
FBI MoneyPak virus: can't get to safe mode



Hi all,

I would appreciate some help with this. I am assisting an elderly gentleman in cleaning his (old Pentium 3) computer with Windows 7 Ultimate. He appears to have the FBI MoneyPak virus. I can get to Advanced Boot Options at boot but cannot select Safe Mode (this may have something to do with the fact that I have only a USB keyboard and mouse to connect to this old machine). Any advice on next steps is appreciated!

Thanks!


Welcome to the forum, here's how we deal with that malware:

  1. Please download Farbar Recovery Scan Tool and save it to a flash drive.
    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    Plug the flash drive into the infected PC.
  2. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
    If you are using Vista or Windows 7 enter System Recovery Options.
    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  3. On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    Select Command Prompt.
    Once in the Command Prompt:
  4. In the command window type in notepad and press Enter.
  5. The notepad opens. Under File menu select Open.
  6. Select "Computer" and find your flash drive letter and close the notepad.
  7. In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  8. The tool will start to run.
  9. When the tool opens click Yes to disclaimer.
  10. Press Scan button.
  11. It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC


Thanks. Two issues: 1) I am in Advanced Boot Options and do not see an option "Repair your computer" and 2) I can't scroll down using the arrow key. I'm wondering if the latter is due to the fact that this is a pretty old computer and I am trying to use a USB keyboard.


If you don't make out, you can try this method......I'm not sure if it will work but I'm curious to see if it will:

http://maddoktor2.co...ic,64792.0.html

If not follow these instructions:

Here's what I would like you to do, you'll be scanning with FRST and OTLPE:

You'll need a usb flash drive and be able to burn a cd.

The cd I would like you to create is OTLPE:

Download OTLPE from HERE

Now put a blank cd-r in your burner and double click on OTLPEStd.exe, it will automatically burn the cd. (burn it at a slow speed to avoid errors)

You will also need to download Farbar Recovery Scan Tool, or FRST and copy it to your flash drive.

Once you have the cd created, boot the computer up using it.

Note: If you do not know how to set your computer to boot from CD follow the steps here

Plug in the flash drive and navigate to it.

Run FRST and click on Scan

When the scan completes.....

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Don't close out OTLPE!

-------------------------

Now OTLPE also has a built in scanner called OTL which I also want you to run:

It's going to go something like this when OTLPE loads:

  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the C:\OTL.txt file in your reply.

MrC


Here's the first log

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-05-2013 01

Ran by SYSTEM on 12-05-2013 22:51:08

Running from D:\

Windows 7 Ultimate (X86) OS Language: English(US)

Internet Explorer Version 8

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode [x]

HKLM\...\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup [602624 2009-04-05] ()

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-03-18] (Apple Inc.)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [248040 2010-02-18] (Sun Microsystems, Inc.)

HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-01-12] (Adobe Systems Incorporated)

HKLM\...\Run: [MigAutoPlay] "C:\ProgramData\MigAutoPlay.exe" [47896 2013-03-12] ()

HKLM\...\Winlogon: [shell] C:\ProgramData\MigAutoPlay.exe [x ] ()

HKU\Administrator\...\Run: [GoogleChrome] C:\Users\Administrator\ms.exe [ 2012-10-25] (www.hp.com)

========================== Services (Whitelisted) =================

S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)

S3 FontCache3.0.0.0; %systemroot%\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [x]

S3 idsvc; "%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" [x]

S4 NetTcpPortSharing; "%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [x]

==================== Drivers (Whitelisted) ====================

S3 ac97intc; C:\Windows\System32\drivers\ac97intc.sys [108032 2008-01-18] (Intel Corporation)

S3 fasttx2k; C:\Windows\system32\DRIVERS\fasttx2k.sys [156672 2003-06-10] (Promise Technology, Inc.)

S3 JRAID; C:\Windows\system32\DRIVERS\jraid.sys [48256 2020-02-01] (JMicron Technology Corp.)

S3 MTsensor; C:\Windows\system32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()

S2 PARPEPPY; C:\Windows\system32\PARPEPPY.SYS [10256 1998-02-20] (Zenographics, Inc.)

S3 cpuz132; \??\C:\Users\ADMINI~1\AppData\Local\Temp\cpuz132\cpuz132_x32.sys [x]

S4 WerSvc;

S4 WSearch;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-12 22:50 - 2013-05-12 22:50 - 00000000 ____D C:\FRST

==================== One Month Modified Files and Folders ========

2020-02-01 20:02 - 2009-08-30 02:44 - 00048256 ____A (JMicron Technology Corp.) C:\Windows\System32\Drivers\jraid.sys

2013-05-12 22:51 - 2010-03-15 21:20 - 00000000 ____D C:\users\Administrator

2013-05-12 22:50 - 2013-05-12 22:50 - 00000000 ____D C:\FRST

2013-05-12 21:41 - 2010-03-15 21:28 - 00717336 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-12 21:41 - 2010-03-15 21:18 - 01425430 ____A C:\Windows\WindowsUpdate.log

2013-05-12 21:36 - 2009-07-14 00:34 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-12 21:36 - 2009-07-14 00:34 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-12 21:28 - 2012-09-19 21:14 - 00008366 ____A C:\Windows\setupact.log

2013-05-12 21:28 - 2009-07-14 00:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-12 21:27 - 2013-03-13 22:22 - 121814130 ____A C:\Windows\MEMORY.DMP

Other Malware:

===========

C:\Users\Administrator\ms.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll

[2009-08-28 02:04] - [2010-03-15 21:23] - 0811520 ____A (Microsoft Corporation) ED33264518DD8BC4030406602C857589

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2013-02-21 22:37] - [2012-09-06 12:48] - 0245616 ____A (Microsoft Corporation) 59F06B4968E58BC83DFC56CA4517960E

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 55%

Total physical RAM: 382.3 MB

Available physical RAM: 172 MB

Total Pagefile: 326.13 MB

Available Pagefile: 200.68 MB

Total Virtual: 2047.88 MB

Available Virtual: 1994.02 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS

Drive c: () (Fixed) (Total:37.27 GB) (Free:23.84 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Drive d: (UDISK 12X) (Removable) (Total:0.12 GB) (Free:0.1 GB) FAT

Drive x: (ReatogoPE) (CDROM) (Total:0.28 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 37 GB) (Disk ID: EEA4EEA4)

Partition 1: (Active) - (Size=37 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (Size: 119 MB) (Disk ID: 4086684D)

Partition 1: (Active) - (Size=119 MB) - (Type=06)

Last Boot: 2013-03-06 16:15

==================== End Of Log ============================

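The registry section of the log above is the part a helper reads first when a machine boots straight into a lock screen. As an added example (not part of the original thread and not FRST's own logic), the Python below runs two triage heuristics, both assumptions chosen here, over autostart lines copied from that log: a Winlogon shell value that is not explorer.exe, and an autostart executable sitting directly in C:\ProgramData or in the root of a user profile.

```python
import re
from pathlib import PureWindowsPath

# Autostart lines copied from the FRST.txt log posted in this thread.
SAMPLE = r'''
HKLM\...\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode [x]
HKLM\...\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup [602624 2009-04-05] ()
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-03-18] (Apple Inc.)
HKLM\...\Run: [MigAutoPlay] "C:\ProgramData\MigAutoPlay.exe" [47896 2013-03-12] ()
HKLM\...\Winlogon: [shell] C:\ProgramData\MigAutoPlay.exe [x ] ()
HKU\Administrator\...\Run: [GoogleChrome] C:\Users\Administrator\ms.exe [ 2012-10-25] (www.hp.com)
'''

# "<abbreviated key>: [<value name>] <data>" as printed in the log's registry section.
ENTRY = re.compile(r'^(?P<key>HK\S+?): \[(?P<name>[^\]]+)\] (?P<rest>.*)$')
# First drive-qualified .exe path in the data, quoted or not.
EXE = re.compile(r'"?([A-Za-z]:\\[^"\[]*?\.exe)', re.I)

def loose_exe(path):
    # Assumed heuristic: binary directly in ProgramData or in a profile root.
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return (len(parts) == 3 and parts[1] == 'programdata') or \
           (len(parts) == 4 and parts[1] == 'users')

def triage(log_text):
    """Return (key, value name, exe path, reasons) for each flagged line."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        exe = EXE.search(m['rest'])
        path = exe.group(1) if exe else None
        reasons = []
        # Assumed heuristic: the logon shell should be explorer.exe.
        if m['key'].lower().endswith('\\winlogon') and m['name'].lower() == 'shell':
            if path is None or PureWindowsPath(path).name.lower() != 'explorer.exe':
                reasons.append('Winlogon shell is not explorer.exe')
        if path and loose_exe(path):
            reasons.append('executable directly in ProgramData or profile root')
        if reasons:
            findings.append((m['key'], m['name'], path, reasons))
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE):
        print(finding)
```

A flagged line is a candidate for review against the rest of the log, not a verdict; the log's own "Other Malware" section independently lists C:\Users\Administrator\ms.exe.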

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it to your reply.

See if the computer boots normally now.

MrC


Yes, it's important to run some additional scans to ensure you're clean:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that your system is now functioning normally.

MrC


Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Try it like this......

Delete your copy of ComboFix. Grab a fresh copy and save it to your Desktop, but do not run it yet.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown: (copy and paste)

"%userprofile%\desktop\combofix.exe" /nombr

See if it will run successfully now.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
