Your daily technology class with Professor Randy!!

Randy The Tech Professor

July 18, 2012 at 9:18 am

How I Removed The FBI MoneyPak Virus

Hello everyone,

Update: I have a more recent FBI MoneyPak removal post here (another variant of the virus).

A client called me today with a machine (Windows 7) infected with the FBI MoneyPak virus. I got it out in about ten minutes – this is what I did:

1) Tap F8 during pre-boot and go into Safe Mode

2) Click Start>All Programs>Startup Folder

3) You’ll see “ctfmon” (without quotation marks). Delete it.

4) Click Start>Run>Type %temp% >OK

5) Look for “festOr_ot” (without quotation marks). Delete it. Some techs have reported seeing “roolO_pk.exe”, “er_OO_O_l.exe” and/or a “.mof “ file also. If you see any of these delete them!

6) Restart the machine in normal mode

7) FBI virus is gone!!

8) Run Malwarebytes just for good measure. It wouldn’t hurt to run SUPERAntiSpyware, and HitmanPro also!

Professor Randy says: The FBI MoneyPak virus is just another of the many ransomeware programs that want to scam you out of your money! Don’t be fooled – remove this phony malware by using the method described above.

Tags: , , ,
-
75
  • Anonymous
    1:44 pm on July 19th, 2012 1

    machine will not start in safe mode!

  • Michael
    3:44 pm on July 25th, 2012 2

    i got the fbi virus today and i went to the start up folder and deleted it but when i went to the temp folder i could not find festOr_ot does that mean i dont have it anymore?

  • Teya
    9:36 pm on August 1st, 2012 3

    This is confusing. I cant find Type %temp%

  • Randy Knowles
    9:25 am on August 2nd, 2012 4

    Hello Teya,

    Thank you for your comment.
    In the “run” box you have to type (with your keyboard): %temp%

    Best wishes,
    Randy Knowles

  • Mick
    10:52 am on August 2nd, 2012 5

    My computer with the FBI virus ($200) will not allow me to go to run. The screen to select users comes up, from there it goes to loading your personnel settings, then to a white screen that says ” please wait while page is loading, this may take up to 30 seconds,”

    I dont know what to try next?

  • Randy Knowles
    6:22 pm on August 2nd, 2012 6

    Hello Mick,

    Thank you for the comment.

    You may have to boot from a “rescue disk” and clear out the infection that way. You’ll have to download the .iso file first and then burn the .iso to a CD (obviously you’ll have to do this on an uninfected computer).

    A good bootable “rescue disk” is the Kaspersky Rescue Disk 10 found here: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso

    Good luck and let me know the results.

    Randy Knowles

  • aj
    3:55 pm on August 4th, 2012 7

    I remember seeing the Kaspersky Rescue Disk mentioned in Part 7 of the “Computer Tools That I Can’t Live Without” series. That series was my first stop when a friend of mine picked up an email virus a few months ago. Some of those tools and a bit of Googling helped me clear the infection. I used the series again back in May when I spent part of my vacation cleaning out another friend’s system (PC work for vacation room and board — that was a good deal in my book!)

    For those of you shooting a virus infection, here are the direct links to the parts of the series that you’ll want to check out —

    http://randythetechprofessor.com/computer-repair-tools-that-i-cant-live-without-part-7-bootable-rescue-disks
    http://randythetechprofessor.com/computer-repair-tools-that-i-cant-live-without-part-9-hirens-bootcd-on-a-usb-flash-drive
    http://randythetechprofessor.com/computer-repair-tools-that-i-cant-live-without-part-10-1-utilities-on-my-usb-flash-drive
    http://randythetechprofessor.com/computer-repair-tools-that-i-cant-live-without-part-10-2-utilities-on-my-usb-flash-drive
    http://randythetechprofessor.com/computer-repair-tools-that-i-cant-live-without-part-10-3-utilities-on-my-usb-flash-drive
    http://randythetechprofessor.com/computer-repair-tools-that-i-cant-live-without-part-10-4-utilities-on-my-usb-flash-drive

    And thanks for giving us that series, Randy. There’s a HUGE amount of useful info in there!!

  • Randy Knowles
    10:14 pm on August 4th, 2012 8

    Hello aj,

    Thanks for the comments. It’s obvious that you are a real tech/computer repair enthusiast. I’m honored that you read my blog posts!

