While virus cleanup is a normal part of a PC technician's life, the last few months have been especially busy with the popular MoneyPak virus going around. There are many different variants of this virus, and some are easier to remove than others. At SRQ Computer Services we have been removing viruses from PCs for over 15 years now, and there are very few viruses that take more than a few minutes to remove from a PC, including the MoneyPak variants. While we could write volumes about how to remove viruses from desktop and server PCs, today we are going to focus on one aspect of virus removal with regard to MoneyPak: the startup process.
In order for any program to function on your computer it must start up and run. 64-bit Windows requires signed drivers and has much stricter control over startup items, which actually makes our job easier. There are really only two main ways for a virus to start: either by becoming a rootkit (which will soon no longer be possible with UEFI boot sectors) or by asking Windows to start it through the Windows registry. There are a limited number of places within the Windows registry from which a program or virus can start up, and we will take advantage of that in this article.
MoneyPak often masquerades as a legitimate program by claiming, within the Windows registry, to be a needed toolbar or shell extension.
Simple tools like MSCONFIG, which is built into Windows, only show you a few of the registry locations where programs commonly start up. There are a dozen or so other locations that virus writers often take advantage of, so MSCONFIG is of little use here and will not suffice for our purposes.
Instead we will be using a more advanced tool called Autoruns, which is available from Microsoft's TechNet website. This tool shows every section of the registry from which an item can start up, and then some. When other PC technicians tell customers they must wipe and reinstall a PC due to a virus infection, we simply use this tool and have the virus removed in a few minutes. The MoneyPak virus is no exception to this and is easily found and removed with Autoruns.
Now, the MoneyPak virus does not want to be removed easily, and it will often disable Safe Mode and prevent other programs from running in order to protect itself. There are two main workarounds for this to get Autoruns running on an infected PC.
Method #1: We find this the most amusing method. When most variants of the MoneyPak virus take over a computer they prevent almost all other programs from running, except for the Windows shell, which is named "Explorer.exe". While the real Explorer.exe is located in the Windows folder, the virus is not smart enough to check where explorer.exe is running from and simply allows it to run from anywhere. Why is this relevant? Simply rename Autoruns.exe to Explorer.exe and the MoneyPak virus will allow it to run. It is then as simple as deleting the infected registry entries, which we will discuss more later.
Method #2: Boot into Safe Mode with Command Prompt. Have your Autoruns program on a USB thumb drive, then press CTRL+ALT+DELETE and bring up Task Manager. Use Task Manager's File > Run command to browse to the thumb drive and run the Autoruns program. While less amusing than circumventing the virus's protection, it still gets the job done.
*Alternatively, some versions of MoneyPak are combined with a rootkit, but by using the same methods as above and running Kaspersky's "TDSSKiller" instead of Autoruns you will be able to make short work of the rootkit. You can then proceed to use Autoruns to finish cleaning up the system.
Let’s get started:
This is the screen we often see when first sitting down at the computer: something indicating that the user must pay money for some made-up crime in order to avoid punishment. There are many different variants of this screen, but they all have the same goal, to get the user to send a MoneyPak, hence the virus's nickname.
In this particular case the virus would not allow us to run any other programs and even blocked regular Safe Mode. We had to enter Safe Mode with Command Prompt in order to gain any access to the PC.
This is what Safe Mode with Command Prompt looks like. It's just a black screen with a DOS-like prompt where you can type in commands with the keyboard. In this case we switched to the thumb drive containing Autoruns by typing "E:"; your drive letters will likely differ, and you will need to try them until you find the correct one.
After switching to the E drive, we opened the folder containing Autoruns (use the CD command to change directories). We were then able to open Autoruns by simply typing its name. The first thing we do is click Options and choose Hide Microsoft Entries. This saves time by showing us only third-party startup items.
We can already see the virus in this first picture under the Winlogon/Shell startup category.
We simply select the modified Shell entries and delete them. We also scrolled down the list and found quite a few add-on toolbars and other malware/spyware items. With all of the Microsoft entries hidden, we can quickly go through the remaining startup items and determine what needs to be there and what doesn't.
The general rule of thumb is that if something contains the words "Toolbar", "Value", "Shell", or "Search", it's probably spyware/adware or a virus and is safe to delete. If you don't know what something is, you can always google it from another PC or your smartphone.
That’s it! Simply restart the computer and it will boot normally.
While the actual virus files may still remain on the hard drive, they will no longer start up, which means they are harmless. At this point you can install your choice of antivirus product and run a full scan to clean up the scraps left over.
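As a way to confirm after the restart that the startup locations discussed above are clean, here is a read-only check in PowerShell. It is an added example and not part of the original post, nor a feature of Autoruns; it assumes an elevated PowerShell prompt on the cleaned machine. The Winlogon defaults it compares against (Shell = explorer.exe, Userinit = system32\userinit.exe with its trailing comma) are the standard Windows values; the list of Run keys it walks and the "launched from a user-writable folder" heuristic are our own choices for this example.

```powershell
# Added example (not from the original post): audit the autostart registry
# locations a MoneyPak-style infection abuses and flag anything that does
# not look like the Windows default. Read-only; it deletes nothing.

# Standard Windows values for the two Winlogon entries the post's infection modified.
$ExpectedShell    = 'explorer.exe'
$ExpectedUserinit = "$env:SystemRoot\system32\userinit.exe,"

$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override; rarely legitimate
)

# Run/RunOnce locations to list (a subset of what Autoruns shows; chosen for this example).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-WinlogonValues {
    foreach ($key in $WinlogonKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'Shell', 'Userinit') {
            $value = $props.$name
            if ($null -eq $value) { continue }   # HKCU normally has neither value
            $expected = if ($name -eq 'Shell') { $ExpectedShell } else { $ExpectedUserinit }
            # Any value under HKCU, or any HKLM value other than the default, deserves a look.
            if ($key -like 'HKCU:*' -or $value -ne $expected) {
                Write-Warning "$key\$name = '$value' (expected '$expected', and only under HKLM)"
            } else {
                Write-Output "OK    $key\$name = '$value'"
            }
        }
    }
}

function Show-RunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip PowerShell's own PS* metadata properties; everything else is an autostart command.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                $cmd = [string]$_.Value
                # Heuristic chosen for this example: commands launched from user-writable
                # folders are where toolbar/"shell" impostors typically live.
                $suspicious = $cmd -match '\\(AppData|Temp|ProgramData|Users\\Public)\\'
                $tag = if ($suspicious) { 'CHECK' } else { '     ' }
                Write-Output "$tag $key\$($_.Name) = $cmd"
            }
    }
}

Test-WinlogonValues
Show-RunEntries
```

A Shell value that is anything other than explorer.exe, or a Shell/Userinit value present under HKCU at all, is the same finding the Winlogon/Shell category in Autoruns surfaced; entries tagged CHECK in the Run listing are the ones to research before deciding whether they belong.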
If you find that Documents or Desktop items are hidden or missing, a tool like ComboFix will go through, unhide them, and reset a lot of settings back to their defaults to fix this.
If you have any questions please feel free to ask the experts at SRQ Computer Services.