Solved Moneypak Virus, Dept of Justice version, 5 days fighting

[TwinHeadedEagle]

Also, follow these instructions and attach frst report


Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.

• Plug the flashdrive into the infected PC.
• Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer
• Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.

• In the command window type in notepad and press Enter.
• When notepad opens, click File and select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst64.exe and press Enter.

Note: Replace letter e with the drive letter of your flash drive.

• The tool will start to run. When the tool opens click Yes to disclaimer.
• Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.

 

[typicaldani]

Safe mode - virus loads quickly

Safe mode w/networking, appears normal, however if I try to run any exe program the virus image comes and takes over. If I don't try to load a program, for example, if I just navigate windows explorer things appear fine. I can access things like msconfig.

Safe mode command prompt, boots normal mode instead, virus comes up immediately on logon

Edit: sorry didn't see latest, give me a couple minutes

 

[typicaldani]

Here's the frst log.

 

[TwinHeadedEagle]

Download attached fixlist.txt and save it to your USB flashdrive as fixlist.txt

>> Boot into Recovery Environment


Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....

• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your USB flashdrive.

>> Exit out of Recovery Environment and post me the log please.



Try to boot Windows normally...

 

[typicaldani]

Unfortunately it's still there, this time the virus loaded the takeover image like it normally does, no freezing.

 

[TwinHeadedEagle]

It is late now, will continue tomorrow...

 

[TwinHeadedEagle]

Run FRST and attach fresh report, so I can think of something when I sit to PC again.

 

[typicaldani]

Here it is, have a good night and thanks

 

[TwinHeadedEagle]

I am here, so let's begin

First I want you to disconnect infected computer from internet. We several times removed malware, and it keeps getting back somehow. So please, disconnect it from internet, until I tell you to enable it again.


Download attached fixlist.txt and save it to your USB flashdrive as fixlist.txt

>> Boot into Recovery Environment


Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....

• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your USB flashdrive.

>> Exit out of Recovery Environment and post me the log please.



Try to boot Windows normally...

 

[typicaldani]

OK, i unplugged ethernet and I can boot into windows now and nothing comes up! I can't access the task manager (it immediately closes if I try to open it), but I was able to run an old, benign program with no problems. Attached fixlog.

 

[TwinHeadedEagle]

Very good, we're making progress

What program are you talking about?

Don't activate Internet yet...


Now run FRST from normal Windows, check Addition.txt, press Scan and attach both reports.

 

[typicaldani]

The program is just a Bible program, doesn't do anything but let the person read scriptures. One of the first things installed on this computer. But it wouldn't be allowed to open before in safe mode without triggering the virus.

Frst got hung up and I didn't realize it had finished making the logs until 30 minutes after they were done, here they are.

 

[TwinHeadedEagle]

First, go to Control Panel and uninstall following (skip lines that cannot be uninstalled):
- CouponBar
- Adobe Reader X
- BTGuard 2.6
- IB Updater 2.0.0.530
- MovieDownloader
- Java 7 Update 6
- KeyBar 1.8 Toolbar for IE
- PricePeep
- Produtools Manuals 2.1 Toolbar
- ShoppingChip
- SweetPacks A10 Toolbar for IE
- Wajam

Latest versions of Java and Adobe Reader available here --> http://www.java.com/en/ and here http://get.adobe.com/uk/reader/
Make sure to uncheck optional offers.

***** NEXT *****​

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

• Click on the Scan button.
• After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

• After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
• Post logfile will also be saved in the C:\AdwCleaner folder.

***** NEXT *****​

Run FRST again, check Addition.txt, press Scan and attach both reports.

 

[typicaldani]

The adwcleaner link doesn't work

 

[TwinHeadedEagle]

It works for me

Go here --> http://www.bleepingcomputer.com/download/adwcleaner/dl/125/

 

[typicaldani]

I had a few issues. I couldn't uninstall java, sweet packs or keybar through control panel. Adwcleaner may have defeated the last two. Trying to uninstall java just caused windows installer to hang, but it's what I've been doing these last few hours until I gave up and ran adwcleaner. Java concerns me because it's exploitable. The other issue was adwcleaner crashed during clean so I ran it again, but between the two runs I think it got everything. I attached both reports.

 

[TwinHeadedEagle]

Very good, every time, we're one step closer to solve your problem 100%

About Java, go and download JavaRa. Extract archive, start JavaRa.exe , and click Remove. Then wait for it to finish. Next try to install new Java version from link I provided.

Link for download --> http://download.thewebatom.net/5353b66683256/JavaRa-2.6.zip

***** NEXT *****​

Download attached fixlist.txt on the same location as FRST (otherwise the fix won't work)
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Open FRST, and click Fix. Attach me that report after it is finished.

***** NEXT *****​

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by doubleclicking on it.
Confirm "End user Licence Agreement" and "KSN Statement" dialog box by clicking on Accept button.

• Press Start Scan
• If Suspicious object is detected, the default action will be Skip, click on Continue.
• If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.

 

[typicaldani]

Here are fixlog and tdss log. Something is still wrong because task manager closes immediately upon opening.

 

[TwinHeadedEagle]

OK, one more tool:


1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.
- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
-If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
- ComboFix will scan your computer in stages, total of 50 stages.
Do not mouse-click around while ComboFix is running.
Note:If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.

 

[typicaldani]

How can I save combofix directly to the desktop when that computer is not connected to internet? I have to transfer it via USB, is that OK?