Avatar of rhavey
rhavey
Flag for United States of America asked on

FBI Moneypak Virus

A customer's computer has a particularly nasty version of the FBI Moneypak virus.  I found a couple of recent questions relating to this virus, but they did not help.  The OS is XP Pro SP3.

The Bleeping Computer article could not be used because when I try to get into Safe Mode, the computer reboots.

The Temp and Startup folders for the current user, All Users, Default User, and Administrator were all empty.

I could access all folders in the other computer, but when I reinstalled the disk in its own computer and booted from an installation disk to get to the repair console, the response was Access Denied whe I tried to get into the Documents and Settings folder or the Program Files folder.

Running Malwarebytes (Full Scan and for that drive) with the drive in another machine turned up nothing.

Bootcfg /rebuild (from the recovery console) had no effect.

Putting Rogue Killer in the startup directory did not work.  I then tried The Killer in the same way.  I saw the All Done, but the computer was still blocked.

I tried Emsisoft's command line scanner with the disk installed in the other computer.  After 5 hours the report was that 537 items were found and removed.  The situation did not change.  The computer is still infected.

I do not see any unusual entries in Program files or My Documents.

Is there any hope for this installation?  Where do I go from here?
Anti-Virus AppsWindows XP

Avatar of undefined
Last Comment
rhavey

8/22/2022 - Mon
Scott Thompson

Try booting the computer WITHOUT internet.  Sometimes this will cause it not to load.  However, this is not always true.

I have dealt with this infection several times, and XP is a pain to fix.

Try AS FAST AS YOU CAN to bring up msconfig BEFORE the infection loads.  Go to startup and look at probably the last checkmarked item.  You will be able to see the two locations and names of the infections.

One is generally C:\Documents and Settings\All Users\Appdata\temp\lsass.exe (If I remember correctly)
The other one I don't remember the location.

Once you get these written down, slave the drive to another computer and remove these files.

EDIT:  I just remembered, you can also load the registry hive when you have it slaved and look up the following keys:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run

Here there should be the location of the infection! :)


Good luck!  Make sure to run TDSSKiller and Malwarebytes once you are back in.
ASKER CERTIFIED SOLUTION
nobus

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
rhavey

ASKER
Thank you, Nobus.

I had never had success with offline scanners, and I have tried several.  The Microsoft Defender CD did the trick.  I will also put the AVG rescue CD aside for futire use.
nobus

rhavey, i have had the same experience
but after running  the cd, i still suggest a round of MBAM - to clean up possible  remnants
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
rhavey

ASKER
I ran MBAM, ESET's online scanner, and Superantispyware.  I like a belt to back up my suspenders.