FBI Moneypak Virus (Can't get into safe mode)
Posted 18 December 2012 - 01:37 PM
Service Pack 3
Computer is a Thinkpad Z61
So here is the deal:
A couple mornings ago I turned on my computer to find the FBI Virus after using my computer all day the day before, with no signs of anything.
Tried to boot into safe mode with networking - failed at Mup.sys.
Went out and bought new cheap-o computer. (Of course this happens on my finals weekend... I don't want to blow my finals by messing with this stupid virus all weekend instead of doing schoolwork.)
(10 minutes after I set up my new computer, I'm downloading Kaspersky rescue CD anyway). Ran Windows Unlocker and virus scan from boot CD. Rebooted Windows normally and everything worked fine. Ran complete scan with Avast, just to be extra sure. Avast found nothing. Used my computer for the whole day. Turned computer off. Next morning at reboot, the virus is back.
Tried Kaspersky Rescue CD again, ran Windows Unlocker, then virus scan, then rebooted normally. This time the CD/Windows Unlocker won't get me into Windows.
Tried Kaspersky one more time, thinking I must have done something wrong. Same results. Can't get into Windows.
Created Avira Antivirus Boot CD. Updated the virus scanner and ran virus scan from boot CD. Finds 4 detections (same as Kaspersky) but says that it ignored all 4 (Odd?). Either way, I restarted computer normally and everything is fine. Then I immediately downloaded Malwarebytes, updated it and ran a complete scan with it. At the end, it says that I have to reboot the computer to complete. So I did, fearing the worst, but everything was fine again after reboot. Looks like I'm clear. Still ran Avast again on top of it, in order to be triple sure. No threats found. Used the computer for the rest of the day and then turned it off.
Next morning, turned on the computer and the virus is back!
Gave up. Finished my finals with the new computer. Now I'm back and want to kill this thing for good. I'm thinking I need help though.
Where should I start? Did I leave any details out that you might need?
Thank you for your help in advance.
Posted 18 December 2012 - 02:27 PM
Every time I try to get into safe mode, either through "safe mode with command prompt", "safe mode with networking", or "safe mode", the system hangs at Mup.sys and then flips to a blue screen that says:
A problem has been detected and Windows has been shut down to prevent damage to your computer.
If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:
Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure that it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.
*** STOP: 0x0000007B (0xF789EA98, 0xC0000034, 0x00000000, 0x00000000)
Posted 18 December 2012 - 03:05 PM
Anything else I should try while I'm in windows? Run mbam again maybe?
If not, I can try to find an ERD disk to boot from.
Posted 19 December 2012 - 08:49 PM
Additionally, since my system hangs on the Mup.sys driver, does that mean that I have a problem with my registry that I need to address, or is this possibly just related to the virus?
Posted 25 December 2012 - 12:22 PM
Then for the first time since I got this virus, I rebooted and was able to get into my PC in normal mode. Keep in mind, when I had the virus, I was not able to get into safe mode, safe mode with networking, or safe mode with command prompt. I am actually writing this post from my Windows 7 drive while doing several other scans. I have also deleted from the registry, I believe it was HKLM > Software > Microsoft > Windows NT > CurrentVersion > Winlogon, and then next to the Shell key you will see explorer.exe along with some added data. The default value should only be explorer.exe. So right-click and hit Modify and delete the extra piece of data.
Additionally, the virus seems to be lodged mostly in the Temp and AppData folders. I think since this virus has been around, there have been some changes, because the majority of the information online that gives information on blocking it only talks about safe mode. I think the latest version of this virus prevents you from accessing safe mode, and nothing online talks about the NZQWWNH.EXE file. So hopefully that will help a few people on here. I got this on Dec 22 at 5 AM and was determined to get rid of it without reinstalling Windows. Hope it will help someone.
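The Winlogon Shell hijack described in the post above, as an added example that is not from the thread or from any of the posters: a PowerShell script (assumed to be run from an elevated prompt on the cleaned system, or against a SOFTWARE hive you have loaded with `reg load`; the `-HiveRoot` and `-Repair` parameters and the `Test-WinlogonValue` helper are my own names) that lists the Winlogon `Shell` and `Userinit` values, flags anything beyond the stock defaults, shows the appended file if it still exists on disk, and optionally restores the defaults. It goes one step beyond the post by also scanning the Run/RunOnce keys for autostart entries that point into Temp or AppData, since that is where the poster found the files.

```powershell
# Added example, not from the thread. Audit the Winlogon values that screen-locker
# malware of this kind appends itself to, and optionally put the defaults back.
# Usage (elevated):  .\Check-Winlogon.ps1            # report only
#                    .\Check-Winlogon.ps1 -Repair    # report and restore defaults
#                    .\Check-Winlogon.ps1 -HiveRoot 'HKLM:\Offline\'   # after reg load
param(
    [string]$HiveRoot = 'HKLM:\',   # root of the hive to inspect (assumption: live system)
    [switch]$Repair
)

$winlogon = Join-Path $HiveRoot 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Stock defaults on XP and Windows 7. Userinit legitimately ends with a comma;
# a lock screen typically appends ",<path to its exe>" to one of these values.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

function Test-WinlogonValue {
    # Returns $true when the value is the stock default, $false when something was appended.
    param([string]$Name, [string]$Value)
    switch ($Name) {
        'Shell'    { return ($Value -ieq 'explorer.exe') }
        'Userinit' { return ($Value -imatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$') }
    }
    return $true
}

if (-not (Test-Path -Path $winlogon)) {
    throw "Winlogon key not found under $HiveRoot (is the hive loaded?)"
}
$key = Get-ItemProperty -Path $winlogon

foreach ($name in 'Shell', 'Userinit') {
    $value = [string]$key.$name
    if (Test-WinlogonValue -Name $name -Value $value) {
        Write-Output "[ok]   $name = $value"
        continue
    }
    Write-Output "[WARN] $name = $value"

    # Everything after the legitimate program is what the malware added; show it,
    # and if the file still exists, print enough to recognise it later.
    $extra = ($value -split ',') |
        Where-Object { $_.Trim() -and ($_ -inotmatch '(explorer|userinit)\.exe$') }
    foreach ($entry in $extra) {
        $path = $entry.Trim().Trim('"')
        Write-Output "       extra entry: $path"
        if (Test-Path -LiteralPath $path) {
            Get-Item -LiteralPath $path |
                Select-Object FullName, Length, LastWriteTime |
                Format-List | Out-String | Write-Output
        }
    }

    if ($Repair) {
        Set-ItemProperty -Path $winlogon -Name $name -Value $expected[$name]
        Write-Output "       restored default: $($expected[$name])"
    }
}

# Autostart entries living in Temp or AppData deserve a look too. These keys are only
# meaningful on the live system, so skip them when inspecting an offline hive.
if ($HiveRoot -eq 'HKLM:\') {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($rk in $runKeys) {
        if (-not (Test-Path -Path $rk)) { continue }
        $props = Get-ItemProperty -Path $rk
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/etc.
            if ([string]$p.Value -imatch '\\(Temp|AppData|Local Settings)\\') {
                Write-Output "[WARN] $rk\$($p.Name) -> $($p.Value)"
            }
        }
    }
}
```

Run it read-only first and note the file it reports; only then delete that file and rerun with `-Repair`. If the Shell value is already clean but the lock screen still returns after a reboot, the persistence is somewhere this script does not look (a service, a scheduled task, or a per-user Shell value under HKCU), so extend the key list rather than assume the machine is clean.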