FBI moneypac/Ransom removal



Just got in a laptop with the Ransom virus, also known as the FBI MoneyPak virus. Anyway, this is on an Acer laptop, Win 8. It will not load into safe mode. It will load into the setup and allow me to switch the boot order but will not read the restore disk. I tried many things but this one has me stumped. Anyone have ideas that could help? Please. Thanks.


Hi Chuck. How have you been? It's been a long time. This system I believe is running 32-bit. I see by the restore disks this system is running Windows 7 Home and not 8 like the customer said. When started, the screen has 2 options: setup and boot. Through the setup utility I can change the boot order, but whatever I choose it will not allow it to read, e.g. boot through CD-ROM or USB or even an external CD-ROM. F8 is no option; it will not boot into safe mode.

Thanks for your help.

Earl.


Assmar, thanks for that info! The FBI virus is a tough one to remove; some have not had much luck removing this from their computers & have had to just restore it to factory conditions, which means the user will lose all data & pics!! In case you have to go that route, here's a link for doing that >>> http://en.kioskea.net/faq/2040-acer-pc-restore-to-factory-settings

That is the easiest route & the one I usually recommend!!!

 

Now if you want to try & remove it, I will help with all the notes I have & by talking to other malware helpers!!

These are very complicated removal procedures, so pay close attention:

 

 

You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer >>> http://noahdfear.net/downloads/GETxPUD.exe

    * Run GETxPUD.exe
    * A new folder will appear on the desktop.
    * Open the GETxPUD folder and click on the get&burn.bat
    * The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
    * Click on Start and follow the prompts to burn the image to a CD.
    * Next download driver.sh to your USB drive >>> http://noahdfear.net/downloads/driver.sh
    * Also download Query.exe >>> http://noahdfear.net/downloads/query.exe <<< and rst.sh >>> http://noahdfear.net/downloads/rst.sh <<< to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
    * Remove the USB & CD and insert them in the sick computer
    * Boot the sick computer with the CD you just burned
    * The computer must be set to boot from the CD
    * In some computers you need to tap F12 and choose to boot from the CD; in others it is the Esc key. Please consult your computer's documentation.
    * Follow the prompts
    * A Welcome to xPUD screen will appear
    * Press File
      Expand mnt
      sda1,2... usually corresponds to your HDD
      sdb1 is likely your USB
    * Click on the folder that represents your USB drive (sdb1?)
      Confirm that you see driver.sh that you downloaded there
    * Press Tool at the top
    * Choose Open Terminal
    * Type bash driver.sh
    * Press Enter
      After it has finished a report will be located on your USB drive named report.txt
    * Type bash rst.sh
      After it has finished a report will be located in the USB drive (sdb1) named enum.log
    * Then type bash driver.sh -af
    * Press Enter
      You will be prompted to input a filename.
    * Type the following:

      Winlogon.exe

    * Press Enter
      If successful, the script will search for this file.
      After it has completed the search enter the next file to be searched
    * Type the following:

      volsnap.sys

    * Press Enter
      If successful, the script will search for this file.
      After it has completed the search enter the next file to be searched
    * Type the following:

      explorer.exe

    * Press Enter
      After it has completed the search enter the next file to be searched
    * Type the following:

      Userinit.exe

    * Press Enter
      After the search is completed type Exit and press Enter.
      After it has finished a report will be located in the USB drive as filefind.txt
    * While still in the Open Terminal, type bash query.sh
    * Press Enter
      After it has finished a report will be located in the USB drive as RegReport.txt
    * Then type dd if=/dev/sda of=mbr.txt bs=512 count=1

      Leave a space between the following statements:

      dd is the executable application used to create the backup
      if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
      of=mbr.txt is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
      bs=512 is the number of bytes in the backup
      count=1 says to backup just 1 sector

      It is extremely important that the if and of statements are correctly entered.

    * Press Enter
      After it has finished a report will be located in the USB drive as mbr.txt
    * Plug the USB back into the clean computer. Post the contents of the report.txt, enum.log, filefind.txt and RegReport.txt in your next reply. The mbr.txt file must be attached to your reply as it is a hex file.
Chuck
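As an added illustration (not code from the thread or from the xPUD tools above), the 512-byte mbr.txt that the dd command captures can be inspected offline on the clean computer. This Python script checks the 55AA boot signature, lists the partition table, and hashes the boot-code region so it can be compared against the MBR of a clean Windows install; the sector it builds for demonstration is constructed, not a real disk image.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # bytes 0-445 are boot loader code
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # must sit at bytes 510-511


def parse_mbr(mbr: bytes) -> dict:
    """Parse one raw 512-byte MBR sector (the output of dd ... bs=512 count=1)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status, (3 CHS bytes skipped), type, (3 CHS bytes skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # unused slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": mbr[510:512] == BOOT_SIGNATURE,
        # hash of the boot code only, so it can be compared with a clean machine's MBR
        "bootcode_sha256": hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_bootcode_sha256: str = "") -> list:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 55AA missing: sector is damaged or not an MBR")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged active (0x80)")
    if baseline_bootcode_sha256 and info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("boot code differs from the known-good baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample (not a real disk): Windows-style layout with two NTFS partitions."""
    bootcode = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x00" * (PART_TABLE_OFFSET - 4)
    active = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)     # System Reserved, active
    system = struct.pack("<B3xB3xII", 0x00, 0x07, 206848, 1000000)  # C: volume
    table = active + system + b"\x00" * (2 * PART_ENTRY_SIZE)
    return bootcode + table + BOOT_SIGNATURE
```

For a real capture, call check_mbr(open("mbr.txt", "rb").read(), baseline) where baseline is the bootcode_sha256 taken from a known-clean machine running the same Windows version.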

 

 


Thanks Chuck. I'll give it a try. I'm not sure if it will work and I will have to replace the HD. When I tried to do a restore with the disks, it would not read the disks. I have the boot order set to #1. I'll try what you sent. I'll let you know what happens.

Thanks again.

Earl.


I would try the restore to factory settings that I posted if you're thinking of changing the hard drive!!

 

Here are the standard Acer Recovery instructions:

1. Power on the machine
2. At the white ACER BIOS screen, hold the "Alt" key and press the "F10" key simultaneously to start Acer eRecovery
3. Once eRecovery has loaded, click "Restore to Factory Default Settings"
4. Click "OK" to continue
5. From here, the eRecovery process will update all the data on the C: drive and restore a fully functional factory image (approximately 10 minutes).
6. Once eRecovery has run, press "OK" to reboot the unit

 

Let me know how things go!!

 

Chuck
