“Your Computer has been locked!” – Fake FBI Virus Removal Guide

 

This guide will describe the process I used to rid myself of the “Your Computer has been locked!” Fake FBI Trojan Virus on my Windows 7 computer.  If you’d like to learn more about the symptoms of this virus, read our blog about the “Your Computer has been locked!” – FBI Warning message.

Although I was able to rid my Windows 7 computer of the virus using a simple method, I realize that many of you may not be able to follow the steps I took.  I will describe a second method for those of you who do not have a second user account to work with on your computer.

Method 1 – Log on as another user to rescue the locked user

  1. Press “CTRL+ALT+Delete”
  2. Click “Switch User”
    1. If you don’t have this option, move on to Method 2
    2. If you don’t know the username and password for another account, move on to Method 2
  3. Log on as another user
  4. Proceed to the “After you’ve gained limited access to your computer” section below.

Method 2 – Boot into Safe Mode to rescue the locked user

  1. Turn your computer off, then back on.  Tap the F8 key repeatedly until you get the Windows boot menu.
  2. Select “Safe Mode” (the option at the top is fine even though the image has safe mode with command prompt highlighted)
  3. Log on
  4. Proceed to the “After you’ve gained limited access to your computer” section below.

After you’ve gained limited access to your computer – follow the remaining steps:

      1. Click Start, then click “Computer”.  In the address bar at the top of the window, browse to “C:\ProgramData”.  Since that’s a hidden folder, you can just type the folder name as quoted and press Enter to arrive in that folder.  Look for a file named “lsass”; it has been highlighted in the image.  This fake lsass.exe file is a component of the “Your Computer has been locked!” Fake FBI Virus: the lsass file highlighted in the image is an imposter!  You’re going to need to either delete or rename this file.  In my case, I renamed it to “lsass.crap”.

Update 04/16/2013: The FBI Moneypack Virus has been evolving since it first surfaced in mid 2012.  In the C:\ProgramData folder, you may find “edzrw.bat”, “edzrw.pad” or “edzrw.reg”.

    1. You may now attempt to log on to your infected user account again.  If you followed Method 1, you can just log off or switch users and log on as the infected account.  If you followed Method 2, you may restart your computer at this time and then log on as usual.
    2. After logging back on to the infected user account, you may see an error message stating "Error in C:\Users\{UserName}\AppData\Local\Temp\vlcplayer.dll Missing entry: GOF1".  I would call this a step in the right direction, because now, instead of the computer being locked and displaying that fake FBI Warning, we have an error message which also points to another component of the virus, which we will now proceed to disable.
    3. Browse to C:\Users\{your username}\AppData\Local\Temp\
    4. Locate the file “vlcplayer.dll” and either rename it or delete it.  I deleted it.
    5. The “Your Computer has been locked!” Fake FBI Virus is started when you log on because it creates a shortcut to the virus in your Startup folder.  Remove the link to “ctfmon” in the Startup folder under the Programs menu: click Start, click All Programs, click Startup.  In the image, I’ve highlighted the shortcut that we’ll be deleting from the Startup folder, which is the “ctfmon” icon.  Right-click on that icon and delete it.

    6. That should be the end of it.  Those were all the steps necessary to disable the “Your Computer has been locked!” Fake FBI Warning Ransomware Virus.
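
The file checks from the steps above can be collected into one PowerShell script that only lists what it finds unless `-Quarantine` is given.  This is an added example, not part of the original guide; the Startup folder paths are assumed Windows 7 defaults, and the `-Quarantine` switch and `.quarantine` suffix are the example's own names.

```powershell
# Added example (not from the original guide): list the files this guide names.
# Run it from the second account (Method 1) or from Safe Mode (Method 2), as an
# administrator so that other users' profile folders are readable.
param(
    [string]$UsersRoot   = 'C:\Users',        # assumption: default profile root
    [string]$ProgramData = 'C:\ProgramData',  # folder named in the guide
    [switch]$Quarantine                       # rename hits instead of only listing them
)

# Assumption: Windows 7 default Startup folder, relative to ProgramData / AppData\Roaming.
$startup = 'Microsoft\Windows\Start Menu\Programs\Startup'

$patterns = @(
    "$ProgramData\lsass*",           # the real lsass.exe lives in C:\Windows\System32
    "$ProgramData\edzrw.bat",        # names from the 04/16/2013 update
    "$ProgramData\edzrw.pad",
    "$ProgramData\edzrw.reg",
    "$ProgramData\$startup\ctfmon*"  # all-users Startup folder
)
$userDirs = @(Get-ChildItem -Path $UsersRoot -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer })
foreach ($dir in $userDirs) {
    $patterns += "$($dir.FullName)\AppData\Local\Temp\vlcplayer.dll"
    $patterns += "$($dir.FullName)\AppData\Roaming\$startup\ctfmon*"
}

# -Force is required because ProgramData and AppData are hidden folders.
$hits = @(foreach ($p in $patterns) {
    Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
})

foreach ($f in $hits) {
    if ($f.Name -like '*.quarantine') { continue }   # renamed by an earlier run
    Write-Output ("FOUND  {0}  ({1} bytes, modified {2})" -f $f.FullName, $f.Length, $f.LastWriteTime)
    if ($Quarantine) {
        # Rename instead of deleting, as the guide does with "lsass.crap".
        # The ".quarantine" suffix is this example's own choice.
        Rename-Item -Path $f.FullName -NewName ($f.Name + '.quarantine') -Force
    }
}
if ($hits.Count -eq 0) { Write-Output 'No files named in this guide were found.' }
```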

If you require additional help or assistance, as always, feel free to contact one of our technicians at (888) 777-WURX.  One of our friendly technicians will be glad to assist you with the removal of this or any other virus from your computer.
