Saturday, March 9, 2013

How To: Remove FBI MoneyPak Virus



I was tired of searching everywhere for a solution to this variant of the FBI MoneyPak ransomware virus that asks for $300 to "unlock" the computer. This flippin' virus is stubborn. My client's Windows XP SP3 machine had these symptoms:

- could not access desktop
- could not log in as different user
- could not boot to ANY Safe Mode option
- could not access System Restore
- System Restore files were corrupted
- could not access the Security Center
- could not access Windows Firewall
- bootable software to modify Windows was prevented from accessing anything (tried several)
- all standard workarounds, once initiated, would cause an automatic reboot
- loading the infected registry from another machine (to edit or repair it) would not work either

He did NOT have any virus protection, but the machine CAN be repaired without reinstalling the operating system. Removal requires very few tools and intermediate technical knowledge. Here's what I did...



Step-By-Step:

1. Remove the infected hard drive and plug it into a working computer as a secondary drive. (For some this is plug and play; others might need an adapter.)

2. Scan that hard drive using Webroot SecureAnywhere Complete and the free version of Malwarebytes Anti-Malware. (NO, the infection will NOT be found during this step.)

3. Navigate to the drive's User Account files > Start Menu > Startup folder, locate the auto-loading nuisance and delete it. (For me, the file was: ctfmon.lnk which caused the desktop/screen to be blocked.)

4. Reinstall the infected hard drive back into its native machine.

5. Safe Mode is now possible, so boot to Safe Mode with Networking and log in from the Administrator account. (Most people have one on their pre-configured computers. If you don't, just work with the account you do have.)

6. Immediately disconnect and stay disconnected from the internet until all steps are completed. (Disable networking in Device Manager and re-enable later.)

7. Manually remove existing System Restore Points (if any) and again boot to Safe Mode with Networking. (Use the free version of CCleaner to perform this step.)

8. Re-scan with Webroot SecureAnywhere Complete and Malwarebytes Anti-Malware. (Yes, both will now find most of it.)

9. Clean the infected files found and reboot again into Safe Mode with Networking.

10. Scan again. (Both will report no infection, but it is NOT completely gone yet.)

11. Manually repair the registry entries for System Restore, Security Center, and Firewall if they are disabled, deleted, or corrupted. (The best way to do this is to use an existing registry from an uninfected machine with the same version of Windows and export all settings for these specific components. Then, on the infected machine, run the .REG files you generated from the clean machine. Alternatively, you can find what those entries should be for your system on the Microsoft Windows website.)

12. Now boot to normal Windows and create a new System Restore Point. (Safe Mode, System Restore, Security Center and Windows Firewall should all be working now.)

13. Run RogueKiller. (It will find the remnants of this infection, sometimes auto-loaders, and let you delete them completely from your system.)

14. From within RogueKiller, clean only the items that are relevant to this infection, because some of the entries it lists are normal! Then click to reset your HOSTS file. (This variant redirects internet traffic through the HOSTS file, and resetting it resolves that.)

15. Reboot normally and run RogueKiller again. If the scan results are clean, you can delete RogueKiller because it is no longer needed.

16. To be certain your internet browsers are clean, check their plugins for pests, restore the default browser settings, and/or manually clear all data and reset your homepage. (This variant hijacks browsers.)

17. Repeat all steps per Windows User Account to be certain it is 100% gone. (Both of my client's user accounts were infected.)

18. ONLY IF NECESSARY, run a Windows protected system file check to determine whether any system files were corrupted by the infection. Open Command Prompt and type: C:\Windows\system32\sfc /SCANNOW (press ENTER, then follow the steps to repair any damaged files; on Windows XP, sfc may ask for the Windows installation CD to restore files it cannot recover from the local cache).

19. Create a new System Restore Point and label it something that will remind you that everything is now fixed.

20. Check that all your programs still work correctly.
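A read-only PowerShell audit added to this post (not the author's own) that covers steps 3, 11 and 14 in one pass: it lists every Startup-folder shortcut with its real target (a shortcut named ctfmon.lnk borrows the name of the legitimate ctfmon.exe, so what it points at matters more than the name), prints HOSTS entries other than localhost, and, on the live machine, reports the System Restore, Security Center and Firewall registry values and service start types that this infection disables. It assumes the Windows XP profile layout, PowerShell 2.0 or later, and an Administrator session; the SafeBoot key check is my addition, since the post does not say why Safe Mode failed.

```powershell
# Audit script added to this post (not the author's); reports only, changes nothing.
# Assumes PowerShell 2.0+ run as Administrator and the Windows XP profile layout
# (<root>\Documents and Settings\<user>\Start Menu\Programs\Startup).
param([string]$Root = $env:SystemDrive)   # pass e.g. "E:" to audit a mounted secondary drive (step 3)

$shell = New-Object -ComObject WScript.Shell

# Step 3: list every Startup-folder shortcut with its real target. The name can
# mimic a Windows component (ctfmon.lnk), so judge the target path, not the name.
$profiles = Join-Path $Root "Documents and Settings"
Get-ChildItem $profiles | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $user = $_.Name
    $startup = Join-Path $_.FullName "Start Menu\Programs\Startup"
    if (Test-Path $startup) {
        Get-ChildItem $startup -Filter *.lnk | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            Write-Output ("[startup] {0}: {1} -> {2} {3}" -f $user, $_.Name, $lnk.TargetPath, $lnk.Arguments)
        }
    }
}

# Step 14: HOSTS lines other than comments and the localhost entry are redirects.
$hostsFile = Join-Path $Root "WINDOWS\system32\drivers\etc\hosts"
Get-Content $hostsFile -ErrorAction SilentlyContinue | Where-Object { $_ -notmatch '^\s*(#|$)' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
    ForEach-Object { Write-Output "[hosts] $_" }

# Step 11: registry checks only make sense on the live (now bootable) machine, not a mounted drive.
if ($Root -eq $env:SystemDrive) {
    $values = @(
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'; Name = 'DisableSR'; Bad = 1 },
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'; Name = 'DisableConfig'; Bad = 1 },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Bad = 0 },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify'; Bad = 1 },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Bad = 1 }
    )
    foreach ($v in $values) {
        $cur = (Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        if ($cur -eq $v.Bad) { Write-Output ("[registry] {0}\{1} = {2} (disabled)" -f $v.Key, $v.Name, $cur) }
    }
    # Services behind System Restore (srservice), Security Center (wscsvc) and Firewall (SharedAccess); Start = 4 means disabled.
    foreach ($svc in 'srservice', 'wscsvc', 'SharedAccess') {
        $start = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue).Start
        if ($null -eq $start -or $start -eq 4) { Write-Output "[service] $svc Start = $start (disabled or missing)" }
    }
    # Safe Mode needs the SafeBoot\Minimal and SafeBoot\Network keys; a missing key would explain "no Safe Mode option works".
    foreach ($k in 'Minimal', 'Network') {
        if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$k")) { Write-Output "[registry] SafeBoot\$k key missing" }
    }
}
```

Run it once against the mounted drive (step 3) and again on the repaired machine after step 11; a clean run prints nothing except the legitimate Startup shortcuts you recognise.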


...I hope this guide helps, and if it did, please let me know. If it doesn't work, try these methods or these methods instead.