
Rahul Thadani
How to remove the FBI Moneypak virus from an infected machine
September 27, 2012

Last month we highlighted the growing threat of a fake FBI notice in the United States, which turned out to be a form of ‘ransomware’. This ransomware was nicknamed Moneypak because it demanded payment of a sum of money through a prepaid Moneypak credit card. The malware locked the machine and displayed a fake message that claimed to be from the FBI.

[Image: Moneypak malware]

Ransomware is malicious software that restricts access to a computer until a ransom is paid. The FBI Moneypak ransomware (also known as the FBI virus, Citadel or Reveton) locks the computer, then alleges that the user has been involved in illegal activity (downloading or distributing copyrighted material, viewing child pornography, etc.) and demands that a penalty of $100 or $200 be paid with Moneypak cards within 72 hours to unlock the system. It also states that the user will face prosecution and jail time from the FBI if the fine is not paid in time. These claims are false: the notice is malware, not an FBI communication.

The potential harm caused

  • Slows the computer down, weakens its security and causes various kinds of system instability
  • Terminates programs the computer relies on, such as antivirus, antispyware and other security software
  • Freezes the entire system
  • Collects login names, passwords, personal information and other confidential data without the user’s knowledge or consent
  • Discloses that personal information
  • Encrypts the user’s personal documents and deletes the originals
  • Hides the files that would allow the malware to be deleted
  • Demands a ransom in clear terms, in a personal and accusatory message

How to manually remove the malware

STEP 1: Restart your computer

STEP 2: Press F8 immediately after the system restarts, before the Windows screen appears. You will now see ‘Windows Advanced Boot Options’.

[Image: Windows Advanced Boot Options]

STEP 3: Use the UP arrow key to navigate to “Safe mode with command prompt” and press the Enter key.

STEP 4: Type “explorer.exe” in the command prompt window and press the Enter key.

[Image: command prompt]

STEP 5: Find the following files in the “Startup” or “Application Data” folder (‘User’ stands for your Windows user name):

  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ctfmon.lnk
  • C:\Documents and Settings\User\Application Data\msconfig.dat
  • C:\Documents and Settings\User\Application Data\msconfig.ini

[Image: Application Data folder]

STEP 6: Delete whichever of ‘Ctfmon.lnk’, ‘msconfig.dat’ and ‘msconfig.ini’ you find.

[Image: delete file]

STEP 7: Reboot the system again, this time in Normal Mode. After it restarts, run a full system scan to remove any remaining files.

These steps will help you remove the malware from your machine and protect you from the Moneypak virus. Although the malware has so far been rampant mostly in the United States, there is a chance it will spread to other regions as well, so it is best to be aware of these steps to ensure complete protection.

UPDATE: On Windows 7 you will not find the ‘Application Data’ folder at the path given above. Instead, open the Windows Run box (press the Windows key + R) and type appdata. The Application Data folder opens and you can search for the ‘msconfig’ files there.
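The following script is an added example and is not part of the original post or Quick Heal's tooling. It automates STEP 5 and STEP 6 from the defender's side: it looks for the three indicator files the post names under the Windows XP layout listed above and also, as my own assumption not given in the post, under the Vista/7 layout (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup and C:\Users\<user>\AppData\Roaming), and it moves any hit into a quarantine folder instead of deleting it so a false positive can be restored.

```python
"""Locate and quarantine the FBI Moneypak startup artefacts named in the post.

Checks the XP layout (C:\\Documents and Settings\\...) the post lists and, as an
assumption of this example, the Vista/7 layout (C:\\ProgramData\\...\\Startup
and C:\\Users\\<user>\\AppData\\Roaming). Hits are moved to a quarantine
folder, not deleted, so a false positive can be restored.
"""
import shutil
from pathlib import Path

# All-users Startup folders: the post's XP path and the assumed Vista/7 path.
ALL_USERS_STARTUP_XP = Path("Documents and Settings", "All Users", "Start Menu", "Programs", "Startup")
ALL_USERS_STARTUP_7 = Path("ProgramData", "Microsoft", "Windows", "Start Menu", "Programs", "Startup")
STARTUP_INDICATORS = ("Ctfmon.lnk",)           # the genuine ctfmon.exe lives in System32, not Startup
APPDATA_INDICATORS = ("msconfig.dat", "msconfig.ini")


def _present(directory: Path, names) -> list:
    """Return files in directory whose name matches one of names (case-insensitive, as on NTFS)."""
    if not directory.is_dir():
        return []
    wanted = {n.lower() for n in names}
    return [p for p in directory.iterdir() if p.is_file() and p.name.lower() in wanted]


def appdata_dirs(root: Path):
    """Yield each user's Application Data folder under root, for both profile layouts."""
    for profiles, sub in ((root / "Documents and Settings", Path("Application Data")),
                          (root / "Users", Path("AppData", "Roaming"))):
        if profiles.is_dir():
            for profile in profiles.iterdir():
                if (profile / sub).is_dir():
                    yield profile / sub


def find_indicators(root: Path) -> list:
    """Return the indicator files present under root without modifying anything (STEP 5)."""
    hits = []
    for startup in (root / ALL_USERS_STARTUP_XP, root / ALL_USERS_STARTUP_7):
        hits += _present(startup, STARTUP_INDICATORS)
    for appdata in appdata_dirs(root):
        hits += _present(appdata, APPDATA_INDICATORS)
    return hits


def quarantine(root: Path, quarantine_dir: Path) -> list:
    """Move every indicator file into quarantine_dir, keeping its path relative to root (STEP 6)."""
    moved = []
    for hit in find_indicators(root):
        dest = quarantine_dir / hit.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(hit), str(dest))
        moved.append(dest)
    return moved


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    drive = Path(args[0] if args else "C:\\")   # drive root to scan; defaults to C:\
    found = find_indicators(drive)
    for hit in found:
        print("suspect file:", hit)
    if found and "--quarantine" in sys.argv:
        for dest in quarantine(drive, drive / "Quarantine_Moneypak"):
            print("moved to:", dest)
```

Run it from an elevated prompt (in Safe Mode with Command Prompt if the lock screen prevents normal use) to list hits first, and add `--quarantine` only after reviewing them; run a full antivirus scan afterwards as STEP 7 says.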


About Rahul Thadani
Rahul is a web enthusiast and blogger, and has been writing about the computer security industry for the last three years. Following the latest technology trends,...

148 Comments


  1. I am fully satisfied; my computer is safe. Thanks to Quick Heal

    Reply
  2. can you plz tell me how to go to startup or application data??

    Reply
    • Hi Jyoti,
      The instructions to do the same are mentioned in the post. If you face further issues, feel free to call our support center on 927-22-33-000. You can get the instructions to do the same from there as well.
      Thanks.

      Reply
      • I have a Win 7 pc, and searched for “msconfig.ini” and “msconfig.dat” from appdata but could not find either. I even tried to search the files from “c:”, and still could not find them.
        Any suggestions? Please…..

        Reply
        • Hi Shaw,
          The instructions to do the same are mentioned in the post. If you face further issues, feel free to call our support center on 927-22-33-000. You can get the instructions to do the same from there as well.
          Regards.

          Reply
  3. tambua africa, September 27, 2012 at 11:20 PM

    thanks

    Reply
  4. three months ago i got the same problem.
    It locked my computer and encrypted my pdf and all document files.

    and asked for 100$ to revert the problem.
    But i found no solution to this problem so i reinstalled my OS, but my document files remained encrypted. i lost my important data at that time.

    Is there any way to decrypt those document files?

    Reply
  5. Alhaji tajudeen, September 28, 2012 at 12:49 AM

    thank you for the early alert of the new development of the moneypak ware; we will keep a watch on our computer for any sign.

    Reply
  6. FYI: It has spread to Canada

    Reply
  7. VERY USEFUL INFORMATION

    Reply
  8. William Gallagher, September 28, 2012 at 9:46 AM

    How do I contact Quick Heal if I run into a problem with my computer, is there a phone number to call or an e-mail address? Thank You

    Reply
  9. Mukesh Adenwala, September 28, 2012 at 9:49 AM

    My problem is slightly different. My computer reboots itself when I try to scan the system, and also when I open a link from my mailbox or a site that I am visiting. There is also a siren-like noise before the system closes itself, and quite often the system hangs, requiring a manual reboot as well. Can anyone guide me on why this should happen and what to do about it? Thank you

    Reply
  10. francis barchebo, September 28, 2012 at 11:17 AM

    i recently [one week ago] got a message from a lady purporting to be a refugee in ghana from ivory coast, and she wanted me to assist her to withdraw her 6.5 million dollars from an offshore account in britain to my account, then send her some fare so that she could come to nairobi where we could live happily thereafter. she claimed her father died some time back leaving her the fortune. she claimed to be living in a convent with a catholic father. how do i ensure that i am safe from such cases? i didn't send her anything because i became suspicious.

    Reply
    • Hi Francis,
      This is commonly known as a ‘419 scam’ or a ‘Nigerian scam’. If you receive such messages in the future, ignore them completely.
      Thanks.

      Reply
      • Hi Francis,
        Rahul is correct. I didn't know the name of this scam, but in the spam folder of my mailbox i am receiving such mail on a weekly basis.
        Also receiving Coca-cola or Nokia Fortune Awards…. I just remember we can't get anything without hard effort….. so nobody can give us such awards easily.

        Reply
  11. devavrat mahadik, September 28, 2012 at 12:52 PM

    after quick heal defragmenter some horizontal lines appear one after another. is there any virus or is it a monitor fault? plz help if u have any solution

    Reply
  12. What is 404 error?

    Reply
    • Hi,
      A 404 error is when a website is contacted but there is no response from the website to the server. This is because the link is broken or because access to the link is restricted.
      Thanks.

      Reply
  13. Thank you dear…
    This is very important to every people

    Reply
  14. plz tell me how to update new version because some problem with old version….
    and my quick heal anti virus dont updating data 2months

    Reply
  15. Thank u very much to aware us about this. Thanx to the Quick Heal Blog as well as to the Quick Heal Total Security on my Machine.

    Reply
  16. habib barbhuiya, September 28, 2012 at 1:48 PM

    sir, i installed vista home premium a year ago. but day by day it started slowing down and took a lot of time to boot. then i unchecked all unnecessary programs from startup. i even purchased pc tools performance tool kit but got no observable change. please help

    Reply
    • Hi Habib,
      Windows Vista is a notoriously heavy OS and its performance depends on the specifications of your machine as well. It is advisable to switch to a better OS or to enhance your hardware.
      Thanks.

      Reply
  17. Chandra S Bhatnagar, September 28, 2012 at 1:52 PM

    Thanks for the information

    Reply
  18. santosh kumar behera, September 28, 2012 at 2:34 PM

    thank you

    Reply
  19. Jitendar Singh Shekhawat, September 28, 2012 at 3:20 PM

    Thank u very much to aware us about this. Thanx to the Quick Heal Blog as well as to the Quick Heal Total Security on my Machine.

    Reply
  20. Aviral Singh Chauhan, September 28, 2012 at 3:27 PM

    Thanks a lot! Indian Bro I will be restarting and will check if, my system has a malware virus.

    Reply
  21. can u please guide me on windows 7 OS. i am unable to get the “Application Data” folder in windows7, and the “Start up” folder is showing empty.

    Reply
  22. I am experiencing stability issues on Windows 7.

    However, I don't see the folders that you have mentioned, i.e. c:\documents and settings

    I see the following folders: c:\program data or c:\program files

    Where should I look for the files to delete?

    Reply
  23. Just one question, Rajesh; the bad guys will send malware; the user will clean the system manually, so what the hell will QH be doing? Earlier this year I got the virus ‘hacktool’ that installed other bots onto my PC, and QH, despite ‘n’ no. of scans, certified the pc to be ‘clean’.

    I am not a pro like u guys but I have some common sense. My machine was taking 10 mins to boot up and 5 mins to shut down and still the people at QH support claimed everything is ‘normal’.

    I’m using QH because I paid for it and the license is valid till Feb 2013, after which, I plan to shift to something better that can look into the system volume information folder and remove any file infecting the system from there.

    Reply
    • Hi Santo Ray,
      We are disappointed to hear that you are dissatisfied with our product. The nature of the malware industry is such that certain threats do infect machines until they are discovered by someone. Attackers constantly utilize new methods to cause harm. No antivirus product can provide you with 100% protection. We provide excellent technical support and value for our customers and we apologize if you have been inconvenienced. We hope you change your mind about continuing with us in the future.
      Best regards.

      Reply
  24. hello my name is chintan and i followed the steps but it could not remove the fbi and i am using windows7 ultimate as the os. so please help me to remove fbi.

    Reply
  25. thanks….

    Reply
  26. what to do if all the folders in my external hard disk and memory card have turned into .exe files and are not opening

    Reply
  27. Thanks. It will be very helpful. Can I forward this page to my friends?

    Reply
  28. Nice information and really easy steps to resolve the infection.

    Reply
  29. PINTU MONI TIWARI, September 28, 2012 at 5:31 PM

    Thanks for the information…….

    Reply
  30. I am using QH for a very good reason. Thanks

    Reply
  31. how will i know if my pc is having this new malware or any other such infection….

    Reply
  32. my com hangs whenever i boot the 1st time.. then after re-booting manually the ‘Windows Advanced Boot Options’ appear, and after logging into safe mode and restarting it works normally. it always happens on the 1st boot. CAN ANYBODY TELL ME WHAT IT IS?? is there any virus on my com..? or is it any other reason.. i have quickheal total security on my com.. plz anybody suggest what is going wrong for me.

    Reply
  33. thanks but i have window 7 there not Documents and Settings in C drive

    Reply
  34. MUDASSAR HUSAIN, September 28, 2012 at 7:14 PM

    THANKS DADA, I DID THE steps UR SAYING and got the solution to this problem………………..many many thanks @Rahul Thadani

    Reply
  35. Thanks Friends

    Reply
  36. Sir i m getting a message in quickheal that Fbi Moneypak ransomware cases are on the rise. so what should i do?

    Reply
  37. Good information thank you

    Reply
  38. thank you for this information

    Reply
  39. many of my temp files are not deleted. i ran a quick heal full scan but they were not removed

    Reply
  40. thanks a lot for your valuable information

    Reply
  41. rajesh khanna, September 29, 2012 at 2:19 AM

    i am unable to start my laptop in safe mode with command prompt.
    What is the problem? please suggest what to do

    Reply
  42. thank u vry much

    Reply
  43. thank u so much

    Reply
  44. if I don't open any of these emails is my computer safe?

    Reply
  45. Mr.Rahul Thadani,

    Why we should add the detection over QH for this “FBI Moneypak virus” .

    Reply
  46. THANK YOU

    Reply
  47. manoj mahadik, September 29, 2012 at 9:21 AM

    thanks for the information.

    Reply
  48. ashwaq baroba, September 29, 2012 at 11:37 AM

    Hello Rahul,

    i have had quick heal internet antivirus for 1 year. for the last two or three weeks there has been a problem with my computer: some folders do not open quickly, they take a long time, & sometimes the computer hangs when i click those folders, then i restart my computer. i scanned that folder also but no virus was found; i have lots of software in that folder. can u help me, what should i do? please solve my problem. waiting for ur favorable reply soon.

    Regards& Thanks.
    ash baroba.

    Reply
  49. Bhuwnesh Joshi, September 29, 2012 at 2:51 PM

    I Am Not Able to See the Documents and Settings in c drive. What is the Problem

    Reply
  50. One of my friends is having a problem with Interpol Ransomware on his machine.
    The whole screen is hijacked and we are unable to do anything.
    Even tried the aforementioned steps but of no use.
    Any Help??

    Reply
  51. aroop banerjee, September 29, 2012 at 4:04 PM

    Hi,

    Thanks a lot for your advice. I have a query.. when I go to the youtube site or a metacafe site and wish to watch any documentary or any clip I get a message from Bing saying that “watching this video in your location is prohibited. Consider turning the safety mode off.”

    Is it safe to do that?

    Kind regards,
    Aroop

    Reply
  52. anushree joshi, September 29, 2012 at 5:18 PM

    thankyou so much……

    Reply
  53. anushree joshi, September 29, 2012 at 5:19 PM

    thankyou…

    Reply
  54. Ganesh Deshmukh, September 29, 2012 at 5:20 PM

    thank you QuickHeal Team

    Reply
  55. I am using win7 and when I do the above things it says ‘C:\Documents’ is not recognized as an internal or external command,
    operable program or batch file.
    Here is what it shows (full):
    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>explorer.exe
    C:\Windows\system32>C:\Documents and Settings\All Users\Start Menu\Programs\Startu
    p\Ctfmon.Ink
    ‘C:\Documents’ is not recognized as an internal or external command,
    operable program or batch file.

    Reply
  56. Hi Rahul, will you please send me a toll-free number.

    Reply
  57. I m getting an alert in the quick heal software that FBI moneypack ransomware is on the rise. please suggest how to remove this malware.

    Reply
  58. thank u for keeping us updated

    Reply
  59. Will Quick Heal come up with an antivirus compatible with Windows 8? If so, when, and will it be as safe as it is for Windows 7?

    Reply
  60. thanks, QH is the software virus package that keeps my computer safe

    Reply
  61. Hi Rahul,
    I have faced the issue and it got resolved by the steps.
    thanx for the updated info and its simple steps to remove.

    Reply
  62. sir,
    pls tell me procedure again for removing malware…….

    Reply
  63. which OS would you suggest in the above situation?

    Reply
  64. hey there…. i am facing a problem here….. i am not understanding why youtube doesn't open up…. in any of the browsers… say CHROME… or INTERNET EXPLORER or FIREFOX…… is this a similar problem to the one u described..???? also my laptop sometimes shuts down automatically..?? AND MAINLY the CHROME AND FIREFOX browsers crash many times……. PLEASE HELP

    Reply
  65. om prakash jain, September 30, 2012 at 3:39 PM

    Dear Sir,

    please help me. When I open several programs together on the net, the net is slow and it seems to show Request Time out.

    Reply
  66. I am not able to delete the file ‘ctfmon’. It says I need permission to do so. Please help.

    Reply
  67. sarbeswar behera, September 30, 2012 at 4:54 PM

    thanks

    Reply
  68. Anthony Wiggins, September 30, 2012 at 5:59 PM

    I read the instructions but did not understand when it said to delete other files. Also, as I came down the page it showed a blog or something above where I came to these messages. It mentioned the FBI virus and my mouse showed I could open that file and/or link. I was not sure what would happen if I clicked on it, so I left it alone.
    So far I have not seen the FBI Virus.
    Anthony

    Reply
  69. I have faced the issue and it got resolved by the steps.
    thanx for the updated info and its simple steps to remove.

    Reply
  70. Thank you for suggesting this to us!

    Reply
  71. Hello sir,
    How to remove the FBI moneypak virus from an infected machine?

    Reply
  72. thanks bro…

    Reply
  73. i typed explorer.exe & then pressed enter but nothing happened as u mentioned above……

    Reply
  74. win7 is installed as the os
    pls resolve my problem…

    Reply
  75. Virendra Patel, October 1, 2012 at 10:57 AM

    Thanks for useful information.

    Reply
  76. sir, would you like to tell me how to reach the startup or application data folder?

    Reply
  77. Dr Manas Ranjan Debta, October 1, 2012 at 11:24 AM

    Thanks Rahul for such informative tips time and again. It will surely help everyone to guard against any malware or malicious programmes. Thank you very much. Thanks Quick Heal Technology. One thing I would like to ask is whether I can take a printout of your tips to keep in store for future use.

    regards
    manas

    Reply
  78. My pen drive contains a virus & I am not able to delete it because it is “WRITE PROTECTED”.

    how do I remove write protected mode from a pen drive?

    Reply
  79. I don’t know how to reboot the computer in normal mode. Please tell how to do it.

    Reply
  80. Thanks to the Quick Heal team, I don't have any problems regarding FBI Virus till now but I may get the same in future. Thanks for the alert.

    Reply
  81. my system gave me a message that it found malware; i removed it safely

    Reply
  82. windows advanced startup options are not coming up by pressing f8. what should i do. please tell fast.

    Reply
  83. thank you very much

    Reply
  84. nice thanx ….

    Reply
  85. thanx for this information provided .

    Reply
  86. sir i use windows 7 , so what can i do …

    Reply
  87. thanx

    Reply
  88. viney aggarwal, October 2, 2012 at 1:09 PM

    THANKS

    Reply
  89. arvind jaiswal, October 2, 2012 at 1:31 PM

    Dear Sir,
    Please tell me how to update laptop tracking by QH; i recently installed it.
    Please send it to me by mail also; last time i asked the same qn.

    Reply
  90. Dear Sir, here FBI Moneypak virus is not a way to erase the window 7

    Reply
  91. i have quickheal installed on the system. do i still need to remove the moneypak virus as mentioned above, or will the routine virus scan automatically remove it?

    Reply
    • Hi Rajesh,
      The aforementioned steps only need to be implemented if your machine has been infected with the virus. Quick Heal scan will detect the virus and remove it from your machine in other cases.
      Regards.

      Reply
  92. can u please tell me how to get the application data?

    Reply
  93. santanu dutt, October 2, 2012 at 8:29 PM

    Thank you for your valuable information. This will check cyber criminals who think of illegal ways of money making. Also QUICK HEAL may develop the software shortly to prevent it, so that whenever we update daily it may automatically detect it and it may be killed/finished online. I am eagerly expecting the development of that software by any antivirus company; at least quick heal may either develop it or market it under licence and agreement with terms and conditions.

    Reply
  94. i'm using windows 7 ultimate. i want to know how to remove this malware from my pc
    plz reply to me immediately

    thanks

    Reply
  95. i am on w7 but can't find msconfig in appdata in spite of the fact that my pc has this malware…. please help asap ..
    thanks 🙂

    Reply
  96. Brajesh Kumar, October 11, 2012 at 4:15 PM

    Thanks…

    Reply
  97. Deepchandrika, October 29, 2012 at 10:45 AM

    It's really valuable information. Thanks for sharing it with us, sir.

    Reply
  98. i go to cmd and enter explorer.exe in safe mode but it shows the start menu for 3 seconds and then the fbi screen shows up, so i cannot do anything. is there any way to delete the virus using just cmd mode? i have tried rstrui.exe also but it shows “System protection is turned off. To turn it back on so you can use system restore, see Turn System Restore on or off.” i click on the link and it goes to the help menu; i click on the link to Systems and the Fbi screen shows up again. please help

    Reply
  99. I am using quickheal. But my system shows an explorer.exe error dialogue box every time I start the computer. Scan won't fix it. What to do?

    Reply