Remove Flimrans Lockscreen Virus and Get Rid of ICE FBI Lock - How to, Technology and PC Security Forum |

Remove Flimrans Lockscreen Virus and Get Rid of ICE FBI Lock

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

flimrans-ice-lock-main-sensorstechforumFlimrans is a ransomlock virus belonging to the Police Ransomware variants. Such variants lock down the computer of the user preventing any access what so ever to it. The random lock virus leaves instructions on how to pay a fee and in those instructions, it claims to be the ICE cyber-crime center, a branch of the FBI. It “convicts” the user of illegal cyber activities leaving him with methods to pay off the access to the infected computer back. The payment requested by the ransomware is 300 USD paid via the Moneypak online service with a deadline of 48 hours. Users infected by the Flimrans Lockscreen malware are strongly advised to use the instructions we have provided in this article to restore the access to their computer.

Threat Summary

Short DescriptionDubbed Flimrans, the ransomware locks users out of their computer demanding 300 USD .
SymptomsA ransom note with instructions for paying the ransom shows as a “Read me now !.txt” file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Flimrans


Malware Removal Tool

User ExperienceJoin our forum to Discuss Flimrans Ransomware.

Flimrans Lockscreen Virus – Infection Capabilities

To infect successfully Flimrans is distributed via malicious URL web links or malicious executables. The malicious payload reported to be used by this lock screen malware consists of two files with the same names but different in size:

→ Name: {RANDOM NUMBERS}.dll
Size: 37.5 KB (38,400 bytes)
Size: 57.5 KB (58880 bytes)
Type: Win32 EXE

The executables of the ransomware may be spread from malicious domains to whose URLs the user may have been redirected. Once there, the executables may be downloaded via an exploit kit and slip past the antivirus defenses of the antivirus software of the infected PC.

Flimrans Lockscreen Ransomware – Malicious Activities

Once activated, the malicious Flimrans.exe takes advantage of the svchost process to slip past antivirus detection. The files which are created in association with Flimrans via svchost are the following:

→ C:\WINDOWS\system32\wbem\Logs\wbemprox.log
C:\Documents and Settings\Administrator\Local Settings\AppData\2433f433
C:\Documents and Settings\All Users\AppData\2433f433
C:\Documents and Settings\Administrator\AppData\2433f433
C:\Documents and Settings\Administrator\Local Settings\Temp\Content.IE5\index.dat
C:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\Local Settings\History.IE5\index.dat

After doing this, the virus disables Automatic Updates so that the computer may not be patched with security updates.

Not only this, but Flimrans also heavily modifies the registry entries in the Windows Registry Editor, by targeting the following keys and creating custom values in them:

→ HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Templates
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonAppData
HKLM\System\CurrentcontrolSet\Hardware Profiles\0001\Software\Microst\windows\CurrentVersion\Internet Settings\ProxyEnable
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
HKCU\Software\Microsoft\Command Processor\AutoRun
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKCR\CLSID\{random alpha numerical key}\InProcServer32\ThreadingModel
HKCR\CLSID\{random alpha numerical key}\InProcServer32\TheadingModel\(Default)
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

After creating its entries, the ransomware locks down the user, displaying the following message:


The message is very well prepared to resemble an actual FBI lockdown. However users should be aware that such lockdowns by governments may not exist at all, and if they encounter them without doing anything wrong, it is most likely a police ransomware virus like Flimrans. Professional advice is to remove the virus yourself, instead of hiring an expert to do it or paying the 300 USD ransom amount.

Remove Flimrans Ransomware and Restore Access to The Locked PC

In case you have encountered this virus, your first step is to enable the Safe Mode option on your computer, which should eliminate any third-party applications and allow you to locate safely and remove the files and the registry entries created by Flimrans on your computer. The best method, however, remains to install and use an advanced anti-malware software in Safe Mode with Networking so that it automatically takes care of the threat and makes sure other threats and unwanted programs are removed as well as protect you in the future.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share