A closer look at the analysis and decontamination of the virulent and destructive FBI / DOJ Moneypak ransom trojan.

We recently encountered a variant of the widespread Urausy "FBI Moneypak" ransomware on a client machine. The client described the problem as: "My dad's laptop got the Department of Justice Moneypak virus. It claims to be from the Department of Justice, but everything it says tells me it's the FBI Moneypak virus I got a couple of weeks ago, just under a different name. He uses a Windows XP PC. I would usually try to fix it myself the way I fixed my laptop earlier, but I cannot get into Safe Mode or Safe Mode with Networking. Whenever I try, the computer automatically reboots itself. I tried googling for help to fix this, but now instead of restarting itself it goes into a blue screen of death."

Removing this one is going to be fun. A quick summary of the malware first: FBI Moneypak is a screen-locking ransom trojan that displays a fake FBI warning in an attempt to extort money from the victim through MoneyPak prepaid cards. The lock screen claims the PC has been locked because of intellectual-property offences (for example downloading illegal MP3s), but the malware has nothing to do with the FBI or any other law-enforcement agency. While it is running it blocks every major application, but booting the machine by an alternative method and then running a proper anti-malware scan removes the infection and with it the lock screen. Although the lock screen tells victims that paying will end the lockout, we strongly discourage sending money to the criminals behind it: paying is not guaranteed to unlock the PC and is not required to remove the infection safely.

This modified Urausy FBI Moneypak variant will not let us into the OS via Safe Mode, so we take a different route. I start with a bootable Windows installation DVD and a USB drive holding the Farbar Recovery Scan Tool (FRST). Booting from the Windows installation disc and running FRST from the USB drive lets me bypass the screen lock the malware imposes. I run FRST and review the log it writes to the USB drive; the FRST log gives an excellent overview of the current state of the PC. It reveals numerous invalid startup entries along with a tampered Winlogon `Shell` value. In addition, the malware's files had been dropped in `C:\Users\%user%\AppData\Roaming` and `C:\Users\%user%\Application Data`. In this case the files of interest were `skype.dat`, `skype.ini` and a number of additional `%random%.dll` files.

I write an FRST fix script and apply it from the USB drive. Once the fix completes, the laptop boots into Windows normally again. Next I run a quick scan and clean-up with AdwCleaner and RogueKiller. The AdwCleaner log shows a single corrupt registry entry, and the RogueKiller log shows five tampered registry entries, including modifications to the `DisableTaskMgr`, `DisableRegistryTools` and `NewStartPanel` values.

The malware did a good deal of damage to the OS, so as the next step I run ComboFix, a powerful recovery tool. The ComboFix log shows several more file deletions in the `C:\ProgramData` folder. I also write a short ComboFix script to clear the Java cache on the infected computer.

Apart from a sluggish Internet Explorer, the computer now runs much more smoothly. To repair IE I open Internet Options and, under the Advanced tab, choose to reset IE. After the reset IE performs normally again.

The computer now runs almost perfectly. I perform one final scan with Malwarebytes (MBAM); the MBAM log comes back clean, confirming the laptop is free of the infection.
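As an added illustration of the registry checks this clean-up relied on (not part of the original post or of FRST/RogueKiller), the script below audits a `reg export` of the keys involved: the Winlogon `Shell` value, the `DisableTaskMgr` / `DisableRegistryTools` policy values, and Run entries that launch from the user's `AppData\Roaming` or `Application Data` folder. The sample export, the user name `dad` and the file paths are constructed for the example; the registry key names are the standard Windows ones.

```python
import re

# Constructed sample of a `reg export` from an infected machine; values are illustrative only.
SAMPLE_REG_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\dad\\AppData\\Roaming\\skype.dat"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"skype"="C:\\Users\\dad\\AppData\\Roaming\\skype.dat"
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
# Startup commands that live in the per-user data folders the dropped files were found in.
USER_DATA = re.compile(r"\\(AppData\\Roaming|Application Data)\\", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg_export(text):
    """Parse the .reg subset `reg export` emits for string and DWORD values -> {key: {name: value}}."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives[current] = {}
            continue
        if current is not None and (m := VALUE_RE.match(line)):
            name, s, dword = m.groups()
            # .reg doubles backslashes and escapes quotes inside strings; undo that here.
            value = s.replace("\\\\", "\\").replace('\\"', '"') if s is not None else str(int(dword, 16))
            hives[current][name] = value
    return hives


def audit(hives):
    """Flag the indicators the FRST and RogueKiller logs pointed at during this clean-up."""
    findings = []
    shell = hives.get(WINLOGON, {}).get("Shell", "explorer.exe")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell hijacked: {shell}")
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        if hives.get(POLICIES, {}).get(name) == "1":
            findings.append(f"Policy lockout set: {name}=1")
    for key in RUN_KEYS:
        for name, cmd in hives.get(key, {}).items():
            if USER_DATA.search(cmd):
                findings.append(f"Startup entry from user data folder: {name} -> {cmd}")
    return findings
```

On a live system the same export is produced with `reg export <key> out.reg` for each key, or the hives can be exported from the offline installation while booted from the rescue medium.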
