
All files in My Documents corrupt after FBI Moneypak malware

3 replies to this topic

#1 zarudert

Posted 12 November 2013 - 06:51 PM

Hello. Hopefully, I am posting this in the appropriate forum.

 

I've been attempting to help a friend with some malware issues. Basically, he had the FBI Moneypak bit that runs fullscreen and won't let you do much of anything. This is on a system running Vista Ultimate SP2. The problem is no longer the malware, as I've reloaded the OS and restored his data. The problem is that most of his user-created data files appear to be corrupt somehow. Here are some brief details on what I've already done:

 

1. Removed the hard drive from his system, installed it in another system as a secondary drive (I have one of those USB adapters that lets you connect an internal hard drive to a USB port), and ran Malwarebytes from there on it. I actually still have that Malwarebytes log and can post it if anyone is curious, but the only thing it found was this:

G:\Users\Owner\AppData\Local\Temp\hevns\hevns.dll (Trojan.Tracur.s) -> Quarantined and deleted successfully.

 

2. Put drive back in his system, verified that it at least boots and seems to get to his desktop without the ugly FBI window taking over.

3. Backed up all his data that I could find (Documents, IE Favorites, various files he had scattered around his desktop, etc) to an external USB drive. Also ran a quick Belarc Advisor profile and saved that.

4. Installed a new hard drive (he had a bigger one that he'd been wanting to use as his main boot drive) and installed Vista on that drive. Copied his data to the appropriate locations (My Documents, etc).

 

Problem is, when you attempt to open pretty much any file that's located in the Documents folder, it fails. All give various different error messages that basically say the file is corrupt and can't be opened. There is a big mix of various different file types from Word/Excel/PowerPoint files to PDF files to .mpeg videos that open with QuickTime, and they won't open. Some other facts:

 

- This only seems to be happening with stuff in the My Documents folder. He had various folders and files scattered around on his Desktop, and I can still open all of those fine.

- Some .txt files in My Documents seem to open and display their contents okay, but out of like 2000 various file types, a few txt files seem to be the only ones that open.

- I've attempted to open the problem files from a couple of other systems and get the same thing.

- I have done quite a bit of Google searching and found a tool called decrypt_mdlblock.exe that is supposed to help if the files were actually encrypted in some way, but it didn't find any problems.

 

I apologize for the lengthy post but didn't want to leave out anything. Has anyone seen anything similar or maybe have some ideas on how to regain access to those files? Apparently, his habits of running backups weren't the greatest (I imagine that's going to change from here on), so restoring from backup won't be an option. I do still have his original hard drive in an unaltered state and haven't reformatted it yet, if that could potentially help anything. I have a feeling those files are probably history, but I'm just curious if there's any hope for him at all. As mentioned above, he had quite a lot of stuff (around 2000 files) in that My Documents folder.


Edited by zarudert, 12 November 2013 - 06:53 PM.



#2 zarudert

  • Topic Starter

Posted 21 November 2013 - 03:43 PM

Never mind on this. I've determined that his files are likely gone. Sucks, but the one good thing to come out of it is that he'll probably get in the habit of doing at least occasional backups now.

 

I at first thought this was just the FBI Moneypak malware, but after doing some research and checking some registry keys (on the old hard drive from a different system, through LoadHive), I've determined that he must've also had a CryptoLocker infection. He had the deal with the fullscreen FBI Moneypak logo on the system, but there are also CryptoLocker registry keys that show the list of encrypted files, the public key, etc. So apparently, somehow, he must've got hit with both.

 

Anyway, if any mods/admins want to go ahead and lock this thread, feel free. I initially didn't realize that this was a CryptoLocker infection, and after reading up more on CryptoLocker, I've realized that he's pretty much hosed without a proper backup. Plus, there are already enough topics out there about CryptoLocker anyway.


Edited by zarudert, 21 November 2013 - 03:44 PM.
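The question the poster was stuck on, whether the files fail to open because they are damaged or because they have been encrypted, can be answered offline from the backed-up copy without any of the original tools. The script below is an added example, not code from this thread or from any product mentioned in it. It assumes, as the poster reports, that the files keep their original names and extensions, and it uses two labelled heuristics: the magic number expected for each extension, and the Shannon entropy of the first 4 KiB. Ciphertext has no recognisable header and entropy close to 8 bits per byte; a zero-filled or truncated file has neither the header nor the entropy. The sample directory it builds is constructed for the demonstration.

```python
"""Triage 'corrupt' files after a ransomware incident: damage, or ciphertext?

Added example, not code from the forum thread. Assumes the files keep their
original names and extensions and merely fail to open, as the poster describes.
"""
import math
import os
import tempfile
from collections import Counter

# Signatures for the file types the poster lists (assumption: Office 2007+
# zip containers, legacy OLE2 Office files, PDF, MPEG program streams).
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".ppt": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF",
    ".mpeg": b"\x00\x00\x01\xba", ".mpg": b"\x00\x00\x01\xba",
}
SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off, random bytes score ~7.95


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str) -> str:
    """Return 'ok', 'likely-encrypted', 'corrupt' or 'unknown-type'."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    magic = MAGIC.get(ext)
    if magic is not None and head.startswith(magic):
        return "ok"
    if ext == ".txt" and head:
        # Text has no magic number: accept it if it is almost all printable.
        printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
        if printable / len(head) > 0.95:
            return "ok"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    if magic is None and ext != ".txt":
        return "unknown-type"  # no signature to judge against
    return "corrupt"


def triage(root: str) -> dict:
    """Classify every file under root; keys are paths relative to root."""
    verdicts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            verdicts[rel] = classify(full)
    return verdicts


def build_sample_dir() -> str:
    """Constructed test data standing in for the friend's Documents folder."""
    root = tempfile.mkdtemp(prefix="triage_")
    files = {
        "notes.txt": b"Grocery list\nmilk, eggs, bread\n" * 40,
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n" + b"x" * 100,
        "budget.xlsx": os.urandom(SAMPLE_BYTES),   # stands in for ciphertext
        "resume.docx": os.urandom(SAMPLE_BYTES),   # stands in for ciphertext
        "old.doc": b"\x00" * 2048,                  # zero-filled: plain damage
        "holiday.mpeg": b"\x00\x00\x01\xba" + b"\x47" * 300,
        "data.xyz": b"hello world\n" * 10,          # extension without a signature
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, verdict in sorted(triage(build_sample_dir()).items()):
        print(f"{verdict:17} {rel}")
```

Run it against the backed-up Documents folder by calling `triage()` on that path instead of `build_sample_dir()`. A folder where almost everything comes back `likely-encrypted` while the few surviving `.txt` files are `ok` is the pattern the poster describes; a folder full of `corrupt` verdicts would point at disk or copy damage instead. Zip-based Office files legitimately have high-entropy bodies, which is why the signature check runs before the entropy check.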


#3 Chuck Devlin


Posted 21 November 2013 - 03:58 PM

A couple of thoughts. I think you said the operating system is Vista. If so, once you get rid of the viruses you can use shadow files to hopefully recover your data from the shadow's point in time. Try several malware removal tools within Safe Mode with Networking. Use Malwarebytes quick and then full scan. Try SUPERAntiSpyware, and possibly Spybot Search & Destroy. Also try downloading HitmanPro and run it. They are all free.

 

Now download Shadow Explorer and run it. Pick your C drive, then which shadow version you want by a given date prior to the infection. I have Vista and Shadow Explorer showed 2 months of shadow files available. I picked User Folder, then picked a version - it took a while and I "exported" it to my desktop. When complete I looked at the files / folders within User Folder - all data was there from that point in time. Thus if I had been infected by Cryptolocker I could have recovered my data from that point in time. Shadow Explorer is a free downloadable utility. You right click on the desired folder, then "export" to wherever.

 

This should work - just make sure machine is clean of viruses / malware.

 

Vista Ultimate may support "prior version" with a right click on a folder. I have Vista Home Premium, and that does not have "prior version" as a folder option with a right click. If you do, then you can use either one.

 

Hope this helps - good luck.



#4 quietman7

  • Global Moderator

Posted 21 November 2013 - 09:55 PM

Yes, some victims of crypto malware infection have reported success recovering data using Windows Previous Versions or Shadow Explorer if system restore was enabled (turned on). However, newer variants have been reported to erase all shadow copies as part of its routine.
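Because newer variants wipe the shadow copies before anyone gets to Shadow Explorer, the events worth alerting on are the commands that do the wiping. The script below is an added example, not code from this thread. Its input is a constructed tab-separated process-creation log (timestamp, user, image path, command line), and the command-line patterns it matches are commonly used shadow-copy and backup-catalog deletion commands drawn from general knowledge rather than from anything this thread reports about the poster's system.

```python
"""Flag process-creation events that destroy Volume Shadow Copies.

Added example, not from the forum thread. Log format and sample events are
constructed; the rules are general shadow-copy wiping patterns, not something
observed on the poster's machine.
"""
import re

# Each rule: a case-insensitive regex over the command line, and a label.
SHADOW_WIPE_RULES = [
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
     "vssadmin delete shadows"),
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=", re.I),
     "vssadmin resize shadowstorage (starves storage so copies are purged)"),
    (re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
     "wmic shadowcopy delete"),
    (re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I),
     "wbadmin delete backup catalog"),
    (re.compile(r"Win32_ShadowCopy\b.*\.Delete\(\)", re.I),
     "PowerShell/WMI Win32_ShadowCopy delete"),
]


def parse_event(line: str) -> dict:
    """Split one constructed log line into its four tab-separated fields."""
    ts, user, image, cmdline = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "user": user, "image": image, "cmdline": cmdline}


def match_rules(cmdline: str) -> list:
    """Return the labels of every rule the command line triggers."""
    return [label for rx, label in SHADOW_WIPE_RULES if rx.search(cmdline)]


def scan(lines) -> list:
    """Return (event, labels) for each event that matches at least one rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        labels = match_rules(ev["cmdline"])
        if labels:
            hits.append((ev, labels))
    return hits


# Constructed sample events: a benign listing, four wipes, a benign backup.
SAMPLE_LOG = [
    "2013-11-10T21:03:11\tOwner\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin list shadows",
    "2013-11-10T21:03:12\tOwner\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin.exe Delete Shadows /All /Quiet",
    "2013-11-10T21:03:13\tOwner\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic shadowcopy delete",
    "2013-11-10T21:03:14\tOwner\tC:\\Windows\\System32\\wbadmin.exe\twbadmin delete catalog -quiet",
    "2013-11-10T21:03:15\tOwner\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\"",
    "2013-11-10T21:04:00\tOwner\tC:\\Windows\\System32\\wbadmin.exe\twbadmin start backup -backupTarget:E: -include:C:",
]


def demo() -> list:
    """Compact view of the hits in SAMPLE_LOG: (timestamp, image name, labels)."""
    return [(ev["ts"], ev["image"].rsplit("\\", 1)[-1], labels) for ev, labels in scan(SAMPLE_LOG)]


if __name__ == "__main__":
    for ts, image, labels in demo():
        print(ts, image, "->", "; ".join(labels))
```

The rules deliberately key on the command line rather than the image name, because the same binaries are used legitimately (`vssadmin list shadows`, `wbadmin start backup`) and an attacker can copy or rename them. A user-context process issuing any of these within seconds of a burst of file rewrites is the point at which the shadow copies Chuck describes stop being a recovery option.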


 

