Working fix for FBI moneypak rogue?

mandywls (TechnicalUser)
27 Jun 12 8:45
Hi all,

Can someone recommend a working fix (with a free tool or manual removal instructions) for this fake antivirus? I checked at least twenty sites found on Google, most of them having the same "solutions", but so far nothing works (I simply cannot find anything wrong under running processes, like AI983d4f.exe, but still I get the rogue window popping up). The virus runs in Safe mode too, so it is kinda hard to clean. I repeat - nothing suspicious in the running processes (used Process Explorer by Sysinternals).

Thanks in advance
goombawaho (MIS)
28 Jun 12 9:25
Run the following from safe mode if they won't run from regular mode.
Download the apps from another computer onto a memory stick if the internet is not cooperating on the infected PC.

Reboot as asked - don't proceed to the next step if asked to reboot.
1. Run CCleaner and clean out all temp files that it finds.
2. Download and run RKill (rkill.scr or rkill.com)
3. Run TDSSKiller
4. Run Malwarebytes Anti-Malware

Report back.
kjv1611 (TechnicalUser)
28 Jun 12 15:29
Another method you might want to use that we often forget about:
  1. Use Windows System Restore (if able) to recover to a time prior to the virus' known existence on the PC. So, if you knew it happened last Friday, or at least by then, perhaps go back another week or two prior to that, at least.
  2. After running System Restore, then run a few cleaners - Malwarebytes, SuperAntiSpyware, CCleaner, or others of your choosing. If you go with SuperAntiSpyware, you may want to kill off the startup options from within that application (application starting up with Windows), and also kill off the service (it's listed as SAS Core... something or other). I usually stop the service and set it to manual just in case SAS needs it when I do scan with it.
  3. Make sure your antivirus is up to date, and make sure you're using a pretty good one if it's in your power to choose. You can check out various reviews online, and there are lots of good charts, lists, and whatnot to read here: http://www.av-comparatives.org/

"But thanks be to God, which giveth us the victory through our Lord Jesus Christ." 1 Corinthians 15:57

mandywls (TechnicalUser)
12 Jul 12 5:56
Thank you goombawaho and kjv for the quick replies. I did as goombawaho suggested. When I ran TDSSKiller it said it found something and then removed it. Malwarebytes found the actual FBI virus and cleaned it too. Surprisingly, yesterday FBI MoneyPak appeared again. I tried to remove it again with Malwarebytes but this time it didn't find the virus. I ran 2 scans in a row - no luck. Today I tried these and these instructions, again with no luck. BTW, this time TDSSKiller did not find anything. Is this a new, harder-to-remove version of the FBI virus?


Thanks in advance,
Mandy
goombawaho (MIS)
12 Jul 12 8:25
You might have a trojan downloading more stuff (worse stuff, different stuff??) behind your back.

I'd say it's time to do the following.
1. Disconnect PC from network/internet
2. Download combofix onto a memory stick
3. Remove your anti-virus program (YES, remove and reboot computer)
4. Run ComboFix from regular mode as an administrator user. If it won't run, try safe mode.

Fair warning: In very few instances, I've seen ComboFix hose a computer to where it won't boot, usually due to removing a needed and infected DLL and not getting it replaced. But I'd say it happened twice out of using it about 100 times.

It's either try Combofix, post your problem at BleepingComputer where it will take a week to get started with the process of them helping you or format/reload. Decision time.
SJohnson4611 (TechnicalUser)
25 Oct 12 16:07
Had the same problem on a user's PC - Malwarebytes found it and removed it but it came back. Finally removed it with "Autoruns".

Scott
sggaunt (Programmer)
29 Oct 12 13:33
Autoruns will only list auto-start programs that are not doing a good job of hiding; also, autorun detection is part of Malwarebytes' function. So I would suspect that the infection is still present, and if Malwarebytes still cannot see anything, I would run ComboFix (see previous posts).

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

BadBigBen (MIS)
29 Oct 12 19:36
to quote someone: "I'd say it's time to do the following."

I'd say, instead, do a clean install...

Quote:

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that.
Source: "Help: I Got Hacked. Now What Do I Do?"
http://technet.microsoft.com/library/cc512587.aspx

With that in mind, boot to a Linux LiveCD or a BartPE/WinPE CD/DVD, and save your personal DATA to an external drive (so that it can be scanned before transferring it back to the freshly installed OS)...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

goombawaho (MIS)
30 Oct 12 7:28
The OP hasn't checked back since July, so MAYBE it's resolved << (sarcasm)
goombawaho (MIS)
31 Oct 12 14:02
I had an opportunity to fight this one today and win. Turned out the actual screen that bothers the !@#! out of you was launched from here (see below). Removing it from the registry and deleting the file fixed it. You have to be able to boot to something like BartPE, Windows PE, etc. where you can delete a file and preferably edit the registry.

This was an XP machine, FYI

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\Documents and Settings\All Users\Application Data\MalwareName.exe"

It was named something funky with an underscore to start the file name.

BadBigBen (MIS)
1 Nov 12 16:47
Thanks for the update there Goom, luckily I never had to deal with that trash myself. I don't do much private PC cleanup these days anymore...

Thus knowing what fixed it is always appreciated, although here in Germany I've not seen it yet (the FBI one), but we have a similar one called the GEMA Virus...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

crackoo (Programmer)
2 Nov 12 19:25
Try RogueKiller

Description: RogueKiller is a program written in C++ and able to:
  • Kill malicious processes
  • Stop malicious services
  • Unload malicious DLLs from processes
  • Kill malicious hidden processes
  • Find and remove malicious autostart entries, including:
    • Registry keys (RUN/RUNONCE, ...)
    • Tasks (Scheduler 1.0/2.0)
    • Startup folders
  • Hijack entries, including:
    • Shell / Load entries
    • Extension association hijacks
    • DLL hijacks
  • Read / Fix DNS hijacks (DNS Fix button)
  • Read / Fix proxy hijacks (Proxy Fix button)
  • Read / Fix hosts hijacks (Hosts Fix button)
  • Restore shortcuts / files hidden by rogues of type "Fake HDD"
  • Read / Fix malicious Master Boot Record (MBR) -- even when hidden by a rootkit
  • List / Fix SSDT - Shadow SSDT - IRP hooks (even with inline hooks)
  • Find and restore system files patched / faked by a rootkit

Also able to remove lots of actual infections, including ZeroAccess, TDSS, all rogues, and much ransomware. Detections are blacklist/whitelist based or heuristic based.
goombawaho (MIS)
3 Nov 12 8:30
So crackoo, I guess you missed the part of my post where I said I had removed the malware.

Everyone should be wary of the "new best anti-malware removal tool" from a Google search. Lots of links are to crapware or actually more malware. Not saying the product above is crapware/malware, but just beware of what you click on, as always.

I always try to use the manual removal method first before I turn software loose on someone's computer. I don't post that in the forums because it's more complicated, you have to have the right boot CDs and it's kind of different for each malware. Your average Joe is not going to be able to do it.
xit (TechnicalUser)
17 Nov 12 15:51
In defense of crackoo, just out of curiosity: I had this same FBI virus and had been screwing with it for some time and was ready to do a reinstall. I thought I would give it a try, nothing to lose, so I downloaded and ran it; it found 5 files, so those were deleted. I restarted XP and all is well, go figure. Very small program, took less than 5 mins. to run. I will do a little more study on this program.

xit
goombawaho (MIS)
18 Nov 12 8:15
My point was only that when removing malware, don't just download anything off the internet and end up making your life worse. There are lots of web pages with "fixes xyz, tunes up your computer", etc. Lots of it is just crapware but some is actually probably more like malware.
xit (TechnicalUser)
18 Nov 12 9:21
goombawaho, your point is well taken and you are 100% correct that most of those supposedly "helpful" programs are a problem waiting to happen. Over the years I have gathered just a handful of programs that have proven themselves as useful, but I am always on the hunt for a new one.

xit
BadBigBen (MIS)
18 Nov 12 12:09
>> but I am always on the hunt for a new one.

MBAR comes to mind. An anti-rootkit from Malwarebytes; note it is still BETA...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

xit (TechnicalUser)
18 Nov 12 12:27
Thanks Ben, looks promising. Anything Malwarebytes puts out is usually top notch; I will give it a whirl at the next opportunity.
sggaunt (Programmer)
18 Nov 12 15:40
Malwarebytes Anti-Rootkit detects COMODO's guard64.dll as possible rootkit activity in AppInit_DLLs; they probably need to fix this.

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

BadBigBen (MIS)
19 Nov 12 3:47
SG,

Haven't tested it on my Win7 x64 rig yet, just on my work PC (XP 32-bit), and there it did not detect anything (clean PC to start with) and nothing from Comodo as a false positive...

But then again, it is still in the BETA stage...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

sggaunt (Programmer)
19 Nov 12 4:07
Sorry, should have added: running it on Windows 7.

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

BadBigBen (MIS)
19 Nov 12 4:31
SG,

>> Sorry should have added running it on Windows 7

I gathered that from "guard64.dll" ;) ...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

DTracy (Programmer)
21 Nov 12 13:40
I just tried out MBAR. Excellent product! Very well thought out, and it has contingency plans in case of catastrophic failure. As with previous Malwarebytes products, I'm sold.

Thanks and have a nice day,
David.
goombawaho (MIS)
22 Nov 12 9:04
Another update on the MoneyPak malware:
MBAM found nothing. MBAR found some things but didn't snuff it. Neither did ComboFix, etc. I couldn't find where it was starting from in Windows 7 and/or remove it from the recovery environment command prompt.

Props to crackoo - RogueKiller snuffed it out right now, like stepping on a roach.

It also fixed a bunch of screwed-up links (like IE9 would not open when clicking on the big blue E). Very nice tool. The only issue is that the PC has to be bootable. I had two computers yesterday that both had the MoneyPak malware and one was rendered non-bootable.
goombawaho (MIS)
22 Jan 13 12:24
UPDATE: Another successful slaying of this malware today by me using manual file system deletion and RogueKiller. Here are some of the paths to check on a Windows 7 machine for any suspicious files. You're going to have to be a bit savvy to delete the files causing the problem. They're randomly named and AREN'T "malware.exe", but you can look at the modified date to see if it coincides with the infection.

Best bet is to try safe mode first, then safe mode with command prompt, then a bootable CD of some type. These are the actual "finds" by RogueKiller.
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell"="C:\Users\InfectedUserName\AppData\Roaming\ldr.mcb,explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\Users\InfectedUserName\LOCALS~1\Temp\msubovrs.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SonyAgent"="C:\Windows\Temp\temp78.exe"

Look in these folders to manually delete files if you can't get a Windows GUI:
%appdata%\microsoft\windows\start menu\programs\startup
%userprofile%\appdata\local\temp
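The two manual finds in this thread (goombawaho's XP machine, where the HKLM Winlogon "Shell" value had a second executable appended, and the Windows 7 machine above, where RogueKiller turned up a per-user "shell" override, a Windows\"Load" value and a Run entry under C:\Windows\Temp) all come down to the same small set of autostart locations. The script below is an added example, not a tool or code from the thread: it audits those locations and flags anything that deviates from the clean default or launches from a user-writable directory. Run it from an elevated PowerShell prompt in safe mode with command prompt (the posts note the lock screen also runs in normal safe mode). The 14-day window, the suspicious-directory list and the extension list are assumptions chosen to match the paths the thread reports, not values from the posts.

```powershell
# Added example, not from the thread: audit the autostart points named in the
# posts above (Winlogon Shell/Userinit, HKCU Windows\Load and \Run, Run/RunOnce
# keys, Startup folders, Temp directories). Reports only; nothing is deleted.

$RecentDays = 14   # assumed window; set to when the lock screen first appeared

# Directories a legitimate Shell/Userinit/Load value never points into (assumed list).
$SuspiciousDirs = @('\AppData\', '\Temp\', '\ProgramData\', '\Application Data\', '\LOCALS~1\')

function Test-SuspiciousPath {
    param([string]$Value)
    foreach ($d in $SuspiciousDirs) { if ($Value -like "*$d*") { return $true } }
    return $false
}

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Location, [string]$Name, [string]$Value, [string]$Why)
    $Findings.Add((New-Object PSObject -Property @{ Location = $Location; Name = $Name; Value = $Value; Why = $Why }))
}

# 1. Winlogon values. On a clean machine HKLM Shell is exactly "explorer.exe" and
#    the HKCU copy of Shell, plus HKCU Windows\Load and \Run, do not exist at all.
$wl = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hklmWl = Get-ItemProperty -Path "HKLM:\$wl" -ErrorAction SilentlyContinue
if ($hklmWl.Shell -and ($hklmWl.Shell.Trim() -ne 'explorer.exe')) {
    Add-Finding "HKLM:\$wl" 'Shell' $hklmWl.Shell 'Shell is not exactly explorer.exe'
}
if ($hklmWl.Userinit -and (Test-SuspiciousPath $hklmWl.Userinit)) {
    Add-Finding "HKLM:\$wl" 'Userinit' $hklmWl.Userinit 'Userinit references a user-writable directory'
}
$hkcuWl = Get-ItemProperty -Path "HKCU:\$wl" -ErrorAction SilentlyContinue
if ($hkcuWl.Shell) { Add-Finding "HKCU:\$wl" 'Shell' $hkcuWl.Shell 'per-user Shell override present' }
$win = 'Software\Microsoft\Windows NT\CurrentVersion\Windows'
$hkcuWin = Get-ItemProperty -Path "HKCU:\$win" -ErrorAction SilentlyContinue
foreach ($n in 'Load', 'Run') {
    if ($hkcuWin.$n) { Add-Finding "HKCU:\$win" $n $hkcuWin.$n "per-user $n value present" }
}

# 2. Run/RunOnce under both hives: flag values whose data launches from a suspicious directory.
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            if (Test-SuspiciousPath ([string]$p.Value)) {
                Add-Finding $key $p.Name $p.Value 'Run value launches from a user-writable directory'
            }
        }
    }
}

# 3. Startup folders and Temp directories: executables modified inside the window.
$cutoff = (Get-Date).AddDays(-$RecentDays)
$dirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'),
          $env:TEMP, "$env:SystemRoot\Temp")
foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    Get-ChildItem -Path $d -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $cutoff -and
                       $_.Extension -match '^\.(exe|com|scr|dll|mcb|lnk)$' } |
        ForEach-Object { Add-Finding $d $_.Name $_.FullName "modified $($_.LastWriteTime), within $RecentDays days" }
}

# Report, then print (but do not run) the removal command for each finding.
$Findings | Select-Object Location, Name, Value, Why | Format-Table -AutoSize -Wrap
foreach ($f in $Findings) {
    if ($f.Location -like 'HK*') {
        Write-Host "Remove-ItemProperty -Path '$($f.Location)' -Name '$($f.Name)'"
    } else {
        Write-Host "Remove-Item -LiteralPath '$($f.Value)' -Force"
    }
}
```

Deliberately the script only reports: the HKLM Shell value is the one case where a careless fix breaks the login (set it back to exactly `explorer.exe` rather than deleting it), whereas the HKCU Shell, Load and Run values can simply be removed. If the machine will not boot, load the offline hives from WinPE with `reg load` under a temporary root and point the `HKLM:`/`HKCU:` paths at that root instead; the time-based check on the Startup and Temp folders is what catches the randomly named files the thread describes.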
