Remove Latest FBI MoneyPak Virus Despite Safe Mode Forced Restart
Posted by Aaron St. Clair in Windows spyware
The FBI MoneyPak virus has been around for a while now and has had one of the highest infection rates to date. When it originally hit computers around the world, removal of the virus was very simple through safe mode. Although the latest version of FBI MoneyPak forces reboot when in safe mode, following these steps will clear your system of the malware.
The FBI MoneyPak virus is famous for scaring users into believing they have been accused of watching illegal content online.
Attention: Your computer has been locked. Your PC is blocked due to at least one of the reasons specified below…
The original virus would infect the ctfmon.exe system file which is often executed as a startup program. The original fix was to simply boot the computer into safe mode and remove ctfmon from the startup programs, then the computer could be booted and scanned for viruses. FBI MoneyPak 2.0 (as I call it) has hit the streets and now forces your computer to restart upon booting into safe mode. Originally I thought the only fix would be to hook the hard drive up to a different machine to perform the removal. However, I have managed to trick the virus once again and through these directions you can remove the virus safely.
UPDATE: This technique has worked for many, yet there are still those who cannot make it work. I am in the process of finding a work-around for those who cannot get any safe mode to work, but I have not personally come across a version of this virus that kicks me out of all 3 safe modes.
If this process does not work for you, do not fret! There IS an alternative method that will work, but it’s more complicated. Click the link below to view my alternate method.
Remove FBI MoneyPak Virus Using Hiren’s BootCD
Steps for virus removal
1. Though the new FBI MoneyPak virus shuts down safe mode, it cannot shut down “Safe Mode with Command Prompt” as no programs can be started on startup with this option. Booting into “Safe Mode with Command Prompt” can be different per system, but the most common method is to tap the F8 key repeatedly as soon as you power your computer on. You may hear beeping or see “Keyboard Failure” displayed on the screen, but pay no mind to these warnings. Your computer should never make it to the boot screen for Windows, but should display a screen with options including “Safe Mode”, “Safe Mode with Networking”, “Safe Mode with Command Prompt”, “Repair your Computer”, etc. You need to select the “Safe Mode with Command Prompt” option and then hit the Enter key. This will boot the computer with minimal drivers, and no startup programs will run except cmd.exe.
2. In order to run the appropriate files needed, you may first need to know how to navigate around the command prompt. (NOTE: Many systems default to the appropriate WINDOWS\System32 directory, but I have seen a few that do not. I’ve yet to determine what causes this default directory not to be loaded, so if yours isn’t in the directory, read on.) The directory you need to browse to is C:\WINDOWS\System32. If you do not see this file path displayed in the command prompt then you will need to manually change to that directory. To do so, type “cd ..” until you only see “C:\>” displayed as the current file path. The “cd ..” command is “Change Directory” and the “..” means go up one directory. Once you’re at C:\> you need to change directory down, into Windows, and then into System32. To do so, type “cd WINDOWS”, and then “cd System32”. You should now see “C:\WINDOWS\System32>” displayed as your current directory.
3. The file you need to run is “control.exe” which will launch the Control Panel. To do so, simply type “control.exe” and hit enter. It may take a few seconds to initiate the Control Panel, as GUI based applications generally are not started from this Command Prompt view. Once the Control Panel is open, navigate to User Accounts.
4. The overall objective is to create a new temporary user account to perform the virus removal. In the User Accounts window, click Manage Another User or Create New User. One of these two should give you an option to set up a new user account. The new user MUST be set to an Administrator. Once you have created the user account, ensure that it shows up in User Accounts before closing the window. Once you’ve done all this and verified that the account showed up in User Accounts, you can restart your computer. This time do not tap F8; instead, let the computer boot as it normally would.
5. If your computer boots directly into your user account by default, you may find yourself stuck again at the FBI MoneyPak screen. The objective is to log into the other user account, and the virus allows this, but it can be tricky to do. If you are presented with a window where you can select the new user account that you made then skip to step 6. There are two ways to get back to the login screen while at the MoneyPak screen. On all Windows platforms the key combination winkey+L will send you to the login screen. The Winkey button is the one between Ctrl and Alt keys. If you’re running Windows Vista/7/8 then you have an alternate path. Pressing Ctrl+Alt+Delete should present you with the Windows Lock Screen with the option to Switch User. Clicking Switch User should bring you to the Login screen.
6. Log into the new user account that you created in Safe Mode. You will probably see a couple of screens helping you set up your new user account. After that you will be presented with a clean desktop and be able to browse around and use the computer as a new user. This account is just temporary, so do not worry if it does not appear as your normal desktop. Open a web browser and download Malwarebytes Anti-Malware. The software is excellent and you should consider purchasing it. The free version, however, will remove the virus. Download and install the program. Once it has finished installing it may need to restart the PC. After the restart you may have to repeat step 5 again to get back to your new temporary user account.
7. Once you are back in your temporary account after the reboot, run Malwarebytes and allow it to check for updates. If it does not do so automatically, click the Update tab in the user interface and then the Check for Updates button. Now, go back to the Scanner tab and click Perform Full Scan. Quick Scan usually removes the current version of the MoneyPak virus, but it is always better to be safe than sorry with the full scan. The scan can take anywhere from 10 minutes to 5 hours depending on the speed of your system’s hardware. Once the scan is complete, you must click the Show Results button in the lower right-hand corner of Malwarebytes. This will bring you to a new screen with a list of all infections found. Check the check box to the left of every item in the list, then click Remove Selected. You will be prompted to restart your computer. The infected files will not be removed until you restart.
8. Once the computer boots back up, your regular user account should be in proper working order. You can now go back to Control Panel then User Accounts and remove the temporary user account created.
The Conversation
February 14, 2013 at 4:11 pm, franciscovj said:
A few notes to add:
1. On step 6 you want to log in as Safe Mode With Networking, not just Safe Mode. Something obvious for people in IT but not for the average user.
2. Installing programs in Safe Mode does not work by default so you either enable it on below link or save the file and restart in regular mode and install it:
http://www.symantec.com/connect/blogs/windows-installer-safe-mode
February 14, 2013 at 4:15 pm, Aaron St. Clair said:
Safe Mode and Safe Mode with Networking are both forced to shut down with the latest MoneyPak, so neither work. That’s why I’m using the Command Prompt version. Also, the instructions say to install the program after a normal boot into the new user account, so installing in safe mode shouldn’t be an issue! Thanks for the input! I’ve learned something new too. Did not know there was a way to keep installations in safe mode.
May 11, 2013 at 8:34 am, Ftg said:
My computer is shutting down in every type of safe mode. Is there another way of removing the virus?
May 14, 2013 at 12:55 am, Tye McLoche said:
> The MoneyPak virus that I have will not even allow me to start it in Safe Mode with Command Prompt. As soon as it gets to the Command Prompt, it is shutting down my computer and restarting. What is the next step? Boot from disk in MS Dos?
May 31, 2013 at 12:36 pm, Keegan said:
We at my tech company have just run into two clients’ computers that have this variant on them. No safe mode at all.
June 07, 2013 at 1:49 pm, Jason said:
My friend’s computer also will not even allow you to use Safe Mode Command prompt.
June 02, 2013 at 11:39 am, Norma said:
Thank you so much Aaron! None of the other safe mode instructions worked until I found your instructions with the command prompt. You are genius! Thanks again!
June 03, 2013 at 4:03 pm, Brian Barnes said:
Hi Aaron, been fighting Spyware, Malware, Greyware, & Adware from the beginning of its inception. I have always been able to fight back and beat the bad guys. Although there are several new FBI Warning Variants in the wild now that has mutated into new FBI Warning Strains. Safe Mode does not work at all and if you even try any of the Safe Mode methods the computer will “BLUE SCREEN” of Death on you which forces you back into Normal Mode.
I am currently working on one of my new tools that will Boot into Linux off a Flash Drive where I will then run my virus fighting attack tools to take out & kill the FBI Virus. A new thing I have noticed the virus doing is creating common program executable files under the main User Account Profile, like googleupdate.exe or skype.exe, or chrome.exe. Some type of common program .exe file that you might otherwise overlook but it doesn’t belong there in the first place. So these are just a few things I have noticed and picked up about the new FBI Warning Virus strain.
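Added example (not part of the original article or of the comment above): a small triage script for the observation that the malware drops executables with familiar program names directly under a user profile. It is meant for a drive attached to another computer or mounted from a boot disk; the name list, the function names and the sample folder are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Program names quoted in the comment above; extend the set as needed (assumption).
LOOKALIKE_NAMES = {"googleupdate.exe", "skype.exe", "chrome.exe"}


def is_pe_file(path):
    """Return True if the file starts with the 'MZ' magic of a Windows executable."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def sha256_of(path):
    """Hash the file so it can be looked up or reported; None if unreadable."""
    digest = hashlib.sha256()
    try:
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def classify(entry):
    """Return a reason string if a top-level profile file deserves a look, else None."""
    name = entry.name.lower()
    if name in LOOKALIKE_NAMES:
        return "well-known program name outside its install folder"
    if name.endswith(".exe"):
        return "executable in profile root"
    if is_pe_file(entry):
        return "executable content without .exe extension"
    return None


def scan_profiles(users_dir):
    """Check only the top level of each profile; installed programs do not live there."""
    findings = []
    for profile in sorted(Path(users_dir).iterdir()):
        if not profile.is_dir():
            continue
        try:
            entries = sorted(profile.iterdir())
        except OSError:
            continue  # unreadable profile, skip it
        for entry in entries:
            if not entry.is_file():
                continue
            reason = classify(entry)
            if reason:
                findings.append({
                    "profile": profile.name,
                    "file": entry.name,
                    "reason": reason,
                    "sha256": sha256_of(entry),
                })
    return findings


def build_sample_tree(root):
    """Create a constructed Users folder with harmless stub files for the demo."""
    users = Path(root) / "Users"
    alice = users / "alice"
    app_dir = alice / "AppData" / "Local" / "Google" / "Chrome" / "Application"
    (alice / "Documents").mkdir(parents=True)
    app_dir.mkdir(parents=True)
    stub = b"MZ" + b"\x00" * 62                       # header bytes only, not a real program
    (alice / "chrome.exe").write_bytes(stub)          # misplaced lookalike
    (alice / "notes.dat").write_bytes(stub)           # executable content, wrong extension
    (alice / "NTUSER.DAT").write_bytes(b"regf" + b"\x00" * 60)
    (alice / "Documents" / "report.docx").write_bytes(b"PK\x03\x04")
    (app_dir / "chrome.exe").write_bytes(stub)        # normal install location, ignored
    return users


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for item in scan_profiles(build_sample_tree(tmp)):
            print(item["profile"], item["file"], item["reason"], item["sha256"])
```

To check a real drive, pass the mounted Users folder to scan_profiles; anything it lists is a candidate for a closer look, not a verdict.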
February 26, 2013 at 9:14 am, Brent Marvich said:
You can skip all the way to step 6 if you have already created a “back door” account. Something I do on all my system builds, among other things…
I can not count the times I needed to log into a computer and the administrator account/ user account was corrupt/disabled or password was changed.
This can be done with a simple batch file to save even more time…
***SAVE THE FOLLOWING TO A TEXT FILE***
ECHO This will create the user backdoor with password backdoor!
NET USER backdoor backdoor! /ADD /EXPIRES:NEVER /PASSWORDCHG:NO
NET LOCALGROUP "Administrators" backdoor /ADD
NET LOCALGROUP "Users" backdoor /DELETE
WMIC USERACCOUNT WHERE "Name='backdoor'" SET PasswordExpires=FALSE
***DO NOT ADD THIS LINE OR ANY BELOW THIS LINE***
Rename the text file as a .bat file instead of .txt and run it from the command prompt.
Now this virus is nasty and I have seen a few different versions of it with varying complexities. Most of them have a rootkit associated with them which if not removed completely will come back. After running Malwarebytes Anti-Malware and then logging in as your normal account, you should run Malwarebytes Anti-Rootkit just to be safe.
April 30, 2013 at 5:21 pm, Hung Tran said:
> Your instruction works fine. Thank you
May 18, 2013 at 4:20 pm, Wendy said:
> I can not work in safe mode neither can I create another account. What options do I have?
May 21, 2013 at 5:41 pm, Rick said:
URGENT:
I think, it is safer to create an ISO boot Disk; then add any “boot.bat” commands
Then, download and create an ISO image on a SAFE COMPUTER is more likely a REAL ANSWER…
to many simple minds, including mine
Thank you!
February 27, 2013 at 2:33 am, xanjabu said:
Or in the case of Vista/7 (not sure about 8 as not used it yet) you don’t need to create a new account, just enable the disabled Administrator account.
At command prompt type net user administrator /active:yes
Reboot and login.
Once removed, go back to your ordinary account and bring up command prompt and shut down the administrator account (until next time…)
net user administrator /active:no
Thanks for the article
March 08, 2013 at 10:16 pm, Ray said:
Thank you so much!!!
May 31, 2013 at 8:19 am, Kevin said:
> Ditto that. Thanks!
March 29, 2013 at 6:13 pm, natalie said:
I just wanted to say THANK YOU so much!!! These instructions got the virus off my computer and saved me a lot of money! I appreciate it!!!
March 30, 2013 at 4:52 pm, Jacob said:
THANK YOU SO MUCH!!! I cant thank you enough!!! You have saved my computer…
April 04, 2013 at 12:46 am, frank said:
Such a great help!
Easy to follow and execute!!
Virus is gone!!!
April 09, 2013 at 3:07 pm, andraz said:
thank you for the solution with command prompt, it works great with new versions of the scam
when you start control.exe, you can also activate a restore point.
April 09, 2013 at 7:06 pm, Brian said:
Thanks, I followed your great instructions and got back up & running! GREAT WORK!
April 10, 2013 at 12:57 pm, Aaron St. Clair said:
I’m glad everyone has been able to remove this virus successfully! It took me a little while to dig through the CMD and different safe modes until I found a solution… Didn’t see the need for others to endure the same torment! Hopefully this has saved somebody from falling for the scam!
May 17, 2013 at 8:18 pm, Beth said:
I’m having the same problem, but when I try to open the control it tells me I don’t have permission. Any other way around it?
April 10, 2013 at 12:48 pm, Justin W said:
Thank you for being a saint, this virus is disturbing. Scanning with Malware Bytes, hasn’t found it yet and it’s been through 50000 files. What if it doesn’t find it?
April 10, 2013 at 12:55 pm, Aaron St. Clair said:
Ensure that you told it to do a Full Scan and not just a Quick Scan or Flash Scan. I’ve seen MBAM scan 600,000+ files before finding anything infected… Had to leave a customers house and return the next day to finish! The amount of files it scans really just depends on the programs you’re running on your computer and the amount of data you have as well. If you do work with taxes, AutoCAD, Adobe, etc. then you’ll be in the upwards of 200k before it finishes its scan. The /winsxs directory has about 50k files MBAM scans in that folder alone… So just sit tight and wait it out!
Also, did you allow MBAM to Update before starting the scan? To make sure, click the Update tab at the top if the scan fails to find anything. Let it download the newest virus definitions then run the scan again.
If you do manage to get through the virus scan and MBAM doesn’t find the infection, try running Trend Micro’s Housecall, Kaspersky’s TDSSKiller and your regular anti-virus scanner. All of those scans should find the FBI virus, but MBAM is my ole’ reliable when it comes to virus removal.
April 14, 2013 at 10:20 am, Happy user said:
Thank you so much for helping me I was so scared I thought I did something wrong man you rock
April 17, 2013 at 1:56 pm, Shannon said:
Thank you very much for the detailed step by step instructions to remove that nasty FBI green dot virus.
Furthermore your instructions for removal were very simple to understand. Most of all it worked!!!!
THANK YOU!!!!
April 18, 2013 at 12:32 am, wes said:
Article helped me to solve problem. Thank you very much! Nice work!
April 18, 2013 at 10:21 pm, Karl Drumm said:
Hello Aaron,
I read your instruction on how to remove a virus from my computer but I am NOT sure if it will take care of the problem I have. See, I don’t really know if my machine is really infested by a virus since I do not have any problems with reading and writing e-mails. However, I do have a problem with downloading adobe flash, adobe player and other programs like running Spydoctor, malwarebytes even with AVG removed.
You see every time I try to download I will receive a security warning message and cannot get any further which means I have to cancel or if I try to go ahead another window will open and ask me if I am really sure to continue.
If I move the first window out of the way there is another window behind it where it shows a file moving from one folder to the next. There is no information on the page where the files are changing folders.
One other problem is occurring that after it says that download was completed that I will not receive the “INSTALL” prompt therefore I cannot install and run any programs at all.
Some icons which I click on on my desktop will open and I can do my work; others will not work. All other symptoms which would indicate a virus like slow computer, pop-up, screen changes etc. are not happening.
I tried to run this in SAFE MODE and the machine acts the same way. I really don’t know what to do except clean the hard drive and start all over. I am completely lost in the world of computerspace. Can you please help me by answering my letter.
I would appreciate if you would be so kind. This way I could learn something from you.
Thanks Karl
April 21, 2013 at 11:55 am, Aaron St. Clair said:
The fact that some programs function normally, but others do not, definitely sounds like a virus. What exactly happens when you try to run MalwareBytes? I think your first step to cleaning your computer will be to download and run rkill from Bleeping Computer. If you’re not able to download it from your computer, try doing it from at work or a friends computer. Rkill should stop any malicious processes that are running and preventing you from running programs. After running Rkill, reattempt to run Malwarebytes. Make sure you update the virus definitions before performing a full scan.
April 20, 2013 at 3:17 am, Lithus said:
It’s great to see that despite the bad people and losers who prey on ppl
It’s great to see someone posting helpful stuff like this to fight back.
Hackers are the lowest form of life, a cancer diagnosis would be too good for them…
April 21, 2013 at 11:49 am, Aaron St. Clair said:
Heh, the moneypack virus isn’t really from hackers. It’s simply a social engineering scam.
April 20, 2013 at 5:11 pm, Needhelp said:
I tried to get into safe mode with command prompt but then it froze… maybe I was impatient but I held the power button for a hard shut down… now, I am unable to enter any safe mode… the only options available are startup repair and start windows normally… the safe mode options have not returned… help
April 21, 2013 at 11:48 am, Aaron St. Clair said:
Hard resetting your PC while it’s booting can cause this looping cycle to occur. You need to tell it to start normally and let it boot up as if it isn’t infected. Then, once you have the moneypack virus on the screen after a full boot, push the power button once. Don’t long-press until it shuts down. Pressing it once makes windows go through its regular shut down sequence and should keep you from getting the startup repair screen. As for no safe mode options, are you sure you’re pressing the correct Function key (usually F8)? The Safe Mode bootscreen should take priority over the startup repair screen you’re getting if you’re pressing the correct function key.
April 22, 2013 at 10:24 am, CAC1031 said:
Thank you! I looked at various methods posted on the internet to remove this thing without being able to get into safe mode and yours was the simplest, clearest method. At first I thought it wasn’t going to work as it never gave me a command prompt and eventually skipped to the login screen. But it worked on the second try. Thanks again.
April 22, 2013 at 5:58 pm, Dave said:
Thank you!! I spent hours on other forums with their “solutions”…Your solution was quick and easy. Great instructions.
April 25, 2013 at 3:41 pm, Arjun said:
Thank you so much. Your instruction worked wonders. Did not take me more than 20 mins to get rid of the malware. Keep up the good work and thank you soooooooooooooooooooooooooooooooooooo very much.
April 25, 2013 at 6:04 pm, tascha said:
You rock and saved my computer. Your directions were so easy to follow. Thank you thank you
April 28, 2013 at 8:34 am, computer virus repair said:
Thank you very much for these straight-forward and your easy instructions. I was able to remove this virus without losing any of my documents.
April 28, 2013 at 1:00 pm, Jeff McKeever said:
I hope this works!
April 28, 2013 at 1:04 pm, Aaron St. Clair said:
So far it has worked for everyone! I just removed another case of this virus yesterday following these instructions to the T and all went smoothly!
April 28, 2013 at 3:25 pm, Jeff McKeever said:
When I followed your instructions and got to safe mode and typed in the control.exe command I got the following window: “Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access them.” The only option is “OK”. Not sure it’s important but at the top of the window there was this: “{26EE0668-A00A-44D7-9371-BEB064C98683}”. Any thoughts on how I should proceed?
April 29, 2013 at 2:36 am, Aaron St. Clair said:
You may have other issues on the machine other than just the FBI Virus. As a work-around, the command “explorer.exe” should work from any location (i.e. C:/WINDOWS/System32/ AND C:/Users/Steve will both work). This will launch Windows Explorer. Go to My Computer, your Local Disk (usually C:/), the WINDOWS folder, then the System32 folder. Here you should be able to find control.exe. If you still cannot run the file then make sure you’re using an administrator account. You can enable the default administrator account in
W8: http://www.eightforums.com/tutorials/9650-built-administrator-account-enable-disable-windows-8-a.html
W7/Vista via: http://www.howtogeek.com/howto/windows-vista/enable-the-hidden-administrator-account-on-windows-vista/
Windows XP: http://www.tomshardware.com/forum/95509-45-enable-admin-account-home#8719322
April 28, 2013 at 5:49 pm, George Miller said:
Thank you very much, it worked
April 28, 2013 at 11:33 pm, thanks said:
THANK YOU!!!!!
April 29, 2013 at 6:26 pm, Rocky said:
Well, I think it has become bigger and better yet again. I have tried all of the suggestions to get into safe mode with Command Prompt… But no matter what I do, the FBI screen is there telling me to get out of safe mode and log onto the Internet. I saw the post about not hard booting and let the computer shutdown properly and then try safe mode with command prompt but it still won’t let me. I have tried all of the safe modes, I get the virus and won’t let me do anything. Please help! I see you were able to work your magic a few days ago… So I’m hoping there is still hope for me!
April 29, 2013 at 6:30 pm, Aaron St. Clair said:
If you can’t get past it in any of the safe-modes, then you can try using your system restore disk, and instead of telling it to install windows, choose Repair. There’s a repair option to run a Command Prompt. I’m not sure how functional that command prompt will be though… but you’re still not out of luck if that doesn’t work. The virus CAN be removed! But, if you cannot bypass it somehow on the actual machine it’s on, the hard drive will need to be removed and simply scanned using MalwareBytes on another computer.
April 29, 2013 at 7:23 pm, Rocky said:
Thanks for the quick response! To give you more info, I do not have administrator privileges on this laptop myself, so when it comes to doing a recovery or system restore, I don’t have a disk. So it looks like I’m down to removing the HD from this laptop and connecting it as a slave to another computer…. Or sending it in to my IT team except then all my files will be gone!
April 29, 2013 at 7:26 pm, Aaron St. Clair said:
If you have an IT team then I’m sure somebody there knows how to copy files from one drive to another. If you put the drive from the computer in an external enclosure it really just functions like a flash drive. But, there really isn’t a need to lose any files to remove the virus. Simply plug the drive in and point MalwareBytes to the removal disk directory instead of C.
April 30, 2013 at 2:09 pm, Matt said:
I got a version of this virus and removed it simply by holding f8 during startup, selecting “repair your computer” and selecting a restore point. Don’t know how many versions of the virus this works on, but I would recommend trying this first before going through all the steps the article describes (unless reverting to a restore point would uninstall a program you for whatever reason cannot easily re-install). Using a restore point does not delete any of your personal data (e.g. documents)- at least on Windows 7.
April 30, 2013 at 5:23 pm, Aaron St. Clair said:
This is a viable solution to get past the screen popping up, but, as you stated, System Restore only restores system files and settings. The System Restore will remove the virus from the startup procedures, but it does not remove the malicious files from the machine. MalwareBytes would still be necessary to ensure you don’t become re-infected. This procedure is quicker than a system restore for many systems, especially older machines.
April 30, 2013 at 3:01 pm, jack said:
thank you for this; i was at my wit’s end but this worked like a charm!
May 02, 2013 at 7:41 pm, al said:
my computer got infected yesterday! 1st time was about six months ago. I fixed that using safe mode then scanned w/malwarebyte. this time: safe mode, safe mode w/networking and /command prompt all got error messages and have option to start windows regularly. It will reboot normally, i can have access for a lil bit while it’s loading then the moneypak screen lock kicks in. I do not have access to ‘admin’ login. Waiting for my lil brother… any suggestion…im not update w/all the computer stuffs…was pretty good at it 25 yrs ago! thanks
May 29, 2013 at 9:15 am, Aaron St. Clair said:
Sorry for the delayed response. The only time I’ve ever personally seen all 3 versions of safe mode not work is when the Operating System had actually been corrupted and system files were not working properly. Yes, this can be caused by a virus, but the FBI MoneyPack, to my knowledge, does not alter any system files other than the startup procedures. Your issue may be deeper than the FBI MoneyPack virus. In lieu of having to totally wipe/reload, try using the Hiren’s BootCD method that’s been added to the article.
May 03, 2013 at 10:12 am, GSH said:
This did not work. I went into Safe Mode with command prompt and the regular desktop with the icons for each user came up. I entered into the administrator user and the computer logged off, shut down and restarted again. I’m using Windows 7
May 29, 2013 at 9:17 am, Aaron St. Clair said:
Did you enter into the user labeled “Administrator”? Or a user that has Administrator privileges? In any case, try using the Hiren’s BootCD method that’s been added to the article.
May 03, 2013 at 11:25 am, GSH said:
When I go into Command Prompt, everything starts with “X:\” instead of “C:\” Tried the cd .. and it wouldn’t change that part. It started with X:\windows\system32> and I was able to change the directory, but only down to “X:\>” and then it could not find the “control.exe” when I typed it in. Said it is not recognized as an internal or external command operable program or batch file.
May 03, 2013 at 5:13 pm, Aaron St. Clair said:
It seems like your primary hard drive is the X:/ drive instead of the C:/ drive. You should be able to follow the tutorial exactly, just replace every instance of C:/ with X:/. You said your default starting point was X:/WINDOWS/System32, which is where you need to be. So, as soon as your command prompt comes up you should be able to type control.exe without getting that error message!
May 03, 2013 at 3:35 pm, mike said:
Vista laptop, moneypak virus. ALL safe modes are dead, including command prompt. What do I need to try? Thanks.
May 03, 2013 at 5:12 pm, Aaron St. Clair said:
Hmm. It seems like there is a newer version than when I published this. Multiple people have had an issue of all 3 safe modes being disabled. If all of your safe modes do not work, then you’re still not completely out of luck. There are two possible solutions from here:
1. You can remove your hard drive from the computer and scan it with another computer… I understand this is a scary topic for many and it should only be done if you’re comfortable with your computer’s guts.
2. For the less tech-savvy, the hard drive in your computer isn’t the only drive that your computer can “boot” into (i.e. load up Windows when you turn your computer on). Your computer can boot to a disk in the disk drive, it can boot to a flash drive, and there are other possibilities as well. This fix will involve booting to your disk drive. Download and burn Hiren’s BootCD from a work or friend’s computer. Hiren is downloaded as a .zip file and must be extracted to find the file to burn. Turn your computer on and put Hiren’s in the disk drive. Power your computer off, then back on. This time, look for something that says “F10 Boot Menu” or “Boot Menu F12”. The Boot Menu hotkey is different on many systems. If you cannot find anything telling you what key it is, you can try tapping F2, F8, F10, F12, or Del when you start your computer. One of these hotkeys should bring you to the Boot Menu when you tap it repeatedly as the computer starts. From here you can select your Disk Drive as the boot drive. This will load you into the Linux distro on Hiren’s. From here, you can update and run MalwareBytes on your C:/ drive.
I plan to update the main tutorial soon with more detailed instructions with screenshots, but finals week has me bogged down at the moment.
May 04, 2013 at 7:13 am, Trish said:
I am so happy I found this article…you saved me from this virus!! Thank you!!
May 04, 2013 at 7:51 am, liam parker said:
Luckily i had already made another account because this white screener keeps telling im using special characters when trying to create a new account! so they must have updated it yet again, this time to stop you creating a new account.
May 29, 2013 at 9:19 am, Aaron St. Clair said:
I haven’t seen the virus stop anyone else from creating a new account. You may be having other issues such as a faulty keyboard. Try using your on-screen keyboard. In XP, it’s located in All Programs > Accessories > Accessibility > On-Screen Keyboard. In anything newer, you should be able to type “keyboard” into the start menu and Windows will pop it up for you.
May 05, 2013 at 5:16 am, Ram said:
Hi
Thanks a lot. It was enormously helpful. However, I went to restore by typing in command prompt and my system was restored without any problem. Worked perfect.
May 05, 2013 at 7:15 pm, Steve said:
I lucked out on this I opened task manager which still worked and for some reason my computer opened. Started malwarebytes. I searched through program data and found something called display switch exe which malwarebytes found shortly after and deleted
May 06, 2013 at 9:48 am, vernon m. said:
This guy knows what he is talking about…..i had the moneypak virus a few times before and I was able to get rid of it….i am a technology guy and I didn’t know what to do this time after all of my procedures failed….i tried this procedure….pretty slick by using the cmd line to create another user acct!
May 06, 2013 at 7:51 pm, Phil said:
Thaaaaaank you soooooo much!
May 07, 2013 at 4:04 am, Michael said:
I did all the above steps and after full scan there were three files that shows infected my computer and it was removed and I restarted the computer. When I log in back to my account the FBI virus is still there. What is going on
May 29, 2013 at 9:21 am, Aaron St. Clair said:
Is the user account that is infected an Administrator account? Standard Users may have issues removing files from Program Data and Application Data. Make sure the user account you created is an administrator.
May 07, 2013 at 1:21 pm, Randy said:
My friend got this virus and asked me for help. The problem is it used a password to block access to the boot menu. Is there a way to get around this?
May 29, 2013 at 9:22 am, Aaron St. Clair said:
I’m pretty sure this virus has not magically modified your BIOS. The password screen you are being presented with is most likely a BIOS password put on by some network administrator. Is this PC a school PC or work laptop?
May 07, 2013 at 8:05 pm, Nick St.Clair said:
Control panel won’t come up to make a new user (step 3) it puts up the moneypak screen and won’t let me do anything. Any suggestions?
May 29, 2013 at 9:24 am, Aaron St. Clair said:
This may be a rhetorical question, but are you sure you’ve booted into Safe Mode? Instead of running “control.exe”, try running “explorer.exe”. You may be prompted with a warning saying that Safe Mode with CMD is not meant to use a GUI interface like explorer.exe, but ignore that. You should then be able to use your Start menu and access the Control Panel through it.
May 07, 2013 at 9:22 pm, Z said:
I got all the way to step 6, but when I log in as the newly created user, I get a blank screen, when I do it in safe mode I get the moneypak screen….any suggestions???
May 29, 2013 at 9:24 am, Aaron St. Clair said:
Are you sure you created the new user account as an administrator?
May 07, 2013 at 11:22 pm, Freda said:
THANK YOU!!! THANK YOU!!! THANK YOU! SO FREAKIN MUCH!
I tried so many tutorials. I was told to pay big $$$ to fix this. I was so bummed out. Thank you!!!
You are brilliant, seriously
May 08, 2013 at 11:22 am, Ted Falkowski said:
control.exe not recognized in directory using Windows 8.
Please send me instructions using a Dell laptop Windows 8 operating system.
Thank you.
May 08, 2013 at 1:02 pm, Marek said:
When I try to use cmd prompt my regular user account password does not work. When I use safe mode with networking it does, but the FBI screen blocks everything… stuck
May 08, 2013 at 1:08 pm, Rick said:
On an XP x64 machine, I have picked up a variant of this virus that does not allow any of the Safe Modes to run, including Safe Mode with Command Prompt.
May 09, 2013 at 7:16 am, Robert Klein said:
I tried all safe mode choices and none of them will launch. I also tried to use Hitman Pro Kickstart and it will start but will not connect to the internet. I have removed FBI MoneyPak on several computers, but this one is different. Unless there is something corrupt with safe mode features on this machine. The new MoneyPak will not allow this computer to boot to safe mode with command prompt. So there is no way to create a second user account to log into. Any other ideas?
May 10, 2013 at 7:58 pm, cjmshadow89 said:
The MoneyPak has evolved. I use Windows Vista Business. When I start in safe mode with cmd it takes me to the log in screen. I log in as administrator and it restarts. Are there any new updates to this fix? Thank you.
May 11, 2013 at 9:25 am, Dennis said:
Thanks very much! ! !
May 11, 2013 at 11:56 am, Jesse said:
Aaron – I wish I could buy you a beer. This just saved me as well.
May 12, 2013 at 12:10 am, mw27630 said:
I have this virus and tried the command prompt, but it still took me to the virus screen. There’s an error box that appears and says ‘please come out of safe mode and connect to the internet’. I’ve tried almost everything, and nothing seems to work.
May 13, 2013 at 6:07 am, Devin said:
When I go on safe mode it just says please wait. I tried all of them but it just says please wait. I really want to get this fixed, please help.
May 13, 2013 at 6:08 am, Devin said:
My safe mode won’t finish loading, please help me.
May 13, 2013 at 11:48 am, Alex said:
This is a Godsend! Thanks for sharing your tech savvy!
May 13, 2013 at 3:05 pm, Sid Frasier said:
Unfortunately, the process you described has now been blocked by the process that shuts down Windows on error even in Boot to Command Prompt. You cannot disable this feature within the BIOS. The only workaround I’ve found is a secondary boot that is clean or installing the drive in a second computer!
May 13, 2013 at 5:21 pm, Help said:
I selected Safe mode with command prompt and it still forced a reboot on me! Please help
May 29, 2013 at 9:30 am, Aaron St. Clair said:
Try using the Hiren’s BootCD method that’s been added to the article.
May 13, 2013 at 9:54 pm, Dana said:
None of this is working for me. Whenever I try safe mode, it just reboots all over again. Please help.
May 13, 2013 at 11:13 pm, gino said:
You are the best man !!!!!!!!!!!!!!!
I tried everything and your guidelines helped me!
You are GOOODDDDDDDDDDDDDDDDDDDD
May 14, 2013 at 2:14 pm, bl said:
The latest FBI virus can automatically shut down “safe mode”, “safe mode with network” and “safe mode with command Prompt” on 5/14/2013. How can I do that?
May 15, 2013 at 1:05 pm, need help!!!! said:
I tried everything from rebooting my computer and tapping the F8 button, which wouldn’t allow me to get to the safe mode screen, and also trying to go through the steps from your article. I already have another account that doesn’t have the virus on that side but it still won’t allow me to get rid of the virus for the other account even when I use malwareantivirus and pc tuneup. The live advisors tell me that I need to get a Microsoft tech to clean up the computer but it is kind of pricey. Any suggestions?
May 29, 2013 at 9:32 am, Aaron St. Clair said:
You do not need a Microsoft tech. Any technician should be able to clean this for you if you are not able to yourself. The ideal way to remove it is just pull the HDD and hook it up to a clean PC, and scan it from the clean PC. But, for you, try using the Hiren’s BootCD method that’s been added to the article.
May 15, 2013 at 1:48 pm, Pat said:
I was infected last night and as of 5/14 it blocks all safe mode choices; any ideas on how to get past that?
May 15, 2013 at 1:55 pm, Norm said:
After probably 8 hours of trying to get rid of this thing, your directions provided the cure.
I was not able to boot into safe mode or safe mode with networking. Only safe mode with
command prompt. Numerous attempts to run AVG antivirus and Malwarebytes scans did not work.
I was just about ready to re-install Windows 7 when I found your instructions.
Thanks a lot and may the people who contrived this pos burn in hell.
May 15, 2013 at 2:28 pm, Shequette Thompson said:
1. “Safe Mode with Command Prompt” option and then hit the Enter key.
After I get to this step my laptop loads WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
All down the page and then it tells me to please wait and then it restarts Windows.
Let me add that the virus (or scum bags) have changed my user name so I can not do any of the steps you told me to do. Please help, I have class and do not need to fall behind.
May 29, 2013 at 9:34 am, Aaron St. Clair said:
I’ve never seen this virus change a username. The WINDOWS/System32/directoryxxxxxxxxxxxxxxxxxxx text that floods the screen is normal. It’s showing you the system files that are actually being loaded. If you’re being forced to restart still, try using the Hiren’s BootCD method that’s been added to the article.
May 15, 2013 at 7:04 pm, james said:
Hi, my computer has been infected and even when I tried to run under safe mode with command prompt, once I was in the safe mode and typed in the user password, the computer automatically went into auto shutdown. It seems like the virus creator has outsmarted the system… I am stuck now =(
May 16, 2013 at 2:06 am, SM said:
THANK YOU
May 16, 2013 at 1:52 pm, Attaboy said:
Thank you so much sir. You are a gentleman and a scholar
May 16, 2013 at 2:12 pm, Nanar said:
there is a newer version of the virus, which shuts down even safe mode with command prompt, which is my case
-_-
May 17, 2013 at 12:20 am, Cynthia said:
I thank you so much!!!! My safemode took me right into the virus and I did not know what to do. I had a back door account already and did not know I could use it until I read your article. This was so helpful. God bless you!
May 17, 2013 at 12:24 am, Cynthia said:
Thanks so much!!! You really helped me a great deal. I tried safe mode but it took me directly in instead of a prompt. I already had a back door account thank goodness and was able to use it and do a scan. Even a quick scan worked. I was able to go back and get into my original account finally. Thanks again you smart person you!!!
May 17, 2013 at 6:52 pm, cristo said:
this method no longer works. i have windows 7 and it would not go into safe mode with command prompt.
i took a rescue disk and restarted, f8, repair, chose system restore option and picked the last restore date.
it said “an unspecified error occured during system restore. (0x8000ffff)”
even if i somehow get back onto my computer, i’ll still reformat it.
i’m having a hard time believing we don’t know where this virus comes from and where the payments go.
wouldn’t it just be easier to take out the hackers with a few 50 cent bullets from a few hundred yards than for them to subject the world to this crap? all we need to know is who and where they are
May 17, 2013 at 7:17 pm, cristo said:
after the botched restore with error using the disk, i was then able to access safe mode with command prompt and carry out the rest. when i logged on, i got a message that restore was successful and my documents were not affected. my wallpaper is different and desktop icons from the other account are different under the other admin account and i forgot whether that was normal. when i log back in under the other account i’ll see. you just need to update this article to reflect that safe mode with command prompt no longer is possible with the newest version of the virus.
May 18, 2013 at 5:10 pm, mark said:
I have managed to get rid of the malware by doing as you said and setting up a new user, but I still can’t log in using my usual login, it’s just a black screen with the prompt c:\windows\system32)
Can you help?
May 23, 2013 at 1:48 pm, I said:
I got the virus yesterday. Somehow pressing F8, F10 or F12 wouldn’t get me anywhere but the Windows Boot Manager giving me a choice of Windows 7 (I have Windows XP) or Diagnostics. Selecting Windows 7 starts XP and doesn’t go anywhere. I’ve tried everything including Ctl Alt Del as well as hard powering off while XP is starting. I have the XP disk… should I try rebooting from it? Then what? Please help as I need my computer badly and Microsoft Support charges money I don’t have.
May 29, 2013 at 9:38 am, Aaron St. Clair said:
What is your computer model number? I would need to look up your motherboard to determine what your Function key would be.
May 29, 2013 at 9:37 am, Aaron St. Clair said:
It sounds like you’re still booting into safe mode. Make sure you do a normal boot.
May 19, 2013 at 4:37 pm, Ronald Norman said:
I have tried what you said to do and I was able to get into the control panel and change the user. Every time I go into safe mode I still can not get into the new user I created. I tried it in safe mode and safe mode with networking, same thing.
I have the FBI Ransom Virus and am running Windows 7. I know only some of the command lines and only did one or two patch files years ago. Could you please get me some better options?
I am not sure when you wrote this article but today is May 19, 2013 and I need some help.
Thanks
Ronald Norman
May 29, 2013 at 9:40 am, Aaron St. Clair said:
So you have already created a new user in Safe Mode? Once you have created the new user, you are done with safe mode. You should do a normal boot and then select the newly created user once you’re presented with the User screen at startup.
May 20, 2013 at 7:03 pm, vinnie prado said:
Dude, that was awesome. The only problem I found was that after I did all that you said, every time I logged in I would see the command prompt and no desktop at all. So, logged in with my temp. account, I deleted the user profile of my real account and I was golden. Thanks a lot!
May 21, 2013 at 3:36 am, Jeb said:
My windows 7 laptop will not start up even in safe mode with command prompt, it still just shuts down. I don’t know all this technical talk, how do I remove the virus?
May 29, 2013 at 9:41 am, Aaron St. Clair said:
Try using the Hiren’s BootCD method that’s been added to the article.
May 22, 2013 at 12:47 pm, Jerry W said:
It might be good to note to use “shutdown/r” for a safe shutdown from cmd. Also, as a side note, this virus is stored in your temp files, so you can delete all the temp files to remove the virus (and check the startup to disable or remove unwanted items that are related to this program). You can do all this from the cmd or along the same way as shown above. I use a free program called CCleaner and keep it loaded on all my computers. It was how I removed the virus. It is also good to check under the uninstall programs for any programs installed during the time your computer got the virus.
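The places this thread keeps pointing to (temp and Application Data files, startup items, and the program that runs as the shell at logon) can be listed from the clean administrator account before anything is deleted. The PowerShell below is an added example, not part of the original comments: the function name `Get-AutostartAudit`, the mount name `MoneyPakAudit` and the 30-day window are assumptions, and the Winlogon `Shell` check comes from how Windows chooses the logon shell, not from anything the thread states.

```powershell
# Added example: read-only audit. It lists entries and deletes or changes nothing.
# Run it from an elevated PowerShell prompt in the clean administrator account
# while the infected account is logged off, so that its registry hive is not in use.
function Get-AutostartAudit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ProfilePath,   # profile folder of the infected account
        [int]$Days = 30         # assumption: how far back "recent" reaches
    )

    function New-Finding($Source, $Item, $Detail) {
        New-Object PSObject -Property @{ Source = $Source; Item = $Item; Detail = $Detail }
    }

    # Emits one finding per value stored under a registry key.
    function Get-KeyValues($Path, $Label) {
        if (-not (Test-Path $Path)) { return }
        $key = Get-Item $Path
        foreach ($name in $key.GetValueNames()) {
            New-Finding $Label $name ($key.GetValue($name))
        }
        $key.Close()
    }

    # 1. The infected account's own autostart entries live in its NTUSER.DAT,
    #    which is not HKCU of the account you are logged in with, so mount it.
    $mount = 'HKU\MoneyPakAudit'                    # temporary, arbitrary name
    $root  = 'Registry::HKEY_USERS\MoneyPakAudit'
    & reg.exe load $mount (Join-Path $ProfilePath 'NTUSER.DAT') | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw 'reg load failed: is the prompt elevated and the account logged off?'
    }
    try {
        Get-KeyValues "$root\Software\Microsoft\Windows\CurrentVersion\Run"     'User Run'
        Get-KeyValues "$root\Software\Microsoft\Windows\CurrentVersion\RunOnce" 'User RunOnce'
        # A per-user Shell value replaces explorer.exe for that account only;
        # it does not exist on a default installation.
        $path = "$root\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        if (Test-Path $path) {
            $key = Get-Item $path
            $shell = $key.GetValue('Shell')
            if ($shell) { New-Finding 'User Winlogon' 'Shell' $shell }
            $key.Close()
        }
    }
    finally {
        # Release registry handles, otherwise the unload is refused.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload $mount | Out-Null
    }

    # 2. Machine-wide equivalents.
    Get-KeyValues 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'Machine Run'
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($winlogon.Shell -ne 'explorer.exe') {
        New-Finding 'Machine Winlogon' 'Shell' $winlogon.Shell
    }

    # 3. Startup folder of the infected account (Vista and later, then XP layout).
    $startupDirs = @(
        'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
        'Start Menu\Programs\Startup'
    )
    foreach ($rel in $startupDirs) {
        $dir = Join-Path $ProfilePath $rel
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object { New-Finding 'Startup folder' $_.Name $_.FullName }
    }

    # 4. Recently written executables and scripts in temp / application-data folders.
    $cutoff = (Get-Date).AddDays(-$Days)
    $ext    = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js'
    $dirs   = @(
        (Join-Path $ProfilePath 'AppData\Local\Temp')     # Vista and later
        (Join-Path $ProfilePath 'AppData\Roaming')
        (Join-Path $ProfilePath 'Local Settings\Temp')    # XP
        (Join-Path $ProfilePath 'Application Data')
    )
    if ($env:ProgramData) { $dirs += $env:ProgramData }
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $ext -contains $_.Extension -and
                           $_.LastWriteTime -gt $cutoff } |
            ForEach-Object { New-Finding 'Recent executable' $_.FullName $_.LastWriteTime }
    }
}

# Usage (replace the placeholder with the infected account's folder name):
# Get-AutostartAudit -ProfilePath 'C:\Users\<infected account>' | Format-List Source, Item, Detail
```

Anything it lists is a candidate for review, not proof of infection: legitimate programs also register Run entries and keep executables under Application Data.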
May 22, 2013 at 5:19 pm, TinaJ said:
Thank YOU!!! Your time and help is much appreciated by me and my family!!! God Bless!!
May 23, 2013 at 12:29 am, Marvin said:
Thanks, this worked great! Malwarebytes did not find the Trojan but AVG did and seems to have removed it; however explorer.exe still does not run on my usual account (no “FBI” screen though) so I have to run it manually
any suggestions to fix this?
May 29, 2013 at 9:44 am, Aaron St. Clair said:
You can simply add explorer.exe to your Startup programs: http://www.sevenforums.com/tutorials/1401-startup-programs-change.html
May 23, 2013 at 2:13 pm, shamuboo said:
In the below list I am not seeing any responses as to how to proceed when all safe modes are locked out. Each one is just restarting my computer each time. I only have 1 user account as well. Is there anything I can do to fix that?
May 29, 2013 at 9:45 am, Aaron St. Clair said:
The Hiren’s BootCD method should do the trick for you.
May 23, 2013 at 6:53 pm, Charlie Brasher said:
This worked for me:
1. Boot in safe mode with command prompt
2. Navigate to windows/system32
3. Type control.exe to open control panel
4. Insert flash drive, with the latest Malwarebytes
5. Install and do a full scan.
Thank you very much for all your help!!
May 31, 2013 at 8:14 am, Roger said:
I have done this, ran MWBytes, and my pc shuts down? Any thoughts? Thanks
May 24, 2013 at 9:06 pm, Lance said:
Thanks very much, Aaron. Your solution to ridding my computer of the FBI MoneyPack virus did the trick. This was after trying several other methods that failed. Thanks again!
May 26, 2013 at 7:51 pm, Steve EZ said:
One of the computers in my house got this virus somehow, and despite many other forum/website advice to kill the virus, this article was the only one that was proved effective at my knowledge of computers (which is above the average person, but still limited). I recommend following these instructions if this “FBI” virus happens to you.
Thanks to the author(s)
May 27, 2013 at 5:56 am, Vpb12345 said:
Thank you so much, I got worried after it scanned for 5 hours, but it finally ended and I’m virus-free
May 29, 2013 at 9:46 am, Aaron St. Clair said:
Heh, I’ve had MBAM scan for 12 hours 43 minutes on a customer’s computer. Granted, I scanned 3 drives, but programs such as AutoCAD or SolidWorks have bookoos of files to scan through.
May 27, 2013 at 7:45 pm, Bob said:
Hi Aaron, thanks for the help in getting around the ‘reboot’ in safe mode and normal mode. Curing this problem enabled me to get to safe mode and then I used the ‘old standby’, the ‘Emsisoft Emergency Kit’, to do the scanning and removing. After that I loaded Malwarebytes Anti-Malware and did another scan just to be sure the problem was gone and CURED. Thanks for the help.
May 28, 2013 at 9:52 am, christina said:
I have this awful police virus. My computer will not let me do anything. I can’t get into any mode and it will not allow me to type. It just goes to the welcome screen and then shuts itself down. Not a computer genius at all, but if I have some simple instructions I may be able to sort it out. I have a normal desktop computer, that’s OK, but not sure how to make discs etc. Hope you can help? Many thanks, Christina
May 29, 2013 at 2:32 pm, Manpreet Singh said:
Hi Christina. First thing to do, if it’s Windows 7 or Windows Vista, is manually turn off the computer 2-3 times. After that, when you turn on the computer it will automatically give you the option of Startup Repair. Select that option and see if that works or not; if it does not work, then in Startup Repair there is an option of System Restore. Select that option and restore the computer back to an earlier date and see if that works or not. If it works do let me know, otherwise I can provide you multiple options.
May 29, 2013 at 4:20 pm, Aaron St. Clair said:
System Restore will not remove temporary files, as they are not system files. This virus hides within these files so that System Restore can only hide the virus and not remove the malicious files. After performing a System Restore, you will still have to scan to remove the virus.
May 29, 2013 at 2:26 pm, Manpreet Singh said:
The best thing to do is start the computer by tapping F8 and select safe mode with command prompt if you are not able to go to normal safe mode or safe mode with networking. Once the computer is started in safe mode with command prompt, type the command rstrui.exe; by typing this command, System Restore will open up. Restore the system back to an earlier date when the FBI virus was not coming up. Once the System Restore is completed, download and install REMOVED DUE TO SPAM it will completely remove the virus.
May 29, 2013 at 4:18 pm, Aaron St. Clair said:
Do NOT download “Spy Hunter”. Spy Hunter by Enigma Software offers a free *scan* (no fix) with exaggerated results to scare the user into buying it. There are several better FREE programs which remove the *real* infections which they find for free. Hence the use of Malwarebytes’ Anti-Malware.
Not only that, but if you buy SpyHunter from any link posted in an answer here, the poster will get paid a commission from Enigma for tricking users into the software.
May 31, 2013 at 8:11 am, Roger said:
So I recently got the Virus, got all the way to Step 6, loaded and ran Malwarebytes, but the PC shuts down after 3-5 minutes? Any thoughts?
May 31, 2013 at 8:16 am, Aaron St. Clair said:
Is this a laptop or a desktop? Does it go through the entire “Windows is Shutting Down, Please Wait” process or does it just go black and die? Are you running MBAM in Safe Mode or regular mode? Try having MBAM do a quick scan.
May 31, 2013 at 9:04 am, Roger said:
Aaron, thank you. It is an HP laptop w/ Windows 7 Home. The screen goes black and does not restart. I created another user id via safe mode with command prompt, restarted into safe mode with networking, loaded up and started to run MWBytes and it goes black screen several minutes into the full scan.
May 31, 2013 at 9:43 am, Aaron St. Clair said:
Don’t boot back into safe mode in the new account; boot as you normally would, but select the new user account when prompted. If it goes directly to your regular account, quickly hit the Windows key + L. This will bring you to the login screen.
May 31, 2013 at 12:08 pm, Roger said:
I will give it a shot. To clarify, I should run the MWBytes software in the new userid in regular startup?
May 31, 2013 at 2:42 pm, Daniel N said:
Thank you for your article. Using a temp account seems to work well. One thing I would modify is to use Hitman Pro instead of a Malwarebytes full scan, although I love Malwarebytes software. Hitman Pro will get the job done much quicker. Just my 2 cents.
June 01, 2013 at 5:20 am, twiztedmannix said:
I’ve used Hitman Pro to remove it first time around; once going through the process it’ll reboot and find back all the lost files it claimed it encrypted and it’ll start up like normal. It keeps coming back; it uses Java and Internet Explorer (the white screen is a window of IE, so I disabled it). I raised up the security on Java but it kept coming back; disabled IE and so far seems quiet. It’s really annoying, imma have to set up more logins if it ever comes back. It bypasses the blocking Windows/Java does on programs (allow/deny).
June 01, 2013 at 7:47 am, Elise said:
I have to say, I love the way you’ve explained everything, really made me save my PC. THANK YOU SO MUCH!!! You’re a PC God. Keep up the good work. I love you!
June 02, 2013 at 3:01 pm, Pete Mekesa said:
Aaron, thanks!!!! Your information was spot on.
June 04, 2013 at 2:04 am, MikeB said:
THANK YOU SO MUCH!!! JUST FOR THIS HELPFUL ADVICE…I COULD GIVE YOU THE MONEY I GOT FINED! LOL THAT VIRUS HAD ME SO SCARED, SEEING THAT I DOWNLOAD MOVIES OFF THE INTERNET BC TIMES ARE TOO ROUGH TO MAKE IT TO THEATRES. THANKS AGAIN!!!
June 04, 2013 at 11:37 am, Aleksandra Ward said:
Hi. I was able to remove the virus, but every time I go online, open Firefox or Internet Explorer, it comes back. How can I fix it?
June 04, 2013 at 5:28 pm, daren said:
i got hit really hard this time with the fbi 2013 one. the only way was your way ………ps i LOVE you p
June 04, 2013 at 5:32 pm, daren said:
Could you please find a way to backfire the scam back at them? I have 2 PCs, willing to use 1 for bait. And once again, thank you so much.
June 04, 2013 at 5:34 pm, daren said:
forgot to say the create new user account worked for me
June 04, 2013 at 8:31 pm, Mike B said:
Thanks, Aaron! I’m not a computer dummy, but sometimes, this electronic monster gets the best of me. I reviewed a number of sites and solutions, but yours made the most sense. Malwarebytes has fixed problems before for me, but this is the first time that I’ve been totally locked out by a virus. I’m scanning now and will let it run through the night if necessary. Just wanted you to know that I appreciate you taking the time to help the ‘little guy’. Keep up the good work!!
June 05, 2013 at 7:18 pm, Mike said:
Thank you, Aaron. You da man!
June 09, 2013 at 3:03 pm, R. Tyrone said:
Thanks Aaron, worked like a charm. Took 2hrs running XP pro. But…got er done!
June 09, 2013 at 8:13 pm, Matt said:
I went to safe mode command prompt and it loaded the Windows files and says please wait… it’s been there for 30 minutes… is it supposed to take that long?
June 10, 2013 at 9:24 am, Izaha said:
You truly helped me out the most. I didn’t know what to do when I didn’t have another user account to log into. You’re a life saver and a real Technomancer. lol. Thank you, so much.
June 10, 2013 at 2:48 pm, Tammy said:
You are AWESOME!! I followed your instructions to the word and this worked perfectly. Thank you so much!!
June 12, 2013 at 12:23 pm, Jose Martins said:
I got a similar virus and followed these instructions – the best I found!
strange problem: Malwarebytes says “no malware found” after the deep scan!
any clues?
June 12, 2013 at 12:59 pm, Aaron St. Clair said:
What is the virus that you have? Are you sure you created an administrator account? You can use archive scan to just scan the user folder of your regular account located at C:\Users
June 13, 2013 at 4:13 am, Jose Martins said:
My virus is a Portuguese version of FBI named “PSP”. I had the problems described by you and could only login in safe mode with command prompt. The virus would otherwise shut down the PC after login.
I created a new administrator account, loaded Malwarebytes, updated and ran it – no restart was requested…
I was surprised to see a zero malware count after a deep scan, but that’s what I got!
I restarted and open the normal account: no problem!
Downloaded Malwarebytes and ran it again: zero malware!
could the virus somehow “hide and duck” in the presence of Malwarebytes?!?!?
June 13, 2013 at 4:24 am, Jose Martins said:
Correction: in the normal account I didn’t download Malwarebytes, it was already available.
June 13, 2013 at 8:32 am, Aaron St. Clair said:
Hmm, that’s odd. Download and run CCleaner on your regular account. CCleaner should remove the virus as well since it hides within Application Data as a temporary file. This is just a safety precaution to ensure the virus is actually removed and not hiding.
June 13, 2013 at 9:10 am, Jose Martins said:
More details: I also performed on the new account, after running Malwarebytes, an on-line scan using housecall.trendmicro.com: it found some adware that I chose to eliminate, but nothing else…
June 13, 2013 at 9:43 am, Jose Martins said:
I used CCleaner: very nice software! It cleaned 936MB of temporary files spread around the PC. I also cleaned some startup files like Skype and then the empty space. There is a file in the “Schedule tasks” using the brand name of Microsoft with a long name with numbers and letters (looks like a software password): this is the strangest thing. I read somewhere about these viruses using these long names with numbers and letters… Shall I kill it?
June 12, 2013 at 2:09 pm, Kingpablo said:
I am just finishing up battling a Windows 7 64 machine right now that has this no safe mode variant at all. Command prompt was even rebooting. I thought for sure I’d have to pull the drive.
Watching it reboot a few times, I saw the shutdown screen for just a fraction of a second and saw a lag in the timing.
I was able to get safe mode to “Stick” by hitting CTRL+ALT+Delete immediately after entering the password. I just hit it like a fiend once I hit enter. After a few tries, I nailed it. It finally hung the system.
Once I had that I was able to pop open task manager. Once in Task Manager, I was able to open a command prompt. I then was able to install Malwarebytes from a USB stick.
I would guess that the new user method works great.
June 12, 2013 at 4:47 pm, Jennifer said:
Thanks so much !!!! Worked perfect. You are a rock star!!
June 13, 2013 at 12:43 pm, Scott Silva said:
You should never recommend using illegal software on a public website… Hiren’s is full of software that is supposed to be paid for… There are many Linux based boot CD’s that are free and legal.
June 14, 2013 at 7:46 am, Ali Najem said:
Hi,
I had my office computer infected by CTFMON.exe, and a friend of mine told me to remove the hard disk and plug it into a computer with Malwarebytes Pro, scan it, and it will remove it!
I have McAfee on my computer. Should I remove it and install Malwarebytes Pro, or will it not conflict?
Sure the Malwarebytes Pro. will remove the CTFMON.exe..
Please I need your help..
Regards,
June 14, 2013 at 4:57 pm, Aaron St. Clair said:
Malwarebytes is not an antivirus suite, simply a removal tool. The Pro version is comparable to an AV but it’s still not the same. That said, there’s no need to remove McAfee. Also, the only time you may have to pull out the hard drive is if you can’t get this tutorial to work with safe mode.
June 14, 2013 at 11:08 am, manpreet singh said:
If you can go in safe mode with command prompt, try System Restore by rstrui.exe instead of a new a/c, and then restart; the computer will be in your a/c. Then use the Emsisoft Emergency Kit free software.
June 16, 2013 at 12:34 pm, Valerie said:
Thank you!!!! I tried so many other ways and until i found yours it helped. Thank you times a million!!!!!
June 16, 2013 at 2:39 pm, joe said:
The problem I keep running into is my computer will not connect to the internet after all steps so I cannot update malwarebytes. Any suggestion?
June 16, 2013 at 6:38 pm, mp said:
Thank you!!!!
June 16, 2013 at 6:39 pm, Paula Andrese said:
Thank you! Yours was the ONLY page that provided the info needed to download the fix.
Brilliant.
June 16, 2013 at 6:40 pm, Mary said:
THANK YOU…Thank you. I have tried every site out there to fix the FBI malware but nothing worked….UNTIL
I found tech-recipes and followed your directions. It worked beautifully
June 17, 2013 at 7:44 pm, Michelle said:
Thank you sooooooooooooooo much!! You helped me be a hero for my Dad whose computer was recently seized by the FBI MoneyPak Virus……I really appreciate it!! You’re the BEST!!
June 17, 2013 at 10:24 pm, Samantha Lee said:
RE: ICE Virus. I followed all of the instructions, except I have one problem. Windows is loading the cmd.exe prompt box, I have to type explorer.exe to run my xp. Can you help?
Sam
June 18, 2013 at 2:13 am, santosh said:
My computer is shutting down in every type of safe mode. Is there another way of removing the virus?
June 18, 2013 at 7:54 pm, Ken King said:
This worked great for me