FAT32 Windows XP Pro SP3 Infected with MoneyPak Virus - Please Help

[swsexton]

Hello, My computer (Dell, Windows XP Pro SP3, 32 bit fomatted with FAT32 file system) has a version of the Moneypak virus.  I can't boot into any form of safe mode.  The system reboots as soon as it tries to load "mup.sys".  I've tried running checkdisk with both /f & /r commands but it still reboots at the "mup.sys".  I've even tried to use the "convert.exe" command to attempt to convert the file system to NTFS but it fails with something like, "can't build file system structure".  Can you help?  I have seen where people have been asked to run Farbar (FRST) from a command prompt - please advise the command line to run at the command prompt using the Windows XP Recovery Console using a USB stick.  Thanks in advance!!

[MrCharlie]

Welcome to the forum.

This will work if you have a good system restore point and can get to the Command prompt: (If it doesn't work the first time keep trying...you may be able get it)

Step 1: Use F8 to Boot to SafeMode With Command Prompt or Command Prompt
Step 2: Type the word "explorer" in black screen > enter
Step 3: Then Navigate to:
Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter (double click rstrui.exe)
Step 4: Restore Computer to Date you know you were virus free
Step 5: See if it boots up normally.....post on the forum so we can ensure the computers clean

------------------------------------

or..

For the next steps, you will need a flashdrive and a clean computer, to download and transfer tools to that flashdrive...and then transfer those tools again to the infected machine:

Please download Farbar Recovery Scan Tool and save it to the flash drive.

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/]

Note: Your version should be the 32-bit version!

Now plug the flash drive into the infected PC, and boot into safemode with command prompt.

Once in the Command Prompt:
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
On it's first run FRST will make 2 logs (FRST.txt, and Attach.txt) on the flash drive. Please copy and paste both logs to your next reply.

MrC

[swsexton]

Hi MrC,  Thanks for your reply.  Unfortunately, my computer won't allow me to enter safe mode in any form, even with command prompt.  I have a clean version of the FRST on USB if that helps.  I tried running FRST from a command prompt in Windows XP Recovery Console but it tells me that the command I'm trying to use isn't recognized...I am trying "d:\frst.exe" as the program is on my USB stick (drive d).  Any other thoughts?

[MrCharlie]

Use Kaspersky Rescue Disk and Unlocker:

This method may remove the malware:

• Download Kaspersky Rescue Disk (iso)
• Burn it to a cd or dvd, if you need a program to burn an ISO...use Active@ ISO Burner
• Instructions for USB flash drive
• Configure your computer to boot from CD/DVD
• Note : If you do not know how to set your computer to boot from CD/DVD follow the steps here
• Once you have the cd/DVD created, boot the computer up using it
• Press any key to enter the menu
• Select your language
• Press 1 to accept the End User License Agreement
• Select Kaspersky Rescue Disk. Graphic Mode
• Click on the Start button located in the left bottom corner of the screen
• Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by Metropolitan Police Virus

  

  Note: If you can't find Kaspersky WindowsUnlocker, go to Terminal instead > type > windowsunlocker > choose 1 - Unlock Windows > Enter

• When it's done, click on the Start button and start Kaspersky Rescue Disk utility
• Click on My Update Center tab and press Start to download the latest update
• Next, select the Object Scan tab
• Put a check next to C:\ and any other local drives
• Then click Start Objects Scan
• Quarantine any malware found
• Restart your computer and see if it boots up normally

MrC

[swsexton]

Thanks MrC.  I am downloading it now.  Looks like it will take awhile to download (huge file - 322MB).  I will post again once it downloads and I run (or attempt to run) it.

[swsexton]

MrC, I need to leave for 3-4 hours but I am currently updating the virus database and will run scans while I am away.  Again I thank you for your patience and all your help.  I will post my results as soon as I get back and the scan has finished.

[MrCharlie]

OK, take your time......MrC

[swsexton]

Thanks again for your patience MrC.  I have returned to a completed scan and that it found several "Events".  The window that is opened, "Detailed Report - Kaspersky Rescue Disk"  It doesn't offer me to do anything with these "Events" other than save them.  I will attach them here and wait for further instructions as to how best to handle them. 

 

In a different window, "Protection State - Kaspersky Rescue Disk" under the "Status" tab, it says that threats were found and that it would be best to "Neutralize" them but doesn't show the threats.  Should I go ahead and click on the "Neutralize All"?

In this same window, the "Detected Threats" tab doesn't show anything but does offer at the very bottom of the window to either "Disinfect All" or "Quarantine".  Since there is nothing listed, I'm not sure that I should click either of these.  Please let me know what I need to do on this tab.

In this same window, the "Report" tab displays a chart graph of the threats found.

