321638 Views 72 Replies Latest reply: Jun 17, 2013 10:18 AM by Ex_Brit
  • Ex_Brit Volunteer Moderator 59,571 posts since May 6, 2004
    10. Jul 15, 2012 2:28 PM (in response to ab123xxc098)
    Re: FBI MoneyPak Scam - Removing Virus

    Exactly, that's got rid of all of them... just in case. Now turn it back on & feel free to create a new one if you wish, if all is OK now.

    ;-)


    Toronto • Canada
    Volunteer Moderator
    I can't help you privately - please post in the Forums
    Use Advanced Forum Search To Find Answers
    Beta Test McAfee Products For PC & MAC
    How To Fix File Associations in Windows
    XP & Office 2003 End-Of-Life - 08 April, 2014
    Anti-Spyware/Malware & Hijacker Tools
  • emailydesarno Newcomer 4 posts since Jul 20, 2012
    11. Jul 20, 2012 1:50 PM (in response to gothamguy)
    Re: FBI MoneyPak Scam - Removing Virus

    If you need help removing the FBI MoneyPak virus, this article seems to be foolproof: http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/

  • pcidiot Newcomer 1 posts since Aug 16, 2012
    12. Aug 16, 2012 1:21 PM (in response to Ex_Brit)
    Re: FBI MoneyPak Scam - Removing Virus

    Brit, you're a genius. I can't believe you give this advice away for free.

    Worked perfectly.

    I thought I had an expensive door stop.

  • Ex_Brit Volunteer Moderator 59,571 posts since May 6, 2004
    13. Aug 16, 2012 1:38 PM (in response to pcidiot)
    Re: FBI MoneyPak Scam - Removing Virus

    I've been there, done that and had the T-shirt to prove it, so to speak. Yes, I know what it's like to suddenly have a machine that appears to be made of lead.

    Glad you are OK.  ;-)


  • balcava Newcomer 1 posts since Aug 16, 2012
    14. Aug 16, 2012 1:57 PM (in response to gothamguy)
    Re: FBI MoneyPak Scam - Removing Virus

    Realistically these are all the options to remove the FBI viruses, copied and pasted from: http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/


    1. Malware Removal Software – Scan and remove malware
    2. Manual Removal – Remove associated files
    3. Restore – Restore PC to a date and time before infection (includes different options)
    4. Safe Mode With Networking – Remove files and/or Scan and remove malware
    5. Optical CD-R Option – Scan and remove malware
    6. Slave Hard Disk Drive Option – Scan and remove malware

    Manual removal

    It’s actually really easy to remove this virus in Windows without a restore (restore options below). Then again, if this option does not help you locate the malicious files, skip it. We are going to enter your computer's App Data, which is a hidden file. To learn how to show hidden files click here.
    1. Open Windows Start Menu and type %appdata% into the search field, press Enter.
    2. Navigate to: Microsoft\Windows\Start Menu\Programs\Startup
    3. Remove ctfmon (ctfmon.lnk if in DOS) – this is what’s calling the virus on start up. This is not ctfmon.exe.
    4. Open Windows Start Menu and type %userprofile% into the search field and press Enter.
    5. Navigate to: Appdata\Local\Temp
    6. Remove rool0_pk.exe
    7. Remove [random].mof file
    8. Remove V.class
    The virus can have names other than “rool0_pk.exe” but it should appear similar; there may also be 2 files, 1 being a .mof. Removing the .exe file will fix FBI Moneypak. The class file uses a Java vulnerability to install the virus; removal of V.class is done for safe measure.

     

    All FBI Moneypak Files:

    The files listed above are what cause FBI Moneypak to function. To ensure FBI Moneypak is completely removed manually, please delete all given files. Keep in mind, [random] can be any sequence of numbers or letters.

    • %Documents and Settings%\[UserName]\Desktop\[random].lnk
    • %Program Files%\FBI Moneypak Virus
    • %AppData%\Protector-[rnd].exe
    • %AppData%\Inspector-[rnd].exe
    • %Windows%\system32\[random].exe
    • %appdata%\[random].exe
    • %Documents and Settings%\[UserName]\Application Data\[random].exe
    • %UserProfile%\Desktop\FBI Moneypak Virus.lnk
    • %Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
    • %AppData%\result.db
    • %CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
    Kill ROGUE_NAME Processes:

    Access Windows Task Manager (Ctrl+Alt+Delete) and kill the rogue FBI Moneypak process. Please note the infection will have a random name for the process [random] which may contain a sequence of numbers and letters (i.e. USYHEY347H372.exe).

    • [random].exe
    Remove Registry Values

    To access the Windows Registry Editor, type regedit into the Windows Start Menu text field and press Enter.

    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random].exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\FBI Moneypak Virus
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegistryTools’ = 0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system ‘EnableLUA’ = 0
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ‘WarnOnHTTPSToHTTPRedirect’ = 0
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegedit’ = 0
    • HKEY_CURRENT_USER\Software\FBI Moneypak Virus
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Inspector’
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableTaskMgr’ = 0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0

     

    Safe mode with networking
    For users needing access to the Internet or the network they’re connected to. This mode is helpful when you need to be in Safe Mode to troubleshoot but also need access to the Internet for updates, drivers, removal software, or other files to help troubleshoot your issue.

    • This mode will also bypass any issues where Antivirus or Anti-Malware applications have been affected/malfunctioning because of the FBI Moneypak infection’s progression.

    The plan with this option is to enter your computer in “safe mode with network” and install anti-malware software. Proceed to scan, and remove malicious files.
    1. Reboot your computer in “Safe Mode with Networking”. As the computer is booting (when it reaches the manufacturer’s logo) tap and hold the “F8 key” continuously to reach the correct menu. On the Advanced Boot Options screen, use your keyboard to navigate to “Safe Mode with Networking” and press Enter.

    • Make sure to log into an account with administrator rights.

    The screen may appear black with the words “safe mode” in all four corners. Click your mouse where the Windows Start menu is to bring up necessary browsing.
    2. There are a few different things you can do…

    • Pull-up the Start menu, enter All Programs and access the StartUp folder.
    • Remove “ctfmon” link (or similar).

    This seems to be an easy step in removing the FBI virus for many users. If you are interested in learning about ctfmon.exe please click here.
    Now, move on to the next steps (which is not a necessity if you removed the file above but provides separate options for troubleshooting).
    3. If you still can’t access the Internet after restarting in safe mode, try resetting your Internet Explorer proxy settings. These 2 separate options and following steps will reset the proxy settings in the Windows registry so that you can access the Internet again.

    How To Reset Internet Explorer Proxy Settings

    Option 1
    In Windows 7, click the Start button. In the search box, type run, and then, in the list of results, click Run.
    -or-
    In Windows Vista, click the Start button, and then click Run.
    -or-
    In Windows XP, click Start, and then click Run.
    Copy and paste or type the following text in the Open box in the Run dialog box and click OK:
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
    In Windows 7, click the Start button. In the search box, type run, and then, in the list of results, click Run.
    -or-
    In Windows Vista, click the Start button, and then click Run.
    -or-
    In Windows XP, click Start, and then click Run.
    Copy and paste or type the following text in the Open box in the Run dialog box and click OK:
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f

    Restart Internet Explorer and then follow the steps listed previously to run the scanner.

    Option 2
    Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
    Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.
    4. It is now recommended to download Malwarebytes (free or paid version) and run a full system scan to remove FBI Moneypak malware from your computer if you do not have this application on your system.

     

    Message was edited by: balcava on 8/16/12 1:57:07 PM CDT
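An added read-only audit (example code, not from the thread or from botcrawl.com) that checks a machine for the artefacts the post above lists: the Startup-folder shortcut, the policy/UAC/proxy registry values, Image File Execution Options Debugger hijacks, and HKCU Run entries. It assumes Windows PowerShell 3 or later; the "tampered" states for DisableTaskMgr and DisableRegistryTools (nonzero) are standard Windows semantics, not something the post states.

```powershell
# Read-only audit for the persistence and lockdown settings listed in the post above.
# Added example, not code from the thread or from botcrawl.com. Assumes Windows PowerShell 3+.
# It only reports; review each hit, since a configured corporate proxy or a developer's
# debugger can legitimately produce the same registry values.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($check, $where, $value) {
    $findings.Add([pscustomobject]@{Check = $check; Location = $where; Value = $value})
}
# 1. Startup-folder shortcut (the post: a ctfmon.lnk there launches the payload; not ctfmon.exe).
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    # Flag the name from the post, or any shortcut whose target sits in the user's Temp folder.
    if ($_.BaseName -ieq 'ctfmon' -or $target -like "$env:LOCALAPPDATA\Temp\*") {
        Add-Finding 'Startup shortcut' $_.FullName $target
    }
}

# 2. Policy, UAC and proxy values from the post's registry list. The tampered state is
#    standard Windows semantics (assumption, not from the post): a nonzero DisableTaskMgr or
#    DisableRegistryTools locks the tool out; EnableLUA/ConsentPrompt* = 0 silence UAC.
$policy = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$inet   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$checks = @(
    @{Path = "HKCU:\$policy"; Name = 'DisableTaskMgr';             Tampered = { param($v) $v -ne 0 } },
    @{Path = "HKCU:\$policy"; Name = 'DisableRegistryTools';       Tampered = { param($v) $v -ne 0 } },
    @{Path = "HKLM:\$policy"; Name = 'EnableLUA';                  Tampered = { param($v) $v -eq 0 } },
    @{Path = "HKLM:\$policy"; Name = 'ConsentPromptBehaviorAdmin'; Tampered = { param($v) $v -eq 0 } },
    @{Path = "HKLM:\$policy"; Name = 'ConsentPromptBehaviorUser';  Tampered = { param($v) $v -eq 0 } },
    @{Path = $inet;           Name = 'ProxyEnable';                Tampered = { param($v) $v -ne 0 } }
)
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and (& $c.Tampered $item.($c.Name))) {
        Add-Finding 'Registry value' "$($c.Path)\$($c.Name)" $item.($c.Name)
    }
}

# 3. Image File Execution Options: a Debugger value under an AV executable's key (the post lists
#    AAWTray.exe, AVCare.exe, AVENGINE.EXE -> svchost.exe) makes Windows run that program instead.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO Debugger' $_.PSChildName $dbg }
}

# 4. HKCU Run entries pointing into %AppData% (the post: Run\Inspector -> %AppData%\Protector-[rnd].exe).
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like "$env:APPDATA\*" } |
        ForEach-Object { Add-Finding 'Run key' $_.Name $_.Value }
}
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No matching findings.' }
```

Run it from an elevated prompt so the HKLM keys are readable; an empty result means none of the listed artefacts were found, not that the machine is clean, since the post itself says file and value names vary between variants.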
  • surfinisme Newcomer 1 posts since Aug 16, 2012
    15. Aug 16, 2012 3:04 PM (in response to Ex_Brit)
    Re: FBI MoneyPak Scam - Removing Virus

    Will McAfee protect me from getting this again in the future?

  • kalonibrown Newcomer 1 posts since Aug 16, 2012
    16. Aug 16, 2012 3:10 PM (in response to balcava)
    Re: FBI MoneyPak Scam - Removing Virus

    Thanks balcava, excellent instructions and what a great website to share. Highly appreciated.

    Literally took me 3 minutes to fix with your help.

    http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/

    I think McAfee does cover FBI viruses, they're usually on top of fixing this stuff faster than most.

  • Ex_Brit Volunteer Moderator 59,571 posts since May 6, 2004
    17. Aug 16, 2012 3:42 PM (in response to kalonibrown)
    Re: FBI MoneyPak Scam - Removing Virus

    That's an unknown, I'm afraid, as they morph constantly. It obviously didn't this time but could the next, unless a new variant suddenly appears. None of the major antivirus applications are 100% effective against these fake anti-malware pests, unfortunately, hence the need for specialist tools.


  • Hayton Volunteer Moderator 4,590 posts since Sep 27, 2010
    18. Aug 19, 2012 9:44 PM (in response to Ex_Brit)
    Re: FBI MoneyPak Scam - Removing Virus

    The FBI are suddenly very interested in this variant of the ransomware/scareware scam that's been plaguing European users for at least a couple of years. This is probably because large numbers of people hit by this scam have contacted the FBI to complain about it.

     

    Brian Krebs has belatedly turned his attention to this ongoing operation, and has written an informative piece about the organisation of this criminal operation. There's a useful little diagram cribbed from 'botnets.fr' which identifies most of the elements of the operation as being based in Russia and Ukraine (oh, what a surprise), but shows that parts of it rely on a US and UK presence. The US-based botnets that run the Blackhole Exploit kit (by which most users become infected) give the FBI a legal basis for pursuing a robust international investigation. The results of that investigation will probably lead to arrests in a year or two.

     

    Reveton operation.JPG

     

    This scam persuades only a small percentage of those infected and seeing the threatening message to pay up, but that small percentage still generates an income of about $40,000 to $50,000 a day. No wonder the new variants keep being rolled out.

     

    Edit :

    Most BlackHole exploits succeed because they find a PC has an outdated version of Java installed, as can be seen from this section of a screenshot of a BlackHole exploit control panel, obtained by Kafeine, of botnets.fr :

    Reveton console (part).PNG

     

    The full screenshot can be seen at http://krebsonsecurity.com/wp-content/uploads/2012/08/revetonBHEKit.png

     

    The advice about Java is worth repeating : if you need it, keep it updated. Updates to Java fix known security weaknesses, and are frequent. If you don't need it, uninstall it (I removed it, and haven't needed it since I did so).

     

    Two very important things to realise about this seemingly-straightforward ransom demand :

     

    ... the latest Reveton versions will steal all passwords stored on the victim’s PC. What’s more, the FBI’s report indicates Reveton is being bundled with Citadel, which is an extremely powerful and advanced family of malware that can be quite difficult to remove.

    (From Brian Krebs' article)

     

    Citadel is the successor to Zeus, and is designed to steal online banking credentials. So an infected system is hit with three related attacks - the initial (and profitable) ransom demand, theft of passwords, and installation of malware to compromise online banking.

     

    The Citadel malware is a close cousin of the Zeus crimeware kit and typically is used as a banker Trojan, stealing users' online banking credentials and allowing attackers to drain victims' bank accounts.

    (From http://threatpost.com/en_us/blogs/citadel-malware-used-infiltrate-airport-vpn-081412)

     

    For more information about the Police Trojan scam and its latest US incarnation :

    http://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/

     

    http://www.fbi.gov/news/stories/2012/august/new-internet-scam

     

    http://blogs.avg.com/news-threats/blackhole-ransomware-graphic-mimics-fbi/

    http://blogs.avg.com/news-threats/fake-fbi-ransomware-analysis/

     

    https://threatpost.com/en_us/blogs/reveton-ransomware-uses-fake-fbi-message-extort-money-080912

    http://threatpost.com/en_us/blogs/citadel-malware-used-infiltrate-airport-vpn-081412

     

    https://www.botnets.fr/index.php/Reveton

    Message was edited by: Hayton on 20/08/12 03:44:31 IST

    Volunteer Moderator  Leeds, UK
    No PM's please
  • Ex_Brit Volunteer Moderator 59,571 posts since May 6, 2004
    19. Aug 20, 2012 4:40 AM (in response to Hayton)
    Re: FBI MoneyPak Scam - Removing Virus

    Interesting, Hayton, thanks. Of course we can expect quick action out of the Russian and Ukrainian authorities... not. They're probably in on it.

