Cannot Remove FBI CYBERCRIME DIVISION virus (MoneyPak Scam)

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>
Please print these instructions out so that you know what you are doing
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 

john R

New Member
Thread author
Sep 4, 2013
4
•Download OTLPENet.exe to your desktop
Can I download this to a flash drive? As my clean PC is a tablet
 

john R

New Member
Thread author
Sep 4, 2013
4
When I power up the laptop and no matter what "F" function I use I get the following message:
Windows could not start because the following file is missing or corrupt:
\Windows\system32\config\system
 

Fiery

Level 1
Jan 11, 2011
2,007
Ok, please try this:

If you like some pictures to guide you, you can find the same instructions here: http://forums.majorgeeks.com/showthread.php?t=216844

IMPORTANT:
You will need a flash drive with a size of 512 Mb or bigger. Make sure that you do not leave anything important on the flash drive, as all data on it will be deleted during the following steps.


    • Download OTLPE.iso from one of the following links and save it to your Desktop mirror1
    • Download eeepcfr.zip from the following link and save it to your Desktop: the mirror
    • Finally, if you do not have a file archiver like 7-zip or Winrar installed, please download 7-zip from the following link and install it: the mirror
  1. Once you have 7-zip installed, decompress OTLPE.iso by right-clicking on the folder and choosing the options shown in the picture below. Please use a dedicated folder, for example OTLPE, on your Desktop

    OTLPE_7zip.jpg


  2. Please also decompress eeepcfr to your systemroot (usually C:\).
  3. Empty the flash drive you want to install OTLPE on.
  4. Go to C:\eeecpfr and double-click usb_prep8.cmd to launch it.
  5. Press any key when asked to in the black window that opens.
  6. As indicated in the image, make sure you have selected the correct flash drive, before proceeding.
    For Drive Label: type in OTLPE.
    Under Source Path to built BartPE/WinPE Files click ... and select the folder OTLPE that you created on your Desktop.
    Finally check Enable File Copy.
  7. Click on Start, accept the disclaimers and wait for the program to finish.

Download Farbar Recovery Scan Tool from the below link:
  • For 32 bit systems download Farbar Recovery Scan Tool (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to the USB/flash drive.

  • Reboot your system using the bootable flash drive you just created.
  • Note : If you do not know how to set your computer to boot from Flash drive follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 

john R

New Member
Thread author
Sep 4, 2013
4
Fiery said:
Ok, please try this:



Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-09-2013 03
Ran by spike (administrator) on spike-PC on 17-09-2013 00:11:19
Running from E:\
Microsoft Windows 7 Home Premium (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================


==================== Registry (Whitelisted) ==================


==================== Internet (Whitelisted) ====================


========================== Services (Whitelisted) =================


==================== Drivers (Whitelisted) ====================

R0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-17 02:56 - 2013-09-17 00:09 - 00000000 ____D C:\Windows\Panther
2013-09-17 02:40 - 2013-09-17 02:40 - 00000000 ____D C:\Windows.old.000
2013-09-17 02:00 - 2013-09-17 02:55 - 00008192 __RSH C:\BOOTSECT.BAK
2013-09-17 02:00 - 2013-09-17 00:09 - 00010954 _____ C:\Windows\WindowsUpdate.log
2013-09-17 02:00 - 2009-07-13 20:38 - 00383562 __RSH C:\bootmgr
2013-09-17 02:00 - 2008-06-19 15:42 - 00000211 ____H C:\Boot.BAK
2013-09-17 01:59 - 2013-09-17 01:59 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2013-09-17 01:57 - 2013-09-17 02:01 - 00001313 _____ C:\Windows\TSSysprep.log
2013-09-17 01:45 - 2013-09-17 01:45 - 00000000 ____D C:\Windows.old
2013-09-17 00:11 - 2013-09-17 00:11 - 00000000 ____D C:\FRST
2013-09-17 00:10 - 2013-09-17 00:10 - 00001413 _____ C:\Users\spike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-09-17 00:09 - 2013-09-17 00:10 - 00000000 ____D C:\Users\spike
2013-09-17 00:09 - 2013-09-17 00:09 - 00000020 ___SH C:\Users\spike\ntuser.ini
2013-09-17 00:09 - 2013-09-17 00:09 - 00000000 __SHD C:\Recovery
2013-09-17 00:09 - 2013-09-17 00:09 - 00000000 ____D C:\Users\spike\AppData\Local\VirtualStore
2013-09-17 00:09 - 2009-07-13 23:42 - 00000000 ___RD C:\Users\spike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-09-17 00:09 - 2009-07-13 23:37 - 00000000 ___RD C:\Users\spike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

==================== One Month Modified Files and Folders =======

2013-09-17 02:55 - 2013-09-17 02:00 - 00008192 __RSH C:\BOOTSECT.BAK
2013-09-17 02:55 - 2009-07-13 23:57 - 00025600 ___SH C:\Windows\system32\config\BCD-Template.LOG
2013-09-17 02:55 - 2009-07-13 23:52 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2013-09-17 02:40 - 2013-09-17 02:40 - 00000000 ____D C:\Windows.old.000
2013-09-17 02:08 - 2009-07-13 23:34 - 00012208 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-17 02:08 - 2009-07-13 23:34 - 00012208 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-17 02:08 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\rescache
2013-09-17 02:07 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-17 02:06 - 2009-07-13 23:39 - 00020466 _____ C:\Windows\setupact.log
2013-09-17 02:06 - 2009-07-13 23:33 - 00266808 _____ C:\Windows\system32\FNTCACHE.DAT
2013-09-17 02:02 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-09-17 02:01 - 2013-09-17 01:57 - 00001313 _____ C:\Windows\TSSysprep.log
2013-09-17 02:00 - 2004-08-11 17:00 - 00000355 __RSH C:\Boot.ini.saved
2013-09-17 01:59 - 2013-09-17 01:59 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2013-09-17 01:57 - 2009-07-13 23:34 - 00001774 _____ C:\Windows\DtcInstall.log
2013-09-17 01:45 - 2013-09-17 01:45 - 00000000 ____D C:\Windows.old
2013-09-17 00:11 - 2013-09-17 00:11 - 00000000 ____D C:\FRST
2013-09-17 00:10 - 2013-09-17 00:10 - 00001413 _____ C:\Users\spike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-09-17 00:10 - 2013-09-17 00:09 - 00000000 ____D C:\Users\spike
2013-09-17 00:09 - 2013-09-17 02:56 - 00000000 ____D C:\Windows\Panther
2013-09-17 00:09 - 2013-09-17 02:00 - 00010954 _____ C:\Windows\WindowsUpdate.log
2013-09-17 00:09 - 2013-09-17 00:09 - 00000020 ___SH C:\Users\spike\ntuser.ini
2013-09-17 00:09 - 2013-09-17 00:09 - 00000000 __SHD C:\Recovery
2013-09-17 00:09 - 2013-09-17 00:09 - 00000000 ____D C:\Users\spike\AppData\Local\VirtualStore
2013-09-17 00:09 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\system32\Recovery

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.


LastRegBack: 2013-09-17 01:56

==================== End Of Log ============================


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 16-09-2013 03
Ran by spike at 2013-09-17 00:11:48
Running from E:\
Boot Mode: Normal
==========================================================


==================== Installed Programs =======================


==================== Restore Points =========================


==================== Hosts content: ==========================

2009-07-13 21:04 - 2009-06-10 16:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {0D9B5D92-3A22-486D-A887-3AA21597CF27} - System32\Tasks\Microsoft\Windows\Time Synchronization\SynchronizeTime => Sc.exe start w32time task_started
Task: {191232AD-26C4-49F7-BBEF-4B28DE2DEA14} - System32\Tasks\Microsoft\Windows Defender\MpIdleTask => C:\Program Files\Windows Defender\MpCmdRun.exe [2009-07-13] (Microsoft Corporation)
Task: {DED983CA-C2B2-4F3B-BD78-0A6450DE3F95} - System32\Tasks\Microsoft\Windows Defender\Mp Scheduled Scan => C:\Program Files\Windows Defender\MpCmdRun.exe [2009-07-13] (Microsoft Corporation)

==================== Loaded Modules (whitelisted) =============

2009-07-13 18:21 - 2009-07-13 20:15 - 00016384 _____ (Microsoft Corporation) C:\Windows\ehome\ehssetup.dll

==================== Faulty Device Manager Devices =============

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================

System errors:
=============
Error: (09/17/2013 02:05:04 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with the following error:
%%19


Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 3062.04 MB
Available physical RAM: 2451.91 MB
Total Pagefile: 6122.36 MB
Available Pagefile: 5464.83 MB
Total Virtual: 2047.88 MB
Available Virtual: 1882.25 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:230.3 GB) (Free:162.17 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: () (Removable) (Total:1.88 GB) (Free:1.76 GB) FAT

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: 41AB2316)
Partition 1: (Not Active) - (Size=86 MB) - (Type=DE)
Partition 2: (Active) - (Size=230 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=2 GB) - (Type=OF Extended)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: FCD4315B)
Partition 1: (Not Active) - (Size=2 GB) - (Type=06)

==================== End Of Log ============================
 
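The FRST log above is the thread's own output; the parser below is an added example (not part of the thread or of the FRST tool) that pulls the dated file-listing lines and the "ATTENTION" flags out of a few lines copied from that log, so a helper can review such a log in bulk rather than by eye. The sample text is constructed from lines shown above.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the FRST log quoted in this thread.
SAMPLE_LOG = """\
==================== One Month Created Files and Folders ========

2013-09-17 02:56 - 2013-09-17 00:09 - 00000000 ____D C:\\Windows\\Panther
2013-09-17 02:00 - 2013-09-17 02:55 - 00008192 __RSH C:\\BOOTSECT.BAK
2013-09-17 01:45 - 2013-09-17 01:45 - 00000000 ____D C:\\Windows.old

==================== Bamital & volsnap Check =================

C:\\Windows\\explorer.exe => MD5 is legit
C:\\Windows\\System32\\Drivers\\volsnap.sys => MD5 is legit
C:\\Windows\\system32\\codeintegrity\\Bootcat.cache IS MISSING <==== ATTENTION!.
"""

# One file-listing line: "<date1> - <date2> - <8-digit size> <5-char attrs> <path>".
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{8}) ([_A-Z]{5}) (.+)$"
)
# Section banner: "==================== Title ========".
SECTION = re.compile(r"^=+ (.+?) =+$")

@dataclass
class Entry:
    section: str   # FRST section the line appeared in
    date1: str     # first timestamp (creation date in the "Created" section)
    date2: str     # second timestamp
    size: int      # file size in bytes (0 for directories)
    attrs: str     # attribute flags, e.g. __RSH = read-only, system, hidden
    path: str

def parse_frst(text):
    """Return (entries, attention): parsed file lines and any lines FRST flagged with ATTENTION."""
    entries, attention, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if "ATTENTION" in line:      # FRST's own marker for findings that need a look
            attention.append(line)
            continue
        m = FILE_LINE.match(line)
        if m:
            d1, d2, size, attrs, path = m.groups()
            entries.append(Entry(section, d1, d2, int(size), attrs, path))
    return entries, attention

def hidden_system_files(entries):
    """Paths carrying both the System (S) and Hidden (H) attributes, worth a second look in a listing."""
    return [e.path for e in entries if "S" in e.attrs and "H" in e.attrs]
```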

Fiery

Level 1
Jan 11, 2011
2,007
Your system seems to be corrupted. Do you have any files that require backing up? You will most likely need to reformat.

But before we do that, boot into OTLPE

While in OTLPE, double click the OTLPE icon.
otlico.png

  • Select the Windows folder of the infected drive if it asks for a location.
  • When asked Do you wish to load the remote registry, select Yes.
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes.
  • Ensure the box Automatically Load All Remaining Users is checked and press OK.
  • OTL should now start
  • Check the boxes beside LOP Check and Purity Check
  • Press the Run Scan button
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to a USB drive if you do not have internet connection on the system.
  • Please attach the content of OTL.txt in your next reply.
 
