Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

FBI virus - HELP PLEASE! THANK YOU


  • This topic is locked This topic is locked
34 replies to this topic

#1 bonnielj

bonnielj

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:01 PM

Posted 10 May 2013 - 05:21 PM

Hello everyone,

 

I sure hope someone can help me solve this problem...

 

I have the FBI virus on my Toshiba Laptop Satellite M35X-S111with XP professional installed on it...

Cannot get into any safe mode...

I have installed OTLPE...ran the scan, and copy/pasted a fix script from a post from Gringo...

No help...can open Task Manager, but FBI screen still comes up...

 

I have been playing with this for days and tried numerous fixes.....nothing I have tried has worked. 

 

Can someone please help...I will be leaving for out of town next Friday (May 17th) and need my laptop working.

 

I am attaching a Notepad file of the OTL log after I Ran Scan and copied/pasted script and Ran Fix.

 

BonnieJ

Attached Files


Edited by hamluis, 10 May 2013 - 06:00 PM.
Moved from XP to Malware Removal Logs - Hamluis.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 PM

Posted 10 May 2013 - 08:26 PM



Hello bonnielj

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I would like you to run this custom script for me now and when it is complete please let me have the report and a status update for the computer.

Run OTL Script
  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the customFix.png text box.
    :OTL
    O4 - HKU\bonnie_ON_C..\Run: [] C:\Documents and Settings\bonnie\acrobat.exe ()
    [2013/05/04 12:13:12 | 000,041,127 | ---- | M] () -- C:\Documents and Settings\bonnie\chrome.exe
    [2013/05/04 12:12:30 | 000,110,247 | ---- | M] () -- C:\Documents and Settings\bonnie\acrobat.exe
    [2013/05/04 12:00:00 | 000,000,382 | ---- | M] () -- C:\WINDOWS\tasks\PerfectOptimizer_home.job
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click btnOK.png.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

    Note** if the report does not popup after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.
Let me know How things are doing

Gringo
]
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 bonnielj

bonnielj
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:01 PM

Posted 11 May 2013 - 07:07 PM

Here is log requested Gringo...really hoping you can help me....this is so very frustrating...

Computer is complete locked.

 

Error: Unable to interpret <:OTL
O4 - HKU\bonnie_ON_C..\Run: [] C:\Documents and Settings\bonnie\acrobat.exe ()
[2013/05/04 12:13:12 | 000,041,127 | ---- | M] () -- C:\Documents and Settings\bonnie\chrome.exe
[2013/05/04 12:12:30 | 000,110,247 | ---- | M] () -- C:\Documents and Settings\bonnie\acrobat.exe
[2013/05/04 12:00:00 | 000,000,382 | ---- | M] () -- C:\WINDOWS\tasks\PerfectOptimizer_home.job
:Files
ipconfig /flushdns /c

:Commands
[PURITY]
[emptyjava]
[EMPTYFLASH]
[reboot]> in the current context!
 
OTLPE by OldTimer - Version 3.1.48.0 log created on 05122013_030001



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 PM

Posted 11 May 2013 - 08:07 PM

Hello bonnielj

I have uploaded a file - I want you to save this file to the usb Attached File  fix.txt   469bytes   7 downloads



Run OTL Script
  • Double-click OTL.exe to start the program.
  • Then click the Run Fix button at the top.
  • it will say that no fix was listed and if you want to load it from a file click on "OK"
  • point it to the file that you saved to the usb
  • Click btnOK.png.
  • click on run fix again
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

    Note** if the report does not popup after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.


  • Let me know How things are doing

    Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 bonnielj

bonnielj
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:01 PM

Posted 11 May 2013 - 09:53 PM

I am trying to do this between my desktop (Win7) and my laptop XP Professional (the infected computer). Copied your fix.txt file to usb...followed your instructions and it placed info in Custom Scans/Fixes....when I click Run Fix...it feels like it will not click...it does absolutely nothing.  I exited out of OTL PE and repeated your instructions....same result.

 

I tried to copy the info in OTL PE and it will not let me do it.....the program seems to be stuck.



