Monday, July 9, 2012

FBI Moneypak virus removal

=======Manual Removal From experience=======

Main file location for the FBI virus:


C:\Users\"user"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"ctfmon.lnk" or "random"

C:\Users\"user"\AppData\Roaming\"random"

C:\Users\"user"\AppData\Local\"random"

C:\ProgramData\"random"


Names found for "random":

  1. Isass.exe
  2. yaaiwpoep.exe
  3. zuoby.exe
  4. ifgxpers.exe


Registry key location:

HKEY_USERS\S-1-5-21-3167221968-1021630806-270161164-1000\Software\Microsoft\Windows\CurrentVersion\Run\"random"

You might need to use HijackThis to end Isass.exe, then use Task Manager to kill it again.

After that, delete the files.


*This is from personal experience; the file could be named differently or located somewhere else.

================Manual Removal #1==============

Normal antivirus will not work; the virus must be removed manually.
** If you don't know what you are doing, don't delete anything
  1. Reboot the PC in Safe Mode with Networking
  2. Start Task Manager (Ctrl+Alt+Del)
  3. Find and end the process belonging to the scam malware
  4. Open Run
  5. Type regedit.exe
  6. Find and delete the following registry entries:
    1. HKEY_CLASSES_ROOT\personalSS.DocHostUIHandler
    2. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
    3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Insternet
  7. Remove malicious files from the following folders:
    1. C:\Users\"user name"\appdata\"random"\
    2. C:\Users\"user name"\appdata\"random"\"random".exe
    3. C:\Users\"user name"\appdata\"random"\"random".mof
    4. also check the other folders inside AppData for any random names
YouTube tutorials:
  1. http://www.youtube.com/watch?v=_gILhDFqm4I
  2. http://www.youtube.com/watch?v=VYjKMA9gprM&feature=player_embedded#!

================Manual Removal #2==============

1. Open the Windows Start Menu, type %appdata% into the search field and press Enter.
2. Navigate to: Microsoft\Windows\Start Menu\Programs\Startup
3. Remove ctfmon (ctfmon.lnk if in DOS); this is what's calling the virus on start-up. This is not ctfmon.exe.
4. Open the Windows Start Menu, type %userprofile% into the search field and press Enter.
5. Navigate to: Appdata\Local\Temp
6. Remove rool0_pk.exe
7. Remove the [random].mof file
8. Remove V.class
The virus can have names other than “rool0_pk.exe”, but it should look similar; there may also be 2 files, 1 being a .mof. Removing the .exe file will fix FBI Moneypak. The class file uses a Java vulnerability to install the virus; V.class is removed for good measure.
All FBI Moneypak Files:
The following files are what cause FBI Moneypak to function. To ensure FBI Moneypak is completely removed manually, please delete all of the given files. Keep in mind that [random] can be any sequence of numbers or letters.


  1. %Program Files%\FBI Moneypak Virus
  2. %AppData%\Protector-[rnd].exe
  3. %AppData%\Inspector-[rnd].exe
  4. %AppData%\vsdsrv32.exe
  5. %AppData%\result.db
  6. %AppData%\jork_0_typ_col.exe
  7. %appdata%\[random].exe
  8. %Windows%\system32\[random].exe
  9. %Documents and Settings%\[UserName]\Application Data\[random].exe
  10. %Documents and Settings%\[UserName]\Desktop\[random].lnk
  11. %Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
  12. %CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
  13. %Temp%\0_0u_l.exe
  14. %Temp%\[RANDOM].exe
  15. %StartupFolder%\wpbt0.dll
  16. %StartupFolder%\ctfmon.lnk
  17. %StartupFolder%\ch810.exe
  18. %UserProfile%\Desktop\FBI Moneypak Virus.lnk
  19. WARNING.txt
  20. V.class
  21. cconf.txt.enc
  22. tpl_0_c.exe
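Every location in the manual-removal sections and in the file list above is either a Startup-folder shortcut, a Run key, or an executable under the user-writable AppData, Temp or ProgramData folders. The script below is an added example, not code from the original post: it audits exactly those persistence points and lists running processes started from those folders, so the reader can confirm what to end and delete before touching anything. It assumes Windows 7 or later with PowerShell 3.0+, run in the profile of the affected user, and that the WScript.Shell COM object is available to resolve .lnk targets. It only reports; nothing is stopped or deleted.

```powershell
# Added example, not part of the original post: read-only audit of the
# persistence points the removal steps walk through by hand. Assumes
# Windows 7+ with PowerShell 3.0+, run as the affected user.

# User-writable folders that all of the post's file locations fall under.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) |
    Where-Object { $_ }

function Test-UserWritablePath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $Path = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($root in $suspectRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# The post's "Isass.exe" imitates lsass.exe with a capital I in place of the l;
# the real lsass.exe runs only from C:\Windows\System32, so the name anywhere
# else is a red flag.
function Test-LookalikeName {
    param([string]$Path)
    if (-not $Path) { return $false }
    return ([IO.Path]::GetFileName($Path) -ieq 'isass.exe')
}

function Get-ShortcutTarget {
    param([string]$LnkPath)
    $shell = New-Object -ComObject WScript.Shell
    try { return $shell.CreateShortcut($LnkPath).TargetPath } catch { return $null }
}

$findings = @()

# 1. Startup folders: the post's ctfmon.lnk is dropped here to launch the payload.
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue) {
        $target = if ($item.Extension -ieq '.lnk') { Get-ShortcutTarget $item.FullName } else { $item.FullName }
        $findings += [pscustomobject]@{
            Source  = "Startup\$($item.Name)"
            Target  = $target
            Suspect = (Test-UserWritablePath $target) -or (Test-LookalikeName $target) -or ($item.Name -ieq 'ctfmon.lnk')
        }
    }
}

# 2. Run keys. HKCU is the hive the post's HKEY_USERS\S-1-5-21-...-1000 path
#    names for the logged-on user.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider bookkeeping (PSPath etc.), not Run entries
        $cmd = [string]$p.Value
        # Strip arguments: take a quoted image path, otherwise the first token.
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
        $findings += [pscustomobject]@{
            Source  = "$key\$($p.Name)"
            Target  = $exe
            Suspect = (Test-UserWritablePath $exe) -or (Test-LookalikeName $exe)
        }
    }
}

# 3. Running processes whose image lives in one of the suspect folders.
foreach ($proc in Get-Process) {
    $path = $null
    try { $path = $proc.Path } catch { }   # access can be denied for some system processes
    if (-not $path) { continue }
    if ((Test-UserWritablePath $path) -or (Test-LookalikeName $path)) {
        $findings += [pscustomobject]@{ Source = "Process PID $($proc.Id)"; Target = $path; Suspect = $true }
    }
}

"Suspect entries (verify each before ending a process or deleting a file):"
$findings | Where-Object Suspect | Sort-Object Source | Format-Table -AutoSize
```

Legitimate per-user installers also run from AppData, so treat each hit as a lead rather than a verdict: a Startup shortcut whose target sits in Roaming or Local AppData, a Run value pointing at a random-looking name, and a process running from Temp together are the pattern the post describes. On a machine where the lock screen still blocks the desktop, the post's Safe Mode with Networking step is what gets you to a console to run this from.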



Kill the FBI Moneypak process:
Access Windows Task Manager (Ctrl+Alt+Delete) and kill the rogue FBI Moneypak process. Please note the infection will have a random name for the process [random], which may contain a sequence of numbers and letters (e.g. USYHEY347H372.exe).

Remove Registry Values
To access the Windows Registry Editor, type regedit into the Windows Start Menu text field and press Enter.

  1. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random].exe
  2. HKEY_LOCAL_MACHINE\SOFTWARE\FBI Moneypak Virus
  3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegistryTools’ = 0
  4. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system ‘EnableLUA’ = 0
  5. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ‘WarnOnHTTPSToHTTPRedirect’ = 0
  6. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegedit’ = 0
  7. HKEY_CURRENT_USER\Software\FBI Moneypak Virus
  8. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Inspector’
  9. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus
  10. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableTaskMgr’ = 0
  11. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
  12. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
  13. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
  14. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
  15. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
  16. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
  17. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
  18. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
  19. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
  20. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
  21. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
  22. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
  23. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
  24. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
  25. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
  26. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
  27. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
  28. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
  29. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
  30. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
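Two kinds of entry in the list above do more than persist the payload: the Policies\System values (DisableTaskMgr, DisableRegistryTools, EnableLUA, ConsentPromptBehavior*) switch off Task Manager, regedit and UAC, and the Image File Execution Options entries with a Debugger of svchost.exe make AAWTray.exe, AVCare.exe and AVENGINE.EXE start svchost.exe instead of the security tool. The script below is an added example, not code from the original post: it checks those values against their expected state and, with -Repair, puts the policy values back and removes the svchost.exe redirections. It assumes Windows 7 or later with PowerShell 3.0+ and an elevated prompt for the HKLM entries, and takes the Windows 7 defaults as expected values (EnableLUA=1, ConsentPromptBehaviorAdmin=5, ConsentPromptBehaviorUser=3, WarnOnHTTPSToHTTPRedirect=1, the Disable* policies absent or 0); a domain policy may legitimately set some of these differently, so compare the report with what your environment expects. Run it after the rogue process has been ended, as the post's order of steps already requires, or the process can simply set the values again.

```powershell
# Added example, not part of the original post: audit the policy values and
# IFEO Debugger entries from the list above, and optionally restore them.
# Assumes Windows 7+ with PowerShell 3.0+; HKLM changes need an elevated prompt.
# Expected values are the Windows 7 defaults (an assumption; adjust if your
# environment sets them by policy).

param([switch]$Repair)

$policyHKCU = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyHKLM = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ieSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ifeo       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

$expected = @(
    @{ Key = $policyHKCU; Name = 'DisableTaskMgr';             Expect = 0 },
    @{ Key = $policyHKCU; Name = 'DisableRegistryTools';       Expect = 0 },
    @{ Key = $policyHKLM; Name = 'EnableLUA';                  Expect = 1 },
    @{ Key = $policyHKLM; Name = 'ConsentPromptBehaviorAdmin'; Expect = 5 },
    @{ Key = $policyHKLM; Name = 'ConsentPromptBehaviorUser';  Expect = 3 },
    @{ Key = $ieSettings; Name = 'WarnOnHTTPSToHTTPRedirect';  Expect = 1 }
)

function Get-PolicyDrift {
    $drift = @()
    foreach ($e in $expected) {
        $actual = $null
        if (Test-Path $e.Key) {
            $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        # An absent "Disable*" value is the normal state; absence of the others is not.
        if ($null -eq $actual -and $e.Expect -eq 0) { continue }
        if ($actual -ne $e.Expect) {
            $drift += [pscustomobject]@{ Key = $e.Key; Name = $e.Name; Actual = $actual; Expected = $e.Expect }
        }
    }
    return $drift
}

# A Debugger value under IFEO runs the named program through something else.
# The post's pattern is security tools pointed at svchost.exe, so launching
# them starts nothing useful; that is what the Hijack column flags.
function Get-IfeoDebuggers {
    $hits = @()
    foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $hits += [pscustomobject]@{
                Image    = $sub.PSChildName
                Debugger = $dbg
                Hijack   = [bool]($dbg -match '(?i)svchost\.exe')
            }
        }
    }
    return $hits
}

$drift   = Get-PolicyDrift
$hijacks = Get-IfeoDebuggers

"Policy values that differ from the expected defaults:"
$drift | Format-Table -AutoSize
"IFEO entries carrying a Debugger value (Hijack = points at svchost.exe):"
$hijacks | Format-Table -AutoSize

if ($Repair) {
    foreach ($d in $drift) {
        if (-not (Test-Path $d.Key)) { New-Item -Path $d.Key -Force | Out-Null }
        Set-ItemProperty -Path $d.Key -Name $d.Name -Value $d.Expected -Type DWord
    }
    # Only the svchost.exe redirections are removed; any other Debugger value
    # may be a developer's real debugger and is left for manual review.
    foreach ($h in ($hijacks | Where-Object Hijack)) {
        Remove-ItemProperty -Path (Join-Path $ifeo $h.Image) -Name Debugger
    }
}
```

Save it under a name of your choosing (audit-policies.ps1 is used here only as an illustration) and run it once without arguments to see the report, then with -Repair from an elevated prompt. A second run without -Repair should then print empty tables; if DisableTaskMgr or EnableLUA come back changed, the process that sets them is still running and the post's Task Manager step has not yet succeeded.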

sources: