FBI Virus Removal
The FBI Moneypak virus goes by many aliases, including the FBI virus, the FBI Green Dot Moneypak virus and Reveton (the family name used by anti-virus vendors; it has also been distributed through the Citadel banking Trojan). It is a screen-locking ransomware Trojan: once run, it covers the infected user's desktop with a full-screen page that claims to be a legal notice from the U.S. Federal Bureau of Investigation (FBI) and demands a payment of $100 or $200 to unlock the machine. It is commonly delivered by the Blackhole exploit kit through drive-by downloads. The lock page accuses the user of copyright infringement (video, music, software), of viewing or distributing prohibited pornographic content and of having malware on the machine, and the Trojan disables Task Manager and the Registry Editor so the page cannot simply be closed. The "fine" has to be paid through an untraceable prepaid money transfer. It is another example of ransomware that relies on social engineering rather than any real legal authority to extort Windows users.
The fraudulent FBI page shows fake claims such as the following:
- Attention! Your PC is blocked due to at least one of the reasons specified below:
- You have been violating Copyright and related rights Law (Video, Music,Software) and illegally using or distributing copyrighted content, thus infringing Article I, Section 8, clause 8, also known as the Copyright of the Criminal Code of United States of America.
- You have been viewing or distributing prohibited pornographic content (Child Pornography/Zoofilia). Thus violating article 202 of the Criminal Code of United States of America. Article 202 of the criminal provides for deprivation of liberty for two or twelve yours.
- Illegal access to computer data has been initiated from your PC,or you have been. Article 210 of the Criminal Code provides for a fine of up to $100,000 and/or a deprivation of liberty for four to nine years.
- Fines may only be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 hours!
Here is another example:
- All activity of this computer has been recorded.
- If you use a webcam, videos and pictures were saved for identification. You can be clearly identified by resolving your IP address and the associated hostname. Your computer has been locked! Illegally downloaded materials (MP3’s, Movies or Software) have been located on your computer. By downloading, those were reproduced, thereby involving a criminal offense under Section 106 of the Copyright Act.
- The downloading of copyrighted material via the Internet or music-sharing networks is illegal and is in accordance with Section 106 of the Copyright Act subject to a fine of imprisonment for a penalty of up to 3 years.
- Furthermore, possession of illegally downloaded material is punishable under Section 184 paragraph 3 of the Criminal Code and may also lead to the confiscation of the computer, with which the files were downloaded.
- To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $200. Payable through GreenDot Moneypak. After successful payment, your computer will be automatically unlocked. Failure to adhere to this request could involve criminal charges and possible imprisonment. To perform the payment, enter the acquired GreenDot Moneypak code in the designated payment field and press the “Submit” button.
The ransomware instructs victims to pay their “fine” with a MoneyPak card, which can be bought at well-known U.S. retail chains such as Rite Aid, Walmart, Walgreens, CVS/Pharmacy, Kmart and 7-Eleven. MoneyPak is a prepaid payment system: the buyer loads value onto the card at a partner store and then uses the card's code to pay other merchants. That is exactly why the scammers want it, since the code is as good as cash and cannot be traced back to them once it has been redeemed.
Processes created by FBI Moneypak virus
The malware runs as a randomly named executable dropped in the infected user's Application Data folder (for example %AppData%\Protector-[rnd].exe) and started at every logon of that user by the Run value listed below.
The following registry keys and values are created or modified (the original listing repeated several entries; they are merged here):
Persistence and infection markers:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Inspector’ = %AppData%\Protector-[rnd].exe (starts the lock screen every time the infected user logs on)
- HKEY_CURRENT_USER\Software\FBI Moneypak
- HKEY_LOCAL_MACHINE\SOFTWARE\FBI Moneypak
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings ‘ID’ = 4
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings ‘UID’ = [rnd]
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings ‘net’ = [date of installation]
The three Settings values make a convenient indicator of compromise, and ‘net’ tells you when the infection happened.
Policy values that disable the tools a user would reach for:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableTaskMgr’ = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegistryTools’ = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegedit’
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ‘EnableLUA’ = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ‘ConsentPromptBehaviorAdmin’ = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ‘ConsentPromptBehaviorUser’ = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ‘WarnOnHTTPSToHTTPRedirect’ = 0
A note on the values: the original listing showed DisableTaskMgr and DisableRegistryTools as 0, but 0 leaves Task Manager and regedit enabled; the lockout described above requires them to be 1. During cleanup, delete the values rather than setting them to 0, which restores the Windows default. EnableLUA = 0 switches User Account Control off entirely, and the two ConsentPromptBehavior values set to 0 remove the UAC prompts, so any later payload elevates without a dialog; the Windows defaults are 1, 5 and 3 respectively. WarnOnHTTPSToHTTPRedirect = 0 silences Internet Explorer's warning when a page redirects from HTTPS to plain HTTP.
Image File Execution Options hijacks. A Debugger value under an executable's IFEO key tells Windows to start that "debugger" instead of the executable, passing the original command line as an argument. Pointing it at svchost.exe means the security tool never runs at all, because svchost.exe simply exits when started that way:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe ‘Debugger’ = svchost.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe ‘Debugger’ = svchost.exe
… and numerous more Image File Execution Options entries that block other executables and legitimate security software in the same way. An anti-virus scanner that is itself on that list cannot be started until the entries are removed.
DLLs registered by FBI Moneypak virus:
The following DLLs are registered:
Files and folders created by FBI Moneypak virus:
The following files and folders are created in the filesystem:
- %Program Files%\FBI Moneypak
- %Documents and Settings%\[UserName]\Application Data\[random].exe
- %Documents and Settings%\[UserName]\Desktop\[random].lnk
- %Documents and Settings%\All Users\Application Data\FBI Moneypak
- %CommonStartMenu%\Programs\FBI Moneypak.lnk
- %UserProfile%\Desktop\FBI Moneypak.lnk
If the infected PC has another user account, log in to that account (ideally one with administrator privileges). The lock screen is started by a Run value in the infected user's own registry hive (HKEY_CURRENT_USER) and by a shortcut in that user's Startup folder, so it does not load for a different account, and from there you can run an anti-virus or anti-malware program to scan and remove the FBI Moneypak virus. To remove the startup entries by hand:
1. Open the Windows Start Menu, type %appdata% into the search field and press Enter.
2. Go to “Microsoft\Windows\Start Menu\Programs\Startup”.
3. Delete ctfmon.lnk (a shortcut planted by the malware; it is not the same as ctfmon.exe, which is a legitimate system file).
4. Open the Windows Start Menu again, type %userprofile% into the search field and press Enter.
5. Go to “AppData\Local\Temp” and delete “rool0_pk.exe”.
6. Also delete any “[random characters].mof” file and the “V.class” file found there.
7. Run a full system scan with an updated anti-virus or anti-malware program to remove the remaining entries related to the FBI Moneypak virus: the Run value, the Policies\System values and the Image File Execution Options hijacks listed above, and any dropped file the steps above missed.
Note that when you are logged in as a different user, %appdata% and %userprofile% resolve to your own profile, not the infected one. Browse to the infected user's profile instead (C:\Users\[UserName]\AppData\… on Windows Vista and later, C:\Documents and Settings\[UserName]\… on Windows XP) and delete the files there.
If the above steps do not work or the malware blocks them, try the following:
1. Restart the infected PC and press F8 repeatedly while it is starting, before the Windows logo appears.
2. Choose Safe Mode with Networking. Windows does not process the Run keys or the Startup folder in Safe Mode, so the lock screen is not started.
3. Launch MSConfig by opening the Windows Start Menu and typing “msconfig” into the search field.
4. On the Startup tab, disable every item launched by rundll32 from the Application Data folder, and any other entry that points into Application Data.
5. Restart the PC and scan with your updated anti-virus or anti-malware program.
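The registry changes listed earlier and the manual removal steps above can be checked and undone from a script rather than by hand, which matters because the Policies\System values and the Image File Execution Options hijacks survive a file-only cleanup. The PowerShell below is an added example written for this page; it is not tooling from the original article or from iSupport365. It is meant to be run from an elevated PowerShell in a second administrator account or in Safe Mode with Networking: it mounts the locked-out user's own hive (HKCU in your session is your hive, not theirs), reports the Run value, the policy values, every IFEO Debugger entry and the dropped files named above, and only deletes or restores them when -Remove is given. The profile path C:\Users\victim and the hive alias HKU\Victim are assumptions to be replaced with the real ones; the UAC defaults it restores (EnableLUA 1, ConsentPromptBehaviorAdmin 5, ConsentPromptBehaviorUser 3) are the Windows 7 and later values.

```powershell
# Added example for this page, not tooling from the original article or from iSupport365.
# Audits, and with -Remove undoes, the FBI Moneypak / Reveton changes listed above.
# Run from an elevated PowerShell in a SECOND administrator account or in Safe Mode
# with Networking, never from the locked-out account while it is logged on.
# Assumptions: the victim's profile is C:\Users\victim and its hive is mounted as
# HKU\Victim; the UAC defaults restored are the Windows 7 and later values.
param(
    [string]$VictimProfile = 'C:\Users\victim',   # assumed; pass the real profile directory
    [switch]$Remove                                 # omit for a report-only dry run
)

$hiveAlias = 'HKU\Victim'                           # assumed alias, used by reg.exe
$hivePath  = 'Registry::HKEY_USERS\Victim'          # the same hive as the provider sees it
$ntuser    = Join-Path $VictimProfile 'NTUSER.DAT'
$findings  = New-Object System.Collections.Generic.List[object]

function Report($Type, $Path, $Name, $Value) {
    $findings.Add([pscustomobject]@{ Type = $Type; Path = $Path; Name = $Name; Value = $Value })
}

# HKCU in this session is OUR hive. The Run value and Policies\System values that
# lock the victim out live in THEIR NTUSER.DAT, so mount it explicitly. reg load
# fails if that user is still logged on; then point $hivePath at HKEY_USERS\<their SID>.
$loadedHere = $false
if (-not (Test-Path $hivePath)) {
    & reg.exe load $hiveAlias $ntuser | Out-Null
    $loadedHere = $true
}

# 1. Persistence: the 'Inspector' value, or any value launching an .exe from Application Data.
$runKey = "$hivePath\Software\Microsoft\Windows\CurrentVersion\Run"
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -LiteralPath $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # provider metadata (PSPath etc.), not a value
        if ($p.Name -eq 'Inspector' -or "$($p.Value)" -match '\\(AppData|Application Data)\\[^"]*\.exe') {
            Report 'Run' $runKey $p.Name $p.Value
            if ($Remove) { Remove-ItemProperty -LiteralPath $runKey -Name $p.Name }
        }
    }
}

# 2. Policy values. Disable* = 1 blocks the tool and deleting the value restores the
#    default; EnableLUA = 0 turns UAC off; ConsentPromptBehavior* = 0 removes the
#    elevation prompts (defaults: Admin 5, User 3).
$userPol = "$hivePath\Software\Microsoft\Windows\CurrentVersion\Policies\System"
$machPol = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policies = @(
    @{ Key = $userPol; Name = 'DisableTaskMgr';             Bad = 1; Restore = $null },
    @{ Key = $userPol; Name = 'DisableRegistryTools';       Bad = 1; Restore = $null },
    @{ Key = $machPol; Name = 'EnableLUA';                  Bad = 0; Restore = 1 },
    @{ Key = $machPol; Name = 'ConsentPromptBehaviorAdmin'; Bad = 0; Restore = 5 },
    @{ Key = $machPol; Name = 'ConsentPromptBehaviorUser';  Bad = 0; Restore = 3 }
)
foreach ($pol in $policies) {
    if (-not (Test-Path $pol.Key)) { continue }
    $v = (Get-ItemProperty -LiteralPath $pol.Key).($pol.Name)
    if ($null -ne $v -and [int]$v -eq $pol.Bad) {
        Report 'Policy' $pol.Key $pol.Name $v
        if ($Remove) {
            if ($null -eq $pol.Restore) { Remove-ItemProperty -LiteralPath $pol.Key -Name $pol.Name }
            else { Set-ItemProperty -LiteralPath $pol.Key -Name $pol.Name -Value $pol.Restore }
        }
    }
}

# 3. IFEO hijacks: a Debugger value makes Windows start that program INSTEAD of the
#    named executable, with the original command line as its argument, so
#    Debugger = svchost.exe means the security tool never runs. Every Debugger value
#    is reported; only the svchost.exe ones this family plants are removed.
$ifeo = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem -LiteralPath $ifeo) {
    $dbg = (Get-ItemProperty -LiteralPath $sub.PSPath).Debugger
    if ($dbg) {
        Report 'IFEO' $sub.PSChildName 'Debugger' $dbg
        if ($Remove -and $dbg -match '(^|\\)svchost\.exe') {
            Remove-ItemProperty -LiteralPath $sub.PSPath -Name Debugger
        }
    }
}

# 4. Dropped files named in the removal steps above. The randomly named executable
#    is located through the Run value in step 1 rather than guessed here.
$files = @(
    'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk',
    'AppData\Local\Temp\rool0_pk.exe',
    'AppData\Local\Temp\V.class'
) | ForEach-Object { Join-Path $VictimProfile $_ }
$files += @(Get-ChildItem -LiteralPath (Join-Path $VictimProfile 'AppData\Local\Temp') -Filter '*.mof' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Report 'File' $f '' (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash   # hash before deleting (PowerShell 4+)
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

if ($loadedHere) {
    [gc]::Collect()                                  # release provider handles so the hive can unload
    & reg.exe unload $hiveAlias | Out-Null
}
$findings | Format-Table -AutoSize
```

Run it once without -Remove and read the table, then run it again with -Remove. If you are working from the victim's own account in Safe Mode, NTUSER.DAT is in use and cannot be loaded: set $hivePath to Registry::HKEY_CURRENT_USER and skip the load and unload. Whatever the route, finish with a full anti-virus scan, then log the victim in normally and confirm that Task Manager and regedit open and that no lock page appears.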
These steps are normally enough to rid a PC of the FBI Moneypak virus. Although simple, the process can run into unexpected hurdles, which professional technicians can clear. Remote technicians like iSupport365 are here to assist you 24/7 with any virus removal issue you need help with, within a price range you can afford.
Our goal is customer satisfaction to its full extent. If our customers are not satisfied with our service, our business would be a waste of time. We aim to ensure that your computer works the way it was designed to.
to help you understand today's changing landscape and show how you can arm yourself from the negative sides of technology and help you enhance your personal and business productivity.
Our remote computer support experts have years of experience researching and devising solutions to some of the most complex technical issues. It is our undertaking to keep you satisfied, or you don't pay a cent. We thrive on affordable PC repair rates that cater to everyone's budget, and we understand how important it is to pay only for service delivered, which is why we stand for quality.
ISupport is a renowned online tech support provider that assists users in their day-to-day computing. We are committed to the satisfaction of a global audience through remote PC care and repair: troubleshooting and resolving personal computer issues, installing software and applications, and setting up and troubleshooting peripheral devices.
With 2 years of distinguished tech support services, ISupport has created its mark among millions of users from every corner of the globe.
Our strength lies in a management team of mature professionals with strong educational backgrounds in IT and marketing, supported by a team of young, dynamic experts with a proven track record, expert computer and network engineers, electronic gadget technicians and a pool of tech support trainees.
Our technical experts help you resolve issues with your computers (desktops and laptops), tablets, smartphones, printers, scanners and apps. We repair, restore and recommend solutions to prevent problems with your devices. We also provide health checkups for your computers and related devices and suggest freely available software that can enrich your computing experience.
We are here 24x7, 365 days a year to provide upbeat and proactive support to both individuals and corporate bodies.