Author Topic: FBI moneypak virus  (Read 2969 times)

Offline MonKENy

  • Newbie
  • Posts: 7
FBI moneypak virus
« on: October 15, 2012, 04:32:36 AM »
Friend turned on his laptop and was hit by that. Followed the log thread, and here they are.

Thank you guys for looking at these. Hopefully it's all cleared up, but you never know.
« Last Edit: October 15, 2012, 04:40:22 AM by MonKENy »

Offline MonKENy

  • Newbie
  • Posts: 7
Re: FBI moneypak virus
« Reply #1 on: October 15, 2012, 04:34:50 AM »
more logs

Offline MonKENy

  • Newbie
  • Posts: 7
Re: FBI moneypak virus
« Reply #2 on: October 15, 2012, 04:37:56 AM »
It won't let me upload the OTL files; don't know what to do about that.

Offline MonKENy

  • Newbie
  • Posts: 7
Re: FBI moneypak virus
« Reply #3 on: October 15, 2012, 04:38:20 AM »
log

Offline MonKENy

  • Newbie
  • Posts: 7
Re: FBI moneypak virus
« Reply #4 on: October 15, 2012, 04:38:44 AM »
log

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 21780
  • Gender: Male
Re: FBI moneypak virus
« Reply #5 on: October 15, 2012, 05:33:52 AM »
Quote
It won't let me upload the OTL files; don't know what to do about that.
Who is "it"?

If the log is too big, split it in two and use two posts.
Alternatively, upload it to some file share and post the download link here.
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline MonKENy

  • Newbie
  • Posts: 7
Re: FBI moneypak virus
« Reply #6 on: October 15, 2012, 11:23:48 PM »
"It" meaning the board attachment system. Is it necessary? I'm not even sure I needed to do all the logs; I just did them all in case.

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 29066
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
Re: FBI moneypak virus
« Reply #7 on: October 16, 2012, 07:43:16 PM »
Could you split the log in two?

Offline MonKENy

  • Newbie
  • Posts: 7
Re: FBI moneypak virus
« Reply #8 on: October 18, 2012, 09:21:28 AM »
OK, will do. I should have it done tomorrow.

Thanks

Offline InspectorGadget

  • Newbie
  • Posts: 1
Re: FBI moneypak virus
« Reply #9 on: October 31, 2012, 01:41:43 PM »
What happened? Did you clean the system? Here is a suggestion I have if you are hit by this ransomware. It really works, because I had to do it on a friend's PC. So here is what you have to do:

Step 1 - go into safe mode with command prompt by pressing F* continuously on restart
Step 2 - in the command prompt line type explorer.exe and wait for the Desktop to appear
Step 3 - go to the Start menu and type rstrui in the search box to go to System Restore
Step 4 - set your system to a previous date when it was clean
Step 5 - when you have unlocked your PC, clean it of FBI MoneyPak, because it is still on your computer

How to clean the machine from the infected files?

You can do that manually:

1. Check your registry for modifications and new entries made by FBI Moneypak

2. Delete these malicious files:

For Vista:

C:\Program Data\csrss.exe
C:\Users\{Your User Name}\AppData\Roaming\Microsoft\Windows\… Menu\Programs\Startup\ctfmon.exe
C:\Users\{User Profile}\AppData\Local\Microsoft\Windows… [Random.exe]
C:\Users\{User Profile}\AppData\Local\Microsoft\Windows… [Random]
C:\Program Data\lsass.exe
C:\Program Data\[Random.exe]

For XP:

C:\Documents and Settings\{Your User Name}\Start Menu\Programs\Startup\ctfmon.exe
C:\Windows\[Random.exe] (e.g. Pmfjyiaj.exe)
C:\Documents and Settings\{User Profile}\Local Settings\Application Data\Microsoft\Windows\[Random.exe]
C:\Documents and Settings\{User Profile}\Local Settings\Application Data\Microsoft\Windows\[Random]

You can also do all of this automatically with a security tool like http://www.americanpendulum.com/2012/10/02/fbi-moneypak-scam-dangerous-malware-making-millions-of/ (here there are also some more removal instructions) or this one http://www.malwarebytes.org/. You can also see a removal video here http://www.youtube.com/watch?v=cuctc1_g0as

I hope this is helpful to you and other users too!
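The manual clean-up in the post above comes down to checking a handful of persistence locations for executables that do not belong there. The script below is an added example, not part of the post and not an avast tool: it applies those checks offline to a file listing (for instance one exported from OTL or taken from a mounted image) and only reports, never deletes. The paths in SAMPLE_LISTING are constructed for the demonstration and modelled on the post's Vista and XP lists. Two facts it relies on: the real directory is C:\ProgramData, with no space, and csrss.exe, lsass.exe and ctfmon.exe legitimately live only under C:\Windows\System32 (or SysWOW64), so a copy anywhere else is a masquerade no matter what it is named.

```python
"""Offline triage of a Windows file listing for the persistence locations
named in the post above. Added example, not part of the forum thread.

It flags, without deleting anything:
  - a file named like a core Windows process (csrss.exe, lsass.exe, ctfmon.exe, ...)
    that lives anywhere other than %SystemRoot%\\System32 (or SysWOW64),
  - any executable in a Start Menu\\Programs\\Startup folder,
  - any executable dropped directly into C:\\ProgramData,
  - any executable directly under the per-user Local\\Microsoft\\Windows directory.
"""
import ntpath
import re

# Names that only legitimately exist under System32 / SysWOW64. A copy in
# ProgramData or a Startup folder is a masquerade whatever the file is called.
SYSTEM32_ONLY = {"csrss.exe", "lsass.exe", "ctfmon.exe", "smss.exe",
                 "winlogon.exe", "services.exe", "svchost.exe"}

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Paths are lower-cased and backslash-normalised before matching.
LEGIT_HOME_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+$")
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$")
PROGRAMDATA_RE = re.compile(r"^[a-z]:\\programdata\\[^\\]+$")
LOCAL_WINDOWS_RE = re.compile(
    r"\\(appdata\\local|local settings\\application data)\\microsoft\\windows\\[^\\]+$")


def triage(paths):
    """Return [(path, [reasons, ...])] for every entry that matches a red flag."""
    findings = []
    for raw in paths:
        path = raw.replace("/", "\\")
        low = path.lower()
        name = ntpath.basename(low)
        is_exe = ntpath.splitext(name)[1] in EXECUTABLE_EXT
        reasons = []
        if name in SYSTEM32_ONLY and not LEGIT_HOME_RE.match(low):
            reasons.append("system process name outside System32 (masquerade)")
        if is_exe and STARTUP_RE.search(low):
            reasons.append("executable in a Startup folder")
        if is_exe and PROGRAMDATA_RE.match(low):
            reasons.append("executable dropped directly in ProgramData")
        if is_exe and LOCAL_WINDOWS_RE.search(low):
            reasons.append("executable directly under Local\\Microsoft\\Windows")
        if reasons:
            findings.append((path, reasons))
    return findings


# Constructed sample listing: a mix of legitimate files and the drops the post lists.
SAMPLE_LISTING = [
    r"C:\Windows\System32\csrss.exe",                    # legitimate
    r"C:\Windows\System32\ctfmon.exe",                   # legitimate
    r"C:\ProgramData\csrss.exe",                         # masquerade from the Vista list
    r"C:\ProgramData\lsass.exe",                         # masquerade from the Vista list
    r"C:\ProgramData\Pmfjyiaj.exe",                      # random-name dropper
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",  # harmless
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe",
    r"C:\Users\alice\AppData\Local\Microsoft\Windows\Pmfjyiaj.exe",
    r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files",   # a directory
    r"C:\Documents and Settings\bob\Start Menu\Programs\Startup\ctfmon.exe",
    r"C:\Documents and Settings\bob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat",  # legitimate
]

if __name__ == "__main__":
    for found_path, found_reasons in triage(SAMPLE_LISTING):
        print(found_path)
        for reason in found_reasons:
            print("    -", reason)
```

Anything it flags is a candidate, not a verdict: hash the file and check its signature before deleting it, and, since the post also tells you to check the registry, expect the Run keys and other start-up entries that launch these files to need the same review.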



Offline lpierce@rtpi.org

  • Newbie
  • Posts: 1
Re: FBI moneypak virus
« Reply #10 on: November 03, 2012, 07:13:03 PM »
Thank you for the info. I did the manual System Restore, and then I went to the steps to clean the machine of the infected files. I could find nothing... Is it possible that the System Restore to an earlier date deleted the malicious files?

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 21780
  • Gender: Male
Re: FBI moneypak virus
« Reply #11 on: November 03, 2012, 07:28:53 PM »
Quote
I could find nothing...is it possible that the System Restore to an earlier date deleted the malicious files?
System Restore does not remove the infection... it is not that easy.

If you need help, start your own topic and attach the requested logs: http://forum.avast.com/index.php?topic=53253.0



Offline keyhole the computer guru

  • Newbie
  • Posts: 3
Re: FBI moneypak virus
« Reply #12 on: November 03, 2012, 09:48:06 PM »
Here is a link with screenshot images showing how to remove the FBI MoneyPak virus using Malwarebytes Anti-Malware Free: http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/. I used it on the customer's desktop computer two weeks ago. The program found the malware and removed it. Hope this will help you.

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 29066
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
Re: FBI moneypak virus
« Reply #13 on: November 03, 2012, 10:02:42 PM »
The ransom viruses now tend to carry an MBR rootkit with them.
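One way to act on that warning, as an added example that is not part of the thread or of any avast tool: an MBR rootkit (bootkit) replaces the 446 bytes of bootstrap code in sector 0 so it runs before Windows, and normally leaves the partition table and the 0x55AA signature alone so the disk still boots. The script parses a 512-byte MBR image, checks the signature and the partition table for consistency, and compares the bootstrap code against a trusted SHA-256. Both images and the trusted hash are constructed inside the script; on a real case the baseline comes from a known-clean disk of the same Windows version and OEM, and sector 0 is read with read_sector0 from \\.\PhysicalDrive0 (Windows, elevated) or /dev/sda (Linux, root), which this example deliberately does not do.

```python
"""Integrity check of a 512-byte MBR image for the bootstrap-code tampering an
MBR rootkit (bootkit) performs. Added example, not part of the forum thread.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446            # bootstrap code occupies bytes 0..445
PT_OFFSET = 446               # four 16-byte partition entries follow it
PT_ENTRY = "<B3xB3xII"        # status, CHS start (3), type, CHS end (3), LBA start, sector count
SIGNATURE = b"\x55\xaa"       # bytes 510..511


def read_sector0(device):
    """Read sector 0 from a raw device or image file (needs admin/root on a live disk)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def parse_partition_table(mbr):
    """Decode the four primary partition entries."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PT_ENTRY, mbr, PT_OFFSET + i * 16)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, trusted_bootcode_sha256):
    """Return a list of problems; an empty list means the sector looks untouched."""
    if len(mbr) != SECTOR:
        return ["image is not exactly 512 bytes"]
    problems = []
    if mbr[510:512] != SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    parts = [p for p in parse_partition_table(mbr) if p["type"] != 0]
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            problems.append("invalid status byte 0x%02x" % p["status"])
        if p["sectors"] == 0:
            problems.append("partition of zero length")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    if any(s2 < e1 for (s1, e1), (s2, e2) in zip(spans, spans[1:])):
        problems.append("partition entries overlap")
    # The bootkit check proper: the code that runs before the OS must match the baseline.
    if hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest() != trusted_bootcode_sha256:
        problems.append("bootstrap code differs from trusted baseline")
    return problems


def build_sample_mbr(bootcode):
    """Constructed MBR: the given bootstrap code plus a two-partition NTFS table."""
    table = struct.pack(PT_ENTRY, 0x80, 0x07, 2048, 204800)      # active NTFS system partition
    table += struct.pack(PT_ENTRY, 0x00, 0x07, 206848, 1000000)  # second NTFS partition
    table += b"\x00" * 32                                         # two unused entries
    return bootcode.ljust(BOOTCODE_LEN, b"\x00") + table + SIGNATURE


# Constructed stand-in for clean bootstrap code: a few bytes resembling the start of a
# Windows MBR, zero-padded. Not a real boot sector.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf\x00\x06"
# Constructed stand-in for a bootkit's replacement code.
HOOKED_BOOTCODE = b"\xeb\x1e\x90" + b"BOOTKIT " * 4

CLEAN_MBR = build_sample_mbr(CLEAN_BOOTCODE)
INFECTED_MBR = build_sample_mbr(HOOKED_BOOTCODE)
# Baseline taken from the constructed clean image; on a real case take it from a known-clean disk.
TRUSTED_BOOTCODE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOTCODE_LEN]).hexdigest()

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(label, check_mbr(image, TRUSTED_BOOTCODE_SHA256) or "OK")
```

Note that the infected image passes every structural check and fails only the hash comparison: that is the point, since a bootkit has no reason to break the table. Without a trusted baseline the check degrades to "looks like a valid MBR", which is exactly what the rootkit wants you to conclude.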
