Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't Remove "Your Computer Has Been Blocked" FBI MoneyPak


  • This topic is locked This topic is locked
3 replies to this topic

#1 BoboBriskey

BoboBriskey

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:43 PM

Posted 15 February 2013 - 12:05 PM

I have been trying to remove this virus from a friends computer and I'm not having any luck.  I have tried Emsisoft.  I was able to scan the computer and remove the infections but they came right back.  I also tried AnviSoft.  No luck with that either.
 
I also system restore.  Message came back after the reboot that it was not able to complete.
 
The window pops up in Safe Mode also.  I am only able to do things from Safe Mode with a command prompt.
 
Thanks for any help.
 
DDS (Ver_2012-11-20.01) - NTFS_x86 MINIMAL
Internet Explorer: 8.0.6001.18702
Run by removevirus at 10:49:06 on 2013-02-15
.
============== Running Processes ================
.
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [Autodesk Sync] c:\program files\autodesk\autodesk sync\AdSync.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRunOnce: [*Restore] c:\windows\system32\restore\rstrui.exe -i
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: MaxRecentDocs = dword:0
mPolicies-Explorer: NoWinKey = dword:0
mPolicies-Explorer: NoNetConnextDisconnect = dword:0
mPolicies-Explorer: NoWindowsUpdate = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:-1
mPolicies-Explorer: NoSMConfigurePrograms = dword:0
mPolicies-Explorer: NoControlPanle = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: NoAdminPage = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190749018390
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www2.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: NameServer = 76.10.67.2 64.21.232.212 172.16.1.1
TCP: Interfaces\{361133DC-1B71-4B09-83AD-EF6FA7AD8A06} : DHCPNameServer = 24.220.0.10 24.220.0.11
TCP: Interfaces\{EC646AC0-A490-4B4E-AD48-1A26804BB14E} : DHCPNameServer = 76.10.67.2 64.21.232.212 172.16.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R? 46234366;46234366
R? A2DDA;A2 Direct Disk Access Support Driver
R? aswFsBlk;aswFsBlk
R? aswSnx;aswSnx
R? aswSP;aswSP
R? avast! Antivirus;avast! Antivirus
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? dsiarhwprog;dsiarhwprog
R? mitsijm2013;Autodesk Moldflow Inventor Tool Suite Integration 2013 Job Manager
R? supersafer;supersafer
R? UNS;Intel® Active Management Technology User Notification Service
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
.
=============== Created Last 30 ================
.
2013-02-15 16:48:43 -------- d-----w- C:\dds
2013-02-15 16:00:28 -------- d-sh--w- c:\documents and settings\removevirus.daktech-d49bac3\PrivacIE
2013-02-15 15:54:32 -------- d-----w- c:\documents and settings\removevirus.daktech-d49bac3\local settings\application data\Microsoft Help
2013-02-15 15:49:51 -------- d-sh--w- c:\documents and settings\removevirus.daktech-d49bac3\IETldCache
2013-02-15 15:49:51 -------- d-----w- c:\documents and settings\removevirus.daktech-d49bac3\local settings\application data\Microsoft
2013-02-14 19:23:58 -------- d---a-w- C:\$Anvi Rescue Disk$
2013-02-14 00:09:56 -------- d-----w- C:\EmsisoftEmergencyKit
2013-01-16 23:08:33 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-01-16 23:08:11 41224 ----a-w- c:\windows\avastSS.scr
.
==================== Find3M ====================
.
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 10:50:35.96 ===============

Attached Files


Edited by jntkwx, 16 February 2013 - 10:11 AM.
Including DDS log in post (easier to read)


BC AdBot (Login to Remove)

 


#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:01:43 AM

Posted 16 February 2013 - 10:15 AM

BoboBriskey,

welcome.gif to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screename jntkwx or Jason is fine.

Some things to remember while we are working together.
  • Do not run any other tool untill instructed to do so!
  • Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.
  • In the upper right hand corner of the topic you will see the Follow This Topic button. Click on this then choose Receive Notification Immediately and then click Follow This Topic and you will be sent an email once I have posted a response and make the cleaning process faster.

    Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

     

    FRST
    • Please download Farbar Recovery Scan Tool and save it to a flash drive.

      Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

      Plug the flash drive into the infected PC.
    • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

      If you are using Vista or Windows 7 enter System Recovery Options.

      To enter System Recovery Options from the Advanced Boot Options:
      • Restart the computer.
      • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
      • Use the arrow keys to select the Repair your computer menu item.
      • Select US as the keyboard language settings, and then click Next.
      • Select the operating system you want to repair, and then click Next.
      • Select your user account an click Next.
      Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
      To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



      To enter System Recovery Options by using Windows installation disc:
      • Insert the installation disc.
      • Restart your computer.
      • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
      • Click Repair your computer.
      • Select US as the keyboard language settings, and then click Next.
      • Select the operating system you want to repair, and then click Next.
      • Select your user account and click Next.
    • On the System Recovery Options menu you will get the following options:
        • Startup Repair
          System Restore
          Windows Complete PC Restore
          Windows Memory Diagnostic Tool
          Command Prompt


          Select Command Prompt

          Once in the Command Prompt:
      • In the command window type in notepad and press Enter.
      • The notepad opens. Under File menu select Open.
      • Select "Computer" and find your flash drive letter and close the notepad.
      • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
        Note: Replace letter e with the drive letter of your flash drive.
      • The tool will start to run.
      • When the tool opens click Yes to disclaimer.
      • Press Scan button.
      • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#3 BoboBriskey

BoboBriskey
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:43 PM

Posted 18 February 2013 - 10:58 AM

Hi Jason,

 

Thanks for the help, but I got it figured out before I got back to this post.  I thought I had exhausted all of my capabilities, but I tried one more thing and

it worked.

 

I ran the EmsiSoft scanner from a command line while in command prompt safe mode and it sucessfully quarantined the virus.  Here's the command

I ran:

 

a2cmd.exe /f="c:\" /m /t /c /h /a /q

 

When it was done, it had quarantined 500+ items.  Most of them were cookies, but apparently, the source of this virus was found also. 

 

Thanks for the help.  I am going to move on and be done with this.



#4 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:01:43 AM

Posted 18 February 2013 - 11:12 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users