Last month we highlighted the growing threat of a fake FBI notice in the United States, which turned out to be a form of ‘ransomware’. This ransomware was called Moneypak because it demanded payment of a sum of money through a prepaid Moneypak credit card. In this scenario, the malware locked up a machine and displayed a fake message that claimed to be from the FBI.
Ransomware is malicious software that restricts access to a computer until a ransom is paid. The FBI Moneypak (FBI virus, Citadel, Reveton) is ransomware that locks computer systems, then alleges that the computer user has been involved in illegal activity (downloading or distributing copyrighted material, viewing child pornography, etc.) and demands that a penalty of $100 or $200 be paid with Moneypak cards within the allotted 72 hours to unlock the system. The ransomware also states that the user will face jail time and prosecution by the FBI if the fine is not paid in time. However, this is only malware and these claims are not real.
The potential harm caused
How to manually remove the malware
STEP 1: Restart your computer
STEP 2: Press F8 immediately after the system restarts and before the Windows screen resumes. You will now see ‘Windows Advanced Boot Options’.
STEP 3: Use the UP arrow key to navigate to “Safe mode with command prompt” and press the Enter key.
STEP 4: Now type “explorer.exe” in the command prompt window and press the Enter key.
STEP 5: Find the following files in the “Startup” or “Application Data” folder:
STEP 6: Delete the ‘Ctfmon.lnk’ OR ‘msconfig.dat’ OR ‘msconfig.ini’
STEP 7: Reboot the system again, this time in Normal Mode. After the system restarts run a full system scan to remove any other remaining files.
These steps will help you remove this malware from your machine and protect you from the Moneypak virus. Though this malware has mostly been rampant in the United States, there is a chance that it can spread to other geographical locations as well, so it is best to be aware of these steps to ensure complete protection.
UPDATE: If you are using Windows 7 OS you will not be able to locate the ‘Application Data’ folder at the path mentioned above. The alternate method is to open the Windows Run box (press the Windows key + R) and then type appdata. The Application Data folder will now be opened and you can search for the ‘msconfig’ file here.
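Added example (not part of the original post and not Quick Heal's own tooling): a read-only PowerShell check that looks for the three file names from STEP 6 in the Startup and Application Data folders on either Windows XP or Windows 7. The folder locations are an assumption built from standard Windows settings, since the post's original path is not shown; the script only lists what it finds.

```powershell
# Added example: read-only check for the file names listed in STEP 6.
# It only lists matches; nothing is deleted or modified.
# Only these exact names are matched, so Windows' own ctfmon.exe and
# msconfig.exe under System32 are never reported.
$names = @('Ctfmon.lnk', 'msconfig.dat', 'msconfig.ini')

# Assumed locations (not taken from the post): the per-user Startup and
# Application Data folders as Windows reports them, plus the all-users
# Startup folder, whose location differs between Windows XP and Windows 7.
$commonStartup = if ($env:ProgramData) {
    Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'
} else {
    Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup'
}
$folders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('CommonApplicationData'),
    $commonStartup
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Get-Sha256([string]$Path) {
    # .NET hashing, so the script also runs where Get-FileHash is unavailable.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { -join ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) }
    finally { $stream.Dispose() }
}

# -Force includes hidden files; unreadable folders are skipped silently.
$hits = @(foreach ($folder in $folders) {
    Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { (-not $_.PSIsContainer) -and ($names -contains $_.Name) }
})

if ($hits.Count -eq 0) {
    'No files with the STEP 6 names were found in the checked folders.'
} else {
    $shell = New-Object -ComObject WScript.Shell   # used to read .lnk targets
    $hits | Sort-Object FullName -Unique | ForEach-Object {
        $target = ''
        if ($_.Extension -eq '.lnk') {
            # A Startup shortcut is only a launcher; its target is the
            # program that would run at logon.
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        New-Object PSObject -Property @{
            Path           = $_.FullName
            Modified       = $_.LastWriteTime
            ShortcutTarget = $target
            Sha256         = Get-Sha256 $_.FullName
        }
    } | Select-Object Path, Modified, ShortcutTarget, Sha256 | Format-List
}
```

Recording the path, modification time and hash of each match before STEP 6 keeps a record of what was deleted in case the support team asks for it.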
148 Comments
thanx
I am full satisfied from My Computer is Safe. Thanks for Quick Heal
can you please tell me how to go to startup or application data??
Hi Jyoti,
The instructions to do the same are mentioned in the post. If you face further issues, feel free to call our support center on 927-22-33-000. You can get the instructions to do the same from there as well.
Thanks.
I have a Win 7 pc, and searched for “msconfig.ini” and “msconfig.dat” from appdata but could not find either. I even tried to search the files from “c:”, and still could not find them.
Any suggestions? Please…..
Hi Shaw,
The instructions to do the same are mentioned in the post. If you face further issues, feel free to call our support center on 927-22-33-000. You can get the instructions to do the same from there as well.
Regards.
thanks
three months i got same problem.
That locked my computer and encrypted my pdf and all document files.
and asked for 100$. to revert back the problem.
But i found no solution to this problem so i reinstalled my OS, but my document files remained encrypted. i lost my important data at that time.
Is there any way to decrypt those document files?
Hi Chandrakant,
Kindly visit this link – https://www.quickheal.com/supp_tic.asp.
Here you can submit a ticket about your grievance and our support team will get back to you with a solution.
Thanks.
Sir, my computer is also running very slow. I restarted the computer, then I pressed F8 before the screen resumed, but nothing is displaying as you said. I am kindly requesting you to help me.
Hi Sayed,
You need to follow the steps only if your machine has been infected with the FBI Moneypak virus. If not, there is no need to follow these steps for other symptoms.
Regards.
Thank you for the early alert of the new development of the Moneypak ware. We will keep a watch on our computer for any sign.
FYI: It has spread to Canada
VERY USEFUL INFORMATION
How do I contact Quick Heal if I run into a problem with my computer, is there a phone number to call or an e-mail address? Thank You
Hi William,
You can either visit this link – https://www.quickheal.com/supp_tic.asp.
Or you can call Quick Heal support on +91-927-22-33-000.
Thanks.
My problem is slightly different. My computer reboots itself when I try to scan the system and also when I open a link from my mailbox or a site that I am visiting. There is also a siren-like noise that occurs before the system closes itself, and quite often the system hangs, requiring a manual reboot also. Can anyone guide me why this should happen and what to do about it? Thank you
Hi Mukesh,
We suggest that you show your machine to a computer repair store. If this is not an option for you, you can visit this link – https://www.quickheal.com/supp_tic.asp. Here you can submit a ticket about your issue and our support team will then contact you with a solution.
Thanks.
I recently [one week ago] got a message from a lady purporting to be a refugee in Ghana from Ivory Coast. She wanted me to assist her to withdraw her 6.5 million dollars from an offshore account in Britain to my account, then send her some fare so that she could come to Nairobi, where we could live happily thereafter. She claimed her father died some time back, leaving her the fortune. She claimed to be living in a convent with a Catholic father. How do I ensure that I am safe from such cases? I didn't send her anything because I became suspicious.
Hi Francis,
This is commonly known as a ‘419 scam’ or a ‘Nigerian scam’. If you receive such messages in the future, ignore them completely.
Thanks.
Hi Francis,
Rahul is correct. I didn't know the name of this scam, but I am receiving such mail in the spam folder of my mailbox on a weekly basis.
I am also receiving Coca-Cola or Nokia Fortune Awards… I just remember we can't get anything without hard effort… so nobody can give us such awards easily.
After the Quick Heal defragmenter, some horizontal lines appear one after the other. Is there any virus, or is it a monitor fault? Please help if you have any solution.
Hi Devavrat,
Please visit this link – https://www.quickheal.com/supp_tic.asp. You can submit a ticket about your issue and our support team will contact you with a probable solution.
Thanks.
What is 404 error?
Hi,
A 404 error is when a website is contacted but there is no response from the website to the server. This is because the link is broken or because access to the link is restricted.
Thanks.
Thank you dear…
This is very important to every people
plz tell me how to update new version because some problem with old version….
and my quick heal anti virus dont updating data 2months
Hi Omkar,
Please visit this link – https://www.quickheal.com/supp_tic.asp. You can submit a ticket about your issue and our support team will contact you with a suitable solution.
Thanks.
Thank u very much to aware us about this. Thanx to the Quick Heal Blog as well as to the Quick Heal Total Security on my Machine.
Sir, I installed Vista Home Premium a year ago, but day by day it started slowing down and took a lot of time to boot. Then I unchecked all unnecessary programs from startup. I even purchased PC Tools Performance Toolkit but got no observable change. Please help.
Hi Habib,
Windows Vista is a notoriously heavy OS and its performance depends on the specifications of your machine as well. It is advisable to switch to a better OS or to enhance your hardware.
Thanks.
Thanks for the information
thank you
Thank u very much to aware us about this. Thanx to the Quick Heal Blog as well as to the Quick Heal Total Security on my Machine.
Thanks a lot! Indian Bro I will be restarting and will check if, my system has a malware virus.
can u please guide me in windows 7 OS. iam unable to get “Application Data” folder in windows7 and in “Start up” folder, it is showing empty.
Hi Sadiq,
We have added an update to the post regarding the location of Application Data folder in Windows 7 OS. Kindly check the same.
Regards.
I am experiencing stability issues on Windows 7.
However, I don't see the folders that you have mentioned, i.e. c:\documents and settings
I see the following folders: c:\program data or c:\program files
Where should I look for the files to delete?
Hi Ajay,
We have added an update to the post regarding the location of Application Data folder in Windows 7 OS. Kindly check the same.
Regards.
Just one question, Rajesh; the bad guys will send malware; the user will clean the system manually, so what the hell QH will be doing? This year earlier I got the virus ‘hacktool’ that installed other bots into my PC and QH, despite ‘n’ no. of scans certified the pc to be ‘clean’.
I am not a pro like u guys but I have some common sense. My machine was taking 10 mins to boot up and 5 mins to shut down and still the people at QH support claimed everything is ‘normal’.
I’m using QH because I paid for it and the license is valid till Feb 2013, after which, I plan to shift to something better that can look into the system volume information folder and remove any file infecting the system from there.
Hi Santo Ray,
We are disappointed to hear that you are dissatisfied with our product. The nature of the malware industry is such that certain threats do infect machines until they are discovered by someone. Attackers constantly utilize new methods to cause harm. No antivirus product can provide you with 100% protection. We provide excellent technical support and value for our customers and we apologize if you have been inconvenienced. We hope you change your mind about continuing with us in the future.
Best regards.
hello my name is chintan and i follow the steps but it could not remove the fbi and i am using windows7 ultimate as a os. so please help me to remove fbi.
Hi Chintan,
Kindly visit this link – https://www.quickheal.com/submitticket.asp. Here you can submit a ticket regarding your grievance and our support team will get back to you.
Thanks.
thanks….
what to do if all the folders in my external hard disk and memory card have turned into .exe files and are not getting opened
Hi Manav,
This could be a case of serious infection of your files. Please visit this link – https://www.quickheal.com/submitticket.asp. You can submit a ticket about your grievance here and our support team will get back to you with a solution.
Thanks.
Thanks. It will be very help full. Can I forward this page to my friends?
Nice information and really easy steps to resolve the infection.
Thanks for the information…….
I am using QH for a very good reason. Thanks
how will i know if my pc is having this new malware or any other such infection….
Hi Sonu,
If your PC is infected by this malware you will see the screen that has been posted in the article. Additionally, your PC will be locked as well.
Thanks.
My computer hangs whenever I boot it the first time. Then, after rebooting manually, ‘Windows Advanced Boot Options’ appears, and after logging in to safe mode and restarting, it works normally. It always happens on the first boot. CAN ANYBODY TELL ME WHAT IT IS?? Is there any virus on my computer, or is it some other reason? I have Quick Heal Total Security on my computer. Please, anybody, suggest what is going wrong for me.
Hi Amit,
You should try running a full system scan via the Quick Heal dashboard to see if there is no infection.
Thanks, but I have Windows 7; there is no Documents and Settings in the C drive.
Hi Pradeep,
We have added an update to the post regarding the location of Application Data folder in Windows 7 OS. Kindly check the same.
Regards.
THANKS DADA I AM DONE UR SAING steps and get solution from this problem………………..many many thanks @Rahul Thadani
Thanks Friends
Sir, I am getting a message in Quick Heal that FBI Moneypak ransomware cases are on the rise. So what should I do?
Good information thank you
thank you for this information
my temp files many files not delected i run quick heal full scan but its not removed
Hi Deepak,
You do not need to be overly concerned about this. The files will be removed the next time you run a scan.
Regards.
thanks a lot for your valuable information
i am unable to start my laptop in safemode in command prompt.
What is the problem? please suggest what to do
Hi,
Please visit this link – https://www.quickheal.com/submitticket.asp. You can submit a ticket about your grievance and our support team will get back to you with a solution.
Regards.
thank u vry much
thank u so much
if I dont open any of these emails is my computer safe?
Mr.Rahul Thadani,
Why we should add the detection over QH for this “FBI Moneypak virus” .
THANK YOU
thanks for information.
Hello Rahul,
I have had Quick Heal internet antivirus for 1 year. For the last two or three weeks there has been a problem in my computer: some folders do not open quickly and take a long time, and sometimes the computer hangs when I click those folders, then I restart my computer. I also scanned that folder but no virus was found. I have a lot of software for that folder. Can you help me with what to do? Please solve my problem. Waiting for your favorable reply soon.
Regards& Thanks.
ash baroba.
Hi Ashwaq,
Please visit this link – https://www.quickheal.com/submitticket.asp. You can submit a ticket about your issue there and our support team will get back to you with a solution.
Regards.
Thanks
I Am Not Able to See the Documents and Settings in c drive. What is the Problem
Hi Bhuwnesh,
We have added an update to the post regarding the location of Application Data folder in Windows 7 OS. Kindly check the same.
Regards.
One of my friend having problem of Interpol Ransomware in his machine.
The whole screen is hijacked and we are unable to do anything.
Even tried the aforementioned steps but of no use.
Any Help??
Hi Melvyn,
Kindly visit this link – https://www.quickheal.com/submitticket.asp. You or your friend can submit a ticket there and then our support team will contact you.
Regards.
Hi,
Thanks a lot for your advise. I have a query..when I go to the youtube site or a metacafe site and wish to watch any documentary or any clip I get a message from Bing saying that “watching this video in your location is prohibited. Consider turning the safety mode off.”
Is it safe to do that?
Kind regards,
Aroop
Hi Aroop,
It is safe to do that but you should turn the safety mode back on once you are done watching the video.
Regards.
thankyou so much……
thankyou…
thank QuickHeal Team
I am using win7 and when I do above things then it says- ‘C:\Documents’ is not recognized as an internal or external command,
operable program or batch file.
Here is what it shows(full)-
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>explorer.exe
C:\Windows\system32>C:\Documents and Settings\AllUsers\StartMenu\Programs\Startu
p\Ctfmon.Ink
‘C:\Documents’ is not recognized as an internal or external command,
operable program or batch file.
Hi Ayush,
We have added an update to the post regarding the location of Application Data folder in Windows 7 OS. Kindly check the same.
Regards.
Hi Rahul, will you please send me a toll-free number.
Hi Geet,
You can call on 1800-233-3733 or on 927-22-33-000.
Regards.
I m getting alert on quick heal software that FBI moneypack ransomware on rise. please suggest how to remove this malware.
thank u for keeping us updated
Will Quick Heal come up with an antivirus compatible for OS Windows 8? If so when and will it be safe as its for Windows 7?
Hi Ramakrishnan,
Yes, Quick Heal 2013 will be compatible with Windows 8 OS when it releases.
Regards.
thanks QH is the software virus package keeps my computer safe
Hi Rahul,
I have face the issue and it has got resolved by the steps.
thanx for the updated info and its simple steps to remove.
sir,
pls tell me procedure again for removing malware…….
which OS whould you suggest in above situation.
Hi Anup,
Windows 7 is the recommended OS as of now as it is highly stable and secure.
Regards.
Hey there… I am facing a problem here… I do not understand why YouTube doesn't open up in any of the browsers, say CHROME or INTERNET EXPLORER or FIREFOX… Is this a similar problem to the one you described? Also, my laptop sometimes shuts down automatically. AND MAINLY the CHROME AND FIREFOX browsers crash many times… PLEASE HELP
Hi Yash,
This is not the FBI Moneypak virus mentioned in the post. This seems to be some other issue. Kindly visit this link – https://www.quickheal.com/submitticket.asp. You can submit a ticket for your grievance and our support team will get back to you with a solution.
Regards.
Dear Sir,
please Help me, When I open several programs together in my net on the net is slow and seems to come show Request Time out.
Hi Om,
Kindly visit this link – https://www.quickheal.com/submitticket.asp. You can submit a ticket for your grievance and our support team will get back to you with a solution.
Regards.
I am not able to delete the file ‘ctfmon’. It says I need permission to do so. Please help.
Hi Suhasini,
Please visit this link – https://www.quickheal.com/submitticket.asp. You can submit a ticket for your grievance here and our support team will get back to you with a solution.
Regards.
thanks
I read the instructions but did not understand when it said to delete other files. Also as I came down the page it showed a blog or something above where I came to these messages. It mentioned the FBI virus and my mouse showed I could open that file and or link. I was not sure what would happen if I clicked on it, so left it alone.
So far I have not see the FBI Virus.
Anthony
I have face the issue and it has got resolved by the steps.
thanx for the updated info and its simple steps to remove.
Thank you For Suggest us !
Hello sir,
How to remove the FBI moneypak virus from an infected machine?
thanks bro…
i typed explorer.exe & then entered but nothing happened as you mentioned above……
as an os win7 is installed
pls resolve my problem…
Hi Pooja,
We have added an update to the post regarding the location of Application Data folder in Windows 7 OS. Kindly check the same.
Regards.
Thanks for useful information.
sir,would you like to tell me how to reach startup or application data folder?
Thanks Rahul for such informative tips time and again. It will surely help everyone to guard against any malwares or malicioius programmes. Thank you very much. Thanks Quick Heal Technology. One thing I would like to ask is that can I take a printout of your tips to keep in store for future use.
regards
manas
Hi Dr. Manas,
Yes of course you can take a printout of the same. You’re welcome.
My pen drive consists of virus & not able to delete it because it is “WRITE PROTECTED”.
how to remove write protected mode for a pen drive?
Hi Mahesh,
Please visit this link – https://www.quickheal.com/submitticket.asp. You can submit a ticket here and our support team will get back to you with a solution.
Regards.
I don’t know how to reboot the computer in normal mode. Please tell how to do it.
Hi Bhuvanyu,
Press F8 when the machine is booting and then select the option that says boot machine in Normal Mode and then press Enter.
Regards.
Thanks to the Quick Heal team. I don't have any problems regarding the FBI Virus till now, but I may get the same in future. Thanks for the alert.
my system give me a message found malware i remove safely it
Windows advanced startup option is not coming by pressing F8. What should I do? Please tell fast.
Hi Farah,
You can visit this link – https://www.quickheal.com/submitticket.asp. Here you can submit a ticket about the issue you are facing and our support team will get back to you.
Regards.
thank you very much
nice thanx ….
thanx for this information provided .
sir i use windows 7 , so what can i do …
Hi Nikhil,
We have added an update to the post regarding the location of Application Data folder in Windows 7 OS. Kindly check the same.
Regards.
thanx
THANKS
Dear Sir,
Please tell me how to update laptop tracking by QH i recently install it.
Please send me on mail also last time i ask same qn.
Hi Arvind,
Kindly visit this link – https://www.quickheal.com/submitticket.asp. You can submit a ticket for our requirement and our support team will contact you with a solution.
Regards.
Dear Sir, here FBI Moneypak virus is not a way to erase the window 7
I had Quick Heal installed on the system. Do I still need to remove the Moneypak virus as mentioned above, or will a routine virus scan automatically remove it?
Hi Rajesh,
The aforementioned steps only need to be implemented if your machine has been infected with the virus. Quick Heal scan will detect the virus and remove it from your machine in other cases.
Regards.
can u please tell me how to get the application data?
Thank you for your valuable information. This will check cyber criminal to think illegal way of money making.Also QUICK HEAL may develop the software shortly to prevent it as whenever we updating daily it may automatically detect it and may be killed/ finished online .I am eagerly expecting for development of that software by any antivirus company at least quick heal may either develop it or market it under licence and agreement with terms and conditions.
I'm using Windows 7 Ultimate. I want to know how to remove this malware from my PC.
Please reply to me immediately.
thanks
Hi Imdad,
We have added an update to the post regarding the location of Application Data folder in Windows 7 OS. Kindly check the same.
Regards.
i am on w7 but can’t find msconfig in appdata inspite of fact my pc has this malware….please help asap ..
thanks 🙂
Hi Rachit,
We have added an update to the post about how to find the folder in Windows 7. Kindly check the same.
Regards.
Thanks…
Its a really valuable information. Thanks to share with us sir.
Go to cmd and enter explorer.exe in safe mode, but it shows the start menu in 3 seconds and the FBI screen shows up, so I cannot do anything. Is there any way to just use cmd mode to delete the virus? I have tried rstrui.exe also, but it shows “System protection is turn off. To turn it back on so you can use system restore, see Turn System Restore on or off.” I click on the link and it goes to the help menu; I click on the link to Systems and the FBI screen shows up again. Please help.
Hi Danny,
If you are facing some issue and require our assistance, you can contact our support team on 927-22-33-000. Alternately, you can also visit this link to submit a ticket – https://www.quickheal.co.in/submitticket.asp. Once done, our support team will contact you with a solution.
Regards.
I am using Quick Heal. But my system shows an explorer.exe error dialogue box every time I start the computer. Scan won't fix it. What to do?
Hi Vivek,
Please contact our technical support team. They will help you resolve this issue immediately. You can submit a ticket to contact them by visiting this link – https://www.quickheal.co.in/submitticket.
Regards.