    Best wishes,
    Randy Knowles

  • Randy Knowles
    10:38 pm on August 4th, 2012 9

    Hello Anonymous,

    Thanks for the comment. The cause of a machine that will not start in Safe Mode is difficult to pinpoint in a forum.

    Many times its a sign the OS has sustained a fatal blow.

    You can do a search for the following repair options if your OS is XP.

    1. XP REPAIR INSTALL

    2. XP PARALLEL INSTALL

    Occasionally, Safe Mode and its various parts get corrupted. You can download and run the repair tool below and it may fix the issue:

    http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe

    Best wishes,
    Randy Knowles

  • Anonymous
    12:05 pm on September 3rd, 2012 10

    I CANT EXIT OUT OF THE MONEYPAK PAGE!!!!! IT WONT LET ME OR IT WILL BE STUCK ON “PAGE IS LOAD MAY TAKE UP TO 30 SEC. AND DOES NOTHING!!!!!

  • Rick
    6:27 am on September 11th, 2012 11

    I am having the same issue as Anonymous, I cannot get past the Page is loading, screen. I am running XP, even when I start in safe mode I still ultimately end up with the same white screen with Page is loading etc. I can start with command prompt option, type explorer so I am able to access some of my files. I have run malwarebytes, rkill and still no luck. Your help is greatly appreciated. Thank you.

  • Randy Knowles
    11:42 am on September 11th, 2012 12

    Hi Rick,

    Thank you for the comment.

    You may have to boot from a “rescue disk” and clear out the infection that way. You’ll have to download the .iso file first and then burn the .iso to a CD (obviously you’ll have to do this on an uninfected computer).

    A good bootable “rescue disk” is the Kaspersky Rescue Disk 10 found here: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso

    Good luck and let me know the results.

    Randy Knowles

  • Randy Knowles
    11:43 am on September 11th, 2012 13

    Hi Anonymous,

    Thank you for the comment.

    You may have to boot from a “rescue disk” and clear out the infection that way. You’ll have to download the .iso file first and then burn the .iso to a CD (obviously you’ll have to do this on an uninfected computer).

    A good bootable “rescue disk” is the Kaspersky Rescue Disk 10 found here: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso

    Good luck and let me know the results.

    Randy Knowles

  • Lynn
    6:57 pm on September 11th, 2012 14

    I burned the rescue CD on my other computer, but when I type in (safe mode command screen) Start d: on the messed up machine, it goes to a Nero 8 page that tries to burn the rescue CD to another CD instead of running it. I’m obviously not computer literate. Never had a class, too old, etc. just going crazy.

  • Kamaro
    7:47 pm on September 12th, 2012 15

    Worked great for me. Thanks.

  • rob
    6:12 am on September 21st, 2012 16

    You rock

  • Rob
    10:37 am on September 26th, 2012 17

    When you recommend to run malwarebytes, are you indicating the free version or the full version.

  • Jessica
    5:06 pm on September 26th, 2012 18

    worked for me too…thanks!

  • Randy Knowles
    5:26 pm on September 26th, 2012 19

    Thanks for the comment Rob,

    Use the free version of Malwarebytes – no need to pay money for the full version.

    Best wishes,
    Randy Knowles

  • Randy Knowles
    5:27 pm on September 26th, 2012 20

    Awesome Jessica,

    I’m glad that it’s gone!! Thanks for the comment.

    Best wishes,
    Randy Knowles

  • Randy Knowles
    5:28 pm on September 26th, 2012 21

    Thanks for the comment Kamaro,

    I’m glad that this “did the trick” for you!

    Best wishes,
    Randy Knowles

  • Randy Knowles
    5:30 pm on September 26th, 2012 22

    Thanks Rob,

    Happy to see that the nasty virus is gone! Thanks for the comment.

    Best wishes,
    Randy Knowles

  • AB
    8:13 pm on September 27th, 2012 23

    Followed the instructions and all went well save for I also couldn’t go into safe mode but it had asked me to do a file check ( something about corrupt file ) and once it did that I was able to get in safe mode. I never found “er_OO_O_l.exe or something similar. I deleted a file called google updates ( don’t remember the whole name ) Not sure if it had anything to do with the virus itself but when I looked at the file location for ctfmon before I got in safe mode that’s the file that came up. Was in the c/ users/username/app data /local/temp

  • Randy Knowles
    9:00 pm on September 27th, 2012 24

    Nice Job AB,

    The FBI MoneyPak Virus can manifest itself in various ways. Sounds like you hunted it out and finished it off for good!
    Good work and thanks for the comment.

