FBI virus

Page 1 of 2

FBI virus

Post by Celina268 on Fri Jan 25, 2013 7:17 pm

We are infected with the FBI virus. I cannot start in safe mode. I know I need a boot disc so I am out buying a CD and flash now. After that, I have no idea how to make a boot disc or what to do next. Of course this happens with my presentation due Monday!!! Thank you for your help! (We have a Windows 7 desktop.)

Celina268 (Intermediate)
Posts: 175
Joined: 2010-07-04
OS: Windows 7

Re: FBI virus

Post by Superdave on Fri Jan 25, 2013 7:27 pm

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the Shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
Download [You must be registered and logged in to see this link.] and save it to a flash drive.

Depending on your type of system, you will have to select 32-bit or 64-bit accordingly. [You must be registered and logged in to see this link.]

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

      Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt


  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.


Superdave (Captain)
Posts: 4202
Joined: 2010-02-01
OS: Windows 8.1 and a dual-boot with XP Home SP3
Protection: MSE, Windows Defender, Windows firewall

Re: FBI virus

Post by Celina268 on Fri Jan 25, 2013 10:10 pm

When I did that, the computer response was "The subsystem needed to support the image type is not present." I used a CD. I tried a flash, but the computer would not recognize it was there.


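The instructions above say to pick the 32-bit or 64-bit FRST build to match the system, and the error just reported ("The subsystem needed to support the image type is not present") is what a 64-bit WinRE/WinPE prints when asked to run a 32-bit program, because the recovery environment ships without the WoW64 layer. The script below is an added example, not part of the thread or of the Farbar tool: it reads the Machine field of the PE file header so you can tell which build you copied to the disc without running it. The two sample executables it builds are constructed header stubs, not real FRST binaries.

```python
"""Report the architecture of a Windows PE file from its COFF header (added example)."""
import struct
import sys

# IMAGE_FILE_HEADER.Machine values (winnt.h)
MACHINE_NAMES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0x01C4: "ARM Thumb-2",
    0xAA64: "ARM64",
}


def pe_machine(data: bytes):
    """Return the Machine value of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the "PE\0\0" signature
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def describe(data: bytes) -> str:
    machine = pe_machine(data)
    if machine is None:
        return "not a PE file"
    return MACHINE_NAMES.get(machine, f"unknown machine 0x{machine:04x}")


def runs_in_winre(data: bytes, winre_is_64bit: bool) -> bool:
    """64-bit WinRE runs x64 images only; 32-bit WinRE runs x86 images only."""
    return pe_machine(data) == (0x8664 if winre_is_64bit else 0x014C)


def make_stub_pe(machine: int) -> bytes:
    """Constructed minimal DOS header + PE signature + COFF header (not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)  # Machine, remaining COFF fields zeroed
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Usage: python pe_arch.py frst.exe frst64.exe
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        print(f"{path}: {describe(data)}; runs in 64-bit WinRE: {runs_in_winre(data, True)}")
```

On a Windows 7 x64 install the built-in recovery environment is 64-bit, so only the build that reports "x64 (64-bit)" will start from its command prompt.
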
Re: FBI virus

Post by Celina268 on Fri Jan 25, 2013 10:15 pm

I put the flash in the laptop; it's shot. Brand new too. Dang virus. We'll have to rely on CDs from now on. I am out of flashes.


Re: FBI virus

Post by Celina268 on Fri Jan 25, 2013 10:32 pm

I should also note that when I open the disc in the infected computer, it's empty, but if I check it on a non-infected computer, it shows the Farbar Recovery Scan Tool.


Re: FBI virus

Post by Superdave on Fri Jan 25, 2013 11:15 pm

Ok. Let's try a different recovery disk.

We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

Download the OTLPE Standard REATOGO Windows Recovery Environment.

  • Place a blank CD-R disc in to your CD burning drive.
  • Download [You must be registered and logged in to see this link.] and double-click on it to burn to a CD using an ISO Burner. One can be found [You must be registered and logged in to see this link.]
  • Reboot your system using the boot CD you just created.
  • Note : If you do not know how to set your computer to boot from CD follow the steps [You must be registered and logged in to see this link.]
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
  • Change Drivers to Non-Microsoft
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\_OTL\MovedFiles
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.



Re: FBI virus

Post by Celina268 on Sat Jan 26, 2013 4:59 am

OK, I can't get it to boot from the CD more than once (I don't think, anyway). I get to the boot screen by pressing F12, and I get a screen that says Please select boot device:
ST3750528AS
HL-DT-ST DVDRAM GH41N
Generic- Compact
Generic- SM/xD-Picture
Generic- SD/MMC
Generic- MS/MS-Pro/HG
Generic- SD/MMC/MS/MSPRO

I chose the DVDRAM one and it brought me to the Windows login. I put in my password... and it white-screened and gave me the FBI thing again. Sooooo, I don't know what I did wrong. I have the burnt CD with the OTLPE on it in the drive. Ugh. I am getting frustrated now.


Re: FBI virus

Post by Celina268 on Sat Jan 26, 2013 5:02 am

I can tap F8 too, try opening in safe mode, and the same thing happens.


Re: FBI virus

Post by Superdave on Sat Jan 26, 2013 7:22 pm

Please try your OTLPE recovery disk in another computer to see if it was created correctly.


Re: FBI virus

Post by Celina268 on Sat Jan 26, 2013 11:20 pm

When I put it in my laptop, it loads and opens and you can see the FRST Farbar file, so I assume it burned onto the disc. It's there when I put it in the laptop.


Re: FBI virus

Post by Superdave on Sat Jan 26, 2013 11:25 pm

Celina268 wrote: When I put it in my laptop, it loads and opens and you can see the FRST Farbar file, so I assume it burned onto the disc. It's there when I put it in the laptop.
If you're going with the Farbar Recovery Scan Tool you will need to use a flash drive.
If you use the OTLPE recovery disk you can use a disc.


Re: FBI virus

Post by Celina268 on Sat Jan 26, 2013 11:30 pm

Blech, I had something else in there. The OTLPE didn't burn right. I am trying again.


Re: FBI virus

Post by Superdave on Sat Jan 26, 2013 11:48 pm

Celina268 wrote: Blech, I had something else in there. The OTLPE didn't burn right. I am trying again.
Remember, the OTLPE is an ISO image and will need to be burned using an ISO image burner. There is one in the instructions.


Re: FBI virus

Post by Celina268 on Sat Jan 26, 2013 11:51 pm

I have burned it twice, with Active ISO Burner.


Re: FBI virus

Post by Celina268 on Sat Jan 26, 2013 11:54 pm

The first time I burned it, I went through the files and added it to the spot. The second time I burned it I dragged it from the desktop into the burner. Each time it said it burned successfully and ejected. When I open the CD there isn't anything in there. I don't have rewritables (and I only have 2 CDs left). I tried to reuse the CD but it won't let me, so there is something on it.


Re: FBI virus

Post by Superdave on Sun Jan 27, 2013 12:18 am

Celina268 wrote: The first time I burned it, I went through the files and added it to the spot. The second time I burned it I dragged it from the desktop into the burner. Each time it said it burned successfully and ejected. When I open the CD there isn't anything in there. I don't have rewritables (and I only have 2 CDs left). I tried to reuse the CD but it won't let me, so there is something on it.
That's why I always use RWs. You will know it is burned correctly when you can boot your computer with the disk. Don't forget you may have to re-configure your BIOS to boot from the disk.


Re: FBI virus

Post by Celina268 on Sun Jan 27, 2013 12:34 am

How will I know it's booting through the disc properly? I did that last night, changed the BIOS to boot from DVDRAM, but I think it only let me do it once. Each time I tried to restart, I had to re-configure again. Also, I only get one screen (I posted previously) and pick DVDRAM. That's correct, right? The other question I have is I wasn't sure when to place the CD in the infected computer since it's off and has to boot through the disk and I have to reconfigure it to reboot through the disk, and all that. So those steps might be helpful. What was happening was after I re-configured, it went right to my login screen. I wasn't sure if it should have restarted itself to boot through the disk or not??


Re: FBI virus

Post by Superdave on Sun Jan 27, 2013 1:18 am

Celina268 wrote: How will I know it's booting through the disc properly? I did that last night, changed the BIOS to boot from DVDRAM, but I think it only let me do it once. Each time I tried to restart, I had to re-configure again. Also, I only get one screen (I posted previously) and pick DVDRAM. That's correct, right?
Yes, your BIOS should always be set to boot from the disk drive.
Celina268 wrote: The other question I have is I wasn't sure when to place the CD in the infected computer since it's off and has to boot through the disk and I have to reconfigure it to reboot through the disk, and all that.
You should place the disk in the drive, then re-boot.


Re: FBI virus

Post by Celina268 on Sun Jan 27, 2013 1:57 am

OK, I inserted the CD, which I believed burned correctly, and booted the infected computer and did NOT get REATOGO-X-PE, so I am thinking it didn't burn correctly. (I inserted the CD, made sure it was booting from DVDRAM, and shut it down and turned it back on. When I turned it on it came to my login screen, I entered my password and then it acted like it was going to my desktop and turned white again.) I think I may need a different ISO burner. Or maybe I am not using the burner correctly. With the ISO link, which one would you pick?


Re: FBI virus

Post by Superdave on Sun Jan 27, 2013 3:02 am

Celina268 wrote: I think I may need a different ISO burner. Or maybe I am not using the burner correctly. With the ISO link, which one would you pick?
Imgburner is my favourite burner. Just double-click on the OTLPE file and it should load Imgburner and then burn the ISO.


Re: FBI virus

Post by Celina268 on Sun Jan 27, 2013 4:47 am

OK, I've downloaded Imgburner. I've never used this one before. When I double click on OTLPE it comes up with a box that wants me to run or cancel. If I open Imgburner I have the option(s) to "write image file to disk" or "write files/folders to disk" (and the others, which I am sure you are versed in). I didn't choose an option since I haven't used this before. Can I drag OTLPE into Imgburner? Or is there a different way to burn it?


Re: FBI virus

Post by Superdave on Sun Jan 27, 2013 7:20 pm

Celina268 wrote: OK, I've downloaded Imgburner. I've never used this one before. When I double click on OTLPE it comes up with a box that wants me to run or cancel. If I open Imgburner I have the option(s) to "write image file to disk" or "write files/folders to disk" (and the others, which I am sure you are versed in). I didn't choose an option since I haven't used this before. Can I drag OTLPE into Imgburner? Or is there a different way to burn it?
You need to choose "write image file to disk" because it's an ISO file. Double-click on the OTLPE file and it will open Imgburner and the ISO file path will be there at the top. Insert your disk and click "write" at the bottom.


Re: FBI virus

Post by Celina268 on Sun Jan 27, 2013 10:24 pm

When I double click on OTLPE it says "invalid or unsupported image file format"


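Two different things went wrong with the disc in the posts above: an ISO written to the CD as a file (which gives a data disc that never boots, so the machine falls straight through to the infected Windows login) and a download that the burner rejected as "invalid or unsupported image file format". The script below is an added example, not part of the thread, OTLPE or ImgBurn: before burning, it confirms the file is an ISO 9660 image, locates the El Torito Boot Record Volume Descriptor, follows it to the boot catalog and validates the catalog checksum and the default entry's boot indicator. The offsets are those of the ISO 9660 and El Torito specifications. The sample image is constructed in memory by build_sample_image() (20 sectors holding only the descriptors and catalog) and is not a real recovery disc.

```python
"""Check a disc image for an El Torito boot record and a valid boot catalog (added example)."""
import struct
import sys

SECTOR = 2048
DESC_START = 16                      # ISO 9660: volume descriptor set starts at sector 16
BOOT_SYSTEM_ID = b"EL TORITO SPECIFICATION"


def find_boot_catalog(image: bytes):
    """Walk the volume descriptor set; return the boot catalog LBA, or None."""
    sector = DESC_START
    while (sector + 1) * SECTOR <= len(image):
        desc = image[sector * SECTOR:(sector + 1) * SECTOR]
        dtype, ident = desc[0], desc[1:6]
        if ident != b"CD001":
            return None              # not ISO 9660, or descriptor area damaged
        if dtype == 255:
            return None              # set terminator reached, no boot record
        if dtype == 0 and desc[7:39].rstrip(b"\0") == BOOT_SYSTEM_ID:
            return struct.unpack_from("<I", desc, 71)[0]   # bytes 71-74: catalog LBA
        sector += 1
    return None


def validation_entry_ok(entry: bytes) -> bool:
    """Header ID 0x01, key bytes 0x55 0xAA, and all 16-bit LE words sum to 0 mod 2**16."""
    return (entry[0] == 0x01 and entry[30:32] == b"\x55\xAA"
            and sum(struct.unpack("<16H", entry[:32])) % 0x10000 == 0)


def inspect_image(image: bytes) -> dict:
    """Return a report; 'bootable' is True only when every check passes."""
    report = {"iso9660": False, "boot_record": False, "catalog_valid": False, "bootable": False}
    pvd = DESC_START * SECTOR
    report["iso9660"] = len(image) > pvd + 6 and image[pvd + 1:pvd + 6] == b"CD001"
    lba = find_boot_catalog(image)
    if lba is None:
        return report
    report["boot_record"] = True
    catalog = image[lba * SECTOR:lba * SECTOR + 64]
    if len(catalog) < 64:
        return report
    validation, default = catalog[:32], catalog[32:64]
    if validation_entry_ok(validation):
        report["catalog_valid"] = True
        report["platform"] = {0x00: "x86 BIOS", 0xEF: "UEFI"}.get(validation[1], hex(validation[1]))
        report["bootable"] = default[0] == 0x88          # 0x88 = bootable, 0x00 = not bootable
    return report


def build_sample_image(bootable: bool = True) -> bytes:
    """Constructed 20-sector image: PVD at 16, boot record at 17, terminator at 18, catalog at 19."""
    img = bytearray(20 * SECTOR)

    def put_descriptor(sector: int, dtype: int, body: bytes = b"") -> None:
        off = sector * SECTOR
        img[off] = dtype
        img[off + 1:off + 6] = b"CD001"
        img[off + 6] = 1                                   # descriptor version
        img[off + 7:off + 7 + len(body)] = body

    catalog_lba = 19
    put_descriptor(16, 1)                                  # primary volume descriptor
    put_descriptor(17, 0, BOOT_SYSTEM_ID.ljust(32, b"\0") + b"\0" * 32 + struct.pack("<I", catalog_lba))
    put_descriptor(18, 255)                                # set terminator
    validation = bytearray(32)
    validation[0], validation[1] = 0x01, 0x00              # header ID, platform = 80x86
    validation[4:11] = b"EXAMPLE"                          # developer ID string
    validation[30], validation[31] = 0x55, 0xAA
    partial = sum(struct.unpack("<16H", bytes(validation))) % 0x10000
    struct.pack_into("<H", validation, 28, (-partial) % 0x10000)   # checksum word makes the sum zero
    default = bytearray(32)
    default[0] = 0x88 if bootable else 0x00                # boot indicator
    default[1] = 0x00                                      # no emulation
    struct.pack_into("<H", default, 6, 4)                  # sector count of the boot image
    struct.pack_into("<I", default, 8, 20)                 # load RBA (outside this stub; not followed)
    off = catalog_lba * SECTOR
    img[off:off + 32] = validation
    img[off + 32:off + 64] = default
    return bytes(img)


if __name__ == "__main__":
    # Usage: python check_iso.py OTLPEStd.iso
    with open(sys.argv[1], "rb") as fh:
        print(inspect_image(fh.read()))
```

If "iso9660" comes back False the file is not a disc image at all (an installer or archive, for instance), and no burner will accept it as one; if "bootable" is False but "iso9660" is True, the file is a data image and writing it with "write image file to disk" still produces a disc the BIOS will skip.
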
Re: FBI virus

Post by Celina268 on Sun Jan 27, 2013 10:49 pm

OK.... I don't know why I decided to try, but I decided to try booting the infected computer in safe mode with command prompt and it did! I typed 'explorer' in the command prompt (because I remember that from somewhere) and now I sit waiting. I don't want to do anything because I have no idea what to do next, but I am in a safe mode. I hope you're back soon!


Re: FBI virus

Post by Superdave on Sun Jan 27, 2013 11:02 pm

OK. Please try running this in Safe Mode. If successful, try running it in Normal Mode.

Malwarebytes' Anti-Malware (MBAM)

If you already have Malwarebytes be sure to check for updates before scanning!


Download [You must be registered and logged in to see this link.] and save it to your desktop. [You must be registered and logged in to see this link.]

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If you encounter any problems while downloading the updates, manually download them from [You must be registered and logged in to see this link.] and just double-click on mbam-rules.exe to install.

  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to a convenient location like the Desktop.
  • The log is also automatically saved and can be viewed later by clicking the Logs tab in MBAM.

Copy and paste the contents of the report in your reply.

  • Exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Re: FBI virus

Post by Celina268 on Sun Jan 27, 2013 11:57 pm

I got the scan to run in safe mode and it is currently running the scan in normal mode. I'll post the logs when it's finished. I am debating whether to risk going online on the infected comp since I don't have a flash. I do, but for some reason the infected comp isn't recognizing them. I know the USB port is working because I can plug the mouse in there and it works, but any flash, and it doesn't recognize it. I wonder if that was maybe what was happening when I was trying the Farbar a few days ago.


Re: FBI virus

Post by Celina268 on Mon Jan 28, 2013 12:02 am

First scan in safe mode:

Malwarebytes Anti-Malware 1.70.0.1100
[You must be registered and logged in to see this link.]

Database version: v2013.01.21.07

Windows 7 Service Pack 1 x64 NTFS (Safe Mode)
Internet Explorer 9.0.8112.16421
Clark :: CLARK-PC [administrator]

1/27/2013 5:26:21 PM
mbam-log-2013-01-27 (17-26-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 247029
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|shell (Hijack.Shell.Gen) -> Data: C:\Users\Clark\AppData\Roaming\ldr.mcb,explorer.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\$RECYCLE.BIN\S-1-5-21-464309943-274483538-4150013216-1000\$8a464240e4dd03d2d33472ab5ca05a42\n (Trojan.0Access) -> Delete on reboot.
C:\Users\Clark\AppData\Local\Temp\97846993.exe (Backdoor.0Access) -> Quarantined and deleted successfully.
C:\Users\Clark\AppData\Local\Temp\msimg32.dll (Backdoor.0Access) -> Quarantined and deleted successfully.
C:\Users\Clark\Local Settings\Application Data\Temp\97846993.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.


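The one registry hit in the log above is the whole lock screen: the per-user value HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell was set to "C:\Users\Clark\AppData\Roaming\ldr.mcb,explorer.exe". Winlogon treats Shell (and Userinit) as a comma-separated list of programs to start at logon, so the loader ran ahead of explorer.exe at every sign-in. Normal boot and plain Safe Mode both honour that value; Safe Mode with Command Prompt starts cmd.exe instead of the Shell value, which is why that mode came up clean and typing "explorer" gave a usable desktop. The code below is an added example, not part of the thread or of Malwarebytes: it parses MBAM 1.x registry detection lines and classifies Shell and Userinit data from both hives. The registry snapshot and log excerpt are constructed sample data modelled on the log above; the Userinit check generalises beyond what the log shows, since that value uses the same list convention and is hijacked the same way.

```python
r"""Classify Winlogon Shell/Userinit values and parse MBAM registry detections (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Expected data for the two logon values (Windows 7 x64 defaults, lower-cased).
KNOWN_GOOD = {
    "shell": {"explorer.exe", r"c:\windows\explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe", "userinit.exe"},
}

# MBAM 1.x line format: <key>|<value> (<signature>) -> Data: <data> -> <action>
MBAM_REG_LINE = re.compile(
    r"^(?P<key>HK[A-Z]+\\[^|]+)\|(?P<value>\S+) \((?P<sig>[^)]+)\) -> Data: (?P<data>.+?) -> (?P<action>.+)$"
)


def parse_mbam_registry_values(log_text: str) -> List[Dict[str, str]]:
    """Extract the 'Registry Values Detected' lines from an MBAM log."""
    hits = []
    for line in log_text.splitlines():
        m = MBAM_REG_LINE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def split_logon_list(data: str) -> List[str]:
    """Split a Shell/Userinit value as Winlogon does: on commas, empty items dropped."""
    return [item.strip().strip('"') for item in data.split(",") if item.strip()]


def classify(hive: str, name: str, data: Optional[str]) -> dict:
    """Verdict for one Winlogon value.

    HKLM values must contain only the known-good program. An HKCU Shell or
    Userinit value should not exist at all on a workstation: it is a per-user
    override, suspicious even when it only names explorer.exe.
    """
    if data is None:
        return {"status": "absent", "extra": []}
    good = KNOWN_GOOD[name.lower()]
    extra = [p for p in split_logon_list(data) if p.lower() not in good]
    if extra:
        return {"status": "hijacked", "extra": extra}
    if hive.upper() == "HKCU":
        return {"status": "suspicious-override", "extra": []}
    return {"status": "ok", "extra": []}


def triage(registry: Dict[Tuple[str, str], str], mbam_log: str) -> dict:
    """Classify every (hive, value) pair and keep MBAM's own findings beside them."""
    verdicts = {f"{hive}\\{name}": classify(hive, name, data)
                for (hive, name), data in registry.items()}
    loaders = sorted({p for v in verdicts.values() for p in v["extra"]})
    return {"verdicts": verdicts, "loaders": loaders, "mbam_hits": parse_mbam_registry_values(mbam_log)}


# Constructed snapshot mirroring the infected machine: HKLM untouched, HKCU overridden.
SAMPLE_REGISTRY = {
    ("HKLM", "Shell"): "explorer.exe",
    ("HKLM", "Userinit"): r"C:\Windows\system32\userinit.exe,",
    ("HKCU", "Shell"): r"C:\Users\Clark\AppData\Roaming\ldr.mcb,explorer.exe",
}

# Constructed excerpt in the format of the MBAM log above.
SAMPLE_MBAM_LOG = r"""
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|shell (Hijack.Shell.Gen) -> Data: C:\Users\Clark\AppData\Roaming\ldr.mcb,explorer.exe -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REGISTRY, SAMPLE_MBAM_LOG)
    for key, verdict in result["verdicts"].items():
        print(key, verdict)
    print("loaders to collect before deleting:", result["loaders"])
```

The "loaders" list is the thing to grab for analysis before a cleaner quarantines it; here it names the ldr.mcb file that ComboFix later reports deleting.
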
Re: FBI virus

Post by Celina268 on Mon Jan 28, 2013 12:03 am

Second scan in Normal mode:

Malwarebytes Anti-Malware 1.70.0.1100
[You must be registered and logged in to see this link.]

Database version: v2013.01.21.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Clark :: CLARK-PC [administrator]

1/27/2013 5:53:43 PM
mbam-log-2013-01-27 (17-53-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 248450
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)


Re: FBI virus

Post by Superdave on Mon Jan 28, 2013 1:42 am

Celina268 wrote: ...but for some reason the infected comp isn't recognizing them.
If you disconnect your computer from the power supply for about 30 secs. that might fix that problem.
Celina268 wrote: I can plug the mouse in there and it works, but any flash, and it doesn't recognize it.
You should try it on another computer.

Download Combofix from any of the links below, and save it to your DESKTOP.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

To prevent your anti-virus application interfering with ComboFix we need to disable it. See [You must be registered and logged in to see this link.] for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


Re: FBI virus

Post by Celina268 on Mon Jan 28, 2013 2:45 am

Um, well....I have the log on the infected computer....I tried to open IE.....it's marked for deletion now. So, I can't get the log to you as easily. Windows is also marked for deletion. :/


Re: FBI virus

Post by Celina268 on Mon Jan 28, 2013 2:48 am

Sorry, I mean Firefox is also marked for deletion. Pretty much everything says, "Illegal operation attempted on a registry key that has been marked for deletion."


Re: FBI virus

Post by Superdave on Mon Jan 28, 2013 2:49 am

Celina268 wrote: I tried to open IE..... it's marked for deletion now. So, I can't get the log to you as easily. Windows is also marked for deletion. :/
Re-boot and that problem should go away.


Re: FBI virus

Post by Celina268 on Mon Jan 28, 2013 2:53 am

I was just typing that when it said a new message was posted and to review to see if I wanted to still post.


Re: FBI virus

Post by Celina268 on Mon Jan 28, 2013 2:56 am

And, it worked. The ComboFix log:

ComboFix 13-01-27.03 - Clark 01/27/2013 20:10:30.5.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5887.4647 [GMT -6:00]
Running from: c:\users\Clark\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\$recycle.bin\S-1-5-21-464309943-274483538-4150013216-1000\$8a464240e4dd03d2d33472ab5ca05a42\@
c:\$recycle.bin\S-1-5-21-464309943-274483538-4150013216-1000\$8a464240e4dd03d2d33472ab5ca05a42\U\00000001.@
c:\$recycle.bin\S-1-5-21-464309943-274483538-4150013216-1000\$8a464240e4dd03d2d33472ab5ca05a42\U\80000000.@
c:\$recycle.bin\S-1-5-21-464309943-274483538-4150013216-1000\$8a464240e4dd03d2d33472ab5ca05a42\U\800000cb.@
c:\users\Clark\AppData\Local\MSoft
c:\users\Clark\AppData\Local\MSoft\VerCheck\NDde.dll
c:\users\Clark\AppData\Roaming\ldr.mcb
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-12-28 to 2013-01-28 )))))))))))))))))))))))))))))))
.
.
2013-01-28 02:24 . 2013-01-28 02:24 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{42147B49-CDDA-43C8-9A03-6D5742755EFA}\offreg.dll
2013-01-28 02:21 . 2013-01-28 02:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-01-28 02:21 . 2013-01-28 02:21 -------- d-----w- c:\users\Mcx1-CLARK-PC\AppData\Local\temp
2013-01-28 02:21 . 2013-01-28 02:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-28 02:21 . 2013-01-28 02:21 -------- d-----w- c:\users\AppData\AppData\Local\temp
2013-01-28 00:00 . 2013-01-08 05:32 9161176 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{42147B49-CDDA-43C8-9A03-6D5742755EFA}\mpengine.dll
2013-01-16 07:18 . 2013-01-16 07:18 -------- d-----w- c:\users\Clark\AppData\Local\Unity
2013-01-09 14:25 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll
2013-01-09 14:25 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-01-09 14:25 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe
2013-01-09 14:22 . 2012-11-20 05:48 307200 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-09 14:22 . 2012-11-20 04:51 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll
2013-01-09 14:22 . 2012-11-01 05:43 2002432 ----a-w- c:\windows\system32\msxml6.dll
2013-01-09 14:22 . 2012-11-01 05:43 1882624 ----a-w- c:\windows\system32\msxml3.dll
2013-01-04 16:22 . 2013-01-04 16:22 -------- d-----w- c:\users\Clark\AppData\Roaming\PDAppFlex
2013-01-04 16:07 . 2013-01-04 16:07 -------- d-----w- c:\users\Public\Roaming
2013-01-04 07:39 . 2013-01-04 07:39 -------- d-----w- c:\program files (x86)\Adobe Download Assistant
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-10 09:03 . 2011-08-03 15:47 67599240 ----a-w- c:\windows\system32\MRT.exe
2013-01-09 19:25 . 2012-11-12 16:40 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-09 19:25 . 2011-07-12 03:56 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-16 17:11 . 2012-12-22 09:00 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-22 09:00 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-22 09:00 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-22 09:00 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-14 22:49 . 2010-07-04 06:22 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-30 04:45 . 2013-01-09 14:24 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-11-14 07:06 . 2012-12-12 09:01 17811968 ----a-w- c:\windows\system32\mshtml.dll
2012-11-14 06:32 . 2012-12-12 09:01 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-11-14 06:11 . 2012-12-12 09:01 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 06:04 . 2012-12-12 09:01 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-11-14 06:04 . 2012-12-12 09:01 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 06:02 . 2012-12-12 09:01 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 06:02 . 2012-12-12 09:01 237056 ----a-w- c:\windows\system32\url.dll
2012-11-14 05:59 . 2012-12-12 09:01 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-11-14 05:58 . 2012-12-12 09:01 816640 ----a-w- c:\windows\system32\jscript.dll
2012-11-14 05:57 . 2012-12-12 09:01 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 05:57 . 2012-12-12 09:01 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 05:55 . 2012-12-12 09:01 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-11-14 05:55 . 2012-12-12 09:01 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-11-14 05:53 . 2012-12-12 09:01 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-11-14 05:52 . 2012-12-12 09:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-14 05:46 . 2012-12-12 09:01 248320 ----a-w- c:\windows\system32\ieui.dll
2012-11-14 02:09 . 2012-12-12 09:01 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-11-14 01:58 . 2012-12-12 09:01 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-11-14 01:57 . 2012-12-12 09:01 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-11-14 01:49 . 2012-12-12 09:01 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-11-14 01:48 . 2012-12-12 09:01 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-11-14 01:44 . 2012-12-12 09:01 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-11-09 05:45 . 2012-12-12 02:26 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-09 04:42 . 2012-12-12 02:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-11-02 05:59 . 2012-12-12 02:26 478208 ----a-w- c:\windows\system32\dpnet.dll
2012-11-02 05:11 . 2012-12-12 02:26 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files (x86)\Swag_Bucks\prxtbSwag.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 21:54 175912 ----a-w- c:\program files (x86)\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
2011-01-17 21:54 175912 ----a-w- c:\program files (x86)\Swag_Bucks\prxtbSwag.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files (x86)\Swag_Bucks\prxtbSwag.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-24 39408]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-10-19 17875120]
"InstallIQUpdater"="c:\program files (x86)\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-06-22 2408448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-25 588648]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-06 195072]
"AdobeCS6ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
.
c:\users\Clark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
_uninst_.lnk - c:\users\Clark\AppData\Local\Temp\_uninst_.bat [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-10-19 160944]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2008-04-25 19968]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\6E3B.tmp [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NISx64\1008000.029\SYMNDISV.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-10 1255736]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1008030.006\SYMEFA64.SYS [2009-11-24 402992]
S1 BHDrvx64;Symantec Heuristics Driver;c:\windows\System32\Drivers\NISx64\1008030.006\BHDrvx64.sys [2010-01-20 334384]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NISx64\1008030.006\ccHPx64.sys [2011-10-11 561800]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100415.001\IDSvia64.sys [2009-10-28 466992]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-01-08 140672]
S2 Greg_Service;GRegService;c:\program files (x86)\eMachines\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [2011-09-22 117648]
S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [2009-07-04 240160]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-12 19:25]
.
2013-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 06:50]
.
2013-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 06:50]
.
2013-01-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-464309943-274483538-4150013216-1000Core.job
- c:\users\Clark\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-25 12:18]
.
2013-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-464309943-274483538-4150013216-1000UA.job
- c:\users\Clark\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-25 12:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-20 7981088]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uLocal Page = c:\windows\system32\blank.htm
mStart Page = [You must be registered and logged in to see this link.]
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local;
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\users\Clark\AppData\Roaming\Mozilla\Firefox\Profiles\0gxht7t9.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Norton Toolbar: {7BA52691-1876-45ce-9EE6-54BCB3B04BBC} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn
FF - Ext: Adobe Acrobat - Create PDF: [You must be registered and logged in to see this link.] - c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Toolbar-Locked - (no file)
WebBrowser-{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Kakuro Mania! 10,000 - c:\program files (x86)\Kakuro Mania! 10
AddRemove-Lexmark 2300 Series - c:\program files (x86) (x86)\Lexmark 2300 Series\Install\x64\Uninst.exe
AddRemove-{2FA94A64-C84E-49d1-97DD-7BF06C7BBFB2}.WildTangent Games App - c:\program files (x86)\WildTangent Games\App\Uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6E3B.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-464309943-274483538-4150013216-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.download\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariDownload"
.
[HKEY_USERS\S-1-5-21-464309943-274483538-4150013216-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-464309943-274483538-4150013216-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-464309943-274483538-4150013216-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.safariextz\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariExtension"
.
[HKEY_USERS\S-1-5-21-464309943-274483538-4150013216-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-464309943-274483538-4150013216-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-464309943-274483538-4150013216-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.webarchive\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-464309943-274483538-4150013216-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-464309943-274483538-4150013216-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-464309943-274483538-4150013216-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
**************************************************************************
.
Completion time: 2013-01-27 20:38:49 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-28 02:38
.
Pre-Run: 610,449,137,664 bytes free
Post-Run: 610,248,966,144 bytes free
.
- - End Of File - - D1F172A97BCC5E3F291EDA98F2484ADD

Celina268
Intermediate
Intermediate

Posts Posts : 175
Joined Joined : 2010-07-04
OS OS : Windows 7
Points Points : 26199
# Likes # Likes : 0

View user profile

Back to top Go down

Re: FBI virus

Post by Superdave on Mon Jan 28, 2013 6:50 pm

ConduitEngine is not a reputable program to have on your computer.

Please download [You must be registered and logged in to see this link.] and Save it to your desktop.

  • Double click it to start the tool. On Vista and Windows 7, run it as administrator.
  • Click Scan.
  • Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

************************************************

  • Download [You must be registered and logged in to see this link.] on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.


Superdave
Captain
Captain

Posts Posts : 4202
Joined Joined : 2010-02-01
Gender Gender : Male
OS OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection Protection : MSE, Windows Defender, Windows firewall
Points Points : 83181
# Likes # Likes : 0

View user profile

Back to top Go down

Re: FBI virus

Post by Celina268 on Mon Jan 28, 2013 7:10 pm

Rooter log:

Rooter.exe (v1.0.2) by Eric_71
.
The token does not have the SeDebugPrivilege privilege ! (error:1300)
Can not acquire SeDebugPrivilege !
Please run the tool as administrator ..

.
Windows 7 Home Edition (6.1.7601) Service Pack 1
[32_bits] - AMD64 Family 16 Model 6 Stepping 2, AuthenticAMD
.
Error OpenService (wscsvc) : 6
Error OpenSCManager : 5
Error OpenService (MpsSvc) : 6
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 9.0.8112.16421
Mozilla Firefox 3.6.27 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:686 Go - Free:568 Go )
D:\ [CD_Rom]
E:\ [Removable]
F:\ [Removable]
G:\ [Removable]
H:\ [Removable]
I:\ [Removable]
.
Scan : 13:08.55
Path : C:\Users\Clark\Desktop\Rooter.exe
User : Clark ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
Locked smss.exe (268)
Locked csrss.exe (400)
Locked wininit.exe (452)
Locked csrss.exe (488)
Locked services.exe (520)
Locked lsass.exe (536)
Locked lsm.exe (544)
Locked winlogon.exe (580)
Locked svchost.exe (704)
Locked nvvsvc.exe (764)
Locked svchost.exe (804)
Locked svchost.exe (868)
Locked svchost.exe (972)
Locked svchost.exe (1020)
Locked svchost.exe (316)
Locked svchost.exe (1064)
Locked nvvsvc.exe (1196)
Locked spoolsv.exe (1276)
Locked svchost.exe (1312)
Locked SASCORE64.EXE (1496)
Locked ACService.exe (1516)
Locked armsvc.exe (1540)
Locked AppleMobileDeviceService.exe (1584)
Locked mDNSResponder.exe (1628)
Locked GregHSRW.exe (1692)
Locked svchost.exe (1724)
Locked ccSvcHst.exe (1836)
Locked svchost.exe (1952)
Locked svchost.exe (2004)
Locked svchost.exe (2040)
______ ?????????? (1668)
Locked UpdaterService.exe (2176)
Locked svchost.exe (2200)
Locked nSvcAppFlt.exe (2452)
______ ?????????? (2544)
______ ?????????? (2572)
Locked nSvcIp.exe (2640)
Locked ccSvcHst.exe (2568)
______ ?????????? (3084)
Locked GoogleToolbarNotifier.exe (3100)
Locked svchost.exe (3164)
______ C:\Program Files (x86)\Skype\Phone\Skype.exe (3308)
______ C:\Program Files (x86)\W3i\InstallIQUpdater\InstallIQUpdater.exe (3624)
______ C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (3696)
Locked WUDFHost.exe (3828)
______ C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe (3960)
______ C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe (3304)
______ C:\Program Files (x86)\iTunes\iTunesHelper.exe (3484)
______ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (3500)
______ C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (3552)
Locked SearchIndexer.exe (3764)
______ C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe (4064)
______ C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (4040)
______ C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (4188)
______ C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe (4196)
Locked iPodService.exe (4228)
Locked wmpnetwk.exe (4400)
______ C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe (4656)
______ C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe (4876)
______ C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe (4952)
______ C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe (4372)
Locked WmiPrvSE.exe (3024)
______ C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe (3808)
Locked audiodg.exe (1904)
______ ?????????? (3744)
Locked taskeng.exe (6140)
Locked taskhost.exe (1472)
______ C:\Users\Clark\Desktop\Rooter.exe (4104)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:1048576 | Length:12884901888)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:12885950464 | Length:104857600)
\Device\Harddisk0\Partition3 (Start_Offset:12990808064 | Length:737163608064)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Adobe Flash Player Updater.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-464309943-274483538-4150013216-1000Core.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-464309943-274483538-4150013216-1000UA.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\Users\Clark\Desktop\Photoshop\cracks-2.zip
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 13:09.11
.
C:\Rooter$\Rooter_1.txt - (28/01/2013 | 13:09.11).c

Re: FBI virus

Post by Celina268 on Mon Jan 28, 2013 7:14 pm

RogueKiller Report:

RogueKiller V8.4.3 [Jan 27 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : [You must be registered and logged in to see this link.]
Website : [You must be registered and logged in to see this link.]
Blog : [You must be registered and logged in to see this link.]

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Clark [Admin rights]
Mode : Scan -- Date : 01/28/2013 13:12:35
| ARK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[STARTUP][SUSP PATH] _uninst_.lnk @Clark : C:\Users\Clark\AppData\Local\Temp\_uninst_.bat -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST375052 8AS SCSI Disk Device +++++
--- User ---
[MBR] e95f18f1561eb3fedef24d6888f5d05a
[BSP] e1e278320f9566088945d540093819e9 : Acer tatooed MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12288 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 25167872 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25372672 | Size: 703014 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Generic- Compact Flash USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive3: Generic- SD/MMC USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive4: Generic- MS/MS-Pro/HG USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_01282013_02d1312.txt >>
RKreport[1]_S_01282013_02d1312.txt


Re: FBI virus

Post by Celina268 on Mon Jan 28, 2013 7:15 pm

There are five things that were found with RogueKiller. Should I delete these things?

Re: FBI virus

Post by Celina268 on Mon Jan 28, 2013 7:20 pm

ConduitEngine is not a reputable program to have on your computer

I don't even know what that is.

Re: FBI virus

Post by Celina268 on Mon Jan 28, 2013 7:21 pm

I guess I didn't run the Rooter as an Admin. Here is the new log:

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 7 Home Edition (6.1.7601) Service Pack 1
[32_bits] - AMD64 Family 16 Model 6 Stepping 2, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 9.0.8112.16421
Mozilla Firefox 3.6.27 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:686 Go - Free:568 Go )
D:\ [CD_Rom]
E:\ [Removable]
F:\ [Removable]
G:\ [Removable]
H:\ [Removable]
I:\ [Removable]
.
Scan : 13:20.51
Path : C:\Users\Clark\Desktop\Rooter.exe
User : Clark ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ ?????????? (268)
______ ?????????? (400)
______ ?????????? (452)
______ ?????????? (488)
______ ?????????? (520)
______ ?????????? (536)
______ ?????????? (544)
______ ?????????? (580)
______ ?????????? (704)
______ ?????????? (764)
______ ?????????? (804)
______ ?????????? (868)
______ ?????????? (972)
______ ?????????? (1020)
______ ?????????? (316)
______ ?????????? (1064)
______ ?????????? (1196)
______ ?????????? (1276)
______ ?????????? (1312)
______ ?????????? (1496)
______ C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (1516)
______ C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (1540)
______ C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (1584)
______ ?????????? (1628)
______ C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe (1692)
______ C:\Windows\SysWOW64\svchost.exe (1724)
______ C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe (1836)
______ ?????????? (1952)
______ ?????????? (2004)
______ ?????????? (2040)
______ ?????????? (1668)
______ C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe (2176)
______ ?????????? (2200)
______ ?????????? (2452)
______ ?????????? (2544)
______ ?????????? (2572)
______ ?????????? (2640)
______ C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe (2568)
______ ?????????? (3084)
______ C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (3100)
______ ?????????? (3164)
______ C:\Program Files (x86)\Skype\Phone\Skype.exe (3308)
______ C:\Program Files (x86)\W3i\InstallIQUpdater\InstallIQUpdater.exe (3624)
______ C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (3696)
______ ?????????? (3828)
______ C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe (3960)
______ C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe (3304)
______ C:\Program Files (x86)\iTunes\iTunesHelper.exe (3484)
______ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (3500)
______ C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (3552)
______ ?????????? (3764)
______ C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe (4064)
______ C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (4040)
______ C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (4188)
______ C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe (4196)
______ ?????????? (4228)
______ ?????????? (4400)
______ C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe (4656)
______ C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe (4876)
______ C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe (4952)
______ C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe (4372)
______ C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe (3808)
______ C:\Users\Clark\Desktop\RogueKiller.exe (4212)
Locked audiodg.exe (4544)
______ ?????????? (1992)
______ ?????????? (984)
______ C:\Users\Clark\Desktop\Rooter.exe (4176)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:1048576 | Length:12884901888)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:12885950464 | Length:104857600)
\Device\Harddisk0\Partition3 (Start_Offset:12990808064 | Length:737163608064)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Adobe Flash Player Updater.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-464309943-274483538-4150013216-1000Core.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-464309943-274483538-4150013216-1000UA.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\Users\Clark\Desktop\Photoshop\cracks-2.zip
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 13:20.54
.
C:\Rooter$\Rooter_2.txt - (28/01/2013 | 13:20.54).c


Re: FBI virus

Post by Superdave on Mon Jan 28, 2013 11:21 pm

Your computer has keygens, which is a form of software piracy. What is so bad about Cracks, Hacks, Pirated software, warez, or Keygens?
C:\Users\Clark\Desktop\Photoshop\cracks-2.zip
==> Cracks & Keygens <==
Most popular cracks or keygens I see are for Adobe CS3, a lot of different games, Nero, Kaspersky antivirus, and much more. All of these cracks and keygens have what is called "cloaked malware," which is a form of spyware or viruses or trojans that hide themselves inside the keygen or crack files. Most hacks for games that come in the form of a program or installer will also be infected. It is the opportunity for attackers to present a seemingly safe situation where the opportunity to steal something is in play, while the malware infects your system in the process. Yes, it will install what you were looking for, but also allow malware to potentially take control of your computer.

Lastly, it is illegal. I will counsel you that we do not report such incidents. However, it is not good practice to pirate software.
************************************************
There are five things that were found with RogueKiller. Should I delete these things?
yes, please.
I don't even know what that is.
It's usually loaded when you download another program. That's one reason why it's not reputable.

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
[You must be registered and logged in to see this link.]

•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

•Check
•Click the button.
•Accept any security warnings from your browser.

  • Leave the check mark next to Remove found threats.

•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Superdave
Captain
Posts : 4202
Joined : 2010-02-01
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3
Protection : MSE, Windows Defender, Windows firewall
Points : 83181
# Likes : 0

Re: FBI virus

Post by Celina268 on Mon Jan 28, 2013 11:44 pm

We do have the Photoshop trial thing on our computer right now and our trial is set to expire in 6 days. It was a month long trial, could that be why it's a keygen attached to Photoshop? 'Cause I gotta tell you, I couldn't even use the flippen isoburner right! LOL! We got the trial right off the Photoshop website. We are actually going to buy the program. Now you got me thinking that maybe it's not such a good idea....


Re: FBI virus

Post by Celina268 on Tue Jan 29, 2013 2:15 am

C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-21-464309943-274483538-4150013216-1000\$8a464240e4dd03d2d33472ab5ca05a42\U\80000000.@.vir Win64/Sirefef.AW trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-21-464309943-274483538-4150013216-1000\$8a464240e4dd03d2d33472ab5ca05a42\U\800000cb.@.vir Win64/Sirefef.AH trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Clark\AppData\Roaming\ldr.mcb.vir a variant of Win32/Kryptik.ASZE trojan cleaned by deleting - quarantined
C:\Users\Clark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\6956f6af-34e20b8b Win32/PSW.Fareit.A trojan cleaned by deleting - quarantined


Re: FBI virus

Post by Superdave on Tue Jan 29, 2013 2:37 am

We do have the Photoshop trial thing on our computer right now and our trial is set to expire in 6 days. It was a month long trial, could that be why it's a keygen attached to Photoshop? 'Cause I gotta tell you, I couldn't even use the flippen isoburner right! LOL! We got the trial right off the Photoshop website. We are actually going to buy the program. Now you got me thinking that maybe it's not such a good idea....
I find it strange that a trial version would come with a keygenerator. I've been trying to learn PhotoShop for about 2 mos. and there are lots of instructions on YouTube but it is a very difficult program to learn. About the only lesson I've learned so far is how to make a person slim. lol.
How's the computer running now?


Re: FBI virus

Post by Celina268 on Tue Jan 29, 2013 2:56 am

It seems to be running fine. Much faster than it was too.

I find it strange that a trial version would come with a keygenerator

Me too. I didn't even know such things existed until you told me. As far as learning it, I am not very good and I am just using it for putting together collage type pictures for the end of season coach gifts. Nothing fancy. How do I get a keygen off my computer?


Re: FBI virus

Post by Celina268 on Tue Jan 29, 2013 6:02 am

I talked to my husband and the 'cracks' part of the cracks and keygens of the Photoshop log from Rooter was from a paintbrush app he downloaded as an extension to Photoshop. It literally gives the effect of cracks in walls of brick and such. Is that the same thing or is the 'cracks and keygens' a completely different thing?


Re: FBI virus

Post by Superdave on Tue Jan 29, 2013 7:45 pm

How do I get a keygen off my computer?
You will probably have to uninstall the program but if it expires in 6 days it will probably become unusable anyway. There are some really good, free photo editors/paint programs on line. I have Paint.net and it's almost as good as Photoshop.
Let's do some cleanup.

To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

*************************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.

Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.

This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space in the C drive.)
************************************************
Go to [You must be registered and logged in to see this link.] and get all critical updates.

----------

I suggest using [You must be registered and logged in to see this link.]. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

[You must be registered and logged in to see this link.]- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* [You must be registered and logged in to see this link.] from Spyware and Malware
* If you don't know what ActiveX controls are, see [You must be registered and logged in to see this link.]

Protect yourself against spyware using the Immunize feature in [You must be registered and logged in to see this link.] Guide: [You must be registered and logged in to see this link.] to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. [You must be registered and logged in to see this link.]

Check out [You must be registered and logged in to see this link.] for tips and free tools to help keep you safe in the future.

Also see [You must be registered and logged in to see this link.] for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!


Re: FBI virus

Post by Celina268 on Tue Jan 29, 2013 9:05 pm

I typed Combofix /unistall in the field and hit enter. Combofix ran and completed and I have another log report. I did not uninstall.


Re: FBI virus

Post by Superdave on Tue Jan 29, 2013 11:12 pm

Ok, use this.

Download this program and run it [You must be registered and logged in to see this link.] .It will remove ComboFix for you.

***********************************************
To set a new Restore Point.

Click the Start button, click Control Panel, click System and Maintenance, and then click System. In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation. To turn off System Protection for a hard disk, clear the check box next to the disk, and then click OK. Reboot to Normal Mode.
Click the Start button , click Control Panel, click System and Maintenance, and then click System.
In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
To turn on System Protection for a hard disk, select the check box next to the disk, and then click OK.
This will give you a new, clean Restore Point.

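The same System Protection reset (turn off, turn back on, create a fresh restore point) done from an elevated PowerShell prompt, as an added example that is not part of the thread; it assumes C:\ is the drive being cleaned and uses only the cmdlets that ship with Windows 7.

```powershell
# Added example, not from the thread: flush the old (possibly infected) restore
# points and create one clean restore point. Run from PowerShell started
# "as Administrator"; these cmdlets fail silently or error without elevation.
$drive = 'C:\'   # assumption: the system drive being cleaned (PQSERVICE is left alone)

# 1. Turning System Protection off deletes every existing restore point on the
#    drive. That is the point: malware can live on inside old restore points.
Disable-ComputerRestore -Drive $drive

# 2. Turn protection back on so new restore points can be created again.
Enable-ComputerRestore -Drive $drive

# 3. Create the new, clean restore point right away.
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType 'MODIFY_SETTINGS'

# 4. Check: only the restore point just created should be listed.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

If step 4 still lists older entries, System Protection was not actually turned off in step 1 (usually a missing elevation), and the old restore points should be treated as untrusted.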

Re: FBI virus

Post by Celina268 on Wed Jan 30, 2013 2:51 am

In my system protection tab I have a system restore button. A protection settings box that contains Available drives (C:) with protection on and PQSERVICE with protection off. Also, a button for configure restore settings, manage disk space, and delete restore points. And, lastly, a button for Create a new restore point right now for the drives that have system protection turned on.

I could not find a place where I was to turn off system protection for the hard disk.