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 PM

Posted 11 May 2013 - 10:12 PM

once you have the script to the infected computer I want you to open it and copy all of it into the window of OTL and click on fix


something happened the first time you ran it, there was something extra or something missing in the script that caused it to fail



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 bonnielj

bonnielj
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:01 PM

Posted 11 May 2013 - 10:32 PM

========== OTL ==========
Registry value HKEY_USERS\bonnie_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
C:\Documents and Settings\bonnie\acrobat.exe moved successfully.
File C:\Documents and not found.
File C:\Documents and not found.
File 13/05/04 12:00:00 | 000,000,382 | ---- | M] () -- not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
An internal error occurred: The system cannot find the file specified.
 
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to open registry key for tcpip.
C:\cmd.bat deleted successfully.
C:\cmd.txt deleted successfully.
File\Folder :Commands not found.
File\Folder [PURITY] not found.
File\Folder [emptyjava] not found.
File\Folder [EMPTYFLASH] not found.
File\Folder [reboot] not found.
 
OTLPE by OldTimer - Version 3.1.48.0 log created on 05122013_072602



#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 PM

Posted 11 May 2013 - 11:20 PM

It still does not look right

can you boot into windows now?


can you send me a new scan from OTL if you cannot



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 bonnielj

bonnielj
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:01 PM

Posted 12 May 2013 - 12:17 AM

I booted up through Hard Disk...it boots up...gives Welcome....desktop comes up fine with icons and taskbar....did not get FBI page...connected to internet....went into several sites...got into control panel....played around with different things....NO FBI page...seems to be working ok now...is there anyway to check if the FBI virus was actually removed????



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 PM

Posted 12 May 2013 - 12:33 AM



Hello bonnielj

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 bonnielj

bonnielj
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:01 PM

Posted 12 May 2013 - 12:59 PM

Laptop working okay except it seems very slow in booting up and opening web sites.

 

# AdwCleaner v2.300 - Logfile created 05/12/2013 at 21:30:28
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : bonnie - BONNIE
# Boot Mode : Normal
# Running from : C:\Documents and Settings\bonnie\desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\bonnie\Application Data\iWin
Folder Deleted : C:\Documents and Settings\bonnie\Local Settings\Application Data\AskToolbar
Folder Deleted : C:\Program Files\Ask.com
Folder Deleted : C:\Program Files\Viewpoint

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E08A9998-D98F-476F-8F5C-37C80FE0A4DA}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\Software\Viewpoint

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v3.6.13 (en-US)

File : C:\Documents and Settings\bonnie\Application Data\Mozilla\Firefox\Profiles\52h47ymu.default\prefs.js

Deleted : user_pref("extensions.asktb.InstallDir", "C:\\Program Files\\Ask.com\\");
Deleted : user_pref("extensions.asktb.abar-war-timeout", "4000");
Deleted : user_pref("extensions.asktb.autofill-competitor-query-enabled", true);
Deleted : user_pref("extensions.asktb.autofill-text-highlight-enabled", true);
Deleted : user_pref("extensions.asktb.cbid", "GL");
Deleted : user_pref("extensions.asktb.config-updated", false);
Deleted : user_pref("extensions.asktb.crumb", "2011.11.19+05.47.34-toolbar002iad-US-Q2FwaXRvbCBIZWlnaHRzLE1ELF[...]
Deleted : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://www.ask.com/web?q={query}&o={o}&l={l}[...]
Deleted : user_pref("extensions.asktb.displaybehavior", "");
Deleted : user_pref("extensions.asktb.displaytext", "");
Deleted : user_pref("extensions.asktb.dtid", "YYYYYYYYUS");
Deleted : user_pref("extensions.asktb.dyn-weather-do-locid-lookup-weatherWidget", false);
Deleted : user_pref("extensions.asktb.dyn-weather-locid-weatherWidget", "USMD0069");
Deleted : user_pref("extensions.asktb.dyn-weather-tempunit-weatherWidget", "F");
Deleted : user_pref("extensions.asktb.fresh-install", false);
Deleted : user_pref("extensions.asktb.guid", "C0F93E20-00F2-44A9-BF5A-16D41C0E7C8B");
Deleted : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com[...]
Deleted : user_pref("extensions.asktb.if", "first");
Deleted : user_pref("extensions.asktb.l", "dis");
Deleted : user_pref("extensions.asktb.last-config-req", "1322195458580");
Deleted : user_pref("extensions.asktb.last-v", "3.11.3.100008");
Deleted : user_pref("extensions.asktb.locale", "en_US");
Deleted : user_pref("extensions.asktb.location", "Capitol Heights,MD,United States");
Deleted : user_pref("extensions.asktb.lstation", "");
Deleted : user_pref("extensions.asktb.new-tab-enabled", true);
Deleted : user_pref("extensions.asktb.o", "10168");
Deleted : user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
Deleted : user_pref("extensions.asktb.pstate", "");
Deleted : user_pref("extensions.asktb.qsrc", "2871");
Deleted : user_pref("extensions.asktb.r", "4");
Deleted : user_pref("extensions.asktb.sa", "NO");
Deleted : user_pref("extensions.asktb.search-suggestions-enabled", true);
Deleted : user_pref("extensions.asktb.silent-upgrade", true);
Deleted : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", false);
Deleted : user_pref("extensions.asktb.socialmini-first", true);
Deleted : user_pref("extensions.asktb.socialmini-interval", "1200000");
Deleted : user_pref("extensions.asktb.socialmini-max-char-ticker", "33");
Deleted : user_pref("extensions.asktb.socialmini-max-items", "30");
Deleted : user_pref("extensions.asktb.socialmini-native-on", true);
Deleted : user_pref("extensions.asktb.socialmini-speed", "5000");
Deleted : user_pref("extensions.asktb.socialmini-transition-first-open", false);
Deleted : user_pref("extensions.asktb.themeid", "");
Deleted : user_pref("extensions.asktb.to", "");
Deleted : user_pref("extensions.asktb.volume", "");