 

What do I need to do next?

 

Kaspersky Rescue Disk - Detailed Report.txt

[MrCharlie]

In a different window, "Protection State - Kaspersky Rescue Disk" under the "Status" tab, it says that threats were found and that it would be best to "Neutralize" them but doesn't show the threats.  Should I go ahead and click on the "Neutralize All"?

 

 

Neutralize All

 

 

In this same window, the "Detected Threats" tab doesn't show anything but does offer at the very bottom of the window to either "Disinfect All" or "Quarantine".  Since there is nothing listed, I'm not sure that I should click either of these.  Please let me know what I need to do on this tab.

 

 

Quarantine

 

MrC

[swsexton]

Okay, I clicked "Neutralize All" and the cd spins.  When the button looks unclicked, I select the "Details" button but it doesn't display anything except the "Disinfect All" & "Quarantine" options on the bottom.  I clicked the "Quarantine" button and a window pops up requesting to open a file.  Is there something somewhere that I need to open in order to "Quarantine"?

 

None of the windows or reports display that the threats have been Neutralized or Quarantined.  What would you like for me to do next?

[MrCharlie]

See if you can get out of it if there's nothing to quarantine.

MrC

[swsexton]

Should I try for a reboot to see if I can boot into Windows?

[MrCharlie]

Yes, you did run the windowsunlocker correct??

MrC

[swsexton]

Yes and it found a few "suspicious modifications" which the program restored to what it should have been.

 

Here goes a reboot.

[swsexton]

I have rebooted and I am looking at the desktop.  Hooray!!!!  You are the best!

 

What's next?

[MrCharlie]

Great!

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system)

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

MrC

[swsexton]

YIkes!  I click "yes" on the disclaimer and after it disappeared and was about to scan, the MoneyPak screen came back.  Do I need to go back to square one and rescan with the windows unlocker & Kaspersky?

[MrCharlie]

Yes, if the screen is still there......MrC

[swsexton]

Okay.  This time would you advise me to change the advanced settings of the Kaspersky scan to "High", automatic "disinfect or remove that which cannot be disinfected" & to have it do a "deep scan"?

[MrCharlie]

Yes, give that a try. Windowsunlocker is want restores or deletes all the bad registry entries created by the malware and then you scan to clear out any of the malware files.

Give it a try. When you boot back up...boot to safe mode with networking.

MrC

[swsexton]

Okay.  As I'm sure you are aware, this scan takes awhile to run (my last run took over 3 hours).  Before I posted this, I tried logging into safe mode but there must be some problem with my windows installation or the virus is in deep because even after windows unlocker restored those files, the system still restarts at the "mup.sys".  I also tried going into msconfig and disabling all startup items & all non-microsoft services but that moneypak screen still comes up.  I'm able to open the windows start menu but anything I try to open ends up opening behind the moneypak screen...no use to me.  The other thing that I tried was to use "rkill" which killed about 4 processes but as soon as I tried running FRST, the moneypak screen came back.  Just thought I would try it but came up short.

I will let the Kaspersky scan run and either post late tonight or early tomorrow.  Thanks for all you help today.  At least I know that we are getting closer to solving this virus as I have been able to get to the desktop but end up back at the money pak screen.  I will post back again tomorrow.  Have a great night!

[MrCharlie]

OK..let me know.....MrC

[MrCharlie]

Just to add..a good program to use to kill any bad registry entries is RogueKiller.

After the scan completes...look under the registry tab.

-----------------

Please download and run RogueKiller 32 Bit to your desktop.

For Windows XP, double-click to start.

Click Scan to scan the system.

Look under the Registry tab, check them all and click on delete in the right hand column.

MrC

[swsexton]

I actually ran that after the rkill.  It found 3 HJ/Autorun registry items but I wasn't sure if I should delete them.  Do you think I should try deleting them before I run the KASP scan?  I don't know why but somehow when I run the KASP Rescue Disk, it comes up with an error and claims that the database has become corrupted.  I'm not sure how that is considering it is running from a cd-r but even after I shut down and try again, it still comes up corrupted.  I'm going to try and download the USB version and hopefully that will work better.

[swsexton]

I ran both rkill & roguekiller.  I am attaching the rkill & 2 roguekiller files (1 pre delete & 1 post delete).  After running both programs, I was able to run FRST.  I am attaching the 2 files to this post as well.  I'm not sure but I find it strange that the FRST file just shows "end of log"...is that normal?  I ran it twice just to be sure.  Do I need to redownload the FRST or is this file acceptable?  The "Addition" file actually shows information.

Addition.txt

FRST.txt

Rkill.txt

RKreport0_D_08312013_212714.txt

RKreport0_S_08312013_212653.txt