Need help with FBI Moneypak virus! Can't get it to go away!


  • This topic is locked
22 replies to this topic

#1 KJK

KJK

    New Member

  • Members
  • 11 posts

Posted 18 December 2012 - 02:07 PM

My computer got the FBI Moneypak virus a few days ago. I ran rKill and Malwarebytes and removed the affected files mbam found. A few hours later it showed up again. I did the same thing. Went to a web page and it happened again. It starts with Adobe Flash Player asking to make changes to the computer. If I choose "no" the virus takes over. The first 2 times I was able to Ctrl-Alt-Delete to get out of it and run mbam. The last time a black screen took over. Restarted in safe mode and ran rKill and mbam. Found several threats, including in the recycle bin. Restarted the computer and did the scan again. Found different threats. I restarted again and got a message about the recycle bin being corrupted. Emptied the recycle bin and am scanning again. Malwarebytes doesn't seem to be completely getting rid of the virus. What do I do now?

#2 Larusso

Larusso

    Selecta Jahrusso

  • Experts
  • 905 posts
  • Gender:Male
  • Location:Austria
  • Interests:Dancehall DJing, Fighting against Babilon, Bodybuilding

Posted 18 December 2012 - 03:16 PM

Hi,
my name is Daniel and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.
  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.



Download DDS and save it to your desktop from here.
Double click DDS to run the tool and press Start
Don't change any settings without instruction
  • When done, DDS will save two (2) logs to your desktop:
    • DDS.txt
    • Attach.txt
  • Please post them in your next reply

regards, Daniel

There will never be peace in a war so I don't understand what they are fighting for

I'll always help for free but if you want to support me in my fight against malware, please btn_donate_SM.gif
 


#3 KJK


Posted 19 December 2012 - 10:07 PM

Hi,
Thanks for your help! Here are the files you requested. I restarted my computer in normal mode today and so far the virus has not taken over. However, I have not run mbam yet since restarting the computer. Yesterday every time I ran the program it kept finding the same virus and did not seem to remove it: (PUM.UserWLoad) and (Trojan.Ransom). McAfee was also disabled. Since restarting my computer McAfee seems to be running fine today.

Attached Files



#4 Larusso


Posted 20 December 2012 - 01:43 AM

Download ComboFix from this location:

Link 1



* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to this topic How to disable your security applications


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

*Note - if after running ComboFix you see a message similar to 'registry key marked for deletion..' rebooting the machine will resolve that.

regards, Daniel



#5 KJK


Posted 20 December 2012 - 01:41 PM

Here is the combofix log. Thanks!

Attached Files



#6 Larusso


Posted 20 December 2012 - 02:04 PM

You are welcome.
Still any open issues? :)

Open notepad and copy/paste the text in the Code-box below into it:

DirLook::
c:\users\Swaims\AppData\Roaming\Utpora
c:\users\Swaims\AppData\Roaming\Uklus
c:\users\Swaims\AppData\Roaming\Ovtu
c:\users\Swaims\AppData\Roaming\Gaxo
c:\users\Swaims\AppData\Roaming\Tate
c:\users\Swaims\AppData\Roaming\Ebexi


  • Save this as CFScript.txt, in the same location as ComboFix.exe.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Daniel



#7 KJK


Posted 20 December 2012 - 04:14 PM

Here is the new combofix.

Attached Files



#8 Larusso


Posted 21 December 2012 - 07:28 AM

Open notepad and copy/paste the text in the Code-box below into it:

Folder::
c:\users\Swaims\AppData\Roaming\Utpora
c:\users\Swaims\AppData\Roaming\Uklus
c:\users\Swaims\AppData\Roaming\Ovtu
c:\users\Swaims\AppData\Roaming\Gaxo
c:\users\Swaims\AppData\Roaming\Tate
c:\users\Swaims\AppData\Roaming\Ebexi
ClearJavaCache::


  • Save this as CFScript.txt, in the same location as ComboFix.exe.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.



Please download SecurityCheck and save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
Please post the contents of that document in your next reply.

regards, Daniel



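The two scripts Daniel posts are plain-text ComboFix "CFScript" files: a directive name ending in `::` followed by the folders it applies to, with a bare directive such as `ClearJavaCache::` acting as a flag. The following is an added example, not part of the thread and not ComboFix's own code, showing how a helper can parse that format and sanity-check every path before a deletion script is dragged onto the tool: the six target folders in the thread all sit under the user's own `AppData\Roaming`, and a script that strayed into `C:\Windows` or used `..` components would be a sign of a copy/paste mistake. The directive semantics (only `Folder::`, `DirLook::` and `ClearJavaCache::`, the names that appear in the thread) and the blank-line section terminator are assumptions.

```python
"""Parse a ComboFix CFScript.txt and sanity-check its paths.

Added example; not part of the forum thread or of ComboFix itself. Assumptions:
 - a directive is a line consisting of a name followed by '::';
 - the lines after a directive, up to the next directive or a blank line,
   are its arguments (filesystem paths);
 - a directive with no arguments (e.g. 'ClearJavaCache::') is a flag.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the second script posted in the thread.
SAMPLE_SCRIPT = r"""
Folder::
c:\users\Swaims\AppData\Roaming\Utpora
c:\users\Swaims\AppData\Roaming\Uklus
c:\users\Swaims\AppData\Roaming\Ovtu
c:\users\Swaims\AppData\Roaming\Gaxo
c:\users\Swaims\AppData\Roaming\Tate
c:\users\Swaims\AppData\Roaming\Ebexi
ClearJavaCache::
"""

# Directives from the thread whose arguments are filesystem paths.
PATH_DIRECTIVES = {"Folder", "DirLook"}

# Locations a user-profile cleanup script should never name (assumed list).
PROTECTED_PREFIXES = (
    r"c:\windows",
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\programdata",
)


@dataclass
class CFScript:
    sections: dict[str, list[str]] = field(default_factory=dict)

    def paths(self) -> list[str]:
        """All arguments of the path-taking directives, in script order."""
        return [p for d, ps in self.sections.items() if d in PATH_DIRECTIVES for p in ps]


def parse_cfscript(text: str) -> CFScript:
    """Split the script into {directive: [arguments]}, preserving order."""
    script = CFScript()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None  # a blank line ends the current directive block
            continue
        m = re.fullmatch(r"([A-Za-z]+)::", line)
        if m:
            current = m.group(1)
            script.sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"argument outside any directive: {line!r}")
        else:
            script.sections[current].append(line)
    return script


def _norm(path: str) -> str:
    """Normalise to a lower-case, backslash-separated form for comparison."""
    return path.replace("/", "\\").rstrip("\\").lower()


def check_paths(script: CFScript, profile_root: str) -> list[str]:
    """Return a list of problems; empty means every path lies inside the
    expected user profile and outside the protected system locations."""
    root = _norm(profile_root) + "\\"
    problems = []
    for p in script.paths():
        n = _norm(p)
        if ".." in n.split("\\"):
            problems.append(f"relative traversal component in {p!r}")
        elif not n.startswith(root):
            problems.append(f"outside {profile_root}: {p!r}")
        if any(n == pre or n.startswith(pre + "\\") for pre in PROTECTED_PREFIXES):
            problems.append(f"protected system location: {p!r}")
    return problems


if __name__ == "__main__":
    s = parse_cfscript(SAMPLE_SCRIPT)
    for directive, args in s.sections.items():
        print(directive, args)
    print(check_paths(s, r"c:\users\Swaims") or "all paths inside the user profile")
```

Run against the thread's script the checker reports no problems, because all six folders are under `c:\users\Swaims`; the same function rejects a path under `C:\Windows` or one containing `..`, which is the kind of slip worth catching before a tool that deletes folders is pointed at it.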
#9 KJK


Posted 21 December 2012 - 01:59 PM

I attached the ComboFix Report.


ESET did find a threat:
C:\Qoobox\Quarantine\C\ProgramData\ms026309FB.dat.vir a variant of Win32/Kryptik.AQPB trojan


Here are the results from Security Check:

Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x64 (UAC is enabled)
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
McAfee Anti-Virus and Anti-Spyware
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Java™ 6 Update 15
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Adobe Reader 10.1.3 Adobe Reader out of Date!
Mozilla Firefox (3.6.12) Firefox out of Date!
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
Google Chrome 23.0.1271.64
Google Chrome 23.0.1271.91
Google Chrome 23.0.1271.95
Google Chrome 23.0.1271.97
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
McAfee Online Backup MOBKbackup.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

Attached Files
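The SecurityCheck log above is what Daniel reads to decide which "security holes" to close next: the entries flagged "out of Date!", and products listed more than once (nine Google Chrome builds, two Adobe Readers), which is why his later instructions say to uninstall all previous versions. The following is an added example, not part of the thread and not SecurityCheck's own code, that turns such a log into a short triage summary. Its only knowledge of the format comes from the single log quoted above (section titles wrapped in backticks, flagged lines ending in "out of Date!", a flag line without a version such as "Java version out of Date!" referring to the entry before it); those are assumptions, and the sample is an excerpt of the posted log.

```python
"""Triage a screen317 SecurityCheck log.

Added example; not part of the forum thread or of SecurityCheck. The log
layout is assumed from the one log quoted in the thread.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: an excerpt of the log posted in the thread.
SAMPLE_LOG = """\
Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x64 (UAC is enabled)
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
McAfee Anti-Virus and Anti-Spyware
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Java™ 6 Update 15
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Adobe Reader 10.1.3 Adobe Reader out of Date!
Mozilla Firefox (3.6.12) Firefox out of Date!
Google Chrome 21.0.1180.83
Google Chrome 22.0.1229.94
Google Chrome 23.0.1271.97
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
"""

# A section title line: backticks, the title (optionally ending in ':'), backticks.
SECTION_RE = re.compile(r"^`+\s*(?P<title>.+?)\s*:?\s*`+$")
# A product entry: a name without digits, then a version like 9, 10.1.3 or (3.6.12).
ENTRY_RE = re.compile(r"^(?P<name>[^\d(]+?)\s*(?:version\s+)?\(?(?P<ver>\d[\w.]*)\)?")
OUTDATED = "out of Date!"

UTILITIES = "Anti-malware/Other Utilities Check"
ANTIVIRUS = "Antivirus/Firewall Check"


def split_sections(log):
    """Group the non-blank lines of the log under their section titles."""
    sections = defaultdict(list)
    current = "header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("title")
            continue
        sections[current].append(line)
    return dict(sections)


def parse_utilities(lines):
    """Return [(name, version, outdated)] for the utilities section."""
    entries = []
    for line in lines:
        flagged = line.endswith(OUTDATED)
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group("name").strip(), m.group("ver"), flagged])
        elif flagged and entries:
            # e.g. 'Java version out of Date!' qualifies the entry just before it
            entries[-1][2] = True
    return [tuple(e) for e in entries]


def triage(log):
    """Summarise what a helper would act on: firewall state, an antivirus
    registration warning, out-of-date software and duplicate installs."""
    sections = split_sections(log)
    utils = parse_utilities(sections.get(UTILITIES, []))
    av = sections.get(ANTIVIRUS, [])
    counts = Counter(name for name, _, _ in utils)
    return {
        "firewall_enabled": any("Firewall Enabled" in l for l in av),
        "antivirus_warning": any(l.startswith("WMI entry may not exist") for l in av),
        "outdated": sorted({(n, v) for n, v, o in utils if o}),
        "multiple_versions": {n: c for n, c in counts.items() if c > 1},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the excerpt the summary lists Java 6, Flash Player 10, both Adobe Reader versions and Firefox 3.6.12 as out of date, and reports Adobe Reader and Google Chrome as installed more than once; the full log in the thread would show nine Chrome entries.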



#10 KJK


Posted 22 December 2012 - 10:04 AM

Do you know why I cannot use Powerpoint? I try to load the program and Office 2010 comes up and says it's configuring. Then it says there is an error and it can't find the files or connect to the network. It directs me to a temp file for more information. I didn't go to that file. Then it tries to connect to update and install and says there is an error. Then it shuts down. Is this connected to the virus? Or to one of the programs we ran? I really need this program for work ASAP! Thanks.

#11 Larusso


Posted 22 December 2012 - 10:42 AM

The threat found by ESET is in a quarantine folder from one of our tools.

I am not really familiar with Office, but could you give me the exact error message?

regards, Daniel



#12 KJK


Posted 22 December 2012 - 05:51 PM

I'm not able to copy the error message. What I am getting now is this when I try to open up Microsoft Word: "The feature you are trying to use is on a network resource that is unavailable. Click OK to try again, or enter an alternate path to a folder containing the installation package 'Office64WW.msi' in the box below."
Use source:
C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\

It's like the programs got uninstalled and need to be reinstalled with the cd-rom. These are programs we added to the computer after purchasing. Do you know if that is common? I can try that and see if it fixes the problem.

Is the virus gone now? Are there more steps I need to take? Thanks for your help!!

#13 Larusso


Posted 23 December 2012 - 12:24 PM

Hi there.

Is MS Word installed on your hard drive? It sounds like it has been installed on a network drive. You can try to reinstall it.

Let's fix some security holes now.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment 7 Update 10 and save it to your desktop.
  • Scroll down to where it says Java SE 7 Update 10
  • Click the red Download JRE button on the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u10-windows-i586 to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are three options in the window to clear the cache - Make sure all are checked
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.



Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Untick Free McAfee® Security Scan Plus if you do not wish to include this in the installation.
  • Click Download
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.



To Update Firefox please follow the instructions here: http://www.mozilla.o...firefox/update/

regards, Daniel



#14 KJK


Posted 26 December 2012 - 09:30 AM

I updated Adobe Reader and Java. With Java I get a pop-up saying "The Java plug-in SSV Helper add on is ready for use. Enable? Don't Enable?" Should I enable that add-on? Also, I uninstalled Adobe Acrobat X Pro 10.1.0. Is that ok?

Do I need to update Firefox if I don't use it?

Do I need to update my Flash Player? How do I do that?

Is there anything else I need to do?

Thanks for your help! I appreciate it!

#15 Larusso


Posted 26 December 2012 - 10:17 AM

If you don't use Firefox, then uninstall it ;)
Every piece of software on your system must be up to date, even if you don't use it.

Sorry, I missed the instruction for Flash Player. --> http://www.adobe.com.../downloads.html

How about MS Word ? Did reinstalling it solve the issue ?

regards, Daniel



#16 KJK


Posted 26 December 2012 - 01:08 PM

I uninstalled firefox and installed the new flash player. I'm still trying to find my product key for MS Word, so haven't gotten to reinstall that.

Do I need to remove any of the programs we used to clean up the computer, such as combofix?

Thanks!

#17 Larusso


Posted 27 December 2012 - 09:02 AM

Hi there.
All tools will be removed after the cleanup.

Please bear in mind to defrag your disk if it is not an SSD.


Please launch DDS.
Make sure that the following options are checked:
  • DDS.txt
  • attach.txt
Press the Start Button.
When done, DDS will open both logfiles which will also be saved on your desktop.
Please post them in your next reply.

regards, Daniel



#18 KJK


Posted 27 December 2012 - 03:03 PM

I defragmented my hard drive. Here are the dds files. Thanks. Do you know anyone who would know something about what's going on with my microsoft office? On the dds file it shows that it's on my hard drive...that's where it's installed. But it can't access it.

Attached Files



#19 Larusso


Posted 27 December 2012 - 09:48 PM

Hi there.

The new logfiles appear clean :)
I'll ask in our private area for advice about the MS Word issue.

regards, Daniel



#20 Larusso


Posted 02 January 2013 - 04:52 AM

Hi, and sorry.
Have you tried reinstalling MS Word yet?

regards, Daniel





