FBI Moneypak-System Restore blocked

[smsags]

Infected with FBI Moneypak virus a couple of days back.

Specs: Dell Laptop. Win XP home, Serivce Pack 3, 32 bit

Symptoms:
- After normal boot-up, plain white screen would appear covering entire desktop.
- Task Manager was disabled, only option was to power off the laptop.
- Could not log-in in Safe Mode. Received blue screen of death

During boot-up prior to this white screen appearing, I was able to quickly launch Malwarebytes for a full scan which ID'd two threats. Also ran full McAfee Scan which found two trojans.

Researched on another computer and downloaded/ran HitManPro. This enabled a normal boot and somewhat restored the desktop, but it only showed wallpaper and task bar across bottom with start button. All desktop icons were missing. System Restore and RegEdit were disabled by the virus. Everytime these were launched I would receive error messages.
"System Restore not able to protect your computer. Please restart your computer, then run System Restore again." The same would appear for RegEdit. When I checked "My Computer" and "System Restore" tab, the checkbox to disable was and remains empty.

Once I found MajorGeeks, I followed all steps in your guide to removing Malware. Scripts are attached. After running RogueKiller, all desktop icons reappeared and the laptop seems to be running fine, but System Restore is still not working. Am also unable to toggle System Restore. I receive the same error message above.

During WIN OS Cleaning, the scans for Malwarebytes, TDSSKiller and HitmanPro were all clean (no threats). Was unable to copy/paste outcome of MGlogs.

Please review and let me know what needs to be done to re-enable System Restore as well as anything else which still needs to be corrected.

Thanks!

[Kestrel13!]

You have attached some logs that we did not request and did not attach others that we did request

Quote:

During WIN OS Cleaning, the scans for Malwarebytes, TDSSKiller and HitmanPro were all clean (no threats).

I still want to see them please.

Quote:

Was unable to copy/paste outcome of MGlogs.

You shouldn't be copying and pasting anything from MGTOols. I want you to attach the MGlogs.zip.

[smsags]

Requested logs attached.

[smsags]

MGTools zipfile attached.

[chaslang]

Quote:

Originally Posted by smsags

MGTools zipfile attached.

You did not attach anything and the file is named C:\MGlogs.zip and nothing else. Notice it is not in the C:\MGtools folder.

[smsags]

MGLogs.zip file attached.

[Kestrel13!]

Uninstall the below:

• Viewpoint Manager (Remove Only)
• Viewpoint Media Player (Remove Only)
• Babylon toolbar on IE
• BabylonObjectInstaller

Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these 5 detections:

• [Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\61883 (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
• [Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\61883 (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
• [Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\61883 (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
• [PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND
• [APPINIT][SUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (c:\docume~1\alluse~1\applic~1\browse~1\22643~1.41\{16cdf~1\browse~1.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) -> FOUND
  
  

Place a checkmark each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Do not reboot your computer yet.

Delete these folders if they show:

• C:\Documents and Settings\Steve\Local Settings\Application Data\kdnyokjla
• C:\Documents and Settings\Steve\Application Data\Babylon
• C:\Documents and Settings\Steve\Application Data\BabylonToolbar
• C:\Documents and Settings\All Users\Application Data\Babylon
• C:\Program Files\BabylonToolbar

Run CCleaner to clean out temp files.

Re run RogueKiller and attach the log.

Open up your services (start > run > type services.msc and hit ENTER.
Look for the Background Intelligent Transfer Service if it shows, let me know its status and start up type.

[smsags]

Followed your instructions. Could not identify the final two bullets in your list, bullets 4 "[PROXY IE...] and 5 [APPINIT] in the registry tab of the RogueKiller scan. The PC forced a shutdown every time I tried and would close in less than 1 minute.

I booted back up, deleted RogueKiller, and downloaded a fresh copy. Scanned and ran again. Attached are the 3 scan reports obtained during that process.

Of the folders you suggested I delete, I only found and deleted the first one ("kdnyokjla"). All others were not present.

Ran CCleaner.

When I re-ran RogueKiller I received the following error message:

"The instruction at "0x02b14fao" referenced memory at "0x02b14fao". The memory could not be "written"
Click on OK to terminate.
Click on CANCEL to debug the program.

I clicked cancel and ran RogueKiller anyway. The attached scan titled "RKreport[9].txt" is from that final scan.

"Background Intelligent Transfer Service" was not present in the list of services.

[Kestrel13!]

Uninstall this please:

Browser Manager

Now before we tackle the BITS service you should do this:

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

[smsags]

OK. Removed "Browser Manager". Ran MGTools. MGLogs attached.

[Kestrel13!]

Download the below two files to your desktop.

BITS.reg
Netman.reg

• Click on start -> run -> regedit >
• You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
• Right click on regedit.exe and select Run As Administrator
• Then in the Registry Editor menu click File and select Import.
• Navigate to the BITS.reg file saved to your Desktop and double click it. Allow it to be added to the registry. Repeat this for the Netman.reg file.

• Reboot the machine.
• Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

[Kestrel13!]

Also: Delete these leftover folders:

C:\Documents and Settings\All Users\Application Data\Browser Manager
C:\Documents and Settings\Steve\Start Menu\Programs\Browser Manager

[smsags]

MGLogs attached.

[Kestrel13!]

Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
• Now select the Start Repairs tab.
• The click the Start button.
• Create a System Restore point if prompted.
• On the next screen, click the Unselect All button to first deselect all repairs.
• Now select the following repair options:
  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair WMI
  • Repair Windows Firewall
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Repair Proxy Settings
  • Repair Windows Updates
  • Set Windows Services To Default Startup
• Now on the lower right side check the box to Restart/Shutdown System When Finished
• Then make sure the Restart System radio button is enabled.
• Shutdown any other programs that you are running now before continuing.
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• It should reboot automatically when finished.

After reboot, check to see if your firewall is working.

Now repeat the steps in post 11 to do the BITS.reg again.

Once done....

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

[smsags]

Completed all steps as instructed. Was not able to initiate a system restore using using Windows Repair by tweaking.com. Received the same error message as before, stating "System Restore not able to protect your computer. Please restart your computer, then run System Restore again."

Added BITS and NetMan to registry. Rebooted. Re-ran MGTools. Log attached.

[Kestrel13!]

How is everything currently running?

[chaslang]

Quote:

Originally Posted by smsags

Was not able to initiate a system restore using using Windows Repair by tweaking.com. Received the same error message as before, stating "System Restore not able to protect your computer.

This system restore registry key is broken.


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srservice]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="System Restore Service"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"Description"="Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srservice\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,72,00,\
73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srservice\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srservice\Enum]
"0"="Root\\LEGACY_SRSERVICE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!