FBI MoneyPak, but can't start in safe mode


  • This topic is locked
6 replies to this topic

#1 LMoseley

LMoseley

  • Members
  • 86 posts

Posted 31 October 2012 - 11:12 AM

The computer: Dell Vostro 1310 laptop, running XP Professional with all updates and MSE AV.

Symptoms: Infected with "FBI MoneyPak" as described in:
http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware

What I have tried:
1. Booting normally gives the "FBI MoneyPak" screen as described above.
2. Booting to SAFE MODE (with or without networking) gives BSOD with Stop 0x0000007B
3. Manual removal guide (linked above) suggests that the EXE for the malware is in the %temp% directory. I booted to a WinPE CDROM and deleted the contents of "C:\DOCUMENTS AND SETTINGS\<Current User>\LOCAL SETTINGS\Temp" directory. On normal reboot, "FBI MoneyPak" reappears.

Any help appreciated...



#2 CK Bleeps

CK Bleeps

  • Members
  • 11 posts

Posted 02 November 2012 - 07:45 PM

Download a linux live cd/usb boot.
Then you can edit the files manually as you described.
Google it.

#3 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 02 November 2012 - 08:47 PM

Let me ask a malware response team member to help you.

good luck

#4 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 04 November 2012 - 07:03 PM

Hello LMoseley :)

  • I will be helping with your computer problems.
  • From this point on, it is very important that you refrain from doing anything else to your computer other than what I have requested of you.
  • I do not mind if you browse the web, do basic tasks, or even test to see if the problem(s) you are experiencing are still occurring with the computer while we are working together, but do not run any tools/fixes unless I or another helper from this thread has asked you to do so.
  • Remember that you came here for help, so allow us to help you :)
  • If something does not run, make a detailed note of what problems you encountered along the way (exact error messages are preferred), but continue onto the next steps until you reach the end of my post.
  • Always do the steps in the order they are listed (left to right, top to bottom).
  • I prefer that you complete all the steps while you are in Normal Mode. However, I understand that sometimes this is not possible. If you are unsuccessful in getting a tool/fix to run from Normal Mode, but Safe Mode works, then use Safe Mode.
  • If you have a question about something, do not hesitate to ask.

Let's begin:

Please download Farbar Recovery Scan Tool and save it to a flash drive.

  • You only need FRST.exe as you are on Windows XP. Don't bother downloading FRST64.exe.
  • Plug the flash drive into the infected PC.
  • Boot your computer using the WINPE CD ROM.
  • Now open FRST.exe and perform a Scan.
  • The scan will create a log on the flash drive: FRST.txt
  • Post the contents of FRST.txt into your next reply.


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,035 posts
  • Gender:Male
  • Location:NJ USA

Posted 04 November 2012 - 08:55 PM

Hello, just letting you know I moved this to the Virus, Trojan, Spyware, and Malware Removal Logs forum, where it will stay.

#6 LMoseley

LMoseley
  • Topic Starter

  • Members
  • 86 posts

Posted 05 November 2012 - 02:11 PM

Thank you for your reply, thisisu, and for the knowledge that the FRST can be run from a WinPE disk.

However, you may mark this case closed. I was able to resolve the problem partially by pulling the HD from the laptop and scanning it on my desktop using an exterior dock. Then, using the EMSISoft tool to finish the job.

The FBI MoneyPak thing seems to have evolved since the removal guide was created. The files were in a different place, and there seems to now be a "regrow" component.

Anyway, thanks again.

#7 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 05 November 2012 - 06:32 PM

Ok. Glad to hear you got it sorted out. :thumbsup:
Be safe.
__

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.



