FBI Moneypack - Missing files in System32 folder!

[raccarva]

Hi,

I've got the nasty FBI Virus and the situation is:

- Can't access the internet;
- Can't boot Windows in Safe mode. It goes immediately to shutdown after booting;
- I could go to command prompt under "System Recovery Options" and can run 64 bit programs. Could not run OTL.exe.
- It looks like many files in the system32 folder are gone.

Can you give me any advice? I've run FRST64 and the log generated is below:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-05-2013
Ran by SYSTEM on 14-05-2013 11:05:57
Running from F:\
WIN_7 (X64) OS Language: English(US)
Boot Mode: RecoveryAttention: Could not load system hive.
Attention: System hive is missing.

==================== Registry (Whitelisted) ==================

Attention: Software hive is missing.

ATTENTION: Software hive is not loaded.

BootExecute:

==================== Services (Whitelisted) =================


==================== Drivers (Whitelisted) ====================


==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========


==================== One Month Modified Files and Folders =======


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
C:\Windows\System32\winsrv.dll IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 8%
Total physical RAM: 8142.33 MB
Available physical RAM: 7444.71 MB
Total Pagefile: 8140.48 MB
Available Pagefile: 7426.62 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Drives ================================

Drive f: (HITMANPRO) (Removable) (Total:7.48 GB) (Free:7.44 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 466 GB) (Disk ID: A0753CB5)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=466 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 0BEDF1BC)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)

==================== End Of Log ============================

Regards.

 

[kuttus]

Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:

• I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine!
• The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Refrain from running self fixes as this will hinder the malware removal process.
• It may prove beneficial if you print of the following instructions or save them to notepad as I post them.

Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
<hr />

Lets create a bootable HitmanPro Rescue Disk and run a scan:
STEP 1: Create a HitmanPro.Kickstart USB flash drive
<ol>
<li>While you are using a "clean" (non-infected) computer, <>download HitmanPro</> from the below link.
<a href="http://www.surfright.nl/en/hitmanpro/" rel="nofollow" target="_blank"> <>HITMANPRO DOWNLOAD LINK</></a> <em>(This link will open a download page in a new window from where you can download HitmanPro)</em></li>
<li>Insert your USB flash drive into your computer and then follow the instructions from the below video:
<iframe src="http://www.youtube.com/embed/aBS902Qr0oc?rel=0" frameborder="0" width="640" height="360"></iframe></li>
</ol>
STEP 2: Remove infection with HitmanPro.Kickstart
<ol>
<li>After you have create the HitmanPro.Kickstart USB flash drive, you can <>insert this USB drive into the infected machine</> and start your computer</li>
<li>Once the computer starts <>repeatedly tap the F11 key </>(on some machines its <em>F10</em> or <em>F2</em>),which should bring up the Boot Menu, from there you can select to boot from your USB.
Next,you'll need to <>perform a system scan with HitmanPro</> as see in the below video:
<iframe src="http://www.youtube.com/embed/lUNHidkYsDQ?rel=0" frameborder="0" width="640" height="360"></iframe></li>
</ol>

<hr />

 

[raccarva]

Hi, kuttus.

Thanks for the prompt reply.

I´ve read your recomendations but i have the following difficulties:

- I can´t do any backup because my files are on an encrypted partition. I could map a drive to it in the prompt but it does not recognize the file system. It looks like this partition is only recognizable when a driver is loaded for it at Windows boot time.

- I just went through the described process with the Hitmanpro.Kickstart but when i try to boot Windows by using option 1, i get windows boot manager Error 0xc000000f. Option 2 also gets a boot error.

Regards.

raccarva.

 

[kuttus]

HI,

Please back up your files using Kaspersky Rescue Disk. Find the Details here. http://malwaretips.com/Announcement-Computer-won-t-boot-up-Hard-to-remove-malware-Learn-how-to-create-and-use-a-Kaspersky-Rescue-Disk

After the backup try this...

Download and burn Partition Wizard Boot Disc

• Boot infected machine from CD you just burn.
• Push enter to choose Boot from Partition Wizard Boot Disc.
  
  
• Be patient and wait.
• On the left panel select Partition Recovery Wizard.
  
  
• On first screen, cilck Next.
• Select your hard drive, then click Next.
  
  
• On two next screen don't change anything, just click Next.
• Now the most important part:
  • Select only 100MB partition (Windows 7 files are on hidden partition) and your partition/s - look the size column.
  
• Click Finish.
• Back on the main menu, click on your disk click on your disk, on left panel choose Rebuild MBR
• Click Apply on up.
• When done click X on up right corner to reboot. Remove Partition WIzard Boot Disk.