
FBI moneypak runs in safe mode. Task mgr and regedit are locked too,


15 replies to this topic

#1 PittsburghPete


Posted 12 November 2012 - 02:51 AM

My computer has been attacked by FBI MoneyPak. As soon as I saw the notification, I unplugged the network cable and shut off the computer. It showed up on my wife's user name. I tried to boot into safe mode with another account and was able to run Malwarebytes. It found a lot of viruses and needed to restart. When I restarted, the computer ran much faster and I figured it was safe. However, when my wife logged into her account, it came back. Now the only safe mode that I can access is Safe Mode with Command Prompt. I tried to use the Task Manager while in Safe Mode with Command Prompt, but now it says that it has been disabled. I checked the gpedit settings, but they were not restricted. Also, the Registry Editor is locked too, but that was also fine in gpedit. So after looking through the forums I found ways to make sure it will be properly deleted from my computer. However, if I cannot access Windows, the Task Manager, the Registry Editor, or the Internet, then none of the forum suggestions (i.e. go to this website and download tools, etc.) can be tried.

The computer is very old.

Running Windows XP Professional


#2 Larusso

  • Malware Response Team

Posted 12 November 2012 - 12:58 PM

Hi,
my name is Daniel and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.
  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.



Let's try a different way here.


Please download tb.exe to a flash drive.

Plug the flash drive into the infected one.
Reboot in Safe Mode with Command Prompt.

Next you have to find the correct drive letter of your flash drive (typically F: or E:).
For this,
in the black window type in Notepad and hit Enter. Go to File --> Save File --> open Computer and look for the correct letter.
Close Notepad.

Now type in start X:\tb.exe.

X needs to be replaced with the drive letter of your flash drive.


The tool will automatically restart your system when done. Please check whether you are now able to boot in Normal Mode and post the Log.txt which has been created on your flash drive.

Edited by Larusso, 12 November 2012 - 12:59 PM.

regards,
Daniel

Bread for the world instead Bombs and Bangers


I'll always help for free but if you want to support me in my fight against malware, please btn_donate_SM.gif

#3 Larusso

Larusso

    Raggamuffin


  • Malware Response Team
  • 305 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Austria
  • Local time:04:09 AM

Posted 15 November 2012 - 10:15 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
regards,
Daniel


#4 Larusso


Posted 17 November 2012 - 10:09 AM

Topic reopened.

Thanks for letting me know. I wrote this file a few days ago and it is still in "Beta". I will find a fix for it soon.



Please download this file to your flash drive: srep.exe

Reboot your OS in Safe Mode with Command Prompt and type in start X:\srep.exe
Note that X needs to be replaced again.

A shell.txt will be created on your flash drive. Please post it here :)
regards,
Daniel


#5 PittsburghPete

  • Topic Starter

Posted 17 November 2012 - 05:36 PM

WIN_XP X86 Service Pack 3
Running from G:\

HKLM\..\Winlogon; Shell = Explorer.exe [ Microsoft Corporation ]
.
.
.
Modified HKCU shell extension. Current Shell File = C:\Documents and Settings\Lisa\Application Data\5w4yher54uyhw4.exe
File C:\Documents and Settings\Lisa\Application Data\5w4yher54uyhw4.exe moved to G:\\infected or not found


[System Process]
System
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
svchost.exe
SASCore.exe
svchost.exe
helpsvc.exe
cmd.exe
wmiprvse.exe
srep.exe


HKLM\..\Run [QuickTime Task] = "C:\Program Files\QuickTime\qttask.exe" -atboottime
HKLM\..\Run [NvCplDaemon] = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\..\Run [nwiz] = nwiz.exe /install
HKLM\..\Run [TkBellExe] = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
HKLM\..\Run [DivXUpdate] = "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
HKLM\..\Run [DellTouch] = C:\WINDOWS\DELLMMKB.EXE
HKLM\..\Run [st5rhuy54u45hy] = C:\Documents and Settings\Adam\Application Data\5w4yher54uyhw4.exe

HKCU\..\Run [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] = "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
HKCU\..\Run [hnNPUrMR21XBMJ2] = C:\Documents and Settings\Lisa\Application Data\Ii0Nm8sy.exe
HKCU\..\Run [4e5ayhare4yh] = c:\windows\e54yher4h6j.exe
HKCU\..\Run [st5rhuy54u45hy] = C:\Documents and Settings\Lisa\Application Data\5w4yher54uyhw4.exe

HKU\.DEFAULT\..\Winlogon; Shell =
HKU\S-1-5-20\..\Winlogon; Shell =
HKU\S-1-5-20_Classes\..\Winlogon; Shell =
HKU\S-1-5-21-1844237615-842925246-1060284298-1004\..\Winlogon; Shell = explorer.exe
HKU\S-1-5-21-1844237615-842925246-1060284298-1004_Classes\..\Winlogon; Shell =
HKU\S-1-5-18\..\Winlogon; Shell =

HKU\S-1-5-21-1844237615-842925246-1060284298-1004\..\Run [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] = "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
HKU\S-1-5-21-1844237615-842925246-1060284298-1004\..\Run [hnNPUrMR21XBMJ2] = C:\Documents and Settings\Lisa\Application Data\Ii0Nm8sy.exe
HKU\S-1-5-21-1844237615-842925246-1060284298-1004\..\Run [4e5ayhare4yh] = c:\windows\e54yher4h6j.exe
HKU\S-1-5-21-1844237615-842925246-1060284298-1004\..\Run [st5rhuy54u45hy] = C:\Documents and Settings\Lisa\Application Data\5w4yher54uyhw4.exe

==== FINISH 17.11-17.26 ====
WIN_XP X86 Service Pack 3
Running from G:\

HKLM\..\Winlogon; Shell = Explorer.exe [ Microsoft Corporation ]
.
.
.
HKCU\..\Winlogon; Shell not found
.


[System Process]
System
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
svchost.exe
SASCore.exe
svchost.exe
cmd.exe
srep.exe


HKLM\..\Run [QuickTime Task] = "C:\Program Files\QuickTime\qttask.exe" -atboottime
HKLM\..\Run [NvCplDaemon] = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\..\Run [nwiz] = nwiz.exe /install
HKLM\..\Run [TkBellExe] = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
HKLM\..\Run [DivXUpdate] = "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
HKLM\..\Run [DellTouch] = C:\WINDOWS\DELLMMKB.EXE
HKLM\..\Run [st5rhuy54u45hy] = C:\Documents and Settings\Adam\Application Data\5w4yher54uyhw4.exe

HKCU\..\Run [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] = "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
HKCU\..\Run [hnNPUrMR21XBMJ2] = C:\Documents and Settings\Adam\Application Data\Ii0Nm8sy.exe
HKCU\..\Run [SUPERAntiSpyware] = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKCU\..\Run [4e5ayhare4yh] = c:\windows\e54yher4h6j.exe
HKCU\..\Run [st5rhuy54u45hy] = C:\Documents and Settings\Adam\Application Data\5w4yher54uyhw4.exe

HKU\.DEFAULT\..\Winlogon; Shell =
HKU\S-1-5-20\..\Winlogon; Shell =
HKU\S-1-5-20_Classes\..\Winlogon; Shell =
HKU\S-1-5-21-1844237615-842925246-1060284298-1003\..\Winlogon; Shell =
HKU\S-1-5-21-1844237615-842925246-1060284298-1003_Classes\..\Winlogon; Shell =
HKU\S-1-5-18\..\Winlogon; Shell =

HKU\S-1-5-21-1844237615-842925246-1060284298-1003\..\Run [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] = "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
HKU\S-1-5-21-1844237615-842925246-1060284298-1003\..\Run [hnNPUrMR21XBMJ2] = C:\Documents and Settings\Adam\Application Data\Ii0Nm8sy.exe
HKU\S-1-5-21-1844237615-842925246-1060284298-1003\..\Run [SUPERAntiSpyware] = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKU\S-1-5-21-1844237615-842925246-1060284298-1003\..\Run [4e5ayhare4yh] = c:\windows\e54yher4h6j.exe
HKU\S-1-5-21-1844237615-842925246-1060284298-1003\..\Run [st5rhuy54u45hy] = C:\Documents and Settings\Adam\Application Data\5w4yher54uyhw4.exe

==== FINISH 17.11-17.29 ====

#6 PittsburghPete

  • Topic Starter

Posted 17 November 2012 - 05:40 PM

When I plugged the flash drive into my laptop, my norton security suite automatically scanned the flash drive and removed the file

e:\infected\5w4uyhw4.exe

#7 PittsburghPete

  • Topic Starter

Posted 17 November 2012 - 05:42 PM

Also, does it matter which user I log into to run the scan?

#8 Larusso


Posted 18 November 2012 - 06:33 AM

Hi there.

Thanks for posting the logfile.
Yes, it could be that Norton detects the file on your USB drive because the tool moves it there as a backup in case a file has been deleted accidentally.


Please open Notepad and copy/paste the content from the codebox below into it.
C:\Documents and Settings\Adam\Application Data\5w4yher54uyhw4.exe
c:\windows\e54yher4h6j.exe
C:\Documents and Settings\Adam\Application Data\Ii0Nm8sy.exe

Save this as fix.txt in the same location as srep.exe.


Start srep.exe again as before but this time press the Fix Button.

It won't take long and your system will reboot automatically. Please let me know if you are now able to work with the infected one in Normal Mode.
regards,
Daniel

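The two srep logs in post #5 and the fix.txt in post #8 together show the whole triage: spot the per-user Winlogon Shell override, collect the Run entries that point at randomly named executables under a profile's Application Data folder or directly under C:\Windows, and hand that list of paths to the cleanup tool. The script below is an added example written for this thread; it is not srep.exe's code and not anything the helper posted. It parses lines in the format of the posted log (the sample embedded in it is copied from the first log, the run under Lisa's profile), and its rules for what looks suspicious (Application Data, the C:\Windows root, letters and digits interleaved in the file name) are the editor's assumptions rather than srep's logic. Because HKCU entries belong to whichever account the tool ran under (the two logs list different profile SIDs, ...-1004 and ...-1003), the script keeps the HKU key in each finding's source so the two profiles stay distinguishable.

```python
"""Triage an srep.exe-style autorun log: flag a hijacked Winlogon Shell and suspicious
Run entries, then emit the file list for the cleanup tool. Added example for this
thread, not srep's own logic; the heuristics are the editor's assumptions."""
import re
from dataclasses import dataclass, field

EXPECTED_SHELL = "explorer.exe"
# matches "HKLM\..\Winlogon; Shell = Explorer.exe [ ... ]" and "HKU\S-1-5-18\..\Winlogon; Shell ="
SHELL_RE = re.compile(r"^(?P<hive>\S+)\\\.\.\\Winlogon; Shell =\s*(?P<value>.*)$")
CUR_SHELL_RE = re.compile(r"Current Shell File = (?P<value>.+)$")  # srep's per-user override line
RUN_RE = re.compile(r"^(?P<hive>\S+)\\\.\.\\Run \[(?P<name>[^\]]+)\] = (?P<cmd>.+)$")


@dataclass
class Finding:
    source: str                                  # registry location the entry came from
    path: str                                    # executable extracted from the value
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # "windows-root" alone is only a review hint: DELLMMKB.EXE lives there legitimately
        return any(r != "windows-root" for r in self.reasons)


def exe_path(cmd: str) -> str:
    """Executable out of a Run value: quoted, or unquoted followed by arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def path_reasons(path: str) -> list:
    """Why a path looks like a dropped payload (editor's heuristics, not srep's)."""
    reasons = []
    low = path.lower().replace("/", "\\")
    parent, _, name = low.rpartition("\\")
    if "\\application data\\" in low:
        reasons.append("appdata")        # user-writable, needs no installer or admin rights
    if parent == "c:\\windows":
        reasons.append("windows-root")   # beside the OS rather than under system32
    stem = name.rsplit(".", 1)[0]
    # letters and digits interleaved both ways (5w4yher54uyhw4, Ii0Nm8sy); rundll32 does not trip this
    if len(stem) >= 8 and re.search(r"[a-z][0-9]", stem) and re.search(r"[0-9][a-z]", stem):
        reasons.append("random-name")
    return reasons


def triage(log_text: str) -> list:
    """One Finding per set Shell value or Run entry, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := SHELL_RE.match(line):
            value = m.group("value").strip()
            if not value:
                continue  # unset Shell in .DEFAULT / service hives is normal; HKLM supplies it
            path = exe_path(value)
            reasons = path_reasons(path)
            if path.lower().rsplit("\\", 1)[-1] != EXPECTED_SHELL:
                reasons.insert(0, "shell-hijack")
            findings.append(Finding(m.group("hive") + "\\Winlogon\\Shell", path, reasons))
        elif m := CUR_SHELL_RE.search(line):
            path = exe_path(m.group("value"))
            findings.append(Finding("HKCU\\Winlogon\\Shell", path, ["shell-hijack"] + path_reasons(path)))
        elif m := RUN_RE.match(line):
            path = exe_path(m.group("cmd"))
            findings.append(Finding(f"{m.group('hive')}\\Run [{m.group('name')}]", path, path_reasons(path)))
    return findings


def quarantine_list(findings: list) -> list:
    """Unique suspicious paths in log order: the shape of the fix.txt above."""
    seen, out = set(), []
    for f in findings:
        if f.suspicious and f.path.lower() not in seen:
            seen.add(f.path.lower())
            out.append(f.path)
    return out


# Lines copied from the first srep log posted above (the run under Lisa's profile).
SAMPLE_LOG = r"""
HKLM\..\Winlogon; Shell = Explorer.exe [ Microsoft Corporation ]
Modified HKCU shell extension. Current Shell File = C:\Documents and Settings\Lisa\Application Data\5w4yher54uyhw4.exe
HKLM\..\Run [QuickTime Task] = "C:\Program Files\QuickTime\qttask.exe" -atboottime
HKLM\..\Run [NvCplDaemon] = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\..\Run [DellTouch] = C:\WINDOWS\DELLMMKB.EXE
HKLM\..\Run [st5rhuy54u45hy] = C:\Documents and Settings\Adam\Application Data\5w4yher54uyhw4.exe
HKCU\..\Run [hnNPUrMR21XBMJ2] = C:\Documents and Settings\Lisa\Application Data\Ii0Nm8sy.exe
HKCU\..\Run [4e5ayhare4yh] = c:\windows\e54yher4h6j.exe
HKCU\..\Run [st5rhuy54u45hy] = C:\Documents and Settings\Lisa\Application Data\5w4yher54uyhw4.exe
HKU\S-1-5-18\..\Winlogon; Shell =
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("SUSPICIOUS" if f.suspicious else "review" if f.reasons else "ok", f.source, f.path, f.reasons)
    print("fix.txt:", *quarantine_list(triage(SAMPLE_LOG)), sep="\n")
```

Feed it the contents of shell.txt instead of SAMPLE_LOG to run it on a real log. Anything tagged review (here DELLMMKB.EXE, only because of where it lives) wants a human look rather than automatic quarantine, and a clean HKLM shell next to a hijacked HKCU one is exactly the split the first log shows: the machine boots normally for one account and into the lock screen for the other.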

#9 PittsburghPete

  • Topic Starter

Posted 18 November 2012 - 09:49 AM

Yes. The computer started ISP in normal mode.

#10 PittsburghPete

  • Topic Starter

Posted 18 November 2012 - 09:51 AM

The computer started up in normal mode. Sorry the auto correct on the iPad changed the word

Edited by PittsburghPete, 18 November 2012 - 09:53 AM.


#11 Larusso


Posted 18 November 2012 - 10:41 AM

Well done.

Please delete the folder Infected from your USB drive.


Download ComboFix from this location:

Link 1


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to this topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
regards,
Daniel


#12 PittsburghPete

  • Topic Starter

Posted 18 November 2012 - 11:41 AM

It is running now. My desktop files are missing. However, if I open MY COMPUTER and open the desktop there, all the files are there.

#13 PittsburghPete

  • Topic Starter

Posted 18 November 2012 - 12:13 PM

Still scanning. It said "root kit detected". Also, just to let you know, when I did a malwarebytes scan before the computer got really bad and before I contacted you, it found the following:

Hijack.shell.gen
Hijack.shell.genA
Pum.hidden.desktop
Pum.hijack.regedit
Pum.hijack.taskmanager

#14 PittsburghPete

  • Topic Starter

Posted 18 November 2012 - 05:25 PM

I got a message that a rootkit was detected and then it seemed to freeze. I restarted and ran it again and it said

You are infected with rootkit.zeroaccess! It has inserted itself into the TCP/IP stack. It is a particularly difficult infection.

If for any reason you're unable to connect to the Internet after running ComboFix, reboot once to see if that fixes it.

If it's not fixed, run ComboFix one more time.


When I clicked OK, it resumed the scan. Then it said a rootkit was detected. It may take more time.

Then it froze again.

Edited by PittsburghPete, 18 November 2012 - 05:26 PM.


#15 Larusso


Posted 19 November 2012 - 03:49 AM

Hi there.

Not a good message.
ZeroAccess on an XP machine can be very painful to remove. You may have to reformat your OS (which would be the safest way here).


Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files ( mbar-log-YYYY-MM-DD, system-log.txt ) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.
regards,
Daniel




