Wednesday, September 19, 2012

How I Removed the Fake FBI MoneyPak Scam Malware from Windows XP

For those unfamiliar, the FBI MoneyPak scam is a ransomware infection that has been making the rounds recently. The malware locks the infected computer and displays a message, purportedly from the FBI, stating that you are guilty of illegal downloads and could be fined or jailed for the infraction. The message goes on to say that you need to pay money via MoneyPak to get your computer unlocked. It should go without saying that this message is a fraud and you should not pay any money.

As the malware prevents you from accessing Windows, the average computer user will not be able to remove the infection. We recommend that you take the computer to your local computer repair shop for remediation.

As there are a couple of variants of this infection, and different computer setups can provide special challenges to removal, here is the story of how I was able to remove the infection from a computer in our shop:

This malware presented itself as a white screen with the words "page is loading. please wait this may take up to 30 seconds." There was no way to get around this screen to run anti-malware software.

Complicating matters was the fact that I only had a domain login, not a local administrator login. This prevented me from accessing Safe Mode with Command Prompt. If I had been able to get to the command prompt, I may have been able to start the Explorer process and/or access the registry without removing the hard drive. As it was, I had to jump through a few hoops to remove the infection.

If you should find yourself in a similar situation, here's what I did to fix the problem:

  • I removed the infected hard drive from the computer and connected it to another computer using a USB adapter.
  • Using regedit on the main computer, I loaded the HKLM hive from the infected hard drive and navigated to \Software\Microsoft\Windows\CurrentVersion\Run. I found a reference to a program whose name was a collection of random numbers/letters and deleted it.
  • I unloaded that hive and loaded the hive for the current user account (for the login I had). I navigated to Software\Microsoft\Windows\CurrentVersion\Run and deleted another entry referencing a program whose name was a collection of random numbers/letters.
  • I then navigated to Software\Microsoft\Windows\CurrentVersion\Policies\System and deleted the value "DisableTaskMgr".
  • I then navigated to Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and deleted the value "NoDesktop."
  • After unloading the hive, I navigated the file system, checking the Startup folder, %SystemRoot%\temp and the \Application Data folder and deleted programs whose names were a random collection of numbers/letters.
  • I then reinstalled the hard drive and was able to run ComboFix to remove the remnants of the infection.
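The same inspection, done from the clean "main computer" with the infected drive attached offline, can be scripted so that nothing is deleted until a person has looked at the report. The script below is an added example, not code from the original post: it loads the offline HKLM software hive and the user's NTUSER.DAT with `reg.exe load`, lists Run-key values and files in the folders the post checked whose names look like random strings of letters and digits, and reports whether the `DisableTaskMgr` and `NoDesktop` policy values are set. The drive letter, the Windows XP hive and profile paths, the `INFECTED_USER_PLACEHOLDER` profile name and the "random-looking name" heuristic are all assumptions made for this example; it must run from an elevated prompt because `reg.exe load` requires it.

```powershell
<#
 Added example (not the original post's code). Inspect an infected drive's
 registry hives and startup folders from a clean machine, report only by
 default, and delete reported registry values only when -Remove is given.
 Assumed: drive mounted as $Drive, Windows XP layout, $UserName is a
 placeholder for the affected profile folder, prompt is elevated.
#>
param(
    [string]$Drive = 'E:',
    [string]$UserName = 'INFECTED_USER_PLACEHOLDER',
    [switch]$Remove
)

# Heuristic (an assumption of this example) for the "collection of random
# numbers/letters" names in the post: an alphanumeric base name of 7+ chars
# with no vowels, or letters and digits interleaved ("rundll32" is not flagged).
function Test-RandomLookingName {
    param([string]$Text)
    $s = ($Text -replace '"', '').Trim()
    # reduce a command line such as "C:\dir\xk3j9d2q.exe" /s to its base name
    if ($s -match '([^\\/:".]+)\.(exe|scr|com|dll|bat)\b') { $s = $Matches[1] }
    if ($s.Length -lt 7 -or $s -notmatch '^[A-Za-z0-9]+$') { return $false }
    $noVowels    = $s -notmatch '[AEIOUaeiou]'
    $interleaved = ($s -match '\d') -and ($s -match '[A-Za-z]') -and ($s -notmatch '^[A-Za-z]+\d+$')
    return ($noVowels -or $interleaved)
}

# Run-key values whose name or command line looks random.
function Get-SuspiciousRunEntries {
    param([string]$RunKey)   # provider path, e.g. HKLM:\OfflineSW\...\Run
    $key = Get-Item -LiteralPath $RunKey -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ((Test-RandomLookingName $name) -or (Test-RandomLookingName $data)) {
            [pscustomobject]@{ Where = $RunKey; Name = $name; Data = $data }
        }
    }
    $key.Close()
}

# The two lockout policy values the post deleted from the user hive.
function Get-LockoutPolicyValues {
    param([string]$PoliciesRoot)
    foreach ($c in @(@{Sub='System'; Value='DisableTaskMgr'}, @{Sub='Explorer'; Value='NoDesktop'})) {
        $p = "$PoliciesRoot\$($c.Sub)"
        $v = (Get-ItemProperty -LiteralPath $p -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        if ($null -ne $v -and $v -ne 0) {
            [pscustomobject]@{ Where = $p; Name = $c.Value; Data = $v }
        }
    }
}

# Random-named executables in the folders the post checked on disk (report only).
function Get-SuspiciousFiles {
    param([string]$Drive, [string]$UserName)
    $profileDir = Join-Path $Drive "Documents and Settings\$UserName"
    $folders = @(
        (Join-Path $profileDir 'Start Menu\Programs\Startup'),
        (Join-Path $Drive 'WINDOWS\temp'),
        (Join-Path $profileDir 'Application Data')
    )
    Get-ChildItem -LiteralPath $folders -File -Recurse -Include *.exe,*.scr,*.dll -ErrorAction SilentlyContinue |
        Where-Object { Test-RandomLookingName $_.Name } |
        ForEach-Object { [pscustomobject]@{ Where = $_.DirectoryName; Name = $_.Name; Data = "$($_.Length) bytes" } }
}

$softwareHive = Join-Path $Drive 'WINDOWS\system32\config\software'
$userHive     = Join-Path $Drive "Documents and Settings\$UserName\NTUSER.DAT"

# Mount both hives under temporary names. The software hive's root is what the
# post calls HKLM\Software, so its Run key sits directly under OfflineSW.
& reg.exe load HKLM\OfflineSW $softwareHive | Out-Null
& reg.exe load HKU\OfflineUser $userHive | Out-Null
try {
    $userRoot = 'Registry::HKEY_USERS\OfflineUser\Software\Microsoft\Windows\CurrentVersion'
    $findings = @(
        Get-SuspiciousRunEntries 'HKLM:\OfflineSW\Microsoft\Windows\CurrentVersion\Run'
        Get-SuspiciousRunEntries "$userRoot\Run"
        Get-LockoutPolicyValues  "$userRoot\Policies"
    )
    $findings | Format-Table -AutoSize | Out-String | Write-Host
    Get-SuspiciousFiles -Drive $Drive -UserName $UserName | Format-Table -AutoSize | Out-String | Write-Host
    if ($Remove) {
        foreach ($f in $findings) {
            Remove-ItemProperty -LiteralPath $f.Where -Name $f.Name -Verbose
        }
    }
}
finally {
    [GC]::Collect()   # drop open key handles so reg.exe can unload the hives
    & reg.exe unload HKLM\OfflineSW  | Out-Null
    & reg.exe unload HKU\OfflineUser | Out-Null
}
```

Run it once without `-Remove`, confirm that every reported Run value and file is the unknown random-named program rather than a legitimate updater the heuristic happened to catch, and only then rerun with `-Remove` (or delete the entries by hand in regedit as the post does). The `finally` block unloads the hives even if a step fails, which matters because a hive left loaded cannot be written back to the drive cleanly.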
