The FBI/MoneyPak virus (known as Medfos or Midhos) is showing up on a number of computers. It can be tricky to uninstall the current variants of this virus, as it locks the computer up in both Safe Mode and normal mode.

Virus Warning

A common ‘scareware’ warning from the FBI/MoneyPak virus

We’ve seen a number of systems come in with this and have developed a removal procedure that is fairly quick…

  1. Download Windows Defender Offline and burn it to a CD or a blank USB drive. Note that sometimes the USB utility will not work given how some USB drives are formatted. If the tool won’t create a bootable USB drive, try using many freely available tools to perform that step, then erase the drive and try the WDO setup tool again. The only difference between using a CDR or USB is the USB boot is faster. Note there are 32 and 64 bit versions of this tool. Make sure you use the right one for your system!
  2. Connect your computer to your network with a LAN cable. WDO does not support wireless. When WDO boots, cancel the quick scan and click the update button to ensure you have the latest definitions (you would think Step 1 would get you those, but not always). I’ve seen the update fail in a few cases, if it does. Don’t worry about it.
  3. Select ‘Full Scan’ and click Scan Now. This can take a LONG time!
  4. Remove/Disinfect all the listed infections. Watch for any errors or failures.
  5. Click the ‘Red X’ and confirm you want to exit/restart
  6. Hit F8 after the BIOS  screen and select ‘Safe Mode with Command Prompt‘. If you don’t use safe mode here, you’ll see an empty desktop and a window asking you to select a video device. Use Ctrl-Alt-Delete to restart and get into Safe Mode again.
  7. Download the latest version of ComboFix and save it to a USB flash drive. Use a blank flash drive with nothing important on it!!! If you don’t have one, burn it to a CD.
  8. In the command prompt, enter the drive letter of the USB drive (it will vary so start at D: and work your way up) and then execute ComboFix.exe and let it run.
  9. ComboFix will restart your computer and you should be able to login to Windows normally.
  10. Just to be safe, run a TDSSKiller scan to check for any deep rootkit infections. You’ll have to expand Step 1 to get the download link.
  11. Run additional virus scans with your favorite tools. Suggestions include whatever AV suite is installed, MalwareBytes, Spybot v2, and adwCleaner.
  12. I have seen some systems where the firewall is damaged. Download and run the Windows All-In-One repair tool and run it. You should do a CHKDSK and SFC scan (sfc /scannow) before running the tool. WinXP users will need their installation CD (or skip the SFC scan). Then run the tool, create the restore points, and Select All steps to run. Restart.
  13. Vista/Win7/Win8 – Start Windows Update and click the link to check for updates for other Microsoft Software. Then check for updates (All-In-One resets Win Update).

This should get your computer back to health. Make sure you install the latest Microsoft Updates/Patches and ensure you update Adobe Reader, Flash, and Oracle Java.