    Randy Knowles

  • Anonymous
    9:06 am on September 28th, 2012 25

    it wont let me go to the start menue.. the fbi site pops up right after i start it in safe mode

  • Randy Knowles
    7:53 pm on September 29th, 2012 26

    Thanks for the comment Anonymous,

    Go to this link (http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline) and do the following:
    Download Windows Defender Offline and create a CD, DVD, or USB flash drive.
    Restart your PC using the Windows Defender Offline media.
    Scan your PC for malicious and other potentially unwanted software.
    Remove any malware that is found from your PC.

    Let me know how it goes,
    Randy Knowles

  • jacob
    7:58 pm on September 30th, 2012 27

    i have windows 7 when im in safe mode,there is nothing in my start up page an i can not find the names in my %temp%

  • Randy Knowles
    12:47 pm on October 1st, 2012 28

    Thanks for the comment jacob,

    Try this: Go to this link (http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline) and do the following:
    Download Windows Defender Offline and create a CD, DVD, or USB flash drive.
    Restart your PC using the Windows Defender Offline media.
    Scan your PC for malicious and other potentially unwanted software.
    Remove any malware that is found from your PC.

    Let me know how it goes,
    Randy Knowles

  • DM
    5:03 pm on October 5th, 2012 29

    I recevied the FBI virus and I have tried to start in safe mode and it will not work. I only get f2 and f12. hitting f8 on startup does nothing. HELP.

  • Randy Knowles
    8:07 pm on October 5th, 2012 30

    Hello DM,

    If your OS is XP you can try this, but you may have something seriously wrong with your Safe Mode. You may have to boot your computer from a rescue disk. I have described this in previous comments. Good Luck!

    Randy Knowles

    System Configuration Utility in Windows XP
    1. Open the Start menu and click “Run.”
    2. In the Run box, enter “msconfig” (without quotes).
    3. Click “OK.”
    4. Select the tab “BOOT.INI.”
    5. Put a check by the entry /SAFEBOOT. Also click the radio button MINIMAL.
    6. Click “Apply” and “OK.”
    7. Restart the computer. The system should open in Safe Mode.

    When finished using Safe Mode, open msconfig again and remove the check by /SAFEBOOT. Otherwise, you will continue to open in Safe Mode whenever you boot.

  • Me
    9:50 pm on October 7th, 2012 31

    I can’t boot in safe mode but I can boot to safe mode with command prompts but have no idea how to find the above mentioned files.

  • Randy Knowles
    7:12 pm on October 8th, 2012 32

    Hello Me,

    In Safe Mode with Command prompt type in explorer.exe and hit enter…then your desktop should appear. Then proceed to find the malicious FBI MoneyPak files as I mentioned in my post.

    Best wishes,
    Randy Knowles

  • xtien
    8:08 pm on October 16th, 2012 33

    got a hard time removing this virus. all the comments here is not working on me.

    safemode, safemode with networking and safemode with command promt is already blocked by this moneypak virus.

    tried to boot to hirens already but its not as effective even i scanned already on updated superantispyware.

    any suggestion?

  • Randy Knowles
    11:41 am on October 17th, 2012 34

    Hello xtien,

    Thanks for the comment. The MoneyPak virus can manifest itself in various ways. I suggest you go to this page: http://support.kaspersky.com/viruses/rescuedisk/main?qid=208286084 and follow the instructions to download, burn to disk, and run the Kaspersky Rescue Disk.

    You’ll have to do this on a clean machine and once you have burned the CD, boot up the infected machine with it. Get the latest updates, and run the scan (may take hours). You’ll see the results of the scan and then follow the recommendations that Kaspersky gives you. You should then be “good to go”! Let me know how things turn out.

    Randy Knowles

  • SMF
    12:36 pm on October 18th, 2012 35

    Hello, I tried to delete “ctfmon” file but I got a message stating I require permission from TrustedInstaller to perform this action. What do I do?

  • Randy Knowles
    11:48 am on October 19th, 2012 36

    Thanks for the comment SMF,

    Give this a try and let me know how things go.

