FBI MoneyPak

In just the last few weeks I’ve serviced client computers in the Joliet, Naperville, and Plainfield areas all that encountered the same infection.  The FBI MoneyPak scam can infect, hijack, and lock you out of your system.  If you have a webcam it will hijack that as well.  It’s scareware/ransomware that warns you that the FBI has found out about illegal computer activity from your computer, presents you with a picture of yourself at the screen, and makes a demand for payment of a fine via money cards that can be purchased at local retail stores.

FBI Moneypak

This threat comes in a few variants.  The image above is only one example.  Like most infections, this starts in your temporary files and once active, creates registry entries that will replicate and are persistent.  Effective malware will attempt to disable or cripple your existing security.

Remember to practice good browsing habits by incorporating a browser security toolbar that identifies and returns safe search results and eliminates known bad ones.  Familiarize yourself with your existing security software by occasionally opening the program, reviewing the status of last update and scan dates, and manually checking for updates and performing “Full” scans regardless of built in automation.

Most people have good intentions but still experience some level of intimidation with the programs on their computers.  Thus, when prompted to update, they may fear clicking anything will cause problems.  It’s good to be cautious, but know your programs and update those that are legitimate.  Program updates are necessary to patch identified flaws that make them susceptible to infections.

Java, Adobe Flash Player, Adobe Acrobat Reader, Adobe Shockwave, Apple Quicktime, Apple iTunes, Microsoft/Windows/Office Updates, and of course whatever security software you are running may update on their own but inevitably at some point will alert you to the need for an update that requires your interaction.  These are common programs that are exploited when not kept updated with patches.

Scareware and rogue/fake anti-virus alerts often pop up in the form of an official looking window in the middle of the screen and may even utilize a familiar logo.  The number of variations of official looking alerts is overwhelming.  When presented with such an alert STOP!  Read what is in front of you carefully without clicking on anything!  Don’t be fooled by a logo alone.  A legitimate program that exists on your system will have a name in the title bar identifying itself and it will be a program window not a browser window.

Often, there are clues that this is not real.  In the title bar above above the warning, a legitimate program would identify itself not read “Windows Internet Explorer” as in the image below.  When did Internet Explorer become a security program?  If you read the text of the alert, you may find some spelling and grammatical errors.  If you think about what you read (depending upon what your pop-up says), you should question how this supposed security program already knows how many infections you have on your system but is requesting that you perform a scan or that a program that doesn’t exist on your computer is reporting you have issues then asks if you want to download and scan with it.  Use good logic when looking at one of these alerts.

The best action is first to remain calm, breathe, and read.  Don’t click on any part of the alert.  The entire thing is a booby-trap!  It doesn’t matter if you click the “x,” choose “OK,” or “Cancel.”  No matter what you do you will open the door for further infection.  Instead, call up the Windows Task Manager by holding down the control and alt keys and clicking only once on the delete key (CTRL+ALT+DEL).  Once open, you will see in the task manager that the alert you are looking at is most likely actually a browser window (probably a blue “e” indicating Internet Explorer).  Simply highlight it and choose “end task.”

Once it’s closed, update and scan with your security software, then delete all temp files using something like CCleaner by Piriform.  Do not shut down or restart the computer until you have first performed these steps.  If you want to verify that the system is clean, you can restart into safe mode and do a supplemental scan before restarting into Windows normally.

If you are dealing with the FBI Moneypak and want to attempt resolving the issue yourself, look at this page by Botcrawl.

If you’re using Microsoft Security Essentials, I have found it ineffective in removing this infection.  However, below is a list of several free programs I recommend users should have on their system.  As always, making sure your security is routinely updated and the settings tweaked to the highest level of threat detection is they key.  Some of these, like Avira and Kaspersky also provide downloadable ISO images that can be burned to disk so scans can be performed from the disk outside of windows.

I do not recommend any registry cleaning/tweaking software as accidental removals within the registry can cause significant damage to a system.  For advanced users, two great programs that are highly effective at crippling, removing, or identifying infections within the registry are Revo Uninstaller and Hijackthis (2.0.4 is the current version).

First rule of computing… Backup Backup Backup!  Before doing any work within the registry, you should always create a backup (export) in case you make a mistake and have to revert back.

Revo is excellent for identifying ocassional programs that are not listed in the Windows Program list.  Some infections legitimize themselves by placing their uninstaller in that list.  However, running the uninstaller only removes it from the list and leaves the infection in the system.  So rather than running the Windows uninstaller on a malware program like Cool Web Search (CWS), My Web Search, Fun Web Products, start by using Revo which will allow you to do a more in depth removal that identifies related registry keys and removes them.  Again, you don’t want to remove valid registry keys.

Similarly, when HijackThis is run, the resulting text file should be uploaded or copy and pasted to the HijackThis website for examination of the resulting keys.  This helps identify which keys are likely bad that can be deleted.

If you really want to avoid infections and run a clean fast system, have a rescue disk that will allow you to manually access and remove stubborn temp files from your windows system, or be able to get online in a pinch when your hard drive has failed or infection has taken over, download a version of Linux Ubuntu.  You can burn the ISO to a CD/DVD or even a USB thumb drive and start your computer from either the disk or USB and operate without Windows or even install it inside of Windows for a dual boot system!  It’s a free and valuable tool not to mention a hearty safe operating system.

None of the information provided on this website is intended to be “how-to” directions for removal of infections.  Users are solely responsible for actions they take with their computers.


Comments are closed.