Video Screencast Help

FBI Moneypak virus corrupting the profiles on our server

Created: 09 Sep 2012 | 15 comments


This is my first post so, forgive me for any missing information, I will try to clear anything up as best as I can.

We, as an organization are using windows xp Pro and Symantec Endpoint Protection Version 11.0.7000.975 and recently we have been getting the dreaded FBI Moneypak virus on 2 computers.  I've done some research and found ways listed to remove the virus, (regedit, delete certain files on the infected computer etc.)  But, the current version of the virus will still lock up the pc, not only when logging in as the main, probably infected, user but also as administrator, as well as all of the safe modes. So I cannot open any of the utilies that I would normally use.  What's more, is if I log in as the infected user, (Let's call him patient 0, it sounds creepy and zombie-esque) in any other computers, now that computer is infected.  So, while I still have to reformat the computer, because I can't do anything, I also have to rebuild patient 0's profile.  Because logging in as him will just bring the virus back.

It's really very infuriating. 

Now, here's my question, or maybe my list of questions:

Does anyone know exactly which files in the profile this particular virus is using?

Is there a way to remove the virus, or at least be able to work find and delete infected files while the computer is locked up?

Is there any way to find out which websites and infecting us?

Any help is truely appreciated. 

Comments 15 CommentsJump to latest comment

cus000's picture


you my try suggested SERT.... it can run via USB or Media drive.. or maybe you already tried this?

Fabiano.Pessoa's picture


You can enter in safe mode?
If you answered yes I'll go step by step how to get rid of it manually

Fabiano Pessoa

Systems Analyst - Forensic Expert

Moonbill1's picture

N safe can't do anything, Internet will not come up do I can download removal tools help

pete_4u2002's picture

open a support ticket for identifying the suspicious file residing on the affected machine.

the removal toll will help , however its better to scan in safe mode.Do you know the threat name and based on that you can download the removal tool.

Ashish-Sharma's picture


You can run this tool on safemode with networking.

Thanks In Advance

Ashish Sharma

Fabiano.Pessoa's picture


Killing processes ROGUE_NAME:
[Random] exe.

Delete files from the FBI Moneypak:
%% Documents and Settings \ All Users \ Application Data \ [random] \ [random] exe.
%% Documents and Settings \ All Users \ Application Data \ [random] \ [random]. Mof

Remove entries FBI Moneypak record:
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System "DisableRegistryTools" = 0
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System "DisableTaskMgr" = 0
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System "ConsentPromptBehaviorAdmin" = 0
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System "ConsentPromptBehaviorUser" = 0
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System "EnableLUA" = 0


Fabiano Pessoa

Systems Analyst - Forensic Expert

Fabiano.Pessoa's picture

There are other versions of the virus FBI.
One of the most annoying allows safe mode with command prompt only. This means that you can do very little, but you can repair your PC from it.
To repair your PC, do the following:
One. Reboot, press F8.

2nd. Choose Safe Mode with Command Prompt

3rd. run explorer.exe

4th. Run regedit

5th. Search all instances shell variable .. It should be under the tree WinLogon

6th. If the variable is explorer.exe shell, keep it. If there is something more and explorer.exe, explorer.exe just leave. Note another file name

7th. If the shell variable is blank, leave it as is

Eight. If it references some executables from user's folders, note the name and replace with explorer.exe

9th. Rename the file with the name you wrote

Fabiano Pessoa

Systems Analyst - Forensic Expert

Mithun Sanghavi's picture


You could try running the SERT Utility, if you have access to Fileconnect, the SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively. The Consumer version of this tool is the Norton Bootable Recovery Tool.  The tool is free, so there is no need for a Fileconnect account to download the software.

You could also try working on the steps provided below on collecting the suspicious files and submitting the same to the Symantec Security Response Team.

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

I would also recommend you to make sure you create a case with Symantec Technical Support.

You could either Create a Case OR contact Symantec Technical Support.

How to create a new case in MySupport

How to update a support case and upload diagnostic files with MySupport


Regional Support Telephone Numbers:

United States: 800-342-0652 (407-357-7600 from outside the United States)

Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)

United Kingdom: +44 (0) 870 606 6000

Additional contact numbers:

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

greg12's picture

Agree with Mithun; as you cannot log in in safe mode, SERT is the tool you should use.

Additionally, you should really think about an upgrade to SEP 12.1. Ransomware and Fake AVs are very hard to detect with signatures (because of the time gap) or traditional heuristic methods such as Bloodhound. Thousands of them are appearing every day, so signature based detection lags behind, and heuristic detection is just overstrained--its hit ratio is far too low.

SEP 12.1 with its reputation database (Insight) is able to block files that aren't trustworthy, even if Auto-Protect or Bloodhound don't find anything. This is a good approach to strongly reduce the ransomware plague. It's not a panacea, but a step forward.

Fabiano.Pessoa's picture

The problem is whether the vaccine is based File "father" of malicious code
 this type of malicious code has many variations and not a single virus.
 Example: model has 1, 2 and 3 of it.


Fabiano Pessoa

Systems Analyst - Forensic Expert

landmissle's picture

  Hi all,

  Just used the latest SERT disk (requires a PIN for use) on a system infected with the FBI MoneyPak ransomware. I made sure that the disk had the latest virus definitions and it still did not detect anything. Needless to say, I wasn't too impressed with SERT.

 BTW, the client had SEP 12.1 RU1 installed with up to date AV definitions at the time of infection.

 I was able to get into the system by launching serveral applications and command prompts before the FBI screeen took over the system. Once that screen took over, using Ctrl-Al-Del, allows you to log out. With some luck, one of your applications will hang the logout process and you'll be prompted to force-quite the applicaiton. Instead, cancel the logout, the FBI screen will be gone, and you can now go about deleting files, registry entries, or use other tools to eleminate the virus.

 I realize that morphing viri make creating signatures difficult, but between the AV engine, Proactive Treat Protection, and Sonar, I'm disappointed that SEP could not detect and stop this thing.

oykunsatis's picture


If insight with correct settings are running and clients can submit/recieve Insight submissions,it may block due to rating of file. 

You can also try to check with Norton Internet Security 2013, else it's better to create a technical case.



Mick2009's picture

This new Security Response whitepaper about Ransomware will be of interest to followers of this thread:

Ransomware: A Growing Menace

With thanks and best regards,


Mick2009's picture

This new Security Response blog post also adds some extra developments/details- be informed!

Ransomware: Extorting Money by Panic and Pressure

With thanks and best regards,