How to remove the FBI Moneypak virus from an infected machine

Last month we highlighted the growing threat of a fake FBI notice in the United States, which turned out to be a form of ransomware. This ransomware is called Moneypak because it demands payment of a sum of money through a prepaid Moneypak credit card. The malware locks the machine and displays a fake message that claims to be from the FBI.

Moneypak malware

Ransomware is malicious software that restricts access to a computer until a ransom is paid. The FBI Moneypak (FBI virus, Citadel, Reveton) is ransomware that locks a computer system, alleges that the user has been involved in illegal activity (downloading or distributing copyrighted material, viewing child pornography, etc.) and demands that a penalty of $100 or $200 be paid with Moneypak cards within the allotted 72 hours to unlock the system. The ransomware also states that the user will face jail time and prosecution by the FBI if the fine is not paid in time. However, this is only malware and these claims are not real.

The potential harm caused

  • Slows the computer down, limits its security and causes various kinds of system instability
  • Terminates programs that a computer relies on such as antivirus, antispyware and other types of related security software
  • Freezes the entire computer system
  • Obtains login names, personal information, passwords and other confidential information without user knowledge or consent
  • Discloses personal information
  • Encrypts the user’s personal documents and deletes the original files
  • Hides files which enable deletion of the malware
  • Demands a ransom in clear terms and sends a personal and accusatory message

How to manually remove the malware

STEP 1: Restart your computer

STEP 2: Press F8 immediately after the system restarts and before the Windows screen resumes. You will now see ‘Windows Advanced Boot Options’.

STEP 3: Use the UP arrow key to navigate to “Safe mode with command prompt” and press the Enter key.

STEP 4: Now type “explorer.exe” in the command prompt window and press the Enter key.

STEP 5: Find the following files in the “Startup” or “Application Data” folder:

  • C:\Documents and Settings\AllUsers\StartMenu\Programs\Startup\Ctfmon.lnk
  • C:\Documents and Settings\User\Application Data\msconfig.dat
  • C:\Documents and Settings\User\Application Data\msconfig.ini

STEP 6: Delete the ‘Ctfmon.lnk’ OR ‘msconfig.dat’ OR ‘msconfig.ini’

STEP 7: Reboot the system again, this time in Normal Mode. After the system restarts run a full system scan to remove any other remaining files.

These steps will help you remove this malware from your machine and protect you from the Moneypak virus. Though this malware has mostly been rampant in the United States, there is a chance that it can spread to other geographical locations as well. So it is best to be aware of these steps to ensure complete protection.

UPDATE: If you are using Windows 7, you will not be able to locate the ‘Application Data’ folder at the path mentioned above. The alternative is to open the Windows Run box (press the Windows key + R) and type appdata. The Application Data folder will open and you can search for the ‘msconfig’ file there.
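
A read-only way to carry out the file search in STEP 5 on either Windows XP or Windows 7, added here as an example (it is not part of the original post and not a Quick Heal tool): it resolves the Startup and Application Data folders from the system's own environment instead of hard-coded paths, and reports what each file is without deleting anything. It assumes PowerShell 2.0 or later is available, which is the default on Windows 7 but not on Windows XP.

```powershell
# Added example (not from the original post): read-only check for the three
# files named in STEP 5. Nothing is deleted; review the output, then go to STEP 6.

# Startup folders, resolved from the environment instead of hard-coded paths.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),                                          # current user
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup'),                   # all users, Windows XP layout
    (Join-Path $env:ALLUSERSPROFILE 'Microsoft\Windows\Start Menu\Programs\Startup')  # all users, Windows 7 layout
) | Where-Object { $_ } | Select-Object -Unique

$candidates = @()
foreach ($dir in $startupDirs) {
    $candidates += Join-Path $dir 'Ctfmon.lnk'
}
# %APPDATA% is "Application Data" on Windows XP and "AppData\Roaming" on Windows 7.
foreach ($name in 'msconfig.dat', 'msconfig.ini') {
    $candidates += Join-Path $env:APPDATA $name
}

$shell = New-Object -ComObject WScript.Shell   # used only to read shortcut targets
$found = @()
foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path -Force   # -Force: the file may be hidden
    $target = ''
    if ($item.Extension -ieq '.lnk') {
        # Show what the shortcut would launch at logon.
        $target = $shell.CreateShortcut($item.FullName).TargetPath
    }
    $found += New-Object PSObject -Property @{
        Path     = $item.FullName
        Size     = $item.Length
        Created  = $item.CreationTime
        Modified = $item.LastWriteTime
        Hidden   = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        Target   = $target
    }
}

if ($found.Count -eq 0) {
    Write-Output 'None of the files from STEP 5 were found for this user account.'
} else {
    $found | Format-List Path, Target, Size, Created, Modified, Hidden
}
```

It can be started by typing `powershell` at the Safe Mode command prompt from STEP 3 and pasting the block; it only checks the account it runs under and the all-users Startup folder.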

Rahul Thadani

148 Comments

rksirsa
8 years ago

thanx

rksirsa
8 years ago

I am full satisfied from My Computer is Safe. Thanks for Quick Heal

jyoti
8 years ago

can you plz tell me how to go to startup or application data??

Shaw
8 years ago
Reply to  Rahul Thadani

I have a Win 7 pc, and searched for “msconfig.ini” and “msconfig.dat” from appdata but could not find either. I even tried to search the files from “c:”, and still could not find them.
Any suggestions? Please…..

tambua africa
8 years ago

thanks

chandrakant
8 years ago

three months i got same problem.
That locked my computer and encrypted my pdf and all document files.

and asked for 100$. to revert back the problem.
But i found no solution to this problem so i reinstalled my OS, but my document files remained encrypted. i lost my important data at that time.

Is there any way to decrypt those document files?

sayed taufiq
8 years ago
Reply to  Rahul Thadani

sir my computer is also running very slow i had restarted the computer then i had press f8 also before the screen resumes but nothing is displaying as you had told i am kindly requesting you to help me

Alhaji tajudeen
8 years ago

thank you for the early alert of the new development of the moneypak ware we will keep a watch on our computer for any sign.

Neil
8 years ago

FYI: It has spread to Canada

Gloria
8 years ago

VERY USEFUL INFORMATION

William Gallagher
8 years ago

How do I contact Quick Heal if I run into a problem with my computer, is there a phone number to call or an e-mail address? Thank You

Mukesh Adenwala
8 years ago

My problem is slightly different. My computer reboots itself when I try to scan the system as also when I open a link from my mailbox or a site that I am visiting. There is also a siren like noise that occurs before the system closes itself and quite often the system gets hanged requiring manual reboot also. Can anyone guide me why this should happen and what to do about it? Thank you

francis barchebo
8 years ago

i recently [one week ago] got a message from a lady purporting to be a refugee in ghana from ivory coast. and she wanted me to assist her to withdraw her 6.5million dollars from an offshore account in britain, to my account, then send her some fare, so as she comes to nairobi where we can live happily thereafter. she claimed her father died sometime back leaving her the fortune. she claimed to be living in a convent with a catholic father. how do i ensure that i am safe from such cases? i didnt send her anything because i became suspicious.

Santosh
8 years ago
Reply to  Rahul Thadani

Hi Francis,
Rahul says correct. I didnt knew about the name of this scam but in spam folder of my mailbox i am receiving such mail on weekly basis.
Also receiving Coca-cola or Nokia Fortune Awards….I just remember we cant get anything without hard efforts…..so nobody can give us such awards easily.

devavrat mahadik
8 years ago

after quick heal defragmenter some horizontal lines appear one after other is der any virus or its a monitor fault plz help if u hve any solution

Viam
8 years ago

What is 404 error?

omkar
8 years ago

Thank you dear…
This is very important to every people

omkar
8 years ago

plz tell me how to update new version because some problem with old version….
and my quick heal anti virus dont updating data 2months

Aditya K
8 years ago

Thank u very much to aware us about this. Thanx to the Quick Heal Blog as well as to the Quick Heal Total Security on my Machine.

habib barbhuiya
8 years ago

sir, i installed vista home premium a year ago. but day by day, it started slowing down and took a lot of time to boot. then i unchecked all unnecessary programs from startup. even i purchased pc tools performance tool kit but got no observable change. please help

Chandra S Bhatnagar
8 years ago

Thanks for the information

santosh kumar behera
8 years ago

thank you

Jitendar Singh Shekhawat
8 years ago

Thank u very much to aware us about this. Thanx to the Quick Heal Blog as well as to the Quick Heal Total Security on my Machine.

Aviral Singh Chauhan
8 years ago

Thanks a lot! Indian Bro I will be restarting and will check if, my system has a malware virus.

sadiq
8 years ago

can u please guide me in windows 7 OS. i am unable to get “Application Data” folder in windows7 and in “Start up” folder, it is showing empty.

Ajay Mundra
8 years ago

I am experiencing stability issues on Windows 7.

However, I dont see the folders that you have mentioned i.e. c:\documents and settings

I see the following folders: c:\program data or c:\program files

Where should I look for the files to delete?

Santo Ray
8 years ago

Just one question, Rajesh; the bad guys will send malware; the user will clean the system manually, so what the hell QH will be doing? This year earlier I got the virus ‘hacktool’ that installed other bots into my PC and QH, despite ‘n’ no. of scans certified the pc to be ‘clean’. I am not a pro like u guys but I have some common sense. My machine was taking 10 mins to boot up and 5 mins to shut down and still the people at QH support claimed everything is ‘normal’. I’m using QH because I paid for…

chintan
8 years ago

hello my name is chintan and i follow the steps but it could not remove the fbi and i am using windows7 ultimate as a os. so please help me to remove fbi.

RAJA Paul
8 years ago

thanks….

manav
8 years ago

what to do if all the folders in my external hard disk and memory card have turned into .exe files and are not getting opened

M.Sh. Abdi
8 years ago

Thanks. It will be very helpful. Can I forward this page to my friends?

Sameer
8 years ago

Nice information and really easy steps to resolve the infection.

PINTU MONI TIWARI
8 years ago

Thanks for the information…….

SP Gupta
8 years ago

I am using QH for a very good reason. Thanks

sonu
8 years ago

how will i know if my pc is having this new malware or any other such infection….

amit
8 years ago

my com is hang whenever i start boot 1st time.. then after re-boot manually its appear ‘Windows Advanced Boot Options’. and after logging into safe mode and restart its worked normally. its always happened in 1st boot. CAN ANY BODY TELL ME WHATS IT IS?? is there any virus on my com..? or it is any other reason.. i had quickheal total security on my com.. plz any body suggest what is going wrong to me.

Pradeep
8 years ago

thanks but i have window 7 there not Documents and Settings in C drive

MUDASSAR HUSAIN
8 years ago

THANKS DADA I AM DONE UR SAYING steps and get solution from this problem… many many thanks Thadani

Narendra
8 years ago

Thanks Friends

Shanki
8 years ago

Sir i m getting a message in quickheal that Fbi Moneypak ransomware case on rise. so what should i do?

Amir Ahmd
8 years ago

Good information thank you

Amir Ahmd
8 years ago

thank you for this information

deepak
8 years ago

my temp files many files not deleted i run quick heal full scan but its not removed

agnes
8 years ago

thanks a lot for your valuable information

rajesh khanna
8 years ago

i am unable to start my laptop in safemode in command prompt.
What is the problem? please suggest what to do

sweta
8 years ago

thank u vry much

sweta
8 years ago

thank u so much

caroline
8 years ago

if I dont open any of these emails is my computer safe?

Siva Kumar
8 years ago

Mr.Rahul Thadani,

Why we should add the detection over QH for this “FBI Moneypak virus” .

ANAND RAO
8 years ago

THANK YOU

manoj mahadik
8 years ago

thanks for information.

ashwaq baroba
8 years ago

Hello Rahul,

i have quick heal internet antivirus for 1 year, last two or three week there is problem in my computer, some folder not open quickly took long time & some time computer hang when i click that folders then i restart my computer. i scan also that folder but no virus found, i have lot of software for that folder. can u help me what i do? please solve my problem. waiting for ur favorable reply soon.

Regards& Thanks.
ash baroba.

SIRAJ
8 years ago

Thanks
