
Need help with FBI Moneypak virus! Can't get it to go away!


KJK


My computer got the FBI Moneypak virus a few days ago. I ran rKill and Malwarebytes and removed the affected files mbam found. A few hours later it showed up again. I did the same thing. Went to a web page and it happened again. It starts with Adobe Flash Player asking to make changes to the computer. If I choose "no" the virus takes over. The first 2 times I was able to Ctrl-Alt-Delete to get out of it and run mbam. The last time a black screen took over. Restarted in safe mode and ran rKill and mbam. Found several threats, including in the recycle bin. Restarted the computer and did the scan again. Found different threats. I restarted again and got a message about the recycle bin being corrupted. Emptied the recycle bin and am scanning again. Malwarebytes doesn't seem to be completely getting rid of the virus. What do I do now?


Hi,

my name is Daniel and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Download DDS and save it to your desktop from here.

Double-click DDS to run the tool and press Start.

Don't change any settings without instruction.

  • When done, DDS will save two (2) logs to your desktop:
    1. DDS.txt
    2. Attach.txt
  • Please post them in your next reply.


Hi,

Thanks for your help! Here are the files you requested. I restarted my computer in normal mode today and so far the virus has not taken over. However, I have not run mbam yet since restarting the computer. Yesterday every time I ran the program it kept finding the same virus and did not seem to remove it: (PUM.UserWLoad) and (Trojan.Ransom). McAfee was also disabled. Since restarting my computer McAfee seems to be running fine today.

dds.txt

attach.zip


Download ComboFix from this location:

Link 1

* IMPORTANT - Save ComboFix.exe to your Desktop

====================================================

Disable your antivirus and antispyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to this topic: How to disable your security applications

====================================================

Double-click on combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply for further review.

*Note - if after running ComboFix you see a message similar to 'registry key marked for deletion...', rebooting the machine will resolve that.


You are welcome.

Still any open issues? :)

Open Notepad and copy/paste the text in the code box below into it:


DirLook::
c:\users\Swaims\AppData\Roaming\Utpora
c:\users\Swaims\AppData\Roaming\Uklus
c:\users\Swaims\AppData\Roaming\Ovtu
c:\users\Swaims\AppData\Roaming\Gaxo
c:\users\Swaims\AppData\Roaming\Tate
c:\users\Swaims\AppData\Roaming\Ebexi

  • Save this as CFScript.txt, in the same location as ComboFix.exe.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

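A read-only way to look at what the DirLook:: step above asks ComboFix to report, as an added example that is not part of the thread or of ComboFix itself: it lists and hashes the files in the six Roaming folders named in the script and shows the per-user Winlogon "Load" value. Assumptions: it runs in the affected user's profile with PowerShell 4 or newer (for Get-FileHash), and the mapping of Malwarebytes' PUM.UserWLoad detection to that "Load" value is the editor's assumption, not stated in the thread.

```powershell
# Added example, not from the thread. Read-only: nothing is deleted or modified.
$Roaming = [Environment]::GetFolderPath('ApplicationData')   # %APPDATA%\Roaming
# Folder names copied from the CFScript in the thread
$Suspects = 'Utpora', 'Uklus', 'Ovtu', 'Gaxo', 'Tate', 'Ebexi'

foreach ($name in $Suspects) {
    $dir = Join-Path $Roaming $name
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Output "[absent ] $dir"
        continue
    }
    # -Force also lists hidden/system files, which malware droppers commonly set
    $files = @(Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue)
    Write-Output ("[present] {0} ({1} files)" -f $dir, $files.Count)
    foreach ($f in $files) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Write-Output ("    {0,-40} {1,10} bytes  {2:u}  {3}" -f $f.Name, $f.Length, $f.LastWriteTime, $hash)
    }
}

# Per-user autostart value. A clean profile normally has no "Load" value at all;
# treating this as the location behind PUM.UserWLoad is an assumption of this example.
$key  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Load
if ($load) { Write-Output "Winlogon Load value is set: $load" }
else       { Write-Output "Winlogon Load value: not set" }
```

The hashes let the listing be compared against a later run, which is one way to tell whether a folder ComboFix emptied has been recreated.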

Open Notepad and copy/paste the text in the code box below into it:


Folder::
c:\users\Swaims\AppData\Roaming\Utpora
c:\users\Swaims\AppData\Roaming\Uklus
c:\users\Swaims\AppData\Roaming\Ovtu
c:\users\Swaims\AppData\Roaming\Gaxo
c:\users\Swaims\AppData\Roaming\Tate
c:\users\Swaims\AppData\Roaming\Ebexi
ClearJavaCache::

  • Save this as CFScript.txt, in the same location as ComboFix.exe.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double-click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.

Please download SecurityCheck and save it to your Desktop.

  • Double-click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.

Please post the contents of that document in your next reply.


I attached the ComboFix Report.

ESET did find a threat:

C:\Qoobox\Quarantine\C\ProgramData\ms026309FB.dat.vir a variant of Win32/Kryptik.AQPB trojan

Here are the results from Security Check:

Results of screen317's Security Check version 0.99.56

Windows 7 Service Pack 1 x64 (UAC is enabled)

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

McAfee Anti-Virus and Anti-Spyware

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Java™ 6 Update 15

Java version out of Date!

Adobe Flash Player 10 Flash Player out of Date!

Adobe Reader 9 Adobe Reader out of Date!

Adobe Reader 10.1.3 Adobe Reader out of Date!

Mozilla Firefox (3.6.12) Firefox out of Date!

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

Google Chrome 22.0.1229.79

Google Chrome 22.0.1229.92

Google Chrome 22.0.1229.94

Google Chrome 23.0.1271.64

Google Chrome 23.0.1271.91

Google Chrome 23.0.1271.95

Google Chrome 23.0.1271.97

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

McAfee Online Backup MOBKbackup.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````

ComboFix.txt


Do you know why I cannot use PowerPoint? I try to load the program and Office 2010 comes up and says it's configuring. Then it says there is an error and it can't find the files or connect to the network. It directs me to a temp file for more information. I didn't go to that file. Then it tries to connect to update and install and says there is an error. Then it shuts down. Is this connected to the virus? Or to one of the programs we ran? I really need this program for work ASAP! Thanks.


I'm not able to copy the error message. What I am getting now is this when I try to open up Microsoft Word: "The feature you are trying to use is on a network resource that is unavailable. Click OK to try again, or enter an alternate path to a folder containing the installation package 'Office64WW.msi' in the box below."

Use source:

C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\

It's like the programs got uninstalled and need to be reinstalled with the CD-ROM. These are programs we added to the computer after purchasing. Do you know if that is common? I can try that and see if it fixes the problem.

Is the virus gone now? Are there more steps I need to take? Thanks for your help!!


Hi there.

Is MS Word installed on your hard drive? It sounds like it has been installed on a network drive. You can try to reinstall it.

Let's fix some security holes now.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment 7 Update 10 and save it to your desktop.
  • Scroll down to where it says Java SE 7 Update 10
  • Click the red Download JRE button on the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u10-windows-i586 to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (it looks like a coffee cup).

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are three options in the window to clear the cache - Make sure all are checked
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

There is a newer version of Adobe Acrobat Reader available.

  • Please go to this link Adobe Acrobat Reader Download Link
  • Untick Free McAfee® Security Scan Plus if you do not wish to include this in the installation.
  • Click Download
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

To Update Firefox please follow the instructions here: http://www.mozilla.org/en-US/firefox/update/


I updated Adobe Reader and Java. With Java I get a pop-up saying "The Java plug-in SSV Helper add-on is ready for use. Enable? Don't Enable?" Should I enable that add-on? Also, I uninstalled Adobe Acrobat X Pro 10.1.0. Is that OK?

Do I need to update Firefox if I don't use it?

Do I need to update my Flash Player? How do I do that?

Is there anything else I need to do?

Thanks for your help! I appreciate it!


If you don't use Firefox, then uninstall it ;)

Every piece of software on your system must be up to date, even if you don't use it.

Sorry, I missed the instruction for Flash Player. --> http://www.adobe.com/support/flashplayer/downloads.html

How about MS Word? Did reinstalling it solve the issue?


I uninstalled Firefox and installed the new Flash Player. I'm still trying to find my product key for MS Word, so I haven't gotten to reinstall that.

Do I need to remove any of the programs we used to clean up the computer, such as ComboFix?

Thanks!


Hi there.

All tools will be removed after the cleanup.

Please bear in mind to defrag your disk if it is not an SSD.

Please launch DDS.

Make sure that the following options are checked:

  • DDS.txt
  • attach.txt

Press the Start Button.

When done, DDS will open both logfiles which will also be saved on your desktop.

Please post them in your next reply.


Hi there. I don't want to run the cleanup for now, as this will also flush your System Restore Points and it could be that we need them.

One of my colleagues gave me this link --> http://answers.microsoft.com/en-us/office/forum/office_2007-office_install/office-2007-is-asking-me-to-reinstall-cmsocacheall/14b42278-dee4-448c-bb64-9016317703bb

Maybe you are familiar with how to run the Office diagnostics :D


2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
