Solved

FBI Moneypak Virus

Posted on 2012-12-27
5
741 Views
Last Modified: 2013-11-22
A customer's computer has a particularly nasty version of the FBI Moneypak virus.  I found a couple of recent questions relating to this virus, but they did not help.  The OS is XP Pro SP3.

The Bleeping Computer article could not be used because when I try to get into Safe Mode, the computer reboots.

The Temp and Startup folders for the current user, All Users, Default User, and Administrator were all empty.

I could access all folders in the other computer, but when I reinstalled the disk in its own computer and booted from an installation disk to get to the repair console, the response was Access Denied whe I tried to get into the Documents and Settings folder or the Program Files folder.

Running Malwarebytes (Full Scan and for that drive) with the drive in another machine turned up nothing.

Bootcfg /rebuild (from the recovery console) had no effect.

Putting Rogue Killer in the startup directory did not work.  I then tried The Killer in the same way.  I saw the All Done, but the computer was still blocked.

I tried Emsisoft's command line scanner with the disk installed in the other computer.  After 5 hours the report was that 537 items were found and removed.  The situation did not change.  The computer is still infected.

I do not see any unusual entries in Program files or My Documents.

Is there any hope for this installation?  Where do I go from here?
0
Comment
Question by:rhavey
  • 2
  • 2
5 Comments
 
LVL 8

Expert Comment

by:Scott Thompson
ID: 38725747
Try booting the computer WITHOUT internet.  Sometimes this will cause it not to load.  However, this is not always true.

I have dealt with this infection several times, and XP is a pain to fix.

Try AS FAST AS YOU CAN to bring up msconfig BEFORE the infection loads.  Go to startup and look at probably the last checkmarked item.  You will be able to see the two locations and names of the infections.

One is generally C:\Documents and Settings\All Users\Appdata\temp\lsass.exe (If I remember correctly)
The other one I don't remember the location.

Once you get these written down, slave the drive to another computer and remove these files.

EDIT:  I just remembered, you can also load the registry hive when you have it slaved and look up the following keys:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run

Here there should be the location of the infection! :)


Good luck!  Make sure to run TDSSKiller and Malwarebytes once you are back in.
0
 
LVL 92

Accepted Solution

by:
nobus earned 500 total points
ID: 38726215
did you try running a scan  from a bootable cd?
like http://www.avg.com/us-en/avg-rescue-cd
or windows defender cd    http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
0
 
LVL 1

Author Closing Comment

by:rhavey
ID: 38729500
Thank you, Nobus.

I had never had success with offline scanners, and I have tried several.  The Microsoft Defender CD did the trick.  I will also put the AVG rescue CD aside for futire use.
0
 
LVL 92

Expert Comment

by:nobus
ID: 38730447
rhavey, i have had the same experience
but after running  the cd, i still suggest a round of MBAM - to clean up possible  remnants
0
 
LVL 1

Author Comment

by:rhavey
ID: 38731108
I ran MBAM, ESET's online scanner, and Superantispyware.  I like a belt to back up my suspenders.
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

UPDATE - 6/15/2011 Added support for Release Update 6 Maintenance Patch 2 Point Patch 1 (RU6 MP2 PP1). Fixed a defect in the username field that was hard-coded to look for a specific domain (left over code from testing). This release will be the …
We have adopted the strategy to use Computers in Student Labs as the bulletin boards. The same target can be achieved by using a Login Notice feature in Group policy but it’s not as attractive as graphical wallpapers with message which grabs the att…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question