Sunday, 1 July 2012

Remove FBI MoneyPak Ransomware (Uninstall Guide)

Ransomware is on the rise again, no doubt about that. Cyber security experts’ predictions were correct. Apparently they know this stuff very well. Seriously, you have to respect them. They also said that ransomware will probably hit smart phones too. We haven’t seen any of these yet, but it’s probably just a matter of time.

Anyway, today we’re looking at the FBI MoneyPak virus, or Trojan if you like. Most people nowadays don’t really know how to properly describe malware. I don’t know what it is, so let’s just call it a virus. Education is the key, guys, especially when it comes to PC security. So, let's make things sparkling clear. If your computer screen is filled with an FBI warning page that claims you have to pay a $100 fine, you’re infected with ransomware. It’s not a virus. It can’t delete your files or infect .doc files.



Most of the time, ransomware locks up the user’s desktop and disables Task Manager and other system utilities to avoid termination. However, FBI MoneyPak ransomware takes it to an entirely new level by adding a little video recording square in the top right corner of the fake FBI warning page. It’s supposed to be your built-in web camera. The funny thing is that this little square shows up even if your laptop doesn’t have a built-in camera.



We have to admit that FBI MoneyPak is a very convincing-looking scam/fraud. It has the official FBI logo at the top and lists the victim’s IP address, location, and the name of your ISP. The fake warning claims that your PC has been locked by the FBI because you downloaded or distributed copyrighted material or viewed child pornography. Creepy, isn’t it? Now, if you don’t pay the fine you will go to jail. What is more, you have only 72 hours to buy a MoneyPak cash top-up card from Walmart or Kmart.



Cyber crooks are truly imaginative guys, aren’t they? Most people start to panic when they see such fake FBI warnings. You can’t let anyone know this happened; otherwise you can get arrested or, even worse, end up with a criminal record or listed as a registered sex offender. Let’s imagine this happens at work. Would you tell your colleagues about that? Probably not. And this scheme really works. Cyber crooks want you to act immediately on your first impulse. I know it's cruel, but it works. Most importantly, don’t panic. Take a deep breath and think about it for a second. If you had done either of those things, the punishment would probably be drastically more dire than just a simple $100 fine, right? Just don’t fall for the scam.

FBI MoneyPak virus removal is relatively easy for anyone with above average computer skills. This ransomware doesn’t inject explorer.exe. It injects iexplorer.exe and downloads additional files from remote web servers. It makes numerous modifications to the system. The virus actively monitors Task Manager and loads a newly created desktop with the fake FBI warning. Please note, there is no restore operation, so the desktop will never be reverted to its previous state. That means even if you pay the ransom, the fake FBI warning won’t go away.

FBI MoneyPak ransomware is distributed using the Blackhole exploit kit. Simply visiting an infected website is enough to trigger this exploit kit, which will download a malicious DLL file onto your computer.

This ransomware downloads the fake warning from the internet, so if you simply unplug your network cable and manually turn your computer off, the virus won’t show up after the reboot (at least it shouldn’t). Another way to remove the FBI MoneyPak virus is to reboot your computer in Safe Mode and remove the malicious registry keys and files manually. One way or another, you MUST scan your computer with legitimate anti-malware software to properly remove this ransomware and its remnants. By the way, Kaspersky or Dr.Web rescue CDs should work just fine in this case too.

To remove FBI MoneyPak ransomware from your computer, please follow the steps in the removal guide below. If you need extra help removing this malware, please leave a comment below. Good luck and be safe online!

http://deletemalware.blogspot.com

Guide Updates:

08/17/12 - Cyber crooks have changed payment methods.



Now, the payment should be delivered through Ultimate Game Card instead of GreenDot MoneyPak. It still remains unclear whether they made a permanent switch to this service or not. So, from now on it's the FBI Ultimate Game Card ransomware scam rather than MoneyPak. The Ultimate Game Card service is powered by paybycash.com. It allows you to pay for thousands of online games without requiring personal information. This service is legitimate. Anyway, we think most people will find this odd, because we can hardly imagine that the FBI would actually choose Ultimate Game Card as their official finance partner.

Another variant of the FBI ransomware, FBI Anti-Piracy Warning:



One more thing: "FBI virus" or "FBI MoneyPak scam" or whatever you want to call it is just a name, and it doesn't represent the same malware all the time. There are at least four different malware groups that use fake FBI or Police virus warning messages, and they all have the same goal: to trick you into buying a MoneyPak card. However, technically speaking they are not the same. They all operate in slightly different ways, so I'm afraid there's no easy one-click removal solution at the moment.

Known FBI MoneyPak virus/ransomware variants:

1. Stays inactive in Safe Mode
2. Stays inactive in Safe Mode with Command Prompt, but works perfectly fine in Safe Mode and Safe Mode with Networking.
3. Remains active in Safe Mode, Safe Mode with Networking and Command Prompt.

Below you will find a few useful suggestions on how to disable and remove this virus from your computer. Choose the removal instructions according to the variant of the virus you have on your machine.


Method 1: FBI MoneyPak ransomware removal instructions using System Restore in Safe Mode with Command Prompt:

1. Unplug your network cable and manually turn your computer off. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key.



2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears you have a few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the FBI MoneyPak ransomware will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer you can now browse into:
  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
5. Follow the steps to restore your computer to an earlier date.

6. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of FBI MoneyPak virus.


Method 2: FBI MoneyPak ransomware removal instructions using System Restore in Safe Mode:

1. Power off and restart your computer. As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press the Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to Start menu and search for "system restore". Or you can browse into the Windows Restore folder and run System Restore utility from there:
  • Win XP: C:\windows\system32\restore\rstrui.exe double-click or press Enter
  • Win Vista/7/8: C:\windows\system32\rstrui.exe double-click or press Enter
3. Select Restore to an earlier time or Restore system files... and continue until you get into the System Restore utility.

4. Select a restore point from well before the FBI virus appeared, two weeks should be enough.

5. Restore it. Please note, it can take a long time, so be patient.

6. Once restored, restart your computer and hopefully this time you will be able to login (Start Windows normally).

7. At this point, download recommended anti-malware software (direct download) and run a full system scan to remove the FBI MoneyPak virus.


Method 3: FBI MoneyPak ransomware removal instructions using MSConfig in Safe Mode:

1. Power off and restart your computer. As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press the Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to the Start menu and search for "msconfig". Launch the application. If you're using Windows XP, go to Start, then select Run... Type in "msconfig" and click OK.

3. Select the Startup tab. Expand the Command column and look for a startup entry that launches a randomly named file from the %AppData% or %Temp% folders using rundll32.exe. See the example below:

C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1

4. Disable the malicious entry and click OK to save changes.

5. Restart your computer. This time Start Windows normally. Hopefully, you won't be prompted with a fake FBI screen.

6. Finally, download recommended anti-malware software (direct download) and run a full system scan to remove the FBI MoneyPak virus.


Method 4: Manual FBI MoneyPak ransomware removal instructions in Safe Mode (requires registry editing):

1. Unplug your network cable and manually turn your computer off. Reboot your computer in "Safe Mode". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press the Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. When Windows loads, open up Windows Registry Editor.

To do so, please go to Start, type "registry" in the search box, right-click Registry Editor and choose Run as Administrator. If you are using Windows XP/2000, go to Start, then Run... Type "regedit" and hit Enter.

3. In the Registry Editor, click the [+] button to expand the selection. Expand:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run



Look on the list to the right for a randomly named item. Write down the file location. Then right-click the randomly named item and select Delete. Please note that in your case the file name might be different. Close Registry Editor.

In our case the malicious file (pg_0rt_0p.exe) was located in Application Data folder. So, we went there and simply deleted the file. We're running Windows XP.

File location: C:\Documents and Settings\Michael\Application Data\



If you are using Windows Vista or Windows Seven, the file will be located in %AppData% folder.

File location: C:\Users\Michael\AppData\Roaming\

Finally, go into the Windows Temp folder %Temp% and click Date Modified so the newest files are on top. You should see an exe file, possibly with the name pg_0rt_0p.exe (in our case it was exactly the same), but it may be different in your case. Delete the malicious file.

One more thing, check your Programs Startup list for the following entry:

[UserPATH]\Programs\Startup\ctfmon.lnk - C:\Windows\system32\rundll32.exe pointing to [UserPATH]\Temp\wpbt0.dll,FQ10 (or FQ11)

In our case it was ctfmon.lnk pointing to a malicious file, which then loads the fake ransom warning. Please note that in your case the file name might be different, not necessarily ctfmon.lnk. Simply disable or remove (if possible) such an entry and restart your computer.

4. Restart your computer into "Normal Mode" and scan the system with legitimate anti-malware software.

5. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of FBI MoneyPak virus.
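The autostart check that Methods 3 and 4 walk through by hand, as an added PowerShell example that is not part of the original guide: it lists the current user's Run key values and Startup folder shortcuts and flags any command matching the pattern described above (rundll32.exe, or an executable, launched from AppData or Temp). It assumes Windows 7 with Windows PowerShell and that you run it from the affected user's account in Safe Mode; it only reports, you still delete the file and entry yourself.

```powershell
# Added example, not from the original guide: enumerate the per-user autostart
# locations inspected in Methods 3 and 4 and flag entries matching the pattern
# described there. Assumes Windows 7 / Windows PowerShell 2.0+, run as the user.

function Test-SuspiciousAutostart {
    param([string]$Command)
    if (-not $Command) { return $false }
    $c = $Command.ToLower()
    # User-writable folders named in the guide (%AppData%, %Temp%, and the
    # Windows XP "Application Data" folder).
    $userDir = $c -match '\\appdata\\|\\temp\\|\\application data\\'
    # The indicators the guide describes: a DLL handed to rundll32.exe, or an
    # EXE sitting directly in one of those folders (not in an app subfolder).
    $viaRundll = $c -match 'rundll32'
    $exeInRoot = $c -match '\\(appdata|local|roaming|temp|application data)\\[^\\"]+\.exe'
    return ($userDir -and ($viaRundll -or $exeInRoot))
}

$findings = @()

# 1. HKCU Run key (the key inspected in Method 4, step 3)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PowerShell's own metadata properties
        $findings += New-Object PSObject -Property @{
            Source = 'HKCU Run'; Name = $p.Name; Command = [string]$p.Value
            Suspicious = Test-SuspiciousAutostart ([string]$p.Value)
        }
    }
}

# 2. Shortcuts in the user's Startup folder (the ctfmon.lnk case in Method 4)
$shell = New-Object -ComObject WScript.Shell
$startup = [Environment]::GetFolderPath('Startup')
foreach ($lnkFile in Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue) {
    $lnk = $shell.CreateShortcut($lnkFile.FullName)
    $cmd = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
    $findings += New-Object PSObject -Property @{
        Source = 'Startup folder'; Name = $lnkFile.Name; Command = $cmd
        Suspicious = Test-SuspiciousAutostart $cmd
    }
}

# Suspicious entries first. Write the file path down before deleting anything.
$findings | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Source, Name, Command -AutoSize -Wrap
```

The sample entry from Method 3 (rundll32.exe loading regepqzf.dll from the user's Temp folder) and the ctfmon.lnk shortcut from Method 4 both come out flagged; legitimate items installed under Program Files or in their own AppData subfolder do not.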

To learn more about ransomware, please read Remove Trojan.Ransomware (Uninstall Guide).
