In some reported instances, victims have received phone calls from criminals claiming to be Microsoft employees (or staff of other well-known companies), informing them that their computer systems have been infected with malware. These phone calls are associated with this particular type of malware. If you receive a call like this, keep in mind that the caller is not a Microsoft employee (nor a representative of any other legitimate organization), and contact the appropriate law enforcement agency for your geographic location. These phone calls are a form of "phishing" scheme and may or may not be related to the FBI Moneypak virus.
If you are infected with ransomware such as the FBI Moneypak virus, your personal data and the functionality of your computer system are already at very high risk. If the infected computer is powered on and connected to the internet, the Trojan horses involved may have complete control of the system and access to every piece of stored data.
The main purpose of this ransomware is to scare unsuspecting victims into believing they are in trouble with a law enforcement authority so that they willingly pay the fine stated on the prompted "alert page". That does not mean the infection will not also hibernate (remain undetected) on the infected system in order to exploit vulnerabilities through other malicious practices besides locking the system. It has been reported that the FBI Moneypak virus may collect private information while remaining in the background.
How To Remove the MoneyPak Virus
There are many different variants of the MoneyPak virus, but in almost all cases they only affect a single user account on the computer. If you are able to log in as another user, removal is much easier. The basic steps to remove the virus are as follows:
Step 1: Login as a Different User
If you have multiple accounts on the computer, simply log in as a user that is not affected and run your antivirus software.
If you are unable to log in as a different user, see Step 2 (Create a New User).
If your antivirus software is unable to remove the MoneyPak Virus, see Step 3 (Manual Removal).
Step 2: Create a New User
--Restart your computer and press F8 during the boot process.
--Select "Safe Mode with Command Prompt".
--At the command prompt, type "control userpasswords2".
--Click the "Add..." button.
--Enter a name and password, then click Next.
--Log in as the new user.
--Run antivirus software. If antivirus software does not remove the MoneyPak virus, see Step 3 (Manual Removal).
Step 3: Manual Removal (Optional)
If your antivirus software is unable to remove the MoneyPak virus, you may also remove the virus manually by deleting the files:
**Do not worry if you do not see cftmon.exe listed above; it is not in every variant of the MoneyPak Virus.
**The file rool0_pk.exe may have a different name, but it should be similar in structure. It may also be accompanied by a [random].mof file.
Other file names that have been known to be associated with the MoneyPak Virus include, but are not limited to:
%Program Files%\FBI Moneypak Virus
%Documents and Settings%\[UserName]\Application Data\[random].exe
%Documents and Settings%\[UserName]\Desktop\[random].lnk
%Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
%CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
%UserProfile%\Desktop\FBI Moneypak Virus.lnk
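As an added example (not part of the original article), the following PowerShell script checks the locations listed above on a live system; run it from an unaffected account as in Step 1 or Step 2. It assumes the Vista-and-later profile layout alongside the XP-era one, treats the article's [random] placeholder as a wildcard, and the variable names are my own.

```powershell
# Added example, not from the original article: report files matching the
# artifact locations the article lists for FBI MoneyPak variants.
# [random] is treated as a wildcard; [UserName] is expanded for every local
# profile. %Documents and Settings%\...\Application Data is the XP layout;
# on Vista and later the same data lives under AppData\Roaming.

$profilesRoot    = Split-Path $env:USERPROFILE -Parent   # C:\Users or C:\Documents and Settings
$commonStartMenu = [Environment]::GetFolderPath('CommonStartMenu')
$commonAppData   = [Environment]::GetFolderPath('CommonApplicationData')

# Fixed-location indicators from the article
$fixed = @(
    (Join-Path ${env:ProgramFiles} 'FBI Moneypak Virus'),
    (Join-Path $commonAppData 'FBI Moneypak Virus'),
    (Join-Path $commonStartMenu 'Programs\FBI Moneypak Virus.lnk')
)

# Per-profile indicators; '*' replaces the article's [random] placeholder
$perProfile = @(
    'AppData\Roaming\*.exe',
    'AppData\Roaming\*.mof',
    'Application Data\*.exe',      # XP layout
    'Application Data\*.mof',
    'Desktop\*.lnk',
    'Desktop\FBI Moneypak Virus.lnk'
)

$hits = @()
foreach ($p in $fixed) {
    if (Test-Path -LiteralPath $p) { $hits += Get-Item -LiteralPath $p }
}
foreach ($profile in Get-ChildItem -Path $profilesRoot -Directory) {
    foreach ($pattern in $perProfile) {
        $hits += Get-ChildItem -Path (Join-Path $profile.FullName $pattern) -ErrorAction SilentlyContinue
    }
}

# Report only; Desktop\*.lnk is a loose pattern and will also match legitimate
# shortcuts, so each hit needs a human review before anything is deleted.
$hits | Sort-Object FullName -Unique |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

A hit under AppData\Roaming or Application Data with a recent LastWriteTime and a random-looking name is the strongest signal; a shortcut on the Desktop on its own proves nothing.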
Sometimes none of the above steps work on a particular variant of the MoneyPak Virus. If you find yourself in this situation, use the free utilities below to remove the MoneyPak virus from your computer. These utilities do require some knowledge of burning CDs, building bootable USB drives, and enabling your computer to boot from these types of media.
Windows Defender Offline:
Kaspersky Rescue Disk: