
Moneypak Madness - Fighting the Virus/Ransomware

Updated on May 27, 2014

I was asked to fix a computer infected with the FBI Green Dot MoneyPak virus. This is definitely one of the nastiest viruses I've come across as far as its ability to lock out a computer. It seems that my experience was either with a brand new variant of the virus or was simply atypical compared with what other people had posted at the time of this writing.

For those that are not familiar with the virus, it displays a full-screen warning claiming that the computer has been locked by the FBI for vaguely described computer-related crimes, such as child or "zoo" porn. The user is instructed to pay a "fine" by purchasing a $200 (amounts may vary) MoneyPak card at a local convenience store and entering the card's code.

After reading some guides on the virus I saw that the two primary ways people got around the lockout were to either boot into Safe Mode or to log in as a different user. The startup task used to launch the virus seems to be confined to the profile of the user who was originally infected.

While I found the virus quite clever, I also felt a bit challenged that I couldn't just Alt+F4 it or do something similar to stop it. The machine I was working on was a client's personal Windows XP machine, so it only had one user account. With the alternate login option eliminated, I tried a variety of things to kill the application before resorting to Safe Mode. All of them failed.

I was able to kill or crash the virus a couple of times, but each time it either froze or crashed the rest of the operating system with it. One interesting tactic was to hold Ctrl+Alt+Esc. Normally this brings up Task Manager locked on top of other windows. The virus is smart enough to keep itself on top. However, by repeatedly launching windows I was able to occasionally get some on top. They only stayed on top as long as I held down the keys and kept focus on the window. I was able to kill some processes I suspected, but the virus would respawn and kill Task Manager.

After tinkering around for a while I gave up and just booted to Safe Mode. Unfortunately Safe Mode crashed after loading mup.sys. I tried several times, including after running a repair on it, but none of the Safe Mode variants would boot. The fact that normal mode worked without a problem led me to believe the virus had done something to disable Safe Mode. Other reports suggest it's likely this computer's Safe Mode was broken prior to the virus, but I can't be certain.

Back to the drawing board. Next I tried a utility I had downloaded called rkill. I burned it to a DVD, and as soon as the computer logged me in I tried to launch it with the mouse, but I wasn't quite fast enough to get it running before the virus took over. On my second try I hit Win+R and typed e:\rkill.com. That did the trick. Oddly enough, rkill ran and kept the focus on top of the virus. The utility found some stuff, but it did not terminate the virus processes, executables, or registry keys. I ran it a couple of times and it never did anything useful.

I finally went to my last resort. I pulled the hard drive out of the computer, hooked it up to my SATA-to-USB adapter, and then plugged it into my laptop (fingers crossed and layered A/V running). I used the online guides to try to locate the files. They claimed I needed to find ctfmon.lnk and some random executables. Unfortunately none of the virus files were where they were reported to be. The virus also did not launch from the Startup group (it used the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run to launch).

I hunted around manually, found and deleted some questionable files before putting the hard drive back in and booting the computer. Fail. The virus was still there and promptly took over again.

I finally took the hard drive back out and did a search for executables that had been modified recently. Paydirt! I cleaned up a whole bunch of executable junk that didn't have digital signatures. I can't be totally sure, but I believe the virus was in three files all with random names (xxxxxxxxxxx.exe) that were modified that day.
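The offline triage described above, as an added example that is not part of the original post: a Python script run from the analyst's laptop over the mounted drive that lists executables modified within the last day and lacking an Authenticode certificate table in their PE header. The directory layout, file names and minimal PE headers in the demo are constructed; the check only reports whether a signature is present, not whether it is valid, so hits are leads for manual review, not verdicts.

```python
import os, struct, tempfile, time
from pathlib import Path

def has_cert_table(data):
    """True if the PE header points at a non-empty Authenticode certificate table (presence only, nothing is validated)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]   # optional header follows the 20-byte COFF header
    # data directories begin 96 (PE32) or 112 (PE32+) bytes into the optional header; entry 4 is SECURITY
    entry = e_lfanew + 24 + (96 if magic == 0x10B else 112) + 4 * 8
    if entry + 8 > len(data):
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0

def find_suspect_executables(root, max_age_days):
    """Walk a mounted volume; list PE files modified within max_age_days that carry no certificate table."""
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.suffix.lower() not in (".exe", ".dll", ".scr") or p.stat().st_mtime < cutoff:
            continue
        with open(p, "rb") as f:
            head = f.read(4096)                                # the headers sit at the start of the file
        if not has_cert_table(head):
            hits.append(str(p))
    return sorted(hits)

def build_sample_pe(with_cert_entry):
    """Constructed minimal PE32 header (not executable), used only to exercise the checks above."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                          # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)   # SizeOfOptionalHeader = 224
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                                  # PE32 magic, rest zeroed
    dirs = [(0x400, 0x200) if i == 4 and with_cert_entry else (0, 0) for i in range(16)]  # fake cert table
    return dos + coff + opt + b"".join(struct.pack("<II", r, s) for r, s in dirs)

def demo():
    """Constructed scenario: a signed system file, a fresh unsigned random-named exe, and a stale unsigned exe."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, signed, age_days in (("WINDOWS/system32/vendor.exe", True, 0),
                                      ("Documents and Settings/user/kxq7rp2.exe", False, 0), ("old/stale.exe", False, 30)):
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(build_sample_pe(signed))
            os.utime(p, (time.time() - age_days * 86400,) * 2)
        return [Path(h).name for h in find_suspect_executables(tmp, max_age_days=1)]
```

Only the fresh, unsigned, random-named file survives the filter; the signed system file and the month-old file are skipped.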

Once that was done I could log back into the computer, fix the registry, and run some malware cleanup utilities. Hurray! A win for the good guys! Or was it?

Clearly I spent way too much time on this single PC. It would have made much more sense to just wipe it and reinstall, but spite had me in its clutches. Before returning the computer I took a minute to check for antivirus software and noticed that "ESET NOD32" was installed. I wasn't really familiar with that one, but I just left it alone.

And that's where I went wrong. Two months later I got a call from the owner of this same PC letting me know that the virus was back and in control of his computer.

Here we go again.

This time he had a new and improved variant of the same MoneyPak virus. This one had webcam support, so it could threaten to send pictures of you to the FBI. The ransomware still featured legalese threats in mangled English, but I did notice some refinements to the screen and to the virus itself.

This particular version of the virus started sooner. I'm not sure how it was hooked in, but there was no delay between startup and the launch of the virus. There was no chance to log in as another user, and Task Manager was disabled by policy instead of the virus sniping the process as before.

I took a quick look, saw that Safe Mode still didn't work, and then promptly removed the hard drive. I found some strange executables that were definitely the virus's main launch point, removed them, and rebooted.

Mysteriously, the virus came back and replaced the files I deleted. Take two.

This time I ran a scan with AVG's free virus scanner. It first deleted the same files I had deleted previously, then it found deeper problems hidden in the Windows System32 directory. This did the trick, and the battered old machine was humming along just fine.

I got rid of that ESET NOD scanner because, though it was running, it had clearly missed the boat on the MoneyPak virus twice. AVG also found at least three other viruses on the machine that this software had missed. I checked quickly to make sure the software had been updating, and it looked like it was up to date. I installed AVG Free and returned the PC... hopefully for the last time.
