
[SOLVED] ICE MoneyPak (GREEN DOT) Removal

LilBambi

BSOD Kernel Dump Senior Analyst
Joined
Apr 17, 2012
Posts
292
Location
Virginia, USA
I had an interesting time with a computer yesterday.

From what he told me, not much, it sounded like the FBI MoneyPak and he got it from a legitimate site (he called the institution and they confirmed it had been hacked and now fixed, BTW).

Apparently it was not the FBI one. I downloaded and created a bootable USB drive with HitmanPro on it, and it would boot but the keyboard wouldn't work. So I used Trinity Rescue CD to remove all the temporary files from all locations.

But it turns out it was ICE MoneyPak, or something very similar to this MoneyPak GreenDot thing:

[image: ice-computer-blocked-moneypak-virus.jpg]

Removing all the files from the temporary spaces left the machine at a black screen, but it appeared to be an overlay, not a true black screen, with a command-line box on top saying that the 20-some-odd-letter .exe file was not a valid executable or batch file.

I used regedit to find that random filename and removed it from the registry several times, along with another item that kept coming back in the registry like a bad penny when I rebooted or refreshed the registry. So I knew there was something else there.

I called Malwarebytes from the command-line box and it updated, ran and found three additional items noted in the log file and nothing else:

Code:
Registry Values Detected: 1

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (PUM.Shell.CMD) -> Data: cmd.exe -> Quarantined and deleted successfully.

Files Detected: 2

C:\Users\{User}\Templates\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.
C:\ProgramData\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.

Malwarebytes took care of them and when I rebooted, it booted fine.

I then ran the current JRT file and ran Malwarebytes Anti-Malware scans twice more over the course of the time I was updating the computer and they were all clean.

NOTE: Part of the problem appears, as usual, to be that the computer didn't have its Windows 7 SP1 update and wasn't being offered it either! The ONLY driver that needed updating was the Intel video driver, which I installed from the driver update button in Hardware Device Drivers. Then I downloaded the x64 SP1 (900+ MB file, thankfully on their fast Cox Cable connection) and installed it after disabling their (groan!) McAfee Security Suite's real-time detection till a reboot.

I then got all the updates to all internet facing programs (plugins, extensions, browsers, etc.) and the computer seems to be doing fine now. Nothing else was found with scans.

When I got home, I found this: The ICE Cyber Crimes Center (Computer Blocked) - MoneyPak Virus - PCRisk.com (was noted as a good site on WOT):

The ICE Cyber Crimes Center message which locks the computer user's screen and asks to pay a fine of $400 for some law violations is a scam. This message has nothing to do with U.S. Immigration and Customs Enforcement; it was created by cyber criminals who are hoping that unsuspecting PC users would believe the false statements (accusations of watching pornography, using copyrighted files, usage of unlicensed software) made in this message and would pay them the non-existent fine. Notice that in reality none of the authorities (including ICE Cyber Crimes Center) use such messages which lock the PC user's screen to collect fines for any law violations. This fake message is called ransomware and this particular infection originates from a family called Reveton.

What makes ransomware infections especially rogue is the fact that they come localised - computer users from different countries will see different fake messages which exploit graphics and names of local authorities. This particular ransomware is targeted at computer users from the USA; however, if a PC user from Australia were to get infected with this virus the same message would appear as if it came from the Australian Federal Police (AFP). Computer users shouldn't trust any of the messages which supposedly come from local authorities and ask to pay a fine to unblock one's PC - it's a scam, and paying the fine when asked by such a message equals sending your money to cyber criminals.

...

The ICE Cyber Crimes Center virus is being distributed using Trojans and drive-by downloads. Computer users should be very careful when using P2P networks, social networks and when downloading software updates from non-legitimate sources. To prevent ransomware infiltrations one should keep the operating system and all of the installed software (Flash, Java, etc.) up to date. Furthermore one should always use legitimate antivirus and anti-spyware software. If you already see a message from "The ICE Cyber Crimes Center" asking you to pay a fine of $400 using MoneyPak - ignore it and proceed with the provided removal steps.

This one on this guy's computer was set at $100 instead of the $400 noted at the site.

Thankfully, it came together between Trinity Rescue CD, cautious Registry search/editing, Malwarebytes Anti-Malware and JRT, AND, most important for the future health of the PC, Win7 SP1, IE10 installation (since he uses Internet Explorer and MSN) and subsequent updates, plus updates to the other plugins, extensions, browsers, etc.

So, I think I can call this SOLVED. Any other thoughts?

:dance::dance::dance:
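The MBAM log in the post above shows the mechanism behind the "black screen with a command box": the per-user Winlogon Shell value had been set to cmd.exe, so the malware's loader ran instead of Explorer, and the dropped payload lived in user-writable folders (Templates, ProgramData). The following is an added example, not code from the thread, that a practitioner can run before or after cleanup to audit the same persistence points. It is read-only and assumes stock Windows 7 defaults for the Winlogon values (explorer.exe and userinit.exe) and that the machine has no legitimate custom shell; the list of "user-writable" path fragments is an assumption chosen to match the paths in the log.

```powershell
# Added example (not from the original post): read-only audit of the Winlogon
# Shell/Userinit values and the Run/RunOnce keys that ransomware such as the
# MoneyPak/Reveton lockers hijack. Run from an elevated PowerShell prompt; it
# changes nothing, it only reports.

$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Expected values on a stock Windows 7 install (assumption: no custom shell).
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
}

foreach ($hive in 'HKLM', 'HKCU') {
    $path = "${hive}:\$winlogon"
    if (-not (Test-Path $path)) { continue }
    $props = Get-ItemProperty -Path $path
    foreach ($name in $expected.Keys) {
        $value = $props.$name
        if ($null -eq $value) {
            # HKLM must carry both values; HKCU normally carries neither.
            if ($hive -eq 'HKLM') { Write-Warning "$path\$name is missing" }
            continue
        }
        # Any Shell/Userinit under HKCU is suspect by itself (that is what the
        # log above shows: HKCU\...\Winlogon\Shell = cmd.exe); under HKLM only
        # a deviation from the default is.
        if ($hive -eq 'HKCU' -or $value -ne $expected[$name]) {
            Write-Warning "SUSPECT $path\$name = '$value'"
        } else {
            Write-Output  "ok      $path\$name = '$value'"
        }
    }
}

# Run/RunOnce entries whose command points into a user-writable location.
# The fragments below are an assumption matching the paths in the MBAM log.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$writable = 'Templates|ProgramData|AppData|\\Temp\\'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PSPath/PSParentPath etc.
        $cmd  = [string]$p.Value
        $flag = if ($cmd -match $writable) { 'SUSPECT' } else { 'info   ' }
        Write-Output "$flag $key\$($p.Name) = $cmd"
    }
}
```

If the machine still boots only to the command box, this script can be launched from that box with `powershell -ExecutionPolicy Bypass -File audit.ps1`, the same way regedit and MBAM were started in the post. A SUSPECT line is a lead to investigate, not proof of infection: some OEM tools legitimately start from ProgramData, so check the referenced file before deleting anything.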
 
Thanks! :cool3:

No, I haven't ... but I was glad that I had it on CD since the last USB drive (HitmanPro) disabled the keyboard. I have no idea why that happened either, since booting from CD worked fine. I was concerned that since the malware also disabled Safe Mode (it just hung), there was more going on than meets the eye. So I tried the CD.
 
Great job, LilBambi!

I just remembered something I didn't think about when we talked about this yesterday.

Another tool you may want to have in your toolbox is RKill by Grinler. If the person doesn't have an Internet connection, and since .exe's are often blocked by malware, you might want to have a couple of versions handy. It is important to understand that RKill does not remove anything. It merely terminates the processes.

Discussion topic: RKill - What it does and What it Doesn't - A brief introduction to the program
 

Hi Corrine,

Thanks for thinking of that; however, I do have RKill (in its many iterations), which I wasn't sure how I would run since I couldn't get to anything but what was on the hard drive itself via the command line, such as regedit and MBAM. But it might not be a bad idea to have it in a known location on the hard drive for a possible future situation. Thanks. :rose:

It is a great tool and I love it! Has come in handy many times.

Thanks for the kind words too! It was great to talk to you by phone yesterday. Thankfully I was able to get it without having to use Chameleon. But it was great to know what Chameleon is; I wondered what it was when I have seen it during the install process! Thanks for that and the link to read up on it!
 
I ask since more and more new laptops are shipping without CD/DVD drives...

Excellent point!

I don't know why the keyboard didn't work with USB HitManPro, but if I hadn't had a few other tricks up my sleeve, I would have been up a creek as it were. ;)
 
It was great to talk to you by phone yesterday.

Finally, considering we've known each other virtually for 10 years!

Yes, amazing! It is truly amazing that you can have a very good friendship with folks you have never met in real life or even talked by voice. Says something for your wonderful spirit Corrine! I feel privileged to have you as a friend.
 
the computer didn't have its Windows 7 SP1 update and wasn't being offered it either!
Which "suggests" to me a user of that system told Windows to hide the update. Keeping our systems current with the latest patches is a cornerstone of a good security defense, along with critical updates, using a good anti-malware solution, and a software-based firewall. These, of course, are user responsibilities, which takes us back to the core of most security issues: the user, always the weakest link in computer security.

Besides failing to keep the system current with patches and updates, was the user using a good anti-malware solution? Did the user disable IE's phishing filter (SmartScreen Filter)? Was the user participating in risky behavior, such as illegal file sharing via torrents or P2P sites? Was the user being "click-happy" with unsolicited downloads and attachments?

Did you have a firm word with the user?
 

Hi Digerati,

No, this user doesn't know how to hide it and besides, I checked hidden and it wasn't in there. So something else was going on. I thought it might be due to a driver needing to be updated (video driver did need and I installed that update; no other drivers needed updating).

He definitely wasn't keeping his Windows 7 updated (SP1) as he should but he was not prompted so that part he wouldn't have realized and he didn't call me in till there was a problem. Long time since I had been there.

He did not disable IE's phishing filter (SmartScreen Filter). He rarely goes anywhere that is not in his normal list of sites and they are all legitimate sites ... one of which sadly was the one that he got hit from (confirmed by the institution that they had been hacked and were the cause and was now fixed).

Yes, he did get a firm word about keeping all his Windows updates up to date, and his Internet-facing programs, in particular browsers, plugins, extensions, etc. updated and running his security programs more religiously (CCleaner, MBAM, SpywareBlaster). As to AV I can't get him to leave McAfee Security Suite he gets for free from his cable company, so that's a no go there.

Thanks!
 
Well done on getting SP1 installed (and indeed everything else you did too) :)

Yes, those old Intel integrated graphics drivers are the biggest cause of that problem now (we've mostly ridden the tide of people with pre-release copies of Windows 7, and indeed vLite/DriverSweeper (which admittedly didn't cause this problem, just made the update fail instead with a rather nasty component store corruption)).

For future readers with the same problem of Windows 7 SP1 not being offered, see here: You do not have the option of downloading Windows 7 SP1 when you use Windows Update to check for updates

And if you still can't get it to show, register for free, create a new thread in our Windows Update forum, and we'll see what we can do :)

Richard
 
As to AV I can't get him to leave McAfee Security Suite he gets for free from his cable company, so that's a no go there.
Well, regardless of your (and my) personal feelings about McAfee, it is good at securing a computer - if updated.

Not sure why WU did not offer SP1. I have only seen that when Windows had not yet been activated after installation, or when users manually installed it, thus it was already installed, or when WU had other issues.

vLite/DriverSweeper (which admittedly didn't cause this problem, just made the update fail instead with a rather nasty component store corruption)).
I really don't like 3rd-party driver removers for this reason. I think these programs should only be used when normal driver uninstall procedures fail. Same with program uninstallers. I often think they cause more problems (or make existing problems worse) more often than they fix things.
 
Not sure why WU did not offer SP1. I have only seen that when Windows had not yet been activated after installation, or when users manually installed it, thus it was already installed, or when WU had other issues.

It was because of the out of date and incompatible Intel integrated graphics drivers in this case. SP1 will not be offered if there is an incompatible program/driver detected. A simple driver update here was all that was necessary (or in the case of Driver Sweeper which decided to delete a few files from the Windows folder - putting those files back). There are a couple more listed programs at the above link from Microsoft, but I tell you, if you ever come across this issue today, always get straight to updating any Intel integrated graphics drivers. They're almost always the cause, if you are unlucky enough to run into this somewhere. :)

Richard
 
Thank you Richard. That means a lot!!

So glad you posted the link and additional info on the incompatible drivers/programs that can keep SP1 from being presented.
 
SP1 will not be offered if there is an incompatible program/driver detected
Which really seems odd to me. I can see W7 not installing if an incompatible driver is detected, but if W7 has already been installed successfully, that means (or suggests to me) the existing drivers were working - thus compatible. If an Intel graphics driver update was already available and required for SP1, it seems to me WU should have already offered the driver update before offering SP1. Or even offering it at the same time. I have seen many times where WU only installs some updates offered, forces a reboot, then installs the remaining updates that required the previous updates be installed first.

Oh well - this is why I hang out at forums. I am always learning something new - like learning there is ALWAYS so much more to learn no matter how much experience and knowledge I already have.

Thanks.
 
I think it only revolves around one Intel video setup. I've seen the video driver listed as an optional update, possibly because there were some issues on some systems with the update?
 
I think it only revolves around one Intel video setup. I've seen the video driver listed as an optional update, possibly because there were some issues on some systems with the update?

Yes, me too many times. I usually go to the OEM website to get the updated driver, or the manufacturer to get the latest driver, but with Windows 7, Intel drivers offered in the optional list are generally a good match. It's not like the old days in XP with drivers offered in Windows Update being a real dangerous crapshoot at times. ;)
 

Yes... as the others have said, it would have been offered as an optional update in this case. The problem was, it sounds like this user wasn't installing any updates. If they had installed everything, then SP1 would have been offered. And most people don't expect SP1 to show until all previous updates have been installed. So why did Microsoft mention this update in their article, and not all of the other prerequisites? Well, quite a few people have misgivings about driver updates supplied through Windows Update and hide them.

Personally, I do not understand this. Maybe I've just been lucky, but I've found Windows Update driver updates to be very stable, and when I used a USB wireless card, they were the only stable drivers I could find as the manufacturer's caused me BSODS.

As for why this driver became unstable after SP1, I will admit that I do not know. However, my guess would be that it was doing something against the documentation in some circumstances, and Microsoft had to close that loophole down, perhaps because it was being exploited by malware in some way.
 
