fbi moneypack [Closed]


#1 babyruth757 (New Member, 7 posts)
My PC has been infected with the FBI MoneyPack trojan. I've read many and tried at least five different fixes. The problem is, I cannot get to a usable screen: it immediately locks up! Tried every safe mode and can't enter anything before the trojan freezes the screen. Please help.
Thanks in advance.
#2 CompCav (Expert, Member 5k, 12,448 posts)
Hi, babyruth757! My nickname is CompCav and I will be assisting you with your malware/security problems. Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any questions or you are unsure about anything, just ask and I will help you out. :)

If you have resolved the issues you were originally experiencing, or have received help elsewhere, please let me know so that this topic can be closed.


Please make sure you are saving and printing the instructions out prior to each fix, this way you will have them on hand just in case you are unable to access this site. One of the steps I will be asking you to do requires you to boot into Safe Mode and this process will be much easier for you to perform if the instructions are printed out for you to follow.

If you are ready to get started, please review and follow these guidelines so that we resolve your issues in a timely and effective manner:
  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
  • Please make sure to carefully read any instructions that I give you. Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. These instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. However, the one thing that you should always do, is to make sure your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Just do a Copy/Paste of the entire contents of the log file inside your post and submit.
  • You must reply within four days; failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic. PM me only if I have not responded to your last post in 2 days.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to ultimately reformat your hard drive and reinstall the operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Please have the software and storage media for backing up your data available.



What operating system (XP, Vista, or Windows 7) do you have?

Is it 32 or 64 bit?

Do you have a clean computer that you can make CDs on?

Do you have a 1 Gig or higher USB flash drive we can use?


Regards,

CompCav

#3 babyruth757 (Topic Starter, 7 posts)
Thanks in advance CompCav.
It's a Dell 1505 Win XP laptop.
I have no idea if it's 32 or 64 bit.
We do have a fairly new desktop with Win 7 and burnability. I can get a gig flash drive; it might take a couple of days.

Regards,
Babyruth757

#4 CompCav (Expert, Member 5k, 12,448 posts)
OK, let's go in outside of Windows. We will need to create a CD and additionally use a USB drive.

Any size of USB flash drive will work for this exercise since FRST.exe is relatively compact.

Please print these instructions out so that you know what you are doing.

  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe; this will then open ImgBurn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


#5 babyruth757 (Topic Starter, 7 posts)
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 22-09-2012
Ran by Babyruth at 24-09-2012 09:52:25
Running from G:\
Service Pack 3 (X86) OS Language: English(US)
Attention: Could not load system hive.
Error: The process cannot access the file because it is being used by another process.
ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ========

2012-09-24 09:52 - 2012-09-24 09:52 - 00000000 ___DC C:\FRST
2012-09-23 14:59 - 2012-09-23 14:59 - 00000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-23 14:59 - 2012-09-23 14:59 - 00000000 ___DC C:\Documents and Settings\All Users\Application Data\Malwarebytes
2012-09-23 14:59 - 2012-09-23 14:59 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-09-23 14:59 - 2012-09-23 14:59 - 00000000 ____D C:\Documents and Settings\Babyruth\Application Data\Malwarebytes
2012-09-23 14:59 - 2012-09-07 17:04 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-23 14:35 - 2012-09-23 14:35 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Macromedia
2012-09-23 14:35 - 2012-09-23 14:35 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Adobe
2012-09-23 14:31 - 2012-09-24 09:49 - 00000370 ____A C:\Windows\Tasks\MotoHelper Initial Update.job
2012-09-22 13:01 - 2012-09-23 21:11 - 00011753 ____A C:\Windows\WindowsUpdate.log
2012-09-21 17:46 - 2012-09-21 17:46 - 00000000 __SHD C:\Documents and Settings\LocalService\IETldCache
2012-09-21 17:46 - 2012-09-21 17:46 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Macromedia
2012-09-21 17:46 - 2012-09-21 17:46 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
2012-09-21 17:44 - 2012-09-21 17:44 - 00184836 ____A C:\Windows\System32\c_726575.nls
2012-09-21 17:43 - 2012-09-24 09:49 - 00000000 ____A C:\Documents and Settings\Babyruth\Local Settings\Application Data\
2012-09-21 17:43 - 2012-09-21 19:54 - 00000048 ____A C:\Documents and Settings\Babyruth\Application Data\AF2EA9.dat
2012-09-21 17:43 - 2012-09-21 18:26 - 00000000 ___DC C:\Documents and Settings\All Users\Application Data\0BACF564A254109300710BAC84C92126
2012-09-21 17:43 - 2012-09-21 17:43 - 00435712 ____A (Alps Electric Co., Ltd.) C:\Documents and Settings\Babyruth\Application Data\nftark.dll
2012-09-21 17:43 - 2012-09-21 17:43 - 00000000 ____D C:\Documents and Settings\Babyruth\Local Settings\Application Data\{2DD2B4C5-0435-11E2-8271-B8AC6F996F26}
2012-09-21 17:42 - 2012-09-21 17:42 - 00172544 ____A (Blue Ripple Sound ) C:\Documents and Settings\Babyruth\Application Data\hecag.dll
2012-09-21 17:42 - 2012-09-21 17:42 - 00000054 ____A C:\Documents and Settings\Babyruth\inv.vbs
2012-09-21 17:42 - 2012-09-21 17:42 - 00000035 ____A C:\Documents and Settings\Babyruth\Application Data\Filesop.txt.block
2012-09-20 19:16 - 2012-09-20 19:16 - 00000000 ____D C:\Program Files\Graboid
2012-09-20 19:09 - 2011-11-28 22:28 - 00133616 ____N (Sonic Solutions) C:\Windows\System32\pxafs.dll
2012-09-20 19:08 - 2012-09-20 19:09 - 00000000 ____D C:\Program Files\Common Files\DivX Shared
2012-09-20 19:01 - 2012-09-20 19:01 - 00000676 ____A C:\Documents and Settings\All Users\Desktop\iLivid.lnk
2012-09-20 18:28 - 2012-09-23 18:33 - 00000938 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4075544739-132596853-1568394129-1006Core1cd977f3db422ce.job
2012-09-16 10:12 - 2012-09-16 10:12 - 00000000 __HDC C:\Windows\$NtUninstallKB2736233$
2012-09-12 20:52 - 2012-09-24 09:51 - 00000159 ____A C:\Windows\wiadebug.log
2012-09-12 20:52 - 2012-09-24 09:51 - 00000049 ____A C:\Windows\wiaservc.log
2012-09-12 20:52 - 2012-09-12 20:52 - 00000000 ____N C:\Windows\Sti_Trace.log
2012-09-10 08:00 - 2012-09-10 08:00 - 00000000 ___DC C:\image_5.7
2012-09-01 21:35 - 2012-09-12 20:50 - 00000000 ____D C:\Program Files\CCleaner

==================== 3 Months Modified Files ==================
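Even though that FRST run was made from normal Windows (so the registry hives could not be loaded and the log is cut short), the created-files listing already carries indicators worth knowing how to spot: two DLLs (nftark.dll, hecag.dll) and a .vbs dropped into the user profile within two minutes on 21 Sept, each DLL carrying a vendor name in parentheses that is simply what the file's own version information claims, plus two directories with opaque 32-hex and GUID names created in the same minute. The following is an added example, not code from the thread and not part of FRST: a parser for the created-files line format, run over a constructed sample modelled on a few of the lines above, with two heuristics (executables or scripts under the profile root; directories with opaque names). The sample lines, the extension list and the profile root are assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of FRST's "One Month Created Files and Folders"
# section: created - modified - size attrs [(vendor)] path. Lines modelled on the
# listing posted above, not the complete log.
SAMPLE_FRST = r"""
2012-09-23 14:59 - 2012-09-07 17:04 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-21 17:43 - 2012-09-21 17:43 - 00435712 ____A (Alps Electric Co., Ltd.) C:\Documents and Settings\Babyruth\Application Data\nftark.dll
2012-09-21 17:42 - 2012-09-21 17:42 - 00172544 ____A (Blue Ripple Sound ) C:\Documents and Settings\Babyruth\Application Data\hecag.dll
2012-09-21 17:42 - 2012-09-21 17:42 - 00000054 ____A C:\Documents and Settings\Babyruth\inv.vbs
2012-09-21 17:43 - 2012-09-21 18:26 - 00000000 ___DC C:\Documents and Settings\All Users\Application Data\0BACF564A254109300710BAC84C92126
2012-09-21 17:43 - 2012-09-21 17:43 - 00000000 ____D C:\Documents and Settings\Babyruth\Local Settings\Application Data\{2DD2B4C5-0435-11E2-8271-B8AC6F996F26}
2012-09-01 21:35 - 2012-09-12 20:50 - 00000000 ____D C:\Program Files\CCleaner
"""

LINE_RE = re.compile(
    r"^(?P<created>\S+ \S+) - (?P<modified>\S+ \S+) - (?P<size>\d+) "
    r"(?P<attrs>\S+) (?:\((?P<vendor>[^)]*)\) )?(?P<path>.+?)\s*$"
)

# On XP everything under the profile root is writable by the logged-on user
# (assumed root for this example).
PROFILE_ROOT = "c:\\documents and settings\\"
EXEC_EXTS = (".dll", ".exe", ".sys", ".scr", ".com", ".vbs", ".js", ".bat", ".cmd")
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def parse_frst_created(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse created-files lines; anything that does not match the format is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for entries that deserve a second look."""
    findings = []
    for row in parse_frst_created(text):
        path = row["path"].rstrip("\\")
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        is_dir = "D" in row["attrs"]          # FRST attribute flags: D = directory
        in_profile = low.startswith(PROFILE_ROOT)
        if not is_dir and in_profile and name.endswith(EXEC_EXTS):
            reason = "executable or script written into a user profile"
            if row["vendor"]:
                # The vendor string comes from the file's own version resource,
                # which whoever built the file controls; treat it as a claim only.
                reason += " (claims vendor %r)" % row["vendor"].strip()
            findings.append((path, reason))
        elif is_dir and (HEX32.match(name) or GUID.match(name)):
            findings.append((path, "directory with opaque hex/GUID name"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_FRST):
        print("%-100s %s" % (path, reason))
```

Run as-is it flags the two DLLs, inv.vbs and the two opaque directories and leaves mbam.sys and the CCleaner folder alone. The rules are deliberately narrow heuristics for a first pass through a long listing, not a verdict; a flagged file still needs its hash and contents looked at, and a clean pass says nothing about what lives outside the profile.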

#6 CompCav (Expert, Member 5k, 12,448 posts)
You need to boot from the CD; this file is incomplete because you ran it from normal Windows.


Please boot from the CD: you can press F12, which is the boot menu on startup, and then select your CD (optical) drive to boot from.

#7 babyruth757 (Topic Starter, 7 posts)
OK, I'll give that a try...thanks.

#8 babyruth757 (Topic Starter, 7 posts)
I've got to be doing something wrong. I was able, using F12, to boot from CD, but Windows comes up nonetheless. Incomplete CD? Properties say there is 121 MB on the CD, version 4.65.00.

#9 CompCav (Expert, Member 5k, 12,448 posts)
If you can get into normal Windows do the following:


  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Note: If RogueKiller will not run please try it several times, if it still does not run rename it winlogon.com and try it several times.
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.

  • Next click on ShortcutsFix

  • The report has been created on the desktop.

Please post:

All RKreport.txt text files located on your desktop.



If you cannot get into Windows then re-burn the disc and try it again; you may have had a bad burn.

#10 babyruth757 (Topic Starter, 7 posts)
Thanks for your patience. I struggled with the boot issue; the puter just would not do what I commanded :-)

I'll give RogueKiller a shot tomorrow with a fresh brain.

Thanks, Steve

#11 CompCav (Expert, Member 5k, 12,448 posts)
Steve,

One thing a boot disk may show on the screen briefly is:

Press any key to boot from CD/DVD...

If you see that you need to hit a key immediately or it will boot from the hard drive.


Good luck with RogueKiller, when you read the instructions if at first it will not run then try to rename it as noted in the instructions.



Regards,

CompCav

#12 babyruth757 (Topic Starter, 7 posts)
RogueKiller seemed to find more bad stuff on the puter. The report is Greek to me, but here goes. Thanks.

RogueKiller V8.1.0 [09/28/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Website: http://tigzy.geeksto...roguekiller.php
Blog: http://tigzyrk.blogspot.com


Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Babyruth [Admin rights]
Mode : Remove -- Date : 09/30/2012 10:54:08


Bad processes : 0


Registry Entries : 7
[RUN][SUSP PATH] HKCU\[...]\Run : Google Live (C:\Documents and Settings\Babyruth\Local Settings\Application Data\google_update.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : Google Live (C:\Documents and Settings\Babyruth\Local Settings\Application Data\google_update.exe) -> DELETED
[SHELL][SUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Babyruth\Local Settings\Application Data\google_update.exe,) -> REPLACED (C:\WINDOWS\system32\userinit.exe,)
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\3259 (\??\C:\DOCUME~1\Babyruth\LOCALS~1\Temp\3259.sys) -> DELETED
[Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\3259 (\??\C:\DOCUME~1\Babyruth\LOCALS~1\Temp\3259.sys) -> DELETED
[Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\3259 (\??\C:\DOCUME~1\Babyruth\LOCALS~1\Temp\3259.sys) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)


Particular Files / Folders:
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-4075544739-132596853-1568394129-1006\$f05a7ecc86235b4a480ad5b7bd24195b\@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$f05a7ecc86235b4a480ad5b7bd24195b\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-4075544739-132596853-1568394129-1006\$f05a7ecc86235b4a480ad5b7bd24195b\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$f05a7ecc86235b4a480ad5b7bd24195b\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-4075544739-132596853-1568394129-1006\$f05a7ecc86235b4a480ad5b7bd24195b\L --> REMOVED


Driver : [LOADED]
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : atapi.sys -> HOOKED ([INLINE] atapi.sys @ 0xF73E6852)


Infection : ZeroAccess


HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts


127.0.0.1 localhost
::1 localhost




MBR Check:


+++++ PhysicalDrive0: SAMSUNG HM060HI +++++
--- User ---
[MBR] fa08457c9838c6e93f8d91ddd23d878d
[BSP] 6a16940a05e78a8357108e829835cd80 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 38130 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 78204420 | Size: 12848 Mo
3 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 104518890 | Size: 4753 Mo
User = LL1 ... OK!
User = LL2 ... OK!


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
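The RogueKiller report above shows the persistence this infection relied on: a "Google Live" Run value under both HKCU and HKLM pointing at google_update.exe in the user's Local Settings\Application Data, the same binary appended to the Winlogon Userinit value (a comma-separated list that winlogon runs at every interactive logon, so it survives cleaning the Run keys alone), a service named 3259 whose driver lives in the user's Temp folder, and the ZeroAccess directory tree under C:\RECYCLER\<SID>\$<32 hex>. Note also what RogueKiller did with Userinit: it replaced the value with exactly "C:\WINDOWS\system32\userinit.exe," rather than deleting it, because clearing Userinit leaves the machine unable to complete a logon. The following is an added example, not code from the thread and not RogueKiller's own logic: the checks behind those verdicts, reconstructed over constructed registry values modelled on the report. The full key paths (RogueKiller abbreviates them as HKLM\[...]), the benign Tcpip control entry and the list of user-writable locations are assumptions; nothing here reads a live registry.

```python
import re
from typing import Dict, List, Tuple

# Constructed inputs modelled on the values RogueKiller reported above, written as
# "key\valuename" -> data as they would be read from the registry. Key paths are
# assumed (the report elides them); the Tcpip entry is a benign control.
SAMPLE_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Babyruth\Local Settings\Application Data\google_update.exe,",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Google Live":
        r"C:\Documents and Settings\Babyruth\Local Settings\Application Data\google_update.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Live":
        r"C:\Documents and Settings\Babyruth\Local Settings\Application Data\google_update.exe",
    r"HKLM\SYSTEM\ControlSet001\Services\3259\ImagePath":
        r"\??\C:\DOCUME~1\Babyruth\LOCALS~1\Temp\3259.sys",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ImagePath":
        r"system32\DRIVERS\tcpip.sys",
}

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Locations a non-admin process can write to on XP (assumed list); nothing that
# logon or a kernel driver depends on should be loaded from there.
USER_WRITABLE_MARKERS = ("c:\\documents and settings\\", "c:\\docume~1\\", "\\temp\\")
# C:\RECYCLER\<SID>\$<32 hex>\... as listed under "Particular Files / Folders" above.
ZEROACCESS_RE = re.compile(r"^c:\\recycler\\s-1-5-[\d-]+\\\$[0-9a-f]{32}(\\|$)")


def norm(path: str) -> str:
    """Lower-case a path, strip quotes and the NT \\??\\ prefix used in ImagePath."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def userinit_extras(data: str) -> List[str]:
    """Userinit is comma-separated; every entry is run at logon. Return the extras."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if norm(e) != EXPECTED_USERINIT]


def repaired_userinit(data: str) -> str:
    """Drop the extras but always keep userinit.exe; an empty value breaks logon."""
    keep = [e.strip() for e in data.split(",") if norm(e) == EXPECTED_USERINIT]
    return ",".join(keep or [r"C:\WINDOWS\system32\userinit.exe"]) + ","


def in_user_writable(path: str) -> bool:
    p = norm(path)
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def is_zeroaccess_path(path: str) -> bool:
    return ZEROACCESS_RE.match(norm(path)) is not None


def audit(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Apply the three registry checks; returns (key, reason) per finding."""
    findings = []
    for key, data in values.items():
        k = key.lower()
        if k.endswith("\\winlogon\\userinit"):
            for extra in userinit_extras(data):
                findings.append((key, "Userinit chain-loads " + extra))
        elif "\\currentversion\\run\\" in k and in_user_writable(data):
            findings.append((key, "autorun from user-writable path: " + data))
        elif k.endswith("\\imagepath") and in_user_writable(data):
            findings.append((key, "service/driver image in user-writable path: " + data))
    return findings


if __name__ == "__main__":
    for key, why in audit(SAMPLE_VALUES):
        print(key, "->", why)
    ui = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
    print("repaired Userinit:", repaired_userinit(SAMPLE_VALUES[ui]))
```

The Userinit handling is the part worth copying: treat the value as a list, remove what does not belong, and write back the known-good entry with its trailing comma rather than deleting the value. The path heuristics are the same idea RogueKiller labels SUSP PATH: a Run entry or a driver ImagePath under a profile or Temp directory is not proof of malice on its own, but on a machine showing ransomware lock-screen behaviour it is where to look first. Nothing here touches the inline hook in atapi.sys the report also lists; that is kernel-level and needs the offline boot CD CompCav was steering towards.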

#13 CompCav (Expert, Member 5k, 12,448 posts)
OK, please run RogueKiller again, or if you already did, post the ShortcutsFix log.

#14 CompCav (Expert, Member 5k, 12,448 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.