FBI Moneypak-System Restore blocked

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by smsags, Sep 16, 2012.

  1. smsags

    smsags Private E-2

    Infected with FBI Moneypak virus a couple of days back.

    Specs: Dell Laptop. Win XP Home, Service Pack 3, 32 bit

    Symptoms:
    - After normal boot-up, plain white screen would appear covering entire desktop.
    - Task Manager was disabled, only option was to power off the laptop.
    - Could not log in in Safe Mode. Received blue screen of death.

    During boot-up prior to this white screen appearing, I was able to quickly launch Malwarebytes for a full scan which ID'd two threats. Also ran full McAfee Scan which found two trojans.

    Researched on another computer and downloaded/ran HitManPro. This enabled a normal boot and somewhat restored the desktop, but it only showed wallpaper and task bar across bottom with start button. All desktop icons were missing. System Restore and RegEdit were disabled by the virus. Every time these were launched I would receive error messages.
    "System Restore not able to protect your computer. Please restart your computer, then run System Restore again." The same would appear for RegEdit. When I checked "My Computer" and "System Restore" tab, the checkbox to disable was and remains empty.

    Once I found MajorGeeks, I followed all steps in your guide to removing Malware. Scripts are attached. After running RogueKiller, all desktop icons reappeared and the laptop seems to be running fine, but System Restore is still not working. Am also unable to toggle System Restore. I receive the same error message above.

    During WIN OS Cleaning, the scans for Malwarebytes, TDSSKiller and HitmanPro were all clean (no threats). Was unable to copy/paste outcome of MGlogs.

    Please review and let me know what needs to be done to re-enable System Restore as well as anything else which still needs to be corrected.

    Thanks!
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You have attached some logs that we did not request and did not attach others that we did request ;)

    I still want to see them please.

    You shouldn't be copying and pasting anything from MGTools. I want you to attach the MGlogs.zip.
     
  3. smsags

    smsags Private E-2

    Requested logs attached.
     


  4. smsags

    smsags Private E-2

    MGTools zipfile attached.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach anything and the file is named C:\MGlogs.zip and nothing else. Notice it is not in the C:\MGtools folder. ;)
     
  6. smsags

    smsags Private E-2

    MGLogs.zip file attached.
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall the below:
    • Viewpoint Manager (Remove Only)
    • Viewpoint Media Player (Remove Only)
    • Babylon toolbar on IE
    • BabylonObjectInstaller


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 5 detections:
    • [Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\61883 (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
    • [Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\61883 (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
    • [Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\61883 (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
    • [PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND
    • [APPINIT][SUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (c:\docume~1\alluse~1\applic~1\browse~1\22643~1.41\{16cdf~1\browse~1.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) -> FOUND

    Place a checkmark on each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Delete these folders if they show:

    • C:\Documents and Settings\Steve\Local Settings\Application Data\kdnyokjla
    • C:\Documents and Settings\Steve\Application Data\Babylon
    • C:\Documents and Settings\Steve\Application Data\BabylonToolbar
    • C:\Documents and Settings\All Users\Application Data\Babylon
    • C:\Program Files\BabylonToolbar

    Run CCleaner to clean out temp files.

    Re run RogueKiller and attach the log.

    Open up your services (start > run > type services.msc and hit ENTER).
    Look for the Background Intelligent Transfer Service if it shows, let me know its status and start up type.
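A defender-side re-check of the registry locations RogueKiller flagged in the post above, added here as an example and not part of the thread or the tools it names. The full key paths are the standard Windows locations (the report abbreviates them with [...]), the service name 61883 is the one in the report, and the script goes one step further than the report by also reading the System Restore policy key that produces the "not able to protect your computer" symptom.

```powershell
# Added audit script, not from the thread; key paths are standard Windows locations, '61883' is from post 7.
$ServiceName = '61883'
function Get-RogueServiceHits {
    param([string]$Name)
    # A service run as "svchost.exe -k netsvcs" normally is a known netsvcs member; an unfamiliar name with its own ServiceDll is the signal.
    $svchost = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $sets = Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $sets) {
        $key = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\$Name"
        if (-not (Test-Path $key)) { continue }
        $dll = $null
        if (Test-Path "$key\Parameters") {
            $dll = (Get-ItemProperty "$key\Parameters").ServiceDll
        }
        New-Object PSObject -Property @{
            ControlSet = $cs.PSChildName
            ImagePath  = (Get-ItemProperty $key).ImagePath
            ServiceDll = $dll
            InNetsvcs  = [bool]($svchost.netsvcs -contains $Name)
        }
    }
}
function Get-ProxyAndAppInit {
    # ProxyEnable=1 with an unexpected ProxyServer, or any AppInit_DLLs entry on a clean XP box, matches the other two findings.
    $ie  = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $win = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    New-Object PSObject -Property @{
        ProxyEnable  = $ie.ProxyEnable
        ProxyServer  = $ie.ProxyServer
        AppInit_DLLs = $win.AppInit_DLLs
    }
}
function Get-SystemRestorePolicy {
    # Not in the RogueKiller list, but the "System Restore not able to protect your computer" error is often these infection-set policy values.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    if (Test-Path $pol) {
        Get-ItemProperty $pol | Select-Object DisableSR, DisableConfig
    } else {
        'No SystemRestore policy key present (the normal state).'
    }
}
Get-RogueServiceHits -Name $ServiceName | Format-Table -AutoSize
Get-ProxyAndAppInit | Format-List
Get-SystemRestorePolicy
```

Run it from an elevated PowerShell (2.0 or later works, so it fits the XP machine in the thread). A service hit in any ControlSet, ProxyEnable set to 1, a populated AppInit_DLLs, or DisableSR/DisableConfig set to 1 are the conditions worth investigating.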
     
  8. smsags

    smsags Private E-2

    Followed your instructions. Could not identify the final two bullets in your list, bullets 4 "[PROXY IE...]" and 5 "[APPINIT]", in the registry tab of the RogueKiller scan. The PC forced a shutdown every time I tried and would close in less than 1 minute.

    I booted back up, deleted RogueKiller, and downloaded a fresh copy. Scanned and ran again. Attached are the 3 scan reports obtained during that process.

    Of the folders you suggested I delete, I only found and deleted the first one ("kdnyokjla"). All others were not present.

    Ran CCleaner.

    When I re-ran RogueKiller I received the following error message:

    "The instruction at "0x02b14fao" referenced memory at "0x02b14fao". The memory could not be "written".
    Click on OK to terminate.
    Click on CANCEL to debug the program."

    I clicked cancel and ran RogueKiller anyway. The attached scan titled "RKreport[9].txt" is from that final scan.

    "Background Intelligent Transfer Service" was not present in the list of services.
     


  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall this please:

    Browser Manager

    Now before we tackle the BITS service you should do this:

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  10. smsags

    smsags Private E-2

    OK. Removed "Browser Manager". Ran MGTools. MGLogs attached.
     


  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download the below two files to your desktop.

    BITS.reg
    Netman.reg


    • Click on start -> run -> regedit >
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator
    • Then in the Registry Editor menu click File and select Import.
    • Navigate to the BITS.reg file saved to your Desktop and double click it. Allow it to be added to the registry. Repeat this for the Netman.reg file.

    • Reboot the machine.
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Also: Delete these leftover folders:

    C:\Documents and Settings\All Users\Application Data\Browser Manager
    C:\Documents and Settings\Steve\Start Menu\Programs\Browser Manager
     
  13. smsags

    smsags Private E-2

    MGLogs attached.
     


  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    After reboot, check to see if your firewall is working.

    Now repeat the steps in post 11 to do the BITS.reg again.

    Once done....

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  15. smsags

    smsags Private E-2

    Completed all steps as instructed. Was not able to initiate a system restore using Windows Repair by tweaking.com. Received the same error message as before, stating "System Restore not able to protect your computer. Please restart your computer, then run System Restore again."

    Added BITS and NetMan to registry. Rebooted. Re-ran MGTools. Log attached.
     


  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    How is everything currently running?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This system restore registry key is broken.


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
