
FBI Moneypak Virus (Can't get into safe mode)


19 replies to this topic

#1 Mick4321


Posted 18 December 2012 - 01:37 PM

Using Windows XP Pro
Version 2002
Service Pack 3
32 bit

Computer is a Thinkpad Z61

So here is the deal:

A couple mornings ago I turned on my computer to find the FBI Virus after using my computer all day the day before, with no signs of anything.
Tried to boot into safe mode with networking - failed at Mup.sys.

Went out and bought new cheap-o computer. (Of course this happens on my finals weekend... I don't want to blow my finals by messing with this stupid virus all weekend instead of doing schoolwork.)

(10 minutes after I set up my new computer, I'm downloading Kaspersky rescue cd anyway). Ran Windows Unlocker and virus scan from boot cd. Rebooted Windows normally and everything worked fine. Ran complete scan with Avast, just to be extra sure. Avast found nothing. Used my computer for the whole day. Turned computer off. Next morning at reboot, the virus is back.

Tried Kaspersky Rescue CD again, ran windows unlocker, then virus scan, then rebooted normally. This time the CD/Windows Unlocker won't get me into Windows.

Tried Kaspersky one more time, thinking I must have done something wrong. Same results. Can't get into Windows.

Created Avira Antivirus Boot Cd. Updated the virus scanner and ran virus scan from boot cd. Finds 4 detections (same as Kaspersky) but says that it ignored all 4 (Odd?). Either way, I restarted computer normally and everything is fine. Then I immediately downloaded Malwarebytes, updated it and ran a complete scan with it. At the end, it says that I have to reboot the computer to complete. So I did, fearing the worst, but everything was fine again after reboot. Looks like I'm clear. Still ran Avast again on top of it, in order to be triple sure. No threats found. Used the computer for the rest of the day and then turned it off.

Next morning, turned on the computer and the virus is back!

Gave up. Finished my finals with the new computer. Now I'm back and want to kill this thing for good. I'm thinking I need help though.

Where should I start? Did I leave any details out that you might need?

Thank you for your help in advance.


#2 bish0p34


Posted 18 December 2012 - 01:49 PM

I've removed this from plenty of PCs with Malware Bytes. You can install it and run it in safe mode. Also, you can boot into safe mode with a command prompt and enter rstrui.exe and run one of your previous restore points from before the infection.

#3 Mick4321

  • Topic Starter

Posted 18 December 2012 - 02:27 PM

Thanks for the response.

Every time I try to get into safe mode, either through "safe mode with command prompt", "safe mode with networking", or "safe mode", the system hangs at Mup.sys and then flips to a blue screen that says:

A problem has been detected and Windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure that it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

*** STOP: 0x0000007B (0xF789EA98, 0xC0000034, 0x00000000, 0x00000000)

#4 bish0p34


Posted 18 December 2012 - 02:42 PM

If you turn off the router, or pull the cable out of your PC, does the Moneypak still appear? I've seen variants that need an internet connection to activate themselves. If you can get into the pc with no internet connection you can still run the restore point from the run line on the start menu. You can also try looking for an ERD disk online and using that to boot to a command prompt, navigate to c:\windows\system32 and try running the rstrui.exe command as well.

#5 Mick4321

  • Topic Starter

Posted 18 December 2012 - 03:05 PM

Interesting. I think you are correct about the virus needing a network connection to work. After turning off my wireless card and unplugging the computer from the router, I was able to load Windows normally, and the virus has not popped up yet. However, when I type rstrui.exe into the run box, it says "Windows cannot find 'rstrui.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search." I tried getting to system restore from the "system restore" option in the start menu and it doesn't load anything.

Anything else I should try while I'm in windows? Run mbam again maybe?

If not, I can try to find an ERD disk to boot from.

#6 bish0p34


Posted 18 December 2012 - 03:16 PM

I'd try mbam again. It usually works fine for me. The rstrui only works if you had previously set up the automatic restore points.

#7 Mick4321

  • Topic Starter

Posted 19 December 2012 - 08:49 PM

I have run mbam twice now. Virus just comes back once I turn my wireless card on or plug the computer into a router. I suspect that I need to run mbam from safe mode, but since I can't get into safe mode, I'm kind of stuck. I have tried to find an ERD disk online, but since I don't know anything about these disks (this is the first I have heard of them) I'm not really sure what I need to be looking for. I found something called Bart's PE, but it needs the original Windows install CD to make files from. Is the Kaspersky recovery cd that I mentioned earlier considered an ERD disk? It does seem to let me access the files on the C drive, but I do not know if it is ok for me to run them from the Kaspersky CD, or if it would damage the computer. Please let me know if I should go ahead with this. Thank you.

Additionally, since my system hangs on the Mup.sys driver, does that mean that I have a problem with my registry that I need to address, or is this possibly just related to the virus?

Thanks again.

#8 bish0p34


Posted 20 December 2012 - 09:44 AM

Do you have a dropbox account?

#9 Mick4321

  • Topic Starter

Posted 22 December 2012 - 11:50 AM

Yes I do

#10 bish0p34


Posted 22 December 2012 - 02:05 PM

What's your email addy?

#11 Mick4321

  • Topic Starter

Posted 23 December 2012 - 11:21 AM

[email protected]

#12 Humbleguy


Posted 23 December 2012 - 11:47 AM

It would be great if one of you posts whether this was resolved and how you did it, since quite a few of us have this same issue. I cannot get into safe mode at all. The virus is on my Windows 7 OS and I am now using XP. Same computer, different OS and different drive. I dual boot with Windows 7 and Windows XP. I have tried pretty much everything the OP has, including Kaspersky etc. The only thing I have not tried is turning off my internet connection and seeing what happens. Can you tell us how you got this resolved, if you did?

#13 Mick4321

  • Topic Starter

Posted 23 December 2012 - 12:53 PM

I definitely will. Once this is fixed, assuming it gets fixed, I will post a complete list of everything. Hopefully it helps someone, as this has been a pretty frustrating virus.

#14 knappy26


Posted 24 December 2012 - 01:21 PM

Same here with me. I've tried safe mode, networking and command prompt and can't access any of it. I've tried rebooting and unhooking the internet wire from the modem and still nothing works. That f'n screen just keeps coming up. I'm borrowing a friend's laptop for now but she'll need it back soon and I do my bills on my PC. So if somebody out there knows how to fix this it would be greatly appreciated!

#15 Humbleguy


Posted 25 December 2012 - 12:22 PM

So I was able to completely get rid of the virus. I dual boot Windows 7 and Windows XP and the virus was on my Windows 7 partition. Both OS are on separate drives. I used Emsisoft, Malware bytes and Avira. Avira did most of the work. I selected the drive that my Windows 7 is installed on, the one that has the virus, and I scanned that drive (deep scan). I also browsed several folders on that drive and found "nzqwwnh.exe" in temp, appdata and windows root folders. Avira also kept prompting to remove NZQWWNH.EXE and every single time I hit remove.

Then for the first time since I got this virus, I rebooted and was able to get into my PC in normal mode. Keep in mind, when I had the virus, I was not able to get into either safe mode, safe mode with networking or safe mode with command prompt. I am actually writing this post from my Windows 7 drive while doing several other scans. I have also deleted from the registry, I believe it was HKLM > Software > Microsoft > Windows NT > Current Version > Winlogon, and then next to the Shell key you will see explorer.exe along with some added data. The default value should only be explorer.exe. So right click and hit modify and delete the extra piece of data.

Additionally, the virus seems to be lodged mostly in the temp and appdata folders. I think since this virus has been around, there have been some changes, because the majority of the information online that gives information on blocking it only talks about safe mode. I think the latest version of this virus prevents you from accessing safe mode and nothing online talks about the NZQWWNH.EXE file. So hopefully that will help a few people on here. I got this on Dec 22 at 5AM and was determined to get rid of it without reinstalling windows. Hope it will help someone.
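The Winlogon Shell check that the post above describes by hand can be scripted so that it reports exactly what was appended and, optionally, restores the default. The PowerShell below is an added example and is not code from the thread or from any of the tools mentioned in it. It reads the Shell value either from the running Windows install or, as in the dual-boot setup in the post, from the SOFTWARE hive of the infected partition mounted with `reg.exe load`; the hive path, the `OfflineSoftware` mount name and the `-Fix` switch are assumptions for illustration, and the script must be run from an elevated prompt.

```powershell
<#
  Added example (not from the thread): audit the Winlogon "Shell" value.
  The default is exactly "explorer.exe"; lock-screen malware of the kind
  discussed in this thread appends its own executable after a comma so that
  it starts with every logon. Run as Administrator.
#>
param(
    # SOFTWARE hive of the infected OS when booted into another install,
    # e.g. "D:\Windows\System32\config\SOFTWARE" (assumed path). Leave empty
    # to inspect the Windows that is currently running.
    [string]$OfflineSoftwareHive = "",
    # Reset Shell to "explorer.exe" when extra entries are found.
    [switch]$Fix
)

$mountName = "OfflineSoftware"   # assumed mount point under HKLM for the offline hive

if ($OfflineSoftwareHive) {
    # Attach the offline hive under HKLM so it can be read without booting the infected OS.
    & reg.exe load "HKLM\$mountName" $OfflineSoftwareHive | Out-Null
    $winlogon = "HKLM:\$mountName\Microsoft\Windows NT\CurrentVersion\Winlogon"
} else {
    $winlogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
}

try {
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction Stop).Shell

    # Shell is a comma-separated list; PowerShell's -ne is case-insensitive,
    # so "Explorer.exe" (the XP spelling) is still accepted as the default.
    $entries = $shell -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $extra   = $entries | Where-Object { $_ -ne 'explorer.exe' }

    if ($extra) {
        Write-Warning "Winlogon Shell is '$shell'"
        foreach ($item in $extra) {
            # Report the stray entry and whether the file it points at still exists,
            # so the same path can be handed to the scanner or removed by hand.
            $exists = if (Test-Path -LiteralPath $item) { "present on disk" } else { "not found on disk" }
            Write-Warning "  unexpected Shell entry: $item ($exists)"
        }
        if ($Fix) {
            Set-ItemProperty -Path $winlogon -Name Shell -Value 'explorer.exe'
            Write-Output "Shell reset to explorer.exe (previous value: '$shell')"
        }
    } else {
        Write-Output "Winlogon Shell is at its default: '$shell'"
    }
} finally {
    if ($OfflineSoftwareHive) {
        # Drop any lingering handles before detaching the hive, or unload fails.
        [GC]::Collect()
        & reg.exe unload "HKLM\$mountName" | Out-Null
    }
}
```

Run it without arguments to audit the live system, or with `-OfflineSoftwareHive` pointing at the infected partition's hive when booted into the other OS; add `-Fix` only after the extra file has been scanned or removed, since resetting the value alone leaves the binary in place.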



