Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hit with FBI Moneypak variant


  • Please log in to reply
6 replies to this topic

#1 GregBauman

GregBauman

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:04:40 PM

Posted 22 November 2012 - 06:15 PM

Hi all

My work laptop encountered the FBI Moneypak virus two nights ago. I've been working on it ever since with no luck.

Win 7 Enterprise
Alienware M14x

The variant I got defends against Task Manager, as well as Safe Mode. Regardless of how I try to login, I get snagged by the overlay screen. Because I immediately disconnected from the internet, it isn't displaying the web page - I get a blank white screen.

ALT-F4 does not work
ALT-Tab does not work
CTRL-ALT-DEL works, but if I go into Task Manager, the virus screen resumes with no other effect

I have two options that would enable me to save my data

1) Create a new user account (my IT guys @ work would have to do this, I think)
2) Create a bootable USB drive with Malwarebytes on it to clean it

I have followed the instructions at http://www.maximumpc.com/article/howtos/howto_make_bootable_usb_key to create the bootable USB. However, I do not have an OS DVD - it's a work laptop.

I have a local email archive on the laptop, so formatting and starting over (or trying a restore point) is not a viable option at this time. I have critical files on there. I'd have a backup to rely on, but I just started this job and don't have network storage yet.

I'd love any help you can offer on Thanksgiving. :)

Greg

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:40 PM

Posted 22 November 2012 - 06:30 PM

Hello Greg, Did you try this......

Download: te94decrypt.exe by DrWeb

Place it in the root of your C: drive. So... it should be at C:\te94decrypt.exe

  • Press and hold the Windows key Posted Image and then press the letter R on your keyboard.
  • This opens the Run dialog box.
  • Copy and paste the below text inside the text-field:
    • C:\te94decrypt.exe -k 186
  • Now press ENTER
  • The tool should open and start scanning your system to repair the .POLICE files to their original decrypted state.

Note: Some users report that C:\te94decrypt.exe -k 85 worked for them. So try that one incase the first command was not successful.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 GregBauman

GregBauman
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:04:40 PM

Posted 22 November 2012 - 06:49 PM

I can't even get to the desktop, in Safe Mode or standard Windows boot.

I can't put the file on C: at this point.

Greg

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:40 PM

Posted 22 November 2012 - 07:18 PM

Ok ,I will ask someone that specializes in these non boot issues to look here when they can.. With the Holiday i am not sure it will be today.

Edited by boopme, 22 November 2012 - 07:18 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:40 PM

Posted 22 November 2012 - 07:26 PM

are you able to boot to the recovery environment?

please give this a try:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive. (Choose the correct version depending on which architecture operating system you are using, 32bit (x86) or 64 (x64) bit)

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to the disclaimer.
[*]Place a check next to List Drivers MD5 as well as the default check marks that are already there
[*]Press Scan button.
[*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
services.exe
[*]now press the search button
[*]when the search is complete, search.txt will also be written to your USB
[*]type exit and reboot the computer normally
[*]please copy and paste both logs in your reply.(FRST.txt and Search.txt)[/list]

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 GregBauman

GregBauman
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:04:40 PM

Posted 22 November 2012 - 08:55 PM

Thanks for a quick reply.

I got as far as selecting the proper user. I have options that are clearly set from the IT folks at work, not my own user account. They are obviously using some sort of permissions system and not giving me "my own account" so to speak.

Looks like I need to wait for our IT guys.

Greg

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:40 PM

Posted 22 November 2012 - 09:00 PM

ok, good luck

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users