How To Remove Citadel Malware Reveton Ransomware (Fake IC3, FBI Malware)

Sean Doyle

Sean Doyle is an engineer from Los Angeles, California. Primary focuses include internet security and web spam.

14 Responses

  1. Anonymous says:

    At the part where you tell me to type in del *.dll.lnk and press Enter, this pops up: the file name was incorrect.

  2. Mason says:

    So once I do that free scan, and after it's done scanning and I click the button where it says remove the stuff, then after I restart like it says, am I in the clear??

    • Sean Doyle says:

      You should be fine; I cannot tell you this with 100% certainty, though.

      If you would like to try a free “second opinion scanner” I suggest performing a scan with HitmanPro by Surfright (You can also purchase HitmanPro here).

      If you still feel any uncertainty you could also perform a system recovery or reset (depending on your version of Windows), as well as change your user account credentials and settings… or delete the ‘infected’ Windows user account entirely.

      If you wish to prevent these types of infections in the future you can purchase Malwarebytes Pro with real-time protection, as opposed to the scan-only free version.

  3. Mike says:

    Did the restore, it worked, ran the malware. How do I know that it is completely off the computer?

    • Mike says:

      How do I know??

      • Sean Doyle says:

        A suggestion to ensure removal is complete is to install the free version of Malwarebytes, perform a scan, and search through the results (since Malwarebytes does detect and remove FBI related malware). Once you are satisfied with your results you may remove the free version of Malwarebytes or continue to use it for scans in the future.
        The free version of AVG has been documented to detect and remove the infection as well.

  4. Harry says:

    The virus took control of our server and blocked the screen with the message demanding money. The server runs Windows Business Server 2003. I can’t access the server using remote desktop connection. Also, DOS program on workstations won’t open. Is that because the server is blocked? I hope someone can help.
    Thanks, Harry

  5. Anonymous says:

    System restore worked. Thanks, Tim

    • Sean Doyle says:

      Glad to hear you got rid of it; I was just about to reply to your previous comment with the information below.

      1. Open Windows Start Menu and type %appdata% into the search field, press Enter.
      2. Navigate to: Microsoft\Windows\Start Menu\Programs\Startup
      3. Remove ctfmon (ctfmon.lnk if in DOS) – this is what’s calling the virus on startup
      4. Open Windows Start Menu and type %userprofile% into the search field and press Enter.
      5. Navigate to: Appdata\Local\Temp
      6. Remove rool0_pk.exe
      7. Remove [random].mof file
      8. Remove V.class

      The virus can have names other than “rool0_pk.exe” but it should appear similar; there may also be 2 files, 1 being a .mof. Removing the .exe file will fix the virus. The class file uses a Java vulnerability to install the virus; removal of V.class is done for safe measure.

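A report-only audit of the two locations the steps above touch, added here as an example that is not code from the original article or its author. It assumes Windows PowerShell 4 or later (for Get-FileHash) and generalises the steps slightly: it flags any Startup shortcut that launches something from a Temp folder or whose target has gone missing, not only ctfmon.lnk, and lists loose .exe/.mof/.class files in %LOCALAPPDATA%\Temp with their hashes so they can be matched against a scanner's detections. Nothing is deleted.

```powershell
# Added example, not code from the original article or its author.
# Report-only audit of the two locations the removal steps touch:
#   1. the per-user Startup folder, for shortcuts that launch something from a
#      Temp directory or that mimic a system binary name (e.g. "ctfmon")
#   2. %LOCALAPPDATA%\Temp, for loose .exe/.mof/.class files
# Nothing is deleted; review the output before removing anything.

$startup  = [Environment]::GetFolderPath('Startup')   # ...\Start Menu\Programs\Startup
$userTemp = Join-Path $env:LOCALAPPDATA 'Temp'
$shell    = New-Object -ComObject WScript.Shell

Write-Host "== Startup shortcuts in $startup =="
foreach ($lnk in Get-ChildItem -Path $startup -Filter '*.lnk' -Force -ErrorAction SilentlyContinue) {
    $target  = $shell.CreateShortcut($lnk.FullName).TargetPath
    $reasons = @()
    if (-not $target) {
        $reasons += 'shortcut has no target'
    } else {
        # a Startup shortcut pointing into any Temp folder is the persistence pattern described above
        if ($target -match '\\Temp\\')             { $reasons += 'target is in a Temp folder' }
        if (-not (Test-Path -LiteralPath $target)) { $reasons += 'target file is missing (already quarantined?)' }
        # the real ctfmon.exe lives under %WINDIR% and is not launched from this folder
        if ($lnk.BaseName -ieq 'ctfmon' -and $target -notlike "$env:WINDIR\*") {
            $reasons += 'mimics a system binary name'
        }
    }
    $flag = if ($reasons) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1} -> {2}  {3}' -f $flag, $lnk.Name, $target, ($reasons -join '; ')
}

Write-Host "`n== Loose executables in $userTemp =="
Get-ChildItem -Path "$userTemp\*" -Include '*.exe','*.mof','*.class' -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object {
        # record a SHA-256 so the file can be matched against a scanner's detections after quarantine
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        '{0:u}  {1,10}  {2}  {3}' -f $_.LastWriteTime, $_.Length, $_.Name, $hash
    }
```

Run it from the affected user account (Safe Mode with Command Prompt is enough, since it only needs powershell.exe); a shortcut marked SUSPICIOUS whose target sits in Temp is the entry the steps above tell you to remove.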

  6. Anonymous says:

    I am running Malwarebytes and it finds the Citadel malware and quarantines it; however, the file, when quarantined or deleted, keeps reproducing itself. File is ctfmon.lnk. How do I stop it? Thanks, Tim

  7. Anonymous says:

    None of these methods have worked for me. As soon as I go back to explorer the FBI screen is back.

    • Sean Doyle says:

      If you performed a restore via Safe Mode With Command Prompt you will have no issue.
      It’s the last option under 3. System Restore. I suggest you try it out.

  8. Anonymous says:

    Whoever created this – THANKS! Did the restore and it worked perfectly!
