Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


need advice then maybe help

  • This topic is locked This topic is locked
2 replies to this topic

#1 ithinkmycpuismestup


  • Members
  • 1 posts
  • Local time:02:29 PM

Posted 27 March 2011 - 06:19 AM

Hello! I'm probably doing thing wrong but of well I need your help! my computer was running kind of strange after downloading some bit torrent files. I thought to myself Oh crap what have I done. so I scaned wit my AV and it came up blank. I thought that I was just imagining it but my gut told me differnt. so I poked around for a little bit trying to see if anything was differnt and I came across this

FBI StartUp at ->Tue Feb 23 14:38:28 2010<- aka ->1266964708
This should be the first start of FBI - 1.60.31
SM v1.60.31
[14:38:29.519] Notice: FBIDMLOG.DLL loaded DMVIEWER.DLL
Log started on Tue Feb 23 14:38:29 2010
[14:38:29.784] Unable to open file ->C:\SYSTEM.SAV\FBI\CUSTOM.INI -- Error #2 -- switching to A:\AUTOTEST.INI
[14:38:29.784] attempting to merge autotest.ini file defined as ->C:\SYSTEM.SAV\FBI\AUTOTEST.INI
[14:38:29.784] Unable to open file ->C:\SYSTEM.SAV\FBI\AUTOTEST.INI -- Error #2 -- switching to A:\AUTOTEST.INI
[14:38:29.784] defaulting to attempt to open file ->A:\AUTOTEST.INI
[14:38:29.784] Unable to open file ->A:\AUTOTEST.INI -- Error #3
[14:38:29.894] FBI is starting in Retail mode
[14:38:29.894] FBI was unable to find SMBIOS. Trying WMI.
[14:38:30.128] Successfully raised privileges to allow FBI to restart/shutdown machine
[14:38:30.128] Loading Internal FBI Toolbox functions
[14:38:30.221] LoadFBIKB_NT - FBIKB_NT.SYS load Successful
[14:38:30.221] ...MOSProc module detected
[14:38:30.221] ...MOSProc still appears to be processing
[14:38:30.221] Loading Internal FBI Script functions
[14:38:30.284] FBIDATE.DLL did not load
[14:38:30.284] Done Loading FBI Environment
[14:38:31.376] AllowSetForegroundWindow succeded
[14:38:31.500] LockSetForegroundWindow succeded - LOCKED
[14:38:33.450] No Startup Delay defined
[14:38:33.450] Task Manager thread is starting, current section is ->
[14:38:33.450] No delay defined...
[14:38:33.575] Task Manager thread is starting, current section is ->FBI.Init.General
[14:38:33.575] No delay defined...
[14:38:33.575] Processing ->CMD1 ->CheckMachine
[14:38:33.575] Processing ->CMD2 ->SetVar(UIA,ErrorCode,940)
[14:38:33.575] Processing ->CMD3 ->WriteUIAErrorCode
[14:38:33.575] attempting to open: '\\.\PHYSICALDRIVE0'
[14:38:33.575] successfully opened: '\\.\PHYSICALDRIVE0' -- as FixedMedia
[14:38:33.575] successfully closed hard drive
[14:38:33.575] attempting to open: '\\.\PHYSICALDRIVE0'
[14:38:33.575] successfully opened: '\\.\PHYSICALDRIVE0' -- as FixedMedia
[14:38:33.606] successfully closed hard drive
[14:38:33.606] Processing ->CMD4 ->C:\System.sav\Scripts\Chk_Dev.BTO
[14:38:33.606] WARNING-=-Path not found - c:\system.sav\scripts\chk_dev.bto
[14:38:33.606] WARNING-=- ProcessBTO(c:\system.sav\scripts\chk_dev.bto) 2-The system cannot find the file specified.
[14:38:33.606] Processing ->CMD5 ->SetVar(FBITB.ProcessTools,ErrorFlagPath,C:\CTOERROR.FLG)
