
FBI MoneyPak Ransomware now MORE POWERFUL


  • This topic is locked
37 replies to this topic

#1 mrmatt2

  • Members
  • 109 posts

Posted 30 December 2012 - 12:05 PM

Hi, Hope you can help.

Been infected with the FBI Anti-Piracy Warning MoneyPak Ransomware;
I read the information here under "Virus Removal"
However, even in safe mode, the screen is locked by virus, for all users and administrator.

Virus takes about 4 seconds to remove desktop and lock it both in safe mode and normal mode
I have an old RKill on my desktop which even though I am able to click it before the virus locks the screen, it does not seem to end the virus, which could be due to a few reasons I guess.

As recommended here, I have downloaded the iExplore.exe Rkill just now to a flash drive - can this be engaged to the computer...not sure how to do this

I have Windows XP Home

Hope you can help!

Thanks so much!!

Matt

#2 mrmatt2 (Topic Starter)

Posted 30 December 2012 - 08:16 PM

Sorry, posted this into the wrong forum....

#3 CStew23

  • Members
  • 1,484 posts
  • Gender:Male
  • Location:USA

Posted 01 January 2013 - 01:58 AM

Hello and Welcome to BleepingComputer Forums! :welcome:

My name is Chris and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only! If you are not the original poster of this thread DO NOT run the fixes provided here.
  • Please do not run any tools until requested by myself or another member of Staff! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • If you stay with me, follow my instructions and ask questions when confused you'll be back up and running in no time :)

I must get my fixes approved so I will be back to you asap
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#4 mrmatt2 (Topic Starter)

Posted 01 January 2013 - 12:35 PM

Thanks Chris, hope you can help!

Matt

#5 CStew23

Posted 01 January 2013 - 01:38 PM

Hi mrmatt,

Does the screen still pop up without an active internet connection? Pull the ethernet cable out of the back of the machine or power off your router and try to boot the machine.
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#6 mrmatt2 (Topic Starter)

Posted 02 January 2013 - 07:18 PM

Thanks, I did it but the display is still shown and my computer is still locked.

Matt

#7 CStew23

Posted 03 January 2013 - 04:20 PM

Hi Matt,

Which account did you use in Safe Mode? Try using the built in Administrator account

Failing that, you mentioned a copy of RKill on your flash drive. Does that work to rectify anything?
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#8 mrmatt2 (Topic Starter)

Posted 03 January 2013 - 07:36 PM

Thanks Chris,

Admin or other accounts in safe mode still show the evil screen.

I do have RKill on a flash drive, but do not know how to launch it... as I cannot access the flash drive through "My Computer" due to the rapid screen lockout. Is there a way to launch it say in safe mode with command prompt?

Thanks

Matt

#9 CStew23

Posted 03 January 2013 - 08:17 PM

You mentioned there were a few seconds before the ransom screen where you could launch programs. Can you try RKill (just double click) during that time?
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#10 mrmatt2 (Topic Starter)

Posted 04 January 2013 - 05:45 PM

I tried that about 50 times, normal mode, safe mode, admin, non-admin - every way I can think of...

The RKill I have on my desktop is about 2 years old, if that matters, the latest one I have on my thumbdrive...

#11 mrmatt2 (Topic Starter)

Posted 04 January 2013 - 06:47 PM

Every time I try to launch Rkill, it does not seem to have time to run.
In safe mode, the screen block comes up faster than in normal mode.

Every time I try to launch Rkill it seems to make a little progress.
I just launched normally, and launched RKill again, and it seemed to stumble the virus, so I quickly downloaded from my thumbdrive the rkill.exe and launched that. That seemed to hang the virus up - it has not started yet, but I did launch Malwarebytes and Microsoft Security Essentials and am running those. The desktop looks horrible (mostly white with a lot of my folders blanked out).

I tried to install SpyHunter via thumb drive, but it would not take. Here is a log from one of the Rkill runs..

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/04/2013 05:49:08 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Documents and Settings\Sacher\Desktop\rkill.scr (PID: 3880) [UP-HEUR]
* C:\DOCUME~1\Sacher\LOCALS~1\Temp\RarSFX13\nircmd.exe (PID: 2932) [SUP-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

I am curious as to what "Resetting .EXE, .COM, & .BAT associations in the Windows Registry." means...

Microsoft Security Essentials says it has found malicious software... will wait for the antivirus programs to finish.. could take all night..

matt

Edited by mrmatt2, 04 January 2013 - 07:22 PM.


#12 CStew23

Posted 05 January 2013 - 04:13 PM

That essentially means that it will reset the values in the Registry that tell Windows how to open the corresponding file extensions. So each time you open an .exe file it will open correctly and start whichever program it corresponds to.
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.
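To make the association reset concrete, here is an added example (my code, not Rkill's and not from BleepingComputer) that audits the registry values Chris describes. It reads the plain-text format written by `reg export` (a .reg file), so it runs offline against a saved export, and flags any .exe, .com or .bat handler whose (Default) `shell\open\command` no longer equals the stock `"%1" %*`, which is what a reset restores. The registry paths checked are the real ones; the exports and the `PLACEHOLDER.exe` path inside them are constructed sample data.

```python
"""Audit Windows executable file associations from a `reg export` text dump.

Added example for this thread; not Rkill's code. Sample exports below are constructed.
"""
import re

# Stock launch command: run the file itself ("%1") and forward the remaining
# arguments (%*). It is the same for the .exe, .com and .bat handler classes.
STOCK_COMMAND = '"%1" %*'
EXPECTED_COMMANDS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": STOCK_COMMAND,
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": STOCK_COMMAND,
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": STOCK_COMMAND,
}
# The extension keys must point at those handler classes.
EXPECTED_EXT_CLASSES = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\.com": "comfile",
    r"HKEY_CLASSES_ROOT\.bat": "batfile",
}

# .reg syntax: @="data" is the (Default) value, "name"="data" any other string
# value; data is double-quoted with backslash escapes for \ and ".
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$')


def _unescape(s):
    """Undo the backslash escaping used inside .reg string values."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: data}} for string values in a .reg export.

    The (Default) value is stored under the empty-string name. dword:/hex: values
    are skipped because the association check only needs strings.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        keys[current][name] = _unescape(m.group(4))
    return keys


def check_associations(keys):
    """Return [(key, observed, expected)] for every association that differs from stock.

    observed is None when the key or its (Default) value is absent from the export.
    """
    findings = []
    for key, expected in {**EXPECTED_COMMANDS, **EXPECTED_EXT_CLASSES}.items():
        observed = keys.get(key.lower(), {}).get("")
        if observed != expected:
            findings.append((key, observed, expected))
    return findings


# Constructed export: .exe launching is routed through a placeholder program
# and the batfile handler and .bat extension keys are missing entirely.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\.com]
@="comfile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\PLACEHOLDER.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed export with every checked key at its stock value.
STOCK_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\.com]
@="comfile"
[HKEY_CLASSES_ROOT\.bat]
@="batfile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, observed, expected in check_associations(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{key}\n  observed: {observed!r}\n  expected: {expected!r}")
```

On a real machine the input would come from `reg export HKCR\exefile exefile.reg` (and likewise for comfile, batfile and the extension keys) run from a clean environment, since a hijacked exefile command runs the hijacker first every time an .exe is launched, which is exactly why a tool like Rkill resets these values before anything else is run.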

#13 mrmatt2 (Topic Starter)

Posted 05 January 2013 - 04:48 PM

Hopefully, it is resetting the extensions to what they should be.

I have run Malwarebytes and MSE. MSE is asking me to restart the computer to remove threats; when I got the virus, it asked me to do this, and I had problems restarting as mentioned before, .... so I will not restart the computer yet.

I downloaded and installed SPYHUNTER, it is running now and has identified by name the virus, along with a number of others.

Hopefully this will fix it - I will run again after cleaning...

I will keep you updated..

Thanks Chris

Matt

#14 mrmatt2 (Topic Starter)

Posted 05 January 2013 - 05:14 PM

I found this

BYPASS RANSOMWARE INHIBITED STARTUP (http://malwaretips.com/blogs/fbi-online-agent-virus/)

THIS REALLY NEEDS TO BE POSTED IN THE "Remove the FBI Anti-Piracy Warning MoneyPak Ransomware" under virus tab on this site

Please review link

Thanks

Matt

#15 CStew23

Posted 06 January 2013 - 12:30 PM

Matt,

Please don't run any fixes unless I ask you to run them. This actually inhibits my ability to clean the machine effectively because the state changes.

Have you followed that removal guide you referenced above? If so, which steps?

Can you list the detected files by the programs you've run?
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.



