Another FBI Moneypak with White Screen - Please Help

[jstephenson]

I've been hit with the FBI Moneypak ransomware on a Windows 7, x64. Rebooting in Safe Mode with Networking results in a white screen and the inability to do anything else. I have the run the Farbar Recovery Scan Tool and performed a search for services.exe. I understand I should provide the FRST scan log and the results of the search but before I do, I have a question. Should I be concerned about posting my log online? I'm only a mildy technical person, but given the nature of this ransomware I'm ultra sensitive, and am very concerned about additional damage caused by this breach. Should I scrub the log in anyway? Or, can someone provide a fixlist without the full log? Thanks in advance for any help!

Thanks,

John

[MrCharlie]

Welcome to the forum, here's how we deal with that malware:

1. Please download Farbar Recovery Scan Tool and save it to a flash drive.
   Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
   Plug the flash drive into the infected PC.
   
2. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
   If you are using Vista or Windows 7 enter System Recovery Options.
   To enter System Recovery Options from the Advanced Boot Options:
   
   • Restart the computer.
     
   • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
     
   • Use the arrow keys to select the Repair your computer menu item.
     
   • Select US as the keyboard language settings, and then click Next.
     
   • Select the operating system you want to repair, and then click Next.
     
   • Select your user account an click Next.

Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
  
• Restart your computer.
  
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  
• Click Repair your computer.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.

[*]On the System Recovery Options menu you will get the following options:

• • 
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
    Select Command Prompt
    Once in the Command Prompt:

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select "Computer" and find your flash drive letter and close the notepad.

[*]In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to disclaimer.

[*]Press Scan button.

[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC

[jstephenson]

Thanks MrCharlie. Before I post the logs, I have a question. Should I be concerned about posting my log online? Should I scrub the log in anyway? Thanks in advance.

[MrCharlie]

You can attach it if you'd like:

To attach a log:

Bottom right corner of this page.

New window that comes up.

MrC

[jstephenson]

MrCharlie,

I have attached the FRST log and a search for services.exe.

FRST.txt

Search.txt

[MrCharlie]

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now and if so..........

Download Malwarebytes Anti-Rootkit from HERE

• Unzip the contents to a folder in a convenient location.
  
• Open the folder where the contents were unzipped and run mbar.exe
  
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  
• Wait while the system shuts down and the cleanup process is performed.
  
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  
• When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
  

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

MrC

[jstephenson]

Thanks. Could you please explain to me what this "fix" will do, in general. I'd just like to understand what Im doing before I do it. Also, I noticed what appears to be a focus on Skype. Is this to suggest the breach came through, or is related to Skype? Or is the ransomware masking itself as Skype?

[MrCharlie]

It's going to delete this registry entry:

HKU\jstephenson\...\Winlogon: [shell] explorer.exe,C:\Users\jstephenson\AppData\Roaming\skype.dat [83968 2011-11-16] (TENTHBIT INC.)

and delete these 2 malware files:

C:\Users\jstephenson\AppData\Roaming\skype.dat

C:\Users\jstephenson\AppData\Roaming\skype.ini

-----------------------------

This is your legitimate Skype:

HKU\jstephenson\...\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18642024 2013-02-28] (Skype Technologies S.A.)

MrC

[jstephenson]

I turned the computer back on and pressed F8 to enter BIOS to try and run the fix through FBAR. The BIOS said something about my computer not having been shut down correctly and/or was previoulsy started incorrectly, and/or is unable to start (unfortunaly, I dont remmebr what it said exactly. I think I chose something about Launch Startup Repair (Recommended). Now I seem to be stuck at a "Startup Repair" and the screen says "Startup Repair is checking your system for problems...Attempting Repairs. And its been doing this for about 15 minutes. Should I let it run, or re-attempt to re-boot and get into Command Prompt?

[MrCharlie]

Give it another 10 minutes and if nothing changes, reboot and run FRST and the fixlist.txt as outlined.

MrC

[jstephenson]

I spoke to soon. It just finished... It now says:

"Startup Repair cannot repair this computer automatically. Sending more information can help Microsoft create solutions.

-> Send information about this problem (recommended)

-> Dont Send

View Problem Details

Problem Signature:

Problem Event Name: StartupRepairOffline

Problem Signature 01: 6.1.7600.16385

Problem Signature 02: 6.1.7600.16385

Problem Signature 03: unkown

Problem Signature 04: 515

Problem Signature 05: AutoFailover

Problem Signature 06: 1

Problem Signature 07: NoRootCause

OS Version: 6.1.7601.2.1.0.256.1

Locale ID: 1033

[jstephenson]

OK. And now I clicked "Finish" and now I rebooted, and have the "Safe Mode with Command Prompt...

Running the fixlist now...

[jstephenson]

I ran the FRST fix, attached is the log. Also, I installed and ran MBAR. The first scan uncovered two (2) issues, the second scan uncoverd zero (0). Attached is the mbar-log following the second scan, and the system-log. What now? Thanks in advance.

Fixlog.txt

mbar-log-2013-05-19 (23-01-20).txt

system-log.txt

[MrCharlie]

Well Done, lets run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[jstephenson]

I ran ComboFix, attached is the log. Thanks to review and advise next steps.

ComboFix.txt

[MrCharlie]

Looks Good.........

Lets check for any adware while you're here:

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes :

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
   
2. Now click on the Search tab.
   
3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.

Note:

Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.