[14:38:33.606] Processing ->CMD6 ->CheckForErrorFlag
[14:38:33.606] Processing ->CMD7 ->SetVar(FbiData,ProcessState,InMiniWindows)
[14:38:33.606] Processing ->CMD8 ->CheckForOsTransit
[14:38:33.606] Processing ->CMD9 ->SetVar(FBIData,BTOName,C:\appl.zip\FixUps)
[14:38:33.606] Processing ->CMD10 ->ProcessBTOName
[14:38:33.653] c:\appl.zip\fixups
[14:38:33.669] c:\appl.zip\fixups\AddProcIgnList.bto
[14:38:33.700] @REM Add to the ignored process list including those run early during WinPE
[14:38:33.700] @REM This file is copied to c:\appl.zip\cleanup.lp as well
[14:38:33.700] @AddToIgnoreList csrss.exe
[14:38:33.700] @AddToIgnoreList DBMON2.EXE
[14:38:33.700] @AddToIgnoreList EXPLORER.EXE
[14:38:33.700] @AddToIgnoreList FBIGUI.exe
[14:38:33.700] @AddToIgnoreList FBISM.exe
[14:38:33.700] @AddToIgnoreList lsass.exe
[14:38:33.700] @AddToIgnoreList lsm.exe
[14:38:33.700] @AddToIgnoreList services.exe
[14:38:33.700] @AddToIgnoreList smss.exe
[14:38:33.700] @AddToIgnoreList svchost.exe
[14:38:33.700] @AddToIgnoreList wininit.exe
[14:38:33.700] @AddToIgnoreList winlogon.exe
[14:38:33.700] @AddToIgnoreList winpeshl.exe
[14:38:33.700] @AddToIgnoreList WmiPrvSE.exe
[14:38:33.700] @AddToIgnoreList audit.exe
[14:38:33.700] @AddToIgnoreList audiodg.exe
[14:38:33.700] @AddToIgnoreList conime.exe
[14:38:33.700] @AddToIgnoreList dfsr.exe
[14:38:33.700] @AddToIgnoreList dwm.exe
[14:38:33.700] @AddToIgnoreList idwlog.exe
[14:38:33.700] @AddToIgnoreList issch.exe
[14:38:33.700] @AddToIgnoreList licenseui.exe
[14:38:33.700] @AddToIgnoreList LogonUI.exe
[14:38:33.700] @AddToIgnoreList MSASCui.exe
[14:38:33.700] @AddToIgnoreList mscorsvw.exe
[14:38:33.700] @AddToIgnoreList MSIEXEC.exe
[14:38:33.700] @AddToIgnoreList mssdmn.exe
[14:38:33.700] @AddToIgnoreList mssearch.exe
[14:38:33.700] @AddToIgnoreList mssfh.exe
[14:38:33.700] @AddToIgnoreList rundll32.exe
[14:38:33.700] @AddToIgnoreList runonce.exe
[14:38:33.700] @AddToIgnoreList SearchFilterHost.exe
[14:38:33.700] @AddToIgnoreList SearchIndexer.exe
[14:38:33.700] @AddToIgnoreList SearchProtocolHost.exe
[14:38:33.700] @AddToIgnoreList setupugc.exe
[14:38:33.700] @AddToIgnoreList sidebar.exe
[14:38:33.700] @AddToIgnoreList SLsvc.exe
[14:38:33.700] @AddToIgnoreList spoolsv.exe
[14:38:33.700] @AddToIgnoreList taskeng.exe
[14:38:33.700] @AddToIgnoreList TrustedInstaller.exe
[14:38:33.700] @AddToIgnoreList vds.exe
[14:38:33.700] @AddToIgnoreList vssvc.exe
[14:38:33.700] @REM @AddToIgnoreList wercon.exe
[14:38:33.700] @REM @AddToIgnoreList werfault.exe
[14:38:33.700] @REM @AddToIgnoreList wermgr.exe
[14:38:33.700] @AddToIgnoreList wmiadap.exe
[14:38:33.700] @AddToIgnoreList wmiapsrv.exe
[14:38:33.700] @AddToIgnoreList wpabaln.exe
[14:38:33.700] @AddToIgnoreList wpeinit.exe
[14:38:33.700] @AddToIgnoreList wuauclt.exe
[14:38:33.700] @AddToIgnoreList WUDFHost.exe
[14:38:33.700] @REM Adding for Vista SP1
[14:38:33.700] @AddToIgnoreList logon.scr
[14:38:33.700] @AddToIgnoreList wsqmcons.exe
[14:38:33.700] @AddToIgnoreList schtasks.exe
[14:38:33.700] @AddToIgnoreList Bthudtask.exe
