Anyway, today we're looking at the FBI MoneyPak virus, or Trojan if you like. Most people nowadays don't really know how to properly describe malware. I don't know what it is, so let's just call it a virus. Education is the key, guys, especially when it comes to PC security. So, let's make things sparkling clear. If your computer screen is filled with an FBI warning page that claims you have to pay a $100 fine, you're infected with ransomware. It's not a virus. It can't delete your files or infect .doc files.
Most of the time, ransomware locks up the user's desktop and disables Task Manager and other system utilities to avoid termination. However, FBI MoneyPak ransomware takes it to an entirely new level by adding a little video recording square in the top right corner of the fake FBI warning page. It is supposed to be your built-in web camera. The funny thing is that this little square shows up even if your laptop doesn't have a built-in camera.
We have to admit that FBI MoneyPak is a very convincing-looking scam/fraud. It has the official FBI logo at the top and lists the victim's IP address, location, and the name of your ISP. The fake warning claims that your PC has been locked by the FBI because you downloaded or distributed copyrighted material or viewed child pornography. Creepy, isn't it? Now, if you don't pay the fine, you will go to jail. What is more, you have only 72 hours to buy a MoneyPak cash top-up card from Walmart or Kmart.
Cyber crooks are truly imaginative guys, aren't they? Most people start to panic when they see such fake FBI warnings. You can't let anyone know this happened; otherwise you could get arrested or, even worse, end up with a criminal record or listed as a registered sex offender. Let's imagine this happens at work. Would you tell your colleagues about it? Probably not. And this scheme really works. Cyber crooks want you to act immediately on your first impulse. I know it's cruel, but it works. Most importantly, don't panic. Take a deep breath and think about it for a second. If you had done either of those things, the punishment would probably be drastically more dire than a simple $100 fine, right? Just don't fall for the scam.
FBI MoneyPak virus removal is relatively easy for anyone with above-average computer skills. This ransomware doesn't inject explorer.exe. It injects iexplorer.exe and downloads additional files from remote web servers. It makes numerous modifications to the system. The virus actively monitors Task Manager and loads a newly created desktop with the fake FBI warning. Please note that there is no restore operation, so the desktop will never be reverted to its previous state. That means that even if you pay the ransom, the fake FBI warning won't go away.
FBI MoneyPak ransomware is distributed using the Blackhole exploit kit. Simply visiting an infected website is enough to trigger the exploit kit, which will download a malicious DLL file onto your computer.
This ransomware downloads the fake warning from the internet, so if you simply unplug your network cable and manually turn your computer off, the virus won't show up after the reboot (at least it shouldn't). Another way to remove the FBI MoneyPak virus is to reboot your computer in Safe Mode and remove the malicious registry keys and files manually. One way or another, you MUST scan your computer with legitimate anti-malware software to properly remove this ransomware and its remnants. By the way, Kaspersky or Dr.Web rescue CDs should work just fine in this case too.
To remove FBI MoneyPak ransomware from your computer, please follow the steps in the removal guide below. If you need extra help removing this malware, please leave a comment below. Good luck and be safe online!
http://deletemalware.blogspot.com
Guide Updates:
08/17/12 - Cyber crooks have changed payment methods.
Now, the payment should be delivered through Ultimate Game Card instead of GreenDot MoneyPak. It still remains unclear whether they have made a permanent switch to this service or not. So, from now on it's the FBI Ultimate Game Card ransomware scam rather than MoneyPak. The Ultimate Game Card service is powered by paybycash.com. It allows you to pay for thousands of online games without requiring personal information. This service is legitimate. Anyway, we think most people will find this odd, because we can hardly imagine that the FBI would actually choose Ultimate Game Card as its official finance partner.
Another variant of the FBI ransomware, FBI Anti-Piracy Warning:
One more thing: FBI virus, FBI MoneyPak scam, or whatever you want to call it, it's just a name and it doesn't represent the same malware all the time. There are at least four different malware groups that use fake FBI or police virus warning messages, and they all have the same goal: to trick you into buying a MoneyPak card. However, technically speaking they are not the same. They all operate in slightly different ways, so I'm afraid there's no easy one-click removal solution at the moment.
Known FBI MoneyPak virus/ransomware variants:
1. Stays inactive in Safe Mode
2. Stays inactive in Safe Mode with Command Prompt, but works perfectly fine in Safe Mode and Safe Mode with Networking.
3. Remains active in Safe Mode, Safe Mode with Networking and Command Prompt.
Below you will find a few useful suggestions on how to disable and remove this virus from your computer. Choose the removal instructions according to the variant of the virus you have on your machine.
Method 1: FBI MoneyPak ransomware removal instructions using System Restore in Safe Mode with Command Prompt:
1. Unplug your network cable and manually turn your computer off. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key.
2. Make sure you log in to an account with administrative privileges (log in as admin).
3. Once the Command Prompt appears, you have a few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the FBI MoneyPak ransomware will take over and will not let you type anymore.
4. If you managed to bring up Windows Explorer, you can now browse to:
- Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
- Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
6. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of FBI MoneyPak virus.
Method 2: FBI MoneyPak ransomware removal instructions using System Restore in Safe Mode:
1. Power off and restart your computer. As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press the Enter key.

NOTE: Log in as the same user you were previously logged in with in normal Windows mode.
2. Once in there, go to the Start menu and search for "system restore". Or you can browse to the Windows Restore folder and run the System Restore utility from there:
- Win XP: C:\windows\system32\restore\rstrui.exe double-click or press Enter
- Win Vista/7/8: C:\windows\system32\rstrui.exe double-click or press Enter
4. Select a restore point from well before the FBI virus appeared; two weeks should be enough.
5. Restore it. Please note that it can take a long time, so be patient.
6. Once restored, restart your computer, and hopefully this time you will be able to log in (Start Windows normally).
7. At this point, download recommended anti-malware software (direct download) and run a full system scan to remove the FBI MoneyPak virus.
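Step 4 above asks you to pick a restore point from well before the warning appeared. The following Windows PowerShell snippet is an added example, not part of the original guide: it lists the available restore points with readable timestamps and keeps only those older than a date you supply, so you know which sequence number to choose in rstrui.exe (or with Restore-Computer). It assumes Windows PowerShell on Vista or later with System Restore enabled (the Get-ComputerRestorePoint cmdlet does not exist in PowerShell 7), and the $InfectionDate parameter is my own addition; it defaults to two weeks ago, the guide's rule of thumb.

```powershell
# Added example, not part of the original guide: list System Restore points that
# predate the infection so you can pick one before running rstrui.exe.
# $InfectionDate is an assumed parameter; set it to the day the fake warning first
# appeared. It defaults to two weeks ago, as the guide suggests.
param([datetime]$InfectionDate = (Get-Date).AddDays(-14))

$points = Get-ComputerRestorePoint | ForEach-Object {
    # CreationTime is a WMI (DMTF) timestamp string such as 20121102070300.000000-000,
    # so convert it to a DateTime before comparing it with $InfectionDate
    [pscustomobject]@{
        SequenceNumber = $_.SequenceNumber
        Created        = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        Description    = $_.Description
        Type           = $_.RestorePointType
    }
}

# Only restore points created before the infection are safe to roll back to
$usable = @($points | Where-Object { $_.Created -lt $InfectionDate } | Sort-Object Created -Descending)

if ($usable.Count -eq 0) {
    Write-Host "No restore point older than $($InfectionDate.ToShortDateString()) exists; use one of the other methods."
} else {
    Write-Host "Restore points created before $($InfectionDate.ToShortDateString()), newest first:"
    $usable | Format-Table SequenceNumber, Created, Description, Type -AutoSize
    Write-Host "The newest one that is clearly before the warning appeared is usually the best choice, e.g.:"
    Write-Host "  Restore-Computer -RestorePoint $($usable[0].SequenceNumber)"
}
```

Save it as a .ps1 file and run it from an elevated Windows PowerShell prompt, for example `.\List-SafeRestorePoints.ps1 -InfectionDate '2012-11-02'`. It only lists restore points; the actual rollback is still done through rstrui.exe as in the steps above, or with the Restore-Computer command it prints.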
Method 3: FBI MoneyPak ransomware removal instructions using MSConfig in Safe Mode:
1. Power off and restart your computer. As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press the Enter key.

NOTE: Log in as the same user you were previously logged in with in normal Windows mode.
2. Once in there, go to the Start menu and search for "msconfig". Launch the application. If you're using Windows XP, go to Start, then select Run.... Type in "msconfig" and click OK.
3. Select the Startup tab. Expand the Command column and look for a startup entry that launches a randomly named file from the %AppData% or %Temp% folders using rundll32.exe. See the example below:
C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1
4. Disable the malicious entry and click OK to save changes.
5. Restart your computer. This time Start Windows normally. Hopefully, you won't be prompted with a fake FBI screen.
6. Finally, download recommended anti-malware software (direct download) and run a full system scan to remove the FBI MoneyPak virus.
Method 4: Manual FBI MoneyPak ransomware removal instructions in Safe Mode (requires registry editing):
1. Unplug your network cable and manually turn your computer off. Reboot your computer in "Safe Mode". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press the Enter key.

NOTE: Log in as the same user you were previously logged in with in normal Windows mode.
2. When Windows loads, open up the Windows Registry Editor.
To do so, go to Start, type "registry" in the search box, right-click Registry Editor and choose Run as Administrator. If you are using Windows XP/2000, go to Start → Run..., type "regedit" and hit Enter.
3. In the Registry Editor, click the [+] button to expand the selection. Expand:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Look in the list on the right for a randomly named item. Write down the file location. Then right-click the randomly named item and select Delete. Please note that in your case the file name might be different. Close the Registry Editor.
In our case the malicious file (pg_0rt_0p.exe) was located in the Application Data folder. So we went there and simply deleted the file. We're running Windows XP.
File location: C:\Documents and Settings\Michael\Application Data\
If you are using Windows Vista or Windows Seven, the file will be located in the %AppData% folder.
File location: C:\Users\Michael\AppData\Roaming\
Finally, go into the Windows Temp folder (%Temp%) and click Date Modified so the newest files are on top. You should see an exe file, possibly named pg_0rt_0p.exe (in our case it was exactly the same), but it may be different in your case. Delete the malicious file.
One more thing: check your Programs Startup list for the following entry:
[UserPATH]\Programs\Startup\ctfmon.lnk - C:\Windows\system32\rundll32.exe pointing to [UserPATH]\Temp\wpbt0.dll,FQ10 (or FQ11)
In our case it was ctfmon.lnk pointing to a malicious file which then loads the fake ransom warning. Please note that in your case the file name might be different, not necessarily ctfmon.lnk. Simply disable or remove (if possible) such an entry and restart your computer.
4. Restart your computer in "Normal Mode" and scan the system with legitimate anti-malware software.
5. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of FBI MoneyPak virus.
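Methods 3 and 4 have you check the msconfig Startup tab, the HKCU Run key and the Programs Startup folder by hand for an entry that loads a randomly named file out of %AppData% or %Temp%, typically via rundll32.exe. The PowerShell script below is an added example and is not part of the original guide: it does that same enumeration and prints every autorun entry and recently modified executable that matches the pattern, so you can compare the output with the examples above before deleting anything. It is read-only and deletes nothing. It assumes Windows Vista or later with PowerShell 3 or newer, run from an elevated prompt; the set of folders it treats as suspect, the HKLM keys it also checks and the 14-day window for recently modified files are my own choices, not the guide's.

```powershell
# Added example, not part of the original guide: enumerate the autorun locations the
# guide inspects by hand and flag entries that load something from the user's
# %AppData%, %LocalAppData% or %Temp% folders. Reports only; nothing is deleted.

# Folders the guide's samples lived in (Application Data / AppData\Roaming and Temp).
# The list itself is an assumption of this example.
$suspectRoots = @(@($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') })

function Test-SuspectCommand {
    param([string]$Command)
    if (-not $Command) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($root in $suspectRoots) {
        if ($expanded -like "*$root*") { return $true }
    }
    # Catch the same pattern under a different user profile path
    return ($expanded -match 'rundll32.*\\(AppData|Temp)\\')
}

$findings = @()

# 1. Registry Run keys: HKCU\...\Run is where the guide found its entry; the
#    RunOnce and HKLM keys are checked as well for completeness.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        if (Test-SuspectCommand $cmd) {
            $findings += [pscustomobject]@{ Location = $key; Name = $name; Detail = $cmd }
        }
    }
}

# 2. Startup folder shortcuts (the guide's ctfmon.lnk -> rundll32 ... wpbt0.dll case).
#    Shortcut targets are resolved through the WScript.Shell COM object.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if (Test-SuspectCommand $cmd) {
            $findings += [pscustomobject]@{ Location = $dir; Name = $_.Name; Detail = $cmd }
        }
    }
}

# 3. Recently modified .exe/.dll files in the suspect folders, the scripted version of
#    the guide's "sort %Temp% by Date Modified". The 14-day window is an assumption.
$cutoff = (Get-Date).AddDays(-14)
foreach ($root in $suspectRoots) {
    Get-ChildItem -Path $root -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } | ForEach-Object {
            $findings += [pscustomobject]@{
                Location = $_.DirectoryName
                Name     = $_.Name
                Detail   = "modified $($_.LastWriteTime)"
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Host 'No autorun entries or recent executables pointing into AppData/Temp were found.'
} else {
    $findings | Format-Table Location, Name, Detail -AutoSize -Wrap
}
```

Run it as the same user who saw the warning (Safe Mode is fine), because the HKCU key and the %AppData%/%Temp% paths are per user. The recursive scan of %LocalAppData% can take a few minutes and will list legitimate recently updated programs too, so treat the output as a shortlist to check against the examples in the guide, not as a verdict.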
FBI MoneyPak Ransomware video:
To learn more about ransomware, please read Remove Trojan.Ransomware (Uninstall Guide).
59 comments:
thx bro for the fix
The restore fixed it, thanks. I was scared as hell... was deleting all my files and software that I had downloaded from the internet..... lol. Using Windows 7.
I can't restore I need other options....... Can someone pls help
I have clicked F8, and can't get to the boot menu to fix the problem, whatever I click on makes the computer boot windows as normal, which doesn't fix the problem
Thanks for the fix! The files weren't exact but was able to figure out with your guideline! Thanks a TON. Using windows 7
I have Windows XP and I was confused about what you said to write down, and I didn't write the right address, and I cannot find the file to delete it. Please help.
Awesome, great instructions. Thanks much.
This scared the hell out of me this morning. I thought I accidentally clicked on some nasty porn at some point in time, but I asked a friend and he said it was a fraud and now I'm reading this and I'm extremely relieved.
this thing seems to be evolving. i have now run across a version that will not allow me into task manager or the registry editor..
I'm not able to go into Safe Mode or Safe Mode with Networking and get a browser. I get the same FBI MoneyPak message in Safe Mode with Networking. In Safe Mode I get a "page will load in 30 seconds, please wait". Any suggestions?
My Windows Vista doesn't have a C:\windows\system32\rstrui.exe file.
The other option the computer lock up
"Page is loading, please wait. This may take up to 30 seconds."
Same issues here!
locked out using windows 7 home edition just as anonymous...wait 30 seconds. Suggestions?
It worked for me thanks
I used my System Restore to go to an earlier version before the virus attack. After which, I ran a full system scan with my virus protection. So far, so good.
I had this malware show up and took my computer to "The Geek Squad", a local computer service center. When I retrieved my computer it appears the computer was set back to its factory condition. My Office program is gone, and all my Outlook and document files. They did not do a backup, I was told. Can I, and how can I, recover my Office program, Outlook files and my documents? Please, please help.
I got hit with this Ransomware yesterday. I lost all control and could not use the regedit tool, could not regain windows, and could not set the computer back to an earlier safe date.
Finally regained control of registry edit by burning a malware disk on another computer (Kaspersky Rescue Disk) and rebooting to read from the disk. The disk scan found nothing (downloaded file was not updated for this malware) but the register edit function let me find the offending file and delete it.
Then rebooted to Windows from the hard drive and immediately updated Kaspersky and ran it to find one more remnant. Then used free version of HitmanPro from a USB drive to run a scan and found another remnant (each program found one copy in various directories). Running a final scan with Rogue Killer, but no nefarious hits. I am back in business--but what a chore.
First of all, Geek Squad isn't local, it's Best Buy's tech service center. Second of all, the easiest way to remove a virus is to wipe the system and reinstall the OS, in which case, your programs need to be reinstalled manually. This is the common solution.
You just saved my husband a serious flogging!!! Thank you, thank you, thank you for this very detailed walk-through of how to get rid of this crap.
The system restore worked perfectly for me. Thanks for saving me the money and headache of having to take it to a pro.
You just saved my wife her weekly whipping. I suppose there's always another Wednesday, though.
I was almost leaving my place to get some help before I finally found this blog. I went through Safe Mode with Command Prompt and restore the system to the earlier day. It worked! Thank you very much.
PS: I use Windows 7 Home Edition.
It seems to be working now. The only difference is I used Windows Accessories to restore, cause the command line would not work for me.
I wish there are more and more Great people like you are. And wish you the best.
Excellently written instructions and good information. System restore worked very well.
I used the reboot instructions for vista and it worked great.
Thanks
I say we find who did this and uhh how should I say... scare the living hell outta them! LOL No physical violence of course, I would never endorse that.
This is total BS and very cruel. You just don't scare ppl like this.
WELL! It's a bit different for me, but I am GLAAAAAAD to have found this site!
It didn't have a video recording box, so i guess it's smart enough to see if your comp has one connected.
Also, I was torrenting a game (yeah, illegal, I know) at the time, so when I came back after an hour and saw the FBI logo, I was a bit psyched out. All I've done so far is restart my computer without internet connection, so let me go meddle with these bastards' file. More later if I've failed.
Excellent help tutorial. I found the file in appdata\roaming in the user folder. It's kind of easy to find if you look for the exe files with the same date that your computer started to show the FBI message. Thanks for the help.
You are smart!!! I thought there was no way to fix it without reinstalling Windows... Thanks a lot.
I tried to follow the steps you suggested. I went to the registry and at the end of the path you indicated, C:\......\currentversion\run, I found a file ce078c46.exe which I deleted.
I looked up the path it indicated but I did not find it. I then made a search for any file with that name and found one with that name which I deleted.
For the next step relative to the msconfig command, I didn't find anything that looked like it needed to be deleted, nor did I find anything in the \Temp folder. Should I have found something in that folder?
I am currently running a full malware scan and I will connect it to the internet next.
You're hella generous. Thanks for sharing the info!
Thanks, reverting to an earlier date worked. I just typed the direct prompt into the prompt box. I feel skilled now even though that solution was total noob status
Thank you! System restore completely removed it, so easy!
Thanks man. You saved my brother's laptop. It looked a bit different from the images you posted here, but it worked the same. By the way, the fee charged on the lock was $200.
I tried with Power Eraser in my Norton but it wouldn't work. Norton said I had to buy a 100 dollar kit. I went instead to System Restore on Home Vista and it worked fine.
Norton should have a block for this virus, as common as it is. Thanks for the help.
I think this malware has been recoded to make it more difficult to remove. My brother got this a few days ago with the demand for $200. We tried both the removal methods outlined above. Couldn't get into the registry editor. Then removed the boot drive from his system and installed as a slave drive into an uninfected system. Successively ran Avast and Malwarebytes on the infected drive. Each removed between 40-50 infected files. When the cleaned drive was reinstalled in his system, Windows would boot but the desktop would not display. Attempts to repair the Windows 7 installation were unsuccessful so we ultimately reinstalled Windows and all the apps. What a nightmare!
Very nice...These instructions were successful for a Windows 7 computer running in Safe mode. The location of the registry entry was the same as specified here. The infected file was /appdata/local/temp/msconfig.exe which differs from the example. Deleting the registry entry for msconfig.exe and then deleting the file from the ../temp folder worked. Many thanks....
Thanks a lot!! worked like charm!!
File name was not the same as pointed out by you.. but was able to apply the fix..
Thx very much. My ppls would've killed me if dat was what really happend. Thx
I had PCtools Spyware Doctor. It not only didn't stop the virus, after scanning it couldn't even identify that I had a virus. After their techs' "help" the program said it was removed; well, it wasn't. Finally their techs admit the software doesn't work, but they're working on improving it. As long as this virus has been around, and they can't admit upfront their product doesn't work and won't as yet.
"What is more, you have only 72 hours to buy MoneyPak cash top-up card from Walmart or Kmart."
How is it that these cards are allowed to be sold if their sole purpose is for paying scam artists?
THANK YOU for rstrui.exe; this removed this trojan!
In my case, the bad file was:
Directory of C:\ProgramData
11/02/2012 07:03 AM 44,544 lsass.exe
Directory of C:\Users\All Users
11/02/2012 07:03 AM 44,544 lsass.exe
The TOD matched when I got infected. This .exe s/not be in these folders, it should only be here:
Directory of C:\Windows\System32
11/16/2011 11:36 PM 22,528 lsass.exe
Found the culprit(s) while running from SafeMode on XP. The regedit showed an application called SHELL and it was located in DocSettgs/John/AppData/wlshjkhe.
Before i deleted that i went to that Applications Data folder and in addition found three other randomly named files FROM THE SAME DATE (yesterday). Deleted those four then went back to regedit to delete the Shell. Worked like a charm. After a couple hours of scanning and searching for answers, your fix worked in 5 minutes. You are a life saver. We should send you a Moneypack! lolz
i knew this crap wuz a scam at the start i mean it had horrible grammer:
pay 200$ wtf horrible grammer and they misspelled a word
After I was infected w/this FBI moneypak trojan, and until I ran rstrui.exe,
I was getting this at every boot (3x):
Error 11/2/2012 7:06:14 AM Eventlog 1101 Event processing
Log Name: Security
Source: Microsoft-Windows-Eventlog
Date: 11/2/2012 7:06:14 AM
Event ID: 1101
Task Category: Event processing
Level: Error
Keywords: Audit Success
User: N/A
Computer: xxx
Description:
##################################
Audit events have been dropped by the transport. 0
##################################
Event Xml:
1101
0
2
101
0
0x4020000000000000
40050
A PROCMON trace or an active Task Recorder, and possibly
NETMON, would have shown what this was (probably bogus lsass.exe)!
Security
xxx
0
Note that the bogus screen did NOT appear until an Internet connection was established,
so even if it was collecting data (I saw 5 DSNs and 2 DIRs updated during this time B 4
rstrui.exe), it had no way to transmit it. Further, using dial-up, that slowed down any
transmissions a thousand-fold. Just another reason to NOT auto-connect to the Internet
during boot, especially with a fast speed.
In a way, I have to thank this trojan. It made me move to ONLY surfing the 'Net via
the GUEST LID, and to increase my tracking defenses.
This is very profile dependent. If you can login to the administrator account create another user ( call it whatever you'd like) Restart the PC and login with the new ID then your documents and settings to that ID.
Run your virus scanner or Malwarebytes again.
...but since Permissions is needed anyway (to block external drives, whether or not a password is used), why not just use the pre-defined GUEST LID (turn on) which has the least allowances and, as u said, re-do your profile,etc settings...
Add'l info:
In "normal" (ie: UN-infected) boots, this always occurs:
Information 11/2/2012 7:06:12 AM Microsoft Windows security auditing. 4608 Security State Change
Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
. they CLEVERLY call themselves what Windows just reported on, and tho it's NOT from Security, it's similar & near enough, so a person may ASSUME, tho it's an Error event, that THEIR infected event entry is just part of a "normal" Windows boot !!! :(
Mine said 300$...... just ran System Restore, so far so good. Thanks a lot!^_^
Ran System Restore, deleted registry items, ran four different antispy antivirus softwares and this morning Bogus FBI is back! Surely a top level MS programmer can defeat these Romanian hacker criminals??
This thing starts really fast but you can stop it if you restart your computer during boot and run Startup Repair. I'm not sure of the exact details of what I accomplished by doing this, but after running Startup Repair and logging on normally (no need to System Restore if you don't use it like me), the virus didn't run as intended. On Windows 7 it tried to install a new driver for some unknown hardware which I think was somehow linked to it, but otherwise no more hijacking. Computer runs well enough to install Malwarebytes and am currently running the scan. Hope this helps somebody out.
Thanks for the fix...Great to see people such as you take the time to provide these important instructions, well done!
Once AGAIN, ANOTHER reason-as if there weren't enough already, Microsoft consistently shoots itself in the foot with its terrible O.S., to make the switch to LINUX.
A large number of stable, fast, INTELLIGBLE, virus resistant versions of Linux are available (eg Mint, Ubuntu, Suse?, Fedora) ALL FREE and ALL much simpler and much more SECURE than Windows.
THE SYSTEM RESTORE WORKED! Windows 7 by the way.
Ok so been thru these instructions, what happens when it does come back and you start getting dll errors cause it wiped registries? My advice: wipe out the hard drive, reload the OS.
How do you remove the virus on a kindle fire? Or any tablet?
Wish I came across this a little earlier. I restored my laptop back two weeks, however I am receiving a white screen after reboot. I'm assuming my whole laptop is now infected?
If you don't get the option to reboot in safemode with F8 and are unsure as to what your PC's specific hotkey for this is, boot your computer to the login screen then hold down your power button until the PC shuts off. This improper shut down will give you the option to reboot in safemode when you turn it back on.
I did this, then a quick scan and removed the bulk of it, rebooted back to regular windows and cleaned up the rest manually.
Good luck!
My laptop was attacked by the MoneyPak ransomware late tonight. I tried to reboot using Safe Mode unsuccessfully. Kept going back to the frozen "FBI" warning. Tried getting on in Safe Mode with Command Prompt. I was able to somehow get onto the System Restore, following your instructions above. It worked perfectly, got back to my desktop and am now running my anti-virus scan, then will do the direct download above to remove any remnants of the virus. I am SO grateful for your help! I have a Windows 7 operating system, and am only moderately adept at the computer, but went very slowly and carefully and followed your directions. Thank you again.
Hi, I received this wonderful virus yesterday. I tried to go into Safe Mode but cannot. Nor Safe Mode w/Command Prompt. I found a way to System Restore by clicking "Repair your computer". It made me log in, then I was taken to a list of repair choices to include System Restore. I have run it several times and I get the message that System Restore did not complete successfully. I also did as you initially said. I disconnected the internet from the modem and rebooted, which did not change anything. Please help!!!