Wednesday, November 14, 2012

FBI Online Agent

Another day, another screenlocker. These things are getting on my nerves...


This is a fairly straightforward removal process.

  1. Reboot the PC into Safe Mode with Networking by repeatedly pressing the 'F8' key at the top of the keyboard until you get to the "Advanced Boot Options" menu
  2. Hold down Windows Key + R to get the run box open
  3. Clear out the text inside the run box and type "regedit.exe" (without the quotes), click "Ok"
  4. Navigate to the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  5. Look for an exe running from the following folder:
%userprofile%\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe

Keep in mind that the exe name above (WSManHTTPConfig.exe) and the numbered folder it is stored in (912 in my case) both change with each installation; those two parts are what will differ on your machine.

All we need to do now is navigate to the folder and remove the exe itself. Here is how to do that:

  1. Open up the run box again the same way we did above.
  2. Type "control folders" (without the quotes) and click "Ok"
  3. Navigate to the "View" tab
  4. Tick "Show hidden files, folders, drives"
  5. Untick "Hide Protected Operating System Files"
  6. Open the run box again
  7. Type "%userprofile%" (without the quotes) and click "Ok"
  8. Navigate to "Local Settings\Application Data\Microsoft\Windows\"
  9. Find the folder that was marked in the registry key that you found above (912 in my case)
  10. Delete that folder entirely (be careful not to delete any others; open the folder to be sure it is the correct one)
  11. Repeat steps 1-5 but reverse the ticks (hide the files again)
  12. Run a malware scanner on the PC to ensure that you are rid of any leftovers
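The two procedures above (find the Run entry, then delete the numbered folder it points at) can be done in one pass from a PowerShell prompt in Safe Mode. The script below is an added example, not part of the original post, and it assumes PowerShell is available on the machine and the XP-style profile path the post describes (`%userprofile%\Local Settings\Application Data`, which on Vista and later is a junction to `%LOCALAPPDATA%`). It goes slightly beyond the post by also checking the HKCU Run key and by listing any all-digit folders under `Microsoft\Windows` that hold an exe, in case the registry value has already been cleared. Without `-Remove` it only reports what it finds, so you can confirm the folder is the right one before anything is deleted.

```powershell
# Added example (not from the original post). Triage the Run keys for the
# screenlocker's autostart entry and, only with -Remove, delete the registry
# value and the numbered folder it points at. Dry run by default.
param(
    [switch]$Remove
)

# The post only mentions HKLM; HKCU is checked too (assumption: same layout).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Per-user path from the post; the folder name (912 in the post) is numeric.
$suspectRoot = Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\Windows'

# Matches "...\Microsoft\Windows\<digits>\<name>.exe" inside a Run value.
# -match is case-insensitive in PowerShell, so drive/case variations still hit.
$pattern = 'Microsoft\\Windows\\(\d+)\\([^\\"]+\.exe)'

$hits = 0
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSChildName, etc.; skip those.
        if ($p.Name -like 'PS*') { continue }
        $value = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($value -match $pattern) {
            $hits++
            $folder = Join-Path $suspectRoot $Matches[1]
            Write-Host "Suspect autostart: $key\$($p.Name)"
            Write-Host "  command: $value"
            Write-Host "  folder : $folder"
            if ($Remove) {
                Remove-ItemProperty -Path $key -Name $p.Name
                if (Test-Path $folder) {
                    # -Force is needed because the folder and exe are hidden.
                    Remove-Item -Path $folder -Recurse -Force
                }
                Write-Host "  removed registry value and folder"
            }
        }
    }
}

# Fallback: numeric folders containing an exe, even if no Run value points there.
if (Test-Path $suspectRoot) {
    Get-ChildItem -Path $suspectRoot -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\d+$' } |
        ForEach-Object {
            $exes = Get-ChildItem -Path $_.FullName -Force -Filter '*.exe'
            if ($exes) {
                Write-Host "Numeric folder with exe (check manually): $($_.FullName)"
                $exes | ForEach-Object { Write-Host "  $($_.Name)" }
            }
        }
}

if ($hits -eq 0) { Write-Host "No matching Run entry found in HKLM or HKCU." }
```

Run it once without arguments to see what it would touch, then re-run with `-Remove` from an elevated prompt (the HKLM value needs administrator rights). As the post says, follow up with a malware scan: this only removes the autostart entry and the dropped folder, not anything else the installer may have left.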