[14:38:33.700] @AddToIgnoreList ehPrivJob.exe
[14:38:33.700] @REM Added for Sept 2008 refresh
[14:38:33.700] @AddToIgnoreList msdtc.exe
[14:38:33.700] @AddToIgnoreList sqlwriter.exe
[14:38:33.700] @AddToIgnoreList sqlservr.exe
[14:38:33.700] @AddToIgnoreList dllhost.exe
[14:38:33.700] @AddToIgnoreList wlanext.exe
[14:38:33.700] @REM Credential Manager had a typo.
[14:38:33.700] @AddToIgnoreList scardsvr.exe
[14:38:33.700] @REM Added for Windows 7
[14:38:33.700] @AddToIgnoreList PresentationFontCache.exe
[14:38:33.700] @AddToIgnoreList TaskHost.exe
[14:38:33.700] @AddToIgnoreList ConHost.exe
[14:38:33.700] @AddToIgnoreList SPPSVC.exe
[14:38:33.700] @AddToIgnoreList MPCMDRUN.EXE
[14:38:33.700] @AddToIgnoreList taskmgr.exe
[14:38:33.700] @REM Added for Windows 7 on 9/21/09
[14:38:33.700] @AddToIgnoreList ac.sharedstore.exe
[14:38:33.700] @AddToIgnoreList agrsmsvc.exe
[14:38:33.700] @AddToIgnoreList AERTSr64.exe
[14:38:33.700] @AddToIgnoreList AERTSrv.exe
[14:38:33.700] @AddToIgnoreList atieclxx.exe
[14:38:33.700] @AddToIgnoreList atiesrxx.exe
[14:38:33.700] @AddToIgnoreList BluetoothHeadsetProxy.exe
[14:38:33.700] @AddToIgnoreList coreshredder.exe
[14:38:33.700] @AddToIgnoreList ctfmon.exe
[14:38:33.700] @AddToIgnoreList dinotify.exe
[14:38:33.700] @AddToIgnoreList DVDAgent.exe
[14:38:33.700] @AddToIgnoreList HpFkCrypt.exe
[14:38:33.700] @AddToIgnoreList HPFSService.exe
[14:38:33.700] @AddToIgnoreList igfxpers.exe
[14:38:33.700] @AddToIgnoreList LSSrvc.exe
[14:38:33.700] @AddToIgnoreList McShield.exe
[14:38:33.700] @AddToIgnoreList nvsvc32.exe
[14:38:33.700] @AddToIgnoreList nvvsvc.exe
[14:38:33.700] @AddToIgnoreList SbHpAuthenticatorService.exe
[14:38:33.716] @AddToIgnoreList TabTip.exe
[14:38:33.716] @AddToIgnoreList TabTip32.exe
[14:38:33.716] @AddToIgnoreList wisptis.exe
[14:38:33.716] @REM Added for Windows 7 on 10/7/09
[14:38:33.716] @AddToIgnoreList InputPersonalization.exe
[14:38:33.716] @AddToIgnoreList notepad.exe
[14:38:33.716] @REM Added for Windows 7 on 1/17/10
[14:38:33.716] @AddToIgnoreList CTAudSvc.exe
[14:38:33.716] @AddtoIgnoreList hpwuschd2.exe
[14:38:33.716] @AddtoIgnoreList hpqWmiEx.exe
[14:38:33.716] @AddtoIgnoreList HPHC_Service.exe
[14:38:33.716] @AddtoIgnoreList HP_Remote_Solution.exe
[14:38:33.716] @AddtoIgnoreList btwdins.exe
[14:38:33.716] @AddtoIgnoreList BTTray.exe
[14:38:33.716] @AddtoIgnoreList BTStackServer.exe
[14:38:33.716] @REM Added for Windows 7 on 1/25/10
[14:38:33.716] @REM From c:\SWSETUP\APP\Applications\Chicony\Atlas\1430\install.cmd
[14:38:33.716] @AddtoIgnoreList CNYHKEY.exe
[14:38:33.716] @AddtoIgnoreList ModLEDKey.exe
[14:38:33.716] @AddtoIgnoreList BATINDICATOR.exe
[14:38:33.716] c:\appl.zip\fixups\CreateBypassesIfPersonalML.bto
[14:38:33.716] cmd.exe /c c:\appl.zip\tweaks\CreateBypassesIfPersonalML.cmd >> c:\system.sav\logs\CreateBypasses.txt 2>> c:\system.sav\logs\CreateBypasses.txt
[14:38:36.274] @IFNOTFILE(c:\system.sav\flags\RTM_ML.flg)
[14:38:36.274] Lines will be executed
[14:38:36.274] @SETVAR(MiniDiags,NoError,1)
[14:38:36.274] @SETVAR(Configuration,CDC_Bypass,TRUE)
[14:38:36.274] @ENDIF
