Solved

FBI Moneypak Virus

Posted on 2012-12-27
5
739 Views
Last Modified: 2013-11-22
A customer's computer has a particularly nasty version of the FBI Moneypak virus.  I found a couple of recent questions relating to this virus, but they did not help.  The OS is XP Pro SP3.

The Bleeping Computer article could not be used because when I try to get into Safe Mode, the computer reboots.

The Temp and Startup folders for the current user, All Users, Default User, and Administrator were all empty.

I could access all folders in the other computer, but when I reinstalled the disk in its own computer and booted from an installation disk to get to the repair console, the response was Access Denied whe I tried to get into the Documents and Settings folder or the Program Files folder.

Running Malwarebytes (Full Scan and for that drive) with the drive in another machine turned up nothing.

Bootcfg /rebuild (from the recovery console) had no effect.

Putting Rogue Killer in the startup directory did not work.  I then tried The Killer in the same way.  I saw the All Done, but the computer was still blocked.

I tried Emsisoft's command line scanner with the disk installed in the other computer.  After 5 hours the report was that 537 items were found and removed.  The situation did not change.  The computer is still infected.

I do not see any unusual entries in Program files or My Documents.

Is there any hope for this installation?  Where do I go from here?
0
Comment
Question by:rhavey
  • 2
  • 2
5 Comments
 
LVL 8

Expert Comment

by:Scott Thompson
ID: 38725747
Try booting the computer WITHOUT internet.  Sometimes this will cause it not to load.  However, this is not always true.

I have dealt with this infection several times, and XP is a pain to fix.

Try AS FAST AS YOU CAN to bring up msconfig BEFORE the infection loads.  Go to startup and look at probably the last checkmarked item.  You will be able to see the two locations and names of the infections.

One is generally C:\Documents and Settings\All Users\Appdata\temp\lsass.exe (If I remember correctly)
The other one I don't remember the location.

Once you get these written down, slave the drive to another computer and remove these files.

EDIT:  I just remembered, you can also load the registry hive when you have it slaved and look up the following keys:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run

Here there should be the location of the infection! :)


Good luck!  Make sure to run TDSSKiller and Malwarebytes once you are back in.
0
 
LVL 92

Accepted Solution

by:
nobus earned 500 total points
ID: 38726215
did you try running a scan  from a bootable cd?
like http://www.avg.com/us-en/avg-rescue-cd
or windows defender cd    http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
0
 
LVL 1

Author Closing Comment

by:rhavey
ID: 38729500
Thank you, Nobus.

I had never had success with offline scanners, and I have tried several.  The Microsoft Defender CD did the trick.  I will also put the AVG rescue CD aside for futire use.
0
 
LVL 92

Expert Comment

by:nobus
ID: 38730447
rhavey, i have had the same experience
but after running  the cd, i still suggest a round of MBAM - to clean up possible  remnants
0
 
LVL 1

Author Comment

by:rhavey
ID: 38731108
I ran MBAM, ESET's online scanner, and Superantispyware.  I like a belt to back up my suspenders.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Norton antivirus 11 82
Windows 7 Share with XP 22 181
Spam mails from a compromised internal computer 5 92
Is there a removal tool and a decryption tool for Osiris ransomware 6 96
For those of you actively in the Malware fightling business, we now have available an amazing new tool in the malware wars (first recommended to me by rpggamergirl (http://www.experts-exchange.com/M_3598771.html), the Zone Advisor for the Virus and …
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup" or a blinking cursor with black screen. A loop for Auto repair will start but fix nothing.  You will be panic as there are no back…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question