FBI Moneypak, safe mode also infected



Hi,

My dad borked my guest room computer today. It's the FBI Moneypak malware. A pop-up covers the whole screen whenever it loads a user account and there's no way around it. I tried booting in safe mode with networking and then safe mode both, and the same thing happens. (Though booting in safe mode without networking, the pop-up says "please connect to the internet" instead of its whole song and dance about the FBI demanding your money.)

It's a Windows XP Professional computer with service pack 3. Can anyone help me?

Thanks,

Heather


  • Staff

We are going to try System Restore to restore the system prior to the infection.

Depending on your Windows version.

Windows XP

Option 1.

Step 1: Use F8 to Boot to SafeMode With Command Prompt

Step 2: Use Ctrl+Alt+Del to open Task Manager

Step 3: Choose File, then New Task

Step 4: Then Navigate to:

C:\windows\system32\restore\rstrui.exe and press Enter

Step 5: Restore Computer to a Date you know you were virus free

Step 6: Run Malwarebytes

Option 2.

Step 1: Use F8 to Boot to SafeMode With Command Prompt

At the command prompt type in: rstrui.exe


Hi,

Thanks for your help, Gringo. Safe mode with command prompt worked, I performed a system restore, and ran Malwarebytes. Here's the Malwarebytes log:

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.06.05.02

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

owner :: OWNER-853ACF962 [administrator]

6/5/2013 1:36:07 AM

mbam-log-2013-06-05 (01-36-07).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 443274

Time elapsed: 1 hour(s), 25 minute(s), 45 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


  • Staff

Hello heatherly

These are the programs I would like you to run next. If you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

When they are complete let me have the two reports and let me know how things are running.

Gringo


Hi,

Both scans completed successfully. Here are the logs:

# AdwCleaner v2.301 - Logfile created 06/05/2013 at 11:13:52

# Updated 16/05/2013 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : owner - OWNER-853ACF962

# Boot Mode : Normal

# Running from : C:\Documents and Settings\owner\Local Settings\Application Data\Opera\Opera\temporary_downloads\AdwCleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\All Users\Application Data\search protection

File Deleted : C:\END

Folder Deleted : C:\DOCUME~1\Grandpa\LOCALS~1\Temp\boost_interprocess

Folder Deleted : C:\Documents and Settings\All Users\Application Data\adawaretb

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon

Folder Deleted : C:\Documents and Settings\All Users\Application Data\blekko toolbars

Folder Deleted : C:\Documents and Settings\Darla\Application Data\adawaretb

Folder Deleted : C:\Documents and Settings\Darla\Application Data\Babylon

Folder Deleted : C:\Documents and Settings\Darla\Application Data\PriceGong

Folder Deleted : C:\Documents and Settings\Darla\Local Settings\Application Data\Conduit

Folder Deleted : C:\Documents and Settings\Darla\Local Settings\Application Data\IMVU_Inc

Folder Deleted : C:\Documents and Settings\Grandpa\Application Data\adawaretb

Folder Deleted : C:\Documents and Settings\Grandpa\Application Data\PriceGong

Folder Deleted : C:\Documents and Settings\Grandpa\Local Settings\Application Data\Conduit

Folder Deleted : C:\Documents and Settings\Grandpa\Local Settings\Application Data\IMVU_Inc

Folder Deleted : C:\Documents and Settings\owner\Application Data\adawaretb

Folder Deleted : C:\Documents and Settings\owner\Local Settings\Application Data\Conduit

Folder Deleted : C:\Documents and Settings\owner\Local Settings\Application Data\IMVU_Inc

Folder Deleted : C:\Program Files\adawaretb

Folder Deleted : C:\Program Files\Advanced System Protector

Folder Deleted : C:\Program Files\BabylonToolbar

Folder Deleted : C:\Program Files\Conduit

Folder Deleted : C:\Program Files\IMVU_Inc

***** [Registry] *****

Key Deleted : HKCU\Software\adawaretb

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\IMVU_Inc

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{90B49673-5506-483E-B92B-CA0265BD9CA8}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{90B49673-5506-483E-B92B-CA0265BD9CA8}

Key Deleted : HKCU\Software\Softonic

Key Deleted : HKLM\Software\adawaretb

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{562B9316-C08A-444A-9482-62080DD851AE}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\PropertySync.EXE

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{90B49673-5506-483E-B92B-CA0265BD9CA8}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A19F5EBF-E163-4D4F-B7BD-33149BF756CC}

Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool

Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2612669

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\Software\IMVU_Inc

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{231CC657-7EB4-48A2-BCF9-743E5E13E077}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3EBADCCA-4E7B-4429-A409-BADA93043840}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\adawaretb

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\IMVU_Inc Toolbar

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90B49673-5506-483E-B92B-CA0265BD9CA8}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A19F5EBF-E163-4D4F-B7BD-33149BF756CC}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adawaretb

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IMVU_Inc Toolbar

Key Deleted : HKU\S-1-5-21-725345543-1844237615-1801674531-1005\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{90B49673-5506-483E-B92B-CA0265BD9CA8}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{90B49673-5506-483E-B92B-CA0265BD9CA8}]

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Opera v12.15.1748.0

File : C:\Documents and Settings\owner\Application Data\Opera\Opera\operaprefs.ini

[OK] File is clean.

File : C:\Documents and Settings\Grandpa\Application Data\Opera\Opera\operaprefs.ini

[OK] File is clean.

File : C:\Documents and Settings\Darla\Application Data\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [5473 octets] - [05/06/2013 11:13:52]

########## EOF - C:\AdwCleaner[s1].txt - [5533 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.9.4 (05.06.2013:1)

OS: Microsoft Windows XP x86

Ran by owner on Wed 06/05/2013 at 11:20:13.89

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\searchprotection

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

~~~ Registry Keys

~~~ Files

Successfully deleted: [File] "C:\WINDOWS\system32\roboot.exe"

~~~ Folders

Failed to delete: [Folder] "C:\Documents and Settings\All Users\application data\search protection"

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\systweak"

Successfully deleted: [Folder] "C:\Documents and Settings\owner\Application Data\systweak"

Successfully deleted: [Folder] "C:\Documents and Settings\owner\Local Settings\Application Data\adawarebp"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Wed 06/05/2013 at 11:22:40.71

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

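As an added example (not a Malwarebytes tool and not code from anyone in this thread), the Python script below parses AdwCleaner and JRT log lines in the shape of the two logs posted above and pulls out what a responder actually wants from them: entries the tools did not remove outright ("Deleted on reboot", "Failed to delete") that need confirming after the restart, entries under registry locations that load code automatically (Run values, Browser Helper Objects, IE toolbars, Winlogon values), and every registry location each CLSID turned up in, so a component that was only partly removed stands out. The sample lines are a constructed subset of the entries from the logs above; the list of autostart locations is the script's own assumption, not something the logs state.

```python
"""Triage helper for AdwCleaner / JRT removal logs (added example, not a Malwarebytes tool)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the entries from the AdwCleaner and JRT logs
# posted in this thread, in each tool's own line format.
SAMPLE_LOG = r"""
Deleted on reboot : C:\Documents and Settings\All Users\Application Data\search protection
Folder Deleted : C:\Program Files\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{231CC657-7EB4-48A2-BCF9-743E5E13E077}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\searchprotection
Successfully deleted: [File] "C:\WINDOWS\system32\roboot.exe"
Failed to delete: [Folder] "C:\Documents and Settings\All Users\application data\search protection"
"""

# AdwCleaner lines: "<Kind> Deleted : <target>" or "Deleted on reboot : <target>"
ADW_RE = re.compile(
    r"^(?:(?P<kind>Key|Value|File|Folder) Deleted|(?P<reboot>Deleted on reboot)) : (?P<target>.+)$"
)
# JRT lines: "<Status>: [<Kind>] <target>"
JRT_RE = re.compile(
    r"^(?P<status>Successfully deleted|Successfully repaired|Failed to delete): "
    r"\[(?P<kind>[^\]]+)\] (?P<target>.+)$"
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumed list (not from the logs) of registry locations that load code automatically.
# Matched case-insensitively as substrings of the lower-cased target path.
AUTOSTART_HINTS = (
    r"\currentversion\run",         # Run / RunOnce values, processed at every logon
    r"\browser helper objects",     # BHOs are loaded into every Internet Explorer process
    r"\internet explorer\toolbar",  # IE toolbar registrations
    r"\winlogon",                   # Shell / Userinit values; Winlogon honours these in Safe Mode too
)


def parse_log(text):
    """Turn AdwCleaner / JRT log lines into dicts; lines in neither format are skipped."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        m = ADW_RE.match(line)
        if m:
            items.append({
                "tool": "AdwCleaner",
                "kind": m.group("kind") or "Path",
                "target": m.group("target"),
                "status": "pending_reboot" if m.group("reboot") else "removed",
            })
            continue
        m = JRT_RE.match(line)
        if m:
            status = {"Successfully deleted": "removed",
                      "Successfully repaired": "repaired",
                      "Failed to delete": "failed"}[m.group("status")]
            items.append({
                "tool": "JRT",
                "kind": m.group("kind"),
                "target": m.group("target").strip('"'),  # JRT quotes file system paths
                "status": status,
            })
    return items


def follow_ups(items):
    """Targets the tools could not remove outright: confirm they are gone after the reboot."""
    return [i["target"] for i in items if i["status"] in ("pending_reboot", "failed")]


def autostart_items(items):
    """Entries under locations that load code automatically at logon or browser start."""
    return [i for i in items if any(h in i["target"].lower() for h in AUTOSTART_HINTS)]


def guid_index(items):
    """Map each CLSID/GUID to every registry location it was removed from.

    One component is normally registered in several places (CLSID, BHO list, toolbar
    value); seeing them together shows whether the removal covered all of them.
    """
    index = defaultdict(list)
    for i in items:
        for guid in GUID_RE.findall(i["target"]):
            index[guid.upper()].append(i["target"])
    return dict(index)


def summarize(text):
    """Parse a log and return the three views a responder checks before signing off."""
    items = parse_log(text)
    return {
        "total": len(items),
        "follow_ups": follow_ups(items),
        "autostart": [i["target"] for i in autostart_items(items)],
        "guids": guid_index(items),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} entries parsed")
    print("Re-check after reboot:", *s["follow_ups"], sep="\n  ")
    print("Autostart locations touched:", *s["autostart"], sep="\n  ")
    for guid, where in s["guids"].items():
        print(f"{guid} seen in {len(where)} location(s)")
```

On the logs above this flags the "search protection" folder, which AdwCleaner deferred to reboot and JRT then failed to delete, together with the Run value JRT removed for it; that pair is what a follow-up check should confirm is gone before the machine is called clean.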

  • Staff

Hello heatherly

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


  • Staff

Greetings

I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or just need some more time.

Also, a reminder that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and will then ask you to remove our tools.

Gringo


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