    “If you need to delete or overwrite a system file in Windows 7 or Vista, you’ll quickly notice that you cannot delete system files, even as administrator. This is because Windows system files are owned by the TrustedInstaller service by default, and Windows File Protection will keep them from being overwritten.

    Thankfully, there’s a way that you can get around this. You need to take ownership of the files, and then assign yourself rights to delete or modify the file. For this, we’ll use the command line.

    Open an administrator command prompt by typing cmd into the start menu search box, and hit the Ctrl+Shift+Enter key combination.

    To take ownership of the file, you’ll need to use the takeown command. Here’s an example:
    takeown /f C:\Windows\System32\en-US\winload.exe.mui
    That will give you ownership of the file, but you still have no rights to delete it. Now you can run the cacls command to give yourself full control rights to the file:
    cacls C:\Windows\System32\en-US\winload.exe.mui /G randy:F

    Note that my username is randy, so you will substitute your username there.

    At this point, you should be able to delete the file. If you still can’t do so, you may need to reboot into Safe Mode and try it again. For the filename in the example, I was able to overwrite it without safe mode, but your mileage may vary.”

    Hope that helps,

    Randy Knowles

  • Nicholas
    7:30 pm on November 14th, 2012 37

    So… I need to write my papers for class and I got this virus. The thing is, under Startup there IS not ctfmon. And in the temp file there are NONE of those files that you named nor is there any .mof file. None of these files are apparent, yet I still get the virus thing when I’m not in safemode(which I am doing this on right now). ALSO, no antivirus software that I have (malwarebytes, hitman, superantispyware) are finding ANYTHING.

  • Randy Knowles
    12:55 pm on November 18th, 2012 38

    Hello Nicholas,

    Thanks for the comment.

    Please check out this great link: http://www.selectrealsecurity.com/malware-removal-guide/
    You most likely will have to use the Kaspersky Rescue Disk (download the .iso file, burn to CD, boot from the CD, follow the prompts and run).

    The FBI virus can manifest itself in many ways. Best to boot up the machine with a rescue disk and kill all malicious entities from point zero.

    Best wishes and let me know how it goes,
    Randy Knowles

  • Lee M
    5:37 pm on November 28th, 2012 39

    Randy –

    Trying all your suggestions. I too am having trouble in safe mode – goes to the FBI screen. Tried to download the Kasper Rescue10 program. Download gets to the end and then error message says download failed contact system administrator. What next to try?

  • Anonymous
    9:42 am on December 4th, 2012 40

    My computer just shuts down right after safe mode starts what can I do . I can’t open any programs or see my homepage, it’s goes straight to the virus page and I can’t do anything. None of the safe modes work.

  • randy
    11:15 am on December 4th, 2012 41

    i am running windows 7. i can’t start in safe mode. it just restarts. I can however start in safe mode with networking

  • Randy Knowles
    5:51 pm on December 10th, 2012 42

    Thanks for the comment,
    If your computer boots into safe mode with networking then you can follow the procedure that I explained in the original post.

    If this doesn’t work then I suggest a rescue disk like Kaspersky, Trinity or AVG. Good luck!

    Randy Knowles

  • Steve
    8:03 pm on December 19th, 2012 43

    I have this virus. I cant open into safe mode, any of them, I get the blue sceen. When I boot up normally it goes straight to the MoneyPak sceen….no time at all to click start or anything. Task manager wont come up at all and everytime I press crtl-alt-dlete it makes a sound indicating that I have done something wrong. Yet still nothing pops up, jest the FBI screen. I dont think that I could download any recovery disk and actually run it because I cant see the Start menu and it goes STRAIGHT to the FBI screen, no in betwen. This is sooo aggrivating. I have a Dell Inspiron e1505 with Windows XP 2005 media center addition. Any help? Please. Thanks!

  • Raul1287
    4:03 am on December 20th, 2012 44

    In need of desperate help, my pc has the shit virus and doesnt even let me log into any of the mode(normal or the safe modes). As soon as the welcome screen is displayed all that happens is the virus popping up on the entire screen and i am unable to do anything further. The only command that my pc has responded so far is the alt + shift + del which isnt of any use to me. Also i have only a single user on my pc which has ruled any further posiibilities to remove it. I really appreciate some serious help here to get rid of the same.

  • Randy Knowles
    4:33 pm on December 20th, 2012 45

    Hi Raul,
    Thanks for the comment. Sorry that you “got bit” by the virus.

