Has anybody figured how to remove moneypak virus remotely?

I just saw that forced restart safemode today on an onsite job. I got around it by going to system restore from the f8 menu. Roll it back a couple of days and you are able to clean it right up. You could talk the client through that procedure.
 
Easy. (Maybe :D , requires a remote customer that can follow basic instructions)

1. Walk customer through rebooting into Safe Mode with command prompt.
2. Walk customer through activating the hidden admin account.
3. Reboot into hidden admin account.
4. Do your thing.
5. Reboot into user account.
6. De-activate hidden admin account.
 
I'm trying to figure out a script to run from boot, once I am remoted in (and then reboot).

But I don't know how to write scripts. :cool:

Right now, I have gotten one successfully restored; the other b@stard I am working on is literally going to be the one I get...if I can figure out more. Still working on it.

Currently I get the white "connect to internet" screen unless I have the client run explorer from the command prompt. I know I can get in and kill off the executable, but he's on XP and I haven't found it yet. Just started it tonight.
 
I'm trying to figure out a script to run from boot, once I am remoted in (and then reboot).

But I don't know how to write scripts. :cool:

Right now, I have gotten one successfully restored; the other b@stard I am working on is literally going to be the one I get...if I can figure out more. Still working on it.

Currently I get the white "connect to internet" screen unless I have the client run explorer from the command prompt. I know I can get in and kill off the executable, but he's on XP and I haven't found it yet. Just started it tonight.

http://www.autoitscript.com/site/autoit/

You could use AutoIT to script

AutoIt v3 is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages (e.g. VBScript and SendKeys). AutoIt is also very small, self-contained and will run on all versions of Windows out-of-the-box with no annoying “runtimes” required!

AutoIt has a BASIC-like syntax which means that most people who have ever written a script or used a high-level language should be able to pick it up easily.
 
I haven't tried this yet because I actually haven't seen the moneypak in a month or so, but here's my thought.

I believe that the moneypak allows you access to the command prompt, even if it's just by typing in cmd in the start menu. Ctrl+shift+enter will give you an elevated command prompt.

From there, you can access explorer like this "cd %windir%/explorer.exe" and/or pass arguments to it like this "cd %windir%/explorer.exe http://www.yourwebsitehere.com/yourremotepackage.exe" , or by using FTP.

You have to get your client to do that though, which is more than a little complicated. You could, I believe, easily enough write an autoit script to grab and run your remote package (I use single-click VNC) and/or your solution package, rkill/combofix/whatever, and then package it as an executable and call it the same way.

You may also just be able to do the same thing from the start menu search bar, just type in www.yourwebsite.com to force explorer open. AFAIK all the moneypak does is remove the shortcuts, it doesn't remove the executables.
 
Easy. (Maybe :D , requires a remote customer that can follow basic instructions)

1. Walk customer through rebooting into Safe Mode with command prompt.
2. Walk customer through activating the hidden admin account.
3. Reboot into hidden admin account.
4. Do your thing.
5. Reboot into user account.
6. De-activate hidden admin account.

This makes the most sense. How well does it work with Windows 8?
 
If you can get into safe mode, I would definitely give this a try.
Once in Safe Mode, there are many ways to remove it. The trick is getting into Safe Mode remotely on an infected machine. And so far there doesn't seem to be a good way without someone on site assisting.
 
Just removed one of these moneypack viruses today that forced a restart in safe mode. The one I had executed the virus from hkey current user/software/Microsoft/command processor/ [random chars].exe. It also had one in the current version/run key. I slaved the drive and loaded the hive in regedit to remove the keys. That stopped it from executing on boot, then I had to fix the winlogon key and add explorer.exe to it. Otherwise the infected user account only booted to the command prompt. My notes on it are in the office so if you've got the same flavor I had today just let me know and I'll post more detail.
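The post above names three places this locker used to survive a reboot: the cmd.exe AutoRun value under Command Processor (which is why "Safe Mode with Command Prompt" re-launches it), the Run key, and the Winlogon Shell value (which is why the account only booted to a prompt once the AutoRun was gone). Here is an added PowerShell triage script, not from the thread, that reads those locations and reports what they point to, for a live account or for a slaved drive whose hives you have loaded with reg load. The hive paths, the HKLM\OfflineUser and HKLM\OfflineSoft names, and the "suspicious path" heuristic are assumptions of this example.

```powershell
# Added triage example (not from the thread). Reports the persistence spots
# the post describes so a tech can see what each one holds before editing.
#
# Live account:   .\Triage-LockerPersistence.ps1
# Slaved drive:   reg load HKLM\OfflineUser D:\Users\<name>\NTUSER.DAT
#                 reg load HKLM\OfflineSoft D:\Windows\System32\config\SOFTWARE
#                 .\Triage-LockerPersistence.ps1 -UserHive 'HKLM:\OfflineUser' `
#                                                -SoftwareHive 'HKLM:\OfflineSoft'
#                 (reg unload both when finished)
# The hive names above are placeholders chosen for this example.
param(
    [string]$UserHive     = 'HKCU:',
    [string]$SoftwareHive = 'HKLM:\SOFTWARE'
)

# Return a single registry value, or $null when the key or value is absent.
function Get-ValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null
    }
}

# Single-value checks: where to look, the value name, and what a clean
# system normally holds ($null = the value should not exist at all).
$checks = @(
    @{ Path = "$UserHive\Software\Microsoft\Command Processor"
       Name = 'AutoRun'; Expected = $null
       Why  = 'runs on every cmd.exe start, incl. Safe Mode w/ Command Prompt' },
    @{ Path = "$SoftwareHive\Microsoft\Command Processor"
       Name = 'AutoRun'; Expected = $null
       Why  = 'machine-wide cmd.exe AutoRun' },
    @{ Path = "$SoftwareHive\Microsoft\Windows NT\CurrentVersion\Winlogon"
       Name = 'Shell'; Expected = 'explorer.exe'
       Why  = 'logon shell; a locker that replaces it leaves you at a prompt' },
    @{ Path = "$UserHive\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
       Name = 'Shell'; Expected = $null
       Why  = 'per-user Shell override, normally absent' }
)

foreach ($c in $checks) {
    $actual = Get-ValueOrNull -Path $c.Path -Name $c.Name
    # -eq is case-insensitive for strings, so Explorer.EXE still counts as OK.
    $status = if ($actual -eq $c.Expected) { 'OK   ' } else { 'CHECK' }
    $shown  = if ($null -eq $actual) { '<absent>' } else { $actual }
    '{0} {1}\{2} = {3}   [{4}]' -f $status, $c.Path, $c.Name, $shown, $c.Why
}

# Run keys: list every entry; flag commands living in profile/temp folders,
# which is where this family was dropping its random-named .exe (heuristic).
$runKeys = @(
    "$UserHive\Software\Microsoft\Windows\CurrentVersion\Run",
    "$SoftwareHive\Microsoft\Windows\CurrentVersion\Run"
)
$profileDirs = '\\(AppData|Application Data|Local Settings|Temp|ProgramData)\\'

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those.
        if ($p.Name -like 'PS*') { continue }
        $flag = if ("$($p.Value)" -match $profileDirs) { 'CHECK' } else { 'info ' }
        '{0} {1} : {2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}
```

Lines marked CHECK are the ones to compare against your notes before deleting anything; the script only reads, so it is safe to run first and then make the edits in regedit as the post describes. The Winlogon Shell check expects exactly explorer.exe, so a line such as "explorer.exe,C:\Documents and Settings\user\Application Data\xxxx.exe" is flagged even though Explorer still starts.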
 
Once in Safe Mode, there are many ways to remove it. The trick is getting into Safe Mode remotely on an infected machine. And so far there doesn't seem to be a good way without someone on site assisting.

I thought it was already understood (at this point) that some customer involvement would be required.
 
I know this does not answer the question about how to remove it remotely but I have found a very quick way using Kaspersky boot cd (again I realize the customer will not have this disk). If one of new variants comes into your shop that will not let you boot even in safe mode which I have had this week, boot to the Kaspersky CD with GUI and open up a terminal window and type windowsunlocker and give it about 5 to 6 seconds to run that script and reboot into windows and start using your favorite tools to cleanup the rest. System Restore has not worked for me on the last 2 I got in.
 
Easy. (Maybe :D , requires a remote customer that can follow basic instructions)

1. Walk customer through rebooting into Safe Mode with command prompt.

This doesn't work all the time. The last two laptops I've worked with load Windows regardless of whether you select the command prompt.
 