
FBI Lockdown Virus without safe mode


  • This topic is locked
148 replies to this topic

#121 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,136 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 09 April 2013 - 07:07 PM

Looks OK.  Please don't forget to answer this question:

 

When it's slow, press Ctrl-Shift-Esc...click the Process tab then the column header that says CPU to sort by CPU usage.  Scroll to see if any process has a CPU number higher than 05 and let me know which, if any, processes have that.  Do you hear the hard drive working?  Are the fans working hard?

 

 

-etavares



If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 



 


#122 Jeff Roberts

Jeff Roberts
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 10 April 2013 - 09:38 AM

The iexplore.exe is running at about 50 CPU when I am moving from one site to another on the internet.  I hear the hard drive working.  The fans don't appear to be working too hard.

 

Jeff



#123 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,136 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 10 April 2013 - 08:03 PM

Do you have another browser installed besides IE?  e.g. Chrome or Firefox?  Does it happen with those or just IE?



 


#124 Jeff Roberts

Jeff Roberts
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 12 April 2013 - 12:36 PM

I installed Firefox.  It is slow as well.  I didn't notice it before but System Idle Process is often at 99 cpu or between 50 and 99 on both Explorer and Firefox.

 

Jeff



#125 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,136 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 13 April 2013 - 06:05 AM

Hi Jeff,

 

System Idle Process is what it sounds like...just the spare capacity on the processor.  Higher is better.  :)  Bad that you're seeing the same issue with Firefox too.  What's interesting is that you said you upgraded to IE8, but your logs after that still show IE7.  Launch IE...press Alt-T then Help --> About Internet Explorer and tell me what version you have.  It will tell you in the window that pops up.

 

-etavares



 


#126 Jeff Roberts

Jeff Roberts
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 15 April 2013 - 01:51 PM

It says I am running IE 7.  I cannot open Firefox anymore - I don't know why. When I open IE my home page is MSN and it will not open.  I can go to other sites like Google, but it is very slow.  This keeps coming up from Malwarebytes - "Successfully blocked access to a potentially malicious website 207.232.2260  Type: outgoing."

 

Jeff



#127 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,136 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 AM

Posted 15 April 2013 - 07:37 PM

Hello, Jeff Roberts.
 
OK, time to start over a bit since you were unprotected for a bit.  I don't like that MBAM warning.
 
 
Step 1
 
  • Download TDSSKiller.exe  and save it to your desktop.  
  • Double-click TDSSKiller.exe to run it.
  • Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
  • Click Start scan and allow it to scan for Malicious objects.
  • If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
  • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
  • for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents of the logfile in your next reply
 
Step 2
 
Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
 
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
 
    [screenshot: Recovery Console installation prompt]
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
 
    [screenshot: ComboFix "What next?" prompt]
     
    Click on Yes, to continue scanning for malware.
     
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.
     
    Note:  After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion."  If you receive this error, please reboot and it should disappear.
     
    etavares


     


    #128 Jeff Roberts

    Jeff Roberts
    • Topic Starter

    • Members
    • 92 posts
    • OFFLINE
    •  
    • Local time:04:04 AM

    Posted 16 April 2013 - 01:09 PM

    I have run the scans.  Logs attached.  The computer is working much better.  I am not sure it is as fast as before but I can't be sure - it is a older machine.  After I send this reply I will do more on it.

     

    I have worked on the computer some more and it is still not working properly.  Some sites (like MSN and Bleeping Computer) will not open, and others are very slow to load.

     

    Ok - I just tried Firefox and it is working great! So Maybe part of the problem is fixed and now there is a problem with IE. Let me know if I should try to upgrade it to IE8.  

     

    Jeff

    Attached Files


    Edited by Jeff Roberts, 16 April 2013 - 01:41 PM.


    #129 etavares

    etavares

      Bleepin' Remover


    • Malware Response Instructor
    • 14,136 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:05:04 AM

    Posted 17 April 2013 - 07:26 PM

    Hello, Jeff Roberts.


    Step 1



    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open Notepad and copy/paste the text in the codebox below into Notepad:
    RegLock::
    [HKEY_USERS\S-1-5-21-823518204-1614895754-682003330-500\Software\Microsoft\Internet Explorer\Approved Extensions]
    Registry::
    [HKEY_USERS\S-1-5-21-823518204-1614895754-682003330-500\Software\Microsoft\Internet Explorer\Approved Extensions]
    "{F2D6C718-7E52-428E-8852-365C4B1A6E36}"=-
    Firefox::
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yek2rks4.default\
    FF - prefs.js: browser.startup.homepage - hxxp://isearch.fantastigames.com/465
    
    Save this as CFScript.txt, in the same location as ComboFix.exe


    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.



    Step 2
    • Please open Notepad.
    • Copy and paste the text in the box below into Notepad.
      @echo off
      (ipconfig /all
      nslookup msn.com
      ping -n 2 msn.com
      nslookup bleepingcomputer.com
      ping -n 2 bleepingcomputer.com
      route print) >Log1.txt
      start Log1.txt
      rem This fix is custom made for this user's computer.
    • Select File-->Save As
    • Select File as Type: All Types (*.*)
    • Save it to your desktop as fixme.bat
    • Right-click on fixme.bat on your desktop and select "Run As Administrator". If Windows asks, click YES to allow it to proceed.
    • A window will briefly pop up then close.
    • A log will open, please copy and paste it into your response.
    etavares


     


    #130 Jeff Roberts

    Jeff Roberts
    • Topic Starter

    • Members
    • 92 posts
    • OFFLINE
    •  
    • Local time:04:04 AM

    Posted 18 April 2013 - 09:31 AM

    Here you go.

     

    Jeff

    Attached Files



    #131 etavares

    etavares

      Bleepin' Remover


    • Malware Response Instructor
    • 14,136 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:05:04 AM

    Posted 20 April 2013 - 05:49 AM

    Hi Jeff Roberts-

    OK, the ping is being blocked. Let's try a local ping. It may be firewall settings.

    Follow the instructions in Step 2 in my previous post, except replace the script with this:

    @ECHO OFF
    ping 127.0.0.1 > Log2.txt
    start Log2.txt
    del %0
    
    and post the resulting log.


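    Added triage script, written for this thread and not from etavares or BleepingComputer: it collects in one log what the two batch files in posts #129 and #131 gather (loopback ping, DNS and ping for msn.com and bleepingcomputer.com, routes, adapters) and lists the IE Approved Extensions values and Firefox start page that the CFScript in post #129 targets, without changing anything. PowerShell 2.0+ and the log path are assumptions.

```powershell
# Added triage script (not from the thread). Read-only: it gathers evidence
# into one log so an analyst can compare before/after a fix. Log path assumed.
$LogPath      = Join-Path $env:USERPROFILE 'Desktop\triage-log.txt'
$Hosts        = @('msn.com', 'bleepingcomputer.com')               # hosts the thread tests
$SuspectClsid = '{F2D6C718-7E52-428E-8852-365C4B1A6E36}'          # CLSID from the CFScript
$ApprovedKey  = 'HKCU:\Software\Microsoft\Internet Explorer\Approved Extensions'
$report = @()

function Test-HostReach {
    # Resolve a name with the system resolver, then ping it twice; report both.
    param([string]$Name)
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
        $resolved = $addrs -join ', '
    } catch { $resolved = "DNS failure ($($_.Exception.Message))" }
    $ping = 'no reply'
    if (Test-Connection -ComputerName $Name -Count 2 -Quiet -ErrorAction SilentlyContinue) { $ping = 'reply' }
    "$Name -> [$resolved]; ping: $ping"
}

# 1. Loopback first: if 127.0.0.1 fails, the stack or a host firewall is at fault, not DNS.
$loop = 'NO reply'
if (Test-Connection -ComputerName 127.0.0.1 -Count 2 -Quiet) { $loop = 'reply' }
$report += "loopback 127.0.0.1: $loop"

# 2. Name resolution and reachability for the sites that would not load.
$report += $Hosts | ForEach-Object { Test-HostReach $_ }

# 3. Routing table and adapter/DNS configuration, as in the batch file.
$report += (route print | Out-String)
$report += (ipconfig /all | Out-String)

# 4. IE add-ons approved for this user; flag the CLSID the CFScript removes.
if (Test-Path $ApprovedKey) {
    foreach ($name in (Get-Item $ApprovedKey).GetValueNames()) {
        $flag = ''
        if ($name -ieq $SuspectClsid) { $flag = '   <-- CLSID removed by the CFScript' }
        $report += "IE approved extension: $name$flag"
    }
}

# 5. Firefox start page per profile (the CFScript resets a hijacked one).
$profiles = Get-ChildItem (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles') -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer }
foreach ($p in $profiles) {
    $hit = Select-String -Path (Join-Path $p.FullName 'prefs.js') -Pattern 'browser\.startup\.homepage' -ErrorAction SilentlyContinue
    if ($hit) { $report += "$($p.Name): $(($hit | Select-Object -First 1).Line)" }
    else      { $report += "$($p.Name): homepage not set (default)" }
}

$report | Out-File -FilePath $LogPath -Encoding ASCII
Start-Process notepad.exe -ArgumentList $LogPath   # open the log, as the batch files did
```

    A homepage line pointing at a search redirector, or a ping that fails only for remote hosts while loopback replies, points the same way the thread's own reasoning did: a browser hijack plus a firewall rule rather than a DNS fault.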
     


    #132 Jeff Roberts

    Jeff Roberts
    • Topic Starter

    • Members
    • 92 posts
    • OFFLINE
    •  
    • Local time:04:04 AM

    Posted 22 April 2013 - 09:59 AM

    Here you go.

     

    Jeff

    Attached Files

    • Attached File  Log2.txt   443bytes   1 downloads


    #133 etavares

    etavares

      Bleepin' Remover


    • Malware Response Instructor
    • 14,136 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:05:04 AM

    Posted 22 April 2013 - 07:10 PM

    OK, temporarily disable Norton's firewall:

    1. Right-click the Norton icon by the clock.
    2. Select Disable Smart Firewall
    3. Set it for 5 minutes or so for the duration.
    4. Click OK.
    5. Try to access bleepingcomputer.com and msn.com during that 5 minutes.  Are you able to connect OK or do you still have the same issue?

    -etavares



     


    #134 Jeff Roberts

    Jeff Roberts
    • Topic Starter

    • Members
    • 92 posts
    • OFFLINE
    •  
    • Local time:04:04 AM

    Posted 24 April 2013 - 02:25 PM

    I cannot access Bleeping computer with  IE. It says a non responsive script is running and a security warning keeps popping up.  I can access it with Firefox. IE also seems very slow and unresponsive.

     

    I will be traveling till Monday May 29.

     

    Thanks,

     

    Jeff



    #135 etavares

    etavares

      Bleepin' Remover


    • Malware Response Instructor
    • 14,136 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:05:04 AM

    Posted 24 April 2013 - 07:48 PM

    How is it in Firefox, does it load quick?  If so, that's helpful to narrow down to one browser.  And thanks for the heads up re: Travel.



     




