
MoneyPack Ransomware Ultra Evil


7 replies to this topic

#1 NickPatMel1

  • Members
  • 10 posts

Posted 05 August 2013 - 09:18 PM

Hey Guys n Gals,

 

I got myself a pretty brutal MoneyPack infection. I have had them before and used safe mode, then safe mode with command prompt, and weaseled out of them. But this time is different. I can't use any safe modes including command prompt or it does an auto restart. Perplexed, I read around and saw the HitmanPro info, which looked like it was right up my alley. So I downloaded it and put it on a flash drive. The directions say to go to boot menu, which I did, and boot from flash drive, which I did. I am pretty sure this version of MoneyPack is actually blocking HitmanPro from loading up. Unbelievable. I don't know how to approach this one. Any other tricks or programs to shut this awful program down? God I hate it. If I could meet the anuses that created this I would tear their faces off with my bare hands... Any help is appreciated!

Running XP on a bleepty ol work laptop...


Edited by NickPatMel1, 05 August 2013 - 09:20 PM.




#2 GodfatherKing

  • Members
  • 587 posts
  • Gender:Male

Posted 06 August 2013 - 03:39 AM

:welcome:

 

One question: what OS is installed on the infected computer? XP, Vista, Seven, 8?

 

Let's try this strategy:

 

Disconnect the LAN cable so the infected machine has no internet. Then start up your infected machine. Is the ransomware still there?

 

  1. Restart your computer, and then press and hold F8 during the initial startup to start your computer in safe mode with a Command prompt.
    Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the “F8 key”, tap the “F8 key” continuously until you get the Advanced Boot Options screen.

  2. Use the arrow keys to select the Safe mode with a Command prompt option.

  3. In the command prompt enter explorer.exe

 

Do you now have access to your computer environment?  

 

===

 

Transfer the tools with a flash drive if necessary. 

 

===

 

:step1: Run Rkill http://www.bleepingcomputer.com/forums/t/308364/rkill-what-it-does-and-what-it-doesnt-a-brief-introduction-to-the-program/

 

       Note: Sometimes AVs think Rkill is infected; this isn't true, it's just a false positive. Just let it terminate the malware processes.

 

:step2: Provide the Rkill log.

 

:step3: Download Emsisoft Emergency Kit

  • Open EmsisoftEmergencyKit by  double-click Start.exe.
  • A new window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Deep Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply

 

:step4:  Install and run MBAM

:step5:   Running TDSSKiller to obtain log

 

Note: Don't cure or delete a threat, but choose skip for all instead.

  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters
  • In the Additional options: Check Detect TDLFS file system
  • Click Start Scan and allow the scan process to run
  • Choose Skip for all threats.
  • Click Continue
  • Please post the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)

===================================================


Edited by GodfatherKing, 06 August 2013 - 03:40 AM.

If you have received help from me and I haven't responded to you for >= 3 days, send me a Private Message.  :hello:


#3 NickPatMel1
  • Topic Starter

  • Members
  • 10 posts

Posted 06 August 2013 - 08:00 AM

Hey Godfather,

 

Thanks for the timely response. Well, it doesn't look good.  I cut the internet off to the machine and the safe modes all still auto restart.  I am, however, able to go into normal startup and have about 40 seconds to a minute of time to do stuff.  I was able to run rkill, but it didn't finish.  It went through some stuff then the DOJ thing locked my screen.  I was able to see it say that it found a ZeroRootAccess infection, which I know is bad news.  Anyway, do you have any advice from here?

 

Nick



#4 GodfatherKing

  • Members
  • 587 posts
  • Gender:Male

Posted 06 August 2013 - 08:04 AM

Try running Rkill again, and then run Rkill once more.

 

What you can try is this: Download Rkill again http://www.bleepingcomputer.com/download/rkill/

 

But this time try using the renamed version.

  • iExplore.exe Download Link <== Download this version of Rkill.

 

===

 

:step1: Read this topic: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

 

:step2: Post a new topic with the DDS-log if possible http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

 

:step3: A malware expert will help you there. 


Edited by GodfatherKing, 06 August 2013 - 08:05 AM.



#5 NickPatMel1
  • Topic Starter

  • Members
  • 10 posts

Posted 06 August 2013 - 08:08 AM

Whoa, thanks.  The first time I ran it, it created a log and I was able to send it to the flash drive, so here it is:

 

Rkill 2.5.9 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/06/2013 08:53:08 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Documents and Settings\nmeloni\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe (PID: 1252) [UP-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\Documents and Settings\nmeloni\Local Settings\Application Data\{c635a07e-614d-8a45-ab2a-daca55b462fb}\ [ZA Dir]
     * C:\Documents and Settings\nmeloni\Local Settings\Application Data\{c635a07e-614d-8a45-ab2a-daca55b462fb}\@ [ZA File]
     * C:\Documents and Settings\nmeloni\Local Settings\Application Data\{c635a07e-614d-8a45-ab2a-daca55b462fb}\L\ [ZA Dir]
     * C:\Documents and Settings\nmeloni\Local Settings\Application Data\{c635a07e-614d-8a45-ab2a-daca55b462fb}\U\ [ZA Dir]
     * C:\WINDOWS\Installer\{c635a07e-614d-8a45-ab2a-daca55b462fb}\ [ZA Dir]
     * C:\WINDOWS\Installer\{c635a07e-614d-8a45-ab2a-daca55b462fb}\L\ [ZA Dir]
     * C:\WINDOWS\Installer\{c635a07e-614d-8a45-ab2a-daca55b462fb}\U\ [ZA Dir]

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 08/06/2013 08:54:52 AM
Execution time: 0 hours(s), 1 minute(s), and 43 seconds(s)

 

 

 

Thanks!
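
The Rkill log above flags the on-disk layout that the next reply treats as ZeroAccess: a {GUID}-named directory under the user's Application Data and another under C:\WINDOWS\Installer, with an "@" file and "L" and "U" subdirectories inside. The following Python script is an added example, not part of this thread and not Rkill's own code. It parses the "[ZA Dir]" and "[ZA File]" lines from a constructed excerpt of that log and groups them by GUID directory, so a responder can see at a glance which locations show the full layout and which only part of it. The line format and the "ZA" tags are taken from the log as posted; treating "@", "L" and "U" together as the complete layout is an assumption of the example, not something Rkill states.

```python
import re

# Constructed excerpt of an Rkill log. The flagged paths are the ones reported
# in the log posted above; the rest of the real log is omitted.
SAMPLE_LOG = r"""
Performing miscellaneous checks:

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\Documents and Settings\nmeloni\Local Settings\Application Data\{c635a07e-614d-8a45-ab2a-daca55b462fb}\ [ZA Dir]
     * C:\Documents and Settings\nmeloni\Local Settings\Application Data\{c635a07e-614d-8a45-ab2a-daca55b462fb}\@ [ZA File]
     * C:\Documents and Settings\nmeloni\Local Settings\Application Data\{c635a07e-614d-8a45-ab2a-daca55b462fb}\L\ [ZA Dir]
     * C:\Documents and Settings\nmeloni\Local Settings\Application Data\{c635a07e-614d-8a45-ab2a-daca55b462fb}\U\ [ZA Dir]
     * C:\WINDOWS\Installer\{c635a07e-614d-8a45-ab2a-daca55b462fb}\ [ZA Dir]
     * C:\WINDOWS\Installer\{c635a07e-614d-8a45-ab2a-daca55b462fb}\L\ [ZA Dir]
     * C:\WINDOWS\Installer\{c635a07e-614d-8a45-ab2a-daca55b462fb}\U\ [ZA Dir]

Checking Windows Service Integrity:

 * No issues found.
"""

# One flagged entry looks like "     * <path> [ZA Dir]" or "... [ZA File]".
ZA_LINE = re.compile(r"^\s*\*\s+(?P<path>.+?)\s+\[ZA (?P<kind>Dir|File)\]\s*$")
# A braced GUID path component, e.g. {c635a07e-614d-8a45-ab2a-daca55b462fb}
GUID_DIR = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")

# Assumption of this example: the three members Rkill listed under the
# per-user GUID directory are taken as the "complete" layout.
EXPECTED_MARKERS = {"@", "L", "U"}


def parse_za_entries(log_text):
    """Return (path, kind) for every line Rkill tagged [ZA Dir] or [ZA File]."""
    entries = []
    for line in log_text.splitlines():
        m = ZA_LINE.match(line)
        if m:
            entries.append((m.group("path"), m.group("kind")))
    return entries


def group_by_guid_root(entries):
    """Group flagged paths by their {GUID} directory.

    Returns {root_path: set_of_markers}, where a marker is the path component
    directly under the GUID directory ("@", "L", "U") or "" for the root
    itself. Paths without a GUID component are ignored.
    """
    groups = {}
    for path, _kind in entries:
        m = GUID_DIR.search(path)
        if not m:
            continue
        root = path[: m.end()]
        rest = path[m.end():].strip("\\")
        marker = rest.split("\\")[0] if rest else ""
        groups.setdefault(root, set()).add(marker)
    return groups


def classify(groups):
    """For each GUID root, report which of the expected markers were flagged.

    "complete" means all of "@", "L" and "U" were seen; "partial" means only
    some of them were, which is still worth a look but is weaker evidence.
    """
    result = {}
    for root, markers in groups.items():
        seen = sorted(markers & EXPECTED_MARKERS)
        status = "complete" if set(seen) == EXPECTED_MARKERS else "partial"
        result[root] = (status, seen)
    return result


def summarize_rkill_log(log_text):
    """End-to-end: log text -> {guid_root: (status, sorted_markers)}."""
    return classify(group_by_guid_root(parse_za_entries(log_text)))


if __name__ == "__main__":
    for root, (status, seen) in summarize_rkill_log(SAMPLE_LOG).items():
        print(f"{status:8s} {root}  markers={seen}")
```

Run as-is it reports the per-user GUID directory as "complete" (@, L, U all flagged) and the C:\WINDOWS\Installer copy as "partial" (only L and U), which matches what Rkill printed above; pointing it at a saved Rkill log instead of SAMPLE_LOG needs no other change.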



#6 GodfatherKing

  • Members
  • 587 posts
  • Gender:Male

Posted 06 August 2013 - 08:11 AM

:step1: Backdoor/Rootkit warning: ZeroAccess

 

This computer is infected with a rootkit called ZeroAccess. You will need to change all passwords after this, and take care not to do any home banking. Don't use the machine now for anything other than malware removal.

 

== 

 

If you're able to run the tools (MBAM and TDSSKiller), try it out.




#7 NickPatMel1
  • Topic Starter

  • Members
  • 10 posts

Posted 06 August 2013 - 08:23 AM

Hey Godfather,

 

The repeated attempts with Rkill are unsuccessful. Also, downloaded the modified explorer.exe Rkill and that didn't work either. Same issue. So should I do the DDS log and post in the other forum, or am I not going to be able to run it with this dumb Ransomware?



#8 GodfatherKing

  • Members
  • 587 posts
  • Gender:Male

Posted 06 August 2013 - 09:16 AM

Yes, try it. If it doesn't succeed, explain the issue in that topic; they have other tools available.





