FBI MoneyPak - Please help


Hi,

I am getting the MoneyPak screen and I tried multiple websites to resolve the problem, however, nothing is working. I followed some of the instructions given on this website and managed to run FRST64 in System Recovery mode. Here is the log file. Please provide a solution when any of you get a chance at the earliest.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 18-05-2013

Ran by SYSTEM on 18-05-2013 04:21:40

Running from E:\

WIN_7 Service Pack 1 (X64) OS Language: English(US)

Boot Mode: Recovery

Attention: Could not load system hive.

Attention: System hive is missing.

==================== Registry (Whitelisted) ==================

Attention: Software hive is missing.

ATTENTION: Software hive is not loaded.

BootExecute:

==================== Services (Whitelisted) =================

==================== Drivers (Whitelisted) ====================

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

==================== One Month Modified Files and Folders =======

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION!.

C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

C:\Windows\System32\winsrv.dll IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!

HKLM\...\exefile\DefaultIcon: <===== ATTENTION!

HKLM\...\exefile\open\command: <===== ATTENTION!

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 12%

Total physical RAM: 3983.23 MB

Available physical RAM: 3473.39 MB

Total Pagefile: 3981.43 MB

Available Pagefile: 3451.43 MB

Total Virtual: 8192 MB

Available Virtual: 8191.89 MB

==================== Drives ================================

Drive e: (HITMANPRO) (Removable) (Total:3.71 GB) (Free:3.71 GB) FAT32 (Disk=1 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (BDEDrive) (Fixed) (Total:0.29 GB) (Free:0.25 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (Size: 149 GB) (Disk ID: 9AD9456B)

Partition 1: (Not Active) - (Size=149 GB) - (Type=07 NTFS)

Partition 2: (Active) - (Size=300 MB) - (Type=07 NTFS)

========================================================

Disk: 1 (Size: 4 GB) (Disk ID: 9E750095)

Partition 1: (Active) - (Size=4 GB) - (Type=0B)

==================== End Of Log ============================


That's why the logs look like that.

What else have you tried to correct the FBI MoneyPak virus??

I see HITMANPRO

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next:

Please download Listparts64 and copy it to your flashdrive, run it the same way as you did FRST but click Scan once the Listparts opens.

Post back the 2 logs and MBRDUMP.txt

MrC


Hi MrC,

Thanks for the reply. Yes, I tried HitmanPro. Because of the encryption, it could not go further.

Some questions:

1) Is the issue fixed now?

2) While executing ListParts64, I had to select 'List BCD' before executing the scan. Was that the right thing to do?

3) What is MBRDUMP.txt?

The fixlog txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-05-2013

Ran by SYSTEM at 2013-05-18 13:03:30 Run:1

Running from E:\

Boot Mode: Recovery

==============================================

HKEY_USERS\John\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value not found.

C:\Users\John\Application Data\skype.ini => File/Directory not found.

C:\Users\John\Application Data\skype.dat => File/Directory not found.

C:\Users\John\AppData\Roaming\skype.ini => File/Directory not found.

C:\Users\John\AppData\Roaming\skype.dat => File/Directory not found.

==== End of Fixlog ====

Result txt from Listparts64:

ListParts by Farbar Version: 10-05-2013

Ran by SYSTEM (administrator) on 18-05-2013 at 13:07:47

Windows 7 (X64)

Running From: E:\

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 11%

Total physical RAM: 3983.23 MB

Available physical RAM: 3530.08 MB

Total Pagefile: 3981.43 MB

Available Pagefile: 3506.48 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (BDEDrive) (Fixed) (Total:0.29 GB) (Free:0.25 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

3 Drive e: (HITMANPRO) (Removable) (Total:3.71 GB) (Free:3.71 GB) FAT32

4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 149 GB 10 MB

Disk 1 Online 3819 MB 0 B

Partitions of Disk 0:

===============

Disk ID: 9AD9456B

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 148 GB 1024 KB

Partition 2 Primary 300 MB 148 GB

======================================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 0 D RAW Partition 148 GB Healthy

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C BDEDrive NTFS Partition 300 MB Healthy

======================================================================================================

Partitions of Disk 1:

===============

Disk ID: 9E750095

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3812 MB 31 KB

======================================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 E HITMANPRO FAT32 Removable 3812 MB Healthy

======================================================================================================

============================== MBR Partition Table ==================

==============================

Partitions of Disk 0:

===============

Disk ID: 9AD9456B

Partition 1: (Not Active) - (Size=149 GB) - (Type=07 NTFS)

Partition 2: (Active) - (Size=300 MB) - (Type=07 NTFS)

==============================

Partitions of Disk 1:

===============

Disk ID: 9E750095

Partition 1: (Active) - (Size=4 GB) - (Type=0B)

Windows Boot Manager

--------------------

identifier {bootmgr}

device partition=C:

description Windows Boot Manager

locale en-US

inherit {globalsettings}

default {default}

resumeobject {d4b7de54-ace4-11e1-8788-f0def1e5b563}

displayorder {default}

toolsdisplayorder {memdiag}

timeout 30

Windows Boot Loader

-------------------

identifier {default}

device partition=D:

path \Windows\system32\winload.exe

description Windows 7

locale en-US

inherit {bootloadersettings}

recoverysequence {current}

recoveryenabled Yes

osdevice partition=D:

systemroot \Windows

resumeobject {d4b7de54-ace4-11e1-8788-f0def1e5b563}

nx OptOut

Windows Boot Loader

-------------------

identifier {current}

device ramdisk=[D:]\Recovery\d4b7de56-ace4-11e1-8788-f0def1e5b563\Winre.wim,{d4b7de57-ace4-11e1-8788-f0def1e5b563}

path \windows\system32\winload.exe

description Windows Recovery Environment

inherit {bootloadersettings}

osdevice ramdisk=[D:]\Recovery\d4b7de56-ace4-11e1-8788-f0def1e5b563\Winre.wim,{d4b7de57-ace4-11e1-8788-f0def1e5b563}

systemroot \windows

nx OptIn

winpe Yes

Resume from Hibernate

---------------------

identifier {d4b7de54-ace4-11e1-8788-f0def1e5b563}

device partition=D:

path \Windows\system32\winresume.exe

description Windows Resume Application

locale en-US

inherit {resumeloadersettings}

filedevice partition=D:

filepath \hiberfil.sys

debugoptionenabled No

Windows Memory Tester

---------------------

identifier {memdiag}

device partition=C:

path \boot\memtest.exe

description Windows Memory Diagnostic

locale en-US

inherit {globalsettings}

badmemoryaccess Yes

EMS Settings

------------

identifier {emssettings}

bootems Yes

Debugger Settings

-----------------

identifier {dbgsettings}

debugtype Serial

debugport 1

baudrate 115200

RAM Defects

-----------

identifier {badmemory}

Global Settings

---------------

identifier {globalsettings}

inherit {dbgsettings}

{emssettings}

{badmemory}

Boot Loader Settings

--------------------

identifier {bootloadersettings}

inherit {globalsettings}

{hypervisorsettings}

Hypervisor Settings

-------------------

identifier {hypervisorsettings}

hypervisordebugtype Serial

hypervisordebugport 1

hypervisorbaudrate 115200

Resume Loader Settings

----------------------

identifier {resumeloadersettings}

inherit {globalsettings}

Device options

--------------

identifier {d4b7de57-ace4-11e1-8788-f0def1e5b563}

description Ramdisk Options

ramdisksdidevice partition=D:

ramdisksdipath \Recovery\d4b7de56-ace4-11e1-8788-f0def1e5b563\boot.sdi

****** End Of Log ******


Hi MrC,

Pardon me for the mistake...

Fixlog txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-05-2013

Ran by SYSTEM at 2013-05-18 13:56:18 Run:1

Running from E:\

Boot Mode: Recovery

==============================================

MBRDUMP.txt is made successfully.

==== End of Fixlog ====

MBRDUMP txt:


-mfk_1979


Please attach the MBRDUMP.txt

To attach a log:

Bottom right corner of this page.

New window that comes up.

-------------------------------------------------------

Do you have any good system restore points??

Do you know how to navigate around the registry?

Let me know....MrC


While we figure something out for you, have you tried the Kaspersky disk? It's worth a try:

This method may remove this malware:

- Download Kaspersky Rescue Disk (iso)
- Burn it to a CD or DVD; if you need a program to burn an ISO, use Active@ ISO Burner
- Configure your computer to boot from CD/DVD
- Note: If you do not know how to set your computer to boot from CD/DVD, follow the steps here
- Once you have the CD/DVD created, boot the computer up using it
- Press any key to enter the menu
- Select your language
- Press 1 to accept the End User License Agreement
- Select Kaspersky Rescue Disk. Graphic Mode
- Click on the Start button located in the bottom left corner of the screen
- Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by Metropolitan Police Virus
- When it's done, click on the Start button and start the Kaspersky Rescue Disk utility
- Click on the My Update Center tab and press Start to download the latest update
- Next, select the Object Scan tab
- Put a check next to C:\ and any other local drives
- Then click Start Objects Scan
- Quarantine any malware found
- Restart your computer and see if it boots up normally

MrC


Yes, it says you can, it's worth a try > it will restore the correct registry entries that the malware changed and it's loading from. The question is will it find and fix them all.

You might want to run My Update Center to download the latest updates first and then run the Kaspersky WindowsUnlocker.

http://support.kaspersky.com/8092

Good Luck....MrC


The link you have was not working. So I went with kav_rescue_10.iso available on the net.

I could boot it from USB, but as soon as the Kav OS came online, I got a warning that there is not sufficient memory. Moreover, I cannot find the WindowsUnlocker in the Kav I downloaded.

I tried running other applications like Kav Rescue Disk. It didn't seem to do anything, rather it stayed at the bottom of the screen.

Is there anything else that I can do?

-mfk_1979


Mr C..

I'm stuck here...

When I do Kaspersky Rescue Disk, I am getting the following warning on boot-up on the desktop in graphics mode:

"There is no enough disk space to copy required files -352 MB of free space are needed. The files will be stored in memory"

Also, I did not see windows unlocker. When I tried windows unlocker from the command terminal, it could not find the command. Therefore, I went with the text mode. Even after doing windows unlocker via text mode, I see the screen. It has been really frustrating. Is there anything that can be done? Is the only option here to see an IT technician?

-mfk


This got infected while I was at home...I was planning to do some work over the weekend. That's gone now...

No idea why people come up with such irritating/malicious stuff, when the same brain could have been used for something good...I guess that's what the world is..

mfk


Why did you ask that?

I just wanted to know what I'm working on being it's an encrypted drive.

If the computer was sitting in front of me, I would have it fixed in 10 minutes....but it's not.

Your IT guys should be able to fix this, but a lot of times they come here for help.

The only way I see to stop the malware from loading is by correcting the registry changes made by the malware.

This means navigating around in the registry and making some changes.

Let me know....MrC

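The registry changes MrC refers to are a small, well-known set of values (the Winlogon Shell/Userinit values and the .exe file association that FRST flagged in the first log). The read-only audit below is an added example, not code from this thread or from FRST or Kaspersky; it assumes stock Windows 7 defaults (shown as Expected) and only reports deviations, it changes nothing.

```powershell
# Added example (not from the thread or any tool it mentions): read-only audit of the registry
# values a screen locker such as FBI MoneyPak typically hijacks so that it runs in place of the
# desktop. Expected values are the Windows 7 defaults (assumption). To check an offline
# installation from a recovery environment, load its hive first, e.g.
#   reg load HKLM\OfflineSoft D:\Windows\System32\config\SOFTWARE
# and then call: Test-LockerRegistry -SoftwareHive 'HKLM:\OfflineSoft'

function Test-LockerRegistry {
    param(
        [string]$SoftwareHive = 'HKLM:\SOFTWARE',   # machine-wide hive (live system by default)
        [string]$UserHive     = 'HKCU:\Software'    # per-user hive of the account that logs on
    )
    $findings = @()

    # Machine-wide values and their stock contents. '(default)' is how PowerShell exposes a key's
    # default value; exefile\shell\open\command is what every .exe launch goes through.
    $checks = @(
        @{ Key = "$SoftwareHive\Microsoft\Windows NT\CurrentVersion\Winlogon"; Name = 'Shell';     Expected = 'explorer.exe' },
        @{ Key = "$SoftwareHive\Microsoft\Windows NT\CurrentVersion\Winlogon"; Name = 'Userinit';  Expected = 'C:\Windows\system32\userinit.exe,' },
        @{ Key = "$SoftwareHive\Classes\.exe";                                 Name = '(default)'; Expected = 'exefile' },
        @{ Key = "$SoftwareHive\Classes\exefile\shell\open\command";           Name = '(default)'; Expected = '"%1" %*' }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue).($c.Name)
        if ($null -eq $actual) {
            $findings += "MISSING   $($c.Key) [$($c.Name)]"
        } elseif ($actual -ne $c.Expected) {
            $findings += "CHANGED   $($c.Key) [$($c.Name)] = '$actual' (expected '$($c.Expected)')"
        }
    }

    # Per-user overrides: a clean profile has neither of these, yet lockers often plant a Shell
    # value under the user's Winlogon key (the fixlist in this thread targeted exactly that) or a
    # per-user exefile handler; both silently take precedence over the machine-wide defaults.
    $userShell = (Get-ItemProperty -Path "$UserHive\Microsoft\Windows NT\CurrentVersion\Winlogon" -ErrorAction SilentlyContinue).Shell
    if ($userShell) { $findings += "UNEXPECTED per-user Winlogon\Shell = '$userShell'" }
    $userCmd = (Get-ItemProperty -Path "$UserHive\Classes\exefile\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    if ($userCmd)   { $findings += "UNEXPECTED per-user exefile open command = '$userCmd'" }

    if ($findings.Count -eq 0) { return @('OK: all checked values match the defaults') }
    return $findings
}

Test-LockerRegistry
```

For an offline user profile, load its NTUSER.DAT the same way (reg load HKU\OfflineUser D:\Users\John\NTUSER.DAT) and pass -UserHive 'Registry::HKEY_USERS\OfflineUser\Software'; anything reported as CHANGED or UNEXPECTED is what a fixlist or manual registry correction would need to restore.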

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

