A new virus posing as an FBI alert is freezing computers and alarming users across the country. Infected computers display a shocking pop-up that tells owners they have illegal materials on their PCs and demands a $200 fine.
How the Scam Works:
Computers infected with the FBI MoneyPak malware display a message using the FBI seal and citing several legal documents. “Your PC is blocked due to at least one of the reasons specified below,” reads the message (image below). The reasons include owning/distributing copyrighted material, pornography or malware.
To unlock the computer, the virus demands a fine (amounts vary from $100 to $300) that must be paid with MoneyPak, a way to send cash without a bank account. It threatens criminal action against those who don’t pay within three days.
The FBI calls the virus Reveton. Unlike many viruses that activate when users open a file or attachment, this one can install itself when users simply click on a compromised website.
What to Do if Your Computer is Infected:
- Do not pay any money or provide any personal information.
- Only the most computer-savvy users will be able to remove the virus without help. See Microsoft’s “Security Essentials” and select the “I think my computer is infected” option to contact a support person in your area. You can also search for computer repair shops at BBB.org.
- Be aware that even if you are able to unfreeze your computer on your own, the malware might still operate in the background.
For More Information:
See the FBI’s scams webpage for more information and updates on the scam.

That is so not advanced or difficult to get rid of. From what I’ve read it doesn’t even infect the system registry. All you have to do is reboot in safe mode and delete the link from the startup folder. That’s not risky or very hard at all.
Report this comment
My idiot friend was scammed by this virus.
Report this comment
Jacob, what do you mean by deleting the link from the start up folder?
Report this comment
To get rid of this in Windows 7 64-bit:
1) Unplug your PC from the internet. This will allow you to boot normally.
2) In Windows Explorer, go to %userprofile%\appdata\local\temp and sort by ‘Date Modified’ (in order to see this folder, you may be required to uncheck ‘Hide protected operating system files’ in Windows Explorer)
3) Find the V.class file and note the Date Modified and time. Write the date and time down as you will refer to it later. Another file will exist in the same directory with the same name (in the case I saw, the filename was roper0dun.exe).
4) Delete the V.class file using shift+delete (permanent delete).
At this time, you still probably can’t open task manager because the virus will not let you. You can attempt to delete it. If you can, great; if you receive a warning that rundll32 is using this file and it can’t be deleted, follow these steps to kill the processes at a command line:
5) Open the command line by typing ‘cmd’ in the Windows search/run box.
Note the PID or process ID associated with each rundll32 and iexplore process. When I looked there were two of each process.
6) Navigate to the C:\Windows\system32 directory (cd c:\Windows\system32)
7) Type Tasklist at the prompt
9) Kill the tasks using the taskkill command. For example, if the PID for one of the rundll32 processes is 1764, you’ll type the following at the command prompt:
taskkill /PID 1764 /F
Do this for each of the process IDs you noted in step 4.
10) Once the processes are stopped, you can delete the other file that coincided with the V.class file (with the same date modified) mentioned above. In the case I saw, the file’s name was roper0dun.exe.
11) Open Windows Explorer and search for a file called ctfmon. This is the shortcut file in your startup folder that kicks off the processes you just killed which in turn use the file you just deleted. You’ll find it in your %userprofile%/AppData/Roaming/Microsoft/Windows/Start Menu/Programs directory. If you look at the file properties, you’ll see this shortcut points to the file you just deleted. Its only purpose is to fire up the virus on startup.
12) Shift+delete this shortcut file.
13) Finally, I did a Windows Explorer search using the date modified option and pulled up all the files that were created on the same day as the virus files. I sorted by date modified and looked for the time of day common to the other virus files and found one:
nud0repor.pad
Notice the root of the filename is the virus file mentioned above (roper0dun) spelled backward. The filename may be different for you, but it will most likely correspond to the file you deleted in the steps above and be spelled backward. Shift+delete this file.
Once this file is deleted, your system is rid of the virus and again operational. A system restore is not going to get rid of this, so it’s not that easy. The four files need to be deleted.
Report this comment
Added steps:
14) Power off.
15) Plug the network cable back in.
16) Power on
17) Login
18) If the FBI message is gone and you can right click on your start bar and open the task manager, you’re back in business.
Report this comment
Note: Step 9 refers to step 4 where it should refer to step 7. Sorry!
Report this comment
Lastly, Step 8 was removed where I noticed a redundancy.
Report this comment
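A read-only PowerShell triage for the manual clean-up steps in the comments above, added here as an example and not taken from any commenter or from the BBB: it lists per-user Startup shortcuts that point into %TEMP%, files in %TEMP% modified around the same time, and processes started from there. It keys on where a shortcut points rather than on its name, since ctfmon is also the name of a legitimate Windows component. The function names and the 10-minute window are assumptions of this example, which expects PowerShell 3.0 or later.

```powershell
# Added example (read-only): nothing here deletes files or stops processes.
# Function names and the 10-minute window are assumptions of this example.

function Test-UnderFolder {
    # True when $Path resolves to a location inside $Root.
    param([string]$Path, [string]$Root)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    try {
        $full = [IO.Path]::GetFullPath($Path)
        $base = [IO.Path]::GetFullPath($Root).TrimEnd('\') + '\'
        return $full.StartsWith($base, [StringComparison]::OrdinalIgnoreCase)
    } catch { return $false }
}

function Get-SuspectStartupShortcut {
    # Startup-folder shortcuts whose target or arguments point into $TempRoot.
    param(
        [string]$StartupFolder = [Environment]::GetFolderPath('Startup'),
        [string]$TempRoot      = $env:TEMP
    )
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $StartupFolder -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk     = $shell.CreateShortcut($_.FullName)
            $lnkArgs = [Environment]::ExpandEnvironmentVariables("$($lnk.Arguments)")
            $inTemp  = (Test-UnderFolder $lnk.TargetPath $TempRoot) -or
                       ($lnkArgs.IndexOf($TempRoot, [StringComparison]::OrdinalIgnoreCase) -ge 0)
            if ($inTemp) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnkArgs
                    Modified  = $_.LastWriteTime
                }
            }
        }
}

function Get-TempFileNearTime {
    # Files under $TempRoot modified within $Minutes of $Pivot: the same
    # date-modified correlation the comment performs by hand in Explorer.
    param([datetime]$Pivot, [string]$TempRoot = $env:TEMP, [int]$Minutes = 10)
    Get-ChildItem -LiteralPath $TempRoot -File -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { [math]::Abs(($_.LastWriteTime - $Pivot).TotalMinutes) -le $Minutes } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-ProcessUsingTemp {
    # Running processes whose command line references $TempRoot (PIDs for review).
    param([string]$TempRoot = $env:TEMP)
    Get-CimInstance Win32_Process |
        Where-Object { $_.CommandLine -and
            $_.CommandLine.IndexOf($TempRoot, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
        Select-Object ProcessId, Name, CommandLine
}

# Report: suspect shortcuts, files written near each one, and live processes.
$suspects = @(Get-SuspectStartupShortcut)
$suspects | Format-List
foreach ($s in $suspects) {
    Get-TempFileNearTime -Pivot $s.Modified | Format-Table -AutoSize
}
Get-ProcessUsingTemp | Format-List
```

Review the output before removing anything; an empty shortcut list does not show the machine is clean, because other persistence locations are not inspected.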
The easiest way would be to do a system recovery from the day before the message showed up
Report this comment
I agree. Once your system restores, run your anti-whatever and it will get rid of this little annoying pest. Hope they catch whomever is responsible for this and lock them up, long time.
Report this comment
I just recently had a run-in with this virus and easily got rid of it by turning off my computer, re-opening in safe mode (it still popped up), opening task manager because it’ll still allow you to go ctrl+alt+delete, and restoring to an earlier date just as DD said. Took all of ten minutes, if that.
Report this comment
I tried ctrl+alt+delete, and found task manager, but as soon as the task manager screen showed up it closed right away, so idk what to do now.
Report this comment
Polly,
Do you have MalwareBytes anti-malware scan installed? If so, Reboot in Safe Mode and run MalwareBytes anti-malware software. This will remove it.
Report this comment
All I Did Was Start Task Manager, log off, then right before it logged off I pushed cancel and voilà….Now I’m Able to get U through it; Very Easy.
Report this comment
Unplug from the internet… ran Malwarebytes… 2 hour scan… done…fixed the problem
Report this comment
I am not computer savvy by any means, but didn’t want to pay $100 for Microsoft to remove virus…..I opened Windows in safe mode, restored computer to day before virus, rebooted and ran scans….all got removed and back to business!
Report this comment
I tried all the above and the virus is still there. I ran malwarebytes, avast, spywareterminator in safe mode and off (with internet off). Manually deleting it did not work either. It won’t let me open the command prompt, restore, and of course task manager… Very frustrating!
Report this comment
All I Did Was Start Task Manager, log off, then right before it logged off I pushed cancel and voilà….Now I’m Able to get U through it; Very Easy. Just Make Sure U push cancel before logging off, It Should Work
Report this comment
I have used a pc for about 15 years and would consider myself an advanced user, and this virus scared the absolute SHIT out of me when it hit. I was browsing online.
(not gonna lie, I was watching porn, the website had some name in it like neighborhoodpublic or something like that, but neighborhood was in the name, stay away from extremetube also, but anyway it was supposed to be from what I understand a homebrew porn site, later found out the site caused the infection, right after I went into this site and clicked on a porn video all of a sudden this white screen pops up and then on I was infected with the FBI virus)
IF YOU SEE ANYTHING SIMILAR TO A SITE WITH WHAT I HAVE STATED ABOVE ESPECIALLY WITH NAME NEIGHBORHOOD IN IT AND IT’S A PORNSITE DO NOT GO INTO IT IT WILL INFECT YOUR PC WITH THE FBI GREENDOT MONEYPACK VIRUS. If you do watch porn Youporn I know is 100% safe, as I have never had any problem with it other than popups in the site.
Imagine getting yourself off to porn and all of a sudden seeing yourself NAKED on this white screen on your own webcam and being told you’re being recorded and seeing an FBI Signa and it saying this was caused because of watching porn, and with which I was, so I admit at first glance I was absolutely petrified like a deer caught in headlights, I wish I could have taken a picture of my face when it happened, probably priceless. I literally almost shit myself. My heart literally went up into my throat and never so fast in my life did I turn the pc off.
This pesky virus honestly made me really scared for a couple hours, as I could not use my pc AT ALL, it was locked, not to mention I thought “no way..could this be real? it seems so real but yet it’s extorting me to pay money and that sounds like scammer shit, a prepaid card? wtf? no something is definitely weird here”, but thankfully I was able to get into Safe Mode with Networking and finally discovered it was the Infamous FBI Virus. You have no idea how relieved I was to know that lol.
Anyway I downloaded Malware Bytes and ran a scan and even that did not get rid of this thing, I would remove it, restart the pc and do another scan and it would keep finding the same viruses that I just deleted, got to the point where I finally just did a System Restore to a couple days before I got this, crossing my fingers literally, and thankfully my computer ever since has been running normally, but I’m still really worried it’s going to happen again, so I’m trying everything I can do to make 100% sure this thing is gone.
Emsisoft Emergency Kit is a really good program I found, not only has a free antivirus scanner and remover, but also helps you get rid of viruses that need to be gotten rid of manually with in-depth instructions for even newbie users (some severe trojans need to be removed manually). I highly suggest getting this program, Microsoft Security Essentials, and making sure to have a firewall on if you’re using free Anti Virus Programs, as AVG did not find a lot of viruses that Emsisoft and Malware Bytes found, even Microsoft Essentials did not find some.
But yeah, this thing had me REALLLLY stressing for awhile lmao.
Report this comment
I’m so glad to hear that this is a scam. The exact same thing happened to my son! He was very embarrassed to tell me…we are still working on fixing it but I have an urgent question. After you fixed it did the computer resume where it was and go back to porn?
Report this comment
Restart the pc*****
Report this comment
While the advice from Fred Ubercake is good step 11 referring to ctfmon.exe is completely wrong. That is a Microsoft Office file used to activate the Alternative User Input Text Input Processor (TIP) and also the Microsoft Language Bar and it should NOT be removed. Do a web search to confirm for yourself.
Report this comment
I can’t even get my computer to run in safe mode or safe mode networking. I turned computer, unhooked internet, press f9 and went to both at separate time to safe mode and networking, and when it asks for computer name and password I click enter, starts to load up only to shut down. Only thing I can go to is regular start up and goes to this fbi shit. I need help. I’m not paying someone to stop this, it’s bullshit, I shouldn’t have to.
Report this comment
Are you running Windows 8?
Report this comment
Go to safe mode with command prompt then run explorer.exe make a new user name as an admin, go on that user name and run antivirus
Report this comment
First thing I did was disconnect from my router, then I forced a shutdown. On reboot everything was fine…until I plugged back into my network. I don’t know if it’s an online trigger based on your IP, I didn’t bother running a VPN to find out, but all I did was reboot in safe mode w/out networking and ran a system restore for the previous day. Everything seems to be fine. I found a file called ‘dgsdgsdgs.pad’ or something close, only funky one I could find deep in my system. Took a shot and just deleted it. All is well. Good luck.
Report this comment
Last night, while surfing the internet, my computer was affected with the ‘FBI Moneypak’ virus. I admit, upon first glance, the message scared me. It looked official, although for mine, there was no picture of me taken with a webcam. There was a picture, (I do not own a webcam) but it was not of me. I tried to stay calm, and read through the message a couple of times, and noticed how the fine was demanded to be paid. Moneypak? Really? The FBI really expects people to go to their local Wal-Mart, K-Mart, Rite-Aid, (etcetera) and load a card or whatever? haha .. By this point, it was becoming obvious to me that it was a scam, but there was that voice in the back of my head saying, “Well, what if this is legitimate?” So, I was still a little nervous about it. My computer has two user accounts, so to make sure that I was on the right track, I rebooted my machine and loaded up the other user account. Internet Explorer and Firefox both loaded perfectly, and I was able to access the Internet once again.
By this point, I was annoyed and angry. I had been meaning to reformat my hard drive and reinstall Windows, so I took this opportunity to do so. Which, of course, solved the problem. There are, of course, several methods in which to get rid of the virus.
F***ing a$$holes ..
Report this comment
It is a federal felony as well as a felony in most states to threaten criminal prosecution in order to attempt to cause someone to perform some act or to avoid performing some act. The perpetrator of this virus is an extortionist.
Report this comment
Okay apparently I know nothing about computers…
1. What does it mean to reboot in ‘safe mode’ and how is that done?
2. How do you run a system restore?
Help please!!! I should be asking my genius brother but then he’d know his baby sister watches porn, scarring moment.
Report this comment
I think you should forget worrying about your brother finding out that you look at porn and just tell him that something is wrong with the computer and you don’t know what happened. Just don’t tell him you were looking at porn. Maybe now is a good time to stop looking at porn. How old are you? Well anyhow my point I am getting to is that trying to learn everything you need to do to the computer without doing more harm to it you just can’t learn real quick by reading a few lines while your hands are shaking and having someone watching the door. Then when it messes up all the more then you are really in more trouble. So just say it was like that when you went to use it. Or the truth.
Report this comment
I’ve been approached by these thieves. All you have to do is turn off power, restart Windows choosing command prompt, type: “control”. This brings you to the control panel; get into “system restore” and restore your computer to an uninfected prior date.
Report this comment
Thanks Gary, this worked very well for me. My daughter was watching a frikin cartoon when this happened! But I was foolish enough to go and purchase the $100 voucher and pay it before I checked with my friends! When I heard it was a scam I was pissed!
Report this comment
This worked great thanks! I was OD scared
Report this comment
This Trojan locked up my computer last night. Have spent several hours investigating it and trying to get rid of it. I’m no expert in these things, that’s for sure. Turns out that not only is the creator of the virus trying to make money off of us, several reputable and not-so-reputable businesses are as well. I’m not the biggest fan of the BBB, but I have always appreciated them being there. Occasionally, a complaint I make to them about a business will actually get results. TODAY, they helped me BIG TIME by having this information along with the replies. In particular, Gary Caudell’s suggestion made so much sense that I couldn’t resist trying it even though I had already found a local computer tech who would fix it for me tomorrow. I had already tried starting the computer in safe mode with the command prompt option. It worked, but I didn’t know what to do when I got to the prompt. Turns out all you need to do is type the word “control” and hit enter. Up came the familiar control panel and system restore worked perfectly. I am back in business, at least for the time being. I’m running a full virus scan as we speak. It’s a pretty big hard drive, so it will take a while. Hopefully it will find the pest(s) and remove it before it can raise its ugly head again. As I understand it, the system restore option gets you running again, but the trojan is still there. It may even be more deeply embedded, but that may just be hype from some of the people trying to make big bucks off of this situation. In any event, I’ll post an update to let you know how it all turned out. I’m 11% through the scan and nothing has been found yet.
Report this comment
Here is a followup to what I wrote last night. My security software is McAfee Total Protection (full retail version). I did a full scan with that once my computer was working again. It found and quarantined two trojans. Took about five hours. The result screen is confusing because it read like it found nothing and that didn’t make sense to me. So I called McAfee to ask them why their software didn’t catch this trojan and if my computer was really secure like the software said it was. Their only response to my first question was that they were sorry it happened and that they could remotely check my computer and remove the virus for a fee. Surprised me because I thought they would step up to the plate when their software failed. Well, I eventually convinced them that I needed to at least talk with a tech qualified to answer my questions. I told him what I did to get the computer operating again and he told me he was impressed (thanks again Gary). He also told me that the restore of the computer to a previous uninfected state probably deleted the trojan because restore deletes everything after the date you went back to. Didn’t know that. My local tech later confirmed that this was true. So as long as the trojan was introduced after the date that computer was restored to, it was most likely gone. But things are obviously not that simple because the full scan found two more trojans. I used the computer today and things went well. Then I decided to do a backup of all new files since my last backup. That is happening now. What also is happening is the McAfee software has quarantined 3 more trojans with similar names to the two it found last night. I’m not sure right now if that has something to do with my USB backup drive or with the FBI virus. Or it could be something else. My local tech was able to help me understand how these things get past the security software.
Basically, there are natural channels that they can go through to get past the firewall: things like Java, windows update, etc. Some of these things like automatic windows update, you can shut down. Some you cannot without a lot of inconvenience. But here is the rub. The channels can also be created by malware and even techs who are trying to help you with a problem by taking remote control of your computer. He said to never trust someone who wants to help you by taking remote control of your computer unless you have reason to trust them 100 percent. I then remembered that I had a problem 6 months ago and I called HP, the manufacturer of my computer. The tech there took control of my computer and while he was working, I realized it wasn’t HP I was talking with. It was a company that had fooled me into thinking they were HP. They were pressuring me to pay $180 per year for their ongoing service. Didn’t sound like HP and so I asked them directly. They had no affiliation. Long story, short: I cut their connection to my computer because I had no reason to trust them. Now I’m concerned that they could have opened some of these channels because it would fit the whole game they were playing with me. If my computer keeps having problems, then I keep needing them, and they keep getting $180 or more per year from me. So this computer is going to the local tech and I’ll report here what I find. I still need to back up my data to my other external hard drive and then do a few more things. Then it is off to the tech for his analysis.
Report this comment
wow. why the hackers starting using FBI’s alert and camouflage as a virus? The hackers don’t even think about when FBI caught them on that. It’s silly who would have the guts to do? unless some “mindless” hacker think is funny to mess with a law enforcement dept.
Report this comment
I did what was said and doing safe mode to then restoring point helped. I have gotten this thing twice and agree no way I’d pay money as it is a scam and just like a virus. The guru of how to fix this gets props, thanks a bunch
Report this comment
Hi, I can’t do anything. My computer comes on and I press the F8 button a lot and I got to safe mode with networking / prompt command and it keeps bringing me back to the same black screen with safe mode stuff. I can’t do restore point either. When I try to go to a different user I still can’t do anything. The white screen pops up and I can’t do anything, nothing at all. Please help!!!
Report this comment
This virus stops you from doing almost anything, but here is how to get around it:
1. Shut down your computer.
2. At start-up, keep pressing F8 to enable how you want to start your computer (this time only). Then choose “Safe Mode with Command Prompt”. Do not use networking!
3. At the DOS prompt, type “taskmgr” (without the quotes), and then press Enter. This will bring up Windows Task Manager. (This is just like pressing ctrl/alt/delete from your desktop.)
4. In Task Manager, click on the “File” tab and then choose “New Task (Run…)”. This will bring up the “Run Command” (This is just like clicking “Start” and then “Run” from your desktop.)
5. In the Run Command window type “msconfig” (without the quotes). This will bring up the System Configuration Utility. There, in the “General” tab, you can click on “Launch System Restore”.
6. Follow the prompts to restore your computer to another time. Be sure to choose a date previous to the virus attack.
7. This will take several minutes to accomplish. Be patient, and you will soon be back at your desktop.
I hope this helped you.
Report this comment
Also I’m running XP .
Report this comment
once I go to safe w/command it says please wait and then shuts off
Report this comment
I am running Vista. Does that make a difference?
Report this comment