
FBI Virus


41 replies to this topic

#1 focusedeyedoc

Posted 27 October 2012 - 07:01 PM

Hi,

I believe my wireless laptop has been infected with an FBI virus. I have Windows XP and when I try to start my computer in Safe Mode, it directs me to a white screen that says 'This Program Cannot Display the Webpage'. I have no options on this screen that amount to any beneficial command. I do not have my aircard in when I restart my computer. I have a feeling that whatever virus I have is trying to take me to an internet site but cannot since I am unable to access my desktop to gain internet access. Please help me if you can. Thank you!


#2 schrauber

Posted 29 October 2012 - 03:14 AM

Hello, focusedeyedoc
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.


Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.


Are you able to boot into safe mode with command prompt? Are you able to burn a cd with another system?
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 focusedeyedoc

Posted 29 October 2012 - 07:46 PM

Great! I'm glad you can help me!

I am able to boot in safe mode with command prompt. This takes me to a black screen, an Administrator CMD.EXE screen.
I am able to burn a CD or download onto a flash drive.

I look forward to your reply! Thanks again!

#4 schrauber

Posted 30 October 2012 - 01:43 AM

Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

Step 1:

1. Download and Run Ultimate Boot CD for Windows
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
  • Do not install to a folder with spaces in its name.
  • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
    • Source:(path to Windows installation files)
    • Enter the path to the drive where your XP CD is located.
    • You can click on the "..." button on the right to navigate to the path as well.
  • Custom: (include files and folders from this directory)
    • No information is necessary, leave blank.
  • Output: (C:\ubcd4win\BartPE)
    • Keep the default BartPE
  • Media output
  • Choose Create ISO image
  • Do not choose Burn to CD/DVD


Please note: If your XP install disc is SP1 then please .....

  • Disable- DComLaunch Service
  • Enable- LargeIDE Fix

    This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

Also note: If you have a Dell XP install disc you will need to follow the instructions here
http://www.ubcd4win.com/faq.htm#dell
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit


4. Burn your ISO file to CD
  • Please see HERE on how to burn an ISO to CD.
==========

Step 2:

Next, from your clean computer:

Download Farbar Recovery Scan Tool
and save it to your flash drive.

Now plug your flashdrive back into your sick computer and follow the next instructions:

==========

Step 3:

1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created
  • Insert the UBCD4Win disc in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
    • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on Yes if you want to use the PE environment to get online post your log and reply by way of an Ethernet connection.
  • The UBCD4Win desktop should now be displayed.


==========

Step 4:

  • Single click My computer from your UBCD4W desktop to navigate to the Farbar Recovery Scan Tool you saved to your flash drive.
  • Double click on it to begin running the tool.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your next reply.

regards,
schrauber


#5 focusedeyedoc


Posted 30 October 2012 - 11:29 PM

Before I dl the UBCD4, I do have a question for you. I was unable to locate the original XP CD I had for my infected laptop as I just recently moved. However, I do have an XP CD that came with a computer that I use at work. If I use this CD, even though it is not the original XP CD for the laptop we are trying to fix, will this affect anything? (I just want to do everything possible to ensure I have a chance to save all my programs and data that I have saved on my laptop).

Thanks!

#6 schrauber

Posted 31 October 2012 - 01:20 AM

Is it an original Windows CD? Same system (XP Home, Professional)?

IF yes you can use it :)
regards,
schrauber


#7 focusedeyedoc

Posted 01 November 2012 - 08:09 PM

My laptop is actually Vista. The CD I have is XP Professional from work. Is there a workaround if I am unable to find the original Vista CD? I'll keep looking while I wait for your response. Thank you!

#8 schrauber

Posted 02 November 2012 - 01:25 AM

Please try the option with boot manager from the following instructions. If this will not work, you have to ask a friend or something for a CD.


For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
regards,
schrauber


#9 focusedeyedoc

Posted 02 November 2012 - 07:52 PM

That seemed to have worked. Here is the log........

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2012
Ran by Michael at 02-11-2012 20:45:22
Running from G:\
Service Pack 2 (X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: Registry editing has been disabled by your administrator.
Attention: System hive is missing.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ========

2012-11-02 20:44 - 2012-11-02 20:45 - 00000000 ____D C:\FRST
2012-10-16 00:33 - 2012-10-16 00:32 - 00273408 ____A (ICQ, LLC.) C:\Users\Michael\AppData\Roaming\stgserygres.exe
2012-10-16 00:32 - 2012-10-16 00:32 - 00273408 ____A (ICQ, LLC.) C:\Users\Michael\AppData\Local\yagtser56j.exe
2012-10-15 21:46 - 2012-10-15 21:46 - 04920954 ____A C:\Users\Michael\Downloads\wordpress-3.4.2.zip
2012-10-15 21:39 - 2012-10-15 21:39 - 00903721 ____A C:\Users\Michael\Downloads\mappress-google-maps-for-wordpress.2.38 (1).zip
2012-10-15 21:36 - 2012-10-15 21:36 - 00903721 ____A C:\Users\Michael\Downloads\mappress-google-maps-for-wordpress.2.38.zip
2012-10-14 22:42 - 2012-10-14 22:42 - 07431866 ____A C:\Users\Michael\Downloads\KCBS-TV_Los_Angeles_8210.wmv
2012-10-09 22:39 - 2012-09-13 09:28 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2012-10-09 22:39 - 2012-09-13 09:28 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-10-09 22:39 - 2012-08-24 11:53 - 00172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-10-09 22:39 - 2012-08-24 11:53 - 00172544 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-10-09 22:39 - 2012-06-01 20:02 - 00985088 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-10-09 22:39 - 2012-06-01 20:02 - 00985088 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-10-09 22:39 - 2012-06-01 20:02 - 00133120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-10-09 22:39 - 2012-06-01 20:02 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-10-09 22:39 - 2012-06-01 20:02 - 00098304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-10-09 22:39 - 2012-06-01 20:02 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-10-05 01:00 - 2012-10-05 01:00 - 00021504 ____A C:\Users\Michael\Downloads\Sample P&L.xls
2012-10-05 00:16 - 2012-10-05 00:16 - 00057344 ____A C:\Users\Michael\Downloads\Cashflow projections 5-21-09.xls

==================== 3 Months Modified Files ==================

2012-11-01 22:01 - 2009-03-27 12:04 - 00102249 ____A C:\Users\All Users\nvModes.001
2012-11-01 22:01 - 2006-11-02 11:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-16 02:11 - 2008-10-20 01:53 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-10-16 02:11 - 2006-11-02 11:42 - 00032588 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-10-16 01:48 - 2009-05-11 14:10 - 00007592 ____A C:\Users\Michael\AppData\Local\d3d9caps.dat
2012-10-16 01:36 - 2009-02-22 08:49 - 01296212 ____A C:\Windows\WindowsUpdate.log
2012-10-16 00:32 - 2012-10-16 00:33 - 00273408 ____A (ICQ, LLC.) C:\Users\Michael\AppData\Roaming\stgserygres.exe
2012-10-16 00:32 - 2012-10-16 00:32 - 00273408 ____A (ICQ, LLC.) C:\Users\Michael\AppData\Local\yagtser56j.exe
2012-10-16 00:20 - 2012-04-12 21:55 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-10-16 00:16 - 2012-04-12 22:06 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-297768918-241284754-879130908-1000UA.job
2012-10-15 21:46 - 2012-10-15 21:46 - 04920954 ____A C:\Users\Michael\Downloads\wordpress-3.4.2.zip
2012-10-15 21:39 - 2012-10-15 21:39 - 00903721 ____A C:\Users\Michael\Downloads\mappress-google-maps-for-wordpress.2.38 (1).zip
2012-10-15 21:36 - 2012-10-15 21:36 - 00903721 ____A C:\Users\Michael\Downloads\mappress-google-maps-for-wordpress.2.38.zip
2012-10-15 20:29 - 2012-04-12 22:06 - 00000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-297768918-241284754-879130908-1000Core.job
2012-10-14 22:42 - 2012-10-14 22:42 - 07431866 ____A C:\Users\Michael\Downloads\KCBS-TV_Los_Angeles_8210.wmv
2012-10-11 23:59 - 2009-06-02 22:07 - 00000516 ____A C:\Windows\Tasks\Webroot Backup Online Backup - supers10572.job
2012-10-10 21:18 - 2012-04-12 22:06 - 00002052 ____A C:\Users\Michael\Desktop\Google Chrome.lnk
2012-10-08 22:20 - 2012-04-12 21:55 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-10-08 22:20 - 2012-04-12 21:55 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-10-08 22:20 - 2011-07-24 23:08 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-10-08 22:20 - 2011-07-24 23:08 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-10-05 02:30 - 2009-06-12 01:51 - 00040666 ____A C:\Users\Michael\Desktop\Cashflow projections 6-11-09.xlsx
2012-10-05 01:00 - 2012-10-05 01:00 - 00021504 ____A C:\Users\Michael\Downloads\Sample P&L.xls
2012-10-05 00:16 - 2012-10-05 00:16 - 00057344 ____A C:\Users\Michael\Downloads\Cashflow projections 5-21-09.xls
2012-09-25 22:15 - 2010-07-16 18:29 - 00003796 ____A C:\Windows\PFRO.log
2012-09-25 08:06 - 2011-09-24 20:40 - 00000832 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-09-24 18:57 - 2010-09-29 16:14 - 00006181 ____A C:\Windows\setupact.log
2012-09-24 18:51 - 2009-03-14 18:37 - 00111896 ____A C:\Users\Michael\AppData\Local\GDIPFONTCACHEV1.DAT
2012-09-23 22:19 - 2012-09-23 22:19 - 00009988 ____A C:\Users\Michael\Desktop\iPhone CC Processing.xlsx
2012-09-13 09:28 - 2012-10-09 22:39 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2012-09-13 09:28 - 2012-10-09 22:39 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-08-25 16:48 - 2012-08-23 13:45 - 00242688 ____A C:\Users\Michael\Downloads\IDOC_max_discount_printable.xls
2012-08-24 11:53 - 2012-10-09 22:39 - 00172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-08-24 11:53 - 2012-10-09 22:39 - 00172544 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-08-24 03:27 - 2012-09-24 19:00 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-24 03:27 - 2012-09-24 19:00 - 12319744 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-24 03:03 - 2012-09-24 19:00 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-24 03:03 - 2012-09-24 19:00 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-24 02:59 - 2012-09-24 19:00 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-24 02:59 - 2012-09-24 19:00 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-24 02:51 - 2012-09-24 19:00 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-24 02:51 - 2012-09-24 19:00 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-24 02:51 - 2012-09-24 19:00 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-24 02:51 - 2012-09-24 19:00 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-24 02:51 - 2012-09-24 19:00 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-24 02:51 - 2012-09-24 19:00 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-24 02:49 - 2012-09-24 19:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-24 02:49 - 2012-09-24 19:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-24 02:48 - 2012-09-24 19:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-24 02:48 - 2012-09-24 19:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-24 02:47 - 2012-09-24 19:01 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-24 02:47 - 2012-09-24 19:01 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-24 02:47 - 2012-09-24 19:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-24 02:47 - 2012-09-24 19:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-24 02:47 - 2012-09-24 19:00 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-24 02:47 - 2012-09-24 19:00 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-24 02:45 - 2012-09-24 19:00 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-24 02:45 - 2012-09-24 19:00 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-24 02:44 - 2012-09-24 19:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-24 02:44 - 2012-09-24 19:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-24 02:44 - 2012-09-24 19:00 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-24 02:44 - 2012-09-24 19:00 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-24 02:43 - 2012-09-24 19:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-24 02:43 - 2012-09-24 19:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-24 02:40 - 2012-09-24 19:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-24 02:40 - 2012-09-24 19:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-23 13:57 - 2012-08-23 13:55 - 00821984 ____A C:\Users\Michael\Downloads\Essilor_pricelist_2012.xls
2012-08-16 22:17 - 2012-08-16 22:17 - 00028317 ____A C:\Users\Michael\Downloads\pricingsheet.xlsx

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2009-09-18 07:24] - [2009-04-11 03:10] - 3079168 ____A (Microsoft Corporation) 6B08E54A451B3F95E4109DBA7E594270

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2009-09-18 07:25] - [2009-04-11 02:26] - 0648704 ____A (Microsoft Corporation) D29FDB5DEDBDC1BD882164DC6DC4DD53

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 6110.02 MB
Available physical RAM: 5446.71 MB
Total Pagefile: 12335.05 MB
Available Pagefile: 11854.81 MB
Total Virtual: 4095.88 MB
Available Virtual: 3987.83 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:451.78 GB) (Free:359.51 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (RECOVERY) (Fixed) (Total:13.98 GB) (Free:2.12 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (Oct 16 2012) (CDROM) (Total:0.69 GB) (Free:0.4 GB) UDF
4 Drive f: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
5 Drive g: (Cruzer) (Removable) (Total:7.47 GB) (Free:7.39 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 1024 KB
Disk 1 Online 7664 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 452 GB 32 KB
Partition 2 Primary 14 GB 452 GB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 452 GB Healthy System (partition with boot components)

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7656 MB 22 KB

=========================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G Cruzer FAT32 Removable 7656 MB Healthy

=========================================================
==================== End Of Log ============================
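The log above is what the helper reads by hand: the two recently created executables under the user's AppData tree and the "ATTENTION" lines (the missing volsnap.sys, the hive that could not be loaded) are the entries that matter. As an added example, not part of this thread and not FRST's own code, the following Python script parses FRST file-list entries and pulls out exactly those findings. The SAMPLE_LOG excerpt is copied from the log posted above; the rule "an executable dropped directly under AppData is worth a look" is an assumed triage heuristic, not an FRST rule.

```python
import re

# One entry of an FRST "Created Files" / "Modified Files" section looks like:
# 2012-10-16 00:33 - 2012-10-16 00:32 - 00273408 ____A (ICQ, LLC.) C:\Users\Michael\AppData\Roaming\stgserygres.exe
# i.e. timestamp - timestamp - 8-digit size, 5-char attribute field, optional
# "(publisher)" from the PE version info, then the full path.
ENTRY = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<publisher>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*)$"
)

# Assumed heuristic: a PE file sitting directly in a user's AppData tree
# (not under Program Files or the Windows directory) is a common drop
# location for lock-screen malware and deserves manual review.
USER_PROFILE_DIRS = re.compile(r"\\AppData\\(Roaming|Local|LocalLow)\\", re.IGNORECASE)
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".cpl")


def parse_entry(line):
    """Return the fields of one FRST file entry as a dict, or None if the line is not one."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    return entry


def is_user_profile_binary(entry):
    path = entry["path"]
    return path.lower().endswith(PE_EXTENSIONS) and USER_PROFILE_DIRS.search(path) is not None


def triage(log_text):
    """Walk an FRST log and return (category, detail) findings a reviewer should look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # FRST marks its own warnings with "Attention:" or an "<==== ATTENTION" tag;
        # these include a missing volsnap.sys and a tool run outside the recovery environment.
        if line.startswith("Attention:") or "ATTENTION" in line:
            findings.append(("attention", line))
            continue
        entry = parse_entry(line)
        if entry and is_user_profile_binary(entry):
            findings.append(("user-profile executable", entry["path"]))
    return findings


# Constructed excerpt: lines taken from the FRST log posted in this thread.
SAMPLE_LOG = r"""
Attention: Could not load system hive.ERROR: Registry editing has been disabled by your administrator.
2012-10-16 00:33 - 2012-10-16 00:32 - 00273408 ____A (ICQ, LLC.) C:\Users\Michael\AppData\Roaming\stgserygres.exe
2012-10-16 00:32 - 2012-10-16 00:32 - 00273408 ____A (ICQ, LLC.) C:\Users\Michael\AppData\Local\yagtser56j.exe
2012-10-09 22:39 - 2012-09-13 09:28 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2012-10-16 01:48 - 2009-05-11 14:10 - 00007592 ____A C:\Users\Michael\AppData\Local\d3d9caps.dat
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```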

#10 schrauber

Posted 03 November 2012 - 06:09 AM

Hi,

How did you run FRST? Did you follow the instructions correctly to run it outside of windows from the computer repair options?
regards,
schrauber


#11 focusedeyedoc

Posted 03 November 2012 - 05:29 PM

I do not have the option to 'Repair Computer'. After repeatedly pressing f8, I have 4 options of safe mode, safe mode with networking, safe mode with command prompt, and start windows normally. I chose safe mode with command prompt and followed the rest of your instructions to run frst.exe exactly as you said.

#12 schrauber

Posted 04 November 2012 - 05:59 AM

Hi,

FRST will not work correctly in safe mode, let's try something else. Please reboot into safe mode with command prompt. Download this tool to your flash drive.

http://www.trojaner-board.de/redirect-to/?redirect=http%3A%2F%2Flarusso.trojaner-board.de%2Fsrep.exe

Now in command prompt, navigate to your flash drive like you did before when running FRST and type:

start srep.exe

Hit ok, the system will reboot automatically. Is Windows Normal Mode now working?
regards,
schrauber


#13 focusedeyedoc

Posted 04 November 2012 - 11:01 PM

Kind of.

I now can at least see my desktop although there are no icons on it and there is no tool bar at the bottom (except I do see the Windows Start Icon in the bottom left corner). There is a message on the screen from my AVG Identity Protection stating a 'Threat has been Detected'
File name: C:\Users\Michael\AppData\Local\Temp\an2ans.exe
Severity: 4 blocks

It's asking if I want to 'move to vault' or 'allow'. I have not done either yet because I do not know if this is itself a virus 'impostor' message. Please advise. Thanks!

#15 schrauber

Posted 05 November 2012 - 03:57 AM

Move it and have a look if you can work in normal mode, otherwise please try safe mode with network.

If it works, please do this:


  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

