FBI Moneypak virus corrupting the profiles on our server
Hi,
This is my first post so, forgive me for any missing information, I will try to clear anything up as best as I can.
We, as an organization, are using Windows XP Pro and Symantec Endpoint Protection Version 11.0.7000.975, and recently we have been getting the dreaded FBI Moneypak virus on 2 computers. I've done some research and found ways listed to remove the virus (regedit, delete certain files on the infected computer, etc.). But the current version of the virus will still lock up the PC, not only when logging in as the main, probably infected, user but also as administrator, as well as in all of the safe modes. So I cannot open any of the utilities that I would normally use. What's more, if I log in as the infected user (let's call him patient 0, it sounds creepy and zombie-esque) on any other computer, now that computer is infected. So, while I still have to reformat the computer, because I can't do anything, I also have to rebuild patient 0's profile, because logging in as him will just bring the virus back.
It's really very infuriating.
Now, here's my question, or maybe my list of questions:
Does anyone know exactly which files in the profile this particular virus is using?
Is there a way to remove the virus, or at least be able to find and delete infected files while the computer is locked up?
Is there any way to find out which websites are infecting us?
Any help is truly appreciated.
Comments
Is your system infected? Symantec tools to help clear an infection
https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
hello,
You may try the suggested SERT. It can run via USB or media drive. Or maybe you already tried this?
Hi,
Can you enter safe mode?
If you answered yes, I'll go step by step through how to get rid of it manually.
hugs
Fabiano Pessoa
Systems Analyst - Forensic Expert
I am in safe mode
In safe mode I can't do anything; the Internet will not come up so I can download removal tools. Help.
Open a support ticket for identifying the suspicious file residing on the affected machine.
The removal tool will help; however, it's better to scan in safe mode. Do you know the threat name? Based on that you can download the removal tool.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Hi,
You can run this tool in safe mode with networking.
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Hi,
Kill processes ROGUE_NAME:
[random].exe
Delete files from the FBI Moneypak:
%Documents and Settings%\All Users\Application Data\[random]\[random].exe
%Documents and Settings%\All Users\Application Data\[random]\[random].mof
Remove FBI Moneypak registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "ConsentPromptBehaviorAdmin" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "ConsentPromptBehaviorUser" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "EnableLUA" = 0
hugs
Fabiano Pessoa
Systems Analyst - Forensic Expert
There are other versions of the FBI virus.
One of the most annoying allows safe mode with command prompt only. This means that you can do very little, but you can repair your PC from it.
To repair your PC, do the following:
1. Reboot, press F8.
2. Choose Safe Mode with Command Prompt.
3. Run explorer.exe.
4. Run regedit.
5. Search for all instances of the Shell variable. It should be under the Winlogon tree.
6. If the Shell variable is explorer.exe, keep it. If there is something more than explorer.exe, leave just explorer.exe. Note the other file name.
7. If the Shell variable is blank, leave it as is.
8. If it references some executable from the user's folders, note the name and replace it with explorer.exe.
9. Rename the file with the name you noted.
Fabiano Pessoa
Systems Analyst - Forensic Expert
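The two posts above name the registry locations this ransomware family tends to touch: the per-user and per-machine Policies\System values (DisableRegistryTools, DisableTaskMgr, EnableLUA, ConsentPromptBehavior*) and the Winlogon Shell value. The script below is an added example, not code from the thread or from Symantec: a read-only audit that reports which of those values are present and which deviate from what a clean machine shows. It assumes PowerShell (2.0 is available for XP SP3 via the Windows Management Framework) and an administrator session; it writes nothing to the registry.

```powershell
# Added example (not from the thread): read-only audit of the registry
# values named in the two posts above. It only reports; it never writes.
# Assumptions: run in an administrator PowerShell session on the affected
# machine, or on a clean machine with the suspect profile's hive mounted.

$userPolicy    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$winlogon      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userWinlogon  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Returns the value, or $null when the key or the value does not exist.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

$findings = @()

# These two live under HKCU, so they travel with the user's profile.
# A non-zero value is what stops Task Manager and regedit from opening.
foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
    $v = Get-RegValue $userPolicy $name
    if ($v -ne $null -and $v -ne 0) {
        $findings += "$userPolicy\$name = $v (restriction active)"
    }
}

# UAC-related values: only meaningful on Vista and later; on XP they are
# normally absent, which this reports as nothing to flag. A value of 0
# means the prompt or UAC itself has been switched off.
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser') {
    $v = Get-RegValue $machinePolicy $name
    if ($v -ne $null -and $v -eq 0) {
        $findings += "$machinePolicy\$name = 0 (UAC weakened)"
    }
}

# Winlogon Shell: the normal value is explorer.exe (case-insensitive).
# A per-user override under HKCU takes precedence over the HKLM value.
foreach ($path in $winlogon, $userWinlogon) {
    $shell = Get-RegValue $path 'Shell'
    if ($shell -eq $null) { continue }
    $trimmed = ([string]$shell).Trim()
    if ($trimmed -eq '') {
        $findings += "$path\Shell is blank (system falls back to the default shell)"
    } elseif ($trimmed.ToLower() -ne 'explorer.exe') {
        $findings += "$path\Shell = '$shell' (expected explorer.exe; note any extra executable)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No deviations found in the audited values.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Because the HKCU branch is stored in the profile's NTUSER.DAT, values set there follow a roaming profile to every machine the user logs on to, which fits the original poster's observation that logging in as the affected user on another computer reproduces the lockout. A profile that is not logged on can be examined from a clean machine by mounting its NTUSER.DAT with `reg load` and pointing `$userPolicy` and `$userWinlogon` at the mounted key instead of HKCU.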
Hello,
You could try running the SERT Utility, if you have access to Fileconnect, the SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively. The Consumer version of this tool is the Norton Bootable Recovery Tool. The tool is free, so there is no need for a Fileconnect account to download the software.
You could also try working on the steps provided below on collecting the suspicious files and submitting the same to the Symantec Security Response Team.
Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.
I would also recommend you to make sure you create a case with Symantec Technical Support.
You could either Create a Case OR contact Symantec Technical Support.
http://www.symantec.com/docs/TECH58873
How to update a support case and upload diagnostic files with MySupport
http://www.symantec.com/docs/TECH71023
OR
Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000
Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Agree with Mithun; as you cannot log in in safe mode, SERT is the tool you should use.
Additionally, you should really think about an upgrade to SEP 12.1. Ransomware and fake AVs are very hard to detect with signatures (because of the time gap) or traditional heuristic methods such as Bloodhound. Thousands of them are appearing every day, so signature-based detection lags behind, and heuristic detection is just overstrained; its hit ratio is far too low.
SEP 12.1 with its reputation database (Insight) is able to block files that aren't trustworthy, even if Auto-Protect or Bloodhound don't find anything. This is a good approach to strongly reduce the ransomware plague. It's not a panacea, but a step forward.
The problem is whether the vaccine is based on the "father" file of the malicious code;
this type of malicious code has many variations and is not a single virus.
Example: the model has 1, 2 and 3 of it.
hugs
Fabiano Pessoa
Systems Analyst - Forensic Expert
Hi all,
Just used the latest SERT disk (requires a PIN for use) on a system infected with the FBI MoneyPak ransomware. I made sure that the disk had the latest virus definitions and it still did not detect anything. Needless to say, I wasn't too impressed with SERT.
BTW, the client had SEP 12.1 RU1 installed with up to date AV definitions at the time of infection.
I was able to get into the system by launching several applications and command prompts before the FBI screen took over the system. Once that screen took over, using Ctrl-Alt-Del allows you to log out. With some luck, one of your applications will hang the logout process and you'll be prompted to force-quit the application. Instead, cancel the logout; the FBI screen will be gone, and you can now go about deleting files, registry entries, or use other tools to eliminate the virus.
I realize that morphing viruses make creating signatures difficult, but between the AV engine, Proactive Threat Protection, and SONAR, I'm disappointed that SEP could not detect and stop this thing.
Hello,
If Insight with the correct settings is running and clients can submit/receive Insight submissions, it may block due to the rating of the file.
You can also try to check with Norton Internet Security 2013, else it's better to create a technical case.
Regards,
Oykun
This new Security Response whitepaper about Ransomware will be of interest to followers of this thread:
With thanks and best regards,
Mick
This new Security Response blog post also adds some extra developments/details. Be informed!
With thanks and best regards,
Mick