FBI moneypak virus

Friend turned on his laptop and was hit by that. Followed the log thread and here they are

Thank you guys for looking at these. Hopefully it's all cleared up, but you never know.

more logs

It won't let me upload the OTL files; don't know what to do about that.

log

log

Who is "it"?

If the log is too big, split it in two and use two posts.
Alternatively, upload it to some file share and post the download link here.

"It" meaning the board attachment system. Is it necessary? I'm not even sure I needed to do all the logs; I just did them all in case.

Could you split the log in two?

OK, will do. I should have it done tomorrow.

Thanks

What happened? Did you clean the system? Here is a suggestion I have if you are hit by this ransomware. It really works, because I had to do it on a friend's PC. So here is what you have to do:

Step 1 - go into Safe Mode with Command Prompt by pressing F8 continuously on restart
Step 2 - in the command prompt, type explorer.exe and wait for the Desktop to appear
Step 3 - go to the Start menu and type rstrui in the search box to go to System Restore
Step 4 - set your system back to a previous date when it was clean
Step 5 - when you have unlocked your PC, clean it from FBI MoneyPak, because it is still on your computer

How to clean the machine from the infected files?

You can do that manually:

  1. Check your registry for modifications and new entries made by FBI Moneypak

  2. Delete these malicious files:

For Vista:

C:\Program Data\csrss.exe
C:\Users\{Your User Name}\AppData\Roaming\Microsoft\Windows\… Menu\Programs\Startup\ctfmon.exe
C:\Users\{User Profile}\AppData\Local\Microsoft\Windows… [Random.exe]
C:\Users\{User Profile}\AppData\Local\Microsoft\Windows… [Random]
C:\Program Data\lsass.exe
C:\Program Data\[Random.exe]

For XP:

C:\Documents and Settings\{Your User Name}\Start Menu\Programs\Startup\ctfmon.exe
C:\Windows\[Random.exe] (e.g. Pmfjyiaj.exe)
C:\Documents and Settings\{User Profile}\Local Settings\Application Data\Microsoft\Windows\[Random.exe]
C:\Documents and Settings\{User Profile}\Local Settings\Application Data\Microsoft\Windows\[Random]

You can also do all of this automatically with a security tool like http://www.americanpendulum.com/2012/10/02/fbi-moneypak-scam-dangerous-malware-making-millions-of/ (there are also some more removal instructions there) or this one: http://www.malwarebytes.org/. You can also see a removal video here: http://www.youtube.com/watch?v=cuctc1_g0as

I hope this is helpful to you and other users too!
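The manual check in the post above (inspect the Startup folders, ProgramData, the per-profile Microsoft\Windows folders and C:\Windows for dropped executables, then look at the registry autostart entries) can be scripted so nothing is missed across user profiles. The following is an added triage example, not code from the thread or from any of the linked tools. It assumes you are on the affected machine in an elevated PowerShell (from Safe Mode with Command Prompt, run `powershell.exe`), that the profile roots are the default `C:\Users` (Vista and later) or `C:\Documents and Settings` (XP), and it applies one general heuristic of its own: a file carrying a Windows system-process name (csrss.exe, lsass.exe, ctfmon.exe) that lives outside System32 or SysWOW64 is suspect. It only reports; deleting anything is still a manual decision.

```powershell
# Added triage script (not from the thread). Lists executables in the drop
# locations named in the post and the common Run/Winlogon autostart values.
# Assumption: run elevated on the infected machine; default profile roots.

$systemNames = @('csrss.exe', 'lsass.exe', 'ctfmon.exe')
$legitDirs   = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# Folders the post names. Both the Vista+ and the XP layouts are tried;
# Test-Path below discards the ones that do not exist on this box.
$dirs = @($env:ProgramData, $env:SystemRoot,
          "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
$profileRoots = @("$env:SystemDrive\Users", "$env:SystemDrive\Documents and Settings")
$perProfile   = @('AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup',
                  'AppData\Local\Microsoft\Windows',
                  'Start Menu\Programs\Startup',
                  'Local Settings\Application Data\Microsoft\Windows')
foreach ($root in $profileRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { foreach ($sub in $perProfile) { $dirs += Join-Path $_.FullName $sub } }
}

$findings = foreach ($d in ($dirs | Select-Object -Unique)) {
    if (-not (Test-Path $d)) { continue }
    # Top level only: the post lists files dropped directly into these folders.
    Get-ChildItem -Path $d -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $reasons = @()
            if (($systemNames -contains $_.Name) -and ($legitDirs -notcontains $_.DirectoryName)) {
                $reasons += 'system-process name outside System32/SysWOW64'
            }
            if ($_.DirectoryName -like '*\Startup') { $reasons += 'executable in a Startup folder' }
            if ($_.DirectoryName -eq $env:ProgramData) { $reasons += 'exe directly in ProgramData' }
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
            if ($reasons.Count -gt 0) {
                New-Object PSObject -Property @{
                    Path    = $_.FullName
                    Written = $_.LastWriteTime
                    Reason  = ($reasons -join '; ')
                }
            }
        }
}

# Registry autostart values. Run/RunOnce are the usual persistence points;
# Winlogon\Shell is the value that decides what starts instead of explorer.exe,
# which is worth reading on a box where the desktop had to be started by hand.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$autoruns = foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                       # provider noise
        if ($k -like '*Winlogon' -and $p.Name -notin 'Shell','Userinit') { continue }
        New-Object PSObject -Property @{ Key = $k; Name = $p.Name; Command = $p.Value }
    }
}

"== Suspicious executables (newest first) =="
$findings | Sort-Object Written -Descending | Format-Table Written, Path, Reason -AutoSize
"== Autostart entries =="
$autoruns | Format-Table Key, Name, Command -AutoSize
```

Read the two tables together: an unsigned .exe written minutes before the lock screen first appeared, sitting in a Startup folder or ProgramData and referenced from a Run value or the Winlogon Shell value, is the entry to remove and the file to quarantine. Anything under System32 with a valid Microsoft signature is left alone. As the later replies note, System Restore alone does not clear the infection, so this check belongs after the restore, not instead of it.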

Thank you for the info. I did the manual System Restore, and then I went through the steps to clean the machine of the infected files. I could find nothing... is it possible that the System Restore to an earlier date deleted the malicious files?

> I could find nothing... is it possible that the System Restore to an earlier date deleted the malicious files?

System Restore does not remove the infection... it is not that easy.

If you need help, start your own topic and attach the requested logs: http://forum.avast.com/index.php?topic=53253.0

Here is a link with screenshot images showing how to remove the FBI MoneyPak virus using Malwarebytes Anti-Malware Free: http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/ . I used it on a customer's desktop computer two weeks ago. The program found the malware and removed it. Hope this will help you.

The ransom viruses nowadays tend to carry an MBR rootkit with them.