[crazy4laptops]

I am stumped as to how to find a reliable resource for destroying the FBI Moneypak virus. Running XP Pro on a domain. It has not been detected by MalwareBytes, Super Anti-Spyware or MSE.

All of them are up to date.

I've been able to suppress it from starting, but it's still lurking on the system... somewhere

Should I just format and re-install?

[LiveBrianD]

With something that nasty, I would definitely reinstall. That said, have you tried scanning in safe mode?

[Flashorn]

Hey crazy !

That Ransomeware has been around for a while now. It has the ability to infect Out-Of-Date programs
such as Flash Player and Java. Are yours up-to-date ??

You might want to try this scanner in safe mode:

http://www.emsisoft....n/software/eek/

Run as Administrator if necessary.

It's a Big download so, be patient.

No install needed. You can also run from a USB stick.

Also, update if it asks.

Quarantine what it finds. Do Not delete any infected files.

A few instructions from BleepingComputers :

http://www.bleepingc...-emergency-kit/


If this fails, run ComboFix.in Normal mode. You might want to rename it before you download

BUT, it HAS to be on your Desktop. Run as Administrator if needed.

Be very careful that you DO NOT touch the mouse while ComboFix is scanning. It will stall and fail.

Download from here :

http://majorgeeks.co...ofix_d6402.html

You should find the log on C:// root.

Run MalwareBytes' after Emsisoft if it finds the infected files.
If it can't find the files , run ComboFix and then run MalwareBytes' .


Post the logs from all please.



FLASHORN.

This post has been edited by Flashorn: 04 November 2012 - 02:28 PM

[crazy4laptops]

Attached is Combofix

Still running EEK

Attached File(s)

•  Killlog.txt (15.9K)
  Number of downloads: 29

[mjd420nova]

I think this recent spate of virus attacks smacks of some old resurrected trojans. Short of a format and reinstall, a restore may solve the problem (from safe mode) without loss of data.A recent client had the PC Defender Plus and only a restore would let the anti-virus programs work. Ransomware is an apt term. All system tools were disabled and the pop-ups wanted you to go to their site to removed the virus. All the while pop-ups keep telling you your financial data is being stolen and some other FAKE messages aimed to get you to give them your credit card number. The only virus was that program. The user said he was attempting to download the Adobe Reader when it just stopped and flashed the fake warning. I heard of this before, inserting a redirection in a google link and other search engines.

[Flashorn]

crazy4laptops, on 04 November 2012 - 06:47 PM, said:

Attached is Combofix

Still running EEK

Hey crazy !

Please do not attempt to Restore as we don't know When this Trojan was installed

Is the keyboard and mouse still working?

Combo seems to have deleted some of the junk deposited by the Trojan.
Doesn't mean it's all gone and there is still one entry that I would like too see
if HijackThis will detect. It should be in the startup folder and named ctfmon.lnk
instead of the real one ctfmon.exe .

Could you run HijackThis :

http://sourceforge.net/projects/hjt/

and post or paste the log from it please.

Can you connect to the web after the scan of MalwareBytes' ?

Has EEK finished it's scan and did it find any of the infected files?
If you have the FBI Trojan, the scan should com back with

Trojan.Win32.Reveton

Although , it might have mutated to some other name, this is the one we know of for now.

Please post or paste the log file from the scan.

Did I see a Java 6 update still installed or are you running the Java update 7 revision 9 ?

All programs have to kept up to date or you face the possibility of infection by multiple Trojans
and not just this one.


FLASHORN.

This post has been edited by Flashorn: 04 November 2012 - 10:12 PM

[LincolnSpector]

Hi, Crazy.

My recommendation: Use a bootable, Linux-based anti-malware program. I recommend Kaspersky Rescue Disk or the F-Secure Rescue CD. Or both.

Another possibility: Follow these directions: http://www.spywarehe...l-instructions/.

Lincoln

[crazy4laptops]

running HJThis soon

heres the EEK log

the internet works fine, im doing these scans remotely.

Attached File(s)

•  a2scan_121104-204828.txt (814bytes)
  Number of downloads: 4

[Flashorn]

LincolnSpector, on 05 November 2012 - 08:38 AM, said:

Hi, Crazy.

My recommendation: Use a bootable, Linux-based anti-malware program. I recommend Kaspersky Rescue Disk or the F-Secure Rescue CD. Or both.

Another possibility: Follow these directions: http://www.spywarehe...l-instructions/.

Lincoln

Hey Lincoln !

You know, if it's going to a free tool then why should we have to do anything else than just download and use.

On your last recommended link, if you read down to # 9 , you'll see that this is not the case :

Quote

9
After you click “Fix Checked” you are going to need to register PC Tools to remove FBI MoneyPak Virus. Please register PC Tools and the FBI MoneyPak Virus will be removed.

I don't like being asked to give any particulars to anyone if I can avoid it.

In this case, this is totally unacceptable.



FLASHORN.

[Flashorn]

crazy4laptops, on 05 November 2012 - 10:28 AM, said:

running HJThis soon

heres the EEK log

the internet works fine, im doing these scans remotely.

Hey crazy !

