MoneyPak DOJ/FBI Virus on Vista


I'm infected with the MoneyPak virus on our home desktop. I do have access via a laptop. I've followed a few of the posts and tried to resolve it with not much success.

Status:

I can get to a command prompt via Shift8 key during start up. I have run the procedure to generate the Search.txt and the FRST.txt files, attached.

But now I am stuck.

Thanks

ScottT

FRST.txt

Search.txt


Hello ScottT and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

I'm afraid I have bad news.

One or more of the identified infections is a rootkit. Rootkits are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system, bypassing security mechanisms, and stealing sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

I suggest you disconnect this computer from the Internet immediately after you finish reading this post.

If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted.

Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on Internet theft and when to reformat!

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before making a final decision, please feel free to ask.

Instructions on how to format and reinstall Windows can be found here


Wow...that is bad. Thank you for the timely reply.

Approach:

1. We will change all account passwords immediately.

2. Since we have some files that we would like to recover (family pictures, etc.), we'd like to see if you can clean the computer to the point where we can get these documents. Once that is complete, if possible, we'd reformat the system and start over.

Therefore, please advise steps to clean as much as possible.

Thank you again.


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the flashdrive as fixlist.txt

HKLM\...\Run: [] [x]

HKLM\...\InprocServer32: [Default-wbemess] \\.\globalroot\systemroot\Installer\{501abf18-ab15-8200-b433-083c56065162}\n.

HKU\Ownetr\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Ownetr\Documents\5d92534.exe [ 2013-05-16] ()

HKU\Ownetr\...\Winlogon: [shell] cmd.exe [ 2008-01-20] (Microsoft Corporation)

C:\ProgramData\Application Data\2433f433

C:\ProgramData\2433f433

C:\Users\Ownetr\Application Data\2433f433

C:\Users\Ownetr\AppData\Roaming\2433f433

C:\Users\Ownetr\Local Settings\Application Data\2433f433

C:\Users\Ownetr\Local Settings\2433f433

C:\Users\Ownetr\AppData\Local\2433f433

C:\Users\Ownetr\My Documents\5d92534.exe

C:\Users\Ownetr\My Documents\5d92534.dll

C:\Users\Ownetr\Documents\5d92534.exe

C:\Users\Ownetr\Documents\5d92534.dll

C:\Windows\Installer\{501abf18-ab15-8200-b433-083c56065162}

C:\Users\Ownetr\AppData\Local\{501abf18-ab15-8200-b433-083c56065162}

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.

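The four registry lines in the fixlist above are FRST's record of the persistence this infection set up: an autorun value with a random-looking name that launches an executable from the user's Documents folder, a Winlogon Shell value replaced by cmd.exe, and a COM InprocServer32 server redirected through a \\.\globalroot device path. As an added example (not part of this thread and not FRST's own code), the Python below parses lines in that FRST registry-line format, using sample input constructed from the page's own entries plus one benign Winlogon line, and flags those three patterns so a defender can spot them in other FRST logs.

```python
import re

# Constructed sample input: the four FRST registry lines quoted in this thread,
# plus one benign Winlogon line (constructed) to show a normal Shell value is not flagged.
SAMPLE_FRST_LINES = [
    r"HKLM\...\Run: [] [x]",
    r"HKLM\...\InprocServer32: [Default-wbemess] \\.\globalroot\systemroot\Installer\{501abf18-ab15-8200-b433-083c56065162}\n.",
    r"HKU\Ownetr\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Ownetr\Documents\5d92534.exe [ 2013-05-16] ()",
    r"HKU\Ownetr\...\Winlogon: [shell] cmd.exe [ 2008-01-20] (Microsoft Corporation)",
    r"HKLM\...\Winlogon: [Shell] explorer.exe [ 2009-04-11] (Microsoft Corporation)",
]

# FRST registry line layout: <hive>\<abbreviated path>\<key>: [<value name>] <data> [<date>] (<signer>)
LINE_RE = re.compile(r"^(?P<hive>HK[A-Z_]+)\\(?P<path>.*?): \[(?P<name>[^\]]*)\]\s*(?P<data>.*)$")


def parse_frst_line(line):
    """Split one FRST registry line into hive, key (last path component), value name and data."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key = m.group("path").rsplit("\\", 1)[-1]
    return {"hive": m.group("hive"), "key": key, "name": m.group("name"), "data": m.group("data")}


def triage(lines):
    """Return (key, value name, reason) for each line matching a persistence pattern seen in this thread."""
    findings = []
    for line in lines:
        entry = parse_frst_line(line)
        if entry is None:
            continue
        key, name, data = entry["key"], entry["name"], entry["data"]
        # The launched file or command is everything before FRST's " [date]" field.
        target = data.split(" [", 1)[0].strip().lower()
        if key.lower() == "winlogon" and name.lower() == "shell" and target != "explorer.exe":
            findings.append((key, name, f"Winlogon Shell replaced by '{target}' (user shell hijack)"))
        elif key.lower() == "inprocserver32" and "\\\\.\\globalroot\\" in data.lower():
            findings.append((key, name, "COM server redirected through a \\\\.\\globalroot device path (CLSID hijack)"))
        elif key.lower() == "run":
            if data.strip() == "[x]":
                findings.append((key, name, "autorun value whose target file no longer exists (FRST marks it [x])"))
            elif re.search(r"\\users\\[^\\]+\\(documents|appdata|my documents)\\", target):
                findings.append((key, name, "autorun launching an executable from a user profile folder"))
    return findings


if __name__ == "__main__":
    for key, name, reason in triage(SAMPLE_FRST_LINES):
        print(f"{key:16} [{name}] -> {reason}")
```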

One question before I proceed, how do I know if I have a 32 or 64 bit system? I cannot get to the START button or My Computer. I can only interrupt the system start up with the F8 key which allows me to get to the SYSTEM RECOVERY OPTIONS and COMMAND PROMPT.

Thank you. I will be happy to donate to your paypal account.


Maniac:

I am back working on this. Sorry for the delay. I had some family matters to attend.

Status:

1. Fixlist is saved to a flash drive.

2. Below is the fixlog.txt (I tried to attach it as a file but I cannot find the "attach file" button now?)

Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-05-2013

Ran by SYSTEM at 2013-05-19 08:31:58 Run:1

Running from M:\

Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.

HKLM\Software\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default => Value was restored successfully.

HKEY_USERS\ Ownetr\Software\Microsoft\Windows\CurrentVersion\Run\\ qcgce2mrvjq91kk1e7pnbb19m52fx => Value not found.

HKEY_USERS\ Ownetr\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value not found.

==== End of Fixlog ====

Thank you.


Something is wrong.

Please try again, but this time make sure that every entry is on a new line, just like this:

C:\ProgramData\Application Data\2433f433

C:\ProgramData\2433f433

C:\Users\Ownetr\Application Data\2433f433

C:\Users\Ownetr\AppData\Roaming\2433f433

C:\Users\Ownetr\Local Settings\Application Data\2433f433

C:\Users\Ownetr\Local Settings\2433f433

C:\Users\Ownetr\AppData\Local\2433f433

C:\Users\Ownetr\My Documents\5d92534.exe

C:\Users\Ownetr\My Documents\5d92534.dll

C:\Users\Ownetr\Documents\5d92534.exe

C:\Users\Ownetr\Documents\5d92534.dll

C:\Windows\Installer\{501abf18-ab15-8200-b433-083c56065162}

C:\Users\Ownetr\AppData\Local\{501abf18-ab15-8200-b433-083c56065162}


Yes, each entry in the fixlist.txt is on individual lines. Here is the copy and paste from my Notepad:

HKLM\...\Run: [] [x]

HKLM\...\InprocServer32: [Default-wbemess] \\.\globalroot\systemroot\Installer\{501abf18-ab15-8200-b433-083c56065162}\n.

HKU\Ownetr\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Ownetr\Documents\5d92534.exe [ 2013-05-16] ()

HKU\Ownetr\...\Winlogon: [shell] cmd.exe [ 2008-01-20] (Microsoft Corporation)

C:\ProgramData\Application Data\2433f433

C:\ProgramData\2433f433

C:\Users\Ownetr\Application Data\2433f433

C:\Users\Ownetr\AppData\Roaming\2433f433

C:\Users\Ownetr\Local Settings\Application Data\2433f433

C:\Users\Ownetr\Local Settings\2433f433

C:\Users\Ownetr\AppData\Local\2433f433

C:\Users\Ownetr\My Documents\5d92534.exe

C:\Users\Ownetr\My Documents\5d92534.dll

C:\Users\Ownetr\Documents\5d92534.exe

C:\Users\Ownetr\Documents\5d92534.dll

C:\Windows\Installer\{501abf18-ab15-8200-b433-083c56065162}

C:\Users\Ownetr\AppData\Local\{501abf18-ab15-8200-b433-083c56065162}

I ran it twice but the results look similar:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-05-2013

Ran by SYSTEM at 2013-05-19 10:23:59 Run:3

Running from L:\

Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value not found.

HKLM\Software\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default => Value was restored successfully.

HKEY_USERS\ Ownetr\Software\Microsoft\Windows\CurrentVersion\Run\\ qcgce2mrvjq91kk1e7pnbb19m52fx => Value not found.

HKEY_USERS\ Ownetr\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value not found.

==== End of Fixlog ====

Regarding one of your earlier replies:

"Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the flashdrive as fixlist.txt"

The "fixlist.txt" file disappears from the flash drive after the FRST.exe file runs. So, it seems to be polling that information correctly.

When in the FRST window, should I be selecting "Addition.txt" in the Optional Scan window?


Please try with this script:

C:\ProgramData\Application Data\2433f433

C:\ProgramData\2433f433

C:\Users\Ownetr\Application Data\2433f433

C:\Users\Ownetr\AppData\Roaming\2433f433

C:\Users\Ownetr\Local Settings\Application Data\2433f433

C:\Users\Ownetr\Local Settings\2433f433

C:\Users\Ownetr\AppData\Local\2433f433

C:\Users\Ownetr\My Documents\5d92534.exe

C:\Users\Ownetr\My Documents\5d92534.dll

C:\Users\Ownetr\Documents\5d92534.exe

C:\Users\Ownetr\Documents\5d92534.dll

C:\Windows\Installer\{501abf18-ab15-8200-b433-083c56065162}

C:\Users\Ownetr\AppData\Local\{501abf18-ab15-8200-b433-083c56065162}


Maniac...

I just noticed that after the first line, there is a space at the beginning of each line in my Notepad file. I ran it again. Here is the fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-05-2013

Ran by SYSTEM at 2013-05-19 10:43:24 Run:4

Running from L:\

Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value not found.

HKLM\Software\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default => Value was restored successfully.

HKEY_USERS\Ownetr\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value not found.

HKEY_USERS\Ownetr\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.

C:\ProgramData\Application Data\2433f433 => Moved successfully.

C:\ProgramData\2433f433 => File/Directory not found.

C:\Users\Ownetr\Application Data\2433f433 => Moved successfully.

C:\Users\Ownetr\AppData\Roaming\2433f433 => File/Directory not found.

C:\Users\Ownetr\Local Settings\Application Data\2433f433 => Moved successfully.

C:\Users\Ownetr\Local Settings\2433f433 => File/Directory not found.

C:\Users\Ownetr\AppData\Local\2433f433 => File/Directory not found.

C:\Users\Ownetr\My Documents\5d92534.exe => File/Directory not found.

C:\Users\Ownetr\My Documents\5d92534.dll => Moved successfully.

C:\Users\Ownetr\Documents\5d92534.exe => File/Directory not found.

C:\Users\Ownetr\Documents\5d92534.dll => File/Directory not found.

C:\Windows\Installer\{501abf18-ab15-8200-b433-083c56065162} => Moved successfully.

C:\Users\Ownetr\AppData\Local\{501abf18-ab15-8200-b433-083c56065162} => Moved successfully.

==== End of Fixlog ====

Is this any better?

Thank you.


Maniac!!!!

I rebooted and I am at my normal desktop screen.

At an earlier point before you became involved, I tried to do a System Restore to an earlier time. This was not possible then. However, now I am presented with a System Restore warning window that is informing me of the unsuccessful System Restore effort.

What steps do you suggest that I take now? (I am currently disconnected from the internet)

Note: We do have Kaspersky but it did expire and it was not running. Do you suggest we sign up for the license and run a full scan using the Kaspersky program?

Thank you. Please check your paypal.


A small victory. :)

At an earlier point before you became involved, I tried to do a System Restore to an earlier time. This was not possible then. However, now I am presented with a System Restore warning window that is informing me of the unsuccessful System Restore effort.

Please ignore this action.

What steps do you suggest that I take now? (I am currently disconnected from the internet)

Connect your system to the Internet and then:

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Note: We do have Kaspersky but it did expire and it was not running. Do you suggest we sign up for the license and run a full scan using the Kaspersky program?

About your security protection, it is your own choice. When we finish our job here, you should immediately get fully functional and updated antivirus protection, then perform a full system scan.

Thank you! :)


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