    Please check out this great link: http://www.selectrealsecurity.com/malware-removal-guide/
    You most likely will have to use the Kaspersky Rescue Disk (download the .iso file, burn to CD, boot from the CD, follow the prompts and run).

    The FBI virus can manifest itself in many ways. Best to boot up the machine with a rescue disk and kill all malicious entities from point zero.

    Best wishes and let me know how it goes,
    Randy Knowles

  • Randy Knowles
    4:34 pm on December 20th, 2012 46

    Hello Steve,

    Thanks for the comment.

    Please check out this great link: http://www.selectrealsecurity.com/malware-removal-guide/
    You most likely will have to use the Kaspersky Rescue Disk (download the .iso file, burn to CD, boot from the CD, follow the prompts and run).

    The FBI virus can manifest itself in many ways. Best to boot up the machine with a rescue disk and kill all malicious entities from point zero (AVG also has a very good rescue disk).

    Best wishes and let me know how it goes,
    Randy Knowles

  • Ted
    3:25 am on December 26th, 2012 47

    Hello, I just got the FBI Moneypak Virus today and it seems my issue is a bit different. The moneypak virus takes up my entire screen and whenever I press the windows key or try to get task manager with ctrl, alt, delete, the moneypak screen continues to cover everything up. i can see the windows bar for a split second whenever i press it but there’s no time for me to type or click anything. help please!

  • Ted
    1:10 pm on December 26th, 2012 48

    Hello Randy, this is Ted posting again. Now when I start my computer, with the moneypak virus taking permanently over the screen, the only thing I seem to be able to do is (ctrl, alt, dlt). However, the task manager option doesn’t appear anymore. If I can’t do anything with my infected computer, will the Kasperky Rescue Disk work properly? And this may seem like a dumb question, but there’s no chance the virus would “expire” as it says in the message would it? Thank you in advance, any feedback would be greatly appreciated!

  • Randy Knowles
    1:57 pm on December 26th, 2012 49

    Thanks for the comment Ted,

    I’m sorry that you “got bit” by that scum of a virus! There are no dumb questions so here are the answers:

    The Kaspersky Rescue Disk will work fine because your computer will boot from the disk itself and not from your computers Hard Drive (you may need to go into the BIOS and configure the boot options to boot first from the DVD drive). The disk will ask you to get the latest virus definitions – do so and run the scan. Delete anything that Kaspersky finds and you should be “good to go”. Once your computer boots into Normal mode, run another antivirus (MalwareBytes, SuperAntiSpyware, HitManPro) just to get a second opinion.

    Don’t worry – the Moneypak virus will not expire as it wants you to believe. That’s just another bunch of “crap” from this scum of a program.
    Please post back with your results. Best wishes.

    Randy Knowles

  • Ted
    4:41 pm on December 26th, 2012 50

    Hi Randy, thanks for your response. I’m completely computer illiterate and am wondering if I should start the infected computer in Setup mode (with information, main, security, boot, exit on across the top) or start with advanced boot options with (repair your computer, safe, mode, safe mode with networking, safe mode with command prompt, enable boot logging… start windows normally). I’ve downloaded the Kaspersky Rescue Disk 10 on a different computer and have transferred the file onto an USB. How do I go about booting up my infected computer so it boots from the USB in order to access Kaspersky? Thanks again!

  • Barry
    8:48 pm on December 30th, 2012 51

    Glad i stumbled on this site as it looks like it may be of great help to me. My laptop got the money pak virus somehow(i have Vista on the laptop).

    My problem is i have recorded the Kaspersky rescue disk to cd as well as flash drive stick(followed protocol and installed the usb portion as well from the kaspersky site). I can get into BIOS and alter my boot-up priorities…that is where the trouble begins. Upon selecting and saving changes to boot from removable device, i then select save and exit. The computer just literally shuts off right away…which upon the next startup i get the windows screen saying that windows closed unexpectedly, what would you like to do?

    From there my only choices are safe mode, safe mode with networking, safe mode with command prompt, or start windows normally. I dont want any of these correct? Choosing any of those options lets the virus kick in. I never have the capability to shut down the laptop because the virus covers everything up. For whatever reason after saving changes to BIOS for boot priority it shuts down automatically so i ALWAYS get this “closed unexpectedly” screen. I cant get the computer to boot from cd or removable device because of that. ANy help would be appreciated. Thank you

  • Randy Knowles
    3:39 pm on December 31st, 2012 52

    Thanks for the comment Barry,

    If your computer boots into safe mode with networking then you can follow the procedure that I explained in the original post.

