Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


ICE Moneypack Virus

  • This topic is locked This topic is locked
No replies to this topic

#1 jmark235


  • Members
  • 4 posts
  • Local time:02:51 PM

Posted 18 February 2014 - 06:30 PM

I was hit with the ICE moneypack virus earlier today and was able to fix it and wanted to share some information from the process. I am running Windows XP SP3 with Norton Internet Security 2013.


The symptoms were similar to all of the moneypack viruses whereby upon boot a 'send me the money' notice appeared and I wasn't able to do a normal shutdown, start in safe mode, start Windows Task Manager to delete the process or, initially, boot from my Norton Recovery disk. Following are the steps that worked.


1) Change BIOS boot order - I noticed that my PC was not even trying to boot from the Norton Recovery disk so I  rebooted while pressing the F2 ket to get into the BIOS. The C drive was the 1st boot device which I'm 99.999% sure was not what it had previously been set to. I suspect that the virus changed the boot order to prevent booting from a disk. I changed so that the removeable disk was the 1st boot device and was able to boot from the Norton Recovery disk.


2) Boot from an anti-virus recovery disk such as Norton's. I ran Norton Power Eraser and scan which identified the file qfwjnbtlw.cpp (compiled C++ executable) as a virus. I had Norton remove the file. I would bet that the file name is different on every computer but look for the .CPP file flagged by your scan.


3) I rebooted in normal mode and received a file not found message referring to the file deleted in step 2 but the boot finished normally and everything worked fine. I deleted the file which was trying to start the executable in step 2 (an INI file in startup I think) and rebooted again and everything seemed normal.


4) Run system restore. Just to make sure and to remove any settings, registry entries or additional files installed by the virus I ran system restore to restore everyhting to a pre-virus restore point. On my PC, to run restore I have to boot in safe mode (press the F8 key about twice per second as soon as the PC starts to boot) and run restore from safe mode.


I think that I have everything back to pre-virus configurations. If anyone is aware of anything else that the virus changed that I should check/change/delete then details would be appreciated.

BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users