
Infected with Moneypak - can't boot into safe mode


171 replies to this topic

#1 alleycat99 (Members, 88 posts)

Posted 02 November 2014 - 05:17 PM

My XP machine has a problem. It gave me the Moneypak page on boot up and won't boot into safe mode.

I made a Ubuntu startup disk and used that to back up my data files. Also, ran some antivirus boot disks (Kaspersky, Bitdefender, and AVG), but it did not fix the problem. However, they did get rid of the Moneypak page that was showing on startup. Now when doing a normal boot, I see my desktop for about 1 or 2 seconds, then get a beige screen which changes quickly to a white screen and hear the hard drive spinning - probably loading things. When I hold the power button to reboot, the blank page shuts down and I can briefly see my normal desktop full of icons again. Not enough time though to run any programs.

Since I can access my files by booting into Ubuntu, I assume the problem could be fixed by manually removing the right files or making some other changes, but I don't know which.

Can anyone help me get my machine working again? Your assistance is much appreciated.

 

 




#2 Bud_91 (Malware Response Team, 438 posts)

Posted 06 November 2014 - 03:09 PM

Hello and welcome to Bleeping Computer. I am sorry that you are having troubles with your computer and will try my best to help you. I know that being infected is very frustrating, but I will be here to help you through the whole process of cleaning. Removing malware can be difficult and complicated and will most likely take many steps, so please stick with me until I have declared your computer clean. I always recommend printing my instructions before following them in case you cannot keep this webpage open. Please be sure to always follow all steps exactly as they are written and let me know what happens each time. Stop and ask if something unexpected happens or if you are unsure of how to proceed.

Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.

Are you booting Ubuntu from a CD? Do you have a USB flash drive available?

If I have not responded to your log in 36 hours, feel free to send me a PM.

If you would like to make a thank-you donation, please click here.

A.K.A. Buddierdl @ GeeksToGo.com


#3 alleycat99 (Topic Starter, Members, 88 posts)

Posted 06 November 2014 - 03:39 PM

Bud -

Thanks for your assistance. I look forward to working with you.

I do have a flash drive available, but in the past I had some problems making it bootable. If you really need me to go that way, I'm sure I can make it work, but I have a Windows 7 machine handy that easily makes bootable CDs, so I find that simplest.

By the way, someone named Grooverism started a personal conversation with me on BleepingComputer. He didn't solve my problem, but he asked some questions which you might find relevant. You can find his discussions with me here: http://www.bleepingcomputer.com/forums/index.php?app=members&module=messaging&section=view&do=showConversation&topicID=155124&st=0#msg236138

The main thing interesting there was he asked me what happens when I try booting into safe mode. I got a message:

Stop:0x00000007B (0xF789E524, 0xC0000034, 0x00000000, 0x00000000).

When I googled that, I found:

> 0x7B is a common post-partial malware cleanup problem, for instance: the entry point for the malware is still there, say shell='infected system file', that file has been deleted during a cleanup but it's called at boot = BSOD.

This made sense to me because I did delete some files when I ran various rescue disks. I deleted some files they said were infected, but if the comment above is correct, something more is needed.

Don't know if this helps you, but I figured I would mention it.


#4 Bud_91 (Malware Response Team, 438 posts)

Posted 06 November 2014 - 04:34 PM

Thank you for the information. Now that you are working with me, please refrain from following any other advice or doing any fixes on your own, as this can just make things confusing.

> This made sense to me because I did delete some files when I ran various rescue disks. I deleted some files they said were infected, but if the comment above is correct, something more is needed.

Do you know which files you deleted, or do you have logs?

> I do have a flash drive available, but in the past I had some problems making it bootable. If you really need me to go that way, I'm sure I can make it work, but I have a Windows 7 machine handy that easily makes bootable CDs, so I find that simplest.

We don't need to boot from the USB, I just want to use it to transfer files.

Please download this script to your USB drive. Then boot to Ubuntu and navigate to your USB drive in the File Manager. Then from the "Tools" menu at the top of the window, select "Open Current Folder in Terminal." In the terminal, type bash uhives.sh and press enter. When prompted, type software and press enter again. A file named ntbsoft should be created on your flash drive. Please attach it for me to your next post, or if it is too big, upload it to a file sharing service like Dropbox.

Let me know if you have any questions.



#5 alleycat99 (Topic Starter, Members, 88 posts)

Posted 06 November 2014 - 10:02 PM

Ok, I downloaded uhives.sh to my flash drive. Didn't find "Tools" in the Ubuntu menu after navigating to it, so instead I opened a terminal, figured out how to navigate to my USB key from there, and then generated ntbsoft. As you suspected, it was too big to attach to my email - size is 48,384 KB.

I don't have Dropbox, but I have a website, so I uploaded the file there. You should be able to download it here: www.youthchess.net/ntbsoft

As for what files I deleted, unfortunately, I didn't save the file names, and if there is a log, I don't know where. Sorry.

Ntbsoft took quite a while to upload, but maybe that's my internet connection. Hopefully you can download it more quickly.



#6 Bud_91 (Malware Response Team, 438 posts)

Posted 08 November 2014 - 11:29 AM

It downloaded fine for me, thank you. :) I haven't had a chance to look at it yet, been pretty busy. Hopefully today or tomorrow I will be able to look through it and find the malicious loading point.



#7 alleycat99 (Topic Starter, Members, 88 posts)

Posted 08 November 2014 - 06:18 PM

Sounds good.  Let me know when you find something.



#8 Bud_91 (Malware Response Team, 438 posts)

Posted 08 November 2014 - 06:25 PM

From a quick check, I don't see anything there. I think it may be hiding in the user hive. Could you please copy the file named ntuser.dat located at \Documents and Settings\[Your user name]\ntuser.dat using Ubuntu and the flash drive and upload for me? I think this one should be small enough to directly attach. Let me know if you need more detailed instructions.



#9 alleycat99 (Topic Starter, Members, 88 posts)

Posted 11 November 2014 - 01:27 AM

Sorry for the delay.

ntuser.dat was also too big to upload, so I put it here: www.youthchess.net/ntuser.dat

I took a look at it first with Notepad, and unless I am mistaken, it has been overwritten with junk.



#10 Bud_91 (Malware Response Team, 438 posts)

Posted 11 November 2014 - 09:38 AM

I'll take a look at it.

It isn't a text file, so you can't view it in notepad. You have to use regedit or another registry editor. Can be dangerous if you don't know what you are doing.

I'll be back later on today. :)

Edited by Bud_91, 11 November 2014 - 09:38 AM.



#11 Bud_91 (Malware Response Team, 438 posts)

Posted 11 November 2014 - 09:48 AM

Do you have more than one user? If so, are all users affected?



#12 alleycat99 (Topic Starter, Members, 88 posts)

Posted 11 November 2014 - 03:31 PM

No other users. But I am thinking it's possible I may have deleted that file ntuser previously when I was deleting some files I thought infected, not that it made any difference. Except, as I said, I get a blank screen instead of the Moneypak screen. But my normal desktop and icons are underneath and show up briefly when I am powering down.



#13 Bud_91 (Malware Response Team, 438 posts)

Posted 11 November 2014 - 06:22 PM

Just for kicks and giggles, can you try booting into Safe Mode with Command Prompt? If that works, type the command explorer.exe and see if your desktop comes up.



#14 alleycat99 (Topic Starter, Members, 88 posts)

Posted 12 November 2014 - 01:48 AM

Tried again just now.  Safe mode with command prompt still gives me: Stop:0x00000007B (0xF789E524, 0xC0000034, 0x00000000, 0x00000000).



#15 Bud_91 (Malware Response Team, 438 posts)

Posted 12 November 2014 - 03:51 PM

I am not seeing any loading points in your registry. Just to be thorough, let's check the services. Could you please run the uhives.sh script again, and this time type system instead of software when prompted. Then you should get an ntbsys on the flash drive to upload for me.

Also, do you have an XP CD?

And a note of warning: If you deleted the file ntuser.dat, it could be bad as it contains all your user specific settings. Hopefully there will be a backup we can restore.

Edited by Bud_91, 12 November 2014 - 03:52 PM.

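The hive-collection step the helper walks through in posts #4, #8 and #15 (pulling the SOFTWARE hive, then the user's ntuser.dat, then the SYSTEM hive off the infected XP volume from a Ubuntu boot so the loading points and services can be inspected elsewhere) is shown below as an added example. This is not the uhives.sh script linked in the thread, whose contents are not on the page; it is a stand-alone POSIX shell script that assumes the Windows volume is already mounted (ideally read-only) under Linux at the path given as its first argument, that the hives sit at the XP default locations, and that the output directory is the USB drive. It also writes a SHA256SUMS manifest so the helper can confirm the uploaded copies were not truncated on the way up, which the thread's 48 MB upload shows is a real concern.

```shell
#!/bin/sh
# collect_hives.sh: copy registry hives off a mounted, offline Windows XP volume
# for inspection on another machine. Added example; it is not the thread's uhives.sh.
# Assumed layout (XP defaults): <volume>/WINDOWS/system32/config/{software,system}
# and <volume>/Documents and Settings/<user>/ntuser.dat. Directory names on a
# volume mounted under Linux keep whatever case Windows wrote, so every lookup
# below is case-insensitive.

set -eu

# find_ci DIR NAME: print the first entry directly inside DIR whose name matches
# NAME ignoring case, or nothing if there is none.
find_ci() {
    find "$1" -mindepth 1 -maxdepth 1 -iname "$2" 2>/dev/null | head -n 1
}

# hive_path VOLUME NAME: print the path of the system-wide hive NAME
# (software or system); exit non-zero if any path component is missing.
hive_path() {
    hp_dir=$1
    for hp_part in windows system32 config "$2"; do
        hp_dir=$(find_ci "$hp_dir" "$hp_part")
        [ -n "$hp_dir" ] || return 1
    done
    printf '%s\n' "$hp_dir"
}

# collect_hives VOLUME OUTDIR: copy the SOFTWARE and SYSTEM hives plus every
# per-user ntuser.dat into OUTDIR, write a SHA256SUMS manifest so the copies can
# be verified after upload, and print how many hives were copied.
collect_hives() {
    ch_vol=$1
    ch_out=$2
    mkdir -p "$ch_out"
    ch_count=0
    for ch_name in software system; do
        if ch_src=$(hive_path "$ch_vol" "$ch_name"); then
            cp "$ch_src" "$ch_out/$ch_name.hive"
            ch_count=$((ch_count + 1))
        fi
    done
    # Profiles such as "All Users" or "Default User" may carry no ntuser.dat; skip them.
    ch_profiles=$(find_ci "$ch_vol" "documents and settings")
    if [ -n "$ch_profiles" ]; then
        for ch_udir in "$ch_profiles"/*/; do
            [ -d "$ch_udir" ] || continue
            ch_hive=$(find_ci "$ch_udir" ntuser.dat)
            [ -n "$ch_hive" ] || continue
            cp "$ch_hive" "$ch_out/ntuser-$(basename "$ch_udir").dat"
            ch_count=$((ch_count + 1))
        done
    fi
    # Manifest for verifying the copies once they arrive at the analyst's end.
    (cd "$ch_out" && sha256sum ./*.hive ./*.dat > SHA256SUMS 2>/dev/null) || true
    echo "$ch_count"
}

# Usage: sh collect_hives.sh /media/windows /media/usb/hives
if [ $# -eq 2 ]; then
    echo "copied $(collect_hives "$1" "$2") hive(s) to $2"
fi
```

Copying whole hives rather than exporting keys is deliberate: the offline copy keeps the hive exactly as it is on disk, so the analyst can read the Winlogon, Run and Services keys with a registry viewer of their choice, and the checksums let both sides confirm they are looking at the same bytes. The script never writes to the Windows volume, so it cannot make the cleanup state any worse than it already is.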




