FBI malware


  • This topic is locked
40 replies to this topic

#1 BCord (Members, 32 posts)

Posted 03 July 2012 - 01:52 AM

Thanks in advance for your assistance.

When I went online today my Windows 7 PC was greeted by a fake FBI letter and request for $100 to fix the problem. I see that this is a new problem. Hopefully you have a solution. I have been unsuccessful using MBAM (it saw nothing) as did MSE. (I also run SuperAntiSpyware but have not tried that as yet.)

I attempted to run DDS but the notepad window filled with garbage. The only text that is readable says "this program cannot be run in DOS mode." I attempted to attach this file but was told this type of file is not allowed to be attached. Huh??? I can provide this file, if it is worth anything to you.

Also I attempted to attach the GMER file but was told it was "too big to upload." However, "Services," "Registry" and "Files" were the only boxes that could be checked. All other boxes were grayed out. I can provide this file if you can tell me how to send it.

Please advise! Thanks.

Edited by BCord, 03 July 2012 - 11:59 PM.




#2 Maurice Naggar (Malware Response Team, 1,088 posts)

Posted 05 July 2012 - 07:43 AM

Hello BCord,

Please follow my guidance.
Restart the pc and tap F8 function key as it starts so that you can select and get into Safe Mode with Networking.

Step 1
1. Open Internet Explorer.
2. Click "Tools," and then click "Internet Options."
3. Click "Connections," and then click "LAN Settings."
4. Make sure the check boxes for "Automatically detect settings" and "Use automatic configuration script" are not selected. Make sure Proxy server block is all un-checked.
5. Apply changes & OK

Step 2
  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
Please always Copy and Paste the logs/reports into main-body of reply box. IF and Only IF the report is too large in size, then use the Attach This File method.



~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
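What Step 1 above changes on disk, as an added example that is not part of Maurice's instructions or of any tool used in this thread: the three LAN Settings check boxes are bits in the `flags` DWORD of the WinINet `DefaultConnectionSettings` value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections`, mirrored by the simpler `ProxyEnable`, `ProxyServer` and `AutoConfigURL` values one key up. The Python below builds a constructed blob for a hijacked state, reports which boxes are ticked, and produces the blob equivalent to unchecking all of them. The bit values are the documented INTERNET_PER_CONN_FLAGS constants; the byte layout (version, counter, flags, three length-prefixed strings, 32 zero bytes) is stated here as an assumption to verify against a live export. The proxy address and PAC URL are made up.

```python
"""Parse and build the WinINet DefaultConnectionSettings blob (added example)."""
import struct

# INTERNET_PER_CONN_FLAGS bit values (documented WinINet constants)
PROXY_TYPE_DIRECT = 0x01          # always set; "no proxy" when alone
PROXY_TYPE_PROXY = 0x02           # "Use a proxy server for your LAN"
PROXY_TYPE_AUTO_PROXY_URL = 0x04  # "Use automatic configuration script" (PAC)
PROXY_TYPE_AUTO_DETECT = 0x08     # "Automatically detect settings" (WPAD)


def _take_string(blob, off):
    """Read a DWORD length followed by that many ASCII bytes."""
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    return blob[off:off + n].decode("ascii", "replace"), off + n


def parse_connection_settings(blob):
    """Decode the blob into a dict of the three check boxes and their strings.
    Layout assumed: version, counter, flags, proxy, bypass list, PAC URL, padding."""
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    off = 12
    proxy, off = _take_string(blob, off)
    bypass, off = _take_string(blob, off)
    pac_url, off = _take_string(blob, off)
    return {
        "version": version, "counter": counter, "flags": flags,
        "auto_detect": bool(flags & PROXY_TYPE_AUTO_DETECT),
        "auto_config_script": bool(flags & PROXY_TYPE_AUTO_PROXY_URL),
        "proxy_enabled": bool(flags & PROXY_TYPE_PROXY),
        "proxy_server": proxy, "bypass_list": bypass, "pac_url": pac_url,
    }


def build_connection_settings(flags, proxy="", bypass="", pac_url="", counter=1):
    """Inverse of parse_connection_settings; version 0x46 is what Win7 writes."""
    body = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy, bypass, pac_url):
        b = s.encode("ascii")
        body += struct.pack("<I", len(b)) + b
    return body + b"\x00" * 32


def proxy_findings(settings):
    """One line per ticked box; an empty list means the dialog is fully unchecked."""
    findings = []
    if settings["auto_detect"]:
        findings.append("Automatically detect settings is ON (WPAD lets the LAN choose the proxy)")
    if settings["auto_config_script"]:
        findings.append("Automatic configuration script is ON: " + settings["pac_url"])
    if settings["proxy_enabled"]:
        findings.append("Proxy server is ON: " + settings["proxy_server"])
    return findings


def clean_settings(settings):
    """Blob equivalent to unchecking every box: only the DIRECT bit survives.
    The counter is bumped as Windows does on each change."""
    return build_connection_settings(PROXY_TYPE_DIRECT, counter=settings["counter"] + 1)


# Constructed sample of a hijacked state: local proxy plus a PAC script (made-up values).
HIJACKED = build_connection_settings(
    PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY | PROXY_TYPE_AUTO_PROXY_URL,
    proxy="127.0.0.1:8080", bypass="<local>",
    pac_url="http://example.invalid/proxy.pac")

if __name__ == "__main__":
    s = parse_connection_settings(HIJACKED)
    for f in proxy_findings(s):
        print("!!", f)
    print("after reset:", proxy_findings(parse_connection_settings(clean_settings(s))))
```

The PAC bit deserves the attention the instruction gives it: a configuration script can route only selected hosts (for example security vendors' update servers) through the attacker while everything else behaves normally, so a clean-looking "Proxy server" field proves nothing on its own, which is why all three boxes get cleared.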

#3 BCord (Topic Starter, 32 posts)

Posted 05 July 2012 - 12:38 PM

Thanks for your assistance "EdM"!!!
Here is the report:
RogueKiller V7.6.2 [07/02/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User: william [Admin rights]
Mode: Scan -- Date: 07/05/2012 12:36:49

Bad processes: 0

Registry Entries: 6
[SUSP PATH] ctfmon.lnk @william : C:\Windows\System32\rundll32.exe|C:\Users\william\AppData\Local\Temp\0_0u_l.exe -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver: [NOT LOADED]

Infection :

HOSTS File:


MBR Check:

+++++ PhysicalDrive0: WDC WD1001FAES-75W7A0 +++++
--- User ---
[MBR] aa718779635368455eab6cd64ba34b8f
[BSP] 2443d7138d44605c205800f5c869ff21 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 12542 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25767936 | Size: 941286 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
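Reading this report, as an added note with example code that is neither RogueKiller's nor from the thread: the `[SUSP PATH]` line is the significant one. `ctfmon.lnk` is a shortcut in the user's Startup folder (the `@william` suffix), named after the legitimate Windows text-services process, whose target is the signed `rundll32.exe` with a file in `AppData\Local\Temp` as its argument; a startup item of that shape launches an attacker-supplied file at every logon without registering a binary of its own. The `[HJ]` lines are Explorer Start Menu and desktop-icon toggles (`{20D04FE0-...}` is the Computer icon CLSID, `{59031a47-...}` the user's-files icon, `Start_ShowMyGames` the Games entry); RogueKiller flags them because lock-screen families often hide them, but they are also ordinary user preferences. The Python below parses the `Registry Entries` block and ranks each line with heuristics that are this example's own, not RogueKiller's rules (the host-binary and user-writable-folder lists are assumptions), using the six lines from the report above as sample input.

```python
"""Triage the 'Registry Entries' block of a RogueKiller report (added example)."""
import re
from dataclasses import dataclass

# [TAG] name : value -> STATUS
RK_LINE = re.compile(r"^\[(?P<tag>[A-Z ]+)\] (?P<name>.+?) : (?P<value>.+?) -> (?P<status>\w+)$")

# Signed Windows binaries commonly used to load an attacker-supplied file (assumed list).
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Folders a standard user can write to; legitimate startup items rarely run from them (assumed list).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\appdata\local",
                 r"\windows\temp", r"\programdata")


@dataclass
class Finding:
    tag: str
    name: str
    value: str
    status: str
    severity: str
    reason: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(tag, value):
    """Return (severity, reason) for one report line."""
    if tag == "SUSP PATH":
        # RogueKiller writes startup items as target|argument
        target, _, args = value.partition("|")
        if basename(target) in HOST_BINARIES and any(d in args.lower() for d in USER_WRITABLE):
            return "high", f"{basename(target)} loads {args} from a user-writable folder"
        if any(d in value.lower() for d in USER_WRITABLE):
            return "medium", "startup item runs from a user-writable folder"
        return "low", "unusual path"
    if tag == "HJ":
        return "info", "Explorer/Start Menu setting changed (often a user choice; verify before deleting)"
    return "info", "unclassified"


def parse_report(text):
    """Parse every [TAG] line in the text; lines that do not match are ignored."""
    findings = []
    for line in text.splitlines():
        m = RK_LINE.match(line.strip())
        if not m:
            continue
        sev, why = classify(m["tag"], m["value"])
        findings.append(Finding(m["tag"], m["name"], m["value"], m["status"], sev, why))
    return findings


# Sample input: the Registry Entries block from the report posted above.
SAMPLE_REPORT = r"""
Registry Entries: 6
[SUSP PATH] ctfmon.lnk @william : C:\Windows\System32\rundll32.exe|C:\Users\william\AppData\Local\Temp\0_0u_l.exe -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
"""

if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        print(f"{f.severity:6} [{f.tag}] {f.name}: {f.reason}")
```

One caveat for anyone cleaning this by hand: deleting only the Temp file while leaving the `.lnk` in the Startup folder produces a RunDLL "specified module could not be found" error at the next logon. That error is harmless, but it means the startup entry itself still has to go.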

#4 Maurice Naggar (Malware Response Team, 1,088 posts)

Posted 05 July 2012 - 12:59 PM

Step 1
  • Disable your anti-virus program, How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-Click RogueKiller and select Run as Administrator.
  • Wait until Prescan finishes.
  • On the RogueKiller console, click the Registry tab.
  • Then press the Delete button.
  • IF and only if prompted for a reboot, then allow it.
  • The log will be found as RKreport
    Copy & Paste the contents into next reply.

Step 2
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

    NOTE: We want to be in Windows Normal mode, from here on out, as much as possible.

Step 3
Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall

Please download Rkill by Grinler and save it to your desktop.
  • Link 2
    Link 3
    Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
  • If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL
IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

Step 4
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 5
To show all files:
  • Go to your Desktop
  • Double-Click the Computer icon.
  • From the menu options, Select Tools, then Folder Options.
  • Next click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders and drives.
  • Click Apply > OK.
Step 6
You will want to print out or copy these instructions to Notepad for offline reference!
These steps are for member BCord only. If you are a casual viewer, do NOT try this on your system!
If you are not BCord and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
Close any of your open programs while you run these tools.

On almost all of the following programs and tools, you will need to right-click the program link, shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember this as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages.
It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.
You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.
Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first that the notebook is connected to wall-power (AC power) or a UPS system.


Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".
  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.

    When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.


A file will be created at => C:\Combofix.txt.
Note:
Do not mouseclick combofix's window nor run any program while Combofix is running.
That may cause it to stall.

Reply with a copy of the C:\Combofix.txt log, AND tell me, How is your system now?
Any further "rogue" ransomware ?

Re-Enable your antivirus.
~Maurice Naggar

#5 BCord (Topic Starter, 32 posts)

Posted 05 July 2012 - 01:53 PM

FYI--I ran RogueKiller again, this time doing as you asked with the Registry tab but nothing showed up in the window. So the "delete" button was grayed out and inoperable. At the moment I am running TFC.

#6 BCord (Topic Starter, 32 posts)

Posted 05 July 2012 - 02:04 PM

Also, on rebooting I got an error message:

RunDLL
There was a problem starting
c:\users\william\AppData\local\temp\O_Oul.ext
The specified module could not be found

Because of this and my not finding anything in the RogueKiller Registry window I just want to make sure we are okay to proceed

#7 Maurice Naggar (Malware Response Team, 1,088 posts)

Posted 05 July 2012 - 02:14 PM

As long as you are in Windows, yes, please proceed forward.

Not finding the entries in RogueKiller is quite OK. Any other small hiccup (such as the file in the temp area) we can clean up.
Proceed forward, please.
~Maurice Naggar

#8 BCord (Topic Starter, 32 posts)

Posted 05 July 2012 - 02:27 PM

Another little hiccup ... when attempting to run Rkill as admin (I have Windows 7) I don't have that option when I right-click on it. Suggestions???

#9 BCord (Topic Starter, 32 posts)

Posted 05 July 2012 - 02:30 PM

By the way, I'm not in Safe mode anymore (so things are looking up)...but that may explain why I don't have that option

#10 Maurice Naggar (Malware Response Team, 1,088 posts)

Posted 05 July 2012 - 02:33 PM

Double-click to start. You can also try starting via Task Manager: CTRL+Shift+DEL keys and then select Task Manager.
Then New Task Run
and navigate to location of the program and start it.

If still no go, skip over and go to next Step
~Maurice Naggar

#11 BCord (Topic Starter, 32 posts)

Posted 05 July 2012 - 02:50 PM

Yet another question: Rkill ran fine, I think. But I'm not seeing a "computer icon" on my desktop to access to change setting to see all files. Is there another way to change that setting?

#12 BCord (Topic Starter, 32 posts)

Posted 05 July 2012 - 02:56 PM

I don't keep the "My Computer" icon on my desktop. Can I get to the same place by going to Start > Computer > C:/ and right-clicking to Open?

#13 BCord (Topic Starter, 32 posts)

Posted 05 July 2012 - 02:59 PM

Never mind...found it through the Control Panel
Phew.

#14 Maurice Naggar (Malware Response Team, 1,088 posts)

Posted 05 July 2012 - 03:04 PM

If you ever need to get to Desktop, press Windows-key & hold, then press D

Please keep moving forward.
~Maurice Naggar

#15 BCord (Topic Starter, 32 posts)

Posted 05 July 2012 - 03:41 PM

Hmmm. A setback, Maurice...

I ran Combofix and have the report. It's on my other computer, the PC that was not working. I tried to open Outlook and IE on it so I could reply to you but they would not open. The message: "illegal operation attempted on a registry key marked for deletion" was the message (or something close to that). Suggestions?



