I've been fighting the FBI Moneypak virus (also masquerades as a fake Antivirus) for a while and it's gotten more complex as time goes on. Typically, it runs a program fullscreen and kills any programs that try to run, such as Task Manager, so you can't kill it. So the trick was to either remove it in Safe Mode (find the root .exe or disable all startup items in msconfig), or create a second user account and remove it from there with spyware/virus cleaner.
However, the latest one sets up some kind of script in Safe Mode to shut down & restart upon login. So the next step is to log into Safe Mode with Command Line, but the latest version of the FBI Moneypak virus applies a similar script and initiates a restart as soon as the command line loads, so basically you can't get into Windows at all. Very sneaky! The best solution I've used so far is the free Kaspersky Rescue CD. ISO is available here (just use ImgBurn to burn it to a blank CD, ~308 MB):
http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso
There is also a USB-bootable version here:
http://support.kaspersky.com/8092
Basic steps:
1. Set up CD or USB with rescue software
2. Boot up to rescue device and launch the rescue software
3. Get the latest software updates (I plugged in an Ethernet cable)
4. Scan & remove the virus
That took care of it for me. This is the first time I've run into a Moneypak-style virus that even cut out Safe Mode with Command Line...very tricky. Once you get into the desktop, do your typical CCleaner/Malwarebytes/Antivirus updates & scans. There are 3 places to check for leftovers -
Check for leftover virus remnants:
1. Startup folder (in Start Menu)
2. MSconfig.exe (check startup stuff)
3. Scheduled Tasks (Control Panel > Admin)
In MSconfig, you can usually find it by the weird name (like qlkjwerlkjchefsdf.exe in some random place like AppData). If you have trouble finding it, use the Everything Search program to find it, or do a *.exe search using Everything and sort by latest. Usually it's pretty easy to remove the Moneypak stuff by killing the executable, removing the timers, or temporarily disabling all of the startup items on the computer, but it's evolved to the point where I just wasn't able to get in without the help of an external boot tool. This is free & worked for the latest version I've had to deal with. HTH.
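Here is an added PowerShell script (not from the original post) that automates the three leftover checks above: it lists the Startup folders, the Run keys that msconfig's Startup tab reads, and Scheduled Tasks, and flags any entry that launches something from a user-writable location such as AppData or Temp. It assumes Windows 7 or later with PowerShell 3.0+, an English locale (for the schtasks column names), and an elevated prompt.

```powershell
# Added example, not from the original post. Enumerates the three
# persistence locations named above and flags entries that run from
# user-writable folders (AppData, Temp, ProgramData, Public).
# Assumes PowerShell 3.0+, English locale, run as Administrator.
$suspectPattern = 'AppData|\\Temp\\|ProgramData|\\Users\\Public'

function Test-SuspectPath {
    param([string]$Command)
    return [bool]($Command -match $suspectPattern)
}

$findings = @()

# 1. Startup folders (per-user and all-users)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name;
                                        Command = $_.FullName; Suspect = Test-SuspectPath $_.FullName }
    }
}

# 2. Run keys (what msconfig's Startup tab shows); Wow6432Node covers 32-bit apps on 64-bit Windows
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        # Skip the PS* metadata properties that Get-ItemProperty adds
        $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
            $findings += [pscustomobject]@{ Source = $key; Name = $_.Name;
                                            Command = $_.Value; Suspect = Test-SuspectPath $_.Value }
        }
    }
}

# 3. Scheduled Tasks via schtasks (works on Windows 7, where Get-ScheduledTask is unavailable).
# schtasks repeats its header row per task folder, so drop those pseudo-rows.
schtasks /query /fo CSV /v | ConvertFrom-Csv | Where-Object { $_.TaskName -ne 'TaskName' } | ForEach-Object {
    $findings += [pscustomobject]@{ Source = 'ScheduledTask'; Name = $_.TaskName;
                                    Command = $_.'Task To Run'; Suspect = Test-SuspectPath $_.'Task To Run' }
}

# Suspect entries first; review each before deleting anything
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

Entries marked Suspect are only candidates for review; plenty of legitimate updaters also run from AppData, so confirm the file with a scanner before removing it.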