Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Working fix for FBI moneypak rogue? 2

Status
Not open for further replies.

mandywls

Technical User
Jun 27, 2012
2
US
Hi all,

Can someone recommend a working fix (with a free tool or manual removal instructions) for this fake antivirus? I checked at least twenty sites found on Google, most of them having same "solutions" but so far nothing works (I simply can not find anything wrong under running processes, like AI983d4f.exe, but still I get the rogue window poping). The virus run in Safe mod too, so it is kinda hard to clean. I repeat - nothing suspicious in the running processes (used Process explorer by Sysinternals).

Thanks in advance
 
Run the following from safe mode if they won't run from regular mode.
Download apps from another computer onto memory stick if internet is not cooperating on infected PC.

Reboot as asked - don't proceed to next step if asked to reboot
1. Run CCleaner and clean out all temp files that it finds.
2. Download and run RKILL (rkill.scr or rill.com)
3. Run TDSSKiller
4. Run MalwareByte's Anti-Malware

Report back.
 
Another method you might want to use that we often forget about:
[ol 1]
[li]Use Windows System Restore (if able) to recover to a time prior to the virus' known existence on the PC. So, if you knew it happened last Friday, or at least by then, perhaps go back another week or two prior to that, at least.[/li]
[li]After running system restore, then run a few cleaners - Malwarebytes, SuperAntispyware, CCleaner, or others of your choosing. If you go with SuperAntispyware, you may want to kill off the startup options from within that application (application starting up with Windows), and also kill off the service (it's listed as SAS Core... something another..). I usually stop the service, and set it to manual just in case SAS needs it when I do scan with it.[/li]
[li]Make sure your antivirus is up to date, and make sure you're using a pretty good one if its in your power to choose. You can check out various reviews online, and there are lots of good charts, lists, and what not to read here: [/li]
[/ol]


"But thanks be to God, which giveth us the victory through our Lord Jesus Christ." 1 Corinthians 15:57
 
Thank you goombawaho and kjv for the quick replies. I did as goombawaho suggested. When I run TDSSKiller it said it found something and then removed it. Malwarebytes found the actual FBI virus and cleaned it too. Surprisingly, yesterday FBI moneypak appeared again. I tried to remove it again with Malwarebytes but this time it didn`t find the virus. I run 2 scans in a row - no luck. Today I tried these and these instructions, again with no luck. BTW, this time TDSSKiller did not find anything. Is this a new, more hard to remove version of FBI virus?


Thanks in advance,
Mandy
 
You might have a trojan downloading more stuff (worse stuff, different stuff??) behind your back.

I'd say it's time to do the following.
1. Disconnect PC from network/internet
2. Download combofix onto a memory stick
3. Remove your anti-virus program (YES, remove and reboot computer)
4. Run combofix from regular mode as administrator user. If it won't run, try safe mode.

Fair warning: In very few instances, I've seen Combofix hose a computer to where it won't boot usually due to removing a needed and infected DLL and not getting it replaced. But I'd say it happened twice out of using it about 100 times.

It's either try Combofix, post your problem at BleepingComputer where it will take a week to get started with the process of them helping you or format/reload. Decision time.
 
Had the same problem on a users PC - Malwarebytes found it and removed it but is came back. Finally removed it with "Autoruns".

Scott
 
Autoruns will only list auto-start programs that are not doing a good job of hiding, also Autorun detect is part of Malwarebytes function. So I would suspect that the infection is still present, and if Malwarebytes still cannot see anything, I would run Combofix. (see previous posts)

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
to quote someone: "I'd say it's time to do the following."

I'd say, instead, do a clean install...
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that.
Source: "Help: I Got Hacked. Now What Do I Do?"

with that in mind, boot to a Linux LiveCD or a BartPE/WinPE CD/DVD, and save your personal DATA to an external drive (so that they can be scanned before transferring them back to the fresh installed OS)...


Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
The OP hasn't checked back since July, so MAYBE it's resolved << (sarcasm)
 
I had an opportunity to fight this one today and win. Turned out the actual screen that bothers the !@#! out of you was launched from here (see below). Removing it from the registry and deleting the file fixed it. You have to be able to boot to something like a BartPE, Windows PE, etc. where you can delete a file and preferably edit the registry.

This was an XP machine, FYI

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe", C:\Documents and Settings\All Users\Application Data\MalwareName.exe

It was named something funky with an underscore to start the file name.

 
Thanks for the update there Goom, luckily I never had to deal with that trash myself. I don't do much private PC cleanups these days anymore...

thus knowing what fixed it, is always appreciated, although here in Germany, I've not seen it yet (the FBI one) but we have a similar one called the GEMA Virus...


Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Try RogueKiller

Description : RogueKiller is a program written in C++ and able to :
[ul]
[li] Kill malicious processes[/li]
[li] Stop malicious services[/li]
[li] Unload malicious DLLs from processes[/li]
[li] Kill malicious hidden processes[/li]
[li] Find and remove malicious autostart entries, including :[/li]
[li] Registry keys (RUN/RUNONCE, ...)[/li]
[li] Tasks (Scheduler 1.0/2.0)[/li]
[li] Startup folders[/li]
[li] Hijack entries, including :[/li]
[li] Shell / Load entries[/li]
[li] Extension association hijacks[/li]
[li] DLL hijacks[/li]
[li] Read / Fix DNS Hijacks (DNS Fix button)[/li]
[li] Read / Fix Proxy Hijacks (Proxy Fix button)[/li]
[li] Read / Fix Hosts Hijacks (Hosts Fix button)[/li]
[li] Restore shortcuts / files hidden by rogues of type "Fake HDD"[/li]
[li] Read / Fix malicious Master Boot Record (MBR) -- Even hidden by rootkit[/li]
[li] List / Fix SSDT - Shadow SSDT - IRP Hooks (Even with inline hooks)[/li]
[li] Find and restore system files patched / faked by a rootkit[/li]
[li][/li]
[/ul]

RogueKiller.PNG

Also able to remove lots of actual infections, including ZeroAccess, TDSS, all rogues, and many Ransomwares. Detections are Blacklist/Whitelist based or Heuristic based
 
So crackoo, I guess you missed the part of my post where I said I had removed the malware.

Everyone should be wary of the "new best anti-malware removal tool" from a google search. Lots of links are to crapware or actually more malware. Not saying the product above is crapware/malware, but just beware of what you click on as always.

I always try to use the manual removal method first before I turn software loose on someone's computer. I don't post that in the forums because it's more complicated, you have to have the right boot CDs and it's kind of different for each malware. Your average Joe is not going to be able to do it.
 
In defense of Crackoo, just out of curiosity, I had this same FBI virus & have been screwing with it for some time & was ready to do a reinstall, thought I will give it a try, nothing to lose, so downloaded & ran it, it found 5 files so those were deleted. I restarted XP & all is well, go figure, very small program, took less than 5 mins. to run. I will do a little more study on this program.

xit
 
My point was only that when removing malware, don't just download anything off the internet and end up making your life worse. There are lots of web pages with "fixes xyz, tunes up your computer", etc. Lots of it is just crapware but some is actually probably more like malware.
 
goombawaho, your point is well taken and you are 100% correct that most of those supposedly "helpful" programs are a problem waiting to happen. Over the years I have gathered just a handful of programs that have proven themselves as useful but I am always on the hunt for a new one. [smile]

xit
 
Thanks Ben, looks promising, anything Malwarebytes puts out is usually top notch, I will give it a whirl the next opportunity.
 
Malwarebytes anti-rootkit detects COMODO's guard64.dll as possible rootkit activity in appinit_dlls, they probably need to fix this.

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
SG,

haven't tested it on my Win7 X64 rig yet, just on my work PC (XP 32bit) and there it did not detect anything (clean PC to start with) and nothing from Comodo as a false positive...

but then again it is still in the BETA stage...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top