FBI Moneypak Virus help requested


30 replies to this topic

#1 kingofsiam

  • Members
  • 37 posts

Posted 17 February 2013 - 11:21 AM

I posted this help request on the Norton Internet Security forum of Symantec. A helpful person named Quads directed me to this site for help and I am calling on him and his contemporaries for help.

 

It is now 2 or 3 days since I got hit with the FBI Moneypak virus. I have 3 different users on my computer. I tried following the instructions I saw for downloading NPE. I followed the instructions but it found nothing. I am not sure if it found nothing because it was running from one of the users that is not infected. I tried going into safe mode on the user with the problem but it won't let me in. It starts to load and then shuts down.

 

I am not advanced enough to try command prompt instructions without knowing what I am doing.

 

Also, I don't understand enough about system restore. If I do a restore, what happens to any files I have saved on the computer, under any user? Do they get lost if I go back to a time before they were created or modified?

 

I am running the 64-bit version of Windows 7 Home Edition.

 

Any help is appreciated.

 

Edit: Moved to the more appropriate forum from the Windows 7 Forum.

Roger


Edited by rotor123, 17 February 2013 - 12:15 PM.




#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 17 February 2013 - 11:23 AM

I am not sure if it found nothing because it was running from 1 of the users that is not infected.

 

Please boot into this account and run these tools

 

 

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters




  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example).
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now




  • Click Start Scan and allow the scan process to run

  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue




  • Click Reboot computer
  • Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically c:\), in your reply


===================================================


aswMBR

--------------------

  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.



  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.



  • Please post the contents of the log in your next reply.

NOTE:  aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


===================================================


ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the   button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:

    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply.   Note:  If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • TDSSKiller log
  • aswMBR log
  • ESET results
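The three scans above run under whichever account is logged on, which is why the advisor asks for them to be run from the affected account. A complementary check, added here as an example and not part of the advisor's procedure or any of the tools' output: a screen locker that only affects one of the three users is typically started from that user's own autostart locations (the profile's Startup folder, the HKCU Run keys, or a per-user Winlogon Shell value), so those locations can be enumerated for every local profile from an elevated PowerShell in an unaffected account. The script assumes PowerShell 3.0 or later (an optional update on Windows 7) and that the affected user is logged off, so that profile's NTUSER.DAT is not locked and can be loaded temporarily with reg.exe. The hive mount name TmpHive and the function name are this example's own choices. The script only reports; it deletes nothing.

```powershell
# Added example (not from the original post or the advisor): list the per-user
# autostart entries of every local profile from a clean, elevated account.
# Assumption: the affected user is logged off, so that profile's NTUSER.DAT is
# not locked and can be loaded temporarily with reg.exe. Needs PowerShell 3.0+.

$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# A per-user Winlogon\Shell value replaces explorer.exe for that user only.
$winlogonSubKey = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-ProfileAutostart {
    param([string]$Sid, [string]$ProfilePath)
    $found = @()

    # 1. Startup folder: everything in here launches at that user's logon.
    $startup = Join-Path $ProfilePath 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    if (Test-Path $startup) {
        foreach ($f in (Get-ChildItem $startup -Force | Where-Object { -not $_.PSIsContainer })) {
            $found += [pscustomobject]@{ Profile = $ProfilePath; Where = 'Startup folder'; Name = $f.Name; Value = $f.FullName }
        }
    }

    # 2. The user's own registry hive. A logged-on user's hive is already
    #    mounted under HKEY_USERS\<SID>; otherwise load NTUSER.DAT temporarily.
    $loaded = $false
    $mount  = 'HKU\TmpHive'   # hypothetical mount name chosen for this example
    if (Test-Path "Registry::HKEY_USERS\$Sid") {
        $base = "Registry::HKEY_USERS\$Sid"
    } else {
        & reg.exe load $mount (Join-Path $ProfilePath 'NTUSER.DAT') 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) {
            return [pscustomobject]@{ Profile = $ProfilePath; Where = 'error'; Name = 'NTUSER.DAT'; Value = 'could not load hive (still in use?)' }
        }
        $loaded = $true
        $base = "Registry::$mount"
    }
    try {
        foreach ($sub in $runSubKeys) {
            $key = "$base\$sub"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
                $found += [pscustomobject]@{ Profile = $ProfilePath; Where = "HKCU\$sub"; Name = $p.Name; Value = $p.Value }
            }
        }
        $wl = "$base\$winlogonSubKey"
        if (Test-Path $wl) {
            $shell = (Get-ItemProperty -Path $wl).Shell
            if ($shell) {
                $found += [pscustomobject]@{ Profile = $ProfilePath; Where = 'HKCU\...\Winlogon'; Name = 'Shell'; Value = $shell }
            }
        }
    } finally {
        if ($loaded) {
            [gc]::Collect()          # drop handles so the hive can be unloaded
            & reg.exe unload $mount 2>&1 | Out-Null
        }
    }
    return $found
}

# Enumerate real user profiles. ProfileList also contains service accounts
# whose paths live under the Windows directory; those are filtered out.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$results = foreach ($entry in (Get-ChildItem $profileList)) {
    $path = (Get-ItemProperty $entry.PSPath).ProfileImagePath
    if ($path) { $path = [Environment]::ExpandEnvironmentVariables($path) }
    if ($path -and $path -like '*\Users\*') {
        Get-ProfileAutostart -Sid $entry.PSChildName -ProfilePath $path
    }
}

$results | Format-Table -AutoSize -Wrap
```

Compare the rows for the affected profile against the clean ones: a Startup-folder item, Run value, or Winlogon Shell that only the affected user has is the thing to show a helper, together with the scanner logs. Pipe the last line to Out-File instead of Format-Table to get a text file that can be pasted into a reply.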



#3 kingofsiam
  • Topic Starter

  • Members
  • 37 posts

Posted 17 February 2013 - 03:44 PM

I can do this from an unaffected user account to eliminate the virus on the other user?



#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 17 February 2013 - 04:13 PM

I will help you on that but first please post the logs.



#5 kingofsiam
  • Topic Starter

  • Members
  • 37 posts

Posted 17 February 2013 - 04:45 PM

Not sure how to post the logs. I just ran the TDSSKiller and it found no threats. This was done from one of the unaffected user accounts.



#6 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 17 February 2013 - 04:47 PM

Copy the contents of the log and paste it here



#7 kingofsiam
  • Topic Starter

  • Members
  • 37 posts

Posted 17 February 2013 - 04:50 PM

Where do I find the log? I know I am sounding dumb.
 



#8 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 17 February 2013 - 04:53 PM

You need to read the instructions.

 

Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically c:\), in your reply



#9 kingofsiam
  • Topic Starter

  • Members
  • 37 posts

Posted 17 February 2013 - 05:06 PM

The TDSSKiller log is taking a long, long time to post. Here is the aswMBR log

 

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-17 16:56:19
-----------------------------
16:56:19.457    OS Version: Windows x64 6.1.7601 Service Pack 1
16:56:19.457    Number of processors: 4 586 0x2A07
16:56:19.458    ComputerName: GREATBIRD  UserName: Kirk
16:56:21.212    Initialize success
16:58:17.535    AVAST engine defs: 13021700
16:59:07.558    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:59:07.563    Disk 0 Vendor: Hitachi_ JEDO Size: 610480MB BusType: 3
16:59:07.578    Disk 0 MBR read successfully
16:59:07.585    Disk 0 MBR scan
16:59:07.595    Disk 0 Windows 7 default MBR code
16:59:07.610    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        11258 MB offset 2048
16:59:07.631    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 23058432
16:59:07.646    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       599120 MB offset 23263232
16:59:07.668    Disk 0 scanning C:\Windows\system32\drivers
16:59:18.491    Service scanning
16:59:53.950    Modules scanning
16:59:53.963    Disk 0 trace - called modules:
16:59:53.979    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
16:59:54.309    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80061e5060]
16:59:54.316    3 CLASSPNP.SYS[fffff8800103b43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005f45050]
16:59:56.001    AVAST engine scan C:\Windows
16:59:59.047    AVAST engine scan C:\Windows\system32
17:03:06.292    AVAST engine scan C:\Windows\system32\drivers
17:03:25.516    AVAST engine scan C:\Users\Kirk
17:04:01.378    Disk 0 MBR has been saved successfully to "C:\Users\Kirk\Downloads\MBR.dat"
17:04:01.382    The log file has been saved successfully to "C:\Users\Kirk\Downloads\aswMBR.txt"

 



#10 kingofsiam
  • Topic Starter

  • Members
  • 37 posts

Posted 17 February 2013 - 05:29 PM

I just put the TDSSKiller log into Microsoft Word and it is 344 pages long. Is there a way to get you the whole thing, because it is taking forever to post?



#11 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 17 February 2013 - 05:35 PM

Just copy and paste the lower part of the log alone, a few lines from the end.



#12 kingofsiam
  • Topic Starter

  • Members
  • 37 posts

Posted 17 February 2013 - 05:42 PM

About five lines is good?



#13 kingofsiam
  • Topic Starter

  • Members
  • 37 posts

Posted 17 February 2013 - 05:43 PM

Tell me if you need more than this.

 

16:49:04.0269 2632  [ 18D4729031314F8C217CDFCC599EF4E4 ] C:\Windows\System32\ndfapi.dll
16:49:04.0269 2632  C:\Windows\System32\ndfapi.dll - ok
16:49:04.0274 2632  [ DD81D91FF3B0763C392422865C9AC12E ] C:\Windows\System32\rundll32.exe
16:49:04.0274 2632  C:\Windows\System32\rundll32.exe - ok
16:49:04.0278 2632  [ BE3AB4803C963BE0357541EC3B17D443 ] C:\Users\Kirk\Downloads\aswMBR.exe
16:49:04.0278 2632  C:\Users\Kirk\Downloads\aswMBR.exe - ok
16:49:04.0282 2632  [ 5B99111B7D6BBAAEAD56D17D41E9DD50 ] C:\Program Files (x86)\Norton Internet Security\Engine\19.9.1.14\cltlmh.exe
16:49:04.0282 2632  C:\Program Files (x86)\Norton Internet Security\Engine\19.9.1.14\cltlmh.exe - ok
16:49:04.0284 2632  ============================================================
16:49:04.0285 2632  Scan finished
16:49:04.0285 2632  ============================================================
16:49:04.0291 2160  Detected object count: 0
16:49:04.0291 2160  Actual detected object count: 0
 



#14 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 17 February 2013 - 06:04 PM

Good, move to the next scan.



#15 kingofsiam
  • Topic Starter

  • Members
  • 37 posts

Posted 17 February 2013 - 06:06 PM

62% done with the ESET scan





