How to remove FBI virus (Removal Guide)

The FBI virus (also known as the FBI Moneypak virus) is ransomware, closely related to the DOJ virus, that targets both Windows and Mac users. It locks the computer screen or the web browser with a fake notice that claims to come from the FBI, in order to scare the victim into paying a bogus fine. On Windows it is installed by Trojan horses (Trojan.Ransomlock.R, Reveton and others); it can also arrive as a script placed on a website that locks the browser, which is the form usually seen on Macs. Once the screen or browser is locked, a window or web page states that the computer's user has broken the law and that the owner must pay a fine to get the browser or computer back. Some variants also encrypt personal files and hold them hostage until the fine is paid.

The FBI virus relies on social engineering. The lock screen or locked browser window claims that the computer has been used for illegal activity (downloading or distributing copyrighted material, viewing child pornography, and so on) and demands a "fine" of $100, $200, $300 or more, to be paid within a set time through MoneyPak cards or similar prepaid services (REloadit, Ultimate Game Card, Ukash, Bitcoin), in exchange for unlocking the computer or browser or for a key to decrypt files. The fake FBI screen also threatens jail time or other consequences if the fine is not paid in time. The fine is not real; do not pay it.

How to remove FBI virus

This FBI virus removal guide will help you completely unlock your computer and remove FBI virus, FBI malware, and FBI ransomware from Windows and Mac computers, as well as Chrome, Firefox, and Internet Explorer.

Step 1: Remove FBI virus with Malwarebytes Anti-Malware

1. Install the free or full version of Malwarebytes Anti-Malware. The full version adds real-time protection that blocks malware and unwanted programs before they run; the free version is an on-demand scan and removal tool only. If the lock screen prevents you from reaching the desktop at all, skip ahead to the Troubleshooting section (Safe Mode with Networking or the flash-drive method) and come back to this step.

2. Once Malwarebytes is installed, run it. It may begin updating and scanning automatically.

3. If a scan or update has not started on its own, click the large Scan Now button or open the "Scan" tab to run a scan manually. If Malwarebytes asks to update its definitions before scanning, let it; a stale database can miss a fresh variant.

4. When the scan is complete, click Quarantine All to isolate and remove the detected files. You may be asked to reboot to finish removing files that were in use.

5. Optionally open the History tab and click Delete All to clear the quarantined files from the log; quarantined files are already neutralized and no longer pose a threat.

If problems persist after the Malwarebytes scan, install a second-opinion scanner such as HitmanPro by SurfRight to remove remaining malicious files and repair settings the infection changed.

Step 2: Cleanup malicious files with HitmanPro

1. Download and install the free or full version of HitmanPro.

2. Once HitmanPro is installed, open it and click Next to start scanning. If you are using the free version you may choose to install a copy or perform a one-time scan.

3. When the scan is complete, click Next again to delete any threats or traces found on your system.

4. If you are using the free version, activate the trial license when prompted by entering your email address twice and clicking Activate.

5. Restart your computer by selecting Reboot.

Your computer should now be free of the infection, tracking cookies, and other unwanted traces. Run one more Malwarebytes scan after the reboot to confirm nothing was restored at startup.

FBI virus removal (Troubleshooting)

If you are still having trouble removing the FBI virus, follow the instructions below to troubleshoot the removal process.

Manual FBI virus removal
1. Open the Windows Start Menu, type %appdata% into the search field and press Enter.
2. Navigate to: Microsoft\Windows\Start Menu\Programs\Startup (on Windows XP the Startup folder is %userprofile%\Start Menu\Programs\Startup instead).
3. Delete the "ctfmon" shortcut (shown as ctfmon.lnk if file extensions are visible). This shortcut is what launches the virus at startup. It is not the legitimate ctfmon.exe, which lives in C:\Windows\System32 and should be left alone; if in doubt, right-click the shortcut, open Properties and check that its Target points into a Temp or AppData folder rather than System32.

4. Open the Windows Start Menu, type %userprofile% into the search field and press Enter.
5. Navigate to: AppData\Local\Temp (on Windows XP: Local Settings\Temp)
6. Delete rool0_pk.exe
7. Delete the [random].mof file
8. Delete V.class

The virus files may have names other than "rool0_pk.exe", but they will look similar: short, meaningless names made of letters, digits and underscores. There may also be two files, one of them a .mof file. Removing the .exe is what actually disables FBI Moneypak. V.class is the Java exploit that installed the virus rather than what keeps it running; delete it anyway, and update or remove Java so the same hole cannot be used again.
FBI Moneypak Files:
The files listed below are the components that make FBI Moneypak function. To make sure FBI Moneypak is completely removed by hand, delete every one of these files that you find. Keep in mind that [random] can be any sequence of numbers or letters, and that not every file will be present in every infection.

%Program Files%\FBI Moneypak Virus
%Appdata%\skype.dat
%Appdata%\skype.ini
%AppData%\Protector-[rnd].exe
%AppData%\Inspector-[rnd].exe
%AppData%\vsdsrv32.exe
%AppData%\result.db
%AppData%\jork_0_typ_col.exe
%AppData%\[random].exe
%Windows%\system32\[random].exe
%Documents and Settings%\[UserName]\Application Data\[random].exe
%Documents and Settings%\[UserName]\Desktop\[random].lnk
%Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
%CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
%Temp%\0_0u_l.exe
%Temp%\[RANDOM].exe
%StartupFolder%\wpbt0.dll
%StartupFolder%\ctfmon.lnk
%StartupFolder%\ch810.exe
%UserProfile%\Desktop\FBI Moneypak Virus.lnk

Files reported without a fixed location (search the Temp and AppData folders above):
WARNING.txt
V.class
cconf.txt.enc
tpl_0_c.exe
irb700.exe
dtresfflsceez.exe
[random].exe

Kill the FBI Moneypak process
Open Task Manager (press Ctrl+Shift+Esc, or Ctrl+Alt+Delete and choose Task Manager) and end the rogue FBI Moneypak process. The process has a random name such as USYHEY347H372.exe, so look on the Processes tab for an entry you do not recognize; on Vista and 7 use View > Select Columns and enable Image Path Name, because the rogue process runs from a Temp or AppData folder rather than from C:\Windows or C:\Program Files. If the lock screen has disabled Task Manager, the DisableTaskMgr value in the next section is the reason and must be reset from Safe Mode first.
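The following PowerShell script is an added example, not part of the original guide: it automates the checks in the manual removal steps, the file list and the process hunt above. It lists running processes and Startup-folder shortcuts whose image or target lives in a Temp or AppData directory, plus loose .exe, .dll, .mof and .class files dropped there, and with -Remove it stops those processes and moves the files into a quarantine folder rather than deleting them. It keys on location, not on the specific file names listed on this page, so it also catches variants with different random names; the script name fbi-audit.ps1 and the quarantine folder name are choices made here.

```powershell
# Added example, not part of the original guide: report (and with -Remove,
# quarantine) the persistence the manual steps above tell you to delete by
# hand. Run from an elevated PowerShell prompt, for instance from Safe Mode
# with Command Prompt by typing "powershell" instead of "explorer". Written
# for PowerShell 2.0 so it also runs on Windows XP/Vista/7.
#   .\fbi-audit.ps1           # report only
#   .\fbi-audit.ps1 -Remove   # also stop processes and quarantine files
param([switch]$Remove)

$shell = New-Object -ComObject WScript.Shell

# Where the guide says the loader and its shortcut live. Anything in a
# Startup folder or running from here is suspect; real Windows components
# such as ctfmon.exe run from %WINDIR%\System32, never from these folders.
$dropDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:WINDIR\Temp") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))

function Test-DropPath([string]$path) {
    if (-not $path) { return $false }
    $p = $path.ToLowerInvariant()
    foreach ($d in $dropDirs) { if ($p.StartsWith($d + '\')) { return $true } }
    return $false
}

function New-Finding($kind, $path, $target) {
    New-Object PSObject -Property @{ Kind = $kind; Path = $path; Target = $target }
}

$findings = @()

# 1. Running processes whose image lives in a drop directory (the guide's
#    [random].exe that you would otherwise hunt for in Task Manager).
foreach ($proc in Get-Process) {
    $img = $null
    try { $img = $proc.Path } catch { }   # access denied on some system processes
    if (Test-DropPath $img) { $findings += New-Finding 'Process' $img $proc.Id }
}

# 2. Startup-folder shortcuts whose target is in a drop directory (the fake
#    ctfmon.lnk) and non-shortcut files placed directly in a Startup folder
#    (the guide lists wpbt0.dll and ch810.exe there).
foreach ($dir in $startupDirs) {
    foreach ($f in (Get-ChildItem -Path $dir -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })) {
        if ($f.Extension -eq '.lnk') {
            $target = $shell.CreateShortcut($f.FullName).TargetPath
            if (Test-DropPath $target) { $findings += New-Finding 'StartupShortcut' $f.FullName $target }
        } elseif ($f.Name -ne 'desktop.ini') {
            $findings += New-Finding 'StartupFile' $f.FullName ''
        }
    }
}

# 3. Executables, .mof and .class files dropped directly into the Temp and
#    AppData folders (rool0_pk.exe, [random].mof, V.class).
foreach ($dir in (@($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:WINDIR\Temp") | Where-Object { $_ })) {
    foreach ($f in (Get-ChildItem -Path $dir -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })) {
        if (@('.exe', '.dll', '.mof', '.class') -contains $f.Extension.ToLowerInvariant()) {
            $findings += New-Finding 'DroppedFile' $f.FullName ''
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'Nothing matching the indicators above was found.'; return }
$findings | Format-Table Kind, Path, Target -AutoSize

if ($Remove) {
    # Stop the loader first so its files are not in use, then move (do not
    # delete) everything into a quarantine folder so a false positive can be
    # put back. The legitimate ctfmon.exe in System32 is never touched.
    $q = Join-Path $env:USERPROFILE 'fbi-quarantine'
    New-Item -ItemType Directory -Path $q -Force | Out-Null
    foreach ($f in ($findings | Where-Object { $_.Kind -eq 'Process' })) {
        Stop-Process -Id $f.Target -Force -ErrorAction SilentlyContinue
    }
    $files = @($findings | Where-Object { $_.Kind -ne 'Process' })
    foreach ($f in $files) {
        Move-Item -Path $f.Path -Destination (Join-Path $q ((Split-Path $f.Path -Leaf) + '.quarantined')) -Force
    }
    Write-Host "Moved $($files.Count) item(s) to $q; reboot and rescan with Malwarebytes."
}
```

Review the report before using -Remove: legitimate updaters occasionally run from AppData, and the quarantine folder exists precisely so that such a file can be moved back. The script does not touch the registry; the Run key and policy values are handled in the next section.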

Remove Registry Values
To open the Registry Editor, type regedit into the Windows Start Menu search field and press Enter. If the infection has blocked regedit, the DisableRegistryTools value below is the reason; reset it from Safe Mode first.

Keys and values created by the infection (delete them):

HKEY_CURRENT_USER\Software\FBI Moneypak Virus
HKEY_LOCAL_MACHINE\SOFTWARE\FBI Moneypak Virus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[random].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector" = %AppData%\Protector-[rnd].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID = 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID = [rnd]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net = [date of installation]

Image File Execution Options hijacks (delete the whole subkey for each program). A "Debugger" value under an IFEO subkey makes Windows start the named debugger instead of the program, so pointing these security tools at svchost.exe silently stops them from ever launching:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe "Debugger" = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe "Debugger" = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE "Debugger" = svchost.exe

Policy values the infection changes. The infection sets the Disable* values to 1 to block Task Manager and regedit, EnableLUA and the ConsentPromptBehavior values to 0 to switch off UAC, and WarnOnHTTPSToHTTPRedirect to 0. Restore them to the values shown, which are the Windows defaults:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "EnableLUA" = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "ConsentPromptBehaviorAdmin" = 5 (Windows 7 default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "ConsentPromptBehaviorUser" = 3 (Windows 7 default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 1
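As an added example, not part of the original guide, this PowerShell script reads the registry locations listed above and reports which ones the lock screen has changed; with -Restore it puts the policy values back to their Windows defaults, removes IFEO "Debugger" entries that point at svchost.exe, deletes the "Inspector" Run entry and the keys the infection creates for itself. The default values are the Windows 7 ones given above (an assumption for other versions); the script name fbi-registry.ps1 is a choice made here.

```powershell
# Added example, not part of the original guide: audit the registry values
# listed above and, with -Restore, undo the changes the infection makes.
# Run from an elevated prompt (the HKLM values need administrator rights);
# written for PowerShell 2.0 so it also runs on Windows XP/Vista/7.
#   .\fbi-registry.ps1            # report only
#   .\fbi-registry.ps1 -Restore   # also repair
param([switch]$Restore)

$polUser = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$polMach = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$run     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Policy values and the settings Windows ships with (ConsentPromptBehavior
# defaults are the Windows 7 values). The lock screen sets Disable* to 1 and
# EnableLUA to 0; a missing Disable* value behaves like 0.
$expected = @(
    @{ Key = $polUser; Name = 'DisableTaskMgr';             Default = 0 },
    @{ Key = $polUser; Name = 'DisableRegistryTools';       Default = 0 },
    @{ Key = $polMach; Name = 'EnableLUA';                  Default = 1 },
    @{ Key = $polMach; Name = 'ConsentPromptBehaviorAdmin'; Default = 5 },
    @{ Key = $polMach; Name = 'ConsentPromptBehaviorUser';  Default = 3 },
    @{ Key = $inet;    Name = 'WarnOnHTTPSToHTTPRedirect';  Default = 1 }
)

function Get-RegValue([string]$key, [string]$name) {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

Write-Host '== Policy values =='
foreach ($e in $expected) {
    $cur = Get-RegValue $e.Key $e.Name
    if ($cur -eq $null) { $state = 'absent' }
    elseif ($cur -eq $e.Default) { $state = 'ok' }
    else { $state = 'TAMPERED' }
    '{0,-28} current={1,-4} default={2}  {3}' -f $e.Name, $cur, $e.Default, $state
    if ($Restore -and $state -eq 'TAMPERED') {
        if (-not (Test-Path $e.Key)) { New-Item -Path $e.Key -Force | Out-Null }
        Set-ItemProperty -Path $e.Key -Name $e.Name -Value $e.Default -Type DWord
    }
}

Write-Host '== Image File Execution Options Debugger entries =='
# A Debugger value makes Windows launch that program instead of the named
# .exe; pointing security tools at svchost.exe neuters them. Only entries
# that point at svchost are removed: other Debugger values can be legitimate
# (Process Explorer's "Replace Task Manager" uses the same mechanism), so
# those are only reported.
foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
    $dbg = Get-RegValue $sub.PSPath 'Debugger'
    if (-not $dbg) { continue }
    $hijack = $dbg -match '(?i)svchost\.exe'
    '{0,-20} Debugger={1} {2}' -f $sub.PSChildName, $dbg, $(if ($hijack) { '<-- hijack' } else { '' })
    if ($Restore -and $hijack) { Remove-ItemProperty -Path $sub.PSPath -Name 'Debugger' }
}

Write-Host '== HKCU Run entries =='
$runItem = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($runItem) {
    foreach ($p in $runItem.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider bookkeeping, not values
        $suspect = [string]$p.Value -match '(?i)\\(AppData|Temp|Local Settings)\\'
        '{0,-20} {1} {2}' -f $p.Name, $p.Value, $(if ($suspect) { '<-- runs from a profile/temp folder' } else { '' })
        # Only the guide's "Inspector" entry is removed automatically; other
        # entries from AppData can be legitimate updaters, so judge them by hand.
        if ($Restore -and $suspect -and $p.Name -eq 'Inspector') { Remove-ItemProperty -Path $run -Name $p.Name }
    }
}

Write-Host '== Keys the infection creates for itself =='
foreach ($k in @('HKCU:\Software\FBI Moneypak Virus', 'HKLM:\SOFTWARE\FBI Moneypak Virus',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus')) {
    if (Test-Path $k) {
        "present: $k"
        if ($Restore) { Remove-Item -Path $k -Recurse -Force }
    }
}
```

Run it once without -Restore and read the report: on a domain-joined machine some of the policy values may be set by Group Policy rather than by the infection, and a Run entry that points into AppData is not automatically malicious, which is why the script deletes only the entry the guide names.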

System Restore – Recovery
Below are three ways to reach System Restore on a typical Windows computer. System Restore rolls back the registry and system files to an earlier restore point; it does not reliably remove the dropped files in your Temp and AppData folders, so run a full anti-malware scan afterwards.

If you have the manufacturer's recovery disc that came with your computer, you can also perform a system restore or a full factory recovery by inserting the disc, tapping F8 (or your manufacturer's boot hotkey) and following the on-screen instructions.

Windows Start Menu rstrui.exe Restore
1. Open the Windows Start menu.
2. Type rstrui.exe into the search field and press Enter.
3. Follow the instructions in the System Restore wizard.

Start Menu System Restore
The standard route to the System Restore wizard.

1. Open the Windows Start menu and click All Programs.
2. Open Accessories, then System Tools, and click System Restore.
If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Follow the wizard to restore your computer to a date and time before the infection.
Safe Mode with Command Prompt Restore
Use this route if you cannot reach the Windows desktop. If Safe Mode comes up as a black screen with "Safe Mode" in the four corners, move the cursor to the lower-left corner where the Start Menu search box normally sits; the Start Menu, including the Run box, will appear.

1. Restart the computer. Power it off at the wall if necessary.
2. Boot into "Safe Mode with Command Prompt": repeatedly press F8 as soon as the computer starts, before the Windows logo appears, and pick the option from the Advanced Boot Options menu.

3. When the Command Prompt appears you have only a few seconds to type "explorer" and press Enter. If you are not quick enough (2 to 3 seconds on some machines), the FBI MoneyPak lock screen starts and stops you typing anything further. If that happens, reboot and try again; the lock screen only wins the race if it starts before you do.

4. Once Windows Explorer opens, browse to the restore tool and run it:

  • Windows XP: C:\windows\system32\restore\rstrui.exe
  • Windows Vista/7: C:\windows\system32\rstrui.exe

5. Follow the wizard to restore the computer to a restore point dated before the infection.

Safe Mode with Networking
For users who need Internet or network access while troubleshooting, for example to download updates, drivers, removal software or other files. Safe Mode loads only core Windows components, so it also bypasses the problem of antivirus or anti-malware software that the FBI Moneypak infection has disabled or broken.

The plan with this option is to boot into "Safe Mode with Networking", install anti-malware software, scan, and remove the malicious files.

1. Reboot into "Safe Mode with Networking". As the computer starts (when the manufacturer's logo appears), tap F8 repeatedly until the Advanced Boot Options menu appears, use the arrow keys to select "Safe Mode with Networking" and press Enter.

  • Log into an account with administrator rights.

The screen may be black with the words "Safe Mode" in all four corners. Click where the Start Menu normally is to bring up what you need.

2. There are a few things you can do from here:

  • Open the Start menu, go to All Programs and open the StartUp folder.
  • Remove the "ctfmon" shortcut (or a similarly named one). This is the Startup-folder shortcut described under Manual FBI virus removal above; the legitimate ctfmon.exe in C:\Windows\System32 is the Windows text-input and language-bar process and is not affected.

For many users this single step is enough to stop the lock screen from coming back.

The following steps are not required if you removed the shortcut above, but provide separate options for troubleshooting.

3. If you still cannot access the Internet after restarting in Safe Mode, reset the Internet Explorer proxy settings. The infection can point the system proxy at a dead address so that downloads of removal tools fail. Either of the two options below resets the proxy settings stored in the Windows registry.
How To Reset Internet Explorer Proxy Settings

  • Option 1

Open the Run dialog: in Windows 7 click Start, type run in the search box and click Run in the results; in Windows Vista click Start and then Run; in Windows XP click Start and then Run.

Copy and paste (or type) the following into the Open box and click OK. This turns the proxy off:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

Open the Run dialog again and run the following command, which removes the proxy address itself:

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f

Restart Internet Explorer and then follow the steps listed previously to run the scanner.

  • Option 2

Launch Internet Explorer and go to Tools -> Internet Options -> Connections tab.
Click the LAN Settings button, untick "Use a proxy server for your LAN" and click OK.

4. If Malwarebytes is not already installed, download it now (free or paid version) and run a full system scan to remove the FBI Moneypak malware from your computer.
Flash Drive

  1. Turn off the computer and unplug its Internet connection.
  2. Turn the machine back on. Some variants only display the lock screen when the machine is online, so staying disconnected may give you a usable desktop.
  3. On another (clean) computer, download Malwarebytes or your preferred removal program and copy the installer (mbam-setup.exe or similar) onto a flash drive.
  4. Remove the flash drive from the clean computer, insert it into the affected machine and install Malwarebytes from the copy on the flash drive.
  5. Run a full system scan; Malwarebytes will find and remove the malicious files.
  6. Restart the machine.

Optical CD-R

  1. Place a blank CD-R into your CD drive.
  2. Download a bootable rescue image such as Windows Defender Offline (or your preferred rescue disc) and burn it to the CD-R. It must be a bootable image; simply copying an installer onto a disc does not produce a disc the computer can boot from.
  3. Restart your computer and boot from the CD.

A reader reported: "You may need an old-school keyboard (not the USB, but the PC connector type) since the virus delays the USB startup. The Defender will clean your PC in totality. This virus is somewhat complex, but is no match for Windows Defender. After the scan is complete, run a full scan again without a restart."

Slave Hard Disk Drive
If the anti-malware software cannot run on the infected machine, another option is to connect its hard drive to a second, clean computer and scan it from there. This is common practice for local computer technicians but requires a second working computer and the tools to remove the drive, so it may be difficult for some users; the other options above cover the same ground.

  1. Remove the hard disk drive from your computer.
  2. If it is an IDE (PATA) drive, set the jumper on the drive to "slave". SATA drives have no such jumper; connect one as a second drive or through a USB-to-SATA adapter.
  3. Connect the drive to the unaffected computer. Make sure AutoRun is disabled on that computer and do not open or run anything from the infected drive.
  4. Scan the drive and remove any malware found. Make sure to scan every user profile on the drive, not just one.
  5. Reconnect the drive to your original computer.

FBI virus removal tips

*Logging in as a different user

The lock screen is usually installed per user, so if there are several accounts on your Windows system you can usually log into one of the other accounts without the lock screen appearing. If that second account has administrator rights you can often remove the infection from there. To learn more, see the related forum topics at the bottom of this page.

Deny Flash option

The FBI Moneypak lock screen uses Flash, and in some cases denying Flash access can "freeze" (suspend) the lock screen long enough for the removal methods above to be carried out. This is neither required nor a removal method in itself; it helps only with some individual infections and may be skipped.
1. To deny Flash access, open the Flash Player settings page: http://www.macromedia.com/support/documentation/en/flashplayer/help/help09.html
2. Select the "Deny" radio option.
3. Proceed to a removal option: an anti-malware scan and removal, or System Restore.

What does denying Flash do?

If you select Deny, the Flash application does not get access to your camera or microphone. The application keeps running but may not function as intended; alternatively it may report that it cannot continue without access, in which case you can either allow access or close it.


521 replies to "How to remove FBI virus (Removal Guide)"

  1. Anonymous

    What if I don't pay, would it stay there? What would happen? I have a tablet, so it blocks everything and I can't get into anything. Can someone please help...

  2. djg

    Removal: in Chrome/FE go to Tools -> Developer Tools -> Elements. You will see HTML inside the head tag; right-click on the script tag and delete all of them, then close the browser. Also you can try putting in any 14-digit number and clicking the submit button; it will always work.

  3. Ehns0mnyak

    Kudos to whoever wrote this. It was a pain, even for a seasoned vet.

    On an older, slower machine you have roughly 3 seconds after explorer.exe loads before the virus takes control. If you're fast, you can Ctrl-Alt-Delete and get to Task Manager in time to force-quit explorer.exe. I closed a couple of the non-critical processes and started a new explorer.exe process.

    Luckily I was able to get into windows, and run malware bytes.

    7 of the malicious files were hiding out in the \windows\temp\(8 random chars).exe
    and a final in \documents and settings\(username)\local settings\temp\(18 random chars).exe