How do I remove FBI Money Pak Virus?

9 replies to this topic

#1 keny1

keny1

  • Members
  • 21 posts

Posted 13 May 2013 - 09:01 AM

Hi All, I also now have this virus. Unable to get into any of the safe modes. Vista of unknown version, sorry. I am on a second computer. I tried the web link below to make a bootable USB card, but I was unable to access the infected computer. I do not know if the USB is made correctly. The instructions are hard to follow.

I tried Option 2.

http://forums.anvisoft.com/viewtopic-54-4227-0.html
Please any help would be great! 

Kenny Lyon
EDIT

Email addy removed


Edited by boopme, 13 May 2013 - 08:54 PM.


#2 Francis Houle

Francis Houle

  • Members
  • 436 posts
  • Gender:Male
  • Location:St-Basile-le-Grand, QC, Canada

Posted 13 May 2013 - 09:20 AM

http://www.surfright.nl/en/kickstart



#3 keny1

keny1
  • Topic Starter

  • Members
  • 21 posts

Posted 13 May 2013 - 09:52 AM

Thanks Francis, I will look at that site now! Thanks very much! Kenny



#4 keny1

keny1
  • Topic Starter

  • Members
  • 21 posts

Posted 13 May 2013 - 11:16 AM

Hi Francis

When connected to the DSL modem, Hitman did not work for me. I disconnected the modem cable, and Hitman worked after a period of time. Hitman detected 113 objects, but no FBI malware. On reboot the FBI virus returned.

I followed the instructions, made the bootable USB and plugged it into the infected desktop. I used the F12 key to pick boot from the USB, then picked 1 to bypass the master boot (you must make the pick very quickly, or the system stops; I powered down and started again). Hitman ran, found the 113 objects and deleted them. On reboot I still had the FBI virus.

I tried again: powered down and tried again with the modem connected. Hitman did not work for me again. I tried powering down and disconnecting the modem; Hitman started, but timed out stating no network connection and did not perform a scan this time.

Any suggestion would be welcome. Thanks very much, Kenny Lyon


Edited by boopme, 13 May 2013 - 08:52 PM.


#5 keny1

keny1
  • Topic Starter

  • Members
  • 21 posts

Posted 13 May 2013 - 11:54 AM

Hi Francis, everything failed. I do not know what went wrong. After trying for a sixth time to use the Hitman USB, this time connected to the internet, Hitman ran, but I had to go into License and activate for 30 days manually. Then Hitman ran a scan and found three malware objects, 665e35f6.dll, 665e35f6.exe and browser.exe, and deleted them. On exit and auto reboot the cmd.exe command window appears and states: 665e35f6.exe is not recognized as an internal or external command.

Any suggestions would be welcome. Thanks, Kenny Lyon


Edited by boopme, 13 May 2013 - 08:52 PM.


#6 67Nero

67Nero

  • Members
  • 39 posts
  • Gender:Male
  • Location:Finland

Posted 13 May 2013 - 02:00 PM

Try running this tool and say if it fixes that

www.bleepingcomputer.com/download/junkware-removal-tool/

#7 keny1

keny1
  • Topic Starter

  • Members
  • 21 posts

Posted 13 May 2013 - 02:40 PM

Hi 67Nero

I did not get it to work. I downloaded jrt.exe to the USB that has Hitman on it. Tried loading it on the infected computer. A CMD window opens, but when I try to run jtr.exe it states not found. I tried to cd.. to e:; e: shows, but then it changes back to the directory I was in.

Can you give me instructions on how to download and use jtr.exe? Thank you very much, Kenny Lyon


Edited by boopme, 13 May 2013 - 08:52 PM.


#8 keny1

keny1
  • Topic Starter

  • Members
  • 21 posts

Posted 13 May 2013 - 03:08 PM

Hi 67Nero

I downloaded jrt.exe to my computer and it opened and ran fine, found some problems and deleted them. Jrt.exe runs fine; I just do not know how to download jrt.exe to the infected computer. Thanks, Kenny Lyon


Edited by boopme, 13 May 2013 - 08:52 PM.


#9 keny1

keny1
  • Topic Starter

  • Members
  • 21 posts

Posted 13 May 2013 - 04:41 PM

Hi All

Some success! Somewhere two of my posts got lost; rewriting them now. Only partly fixed. The infected computer now boots to the cmd command window. I run the command explorer and the computer loads the home page with the cmd window still showing. I exit the CMD window and can use the computer normally. The FBI virus seems to be gone. From here I could download the JRT.exe tool from:

bleepingcomputer.com/download/junkware-removal-tool/

JRT.exe ran fine, found some additional problems and removed them. It still boots to the CMD window. I could use help to correct this.

I will now run rkill and malwarebytes to see what else is present.

JRT log below:

THANKS, Kenny Lyon

Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows Vista ™ Home Premium x86
Ran by Dick on Mon 05/13/2013 at 13:55:21.37
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

   Val Name      Type   Value Data
   ========      ====   ==========
    wshgf    REG_SZ    "C:\Windows\System32\rundll32.exe" "C:\Users\Dick\AppData\Roaming\wshgf.dll",GetMagicNumber

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin.1
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\1clickdownload
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\performersoft llc
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\bbylntlbr.bbylntlbrhlpr
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\bbylntlbr.bbylntlbrhlpr.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

 

~~~ Files

Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npcouponprinter.dll"
Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npmozcouponprinter.dll"
Successfully deleted: [File] "C:\Windows\couponprinter.ocx"

 

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\drivercure"
Successfully deleted: [Folder] "C:\Users\Dick\AppData\Roaming\drivercure"
Successfully deleted: [Folder] "C:\Users\Dick\appdata\locallow\boost_interprocess"
Successfully deleted: [Folder] "C:\Users\Dick\appdata\locallow\datamngr"
Successfully deleted: [Folder] "C:\Program Files\coupons"
Successfully deleted: [Folder] "C:\Users\Dick\Local Settings\Application Data\google\chrome\user data\default\extensions\cdjbnddbclciabnckgeahmneohjlahdm"

 

~~~ FireFox

Successfully deleted: [File] C:\Users\Dick\AppData\Roaming\mozilla\firefox\profiles\82w9mbch.default\user.js
Emptied folder: C:\Users\Dick\AppData\Roaming\mozilla\firefox\profiles\82w9mbch.default\minidumps [2 files]

 

~~~ Chrome

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\cdjbnddbclciabnckgeahmneohjlahdm

 

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 05/13/2013 at 13:58:01.73
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Edited by boopme, 13 May 2013 - 08:53 PM.
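The JRT log above flags a HKCU Run value in which rundll32.exe loads a DLL out of the user's AppData\Roaming folder and calls a named export. As an added example (not from the thread and not JRT's own code), here is a small Python triage routine for that Registry Values table format: it parses the rows and flags any Run entry where rundll32 loads a DLL from a user-writable profile path. The sample table is constructed from the posted log, with one benign row added for contrast.

```python
"""Triage Run-key rows from a JRT-style 'Registry Values' table.

Added example, not part of the forum thread or of JRT. The sample text
below is constructed from the posted log plus one benign row.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample in the layout JRT prints: name, type, value data.
SAMPLE_LOG = r"""
Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

   Val Name      Type   Value Data
   ========      ====   ==========
    wshgf    REG_SZ    "C:\Windows\System32\rundll32.exe" "C:\Users\Dick\AppData\Roaming\wshgf.dll",GetMagicNumber
    Sidebar  REG_EXPAND_SZ    %ProgramFiles%\Windows Sidebar\sidebar.exe /autoRun
"""


class RunEntry(NamedTuple):
    name: str
    reg_type: str
    data: str


# A table row is: <name> <REG_*type> <value data>. Header and ==== lines
# have no REG_ token and therefore never match.
ROW_RE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*\S)\s*$")
# rundll32 [<path>.dll],<export>  (quotes around the path are optional)
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
# Profile locations any user account can write to; autorun DLLs rarely belong there.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Local Settings)\\", re.IGNORECASE)


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Extract the Run-value rows from the Registry Values table."""
    return [RunEntry(*m.groups()) for line in log_text.splitlines()
            if (m := ROW_RE.match(line))]


def triage(entry: RunEntry) -> Optional[str]:
    """Return a finding string, or None when the entry does not match the pattern."""
    m = RUNDLL32_RE.search(entry.data)
    if m and USER_WRITABLE.search(m.group(1)):
        return (f"{entry.name}: rundll32 loads {m.group(1)} (export {m.group(2)}) "
                "from a user-writable profile path")
    return None


def suspicious_entries(log_text: str) -> List[str]:
    """All findings for a log, in table order."""
    return [f for e in parse_run_entries(log_text) if (f := triage(e))]
```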


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 60,071 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 May 2013 - 08:56 PM

Please start a new topic to properly remove this by doing steps 6, 7 and 8 here:

Preparation Guide
