Re: FBI MoneyPak Scam - Removing Virus

Will Mcafee protect me from getting this again in the future?

Re: FBI MoneyPak Scam - Removing Virus

I have this virus. I had been able to open in safe mode and then restore the computer to an earlier date but it got reinfected. Now I'm not able to open it in safe mode. It will start to open and then shut down automatically and restart in normal mode. Any suggestions? Thanks!!

exbrit (Reliable Contributor), Message 13 of 73

Re: FBI MoneyPak Scam - Removing Virus

If you have a bootable flash drive and another computer at your disposal, here's a video tutorial on how to get around this without using Safe Mode or System Restore. It seems to be fairly good advice.

http://www.youtube.com/watch?v=P2fgFVQz3W8

If, in future, you use System Restore to go back to before an infection, make sure to switch off System Restore temporarily to erase the infected restore point(s).

Re: FBI MoneyPak Scam - Removing Virus

Brit, you're a genius. I can't believe you give this advice away free.

Worked perfectly.

I thought I had an expensive door stop.

exbrit (Reliable Contributor), Message 15 of 73

Re: FBI MoneyPak Scam - Removing Virus

I've been there, done that and had the T-shirt to prove it, so to speak. Yes, I know what it's like to suddenly have a machine that appears to be made of lead.

Glad you are OK.  😉

Re: FBI MoneyPak Scam - Removing Virus

Thank you sooooooooo much...I tried at least ten different suggestions and your post was the only one that worked!!

exbrit (Reliable Contributor), Message 17 of 73

Re: FBI MoneyPak Scam - Removing Virus

Glad you are OK now, good luck 😉

Hayton (Reliable Contributor), Message 18 of 73

Re: FBI MoneyPak Scam - Removing Virus

This has been moved to Top Threats.

I'm not sure exactly what you've accomplished so far. This infection is relatively easy to clear, but it may have downloaded other malware - and you haven't said whether you have a problem with encrypted files.

See the following threads, which have removal advice. Try Microsoft first.

http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/how-do-i-remove-fbi-moneypak/e...

http://forums.majorgeeks.com/showthread.php?p=1752485

Edit - I see two replies arrived together. Try Ex_Brit's System Restore advice first.

Message was edited by: Hayton on 14/07/12 23:06:16 IST

Re: FBI MoneyPak Scam - Removing Virus

If you need help removing the FBI Moneypak virus, this article seems to be fail-proof: http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/

Re: FBI MoneyPak Scam - Removing Virus

Realistically, these are all the options to remove the FBI viruses, copied and pasted from: http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/

  1. Malware Removal Software – Scan and remove malware
  2. Manual Removal – Remove associated files
  3. Restore – Restore PC to a date and time before infection (includes different options)
  4. Safe Mode With Networking – Remove files and/or Scan and remove malware
  5. Optical CD-R Option – Scan and remove malware
  6. Slave Hard Disk Drive Option – Scan and remove malware

Manual removal

It's actually really easy to remove this virus in Windows without a restore (restore options below). Then again, if this option does not help you locate the malicious files, skip it. We are going to enter your computer's App Data, which is hidden. To learn how to show hidden files click here.
1. Open Windows Start Menu and type %appdata% into the search field, press Enter.
2. Navigate to: Microsoft\Windows\Start Menu\Programs\Startup
3. Remove ctfmon (ctfmon.lnk if in DOS) – this is what's calling the virus on startup. This is not ctfmon.exe.
4. Open Windows Start Menu and type %userprofile% into the search field and press Enter.
5. Navigate to: AppData\Local\Temp
6. Remove rool0_pk.exe
7. Remove [random].mof file
8. Remove V.class
The virus can have names other than "rool0_pk.exe" but it should appear similar; there may also be 2 files, 1 being a .mof. Removing the .exe file will fix FBI Moneypak. The class file uses a Java vulnerability to install the virus; removal of V.class is done for good measure.

All FBI Moneypak Files:

The files listed above are what causes FBI Moneypak to function. To ensure FBI Moneypak is completely removed manually, please delete all given files. Keep in mind, [random] can be any sequence of numbers or letters.

  • %Documents and Settings%\[UserName]\Desktop\[random].lnk
  • %Program Files%\FBI Moneypak Virus
  • %AppData%\Protector-[rnd].exe
  • %AppData%\Inspector-[rnd].exe
  • %Windows%\system32\[random].exe
  • %appdata%\[random].exe
  • %Documents and Settings%\[UserName]\Application Data\[random].exe
  • %UserProfile%\Desktop\FBI Moneypak Virus.lnk
  • %Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
  • %AppData%\result.db
  • %CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
Kill Rogue Processes:

Access Windows Task Manager (Ctrl+Alt+Delete) and kill the rogue FBI Moneypak process. Please note the infection will have a random name for the process [random] which may contain a sequence of numbers and letters (ie: USYHEY347H372.exe).

  • [random].exe
Remove Registry Values

To access the Windows Registry Editor, type regedit into the Windows Start Menu text field and press Enter.

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random].exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\FBI Moneypak Virus
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableRegistryTools' = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system 'EnableLUA' = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings 'WarnOnHTTPSToHTTPRedirect' = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableRegedit' = 0
  • HKEY_CURRENT_USER\Software\FBI Moneypak Virus
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 'Inspector'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableTaskMgr' = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system 'ConsentPromptBehaviorAdmin' = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system 'ConsentPromptBehaviorUser' = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe

Safe mode with networking
For users needing access to the Internet or the network they’re connected to. This mode is helpful for when you need to be in Safe Mode to troubleshoot but also need access to the Internet for updates, drivers, removal software, or other files to help troubleshoot your issue.

  • This mode will also bypass any issues where Antivirus or Anti-Malware applications have been affected/malfunctioning because of the FBI Moneypak infection's progression.

The plan with this option is to enter your computer in "safe mode with network" and install anti-malware software. Proceed to scan, and remove malicious files.

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting (when it reaches the manufacturer's logo) tap and hold the "F8 key" continuously to reach the correct menu. On the Advanced Boot Options screen, use your keyboard to navigate to "Safe Mode with Networking" and press Enter.

  • Make sure to log into an account with administrator rights.

The screen may appear black with the words "safe mode" in all four corners. Click your mouse where the Windows Start menu is to bring up the necessary browsing.
2. There are a few different things you can do…

  • Pull-up the Start menu, enter All Programs and access the StartUp folder.
  • Remove “ctfmon” link (or similar).

This seems to be an easy step in removing the FBI virus for many users. If you are interested in learning about ctfmon.exe please click here. Now, move on to the next steps (which is not a necessity if you removed the file above but provides separate options for troubleshooting).

3. If you still can't access the Internet after restarting in safe mode, try resetting your Internet Explorer proxy settings. These 2 separate options and following steps will reset the proxy settings in the Windows registry so that you can access the Internet again.

How To Reset Internet Explorer Proxy Settings

Option 1
In Windows 7, click the Start button. In the search box, type run, and then, in the list of results, click Run.
-or-
In Windows Vista, click the Start button, and then click Run.
-or-
In Windows XP, click Start, and then click Run.
Copy and paste or type the following text in the Open box in the Run dialog box and click OK:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

Open the Run dialog again in the same way, then copy and paste or type the following text in the Open box and click OK:

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f

Restart Internet Explorer and then follow the steps listed previously to run the scanner.

Option 2
Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.

4. It is now recommended to download Malwarebytes (free or paid version) and run a full system scan to remove FBI Moneypak malware from your computer if you do not have this application on your system.

Message was edited by: balcava on 8/16/12 1:57:07 PM CDT
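The audit below is an added example and is not from the forum post above or from the botcrawl article it quotes. It is read-only PowerShell that walks the autostart and tamper locations the post lists (the Startup folder shortcuts, the HKCU and HKLM Run keys, Image File Execution Options Debugger values, the Policies\System values, and loose executables in the user's Temp folder) and reports what it finds instead of deleting it, so you can confirm each hit before removing anything by hand. The paths and registry keys are the ones the post names; the rule for what counts as suspicious (a shortcut or Run entry that launches from a user profile or Temp directory, any IFEO Debugger value, Task Manager or Registry Editor disabled, UAC switched off or set to elevate without prompting) is this example's own assumption and can occasionally flag legitimate software.

```powershell
# Added example, not from the forum post or the botcrawl article it quotes: a
# read-only audit of the autostart and tamper points the post lists. It reports,
# it does not delete. Run from an elevated PowerShell prompt.
# The locations are the ones the post names; the "suspicious" heuristics are this
# example's own assumption and can flag legitimate software, so review each hit.

$findings  = @()
# Paths a user-level dropper writes to; the real ctfmon.exe lives in System32.
$dropPaths = '\\Users\\|\\Temp\\|\\AppData\\|Documents and Settings'

# 1. Startup folders (per-user and all-users): the post names a rogue ctfmon.lnk here.
$wsh = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($lnk in (Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue)) {
        $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
        if ($target -match $dropPaths) {
            $findings += [pscustomobject]@{ Type = 'StartupShortcut'; Location = $lnk.FullName; Value = $target }
        }
    }
}

# 2. Run keys in HKCU and HKLM: flag commands that launch from a profile or Temp directory.
foreach ($key in @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # PSPath, PSParentPath etc. are provider metadata
        if ("$($p.Value)" -match $dropPaths) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Value = $p.Value }
        }
    }
}

# 3. Image File Execution Options: a Debugger value under a security tool's image
# name (the post lists AAWTray.exe, AVCare.exe and AVENGINE.EXE -> svchost.exe)
# makes Windows start the "debugger" instead of the tool. Legitimate Debugger
# values are rare, so every one is reported.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{ Type = 'IFEO-Debugger'; Location = $sub.PSChildName; Value = $dbg }
    }
}

# 4. Policy values the post says to reset. Task Manager or Registry Editor disabled,
# or UAC switched off / set to elevate without prompting, is a tamper indicator on
# a machine where no administrator configured it that way.
$policy = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Key = "HKCU:\$policy"; Name = 'DisableTaskMgr';             Bad = 1 },
    @{ Key = "HKCU:\$policy"; Name = 'DisableRegistryTools';       Bad = 1 },
    @{ Key = "HKLM:\$policy"; Name = 'EnableLUA';                  Bad = 0 },
    @{ Key = "HKLM:\$policy"; Name = 'ConsentPromptBehaviorAdmin'; Bad = 0 }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -eq $c.Bad) {
        $findings += [pscustomobject]@{ Type = 'Policy'; Location = "$($c.Key)\$($c.Name)"; Value = $v }
    }
}

# 5. Loose executables in the user's Temp folder (the post names rool0_pk.exe,
# a [random].mof and V.class there). Listed for review, not deleted.
foreach ($f in (Get-ChildItem -Path "$env:TEMP\*" -Include *.exe, *.mof, *.class -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{ Type = 'TempDrop'; Location = $f.FullName; Value = $f.LastWriteTime }
}

if ($findings.Count -eq 0) { 'No suspicious autostart, IFEO, policy or Temp entries found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt, or from Safe Mode with Networking as the post describes if the machine will not boot normally. The IFEO check is the one worth understanding: a Debugger value under a security tool's image name makes Windows launch the named "debugger" in place of the tool, which is how the entries for AAWTray.exe, AVCare.exe and AVENGINE.EXE pointing at svchost.exe silently stop those scanners from ever starting. Anything this script reports should be compared against what the post lists before you delete it, since the heuristics are deliberately broad.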
