
FBI Moneypak Virus Removal


  • This topic is locked
33 replies to this topic

#1 ovid


Posted 15 November 2012 - 08:22 AM

My laptop (running Windows XP) has the "FBI Moneypak" virus. All of the solutions I've found online require me to go into Safe Mode. Unfortunately, I cannot log into "Safe Mode" or "Safe Mode With Networking." When I try both options, the annoying FBI Virus popup still appears. The last time I attempted to log into Safe Mode w/ Networking, I got an error message which read...

Services.exe - Bad Image

“The application or DLL C:\WINDOWS\system32\umpnpmgr.dll is not a valid Windows image. Please check this against your installation diskette.”



The only version of Safe Mode that I can successfully enter is Safe Mode With Command Prompt. The FBI virus popup does NOT appear in this mode -- nor do I get the weird DLL error. I already have Malware Bytes installed on my laptop, but I can't get to it -- since the virus won't let me enter Safe Mode w/ Networking. How do I remove the virus inside Safe Mode w/ Command Prompt?

Thanks!

Edited by ovid, 15 November 2012 - 08:28 AM.




#2 KarstenHansen


Posted 15 November 2012 - 11:42 AM

Hi ovid :),
I will be handling your topic to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

Edited by KarstenHansen, 15 November 2012 - 11:58 AM.


#3 KarstenHansen


Posted 15 November 2012 - 01:42 PM

Hi ovid :),

:welcome: to BleepingComputer. My name is Karsten and I'll help you with the cleanup of malware from your computer.

Please be aware of the following:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • If you decide to clean your PC, work with us until a team member tells you that you are clean.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
NEXT

  • Start by booting into Safe Mode with Command Prompt
  • When at the command prompt please type the following:
    explorer.exe
  • Now press Enter
  • This should start a desktop with no FBI warning.
  • After this I would like to get a log with the following tool, DDS:
From a clean PC, please download DDS by sUBs from one of the following links. Save it to a USB drive.
DDS.com
DDS.pif
  • Insert USB-Drive into the bad PC, and browse to where DDS was saved.
  • Double click on the DDS icon, allow it to run.
  • Mark the option attach.txt.
  • Click on Start.
  • After the scan has finished, confirm the message with Ok.
  • DDS will automatically open both logfiles.
  • You can find them on your desktop and on your USB-Drive as well.
  • Please post the content of those logfiles with your next answer.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup:
  • DDS logs: DDS.txt and attach.txt


#4 ovid


Posted 16 November 2012 - 11:58 PM

Hi Karsten,

Thanks for your help. Tonight, I selected "Safe Mode With Command Prompt," and received the weird DLL error message mentioned earlier.

Services.exe - Bad Image

“The application or DLL C:\WINDOWS\system32\umpnpmgr.dll is not a valid Windows image. Please check this against your installation diskette.”


The command prompt did NOT load. Why did it load two days ago, but not now? I think the error message is being caused by the FBI Moneypak virus. Since I can't login to Safe Mode at all now, how should I proceed with removing the virus? Should I follow the instructions here, or is there a better option?

Edited by ovid, 16 November 2012 - 11:59 PM.


#5 KarstenHansen


Posted 17 November 2012 - 11:50 AM

Hi ovid :)
As you now have no access to your infected machine, we will need to start by fixing from outside of Windows. I will use xPud to accomplish that. Please do the following:

Try this please. You will need a USB drive and an empty CD.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download shellfix.ndf and save it to your USB drive
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see shellfix.ndf that you downloaded there
  • Double-click on the shellfix.ndf and let it run
  • After it has finished a report will be located on your USB drive named shellfix.txt
  • Remove the USB drive and insert it back in your working computer and navigate to shellfix.txt

    Please note - all text entries are case sensitive
Copy and paste the shellfix.txt for my review

#6 KarstenHansen


Posted 20 November 2012 - 11:37 AM

Hi ovid :), do you still need help? If you don't reply within 48 hours, this topic will be closed.

#7 ovid


Posted 20 November 2012 - 10:43 PM

Thank you! Yes, I still need help. I am following your instructions now. I will post the shellfix.txt as soon as I have it.

#8 ovid


Posted 20 November 2012 - 11:18 PM

Those instructions worked nicely, thanks. I've posted the content of shellfix.txt below.


Offline Shell value fix by noahdfear
Backing up software to software.orig
Backup Complete

Hive </mnt/sda2/MiniNT/system32/config/software>

(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe



Shell value is default


Hive </mnt/sda2/MiniNT/system32/config/software>

\Microsoft\Windows\CurrentVersion> Node has 23 subkeys and 4 values

<App Paths>
<Applets>
<Control Panel>
<Controls Folder>
<CSCSettings>
<Dynamic Directory>
<Explorer>
<H323TSP>
<Internet Settings>
<IPConfTSP>
<MS-DOS Emulation>
<Nls>
<Reliability>
<RenameFiles>
<RunOnce>
<RunOnceEx>
<Setup>
<SharedDlls>
<Shell Extensions>
<ShellScrap>
<Syncmgr>
<Telephony>
<Uninstall>
size type value name [value if type DWORD]
34 REG_EXPAND_SZ <DevicePath>
38 REG_EXPAND_SZ <MediaPathUnexpanded>
12 REG_SZ <SM_GamesName>
64 REG_SZ <SM_ConfigureProgramsName>



Backing up SOFTWARE to SOFTWARE.orig
Backup Complete

Hive </mnt/sda1/WINDOWS/system32/config/SOFTWARE>

(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe



Shell value is default


Hive </mnt/sda1/WINDOWS/system32/config/SOFTWARE>

(...)\Windows\CurrentVersion\policies\system> Node has 0 subkeys and 5 values
size type value name [value if type DWORD]
4 REG_DWORD <dontdisplaylastusername> 0 [0x0]
0 REG_SZ <legalnoticecaption>
8 REG_SZ <legalnoticetext>
4 REG_DWORD <shutdownwithoutlogon> 1 [0x1]
4 REG_DWORD <undockwithoutlogon> 1 [0x1]



#9 KarstenHansen


Posted 21 November 2012 - 11:20 AM

Hi ovid :)
Please start the clean PC and do this:
  • Download driver.sh to your USB drive
  • Insert the USB drive and CD in the Sick computer and boot the computer from the CD again
  • Click on File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see driver.sh.
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    services.*

  • Press Enter
  • If successful, the script will search for this file.
  • After it has finished a report will be located in the USB drive as filefind.txt

Please note - all text entries are case sensitive

Copy and paste the filefind.txt for my review

#10 ovid


Posted 23 November 2012 - 08:39 PM

Thanks, here are the contents of filefind.txt

Search results for services.*

c6ce6eec82f187615d1002bb3bb50ed4 /mnt/sda2/MiniNT/system32/services.exe
105.5K Aug 4 2004

85a738ba493104ed103b26cadeb8b543 /mnt/sda1/I386/SERVICES.EX_
48.8K Aug 4 2004

64e9f61d2ed093c361862de36433b5e1 /mnt/sda1/I386/SERVICES.MS_
3.6K Aug 4 2004

29bb3bbbe3d49156a42bfb3dd000f554 /mnt/sda1/I386/SERVICES._
1.9K Aug 4 2004

12 Mar 23 2011 com.sun.tools.jconsole.JConsolePlugin

1888031e033a041e4795c24628069ad6 /mnt/sda1/Program Files/Adobe/Adobe Dreamweaver CS5.5/JDK/demo/management/JTop/src/META-INF/services/com.sun.tools.jconsole.JConsolePlugin
12 Mar 23 2011

54 Mar 23 2011 com.sun.tools.jconsole.JConsolePlugin

bd19e6b74b65d856a6eeb902dc322260 /mnt/sda1/Program Files/Adobe/Adobe Dreamweaver CS5.5/JDK/demo/scripting/jconsole-plugin/src/META-INF/services/com.sun.tools.jconsole.JConsolePlugin
54 Mar 23 2011

2.6K Aug 4 2004 bigfoot.bmp
2.6K Aug 4 2004 verisign.bmp
2.6K Aug 4 2004 whowhere.bmp

e4a3c3731215f45dea015976267bf7ba /mnt/sda1/Program Files/Common Files/Services/bigfoot.bmp
2.6K Aug 4 2004

618aa7be4cd1750b0a5f6247d084392f /mnt/sda1/Program Files/Common Files/Services/verisign.bmp
2.6K Aug 4 2004

8aae6310c24fc3de8c34e55b8fb2cceb /mnt/sda1/Program Files/Common Files/Services/whowhere.bmp
2.6K Aug 4 2004

37.5K Jul 19 09:08 libmediadirs_plugin.dll
41.0K Jul 19 09:08 libpodcast_plugin.dll
83.5K Jul 19 09:08 libsap_plugin.dll
282.0K Jul 19 09:08 libupnp_plugin.dll
35.5K Jul 19 09:08 libwindrive_plugin.dll

80d072996b9050dc857c92371991e684 /mnt/sda1/Program Files/VideoLAN/VLC/plugins/services_discovery/libmediadirs_plugin.dll
37.5K Jul 19 09:08

f3fb9adc9bd375d27f7dbf7cbb91d98e /mnt/sda1/Program Files/VideoLAN/VLC/plugins/services_discovery/libpodcast_plugin.dll
41.0K Jul 19 09:08

2ced81485bcb5e10070dd9d5b4be8b88 /mnt/sda1/Program Files/VideoLAN/VLC/plugins/services_discovery/libsap_plugin.dll
83.5K Jul 19 09:08

4cf164c6accb68cb29d1773c97384057 /mnt/sda1/Program Files/VideoLAN/VLC/plugins/services_discovery/libupnp_plugin.dll
282.0K Jul 19 09:08

d573f9dccfb8795565dabaa38ad699f2 /mnt/sda1/Program Files/VideoLAN/VLC/plugins/services_discovery/libwindrive_plugin.dll
35.5K Jul 19 09:08

95826940e657fe0567a8ec0f2a6ad11a /mnt/sda1/WINDOWS/system32/drivers/etc/services
6.9K Aug 4 2004

c6ce6eec82f187615d1002bb3bb50ed4 /mnt/sda1/WINDOWS/system32/services.exe
105.5K Aug 4 2004

e8089aa2a6f7fee89b38c1f2d77ba6c6 /mnt/sda1/WINDOWS/system32/services.msc
32.7K Aug 4 2004

1fccd04d5c854bf676e2a61920371bb4 /mnt/sda1/Documents and Settings/All Users/Start Menu/Programs/Administrative Tools/Services.lnk
1.5K Aug 9 2004


The reference to bigfoot.bmp looked suspicious, and so I Googled it. A security website says this is part of a Win32 trojan. How should I remove it? Do you see anything else that's suspicious?

Edited by ovid, 23 November 2012 - 08:39 PM.


#11 KarstenHansen


Posted 24 November 2012 - 11:35 AM

Hi ovid :)
Leave the bigfoot.bmp image for now; it will be checked later, don't worry.

  • Next, from the clean PC, download orst.ndf and save it to your USB drive
  • From the clean PC, please create a file in notepad. Open Notepad and type or copy/paste in the following:
    qu;software\\microsoft\\windows nt\\currentversion\\winlogon;shell
    qsw;microsoft\\windows nt\\currentversion\\winlogon;shell
  • Please save the file to the USB-drive and call it query.txt
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see orst.ndf that you downloaded there
  • Double-click on the orst.ndf and let it run
  • After it has finished a report will be located on your USB drive named orst.txt
  • Remove the USB drive and insert it back in your working computer and navigate to orst.txt

    Please note - all text entries are case sensitive
Copy and paste the orst.txt for my review

#12 ovid


Posted 24 November 2012 - 02:05 PM

Thanks, below are the contents of orst.txt

/mnt/sda1/Documents and Settings/Administrator/NTUSER.DAT
shell value does not exist at Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon

/mnt/sda1/Documents and Settings/CJ/NTUSER.DAT
Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon

(...)\Windows NT\CurrentVersion\Winlogon| Value <shell> of type REG_SZ, data length 144 [0x90]
C:\Documents and Settings\CJ\Application Data\msconfig.ini,explorer.exe
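As an added example (not code from this thread or from the shellfix/orst tools), this Python script parses report output in the shape posted above and flags any Winlogon Shell value that loads anything besides explorer.exe. The embedded sample is a constructed copy of the values seen in this thread, and the regexes assume exactly the line shapes shown here; the thread itself shows why both hives matter, since the machine-wide value in shellfix.txt was clean while the user's NTUSER.DAT carried the hijacked value.

```python
import re

# Constructed sample shaped like the shellfix.txt and orst.txt output in this
# thread: a clean machine-wide Shell, one user hive with no per-user Shell,
# and one user hive whose Shell value was hijacked to load an extra file.
SAMPLE_REPORT = r"""Hive </mnt/sda1/WINDOWS/system32/config/SOFTWARE>
(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe

/mnt/sda1/Documents and Settings/Administrator/NTUSER.DAT
shell value does not exist at Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon

/mnt/sda1/Documents and Settings/CJ/NTUSER.DAT
(...)\Windows NT\CurrentVersion\Winlogon| Value <shell> of type REG_SZ, data length 144 [0x90]
C:\Documents and Settings\CJ\Application Data\msconfig.ini,explorer.exe
"""

# A hive is introduced as "Hive <path>" (shellfix) or as a bare /mnt/... path
# ending in NTUSER.DAT or SOFTWARE (orst); the Shell data follows its header line.
HIVE_RE = re.compile(r"^(?:Hive <(?P<h1>[^>]+)>|(?P<h2>/mnt/\S.*(?:NTUSER\.DAT|SOFTWARE)))$")
VALUE_RE = re.compile(r"Value <shell> of type REG_SZ", re.IGNORECASE)
DEFAULT_SHELL = "explorer.exe"

def classify(hive, data):
    """Split a Shell value on commas and flag every entry that is not explorer.exe."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    extra = [e for e in entries if e.lower() != DEFAULT_SHELL]
    return {"hive": hive, "shell": data, "hijacked": bool(extra), "extra": extra}

def parse_shell_report(text):
    """Return one finding per Shell value (or 'does not exist' note) in the report."""
    findings, hive, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        m = HIVE_RE.match(line)
        if m:
            hive = m.group("h1") or m.group("h2")
        elif VALUE_RE.search(line):
            j = i + 1
            while j < len(lines) and not lines[j].strip():
                j += 1  # tolerate blank lines between header and data
            data = lines[j].strip() if j < len(lines) else ""
            findings.append(classify(hive, data))
            i = j  # the data line is consumed
        elif "value does not exist" in line.lower():
            findings.append({"hive": hive, "shell": None, "hijacked": False, "extra": []})
        i += 1
    return findings

def hijacked_hives(text):
    """Hives whose Shell value loads something other than the default shell."""
    return [f["hive"] for f in parse_shell_report(text) if f["hijacked"]]
```

Running `hijacked_hives(SAMPLE_REPORT)` returns only the CJ user's NTUSER.DAT, and the matching finding's `extra` list names the msconfig.ini file that the next post renames.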



#13 KarstenHansen


Posted 24 November 2012 - 03:25 PM

Hi ovid :)
  • Please boot into xPud once again.
  • Next I would like you to browse to the following directory
  • mnt\sda1\Documents and Settings\CJ\Application Data\
  • Next you look for a file named msconfig.ini
  • Right-click on msconfig.ini and choose to rename it to msconfig.vir
  • Now please reboot the PC and try to start up normally.
I would like to know if you can now boot into Normal Mode and how the PC operates overall.

#14 ovid


Posted 24 November 2012 - 10:08 PM

Thanks, I renamed msconfig.ini to msconfig.vir, and then rebooted the PC in "Normal Mode."

Immediately after rebooting the PC, I received the same DLL error message...

Services.exe - Bad Image

“The application or DLL C:\WINDOWS\system32\umpnpmgr.dll is not a valid Windows image. Please check this against your installation diskette.”

I then clicked "OK" to the DLL error message notification.

Now, my screen is completely black. No icons, no desktop. Just blackness.

Edited by ovid, 24 November 2012 - 10:10 PM.


#15 KarstenHansen


Posted 25 November 2012 - 09:01 AM

From the black screen, please try the following:

Press CTRL+ALT+DEL and choose to start Task Manager. In Task Manager, open the Files menu and choose the menu item New Job.

A box should now open. Type explorer.exe into the box and press Enter.

Please report to me what happened when you tried this.

Edited by KarstenHansen, 25 November 2012 - 09:46 AM.




