Ok so I recently encountered the FBI Moneypak Virus/Malware.
FBI Moneypak Virus/ Malware is defined as a ransomware.
Is FBI Moneypak fine legit? No! It’s a scam and you shouldn’t pay anything!
Removing this Virus/Malware from your computer.
This should be fairly easy in most cases, to remove the Virus/Malware follow along with the short tutorial below. To get started here is a screen shoot of what it may look like, although it may be slightly different in each case.
To begin the removal of this bogus Virus/Malware scam from your computer, begin by restarting you computer and starting windows in safe mode by repeatedly pressing the F8 key during your computers startup, before the windows logo appears.
You will want to select the “Safe Mode” option and if you need internet to refer back to this article during the removal process, then select the “Safe Mode with Networking” option.
After your computer starts and windows is loaded, log in to your account as normal. After logging you will want to start task manager by dooing one of the following:
Pressing ctrl+alt+delete at the same time and selecting the “Start Task Manager”
Click start button and typing “task manager” in the search fileld and pressing return/enter
You will want to right click on that process and select the “End Process” option from the drop down menu. Close the task manager.
Removing the actual FBI Moneypak Virus/ Malware Files
Now you will need to click on the start button and in the search filed type the following ” %appdata% ” (with out quotes) and press return/enter.
You should now have Windows Explorer open and be in a directory
” C:\Users\USER NAME\AppData\Roaming ”
You will want to navigate to:
C:\Users\USER NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
In this directory you may notice several files, depending if you have several applications/programs that start when your computer does, you will want to look for a file named “runctf” or “runctf.lnk” and delete it.
This is the file that starts the stupid FBI Moneypak Virus/Malware thing when your computer starts. This is one of the reasons why we started in safe mode, to disable all the start up programs.
The next file is located at C:\ProgramData\ and this file may have a funny and long name, on my machine it was labeled dsgsdgdsgdsgw.pad and another with the same name only with a *.js file extension like so, dsgsdgdsgdsgw.js. You will want to remove them both.
The next file for the FBI Moneypak Virus/Malware is located in C:\User\User Name\ and is\was labeled “wgsdgsdgdsgsd.dll”. Remove this file as well.
If everything went smoothly you can now restart your computer and if all went well your computer should start with out the annoying FBI Virus/Malware message.
Conclusion / Final Thought
I have also noticed others claiming the need to go into the registry to remove key from the registry, I never noticed any entry’s that needed to be removed but in case you want to look for your self here they are.
HKCU-Software-Microsoft-Windows-CurrentVersion-Run-Inspector AppData-.exe Software-CurrentVersion-Internet Settings-Warn0 HKCU-Software-ID 4
HKLM-SOFTWARE-Microsoft-Windows-CurrentVersion-policies-system-ConsentPromptBehaviorAdmin 0 HKLM-SOFTWARE-svchost.exe
HKLM-SOFTWARE-Microsoft-Windows NT-CurrentVersion-Image File Execution Options-AVCare.exe HKLM-SOFTWARE-Microsoft-Windows NT-CurrentVersion-svchost.exe
HKLM-SOFTWARE-Microsoft-Windows NT-CurrentVersion-Image File Execution Options-AVENGINE.EXE
HKLM-SOFTWARE-Microsoft-Windows NT-CurrentVersion-Image File Execution Optionsr svchost.exe