Jump to content

FAT32 Windows XP Pro SP3 Infected with MoneyPak Virus - Please Help


Recommended Posts

Hello, My computer (Dell, Windows XP Pro SP3, 32 bit fomatted with FAT32 file system) has a version of the Moneypak virus.  I can't boot into any form of safe mode.  The system reboots as soon as it tries to load "mup.sys".  I've tried running checkdisk with both /f & /r commands but it still reboots at the "mup.sys".  I've even tried to use the "convert.exe" command to attempt to convert the file system to NTFS but it fails with something like, "can't build file system structure".  Can you help?  I have seen where people have been asked to run Farbar (FRST) from a command prompt - please advise the command line to run at the command prompt using the Windows XP Recovery Console using a USB stick.  Thanks in advance!!

Link to post
Share on other sites

  • Replies 71
  • Created
  • Last Reply

Top Posters In This Topic

Welcome to the forum.

This will work if you have a good system restore point and can get to the Command prompt: (If it doesn't work the first time keep trying...you may be able get it)

Step 1: Use F8 to Boot to SafeMode With Command Prompt or Command Prompt
Step 2: Type the word "explorer" in black screen > enter
Step 3: Then Navigate to:
Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter (double click rstrui.exe)
Step 4: Restore Computer to Date you know you were virus free
Step 5: See if it boots up normally.....post on the forum so we can ensure the computers clean

------------------------------------

or..

For the next steps, you will need a flashdrive and a clean computer, to download and transfer tools to that flashdrive...and then transfer those tools again to the infected machine:

Please download Farbar Recovery Scan Tool and save it to the flash drive.

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/]

Note: Your version should be the 32-bit version!

Now plug the flash drive into the infected PC, and boot into safemode with command prompt.

Once in the Command Prompt:
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
On it's first run FRST will make 2 logs (FRST.txt, and Attach.txt) on the flash drive. Please copy and paste both logs to your next reply.

MrC

Link to post
Share on other sites

Hi MrC,  Thanks for your reply.  Unfortunately, my computer won't allow me to enter safe mode in any form, even with command prompt.  I have a clean version of the FRST on USB if that helps.  I tried running FRST from a command prompt in Windows XP Recovery Console but it tells me that the command I'm trying to use isn't recognized...I am trying "d:\frst.exe" as the program is on my USB stick (drive d).  Any other thoughts?

Link to post
Share on other sites

Use Kaspersky Rescue Disk and Unlocker:

This method may remove the malware:

  • Download Kaspersky Rescue Disk (iso)
  • Burn it to a cd or dvd, if you need a program to burn an ISO...use Active@ ISO Burner
  • Instructions for USB flash drive
  • Configure your computer to boot from CD/DVD
  • Note : If you do not know how to set your computer to boot from CD/DVD follow the steps here
  • Once you have the cd/DVD created, boot the computer up using it
  • Press any key to enter the menu
  • Select your language
  • Press 1 to accept the End User License Agreement
  • Select Kaspersky Rescue Disk. Graphic Mode
  • Click on the Start button located in the left bottom corner of the screen
  • Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by Metropolitan Police Virus

    krd5.jpg

    Note: If you can't find Kaspersky WindowsUnlocker, go to Terminal instead > type > windowsunlocker > choose 1 - Unlock Windows > Enter

  • When it's done, click on the Start button and start Kaspersky Rescue Disk utility
  • Click on My Update Center tab and press Start to download the latest update
  • Next, select the Object Scan tab
  • Put a check next to C:\ and any other local drives
  • Then click Start Objects Scan
  • Quarantine any malware found
  • Restart your computer and see if it boots up normally

MrC
Link to post
Share on other sites

Thanks again for your patience MrC.  I have returned to a completed scan and that it found several "Events".  The window that is opened, "Detailed Report - Kaspersky Rescue Disk"  It doesn't offer me to do anything with these "Events" other than save them.  I will attach them here and wait for further instructions as to how best to handle them. 

