Remove FBI Moneypak virus - Here's how
The FBI Moneypak virus is one of the particularly malicious variants of ransomware. Virus removal is not easy. We'll show you what you can do if your PC is infected with the ransomware.
Remove FBI Moneypak virus using Bitdefender
To remove the FBI Moneypak virus using a virus scanner like Bitdefender, you need to run the program in safe mode:
- Download Bitdefender on another computer and copy the program to a USB stick or burn it to a CD.
- Start the infected PC in safe mode and access the USB stick / CD from there.
- Now run a full virus scan. Then use the virus scanner to remove the FBI Moneypak virus. The latest variants are also called "FBI Green Dot Moneypak Virus" or "FBI Virus Black Screen.
Manually remove FBI Moneypak virus
- After deleting the virus via Bitdefender, you also have to remove various entries.
- To do this, start the registry with the "regedit" command in the command prompt ("Windows button").
In the registry, delete the values in the following paths (note: do not delete the paths or the keys, but only the values):
- HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run \ [random] .exe
- HKEY_LOCAL_MACHINE \ SOFTWARE \ FBI Moneypak Virus
- HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System 'DisableRegistryTools' = 0
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ policies \ system 'EnableLUA' = 0
- HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Internet Settings 'WarnOnHTTPSToHTTPRedirect' = 0
- HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System 'DisableRegedit' = 0
- HKEY_CURRENT_USER \ Software \ FBI Moneypak Virus
- HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run 'Inspector'
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Uninstall \ FBI Moneypak Virus
- HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System 'DisableTaskMgr' = 0
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ protector.exe
- HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run \ Inspector% AppData% \ Protector- [rnd] .exe
- HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Internet Settings \ WarnOnHTTPSToHTTPRedirect 0
- HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Settings \ ID 4
- HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Settings \ UID [rnd]
- HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Settings \ net [date of installation]
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ policies \ system \ ConsentPromptBehaviorAdmin 0
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ policies \ system \ ConsentPromptBehaviorUser 0
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ policies \ system \ EnableLUA 0
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ AAWTray.exe
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ AAWTray.exe \ Debugger svchost.exe
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ AVCare.exe
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ AVCare.exe \ Debugger svchost.exe
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ AVENGINE.EXE
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ AVENGINE.EXE \ Debugger svchost.exe
- HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System “DisableRegistryTools” = 0
- HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System “DisableTaskMgr” = 0
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ policies \ system “ConsentPromptBehaviorAdmin” = 0
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ policies \ system “ConsentPromptBehaviorUser” = 0
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ policies \ system “EnableLUA” = 0
Leave the registry and start the Explorer. Find and delete all of the following files (note: delete only the specified EXE, DLL and LNK files):
- % Program Files% \ FBI Moneypak Virus
- % AppData% \ Protector- [rnd] .exe
- % AppData% \ Inspectors [rnd] .exe
- % AppData% \ vsdsrv32.exe
- % AppData% \ result.db
- % AppData% \ jork_0_typ_col.exe
- % AppData% \ [random] .exe
- % Windows% \ system32 \ [random] .exe
- % Documents and Settings% \ [UserName] \ Application Data \ [random] .exe
- % Documents and Settings% \ [UserName] \ Desktop \ [random] .lnk
- % Documents and Settings% \ All Users \ Application Data \ FBI Moneypak Virus
- % CommonStartMenu% \ Programs \ FBI Moneypak Virus.lnk
- % Temp% \ 0_0u_l.exe
- % Temp% \ [random] .exe
- % Startup Folder% \ wpbt0.dll
- % Startup Folder% \ ctfmon.lnk
- % Startup Folder% \ ch810.exe
- % UserProfile% \ Desktop \ FBI Moneypak Virus.lnk
- warning.txt
- V.class
- cconf.txt.enc
- tpl_0_c.exe
Then restart the PC. The FBI Moneypak virus should now be completely removed.
In order to better protect the PC in the future, you should rely on good, current virus protection software. Stiftung Warentest checked the best programs and we summarize the results.