I’ve run into this nasty virus a couple of times and it can be a real pain to remove. At first, it seems fairly innocent, even though it causes a huge problem for the end user. It basically takes your computer hostage, what’s called ransomware. When you boot up your computer, you entire screen gets taken over by what you see in the picture above. It appears to be a message from the FBI and wanting you to pay $100 through Moneypak to unlock your computer.

The FBI
Federal Bureau of Investigation

ATTENTION!
IP: xxx.xxx.xxx
Location: Your Country Here
IPS: Your ISP Here

Your PC is blocked due to at least one of the reasons specified below.

You have been violation Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article I, Section 8, Clause 8, also known as the Copyright of the Criminal Code of United States of America.

Article I, Section 8, Clause 8 of the Criminal Code provides for a fine of two to five hundred minimal wages or a deprivation of liberty for two to eight years.

You have been viewing or distributing prohibited Pornographic content (Child Porno, Zoofilia and etc). Thus violating article 202 of the Criminal Code of United States of America. Article 202 of the Criminal Code provides for a deprivation of liberty for four to twelve years.

Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law of Neglectful Use of Personal Computer. Article 210 of the Criminal Code provides for a fine of up to $100,000 and/or a deprivation of liberty for four to nine years.

Pursuant to the amendment to the Criminal Code of United States of America of May 28, 2011, this law infringement (if it is not repeated – first time) may be considered as conditional in case you pay the fine to the State.

Fines may be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 hours!

To unblock the computer, you must pay the fine through MoneyPak of 100$.

There’s a few ways to try to remove this virus. If you’re lucky enough and can still boot into Safe Mode, then you can probably run a few programs to remove all traces of this virus. Most of the filenames are random characters which should stand out fairly easily:

%Temp%.exe
%StartupFolder%ctfmon.lnk
File Location Notes:

%Temp% refers to the Windows Temp folder. By default, this is C:WindowsTemp for Windows 95/98/ME, C:DOCUMENTS AND SETTINGSLOCAL SETTINGSTemp for Windows 2000/XP, and C:UsersAppDataLocalTemp for Windows Vista and Windows 7.

%StartupFolder% refers to the Startup folder in the Start Menu. For Windows 95/98/ME it refers to C:windowsstart menuprogramsStartup, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:Documents and SettingsStart MenuProgramsStartup, and for Windows Vista/7 it is C:UsersAppDataRoamingMicrosoftWindowsStart MenuProgramsStartup.

One removal tool to try is the EmiSoft Emergency Kit, which can be downloaded here. Download the zip file and extract it to your desktop (or somewhere on your computer). Open the folder and click on Start.exe, then start the Emergency Kit Scanner. Click on Scan PC, then Deep Scan.

Norton also makes a removal tool called Norton Power Eraser, available here.

Another side effect of this virus is that eventually it seems to corrupt more Windows files, and sometimes even the Master Boot Record (MBR). If that’s the case, then you probably can’t even boot into Windows. If that happens to you, you can either take out the hard drive and attach it to another computer and run some virus scans on it, or you can make a boot CD/USB drive like I described here or here. If it gets to this point, I would recommend hiring an IT professional to repair the computer because one wrong move and your data might be lost.