    If this doesn’t work then I suggest a rescue disk like Kaspersky, Trinity or AVG (the .iso file alone is not enough – you have to “burn” the .iso file to a CD which you can then boot from): http://pcsupport.about.com/od/toolsofthetrade/ht/burnisofile.htm

    Also check out How To Boot From a CD: http://pcsupport.about.com/od/tipstricks/ht/bootcddvd.htm

    Best wishes,

    Randy Knowles

  • Nick
    7:15 pm on January 10th, 2013 53

    i found booting in safe mode WITH NETWORKING than downloading avg free trial search in comand bar system32 and poof GONE!

  • Tiffany
    6:57 am on January 13th, 2013 54

    Hi I had the virus and followed these steps but when I ran my computer in normal mode, the desktop looks different. It looks as if it is still in safe mode but the font is not as big. Do I still have the virus? I also ran Avast anti virus in safe mode (just in case) and it I did not have any virus. Can you please help!! Thanks

  • Randy Knowles
    2:26 pm on January 13th, 2013 55

    Hi Tiffany,

    Thanks for the comment. If you are in Normal Mode and you don’t see any signs of the FBI virus popping up then it is most likely gone. Run Hitman Pro in Normal mode and see if it picks anything up.
    As far as the screen looking different, your display resolution may have changed. Right click anywhere on the Desktop and take a look in Properties or Personalize, then Display Settings.

    Best wishes,
    Randy Knowles

  • Paul
    7:24 pm on January 16th, 2013 56

    Hi Randy,

    i picked up this virus months ago. I downloaded Maleware bytes AntiMalware and it did the trick. However, I don’t think it got everything, because it’s comeback twice and I’ve had to pop into safemode with networking to run the scan and remove. However, it has reared its ugly head once again, only now the following happened.

    1 – Booted into Safemode with networking and ran malware programming but it’s no longer removing the virus as it reappears when I reboot.

    2 – When in Safemode with Networking I have no internet connectivity (though my children still have connectivity via their laptops)

    3 – After the aforementioned problems taking place over the last few days, when I no Boot up safemode with Networking or Safe Mode with Command Prompt the Virus appears right away!

    I am at a loss as to what to do. If you have any words of wisdom regarding this it would be greatly appreciated. Thank you.

  • Randy Knowles
    4:48 pm on January 20th, 2013 57

    Hello Paul,
    Thanks for the comments. I’m sorry that you “got bit” by this nasty virus.
    If you can still get into Safe Mode try a system restore to a point before you started to have the original problem.
    If you cannot get into Safe Mode without the virus reappearing, then you are going to have to make a rescue CD and boot the machine using this disk.
    Go here and follow the instructions (Kaspersky Rescue Disk 10). Create the CD from the downloaded .iso file and then boot, scan, and delete all found infections! This should do the trick.

    Post back and let me know the results.
    Best wishes,
    Randy Knowles

  • tammi
    12:18 am on January 30th, 2013 58

    Hello,
    I am not well know for how to really handle a computer. I just can get by with the basics. My computer caught the fbi virus four days ago. I have tried different ways to get rid of it by reading suggestions that I read. Nothing has worked. My computer use to be able to go into safe mode, safe with command prompt and safe with networking, (quickly then blinked off) but now it won’t even do that . It will not let me restore to an earlier time. Then it got to where it wouldn,t let me boot from a cd someone suggested I make which was malwarebytes. Someone even suggested to try “restore system to factory condition”. This had me start the process, then when it appeared to me like it was at the point when it starts to restore, it stayed at one percent for over three hours before I gave up and turned it off. All it does now is keep launching files so that it can check for repairs. I haven’t checked it today, (so fed up). Last time I checked I was still able to use f8,(this would send my computer into launching files for repair. Which tells me to contact administrators) f12, and f2(this doesn’t allow me to boot.unless I am doing something wrong). Any suggestions that you might have for me will be greatly appreciated. Thanks so much.

