Remove Latest FBI MoneyPak Virus Despite Safe Mode Forced Restart

FBI MoneyPak Virus

The FBI MoneyPak virus has been around for a while now and has had one of the highest infection rates to date. When it originally hit computers around the world, removal of the virus was very simple through safe mode. Although the latest version of FBI MoneyPak forces a reboot when in safe mode, following these steps will clear your system of the malware.

The FBI MoneyPak virus is famous for scaring users into believing they have been accused of watching illegal content online.

Attention: Your computer has been locked. Your PC is blocked due to at least one of the reasons specified below…

The original virus would infect the ctfmon.exe system file which is often executed as a startup program. The original fix was to simply boot the computer into safe mode and remove ctfmon from the startup programs, then the computer could be booted and scanned for viruses. FBI MoneyPak 2.0 (as I call it) has hit the streets and now forces your computer to restart upon booting into safe mode. Originally I thought the only fix would be to hook the hard drive up to a different machine to perform the removal. However, I have managed to trick the virus once again and through these directions you can remove the virus safely.

Update

This technique has worked for many users. I have not personally come across a version of this virus that kicks me out of all 3 safe modes. However, for some mutations of the virus, a few users are still having issues.

If this process does not work for you, do not fret! There is an alternative method that will work, but it’s more complicated. “Remove the FBI MoneyPak Virus Using Hiren’s BootCD” is an alternative that works even if this article does not. So try the steps below. If they are unsuccessful, then move on to using the BootCD.

Steps for virus removal

1. Though the new FBI MoneyPak virus shuts down safe mode, it cannot shut down “Safe Mode with Command Prompt” as no programs can be started on startup with this option. Booting into “Safe Mode with Command Prompt” can be different per system, but the most common method is to tap the F8 key repeatedly as soon as you power your computer on. You may hear beeping or see “Keyboard Failure” displayed on the screen, but pay no mind to these warnings. Your computer should never make it to the boot screen for Windows, but should display a screen with options including “Safe Mode”, “Safe Mode with Networking”, “Safe Mode with Command Prompt”, “Repair your Computer”, etc. You need to select the “Safe Mode with Command Prompt” option and then hit the Enter key. This will boot the computer with minimal drivers, and no startup programs will run except cmd.exe.

2. In order to run the appropriate files needed, you may first need to know how to navigate around the command prompt. (NOTE: Many systems default to the appropriate WINDOWS\System32 directory, but I have seen a few that do not. I’ve yet to determine what causes this default directory not to be loaded, so if yours isn’t in the directory, read on.) The directory you need to browse to is C:\WINDOWS\System32. If you do not see this file path displayed in the command prompt then you will need to manually change to that directory. To do so, type “cd ..” until you only see “C:\>” displayed as the current file path. The “cd” command means “Change Directory” and the “..” means go up one directory. Once you’re at C:\> you need to change directory down, into Windows, and then into System32. To do so, type “cd WINDOWS”, and then “cd System32”. You should now see “C:\WINDOWS\System32>” displayed as your current directory.

3. The file you need to run is “control.exe” which will launch the Control Panel. To do so, simply type “control.exe” and hit Enter. It may take a few seconds to initiate the Control Panel, as GUI-based applications generally are not started from this Command Prompt view. Once the Control Panel is open, navigate to User Accounts.

4. The overall objective is to create a new temporary user account to perform the virus removal. In the User Accounts window, click Manage Another User or Create New User. One of these two should give you an option to set up a new user account. The new user MUST be set to an Administrator. Once you have created the user account, ensure that it shows up in User Accounts before closing the window. Once you’ve done all this and verified that the account showed up in User Accounts, you can restart your computer. This time do not tap F8; instead, let the computer boot as it normally would.

5. If your computer boots directly into your user account by default, you may find yourself stuck again at the FBI MoneyPak screen. The objective is to log into the other user account, and the virus allows this, but it can be tricky to do. If you are presented with a window where you can select the new user account that you made then skip to step 6. There are two ways to get back to the login screen while at the MoneyPak screen. On all Windows platforms the key combination winkey+L will send you to the login screen. The Winkey button is the one between Ctrl and Alt keys. If you’re running Windows Vista/7/8 then you have an alternate path. Pressing Ctrl+Alt+Delete should present you with the Windows Lock Screen with the option to Switch User. Clicking Switch User should bring you to the Login screen.

6. Log into the new user account that you created in Safe Mode. You will probably see a couple of screens helping you set up your new user account. After that you will be presented with a clean desktop and be able to browse around and use the computer as a new user. This account is just temporary, so do not worry if it does not appear as your normal desktop. Open a web browser and download Malwarebytes Anti-Malware. The software is excellent and you should consider purchasing it. The free version, however, will remove the virus. Download and install the program. Once it has finished installing it may need to restart the PC. After the restart you may have to repeat step 5 again to get back to your new temporary user account.

7. After you enter your temporary account after the reboot, run Malwarebytes and allow it to check for updates. If it does not do so automatically, click the Update tab in the user interface and then the Check for Updates button. Now, go back to the Scanner tab and click Perform Full Scan. Quick Scan usually removes the current version of the MoneyPak virus, but it is always better to be safe than sorry with the full scan. The scan can take anywhere from 10 minutes to 5 hours depending on the speed of your system’s hardware. Once the scan is complete, you must click the Show Results button in the lower right-hand corner of Malwarebytes. This will bring you to a new screen with a list of all infections found. Check the check box to the left of every item in the list, then click Remove Selected. You will be prompted to restart your computer. The infected files will not be removed until you restart.

8. Once the computer boots back up, your regular user account should be in proper working order. You can now go back to Control Panel then User Accounts and remove the temporary user account created.
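
The account handling in steps 3, 4 and 8 can also be done from the command prompt you are already in, without opening the Control Panel. The batch file below is an added example, not part of the original article; the account name TempFix is a placeholder chosen here, and the group name Administrators assumes an English-language Windows installation.

```batch
@echo off
rem Added example: command-line equivalent of steps 3, 4 and 8.
rem TempFix is a hypothetical account name chosen for this example.
rem Usage:  tempadmin.bat create   (in Safe Mode with Command Prompt)
rem         tempadmin.bat remove   (from your regular account, after cleanup)
setlocal
set "ACCT=TempFix"

if /i "%~1"=="create" goto create
if /i "%~1"=="remove" goto remove
echo Usage: %~nx0 create ^| remove
exit /b 1

:create
rem Refuse to touch an account that already exists.
net user "%ACCT%" >nul 2>&1
if not errorlevel 1 (
    echo Account %ACCT% already exists. Pick another name.
    exit /b 1
)
rem The * makes NET USER prompt for the password, so it is never stored in this file.
net user "%ACCT%" * /add
if errorlevel 1 (
    echo Could not create %ACCT%. This needs an administrator command prompt.
    exit /b 1
)
rem Step 4: the new user must be an Administrator.
net localgroup Administrators "%ACCT%" /add
if errorlevel 1 exit /b 1
rem Step 4 also says to confirm the account shows up before restarting.
net localgroup Administrators
exit /b 0

:remove
rem Step 8: delete the temporary account once the regular account works again.
net user "%ACCT%" /delete
if errorlevel 1 exit /b 1
rem List the remaining administrators so a leftover account is easy to spot.
net localgroup Administrators
exit /b 0
```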

 

About Aaron St. Clair

Aaron St. Clair is a tech guru studying Computer Science at Appalachian State University in Boone, North Carolina. When he's not tinkering with new gadgets, modding systems, or slaving away at the mercy of the Tech-Recipe overlords, you can find him exploring the high country.


279 Responses to “Remove Latest FBI MoneyPak Virus Despite Safe Mode Forced Restart”

  1. February 14, 2013 at 4:11 pm, franciscovj said:

    A few notes to add:

    1. On step 6 you want to log in as Safe Mode With Networking, not just Safe Mode. Something obvious for people in IT but not for the average user.

    2. Installing programs in Safe Mode does not work by default so you either enable it on below link or save the file and restart in regular mode and install it:

    http://www.symantec.com/connect/blogs/windows-installer-safe-mode


    • February 14, 2013 at 4:15 pm, Aaron St. Clair said:

      Safe Mode and Safe Mode with Networking are both forced to shut down with the latest MoneyPak, so neither work. That’s why I’m using the Command Prompt version. Also, the instructions say to install the program after a normal boot into the new user account, so installing in safe mode shouldn’t be an issue! Thanks for the input! I’ve learned something new too. Did not know there was a way to keep installations in safe mode.


      • May 11, 2013 at 8:34 am, Ftg said:

        My computer is shutting down in every type of safe mode. Is there another way of removing the virus?


      • May 14, 2013 at 12:55 am, Tye McLoche said:

        The MoneyPak virus that I have will not even allow me to start it in Safe Mode with Command Prompt. As soon as it gets to the Command Prompt, it is shutting down my computer and restarting. What is the next step? Boot from disk in MS Dos?


        • May 31, 2013 at 12:36 pm, Keegan said:

          We at my tech company have just run into two clients’ computers that have this variant on them. No safe mode at all.


        • June 07, 2013 at 1:49 pm, Jason said:

          My friend’s computer also will not even allow you to use Safe Mode Command prompt.


          • July 13, 2013 at 12:13 am, Lisa said:

            thank you… thank you… thank you… thank you… thank you…

        • June 24, 2013 at 12:26 pm, Chris said:

          The same is happening to my computer. Is there any way to fix it or do I need to bring it in somewhere?


      • June 02, 2013 at 11:39 am, Norma said:

        Thank you so much Aaron! None of the other safe mode instructions worked until I found your instructions with the command prompt. You are a genius! Thanks again!


      • June 03, 2013 at 4:03 pm, Brian Barnes said:

        Hi Aaron, been fighting Spyware, Malware, Greyware, & Adware from the beginning of its inception. I have always been able to fight back and beat the bad guys. Although there are several new FBI Warning Variants in the wild now that have mutated into new FBI Warning Strains. Safe Mode does not work at all and if you even try any of the Safe Mode methods the computer will “BLUE SCREEN” of Death on you which forces you back into Normal Mode.

        I am currently working on one of my new tools that will Boot into Linux off a Flash Drive where I will then run my virus fighting attack tools to take out & kill the FBI Virus. A new thing I have noticed the virus doing is creating common program executable files under the main User Account Profile, like googleupdate.exe or skype.exe, or chrome.exe. Some type of common program .exe file that you might otherwise overlook but it doesn’t belong there in the first place. So these are just a few things I have noticed and picked up about the new FBI Warning Virus strain.


      • October 26, 2013 at 1:10 pm, Fred said:

        After creating the new user, and deleting the virus, I went back to the original user prompt and was directed back to the command prompt page (C:/windows/system 32). I exited that page, and am now on a completely blank black page where nothing happens. The cursor doesn’t appear, and nothing can be done.
        If I use win-l, I am directed back to the login page where both account logos appear, and I am able to use the new login identity. If I use the original identity, I get the black page.
        Any ideas?
        Thanks,
        Fred


        • October 28, 2013 at 11:18 am, Marvin said:

          Fred,
          I had/have the same problem after virus removal, my new account works but I get the black screen in my original account. To get around it I now have to manually run explorer by typing explorer.exe into the command prompt window every time I restart my computer.
          Hope the same works for you,
          Marvin

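
An added example (not from the article or from any commenter) of read-only checks to run after the scan from the account that still misbehaves. It covers the startup programs the article mentions, the stray executables under the user profile that Brian describes, and the setting that decides which program Windows starts as the desktop. Checking the Winlogon Shell value is an assumption made here; the page does not say what this variant changes.

```batch
@echo off
rem Added example: read-only leftovers check. It changes nothing on the system.
rem Run it from a command prompt inside the account that still misbehaves,
rem because the HKCU keys below belong to whoever is logged on.
setlocal

echo === Run keys: programs started at every logon ===
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

echo.
echo === Winlogon Shell: the program started as the desktop ===
rem The machine-wide value is normally explorer.exe.
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
rem A per-user value normally does not exist; if present it overrides the one above.
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell 2>nul
if errorlevel 1 echo No per-user Shell value found, which is the normal state.

echo.
echo === Startup folders ===
rem Vista/7/8 location first, then the XP location.
set "SF_NEW=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
set "SF_XP=%USERPROFILE%\Start Menu\Programs\Startup"
if exist "%SF_NEW%" dir /a /b "%SF_NEW%"
if exist "%SF_XP%" dir /a /b "%SF_XP%"

echo.
echo === Executables sitting directly in a user profile folder ===
rem Installed programs live under Program Files or in AppData subfolders, so an
rem .exe in the top level of a profile deserves a closer look whatever its name.
rem The parent of %USERPROFILE% is the folder that holds every profile.
for %%I in ("%USERPROFILE%\..") do set "PROFILES=%%~fI"
for /d %%P in ("%PROFILES%\*") do (
    rem /a includes hidden and system files, /a:-d leaves out directories.
    dir /a:-d /b "%%P\*.exe" >nul 2>&1 && (
        echo %%P
        dir /a:-d /b "%%P\*.exe"
    )
)
endlocal
```

Anything listed in the last section, or any Run or Shell entry that points into a user profile or a temporary folder, is worth submitting to the scanner before the temporary account is removed.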

    • August 05, 2013 at 12:51 am, Scottie said:

      I just restarted my computer and it went away. Is it really gone?


  2. February 26, 2013 at 9:14 am, Brent Marvich said:

    You can skip all the way to step 6 if you have already created a “back door” account. Something I do on all my system builds, among other things…

    I can not count the times I needed to log into a computer and the administrator account/ user account was corrupt/disabled or password was changed.

    This can be done with a simple batch file to save even more time…

    ***SAVE THE FOLLOWING TO A TEXT FILE***

    ECHO This will create the user backdoor with password backdoor!

    NET USER backdoor backdoor! /ADD /EXPIRES:NEVER /PASSWORDCHG:NO

    NET LOCALGROUP "Administrators" backdoor /ADD

    NET LOCALGROUP "Users" backdoor /DELETE

    WMIC USERACCOUNT WHERE "Name='backdoor'" SET PasswordExpires=FALSE

    ***DO NOT ADD THIS LINE OR ANY BELOW THIS LINE***

    rename the text file as a .bat file instead of .txt and run it from the command prompt.

    Now this virus is nasty and I have seen a few different versions of it with varying complexities. Most of them have a rootkit associated with them which if not removed completely will come back. After running MalwareBytes Anti-malware and then logging in as your normal account, you should run MalwareBytes Anti-rootkit just to be safe.


    • April 30, 2013 at 5:21 pm, Hung Tran said:

      Your instruction works fine. Thank you


    • May 18, 2013 at 4:20 pm, Wendy said:

      I can not work in safe mode neither can I create another account. What options do I have?


    • May 21, 2013 at 5:41 pm, Rick said:

      URGENT:

      I think, it is safer to create an ISO boot Disk; then add any “boot.bat” commands

      Then, download and create an ISO image on a SAFE COMPUTER is more likely a REAL ANSWER…

      to many simple minds, including mine

      Thank you!


    • February 02, 2014 at 11:44 pm, the truth said:

      another way that works log on admin account Ctrl alt del log on user account Ctrl alt del log off screen may pop up wait while programs close the virus screen will go away cancel log off run hitman pro and malware bites virus gone and easily so good luck


  3. February 27, 2013 at 2:33 am, xanjabu said:

    Or in the case of Vista/7 (not sure about 8 as not used it yet) you don’t need to create a new account, just enable the disabled Administrator account.

    At command prompt type net user administrator /active:yes

    Reboot and login.

    Once removed, go back to your ordinary account and bring up command prompt and shut down the administrator account (until next time…)

    net user administrator /active:no

    Thanks for the article :-)


  4. March 08, 2013 at 10:16 pm, Ray said:

    Thank you so much!!!


    • May 31, 2013 at 8:19 am, Kevin said:

      Ditto that. Thanks!


  6. March 29, 2013 at 6:13 pm, natalie said:

    I just wanted to say THANK YOU so much!!! These instructions got the virus off my computer and saved me a lot of money! I appreciate it!!!


  7. March 30, 2013 at 4:52 pm, Jacob said:

    THANK YOU SO MUCH!!! I cant thank you enough!!! You have saved my computer…


  8. April 04, 2013 at 12:46 am, frank said:

    Such a great help!
    Easy to follow and execute!!
    Virus is gone!!!


  9. April 09, 2013 at 3:07 pm, andraz said:

    thank you for the solution with command prompt, it works great with new versions of the scam

    when you start control.exe, you can also activate a restore point.


  10. April 09, 2013 at 7:06 pm, Brian said:

    Thanks, I followed your great instructions and got back up & running! GREAT WORK!


    • April 10, 2013 at 12:57 pm, Aaron St. Clair said:

      I’m glad everyone has been able to remove this virus successfully! It took me a little while to dig through the CMD and different safe modes until I found a solution… Didn’t see the need for others to endure the same torment! Hopefully this has saved somebody from falling for the scam!


      • May 17, 2013 at 8:18 pm, Beth said:

        I’m having the same problem, but when I try to open the control it tells me I don’t have permission. Any other way around it?


  11. April 10, 2013 at 12:48 pm, Justin W said:

    Thank you for being a saint, this virus is disturbing. Scanning with Malware Bytes, hasn’t found it yet and it’s been through 50000 files. What if it doesn’t find it?


    • April 10, 2013 at 12:55 pm, Aaron St. Clair said:

      Ensure that you told it to do a Full Scan and not just a Quick Scan or Flash Scan. I’ve seen MBAM scan 600,000+ files before finding anything infected… Had to leave a customers house and return the next day to finish! The amount of files it scans really just depends on the programs you’re running on your computer and the amount of data you have as well. If you do work with taxes, AutoCAD, Adobe, etc. then you’ll be in the upwards of 200k before it finishes its scan. The /winsxs directory has about 50k files MBAM scans in that folder alone… So just sit tight and wait it out!

      Also, did you allow MBAM to Update before starting the scan? To make sure, click the Update tab at the top if the scan fails to find anything. Let it download the newest virus definitions then run the scan again.

      If you do manage to get through the virus scan and MBAM doesn’t find the infection, try running Trend Micro’s Housecall, Kaspersky’s TDSSKiller and your regular anti-virus scanner. All of those scans should find the FBI virus, but MBAM is my ole’ reliable when it comes to virus removal.


  12. April 14, 2013 at 10:20 am, Happy user said:

    Thank you so much for helping me I was so scared I thought I did something wrong man you rock


  13. April 17, 2013 at 1:56 pm, Shannon said:

    Thank you very much for the detailed step by step instructions to remove that nasty FBI green dot virus.
    Furthermore your instructions for removal were very simple to understand. Most of all it worked!!!!

    THANK YOU!!!!


  14. April 18, 2013 at 12:32 am, wes said:

    Article helped me to solve problem. Thank you very much! Nice work!


  15. April 18, 2013 at 10:21 pm, Karl Drumm said:

    Hello Aaron,
    I read your instruction on how to remove a virus from my computer but I am NOT sure if it will take care of the problem I have. See I don’t really know if my machine is really infested by a virus since I do not have any problems with reading and writing e-mails. However I do have a problem with downloading adobe flash, adobe player and other programs like running Spydoctor, malwarebytes even with AVG removed.
    You see every time I try to download I will receive a security warning message and cannot get any further which means I have to cancel or if I try to go ahead another window will open and ask me if I am really sure to continue.
    If I move the first window out of the way there is another window behind it where it shows a file moving from one folder to the next. There is no information on the page where the files are changing folders.
    One other problem is occurring that after it says that download was completed that I will not receive the “INSTALL” prompt therefore I cannot install and run any programs at all.
    Some icon which I click on on my desktop will open and I can do my work others will not work. All other symptoms which would indicate a virus like slow computer, pop-up, screen changes etc are not happening.
    I tried to run this in SAFE MODE and the machine acts the same way. I really don’t know what to do except clean the hard drive and start all over. I am completely lost in the world of computerspace. Can you please help me by answering my letter.
    I would appreciate if you would be so kind. This way I could learn something from you.

    Thanks Karl


    • April 21, 2013 at 11:55 am, Aaron St. Clair said:

      The fact that some programs function normally, but others do not, definitely sounds like a virus. What exactly happens when you try to run MalwareBytes? I think your first step to cleaning your computer will be to download and run rkill from Bleeping Computer. If you’re not able to download it from your computer, try doing it from at work or a friends computer. Rkill should stop any malicious processes that are running and preventing you from running programs. After running Rkill, reattempt to run Malwarebytes. Make sure you update the virus definitions before performing a full scan.


  16. April 20, 2013 at 3:17 am, Lithus said:

    It’s great to see that despite the bad people and losers who prey on ppl
    It’s great to see someone posting helpful stuff like this to fight back.
    Hackers are the lowest form of life, a cancer diagnosis would be too good for them…


    • April 21, 2013 at 11:49 am, Aaron St. Clair said:

      Heh, the moneypack virus isn’t really from hackers. It’s simply a social engineering scam.


  17. April 20, 2013 at 5:11 pm, Needhelp said:

    I tried to get into safe mode with command prompt but then it froze… maybe I was impatient but I held the power button for a hard shut down… now, I am unable to enter any safe mode… the only options available are startup repair and start windows normally… the safe mode options have not returned… help


    • April 21, 2013 at 11:48 am, Aaron St. Clair said:

      Hard resetting your PC while it’s booting can cause this looping cycle to occur. You need to tell it to start normally and let it boot up as if it isn’t infected. Then, once you have the moneypack virus on the screen after a full boot, push the power button once. Don’t long-press until it shuts down. Pressing it once makes Windows go through its regular shut down sequence and should keep you from getting the startup repair screen. As for no safe mode options, are you sure you’re pressing the correct Function key (usually F8)? The Safe Mode bootscreen should take priority over the startup repair screen you’re getting if you’re pressing the correct function key.


      • June 20, 2013 at 5:41 am, DEMETRIUS said:

        Hi, Aaron!

        The FBI virus is in my laptop; a Pavillion HP, Windows XP. The F8 key works but when whatever I choose it makes a cycle ending again to the same screen. Any suggestions?

        Thanks in advance,

        Demetrius


  18. April 22, 2013 at 10:24 am, CAC1031 said:

    Thank you! I looked at various methods posted on the internet to remove this thing without being able to get into safe mode and yours was the simplest, clearest method. At first I thought it wasn’t going to work as it never gave me a command prompt and eventually skipped to the login screen. But it worked on the second try. Thanks again.


  19. April 22, 2013 at 5:58 pm, Dave said:

    Thank you!! I spent hours on other forums with their “solutions”…Your solution was quick and easy. Great instructions.


  20. April 25, 2013 at 3:41 pm, Arjun said:

    Thank you so much. Your instruction worked wonders. Did not take me more than 20 mins to get rid of the malware. Keep up the good work and thank you soooooooooooooooooooooooooooooooooooo very much.


  21. April 25, 2013 at 6:04 pm, tascha said:

    You rock and saved my computer. Your directions were so easy to follow. Thank you thank you


  22. April 28, 2013 at 8:34 am, computer virus repair said:

    Thank you very much for these straightforward and easy instructions. I was able to remove this virus without losing any of my documents.


  23. April 28, 2013 at 1:00 pm, Jeff McKeever said:

    I hope this works!


    • April 28, 2013 at 1:04 pm, Aaron St. Clair said:

      So far it has worked for everyone! I just removed another case of this virus yesterday following these instructions to the T and all went smoothly!


  24. April 28, 2013 at 3:25 pm, Jeff McKeever said:

    When I followed your instructions and got to safe mode and typed in the control.exe command I got the following window: “Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access them.” The only option is “OK”. Not sure it’s important but at the top of the window there was this: {26EE0668-A00A-44D7-9371-BEB064C98683}. Any thoughts on how I should proceed?


  25. April 28, 2013 at 5:49 pm, George Miller said:

    Thank you very much, it worked


  26. April 28, 2013 at 11:33 pm, thanks said:

    THANK YOU!!!!!


  27. April 29, 2013 at 6:26 pm, Rocky said:

    Well, I think it has become bigger and better yet again. I have tried all of the suggestions to get into safe mode with Command Prompt… But no matter what I do, the FBI screen is there telling me to get out of safe mode and log onto the Internet. I saw the post about not hard booting and let the computer shutdown properly and then try safe mode with command prompt but it still won’t let me. I have tried all of the safe modes, I get the virus and won’t let me do anything. Please help! I see you were able to work your magic a few days ago… So I’m hoping there is still hope for me!


    • April 29, 2013 at 6:30 pm, Aaron St. Clair said:

      If you can’t get past it in any of the safe-modes, then you may can try using your system restore disk, and instead of telling it to install windows, choose Repair. There’s a repair option to run a Command Prompt. I’m not sure how functional that command prompt will be though… but you’re still not out of luck if that doesn’t work. The virus CAN be removed! But, if you cannot bypass it somehow on the actual machine it’s on, the hard drive will need to be removed and simply scanned using MalwareBytes on another computer.


      • April 29, 2013 at 7:23 pm, Rocky said:

        Thanks for the quick response! To give you more info, I do not have administrator privileges on this laptop myself, so when it comes to doing a recovery or system restore, I don’t have a disk. So it looks like I’m down to removing the HD from this laptop and connecting it as a slave to another computer…. Or sending it in to my IT team except then all my files will be gone!


        • April 29, 2013 at 7:26 pm, Aaron St. Clair said:

          If you have an IT team then I’m sure somebody there knows how to copy files from one drive to another. If you put the drive from the computer in an external enclosure it really just functions like a flash drive. But, there really isn’t a need to lose any files to remove the virus. Simply plug the drive in and point MalwareBytes to the removable disk directory instead of C.


  28. April 30, 2013 at 2:09 pm, Matt said:

    I got a version of this virus and removed it simply by holding f8 during startup, selecting “repair your computer” and selecting a restore point. Don’t know how many versions of the virus this works on, but I would recommend trying this first before going through all the steps the article describes (unless reverting to a restore point would uninstall a program you for whatever reason cannot easily re-install). Using a restore point does not delete any of your personal data (e.g. documents)- at least on Windows 7.


    • April 30, 2013 at 5:23 pm, Aaron St. Clair said:

      This is a viable solution to get past the screen popping up, but, as you stated, System Restore only restores system files and settings. The System Restore will remove the virus from the startup procedures, but it does not remove the malicious files from the machine. MalwareBytes would still be necessary to ensure you don’t become re-infected. This procedure is quicker than a system restore for many systems, especially older machines.


  29. April 30, 2013 at 3:01 pm, jack said:

    thank you for this; i was at my wit’s end but this worked like a charm!


  30. May 02, 2013 at 7:41 pm, al said:

    my computer got infected yesterday! 1st time was about six months ago. I fixed that using safe mode then scanned w/malwarebyte. this time: safe mode, safe mode w/networking and /command prompt all got error messages and have option to start windows regularly. It will reboot normally, i can have access for a lil bit while it’s loading then the moneypak screen lock kicks in. I do not have access to ‘admin’ login. Waiting for my lil brother… any suggestion…im not update w/all the computer stuffs…was pretty good at it 25 yrs ago! thanks


    • May 29, 2013 at 9:15 am, Aaron St. Clair said:

      Sorry for the delayed response. The only time I’ve ever personally seen all 3 versions of safe mode not work is when the Operating System had actually been corrupted and system files were not working properly. Yes, this can be caused by a virus, but the FBI MoneyPack, to my knowledge, does not alter any system files other than the startup procedures. Your issue may be deeper than the FBI MoneyPack virus. In lieu of having to totally wipe/reload, try using the Hiren’s BootCD method that’s been added to the article.


  31. May 03, 2013 at 10:12 am, GSH said:

    This did not work. I went into Safe Mode with command prompt and the regular desktop with the icons for each user came up. I entered into the administrator user and the computer logged off, shut down and restarted again. I’m using Windows 7


    • May 29, 2013 at 9:17 am, Aaron St. Clair said:

      Did you enter into the user labeled “Administrator”? Or a user that has Administrator privileges? In any case, try using the Hiren’s BootCD method that’s been added to the article.


  32. May 03, 2013 at 11:25 am, GSH said:

    When I go into Command Prompt, everything starts with “X:\” instead of “C:\” Tried the cd .. and it wouldn’t change that part. It started with X:\windows\system32> and I was able to change the directory, but only down to “X:\>” and then it could not find the “control.exe” when I typed it in. Said it is not recognized as an internal or external command operable program or batch file.


    • May 03, 2013 at 5:13 pm, Aaron St. Clair said:

      It seems like your primary hard drive is the X:/ drive instead of the C:/ drive. You should be able to follow the tutorial exactly, just replace every instance of C:/ with X:/. You said your default starting point was X:/WINDOWS/System32, which is where you need to be. So, as soon as your command prompt comes up you should be able to type control.exe without getting that error message!


  33. May 03, 2013 at 3:35 pm, mike said:

    Vista laptop, moneypak virus. ALL safe modes are dead, including command prompt. What do I need to try? Thanks.


  34. May 03, 2013 at 5:12 pm, Aaron St. Clair said:

    Hmm. It seems like there is a newer version than when I published this. Multiple people have had an issue of all 3 safe modes being disabled. If all of your safe modes do not work, then you’re still not completely out of luck. There are two possible solutions from here:

    1. You can remove your hard drive from the computer and scan it with another computer… I understand this is a scary topic for many and it should only be done if you’re comfortable with your computer’s guts.

    2. For the less tech-savvy, the hard drive in your computer isn’t the only drive that your computer can “boot” into (i.e. load up Windows when you turn your computer on). Your computer can boot to a disk in the disk drive, it can boot to a flash drive, and there are other possibilities as well. This fix will involve booting to your disk drive. Download and burn Hiren’s BootCD from a work or friend’s computer. Hiren is downloaded as a .zip file and must be extracted to find the file to burn. Turn your computer on and put Hiren’s in the disk drive. Power your computer off, then back on. This time, look for something that says “F10 Boot Menu” or “Boot Menu F12”. The Boot Menu hotkey is different on many systems. If you cannot find anything telling you what key it is, you can try tapping F2, F8, F10, F12, or Del when you start your computer. One of these hotkeys should bring you to the Boot Menu when you tap it repeatedly as the computer starts. From here you can select your Disk Drive as the boot drive. This will load you into the Linux distro on Hiren’s. From here, you can update and run MalwareBytes on your C:/ drive.

    I plan to update the main tutorial soon with more detailed instructions with screenshots, but finals week has me bogged down at the moment.

    Reply

  35. May 04, 2013 at 7:13 am, Trish said:

    I am so happy I found this article…you saved me from this virus!! Thank you!!

    Reply

  36. May 04, 2013 at 7:51 am, liam parker said:

    Luckily I had already made another account, because this white screener keeps telling me I’m using special characters when trying to create a new account! So they must have updated it yet again, this time to stop you creating a new account.

    Reply

    • May 29, 2013 at 9:19 am, Aaron St. Clair said:

      I haven’t seen the virus stop anyone else from creating a new account. You may be having other issues such as a faulty keyboard. Try using your on-screen keyboard. In XP, it’s located in All Programs > Accessories > Accessibility > On-Screen Keyboard. In anything newer, you should be able to type “keyboard” into the start menu and Windows will pop it up for you.

      Reply

  37. May 05, 2013 at 5:16 am, Ram said:

    Hi
    Thanks a lot. It was enormously helpful. However, I went to restore by typing in command prompt and my system was restored without any problem. Worked perfect.

    Reply

  38. May 05, 2013 at 7:15 pm, Steve said:

    I lucked out on this. I opened Task Manager, which still worked, and for some reason my computer opened. Started Malwarebytes. I searched through Program Data and found something called display switch exe, which Malwarebytes found shortly after and deleted.

    Reply

  39. May 06, 2013 at 9:48 am, vernon m. said:

    This guy knows what he is talking about…..i had the moneypak virus a few times before and I was able to get rid of it….i am a technology guy and I didn’t know what to do this time after all of my procedures failed….i tried this procedure….pretty slick by using the cmd line to create another user acct!

    Reply

  40. May 06, 2013 at 7:51 pm, Phil said:

    Thaaaaaank you soooooo much!

    Reply

  41. May 07, 2013 at 4:04 am, Michael said:

    I did all the above steps and after a full scan there were three files that showed as infecting my computer, and they were removed and I restarted the computer. When I log back in to my account the FBI virus is still there. What is going on?

    Reply

    • May 29, 2013 at 9:21 am, Aaron St. Clair said:

      Is the user account that is infected an Administrator account? Standard Users may have issues removing files from Program Data and Application Data. Make sure the user account you created is an administrator.

      Reply

  42. May 07, 2013 at 1:21 pm, Randy said:

    My friend got this virus and asked me for help. The problem is it used a password to block access to the boot menu. Is there a way to get around this?

    Reply

    • May 29, 2013 at 9:22 am, Aaron St. Clair said:

      I’m pretty sure this virus has not magically modified your BIOS. The password screen you are being presented with is most likely a BIOS password put on by some network administrator. Is this PC a school PC or work laptop?

      Reply

  43. May 07, 2013 at 8:05 pm, Nick St.Clair said:

    Control panel won’t come up to make a new user (step 3) it puts up the moneypak screen and won’t let me do anything. Any suggestions?

    Reply

    • May 29, 2013 at 9:24 am, Aaron St. Clair said:

      This may be a rhetorical question, but are you sure you’ve booted into Safe Mode? Instead of running “control.exe” try running “explorer.exe”. You may be prompted with a warning saying the Safe Mode with CMD is not meant to use GUI interface like explorer.exe, but ignore that. You should then be able to use your Start menu and access the Control Panel through it.

      Reply

  44. May 07, 2013 at 9:22 pm, Z said:

    I got all the way to step 6, but when I log in as the newly created user, I get a blank screen, when I do it in safe mode I get the moneypak screen….any suggestions???

    Reply

    • May 29, 2013 at 9:24 am, Aaron St. Clair said:

      Are you sure you created the new user account as an administrator?

      Reply

  45. May 07, 2013 at 11:22 pm, Freda said:

    THANK YOU!!! THANK YOU!!! THANK YOU! SO FREAKIN MUCH!
    I tried so many tutorials. I was told to pay big $$$ to fix this. I was so bummed out. Thank you!!!
    You are brilliant, seriously

    Reply

  46. May 08, 2013 at 11:22 am, Ted Falkowski said:

    control.exe not recognized in directory using Windows 8.

    Please send me instructions using a Dell laptop Windows 8 operating system.

    Thank you.

    Reply

  47. May 08, 2013 at 1:02 pm, Marek said:

    When I try to use cmd prompt my regular user account password does not work. When I use safe mode with networking it does, but the FBI screen blocks everything……stuck

    Reply

  48. May 08, 2013 at 1:08 pm, Rick said:

    On an XP x64 machine, I have picked up a variant of this virus that does not allow any of the Safe Modes to run, including Safe Mode with Command Prompt.

    Reply

  49. May 09, 2013 at 7:16 am, Robert Klein said:

    I tried all safe mode choices and none of them will launch. I also tried to use Hitman Pro kickstart and it will start but will not connect to the internet. I have removed FBI money Pack on several computers, but this one is different. Unless there is something corrupt with safe mode features on this machine. The new money pack will not allow this computer to boot to safe mode with command prompt. So there is no way to create a second user account to log into. Any other ideas?

    Reply

  50. May 10, 2013 at 7:58 pm, cjmshadow89 said:

    The moneypak has evolved. I use Windows Vista Business. When I start in safe mode with cmd it takes me to the log in screen. I log in as administrator and it restarts. Are there any new updates to this fix? Thank you.

    Reply

  51. May 11, 2013 at 9:25 am, Dennis said:

    Thanks very much! ! !

    Reply

  52. May 11, 2013 at 11:56 am, Jesse said:

    Aaron – I wish I could buy you a beer. This just saved me as well.

    Reply

  53. May 12, 2013 at 12:10 am, mw27630 said:

    I have this virus and tried the command prompt, but it still took me to the virus screen. There’s an error box that appears and says ‘please come out of safe mode and connect to the internet’. I’ve tried almost everything, and nothing seems to work.

    Reply

  54. May 13, 2013 at 6:07 am, Devin said:

    When I go on safe mode it just says please wait. I tried all of them but it just says please wait. I really want to get this fixed, please help.

    Reply

  55. May 13, 2013 at 6:08 am, Devin said:

    My safe mode won’t finish loading, please help me.

    Reply

  56. May 13, 2013 at 11:48 am, Alex said:

    This is a Godsend! Thanks for sharing your tech savvy!

    Reply

  57. May 13, 2013 at 3:05 pm, Sid Frasier said:

    Unfortunately, the process you described has now been blocked by the process that shuts down Windows on error even in Boot to Command Prompt. You cannot disable this feature within the BIOS. The only workaround I’ve found is a secondary boot that is clean or installing the drive in a second computer!

    Reply

  58. May 13, 2013 at 5:21 pm, Help said:

    I selected Safe mode with command prompt and it still forced a reboot on me! Please help

    Reply

    • May 29, 2013 at 9:30 am, Aaron St. Clair said:

      Try using the Hiren’s BootCD method that’s been added to the article.

      Reply

  59. May 13, 2013 at 9:54 pm, Dana said:

    None of this is working for me. Whenever I try safe mode, it just reboots all over again. Please help.

    Reply

  60. May 13, 2013 at 11:13 pm, gino said:

    You are the best man !!!!!!!!!!!!!!!
    I tried everything and your guidelines helped me!
    You are GOOODDDDDDDDDDDDDDDDDDDD

    Reply

  61. May 14, 2013 at 2:14 pm, bl said:

    The latest FBI virus can auto shut down “safe mode”, “safe mode with network” and “safe mode with command Prompt” on 5/14/2013. How can I do that?

    Reply

  62. May 15, 2013 at 1:05 pm, need help!!!! said:

    I tried everything from rebooting my computer and tapping the F8 button, which wouldn’t allow me to get to the safe mode screen, and also trying to go through the steps from your article. I already have another account that doesn’t have the virus on that side, but it still won’t allow me to get rid of the virus for the other account even when I use malwareantivirus and pc tuneup. The live advisors tell me that I need to get a Microsoft tech to clean up the computer, but it is kind of pricey. Any suggestions?

    Reply

    • May 29, 2013 at 9:32 am, Aaron St. Clair said:

      You do not need a Microsoft tech. Any technician should be able to clean this for you if you are not able to yourself. The ideal way to remove it is just pull the HDD and hook it up to a clean PC, and scan it from the clean PC. But, for you, try using the Hiren’s BootCD method that’s been added to the article.

      Reply

  63. May 15, 2013 at 1:48 pm, Pat said:

    I was infected last night and as of 5/14 it blocks all safe mode choices; any ideas on how to get past that?

    Reply

  64. May 15, 2013 at 1:55 pm, Norm said:

    After probably 8 hours of trying to get rid of this thing, your directions provided the cure.
    I was not able to boot into safe mode or safe mode with networking. Only safe mode with
    command prompt. Numerous attempts to run AVG antivirus and Malwarebytes scans did not work.
    I was just about ready to re-install Windows 7 when I found your instructions.
    Thanks a lot and may the people who contrived this pos burn in hell.

    Reply

  65. May 15, 2013 at 2:28 pm, Shequette Thompson said:

    1. “Safe Mode with Command Prompt” option and then hit the Enter key.
    After I get to this step my laptop load WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx

    All down the page and then it tells me to please wait and then it restarts Windows.
    Let me add that the virus (or scum bags) have changed my user name so I cannot do any of the steps you told me to do. Please help, I have class and do not need to fall behind.

    Reply

    • May 29, 2013 at 9:34 am, Aaron St. Clair said:

      I’ve never seen this virus change a username. The WINDOWS/System32/directoryxxxxxxxxxxxxxxxxxxx text that floods the screen is normal. It’s showing you the system files that are actually being loaded. If you’re being forced to restart still, try using the Hiren’s BootCD method that’s been added to the article.

      Reply

  66. May 15, 2013 at 7:04 pm, james said:

    Hi, my computer has been infected and even when I tried to run under safe mode with command prompt, once I was in the safe mode and typed in the user password, the computer automatically went into auto shutdown. It seems like the virus creator has outsmarted the system.. I am stuck now =(

    Reply

  67. May 16, 2013 at 2:06 am, SM said:

    THANK YOU

    Reply

  68. May 16, 2013 at 1:52 pm, Attaboy said:

    Thank you so much sir. You are a gentleman and a scholar

    Reply

  69. May 16, 2013 at 2:12 pm, Nanar said:

    there is a newer version of the virus, which shuts down even safe mode with command prompt, which is my case
    -_-

    Reply

  70. May 17, 2013 at 12:20 am, Cynthia said:

    I thank you so much!!!! My safemode took me right into the virus and I did not know what to do. I had a back door account already and did not know I could use it until I read your article. This was so helpful. God bless you!

    Reply

  71. May 17, 2013 at 12:24 am, Cynthia said:

    Thanks so much!!! You really helped me a great deal. I tried safe mode but it took me directly in instead of a prompt. I already had a back door account thank goodness and was able to use it and do a scan. Even a quick scan worked. I was able to go back and get into my original account finally. Thanks again you smart person you!!!

    Reply

  72. May 17, 2013 at 6:52 pm, cristo said:

    This method no longer works. I have Windows 7 and it would not go into safe with command prompt.
    I took a rescue disk and restarted, F8, repair, chose system restore option and picked the last restore date.
    It said “an unspecified error occured during system restore. (0x8000ffff)”
    Even if I somehow get back onto my computer, I’ll still reformat it.
    I’m having a hard time believing we don’t know where this virus comes from and where the payments go.
    wouldn’t it just be easier to take out the hackers with a few 50 cent bullets from a few hundred yards than for them to subject the world to this crap? all we need to know is who and where they are

    Reply

  73. May 17, 2013 at 7:17 pm, cristo said:

    After the botched restore with error using the disk, I was then able to access safe mode with command prompt and carry out the rest. When I logged on, I got a message that restore was successful and my documents were not affected. My wallpaper is different and desktop icons from the other account are different under the other admin account and I forgot whether that was normal. When I log back in under the other account I’ll see. You just need to update this article to reflect that safe with command prompt no longer is possible with the newest version of the virus.

    Reply

  74. May 18, 2013 at 5:10 pm, mark said:

    I have managed to get rid of the malware by doing as you said and setting up a new user, but I still can’t log in using my usual login. It’s just a black screen with the prompt c:\windows\system32)

    Can you help.

    Reply

    • May 23, 2013 at 1:48 pm, I said:

      I got the virus yesterday. Somehow pressing F8, F10 or F12 wouldn’t get me anywhere but the Windows Boot Manager giving me a choice of Windows 7 (I have Windows XP) or Diagnostics. Selecting Windows 7 starts XP and doesn’t go anywhere. I’ve tried everything including Ctl Alt Del as well as hard powered off while XP is starting. I have the XP disk…should I try rebooting from it? Then what? Please help as I need my computer badly and Microsoft Support charges money I don’t have.

      Reply

      • May 29, 2013 at 9:38 am, Aaron St. Clair said:

        What is your computer model number? I would need to look up your motherboard to determine what your Function key would be.

        Reply

    • May 29, 2013 at 9:37 am, Aaron St. Clair said:

      It sounds like you’re still booting into safe mode. Make sure you do a normal boot.

      Reply

  75. May 19, 2013 at 4:37 pm, Ronald Norman said:

    I have tried what you said to do and I was able to get into the control panel and change the user. Every time I go into safe mode I still cannot get into the new user I created. I tried it in safe mode and safe mode with networking, same thing.

    I have the FBI Ransom Virus and am running Windows 7. I know only some of the command lines and only did one or two patch files years ago. Could you please get me some better options?

    I am not sure when you wrote this article but today is May 19, 2013 and I need some help.

    Thanks
    Ronald Norman

    Reply

    • May 29, 2013 at 9:40 am, Aaron St. Clair said:

      So you have already created a new user in Safe Mode? Once you have created the new user, you are done with safe mode. You should do a normal boot and then select the newly created user once you’re presented with the User screen at startup.

      Reply

  76. May 20, 2013 at 7:03 pm, vinnie prado said:

    Dude, that was awesome. The only problem I found was that after I did all that you said, every time I logged in I would see the command prompt and no desktop at all. So, logged in with my temp. account, I deleted the user profile of my real account and I was golden. Thanks a lot!

    Reply

  77. May 21, 2013 at 3:36 am, Jeb said:

    My windows 7 laptop will not start up even in safe mode with command prompt, it still just shuts down. I don’t know all this technical talk, how do I remove the virus?

    Reply

    • May 29, 2013 at 9:41 am, Aaron St. Clair said:

      Try using the Hiren’s BootCD method that’s been added to the article.

      Reply

  78. May 22, 2013 at 12:47 pm, Jerry W said:

    It might be good to note to use “shutdown/r” for a safe shutdown from cmd. Also, as a side note, this virus is stored in your temp files so if you delete all the temp files to remove the virus (and check the start up to disable or remove unwanted items that are related to this program). You can do all this from the cmd or along the same way as shown above. I use a free program called Ccleaner and keep it loaded on all my computers. It was how I removed the virus. It is also good to check under the uninstall programs for any programs installed during the time your computer got the virus.

    Reply

  79. May 22, 2013 at 5:19 pm, TinaJ said:

    Thank YOU!!! Your time and help is much appreciated by me and my family!!! God Bless!!

    Reply

  80. May 23, 2013 at 12:29 am, Marvin said:

    Thanks, this worked great! Malwarebytes did not find the Trojan but AVG did and seems to have removed it; however explorer.exe still does not run on my usual account (no “FBI” screen though) so I have to run it manually :( any suggestions to fix this?

    Reply

  81. May 23, 2013 at 2:13 pm, shamuboo said:

    In the below list I am not seeing a response as to how to proceed when all safe modes are locked out. Each one is just restarting my computer each time. I only have 1 user account as well. Is there anything I can do to fix that?

    Reply

    • May 29, 2013 at 9:45 am, Aaron St. Clair said:

      The Hiren’s BootCD method should do the trick for you.

      Reply

  82. May 23, 2013 at 6:53 pm, Charlie Brasher said:

    This worked for me:
    1. Boot in safe mode with command prompt
    2. Navigate to windows/system32
    3. Type control.exe to open control panel
    4. Insert flash drive, with the latest Malwarebytes
    5. Install and do a full scan.

    Thank you very much for all your help!!

    Reply

    • May 31, 2013 at 8:14 am, Roger said:

      I have done this, ran MWBytes, and my pc shuts down? Any thoughts? Thanks

      Reply

  83. May 24, 2013 at 9:06 pm, Lance said:

    Thanks very much, Aaron. Your solution to ridding my computer of the FBI MoneyPack virus did the trick. This was after trying several other methods that failed. Thanks again!

    Reply

  84. May 26, 2013 at 7:51 pm, Steve EZ said:

    One of the computers in my house got this virus somehow, and despite many other forum/website advice to kill the virus, this article was the only one that was proved effective at my knowledge of computers (which is above the average person, but still limited). I recommend following these instructions if this “FBI” virus happens to you.

    Thanks to the author(s)

    Reply

  85. May 27, 2013 at 5:56 am, Vpb12345 said:

    Thank you so much, I got worried after it scanned for 5 hours, but it finally ended and I’m virus-free

    Reply

    • May 29, 2013 at 9:46 am, Aaron St. Clair said:

      Heh, I’ve had MBAM scan for 12 hours 43 minutes on a customer’s computer. Granted, I scanned 3 drives, but programs such as AutoCAD or SolidWorks have bookoos of files to scan through.

      Reply

  86. May 27, 2013 at 7:45 pm, Bob said:

    Hi Aaron, Thanks for the help in getting around the ‘reboot’ in safe mode and normal mode. Curing this problem enabled me to get to safe mode and then I used the ‘old standby’ the ‘emsisoft Emergency Kit’ to do the scanning and removing. After that I loaded Malwarebytes Anti-malware and did another scan just to be sure the problem was gone and CURED. Thanks for the help

    Reply

  87. May 28, 2013 at 9:52 am, christina said:

    I have this awful police virus. My computer will not let me do anything. I can’t get into any mode and it will not allow me to type. It just goes to the welcome screen and then shuts itself down. Not a computer genius at all, but if I have some simple instructions I may be able to sort it out. I have a normal desktop computer, that’s ok, but not sure how to make discs etc. Hope you can help? Many thanks Christina

    Reply

    • May 29, 2013 at 2:32 pm, Manpreet Singh said:

      Hi Christina. First thing to do is, if it’s Windows 7 or Windows Vista, manually turn off the computer 2-3 times. After that, when you turn on the computer it will automatically give you the option of Startup Repair. Select that option and see if that works or not. If it does not work, then in Startup Repair there is an option of System Restore. Select that option and restore the computer back to an earlier date and see if that works or not. If it works do let me know, otherwise I can provide you multiple options.

      Reply

      • May 29, 2013 at 4:20 pm, Aaron St. Clair said:

        System Restore will not remove temporary files, as they are not system files. This virus hides within these files so that System Restore can only hide the virus and not remove the malicious files. After performing a System Restore, you will still have to scan to remove the virus.

        Reply

  88. May 29, 2013 at 2:26 pm, Manpreet Singh said:

    The best thing to do is start the computer by tapping F8 and select safe mode with command prompt if you are not able to go to normal safe mode or safe mode with networking. Once the computer is started in safe mode with command prompt, type the command rstrui.exe. By typing this command, System Restore will open up. Restore the system back to an earlier date when the FBI Virus was not coming up. Once the system restore is completed, download and install REMOVED DUE TO SPAM; it will completely remove the virus.

    Reply

    • May 29, 2013 at 4:18 pm, Aaron St. Clair said:

      Do NOT download “Spy Hunter”. Spy Hunter by Enigma Software offers a free *scan* (no fix) with exaggerated results to scare the user into buying it. There are several better FREE programs which remove the *real* infections which they find for free. Hence the use of Malwarebytes’ Anti-Malware.

      Not only that, but if you buy SpyHunter from any link posted in an answer here, the poster will get paid a commission from Enigma for tricking users into the software.

      Reply

  89. May 31, 2013 at 8:11 am, Roger said:

    So I recently got the Virus, got all the way to Step 6, loaded and ran Malwarebytes, but the PC shuts down after 3-5 minutes? Any thoughts?

    Reply

    • May 31, 2013 at 8:16 am, Aaron St. Clair said:

      Is this a laptop or a desktop? Does it go through the entire “Windows is Shutting Down, Please Wait” process or does it just go black and die? Are you running MBAM in Safe Mode or regular mode? Try having MBAM do a quick scan.

      Reply

      • May 31, 2013 at 9:04 am, Roger said:

        Aaron, Thank you. It is an HP laptop w/ Windows 7 Home. The screen goes black and does not restart. I created another user id via safe mode with command prompt, restarted into safe mode with networking, loaded up and started to run MWBytes and it goes black screen several minutes into the full scan.

        Reply

        • May 31, 2013 at 9:43 am, Aaron St. Clair said:

          Don’t boot back into safe mode in the new account, boot as you normally would, but select the new user account when prompted. If it goes directly to your regular account, quickly hit the Windows key + L. This will bring you to the login screen.

          Reply

          • May 31, 2013 at 12:08 pm, Roger said:

            I will give it a shot. To clarify, I should run the MWBytes software in the new userid in regular startup?

  90. May 31, 2013 at 2:42 pm, Daniel N said:

    Thank you for your article. Using a temp account seems to work well. One thing I would modify is to use Hitman Pro instead of Malware bytes Full scan although I love malwarebytes software. hitman pro will get the job done much quicker.. Just my 2cents.

    Reply

  91. June 01, 2013 at 5:20 am, twiztedmannix said:

    I’ve used Hitman Pro to remove it first time around. Once going through the process it’ll reboot and find back all the lost files it claimed it encrypted, and it’ll start up like normal. It keeps coming back; it uses Java and Internet Explorer (the white screen is a window of IE, so I disabled it). I raised up the security on Java but it kept coming back, disabled IE and so far seems quiet. It’s really annoying, imma have to set up more logins if it ever comes back. It bypasses the blocking Windows/Java does on programs (allow/deny).

    Reply

  92. June 01, 2013 at 7:47 am, Elise said:

    I have to say, I love the way you’ve explained everything, really made me save my pc. THANK YOU SO MUCH!!! You’re a PC God. Keep up the good work. I love you!

    Reply

  93. June 02, 2013 at 3:01 pm, Pete Mekesa said:

    Aaron, thanks!!!! Your information was spot on.

    Reply

  94. June 04, 2013 at 2:04 am, MikeB said:

    THANK YOU SO MUCH!!! JUST FOR THIS HELPFUL ADVICE…I COULD GIVE YOU THE MONEY I GOT FINED! LOL THAT VIRUS HAD ME SO SCARED, SEEING THAT I DOWNLOAD MOVIES OFF THE INTERNET BC TIMES ARE TOO ROUGH TO MAKE IT TO THEATRES. THANKS AGAIN!!!

    Reply

  95. June 04, 2013 at 11:37 am, Aleksandra Ward said:

    Hi. I was able to remove the virus, but every time I go online, open Firefox or Internet Explorer it comes back. How can I fix it?

    Reply

  96. June 04, 2013 at 5:28 pm, daren said:

    i got hit really hard this time with the fbi 2013 one. the only way was your way ………ps i LOVE you p

    Reply

  97. June 04, 2013 at 5:32 pm, daren said:

    Could you please find a way to backfire the scam back at them? I have 2 PCs, willing to use 1 for bait, and once again thank you so much.

    Reply

  98. June 04, 2013 at 5:34 pm, daren said:

    forgot to say the create new user account worked for me

    Reply

  99. June 04, 2013 at 8:31 pm, Mike B said:

    Thanks, Aaron! I’m not a computer dummy, but sometimes, this electronic monster gets the best of me. I reviewed a number of sites and solutions, but yours made the most sense. MalWareBytes has fixed problems before for me, but this is the first time that I’ve been totally locked out by a virus. I’m scanning now and will let it run through the night if necessary. Just wanted you to know that I appreciate you taking the time to help the ‘little guy’. Keep up the good work!!

    Reply

  100. June 05, 2013 at 7:18 pm, Mike said:

    Thank you, Aaron. You da man!

    Reply

  101. June 09, 2013 at 3:03 pm, R. Tyrone said:

    Thanks Aaron, worked like a charm. Took 2hrs running XP pro. But…got er done!

    Reply

  102. June 09, 2013 at 8:13 pm, Matt said:

    I went to safe mode command prompt and it loaded the Windows files and says please wait… it’s been there for 30 minutes.. is it supposed to take that long?…

    Reply

  103. June 10, 2013 at 9:24 am, Izaha said:

    You truly helped me out the most. I didn’t know what to do when I didn’t have another user account to log into. You’re a life saver and a real Technomancer. lol. Thank you, so much.

    Reply

  104. June 10, 2013 at 2:48 pm, Tammy said:

    You are AWESOME!! I followed your instructions to the word and this worked perfectly. Thank you so much!!

    Reply

  105. June 12, 2013 at 12:23 pm, Jose Martins said:

    I got a similar virus and followed these instructions – the best I found!

    strange problem: Malwarebytes says “no malware found” after the deep scan!

    any clues?

    Reply

    • June 12, 2013 at 12:59 pm, Aaron St. Clair said:

      What is the virus that you have? Are you sure you created an administrator account? You can use archive scan to just scan the user folder of your regular account located at C:\Users

      Reply

      • June 13, 2013 at 4:13 am, Jose Martins said:

        My virus is a Portuguese version of FBI named “PSP”. I had the problems described by you and could only login in safe mode with command prompt. The virus would otherwise shut down the pc after login.

        I created a new administrator account, loaded Malwarebytes, updated and ran it – no restart was requested…
        I was surprised to see a zero malware count after a deep scan, but that’s what I got!
        I restarted and opened the normal account: no problem!
        Downloaded Malwarebytes and ran it again: zero malware!

        could the virus somehow “hide and duck” in the presence of Malwarebytes?!?!?

        Reply

      • June 13, 2013 at 4:24 am, Jose Martins said:

        Correction: in the normal account I didn’t download Malwarebytes, it was already available.

        Reply

        • June 13, 2013 at 8:32 am, Aaron St. Clair said:

          Hmm, that’s odd. Download and run CCleaner on your regular account. CCleaner should remove the virus as well since it hides within Application Data as a temporary file. This is just a safety precaution to ensure the virus is actually removed and not hiding.

          Reply

      • June 13, 2013 at 9:10 am, Jose Martins said:

        More details: I also performed on the new account, after running Malwarebytes, an on-line scan using housecall.trendmicro.com: it found some adware that I chose to eliminate, but nothing else…

        Reply

      • June 13, 2013 at 9:43 am, Jose Martins said:

        I used Ccleaner: very nice software! Cleaned 936MB of temporary files spread around the PC. I also cleaned some startup files like Skype and then the empty space. There is a file in the “Schedule tasks” using the brand name of Microsoft with a long name with numbers and letters (looks like a software password): this is the strangest thing. I read somewhere about these viruses using these long names with numbers and letters… Shall I kill it?

        Reply
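The comments above place the malware in temp files, Application Data and Program Data, started from startup items or an oddly named scheduled task. As an added example (not part of the original thread or the article), this Python script applies those observations as triage heuristics to a list of autostart entries; the sample entries, the thresholds and the short list of system file names are constructed assumptions.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Directories any user-level process can write to. Legitimate software also
# autostarts from some of these, so a hit means "look at it", not "delete it".
USER_WRITABLE = re.compile(
    r"\\(?:appdata|application data|local settings|programdata|temp)\\",
    re.IGNORECASE,
)
# Windows file names worth checking for impersonation (assumed short list;
# ctfmon.exe is the one named in the article).
SYSTEM_NAMES = {"ctfmon.exe", "explorer.exe", "svchost.exe", "winlogon.exe"}
# Any drive-rooted path to an executable or script inside a command line.
FILE_PATH = re.compile(
    r"[A-Za-z]:\\[^\"<>|]*?\.(?:exe|dll|scr|bat|cmd|vbs|js)\b", re.IGNORECASE
)


def looks_random(name):
    """True for long, purely alphanumeric names that mix letters and digits."""
    stem = ntpath.splitext(name)[0]
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return len(stem) >= 12 and stem.isalnum() and digits >= 3 and letters >= 3


def reasons_for(name, command):
    """Return the reasons one autostart entry deserves a manual look."""
    reasons = []
    if looks_random(name):
        reasons.append("random-looking entry name")
    # A command can reference several files (rundll32.exe plus a DLL),
    # so every path in it is checked, not just the first.
    for match in FILE_PATH.finditer(command):
        path = ntpath.normpath(match.group(0))
        base = ntpath.basename(path).lower()
        if USER_WRITABLE.search(path):
            reasons.append("runs from user-writable directory: " + path)
        if base in SYSTEM_NAMES and "\\windows\\" not in path.lower():
            reasons.append("system file name outside \\Windows: " + path)
        elif looks_random(base):
            reasons.append("random-looking file name: " + base)
    return reasons


def triage(entries):
    """entries: iterable of (source, name, command). Returns flagged entries."""
    flagged = []
    for source, name, command in entries:
        reasons = reasons_for(name, command)
        if reasons:
            flagged.append((source, name, reasons))
    return flagged


# Constructed sample data, not taken from any real machine.
SAMPLE = [
    ("HKLM Run", "ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    ("HKCU Run", "ctfmon.exe", r"C:\Users\alice\AppData\Roaming\ctfmon.exe"),
    ("Startup folder", "Acme Updater",
     r'"C:\Program Files\Acme\updater.exe" /background'),
    ("Scheduled task", "a9f3k2m8x1q7z4b6",
     r'C:\Windows\System32\rundll32.exe "C:\ProgramData\k3j9x2m4q8z1.dll",Run'),
]

if __name__ == "__main__":
    for source, name, reasons in triage(SAMPLE):
        print(f"[{source}] {name}")
        for reason in reasons:
            print("    - " + reason)
```
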

  106. June 12, 2013 at 2:09 pm, Kingpablo said:

    I am just finishing up battling a Windows 7 64 machine right now that has this no safe mode variant at all. Command prompt was even rebooting. I thought for sure I’d have to pull the drive.

    Watching it reboot a few times, i saw the shutdown screen for just a fraction of a second and saw a lag in the timing.

    I was able to get safe mode to “Stick” by hitting CTRL+ALT+Delete immediately after entering the password. I just hit it like a fiend once I hit enter. After a few tries, I nailed it. It finally hung the system.

    Once I had that I was able to pop open task manager. Once in Task Manager, I was able to open a command prompt. I then was able to install Malwarebytes from a USB stick.

    I would guess that the new user method works great.

    Reply

  107. June 12, 2013 at 4:47 pm, Jennifer said:

    Thanks so much !!!! Worked perfect. You are a rock star!!

    Reply

  108. June 13, 2013 at 12:43 pm, Scott Silva said:

    You should never recommend using illegal software on a public website… Hiren’s is full of software that is supposed to be paid for… There are many Linux based boot CD’s that are free and legal.

    Reply

  109. June 14, 2013 at 7:46 am, Ali Najem said:

    Hi,
    I had my office computer infected by CTFMON.exe, and a friend of mine told me to remove the hard disk and plug it into a computer with Malwarebytes Pro. and scan it and it will remove it!
    I have McAfee on my computer; should I remove it and install the Malwarebytes Pro. or it won’t conflict?

    Sure the Malwarebytes Pro. will remove the CTFMON.exe..

    Please I need your help..

    Regards,

    Reply

    • June 14, 2013 at 4:57 pm, Aaron St. Clair said:

      Malwarebytes is not an antivirus suite, simply a removal tool. The pro version is comparable to an AV but it’s still not the same. Thus said, there’s no need to remove McAfee. Also, the only time you may have to pull out the hard drive is if you can’t get this tutorial to work with safe mode.

      Reply

  110. June 14, 2013 at 11:08 am, manpreet singh said:

    if you can go in safe mode with command prompt try system restore instead new a/c by rstrui.exe and then restart the computer will be in your a/c then use emsisoft emergency kit free software

    Reply

  111. June 16, 2013 at 12:34 pm, Valerie said:

    Thank you!!!! I tried so many other ways and until I found yours it helped. Thank you times a million!!!!!

    Reply

    • June 16, 2013 at 2:39 pm, joe said:

      The problem I keep running into is my computer will not connect to the internet after all steps so I cannot update malwarebytes. Any suggestion?

      Reply

  112. June 16, 2013 at 6:38 pm, mp said:

    Thank you!!!!

    Reply

  113. June 16, 2013 at 6:39 pm, Paula Andrese said:

    Thank you! Yours was the ONLY page that provided the info needed to download the fix.
    Brilliant.

    Reply

  114. June 16, 2013 at 6:40 pm, Mary said:

    THANK YOU…Thank you. I have tried every site out there to fix the FBI malware but nothing worked….UNTIL
    I found tech-recipes and followed your directions. It worked beautifully

    Reply

  115. June 17, 2013 at 7:44 pm, Michelle said:

    Thank you sooooooooooooooo much!! You helped me be a hero for my Dad whose computer was recently seized by the FBI MoneyPak Virus……I really appreciate it!! You’re the BEST!!

    Reply

  116. June 17, 2013 at 10:24 pm, Samantha Lee said:

    RE: ICE Virus. I followed all of the instructions, except I have one problem. Windows is loading the cmd.exe prompt box, I have to type explorer.exe to run my xp. Can you help?

    Sam

    Reply

    • July 02, 2013 at 2:38 pm, Aaron St. Clair said:

      Until today I’d never seen this happen, but I’ve run across the problem myself, and I’ve yet to fix it. It’s for a customer, so I’ll be working on it shortly and should be able to give you an answer soon!

      Reply

  117. June 18, 2013 at 2:13 am, santosh said:

    My computer is shutting down in every type of safe mode. Is there another way of removing the virus?

    Reply

  118. June 18, 2013 at 7:54 pm, Ken King said:

    This worked great for me

    Reply

  119. June 19, 2013 at 11:19 am, DA said:

    Hi, when I gave control.exe in command prompt it didn’t work.. still goes to the moneypak page

    Reply

    • July 02, 2013 at 2:39 pm, Aaron St. Clair said:

      Are you sure you’re in “Safe Mode with Command Prompt” ? I’ve never seen the virus pop up in that version of safe mode.

      Reply

  120. June 21, 2013 at 4:42 pm, Barb said:

    After many, many attempts I was able to get through #5 (creating an admin account in safe mode), but unfortunately login into that account brought the virus page. The command prompt version, on the other hand, brings up a list of C:/WINDOWS/System32 (partitions) with no cursor/arrow keys control. I’m not sure what to try next. Any ideas?

    Reply

    • July 02, 2013 at 2:42 pm, Aaron St. Clair said:

      I’m not entirely sure what you mean… You said you made it through step 5, so you’ve created a new administrator account using the CMD method in the tutorial? Are you logging back into “Safe Mode with Command Prompt” as the new administrator? The virus should not infect a newly created account… Did you name the new account “Administrator” ? If so, name it “Susie” or “BillyBob”, or whatever. There is already a default account on the machine named “Administrator” that can be enabled/disabled. I think you may have just enabled that account?

      Reply

  121. June 22, 2013 at 7:26 pm, Nicole said:

    I love you so much right now Aaron. I’ve been fighting with my laptop for weeks with this virus, and following your steps I was able to remove it. You’re the best! Thank you!

    Reply

  122. June 23, 2013 at 5:34 pm, Jessica said:

    So I have Windows Vista and I got the ICE infection earlier today. I have tried the safe mode options… all of them, but each time it takes me to login and then my computer restarts. There is no option for “repair your computer” and I’m at a dead end. What should I do?

    Reply

    • July 02, 2013 at 2:44 pm, Aaron St. Clair said:

      I’ve recently run into the ICE version too. I was at a customer’s house, so I didn’t have all of the tools in my normal repertoire, so I had to hook up their HDD to my laptop to remove the virus. Only problem is that method broke their startup. I’ve yet to have a chance to follow up on the machine to figure out a fix, but I will soon.

      Reply

  123. June 23, 2013 at 7:57 pm, adrian geter said:

    This Sam Virus Has Brought A Blue Screen To My Computer and Denies My System From Restoring.. But I’ve Snuck My Way To Command Prompt By Letting It Fail Restore Then Clicking One Of Two Sentences That Lets You Explore 10 Other Ways To Fix Ur Cpu.. start up repair, system restore, etc

    Reply

  124. June 24, 2013 at 9:44 pm, Dan said:

    You are my hero! Worked perfectly!

    Reply

  125. June 26, 2013 at 9:27 pm, ed dormer said:

    followed your instructions , purchased Malware Bytes Pro, restarted, ran full scan and found 1 item, not sure what it was but deleted. restarted normally and signed into my user account. However my user account is still the black screen with the command prompt c windows system 32 that i used to get to the control panel.
    what next- how do i get back to my account

    also, how to remove “conduit” virus from another pc, malware bytes pro and hitman pro do nothing
    your help is really appreciated – i’m novice level

    Reply

    • July 02, 2013 at 2:54 pm, Aaron St. Clair said:

      Your computer may have got caught in a system resume loop. I’ve seen it happen a few times before. Try holding down the power button for 15+ seconds until the machine fully turns off. Then, unplug it from power, and remove the battery for 15 seconds. Then hook everything back up. What this did is ensure the computer is completely dead so you can get a clean boot. Now, turn it back on, and you may get prompted to run startup repair. If you do, go ahead and run it.

      As for Conduit, it’s not really a virus. It’s more of a toolbar. You should be able to remove Conduit via Add/Remove programs

      Reply

  126. July 03, 2013 at 5:01 pm, Walt McNally said:

    This was amazing. Thank you for all your hard work. I followed the instructions exactly and now I can finally use my computer. Thank you once again

    Reply

  127. July 04, 2013 at 12:15 pm, mike said:

    WORKED LIKE A CHARM!!!! T H A N K Y O U ! ! !
    Getting in to SAFE MODE took a couple attempts. But after getting in to SAFE MODE, everything flowed exactly as described above. Great stuff. Thanks.

    Reply

  128. July 05, 2013 at 12:38 pm, Jasmine said:

    THANK YOU SO MUCH!!! YOU’RE AMAZING!! :)

    Reply

  129. July 06, 2013 at 2:21 am, Kaylee said:

    Thank you so much.! This is the only site that actually helped me.! You are a life saver.! Thank you so much idk what i would’ve done without this site.!

    Reply

  130. July 07, 2013 at 5:45 pm, M. Caulfield said:

    Instructions worked great, Thank You, Thank you, Thank You!!!

    Reply

  131. July 08, 2013 at 7:53 am, Steve said:

    None of the below options work for me. I am unable to open my pc in any Safe Mode and now I cannot get it to start at all without receiving a blue screen. I have tried to download the anti-virus files to a stick drive, but I cannot get the infected pc to boot to the external drive. I do not have a CD burner option.

    Any other thoughts.

    Reply

  132. July 08, 2013 at 7:55 am, Steve said:

    I do have a SATA drive to put the infected hard drive into, but the drive will not completely load, it stops at about 95-98% and then just sits there.

    Reply

  133. July 08, 2013 at 10:15 pm, kevin s said:

    Thank you for the command prompt method. It would not boot into safemode with networking. Thanks so much for your work and for sharing with the less knowledgable! You’re awesome

    Reply

  134. July 14, 2013 at 10:02 pm, Jared said:

    Thank you so much. I was losing hope and getting ready to take it somewhere to get fixed.

    Reply

  135. July 17, 2013 at 8:41 pm, dan said:

    I can’t thank you enough. your solution worked perfectly.

    Reply

  136. July 17, 2013 at 8:42 pm, dnl said:

    I can’t thank you enough, your solution worked perfectly.

    Reply

  137. July 17, 2013 at 8:49 pm, Dan said:

    Top shelf instructions. Wife’s ‘puter is back up and running. This is the second time in two months. First time I was able to just boot to safe mode…not this time.

    Reply

  138. July 18, 2013 at 9:32 am, Anonymous said:

    Thank you so much! It worked perfectly

    Reply

  139. July 18, 2013 at 7:54 pm, greg said:

    Thanks so much for this!

    Reply

  140. July 20, 2013 at 7:10 am, bellamrao said:

    Very useful. I suggest a small change to start with.
    using Ctrl+Alt+Delete, first log out from your current account.
    In case there is already one more Admin account in the computer, simply switch the user (Admin).
    Thanks for the advice

    Reply

  141. July 20, 2013 at 5:11 pm, Marty said:

    Thank you SOOOOO much. Your instructions were clear, easy to follow and spot on. I did get hit with the earlier version, years ago, and agree this one was a challenge I needed help with.

    Reply

  142. July 21, 2013 at 10:52 am, Josh said:

    Thank you so much, but I wanted to know if I could still get into my last user account??

    Reply

  143. July 21, 2013 at 9:32 pm, Fletcher said:

    I don’t know if this helps for the one that evolved to block command prompt safe mode, but before I found this I managed to get to my desktop by logging off and onto my only user account till it lags and asks if you want to wait for the program to respond or log off now. I hit cancel and the FBI virus doesn’t restart till I log off or reboot; able to use Internet Explorer although slowly. I have Vista by the way and I fix most things by hitting it with a rock, but if this info helps at all, awesome

    Reply

  144. July 22, 2013 at 10:36 am, Darren said:

    Seems like I just ran system restore in my guest account, and everything works instead. Though I didn’t go through any of the steps but actually went to system repair mode but ended up canceling it because it was too long.

    Reply

  145. July 23, 2013 at 7:12 am, Beth said:

    Thank you for this information. I was not able to get into my safe modes but through safe mode with command prompt only and making a new account user. I am now running my Malwarebytes and it has picked up 9 viruses so far. Very informative info. Again thank you. :-)

    Reply

  146. July 23, 2013 at 12:47 pm, Dennis said:

    Followed your steps and cleared my computer. Thought it wasn’t possible as nothing was working in safe mode. I could get to command prompt but had no idea what to do once there. I’m old…(not old school, just old) and lost around these things. Say hello to fellow Appalachian State hero Eustace Conway if you see him…and thanks again. Don’t know how virus creators can sleep at night.

    Reply

  147. July 29, 2013 at 9:15 pm, Laura said:

    Does this work for Windows7?

    Reply

  148. July 31, 2013 at 10:31 am, Seank97 said:

    I had a variation of this theme to remove on a corporate pc this week, the fix for me was to make a Bootable Jump-Drive with Kaspersky, I was unsuccessful removing it manually on a Win-7 Pro machine on our network even though Safe-Mode/Command Prompt did work. I suspect it could also be removed with the most recent version of Hirens Boot CD and removing it from “outside” of windows itself.

    Reply

  149. July 31, 2013 at 5:35 pm, Bill said:

    Thank you very much for taking the time to help us all out. I followed your instructions and I am now up and running again. Thank YOU!

    Reply

  150. August 03, 2013 at 1:33 am, Sean said:

    Thanks Aaron worked perfect for me good stuff

    Reply

  151. August 05, 2013 at 12:53 am, Scottie said:

    So I got it too. But I just restarted my computer and it went away. Is it gone? Reply please. Thanks.

    Reply

    • August 11, 2013 at 9:05 am, Aaron St. Clair said:

      If all you did was restart, and not a restore or scan then I advise running Malwarebytes to make sure.

      Reply

  152. August 05, 2013 at 2:39 pm, Richi said:

    Another way to do this is after you type in “control.exe” is to go over and click on Recovery and then just do a system recovery to a later date before you got the virus. Bam no virus.

    I used this method with the first version and it worked several different times on several different computers.

    Though you will lose pretty much everything that you have worked on since the system saved a recovery point. But if you keep back ups of everything on a separate drive, such as myself, then this is not an issue or if you just don’t have anything of importance saved in the past few days.

    This way is much easier for those who aren’t amazing with computers…such as myself.

    Reply

    • August 11, 2013 at 9:07 am, Aaron St. Clair said:

      Again, a System Restore can sometimes move the virus out of your way from starting when your PC starts, but it does not remove the infection from the machine. You must remove the files that are infected. System Restore only restores system files and those files that were modified by a System service process during the time frame chosen. This virus is not one of those files. So, even if you perform a system restore, you still need to scan for the virus.

      Reply

  153. August 07, 2013 at 3:02 pm, Hannah said:

    My gawd the best help I’ve gotten anywhere- you know how many times I’ve googled?!?! Great work, Aaron- it’s the ONLY help I’ve found. And it’s EASY~ wonderful, just wonderful. Thank you a million times over!!!¡

    Reply

  154. August 07, 2013 at 3:04 pm, Hannah said:

    :O the best and ONLY help I’ve really gotten- its amazing and thank you so much~ not only was it quick but it was easy and painless!¡!¡ lots of help for someone not so tech savvy.

    Wonderful, thank you a million times over

    Reply

  155. August 10, 2013 at 3:36 pm, Red said:

    Hi Aaron ,
    First of all , tnx a lot for the explanation and the help to all of us that got that horrible virus
    I wish to share my related problem with you ( if it is ok ) and ask for your experience and help , and hopefully it will help others in the same situation:

    My desktop at home is being used only by my kids ( Win 7, 64 BIT ).
    I got one of the versions of that FBI Virus a month ago and Googled it and found another site that gave kind of the same solution you gave ( mainly , using Malware bytes ). a week afterward I got it again , and was able to fix it again the same way ( In these versions I was not able to go to the safe mode b/c it kept restarting and coming back to that malware screen , so I had to do system restore, and once got my desktop back , run the software ).

    Today , my son came to me crying and said it came back again , at first I did not understand why he cried but when I came to the desktop I understood why : this time it was blocked by a different version , that showed pictures of nude KIDS !!!! . I was shocked !!!.

    I spoke with my son and he admitted searching for nude pics , but he did that through regular search on Google ( as probably millions around the world do every day…. )

    could it be that whenever I am cleaning the computer I am kind of leaving that virus core and it wakes up every time again?

    Is there anything I can do to stop it from happening ?
    I even thought of reinstalling the operating system , if I will have no other choice , but do not know if it will help .

    I am very sorry for the long letter , but hope you will understand my frustration and can help me ( and I believe I am not the only one that encountered this problem ).

    Tnx a lot in advance

    Red

    Reply

    • August 10, 2013 at 5:42 pm, Aaron St. Clair said:

      Reinstalling the OS would definitely fix the infection, as long as you did a clean install and not an upgrade or overlay install. That said, reinstalling the OS may not solve your problem. I’ve had 4-5 repeat infections at my day job (service technician), including one customer who got the virus 5 times in the course of 3 months. Your timeframe of the infections matches his. I pretty much narrowed him down to getting the infection through email. I asked him to check his email for me, and lo and behold he literally clicked every link in every email, even the ones that he was unsure of the sender. I put a stop to that real quick. Opening emails to read them cannot infect your machine. An attachment or link has to be clicked to give the network permission to receive the file, which hides and runs in the background. Email isn’t the only way this virus spreads though.

      Every boy has done exactly what he did. When you’re in the mindset of looking up nude pictures, you aren’t going to be paying much attention to what seems legitimate and what should be passed off as sketchy. Porn sites make a lot of their money through linking services, which means you click a link on their website, it redirects you through other websites, gives you popups, etc.

      My advice to you is to look into the built-in parental controls that Windows 7 has to offer. Microsoft has a small article about how to activate parental controls here, but it’s not very instructional. A simple google search can lead you to blocking websites, blocking meta-data of websites (i.e. pornographic websites in general), setting time limits and even logging activity. Granted, parental controls can’t stop all access to pornographic material, as googling “pen island” can give you results you did not intend.

      What solved the issue of the infection returning for my customer was to purchase the full version of MalwareBytes Pro. It acts somewhat as an anti-virus, and is a real-time scanner of files going in and out of your system. I cannot guarantee that purchasing the software will stop the infections, but I’ve seen it work before.

      Reply

  156. August 16, 2013 at 10:40 am, aPoorGamer said:

    I don’t need to go on Safe Mode to use my PC. Although when I go on Safe Mode it does shut down, so here’s what I do: When I start the PC I just wait normally and when I get the FBI virus screen I press Ctrl + ALT + Del and start up Windows Task Manager, after that I know there’s a program running on the background, so I press Ctrl + ALT + Del and click on Logoff, after that I see my background normally and usually it will say “Wait for programs to shut down” I take advantage of that and click on ‘Cancel’ as fast as possible, 90% of the times it works for me. I still have the virus and I have no way of removing it. Is there a program (fast way) of removing this annoying virus? It’s making my ping higher and higher in games, pff.

    Reply

    • August 16, 2013 at 10:48 am, aPoorGamer said:

      Oops, I was too lazy to read all those 8 steps, I just considered reading it and I found out about this antivirus thingy. Trying it right now, I hope it works, although I’m just gonna install it on the normal user and when it asks for reboot I’ll do my trick and hopefully it’ll get solved. ;)

      Reply

  157. August 17, 2013 at 2:00 am, Khosro said:

    I had this virus and I couldn’t go to any of safe mode options. After a few times try to start computer suddenly it started and I could run different anti virus and spy hunters to try to clean the computer. But still after 2 months cmd is not starting. I mean it starts and ends in the same time. I have been trying to fix this problem with no success. I replaced the cmd.exe file with a new one through winsrx and even copied the file from another computer with system 7. I have scanned the computer with spyhunter4 and tried with Norton antivirus and avg and windows essential to find what is wrong with no success. None of these programs is finding any virus. Help will be appreciated.

    Regards

    Reply

  158. August 18, 2013 at 3:24 pm, Paul Flores said:

    Hi…this was almost working- I created a new admin user name…but didn’t see how to create a password for it, so I didn’t- THIS WAS MY FATAL MOVE. Then when I had a chance to sign on with the new name- it didn’t work (no password)(this should be clarified- You have to click on the newly created Icon to create a password)
    SOO..I saw an opening to hit “system restore to an earlier date” – and unfortunately I tried it (even though I have the new bad fbi virus and I’m all locked up).. and so the system restore seemed like it wasn’t going to work… lots of time passed… SO I got out/ shut down etc.. AND NOW – I cannot get into a windows screen- I CAN get into a bootup/ DOS screen….but that’s it…I’m screwed….. System repair disc will not work/ and system recovery discs…IF they worked would wipe out my trapped 18,000 songs that I need as a DJ…and TONS of pictures and documents…..AGH…..
    So does anybody have a “workaround” for this prob? like how to get the system repair disc to work?
    This is a toshiba L655 satellite laptop.. Disaster scene, Paul in Bend, Or

    Reply

  159. August 18, 2013 at 3:28 pm, Paul Flores said:

    Part 2….the thing is…We have a really nice PAID FOR Webroot anti virus that has been 100 effective… but this FBI son of a thing got past it…
    and lastly— If this fix worked I was going to praise “Aaron St. Clair” to anyone who would listen…but for now…I’m screwed-ish.. P

    Reply

  160. August 18, 2013 at 10:32 pm, Emily said:

    Thank you for saving my computer!

    Reply

  161. August 21, 2013 at 8:57 am, Todd said:

    FBI virus. I get to the c:\windows\system32> point, type control.exe and I get a window that pops up and says the file doesn’t have a program associated with it for performing this action. Error 26ee0668-a00a-44d7-9371-beb064c98683

    Reply

  162. August 21, 2013 at 4:28 pm, Steve said:

    Aaron, Thank YOU! This was by far the easiest solution to the problem I’ve found on the Internet and my problem with this damn virus is now solved!

    You made a really difficult problem easy and I commend you for posting this solution.

    Thanks Again, S

    Reply

  163. August 22, 2013 at 4:25 pm, Sean said:

    I feel the easiest method is downloading a tool called autoruns. Have it on a flash drive.
    Boot into safe mode with command prompt, and then CTRL + shift + escape to bring up task manager and go to file new task run… select autoruns… Locate the virus on the startup list, and uncheck any bad keys. reboot into safe mode with networking… update antivirus and remove… 2 scans that have never failed is FULL SCAN malwarebytes ( update definitions ) and then follow up with a hitman pro second opinion scan. ( also in safemode with networking) These have given me a 100% success rate thus far. Also doing some manual work in autoruns to be sure.

    Reply
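
The startup-list review described in the comment above, and the scheduled-task check raised earlier in the thread, as an added example that is not part of the original comments or of the Autoruns tool: a read-only PowerShell listing of common autostart locations that flags entries launching from Application Data, Temp or similar user-writable folders. The path heuristic and the helper name `New-AutostartEntry` are assumptions made for this example, and the scheduled-task column names assume an English-language Windows.

```powershell
# Added example: read-only review of common Windows autostart locations.
# It changes nothing; run it from an administrator PowerShell prompt.

# Heuristic (assumption for this example): programs that start from a user
# profile, temp or ProgramData folder deserve a closer look.
$suspectPath = '\\AppData\\|\\Application Data\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'

# Hypothetical helper: builds one row of the report.
function New-AutostartEntry($Source, $Name, $Command, [bool]$Force = $false) {
    $cmd = "$Command"
    New-Object PSObject -Property @{
        Source  = $Source
        Name    = $Name
        Command = $cmd
        Review  = ($Force -or ($cmd -match $suspectPath))
    }
}

$entries = @()

# 1. Run / RunOnce keys for the machine and for the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($valueName in $item.GetValueNames()) {
        $entries += New-AutostartEntry $key $valueName $item.GetValue($valueName)
    }
}

# 2. Values with a known Windows default; any other content is flagged.
#    AlternateShell is the program "Safe Mode with Command Prompt" starts.
$fixed = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
       ValueName = 'Shell';          Expected = 'explorer.exe' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
       ValueName = 'Userinit';       Expected = "$env:SystemRoot\system32\userinit.exe" },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
       ValueName = 'AlternateShell'; Expected = 'cmd.exe' }
)
foreach ($f in $fixed) {
    $actual  = (Get-Item $f.Path).GetValue($f.ValueName)
    $changed = ("$actual".TrimEnd(',') -ne $f.Expected)
    $entries += New-AutostartEntry $f.Path $f.ValueName $actual $changed
}

# 3. Startup folders (Vista and later paths); shortcuts are resolved to their target.
$wsh = New-Object -ComObject WScript.Shell
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    $files = Get-ChildItem $dir -Force | Where-Object { $_.Name -ne 'desktop.ini' }
    foreach ($file in $files) {
        $target = $file.FullName
        if ($file.Extension -eq '.lnk') {
            $target = $wsh.CreateShortcut($file.FullName).TargetPath
        }
        $entries += New-AutostartEntry $dir $file.Name $target
    }
}

# 4. Scheduled tasks. schtasks repeats its CSV header between folders,
#    so header rows are filtered out.
$tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }
foreach ($task in $tasks) {
    $entries += New-AutostartEntry 'ScheduledTask' $task.TaskName $task.'Task To Run'
}

# Flagged rows first; everything else stays listed for manual review.
$entries |
    Sort-Object @{ Expression = 'Review'; Descending = $true }, Source, Name -Unique |
    Format-Table Review, Source, Name, Command -AutoSize -Wrap
```

A flagged row is a prompt to inspect the file it points to, not proof of infection; legitimate updaters also start from these folders. The scheduled-task section may return nothing in Safe Mode, so run the script after a normal boot into the clean account.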

  164. August 23, 2013 at 11:45 am, Gene said:

    Thank you SOOOOOOO much. This was a tough one. Couldn’t have done it without you.

    Reply

  165. August 27, 2013 at 5:56 pm, cb said:

    Thank you so much!!!!!

    Reply

  166. August 28, 2013 at 8:18 pm, Joseph said:

    here is the easiest way. while restarting the computer press F8. then when you see safe mode with command prompt. type “control.exe” go find where you can back up your computer to an earlier date and do it. then you will be free of all your worries.when it is completed, when you get back to normal, download your malwarebytes anti-Malware. free version will do it. or pay for it.
    this worked for me.

    Reply

  167. August 28, 2013 at 10:19 pm, pj an jane said:

    THANK YOU! :) :*

    Reply

  168. August 29, 2013 at 2:40 am, Jerry said:

    So I got this virus earlier today. I’ve had experience on the whole “safe mode with networking” technique. But the virus made the whole screen blank. I was able to trick the virus by pressing Alt+Ctrl+Del then press restart, but then cancel the restart right when it asks you to “force restart”. I ran Malwarebytes for over an hour got 100+ viruses and was able to delete them. At this point I read this article so I went and made another user just in case. Restarted the computer and FBI virus came back. I changed to the new user and was able to run Malwarebytes again and found 2 more threats. Erased them restarted the computer. Crossing my fingers. But the virus still came back. I need help.

    Reply

  169. August 29, 2013 at 7:56 am, Jake said:

    Thank you so much!

    Reply

  170. August 29, 2013 at 7:58 am, Cindy said:

    Got to the point of creating a new user downloaded Malbytes. Had just started running this download and virus took over this user. I seem to have only so much time before it “finds” me because previously I was trying fixes using the Guest account, but then that became unusable.

    Reply

  171. August 29, 2013 at 9:06 am, David said:

    Hi Aaron;

    Thanks for the article. It got my foot in the door. I followed the steps and left Malwarebytes scanning while I stepped away for a few minutes. When I returned, the virus screen was up on my new account! When I went to shut down, though, Malwarebytes reported it was still scanning? So I am letting it run for awhile and in the meantime I am updating AV on all my other computers. I’ll let you know how it turns out.

    Reply

  172. August 29, 2013 at 5:47 pm, frank said:

    I’m running vista and I don’t get a blank screen in all 3 system modes and when I clicked on change user it would only let me pick owner, there wasn’t any other options. Any ideas?

    Reply

  173. August 29, 2013 at 8:10 pm, Jim said:

    You are a lifesaver and an excellent communicator of IT to those of us hobbled by a liberal arts degree. Thanks a million!

    Reply

  174. August 29, 2013 at 8:31 pm, colin said:

    Thank you so much! This thing really freaked me out!

    Reply

  175. August 30, 2013 at 9:24 am, Jeff said:

    Thanks for the article. I had two machines with this. One would also not allow Safe Mode w/ Command Prompt either. Machine was very flaky in booting to Safe Mode. I removed HDD and scanned it with another machine removing a Sirefef Trojan. Once I replaced the HDD, I was able to follow the instructions you posted. Maybe on Line 6 you could state to reboot into Safe Mode, great instructions regardless.

    Reply

  176. September 02, 2013 at 1:54 pm, Peter Daniels said:

    My son dl this virus off an infected program he borrowed from a friend…!! Thanks for the procedure, will try it as soon as I get my laptop back home (I’m out of town and it’s a spare computer..)

    Thank You for all the others out there who don’t bother saying it.

    Reply

  177. September 02, 2013 at 5:28 pm, Bo said:

    F8 does not work for me. If I select safe mode with command prompt I get a screen to enter my password. However, the laptop does not recognize the correct password and does nothing. Suggestions?

    Reply

  178. September 04, 2013 at 8:04 am, Cameron said:

    I’m not sure if it was just by sheer luck or not, but I created a new admin account and it didn’t work long enough to get the download. However, I hit ctrl alt del and just switched to my main admin account. I’m not sure how or why but upon doing that I can navigate my usual admin account with no problem. I just finished downloading malware bytes and am praying it works. This is the second time I’ve been hit by this virus and this one has definitely been harder to kill.

    Reply

  179. September 06, 2013 at 3:14 pm, Jack said:

    I am trying to remove the FBI MoneyPak. Using the command line I have created 2 different user accounts with admin but before I can get a scan started the virus appears. Any additional advice? Thx

    Reply

  180. September 11, 2013 at 10:09 am, Frank said:

    Thanks for the tips. Command prompt booted properly, and got into control panel okay. The only things I noticed was the new account I created did not appear under “User Accounts” which freaked me out a bit. Also, I could not give these new accounts administrator privileges until I made my original login user account a standard account –only then did it allow me to make the new temporary account with admin rights, but the account still did not appear under “under accounts.” So I restarted the computer, held my breath and thankfully, I was able to boot up normally to run Malwarebytes and remove every trace of this SOB virus.

    Thanks young fella!

    Reply

  181. September 11, 2013 at 2:55 pm, Patrick said:

    What do you do if when I restart my computer in safe mode with command prompt my screen is only black and windows does not open, Then open task manager and start a new task for command prompt, and it tells me that it is not working. So I cannot access any windows or the command prompt. What do I do without sending it to a tech and spending $300 on my old 2005 HP?

    Reply

  182. September 14, 2013 at 4:07 pm, Andrew Myers said:

    I just read this blog and went to my desktop, but when I got on my PC and logged in the virus didn’t start up! Right away I did a system restart and now it is progress! (Before I logged on, I started my computer and forced shutdown about 10 times :p) STILL, I am thankful for seeing this website. I was really convinced I did something bad -_-. So thanks!!!

    Reply

  183. September 17, 2013 at 2:28 am, Jarod said:

    Hey guys, I have been trying to fix a friend’s PC which has a virus hidden as an Antivirus program. You can’t access Task Manager, Cmd, Safe Mode, Safe Mode with Networking and Safe Mode with cmd. I can’t remove it because it blocks every .exe. Any help would be appreciated. It came with Antivirus Security Pro.

    Reply

  184. September 19, 2013 at 3:44 am, Bob said:

    For those who can’t get in regardless of which safe mode you use, here’s how I got around it:

    Download the Kaspersky Rescue 10 iso image (google it).

    Burn it onto a DVD using something like CDBurnerXP.

    Pop it into the infected machine (must have a network cable plugged in)

    Start it and go into the Boot menu (normally F12 or F2), choose to boot off CD/DVD.

    Kaspersky will start, select your language and enter graphics mode if possible.

    Once it’s fully loaded you must click the “Update” button, allow it to update. This can take quite awhile

    Run a scan

    This should pick up the virus and ask you what you want to do, I just click “delete” to all virus infected files

    After that reboot and you should be able to get into your machine

    Run Malwarebytes to double check it.


  185. September 19, 2013 at 2:51 pm, Rich said:

    Cheers Aaron! Quality advice, this sorted my Moneypak problems out in 5 minutes after I’ve been looking for days for a resolution. Something as simple as creating a new user account, by way of the command prompt, is not so easy to find out if you’re as PC illiterate as me.

    Thanks again!


  186. September 23, 2013 at 9:55 am, Eddie said:

    THANK YOU THANK YOU THANK YOU!!! Just performed this on my computer which I thought was gone. Saved me tons of money and my files!! Awesome, and easy to follow for those of us who really don’t know anything about computers.


  187. September 26, 2013 at 10:32 am, jhn tokay said:

    Yes it worked! I have windows 7, no idea where this virus came from, but your step by step worked. Thank you!


  188. September 26, 2013 at 10:04 pm, Dave said:

    Aaron,
    This looks like it’s working. Thanks, Dude.


  189. September 29, 2013 at 4:40 am, N Philips said:

    This article fix was spot on and even works with the UK equivalent virus (says the Met Police ilo FBI)

    UK based user

    Many thanks


  190. October 03, 2013 at 3:34 pm, Dave said:

    Dude you’re the man! Worked like a charm.


  191. October 15, 2013 at 6:24 pm, Neil said:

    Spot on. Many, many thanks


  192. October 18, 2013 at 7:42 am, Sam said:

    You are a computer Guru. Thanks so much!!!


  193. October 22, 2013 at 9:42 am, Jacques said:

    Hi,
    I have a different version of this problem. My virus was introduced by a pseudo Microsoft helpdesk that offered my brother to fix his computer! Right!
    Now the problem is a fake login window that appears in every mode, safe mode and regular mode. This is not the Windows logon but a fake that asks for password only. So creating a backdoor user does not help in this case.
    The pseudo helpdesk was asking $200 to unlock the computer.

    The virus even prevents loading from the DVD. I tried Windows Defender and Kavensky Hitman. It always pops the fake login window.

    This is a Vista version and of course we do not have a recovery or original Windows DVD, and we need to recover some data on the disk.

    I have tried every trick in my bag and am running out of ideas. Any suggestions?

    Thanks in advance


    • October 22, 2013 at 2:52 pm, Aaron St. Clair said:

      I have not run across the particular virus you are describing, but I can imagine it.

      Does this password screen show up when you try to boot into “Safe Mode with Command Prompt”? If not, download rkill from bleepingcomputer onto a USB Flash Drive, plug the drive in, and boot your PC to Safe Mode with Command Prompt. Then use the cd command as described earlier to change to the flash drive. I would recommend trying “cd e:/”, “cd f:/”, or “cd g:/” as these are the common default directories for flash drives.

      If it blocks you in command prompt, there are still ways to remove it. One would be trying to use Hiren’s BootCD as described here: http://www.tech-recipes.com/rx/41669/remove-nearly-any-virus-using-hirens-bootcd/

      This method may not work, as your network drivers must be natively recognized in MiniXP, and many aren’t.

      Another option would be to remove the HDD from your machine, hook it up via USB to another machine (you can get these adapters pretty cheap, or if you have access to a PC with e-sata you can get a hard drive dock), and use MalwareBytes to scan the drive. Just point MalwareBytes to the USB drive when you select Full Scan.

      Finally, if you are unable to remove the virus yourself, a local PC repair shop should be able to remove the virus for much less than the $200 the rogue helpdesk requested. They will pull your HDD and scan it the way I described (via USB), but if you’re wary about taking parts out of your PC I would recommend taking it to the professionals.

      If, somehow, they are not able to remove the virus without wiping the drive and reloading the operating system, they will at least be able to recover whatever data you need.


      • October 22, 2013 at 3:35 pm, Jacques said:

        Thanks for your reply and ideas. No, I can’t get to the command line; I have that login window popping up all the time.
        I’m trying Hiren’s boot but for some reason it does NOT load on the machine. It works on another PC, but when I try on this machine it always goes to the loading menu (safe mode and other) but it never asks to load from DVD. I have checked the BIOS and it’s fine. Strange, it detects my Microsoft Windows 7.

        I think my last resort is to get a Sata cable and try to connect that drive to another PC :-)

        Thanks again, will keep you posted


  194. November 04, 2013 at 8:43 pm, Garrisn J said:

    You da man Aaron!!!


  195. November 08, 2013 at 11:44 pm, ivan said:

    I recently had the exact same virus, but it did not allow me to boot into safe mode or safe mode with cmd… my solution was creating a live disc. I used the Kaspersky rescue disc iso and burned the image disc. Booting from the disc, updating the latest definitions and running a full scan fixed the problem for me.
    Live discs are/will be your best friend if you cannot start safe mode.


  196. November 12, 2013 at 1:52 pm, donna ellison said:

    love you, love you, love you….2 days of numerous failed attempts at getting into safe mode after getting the FBI virus, I found this site and fixed it. first try….thank you


  197. December 17, 2013 at 11:15 pm, Conrad said:

    Hi, I followed these steps and it worked BUT, when I reloaded my account I was getting small error messages of corrupt files not loading, one from Windows, one from Chrome… So I went into system restore to the closest date (3 days before infection), restored it and then on the reboot I got the white FBI screen again. So the Malwarebytes didn’t completely remove it, and now trying these steps again, using the second account in safe mode with networking, Malwarebytes won’t find any infections. I even tried Malwarebytes rootkit and it also didn’t find anything, but my main account still loads the FBI page. Any recommendations?


  198. December 19, 2013 at 1:35 am, Jourdan said:

    THANK YOU SOOOOO MUCH!! The problem was it kept shutting my computer down whenever I’d enter safe mode. You helped me get my computer back and I am soo grateful. Thank You Thank You Thank You!!!


  199. January 27, 2014 at 12:50 pm, O.Cinelli said:

    Your safe mode with command advice worked, needless to say I am very grateful for your help. Thank-you Sir.


  200. February 14, 2014 at 6:34 pm, RG said:

    I just got the FBI money pak, but was able to restart to a clean screen. Is my computer OK? I’m running anti-malware and it doesn’t seem to be finding anything. I was running Chrome in incognito mode, not sure that is relevant, but maybe it is.


  201. February 16, 2014 at 4:47 pm, Linda said:

    My computer (running Windows Vista home pro) will not run in any safe mode, including command prompt. I tried “repair my computer” but since the computer is several years old, I cannot remember my admin password, or even if I ever had one. What do I do now???


  202. March 18, 2014 at 11:14 am, rick said:

    I was able to run malware and remove everything but every time I run malware again, 2 files still pop up as Trojan infected. I’ve removed them twice but they still keep coming back. What do I do?