 

In a different window, "Protection State - Kaspersky Rescue Disk" under the "Status" tab, it says that threats were found and that it would be best to "Neutralize" them but doesn't show the threats.  Should I go ahead and click on the "Neutralize All"?

In this same window, the "Detected Threats" tab doesn't show anything but does offer at the very bottom of the window to either "Disinfect All" or "Quarantine".  Since there is nothing listed, I'm not sure that I should click either of these.  Please let me know what I need to do on this tab.

In this same window, the "Report" tab displays a chart graph of the threats found.

 

What do I need to do next?

 

Kaspersky Rescue Disk - Detailed Report.txt

Link to post
Share on other sites

In a different window, "Protection State - Kaspersky Rescue Disk" under the "Status" tab, it says that threats were found and that it would be best to "Neutralize" them but doesn't show the threats.  Should I go ahead and click on the "Neutralize All"?

 

 

Neutralize All

 

 

In this same window, the "Detected Threats" tab doesn't show anything but does offer at the very bottom of the window to either "Disinfect All" or "Quarantine".  Since there is nothing listed, I'm not sure that I should click either of these.  Please let me know what I need to do on this tab.

 

 

Quarantine

 

MrC

Link to post
Share on other sites

Okay, I clicked "Neutralize All" and the cd spins.  When the button looks unclicked, I select the "Details" button but it doesn't display anything except the "Disinfect All" & "Quarantine" options on the bottom.  I clicked the "Quarantine" button and a window pops up requesting to open a file.  Is there something somewhere that I need to open in order to "Quarantine"?

 

None of the windows or reports display that the threats have been Neutralized or Quarantined.  What would you like for me to do next?

Link to post
Share on other sites

Great!

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
MrC
Link to post
Share on other sites

Okay.  As I'm sure you are aware, this scan takes awhile to run (my last run took over 3 hours).  Before I posted this, I tried logging into safe mode but there must be some problem with my windows installation or the virus is in deep because even after windows unlocker restored those files, the system still restarts at the "mup.sys".  I also tried going into msconfig and disabling all startup items & all non-microsoft services but that moneypak screen still comes up.  I'm able to open the windows start menu but anything I try to open ends up opening behind the moneypak screen...no use to me.  The other thing that I tried was to use "rkill" which killed about 4 processes but as soon as I tried running FRST, the moneypak screen came back.  Just thought I would try it but came up short.

I will let the Kaspersky scan run and either post late tonight or early tomorrow.  Thanks for all you help today.  At least I know that we are getting closer to solving this virus as I have been able to get to the desktop but end up back at the money pak screen.  I will post back again tomorrow.  Have a great night!

Link to post
Share on other sites

Just to add..a good program to use to kill any bad registry entries is RogueKiller.

After the scan completes...look under the registry tab.

-----------------

Please download and run RogueKiller 32 Bit to your desktop.

For Windows XP, double-click to start.

Click Scan to scan the system.

Look under the Registry tab, check them all and click on delete in the right hand column.

MrC

Link to post
Share on other sites

I actually ran that after the rkill.  It found 3 HJ/Autorun registry items but I wasn't sure if I should delete them.  Do you think I should try deleting them before I run the KASP scan?  I don't know why but somehow when I run the KASP Rescue Disk, it comes up with an error and claims that the database has become corrupted.  I'm not sure how that is considering it is running from a cd-r but even after I shut down and try again, it still comes up corrupted.  I'm going to try and download the USB version and hopefully that will work better.

Link to post
Share on other sites

I ran both rkill & roguekiller.  I am attaching the rkill & 2 roguekiller files (1 pre delete & 1 post delete).  After running both programs, I was able to run FRST.  I am attaching the 2 files to this post as well.  I'm not sure but I find it strange that the FRST file just shows "end of log"...is that normal?  I ran it twice just to be sure.  Do I need to redownload the FRST or is this file acceptable?  The "Addition" file actually shows information.

Addition.txt

FRST.txt

Rkill.txt

RKreport0_D_08312013_212714.txt

RKreport0_S_08312013_212653.txt

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.