Solved

Moneypak Virus on Computer and now it won't boot

Posted on 2013-01-18
Last Modified: 2013-11-22
Laptop with Windows XP Media Center edition won't boot.

The user got the MoneyPak virus. It is a scam where the computer screen is taken over by a warning that the computer has been locked by the FBI and you have to pay a fine of $300. The user didn't pay the fine or believe any of the nonsense, but when he tried to reboot into safe mode the computer would no longer boot to a desktop.

I tried Last Known Good Configuration, Safe Mode, Safe Mode with Networking and Start Windows Normally, but all of them start to go to the Windows loading screen and then cycle back to the screen that gives you the choices of safe mode etc.

What is the best way of repairing this so it will boot without having to reinstall the operating system and all the programs?
Question by:mrmyth
22 Comments
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 38794893
This is a particularly annoying combination of rootkit and malware.
You should still be able to boot to a Safe Mode command prompt, but I'd recommend Russell_Venable's suggestion to use XP's Recovery Console, MBAM and Kaspersky's TDSSKiller, described here: http://www.experts-exchange.com/Security/Vulnerabilities/Q_27904395.html
0
 
LVL 11

Accepted Solution

by:
itguy565 earned 500 total points
ID: 38794924
MBAM, Kaspersky couldn't see that virus at least two weeks ago. I would recommend using the Free Emergency malware scanner from Emsisoft. I have personally used this software to remove this virus.

Here is a site that specifically shows how to remove it.

http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware
http://www.emsisoft.com/en/software/eek/
0
 
LVL 1

Author Comment

by:mrmyth
ID: 38795546
I was able to repair the boot file by following these instructions
http://www.computerhope.com/issues/ch000648.htm

However when I booted to the desktop I got the Moneypak screen.

I then tried to reboot in safe mode but I was unable to boot again.

I recreated another boot file and was able to get to the desktop. Is there a way of getting around this software without being in safemode?
0
 
LVL 11

Expert Comment

by:itguy565
ID: 38795572
You can get to safe mode. The beauty of the FBI virus is that it can't launch if it doesn't have a network connection.

1. Disconnect your network cable.
2. Reboot computer to safe mode with networking
3. start - run - msconfig
4. Choose Selective Startup
5. Disable all startup group items
6. start - run - regedit

Delete Associated FBI MoneyPak Ransomware Files:
%Temp%\<random>.exe
%StartupFolder%\ctfmon.lnk

7. Plug into network adapter.
8. Launch Web Browser and download Free Emergency malware scanner from Emsisoft
http://www.emsisoft.com/en/software/eek/
9. Run a Deep Scan, this will take several hours.
10. Remove all the detected objects.


VIRUS IS NOW GONE.
0
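The persistence pattern in step 6 above (a ctfmon.lnk in the Startup folder whose target is a random executable under %Temp%) can be checked offline, for instance on a drive slaved to a clean machine, by reading the shortcut file itself. The following is an added example, not code from the thread or from any of the tools it mentions: a minimal parser for the Shell Link (.lnk) LinkInfo structure plus a check that flags a Startup shortcut targeting a Temp directory; build_lnk only constructs sample shortcuts so the example runs without real infected files.

```python
import struct

# LinkFlags / LinkInfoFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def lnk_target(data: bytes):
    """Return the local target path stored in a Shell Link (.lnk) blob,
    or None when the link carries no local base path."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the optional IDList
        id_list_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if not flags & HAS_LINK_INFO:
        return None
    _size, _hdr, li_flags, _vol, base_off, _net, suffix_off = \
        struct.unpack_from("<7I", data, pos)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None

    def cstr(off):                               # NUL-terminated ANSI string
        start = pos + off
        return data[start:data.index(b"\x00", start)].decode("cp1252")
    return cstr(base_off) + cstr(suffix_off)


def startup_shortcut_is_suspicious(data: bytes) -> bool:
    """A Startup-folder shortcut whose target lives under a Temp directory
    matches the pattern described in the thread (ctfmon.lnk -> %Temp%\\<random>.exe);
    the genuine ctfmon.exe lives in system32, not in a user's Temp folder."""
    target = lnk_target(data)
    return target is not None and "\\temp\\" in target.lower()


def build_lnk(target: str) -> bytes:
    """Construct a minimal .lnk blob pointing at `target` (sample data only)."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHELL_LINK_CLSID,
                         HAS_LINK_INFO, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # fixed drive, no label
    path = target.encode("cp1252") + b"\x00"
    base_off = 0x1C + len(volume_id)
    body = volume_id + path + b"\x00"            # empty CommonPathSuffix
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, 0x1C,
                            base_off, 0, base_off + len(path)) + body
    return header + link_info
```

On a slaved drive, feed the bytes of each .lnk found under the user's Startup folder to startup_shortcut_is_suspicious; the same parser also exposes the target path so you know which %Temp% executable to submit to a scanner.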
 
LVL 1

Author Comment

by:mrmyth
ID: 38795609
That's great, but I can't get into safe mode.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 38795653
What happens when you "Disconnect the network cable" and attempt to reboot into safemode with networking?
0
 
LVL 11

Expert Comment

by:itguy565
ID: 38795654
The FBI virus can only launch if you have a connection to the internet.
0
 
LVL 1

Author Comment

by:mrmyth
ID: 38795664
The FBI virus can only launch if you have a connection to the internet.

I don't know if that is true. I booted to a Hitman Pro USB and it said it couldn't do anything because it didn't have an internet connection. I even tried plugging in a network cable, as all this time it has been disconnected.

Seems that it would be easy to disable the virus by just turning off the wireless and disconnecting any network cables.

At any rate I have now slaved the drive to another computer and am running Malwarebytes on it. Then I'll run hitman pro for good measure. I'll report back.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 38795688
I have removed this virus probably about 100 times over the last 6 months. I assure you it is true.

All you have to do to disable it is exactly what I have stated above. Disable its connection to the internet, then perform the steps above to remove it. Last I checked Malwarebytes couldn't see it. Now this could have changed in the last 2 weeks but I highly doubt it. There are also multiple different flavors of this virus.

Hitman Pro can see it and remove it. Emsisoft can see it and remove it. McAfee can't and Norton can't.
0
 
LVL 1

Author Comment

by:mrmyth
ID: 38795706
I have removed this virus probably about 100 times over the last 6 months. I assure you it is true.

I apologize then for doubting you. Can Hitman Pro target a particular drive, or do I need to scan the computer I have the drive slaved to as well?
0
 
LVL 11

Assisted Solution

by:itguy565
itguy565 earned 500 total points
ID: 38795729
I am fairly sure Hitman Pro doesn't have the ability to do a selective scan. I have never actually tried it slaved. I would assume that it would scan the files on both drives; however, I am not sure about detecting rootkits on the second drive. Emsisoft would be your better choice. It can do selective scans and it also detects far more than Hitman.
0
 
LVL 91

Expert Comment

by:nobus
ID: 38795929
I have removed a similar infection with Offline Defender: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 38795967
As you can see, there are many ways to clean this up. HMPro won't selectively scan a slaved drive (as it needs to run inside the active OS), but you could use HMPro Kickstart on the infected profile, launching from a bootable flash drive, which will give you an option to bypass the MBR and then complete the clean-up (but you will need either a valid HMPro key or to have not used their 30-day free trial to complete the process). As far as MBAM goes, MoneyPak has been included in its definitions for a few months now, but with this infection you need to be able to launch it in a "safe" environment to clean successfully.

Whichever route you use let us know how you get on.
0
 
LVL 3

Expert Comment

by:suribaba801
ID: 38795987
Please remove the battery (if a laptop) and restart your computer to log on as a DIFFERENT USER. This is very important because the virus is in your profile folders and won't start if you log on as a different user, and won't block your screen, and you can run any tool you want like Hitman or something else. It is even easier to delete the virus yourself, so if you can log on as admin, go to the user's profile with the virus and search for exe files with strange names and delete them. Also go to the temp files and delete everything there; be sure to do all temp folders. 100% guarantee this will work. Let me know. Thanks
0
 
LVL 3

Expert Comment

by:suribaba801
ID: 38795989
User profiles / My Documents are especially crucial to clean out of exe files. Let me know.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 38796645
mrmyth,

Not to sound cocky, but if you can get to safe mode with networking I am 100% sure that Emsisoft will remove the malware. I have used it numerous times to remove this virus and have directed many people remotely on how to remove this virus from their home computers.

The trick is to make sure the network cable is disconnected, boot to safe mode with networking, run rkill, follow up with Emsisoft and then finish with Hitman Pro to ensure all instances of malware are gone.

rkill http://www.bleepingcomputer.com/download/rkill/
or
Combofix: http://www.bleepingcomputer.com/download/combofix/
emsisoft : http://www.emsisoft.com/en/software/eek/



Oh, and you "CAN" boot to the infected profile, as the virus doesn't run until the "memory-resident EXE file detects an Internet connection and can establish a connection with its home server."

http://www.bleepingcomputer.com/virus-removal/remove-fbi-online-agent-ransomware

http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware

http://www.bleepingcomputer.com/forums/topic481082.html

The first 2 use emsisoft to remove the virus. The last one uses a linux boot USB drive to boot to and remove the virus.
0
 
LVL 1

Author Closing Comment

by:mrmyth
ID: 38797080
Thanks to everyone for your help. I ended up attaching the drive to another computer via USB. Then I ran Emsisoft, Hitman Pro and Malwarebytes. It successfully booted and the virus seems to be gone.

Thanks again for all your help.
0
 

Expert Comment

by:mcdonamw79
ID: 39154505
FWIW, it seems there's a new version of this thing out in the wild. I got hit with it and I can't even get to SAFE MODE. As soon as I boot to safe mode, the system just reboots itself automatically back into normal mode.
0
 
LVL 1

Author Comment

by:mrmyth
ID: 39154510
Slave the drive to another computer and run an antivirus on it. That's what I ended up doing when this thread was posted.
0
 
LVL 91

Expert Comment

by:nobus
ID: 39154578
I do a scan from a bootable CD, like Offline Defender.
0
 

Expert Comment

by:to2007
ID: 39156608
I just ran into the FBI virus as well. I can't boot to safe mode any which way. I log in in safe mode and it just restarts the computer.

I downloaded Windows Defender Offline as suggested, put it on a USB thumb drive, booted to that and ran the Offline Defender scan. It found 7 items and removed them. I exited the program, and on restart or reboot it still does the same thing: if not in safe mode it gives me the FBI bogus warning, and if in safe mode it just restarts.

Any new suggestions? I guess I could take the drive out, pop it in an external HD dock and run a scan. If I run a scan on it externally on another PC, what program do you all suggest?

Also, any ideas on this before I remove it and put it in an external drive?

Thanks
0
 

Expert Comment

by:mcdonamw79
ID: 39157422
For those with the issue still, you will be best to start a new help request. It won't be long before the Experts Admins request the same.

FWIW, slaving a laptop drive isn't always an easy task :). I ended up formatting, as nothing I did was working. I even tried UBCD4Win with its array of included antivirus tools. Found nothing.
0
