Cannot Get Rid of this Variant of the MoneyPak Virus

10 replies to this topic

#1 Glaring_Foil

Glaring_Foil

  • Members
  • 6 posts

Posted 27 May 2013 - 07:32 PM

I've got a laptop that is infected with a really stubborn version of one of the MoneyPak viruses. When that laptop boots, I'm presented with a white screen with a box you can type in, a button below it that says Submit, and a pop-up box asking that I connect to the Internet, start the computer out of Safe Mode and connect to the Internet.

 

I'm a tech and have removed this virus plenty of times, but this is the first one making me slam my head off my desk. The following things DO NOT work: 

 

-Any Safe Mode (Yes, even with Command Prompt gives me a white screen and tells me to restart)

-Windows System Restore (through the "Repair Your Computer" option on F8; the white screen remains)

-Unlocker utility found on the Kaspersky Rescue Disk

 

I've run scans with SuperAntiSpyware, Avast Anti-Virus, and MalwareBytes. They all removed several things, but this problem still occurs. 

 

I've also gone through the user account (as well as the Default and Public accounts) and removed various suspicious files (please, for the love of God trust that I know what to remove and what to keep) which were in the user directory and the AppData folder. 

 

I would back up data and wipe, but this is for a customer which has some estimating software installed which they cannot replace.

 

Has anyone else got any ideas? This is a Vista SP2 machine. 





#2 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,234 posts
  • Gender:Male
  • Location:The Antipodes

Posted 27 May 2013 - 07:39 PM

Dock the hard drive in a cradle. I had one of these recently, nasty things they are... Apparently some guys are making headway with the Hitman USB utility. Could try that if you don't have a cradle...

 

edit: you're lucky it's not all encrypted... makes it much easier.


Edited by TsVk!, 27 May 2013 - 07:41 PM.


#3 Glaring_Foil

Glaring_Foil
  • Topic Starter

  • Members
  • 6 posts

Posted 27 May 2013 - 08:10 PM

I tried to use Hitman while I had the drive docked, but it only seems to want to run a full system scan and won't let me scan specific drives or folders without buying the software. I'm going to attempt to do a scan with the USB kickstart thing. I didn't know how to do this because there's literally nothing anywhere explaining that the little icon of the guy kicking was the icon to click to create the USB. 

 

It's crazy how much this is frustrating me. Thank you for your help so far. 



#4 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,234 posts
  • Gender:Male
  • Location:The Antipodes

Posted 27 May 2013 - 08:48 PM

I can't really say more to be honest... I just chipped and chipped at it whilst it was docked, then finally gmer got the bulk of it out. Took ages though, pain in the ass.

 

I read somewhere these Ukash/MoneyPak viruses were Flash-dependent. If you think of a service to disable on boot that stops Flash (with a rescue disc), it will be unable to protect itself and easy to remove. Shouldn't be too hard.

 

edit: probably a system restore before virus removal, that'll open it I think, after the flash disable.


Edited by TsVk!, 27 May 2013 - 08:58 PM.


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 May 2013 - 10:16 PM

Have you looked at this?

Remove the FBI Anti-Piracy Warning MoneyPak Ransomware


#6 Glaring_Foil

Glaring_Foil
  • Topic Starter

  • Members
  • 6 posts

Posted 27 May 2013 - 11:20 PM

I looked through the link boopme provided, and I'm still prompted with the same issue that I encountered with all of the other guides I looked at: I cannot get into any variant of Safe Mode at all. Like I said before, I deal with this virus a lot. 100% of the virus infections customers bring into the place I work at have this virus at this point. I've removed countless variants of it plenty of times, some needing more work than others. For the most part, my procedure to remove any version of this virus is the following:

 

-Start Windows in Safe Mode with Command Prompt

-Run Kaspersky TDSS Killer (check the box to look for the TDS file system)

-Delete what is found (usually TDS file system), then restart in Safe Mode with Command Prompt again and re-run TDSS Killer

-Run ComboFix (Inspect the 3M report as well as the section where it shows what files were created in the past week)

-Run MalwareBytes and SuperAntiSpyware

 

I usually run MalwareBytes last and depending on how much/ what it finds, I'll look into other things. After this I'll go through and remove any browser add-ons and toolbars. 

 

I feel these procedures are pretty thorough (obviously someone needs to know what they're looking at with the ComboFix logs and what currently installed programs are actually legit), but I can't even start to do any of these things since I can't get into Safe Mode. 

 

After Vista restarted, and Startup Repair started doing its thing (over and over again), it was after 10PM and I was fed up. I've left notes and handed this off to whoever is working tomorrow. The customer needed a quick solution without wiping the hard drive, so I'm not sure what's going to happen with the laptop tomorrow. Since I feel this is a new (or at least rare variant) of this virus, I will attempt more repairs and post my progress as I go through it. 

