DOJ Moneypak virus XP HELP


  • This topic is locked
16 replies to this topic

#1 MADNUG

  • Members
  • 6 posts

Posted 30 November 2015 - 07:01 PM

I have a machine running XP which I need to remove this ransomware from. I can't boot into safe mode, and I've tried the Avira rescue CD, which didn't find anything, and after the Kaspersky rescue I cannot boot into Windows anymore. I cannot boot into my Hitman Kickstart USB either (it hangs on MBR, and I tried Fix MBR with a Windows XP disc). My last resort was booting into a Reatogo-PE and running Farbar, and hoping you fine gentlemen can assist. Going by the Farbar log, Kaspersky seemed to remove advapi32.dll, which is why I can't boot normally anymore.

Attached Files

  • FRST.txt (304.79KB)


#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,972 posts
  • Gender:Male
  • Location:California

Posted 02 December 2015 - 01:34 PM

Greetings MADNUG and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please run the following for me.

===================================================

Farbar's Recovery Scan Tool Search

--------------------
  • Boot to the System Recovery Options again and run FRST
  • Type the following in the Search Field
advapi32.dll
  • Click Search File(s) button
  • A Search.txt document will be saved to your USB device
  • Copy and paste the contents of that document into your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Search.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 MADNUG (Topic Starter)

Posted 03 December 2015 - 06:04 PM

Here is the log:

Farbar Recovery Scan Tool (x86) Version:30-11-2015
Ran by SYSTEM (2004-11-10 05:01:50)
Running from E:\
Boot Mode: Recovery
 
================== Search Files: "advapi32.dll" =============
 
C:\WINDOWS\system32\advapi32.dll
[2004-11-09 00:13][2004-08-04 06:00] 0616960 ____A (Microsoft Corporation) 1AFF244CA134956C54474F4E2433E4CE
 
C:\WINDOWS\$NtServicePackUninstall$\advapi32.dll
[2008-12-07 20:07][2004-08-04 06:00] 0616960 ____C (Microsoft Corporation) 1AFF244CA134956C54474F4E2433E4CE
 
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\advapi32.dll
[2009-02-10 18:26][2009-02-10 18:26] 0617472 ____A (Microsoft Corporation) C8A6C82F90B055149925DC7526B2D78C
 
C:\i386\advapi32.dll
[2005-02-27 12:07][2004-08-04 06:00] 0616960 ___AC (Microsoft Corporation) 1AFF244CA134956C54474F4E2433E4CE
 
X:\I386\SYSTEM32\ADVAPI32.DLL
[2004-08-03 20:07][2004-08-03 20:07] 0616960 ____R (Microsoft Corporation) 1AFF244CA134956C54474F4E2433E4CE
 
====== End of Search ======
 
 
Thanks so much!
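A check a defender would run on that Search.txt before trusting the copy in system32: parse the FRST search output and compare the live file's MD5 against the cached copies (the $NtServicePackUninstall$, $hf_mig$, i386 and install-media entries). This is an added example, not part of the thread and not FRST's own code; the sample text is the log above embedded as a string, and the "missing" branch covers the case the first scan reported, where no system32 entry is found at all.

```python
import re

# Constructed sample in the FRST "Search Files" layout; the paths, sizes and
# MD5 values are the ones in the Search.txt posted above.
SEARCH_TXT = """\
================== Search Files: "advapi32.dll" =============
C:\\WINDOWS\\system32\\advapi32.dll
[2004-11-09 00:13][2004-08-04 06:00] 0616960 ____A (Microsoft Corporation) 1AFF244CA134956C54474F4E2433E4CE
C:\\WINDOWS\\$NtServicePackUninstall$\\advapi32.dll
[2008-12-07 20:07][2004-08-04 06:00] 0616960 ____C (Microsoft Corporation) 1AFF244CA134956C54474F4E2433E4CE
C:\\WINDOWS\\$hf_mig$\\KB956572\\SP3QFE\\advapi32.dll
[2009-02-10 18:26][2009-02-10 18:26] 0617472 ____A (Microsoft Corporation) C8A6C82F90B055149925DC7526B2D78C
C:\\i386\\advapi32.dll
[2005-02-27 12:07][2004-08-04 06:00] 0616960 ___AC (Microsoft Corporation) 1AFF244CA134956C54474F4E2433E4CE
X:\\I386\\SYSTEM32\\ADVAPI32.DLL
[2004-08-03 20:07][2004-08-03 20:07] 0616960 ____R (Microsoft Corporation) 1AFF244CA134956C54474F4E2433E4CE
====== End of Search ======
"""

# One detail line: [created][modified] size attributes (company) MD5
DETAIL = re.compile(r"^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\] (?P<size>\d+) "
                    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")

def parse_search(text):
    """Pair each path line with the detail line that follows it."""
    entries, path = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = DETAIL.match(line)
        if m and path:
            rec = m.groupdict()
            rec["path"], rec["size"] = path, int(rec["size"])
            entries.append(rec)
            path = None
        elif line and not line.startswith("="):   # skip banner/footer lines
            path = line
    return entries

def assess(entries, live_dir="C:\\WINDOWS\\system32\\"):
    """Is the live copy present, and does its MD5 agree with any cached copy?"""
    live = [e for e in entries if e["path"].lower().startswith(live_dir.lower())]
    if not live:   # what the scan in post #1 suggested: file gone, system won't boot
        return {"verdict": "missing", "live_md5": None, "agree": [], "differ": []}
    md5 = live[0]["md5"].upper()
    refs = [e for e in entries if e not in live]
    agree = [e["path"] for e in refs if e["md5"].upper() == md5]
    differ = [e["path"] for e in refs if e["md5"].upper() != md5]
    verdict = "live copy matches a cached copy" if agree else "no cached copy matches"
    return {"verdict": verdict, "live_md5": md5, "agree": agree, "differ": differ}
```

On this log the system32 copy agrees with the i386, $NtServicePackUninstall$ and install-media copies; the one that differs is the KB956572 SP3QFE hotfix build, which also has a different size, so a mismatch there is expected rather than a sign of tampering.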


#4 Oh My!

Posted 03 December 2015 - 06:55 PM

Greetings,

That file is there. Please do this.

===================================================

Farbar's Recovery Scan Tool MBR Dump in the Recovery Environment

--------------------
  • From a clean computer press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
SaveMbr: Drive=0
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up), select Repair Your Computer, then select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait; the program will automatically launch fixlist.txt
  • An mbrdump.txt file will be created on your desktop. Attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Attached mbrdump.txt file

Gary

#5 Oh My!

Posted 06 December 2015 - 09:33 PM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary

#6 MADNUG

Posted 06 December 2015 - 10:35 PM

I will post the results later tomorrow, since the computer is at my office.
Thanks for the help!



#7 MADNUG

Posted 09 December 2015 - 07:13 AM

Here is the log:

Attached Files



#8 Oh My!

Posted 09 December 2015 - 03:28 PM

Thank you for the information.

We are getting conflicting information from the reports. One report says advapi32.dll is missing yet when we searched for it the report indicated it is where it is supposed to be. We are going to copy over a new file to the "missing" file location. Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
cmd: copy /y C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\advapi32.dll C:\WINDOWS\system32
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up), select Repair Your Computer, then select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait; the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt). Copy and paste that information in your reply.
  • Please attempt to boot your computer into Normal Mode or, if not, Safe Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Does your computer boot? If not, please describe exactly what happens and what the last thing you see is before it loops back

Gary

#9 Oh My!

Posted 12 December 2015 - 04:07 PM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary

#10 MADNUG

Posted 13 December 2015 - 10:11 PM

I will post the results tomorrow,

Thanks again!



#11 Oh My!

Posted 15 December 2015 - 10:01 AM

Greetings,

Any progress?
Gary

#12 Oh My!

Posted 16 December 2015 - 11:47 AM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary

#13 Oh My!

Posted 18 December 2015 - 10:12 AM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary

#14 MADNUG

Posted 18 December 2015 - 05:00 PM

The computer will boot up to Windows! I cannot access one of my user accounts, named "mom", but everything seems to work properly other than that. Here are the results:

Fix result of Farbar Recovery Scan Tool (x86) Version:30-11-2015
Ran by SYSTEM (2004-11-22 00:42:50) Run:2
Running from E:\
Boot Mode: Recovery
 
==============================================
 
fixlist content:
*****************
cmd: copy /y C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\advapi32.dll C:\WINDOWS\system32
*****************
 
 
=========  copy /y C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\advapi32.dll C:\WINDOWS\system32 =========
 
        1 file(s) copied.
 
========= End of CMD: =========
 
 
==== End of Fixlog 00:42:51 ====



#15 Oh My!

Posted 19 December 2015 - 11:33 AM

That is good to hear. Please do this.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST.txt
  • Addition.txt

Gary