[14:38:36.274] c:\appl.zip\fixups\DGPatches.bto
[14:38:36.274] @REM -----------------------------------------------------------------------
[14:38:36.274] @REM Start DGPatches.bto
[14:38:36.274] @REM -----------------------------------------------------------------------
[14:38:36.274] Lines will be skipped
[14:38:36.274] @ENDIF
[14:38:36.274] cmd.exe /c c:\appl.zip\tweaks\GetOSEdition.cmd >> c:\system.sav\logs\GetOSEdition.txt 2>&1
[14:38:38.255] @IFFILE(c:\SYSTEM.SAV\FLAGS\MissingOSEdition.flg)
[14:38:38.255] Lines will be skipped
[14:38:38.255] @ENDIF
[14:38:38.255] @REM cmd.exe /c C:\APPL.ZIP\Tweaks\SystemSavACL.cmd >> c:\SystemSavACL.txt 2>> c:\SystemSavACL.err
[14:38:38.255] @REM @MKDIR C:\SYSTEM.SAV\LOGS
[14:38:38.255] @REM @MOVE c:\SystemSavACL.txt c:\system.sav\logs\SystemSavACL.txt
[14:38:38.255] @REM @MOVE c:\SystemSavACL.err c:\system.sav\logs\SystemSavACL.err
[14:38:38.255] @REM @ENDIF
[14:38:38.255] Lines will be skipped
[14:38:38.255] @ENDIF
[14:38:38.255] @COPY c:\appl.zip\fixups\AddProcIgnList.don c:\appl.zip\fixups\AddProcIgnList.bto
[14:38:38.255] @COPY c:\appl.zip\fixups\AddProcIgnList.bto c:\appl.zip\fixups\AddProcIgnList.don
[14:38:38.255] @COPY c:\appl.zip\fixups\AddProcIgnList.bto c:\system.sav\cleanup.lp\AddProcIgnList.bto
[14:38:38.286] @IFFILE(C:\system.sav\scripts\Strings.BTO)
[14:38:38.286] Lines will be executed
[14:38:38.286] @ERASE C:\system.sav\scripts\Strings.BTO
[14:38:38.286] @ENDIF
[14:38:38.286] @IFFILE(C:\windows\setup\scripts\setupcomplete.cmd)
[14:38:38.286] Lines will be skipped
[14:38:38.286] @ENDIF
[14:38:38.286] @COPY c:\appl.zip\Tweaks\bootldr.bto c:\system.sav\scripts\bootldr.bto
[14:38:38.302] @COPY c:\appl.zip\Tweaks\tweaks_mbr.bto c:\system.sav\scripts\tweaks_mbr.bto
[14:38:38.349] @IFFILE(C:\SYSTEM.SAV\FLAGS\OSSKU\OS_Bitness\W732)
[14:38:38.349] Lines will be skipped
[14:38:38.349] @ELSE
[14:38:38.349] @IFFILE(C:\SYSTEM.SAV\FLAGS\OSSKU\OS_Bitness\W764)
[14:38:38.364] Lines will be executed
[14:38:38.364] cmd.exe /c echo W764 > C:\SYSTEM.SAV\FLAGS\WIN7FBI.flg
[14:38:40.018] @ENDIF
[14:38:40.018] @ENDIF
[14:38:40.018] @REM Move the CVA files from the build partition to the user partition.
[14:38:40.018] @REM Delete the \SWSetup directory only if just CVA files are present.
[14:38:40.018] @REM For some reason, the CMD-shell does not like to run the next two lines together...
[14:38:40.018] cmd.exe /c copy /y z:\swsetup\sw_ver\*.cva c:\swsetup\sw_ver
[14:38:42.296] cmd.exe /c erase /f /q z:\swsetup\sw_ver\*.cva & rmdir z:\swsetup\sw_ver & rmdir z:\swsetup
[14:38:44.261] Lines will be executed
[14:38:44.261] @ENDIF
[14:38:44.261] @REM -----------------------------------------------------------------------
[14:38:44.261] @REM End DGPatches.bto
[14:38:44.261] @REM -----------------------------------------------------------------------
[14:38:44.261] c:\appl.zip\fixups\FBILogLevel2.BTO
[14:38:44.308] @IFNOTFILE(c:\global\system.sav\autotest_app)
[14:38:44.308] Lines will be skipped
[14:38:44.308] @ENDIF
[14:38:44.308] c:\appl.zip\fixups\FBI_Debug_Mode.BTO
[14:38:44.308] @REM ==================================================================
