Jump to content

My experience with FBI Moneypak

Recommended Posts

I'm hoping the following will help someone. As I sure was helped quite a bit by the content of these forums. Admins, please move this topic to the correct forum if need be.

Like so many people, I was hit by the FBI Moneypak malware. Within a second of signing on my Windows account, the malware's splashscreen would appear and overtake the computer. Note that I was able to boot my Windows 7 box in safe move with networking. That allowed me to download all necessary tools. And I knew the date of the infection. However, no system restore (doh!)

Here's what I understand about the structure of the malware program as determined through the following steps done in safe-mode.

Malwarebytes, through full scans, could identify and remove the following two files and one directory:

  • Trojan.Ransom.FGen File C:\User\username\AppData\Roaming\hellomoto\TujP.dat
  • Trojan.Ransom.FGen File C:\User\username\AppData\Roaming\hellomoto
  • Trojan.Ransom.FGen File C:\User\username\AppData\Roaming\hellomoto\BukF.dat

However, upon restarting in normal mode, the directory would be recreated and the problem resurface. So clearly the real trojan program was still at large. At this point, aswMBR, plus a full virus definition download, found an issue with:

  • AppData\Local\Microsoft\Windows\1700 (dir)
  • AppData\Local\Microsoft\Windows\1700\8a303b3c
  • AppData\Local\Microsoft\Windows\1700\xwizard.exe

The "date created" column of Windows Explorer was in line with the time/date of infection. Those files were deleted.

Finally, Autoruns showed that this 'xwizard' executable was being run at startup, thereby closing the loop (hopefuly) on how this was all chained together. That startup command was deleted as well. I've been running in normal mode for an hour now without the problem resurfacing and subsequent Malwarebytes scans have come up clean.

For what it's worth, McAfee VirusScan Ent. 8.8, Avg 2013 Free, BitDefender online scan and TDSSkiller did not pick up anything on the infected machine. Trend Micro House Call and ESET did pickup on various things, but I'm afraid I didn't take notes on the specifics. I understand these malware tend to evolve and change, so your mileage may vary. Good luck.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.