Solved

FBI Moneypak Virus

Posted on 2012-12-27
Last Modified: 2013-11-22
A customer's computer has a particularly nasty version of the FBI Moneypak virus.  I found a couple of recent questions relating to this virus, but they did not help.  The OS is XP Pro SP3.

The Bleeping Computer article could not be used because when I try to get into Safe Mode, the computer reboots.

The Temp and Startup folders for the current user, All Users, Default User, and Administrator were all empty.

I could access all folders in the other computer, but when I reinstalled the disk in its own computer and booted from an installation disk to get to the repair console, the response was Access Denied when I tried to get into the Documents and Settings folder or the Program Files folder.

Running Malwarebytes (Full Scan and for that drive) with the drive in another machine turned up nothing.

Bootcfg /rebuild (from the recovery console) had no effect.

Putting Rogue Killer in the startup directory did not work.  I then tried The Killer in the same way.  I saw the All Done, but the computer was still blocked.

I tried Emsisoft's command line scanner with the disk installed in the other computer.  After 5 hours the report was that 537 items were found and removed.  The situation did not change.  The computer is still infected.

I do not see any unusual entries in Program files or My Documents.

Is there any hope for this installation?  Where do I go from here?
Question by:rhavey
5 Comments
 
LVL 8

Expert Comment

by:Scott Thompson
ID: 38725747
Try booting the computer WITHOUT internet.  Sometimes this will cause it not to load.  However, this is not always true.

I have dealt with this infection several times, and XP is a pain to fix.

Try AS FAST AS YOU CAN to bring up msconfig BEFORE the infection loads.  Go to startup and look at probably the last checkmarked item.  You will be able to see the two locations and names of the infections.

One is generally C:\Documents and Settings\All Users\Appdata\temp\lsass.exe (If I remember correctly)
The other one I don't remember the location.

Once you get these written down, slave the drive to another computer and remove these files.

EDIT:  I just remembered, you can also load the registry hive when you have it slaved and look up the following keys:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run

Here there should be the location of the infection! :)


Good luck!  Make sure to run TDSSKiller and Malwarebytes once you are back in.
0
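The offline Run-key check described in the comment above, as an added example that is not part of the original thread: with the drive slaved, the hive can be mounted with `reg load HKLM\OfflineSW E:\WINDOWS\system32\config\software` and listed with `reg query HKLM\OfflineSW\Microsoft\Windows\CurrentVersion\Run`, and the script below triages that output. The drive letter `E:`, the mount name `OfflineSW`, the sample entries and the two heuristics (autostart from a user-writable directory, system process name outside system32) are assumptions made for illustration.

```python
import re
from ntpath import basename, normpath

# Core Windows process names that legitimately live only in system32 (assumed list).
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "smss.exe"}
# User-writable locations that are unusual for autostart binaries (assumed list).
WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\application data\\",
                 "\\local settings\\")
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

def extract_exe(data):
    """Pull the executable path out of a Run value (quoted or bare)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif|dll))\b", data, re.I)
    return m.group(1) if m else data

def triage(reg_output):
    """Return [(value_name, exe_path, [reasons])] for suspicious Run entries."""
    findings = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        exe = normpath(extract_exe(m.group("data")))
        low = exe.lower()
        reasons = []
        if any(d in low for d in WRITABLE_DIRS):
            reasons.append("runs from a user-writable directory")
        if basename(low) in SYSTEM_NAMES and "\\system32\\" not in low:
            reasons.append("system process name outside system32")
        if reasons:
            findings.append((m.group("name"), exe, reasons))
    return findings

# Constructed sample of `reg query` output for a hive mounted as HKLM\OfflineSW.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\OfflineSW\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    AdobeReader    REG_SZ    "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    lsass    REG_SZ    C:\Documents and Settings\All Users\Appdata\temp\lsass.exe
"""

if __name__ == "__main__":
    for name, exe, reasons in triage(SAMPLE):
        print(f"{name}: {exe} -> {'; '.join(reasons)}")
```

The per-user Run key lives in each profile's `NTUSER.DAT`, which can be mounted and queried the same way; unload the hives with `reg unload` before returning the disk to its own machine.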
 
LVL 92

Accepted Solution

by:
nobus earned 500 total points
ID: 38726215
Did you try running a scan from a bootable CD?
Like http://www.avg.com/us-en/avg-rescue-cd
or the Windows Defender CD http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
 
LVL 1

Author Closing Comment

by:rhavey
ID: 38729500
Thank you, Nobus.

I had never had success with offline scanners, and I have tried several.  The Microsoft Defender CD did the trick.  I will also put the AVG rescue CD aside for future use.
 
LVL 92

Expert Comment

by:nobus
ID: 38730447
rhavey, I have had the same experience,
but after running the CD, I still suggest a round of MBAM - to clean up possible remnants.
 
LVL 1

Author Comment

by:rhavey
ID: 38731108
I ran MBAM, ESET's online scanner, and Superantispyware.  I like a belt to back up my suspenders.