MoneyPak FBI

It looks like I have finally ended up infected by a variation of this virus. It hasn't locked up my PC, but the page pops up whenever I try and run a Flash video and then it locks my browser. I have run all the suggested programs and have attached all the logs to this post.

Here is the Malwarebytes log attached to this reply. In addition to the steps you folks recommend here, I also ran a boot-time scan via my Avast free version. I also ran SuperAntiSpyware.

Hi, nothing visible; however, it may be in the Flash cache, so we will clear that.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-1214440339-573735546-682003330-1003\..\SearchScopes\{82B414F3-4753-43A2-A48A-DED78C053CBD}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289075&CUI=UN38090957521340263&UM=2
[2013/12/04 04:01:50 | 000,014,838 | ---- | M] () (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\17s3ccna.default\extensions\flvmoviesdownloader@rzll.xpi

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I'm at work now. When I get home I'll do that scan. Should I log into safe mode with networking to run the scan?

No requirement for that.

Here's the log you requested and also the log that was generated after I ran the fix you recommended. The OTL fix would not run under normal Windows. Whenever I tried running the OTL fix under normal Windows it froze completely. I had to reboot in safe mode with networking in order to run the OTL fix. I also can only run AdwCleaner's clean process during safe mode with networking as well. I can scan just fine with AdwCleaner, but when I go to try using the clean option once its scan is complete it freezes. So far I am still getting that pop-up website like the other version of the MoneyPak FBI warning viruses. Whenever I try and run a Flash video it will pop up. But now it only seems to happen on some Flash video or tube sites while it doesn't happen on others.

Edit To Add:

Everything I have been able to find out about this MoneyPak, Mandiant, or ICE virus (since it seems to be called all three depending on what you read or what version you have) says that it typically locks up one's PC completely. All I have gotten from it is that it occasionally shows up as a browser pop-up in a separate window on some Flash video or tube sites when I click on a video. But it doesn't seem to do it on every tube site I go to and it has never locked up my PC. At worst it has forced me to close and restart my Firefox browser. Other than that my PC is running just fine without any problems. So it's got me wondering whether I am actually infected with it or if it is something that some sites are just throwing up as pop-ups hoping some moron will click on it and purposely infect their system. So far I seem to be the only one I know who only has this problem as an occasional browser pop-up window occurring, as I said, on only some sites while not on others. Just food for thought, because if it's just a matter of it showing up from certain sites then I just won't go to those sites.

There is something not quite right though… Run this programme from safe mode as well.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Here's the ComboFix text log you requested. I ran it in safe mode. My PC is still running fine. I didn't attempt to return to any of the tube sites I had received that pop-up from yet though.

I am still getting that pop-up window on some tube sites, but it isn't locking up my browser. I also ran every other scan I could with all of the other programs I listed earlier in this topic again last night while I slept and they didn't find anything. They are all up to date. So far just restarting my browser by Ctrl+Alt+Delete, and then restarting it, closes that pop-up. Other than that pop-up, everything else on my PC seems to be running fine.

Nothing showing on the log… Is it on specific sites or just any at random?

Seems to be on specific sites.

Could you give me one example so that I can visit… Please break the link to read hxxp or something similar.

I think I'll just do a format and reload at this point. I've gotten tired of hunting this problem down.

I tried going back to the sites I have had that pop-up come up on before, and I saved the link of the particular video I clicked on and loaded. The Flash does seem to bring some regular pop-ups whether it's a porn tube I am on or not, and those I always just click closed. So when I clicked on the video and a regular pop-up came up, I clicked and closed it, and the next window that popped up was the FBI one, which is how this has been occurring since the first time it happened.

So then I Ctrl+Alt+Deleted to close down my browser and restarted it, put that saved link to the video I just had the FBI window pop up on into the address bar and navigated to that same video, and did the same thing I did before by closing the first regular pop-up windows that popped up, but the FBI window didn't come up that time, nor did it the next 4 times I repeated that process. I went to another site and tried the same thing and the FBI window came up; then I repeated the same process again and went back and it didn't happen. That leads me to believe now that this issue is not specific to any site.

I initially thought it was only a couple of sites that it was happening on, but it's random and doesn't happen on the same sites every time I go to them. One time it happens on one, and then when I go back it doesn't happen. My guess is that it really must be something buried pretty deep in my system rather than any external bad code on a site.

It still bothers me that I couldn't run AdwCleaner's "clean" option or the OTL fix you suggested in normal Windows and had to resort to safe mode with networking in order to get the clean and the fix to run properly. Makes me think something on my system was preventing it. So since none of the logs are showing anything, I am guessing I am overdue for a format and reload, which is what I will be doing this weekend.

Thanks for your help essexboy. The programs you had me run are surely going to be saved again once my format/reload is done, just in case I need them in the future.

The programmes are updated regularly, so I would suggest you save the links and then download as needed :)

Let me know how the format goes and if it cures the problem.

Well, my format/reload is done and my system is fine now. I don't get that window popping up at all anymore and my system comes up as clean with all my scans. So clearly whatever was causing that pop-up window was buried deep in my system somewhere. Before formatting and reloading I ran Darik's Boot and Nuke to completely wipe my drive. My format/reload was initially problematic though, due to the fact that Windows Update for XP SP3 now seems to have issues for most people still running it. Apparently, since Microsoft is discontinuing support for it completely in less than a month, there is no fix for it. But even though I couldn't update via Windows Update, my automatic updates running in the background for a couple of days did manage to download all the current updates for it.

Even though my system is clean and running fine now, I will still be upgrading to Windows 7 soon.

It is advisable, as XP will become the target of choice soon.