FBI Moneypak Virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by crustfan, Aug 31, 2012.

  1. crustfan

    crustfan Private E-2

    The only tool that found something is Rogue. There was an entry in msconfig startup that I unchecked which tries to run hos32.exe. So far that is working.

    I'm not sure how to totally disinfect the computer though (i.e. what registry entries and files do I need to delete). I tried a system restore but that would not work. It also didn't let me into safe mode. It tries to fix Windows and spends a lot of time doing it. I was able to boot into normal mode with the LAN cable detached. An error message would come up and then I could reattach my LAN cable and run the computer as normal. The system restore did not work in normal mode either.

    It seems that other people have different versions of this virus (different registry entries, files, etc.)

    I'm pretty sure I got it on 8/30/12.
     

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download OTL to your desktop.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


    • [RUN][Rans.Gendarm] HKCU\[...]\Run : GoogleChrome (C:\Users\Jerry\AppData\Local\Temp\hos32.exe) -> FOUND
    • [RUN][Rans.Gendarm] HKUS\S-1-5-21-3343375994-744087225-4080931239-1001[...]\Run : GoogleChrome (C:\Users\Jerry\AppData\Local\Temp\hos32.exe) -> FOUND
    • [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    • [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    • [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    • [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :killallprocesses
    :files
    C:\Users\Jerry\AppData\Local\Temp\hos32.exe
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
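    The RogueKiller detections TimW lists above are two different things: a Run-key autostart that launches an executable out of the user's Temp folder, and two UAC policy values (EnableLUA and ConsentPromptBehaviorAdmin) forced to 0 so that nothing prompts for elevation. The script below is an added, read-only audit for exactly those two conditions on another machine; it is not part of this thread and not a MajorGeeks or RogueKiller tool. It reports and does not delete anything. The registry paths are the standard Windows locations; the list of "suspicious" directories and the function name are my own choices.

```powershell
# Added example: audit autostart Run keys and UAC policy values of the kind
# flagged in the RogueKiller output above. Read-only: it prints findings only.
function Get-AutostartAudit {
    $findings = @()

    # Standard per-user and per-machine Run keys (HKU\<SID> keys for other
    # profiles are not enumerated here; load the hive or run as that user).
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )

    # Directories a legitimate autostart entry almost never runs from (my list).
    $suspiciousPaths = @('\AppData\Local\Temp\', '\Windows\Temp\', '\AppData\Roaming\')

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
            $value = [string]$prop.Value
            $hit = $suspiciousPaths | Where-Object { $value -like "*$_*" }
            if ($hit) {
                $findings += "[RUN] $key : $($prop.Name) = $value  <-- runs from a temp/profile directory"
            }
        }
    }

    # UAC policy. EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0
    # means administrators are elevated silently with no prompt.
    $policyKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $policy = Get-ItemProperty -Path $key
        if ($policy.EnableLUA -eq 0) {
            $findings += "[HJ] $key : EnableLUA (0)  <-- UAC disabled"
        }
        if ($policy.ConsentPromptBehaviorAdmin -eq 0) {
            $findings += "[HJ] $key : ConsentPromptBehaviorAdmin (0)  <-- silent elevation"
        }
    }

    if ($findings.Count -eq 0) { "No findings." } else { $findings }
}

Get-AutostartAudit
```

    Run it from an elevated PowerShell prompt so the HKLM keys are readable. An entry such as "GoogleChrome" pointing at C:\Users\<name>\AppData\Local\Temp\hos32.exe is the pattern in this thread: a trustworthy-looking value name with a path no real installer would use. The UAC values should be restored to their defaults (EnableLUA=1 and a non-zero prompt behaviour) after the malware is removed, which is what the RogueKiller deletions in the instructions above accomplish.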
  3. crustfan

    crustfan Private E-2

    Thank you for your reply.

    Ran analyse.exe and clicked fix on the specified O4 entry

    Copied text to fixME.reg, ran it with success message

    Ran RogueKiller but the [RUN] entries were not there. There were a lot more registry entries than before and I got a little confused and didn't see the [HJ] entries that you told me to delete though they probably were there. (I reran RogueKiller as the last step in this process, after the GetLogs.bat, and clicked delete on the four mentioned [HJ] entries only.)

    I'm concerned that RogueKiller presents a Root.MBR flashing warning.


    Ran OTL with the text, rebooted.

    Ran GetLogs.bat.

    Reran RogueKiller and clicked delete on the four entries that were mentioned.

    Because of the Root.MBR message I also ran TDSSKiller, which comes up clean, and attached the log.

    Jedi Master, I wonder about the new registry entries and Root.MBR message.
     

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    As long as TDSSKiller showed up as clean then you have nothing to worry about when RogueKiller shows this.
     
  5. crustfan

    crustfan Private E-2

    Don't work on this one any more. I decided to do a factory image recovery. Here's why.

    Things were working ok with the repairs you mentioned. But I was still trying to get Safe Mode to work. It would give me a blue screen and restart. I tried to do a Windows Repair but that was taking forever. I also did a System Restore and all the old registry entries came back but I knew how to deal with them. Just redid what you mentioned last time.

    However, then Norton was complaining that it wasn't working correctly and I needed to uninstall / reinstall. That combined with the MBR question and combined with the fact that I did a System Recovery a few weeks back and all my data is updated, recently went through the process, etc. It just led me to cut to the chase.

    I do wonder about an HP System Recovery using the built-in tools vs. a Factory Image Recovery using the DVDs. Do they change the MBR? Does one do it and the other doesn't? HP says System Recovery does not affect user-created partitions. Factory Restore reformats the entire hard drive.

    Here's what HP says about the differences http://h10025.www1.hp.com/ewfrf/wc/document?cc=us&lc=en&docname=c01867418
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your safest option was the Image recovery.

    Hope all is well now.
     
  7. crustfan

    crustfan Private E-2

    RogueKiller doesn't complain about the Root.MBR anymore.
     

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The re-image removed all the malware.
     
  9. crustfan

    crustfan Private E-2

    TDSSKiller said things were ok but RogueKiller didn't. The actions I was advised to do, like removing registry entries with HJT, OTL, etc. in the previous script, had no effect on the MBR. To me, it seems that the computer was still infected after following the helpful, well-intentioned advice here. To what degree it would have presented a problem I can't be sure. I don't know for sure if the Root.MBR RogueKiller complaint had anything to do with the FBI Moneypak virus. It's possible that I got it in the past and the problem was never rectified even when I did a system recovery about a month ago. My understanding is that the system recovery copies the software from a recovery partition but does not format the hard drive and thus has no effect on the MBR. Whereas a factory image recovery install from a DVD can reformat the hard drive and write a new MBR.

    After the factory image, RogueKiller says the MBR is ok. That's something to note for future malware infections on other people's computers.

    Thanks again for your help in this matter. I've been reading the educational materials about avoiding malware, etc. and am pretty sure how I got it in the first place. ;) In the future, I won't be so irresponsible. I'm cleaning up my other computers however they do seem to be running fine.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Like I said, as long as TDSSKiller is run when you see this in an RK log, and it comes up clean, it's usually ok! When you reimaged and ran RogueKiller again, I bet there was NO antivirus software on it at that time. The MBR could be hidden by that antivirus software, hence making the RogueKiller log appear bad.
     