
Another FBI Moneypak virus


This topic is locked. 90 replies to this topic.

#1 jcfvoygr


Posted 09 December 2012 - 12:27 AM

Just turned on my computer after being gone a week and I get this internet crimes complaint... It won't let me do anything. It boots up in either safe or regular mode (BTW it's an older HP desktop running Windows XP). Then after it applies settings the screen blacks out and is replaced with this FBI warning / pay money message. It will not let me activate rkill or any virus software. I have no known control after boot. My last good backup was quite a long time ago. Can you help?
#2 Broni


Posted 10 December 2012 - 08:05 PM

I'll report this topic to appropriate helpers.
Hold on....


#3 jcfvoygr


Posted 11 December 2012 - 02:17 PM

Thanks Broni

#4 Elise


Posted 12 December 2012 - 01:18 PM

Hello jcfvoygr,

Can you try to boot in Safe Mode in the Administrator account?
If that doesn't change anything, please try Safe Mode Command Prompt. Let me know if the ransom screen shows up there too.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#5 jcfvoygr


Posted 12 December 2012 - 03:33 PM

Hi Elise,

I see you are working a couple of these FBI Moneypak issues right now. Thank you for your help in advance.

My logon ID to that computer has administrator privileges. I have started it up in Safe Mode w/Networking and the virus/rootkit launches once Windows applies its settings. It will not let me log on in Safe Mode w/Command Prompt. I have not tried just Safe Mode yet.

Additional info. I have downloaded to a USB, rkill, DDS, Combofix, and TDSSKiller for our future use under your direction.

#6 Elise


Posted 12 December 2012 - 03:54 PM

It is important to try the built-in Administrator account though. Not because it has more permissions, but simply because the malware may not load using that profile, allowing us to run some tools. :)

Alternatively try the following (you need to be fast, so it may take a few tries). Please boot in Safe Mode Command Prompt. Immediately after the black command window with prompt opens, type cmd /d and press enter (you should have a few seconds with a bit of luck to do this). See if this stops the ransom screen from appearing.

regards, Elise



#7 jcfvoygr


Posted 12 December 2012 - 04:40 PM

"All hail E"...

Seriously though, I will give it a shot. I don't have any idea what the built-in Admin would be any more. It has been too many years. As far as being quick, I will try it, but it will have to be through Safe Mode w/Networking. It will not let me log on when I boot in Safe Mode Command Prompt. I will try it later tonight after I get home from work.

#8 Elise


Posted 12 December 2012 - 04:50 PM

It is quite likely you haven't used the Administrator account ever (most users don't). However it can come in handy in cases like this one. :)
You usually can choose the Administrator account in the Welcome screen in Safe mode. If you have disabled the welcome screen and use classic logon, just type Administrator as username and leave password blank.

regards, Elise


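The two suggestions above (opening a fresh prompt with `cmd /d`, and logging on as the built-in Administrator) rest on the same idea: a screen locker has to start from some autostart entry, and several of those entries are per-user, so a different profile, or a prompt that skips cmd.exe's AutoRun value (which is exactly what the documented `/d` switch does), may come up without the ransom screen. The batch file below is an added example for this page, not a tool from this thread or from BleepingComputer; it dumps the usual per-user and machine-wide autostart locations on Windows XP with the stock reg.exe, so the output for the locked account can be compared with what a built-in Administrator logon would load. It assumes you copy it to the USB stick as autostart.cmd and run it from a Safe Mode command prompt; the report file name and the list of keys are choices made for the example, not anything the thread specifies.

```batch
@echo off
rem autostart.cmd  --  added example, not a tool from this thread.
rem Lists the autostart locations a screen locker commonly uses on
rem Windows XP, using only the built-in reg.exe, so the output for the
rem locked account can be compared with a built-in Administrator logon.
rem Launch it from Safe Mode with Command Prompt, ideally after starting a
rem fresh "cmd /d" so the Command Processor AutoRun value does not run first.
rem Assumption: it is started from the USB stick and writes its report
rem next to itself (autostart.txt); both names are choices for this example.

setlocal
set "OUT=%~dp0autostart.txt"
echo Autostart survey for user "%USERNAME%" on %date% %time% > "%OUT%"

rem --- Per-user locations: only fire for the profile that logs on. ---
rem A locker living here is why another account may come up clean.
call :dump "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
call :dump "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
call :dump "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"
call :dump "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
call :dump "HKCU\Software\Microsoft\Command Processor"
call :folder "%USERPROFILE%\Start Menu\Programs\Startup"

rem --- Machine-wide locations: fire for every account, Administrator included. ---
call :dump "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
call :dump "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
call :dump "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
call :dump "HKLM\Software\Microsoft\Command Processor"
call :folder "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"

echo.
echo Report written to "%OUT%" - copy it to a working PC and post it.
endlocal
goto :eof

rem Print one registry key to the screen and append it to the report.
rem "%~1" strips the surrounding quotes so keys with spaces still work.
:dump
echo.
echo ==== %~1
echo ==== %~1 >> "%OUT%"
reg query "%~1" 2>&1
reg query "%~1" >> "%OUT%" 2>&1
goto :eof

rem Same for a Startup folder (/a lists hidden entries as well).
:folder
echo.
echo ==== %~1
echo ==== %~1 >> "%OUT%"
dir /a "%~1" 2>&1
dir /a "%~1" >> "%OUT%" 2>&1
goto :eof
```

On a clean XP install the HKLM Winlogon `Shell` value is `Explorer.exe` and `Userinit` is `C:\WINDOWS\system32\userinit.exe,` (trailing comma included); an HKCU `Shell` value (normally absent), anything at all under either `Command Processor\AutoRun`, or a Run entry pointing into a profile's temp or Application Data folder is what to show the helper. Note that `cmd /d` only skips the AutoRun value and does nothing about the other keys, which is why a survey like this is worth having before anything is deleted.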

#9 jcfvoygr


Posted 12 December 2012 - 10:47 PM

So I have tried both ways. I can't log on in Safe Mode w/Command Prompt. I am not fast enough to get the cmd /d to launch before too much of the malware script runs. While I keep trying, any other options?

#10 jcfvoygr


Posted 12 December 2012 - 11:07 PM

It looks like I may have been able to launch rkill in time...

#11 jcfvoygr


Posted 12 December 2012 - 11:27 PM

well, I can't tell what rkill is doing, but I was able to launch McAfee to scan my PC...

#12 jcfvoygr


Posted 12 December 2012 - 11:39 PM

I quit the scan. I thought better of it after I had launched it. It looks like a standoff. My screen is basically black, though it does say Safe Mode at the top and bottom. There look to be two windows open on the desktop, but they are both blacked out. One has a yellow triangle icon with an exclamation point in it. The other had a menu bar across the top. rkill doesn't seem to be doing much but I will let it continue... but I am a little concerned to let it crank all night...

#13 Elise


Posted 13 December 2012 - 04:00 AM

Try Ctrl-Alt-Del and see if that brings up the Task Manager. If not, press Windows key + R and see if that brings up the Run box. Type explorer and press enter and see if that starts the desktop.

regards, Elise



#14 jcfvoygr


Posted 13 December 2012 - 01:25 PM

I was a little too nervous to let it continue to crank last night. I shut it down. I will give your directions a shot tonight. I had tried the Ctrl-Alt-Del before to no avail. BTW: I hope 3:00 a.m. is just the time zone you're from. :o

#15 Elise


Posted 13 December 2012 - 01:46 PM

No problem, just post when ready. If Ctrl-Alt-Del didn't work, Windows key + R might still work.

regards, Elise
