Please help remove Moneypak/FBI ransomware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by craaber, Jul 4, 2012.

  1. craaber

    craaber Private E-2

    My PC is infected with the Moneypak/FBI ransomware - it puts up a fake FBI screen with my IP address and takes control of my camera. It says I can pay $100 at several different stores to "unlock" my machine.

    I have a Sony VGN-FW laptop running Win7 (64-Bit).
    I had a malware issue about 8 years ago - and got help here.

    I followed the Malware Removal Guide steps for Win7 and have attached my logs. I ran these steps in safe mode with networking. When I log back on to Win7 normally (with an internet connection) I get the same "FBI" ransom screen.

    Hope everyone is enjoying their Independence Day. When someone has a chance - help would be much appreciated.

    Thanks.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, craaber :)

    Open RogueKiller.
    • Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    • When it opens, press the Scan button.
    • Once the scan has completed, press the Delete button.
    • When it is finished, there will be a log on your desktop called: RKreport[2].txt
    • Attach RKreport[2].txt to your next message. (How to attach)

    Now delete this file: C:\Users\craab\AppData\Local\Temp\0_0u_l.exe

    Reviewing the rest of your logs now.
     
  3. thisisu

    thisisu Malware Consultant

    Once you have finished with the above you can proceed with these steps:

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

    O4 - Startup: ctfmon.lnk = C:\Windows\System32\rundll32.exe

    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    __

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 31

    __

    The rest of your logs look fine.
    Let me know what malware related problems you are experiencing after you have completed these steps.
     
  4. craaber

    craaber Private E-2

    Ok - I ran Rogue Killer again - deleted what came up and have attached the log. I'm working on completing your instruction from your second post now...
     

    Attached Files:

  5. craaber

    craaber Private E-2

    Ok - I followed your instructions per below, but I did not get the O4 line you mention in the scan results. I checked carefully.
    I did remove the Java updater you told me to.

    What should I do now?
    Thanks!
     
    Last edited by a moderator: Jul 5, 2012
  6. thisisu

    thisisu Malware Consultant

    It looks like RogueKiller deleted the O4 entry we see in HJT too, so that's good. I just wanted to make sure it was gone.
    Did you delete this file? C:\Users\craab\AppData\Local\Temp\0_0u_l.exe

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Let me know what problems persist after you have completed this step.
     
    Last edited: Jul 5, 2012
  7. craaber

    craaber Private E-2

    I did find and delete this: C:\Users\craab\AppData\Local\Temp\0_0u_l.exe

    Following the second half of your instructions now - will post logs shortly.
     
  9. craaber

    craaber Private E-2

    Ok - new MGlogs.zip attached...
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

    • O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    __

    Other than the above, your latest logs look fine. Experiment with the PC a bit. I can see you were in Normal Mode last time you ran MGtools (GetLogs.bat) so that's good.
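    As an added example, not thisisu's or MajorGeeks' code: a small Python triage of HijackThis-style log lines in the format quoted in this thread, flagging the two patterns fixed here, a Startup shortcut (ctfmon.lnk) that launches rundll32.exe with no payload, and a BHO registered with "(no file)". The sample log is constructed; Example.lnk, updater.lnk and the Temp path in it are hypothetical.

```python
import re

# Entry patterns for the two HijackThis line types quoted in this thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<lnk>.+?\.lnk) = (?P<target>.*)$")
# Split a shortcut target into the executable path and optional trailing arguments.
TARGET_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr))(?:\s+(?P<args>\S.*))?$", re.IGNORECASE)

# DLL/script host processes: a Startup shortcut that runs one of these with no
# payload argument does nothing legitimate (a real ctfmon.lnk targets ctfmon.exe).
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed sample: the two entries flagged in this thread plus two hypothetical
# neighbours (one benign, one launching from a Temp directory like the dropped file).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - Startup: ctfmon.lnk = C:\Windows\System32\rundll32.exe
O4 - Startup: Example.lnk = C:\Program Files\Example\example.exe
O4 - Startup: updater.lnk = C:\Users\example\AppData\Local\Temp\updater.exe
"""

def triage_line(line):
    """Return ('fix' | 'review' | 'ok', reason) for an O2/O4 entry, or None for other lines."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        if m.group("path") == "(no file)":
            return ("fix", f"orphaned BHO {m.group('clsid')}: registered but no DLL on disk")
        return ("ok", f"BHO {m.group('name')} backed by {m.group('path')}")
    m = O4_RE.match(line)
    if m:
        t = TARGET_RE.match(m.group("target"))
        path = t.group("path") if t else m.group("target")
        args = (t.group("args") or "") if t else ""
        exe = re.split(r"[\\/]", path)[-1].lower()
        lnk = m.group("lnk")
        if exe in HOST_PROCESSES and not args:
            return ("fix", f"{lnk} launches host process {exe} with no payload argument")
        if "\\temp\\" in path.lower():
            return ("fix", f"{lnk} starts an executable from a Temp directory")
        if exe in HOST_PROCESSES:
            return ("review", f"{lnk} launches {exe} with arguments: {args}")
        return ("ok", f"{lnk} -> {path}")
    return None

def lines_to_fix(log_text):
    """Return the HJT lines a reviewer would tick for Fix, in log order."""
    verdicts = ((ln.strip(), triage_line(ln)) for ln in log_text.splitlines())
    return [ln for ln, v in verdicts if v and v[0] == "fix"]
```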
     
  11. craaber

    craaber Private E-2

    Ok - I'll do that this afternoon.

    Yes I was in normal mode and the PC seems to be ok - no ransom screen.
    Do you need me to post any more logs after scanning and "fixing" that line?

    I appreciate the help!
     
  12. thisisu

    thisisu Malware Consultant

    Yes if you could run GetLogs.bat once again after you fix that line so I can make sure that entry is gone that would be fine ;)
     
  13. craaber

    craaber Private E-2

    Ok - here's the latest log:
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    Looks like it was removed successfully :)

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
