Solved Moneypak Virus - Dept of Justice

Status
Not open for further replies.

That1guy2007

New Member
Thread author
Aug 12, 2014
7
I have researched other threads on this forum and my problem is eerily similar to the thread at http://malwaretips.com/threads/moneypak-virus-dept-of-justice-version-5-days-fighting.28980/

I have taken steps to remove the virus but none seem to help. I am Security+ certified and a Network Engineer; this is not easy for me to reach out for help.

Attached are the initial FRST logs. Interesting to note that the moneypak screen will not show up in normal mode. Within Safe mode it will show up and do what it was coded for: not let me navigate anywhere within Windows. This is the same with Safe mode with Command Prompt. I have also run TDSSKiller along with the Malwarebytes rootkit scanner; both come back clean as well.

I have also attached some screenshots of ComboFix falling on its face as well as the initial MoneyPak Virus not working correctly (lol), along with the directory it resides.

Note: My hard drive was fully encrypted; I decrypted it last night to dig in deeper, which is the reason for any signs of TrueCrypt.sys files.

Thanks
 

Attachments

  • FRST.txt
  • MoneyPak.JPG
  • Report.JPG

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.
  • Plug the flash drive into the infected PC.
  • Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.
  • Follow the prompt to enter the keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
  • In the Choose Recovery Tool menu select Command Prompt.
  • You will see a big black window with a blinking cursor (command prompt).

Access the notepad and identify your USB drive

In the Command Prompt please type in:
Code:
notepad
and press Enter.
  • When the notepad opens, go to the File menu.
  • Select Open.
  • Go to Computer and search there for your USB drive letter.
  • Note down the letter and close the notepad.

Scan with Farbar Recovery Scan Tool

Once back in the command prompt window, please do the following:
  • Type in e:\frst64.exe and press Enter.
    You need to replace e with the letter of your USB drive taken from notepad!
  • FRST will start to run. Give it a minute or so to load itself.
  • Click Yes to the Disclaimer.
  • In the main console, please click Scan and wait.
  • When finished it will produce a logfile named FRST.txt in the root of your pendrive and display it. Close that logfile.

Transfer it to your clean machine and include it in your next reply.
 

That1guy2007

New Member
Thread author
Aug 12, 2014
7
Attached are the FRST log files. User32.dll in the syswow64 folder is looking suspect.

Thanks in advance.
 

Attachments

  • FRST.txt

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Yes, this file is infected and we will have to replace it:

First go and download this file:

http://www41.zippyshare.com/v/38528305/file.html


Put it on your USB along with FRST tool.



Download attached fixlist.txt and save it to your USB flashdrive as fixlist.txt

>> Boot into Recovery Environment


Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your USB flashdrive.


>> Exit out of Recovery Environment and post me the log please.



Try to boot Windows normally...
 

Attachments

  • fixlist.txt

That1guy2007

New Member
Thread author
Aug 12, 2014
7
I replaced the user32.dll in the system32 yesterday but I believe I missed the syswow64 folder, I will replace this file once I get home and let you know.

Thanks
 

That1guy2007

New Member
Thread author
Aug 12, 2014
7
That file appears to be rpcss.dll, not user32.dll. Do you want me to replace rpcss.dll or user32.dll?
 

That1guy2007

New Member
Thread author
Aug 12, 2014
7
I replaced the user32.dll in the syswow64 folder using Farbar from a winsxs copy of user32.dll. All appears to be good now. No more pop-up for moneypak and the computer is acting normal. Attached are fresh FRST logs and a ComboFix log after replacing the file.

Thanks
 

Attachments

  • FRST.txt
  • Addition.txt
  • ComboFix.txt
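A defender-side check related to the fix reported above (a tampered user32.dll in SysWOW64 replaced from a clean WinSxS copy): this added PowerShell example is not something posted in the thread. It verifies the Authenticode signature of the System32 and SysWOW64 copies of a DLL and compares their SHA-256 hashes against the copies held in the WinSxS component store. It assumes an elevated prompt and the default %windir%; the function name and parameters are mine.

```powershell
# Added example (not from the thread): check whether the live copies of a system DLL
# (here user32.dll in System32 and SysWOW64) are still signed and still match a copy
# held in the WinSxS component store, which is where a clean replacement comes from.
# Assumptions: elevated PowerShell; $Windir defaults to the running system's %windir%.
param(
    [string]$Windir = $env:windir,
    [string[]]$Files = @('user32.dll')
)

function Get-SystemDllStatus {
    param([string]$Name)

    # Build a table of SHA-256 -> path for every WinSxS copy of this DLL.
    # Live System32/SysWOW64 files are normally hard links to one of these, so an
    # intact file should produce a match; a patched file will not.
    $known = @{}
    Get-ChildItem -Path (Join-Path $Windir 'WinSxS') -Recurse -Filter $Name -File -ErrorAction SilentlyContinue |
        ForEach-Object { $known[(Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash] = $_.FullName }

    foreach ($dir in 'System32', 'SysWOW64') {
        $path = Join-Path $Windir "$dir\$Name"
        if (-not (Test-Path $path)) { continue }

        # System DLLs are usually catalog-signed rather than embedded-signed; on older
        # Windows builds this can report NotSigned, so treat the hash match as the stronger check.
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash

        [pscustomobject]@{
            Path            = $path
            SignatureStatus = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            SHA256          = $hash
            MatchesWinSxS   = $known.ContainsKey($hash)
            WinSxSCopy      = if ($known.ContainsKey($hash)) { $known[$hash] } else { '(no match)' }
        }
    }
}

foreach ($name in $Files) {
    Get-SystemDllStatus -Name $name | Format-List
}
```

A copy that reports an invalid signature and no WinSxS match is the same symptom the FRST log surfaced here, and the matching WinSxS path it prints is the clean source to restore from.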

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Ok, one more step:

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Follow the prompts and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[S*].txt) will open.

Please include the contents of that file in your reply.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Good, we're done :)

Below you will find my thoughts about securing your machine. Go ahead through it; you will benefit from some useful advice about safe computing.

Recommended reading:
  • MUST READ - security tips: Computer Security - a short guide to staying safer online. Simple and easy ways to keep your computer safe and secure on the Internet
  • MUST READ - general maintenance: What to do if your Computer is running slowly?

Recommended additional software:
  • TFC - to clean unneeded temporary files.
  • Malwarebytes' Anti-Malware - to scan your system from time to time in search of malware.
  • Malwarebytes' Anti-Exploit - to prevent exploitation of many commonly targeted vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • CryptoPrevent - to secure yourself from the very severe CryptoLocker infection.
  • Unchecky - to prevent installing additional foistware bundled with legitimate installers.
  • FileHippo.com Update Checker - to keep your programs up-to-date.
  • Adblock - to surf the web without annoying ads!

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

My help is free for everybody.
If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation:
Thank you!

Stay safe,
TwinHeadedEagle :)
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Since this issue appears to be resolved, I am closing the topic. If that is not the case and you need or wish to continue with this topic, please contact me or any staff member with the address of the thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
 