FBI/Moneypak Remnant?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by RaineShadow, Jul 9, 2012.

  1. RaineShadow

    RaineShadow Private E-2

    Hey there! Earlier this weekend my computer became infected with the FBI/Moneypak ransomware. After rebooting my system in Safe Mode, I went through all the Read/Run First instructions. Upon completion, I rebooted in Normal mode and it looked like the problem had been fixed with two exceptions. As soon as my login finished, I was presented with this:
    I clicked "OK" and still everything seemed fine. Hitman Pro ran its start up scan and once again, I was presented with an alert stating that my system was infected. Malwarebytes says my system is clean so I'm just a little concerned about the Hitman Pro results. The initial RunDLL popup is more of an annoyance than anything, but I want to be certain that my computer is clean.

    Thanks!

    I've attached all of the original clean up results. The hitmanpro2 file is the current scan results I'm getting.
     


  2. RaineShadow

    RaineShadow Private E-2

    Here's the MGlogs.
     


  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  4. RaineShadow

    RaineShadow Private E-2

    So now there's a new problem...

    I tried opening up BIOS and for the first time since I purchased the computer, it asked for the admin password. It's not accepting the admin password and I'm at a loss on how to change it and access BIOS. I thought that maybe I put in the wrong password, but nothing is working. Suggestions...?
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Agh. This is something that you will have to ask about in the software forum and then return here to complete malware removal.

    Do not keep trying to guess at the password because it could get locked up completely! I believe there is software out there that can resolve the problem, but again, ask the guys and gals in the other forum and then return here. :)
     
  6. RaineShadow

    RaineShadow Private E-2

    Alright! Sorry that took so long.
    That was far easier than I expected.

    Turns out, I didn't need to enter BIOS at all. Just F8 prior to startup opened my advanced boot options. Go figure. Regardless, now I have the admin password :cool:
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.



    Delete this folder:
    C:\ProgramData\blekko toolbars

    Delete this file:
    C:\Windows\assembly\GAC_32\desktop.ini

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

    Run FRST again like you did the very first time and attach the log.
     


  8. RaineShadow

    RaineShadow Private E-2

    All ran well. My boot up was a little slow this time though. Not sure if that means anything.

    C:\ProgramData\blekko toolbars has been deleted.
    I could not find C:\Windows\assembly\GAC_32\desktop.ini anywhere, however. It seems the only time I see that full file name anywhere is when it pops up in HitmanPro.

    HitmanPro's initial scan when I booted popped up with that same trojan warning and it also came up with a "suspicious file" warning as well. I've attached the xml file just in case you wish to take a look.
    Not sure if I'm supposed to, but I've tried deleting that desktop.ini file through HitmanPro but it pops up with it again when I boot up.

    Also, I'm still getting the RunDLL pop up:

    And one more new addition: I'm getting "An add-on for this website failed to run" error whenever a new page loads.
    I've tried multiple websites. Not sure if that's my ActiveX settings that are messed up somehow or what. I just find it annoying haha.
     


  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please run FRST again like you did the very first time and let me see that log too please.
     
  10. RaineShadow

    RaineShadow Private E-2

    Here you go!
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  12. RaineShadow

    RaineShadow Private E-2

    Thank you so much! Everything looks good! It booted up fine and everything is loading normally again with no delay. HitmanPro's Quick Scan was clean this time, and no RunDLL popup.

    Still getting that add-on error though. I'm thinking that's probably not related to this problem though haha.
     


  13. RaineShadow

    RaineShadow Private E-2

    Oh, I just noticed this, too. I don't know if something got messed up during the cleaning process or if the ransomware disabled it, but my biometric quick launch is not working. The scanner is working so I can log into Windows, but for websites that it's supposed to run passwords for, it will not run. I've checked my device settings and everything is still set to default (I've even changed it and reset it to default) and nada. Where would I go to find help on this? I have a lot of trust in that device (I had a problem with keyloggers on an old machine) and it's a new machine so I really don't want to have to just forget about it.
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can ask about that in the software forum. Just run CCleaner (not the registry scanner, the cleaner itself).

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  15. RaineShadow

    RaineShadow Private E-2

    Ok, on the second to last step. Just so I make sure I don't mess this up, I have 2 drives showing up in my system protection tab:
    Local Disk (C:) (System) On
    RECOVERY (D:) Off

    I want the Local Disk, right?
    I'm just asking because the screenshot for both Win7 & Vista don't touch the "system" drive.
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Are you referring to system restore?
     
  17. RaineShadow

    RaineShadow Private E-2

    Yes, the system restore.
    I want to turn off system protection to the local disk, correct?
    My options are Recovery and Local Disk.
     
  18. RaineShadow

    RaineShadow Private E-2

    Ok, I'm officially annoyed with this. I just tried to change some of my theme settings and now I'm getting the error:

    Windows cannot find 'C:\WINDOWS\\system32\\rundll32.exe'. Make sure you typed the name correctly, and then try again.

    I looked in the other threads and I don't have my Windows 7 CD and I can't find another file. I don't understand when this happened because everything was working just fine until now. I tried going into my settings to view hidden folders and I get the same error. I haven't been on any websites other than my e-mail, here, facebook, and google. I just want my computer back to normal...
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
     
  20. RaineShadow

    RaineShadow Private E-2

    Ok! I did as you said. Both came up clean :p Anyway, here's the logs!

    It's weird. Other than that rundll32.exe file, everything is running fine.
     


  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Have you still got FRST on your machine? If so run it once more and attach the log.
     
  22. RaineShadow

    RaineShadow Private E-2

    Sure do! Here ya go.
    I hope you can find some way to fix it, I'm not sure what else to do. I think the CD that came with my computer is at my parents' house across the country packed away in a box :p
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, your system32\rundll32.exe file is missing, as can be seen from the MGtools logs. Your SysWow64\rundll32.exe file is okay. We need to look for a replacement for the one that belongs in system32.

    Boot to System Recovery Options and run FRST again.
    Type the below text in the edit box after "Search:".

    rundll32.exe

    Then click the Search button.

    It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply. (See How to attach)
     
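    As an added check that is not part of the thread and not how the helpers verified it, this PowerShell snippet reports on the two rundll32.exe copies chaslang refers to and on the GAC_32\desktop.ini path HitmanPro kept flagging, so the state of each file (present or missing, attributes, version, Authenticode status, SHA-256) can be compared against a known-good Windows install before and after a replacement. It assumes a 64-bit Windows install and hashes with .NET rather than Get-FileHash so it also runs on the PowerShell 2.0 that shipped with Windows 7.

```powershell
# Added example, not from the thread. Assumes 64-bit Windows, so both a
# System32 and a SysWOW64 copy of rundll32.exe are expected to exist.
$targets = @(
    "$env:SystemRoot\System32\rundll32.exe",        # 64-bit copy, reported missing in the thread
    "$env:SystemRoot\SysWOW64\rundll32.exe",        # 32-bit copy, reported intact
    "$env:SystemRoot\assembly\GAC_32\desktop.ini"   # path HitmanPro kept flagging
)

function Get-Sha256Hex([string]$Path) {
    # .NET hashing instead of Get-FileHash, which PowerShell 2.0 does not have
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Close() }
}

function Get-SystemFileReport([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Status = 'MISSING' }
    }
    # -Force returns files carrying Hidden/System attributes, which a default
    # Explorer view does not show even though a scanner can still report them
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $Path   # a genuine rundll32.exe reports Valid
    New-Object PSObject -Property @{
        Path       = $Path
        Status     = 'PRESENT'
        Attributes = $item.Attributes
        Size       = $item.Length
        Version    = $item.VersionInfo.FileVersion     # empty for a non-PE file such as desktop.ini
        Signature  = $sig.Status
        Sha256     = Get-Sha256Hex $Path
    }
}

$targets | ForEach-Object { Get-SystemFileReport $_ } | Format-List
```

Run it from an elevated PowerShell prompt; the output for the poster's machine at this point in the thread would show MISSING for the System32 copy and PRESENT for the SysWOW64 one.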
  24. RaineShadow

    RaineShadow Private E-2

    Here you are!
     


  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  26. RaineShadow

    RaineShadow Private E-2

    Here you go!
     


  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to tell me how things are working.
     
  28. RaineShadow

    RaineShadow Private E-2

    Oh, sorry! Yesterday was kind of a daze for me.

    It looks like everything is working again! I'm able to access everything in my control panel just fine.
    Thanks again!
     
  29. RaineShadow

    RaineShadow Private E-2

    So I need to go through those "Final Steps" now, right?

    I'm still unsure about which drive to use for the system restore.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes.

    Just the System Drive. You don't need system restore on your factory partition.
     
  31. RaineShadow

    RaineShadow Private E-2

    Ok, I think we're good to go! Thanks so much :)
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