 

I just noticed that I either forgot to hit the post button, or my post was deleted, but long story short, before I left work tonight I was left at Vista looping in Startup Repair (for a missing system file Hitman Pro had deleted due to it being infected) and I was attempting to simply drop the missing system files from a good working Vista installation into the directory where Hitman had deleted files, but due to my frustration, I decided to call it a night. 

 

If I still have the laptop when I return to work on Wednesday, I intend to update this. Otherwise, this thread can be deleted in a few days. 



#7 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,234 posts
  • Gender:Male
  • Location:The Antipodes

Posted 27 May 2013 - 11:50 PM

Didn't try the Hitman USB boot? I'd have tried Emsisoft, as seen in boopme's link, whilst it was docked, also... If it's sat there as a 'slave', try everything! Hit it.



#8 Clarke123

Clarke123

  • Members
  • 27 posts
  • Gender:Male
  • Location:Metro Atlanta

Posted 28 May 2013 - 11:08 AM

Similar situation here as well ... currently unresolved, as I (too) cannot get much past boot (via USB) into Windows (where Hitman has to run).

It appears that this version "may" not initiate in the boot record, but immediately thereafter (?)

I would like to know whether docking (then scanning on an uninfected machine) actually works?! These Dell laptops require a zillion screws to disassemble / reassemble ... all with blue Loctite!


Edited by Clarke123, 28 May 2013 - 11:17 AM.


#9 Glaring_Foil

Glaring_Foil
  • Topic Starter

  • Members
  • 6 posts

Posted 28 May 2013 - 11:36 AM

Didn't try the Hitman USB boot? I'd have tried Emsisoft, as seen in boopme's link, whilst it was docked, also... If it's sat there as a 'slave', try everything! Hit it.

 

As I said before, I did use the Hitman USB, but one of the infected files it removed was a system file. When I left it, Vista wasn't booting because of the missing file and it was stuck in a startup repair loop, attempting to replace the missing file with one from a shadow copy, but it wasn't working. I was about to simply copy the missing file from a working Vista machine, but I got frustrated and called it a night. 


Similar situation here as well ... currently unresolved, as I (too) cannot get much past boot (via USB) into Windows (where Hitman has to run).

It appears that this version "may" not initiate in the boot record, but immediately thereafter (?)

I would like to know whether docking (then scanning on an uninfected machine) actually works?! These Dell laptops require a zillion screws to disassemble / reassemble ... all with blue Loctite!

 

I docked the hard drive and removed several items using MalwareBytes, SuperAntiSpyware, and Avast Anti-Virus. I ran the Hitman USB software after I re-installed the drive back into the laptop, which found two more trojans that neither of the other scanners I used before found. My new issue is that the laptop will not boot because of missing system files, so I'm not sure if the laptop is still infected. 

 

I had to try different versions of Safe Mode in order for Hitman USB to work. Try them all. According to the guides for Hitman, the machine will boot, the malware might load, but you need to give it a minute or two before Hitman actually loads and starts working. Try starting in Safe Mode with Networking as it seemed to try to connect and download something when it loaded. 

 

I'm assuming you're working on an Inspiron N-Series of some kind if you have to completely disassemble the laptop to get at the hard drive. In situations like this where I might have to remove the hard drive a few times, I don't bother completely re-assembling the whole thing until I'm done. I usually install the hard drive, re-install the motherboard (not using screws), then use a few screws to attach the upper assembly back to the base. Then just plop on the palmrest and connect the ribbon cables. Again, not using any of the screws. Just be very careful. The best thing about those laptops (and most Dells) is that most (if not all) of the screws are exactly the same.

 

I'm not sure about the comment about the blue Loctite; you don't really need to replace that or anything.

 

I'll post more news about what's going on tomorrow when I return to work. 



#10 Clarke123

Clarke123

  • Members
  • 27 posts
  • Gender:Male
  • Location:Metro Atlanta

Posted 28 May 2013 - 01:46 PM

OK,

 

This seems to be the right direction! This version of the virus (on my machine) redirects Safe Mode ... here's a work-around:

 

http://www.tech-recipes.com/rx/38039/remove-latest-fbi-money-pack-virus-despite-safe-mode-forced-restart/

 

This did the trick for me ^^^^

 

 

BTW: I used "Control Panel" in Step 3 instead of "control.exe".


Edited by Clarke123, 28 May 2013 - 03:35 PM.


#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 May 2013 - 01:48 PM

If you cannot get it out start a new topic here and we will get it.

 

Preparation Guide
