Working fix for FBI moneypak rogue? 2

Status
Not open for further replies.

mandywls

Technical User
Jun 27, 2012
2
US
Hi all,

Can someone recommend a working fix (with a free tool or manual removal instructions) for this fake antivirus? I checked at least twenty sites found on Google, most of them having the same "solutions", but so far nothing works (I simply cannot find anything wrong under running processes, like AI983d4f.exe, but I still get the rogue window popping). The virus runs in Safe Mode too, so it is kinda hard to clean. I repeat: nothing suspicious in the running processes (used Process Explorer by Sysinternals).

Thanks in advance
 
Sorry, I should have added that I'm running it on Windows 7.


Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
I just tried out the MBAR. Excellent product! Very well thought out, and it has contingency plans in case of catastrophic failure. As with previous MalwareBytes products, I'm sold.

Thanks and have a nice day,
David.
 
Another update on the MoneyPak malware:
MBAM found nothing. MBAR found some things but didn't snuff it. Neither did Combofix, etc. I couldn't find where it was starting from in Windows 7 and/or remove it from the recovery environment command prompt.

Props to CRACKOO - Rogue Killer snuffed it out right now, like stepping on a roach.

It also fixed a bunch of screwed-up links (like IE9 would not open when clicking on the big blue E). Very nice tool. The only issue is that the PC has to be bootable. I had two computers yesterday that both had the MoneyPak malware and one was rendered non-bootable.
 
UPDATE: Another successful slaying of this malware today by me using manual file system deletion and Rogue Killer. Here are some of the paths to check on a Windows 7 machine for any suspicious files. You're going to have to be a bit savvy to delete the files causing the problem. They're randomly named and AREN'T "malware.exe", but you can look at the modified date to see if it coincides with the infection.

Best bet is to try safe mode first, then safe mode command prompt, then a bootable CD of some type. These are the actual "finds" by Rogue Killer.
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell"="C:\Users\InfectedUserName\AppData\Roaming\ldr.mcb,explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\Users\InfectedUserName\LOCALS~1\Temp\msubovrs.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SonyAgent"="C:\Windows\Temp\temp78.exe"

Look in these folders to manually delete files if you can't get a Windows GUI:
%appdata%\roaming\microsoft\windows\start menu\programs\startup
%userprofile%\appdata\local\temp
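
An added example, not part of the original posts and not Rogue Killer's own logic: a small audit that reads a registry listing in the layout shown in the post above and flags entries under the three per-user autostart locations it names. The function names, the `ExampleUser` and `ExampleUpdater` entries, and the "suspicious" rules are assumptions for illustration, so treat hits as candidates for manual review.

```python
import re

# Autostart values named in the post above ("*" = every value under the key).
WATCHED = {
    r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon": "shell",
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows": "load",
    r"hkey_current_user\software\microsoft\windows\currentversion\run": "*",
}
# Assumed heuristic: directories that any user process can write to.
WRITABLE = re.compile(r"\\(appdata|locals~1|temp)\\", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def reasons_for(watch, data):
    """Explain why one autostart value deserves a manual look (empty = fine)."""
    reasons = []
    parts = [p.strip() for p in data.split(",") if p.strip()]
    if watch == "shell" and any(p.lower() != "explorer.exe" for p in parts):
        reasons.append("shell launches something besides explorer.exe")
    if watch == "load" and parts:
        reasons.append("legacy Load value is set")
    if WRITABLE.search(data):
        reasons.append("target is in a user-writable directory")
    return reasons

def audit(text):
    """Return (value name, data, reasons) for each flagged entry in the listing."""
    findings, watch = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        key = KEY_RE.match(line)
        value = VALUE_RE.match(line)
        if key:
            watch = WATCHED.get(key.group(1).lower())  # None for keys we ignore
        elif value and watch in ("*", value.group(1).lower()):
            data = value.group(2).replace("\\\\", "\\")  # accept .reg-style escaping
            why = reasons_for(watch, data)
            if why:
                findings.append((value.group(1), data, why))
    return findings

# Constructed sample modelled on the post's listing, plus one benign Run value.
SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell"="C:\Users\ExampleUser\AppData\Roaming\ldr.mcb,explorer.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SonyAgent"="C:\Windows\Temp\temp78.exe"
"ExampleUpdater"="C:\Program Files\Example\updater.exe"
'''
```

Calling `audit(SAMPLE)` returns the `shell` and `SonyAgent` entries and skips `ExampleUpdater`.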
 