Remove the MoneyPak FBI virus

A couple of weeks ago, one of my clients had a machine infected by the MoneyPak FBI scam virus/malware. The MoneyPak variant works by suppressing all other programs, basically rendering the system unusable, while displaying a fake warning message from the FBI stating that all activities on the PC are being recorded/encrypted. The fake message is a creative spin on the traditional blackmail-ware type of scam, where the computer is rendered useless after boot-up with the intention of making the end user pay a sum of money to regain access to their system. Here’s how to get rid of the MoneyPak malware.

[the problem]

Computer is infected by MoneyPak malware/spyware variant.

[screenshot: the fake FBI warning displayed by the MoneyPak malware]

[requirements]

[solution 1] This solution only works if you have access to another account with admin privileges on the infected computer.

[step 1] On a working computer, download the latest versions of RogueKiller, Malwarebytes and ESET Online Scanner to a thumb drive.

[step 2] Reboot the infected system into Safe Mode or Safe Mode with Networking. NOTE: DO NOT LOG IN AS THE USER UNDER WHICH THE SYSTEM WAS INFECTED. In my experience this malware will work even in Safe Mode if the system is logged in under the infected user account.

[step 3] If you are able to log in and use the computer in Safe Mode under this secondary user account, run RogueKiller and remove any found items. Then run Malwarebytes (FULL SCAN) and ESET Online Scanner, remove any items they find, and reboot the system.

That’s it.

[solution 2] This solution works only if you are able to remove the hard drive and connect it to a known working system using a USB-to-SATA adapter.

[step 1] Remove infected hard drive from computer and connect it to the known working machine using a USB-to-SATA adapter.

[step 2] Run a Malwarebytes full scan on the infected hard drive and remove any found items.

[step 3] Run the ESET Online Scanner on the infected hard drive and remove any found items.

[step 4] Put the previously infected hard drive back into the computer and boot it up normally… cross your fingers.

That’s it.
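As an added example (not part of the original post), the PowerShell below complements both solutions: it loads the infected user's NTUSER.DAT hive offline, from the clean admin account in solution 1 or from the attached drive in solution 2, and lists the per-user autostart entries (Run, RunOnce, Winlogon Shell/Userinit and the Startup folder) so you can see what that account launches at logon without ever logging in as it. The hive path, user name, drive letter and mount name are assumptions; adjust them to your case.

```powershell
# Added example, not from the original post. Loads the infected user's
# registry hive (NTUSER.DAT) offline and lists its per-user autostart
# entries, so you can see what starts with that account without logging in.
# Run from an elevated PowerShell prompt on the clean admin account
# (solution 1) or on the clean machine with the drive attached (solution 2).
param(
    # Hypothetical paths: C:\Users\<infected user>\NTUSER.DAT in solution 1,
    # or the attached drive's letter (here E:) in solution 2.
    [string]$HivePath  = 'E:\Users\InfectedUser\NTUSER.DAT',
    [string]$MountName = 'OfflineUser'   # temporary name under HKEY_USERS
)

# Per-user registry locations that launch programs when the user logs on.
$autostartKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell / Userinit
)

# Mount the hive under HKEY_USERS\<MountName>. Fails if that user is logged in.
& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive '$HivePath'." }

try {
    foreach ($sub in $autostartKeys) {
        $key = "Registry::HKEY_USERS\$MountName\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # registry provider metadata
            # Under Winlogon only Shell and Userinit matter: a program that
            # replaces explorer.exe as the user's shell shows up here.
            if ($sub -like '*Winlogon' -and @('Shell', 'Userinit') -notcontains $p.Name) { continue }
            [pscustomobject]@{ Key = $sub; Name = $p.Name; Value = $p.Value }
        }
    }

    # The user's Startup folder is the other per-user autostart location.
    $profileDir = Split-Path -Parent $HivePath
    $startup = Join-Path $profileDir 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    if (Test-Path -LiteralPath $startup) {
        Get-ChildItem -LiteralPath $startup -Force |
            ForEach-Object { [pscustomobject]@{ Key = 'Startup folder'; Name = $_.Name; Value = $_.FullName } }
    }
}
finally {
    # Release the provider's key handles first, otherwise reg unload reports the key is in use.
    [GC]::Collect()
    & reg.exe unload "HKU\$MountName" | Out-Null
}
```

Anything listed that you do not recognise is what to look up before the scanners run; the scanners in steps 2 and 3 still do the actual removal.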