Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need help removing moneypak virus


  • This topic is locked This topic is locked
7 replies to this topic

#1 pulpfictionado

pulpfictionado

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North East USA
  • Local time:06:42 PM

Posted 18 June 2014 - 01:59 PM

Hi all. I'm at my wits end. I have a computer with the moneypak virus. Safemode, safemode with networking, and command prompt all reboot before I can reach the desktop. I tried all three options for hitman pro's kickstart. It seems to find the trojan (something to do with user32.dll) but after a reboot the virus just comes back. I also tried using a windows install cd but every time I start recovery console, it reboots the computer. 

 

The system is running windows XP Pro. I'd really like not having to wipe and re-install if at all possible.

 

Thanks for looking.

 

 



BC AdBot (Login to Remove)

 


#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:42 PM

Posted 18 June 2014 - 02:32 PM

Greetings and :welcome: to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Lets get going now :thumbup2:

==========================
 
Hi pulpfictionado,
 
Do you have a windows CD for your version of windows?
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 pulpfictionado

pulpfictionado
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North East USA
  • Local time:06:42 PM

Posted 19 June 2014 - 05:16 AM

Thanks for responding. Yes I do.

#4 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:42 PM

Posted 19 June 2014 - 07:46 AM

Hi pulpfictionado,
 
Okay good, let's try this.
 
Need the following:
1. clean computer with a CD Burner
2. Windows XP CD
3. blank CD
4. USB pen drive
 
Please follow the steps below. If you are unable to create the UBCD4WIN, please provide any error messages, and/or what step you cannot follow.
 
 
Phase I - Creating the ISO file
 
1. Please select a mirror and download the Ultimate Boot CD for Windows to the Desktop

  • Double-Click on the UBCD4Win.exe file downloaded to the Desktop.
  • Follow all of its instructions/prompts

Note: Do not install to a folder with spaces in it's name. It is best to use the default name C:\UBCD4Win
Note: Your Anti-Virus may report viruses or trojans when you extract UBCD4Win. These are False-Positives.
Read here for information regarding the files that normally trigger AV software.

  • At the very end, uncheck: Run UBCD4WinBuilder.exe when installation is complete
  • Click: Finish

2. Insert your XP CD with SP1/SP2/SP3 into a CD ROM drive

  • Open My Computer, and navigate to: C:\ubcd4win
  • Double-click on UBCD4WinBuilder.exe
  • Click I Agree to the UBCD4Win PE Builder License
  • Select No when prompted to Search for Windows installation files
  • For Source: click on the ellipsis (...), then click on the drive with your Windows XP CD, press OK
  • For Custom: no information is necessary, leave blank
  • For Output: keep the default BartPE
  • For Media output select Create ISO image: (enter filename)

Note: Leave the default file name and path as well (C:\UBCD4Win\UBCD4WinBuilder.iso). If you change it make sure it is
 a folder without spaces in the name.

  • Note: If your XP install disc is SP1 then please click the Plugins button and modify the following options:

Click on each option, then click Enable/Disable so the correct value is displayed.
 
Disabled - !Critical: DComLaunch Service [Building with XP SP1-DISABLE]
Enabled - !Critical: LargeIDE Fix (KB331958) [Building with XP SP1-ENABLE]

3. Click on the Build button.

  • When you see the Windows EULA message. Click on I Agree
  • At the Build Screen, let it run its course.
  • When the Build is finished, click close, then exit.

4. Burn your ISO file to CD

Phase II - Downloading Farbar's Recovery Scan Tool (FRST)
 
From the clean computer, download Farbar Recovery Scan Tool and save it to the USB pen drive.
 
Note: You need the 32-bit version to run with UBCD4Win
 
Now, plug the USB pen drive back into the ransomed computer and move on to the next step.
 
 
Phase III - Booting to the UBCD4Win CD
 
Restart the ransomed Computer Using the UBCD4Win disc created.

  • Insert the UBCD4Win disc into a CD/DVD drive
  • Restart the computer. It should boot from the UBCD4Win CD automatically
  • If it doesn't, and you are asked if you want to boot from CD, then, select that option

Note: Information on booting from CD > here

  • In the window that appears select Launch The Ultimate Boot CD For Windows, and press: Enter
  • It may take a longer for the Desktop to appear than it does when you start the computer normally, but, just let the process run itself until the Desktop appears
  • Once the Desktop appears, a message appers asking: Do you want to start Network support?, click Yes
  • You should now have a Desktop that looks like this:

Main.jpg
 
 
 
 
Phase IV - Running the FRST scan

  • Single-click My computer from the UBCD4Win Desktop, and navigate to the Farbar Recovery Scan Tool (FRST.exe) saved to the pen drive.
  • Double-click on FRST.exe to begin running the tool
  • When the tool opens click Yes to disclaimer

Note: If prompted to download the latest version, please do so from the link in Phase II

  • Click on the Scan button
  • When done scanning, the tool makes a log, FRST.txt on the pen drive. You can now close the pen drive, and safely remove it.
  • Insert the USB pen drive into your clean computer, and post the FRST.txt in your reply.

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • FRST.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#5 pulpfictionado

pulpfictionado
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North East USA
  • Local time:06:42 PM

Posted 19 June 2014 - 09:30 AM

Hi Toffee. Last night before I went to bed (before i saw your reply, I ran Kasperky's rescue disk. It found a couple rouge dll files. Once I rebooted, the virus wasn't there. (or at least i can see my desktop now) Should i still run FRST at this point or is there another tool you would like me to run?



#6 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:42 PM

Posted 19 June 2014 - 09:33 AM

Hi pulpfictionado,
 
Lets run FRST in normal mode instead to check whether everything malicious.
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • FRST.txt
  • Addition.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#7 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:42 PM

Posted 25 June 2014 - 01:26 PM

Hi pulpfictionado,
 
This is a 3 day bump:
 
It has been more than 3 days since my last post.

  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#8 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:42 PM

Posted 29 June 2014 - 01:40 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users