[skullkrusher78]

Hello,

I'm trying to help a friend out by restoring his Acer laptop running Windows XP Media Center Edition that is being held hostage by the Homeland Security Moneypack Ransomware virus. I have been unable to use any of the 3 Safe Mode options and I can't even wipe the hard drive and reinstall the operating system because the virus appears to shut down the computer after a few minutes if I do anything besides start windows normally. I tried a promising solution with a bootable USB program called Hitman Pro, but because the hard drive is formatted in FAT32, this solution was also a bust. Any advice or direction would be greatly appreciated.

[Advertisements]

Hello and welcome to Geeks to Go. I am sorry that you are having troubles with your computer and will try my best to help you. I know that being infected is very frustrating, but I will be here to help you through the whole process of cleaning. Removing malware can be difficult and complicated and will most likely take many steps, so please stick with me until I have declared your computer clean. I always recommend printing my instructions before following them in case you cannot keep this webpage open. Please be sure to alway follow all steps exactly as they are written and let me know what happens each time. Stop and ask if something unexpected happens or if you are unsure of how to proceed.

Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.

Let's try this. Download and burn the CD on a working computer. If you would rather use a flash drive for both items, let me know.


Please print these instruction out so that you know what you are doing

• Download OTLPENet.exe to your desktop
• Download Farbar Recovery Scan Tool and save it to a flash drive.
• Ensure that you have a blank CD in the drive
• Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
• Reboot your system using the boot CD you just created.
  Note : If you do not know how to set your computer to boot from CD follow the steps here
• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
• Your system should now display a Reatogo desktop.
  Note : as you are running from CD it is not exactly speedy
• Insert the flash drive with FRST on it
• Locate the flash drive and run FSRT
• The tool will start to run.
  
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

[Buddierdl]

Hello and welcome to Geeks to Go. I am sorry that you are having troubles with your computer and will try my best to help you. I know that being infected is very frustrating, but I will be here to help you through the whole process of cleaning. Removing malware can be difficult and complicated and will most likely take many steps, so please stick with me until I have declared your computer clean. I always recommend printing my instructions before following them in case you cannot keep this webpage open. Please be sure to alway follow all steps exactly as they are written and let me know what happens each time. Stop and ask if something unexpected happens or if you are unsure of how to proceed.

Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.

Let's try this. Download and burn the CD on a working computer. If you would rather use a flash drive for both items, let me know.


Please print these instruction out so that you know what you are doing

• Download OTLPENet.exe to your desktop
• Download Farbar Recovery Scan Tool and save it to a flash drive.
• Ensure that you have a blank CD in the drive
• Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
• Reboot your system using the boot CD you just created.
  Note : If you do not know how to set your computer to boot from CD follow the steps here
• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
• Your system should now display a Reatogo desktop.
  Note : as you are running from CD it is not exactly speedy
• Insert the flash drive with FRST on it
• Locate the flash drive and run FSRT
• The tool will start to run.
  
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

[skullkrusher78]

Hello Buddierdl,

I created the CD and followed the instructions, unfortunately this virus appears to be able to shutdown the computer before any software can be completely loaded from the CD drive. I tried 3 times with this new CD just in case I got lucky. I have had better luck booting from a USB, as I was able to get into the file system using the Anvi Rescue Disc software booted from a USB (the software did not detect the hard drive however and I was unable to scan it properly). If you could give me instructions to create a bootable USB using the OTLPENet.exe I think I might be able to get it to load.

Thank you for your assistance.

[Buddierdl]

Ok. I seem to have misplaced my instructions, but I have given you a rough overview below. If you need more details, let me know. By the way, I assume you have tried Safe Mode with Command Prompt without any results?

First, we need to extract the iso from OTLPENet.exe:

• Download the script here and need to be saved saved on the same folder as OTLPENet.exe
• Next the ExOTLPE.exe must be renamed to match the package to extract like this:for OTLPENet.exe --> ExOTLPENet.exe
• Execute the renamed file and follow the prompts

Now, download Rufus from here. Be warned that this program will format your flash drive and erase any files on it.




