FBI/Moneypak Remnant?

[RaineShadow]

Hey there! Earlier this weekend my computer became infected with the FBI/Moneypak ransomware. After rebooting my system in Safe Mode, I went through all the Read/Run First instructions. Upon completion, I rebooted in Normal mode and it looked like the problem had been fixed with two exceptions. As soon as my login finished, I was presented with this:

I clicked "OK" and still everything seemed fine. Hitman Pro ran its start up scan and once again, I was presented with an alert stating that my system was infected. Malwarebytes says my system is clean so I'm just a little concerned about the Hitman Pro results. The initial RunDLL popup is more of an annoyance than anything, but I want to be certain that my computer is clean.

Thanks!

I've attached all of the original clean up results. The hitmanpro2 file is the current scan results I'm getting.

[RaineShadow]

Here's the MGlogs.

[Kestrel13!]

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

Quote:

• Startup Repair
• System Restore
• Windows Complete PC Restore
• Windows Memory Diagnostic Tool
• Command Prompt

• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
• Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

[RaineShadow]

So now there's a new problem...

I tried opening up BIOS and for the first time since I purchased the computer, it asked for the admin password. It's not accepting the admin password and I'm at a loss on how to change it and access BIOS. I thought that maybe I put in the wrong password, but nothing is working. Suggestions...?

[Kestrel13!]

Agh. This is something that you will have to ask about in the software forum and then return here to complete malware removal.

Do not keep trying to guess at the password because it could get locked up completely! I believe there is software out there that can resolve the problem, but again, ask the guys and gals in the other forum and then return here.

[RaineShadow]

Alright! Sorry that took so long.
That was far easier than I expected.

Turns out, I didn't need to enter BIOS at all. Just F8 prior to startup opened my
advance boot options. Go figure. Regardless, now I have the admin password

[Kestrel13!]

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

• Save fixlist.txt to your flash drive.
• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.



Delete this folder:
C:\ProgramData\blekko toolbars

Delete this file:
C:\Windows\assembly\GAC_32\desktop.ini

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Run FRST again like you did the very first time and attach the log.

[RaineShadow]

All ran well. My boot up was a little slow this time though. Not sure if that means anything.

C:\ProgramData\blekko toolbars has been deleted.
I could not find C:\Windows\assembly\GAC_32\desktop.ini anywhere, however. It seems the only time I see that full file name anywhere is when it pops up in HitmanPro.

HitmanPro's initial scan when I booted popped up with that same trojan warning and it also came up with a "suspicious file" warning as well. I've attached the xml file just in case you wish to take a look.
Not sure if I'm supposed to but I've tried deleteing that desktop.ini file through HitmanPro but it pops up with it again when I boot up.

Also, I'm still getting the RunDLL pop up:


And one more new addition: I'm getting "An add-on for this website failed to run" error whenever a new page loads.
I've tried multiple websites. Not sure if that's my ActiveX settings that are messed up somehow or what. I just find it annoying haha.

[Kestrel13!]

Please run FRST again like you did the very first time and let me see that log too please.

[RaineShadow]

Here you go!

[chaslang]

Download this >> fixlist.txt


Save fixlist.txt to your flash drive.

• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows can continue with the below.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



Then attach the below logs:

• Fixlog.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[RaineShadow]

Thank you so much! Everything looks good! It booted up fine and everything is loading normally again with no delay. HitmanPro's Quick Scan was clean this time, and no RunDLL popup.

Still getting that add-on error though. I'm thinking that's probably not related to this problem though haha.

[RaineShadow]

Oh, I just noticed this, too. I don't know if something got messed up during the cleaning process or if the ransomeware disabled it, but my biometric quick launch is not working. The scanner is working so I can log into Windows, but for websites that it's supposed to run passwords for, it will not run. I've checked my device settings and everything is still set to default (I've even changed it and re set it to default) and nadda. Where would I go to find help on this? I have a lot of trust in that device (I had a problem with keyloggers on an old machine) and it's a new machine so I really don't want to have to just forget about it.

[Kestrel13!]

You can ask about that ain the software forum. Just run Ccleaner (not the registry scanner, the cleaner itself)

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

[RaineShadow]

Ok, on the second to last step. Just so I make sure I don't mess this up, I have 2 drives showing up in my system protection tab:
Local Disk (C (System) On
RECOVERY (D Off

I want the Local Disk, right?
I'm just asking because the screenshot for both Win7 & Vista don't touch the "system" drive.

[Kestrel13!]

Are you referring to system restore?

[RaineShadow]

Yes, the system restore.
I want to turn off system protection to the local disk, correct?
My options are Recovery and Local Disk.

[RaineShadow]

Ok, I'm officially annoyed with this. I just tried to change some of my theme settings and now I'm getting the error:

Windows cannot find 'C:\WINDOWS\\system32\\rundll32.exe'. Make sure you typed the name correctly, and then try again.

I looked in the other threads and I don't have my Windows 7 CD and I can't find another file. I don't understand when this happened because everything was working just fine until now. I tried going into my settings to view hidden folders and I get the same error. I haven't been on any websites other than my e-mail, here, facebook, and google. I just want my computer back to normal...

[Kestrel13!]

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run


Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

[RaineShadow]

Ok! I did as you said. Both came up clean :P Anyway, here's the logs!

It's weird. Other than that rundll32.exe file, everything is running fine.