FBI Moneypak virus reinfections

katz
This is the third time that this client has become infected with the FBI Moneypak virus. First time they were running Norton, second time I replaced w/ AVG free, and this time I have Trend Micro installed.

A couple in their mid 50's, no porn or music downloads, no nefarious browsing habits that I can see. Internet history reveals a few Equine sites/forums (they breed horses), a little bit of facebook, credit union/bank, USPS, weather, home & garden & general browsing habits like that.

Nothing obvious jumps out at me. Each time I have completely nuked the drive using Active Killdisk or similar & reinstalled OS from factory DVD's/Win 7.

They are very patient with me & haven't been accusatory with my service at all, but I kinda feel bad for them being bitten this frequently by the same virus that I know cannot survive the disk wipe.

Each time I back up their data (a few word docs & pics) run multiple scans on that backup on my bench pc, all comes up clean.

My only other thought is that they are possibly being reinfected by using a friend's USB drive - I'll have to ask if they do that.

I'm thinking of bringing out the big guns & installing Kaspersky on it this time. Or, will M-bytes or SAS catch this thing before infection if they use the paid version?

Any ideas/comments/suggestions?
 
You know some time ago a virus changed the DNS in my router (I know I left the default password on it). Anyhow, point being, I kept getting reinfected and it took me a day or two to figure it out. Something to check anyway. You also could disable Flash and Java to make sure they aren't getting it drive-by from there. External media, maybe a USB drive they back up to, or maybe more likely their email.
 
I'd start by going "upwards" in AV selections, not downward.

Also a strong possibility that it's remaining on their machine...coming back in a month or several months....so that they're not getting reinfected, it's just "still on their machine". (N/M noticed you nuked)

Web players all being correctly maintained? (java, flash, shockwave, PDF reader).
 
Good points Boston Pro.

We have a custom password set for the router, good idea to change it again though. I'll question them a bit more on their habits & see if I pick up on anything else that they may be doing to inadvertently re-infect.
 
Maybe the hubby has figured out porn mode! You should be able to tell from the files when they got infected, match that to the history and you have your culprit. If you can't match to history then there's more going on than meets the eye.
 
The other thing is I know you nuked and paved, but did you play in the IE temp or other browser temp folders? Maybe look by date, open some images, see if porn is in there, not to snoop but... Obviously the browser history too, but I find many people delete that before they bring it in lol, as if that really matters. Whenever I hear "I don't know where I got it" my mind hears "I was looking at porn" hahah
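The two posts above describe the same forensic move: find when the infection landed from file timestamps, then line that up with browser history. Here is an added example of that correlation (not code from anyone in this thread). The file list, the history entries, the paths and the 203.0.113.45 address are all constructed; the heuristic of treating the earliest file under the user's Temp or Roaming folders as the first artifact is an assumption for the example, and on a real drive you would feed it timestamps pulled from the filesystem and the exported browser history.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample: (path, creation time) for files found on the client drive.
# The .exe under the roaming profile stands in for the lock-screen dropper.
FILES: List[Tuple[str, str]] = [
    ("C:/Users/owner/Documents/foals2013.docx", "2013-03-02 09:15:00"),
    ("C:/Users/owner/AppData/Local/Temp/jar_cache1234.tmp", "2013-03-05 20:41:12"),
    ("C:/Users/owner/AppData/Roaming/suspect_lockscreen.exe", "2013-03-05 20:41:30"),
    ("C:/Users/owner/Pictures/stallion.jpg", "2013-03-06 11:02:00"),
]

# Constructed sample of exported browser history: (visit time, URL).
HISTORY: List[Tuple[str, str]] = [
    ("2013-03-05 20:30:05", "https://www.facebook.com/"),
    ("2013-03-05 20:38:44", "http://horse-forum.example/thread/12345"),
    ("2013-03-05 20:40:58", "http://ads.example-cdn.net/serve?id=77"),
    ("2013-03-05 20:41:09", "http://203.0.113.45/load.php"),
    ("2013-03-06 10:55:00", "https://www.usps.com/"),
]

# User-writable locations where drive-by downloads usually land first (assumption).
DROP_DIRS = ("/AppData/Local/Temp/", "/AppData/Roaming/")

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, TS_FMT)


def first_artifact(files: List[Tuple[str, str]]) -> Optional[Tuple[datetime, str]]:
    """Earliest file created under one of the drop directories, or None."""
    candidates = [(parse_ts(ts), path) for path, ts in files
                  if any(d in path for d in DROP_DIRS)]
    return min(candidates) if candidates else None


def visits_before(history: List[Tuple[str, str]], when: datetime,
                  window_minutes: int = 15) -> List[Tuple[str, str]]:
    """History entries in the window leading up to `when`, oldest first."""
    start = when - timedelta(minutes=window_minutes)
    hits = [(ts, url) for ts, url in history if start <= parse_ts(ts) <= when]
    return sorted(hits)


def infection_timeline(files: List[Tuple[str, str]], history: List[Tuple[str, str]],
                       window_minutes: int = 15) -> Optional[Dict[str, object]]:
    """Tie the first dropped artifact to the page visits that preceded it."""
    artifact = first_artifact(files)
    if artifact is None:
        return None
    when, path = artifact
    return {
        "artifact": path,
        "created": when.strftime(TS_FMT),
        "visits": visits_before(history, when, window_minutes),
    }


if __name__ == "__main__":
    result = infection_timeline(FILES, HISTORY)
    if result is None:
        print("no artifact under drop directories; widen the search")
    else:
        print(f"first artifact: {result['artifact']} at {result['created']}")
        for ts, url in result["visits"]:
            print(f"  {ts}  {url}")
```

If the window before the first artifact is empty, that is the "more going on than meets the eye" case from the post above: the history was cleared, the timestamps were tampered with, or the entry point was not the browser at all (email attachment, removable media, another host on the LAN).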
 

Might be coming from e-mail.

A lot of "junk" out there and people still open them........"Just to see what's there".

Make sure they know how to use their e-mail securely.

Kids....Grandkids......do any of them have access to this computer? There are a lot of smart "kids" that know how to cover their tracks, so Mom, Dad, Grandma or Grandpa don't see what they are doing.

If others are using it, set up a separate limited account for them to use.

If using Java, Flash, and/or Adobe Reader, make sure they are set to auto update and let the customer know to let them update. When these come back are they up to date? I've seen people "confused" about what to update and what is legit....so they ignore them all.

I don't think I've ever seen a fully patched, fully updated, "good" virus protected computer come in. I'm sure they exist, I just don't remember any.
Also, are they using a "limited" account.......might be installing something without knowing it.
 
Full of great advice. I have had viruses that have done some of what every person said. It is easy to forget about the router. E-mails that look like secure messages are easy to fake for the average computer user.

Even if they have another computer on the network that could be the carrier.
 
...Even if they have another computer on the network that could be the carrier.

Good point! I recall seeing a post about this virus infecting an entire office network not too long ago. Completely possible another computer on the network is causing the reinfection.
 
Good discussion, all great points.

There was very little in the temp folders, I went all over the pc, checking hidden files, etc.. Nothing to be found. I am pretty sure the hubby is not porn surfing. This is a laptop that they use maybe a few times a week, it is the only one in the house.

They are using a web-based email - the one that Hugesnet provides, but they may be clicking on everything; will have to go over that practice with them to be sure they delete the garbage without first opening it.

There is a neighbor, mid 50's woman that "knows a little about computers" that gives the owner facebook tips & other internet/computing tips. That could be a problem I suppose.

Owner says she doesn't share USB drives w/ anyone, doesn't bring drives home from work, and doesn't really install any programs - in fact, the pc hardly looks touched, software-wise, since I last serviced it.

I'm going to install Kaspersky, and I'm thinking of going with Malwarebytes Pro for additional real-time security.
 
I'm a BitDefender guy myself, of course that could be because I was able to buy 2013 licenses for thirteen cents a few months back. I find that BitDefender Internet Security does a fantastic job on my clients with recurrent issues. (Teenagers on facebook, usually.) However I've got one client who runs a mechanic shop with an ancient system, and his techs are bad about clicking crap. The machine is a nightmare because his franchise software runs a full fledged SQL server on this ancient hardware, and wants constant realtime updates.

The solution I worked out for him was actually BitDefender + MalwareBytes Pro....I haven't had any clients run MBP and get new infections of the web-based garbage from ads/flash/etc.

Besides, lifetime licenses are regularly available for ~$11, and resell on them is at least $30.
 
I recently ran into this virus. It's nasty. I ran Malwarebytes and my AV on full scans, then used HitmanPro. It helped wipe the fake AV off and let me use Windows again. Oh, I also cleaned out all the registry crap associated with it.

It came up right after a Java security warning came up that asked you to update Java for security purposes.
 
I have removed this type of virus on over 20 machines in the last few months and have seen it go through every antivirus out there, except Kaspersky. Matter of fact, the first thing I do to remove these types of viruses is slave their hard drive to my bench machine and scan it with Kaspersky.
 
Anyone know how it infects systems beside how I mentioned?

I don't think the warning to update Java caused it UNLESS the warning was at the time you visited a website and a popup told you to do it. Many "You need to update...." when you visit a website are just popups that never check your machine in the first place but were tricks from websites to get you to download and install something nasty.

Real Java updates are usually triggered by a scheduled task or a memory/startup resident task, not because Java somehow figured out you should. On rare occasions an installed version might need to be updated because of a version issue, but it would not update from a virus source.
 
I'm installing KAV Internet security on the pc as we speak...Of course, this is after I ran into that little snafu with Kaspersky & their danged "incompatible region software" nonsense... :rolleyes:

KAV was no help - fortunately the co. that I purchased the software from offered me another version.

Never had that occur with another software. Too much more of that & I would dump Kav like a hot rock...I don't need that aggravation.
 
lol I had a customer recently who admitted to me, "I think I broke it because I was watching porn." Cracked up so hard :D
 