FBI Moneypak virus

computer security

FBI MoneyPak Virus is a ransomware* infection which locks the computer on startup and demands a payment to unlock it. Be aware that this demand is fake: the FBI and every other US government institution have nothing to do with it. This virus was first detected in July 2012 in the USA and mainly affected US citizens' computers. DO NOT PAY any money (some versions demand a $100 "fine", later ones $200).

*Ransomware is the class of malware that demands payment of a fine, donation or ransom before it will perform a specific action or let normal use of the computer continue.

How FBI MoneyPak virus works

FBI MoneyPak virus locks the computer screen on startup. It first displays a white window saying "Page is loading, please wait. This may take up to 30 seconds". Then a new screen appears with an FBI warning that the computer has been locked because of illegal activities such as viewing porn and other illegal material or sending unsolicited emails and information, which it claims are prosecuted by the Federal Government under the Copyright Act (Section 106) and the Criminal Code (section 184, paragraph 3). The screen states that the person must pay a $200 fine through the MoneyPak payment system within 72 hours. If payment is not made within that time, it threatens confiscation of the computer and even jail.

It is unclear how many fake FBI fines were actually paid, but the scam was large. Infections may still occur from time to time on computers that lack proper protection.

The people who control this virus over the internet are after easy money. Their primary goal is remote control of your computer through special Trojans. The secondary goal is to deceive people into paying $200 to their accounts through the MoneyPak payment platform, which is popular in the USA and available in major stores across the country. Criminals worldwide have used this fraud scheme for some 10 years, since card payments became available.

FBI MoneyPak Virus does not steal any of your personal data. It only locks the computer and demands a single payment, threatening legal action and even imprisonment.

How FBI MoneyPak virus infects the computer

The FBI Virus is not distributed as a single virus file like regular viruses. It reaches the computer through Trojans that are placed on the hard disk when the user opens suspicious links and software. The criminals who control the Trojans install the FBI MoneyPak virus only after checking the victim's IP address to make sure the victim is in the USA and has access to the MoneyPak prepaid card system in a local store.

This infection can be prevented by securing the computer against Trojans, which do far more harm to personal data and to the computer itself.

How to remove FBI Virus with SpyHunter

First of all, the owner of the infected computer should know that the only way to remove this virus is to start the computer in Safe Mode. The virus blocks any action in a normal session, so launching anti-virus software there is not possible. Here are the simple steps for using the SpyHunter virus removal tool to get out of this situation.

Step 1. On another computer, copy the SpyHunter installation files to a CD or USB flash drive.

Step 2. Turn on your computer. When the black screen appears, press F8 on your keyboard. This brings up the selection of Windows startup modes.

Step 3. Choose the Safe Mode with Networking option and press Enter. The computer should now start in Safe Mode, and you will see the desktop with your files.

Step 4. Reboot your computer and run a full system scan. SpyHunter should detect the infected files and remove them.

Now you can start your computer without the FBI MoneyPak virus screen. Continue with the virus removal, as some files may still be left on the hard disk.

How to remove the FBI Virus manually

Manual removal may be complicated for inexperienced users, so please ask someone for help or read manuals online. There are helpful videos on YouTube with step-by-step instructions on how to remove FBI MoneyPak Virus.

Step 1. Reboot the computer and start Safe Mode with Networking.

Step 2. Press Ctrl+Alt+Del to launch Task Manager. Look at the processes the computer is currently running. Find the application whose name is made of random letters followed by .exe and click End Process. The applications that need to be terminated:

tpl_0_c.exe
ch810.exe
0_0u_l.exe
[random].exe
jork_0_typ_col.exe
vsdsrv32.exe
Protector-[rnd].exe
Inspector-[rnd].exe

Step 3. Remove the virus files:

Go to My Computer.

Open Folder Options and click the View tab.

Select "Show hidden files, folders, and drives" and click Apply.

Go to C:\Users\Your profile\AppData\Local\Temp

The Temp folder should contain many folders named with letters and numbers. Find the following entries and delete the .exe files they point to:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Random.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Random.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe

The infection's registry entries can also be removed with RegEdit, which lets you find and delete them. You should get rid of these values:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random].exe
HKEY_LOCAL_MACHINE\SOFTWARE\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableRegistryTools' = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system 'EnableLUA' = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings 'WarnOnHTTPSToHTTPRedirect' = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableRegedit' = 0
HKEY_CURRENT_USER\Software\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Inspector’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableTaskMgr' = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableRegistryTools' = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableTaskMgr' = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system 'ConsentPromptBehaviorAdmin' = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system 'ConsentPromptBehaviorUser' = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system 'EnableLUA' = 0

Now search for the following files and delete any that you find:

%Program Files%\FBI Moneypak Virus
%AppData%\Protector-[rnd].exe
%AppData%\Inspector-[rnd].exe
%AppData%\vsdsrv32.exe
%AppData%\result.db
%AppData%\jork_0_typ_col.exe
%appdata%\[random].exe
%Windows%\system32\[random].exe
%Documents and Settings%\[UserName]\Application Data\[random].exe
%Documents and Settings%\[UserName]\Desktop\[random].lnk
%Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
%CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
%Temp%\0_0u_l.exe
%Temp%\[random].exe
%StartupFolder%\wpbt0.dll
%StartupFolder%\ctfmon.lnk
%StartupFolder%\ch810.exe
%UserProfile%\Desktop\FBI Moneypak Virus.lnk
WARNING.txt
V.class
cconf.txt.enc
tpl_0_c.exe
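Before deleting anything by hand, it helps to check which of the artefacts from the two lists above are actually present. The PowerShell audit below is an added example, not part of the original article or of SpyHunter: it reads the Run keys, the Image File Execution Options "Debugger" entries, the policy values and the dropped-file paths named above and only reports what it finds. It assumes an elevated PowerShell prompt in Safe Mode with Networking, that %Temp% maps to $env:TEMP, and that the per-user Startup folder lives under $env:APPDATA; the function name Find-MoneyPakArtifacts is my own.

```powershell
# Read-only audit for the registry and file artefacts named in the manual removal steps.
# Assumes an elevated prompt in Safe Mode with Networking; nothing is deleted, hits are only reported.
function Find-MoneyPakArtifacts {
    $hits = @()
    # Run values whose command lives in %AppData% or %Temp%, or carries the Protector-/Inspector- names
    foreach ($hive in 'HKCU', 'HKLM') {
        $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $run)) { continue }
        foreach ($p in (Get-ItemProperty -Path $run).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # provider metadata (PSPath etc.), not a Run value
            if ("$($p.Value)" -match '\\AppData\\|\\Temp\\|Protector-|Inspector-') {
                $hits += "Run value '$($p.Name)' ($hive) -> $($p.Value)"
            }
        }
    }
    # IFEO Debugger entries that redirect the listed anti-malware executables to svchost.exe
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($exe in 'AAWTray.exe', 'AVCare.exe', 'AVENGINE.EXE', 'protector.exe') {
        $dbg = Get-ItemProperty -Path "$ifeo\$exe" -Name Debugger -ErrorAction SilentlyContinue
        if ($dbg) { $hits += "IFEO Debugger for ${exe} -> $($dbg.Debugger)" }
    }
    # Lockout values (Task Manager / regedit) and the UAC settings the locker tampers with
    $polCU = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $polLM = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($n in 'DisableTaskMgr', 'DisableRegistryTools', 'DisableRegedit') {
        $v = Get-ItemProperty -Path $polCU -Name $n -ErrorAction SilentlyContinue
        if ($v) { $hits += "Lockout value $n present under HKCU Policies\System (= $($v.$n))" }
    }
    foreach ($n in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser') {
        $v = Get-ItemProperty -Path $polLM -Name $n -ErrorAction SilentlyContinue
        if ($v -and $v.$n -eq 0) { $hits += "UAC weakened: $n = 0 under HKLM Policies\System" }
    }
    # Marker keys and dropped files from the lists above (per-user Startup folder path is assumed)
    foreach ($k in 'HKCU:\Software\FBI Moneypak Virus', 'HKLM:\SOFTWARE\FBI Moneypak Virus') {
        if (Test-Path $k) { $hits += "Registry key present: $k" }
    }
    $startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($f in "$env:APPDATA\vsdsrv32.exe", "$env:APPDATA\result.db", "$env:APPDATA\jork_0_typ_col.exe",
                   "$env:TEMP\0_0u_l.exe", "$startup\wpbt0.dll", "$startup\ch810.exe") {
        if (Test-Path -LiteralPath $f) { $hits += "File present: $f" }
    }
    return $hits
}

$result = Find-MoneyPakArtifacts
if ($result) { $result | ForEach-Object { "[!] $_" } } else { 'No listed artefacts found.' }
```

Any "[!]" line is something to review against the lists above before you delete it; a Run value that merely points into %AppData% can also belong to a legitimate program.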

The removal process is over. Reboot your computer, and repeat the cleaning procedure if some infected files are still left and cause strange behavior of the computer.

Please do not open attachments from people you do not know, or from friends whose emails look unnatural. Always keep anti-virus software active and scan the computer for Trojans, since they are what bring in scams such as the FBI MoneyPak virus.
