Q. I am getting an FBI notice on my screen saying I have to pay?

This is a bogus FBI (or other organization) “ransomware” scam, which tries to scare you into paying a “fine” because you have allegedly done something illegal on your computer. If you don’t pay, the virus locks your machine so you can’t get on the Internet. The payment portal screen is called MoneyPak, so the malware has commonly been named MoneyPak; it is also called Citadel or Reveton.

If you have sent any money to an online scam, contact your bank or credit card company immediately, and then contact your local police.

First thing: do not click on the screen or follow any of the links. Shut the computer down. The following instructions assume your machine is running Windows; Mac OS X is not susceptible to the virus, although you may see the popup browser ‘warning’.

Option 1) You can enter System Restore and roll your machine back to a Restore Point before the infection.

  • Restart the computer.
  • During the startup, before the Windows screen starts loading, start tapping the F8 key until “Advanced Boot Options” appears.
  • Use the arrow keys to select “Repair your computer”.
  • Choose your language, and click Next.
  • Select the Windows that you want to repair, and then click Next.
  • Select your user account and click Next.

In the Options menu, select “System Restore” and choose a restore point date before the infection.  System Restore will roll back the software installs done after that date, but it will not change any of your data.  Also it will not remove viruses; this is only to get your machine operational again.

Restart the machine in Safe mode (F8) and then proceed with running antivirus software as below in Option 2.

Option 2) The virus is preventing you from going on the Internet, so you will need to download some cleaning tools on another, clean machine that has access, and put the tools onto a USB memory stick or burn them to a CD.

First download the latest versions of the following tools on another, clean machine and burn them to CD or copy them to a USB memory stick: FixExec, RKill, CCleaner, Malwarebytes, Avast, and Minitoolbox (the tools used in the steps below).

Now restart the machine in Safe Mode (shut it down, start it up, hit the F8 function key as the machine boots up and before the Windows screen comes on, and choose Safe Mode from the list).

Copy the tools from your USB stick to your desktop. Before running them, rename the Malwarebytes installer to mblah.scr so the malware does not recognize and block it.

Follow these steps in order:

Turn off System Restore on your machine, but only until you get this fixed. The virus gets copied into the System Restore files, which antivirus programs aren’t allowed to touch, and the virus could reinstall itself from there. Turning off System Restore allows the antivirus tool to access the saved Restore files.
My Computer > Properties > System Restore.

The malware actively blocks programs and tools, so before you can start cleaning, you need to get the malware entries out of the registry, and stop the malware’s current processes from running.

Double-click FixExec to run it and clean the registry.

Now double-click the RKill file (whatever name you downloaded it as) to run it. Wait for it to finish; it could take a while. If the malware throws a warning on the screen and blocks RKill, leave the warning up on the screen and run RKill again.

Do not reboot your computer. If you reboot, it will just load the malware in again.

Now run CCleaner to clean out cache files (it’ll make scanning faster because it will save you from having to scan temporary files). If the virus blocks CCleaner from running, skip it and proceed to the next step.

Now run Malwarebytes (mblah), and clean everything it says.

Now install and run Avast AV, tell Avast to do a boot-scan (click on “schedule boot-scan”), and restart the computer.

Let it start and do the Avast AV boot scan.

Do a final Malwarebytes scan in normal boot and make sure it is clean.

If you have odd problems with your web browser or Internet behaviour, there may still be some bad entries in the Internet settings. Run Minitoolbox to clear those out.

Then turn System Restore back on.

Now install the antivirus program of your choice to do continuous scanning, and make sure you keep it up to date. If you have your own antivirus, uninstall Avast now.
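The registry step above (getting the malware’s entries out before the cleaners will run) is what FixExec does for you. As an added example, not from the original post, the following PowerShell script lists the usual Windows autostart registry entries and flags any that launch something from a user-writable folder, so you can check that nothing was left behind. The folder heuristic is an assumption, not a list of what this particular malware uses.

```powershell
# Added example (not from the original post): report Windows autostart registry
# entries and flag ones launching from user-writable folders (Temp, AppData,
# Downloads), where this kind of scam malware is typically dropped.
# It only reports; remove entries yourself after checking them.
# Run from an elevated PowerShell prompt, ideally in Safe Mode.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell and Userinit values
)

# Heuristic (assumption): legitimate autostart programs rarely live in these folders.
$suspiciousDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads") |
    ForEach-Object { $_.ToLower() }

function Test-SuspiciousAutostart {
    param([string]$Name, [string]$Value)
    $v = [Environment]::ExpandEnvironmentVariables($Value).ToLower()
    # Winlogon's Shell value should be plain explorer.exe; anything else is suspect.
    if ($Name -eq 'Shell' -and $v.Trim() -ne 'explorer.exe') { return $true }
    foreach ($dir in $suspiciousDirs) {
        if ($dir -and $v.Contains($dir)) { return $true }
    }
    return $false
}

$report = foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own PSPath etc.
        if ($key -like '*Winlogon' -and $p.Name -notin @('Shell', 'Userinit')) { continue }
        [PSCustomObject]@{
            Key        = $key
            Name       = $p.Name
            Value      = [string]$p.Value
            Suspicious = Test-SuspiciousAutostart -Name $p.Name -Value ([string]$p.Value)
        }
    }
}

# Flagged entries are listed first; the Value column shows exactly what would be launched.
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

An entry flagged here is a lead, not proof; look at the file it points to before deleting anything, and do the Malwarebytes scans regardless.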

Option 3) You can boot from a bootable antivirus CD and do the repairs from there.
Below are three reputable bootable antivirus CDs.

Kaspersky Rescue Disk – Creating and using Kaspersky Rescue Disk
Avira AntiVir Rescue System – Creating and using Avira Rescue CD
Dr.Web LiveCD – Creating and using Dr.Web Live CD

  • Download the ISO (disk image) file to a different, clean machine
  • Burn the antivirus ISO file onto a CD using CD burning software.
  • Insert the CD into the infected computer’s CD-ROM drive.
  • Restart the machine and enter the computer’s BIOS, set it to boot from the CD, and reboot the computer. See Booting from a CD for instructions.
  • Scan for and remove the malware using the software on the CD.

Once you have got the machine operational, go back and do the Malwarebytes scans from Option 2.

Option 4) For removing scamware only, Norton Power Eraser: http://security.symantec.com/nbrt/npe.aspx
This may be faster than a thorough antivirus scan; however, there is a risk that Power Eraser could remove some legitimate software as well.

About Browser Security:

Installing an ad blocker in your web browser or turning on the browser’s anti-popup features is a first step, but it is not enough.

Many viruses that are launched from a poisoned web page or banner ad rely on Java and/or JavaScript running in your web browser to execute their instructions. If you turn off Java entirely, or remove it from your web browser, you will be safer. Turning off JavaScript, however, is more problematic, because many of the legitimate sites you visit use JavaScript for drop-down menus, calendars, form filling, etc., and the sites won’t function without scripting. My recommended solution is to use Firefox as your web browser with the NoScript add-on, which lets you choose which scripts are allowed to run and blocks all others.

Adobe Flash is also used by some malware and poisoned websites. You can use Adobe Flash Player’s privacy settings to block websites’ access to the Flash Player: www.macromedia.com/support/documentation/en/flashplayer/help/help09.html

More info on Scams

BBB Scam Source: www.bbb.org/canada/scam-source/

RCMP Scam and Fraud page: www.rcmp-grc.gc.ca/scams-fraudes/index-eng.htm

Canadian Anti-Fraud centre: www.antifraudcentre-centreantifraude.ca/english/home-eng.html

ABC Fraud quiz: www.abcfraud.ca/

Financial and investment fraud – BC Securities Commission:  www.befraudaware.ca/fraud-warning-signs?gclid=CKSr7uWFvrQCFQ_hQgodJ3IAMA