  • Noah
    11:42 pm on February 4th, 2013 59

    Mr. Randy,

    Thanks for the great forum. A colleague handed me her laptop and said, “Here, I think I have a virus.” Somehow I’ve become the “Computer Guy” around the office — I guess it’s that silly Computer Science degree.

    Anyway, I had never heard of this particular virus, but the Windows Defender boot method worked perfectly for my scenario–

    On her machine, only one (out of three) of the log-ins had the Pop-up, and eventual white screen. Booting it to Windows Defender fixed it straight-away. It took about 15 min to run the “Quick Scan” but it seemed to do the trick.

    Thanks for all the input from everybody. Best of luck to the rest of you.

    -N

  • Randy Knowles
    8:41 pm on February 5th, 2013 60

    Hi Noah,

    Thanks for the comment. I’m glad that you were able to get the machine “up and running” again. The FBI virus is nasty and is constantly changing. Now more than ever people will be bringing you their computers! Best wishes,

    Randy Knowles

  • Noah
    10:10 pm on February 5th, 2013 61

    Well, I suppose we all need to do our part to help our fellow man.

    Also, I forgot to mention the file extensions that were removed. This might help the others:

    “Trojan:Win32/Medfos.A”

    There were several extensions also that ended in “qdsron.dll” that my run got rid of. I’m not sure if they were related to this particular case, but WinDef advised me to have them removed.

    Anyway, keep up the great site, Mr. K! I’ve got your dog-eared on my browser :)

    -N

  • Randy Knowles
    12:48 pm on March 2nd, 2013 62

    Hi tammi,
    Thank you very much for the detailed comment. It’ hard for me to make an exact diagnosis just by reading your comment, but this is what I suggest (I don’t know if you’ll be able to do this yourself – you may have to take your machine to a computer repair tech).

    1) Go to this site and make a bootable CD: http://www.hirensbootcd.org/files/Hirens.BootCD.15.2.zip
    2) Boot your computer using this disk and choose MiniXp when you see the menu choices.
    3) On a USB Flash Drive download RougeKiller
    4) Once your computer boots into the MiniXp interface, plug a USB Flash drive into your computer, install and run RougeKiller from the USB drive.
    5) Now boot your machine into Safe Mode and do a System Restore to a point in time before you were infected.
    6) After the System Restore is finished your machine should boot up into Normal Mode
    7) Run scans with Malwarebytes, SUPERAntiSpyware, and HitmanPro.
    8) This should take care of the problem!

    P.S I realize that this may sound very confusing. If you would like for me to help you “hands on”, please contact me through my website email address.

    Best wishes,
    Randy Knowles

  • EulerSteven
    8:26 pm on April 1st, 2013 63

    This is really a tricky virus. It seems to morph quickly. It freezes the computer till the computer is purged of the virus.

    One of the things I found helpful was to disconnect the internet wire from the computer. Shut the computer off. Turn the computer on in SafeMode by pressing F8.

    What I have found is that the virus shuts the computer down before Malwarebytes can purge the virus. Or the virus shuts the computer down before system restore can be completed. In effect there ends up being no way to get rid of the virus. (If the computer does not shut down, MalwareBytes or System Restore will purge the virus.)

    I have downloaded (FREE) Emisoft Emergency Kit onto a USB flashdrive. Open in safemode, then go to the flash drive and operate the cleaner from there–it can access the command line–a 40 minute scan, or it can do a quick one minute scan. And that one minute could be the only time available, if the virus shuts the computer down before MalwareBytes 5 minute scan or System Restore. By all means, practice a bit with the Emisoft Emergency Kit so that you get comfortable with it; it is not terribly complex but it does have a slight learning curve.

    There is really no point to the virus. No one is going to pay $200 to ransom ware; there is not likely any chance that it can damage a computer by deleting operational files or systems, there is little likelihood that it will steal your finances–unless you give them your bank account number when anyone makes a payment to them. So the virus is just in existence to annoy people–which it does very well.

    Why the antivirus programs cannot catch this annoying virus is beyond comprehension–but for some reason, they can’t. When people pay good money for that virus protection–IT SHOULD WORK!

    Best of luck to those so afflicted. Hope these hints work.

  • Matthew
    5:09 pm on April 2nd, 2013 64

    I have the virus on my Toshiba laptop with win 7 and Microsoft security essentials and I found the file ctfmon.exe but can’t delete it cause it says I need permission from Microsoft. What can I do cause I have tried so many things. I’ve deleted alot of temp files that were suspicious. Please help.

