
FBI Moneypak


  • This topic is locked
10 replies to this topic

#1 cyfi6

  • Members
  • 4 posts

Posted 26 December 2012 - 02:42 PM

Hi etdigger, and welcome to Bleeping Computer! :thumbsup:

Could you please tell me if you're running Windows Vista 32 or 64-bit?

==========

If you cannot access safe mode with the link above from hamluis, then please try these steps from normal mode.

Let's see if Rkill can stop the processes to subsequently remove the infection:

Step :step1:

Please download Rkill by Grinler and save it to your desktop.
Link 1
Link 2

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer, or you will need to run the application again.

==========

Step :step2:

Run RogueKiller

Download RogueKiller from here or here and save it to your desktop.

  • Close all programs and disconnect any USB or external drives before running the tool.
  • Right-click RogueKiller.exe and select Run as Administrator.
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", click Delete.
  • When the Status box shows "Deleting Finished", click Report and then copy and paste the log in your next reply.
  • The log can also be found at RKreport[1].txt on your desktop.

==========

In your next reply, please include the following:

  • The Rkill log
  • The RogueKiller log
bloopie


I am sort of confused by this post. When I start up my computer, regardless of the mode (safe mode, safe mode with networking, safe mode with command prompt, repair mode, etc.), the Internet crime virus blocks any use of the computer 100% once logged in. It takes up the entire screen, and no amount of Alt-Tab, Ctrl-Alt-Del, Windows key or anything else will allow use of the computer in any way. How do I run these applications when I do not have access to anything on my computer? Is the boot disc my only option?
Also, I have a device that will allow me to connect my laptop's hard drive to my PC via USB as a removable disk. Can I use this to clean the drive with my PC, or do I run the risk of infecting my PC as well? I am a little bit of a noob, so please excuse me if any of these questions are noobish. Thanks for any help.


#2 bloopie

    Bleepin' Sith Turner
  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 26 December 2012 - 03:35 PM

Hello,

Each case is different.

Are you using Vista and have the option to select "Repair Your Computer" in the Advanced Boot Options menu?

Follow these instructions...you will need the use of a Flashdrive and another computer:

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    Select Command Prompt

    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer", note your flash drive's letter, and close Notepad.
  • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
bloopie

#3 cyfi6

  • Topic Starter
  • Members
  • 4 posts

Posted 26 December 2012 - 06:18 PM

Thanks so much bloopie for the thorough and clear instructions. The infected system is running Windows XP. I will give this all a shot and post back with any trouble I encounter, and of course will make sure to post back whether or not it has been resolved.

#4 bloopie

    Bleepin' Sith Turner
  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 26 December 2012 - 07:01 PM

Hi again,

My pleasure! :)

These instructions will not resolve the issue just yet, but they will give me the log I need to post you the next instructions to clean the bulk of the infection and get you booting again. :thumbup2:

==========

Since this system is in Windows XP, you may need to follow a different set of instructions which I have created below. For these instructions you WILL need to create a boot disk, and this is purely because the system is Windows XP and you won't have the System Recovery Options to use from the previous post:



Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

:step1:

1. Download and Run Ultimate Boot CD for Windows
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
  • Do not install to a folder with spaces in its name.
  • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win; these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2/SP3 into a CD-ROM drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
    • Source:(path to Windows installation files)
    • Enter the path to the drive where your XP CD is located.
    • You can click on the "..." button on the right to navigate to the path as well.
  • Custom: (include files and folders from this directory)
    • No information is necessary, leave blank.
  • Output: (C:\ubcd4win\BartPE)
    • Keep the default BartPE
  • Media output
  • Choose Create ISO image
  • Do not choose Burn to CD/DVD


Please note: If your XP install disc is SP1 then please .....

  • Disable- DComLaunch Service
  • Enable- LargeIDE Fix

    This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

Also note: If you have a Dell XP install disc you will need to follow the instructions here
http://www.ubcd4win.com/faq.htm#dell
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit


4. Burn your ISO file to CD
  • Please see HERE on how to burn an ISO to CD.
==========

:step2:

Next, from your clean computer:

Download Farbar Recovery Scan Tool
and save it to your flash drive.

Now plug your flashdrive back into your sick computer and follow the next instructions:

==========

:step3:

1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created
  • Insert the UBCD4Win disc in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
    • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on Yes if you want to use the PE environment to get online, post your log and reply by way of an Ethernet connection.
  • You should now have a desktop that looks like this:

    (screenshot of the UBCD4Win desktop; image not included)


==========

:step4:

  • Single click My Computer from your UBCD4Win desktop to navigate to the Farbar Recovery Scan Tool you saved to your flash drive.
  • Double click on it to begin running the tool.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your next reply.

bloopie

#5 cyfi6

  • Topic Starter
  • Members
  • 4 posts

Posted 29 December 2012 - 02:18 AM

Hi Bloopie, one small issue I am having.
"2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive"
I purchased this laptop second hand with a fresh copy of XP already installed. I do not have the original Windows installation disc that was used to install this copy of Windows. Is there any other method of getting the proper files? I may have an XP installation disc somewhere that is not the same disc used to install this copy of Windows on the infected computer, but it would be an XP install disc nonetheless. Would this work? Or is there any other way to go about this, considering I do not have the original Windows installation disc? Thanks.

#6 bloopie

    Bleepin' Sith Turner
  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 29 December 2012 - 02:03 PM

Hi again,

I may have an XP installation disk somewhere that is not the same disk used to install this copy of windows on the infected computer, but it would be an XP install disk nonetheless. Would this work?

Yes, that would work. We need only to make a legal bootable CD to boot the computer from, so as long as it's Windows XP it will be fine. :thumbup2:

bloopie

#7 bloopie

    Bleepin' Sith Turner
  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 02 January 2013 - 12:17 PM

Hello again,

Are you still with me? :)

This is a 4-Day Bump! If you still wish to receive help, then please follow the instructions above.

If you do not respond in another 24-48 hours, I will be forced to close this topic! If you need more time, then just let me know!

bloopie

#8 cyfi6

  • Topic Starter
  • Members
  • 4 posts

Posted 02 January 2013 - 04:20 PM

Sorry bloopie, lots of holiday traveling! I am with you still, and I have resolved the issue. I finally got access to my device which would allow me to run the drive as a removable disk. I assume a regular-sized drive could be run as a slave on another PC if that were the case as well. I used AVG Free to scan the drive and it found and resolved the issue. I also scanned with Malwarebytes afterwards to verify, and no malicious files were found. I put the drive back in the laptop and it booted. I ran System Restore to a previously known-good spot and installed and ran AVG Free again. The computer is working fine as of right now. I will back up all my files and format it if I notice any decrease in performance, but at least for now it is back to being functional.
Thanks for all your support, this forum is a great place.

#9 bloopie

    Bleepin' Sith Turner
  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 02 January 2013 - 05:00 PM

Thanks for letting me know! :thumbup2:

However, using system restore can reinfect the system as most infections exploit the system restore, so that it becomes an unsafe restore point!

==========

I will keep the thread open for a few days in case you need to post back. Please make sure you use MBAM as an antimalware solution regularly. This will help prevent reinfection, but I would still like you to do one more scan for me. This scan will check in the system restore folders for infected restore points:

It also may take a while to run, but be patient!


ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed antivirus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use, then click the button shown (image not included).
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click the button shown (image not included).
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click the button shown (image not included).
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

bloopie
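Two points in the last two posts are worth a concrete check: cyfi6 cleaned the drive by attaching it to a clean PC over USB and scanning it (post #8), and bloopie warns that System Restore points can carry the infection back (post #9). The following PowerShell script is an added example, not part of the thread and not a tool anyone in it recommended. It assumes the infected Windows XP disk is attached to a clean Vista-or-later machine, that PowerShell is run elevated there, and that the disk mounted as E: (a hypothetical letter; the hive paths are the standard XP layout). It loads the offline SOFTWARE hive and every profile's NTUSER.DAT, reports the Winlogon Shell/Userinit values and Run/RunOnce entries, which are the usual places a lock screen that appears in every boot mode is started from, and lists the most recent executables cached inside System Restore points.

```powershell
# Added example, not part of the thread: offline autostart and restore-point
# triage of a Windows XP system drive attached to a clean PC over USB, the way
# cyfi6 did. Run from an elevated PowerShell prompt on the clean machine.
# $Root is a hypothetical drive letter; adjust it to where the disk mounted.
param([string]$Root = 'E:')

# Stock Winlogon values on Windows XP. A screen locker that comes up in every
# boot mode is often started by replacing one of these.
$DefaultShell    = 'Explorer.exe'
$DefaultUserinit = 'C:\WINDOWS\system32\userinit.exe,'

function Show-Autostarts {
    param(
        [string]$HiveFile,   # registry hive file on the attached disk
        [string]$MountName,  # temporary key name under HKLM
        [string]$Label,      # prefix for the report lines
        [string]$Prefix      # '' for the SOFTWARE hive, 'Software' for NTUSER.DAT
    )
    if (-not (Test-Path -LiteralPath $HiveFile)) { return }

    # reg.exe mounts the offline hive under HKLM so the registry provider can read it
    reg load "HKLM\$MountName" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not load $HiveFile"; return }
    try {
        $base = "HKLM:\$MountName"
        if ($Prefix) { $base = "$base\$Prefix" }

        $wl = Get-ItemProperty "$base\Microsoft\Windows NT\CurrentVersion\Winlogon" -ErrorAction SilentlyContinue
        if ($wl) {
            # In a user hive these values are normally absent, so any value is suspicious
            if ($wl.Shell) {
                "[$Label] Winlogon\Shell    = $($wl.Shell)"
                if ($Prefix -or $wl.Shell -ne $DefaultShell) { "  !! non-default Shell" }
            }
            if ($wl.Userinit) {
                "[$Label] Winlogon\Userinit = $($wl.Userinit)"
                if ($Prefix -or $wl.Userinit -ne $DefaultUserinit) { "  !! non-default Userinit" }
            }
        }
        foreach ($sub in 'Run', 'RunOnce') {
            $props = Get-ItemProperty "$base\Microsoft\Windows\CurrentVersion\$sub" -ErrorAction SilentlyContinue
            if ($props) {
                # Drop the provider's own PS* properties, keep the real value names
                $props.PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |
                    ForEach-Object { "[$Label] $sub\$($_.Name) = $($_.Value)" }
            }
        }
    }
    finally {
        # Release provider handles first, otherwise reg.exe reports the hive as in use
        [gc]::Collect()
        reg unload "HKLM\$MountName" | Out-Null
    }
}

# 1. Machine-wide autostarts from the SOFTWARE hive
Show-Autostarts -HiveFile (Join-Path $Root 'Windows\System32\config\software') `
                -MountName 'OfflineSW' -Label 'HKLM' -Prefix ''

# 2. Per-user autostarts from every profile's NTUSER.DAT. XP keeps profiles
#    under "Documents and Settings"; Vista and later use "Users".
foreach ($profiles in 'Documents and Settings', 'Users') {
    $dir = Join-Path $Root $profiles
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $safe = $_.Name -replace '[^A-Za-z0-9]', '_'
        Show-Autostarts -HiveFile (Join-Path $_.FullName 'NTUSER.DAT') `
                        -MountName "OfflineUser_$safe" -Label "HKU\$($_.Name)" -Prefix 'Software'
    }
}

# 3. Executables captured in System Restore points. This is why a restore can
#    bring the infection back: the snapshot keeps a copy of the dropped binary.
#    Windows denies even administrators access to this folder; if the listing
#    is empty, grant read access on the attached disk's copy first with
#      icacls "E:\System Volume Information" /grant "Administrators:(OI)(CI)R"
$svi = Join-Path $Root 'System Volume Information'
Get-ChildItem -LiteralPath $svi -Recurse -Force -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 20 LastWriteTime, Length, FullName |
    Format-Table -AutoSize
```

Run it as `.\Offline-Triage.ps1 -Root E:` (the script name is also an assumption). A Shell value other than Explorer.exe, a Userinit that points anywhere but system32\userinit.exe, or a Run entry launching a binary from a user profile or temp folder is what to hand to an antivirus scan before trusting a restore point; the script only reads the offline hives and unloads them afterwards, so it does not alter the disk.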

#10 bloopie

    Bleepin' Sith Turner
  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 06 January 2013 - 10:15 AM

Hello again,

Are you still with me? :)

This is a 4-Day Bump! If you still wish to receive help please follow the instructions in my last post.

If you do not respond in another 24-48 hours, I will be forced to close this topic!

bloopie

#11 bloopie

    Bleepin' Sith Turner
  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 08 January 2013 - 10:41 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



