Mandiant Moneypak Virus - How To Remove?

Type: Ransomware

Mandiant Moneypak virus is a new ransomware that was developed by computer hackers in order to steal money from random users from the Internet. The creators of this badware focus on American users however the program can infect users from other parts of the world too. Mandiant is in fact the company that is responsible for connecting China to a string of lengthy targeted U.S. companies. However, it is not related to this scam in any way.

Mandiant Moneypak virus usually takes over computers with the help of Trojan viruses. It can be distributed on infected websites, through attachments of spam emails and so on. This is not the first ransomware that locks up computer of a victim and tries to get financial benefits from its user. Usually this type of ransomware also use the name of FBI or police to look more legitimate. FBI has already released many warnings not to trust these programs, but it seems that the creators of these ransomware are still able to find new victims.

Once inside the computer, Mandiant Moneypak virus blocks the system entirely and displays a message in the middle of the screen saying that your computer has been locked because you are accused of viewing/storage and/or dissemination of banned content such as pornography. It also claims that you are suspected of violation of “Copyright and Related Rights Law”, downloading and distributing pirated content. You can have a look at the message of Mandiant Moneypak virus below:

Mandiant U.S.A. Cyber Security
FBI. Department of Defense
U.S.A. Cyber Crime Center
Your computer has been blocked for safety reasons listed below.
You are accused of viewing/storage and/or dissemination of banned pornography (child pornography/zoophilia/rape etc). You have violated World Declaration on non-proliferation of child pornography. You are accused of committing the crime envisaged by Article 161 of United States of America criminal law.
Article 161 of United States Of America criminal law provides for the punishment of deprivation of liberty for terms from 5 to 11 years.
Also, you are suspected of violation of “Copyright and Related rights Law” (downloading of pirated music, video, warez) and of use use and/or dissemination of copyrighted content. Thus, you are suspected of violation of Article 148 of United States of America Criminal Law.
Article 148 of United States of America criminal law provides for the punishment of deprivation of liberty for terms from 3 to 7 years or 150 to 550 basic amounts fine.
It was from your computer, that unauthorized access had been stolen to information of State importance and to data closed for public Internet access.

As you see the message also tells you to pay a fine of $300 in order get your system unblocked. It tells you to use MoneyPak or MoneyGram xpress Packet vouchers to transfer the money. Then it promises to unblock your system within 24 hours after receiving the payment. It is definitely a fake warning and it is not related to FBI or any other justice related agencies. Remove Mandiant Moneypak virus as soon as you detect it on your computer. Below we provide several way how to do that depending what this ransomware still allows you to do on your computer.

If your computer has more than one user account and not all of them are locked, scan whole PC with anti-malware programs, e.g. Spyhunter, by logging to the account that is not blocked. Another option is to use system restore. If none of these methods worked for you, do the following:

  • Restart your computer;
  • Press F8 while it is still restarting;
  • Choose between safe modes in following order: Safe mode, Safe mode with command prompt

Then follow the guides below:

If your computer runs in Safe mode or Safe mode with networking

  1. Launch MSConfig.
  2. Disable startup items rundll32 turning on any application from Application Data;. Note, that these are typical locations for Mandiant Moneypak Virus but some others might be used.
  3. Restart the system once again.
  4. Scan with to identify Mandiant Moneypak Virus files and delete it.

Here is a video showing how to complete the steps:

If your computer runs in Safe mode with command prompt

  1. Run Regedit.
  2. Search for WinLogon Entries. Write down all files it references that are not explorer.exe or blank. Replace them with explorer.exe
  3. Search registry for Mandiant Moneypak Virus files and delete the registry keys referencing the files
  4. Try to reboot and scan with Spyhunter.
  5. If this fails, try doing system restore from safe mode with command prompt (rstrui.exe)

If none of safe modes could be launched

Some versions of Mandiant Moneypak Virus disable all safe modes, but give a short gap that you can use to run anti-malware programs:

  1. Reboot normally.
  2. Start->Run.
  3. Enter: . If malware is loaded, just press alt+tab once and keep entering the string blindly. Press Enter.
  4. Press Alt+tab and then R couple times. Mandiant Moneypak Virus process should be killed.

Here is a video detailing this approach:

Hitman Pro USB disk

If you did not succeed using any of the methods above, try scanning PC with a bootable USB or DVD disk. These should be able to remove all versions of Mandiant Moneypak Virus, but will not work if your hard drive is encrypted.

For that, we recommend using Hitman Pro Kickstarter USB.

  1. Download Hitman Pro on uninfected PC. 
  2. Run Hitman and ask to create Kickstarter USB (option on initial screen)
  3. When USB ready, reboot infected PC with USB attached and press DEL
  4. Choose USB as primary boot device.
  5. Boot normally.
  6. Run Hitman Pro and . One of these programs should detect and remove malware from your PC.

Automatic Mandiant Moneypak Virus removal tools

Note: Reimage trial provides detection of parasites and assists in their removal for free. You can remove detected files, processes and registry entries yourself or purchase a full version.  We might be affiliated with some of these programs. Full information is available in disclosure

Manual removal


Important Note: Although it is possible to manually remove Mandiant Moneypak Virus, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Reimage or other tools found on


About the author

 - Main Editor

I have started in 2007 after wanting to be more or less independent from single security program maker. Since then, we kept working on this site to make internet better and safer place to use.

July 17, 2013 01:51, July 28, 2013 12:59

Leave a Reply

Your email address will not be published. Required fields are marked *