FBI Moneypak (Reveton variant) Infection - Please Help


Hi,

Your assistance in addressing the following problem is appreciated greatly. I am hesitant to proceed further in my attempts to remove or recover from this infection due to the nature of the associated problems and due to conflicting recommendations and procedures about which I have read online. These forums and the team of experts are truly impressive and, it appears, my last best hope for dealing with this infection.

Issue: Windows XP (SP2) desktop PC is infected with a variant of the FBI Moneypak ransomware. A variant of the Reveton virus (either A or F) appeared to be on the computer about 8 or 10 weeks ago. A scan by Microsoft Security Essentials removed some files; others were manually removed. The symptoms associated with that infection disappeared.

Symptoms: The following are listed in the order in which they first occurred (or were noticed).

CMOS error (incorrect configuration) at boot-up occurred once in last week.

Hesitation in loading Windows at Startup

Computer shut down twice while in Windows (I thought that could be due to a power cord issue.)

Appearance of 'FBI' warning screen about 10 seconds after launching Internet Explorer (and concurrent with loading of home page); machine is frozen at this point and has to be shut down via the power button.

Ability to start Windows normally and conduct most operations / tasks on machine until the ethernet connection with router is re-established and the browser started (Note: browser can be loaded without triggering appearance of warning screen if computer not connected to internet)

Unable to open Command Prompt window

Unable to open and view Task Manager (icon for Task Manager visible in toolbar, not accessible)

Unable to boot into Safe Mode, Safe Mode with Command Prompt, Safe Mode with Networking

A BSOD error message results with the Stop Error: 0x0000007B (0xF78A6524, 0x00000034, 0x00000000, 0x00000000). (Note: a Microsoft forum moderator indicated that this error is often caused by the need to update drivers.)

Troubleshooting Efforts:

Unhooked the ethernet cable (wireless not enabled on the desktop) immediately after warning screen appeared.

Read about the Reveton / FBI / Moneypak ransomware 'virus' at Symantec, McAfee, Bleeping Computer and other reputable sites

Searched for: specific files (e.g., cftmon.ink) mentioned in some articles; none found

Ran: quick scan with Windows Malicious Software Tool; partial full scan with same tool; nothing found

Attempted to download free version of Malwarebytes on to infected computer but machine locked before download started

Downloaded to flash drive: Emsisoft Emergency Kit; free version of Malwarebytes; neither installed

Purchased: Malwarebytes Pro; box not even opened yet

Read forum entries at Malwarebytes re: Moneypak virus removal and decided to contact you before attempting any further removal or recovery attempts.

Related Information and questions:

The infected computer has not been turned on since attempting troubleshooting (e.g., running the partial full scan with Windows Malicious Software tool). It was running about 90 minutes (offline till the end when the infection was activated upon going online)

I am using my Apple Powerbook to post this message. I have access to a PC for use in downloading files/applications to a CD or flash drive for use in the process of scanning my computer.

Prior to initiating this process, I am considering making a current back-up of all of my data files on the infected computer. Is it OK to use an external hard drive for this task? If so, is it likely that the malware will infect the external hard drive?

I read elsewhere on the Malwarebytes site that a bootable Kaspersky Rescue Disk is recommended for use in cleaning out the infection. Should I make a rescue disk (on another PC) for possible use later?

Should I download and save to disk / flash drive the files / apps (e.g., combofix) that seem to be the tools used in other efforts to remove this malware? Is it OK to download on another PC (one with internet access) and to copy/install on the infected machine?

I do not have a manufacturer's recovery disk for this computer (Sony PCV-RS30G). I do have a set of untested recovery disks made when the machine was purchased (as well as another set made a couple of years ago).

I will be available to check and respond to this post from 6 p.m. to 1 a.m. and 7 a.m. to 8:30 a.m. (EST) on each day this week (December 23rd).

Thanks very much for your time, expertise and assistance.


I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. :)

Prior to initiating this process, I am considering making a current back-up of all of my data files on the infected computer. Is it OK to use an external hard drive for this task? If so, is it likely that the malware will infect the external hard drive?

It is unlikely that you will get infected. If there are any files you really want to backup then go ahead.

I read elsewhere on the Malwarebytes site that a bootable Kaspersky Rescue Disk is recommended for use in cleaning out the infection. Should I make a rescue disk (on another PC) for possible use later?

This is a good idea in case you need it sometime else.

Should I download and save to disk / flash drive the files / apps (e.g., combofix) that seem to be the tools used in other efforts to remove this malware? Is it OK to download on another PC (one with internet access) and to copy/install on the infected machine?

No need to do this just yet. :)

I do not have a manufacturer's recovery disk for this computer (Sony PCV-RS30G). I do have a set of untested recovery disks made when the machine was purchased (as well as another set made a couple of years ago).

OK. These may be useful later. :)

=====

Please read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Be sure to read these:

Download Kaspersky Rescue Disk 10

How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?

How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

  • Please go to a clean computer
  • Download the .iso image file.
  • Create a CD (or flash drive if you prefer).
  • On the infected computer: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences.

Familiarise yourself with How to create a report file in Kaspersky Rescue Disk 10?

Then, please print the following directions:

Boot from Kaspersky Rescue Disk 10:

Restart your computer and put the disk in the drive while booting.

Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.

Select the required interface language using the arrow-keys on your keyboard.

Press the Enter key on the keyboard.

In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode

Click Enter.

Click 'A' to accept the agreement.

Select operating system from dropdown menu (select Windows whatever).

Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:

Click My Update Center and update.

Back to other tab and click Start Object Scan.

When scan has completed save a report:

On the upper part of the Kaspersky Rescue Disk window, click on the Report link.

On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.

On the upper right hand corner of the Detailed report window, click on the Save button.

After clicking Detailed Report and 'SAVE', a browse window opens.

Double-click on the \

Click 'disks'.

All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.

Click on the Save button.

The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.


Hi Dark Knight,

Thanks for the reply and for your time and assistance. I will perform the downloads and create a bootable disc on a clean machine tonight. I will not be able to actually perform the boot-up scan until the morning of 26 December. After the report is created, shall I post it for your review? Thanks again.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