Leave everything at defaults, as shown above, except you want to choose MBR instead of GPT for the partition scheme. Then choose the OTLPE iso that you extracted by clicking on the little box with the CD picture next to "ISO image." Then press start and let it create the bootable USB. When it finishes, copy FRST also onto the root of the flash drive. Then boot the computer and follow the directions from before.

[skullkrusher78]

Ok, I was able to create the USB drive, and it gets a little further than the CD, but the virus is still able to shut down the computer before I can do anything. I have tried all 3 options in Safe Mode with no positive results.

[Buddierdl]

Can you tell me exactly what happens? Does the computer just turn off? The malware should not be able to load when booting from the USB, as we are using an external operating system. Did you set the BIOS to boot from USB?

Do you have the recovery console installed or an XP install CD?

[skullkrusher78]

The computer just shuts off. I was able to get as far as starting the scan with Far Bar after several attempts but the PC shut down again during the scan. These random shut downs don't occur when I allow windows to start normally so I'm not sure what is causing them if it can't be the virus. The recovery console is not installed. I do have an XP install disc, but I already tried that, the pc just kept shutting down during the install process.

[Buddierdl]

Ok. I am going to ask for some opinions for my colleagues before we move on.

[Buddierdl]

Ok. I have another idea. I want to try a bootable linux USB. For now, we are just going to see if it can boot.

Download xPud from here. Make a bootable USB from the iso using Rufus as before. Then try to boot the computer and see if it works. If it does, please just shut down the computer and let me know, and I will show you what to do next.

[skullkrusher78]

Ok, xPud appears to be stable. I was able to boot it up the first time and it did not shutdown on its own. I had it running for at least 30 min.

[Buddierdl]

Great. Let's try for a restore point first. If anything is unclear about these instructions, please ask:


Download http://noahdfear.net/downloads/rst.sh to the USB drive

• Boot the Sick computer with the USB drive again
• Press File
• Expand mnt
• Expand your USB (sdb1)
• Confirm that you see rst.sh that you downloaded there
• Press Tool at the top
• Choose Open Terminal
• Type bash rst.sh
• Press Enter
• After it has finished a report will be located at sdb1 named enum.log
• Plug that USB back into the clean computer and open it

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review. Also please tell me the approximate date/time when the ransomware appeared.

[skullkrusher78]

Ok, now I'm getting a little frustrated. I left the computer on all night with the xPud running. It never shut down. I even used it to download the rst.sh from within the xPud environment. About 30 seconds after I started the bash rst.sh, the computer shut down. Now every time I try to reboot it from that USB, it shuts down within about a minute. I will keep trying, and hope it becomes stable again before your next reply. I don't have an exact date of infection, but I believe it to be sometime in December of 2012.

[Buddierdl]

I think it's alive.

So this computer hasn't been used in almost a year?

Do you have another USB drive to try just in case it might be a problem with that?

Could you also test Normal Mode one more time right away, just to rule out hardware. Maybe you just didn't leave it on long enough to shut down in Normal Mode?

[skullkrusher78]

That's correct. I tried to help my friend with it shortly after it happened, but ran into the same issues of it shutting off all the time. It always bothered me that I couldn't fix it, so since he has been using the computer as a paperweight for the last year, I asked him to leave it with me to take another crack at it. I don't have access to another USB at the moment, but I will see if I can pick up a couple of small ones over the weekend, but I really don't believe the USB I am using is bad. I have been able to launch the bash rst.sh a couple of more times but it keeps shutting down during the scan.

[Buddierdl]

How about trying to burn the xPud iso to a CD and try it that way? rst.sh must still be on the flash drive.

We can also try a different script that will take a copy of the registry for me to fix.