Infected with FBI Moneypak virus or similar and can't start computer in safe mode


42 replies to this topic

#1 ssjphd (Members, 24 posts)

Posted 13 September 2014 - 03:59 PM

Windows XP Pro Service Pack 3. Browser hijacked by the virus. I turned off the computer and could not restart. It continues to cycle through the Windows start-up screen, then goes blank, then short timed screens of unintelligible (to me) white letters on a black screen, blue letters on a black screen saying something about corrupt file(s), etc.

 

I created a HitmanPro boot flash drive. It would only let me make a 64-bit version on my laptop, and I think my tower that has the virus is a 32-bit system. I can get to the boot screen, and I get a message that HitmanPro is booting the computer, but it just goes back to the "Start in safe mode" screen. No matter which option I choose, the screen freezes. If I hit the Alt, Ctrl, Delete sequence, it goes back to the boot screen.

 

I do not have a boot disk.

 

Please help.


Edited by hamluis, 13 September 2014 - 04:07 PM.
Moved from Win 7 to Am I Infected - Hamluis..



#2 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,054 posts, Location: The Arctic Circle)

Posted 14 September 2014 - 12:47 PM

Hi ssjphd,
 
Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe and http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer

  • Insert your USB drive
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    user32.*

  • Press Enter
  • If successful, the script will search for this file.
  • After it has finished a report will be located in the USB drive as filefind.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#3 ssjphd (Topic Starter, Members, 24 posts)

Posted 16 September 2014 - 06:12 AM

Hello again, xXToffeeXx,

 

Great, and thank you. I went through all the instructions and ended with the filefind.txt file on my infected computer in xPUD.

I am having a fair amount of trouble navigating the site, but at least I found my way here for now. Here is my next question:

What should I do next? Take out the flash drive and try rebooting the infected computer? Did what I did remove the virus or just get me back where I can boot the computer? Sorry, but I don't know the result of completing your instructions. Please help some more.

 

The flash drive is back in the clean computer.

Thanks again.

ssjphd



#4 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,054 posts)

Posted 16 September 2014 - 01:52 PM

Hi ssjphd,

 

No, we haven't fixed anything yet, this is just to get information which I need to fix the computer.

 

You need to insert the USB into the clean computer you are using and then go to this topic. Click on Reply to this topic at the top, then copy and paste the contents of the filefind.txt on the USB into the reply box and once you are done then click Add reply.

 

xXToffeeXx~




#5 ssjphd (Topic Starter, Members, 24 posts)

Posted 17 September 2014 - 07:26 PM

Wow! This is frustrating. I can't find a way to copy the file contents. I will try to type the contents here.

7aa4f6c00405dfc4b70ed4214e7d687b /mnt/sda1/windows/$hf_mig$/kb925902/sp2qfe/user32.dll  564.5k Mar 8 2007
de2db164bbb35db061af0997e4499054 /mnt/sda1/WINDOWS/$hf_mig$/kb890859/sp2gdr/user.dll  563.5k Mar 2 2005
1800f293bccc8ede8a70e12b88d80036 /mnt/sda1/windows/$hf_mig$/kb890859/sp2qfe/user32.dll  563.5k Mar 2 2005
b26b135ff1b9f60c9388b4a7d16f600b /mnt/sda1/windows/ServicePackFiles/i386/user32.dll  565.0k Apr 14 2008
c72661f8552ace7c5c85e16a3cf505c4 /mnt/sda1/windows/$NtUninstallkb890859$/user32.dll  563.5k Aug 4 2004
dd9269230c21ee8fb7fd3fccc3b1cfcb /mnt/sda1/windows/$NtUninstallkb890859_0$/user32.dll  547.0k Aug 29 2002
de2db164bbb35db061af0997e4499054 /mnt/sda1/windows/$NtUninstallkb925902$/user32.dll  563.5k Mar 2 2005
b26b135ff1b9f60c9388b4a7d16f600b /mnt/sda1/windows/system32/user32.  565.0k Apr 14 2008
b26b135ff1b9f60c9388b4a7d16f600b /mnt/sda1/windows/system32/dllcache/user32.dll  565.0k Apr 14 2008
b409909f6e2e8a7067076ed748abf1e7 /mnt/sda1/windows/$NtServicePackUninstall$/user32.dll  564.0 Mar 8 2007
c72661f8552ace7c5c85e16a3cf505c4 /mnt/sda1/windows/$NtServicePackUninstall$/user32.dll.000  563.5k Aug 4 2004
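For readers doing the same triage from a Linux rescue environment, here is the user32.* inventory that driver.sh produced in post #5, re-implemented as an added example. This is not code from the thread or from driver.sh. It assumes the Windows volume is mounted at the path given as the first argument (/mnt/sda1 in the thread); the directory tree it is tested against is constructed, not a real installation. Beyond listing each copy with its MD5 and size, it compares the live System32\user32.dll with the Windows File Protection copy in System32\dllcache, the pair that share the hash b26b135ff1b9f60c9388b4a7d16f600b in the output above.

```shell
#!/bin/sh
# Added example (not from the thread or from driver.sh): inventory every
# user32.* on a Windows volume mounted under a Linux rescue system and
# compare the live System32 copy with the Windows File Protection cache
# copy in System32\dllcache. The mount point (/mnt/sda1 in the thread) is
# passed as $1; the directory layout used when testing is hypothetical.

# Resolve a file under the mount case-insensitively (the NTFS volume shows
# mixed case once mounted on Linux, as the posted output does). Prints the
# first match or nothing.
find_ci() {
    find "$1" -type f -ipath "$1/$2" 2>/dev/null | head -n 1
}

# Print "md5  bytes  path" for every file named user32.* under the mount,
# including hotfix and uninstall backups, sorted by path.
find_user32_copies() {
    mount="${1%/}"
    find "$mount" -type f -iname 'user32.*' 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r f; do
        sum=$(md5sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s  %s  %s\n' "$sum" "$size" "$f"
    done
}

# Compare the loaded copy with the dllcache copy Windows keeps to repair it.
# Prints MATCH, MISMATCH or MISSING; exit status 0, 1 or 2 respectively.
# A match only shows that the two copies agree; a mismatch is a reason to
# look closer, not proof of tampering by itself.
check_live_user32() {
    mount="${1%/}"
    live=$(find_ci "$mount" 'windows/system32/user32.dll')
    cache=$(find_ci "$mount" 'windows/system32/dllcache/user32.dll')
    if [ -z "$live" ] || [ -z "$cache" ]; then
        echo MISSING
        return 2
    fi
    live_sum=$(md5sum "$live" | cut -d' ' -f1)
    cache_sum=$(md5sum "$cache" | cut -d' ' -f1)
    if [ "$live_sum" = "$cache_sum" ]; then
        echo MATCH
        return 0
    fi
    echo MISMATCH
    return 1
}

# Stand-alone use from the xPUD terminal: sh user32check.sh /mnt/sda1
if [ -n "${1:-}" ]; then
    find_user32_copies "$1"
    check_live_user32 "$1"
fi
```

MATCH means the loaded copy and the protected cache copy are identical, as they are in the posted output; it does not by itself prove the file is the one Microsoft shipped, since a tampered copy could have been written to both locations. MISMATCH means the two differ and the live copy deserves a closer look before anything on the volume is trusted.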

 

 



#6 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,054 posts)

Posted 18 September 2014 - 02:35 PM

Hi ssjphd,

 

Give me some time to think over what to do and I will get back to you tomorrow.

 

xXToffeeXx~




#7 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,054 posts)

Posted 19 September 2014 - 12:44 PM

Hi ssjphd,
 
Please start the computer and begin pressing F8 on the keyboard. If done correctly then you should get to a menu which looks like this. Use the arrow keys to move the highlighted box down to the option which says Disable automatic restart on system failure. Reboot the computer and when it restarts do you get a blue screen?
 
xXToffeeXx~




#8 ssjphd (Topic Starter, Members, 24 posts)

Posted 19 September 2014 - 02:34 PM

Well, I get a blue screen with white writing that says:

 

STOP: c0000218 {Registry File Failure}

The registry cannot load the hive (file):

\SystemRoot\System32\Config\SOFTWARE

or its log or alternate.

It is corrupt, absent, or not writable.

 

Beginning dump of physical memory

Physical memory dump complete.

Contact your system administrator or technical support group for further assistance.

 

Hope this helps.



#9 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,054 posts)

Posted 20 September 2014 - 09:10 AM

Hi ssjphd,

 

That is helpful, let's see what I can do to fix this. Please do this for me:

 

Boot back into xPud:

  • Insert the usb into the computer.
  • Press F12 and choose to boot from the USB.
  • Follow the prompts.
  • Welcome to xPUD screen will appear.
  • Press File.
  • Expand mnt.
  • sda1 or sda2 usually corresponds to your hard drive (it will have a number of folders; including Windows, Users, Program Files).
  • Click on the folder that represents your hard drive (should be sda1).
  • Then using the folders, navigate to WINDOWS\System32\config and there should be a folder called RegBack.
  • Shut down the computer and then in your next reply please tell me whether you see this folder or not.

xXToffeeXx~




#10 ssjphd (Topic Starter, Members, 24 posts)

Posted 20 September 2014 - 10:38 AM

Hello again xXToffeeXx,

 

I found /mnt/sda1/WINDOWS/system32/config, but there was only one folder (systemprofile) there and 25 files - no RegBack.  It was not in the systemprofile folder either.

 

ssjphd



#11 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,054 posts)

Posted 20 September 2014 - 10:44 AM

Hi ssjphd,
 
Let's try another location instead.
 
Boot back into xPud:

  • Insert the usb into the computer.
  • Press F12 and choose to boot from the USB.
  • Follow the prompts.
  • Welcome to xPUD screen will appear.
  • Press File.
  • Expand mnt.
  • sda1 or sda2 usually corresponds to your hard drive (it will have a number of folders; including Windows, Users, Program Files).
  • Click on the folder that represents your hard drive (should be sda1).
  • Then using the folders, navigate to WINDOWS and there should be a folder called Repair.
  • Shut down the computer and then in your next reply please tell me whether you see this folder or not.

xXToffeeXx~




#12 ssjphd (Topic Starter, Members, 24 posts)

Posted 20 September 2014 - 12:28 PM

Hi xXToffeeXx,

 

The repair folder is there.

 

ssjphd



#13 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,054 posts)

Posted 20 September 2014 - 01:01 PM

Hi ssjphd,
 
Boot back into xPud:

  • Insert the usb into the computer.
  • Press F12 and choose to boot from the USB.
  • Follow the prompts.
  • Welcome to xPUD screen will appear.
  • Press File.
  • Expand mnt.
  • sda1 or sda2 usually corresponds to your hard drive (it will have a number of folders; including Windows, Users, Program Files).
  • Click on the folder that represents your hard drive (should be sda1).
  • Then using the folders, navigate to WINDOWS/Repair and there should be a file named SYSTEM.
  • Right-click on it and select copy.
  • Then go back to sda1 or sda2 (depending on which is your hard drive) using the green back arrow or selecting it from the menu on the left.
  • Using the folders again, navigate to WINDOWS\System32\config and you will see another file named SYSTEM (if not then ignore the next step, but continue from the one where you paste).
  • Right-click on it and select rename, type in SYSTEM.bak and click on OK.
  • Then right-click within the folder and select paste, you should see a file named SYSTEM appear.
  • Once you have completed this, please reboot your computer and attempt to boot into windows.

xXToffeeXx~




#14 ssjphd (Topic Starter, Members, 24 posts)

Posted 20 September 2014 - 01:37 PM

Hi xXToffeeXx,

 

Phooey, it would not boot.  The computer kept cycling through to a screen with "start windows normally" and three other "safe mode" starting options.  Selecting the "normally" or any of the "safe" options gets me back to the "start windows normally" screen.

 

ssjphd



#15 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,054 posts)

Posted 21 September 2014 - 06:31 AM

Hi ssjphd,

 

Let's see if we have more luck with this:

 

Boot back into xPud:

  • Insert the usb into the computer.
  • Press F12 and choose to boot from the USB.
  • Follow the prompts.
  • Welcome to xPUD screen will appear.
  • Press File.
  • Expand mnt.
  • sda1 or sda2 usually corresponds to your hard drive (it will have a number of folders; including Windows, Users, Program Files).
  • Click on the folder that represents your hard drive (should be sda1).
  • Then using the folders, navigate to WINDOWS/Repair and there should be a file named SOFTWARE.
  • Right-click on it and select copy.
  • Then go back to sda1 or sda2 (depending on which is your hard drive) using the green back arrow or selecting it from the menu on the left.
  • Using the folders again, navigate to WINDOWS\System32\config and you will see another file named SOFTWARE (if not then ignore the next step, but continue from the one where you paste).
  • Right-click on it and select rename, type in SOFTWARE.bak and click on OK.
  • Then right-click within the folder and select paste, you should see a file named SOFTWARE appear.
  • Once you have completed this, please reboot your computer and attempt to boot into windows.

xXToffeeXx~


Edited by xXToffeeXx, 21 September 2014 - 06:31 AM.
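The hive swap in posts #13 and #15, with a check added for the failure that the STOP c0000218 screen in post #8 describes, as an added shell example. It is not the thread's procedure verbatim and not part of xPUD; it assumes the mount point and the hive name (SYSTEM or SOFTWARE) are passed as arguments, and the hive files it is tested against are constructed headers, not real hives. The copies in WINDOWS\repair are the ones written at Windows setup (or by a later ASR backup), so restoring one rolls that part of the registry back to that point; the script keeps the replaced hive as NAME.bak so the swap can be undone.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a registry hive's header
# and swap in the copy from WINDOWS\repair the way posts #13 and #15 do,
# keeping the old hive as NAME.bak. The mount point ($1, /mnt/sda1 in the
# thread) and the hive name ($2, SYSTEM or SOFTWARE) are arguments; the
# directory layout used when testing is hypothetical.

# Resolve a file under the mount case-insensitively; prints the first match.
find_ci() {
    find "$1" -type f -ipath "$1/$2" 2>/dev/null | head -n 1
}

# Hive header check: the file must start with the "regf" signature and its
# two 32-bit sequence numbers (offsets 4 and 8) must agree; a mismatch means
# the last write never completed. Assumes a little-endian host for od, as
# hive integers are little-endian. Passing this check does not prove the
# hive loads, but failing it matches "corrupt, absent, or not writable".
hive_header_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    [ "$(head -c 4 "$f")" = "regf" ] || return 1
    seq1=$(od -An -t u4 -j 4 -N 4 "$f" | tr -d ' ')
    seq2=$(od -An -t u4 -j 8 -N 4 "$f" | tr -d ' ')
    [ -n "$seq1" ] && [ "$seq1" = "$seq2" ]
}

# Replace WINDOWS\System32\config\NAME with WINDOWS\repair\NAME, renaming the
# current file to NAME.bak first. Refuses if the repair copy fails the header
# check or a .bak already exists, so a second run cannot destroy the only
# copy of the original hive.
restore_hive() {
    mount="${1%/}"; name="$2"
    src=$(find_ci "$mount" "windows/repair/$name")
    cfg=$(find "$mount" -type d -ipath "$mount/windows/system32/config" 2>/dev/null | head -n 1)
    if [ -z "$src" ] || [ -z "$cfg" ]; then
        echo "no repair copy of $name or no config directory under $mount"
        return 2
    fi
    if ! hive_header_ok "$src"; then
        echo "repair copy $src fails the header check; not restoring"
        return 3
    fi
    live=$(find "$cfg" -maxdepth 1 -type f -iname "$name" | head -n 1)
    if [ -n "$live" ]; then
        if [ -e "$live.bak" ]; then
            echo "$live.bak already exists; refusing to overwrite it"
            return 4
        fi
        mv "$live" "$live.bak"
    fi
    cp -p "$src" "$cfg/$name"
    echo "restored $cfg/$name from $src"
}

# Stand-alone use from the xPUD terminal: sh hiveswap.sh /mnt/sda1 SOFTWARE
# Reports on both live hives first, then restores the one named.
if [ -n "${2:-}" ]; then
    for h in SYSTEM SOFTWARE; do
        p=$(find_ci "${1%/}" "windows/system32/config/$h")
        if [ -n "$p" ] && hive_header_ok "$p"; then
            echo "$h: header OK"
        else
            echo "$h: missing or fails header check"
        fi
    done
    restore_hive "$1" "$2"
fi
```

Run the header report before swapping anything: if the live SOFTWARE hive already fails it, that agrees with the blue screen and the swap is justified; if both hives pass, the problem is elsewhere in the hive and a copy from repair may not help.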





