Solved

FBI Moneypak Virus

Posted on 2012-12-27
751 Views
Last Modified: 2013-11-22
A customer's computer has a particularly nasty version of the FBI Moneypak virus.  I found a couple of recent questions relating to this virus, but they did not help.  The OS is XP Pro SP3.

The Bleeping Computer article could not be used because when I try to get into Safe Mode, the computer reboots.

The Temp and Startup folders for the current user, All Users, Default User, and Administrator were all empty.

I could access all folders in the other computer, but when I reinstalled the disk in its own computer and booted from an installation disk to get to the repair console, the response was Access Denied when I tried to get into the Documents and Settings folder or the Program Files folder.

Running Malwarebytes (Full Scan and for that drive) with the drive in another machine turned up nothing.

Bootcfg /rebuild (from the recovery console) had no effect.

Putting Rogue Killer in the startup directory did not work.  I then tried The Killer in the same way.  I saw the All Done, but the computer was still blocked.

I tried Emsisoft's command line scanner with the disk installed in the other computer.  After 5 hours the report was that 537 items were found and removed.  The situation did not change.  The computer is still infected.

I do not see any unusual entries in Program files or My Documents.

Is there any hope for this installation?  Where do I go from here?
0
Comment
Question by:rhavey
5 Comments
 
LVL 8

Expert Comment

by:Scott Thompson
ID: 38725747
Try booting the computer WITHOUT internet.  Sometimes this will cause it not to load.  However, this is not always true.

I have dealt with this infection several times, and XP is a pain to fix.

Try AS FAST AS YOU CAN to bring up msconfig BEFORE the infection loads.  Go to startup and look at probably the last checkmarked item.  You will be able to see the two locations and names of the infections.

One is generally C:\Documents and Settings\All Users\Appdata\temp\lsass.exe (If I remember correctly)
The other one I don't remember the location.

Once you get these written down, slave the drive to another computer and remove these files.

EDIT:  I just remembered, you can also load the registry hive when you have it slaved and look up the following keys:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run

Here there should be the location of the infection! :)


Good luck!  Make sure to run TDSSKiller and Malwarebytes once you are back in.
0
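The comment above suggests loading the slaved drive's registry hives and reading the two Run keys to find the autostart entry. The following is an added PowerShell example (not code from the thread or from any of its participants) that does exactly that from an elevated prompt on the host machine: it loads the offline SOFTWARE and NTUSER.DAT hives under temporary names, lists every Run value, flags commands that point into Temp or profile folders for review, and unloads the hives again. The drive letter E:, the profile name, and the temporary hive names are assumptions; adjust them to the machine in front of you.

```powershell
# Added example: enumerate autostart "Run" entries from an offline (slaved) XP drive.
# Assumptions: the slaved drive is mounted as E: and the infected user profile is
# named "Administrator". Run this from an elevated PowerShell prompt on the clean host.
$SlavedDrive = 'E:'
$ProfileName = 'Administrator'   # assumed; check E:\Documents and Settings for the real name

# Hive files on an XP drive and the temporary key names we load them under (assumed names)
$hives = @{
    'OfflineSOFTWARE' = "$SlavedDrive\WINDOWS\system32\config\software"
    'OfflineNTUSER'   = "$SlavedDrive\Documents and Settings\$ProfileName\NTUSER.DAT"
}

# Run key path inside each hive: these are the two keys named in the comment above
# (HKLM\Software\...\Run lives in the SOFTWARE hive, HKCU\Software\...\Run in NTUSER.DAT)
$runKeys = @{
    'OfflineSOFTWARE' = 'Microsoft\Windows\CurrentVersion\Run'
    'OfflineNTUSER'   = 'Software\Microsoft\Windows\CurrentVersion\Run'
}

# Locations where a legitimate Run entry is unusual and worth a second look
$reviewPattern = 'Temp|Application Data|Local Settings|Documents and Settings'

foreach ($mount in $hives.Keys) {
    $file = $hives[$mount]
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Warning "Hive not found, skipping: $file"
        continue
    }

    # reg.exe load expects the mount point in HKLM\<name> form
    & reg.exe load "HKLM\$mount" $file | Out-Null
    try {
        $keyPath = "HKLM:\$mount\$($runKeys[$mount])"
        if (Test-Path -LiteralPath $keyPath) {
            $key = Get-Item -LiteralPath $keyPath
            foreach ($name in $key.GetValueNames()) {
                $command = $key.GetValue($name)
                [pscustomobject]@{
                    Hive    = $mount
                    Name    = $name
                    Command = $command
                    Review  = [bool]($command -match $reviewPattern)
                }
            }
            $key.Close()   # release the handle so the hive can be unloaded
        }
    }
    finally {
        [gc]::Collect()
        & reg.exe unload "HKLM\$mount" | Out-Null
    }
}
```

Entries marked Review=True are not automatically malicious; they are the ones to compare against the file paths and names you wrote down from msconfig before deleting anything from the slaved drive. If reg.exe reports that a hive is in use, a lingering handle is the usual cause; close any open registry editors and run the script again.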
 
LVL 93

Accepted Solution

by:
nobus earned 2000 total points
ID: 38726215
did you try running a scan from a bootable cd?
like http://www.avg.com/us-en/avg-rescue-cd
or windows defender cd    http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
0
 
LVL 1

Author Closing Comment

by:rhavey
ID: 38729500
Thank you, Nobus.

I had never had success with offline scanners, and I have tried several.  The Microsoft Defender CD did the trick.  I will also put the AVG rescue CD aside for future use.
0
 
LVL 93

Expert Comment

by:nobus
ID: 38730447
rhavey, i have had the same experience
but after running the cd, i still suggest a round of MBAM - to clean up possible remnants
0
 
LVL 1

Author Comment

by:rhavey
ID: 38731108
I ran MBAM, ESET's online scanner, and Superantispyware.  I like a belt to back up my suspenders.
0

Question has a verified solution.