If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

Please note that Antivir Webguard uses ASK Toolbar as part of its web security. If you remove ASK by using Adwcleaner, Antivir Webguard will no longer work properly. Therefore, if you use this program please use the instructions below to access the options screen where you should enable /DisableAskDetections before using AdwCleaner.

You can click on the question mark (?) in the upper left corner of the program and then click on Options. You will then be presented with a dialog where you can disable various detections. These options are described below:

/DisableAskDetection - This option disables Ask Toolbar detection.

MrC

[jstephenson]

I ran AdwCleaner, attached is the log. From what I could tell, nothing looked like something I need/want to keep. But, if you feel otherwise, thanks to let me know. Thanks to review and advise next steps.

AdwCleanerR1.txt

[MrCharlie]

It's all adware:

Lots of adware found....lets clear it out.....

1. Please re-run AdwCleaner
   
2. Click on Delete button.
   
3. Confirm each time with OK if asked.
   
4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.
   

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Then......

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt.
  
• Please Post the contents of that document.
  
• Do Not Attach It!!!
  

MrC

[jstephenson]

Attached are the results of the AdwCleaner delete, below are the results of the Security Check. Thanks to review and advise next steps.

Results of screen317's Security Check version 0.99.63

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

AVG AntiVirus Free Edition 2013

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.60.0.1800

Java™ 6 Update 30

Java version out of Date!

Adobe Reader 9 Adobe Reader out of Date!

````````Process Check: objlist.exe by Laurent````````

AVG avgwdsvc.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````

AdwCleanerS1.txt

[MrCharlie]

Out dated programs on the system are vulnerable to malware.

Please update or uninstall them:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Java™ 6 Update 30 <--please uninstall from add/remove programs

Java version out of Date! <-------Download and install the latest version from Here

Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

Adobe Reader 9 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

If you used DeFogger to disable your CD Emulation drivers, please re-enable them.

-------------------------------

Please download OTC to your desktop.

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.

Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[jstephenson]

Thank you so much for your help! I will un-install the Java 6 Update 30, update Java, un-install Adobe Reader, and install Foxit Reader as you suggest. I will also perfom the cleanup you outlined.

Before we close this close this thread though, I'd be very grateful if you could answer some of my more general questions below. Any information or insight would be greatly appreciated!

1. How worried should I be about other ramifications stemming from this FBI Moneypak breach? Is there anything in particular I should keep an eye out for in the near future? Aside from trying to trick users into sending money via Moneypak, in your experience, is there anything else the authors/distributors of FBI Moneypakl were trying to accomplish?
   
2. 
   How likely is it that hackers had the ability to steal critical information or documents from my computer? I have tax returns, credit card info, mortgge applications, personal files, social security numbers, etc. on my computer.
   
3. 
   I think I would like to re-format the entire hard drive, just to be safe. Is this overkill? If not, do you have a recommended step by step site for reinstalling Windows 7? Also, before I would re-format, I would want to put all personal files (pictures, documents, etc) onto an external USB drive. Would I would copy the ransoware onto the USB drive and risk re-exposing my computer after the re-format?
   
4. 
   Do you think the FBI Moneypak came in because of the Java or Adobe Reader being out of date? Or, what is the most likely source of the breach?
   

Thanks Again!

[MrCharlie]

How worried should I be about other ramifications stemming from this FBI Moneypak breach? Is there anything in particular I should keep an eye out for in the near future? Aside from trying to trick users into sending money via Moneypak, in your experience, is there anything else the authors/distributors of FBI Moneypakl were trying to accomplish?

Not in your case, looks like they were just after money

How likely is it that hackers had the ability to steal critical information or documents from my computer? I have tax returns, credit card info, mortgge applications, personal files, social security numbers, etc. on my computer.

Not in this case but I would keep an eye on all your sensitive accounts and change your passwords on them.

I think I would like to re-format the entire hard drive, just to be safe. Is this overkill? If not, do you have a recommended step by step site for reinstalling Windows 7?

I don't think it's necessary in your case, but if you want to...

Do you have a Windows CD, restore disk or restore partition??

Also, before I would re-format, I would want to put all personal files (pictures, documents, etc) onto an external USB drive. Would I would copy the ransoware onto the USB drive and risk re-exposing my computer after the re-format?

No

Do you think the FBI Moneypak came in because of the Java or Adobe Reader being out of date? Or, what is the most likely source of the breach?

Yes that's very possible, especially the Java

MrC

[jstephenson]

Thanks for your replies to my questions, they were very helpful. I was just about to suggest this thread be closed and was then going to offer the appropriate thanks...but something very weird just happened and before I consider this closed, I'm wondering if it was/is related...

I was browsing the Internet like normal and then suddenly lost Internet connectivity. The broadand connection from my ISP was up, and my other computer worked fine, just not the previously infected computer. I did NOT go to any malicious or obvioulsy unscrupulous sites, only espn.com, cnn.com, and youtube.com, etc. When I noticed this oddity, I imediately shutdown the computer. I admit I did not update Java yet as was suggested earlier but I had planned on doing it tonight. Could I have experienced the beginnings of a re-infection? Do you think the hackers that got me the first time are just trying to re-hit the same machine? Can they even do that? I dont want to necessarily assume this oddity is realted to the prior FBI Moneypack ransomware, but I dont want discount it either, especially since I have not yet corrected the possible entry point (outdated Java). Im a bit afraid to even turn the computer back on to see if the reboot would somehow fix the connectivity issues. Any thoughts on what to do now?

Thanks Again

[MrCharlie]

Use it, update the Java and see how it is. I don't think you have been re-infected.

MrC

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!