[14:38:44.308] @REM This BTO will put FBI in debug mode during the unbundel process.
[14:38:44.308] @REM
[14:38:44.308] @REM Copyright 2006 Hewlett-Packard Development Company, L.P.
[14:38:44.308] @REM ==================================================================
[14:38:44.308] @REM
[14:38:44.308] @REM ==================================================================
[14:38:44.308] @REM Update the FBIData section of STATE.INI file.
[14:38:44.308] @REM ==================================================================
[14:38:44.308] @REM
[14:38:44.308] @SetVar(EditAppendLine,String1,[FBIData])
[14:38:44.308] @SetVar(EditAppendLine,String2,SafeSuspend=1)
[14:38:44.308] @EditAppendLine(C:\System.Sav\FBI\CIA.ini)
[14:38:44.308] WARNING-=-Aborting BTO Command
[14:38:44.308] WARNING-=-Unable to open file ->C:\System.Sav\FBI\CIA.ini
[14:38:44.308] CmdEditFile() - Exiting
[14:38:44.308] @SetVar(EditAppendLine,String2,OverRide=1)
[14:38:44.308] @EditAppendLine(C:\System.Sav\FBI\CIA.ini)
[14:38:44.308] WARNING-=-Aborting BTO Command
[14:38:44.308] WARNING-=-Unable to open file ->C:\System.Sav\FBI\CIA.ini
[14:38:44.308] CmdEditFile() - Exiting
[14:38:44.308] @REM ==================================================================
[14:38:44.308] @REM Create and update the FBIDebug section of STATE.INI file.
[14:38:44.308] @REM ==================================================================
[14:38:44.308] @REM
[14:38:44.308] @INIWrite(FBIDebug,DebugMode,1,C:\System.Sav\FBI\State.ini)
[14:38:44.308] @INIWrite(FBIDebug,LogLevel,1,C:\System.Sav\FBI\State.ini)
[14:38:44.324] @REM
[14:38:44.324] @REM -- End of FBI_Debug_Mode.BTO file.
[14:38:44.324] @REM
[14:38:44.324] c:\appl.zip\fixups\infobomgen.bto
[14:38:44.355] @REM -------------------------------------------
[14:38:44.355] @REM Copyright 2006 Hewlett-Packard Company.
[14:38:44.355] @REM ===========================================
[14:38:44.355] @IFFILE (C:\SYSTEM.SAV\CPQDL.INI)
[14:38:44.355] Lines will be executed
[14:38:53.200] @ENDIF
[14:38:53.200] c:\appl.zip\fixups\LangPacks.bto

the whole file is attached here! I don't think it is infected itself. I be leave it is a log file that was supposed toe be erased but wasn't
it wont let me up load cuz it's 360 pages long. I don't knot much about this kind of stuff but was in awe as I scrolled through it. if anyone would like to help me or just see whats it is please contact me. i really need some help here!!!!

Can you help me to find out what this is and what I can do? I've used my computer for online banking , mutual funds etc. I need to know if I have to worry for real

BC AdBot (Login to Remove)


#2 rigacci



  • Members
  • 2,604 posts
  • Gender:Male
  • Local time:05:29 PM

Posted 02 April 2011 - 07:49 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



#3 Casey_boy


    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK
  • Local time:09:29 PM

Posted 07 April 2011 - 10:12 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.

* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users