The FBI or Police Virus is a rogue program that acts as ransomware on Microsoft Windows. It locks the device, claiming that the user has been involved in illicit activities, so that nothing on it can be accessed, and then demands payment. It also reports that the user has been downloading or distributing copyrighted material and adult content.
It comes in many varieties, each meant to imitate a different law enforcement agency depending on the region, such as the Metropolitan Police for the United Kingdom and the FBI Cyber-Crime unit for the United States. Despite claiming to be from a law enforcement entity, it is in fact a scam and is not run by any of them. At least one version of this virus also includes a Cryptolocker countdown screen.
To unlock the device, the FBI or Police virus demands that the user pay a penalty ranging from $100 to as high as $500 within 24 to 96 hours. This ransomware only accepts the MoneyPak payment method, which the user can purchase from selected convenience and retail stores. MoneyPak is very similar to a credit card; however, it carries a pre-loaded amount of money that the user can spend in stores and online.
If this virus infiltrates the user's device, it denies access instantly. A locked device means that the trojan has already altered the user's registry. This ransomware also drops harmful files onto the hard drive. With some components hidden on the system, there is no easy way to remove the ransomware. Depending on the version, it can either be removed via Safe Mode or may require a System Restore and then a re-installation of the operating system if the pop-up cannot be bypassed.
Trojan/Win32.Reveton (Microsoft Windows)
Win32:LockScreen (Avast!)
Trojan-Ransom.Win32.Urausy (Kaspersky)
Trojan.Winlock (Panda)
Win/DHADVQFVFBIA (AVG)
Trojan:W32/Revton (F-Secure)
If you have determined that your device has this infection, immediately begin by booting the device into Safe Mode with Command Prompt.
If the computer reboots while trying to launch Safe Mode With Command Prompt, try accessing Directory Services Restore Mode.
The computer will reboot and load Windows automatically.
If you get the Repair Your Computer prompt, you can reach System Restore through it.
Press the Down Arrow on the keyboard to select Repair Your Computer on the Advanced Boot Options menu, and then press Enter.
Specify the language settings that you want, and then click Next.
Log in as a user who has administrative credentials, and then click OK.
Click System Restore.
If that doesn't work, some versions are reported to stop appearing if you unplug the Ethernet cord from the desktop and then reboot.
If this works, perform a System Restore and let the device finish before continuing.
If it continues to reboot at this point, then an alternate means of support, such as a computer store, is needed.
If you can get into Safe Mode with Command Prompt, you can simply create the temporary account with administrator access and continue. If you can't, then you're out of options.
If a System Restore was performed previously while in Safe Mode with Networking and it didn't change anything, then a re-installation of the operating system is necessary. This will wipe all data from the device and set it back to the way it was when it was first purchased. If you have any discs that came with your computer, most notably the drivers disc, operating system disc, or backup disc, they'll be needed for this. Check the device for recovery partitions as well.
At the Windows login screen, choose the main Windows account that's been infected by the ransomware.
Once there, create a clean temporary administrator account in Windows, called "123", using the Command Prompt.
Command Prompt will open automatically in Safe Mode with Command Prompt. When it appears, type "net user 123 /add" and press Enter. If the last line in the Command Prompt reports that the command completed successfully, continue on.
Next, in Command Prompt, type "net localgroup administrators 123 /add" and press Enter to make the new Windows account an administrator. If the last line in the Command Prompt reports that the command completed successfully, continue on.
Reboot the system to apply the changes and, when you get to the login screen, log into the user account named "123".
Make sure the account "123" is an administrator account. If it's not, navigate to the User Accounts page and turn it into one. This will again prompt you for the Windows password to the main account. Log out and back in for it to take effect.
Make sure that you still have the password for the main Windows account. You will need it later to switch accounts and to remove the "123" account after the fix.
Lastly, if you've seen any hint or indication of the Cryptolocker infection during this whole process, note it so you won't accidentally wipe the encryption key off the computer by running through this process. Continue reading below to find out how to tell if this virus is using CryptoLocker ransomware and what to do if it is.
If the Police Virus displayed Cryptolocker-like symptoms, check for that infection as well. Running some toolkits or performing a System Restore may wipe the encryption key, ruining any chance of recovery.
An easy way to confirm this is if you've noticed that the wallpaper is related to the CryptoLocker virus.
Check the hard drive to see if the encryption key is available beforehand. This encryption key will usually be located in C:\Users\UserName\AppData\Roaming\Microsoft\Crypto.
Check all user profiles to make sure it's not infected in them as well.
The CryptoDefense variant is known to create the following ransom demand files in every folder that contains encrypted files:
HOW_DECRYPT.TXT
HOW_DECRYPT.HTML
HOW_DECRYPT.URL
If you have determined that the device is infected by CryptoLocker or CryptoDefense, do not attempt to continue following this procedure; you run the risk of wiping the encryption key from the device, thereby making the data on it irretrievable. Instead, follow the procedure for that particular ransomware by clicking on the button below.
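The check above (look in every user profile for the HOW_DECRYPT ransom notes before touching System Restore) can be scripted so nothing is missed. The following is an added example, not part of the original page: it walks a directory tree standing in for C:\Users, reports every folder holding one of the three note files, maps the hits back to the affected profiles, and gives a simple go/no-go answer. The sample profile tree is constructed in a temporary directory so the script runs offline; on a real machine you would point it at the Users folder of the mounted drive.

```python
import os
import tempfile
from pathlib import Path

# Ransom-demand files the page lists for the CryptoDefense variant (matched case-insensitively).
RANSOM_NOTES = {"HOW_DECRYPT.TXT", "HOW_DECRYPT.HTML", "HOW_DECRYPT.URL"}


def find_ransom_notes(root: str) -> dict:
    """Walk every folder under root; return {folder: sorted note names} for each folder holding a note."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        found = sorted(f for f in filenames if f.upper() in RANSOM_NOTES)
        if found:
            hits[dirpath] = found
    return hits


def affected_profiles(hits: dict, root: str) -> list:
    """Map each hit folder back to the user profile it sits in (first path part under root)."""
    return sorted({Path(d).relative_to(root).parts[0] for d in hits})


def safe_to_restore(root: str) -> bool:
    """The page's go/no-go rule: only proceed with System Restore if no ransom notes exist anywhere."""
    return not find_ransom_notes(root)


def build_sample_profiles() -> str:
    """Constructed stand-in for C:\\Users: two profiles, one with notes in two folders (sample data only)."""
    root = tempfile.mkdtemp(prefix="users_")
    layout = {
        ("alice", "Documents"): ["report.docx", "HOW_DECRYPT.TXT", "HOW_DECRYPT.HTML", "HOW_DECRYPT.URL"],
        ("alice", "Pictures", "2013"): ["img001.jpg", "how_decrypt.txt"],
        ("bob", "Documents"): ["notes.txt"],
    }
    for parts, files in layout.items():
        folder = Path(root, *parts)
        folder.mkdir(parents=True)
        for name in files:
            (folder / name).touch()  # empty placeholder standing in for the real note
    return root


if __name__ == "__main__":
    users_root = build_sample_profiles()
    notes = find_ransom_notes(users_root)
    for folder, names in notes.items():
        print(folder, "->", ", ".join(names))
    print("affected profiles:", affected_profiles(notes, users_root))
    print("safe to run System Restore:", safe_to_restore(users_root))
```

Because the page warns that the encryption key can be destroyed by the cleanup steps, the intended use is to run this before any toolkit or System Restore and stop the moment `safe_to_restore` returns False.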
Download each of the tools to the device's desktop, and begin running them one by one.
Prepares the computer for scans by killing any malicious processes.
RogueKiller can remove infections such as ZeroAccess and TDSS, rogues, and proxy hijackers, restore missing shortcuts, and repair the HOSTS file.
Also known as the Malware Removal Tool (MRT) on the toolkit.
Cleans PC of potentially unwanted programs (PUP).
ASC is a weaker alternative to Malwarebytes Anti-Malware with the ability to batch uninstall programs.
TDSSKiller is a utility created by Kaspersky Labs that is designed to remove rootkits, including Zero Access.
CCleaner will scan the computer for temporary files and delete them to keep the computer running efficiently, while protecting sensitive information.
AdwCleaner removes adware, toolbars, potentially unwanted programs (PUP), and browser hijackers from your computer. It will force a reboot after use.
ComboFix scans your computer for known malware and cleans these infections automatically.
Very powerful and outclasses HitmanPro, but also known to have a chance of losing chat connections.
If you've run the tools above but the Police Virus keeps coming back in normal mode, hunt for it manually.
The Police Virus is actually a file that starts with the Windows operating system. As such, you don't need to download 10 different and often unsupported scanners; you will actually save time by hunting it down manually!
1. MSConfig Method: Click on the "Startup" tab in msconfig and widen the "Command" column. You're looking for anything out of the ordinary. As you practice and do this more often, you'll recognize a pattern, and Police Viruses will always break it.
For example...
Suspicious files: A file named "xzxkcasd.exe" is an easy one. Randomly named executable files are quite easy to spot and poorly hidden. Browse to the file's directory in File Explorer and delete it to resolve the problem.
Suspicious directories: "C:\Users\Owner-PC\AppData\Local\Temp\helper.exe" In this case, what is a file named "helper.exe" doing by itself in the "AppData" folder? AppData is a directory where programs save information, and therefore will have a folder with the program's name. This one doesn't seem to belong to any, and is definitely highly suspicious.
Suspicious files in directories: "C:\Users\Owner-PC\ProgramData\Microsoft\conime.exe" This can be a tricky one. They will appear in what looks like an official folder from Microsoft. On top of that, it uses the name "conime.exe", which is the real name of a program from Microsoft. So why is this one a Police Virus? This is because "conime.exe" should actually be located in "C:\Windows\system32\"! The ones that use official sounding names or normal looking directories will take time to learn. As you open and use msconfig, you will eventually memorize what should be there and what shouldn't.
Suspicious names for the "Startup Item" and "Manufacturer", like "Unknown". This one can be easy. If it says Unknown, give it a closer look in the "Command" section. However, be advised that this is not always the best way to find the Police Virus. The newer ones actually use "Microsoft Corporation", so always double check the "Command" section!
If you're having trouble figuring out whether it's real or not, just disable everything and reboot to normal mode. You cannot cause any permanent damage by disabling Startup items, even ones from Microsoft. If it doesn't come back, you can then use trial and error to determine which Startup item is the Police Virus.
2. The "\Start Menu\All Programs\Startup\" Method: This one is extremely simple. The Startup folder in the Start Menu is designed for end users so they can customize which programs they want to run when Windows starts up. As such, it's generally empty because the end user normally installs the program and then picks whether or not it should start up with Windows in the program's settings. If you see any files in here, try removing them from it and rebooting to normal mode.
3. The "%appdata%" Method: Sometimes, the Police Virus hides in the %appdata% folder. Look around within the AppData folder for anything suspicious.
File Explorer will normally take you to the Roaming sub-folder of AppData by default, so go up one folder level after entering the directory. We want to check Local as well as Roaming AppData.
4. The "%programdata%" Method: Sometimes, the Police Virus hides in the %programdata% folder. Look around within the ProgramData folder for anything suspicious.
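The msconfig checks above boil down to a handful of rules about each Startup row: a random-looking executable name, a lone program running from AppData, ProgramData or the Startup folder, a genuine Windows binary name sitting outside C:\Windows, and a Manufacturer of "Unknown" or a Microsoft claim that the Command column does not back up. The following is an added example, not part of the original page: it encodes those rules over constructed sample rows modelled on the page's three examples plus two legitimate entries, so a reader can see exactly which rule each entry trips. The list of system binary names, the trusted roots, the drop folders and the vowel-ratio threshold are assumptions chosen for this example, and every rule is a heuristic for human review rather than a verdict.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StartupEntry:
    """One row of the msconfig Startup tab (constructed sample data, not read from a live system)."""
    item: str          # "Startup Item" column
    manufacturer: str  # "Manufacturer" column
    command: str       # "Command" column: the path that actually runs at logon


# Windows binaries that live under C:\Windows; the same name anywhere else is the
# "real name, wrong folder" trick the page describes for conime.exe (assumed list).
SYSTEM_BINARIES = {"conime.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"
# Folders a vendor binary claiming to be Microsoft is expected to run from (assumption).
TRUSTED_ROOTS = (WINDOWS_DIR, "c:\\program files\\", "c:\\program files (x86)\\")
# User-writable folders the page names as the usual hiding spots.
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\local\\", "\\appdata\\roaming\\",
             "\\programdata\\", "\\start menu\\programs\\startup\\")


def executable_path(command: str) -> str:
    """Return just the program path from a Command value, dropping surrounding quotes and arguments."""
    cmd = command.strip()
    if cmd.startswith('"') and cmd.find('"', 1) != -1:
        cmd = cmd[1:cmd.find('"', 1)]
    end = cmd.lower().find(".exe")
    return cmd[:end + 4] if end != -1 else cmd.split(" ", 1)[0]


def looks_random(filename: str) -> bool:
    """Heuristic for names like xzxkcasd.exe: 6+ alphanumeric characters with almost no vowels.
    Heavily abbreviated genuine names can trip it too, so it only flags an entry for a closer look."""
    stem = filename.lower().rsplit(".", 1)[0]
    if len(stem) < 6 or not stem.isalnum():
        return False
    vowels = sum(ch in "aeiouy" for ch in stem)
    return vowels / len(stem) < 0.2


def triage(entry: StartupEntry) -> list:
    """Apply the page's checks to one row; an empty list means nothing stood out."""
    path = executable_path(entry.command).lower()
    directory, _, filename = path.rpartition("\\")
    directory += "\\"
    reasons = []
    if looks_random(filename):
        reasons.append("random-looking executable name")
    if any(d in directory for d in DROP_DIRS):
        reasons.append("runs from a user-writable drop folder")
    if filename in SYSTEM_BINARIES and not directory.startswith(WINDOWS_DIR):
        reasons.append(f"{filename} is a Windows binary but is not under C:\\Windows")
    if entry.manufacturer.strip().lower() == "unknown":
        reasons.append("manufacturer listed as Unknown")
    elif "microsoft" in entry.manufacturer.lower() and not directory.startswith(TRUSTED_ROOTS):
        reasons.append("claims Microsoft but runs outside Windows or Program Files")
    return reasons


def review(entries) -> dict:
    """Return {command: reasons} for every row that fails at least one check."""
    flagged = {}
    for entry in entries:
        reasons = triage(entry)
        if reasons:
            flagged[entry.command] = reasons
    return flagged


# Constructed sample rows mirroring the page's three examples plus two legitimate entries.
SAMPLE_ENTRIES = [
    StartupEntry("xzxkcasd", "Unknown", r"C:\Users\Owner-PC\AppData\Local\Temp\xzxkcasd.exe"),
    StartupEntry("helper", "Unknown", r"C:\Users\Owner-PC\AppData\Local\Temp\helper.exe"),
    StartupEntry("conime", "Microsoft Corporation", r"C:\Users\Owner-PC\ProgramData\Microsoft\conime.exe"),
    StartupEntry("Google Update", "Google Inc.", r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c'),
    StartupEntry("conime", "Microsoft Corporation", r"C:\Windows\system32\conime.exe"),
]

if __name__ == "__main__":
    for command, reasons in review(SAMPLE_ENTRIES).items():
        print(command)
        for reason in reasons:
            print("   -", reason)
```

The two conime.exe rows are the point of the exercise: identical name and manufacturer, and only the Command column separates the legitimate one under C:\Windows\system32 from the one that fails three checks.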