Your daily technology class with Professor Randy!!

Randy The Tech Professor

February 16, 2013 at 2:13 pm

How I Removed The FBI MoneyPak Virus (Again)!



Hello everyone,

Then FBI MoneyPak virus is still going strong and continues to reek havoc whenever it can. In a previous post I told you how I removed this nasty virus, but I must tell you that the virus has many variants and has morphed greatly since it first appeared.

So, I got a call the other day from a frantic client who was extremely nervous about going to jail. He told me that the FBI had confiscated his computer and was demanding that he pay $200.00 or else face going to the “slammer” for four to twelve years.

I went over to the clients house, turned on his machine, and sure enough the FBI screen popped up and audibly told me over and over again of  the illegal activity, and that arrest was 72 hours away if I didn’t “pay up”. I knew that this was going to be a “tough one”, so I took the clients computer to my shop and here is what I found and what I did:

1) I turned on the machine and started tapping the F8 key in order to boot the machine into Safe Mode. This did not work! The virus had rendered Safe Mode unusable! But I wasn’t too worried because I had some other tricks up my sleeve.

2) I got out my trusty Kaspersky Rescue Disk, popped it into the CD drive and attempted to boot up the machine from the CD drive. This did not work! The FBI virus would not allow the Kaspersky Disk to fully load! I wasn’t too worried though because I had some other tricks up my sleeve!

3) I got out my trusty Trinity Rescue Kit CD , popped it into the CD drive and attempted to boot up the machine from the CD drive. This did not work! The FBI virus would not allow the Trinity bootable CD to fully load! Now I was starting to get excited because things were getting interesting! It was me against the virus and I relished the challenge. As a true computer repair tech, I dug in deeper and thought “bring it on” you miserable piece of “crap” virus!

4) I knew that I had to access the infected machines hard drive somehow, so I attempted to boot the machine with Hiren’s BootCD. This did work! Hiren’s booted up and at the Hiren’s boot options screen I choose Mini Windows XP.

5) Once the Mini Windows XP OS screen appeared, I clicked on the HBCD Menu in order to access a list of all the Hiren’s repair tools. From the selection of Antivirus tools, I ran a scan with GMER and Avira AntiVir Personal (I updated these before scanning – internet connection was up and running).

6) After running these two scans, I was able to reboot the machine into Safe Mode. Once the computer had booted into Safe Mode I did a System Restore to a date before the computer had become infected (I chose two weeks earlier).

7) After the System Restore had finished running, the machine booted into Normal Mode and I completed the clean up by running HitmanPro, ESET Online Scanner, and Comodo Cleaning Essentials.

8) Bye, bye, FBI!!

Professor Randy says: I wish there was some easier way to remove this insidious nuisance but different variants are becoming a bit harder to remove as time progresses. In my next post I’ll tell you of yet another way that you can thoroughly remove this plague from your system.



Tags: , ,
  • aj
    12:52 pm on February 19th, 2013 1

    “Perseverance furthers.”
    That’s a quote from an ancient Asian book of wisdom.

    Along that line, why do you suppose your first two attempts to use a boot CD failed but the third was successful? Did the Hiren’s CD contain a non-Windows OS while the other two relied on some file on the infected hard drive? Curious, no?

  • Randy Knowles
    4:07 pm on February 19th, 2013 2

    Thanks for the comment aj,

    Actually both the Trinity and the Kaspersky CDs booted, but they would not fully load. Both stopped during the “OK” sequences and never got to their actual menu. I’ll reword it in the original post.
    I just got a call from another client with the FBI virus so I’ll try things again and post the results as soon as I have them.

    Best wishes,
    Randy Knowles

  • Nanu
    1:26 pm on August 24th, 2013 3

    I am infected by last.exe. Malwarebytes detected it as a backdoor poison and it said that it had removed this file but upon restarting the file was still present. Virustotal link of the file is

    Now I loaded minixp and went to the file’s location to delete it, which is C:\Documents and Settings\Computer\Local Settings\Application Data\Xenocode\Sandbox\COMODO \4.00.000\2010.11.27T19.25\Virtual\STUBEXE\[at]APPDA TA[at], but it kept on saying cannot find path of comodo folder or something. I NEVER installed comodo AV, been a user of KAV. What should i do now?

  • Randy Knowles
    9:44 pm on August 24th, 2013 4

    Hello Nanu,

    Use the Kaspersky Rescue Disk 10 ( Burn the .iso file to cd/dvd, boot your machine using the disk, get the most recent updates, run the scan, get rid of all infections found, reboot. The Kaspersky Rescue Disk will clean the infection and you’ll be good to go!

    Best wishes,
    Randy Knowles

  • music recycler
    7:00 pm on November 2nd, 2014 5

    I got rid of MoneyPak on XP. My version disabled safe mode by replacing user32.dll. Then it deleted my entire .Net Framework 4 directory and dropped in a 20 mbyte executable version of mscorsvw.exe, a filename used in .Net Framework installations. Only Hitman was able to do identify those files but did not seem to fix them. I had to boot with Hitman & identify the files then had to boot with a rescue CD, any one will work, and replace user32.dll with a good one and delete the other file and reinstall .Net Framework 4 later on.


RSS feed for comments on this post | TrackBack URI