FBI Moneypak Virus Greendot
FBI Moneypak Computer Virus
Last week I had a computer virus that locked down my
computer and rendered it unusable for five days. I don't really understand what happened, but
I will recount my experience. My
computer skills and sophistication are only middling to moderate. Undoubtedly, many of you will understand this
much better than I do.
I don't really know how I got this virus. I haven't been able to figure it out. The way it got started, I think, is that
perhaps a month ago upon startup of the computer, the scanner software would
open and the scanner would start to scan, even though there was nothing on the
scanner to scan and I hadn't been using the scanner recently. I am using the Windows 7 operating system, by the
way. So every time I started the
computer up I would have to manually close about four windows related to the
scanner. This process began
spontaneously for no obvious reason that I can discern. It was a nuisance and a week ago on a
Saturday morning I got up and decided to see if I could fix this.
If you click the Start button, you get the command line, and
you type msconfig and a window opens with a menu. If you click the Startup tab there is a list
of programs that open when you start the computer with check boxes. You can uncheck the ones you don't want to
open when the computer starts up. So I
did this, unchecking the scanner software and a number of others. When I restarted the computer, however, the
scanner software still started up, as it had been doing, even though it was unchecked
in msconfig. So I thought, OK, I'll
uninstall the scanner software. So I did
that, uninstalling the scanner software in Control Panel. Then I restarted the computer, and some parts
of the scanner software still started up, although not all of it, even though
it had been uninstalled from the computer.
So I said, OK, I'm going to completely uninstall the scanner, the
driver, anything having to do with the scanner, uninstall. So I did that and when I restarted the
computer, Windows loaded and was immediately superseded by a black screen with
FBI and Justice Department logos on it and a message that I had been illegally
downloading copyrighted material, looking at child pornography, and various
other offenses, and my computer would be locked down until I clicked on the
button indicated and paid a fine. If I
didn't do this within 72 hours, the FBI would prosecute me for a host of
felonies, or something to that effect.
There was a green button labeled 'Greendot' that I was asked to click
on for the instructions on how to make this payment. I did not click on it. Don't be intimidated. This is not from the FBI or the
government. This is heavy-handed
extortion by criminals. However, you
cannot get out of this screen by any means.
It completely takes over the computer and immobilizes it. You can't even shut the computer down. I had to shut it down and turn it back on
with the power button. Every time I
turned the computer on Windows loaded, but then this threatening screen took
over. There was nothing that could be
done. The computer was completely locked
up.
Fortunately, I also have an Android tablet, which I never
use, and regard as a waste of money, but it does have a working internet
connection, and I was able to research the problem with it. So maybe I should hold it in slightly higher
esteem. I found that there are a number
of different versions of this virus and the one I had was called 'FBI Moneypak
Greendot.' The most common way people
defeated the FBI Moneypak virus was by starting the computer in Safe Mode. In Safe Mode you can operate the computer,
connect to the internet, download an antivirus program called
"Malwarebytes," and run it and remove the virus. To get into Safe Mode, you press the 'Delete'
key when the computer first starts up, before Windows starts to load. It's good to keep hitting it. You get a black screen with white lettering
inviting you to choose how you want Windows to load. Choose Safe Mode with Internet
Connection. I did this and Windows
loaded, but immediately the black FBI screen took over and shut everything
down. So Safe Mode did not work. The Greendot version of this virus disables
Safe Mode. Now what?
I got a friend to make a Windows 7 startup disc for me. You can download to a CD the minimal files
necessary to operate the computer and boot the computer from the CD. I did this and it worked. I
could boot the computer from the CD and get a command prompt. However, I was not able to run anything from
the command prompt. I could see into the
computer, the file directories were there, but I wasn't able to do
anything. I tried 'regedit' to edit the
registry -- a risky move, for someone who doesn't know what they are doing. I was able to find the files in the WinLogon
section which were attributed to the virus and deleted them, but when I
restarted the computer, the virus was still present and the computer was still completely
locked down. Deleting the files in the
registry that were said to operate the virus did not have any effect. I went back into Regedit and looked
again. The two files I had deleted were
back just as they had been before. They
seem to have self-repaired. So I
realized that there was more to this virus than those two files. I decided I would not be able to get rid of it
by manually deleting it. I tried to run
an antivirus software program from a CD, but that didn't work either. I thought I was stuck.
Then the same friend who made the CD for me told me about a
Windows Recovery Manager that is built into the computer, which I did not know
about. You access it by pressing F11
upon startup, just as pressing 'Delete' gave you the Safe Mode options. Pressing F11 gets you a Recovery Manager
screen with three options on it:
Microsoft System Repair Tool, Microsoft Startup Recovery Tool, and
System Restore. I tried the Microsoft
System Repair Tool and restarted the computer, but it did not work. The virus was still stubbornly in
charge. I tried again with the Microsoft
Startup Recovery Tool. This worked. After running the Startup Recovery Tool, Windows
loaded normally and everything was fine.
Like magic, after five days, the problem had been solved. So easy, if you know exactly what to do. That's why I am posting this. It might save
you five days of distress.
I immediately ran Malwarebytes with a full scan of the
computer. It took about an hour and a
half and it located one Trojan file on the computer. I had it deleted and there was a link that
said 'show location of the file.' I
clicked this and the internet browser opened and it went to Yahoo.com. What do you make of that? I reinstalled the scanner and its related
software. The computer has worked
normally since, except that the scanner software started to open spontaneously
again after a day or so. I immediately
ran Malwarebytes again, but it did not find any suspicious files. However, after running a full scan with
Malwarebytes, the scanner stopped opening upon Startup, and the computer has
run perfectly since.
I'm still puzzled about how I acquired this malware and what
its relationship is to the scanner. I
remember some time ago having a brief power failure in my apartment with the
computer on. So the computer did not
shut down properly at that time. Could
that have had something to do with it? I
really don't know. Those are the facts. I have no explanations.
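
Added example, not part of the original post: a read-only PowerShell check of the startup locations the account above touches, namely the Run keys and Startup folders behind the msconfig Startup tab, plus the Winlogon section of the registry, which that tab does not list. It assumes a stock Windows 7 install, where the Winlogon defaults are Shell = explorer.exe and Userinit = %SystemRoot%\system32\userinit.exe followed by a comma; anything else is only flagged for review, nothing is changed or deleted.

```powershell
# Added example: read-only audit of autostart locations. Changes nothing.
# Assumed defaults for a stock Windows 7 install.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

# 1. Winlogon values: compare against the defaults and flag differences.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = [string]$wl.$name
    $status = if ($actual -ieq $expected[$name]) { 'default' } else { 'REVIEW' }
    '{0,-8} {1,-8} {2}' -f $status, $name, $actual
}

# A per-user Shell value overrides the machine-wide one and is normally absent.
$userWl = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userShell = (Get-ItemProperty -Path $userWl -ErrorAction SilentlyContinue).Shell
if ($userShell) { "REVIEW   per-user Shell override: $userShell" }

# 2. Run / RunOnce keys: list every entry so unfamiliar ones can be looked up.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        '{0}\{1} = {2}' -f $key, $valueName, $item.GetValue($valueName)
    }
}

# 3. Startup folders (per-user and all-users paths as used on Windows 7).
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        ForEach-Object { '{0}\{1}' -f $dir, $_.Name }
}
```

Run it from an elevated PowerShell prompt on the recovered system; scheduled tasks and services are further autostart locations this check does not cover.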