepad log to the Desktop<<
It has a name such as: HitmanPro_xxxxxxxx_xxxx

Remove the USB drive, and press: Reboot
If no malware is found, press: Close

After HitmanPro.Kickstart is done, you should be back into normal Windows.

Please post the HitmanPro log in your reply. <<Important!
My System SpecsSystem Spec
17 Dec 2013   #6

Windows 7 Home Premium


There has also been some success in removing the FBI ransomware with Windows Defender Offline.

A tutorial prepared by Brink is found here:
Windows Defender Offline

However, I recommend you use WDO on a bootable USB pen/flash drive, since the virus definitions for it can be updated.

If you decide to do so, the following are instructions for only using the USB option:

Download: What is Windows Defender Offline?
Press the download that applies to your system: 32-bit

Save the exe file to the Desktop of a computer that is not infected, since the ransomware can interfere with the USB media creation!

Double-click the downloaded mssstool32.exe file.

At the initial WDO welcome window, you are also made aware that an Internet connection is needed.
Click on: Next

At the next window with License Terms, click on: I accept

Next, you are asked which type of media you are installing Windows Defender on.
At this point select: On a USB flash drive that is not password protected
Click: Next

Connect the USB flach drive to the clean computer.
A warning appears about reformatting and its consequences.
Backup anything that you do not want to lose to another location!!

If you have more than one USB drive connected, select the one to use, and click on: Next
After clicking Next, you see another Window which initiates the copying and downloading of all the needed files to create the offline bootable version of Windows Defender.

The Window will also show a progress bar so you can see the overall progress of the process.
When the Installation Complete window appears, you can click: Finish

Remove the USB flash drive from the clean computer using the Safely Remove... icon on the lower right of the Taskbar.

Now, connect the USB flash drive to the infected computer.

Restart the infected computer from the USB flash drive.

After WDO starts (automatically), under Scan Options, click: Full
Next, click: Scan Now

WDO performs the scan, and displays steps to follow based on its scan results...

When done, close Windows Defender Offline and restart the computer.

Back in Windows, the log of quarantined or detected items should be available in: C:\Windows\Windows Defender Offline\Support

It is stored in an MPLog-MM/DD/YYYY-HH/MM/SS.txt file

Please provide the MPLog in your reply.
My System SpecsSystem Spec
17 Dec 2013   #7
Microsoft MVP

Windows 7 Ult. x64

Post #3 has it covered Cottonball
My System SpecsSystem Spec
18 Dec 2013   #8

Windows 7 Home Premium

Thanks, Golden.

Just added some miscellaneous trivia, and placed it all in one sequence so the OP does not have to refer to more than one section.

No biggie...
My System SpecsSystem Spec


Thread Tools

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 11:28.
Twitter Facebook Google+