Your daily technology class with Professor Randy!!

Randy The Tech Professor

July 18, 2012 at 9:18 am

How I Removed The FBI MoneyPak Virus

Hello everyone,

Update: I have a more recent FBI MoneyPak removal post here (another variant of the virus).

A client called me today with a machine (Windows 7) infected with the FBI MoneyPak virus. I got it out in about ten minutes – this is what I did:

1) Tap F8 during pre-boot and go into Safe Mode

2) Click Start>All Programs>Startup Folder

3) You’ll see “ctfmon” (without quotation marks). Delete it.

4) Click Start>Run>Type %temp% >OK

5) Look for “festOr_ot” (without quotation marks). Delete it. Some techs have reported seeing “roolO_pk.exe”, “er_OO_O_l.exe” and/or a “.mof” file also. If you see any of these, delete them!

6) Restart the machine in normal mode

7) FBI virus is gone!!

8) Run Malwarebytes just for good measure. It wouldn’t hurt to run SUPERAntiSpyware, and HitmanPro also!

Professor Randy says: The FBI MoneyPak virus is just another of the many ransomware programs that want to scam you out of your money! Don’t be fooled – remove this phony malware by using the method described above.
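
The manual check in steps 3 and 5, as a read-only PowerShell script added here (it is not part of the original post): it lists a Startup-folder entry named ctfmon and the %temp% files the post names, and deletes nothing. The function name, the all-users Startup path and the System32 comparison are assumptions of this example.

```powershell
# Added example: read-only check for the items named in steps 3 and 5.
# It only lists matches; nothing is deleted.
function Find-MoneyPakArtifact {
    param(
        # Per-user and all-users Startup folders (Windows Vista/7 layout).
        [string[]]$StartupDirs = @(
            [Environment]::GetFolderPath('Startup'),
            (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
        ),
        [string]$TempDir = $env:TEMP
    )

    # File names quoted in the post; other variants may use different ones.
    $tempNames = 'festOr_ot*', 'roolO_pk.exe', 'er_OO_O_l.exe', '*.mof'
    $sys32 = Join-Path $env:SystemRoot 'System32\*'
    $shell = New-Object -ComObject WScript.Shell

    # Step 3: a Startup entry called "ctfmon".
    foreach ($dir in $StartupDirs) {
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Force |
            Where-Object { $_.BaseName -eq 'ctfmon' } |
            ForEach-Object {
                $target = $_.FullName
                if ($_.Extension -eq '.lnk') {
                    # Resolve the shortcut to the file it actually launches.
                    $target = $shell.CreateShortcut($_.FullName).TargetPath
                }
                New-Object PSObject -Property @{
                    Step = 3; Path = $_.FullName; Target = $target
                    # The genuine ctfmon.exe sits in System32; any other target stands out.
                    InSystem32 = ($target -like $sys32)
                }
            }
    }

    # Step 5: the named files, or any .mof file, directly under %temp%.
    Get-ChildItem -LiteralPath $TempDir -Force |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { $n = $_.Name; @($tempNames | Where-Object { $n -like $_ }).Count -gt 0 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Step = 5; Path = $_.FullName; Target = $_.FullName; InSystem32 = $false
            }
        }
}

Find-MoneyPakArtifact | Format-Table Step, InSystem32, Path, Target -AutoSize
```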

  • Barry
    8:48 pm on December 30th, 2012 1

    Glad I stumbled on this site as it looks like it may be of great help to me. My laptop got the money pak virus somehow (I have Vista on the laptop).

    My problem is I have recorded the Kaspersky rescue disk to CD as well as flash drive stick (followed protocol and installed the USB portion as well from the Kaspersky site). I can get into BIOS and alter my boot-up priorities…that is where the trouble begins. Upon selecting and saving changes to boot from removable device, I then select save and exit. The computer just literally shuts off right away…which upon the next startup I get the Windows screen saying that Windows closed unexpectedly, what would you like to do?

    From there my only choices are safe mode, safe mode with networking, safe mode with command prompt, or start Windows normally. I don’t want any of these, correct? Choosing any of those options lets the virus kick in. I never have the capability to shut down the laptop because the virus covers everything up. For whatever reason after saving changes to BIOS for boot priority it shuts down automatically so I ALWAYS get this “closed unexpectedly” screen. I can’t get the computer to boot from CD or removable device because of that. Any help would be appreciated. Thank you

  • Randy Knowles
    3:39 pm on December 31st, 2012 2

    Thanks for the comment Barry,

    If your computer boots into safe mode with networking then you can follow the procedure that I explained in the original post.

    If this doesn’t work then I suggest a rescue disk like Kaspersky, Trinity or AVG (the .iso file alone is not enough – you have to “burn” the .iso file to a CD which you can then boot from):

    Also check out How To Boot From a CD:

    Best wishes,

    Randy Knowles

  • Nick
    7:15 pm on January 10th, 2013 3

    I found booting in safe mode WITH NETWORKING then downloading AVG free trial search in command bar system32 and poof GONE!

  • Tiffany
    6:57 am on January 13th, 2013 4

    Hi, I had the virus and followed these steps but when I ran my computer in normal mode, the desktop looks different. It looks as if it is still in safe mode but the font is not as big. Do I still have the virus? I also ran Avast anti virus in safe mode (just in case) and I did not have any virus. Can you please help!! Thanks

  • Randy Knowles
    2:26 pm on January 13th, 2013 5

    Hi Tiffany,

    Thanks for the comment. If you are in Normal Mode and you don’t see any signs of the FBI virus popping up then it is most likely gone. Run Hitman Pro in Normal mode and see if it picks anything up.
    As far as the screen looking different, your display resolution may have changed. Right click anywhere on the Desktop and take a look in Properties or Personalize, then Display Settings.

    Best wishes,
    Randy Knowles

  • Paul
    7:24 pm on January 16th, 2013 6

    Hi Randy,

    I picked up this virus months ago. I downloaded Malwarebytes Anti-Malware and it did the trick. However, I don’t think it got everything, because it’s come back twice and I’ve had to pop into safemode with networking to run the scan and remove. However, it has reared its ugly head once again, only now the following happened.

    1 – Booted into Safemode with networking and ran malware programming but it’s no longer removing the virus as it reappears when I reboot.

    2 – When in Safemode with Networking I have no internet connectivity (though my children still have connectivity via their laptops)

    3 – After the aforementioned problems taking place over the last few days, when I now boot up Safemode with Networking or Safe Mode with Command Prompt the virus appears right away!

    I am at a loss as to what to do. If you have any words of wisdom regarding this it would be greatly appreciated. Thank you.

  • Randy Knowles
    4:48 pm on January 20th, 2013 7

    Hello Paul,
    Thanks for the comments. I’m sorry that you “got bit” by this nasty virus.
    If you can still get into Safe Mode try a system restore to a point before you started to have the original problem.
    If you cannot get into Safe Mode without the virus reappearing, then you are going to have to make a rescue CD and boot the machine using this disk.
    Go here and follow the instructions (Kaspersky Rescue Disk 10). Create the CD from the downloaded .iso file and then boot, scan, and delete all found infections! This should do the trick.

    Post back and let me know the results.
    Best wishes,
    Randy Knowles

  • tammi
    12:18 am on January 30th, 2013 8

    I am not well known for how to really handle a computer. I just can get by with the basics. My computer caught the FBI virus four days ago. I have tried different ways to get rid of it by reading suggestions that I read. Nothing has worked. My computer used to be able to go into safe mode, safe with command prompt and safe with networking (quickly then blinked off), but now it won’t even do that. It will not let me restore to an earlier time. Then it got to where it wouldn’t let me boot from a CD someone suggested I make, which was Malwarebytes. Someone even suggested to try “restore system to factory condition”. This had me start the process, then when it appeared to me like it was at the point when it starts to restore, it stayed at one percent for over three hours before I gave up and turned it off. All it does now is keep launching files so that it can check for repairs. I haven’t checked it today (so fed up). Last time I checked I was still able to use F8 (this would send my computer into launching files for repair, which tells me to contact administrators), F12, and F2 (this doesn’t allow me to boot, unless I am doing something wrong). Any suggestions that you might have for me will be greatly appreciated. Thanks so much.

  • Noah
    11:42 pm on February 4th, 2013 9

    Mr. Randy,

    Thanks for the great forum. A colleague handed me her laptop and said, “Here, I think I have a virus.” Somehow I’ve become the “Computer Guy” around the office — I guess it’s that silly Computer Science degree.

    Anyway, I had never heard of this particular virus, but the Windows Defender boot method worked perfectly for my scenario–

    On her machine, only one (out of three) of the log-ins had the Pop-up, and eventual white screen. Booting it to Windows Defender fixed it straight-away. It took about 15 min to run the “Quick Scan” but it seemed to do the trick.

    Thanks for all the input from everybody. Best of luck to the rest of you.


  • Randy Knowles
    8:41 pm on February 5th, 2013 10

    Hi Noah,

    Thanks for the comment. I’m glad that you were able to get the machine “up and running” again. The FBI virus is nasty and is constantly changing. Now more than ever people will be bringing you their computers! Best wishes,

    Randy Knowles

  • Noah
    10:10 pm on February 5th, 2013 11

    Well, I suppose we all need to do our part to help our fellow man.

    Also, I forgot to mention the file extensions that were removed. This might help the others:


    There were several extensions also that ended in “qdsron.dll” that my run got rid of. I’m not sure if they were related to this particular case, but WinDef advised me to have them removed.

    Anyway, keep up the great site, Mr. K! I’ve got your dog-eared on my browser :)


  • Randy Knowles
    12:48 pm on March 2nd, 2013 12

    Hi tammi,
    Thank you very much for the detailed comment. It’s hard for me to make an exact diagnosis just by reading your comment, but this is what I suggest (I don’t know if you’ll be able to do this yourself – you may have to take your machine to a computer repair tech).

    1) Go to this site and make a bootable CD:
    2) Boot your computer using this disk and choose MiniXp when you see the menu choices.
    3) On a USB Flash Drive download RogueKiller
    4) Once your computer boots into the MiniXp interface, plug a USB Flash drive into your computer, install and run RogueKiller from the USB drive.
    5) Now boot your machine into Safe Mode and do a System Restore to a point in time before you were infected.
    6) After the System Restore is finished your machine should boot up into Normal Mode
    7) Run scans with Malwarebytes, SUPERAntiSpyware, and HitmanPro.
    8) This should take care of the problem!

    P.S. I realize that this may sound very confusing. If you would like for me to help you “hands on”, please contact me through my website email address.

    Best wishes,
    Randy Knowles

  • EulerSteven
    8:26 pm on April 1st, 2013 13

    This is really a tricky virus. It seems to morph quickly. It freezes the computer till the computer is purged of the virus.

    One of the things I found helpful was to disconnect the internet wire from the computer. Shut the computer off. Turn the computer on in SafeMode by pressing F8.

    What I have found is that the virus shuts the computer down before Malwarebytes can purge the virus. Or the virus shuts the computer down before system restore can be completed. In effect there ends up being no way to get rid of the virus. (If the computer does not shut down, MalwareBytes or System Restore will purge the virus.)

    I have downloaded (FREE) Emsisoft Emergency Kit onto a USB flash drive. Open in safemode, then go to the flash drive and operate the cleaner from there–it can access the command line–a 40 minute scan, or it can do a quick one minute scan. And that one minute could be the only time available, if the virus shuts the computer down before MalwareBytes 5 minute scan or System Restore. By all means, practice a bit with the Emsisoft Emergency Kit so that you get comfortable with it; it is not terribly complex but it does have a slight learning curve.

    There is really no point to the virus. No one is going to pay $200 to ransomware; there is not likely any chance that it can damage a computer by deleting operational files or systems, there is little likelihood that it will steal your finances–unless you give them your bank account number when anyone makes a payment to them. So the virus is just in existence to annoy people–which it does very well.

    Why the antivirus programs cannot catch this annoying virus is beyond comprehension–but for some reason, they can’t. When people pay good money for that virus protection–IT SHOULD WORK!

    Best of luck to those so afflicted. Hope these hints work.

  • Matthew
    5:09 pm on April 2nd, 2013 14

    I have the virus on my Toshiba laptop with Win 7 and Microsoft Security Essentials and I found the file ctfmon.exe but can’t delete it cause it says I need permission from Microsoft. What can I do cause I have tried so many things. I’ve deleted a lot of temp files that were suspicious. Please help.

  • Help
    2:45 pm on April 4th, 2013 15

    This is for Win7 Pro, I have the moneypak virus and removed it without any trojan or virus software BUT I forgot how to. I cannot use any of the safe mode functions. I think I did something like this last time I removed it. I think I used the command prompt but I cannot get to the command prompt, the virus executes right to the desktop and of course I cannot use the task manager. Any users have the same problem please post the solution. This problem will be rectified by me. What is ironic I am using Kaspersky and they should have added the virus to their database (:

  • Russian001
    11:29 am on April 16th, 2013 16

    I literally fell out of my office chair laughing at post #3!!!!!

  • John
    9:41 am on April 19th, 2013 17

    Thank you Randy for this helpful info. So many places did not have this simple removal info, they wanted you to download first some removal tool, then run it… I find that kinda sketchy. But I had removed this once before, and your instructions were what I was exactly looking for.

    Now, I did get Malwarebytes after I did the above, cause Bitdefender is good, but it takes a while on my system.

  • ralph
    9:33 pm on April 20th, 2013 18

    When I cut my computer on a black screen appears that says boot manager missing press control alt delete to restart. Pressing control alt delete brings me back to the same screen. F8 doesn’t work. F11 for system recovery starts but then the computer shuts down. What can I do to rid my computer of this virus?

  • Randy Knowles
    12:29 pm on April 21st, 2013 19

    Thanks for the comment Ralph,

    If your boot manager is missing try this:
    You probably don’t have a virus, just a problem as described in the article.
    Best wishes,
    Randy Knowles

  • Randy Knowles
    12:33 pm on April 21st, 2013 20

    Thanks for the nice comment John,

    I’m glad that the post helped you. The FBI virus has many variants. Unfortunately a lot of people are trying to take advantage of the FBI removal process.

    Best wishes,
    Randy Knowles

  • Kenny G
    10:44 pm on April 27th, 2013 21

    Got this FBI bug bad… Will not boot into Safe Mode. Last thing displayed is hpdskflt, then reboots. When it boots normally, I get a white screen over everything. And if I take my disk and connect it to another computer, the drive shows as unformatted. Tried using my Windows XP (yes still running that) for recovery, but even the console can’t see any files or directories.

    I tried using data recovery programs, but nothing can see the files. At this point in time, don’t care about the OS, but want the data files.

    Been searching all day for an answer and can’t find anything that works. HELP!!!!!!!!!!!!!! and Thank you.

  • Randy Knowles
    3:54 pm on April 29th, 2013 22

    Thanks for the comment Kenny,

    I don’t doubt that you got bit by the FBI Virus but what you are describing is a Hard Drive problem. The first thing that I would do is clone the drive (I use Clonezilla but you may want to use Acronis).

    The next thing that I would do is boot the machine with a Live CD Repair Disk like UBCD and see if you can see the data from the original drive. You can also run a chkdsk /r from UBCD and you may be able to then see the data that is on the drive.

    As a last resort you can send the drive to a data recovery outfit. Let me know how it goes.

    Best wishes,
    Randy Knowles

  • Kenny G
    12:32 pm on April 30th, 2013 23

    Thank you… The hard drive is fine… It is completely functional and will boot… the virus just won’t let me do anything… It really does seem to be encrypted.

    I’ve already tried to recover the disk using tools, but I really do think it is encrypted. I have other colleagues who describe these exact symptoms with encrypted disks.

    I am hoping that later today I will get this fixed.

  • Sabina
    11:35 pm on August 15th, 2013 24

    I get to the part to delete the exe files and the computer will not let me. I get a message saying files/c drive are corrupted and cannot remove the files. I do not know how to override this or work around it. I have an asus and cannot find a way to boot from a usb drive.

  • Alex7
    4:34 pm on November 3rd, 2013 25

    When I start my computer with any safe mode it just shuts down? What can I do?

  • the music recycler
    3:54 am on December 15th, 2014 26

    Not long ago I got the recent version infection with XP. Nothing worked except using an alternate boot CD, any one will work. Hitman Pro identified a 20 mbyte executable that was in my .net 4.0 directory. All the rest of the files in that directory were gone. Using the boot CD I deleted that file and everything got better. Then cleaned the registry & had to reinstall .net 4.0.

