
{SOLVED} ICE MoneyPak (GREEN DOT) Removal



Guest LilBambi

I had an interesting time with a computer yesterday.

 

From what he told me (not much), it sounded like the FBI MoneyPak, and he got it from a legitimate site (he called the institution and they confirmed it had been hacked and is now fixed, BTW).

 

Apparently it was not the FBI one. I downloaded and created a bootable USB drive with HitManPro on it, and it would boot but the keyboard wouldn't work. So I used Trinity Rescue CD to remove all the temporary files from all locations.

 

But it turns out it was ICE MoneyPak, or something very similar to this MoneyPak GreenDot thing:

 

[Image: ice-computer-blocked-moneypak-virus.jpg]

 

Removing all the files from the temporary spaces left the machine at a black screen, but it appeared to be an overlay, not a true black screen, with a command-line box on top saying that the 20someoddletter.exe file was not a valid executable or batch file.

 

I edited regedit to find that random filename and removed it from the registry several times, along with another item that kept coming back in the registry like a bad penny when I rebooted or refreshed the registry. So I knew there was something else there.

 

I called Malwarebytes from the command-line box and it updated, ran and found three additional items noted in the log file and nothing else:

 

Registry Values Detected: 1
HKCU\Software\Microsoft\Windows NT\CurrentVersion\WinlogoN|Shell (PUM.Shell.CMD) -> Data: cmd.exe -> Quarantined and deleted successfully.

Files Detected: 2
C:\Users\{USER}\Templates\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.
C:\ProgramData\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.

 

Malwarebytes took care of them and when I rebooted, it booted fine.

 

I then ran the current JRT file and ran Malwarebytes Anti-Malware scans twice more over the course of the time I was updating the computer and they were all clean.

 

NOTE: Part of the problem appears, as usual, to be that the computer didn't have its Windows 7 SP1 update and wasn't offering it either! The ONLY driver that needed updating was the Intel Video driver, which I installed from the driver update button in Hardware Device Drivers. Then I downloaded the x64 SP1 (900+MB file, thankfully on their fast Cox Cable connection) and installed it after disabling their (Groan!) McAfee Security Suite's realtime detection till a reboot.

 

I then got all the updates to all internet facing programs (plugins, extensions, browsers, etc.) and the computer seems to be doing fine now. Nothing else was found with scans.

 

When I got home, I found this: The ICE Cyber Crimes Center (Computer Blocked) - MoneyPak Virus - PCRisk.com (noted as a good site on WOT):

 

The ICE Cyber Crimes Center message which locks the computer user's screen and asks to pay a fine of $400 for some law violations is a scam. This message has nothing to do with U.S. Immigration and Customs Enforcement; it was created by cyber criminals who are hoping that unsuspecting PC users would believe the false statements (accusations of watching pornography, using copyrighted files, usage of unlicensed software) made in this message and would pay them the non-existent fine. Notice that in reality none of the authorities (including the ICE Cyber Crimes Center) use such messages which lock a PC user's screen to collect fines for any law violations. This fake message is called ransomware and this particular infection originates from a family called Reveton.

 

What makes ransomware infections especially rogue is the fact that they come localised - computer users from different countries will see different fake messages which exploit graphics and names of local authorities. This particular ransomware is targeted at computer users from the USA; however, if a PC user from Australia got infected with this virus, the same message would appear as if it came from the Australian Federal Police (AFP). Computer users shouldn't trust any of the messages which supposedly come from local authorities and ask to pay a fine to unblock one's PC - it's a scam, and paying the fine when asked by such a message equals sending your money to cyber criminals.

 

...

 

The ICE Cyber Crimes Center virus is being distributed using Trojans and drive-by downloads. Computer users should be very careful when using P2P networks, social networks and when downloading software updates from non-legitimate sources. To prevent ransomware infiltrations one should keep the operating system and all of the installed software (Flash, Java, etc.) up-to-date. Furthermore, one should always use legitimate antivirus and anti-spyware software. If you already see a message from "The ICE Cyber Crimes Center" asking you to pay a fine of $400 using MoneyPak - ignore it and proceed with the provided removal steps.

 

This one on this guy's computer was set at $100 instead of the $400 noted at the site.

 

Thankfully between Trinity Rescue CD, cautious Registry search/editing, and Malwarebytes Anti-malware and JRT, AND most important for the future health of the PC, Win7 SP1, IE10 installation since he uses Internet Explorer and MSN, and subsequent updates, updates to the other plugins, extensions, browsers, etc.

 

So, I think I can call this SOLVED. Any other thoughts?

 

:blissysmile: :blissysmile:

:blissysmile:

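Added example, not code from this thread or from Malwarebytes: a PowerShell audit for the two things the MBAM log above flagged, a hijacked Winlogon Shell value (PUM.Shell.CMD) and hex-named, extensionless drop files in ProgramData and the user's Templates folder. It assumes an elevated session on the affected user's account; the expected Shell/Userinit defaults are the stock Windows values, and the eight-hex-character filename pattern is generalised from the single 2433f433 entry in the log.

```powershell
# Added example, not code from the thread or from Malwarebytes.
# Audits the persistence mechanism MBAM flagged (PUM.Shell.CMD): a Winlogon
# "Shell" value pointing at something other than explorer.exe, which makes the
# lock screen load instead of the desktop. Also lists hex-named, extensionless
# files in the two drop locations from the log. Run elevated on the affected account.

$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Stock Windows defaults; only the HKLM copies of these values should exist.
$ExpectedValues = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
}

function Test-WinlogonShell {
    $findings = @()
    foreach ($key in $WinlogonKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $ExpectedValues.Keys) {
            $value = $props.$name
            if ($null -eq $value) { continue }
            # Any Shell/Userinit under HKCU is a per-user override (what MBAM
            # removed above); under HKLM the value must match the default.
            # -ne on strings is case-insensitive in PowerShell.
            if ($key -like 'HKCU:*' -or $value -ne $ExpectedValues[$name]) {
                $findings += New-Object PSObject -Property @{
                    Key = $key; Name = $name; Value = $value
                }
            }
        }
    }
    return $findings
}

function Find-SuspectDropFiles {
    # Matches names like 2433f433 from the log: eight hex characters, no extension.
    $dirs = @($env:ProgramData, [Environment]::GetFolderPath('Templates'))
    Get-ChildItem -Path $dirs -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match '^[0-9a-f]{8}$' }
}

Test-WinlogonShell | Format-Table Key, Name, Value -AutoSize
Find-SuspectDropFiles | Select-Object FullName, Length, LastWriteTime
```

An empty result from both functions is the clean case; a Shell value of cmd.exe, as in the log above, shows up in the first table.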

Fran, I assume that, if infected, a user could also restore a good Acronis disk image (assuming one was made) and be completely cured. True?


Guest LilBambi

Absolutely true.

 

Of course, then you would also have to restore your daily backups to get fully up to date, but definitely a great choice.

 

But it wasn't needed in this case.


Guest LilBambi

Plus we couldn't get in to the computer at all, so I couldn't verify that his backups had been running - when I asked he wasn't sure whether they were or not. ;)

 

After we got back in, all was well with the backups and it would have worked fine.

 

But in this particular case, since these MoneyPak things are removable generally, I thought it was better to try to get rid of the bugger than worry about whether things were doing what they were supposed to since he couldn't remember.


Seeing as how you discovered he didn't have the SP installed, who knows what would have been in the daily backups. I agree that in this situation getting the computer clean -- at least to the extent that you could check with MBAM, etc. -- was the best move.


Guest LilBambi

Seeing as how you discovered he didn't have the SP installed, who knows what would have been in the daily backups. I agree that in this situation getting the computer clean -- at least to the extent that you could check with MBAM, etc. -- was the best move.

 

That is very true. I feel more confident that the computer will now get its future updates and that the drivers are updated as well as the other things.

 

I also got him to run CCleaner at the end of his daily browsing, after he closes his browser.


As long as he knows not to check the Advanced options or Memory Dumps in case help from Sysnative is needed. ;)


Guest LilBambi

As long as he knows not to check the Advanced options or Memory Dumps in case help from Sysnative is needed. ;)

 

Excellent point.
