DoJ MoneyPak Virus- Solution
Tags:
- Safe Mode
- Virus
- Windows 7
Mitchell Horton
August 4, 2014 9:53:42 AM
Hey guys, I'm an IT professional who just got a new DoJ MoneyPak virus'd computer in. All standard methods failed (new profile, safe mode); any application run in safe mode would trigger the virus, and ending ctfmon and deleting files solved nothing. Booted into safe mode with command prompt and ran "sfc /scannow"; when the scan was completed we could boot in and run Rkill/ComboFix.
Just wanted to put it out there for those who are running into a wall trying to run things in Windows to solve this.
Calaghan Grainger
August 6, 2014 9:06:59 PM
First off, ditch AVG; it's useless: huge resource hog, poor detection rate, high false positive rate, and pop-ups about upgrading your account. I suggest Avast Free. Second, in your browser navigate to malwarebytes.org, download the free version (orange button), install it and run a threat scan. It will find and delete everything and prompt a reboot. Next download AdwCleaner from Bleeping Computer and install it. The installer is in French but the GUI is English. When installing select J'Accepte. After it installs, click Scan then click Clean. It will force you to restart. Finally download JRT (Junkware Removal Tool) and run it. It is a command line application so it will run from cmd except when backing up your registry and extracting itself. Do that for all accounts on the PC; after that you should be good.
Mitchell Horton
August 6, 2014 10:03:24 PM
It's like you didn't even read.
I don't HAVE AVG. I used their boot CD, which worked on the first generation of this virus.
None of your suggestions are possible with the newest generation of the virus- activating any application within SAFEMODE causes the splash screen to lock it.
In addition, both ComboFix and Rkill error out when attempted to run in SAFEMODE (I could see the error messages before the virus splash screen came up).
I wasn't actually asking a question- I found a new solution that I hadn't seen before and I was providing it to others.
You should read people's posts before answering.
Calaghan Grainger
August 6, 2014 10:24:56 PM
Wow, um, okay, well it does work because I've cleaned this infection before. FYI, maybe you should structure your post better, as this post seems like you're asking for help and using the world's most useless fix for it. BTW I never mentioned safe mode (because you said anything that runs in safe mode is affected). Besides, you would have known that if you saw JRT, buddy. It does not run in safe mode and prompts you to boot regularly. So you read before answering.
And you say you're an IT Professional.
Mitchell Horton
August 6, 2014 10:58:22 PM
Yeah, you cleaned an older version of it.
I ran into the new version of it last week.
How do you expect me to open a browser that is locked by the virus? Do you even know what this virus does? It locks your computer with a splash screen at login.
JRT might be useful? I didn't need it, because I solved the problem with a simple Windows Command.
"Besides you would have known that if you saw JRT buddy. It does not run in safemode and prompts you to boot regularly."
I would have known what?
Mitchell Horton
August 6, 2014 11:00:57 PM
As I said, IN THE ORIGINAL POST, this is clearly a new generation of this virus. Previous versions were easily defeated by safe mode, and after safe mode stopped working, simply using the command prompt to create a new administrator profile worked.
Once I realized that new profiles were infected as soon as they were fully created, I reasoned that it must be a corrupted Windows file itself; otherwise it wouldn't jump profiles.
So, I triggered Windows' built-in corruption detector (not even a virus scan, just a file verification tool) and this crippled the virus completely from what I can tell.
So please, explain to me how I'm supposed to install programs when
1. In Normal Boot, it is locked from the moment you log in; no actions available.
2. In Safe Mode, you can navigate files, even open some things like text files and other minor things that use required Windows software. However, running any application, be it Rkill (both regular and renamed), ComboFix, Mbam, Mbar, MbamC, Kaspersky, TDSS Killer, or a browser, causes the splash screen to lock the computer. It also causes the opened application to crash.
So please, explain to me how I'm supposed to "Second in your browser navigate to malwarbytes.org download the free version (orange button) install and run a threat scan."
I'm so curious to know.
Saga Lout
The problem might be resident in the All Users/App Data folder, so go back into Safe Mode with Command Prompt and enable the system Administrator account. Restart into Safe Mode with Networking and log into that account. Manually delete anything abnormal in that folder. If you can get online, try ComboFix. You might have better luck this way.
Mitchell Horton
August 7, 2014 7:04:25 AM
Calaghan Grainger said:
Wow, um, okay, well it does work because I've cleaned this infection before. FYI, maybe you should structure your post better, as this post seems like you're asking for help and using the world's most useless fix for it. BTW I never mentioned safe mode (because you said anything that runs in safe mode is affected). Besides, you would have known that if you saw JRT, buddy. It does not run in safe mode and prompts you to boot regularly. So you read before answering. And you say you're an IT Professional.
Saga Lout said:
The problem might be resident in the All Users/App Data folder, so go back into Safe Mode with Command Prompt and enable the system Administrator account. Restart into Safe Mode with Networking and log into that account. Manually delete anything abnormal in that folder. If you can get online, try ComboFix. You might have better luck this way.
That's a very interesting thought. I don't think that's the answer, because I doubt sfc /scannow would have solved it, but I'll keep that on my list of ideas to investigate for this virus.
As long as sfc /scannow continues to work this is a 10 minute fix, plus ComboFix.
Saga Lout
Let us know how you get on. This variant hasn't reached England yet, at least not to any of my customers, but the original was bad enough. As you probably know, Safe Mode with Command Prompt often works when all the others fail, and if you can't enable the Admin account, you can sometimes get away with adding a new account.
As for sfc /scannow, as far as I'm aware that can't impact any file that isn't a) missing or corrupt or b) part of the MS structure.
Mitchell Horton
August 7, 2014 11:31:04 AM
Oh the problem was completely solved.
I used Safe Mode with CP to create a new administrator (I prefer that to the system admin profile; shouldn't really matter though) and then logged in with Safe Mode. This variant doesn't seem to automatically start in safe mode; it's triggered when an application runs. I tried deleting user files, and ctfmon, and every other file I could find that people had tied to this virus.
In the end the sfc /scannow seemed to solve the issue of it opening the lock page when applications opened in safe mode. I didn't have time to experiment around with it, really, but I believe I could have done that as the first step. This virus has always seemed to have a really easy fix once you knew it (safe mode, new account creation) and this looks like the same situation.
My suggestion would be to run your boot disc of preference and then sfc /scannow as your first line of defense; it's possible that AVG Boot's removal of files helped proc Windows into seeing the corrupted files.
But anyway! In summary:
1. If safe mode is ineffective in allowing you to run your AV programs, try sfc /scannow from Safe Mode with Command Prompt.
2. I believe the new set of corrupted files has to lie somewhere within the actual Windows files and folders; otherwise I don't believe sfc would have any effect at all, and it shut down the lockout page.
3. It IS possible that the boot disc I ran is an important step in this process. It doesn't feel like it, but I can't rule it out since that was my first step (even if it doesn't get the MoneyPak virus, I like not having to deal with other viruses at the same time).
4. Something I forgot to mention: Windows Update was damaged after this procedure, and I was forced to clear the update files and restart the service.
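The recovery sequence the thread settles on (a fresh administrator account created from Safe Mode with Command Prompt, sfc /scannow, then repairing the damaged Windows Update service) as an added PowerShell example. This is not code from the original thread or from any poster; the account name and password are placeholders, and the step that reads SFC's results out of CBS.log is an addition for verification that the thread itself does not mention.

```powershell
# Added example, not from the thread: the recovery steps the posts describe,
# run from an elevated prompt in Safe Mode with Command Prompt on Windows 7.
# Account name and password below are placeholders chosen for illustration.

$RecoveryUser = 'recoveryadmin'          # placeholder account name
$RecoveryPass = 'Replace-Me-Before-Use'  # placeholder; use a unique password

# 1. Clean local administrator account (the thread's "new administrator").
#    The alternative the thread mentions is enabling the built-in account,
#    shown commented out.
net user $RecoveryUser $RecoveryPass /add
net localgroup Administrators $RecoveryUser /add
# net user Administrator /active:yes

# 2. System File Checker: verifies protected Windows files against the
#    component store and replaces modified or corrupt ones. This is the step
#    the original poster reports stopped the lock screen from triggering.
sfc /scannow

# 3. Pull SFC's own result lines out of CBS.log so you can see what it
#    actually repaired. A repaired system binary is useful evidence of which
#    file had been tampered with, which the thread never identifies.
$cbsLog = Join-Path $env:windir 'Logs\CBS\CBS.log'
Select-String -Path $cbsLog -SimpleMatch '[SR]' |
    Select-Object -Last 40 |
    ForEach-Object { $_.Line }

# 4. Windows Update damage reported in the thread: stop the service, set the
#    download cache aside, restart. SoftwareDistribution is rebuilt on the
#    next service start.
net stop wuauserv
$sd = Join-Path $env:windir 'SoftwareDistribution'
if (Test-Path $sd) { Rename-Item -Path $sd -NewName 'SoftwareDistribution.old' }
net start wuauserv
```

Run it from the new account's elevated prompt after booting into Safe Mode with Command Prompt; the renamed SoftwareDistribution.old folder can be deleted once Windows Update is confirmed working again.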
Calaghan Grainger
August 7, 2014 9:43:35 PM
Saga Lout said:
The problem might be resident in the All Users/App Data folder, so go back into Safe Mode with Command Prompt and enable the system Administrator account. Restart into Safe Mode with Networking and log into that account. Manually delete anything abnormal in that folder. If you can get online, try ComboFix. You might have better luck this way.
Glad you got it fixed. I would have responded but I was swamped at work. What I personally would have done if safe mode was compromised was boot from a Linux live USB/CD and go into the folders and remove anything that way. I can assure you as well this was a new version I dealt with. I am wondering if I caught it before it actually did some real damage, because Windows refused to boot in a regular state, which is what forced me to enter safe mode in the first place. Also, something that is noteworthy: my version of Malwarebytes does not require installation; it runs directly off the USB, and as we know so do AdwCleaner and JRT.
Mitchell Horton
August 7, 2014 11:03:01 PM
Calaghan Grainger said:
Glad you got it fixed. I would have responded but I was swamped at work. What I personally would have done if safe mode was compromised was boot from a Linux live USB/CD and go into the folders and remove anything that way. I can assure you as well this was a new version I dealt with. I am wondering if I caught it before it actually did some real damage, because Windows refused to boot in a regular state, which is what forced me to enter safe mode in the first place. Also, something that is noteworthy: my version of Malwarebytes does not require installation; it runs directly off the USB, and as we know so do AdwCleaner and JRT.
"Going into the folders and removing anything" doesn't help if you don't know what to remove. I'd already deleted every file I could find a record of being associated with the virus.
And it wasn't installing anything that caused the problem; it was running applications. Rkill doesn't need to be installed, and Windows locked every time.
Please stop answering. You're either not reading, or not understanding what I'm posting, and after your insults, I'd rather not have your bad answers on this thread.
Saga Lout
Linux is good but it's not that good. Windows problems need access to the Registry to wipe these threats out manually.
I came to this thread because of an argument building up. Let's leave that behind us and we can all take something out of this experience for future dealings with this and other threats.
Calaghan Grainger
August 9, 2014 2:28:34 PM
Saga Lout said:
Linux is good but it's not that good. Windows problems need access to the Registry to wipe these threats out manually. I came to this thread because of an argument building up. Let's leave that behind us and we can all take something out of this experience for future dealings with this and other threats.
Agreed. I would rather not waste my time with this "IT Professional" anyways.
Mitchell Horton
August 9, 2014 3:32:13 PM
Saga Lout said:
Linux is good but it's not that good. Windows problems need access to the Registry to wipe these threats out manually. I came to this thread because of an argument building up. Let's leave that behind us and we can all take something out of this experience for future dealings with this and other threats.
Calaghan Grainger said:
Agreed. I would rather not waste my time with this "IT Professional" anyways.
And the insults keep coming.
Learn to read, child.