MajorGeeks Support Forums


Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.


#1  07-09-12, 03:12  RaineShadow (Private First Class)
FBI/Moneypak Remnant?

Hey there! Earlier this weekend my computer became infected with the FBI/Moneypak ransomware. After rebooting my system in Safe Mode, I went through all the Read/Run First instructions. Upon completion, I rebooted in Normal mode and it looked like the problem had been fixed with two exceptions. As soon as my login finished, I was presented with this:

I clicked "OK" and still everything seemed fine. Hitman Pro ran its start up scan and once again, I was presented with an alert stating that my system was infected. Malwarebytes says my system is clean so I'm just a little concerned about the Hitman Pro results. The initial RunDLL popup is more of an annoyance than anything, but I want to be certain that my computer is clean.

Thanks!

I've attached all of the original clean up results. The hitmanpro2 file is the current scan results I'm getting.
Attached Files
File Type: txt RKreport[1].txt (2.4 KB, 6 views)
File Type: zip hitmanpro.zip (709 Bytes, 2 views)
File Type: zip hitmanpro2.zip (605 Bytes, 2 views)
File Type: txt mbam-log-2012-07-09 (02-57-22).txt (1.9 KB, 1 views)
#2  07-09-12, 09:37  RaineShadow (Private First Class)
Re: FBI/Moneypak Remnant?

Here's the MGlogs.
Attached Files
File Type: zip MGlogs.zip (482.2 KB, 8 views)
#3  07-10-12, 07:24  Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: FBI/Moneypak Remnant?

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Quote:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
#4  07-10-12, 12:17  RaineShadow (Private First Class)
Re: FBI/Moneypak Remnant?

So now there's a new problem...

I tried opening up BIOS and for the first time since I purchased the computer, it asked for the admin password. It's not accepting the admin password and I'm at a loss on how to change it and access BIOS. I thought that maybe I put in the wrong password, but nothing is working. Suggestions...?
#5  07-11-12, 10:28  Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: FBI/Moneypak Remnant?

Agh. This is something that you will have to ask about in the software forum and then return here to complete malware removal.

Do not keep trying to guess at the password because it could get locked up completely! I believe there is software out there that can resolve the problem, but again, ask the guys and gals in the other forum and then return here.
#6  07-11-12, 16:17  RaineShadow (Private First Class)
Re: FBI/Moneypak Remnant?

Alright! Sorry that took so long.
That was far easier than I expected.

Turns out, I didn't need to enter BIOS at all. Just F8 prior to startup opened my advanced boot options. Go figure. Regardless, now I have the admin password
Attached Files
File Type: txt FRST.txt (35.2 KB, 6 views)
#7  07-12-12, 11:35  Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: FBI/Moneypak Remnant?

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt
  • Save fixlist.txt to your flash drive.
  • You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.



Delete this folder:
C:\ProgramData\blekko toolbars

Delete this file:
C:\Windows\assembly\GAC_32\desktop.ini

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Run FRST again like you did the very first time and attach the log.
Attached Files
File Type: txt fixlist.txt (272 Bytes, 10 views)
#8  07-12-12, 12:21  RaineShadow (Private First Class)
Re: FBI/Moneypak Remnant?

All ran well. My boot up was a little slow this time though. Not sure if that means anything.

C:\ProgramData\blekko toolbars has been deleted.
I could not find C:\Windows\assembly\GAC_32\desktop.ini anywhere, however. It seems the only time I see that full file name anywhere is when it pops up in HitmanPro.

HitmanPro's initial scan when I booted popped up with that same trojan warning and it also came up with a "suspicious file" warning as well. I've attached the xml file just in case you wish to take a look.
Not sure if I'm supposed to, but I've tried deleting that desktop.ini file through HitmanPro but it pops up with it again when I boot up.

Also, I'm still getting the RunDLL pop up:


And one more new addition: I'm getting "An add-on for this website failed to run" error whenever a new page loads.
I've tried multiple websites. Not sure if that's my ActiveX settings that are messed up somehow or what. I just find it annoying haha.
Attached Files
File Type: txt Fixlog.txt (566 Bytes, 2 views)
File Type: zip MGlogs.zip (490.4 KB, 2 views)
File Type: zip HitmanPro (3).zip (711 Bytes, 2 views)
#9  07-12-12, 16:40  Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: FBI/Moneypak Remnant?

Please run FRST again like you did the very first time and let me see that log too please.
#10  07-12-12, 17:41  RaineShadow (Private First Class)
Re: FBI/Moneypak Remnant?

Here you go!
Attached Files
File Type: txt FRST.txt (38.3 KB, 5 views)
#11  07-13-12, 02:10  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: FBI/Moneypak Remnant?

Download this >> fixlist.txt


Save fixlist.txt to your flash drive.
  • You should now have both fixlist.txt and FRST64.exe on your flash drive.
Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows and continue with the below.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



Then attach the below logs:
  • Fixlog.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


#12  07-13-12, 11:27  RaineShadow (Private First Class)
Re: FBI/Moneypak Remnant?

Thank you so much! Everything looks good! It booted up fine and everything is loading normally again with no delay. HitmanPro's Quick Scan was clean this time, and no RunDLL popup.

Still getting that add-on error though. I'm thinking that's probably not related to this problem though haha.
Attached Files
File Type: txt Fixlog.txt (1,007 Bytes, 3 views)
File Type: zip MGlogs.zip (485.5 KB, 5 views)
#13  07-13-12, 11:57  RaineShadow (Private First Class)
Re: FBI/Moneypak Remnant?

Oh, I just noticed this, too. I don't know if something got messed up during the cleaning process or if the ransomware disabled it, but my biometric quick launch is not working. The scanner is working so I can log into Windows, but for websites that it's supposed to run passwords for, it will not run. I've checked my device settings and everything is still set to default (I've even changed it and reset it to default) and nada. Where would I go to find help on this? I have a lot of trust in that device (I had a problem with keyloggers on an old machine) and it's a new machine so I really don't want to have to just forget about it.
#14  07-13-12, 16:39  Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: FBI/Moneypak Remnant?

You can ask about that in the software forum. Just run CCleaner (not the registry scanner, the cleaner itself).

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
  2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /uninstall
      • Notes: The space between the combofix" and the /uninstall, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
  4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  7. Go to add/remove programs and uninstall HijackThis.
  8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  10. After doing the above, you should work through the below link:
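Final step 9 above (flush the restore points, reboot, then create one clean restore point) as a script, added here as an example and not part of the thread or of the MajorGeeks cleaning procedure. It assumes a Windows 7 machine, an elevated Windows PowerShell 3.0 or later, and that the system drive is C:\ (the RECOVERY partition in the next post is left alone). Run Clear-RestorePoints, reboot as the step says, then New-CleanRestorePoint.

```powershell
# Added example, not from the thread: the script form of final step 9 on a
# Windows 7 machine, run in an elevated Windows PowerShell 3.0 or later.
# Assumed: the system drive is C:\ (the RECOVERY partition is left alone).
# Run Clear-RestorePoints, reboot as the step says, then New-CleanRestorePoint.

$SystemDrive = 'C:\'

function Get-RestorePointCount {
    # Get-ComputerRestorePoint returns nothing, not an error, when no points exist.
    return @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count
}

function Clear-RestorePoints {
    param([string]$Drive = $SystemDrive)
    $before = Get-RestorePointCount
    # Turning System Protection off for the drive discards its restore points;
    # deleting the volume's shadow copies as well makes sure nothing is kept.
    Disable-ComputerRestore -Drive $Drive
    $volume = $Drive.TrimEnd('\')
    vssadmin.exe delete shadows "/for=$volume" /quiet | Out-Null
    [PSCustomObject]@{
        Drive  = $Drive
        Before = $before
        After  = Get-RestorePointCount   # expected 0 once protection is off
    }
}

function New-CleanRestorePoint {
    param([string]$Drive = $SystemDrive,
          [string]$Description = 'Clean point after malware removal')
    Enable-ComputerRestore -Drive $Drive
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
    # Show what exists now; only the new point should be listed.
    Get-ComputerRestorePoint |
        Format-Table SequenceNumber, Description, CreationTime -AutoSize
}

Clear-RestorePoints | Format-List
# ... reboot, then run:
# New-CleanRestorePoint
```

The Before/After counts are the check that the flush actually happened: if After is not 0, the old restore points (which can hold copies of the removed files) are still on the disk. The cmdlets here are Windows-only and need elevation; the -Drive argument takes the drive letter with its trailing backslash, which is why the RECOVERY volume (D:\) is never passed.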
#15  07-13-12, 16:56  RaineShadow (Private First Class)
Re: FBI/Moneypak Remnant?

Ok, on the second to last step. Just so I make sure I don't mess this up, I have 2 drives showing up in my system protection tab:
Local Disk (C:) (System)  On
RECOVERY (D:)  Off

I want the Local Disk, right?
I'm just asking because the screenshot for both Win7 & Vista don't touch the "system" drive.
#16  07-14-12, 13:03  Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: FBI/Moneypak Remnant?

Are you referring to system restore?
#17  07-14-12, 17:24  RaineShadow (Private First Class)
Re: FBI/Moneypak Remnant?

Yes, the system restore.
I want to turn off system protection to the local disk, correct?
My options are Recovery and Local Disk.
#18  07-15-12, 01:25  RaineShadow (Private First Class)
Re: FBI/Moneypak Remnant?

Ok, I'm officially annoyed with this. I just tried to change some of my theme settings and now I'm getting the error:

Windows cannot find 'C:\WINDOWS\\system32\\rundll32.exe'. Make sure you typed the name correctly, and then try again.

I looked in the other threads and I don't have my Windows 7 CD and I can't find another file. I don't understand when this happened because everything was working just fine until now. I tried going into my settings to view hidden folders and I get the same error. I haven't been on any websites other than my e-mail, here, facebook, and google. I just want my computer back to normal...
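The checks a practitioner would run before accepting that rundll32.exe is really missing, added here as an example and not something posted in the thread. The error text quotes the path with doubled backslashes, so the script first confirms whether the file is present and carries a valid Microsoft signature, then lists every registry autostart value that references rundll32 and flags any whose data contains the literal doubled "\\system32\\" string; it also reads the Image File Execution Options key for rundll32.exe, where a Debugger value would redirect every launch of the program. Assumed: Windows 7, elevated Windows PowerShell 3.0 or later; whether any of these is the cause on this particular machine is not established by the thread.

```powershell
# Added example, not from the thread: checks to run when Windows reports that
# C:\WINDOWS\\system32\\rundll32.exe cannot be found. Assumed: Windows 7,
# elevated Windows PowerShell 3.0 or later. The doubled backslash is treated
# literally as a string to look for in autostart data; whether that is the
# cause on this machine is not established here.

$Rundll32 = Join-Path $env:SystemRoot 'System32\rundll32.exe'

function Test-Rundll32File {
    param([string]$Path = $Rundll32)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [PSCustomObject]@{ Path = $Path; Exists = $false; Signed = $false; SHA256 = $null }
    }
    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $bytes = [IO.File]::ReadAllBytes($Path)
    $hash  = [BitConverter]::ToString(
        [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)) -replace '-', ''
    [PSCustomObject]@{
        Path   = $Path
        Exists = $true
        # A valid signature from Microsoft is the expected state for a system binary.
        Signed = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
        SHA256 = $hash
    }
}

# Registry autostart locations that commonly carry rundll32 command lines,
# plus the Image File Execution Options key, where a Debugger value would
# redirect every launch of rundll32.exe to another program.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe'
)

function Find-Rundll32References {
    param([string[]]$Keys = $AutostartKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props  = Get-ItemProperty -LiteralPath $key
        $isIfeo = ($key -like '*Image File Execution Options*')
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # PowerShell metadata, not registry data
            $data = [string]$p.Value
            # Every value under the IFEO key is of interest; elsewhere only rundll32 command lines.
            if (-not $isIfeo -and $data -notmatch 'rundll32') { continue }
            [PSCustomObject]@{
                Key          = $key
                Value        = $p.Name
                Data         = $data
                DoubledSlash = ($data -match '\\\\system32\\\\')   # literal \\system32\\ in the data
            }
        }
    }
}

Test-Rundll32File       | Format-List
Find-Rundll32References | Format-Table -AutoSize -Wrap
```

If Exists is true and Signed is true, the binary itself is intact and the error comes from whatever is launching it with a bad path; a row with DoubledSlash set to true, or any Debugger value under the IFEO key, is the entry to show the helper before editing anything. The SHA256 hash is computed with .NET rather than Get-FileHash so the block also runs on the PowerShell 3.0 that Windows 7 can be updated to.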
#19  07-15-12, 08:58  Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: FBI/Moneypak Remnant?

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run


Please also download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    • Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    • Found non-standard or infected MBR.
    • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
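What the MBRCheck step above is looking at, as an added example that is not part of the thread and is not MBRCheck's own code: a parser for the 512-byte master boot record that validates the 0x55AA boot signature, hashes the 440 bytes of boot code, decodes the four partition-table entries, and reports whether exactly one partition is marked active. It is run first on a constructed sample sector built inline (not a real disk image), and a second function reads the live sector 0 of PhysicalDrive0, which needs an elevated Windows PowerShell 3.0 or later. No known-good boot-code hash is supplied here; the comparison value has to come from the same Windows version on a machine known to be clean.

```powershell
# Added example, not from the thread and not MBRCheck's code: parse a 512-byte
# MBR the way an MBR checker summarises it. Assumed: Windows PowerShell 3.0+,
# elevated for the live read. No known-good boot-code hash is supplied here.

function Read-PhysicalMbr {
    param([int]$DriveNumber = 0)
    $path = "\\.\PhysicalDrive$DriveNumber"
    $fs = New-Object System.IO.FileStream($path, [IO.FileMode]::Open,
            [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        $n = $fs.Read($buf, 0, 512)
        if ($n -ne 512) { throw "short read: $n bytes" }
        return $buf
    } finally { $fs.Dispose() }
}

function Get-MbrSummary {
    param([Parameter(Mandatory)][byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw 'MBR must be 512 bytes' }
    # Boot signature 0x55AA lives in bytes 510-511; anything else is not a valid MBR.
    $sigOk = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
    # Hash only the 440 bytes of boot code: the disk signature and partition
    # table that follow differ per machine, the boot code should not.
    $code = New-Object byte[] 440
    [Array]::Copy($Sector, 0, $code, 0, 440)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ([BitConverter]::ToString($sha.ComputeHash($code))) -replace '-', ''
    $diskSig = [BitConverter]::ToUInt32($Sector, 440)
    $parts = @()
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i                      # 16-byte entries start at offset 446
        $type = $Sector[$o + 4]
        if ($type -eq 0) { continue }           # empty slot
        $parts += [PSCustomObject]@{
            Index    = $i
            Active   = ($Sector[$o] -eq 0x80)   # boot indicator
            Type     = ('0x{0:X2}' -f $type)    # 0x07 is NTFS, 0x27 a hidden recovery partition
            StartLBA = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    $activeCount = @($parts | Where-Object Active).Count
    [PSCustomObject]@{
        SignatureValid = $sigOk
        BootCodeSHA256 = $hash
        DiskSignature  = ('0x{0:X8}' -f $diskSig)
        Partitions     = $parts
        OneActivePart  = ($activeCount -eq 1)
    }
}

# Constructed sample sector (not a real disk): zeroed boot code, valid
# signature, one active NTFS partition at LBA 2048 covering 204800 sectors.
$sample = New-Object byte[] 512
$sample[510] = 0x55; $sample[511] = 0xAA
$e = 446
$sample[$e] = 0x80; $sample[$e + 4] = 0x07
[BitConverter]::GetBytes([uint32]2048).CopyTo($sample, $e + 8)
[BitConverter]::GetBytes([uint32]204800).CopyTo($sample, $e + 12)
$summary = Get-MbrSummary -Sector $sample
$summary | Format-List
$summary.Partitions | Format-Table -AutoSize

# Live check (elevated). Compare BootCodeSHA256 against the hash recorded from
# a clean machine of the same Windows version, and compare the partition list
# with what Disk Management shows; an extra entry the OS does not show, or a
# second active partition, is what to take back to the helper.
# $live = Get-MbrSummary -Sector (Read-PhysicalMbr -DriveNumber 0)
```

The thread's machine shows a system volume and a RECOVERY volume, so a live summary would be expected to list two entries with exactly one active; an unexpected third entry or an altered boot-code hash is the kind of finding MBRCheck reports as a non-standard MBR, and the output should be attached for the helper rather than acted on directly.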
#20  07-15-12, 10:26  RaineShadow (Private First Class)
Re: FBI/Moneypak Remnant?

Ok! I did as you said. Both came up clean :P Anyway, here's the logs!

It's weird. Other than that rundll32.exe file, everything is running fine.
Attached Files
File Type: txt MBRCheck_07.15.12_11.23.18.txt (16.4 KB, 1 views)
File Type: txt TDSSKiller.2.7.45.0_15.07.2012_11.13.26_log.txt (128.2 KB, 1 views)