  • Help
    2:45 pm on April 4th, 2013 65

    This is for Win7 Pro, I have the moneypak virus and removed it without any trojan or virus software BUT I forgot how too. I cannot use any of the safe mode functions. I think I did something like this last time I removed it. I think i used the command prompt but I cannot not get to the command prompt, the virus executes right to the desktop and of course I cannot use the task manager. Any users have the same probelm please post the solution. This problem will be rectified by me. What is ironic I am using Kaspersky and they should have added the virus to their database (:

  • Russian001
    11:29 am on April 16th, 2013 66

    I literally fell out of my office chair laughing at post #3!!!!!

  • John
    9:41 am on April 19th, 2013 67

    Thank you Randy for this helpful info. So many places did not have this simple removal info, they wanted you to download first some removal tool, then run it… I find that kinda sketchy. But I had removed this once before, and your instructions were what I was exactly looking for.

    Now, I did get Malwarebytes after I did the above, cause Bitdefender is good, but it takes a awhile on my system.

  • ralph
    9:33 pm on April 20th, 2013 68

    When I cut my computer on a black screen appears that says boot manager missing press control alt delete to restart. Pressing control alt delete brings me back to the same screen. F8. Doesn’t work. F11 for system recovery starts but then the computer shuts down. What can I do to rid my computer of this virus.

  • Randy Knowles
    12:29 pm on April 21st, 2013 69

    Thanks for the comment Ralph,

    If your boot manager is missing try this: http://www.techsupportalert.com/content/how-fix-bootmgr-missing-error-vista-and-windows-7.htm
    You probably don’t have a virus just a problem as described in the article.
    Best wishes,
    Randy Knowles

  • Randy Knowles
    12:33 pm on April 21st, 2013 70

    Thanks for the nice comment John,

    I’m glad that the post helped you. The FBI virus has many variants. Unfortunately a lot of people are trying to take advantage of the FBI removal process.

    Best wishes,
    Randy Knowles

  • Kenny G
    10:44 pm on April 27th, 2013 71

    Got this FBI bug bad… Will not boot into Safe Mode. Last thing displayed is hpdskflt, then reboots. When it boots normally, I get a white screen over everything. And if I take my disk and connect it to another computer, the drive shows as unformatted. Tried using my WIndows XP (yes still running that) for recovery, but even the console can’t see any files or directories.

    I tried using data recovery programs, but nothing can see the files. At this point in time, don’t care about the OS, but want the data files.

    Been searching all day for an answer and can’t find anything that works. HELP!!!!!!!!!!!!!! and Thank you.

  • Randy Knowles
    3:54 pm on April 29th, 2013 72

    Thanks for the comment Kenny,

    I don’t doubt that you got bit by the FBI Virus but what you are describing is a Hard Drive problem. The first thing that I would do is clone the drive (http://www.makeuseof.com/tag/how-to-clone-your-hard-drive/). I use Clonezilla but you may want to use Acronis (http://www.acronis.com/homecomputing/products/trueimage/).

    The next thing that I would do is boot the machine with a Live CD Repair Disk like UBCD (http://www.ubcd4win.com/) and see if you can see the data from the original drive. You can also run a chkdsk/ r from UBCD and you may be able to then see the data that is on the drive.

    As a last resort you can send the drive to a data recovery outfit like (http://www.nationwidedatarecovery.com/). Let me know how it goes.

    Best wishes,
    Randy Knowles

  • Kenny G
    12:32 pm on April 30th, 2013 73

    Thank you… The harddrive is fine… It is completely functional and will boot… the virus just won’t let me do anything… It really does seem to be encrypted.

    I’ve already tried to recover the disk using tools, but I really do think it is encrypted. I have other colleagues who describe these exact symptoms with encrypted disks.

    I am hoping that later today I will get this fixed

  • Sabina
    11:35 pm on August 15th, 2013 74

    I get to the part to delete the exe files and the computer will not let me. I get a message saying files/c drive are corrupted and cannot remove the files. I do not know how to override this or work around it. I have an asus and cannot find a way to boot from a usb drive.

  • Alex7
    4:34 pm on November 3rd, 2013 75

    When i start my computer with any safe mode it just shut down? What can i do?

 

RSS feed for comments on this post | TrackBack URI