New FBI/MoneyPak virus?


5 replies to this topic

#1 schwartzm
  • Members
  • 5 posts

Posted 15 August 2014 - 02:21 PM

I have a coworker trying to remove the usual FBI/MoneyPak virus. He has used Hitman Pro Bootable (which didn't even load before the MoneyPak popped up), has used Kaspersky Rescue Disc (which usually kills it when we have Hitman issues), and has put it on a different PC as a secondary drive and run MBAM and Emsisoft. He has checked our known locations for the virus manually as well. MBAM and Emsisoft came back with 0 infections, with updated definitions.

Any ideas?

edit - safe modes haven't worked either.


Edited by schwartzm, 15 August 2014 - 02:23 PM.



#2 schwartzm
  • Topic Starter
  • Members
  • 5 posts

Posted 15 August 2014 - 03:50 PM

We took care of it.

In short: ran FRST, found MD5 wasn't legit for user32.dll.

A little research showed some moneypak variants don't run an .exe and instead infect user32.dll.

Replaced user32.dll.



#3 dadguy
  • Members
  • 2 posts

Posted 08 September 2014 - 10:17 AM

I also had this FBI Moneypak virus. I work in the PC service industry, so I have removed this virus from many customer PCs. However, this NEW version was a real bugger to remove. In the interest of helping others, I offer the following:

1. This new version of the virus blocks Safe Mode and Safe Mode With Networking. Safe Mode command prompt works unless you attempt to run any program from the DOS prompt that causes the Explorer shell to open, then it locks you again. If I had known where the new virus version stores the infected file, I could have fixed it from there (it used to be in either %appdata%\Roaming or C:\Program Data).

2. On Sept 4th I updated the Hitman Pro Kickstarter USB drive that I own and ran it. IT DID NOT FIND OR DETECT THE VIRUS.

3. On Sept 7th I updated the Hitman Pro Kickstarter USB drive, and a new update was loaded. This time it detected the file that was infected. So it seems that the Hitman people had learned how to fight this virus by then and they updated their software (whew).

4. As the member above stated, the infected file was C:\Windows\SYSWOW\user32.dll. For those of you that are having trouble fixing this virus, it is possible to simply copy the user32.dll from another Windows 7 (in my case) PC and copy it over the infected user32.dll from the Safe Mode command prompt (make sure you match the version of the file - either 32 bit or 64 bit).

Hope this helps!


Edited by dadguy, 08 September 2014 - 10:17 AM.
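Added example, not code from either poster: a PowerShell check that does what posts #2 and #3 describe by hand. It hashes every user32.dll copy on the (possibly offline) Windows install, compares each hash with one taken from a clean PC of the same build, and reads the PE header so that a replacement copied from another machine can be verified for the right bitness before it is dropped over the infected file. The baseline hashes, the D:\Windows path and the function names are assumptions for illustration; SHA256 is used here in place of the MD5 that FRST reported.

```powershell
# Added example (not from the thread). Verifies the on-disk user32.dll copies:
# hash each one, compare with a hash from a clean PC with the same Windows build,
# and read the PE header so a replacement copied from another machine can be
# checked for the right bitness. ASSUMPTIONS: the baseline hashes below are
# placeholders you fill in yourself; SHA256 instead of the MD5 FRST reported.
# Written to run under PowerShell 2.0 (Windows 7) and later.

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $fs.Close()
        $sha.Clear()
    }
}

function Get-PeMachine {
    # IMAGE_FILE_HEADER.Machine sits 4 bytes past the "PE\0\0" signature,
    # whose file offset is stored at 0x3C in the DOS header.
    param([string]$Path)
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014c  { 'x86' }                              # IMAGE_FILE_MACHINE_I386
        0x8664  { 'x64' }                              # IMAGE_FILE_MACHINE_AMD64
        default { 'unknown(0x{0:x4})' -f $machine }
    }
}

function Test-User32 {
    param(
        # Point this at D:\Windows when the infected disk is attached to a clean PC as a secondary drive.
        [string]$WindowsDir = $env:SystemRoot,
        # 'System32' / 'SysWOW64' -> SHA256 hex string from a clean machine with the same build and patch level.
        [hashtable]$KnownGood = @{}
    )
    $is64 = Test-Path (Join-Path $WindowsDir 'SysWOW64')   # 64-bit Windows carries both copies
    foreach ($sub in 'System32', 'SysWOW64') {
        $path = Join-Path $WindowsDir "$sub\user32.dll"
        if (-not (Test-Path $path)) { continue }            # no SysWOW64 on 32-bit Windows
        $hash = Get-Sha256Hex $path
        $arch = Get-PeMachine $path
        # On x64 Windows the System32 copy must be a 64-bit image and the SysWOW64 copy a 32-bit one.
        $expect = if ($sub -eq 'SysWOW64' -or -not $is64) { 'x86' } else { 'x64' }
        if (-not $KnownGood.ContainsKey($sub)) { $status = 'NO-BASELINE' }
        elseif ($KnownGood[$sub] -ieq $hash)   { $status = 'OK' }
        else                                   { $status = 'HASH-MISMATCH' }
        if ($arch -ne $expect) { $status += ' WRONG-BITNESS' }
        New-Object PSObject -Property @{
            File         = $path
            Version      = (Get-Item $path).VersionInfo.FileVersion   # informational only; trivially faked
            Arch         = $arch
            ExpectedArch = $expect
            Sha256       = $hash
            Status       = $status
        }
    }
}

# Usage: fill the baseline from a clean PC of the same build first, e.g.
#   Get-Sha256Hex "$env:SystemRoot\System32\user32.dll"
$baseline = @{
    'System32' = 'PUT-CLEAN-MACHINE-SHA256-HERE'   # placeholder, not a real hash
    'SysWOW64' = 'PUT-CLEAN-MACHINE-SHA256-HERE'   # placeholder, not a real hash
}
Test-User32 -WindowsDir 'D:\Windows' -KnownGood $baseline |
    Select-Object File, Version, Arch, ExpectedArch, Status, Sha256 |
    Format-List
```

Run Get-PeMachine against the replacement copy too before overwriting anything, since a 32-bit user32.dll dropped into System32 on x64 Windows will stop the machine from booting. The file version string is printed only for orientation; a tampered DLL can carry the original version resource, so the hash comparison is the result that counts. Windows' own integrity check can be run against the offline install as well (sfc /scannow /offbootdir=D:\ /offwindir=D:\Windows from a recovery environment) and will restore a modified user32.dll from the component store when a clean copy is available there.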


#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,287 posts
  • Location:Virginia, USA

Posted 08 September 2014 - 05:55 PM

Grinler (aka Lawrence Abrams), the site owner of Bleeping Computer created this guide for dealing with some types of the infection using HitmanPro to create a HitmanPro kickstart USB drive: Your computer has been locked Ransomware Removal Guide
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 dadguy
  • Members
  • 2 posts

Posted 08 September 2014 - 07:34 PM

Nice!

My comments are worth considering since FBI Moneypak is evolving and his guide is over a year old. Like I mentioned, when it started around 2011, the infected files were in the %appdata% folders, then later they moved to the Program Data folders, and now they have a variant that replaces the C:\Windows\SYSWOW\user32.dll file (a file needed for Windows to operate). He may want to update the last section which discusses what files are affected commonly, and where they are located. Even Hitman-Pro didn't know about this latest location until this past weekend.

 

Cheers.


Edited by dadguy, 08 September 2014 - 07:35 PM.


#6 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,287 posts
  • Location:Virginia, USA

Posted 08 September 2014 - 07:46 PM

We appreciate your comments and those of schwartzm as they may help other victims looking for solutions.

I posted the BC Removal Guide and HitmanPro.Kickstart links in case others reading this topic need them.



