
This damn FBI $200 Virus....Please Help!


This topic is locked
60 replies to this topic

#1 cy31

  • Members
  • 49 posts

Posted 24 August 2012 - 02:05 PM

I am new to this forum and I sincerely appreciate all the help and advice I can get!!
I am a novice, and don't understand some basic things, like even how to access and post some of these "logs" that everyone is doing... so when I was trying to read up and learn what I could do to fix my problem, I couldn't quite get started.

I have a virus or malware where every time I start my laptop, a white screen comes up saying "Loading in 30 seconds", then the "FBI Moneypack $200" scam comes up.
My REAL PROBLEM is that it also comes up in SAFE MODE or SAFE MODE with networking!!! I have no clue what to do!! Please please please help me!!

I can access the safe mode command prompt, but have never had to do that before, so I don't really know what I am doing on that page.
I have used your site before and HAD programs like Mbam and Rkill on there already (but cannot get to it

I have a Windows 7 Home Premium system32

Thank you so much in advance for any help. You guys have an awesome site, and awesome forum here. You should be commended (while idiots that send these viruses should be punched in the face!...lol)


UPDATE: (On advice of someone on here.... who is great, I just haven't been able to get on and talk to him in a while) I used a Windows Defender Offline CD boot, and was able to run a scan. It wiped SEVERAL viruses and trojans. I tried to restart the computer and reboot using the hard drive (to see if that FBI page was still taking it hostage) and I only get a black screen with a small underscore line _ at the top left. What did I do wrong? PLEASE help......


#2 cy31

  • Topic Starter
  • Members
  • 49 posts

Posted 24 August 2012 - 02:07 PM

They ALL say alert level "severe", and they are alllll removed except one:
Virus:win32/sirefef.R (quarantined)
Exploit:JS/REjave.A (removed)
Exploit:JS/Blacole.GB
Exploit:Java/Blacole.FK
Exploit:Java/CVE-2012-1723.CD
Exploit:Java/CVE-2012-1723.CC
Exploit:Java/CVE-2012-1723.BN
Exploit:Java/CVE-2012-1723.CB
Exploit:Java/Blacole.ET
Exploit:Java/CVE-2010-0840.QE
Exploit:Java/CVE-2011-3544.CR
Exploit:Java/CVE-2012-0507.F
Trojan:JS/BlacoleRef.W
Trojan:Win32/Sirefef.AO
Trojan:Win32/Sirefef.AG
Trojan:Win32/Sirefef.AN
Trojan:JS/Redirector.KL
Trojan:Win32/Medfos.B
Trojan:Win32/Sirefef
Trojan:Win32/Medfos.A
Trojan:Win32/Sirefef.AQ
Trojan:JS/Medfos.A
Trojan:Win32/Sirefef.AB
Trojan:Win32/EyeStye.C!cfg
Trojan:DOS/Alureon.K
Trojan:Win32/Sirefef.AH
Virus:Win32/Sirefef.R
DDoS:Win32/Abot.A
DDoS:Win32/Abot.A (this one was listed twice)

Hope this helps!! When I loaded it again, it ran another quick scan and didn't come up with anything this time.

I still can't boot into safe mode btw.......

#3 Farbar

  • Security Developer
  • 21,711 posts
  • Location: The Netherlands

Posted 26 August 2012 - 02:09 PM

Hello cy31,

Welcome to the forum.

For 32-bit (x86) systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For 64-bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#4 cy31

  • Topic Starter
  • Members
  • 49 posts

Posted 26 August 2012 - 02:12 PM

OK, I did the FRST recovery tool, and here is the log:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 26-08-2012 01
Ran by SYSTEM at 26-08-2012 13:52:21
Running from G:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKU\Chris\...\Policies\system: [DisableTaskMgr] 1
HKU\Chris\...\Policies\system: [DisableRegistryTools] 1
HKU\Chris\...\Policies\Explorer: [NoDesktop] 1
HKU\Chris\...\Winlogon: [Shell] C:\Users\Chris\AppData\Roaming\exJKPhHT.exe [x]
HKLM\...\Winlogon: [Shell] C:\Users\Chris\AppData\Roaming\exJKPhHT.exe [x ] ()

========================== Services (Whitelisted) ========================

2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
3 IHCserver; "C:\Program Files\Instant Housecall\InstantHousecall.exe" -service [1498736 2011-09-16] (Instant Housecall)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 MotoHelper; C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe [226624 2011-01-27] ()

==================== Drivers (Whitelisted) ===================

3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-08-02] (Malwarebytes Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [x]

==================== NetSvcs (Whitelisted) =================


============ One Month Created Files and Folders ==============

2012-08-07 13:29 - 2012-08-07 17:34 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-08-07 09:05 - 2012-08-07 09:05 - 00000000 ____D C:\FRST
2012-08-02 10:29 - 2012-08-02 10:29 - 00000000 ____A C:\Windows\System32\run
2012-08-02 07:10 - 2012-08-02 07:10 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-07-31 17:50 - 2012-01-22 08:05 - 00001753 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-07-31 17:50 - 2011-12-21 10:33 - 00001815 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-07-31 17:50 - 2011-12-10 18:41 - 00001989 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-07-31 17:38 - 2012-07-31 17:38 - 00399264 ____A (Bleeping Computer, LLC) C:\Users\Chris\Desktop\unhide.exe
2012-07-31 16:30 - 2012-07-13 19:40 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-31 16:28 - 2012-07-31 16:29 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\Chris\Desktop\mbam-setup.exe
2012-07-31 16:17 - 2012-08-02 07:08 - 00002696 ____A C:\Users\Chris\Desktop\Rkill.txt
2012-07-31 16:17 - 2012-07-31 16:17 - 01051552 ____A (Bleeping Computer, LLC) C:\Users\Chris\Desktop\iExplore.exe
2012-07-31 15:14 - 2012-07-31 16:05 - 00015628 ____A C:\Users\Chris\govlog.dat
2012-07-29 10:54 - 2012-07-29 10:54 - 00007604 ____A C:\Users\Chris\AppData\Local\Resmon.ResmonCfg
2012-07-29 10:45 - 2012-07-29 10:45 - 00000081 ____A C:\Users\Chris\AppData\Roaming\mbam.context.scan
2012-07-29 10:35 - 2012-07-29 10:39 - 00000064 ____A C:\Users\All Users\-s1gepooZRGrtAmr
2012-07-29 10:35 - 2012-07-29 10:39 - 00000064 ____A C:\Users\All Users\-s1gepooZRGrtAm
2012-07-29 10:35 - 2012-07-29 10:35 - 00000368 ____A C:\Users\All Users\s1gepooZRGrtAm
2012-07-27 06:13 - 2012-07-31 16:01 - 00000000 ____D C:\Windows\Minidump
2012-07-27 06:13 - 2012-07-27 06:13 - 239973384 ____A C:\Windows\MEMORY.DMP
2012-07-27 06:13 - 2012-07-27 06:13 - 00390152 ____A C:\Windows\Minidump\072712-18501-01.dmp

============ 3 Months Modified Files ========================

2012-08-07 09:25 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-07 09:24 - 2009-07-13 20:39 - 00027325 ____A C:\Windows\setupact.log
2012-08-07 09:06 - 2011-12-10 15:28 - 00726142 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-02 10:29 - 2012-08-02 10:29 - 00000000 ____A C:\Windows\System32\run
2012-08-02 09:29 - 2009-07-13 20:34 - 00014240 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-02 09:29 - 2009-07-13 20:34 - 00014240 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-02 07:31 - 2011-12-10 16:52 - 00018368 ____A C:\Windows\PFRO.log
2012-08-02 07:25 - 2011-12-10 18:51 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-02 07:10 - 2012-08-02 07:10 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-08-02 07:08 - 2012-07-31 16:17 - 00002696 ____A C:\Users\Chris\Desktop\Rkill.txt
2012-07-31 17:38 - 2012-07-31 17:38 - 00399264 ____A (Bleeping Computer, LLC) C:\Users\Chris\Desktop\unhide.exe
2012-07-31 16:29 - 2012-07-31 16:28 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\Chris\Desktop\mbam-setup.exe
2012-07-31 16:17 - 2012-07-31 16:17 - 01051552 ____A (Bleeping Computer, LLC) C:\Users\Chris\Desktop\iExplore.exe
2012-07-31 16:05 - 2012-07-31 15:14 - 00015628 ____A C:\Users\Chris\govlog.dat
2012-07-31 15:54 - 2011-12-10 11:19 - 01861246 ____A C:\Windows\WindowsUpdate.log
2012-07-31 15:02 - 2012-05-17 15:17 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-31 15:02 - 2011-12-10 18:28 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-29 11:08 - 2012-07-13 19:35 - 00000639 ____A C:\rkill.log
2012-07-29 10:54 - 2012-07-29 10:54 - 00007604 ____A C:\Users\Chris\AppData\Local\Resmon.ResmonCfg
2012-07-29 10:45 - 2012-07-29 10:45 - 00000081 ____A C:\Users\Chris\AppData\Roaming\mbam.context.scan
2012-07-29 10:39 - 2012-07-29 10:35 - 00000064 ____A C:\Users\All Users\-s1gepooZRGrtAmr
2012-07-29 10:39 - 2012-07-29 10:35 - 00000064 ____A C:\Users\All Users\-s1gepooZRGrtAm
2012-07-29 10:35 - 2012-07-29 10:35 - 00000368 ____A C:\Users\All Users\s1gepooZRGrtAm
2012-07-27 06:13 - 2012-07-27 06:13 - 239973384 ____A C:\Windows\MEMORY.DMP
2012-07-27 06:13 - 2012-07-27 06:13 - 00390152 ____A C:\Windows\Minidump\072712-18501-01.dmp
2012-07-13 19:40 - 2012-07-31 16:30 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-13 07:10 - 2009-07-13 20:33 - 00406272 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-13 06:50 - 2011-12-10 15:43 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-02 14:19 - 2012-06-20 20:09 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-20 20:09 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-20 20:09 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-20 20:09 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-20 20:09 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-20 20:09 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-20 20:09 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-20 20:08 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-20 20:08 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

ZeroAccess:
C:\Windows\Installer\{e94e864c-fc97-8c3f-670f-0e46346dc2b1}
C:\Windows\Installer\{e94e864c-fc97-8c3f-670f-0e46346dc2b1}\@
C:\Windows\Installer\{e94e864c-fc97-8c3f-670f-0e46346dc2b1}\L
C:\Windows\Installer\{e94e864c-fc97-8c3f-670f-0e46346dc2b1}\U
C:\Windows\Installer\{e94e864c-fc97-8c3f-670f-0e46346dc2b1}\L\00000004.@
C:\Windows\Installer\{e94e864c-fc97-8c3f-670f-0e46346dc2b1}\L\201d3dde

ZeroAccess:
C:\Users\Chris\AppData\Local\{e94e864c-fc97-8c3f-670f-0e46346dc2b1}
C:\Users\Chris\AppData\Local\{e94e864c-fc97-8c3f-670f-0e46346dc2b1}\@
C:\Users\Chris\AppData\Local\{e94e864c-fc97-8c3f-670f-0e46346dc2b1}\L
C:\Users\Chris\AppData\Local\{e94e864c-fc97-8c3f-670f-0e46346dc2b1}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-06-08 04:35:35
Restore point made on: 2012-06-13 06:46:31
Restore point made on: 2012-06-20 14:46:14
Restore point made on: 2012-06-20 20:08:48
Restore point made on: 2012-06-28 19:18:28
Restore point made on: 2012-07-08 15:53:54
Restore point made on: 2012-07-16 17:06:36
Restore point made on: 2012-07-27 08:39:46
Restore point made on: 2012-07-29 11:14:28

==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 3892.52 MB
Available physical RAM: 3393.63 MB
Total Pagefile: 3890.8 MB
Available Pagefile: 3402.97 MB
Total Virtual: 2047.88 MB
Available Virtual: 1979.22 MB

==================== Partitions ============================

1 Drive c: () (Fixed) (Total:450.98 GB) (Free:408.4 GB) NTFS
2 Drive e: (Repair disc Windows 7 32-bit) (CDROM) (Total:0.14 GB) (Free:0 GB) UDF
4 Drive g: (WDO_Media32) (Removable) (Total:3.65 GB) (Free:3.61 GB) NTFS
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:5.94 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 3745 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 101 MB 31 KB
Partition 2 Primary 14 GB 101 MB
Partition 3 Primary 450 GB 14 GB
Partition 4 Primary 10 MB 465 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 FAT Partition 101 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 14 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 450 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3741 MB 4032 KB

==================================================================================

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G WDO_Media32 NTFS Removable 3741 MB Healthy

==================================================================================

Last Boot: 2012-07-29 13:21

==================== End Of Log =============================
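
As an added example (not part of this thread or of Farbar's tools), the following Python script reads an FRST log in the format posted above and flags the same indicators the helper later acts on: a Winlogon Shell pointing at an executable under AppData, the lock-screen policies, the ZeroAccess folders, the missing services.exe, and the hidden active partition of suspicious type. The log excerpt is constructed from lines of the posted scan; the regexes and category names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of an FRST log in the line formats used by the scan
# posted above (registry, ZeroAccess, Bamital/volsnap and partition sections).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================

HKU\Chris\...\Policies\system: [DisableTaskMgr] 1
HKU\Chris\...\Policies\system: [DisableRegistryTools] 1
HKU\Chris\...\Policies\Explorer: [NoDesktop] 1
HKU\Chris\...\Winlogon: [Shell] C:\Users\Chris\AppData\Roaming\exJKPhHT.exe [x]
HKLM\...\Winlogon: [Shell] C:\Users\Chris\AppData\Roaming\exJKPhHT.exe [x ] ()

ZeroAccess:
C:\Windows\Installer\{e94e864c-fc97-8c3f-670f-0e46346dc2b1}
C:\Windows\Installer\{e94e864c-fc97-8c3f-670f-0e46346dc2b1}\@

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes
"""

# Policies a lock-screen ransom sets so the victim cannot close it.
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoDesktop"}

POLICY_RE = re.compile(r"\\Policies\\\w+: \[(\w+)\] (\d+)\s*$")
SHELL_RE = re.compile(r"\\Winlogon: \[Shell\] (.*?)(?:\s+\[x ?\])?(?:\s+\(\))?\s*$")
MISSING_RE = re.compile(r"^(\S.*?) IS MISSING")
PARTITION_RE = re.compile(r"^Partition (\d+)$")


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def triage_frst_log(text: str) -> list[Finding]:
    """Walk an FRST log and return the indicators a helper would act on:
    hijacked Winlogon Shell, lock-screen policies, ZeroAccess folders, a
    missing protected system file, and an active partition of unknown type."""
    findings: list[Finding] = []
    in_zeroaccess = False
    disk = partition = ptype = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_zeroaccess:
            if line:  # paths listed under "ZeroAccess:" until the blank line
                findings.append(Finding("zeroaccess", line))
                continue
            in_zeroaccess = False
        if line == "ZeroAccess:":
            in_zeroaccess = True
        elif m := POLICY_RE.search(line):
            name, value = m.groups()
            if name in LOCKDOWN_POLICIES and value == "1":
                findings.append(Finding("lockdown-policy", name))
        elif m := SHELL_RE.search(line):
            # Anything but explorer.exe as Shell replaces the whole desktop.
            if m.group(1).lower() != "explorer.exe":
                findings.append(Finding("shell-hijack", m.group(1)))
        elif m := MISSING_RE.match(line):
            findings.append(Finding("missing-system-file", m.group(1)))
        elif line.startswith("Disk: "):
            disk = line.split(": ", 1)[1]
        elif m := PARTITION_RE.match(line):
            partition = m.group(1)
        elif line.startswith("Type : "):
            ptype = line.split(": ", 1)[1]
        elif line == "Active: Yes" and ptype and "Suspicious" in ptype:
            # Hidden, active, non-standard type: FRST's flag for a partition bootkit.
            findings.append(Finding("suspicious-active-partition",
                                    f"Disk {disk} Partition {partition} type {ptype}"))
    return findings


if __name__ == "__main__":
    for f in triage_frst_log(SAMPLE_LOG):
        print(f"{f.category:28} {f.detail}")
```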

#5 Farbar

  • Security Developer
  • 21,711 posts
  • Location: The Netherlands

Posted 26 August 2012 - 02:14 PM

Well done.

UPDATE: (On advice of someone on here.... who is great, I just haven't been able to get on and talk to him in a while) I used a windows defender offline CD boot, and was able to run a scan. It wiped SEVERAL viruses and trojans. I tried to restart the computer and reboot using the hard drive (to see if that FBI page was still taking it hostage) and I only get a black screen with a small underscore line _ at the top left. What did I do wrong? PLEASE help......


We will fix the issue next round. Could you give me some feedback about the person who is giving you advice, how he is giving you advice, and whether the person is a member here or is qualified to give advice.

#6 cy31

  • Topic Starter
  • Members
  • 49 posts

Posted 26 August 2012 - 02:16 PM

Yes, it was Rui PAz (now his handle is sleepy dude). He is really great and is still asking around on ways to help me.

#7 cy31

  • Topic Starter
  • Members
  • 49 posts

Posted 26 August 2012 - 02:18 PM

He has been very very helpful so far, and stays in touch with a lot of the guys that work on the site as well. When he isn't sure, he sends me to the proper people. I am just a rookie, and (like I said before) will take any advice I can get. I just want the thing fixed...lol. This has been an issue for almost a month. He and JsTgRvr were helping me before but I disappeared for a while because I couldn't get on a clean desktop until recently. Now I am back. I think I got everything wiped... only problem is that I wiped something in the operating system, because when I boot, it just goes to a black screen with the line cursor at the top left.....

#8 Farbar

  • Security Developer
  • 21,711 posts
  • Location: The Netherlands

Posted 26 August 2012 - 02:44 PM

JSntgRvr is a good colleague of mine. In fact he could help you with this. But I don't know Rui PAz.

I would like to make sure you refrain from taking advice from anyone from now on and refrain from doing anything on your own unless you decide you can do the rest on your own without my assistance. Please tell me if you agree with this.

  • Please download ListParts and save it on the flash drive.
  • Download the attached file fix.txt.
    Save the fix.list also on the flash drive.
    Boot to System Recovery Options and select "Command prompt".
    Run ListParts: to do that, type g:\listparts in the command prompt and click Fix.
    When it is finished click Scan and post the log (Result.txt) it makes.
  • While still in the Recovery Options environment run FRST.

    Type the following in the edit box after "Search:".

    services.exe

    Click the Search File(s) button and post the log it makes to your reply.


#9 cy31

  • Topic Starter
  • Members
  • 49 posts

Posted 26 August 2012 - 06:10 PM

Hey Farbar, I understand and agree with you. Anything to get this computer running normally again :) I would like to hopefully get this solved tonight, because then I work all day tomorrow until about 7pm....... and I am VERY sorry I am just getting back to you, we had to leave and do some work on the house (I am down here in Florida getting hit by this tropical storm).
Here is the listparts log from the scan:

ListParts by Farbar Version: 10-08-2012
Ran by SYSTEM (administrator) on 26-08-2012 at 19:07:40
Windows 7 (X86)
Running From: G:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3892.52 MB
Available physical RAM: 3294.78 MB
Total Pagefile: 3890.8 MB
Available Pagefile: 3438.2 MB
Total Virtual: 2047.88 MB
Available Virtual: 1969.54 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:450.98 GB) (Free:408.4 GB) NTFS
2 Drive e: (Repair disc Windows 7 32-bit) (CDROM) (Total:0.14 GB) (Free:0 GB) UDF
4 Drive g: (WDO_Media32) (Removable) (Total:3.65 GB) (Free:3.61 GB) NTFS
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:5.94 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 13 MB
Disk 1 No Media 0 B 0 B
Disk 2 Online 3745 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 101 MB 31 KB
Partition 2 Primary 14 GB 101 MB
Partition 3 Primary 450 GB 14 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 FAT Partition 101 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 14 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 450 GB Healthy

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3741 MB 4032 KB

======================================================================================================

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G WDO_Media32 NTFS Removable 3741 MB Healthy

======================================================================================================

****** End Of Log ******

Here is the log that was saved after I did the services.exe search..... this is all there was. Is this correct?
Farbar Recovery Scan Tool Version: 26-08-2012 01

Ran by SYSTEM at 2012-08-26 19:03:03
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===

#10 Farbar

  • Security Developer
  • 21,711 posts
  • Location: The Netherlands

Posted 26 August 2012 - 06:21 PM

Well done. We removed a partition boot kit. Now we are going to remove two other infections, the ransom and ZeroAccess.

If you are fast we can resolve this tonight, otherwise I have to go to sleep and it is already too late here.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Please download the attached file fixlist.txt.
Save it to your flash drive.
Boot to System Recovery Options and select "Command Prompt".

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it to your reply.

Also restart, let it boot normally and tell me how it went. If there is no script at boot to undo what we have done, the system should boot. In case the system doesn't boot, post a fresh scan of FRST; otherwise just tell me how it went.

#11 cy31

  • Topic Starter
  • Members
  • 49 posts

Posted 26 August 2012 - 06:40 PM

I totally understand. Again, I thank you soooo much for your help. Below is the fixlog...... also, when I tried to restart in normal mode, it actually let me log on this time. EXCEPT when I logged on, it was just a blank black screen.... BUT it did have my Windows icon at the bottom. It's almost like everything was just wiped off the desktop or something.....

#12 Farbar

  • Security Developer
  • 21,711 posts
  • Location: The Netherlands

Posted 26 August 2012 - 06:43 PM

You forgot to post the Fixlog.txt. Please tell me what the issue is.

#13 cy31

  • Topic Starter
  • Members
  • 49 posts

Posted 26 August 2012 - 06:47 PM

I'm trying to boot into recovery options right now, to run the FRST fix again to get you that log.... this time when I went back to it (system recovery options.... bc I was on the normal log in to see what happened)... a message came up that said "windows found problems with your computer startup options, do you want to apply repairs and restart?" I clicked on it and it said:

"The following startup boot option will be repaired, Name: Boot manager. Following will be added: Windows recovery Environment (recovered) PAth: Recovery\wubdiwsRE\Winre.wim Windows Device"Partition=C: (15006 MB) A copy of current boot config data will be saved as C:\Boot\BCD.BAckup.0001" Didn't know if that would be helpful or not or what that meant???

#14 Farbar

  • Security Developer
  • 21,711 posts
  • Location: The Netherlands

Posted 26 August 2012 - 06:49 PM

I'm trying to boot into recovery options right now, to run the FRST fix again to get you that log

I don't get it. Why should you do that? If you would like to carry on without me, be my guest. :)

#15 cy31

  • Topic Starter
  • Members
  • 49 posts

Posted 26 August 2012 - 06:50 PM

Here is the fix log!! Finally got it.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 26-08-2012 01
Ran by SYSTEM at 2012-08-26 19:49:29 Run:3
Running from G:\

==============================================

HKEY_USERS\Chris\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value not found.
HKEY_USERS\Chris\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableRegistryTools Value not found.
HKEY_USERS\Chris\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDesktop Value not found.
HKEY_USERS\Chris\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value not found.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .
C:\Users\Chris\AppData\Roaming\exJKPhHT.exe not found.
C:\Users\All Users\-s1gepooZRGrtAmr not found.
C:\Users\All Users\-s1gepooZRGrtAm not found.
C:\Users\All Users\s1gepooZRGrtAm not found.
C:\Windows\Installer\{e94e864c-fc97-8c3f-670f-0e46346dc2b1} not found.
C:\Users\Chris\AppData\Local\{e94e864c-fc97-8c3f-670f-0e46346dc2b1} not found.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====
