Malware attack - Locked out of computer - need assistance

julian.sinisterra

New Member
Thread author
Mar 11, 2013
10
Need help removing the FBI MoneyPak Virus. Locked out of the computer completely, where I cannot turn on safe start mode or start from USB mode.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome

Please print these instruction out so that you know what you are doing
  • Download OTLPE from here to your desktop
  • Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
    While in OTLPE, double click the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location.
  • When asked Do you wish to load the remote registry, select Yes.
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes.
  • Ensure the box Automatically Load All Remaining Users is checked and press OK.
  • OTL should now start
  • Check the boxes beside LOP Check and Purity Check
  • Press the Run Scan button
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to a USB drive if you do not have internet connection on the system.
  • Please attach the content of OTL.txt in your next reply.
 

julian.sinisterra

New Member
Thread author
Mar 11, 2013
10
Thank you for your response. I was able to create the CD but am unable to get the system to boot from CD-ROM. I followed the instructions and was able to select boot from CD, but it gives me a failure and then proceeds to boot from HD. I suspect that my CD drive is bad, as it was giving me issues before. I am also unable to do a safe boot: when the computer starts booting up and I press F8 to go in, it locks me out and goes straight to the regular HD bootup. I did notice that I am able to log in and use the other 2 users set up on the computer, and I can even go online with them with no problem. I also tried to boot from USB after creating a bootable USB with the anti-malware program, but it is not working either.
Is there another way to gain safe mode entry?
 

Fiery

Level 1
Jan 11, 2011
2,007
OK, go on a clean user account (either one of them) and do the following.

Download OTL by Old Timer from here and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please attach the contents of these 2 Notepad files in your next reply.

If you don't know how to attach the files, please follow the instructions here: http://malwaretips.com/Thread-How-to-use-the-attachment-system?pid=16072#pid16072
 

julian.sinisterra

New Member
Thread author
Mar 11, 2013
10
Here are the results of the OTL scans:

 

Attachments

  • OTL.Txt (72.8 KB)
  • Extras.Txt (37.8 KB)

Fiery

Level 1
Jan 11, 2011
2,007
Excellent :D

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.



Go back to the account you ran OTL in. Open OTL and, under custom scan/fixes, copy and paste the following:

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
[2013/03/09 16:05:18 | 000,000,176 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-lcrulcmPDdr
[2013/03/09 16:05:18 | 000,000,176 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-lcrulcmPDd
[2013/03/09 16:05:13 | 000,000,088 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\lcrulcmPDd
[2013/03/09 16:03:01 | 000,304,128 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\lcrulcmPDd.exe

:Files
C:\WINDOWS\Installer\{caad6ca1-a44d-478e-0224-1fe68cbe6d12}\@
C:\Documents and Settings\All Users\Application Data\gla.pad
C:\WINDOWS\Installer\{caad6ca1-a44d-478e-0224-1fe68cbe6d12}\L
C:\WINDOWS\Installer\{caad6ca1-a44d-478e-0224-1fe68cbe6d12}\U
C:\WINDOWS\Installer\{caad6ca1-a44d-478e-0224-1fe68cbe6d12}\L\00000004.@
C:\WINDOWS\Installer\{caad6ca1-a44d-478e-0224-1fe68cbe6d12}\U\00000004.@
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Let your PC reboot to normal mode on your regular account (the one that has been infected). If you are able to access it, a new log will be created automatically; post its content in your next reply. Next, do the following in the same account.

Download TDSSkiller from here
  • Double-Click on TDSSKiller.exe to run the application
  • When TDSSKiller opens, click Change parameters and check the box next to Loaded modules. A reboot will be required.
  • After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  • Click Start scan.
  • If a suspicious object is detected, the default action will be Skip; click on Continue. (If it says TDL4/TDSS file system, select Delete.)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log afterwards (usually in the C:\ folder, in the form TDSSKiller.[Version]_[Date]_[Time]_log.txt).

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (for Vista or Windows 7, right-click and select Run as Administrator to start).
  • Click delete
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
    Exit/Close RogueKiller+
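The OTL fix above removes four files dropped within a couple of minutes directly into the shared Application Data folder, a handful of non-MSI files under a WINDOWS\Installer\{GUID} folder, and a DisableTaskMgr = 1 policy. The following Python script is an added example (not OTL's code and not part of the thread) showing how a defender can triage an OTL-style listing for exactly those indicators: files without vendor information sitting in the shared Application Data root, the "@"/"L"/"U" layout under Installer\{GUID}, a burst of files written to one directory within a few minutes, and the task-manager lockout policy. The entry and policy line formats are taken from the fix in this post; the sample log mixes those lines with a constructed benign entry and constructed metadata for the Installer\{GUID} path, and the burst window (5 minutes, 3 files) is an assumed threshold.

```python
"""Triage an OTL-style file listing for the lock-screen dropper pattern seen in this thread.
Added example; the log format is inferred from the fix lines quoted in the post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One OTL file entry: [date time | size | attrs | M/C] (company) -- path
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# One OTL O6 (policy) entry: O6 - <key>: <value> = <data>
POLICY_RE = re.compile(r"^O6 - (?P<key>HK\w+\\.+?): (?P<value>\w+) = (?P<data>\S+)$")

SHARED_APPDATA = r"c:\documents and settings\all users\application data"
INSTALLER_GUID = re.compile(r"^c:\\windows\\installer\\\{[0-9a-f-]{36}\}\\", re.I)
# Policy value the thread's fix resets; data 1 removes the user's Task Manager escape hatch
LOCKOUT_POLICIES = {"DisableTaskMgr"}


def parse_entry(line):
    """Return a dict for one OTL file line, or None if the line is not a file entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y/%m/%d %H:%M:%S")
    e["size"] = int(e["size"].replace(",", ""))
    return e


def entry_reasons(e):
    """Per-file indicators that do not depend on any other entry."""
    reasons = []
    parent, _, name = e["path"].lower().rpartition("\\")
    if parent == SHARED_APPDATA and not e["company"]:
        reasons.append("file without vendor info dropped directly in shared Application Data")
    if INSTALLER_GUID.match(e["path"]) and (name.endswith("@") or name in ("l", "u")):
        reasons.append("non-MSI '@'/'L'/'U' layout under WINDOWS\\Installer\\{GUID}")
    return reasons


def burst_paths(entries, window=timedelta(minutes=5), min_files=3):
    """Paths that belong to a burst of >= min_files files written to one directory within `window`."""
    by_dir = defaultdict(list)
    for e in entries:
        by_dir[e["path"].lower().rpartition("\\")[0]].append(e)
    out = set()
    for items in by_dir.values():
        items.sort(key=lambda x: x["ts"])
        for i, first in enumerate(items):
            group = [x for x in items[i:] if x["ts"] - first["ts"] <= window]
            if len(group) >= min_files:
                out.update(x["path"] for x in group)
    return out


def triage(log_text):
    """Return {'files': {path: [reasons]}, 'policies': [(value, data)]} for the suspicious parts."""
    entries, policies = [], []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e:
            entries.append(e)
            continue
        p = POLICY_RE.match(line.strip())
        if p and p["value"] in LOCKOUT_POLICIES and p["data"] == "1":
            policies.append((p["value"], p["data"]))
    files = {}
    bursts = burst_paths(entries)
    for e in entries:
        reasons = entry_reasons(e)
        if e["path"] in bursts:
            reasons.append("part of a burst of files written to the same directory within minutes")
        if reasons:
            files[e["path"]] = reasons
    return {"files": files, "policies": policies}


# Constructed sample: the four Application Data files and the policy line are the ones quoted in
# the thread's OTL fix; the Installer\{GUID} entry's timestamp/size and the vendor line are made up.
SAMPLE_OTL = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
[2013/03/09 16:05:18 | 000,000,176 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-lcrulcmPDdr
[2013/03/09 16:05:18 | 000,000,176 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-lcrulcmPDd
[2013/03/09 16:05:13 | 000,000,088 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\lcrulcmPDd
[2013/03/09 16:03:01 | 000,304,128 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\lcrulcmPDd.exe
[2013/03/09 16:03:05 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\Installer\{caad6ca1-a44d-478e-0224-1fe68cbe6d12}\U\00000004.@
[2012/11/20 08:14:02 | 000,012,288 | ---- | M] (Example Vendor Inc.) -- C:\Documents and Settings\All Users\Application Data\Example Vendor\settings.dat
"""

if __name__ == "__main__":
    result = triage(SAMPLE_OTL)
    for path, why in result["files"].items():
        print(path, "->", "; ".join(why))
    for value, data in result["policies"]:
        print("policy", value, "=", data, "-> Task Manager disabled by policy")
```

The benign vendor file is not reported: it sits in its own subfolder, carries company information and was not written as part of a burst. Run against a real OTL.txt, the file rules are deliberately narrow, so treat the burst rule as the one that generalizes and the others as confirmations.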
 

julian.sinisterra

New Member
Thread author
Mar 11, 2013
10
Thanks for the update. I went ahead and ran OTL with the new fix, rebooted and opened the infected user account but it still went directly to the virus screen. Still cannot enter in safe mode either.
 

Fiery

Level 1
Jan 11, 2011
2,007
Do the clean user accounts have administrative rights? Try running the other tools in the clean account.
 

julian.sinisterra

New Member
Thread author
Mar 11, 2013
10
The other accounts do not have admin access. I downloaded and ran TDSSKiller; when I selected the loaded modules and went to reboot, I received an error message saying "can't install extended monitoring driver", and then it does not allow for either a reboot or a scan.
 

Fiery

Level 1
Jan 11, 2011
2,007
Download avenger.zip... © by Swandog46
  1. Unzip/extract it to a folder on your desktop.
  2. Double click on avenger.exe to run it. Click "OK"...at the prompt.
  3. Check the box... "Scan for rootkits"
  4. Uncheck the box... "Automatically disable any rootkits found"...if checked.
  5. Copy all of the text in the code box below (Ctrl+C) and paste it in the box "input script here".
    Code:
    Files to delete:
    C:\Documents and Settings\All Users\Application Data\-lcrulcmPDdr
    C:\Documents and Settings\All Users\Application Data\-lcrulcmPDd
    C:\Documents and Settings\All Users\Application Data\lcrulcmPDd
    C:\Documents and Settings\All Users\Application Data\lcrulcmPDd.exe
    C:\Documents and Settings\All Users\Application Data\gla.pad
  6. Click the Execute button.
  7. Reply "Yes" at the 2 prompts:
    "Are you sure you want to execute the current script?".
    "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?".
  8. Your PC will automatically reboot.
    If that is the case, it will force a BSOD (Blue Screen of Death) error ...on the first reboot. This is normal & expected behavior.
  9. After your PC has completed the necessary reboots, a log should automatically open.
    If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
 

julian.sinisterra

New Member
Thread author
Mar 11, 2013
10
OK, I just ran the Avenger, and when I click Execute and press Yes for the first prompt, "Are you sure you want to execute the current script?", I get the following error:
Error: Can't open file 'C:\Program Files\tcdaaluk.txt' (error 5: access is denied)
When I click OK to this message I get the following:
Error: Could not open script file: Aborting Execution! (Error 6: the handle is invalid.)
 

Fiery

Level 1
Jan 11, 2011
2,007
Do you have recovery console installed on the machine?

If not, do you have the XP CD? If so, http://support.microsoft.com/kb/307654

Also, are you able to enter safe mode with command prompt?
 

julian.sinisterra

New Member
Thread author
Mar 11, 2013
10
I am not sure if I can go into safe mode with command prompt. Can you direct me on how to do that, please?
Also, I'm not sure what the recovery console is.
 

Fiery

Level 1
Jan 11, 2011
2,007
For recovery console, reboot your PC. As soon as it starts, do you see a screen like this?

1.jpg


For safe mode with command prompt, reboot your PC and keep tapping the F8 key until you reach the Advanced Boot Options page. Use the arrow keys to select Safe Mode with Command Prompt and press Enter.

 

julian.sinisterra

New Member
Thread author
Mar 11, 2013
10
When I reboot the PC and press F8, I don't go into Advanced Boot Options; it locks me out and then reboots normally. For the recovery console, I have never seen that screen before.
 

Fiery

Level 1
Jan 11, 2011
2,007
Ok, let's give this a try.

IMPORTANT:
You will need a flash drive with a size of 512 MB or bigger. Make sure that you do not leave anything important on the flash drive, as all data on it will be deleted during the following steps.


    • Download OTLPE.iso from one of the following links and save it to your Desktop mirror1 or mirror2
    • Download eeepcfr.zip from the following link and save it to your Desktop: the mirror
    • Finally, if you do not have a file archiver like 7-zip or Winrar installed, please download 7-zip from the following link and install it: the mirror
  1. Once you have 7-zip installed, decompress OTLPE.iso by right-clicking on the file and choosing the options shown in the picture below. Please use a dedicated folder, for example OTLPE, on your Desktop.

    OTLPE_7zip.jpg


  2. Please also decompress eeepcfr to your systemroot (usually C:\).
  3. Empty the flash drive you want to install OTLPE on.
  4. Go to C:\eeecpfr and double-click usb_prep8.cmd to launch it.
  5. Press any key when asked to in the black window that opens.
  6. As indicated in the image, make sure you have selected the correct flash drive, before proceeding.
    For Drive Label: type in OTLPE.
    Under Source Path to built BartPE/WinPE Files click ... and select the folder OTLPE that you created on your Desktop.
    Finally check Enable File Copy.
  7. Click on Start, accept the disclaimers and wait for the program to finish.

  • Reboot your system using the bootable flash drive you just created.
  • Note : If you do not know how to set your computer to boot from Flash drive follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
  • OTL should now start.
  • Under custom scan/fixes, copy and paste the following:

    :Files
    C:\Documents and Settings\All Users\Application Data\-lcrulcmPDdr
    C:\Documents and Settings\All Users\Application Data\-lcrulcmPDd
    C:\Documents and Settings\All Users\Application Data\lcrulcmPDd
    C:\Documents and Settings\All Users\Application Data\lcrulcmPDd.exe
    C:\Documents and Settings\All Users\Application Data\gla.pad
    ipconfig /flushdns /c

    :Commands
    [EMPTYTEMP]
    [RESETHOSTS]

    Then click Run Fix. Let your PC reboot to normal mode.
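Both OTL fixes in this thread end with [RESETHOSTS], which puts the hosts file back to its defaults, because a lock-screen infection commonly leaves mappings there that sinkhole security vendors' sites or pin names to an address the attacker chose. The script below is an added example (not OTL's code, not part of the thread) of how to audit a hosts file for such entries before or after a reset, so the operator knows what the reset will undo. The sample hosts content is constructed; the list of "security" domain fragments is an assumption chosen from the tools named in the thread, and the only names treated as default loopback entries are "localhost" on 127.0.0.1 and ::1.

```python
"""Audit a Windows hosts file for mappings a [RESETHOSTS]-style cleanup would remove.
Added example; the domain list and default names are assumptions, not from the thread."""
import ipaddress
import re

# Names a default hosts file legitimately maps to loopback (assumption: XP/Vista/7 defaults)
DEFAULT_LOOPBACK_NAMES = {"localhost"}
LOOPBACK = (ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1"))
# Assumed fragments of sites a cleanup depends on; a loopback mapping for these blocks updates/help
SECURITY_DOMAINS = ("malwarebytes", "hitmanpro", "malwaretips")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping, ignoring comments and blank lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field; not a usable mapping
        for host in parts[1:]:
            yield ip, host.lower(), n


def audit_hosts(text):
    """Return a list of (line_no, ip, host, reason) for mappings that deserve attention."""
    findings = []
    for ip, host, n in parse_hosts(text):
        if ip in LOOPBACK:
            if host in DEFAULT_LOOPBACK_NAMES:
                continue  # the default entries that a reset keeps
            if any(d in host for d in SECURITY_DOMAINS):
                findings.append((n, str(ip), host, "security/update site sinkholed to loopback"))
            else:
                findings.append((n, str(ip), host, "non-default name mapped to loopback"))
        else:
            findings.append((n, str(ip), host, "name pinned to a fixed non-loopback address"))
    return findings


# Constructed sample hosts file: two default lines plus three entries of the kind a reset removes
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.malwarebytes.test       # security tool update host sinkholed
127.0.0.1       downloads.example-vendor.test
198.51.100.7    www.example-bank.test           # pinned to an address chosen by someone else
"""

if __name__ == "__main__":
    for line_no, ip, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} {host} -> {reason}")
```

On a live system the file is at %SystemRoot%\System32\drivers\etc\hosts; reading it only requires the account to have read access, so this check works even from the non-administrative accounts the thread author had to fall back on, whereas rewriting it needs administrative rights.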
 

julian.sinisterra

New Member
Thread author
Mar 11, 2013
10
OK, I was finally able to do this and it seems to have worked. I ran both Malwarebytes and Hitman Pro after the last restart to scan, and they came back all clean.
Thank you so much for all your assistance.
 

Fiery

Level 1
Jan 11, 2011
2,007
Good to hear :D We are not quite done, we need to check for rootkits.

Download TDSSkiller from here
  • Double-Click on TDSSKiller.exe to run the application
  • When TDSSKiller opens, click Change parameters and check the box next to Loaded modules. A reboot will be required.
  • After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  • Click Start scan.
  • If a suspicious object is detected, the default action will be Skip; click on Continue. (If it says TDL4/TDSS file system, select Delete.)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log afterwards (usually in the C:\ folder, in the form TDSSKiller.[Version]_[Date]_[Time]_log.txt).

Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
    Exit/Close RogueKiller+
 
