MajorGeeks Support Forums

#1 - 09-16-12, 07:42 - smsags (Private E-2)
FBI Moneypak-System Restore blocked

Infected with FBI Moneypak virus a couple of days back.

Specs: Dell Laptop. Win XP Home, Service Pack 3, 32 bit

Symptoms:
- After normal boot-up, plain white screen would appear covering entire desktop.
- Task Manager was disabled, only option was to power off the laptop.
- Could not log in in Safe Mode. Received blue screen of death.

During boot-up prior to this white screen appearing, I was able to quickly launch Malwarebytes for a full scan which ID'd two threats. Also ran full McAfee Scan which found two trojans.

Researched on another computer and downloaded/ran HitManPro. This enabled a normal boot and somewhat restored the desktop, but it only showed wallpaper and task bar across bottom with start button. All desktop icons were missing. System Restore and RegEdit were disabled by the virus. Every time these were launched I would receive error messages:
"System Restore not able to protect your computer. Please restart your computer, then run System Restore again." The same would appear for RegEdit. When I checked "My Computer" and "System Restore" tab, the checkbox to disable was and remains empty.

Once I found MajorGeeks, I followed all steps in your guide to removing Malware. Scripts are attached. After running RogueKiller, all desktop icons reappeared and the laptop seems to be running fine, but System Restore is still not working. Am also unable to toggle System Restore. I receive the same error message above.

During WIN OS Cleaning, the scans for Malwarebytes, TDSSKiller and HitmanPro were all clean (no threats). Was unable to copy/paste outcome of MGlogs.

Please review and let me know what needs to be done to re-enable System Restore as well as anything else which still needs to be corrected.

Thanks!
Attached Files
File Type: txt dds.txt (8.6 KB, 3 views)
File Type: txt attach.txt (16.6 KB, 2 views)
File Type: txt ark.txt (66.1 KB, 2 views)
File Type: txt RKreport[1].txt (2.9 KB, 3 views)
File Type: txt RKreport[2].txt (2.9 KB, 3 views)

#2 - 09-16-12, 09:08 - Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: FBI Moneypak-System Restore blocked

You have attached some logs that we did not request and did not attach others that we did request

Quote:
During WIN OS Cleaning, the scans for Malwarebytes, TDSSKiller and HitmanPro were all clean (no threats).
I still want to see them please.

Quote:
Was unable to copy/paste outcome of MGlogs.
You shouldn't be copying and pasting anything from MGTools. I want you to attach the MGlogs.zip.
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!

#3 - 09-16-12, 11:30 - smsags (Private E-2)
Re: FBI Moneypak-System Restore blocked

Requested logs attached.
Attached Files
File Type: txt mbam-log-2012-09-13 (04-40-50).txt (1.8 KB, 8 views)
File Type: txt TDSSKiller log.txt (54.5 KB, 7 views)
File Type: log HitmanPro_20120916_1221.log (2.0 KB, 6 views)

#4 - 09-16-12, 11:32 - smsags (Private E-2)
Re: FBI Moneypak-System Restore blocked

MGTools zipfile attached.

#5 - 09-16-12, 11:53 - chaslang (MajorGeeks Admin - Master Malware Expert)
Re: FBI Moneypak-System Restore blocked

Quote:
Originally Posted by smsags
MGTools zipfile attached.
You did not attach anything and the file is named C:\MGlogs.zip and nothing else. Notice it is not in the C:\MGtools folder.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."



#6 - 09-16-12, 11:58 - smsags (Private E-2)
Re: FBI Moneypak-System Restore blocked

MGLogs.zip file attached.
Attached Files
File Type: zip MGlogs.zip (226.7 KB, 4 views)

#7 - 09-16-12, 16:45 - Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: FBI Moneypak-System Restore blocked

Uninstall the below:
  • Viewpoint Manager (Remove Only)
  • Viewpoint Media Player (Remove Only)
  • Babylon toolbar on IE
  • BabylonObjectInstaller


Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these 5 detections:
  • [Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\61883 (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
  • [Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\61883 (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
  • [Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\61883 (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
  • [PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND
  • [APPINIT][SUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (c:\docume~1\alluse~1\applic~1\browse~1\22643~1.41\{16cdf~1\browse~1.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) -> FOUND

Place a checkmark next to each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Do not reboot your computer yet.

Delete these folders if they show:
  • C:\Documents and Settings\Steve\Local Settings\Application Data\kdnyokjla
  • C:\Documents and Settings\Steve\Application Data\Babylon
  • C:\Documents and Settings\Steve\Application Data\BabylonToolbar
  • C:\Documents and Settings\All Users\Application Data\Babylon
  • C:\Program Files\BabylonToolbar

Run CCleaner to clean out temp files.

Re run RogueKiller and attach the log.

Open up your services (start > run > type services.msc and hit ENTER).
Look for the Background Intelligent Transfer Service if it shows, let me know its status and start up type.

#8 - 09-22-12, 05:22 - smsags (Private E-2)
Re: FBI Moneypak-System Restore blocked

Followed your instructions. Could not identify the final two bullets in your list, bullets 4 "[PROXY IE...]" and 5 "[APPINIT]", in the registry tab of the RogueKiller scan. The PC forced a shutdown every time I tried and would close in less than 1 minute.

I booted back up, deleted RogueKiller, and downloaded a fresh copy. Scanned and ran again. Attached are the 3 scan reports obtained during that process.

Of the folders you suggested I delete, I only found and deleted the first one ("kdnyokjla"). All others were not present.

Ran CCleaner.

When I re-ran RogueKiller I received the following error message:

"The instruction at "0x02b14fao" referenced memory at "0x02b14fao". The memory could not be "written".
Click on OK to terminate.
Click on CANCEL to debug the program."

I clicked cancel and ran RogueKiller anyway. The attached scan titled "RKreport[9].txt" is from that final scan.

"Background Intelligent Transfer Service" was not present in the list of services.
Attached Files
File Type: txt RKreport[6].txt (3.9 KB, 0 views)
File Type: txt RKreport[7].txt (2.8 KB, 0 views)
File Type: txt RKreport[8].txt (3.4 KB, 0 views)
File Type: txt RKreport[9].txt (2.5 KB, 4 views)

#9 - 09-22-12, 17:04 - Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: FBI Moneypak-System Restore blocked

Uninstall this please:

Browser Manager

Now before we tackle the BITS service you should do this:

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

#10 - 09-23-12, 07:05 - smsags (Private E-2)
Re: FBI Moneypak-System Restore blocked

OK. Removed "Browser Manager". Ran MGTools. MGLogs attached.
Attached Files
File Type: zip MGlogs.zip (221.7 KB, 2 views)

#11 - 09-23-12, 17:00 - Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: FBI Moneypak-System Restore blocked

Download the below two files to your desktop.

BITS.reg
Netman.reg

  • Click on start -> run -> regedit >
  • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
  • Right click on regedit.exe and select Run As Administrator
  • Then in the Registry Editor menu click File and select Import.
  • Navigate to the BITS.reg file saved to your Desktop and double click it. Allow it to be added to the registry. Repeat this for the Netman.reg file.
  • Reboot the machine.
  • Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

#12 - 09-23-12, 17:53 - Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: FBI Moneypak-System Restore blocked

Also: Delete these leftover folders:

C:\Documents and Settings\All Users\Application Data\Browser Manager
C:\Documents and Settings\Steve\Start Menu\Programs\Browser Manager

#13 - 09-29-12, 09:21 - smsags (Private E-2)
Re: FBI Moneypak-System Restore blocked

MGLogs attached.
Attached Files
File Type: zip MGlogs.zip (223.9 KB, 1 views)

#14 - 09-29-12, 17:32 - Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: FBI Moneypak-System Restore blocked

Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
  • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
  • Now select the Start Repairs tab.
  • Then click the Start button.
  • Create a System Restore point if prompted.
  • On the next screen, click the Unselect All button to first deselect all repairs.
  • Now select the following repair options:
    • Reset Registry Permissions
    • Reset File Permissions
    • Register System Files
    • Repair WMI
    • Repair Windows Firewall
    • Remove Policies Set By Infections
    • Repair Winsock & DNS Cache
    • Repair Proxy Settings
    • Repair Windows Updates
    • Set Windows Services To Default Startup
  • Now on the lower right side check the box to Restart/Shutdown System When Finished
  • Then make sure the Restart System radio button is enabled.
  • Shutdown any other programs that you are running now before continuing.
  • Now click the Start button.
  • Be patient while the tool repairs the selected items.
  • It should reboot automatically when finished.

After reboot, check to see if your firewall is working.

Now repeat the steps in post 11 to do the BITS.reg again.

Once done....

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

#15 - 10-06-12, 08:59 - smsags (Private E-2)
Re: FBI Moneypak-System Restore blocked

Completed all steps as instructed. Was not able to initiate a system restore using Windows Repair by tweaking.com. Received the same error message as before, stating "System Restore not able to protect your computer. Please restart your computer, then run System Restore again."

Added BITS and NetMan to registry. Rebooted. Re-ran MGTools. Log attached.
Attached Files
File Type: zip MGlogs.zip (288.9 KB, 3 views)

#16 - 10-06-12, 16:19 - Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: FBI Moneypak-System Restore blocked

How is everything currently running?

#17 - 10-06-12, 16:48 - chaslang (MajorGeeks Admin - Master Malware Expert)
Re: FBI Moneypak-System Restore blocked

Quote:
Originally Posted by smsags
Was not able to initiate a system restore using Windows Repair by tweaking.com. Received the same error message as before, stating "System Restore not able to protect your computer.
This system restore registry key is broken.


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
Quote:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srservice]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="System Restore Service"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"Description"="Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srservice\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,72,00,\
73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srservice\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srservice\Enum]
"0"="Root\\LEGACY_SRSERVICE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
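Before merging a registry fix like the one in the post above, it is worth decoding what its hex(2) and hex(7) values actually point at, since the .reg file stores them as UTF-16-LE byte lists. The Python parser below is an added example, not from the thread or from any MajorGeeks tool; its sample input is the srservice fix from the post, trimmed to the values worth checking.

```python
import re

# Constructed sample: the relevant lines of the fixme.reg posted above. Registry
# Editor writes REG_EXPAND_SZ as hex(2) and REG_MULTI_SZ as hex(7), both UTF-16-LE,
# and wraps long values with a trailing backslash, so the paths are unreadable as-is.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srservice]
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="System Restore Service"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srservice\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,72,00,\
73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def _join_continuations(text):
    """Rejoin values that Registry Editor wrapped with a trailing backslash."""
    return re.sub(r',\\\r?\n\s*', ',', text)

def _decode(data):
    """Turn one value's raw text into (type name, Python value)."""
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", data[1:-1].replace('\\\\', '\\')
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', data)
    if not m:
        raise ValueError("unsupported value syntax: " + data)
    kind = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY (type 3), e.g. "Security"
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind == 2:  # REG_EXPAND_SZ: UTF-16-LE string with a NUL terminator
        return "REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00")
    if kind == 7:  # REG_MULTI_SZ: NUL-separated strings, double NUL at the end
        return "REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return "REG_BINARY", raw

def parse_reg(text):
    """Return {key_path: {value_name: (type name, decoded value)}}."""
    result, key = {}, None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
        elif key is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            result[key][m.group("name")] = _decode(m.group("data"))
    return result

if __name__ == "__main__":
    # Print every key with its decoded values so ImagePath, ServiceDll and
    # DependOnService can be checked against the expected XP defaults before merging.
    for key, values in parse_reg(SAMPLE_REG).items():
        print(key)
        for name, (kind, value) in values.items():
            print(f"  {name} ({kind}) = {value!r}")
```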