
new FBI/DOJ moneypak variant


No replies to this topic

#1 spameaterz


Posted 12 August 2014 - 04:09 PM

User winblows posted elsewhere about it... it seems to work like the previous ones, but no AV software is catching/killing it yet (I updated my tools this morning!).

I found that Safe Mode with Command Prompt would let me IN, but as soon as I tried to run anything, the ruddy DOJ screen would blow up and freeze the machine.... but I could Ctrl-Alt-Del and log out, then log back in and get the command prompt again.

After much searching and cursing, I ran Farbar from Recovery Mode and noticed that the user32.dll in SYSWOW64 wasn't passing hash checks (the same as in his post)... so I hit that directory and noticed that there was a second file, user32.ini, which was ALMOST the same size (and mighty frick'n huge for an INI file); I'm guessing the virus made a backup there before patching itself into user32.dll.

I renamed user32.dll to user32.bad and copied user32.ini to user32.dll, then ran SFC /scannow /frombootdir=c: /fromwindir=c:\windows and let it do its thing. When it finished, I rebooted into Safe Mode with Command Prompt, and NOW I can run my scanning tools (running right now, in fact). When they get done, I'll boot into normal mode and see what happens :)

Hope this helps someone else out there!!
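A defender's check for the condition described in this post, as an added example that is not from the original poster: it reads the Authenticode signature, size and SHA-256 of user32.dll in both System32 and SysWOW64 and flags an oversized user32.ini sitting beside either copy. It assumes PowerShell 4.0 or later (for Get-FileHash) run from an elevated prompt on the affected machine.

```powershell
# Added example, not from the original post. Checks the two user32.dll copies
# the poster mentions and looks for the user32.ini found beside the SysWOW64 one.
# Assumes PowerShell 4.0+ (Get-FileHash) in an elevated session.
$targets = @(
    (Join-Path $env:SystemRoot 'System32\user32.dll'),
    (Join-Path $env:SystemRoot 'SysWOW64\user32.dll')
)

foreach ($dll in $targets) {
    if (-not (Test-Path -LiteralPath $dll)) { continue }

    $item = Get-Item -LiteralPath $dll
    $sig  = Get-AuthenticodeSignature -FilePath $dll
    $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash

    Write-Output $dll
    Write-Output ("  size:       {0:N0} bytes" -f $item.Length)
    Write-Output ("  sha256:     {0}" -f $hash)
    Write-Output ("  signature:  {0}" -f $sig.Status)

    # Windows 7 signs system files through catalogs, and this cmdlet may report
    # NotSigned there even for a clean file; confirm with 'sfc /verifyonly'.
    if ($sig.Status -ne 'Valid') {
        Write-Warning ("{0}: signature status is {1}" -f $dll, $sig.Status)
    }

    # A genuine INI file is a few KB at most. One close to the DLL's own size
    # beside it matches what the poster found and deserves a closer look.
    $ini = [IO.Path]::ChangeExtension($dll, '.ini')
    if (Test-Path -LiteralPath $ini) {
        $iniLen = (Get-Item -LiteralPath $ini).Length
        $ratio  = $iniLen / $item.Length
        if ($ratio -gt 0.5) {
            Write-Warning ("{0} is {1:N0} bytes ({2:P0} of the DLL size)" -f $ini, $iniLen, $ratio)
        } else {
            Write-Output ("  note: {0} present ({1:N0} bytes)" -f $ini, $iniLen)
        }
    }
}
```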