OK, seems nothing was found. That is a good sign.

ComboFix did it's work once again.

Waiting for the HJT log.

Run MBAM and post log if anything is found.
Just let me know you ran the scan.

Are you getting any pop-ups ??

Will clean up with other tools than with CCleaner
and delete and uninstall tools already used.



FLASHORN.

[crazy4laptops]

HJThis log attached

MBAM quickscan has found Trojan.ransomware, re-running full scan just in case

Attached File(s)

•  hijackthis.txt (6.64K)
  Number of downloads: 36
•  mbam-log-2012-11-05 (17-44-08).txt (3.23K)
  Number of downloads: 10

[Flashorn]

Hey crazy !

A quick look at HJT .

Do you know of BCM.com ?

BCM.edu would be the college for medicine.

Is this PC at this school ??

Also, this item "

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

This is for Quickbooks which I see is installed on this PC and is it still in use ??

Will take a longer look a little bit latter.

Running ComboFix deleted the ability for the Ransomeware to hide. This is why MBAM was able to detect and delete.



FLASHORN.

This post has been edited by Flashorn: 05 November 2012 - 04:09 PM

[crazy4laptops]

Flashorn, on 05 November 2012 - 04:08 PM, said:

Running ComboFix deleted the ability for the Ransomeware to hide. This is why MBAM was able to detect and delete.

FLASHORN.

I did not know the powers of ComboFix. Thanks!

As far as BCM.com that's normal, this is a computer at a campus outreach group.

[Flashorn]

Hey crazy !

Yes, ComboFix is that powerful. It should also be handled with Extreme care.
Specific instructions (which I didn't give because I thought you knew how to handle it) should
have been :

If you are to use this security program, Please make sure to follow these directions completely.

Download to Desktop (a must)
Rename if before downloading if denied. (Do not run in Safe Mode.)
Disconnect from internet.
Disable ALL security programs and Not Exit. (Norton will give problems with this)
Run scan by Right Clicking and choose "Run as Administrator" (Vista and W7)
Double click on the .exe on the desktop to run for XP (all versions.)
In XP, you might be asked to download the Recovery Console. Please let it.
Run the program and Do Not Touch Mouse While It's Scanning.. This will stall the program and will fail to scan.
Collect the Log File from C:\\ root.
When done, uninstall ComboFix in this fashion:
In XP,
Start > All programs > Accessories > RUN. OR Windows Key plus "R"
Type or copy & paste this command line in the Run Box :

combofix /uninstall

Notice the space between combofix and slash. It has to be there.
Click on the OK button.
A Open File security warning will appear asking if you are sure you want to run ComboFix. Please click on the Run button to start the program.

ComboFix will now uninstall itself from your computer and remove any backups and quarantined files. When it has finished you will be greeted by


a dialog box stating that ComboFix has been uninstalled. You can now delete the ComboFix.exe program from your computer. ComboFix has


now been uninstalled from your Windows XP computer.


In Vista - W7 :

Click on the Start button and then in the Search field enter combofix /uninstall .
Once you have typed this in, (Copy & Paste would be safer) press Enter on your keyboard. A Open File security warning will appear asking if you


are sure you want to run ComboFix. Please click on the Run button to start the program.

ComboFix will now uninstall itself from your computer and remove any backups and quarantined files. When it has finished you will be greeted by


a dialog box stating that ComboFix has been uninstalled. Delete the .exe from your Desktop.





You always try the first responders in the opening volley, meaning, you scan with what we normally use such as the ones you
have scanned with initially.MBAM , SaS , MSE and then, if this didn't work , you would go on to something a little stronger.

There is also help from MS with this off line scanner :

http://technet.micro...e/hh547009.aspx

A Rootkit for example, would demand a scan with TDSSKiller from Kaspersky.

For stubborn Trojan I would download and run DrWeb CureIt

https://www.freedrwe...it+free/?lng=en

This is a big download but, no install and all downloads are up-to-date.
If you need to run it again a few days latter, you will be asked to re-download a new .exe as this is updated everyday.

Quote

As far as BCM.com that's normal, this is a computer at a campus outreach group.

OK then, the rest of the HJT log is clean.

You should now download and run this cleaner from :

http://www.softpedia...dwCleaner.shtml

Install and run this program by clicking on the Search button on the bottom

Please Do Not use the Delete button until I have had a chance to look at the Log which can be found on the C:\\Root
Or by clicking on the Report button on the Main GUI.

Please post that log.

You can follow the instructions above to uninstall ComboFix now if you choose too.



FLASHORN.

[smax013]

LincolnSpector, on 05 November 2012 - 08:38 AM, said:

Hi, Crazy.

My recommendation: Use a bootable, Linux-based anti-malware program. I recommend Kaspersky Rescue Disk or the F-Secure Rescue CD. Or both.

Another possibility: Follow these directions: http://www.spywarehe...l-instructions/.

Lincoln

I am using the Kaspersky Rescue Disk on a computer with the FBI Moneypak Trojan right now (basically what is labelled as "Method 3" on this page:http://malwaretips.com/blogs/remove-fbi-alert-moneypak-virus/). It allowed me back in, so now scanning with MBAM.