-\\ Google Chrome v [Unable to get version]

File : C:\Documents and Settings\bonnie\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [6237 octets] - [12/05/2013 21:30:28]

########## EOF - C:\AdwCleaner[S1].txt - [6297 octets] ##########

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by bonnie on Sun 05/12/2013 at 21:43:30.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE2A}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE2B}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{02E61D96-F93E-436A-BDC6-8EEF989ECBE2}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3A735F35-6E11-4800-A976-EB9B2A4655B8}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{86777417-EABF-419A-A57F-D6E541DCA466}

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\bonnie\start menu\programs\free window registry repair"

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 05/12/2013 at 21:47:50.67
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 PM

Posted 12 May 2013 - 01:14 PM


Hello bonnielj

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 bonnielj

bonnielj
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:01 PM

Posted 12 May 2013 - 02:12 PM

No problems running Combofix...everything fine with computer so far, except the extreme slowness booting and opening sites

 

ComboFix 13-05-12.01 - bonnie 05/12/2013  22:42:52.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2014.1634 [GMT -4:00]
Running from: c:\documents and settings\bonnie\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Starware325
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\bonnie\Application Data\Starware325
c:\documents and settings\bonnie\chrome.exe
c:\program files\Starware325
c:\program files\Starware325\icons\star_16.ico
c:\program files\Starware325\Starware325Uninstall.exe
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\msvcr71.dll.int
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-13 to 2013-05-13  )))))))))))))))))))))))))))))))
.
.
2013-05-13 01:43 . 2013-05-13 01:43 -------- d-----w- c:\windows\ERUNT
2013-05-13 01:43 . 2013-05-13 01:43 -------- d-----w- C:\JRT
2013-05-13 00:27 . 2013-05-13 00:27 -------- d-----w- c:\documents and settings\bonnie\Application Data\AVG2013
2013-05-13 00:26 . 2013-05-13 00:26 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AVG2013
2013-05-13 00:25 . 2013-05-13 00:25 -------- d-----w- c:\documents and settings\bonnie\Application Data\TuneUp Software
2013-05-13 00:24 . 2013-05-13 00:24 -------- d-----w- C:\$AVG
2013-05-13 00:24 . 2013-05-13 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2013
2013-05-13 00:22 . 2013-05-13 00:22 -------- d-----w- c:\program files\AVG
2013-05-13 00:17 . 2013-05-13 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2013-05-13 00:17 . 2013-05-13 00:26 -------- d-----w- c:\documents and settings\bonnie\Local Settings\Application Data\Avg2013
2013-05-13 00:17 . 2013-05-13 00:17 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2013-05-13 00:17 . 2013-05-13 00:17 -------- d-----w- c:\documents and settings\bonnie\Local Settings\Application Data\MFAData
2013-05-11 03:35 . 2013-05-11 03:35 -------- d-----w- C:\_OTL
2013-05-09 16:17 . 2013-05-12 01:38 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2013-05-04 16:13 . 2013-05-04 16:13 -------- d-----w- C:\avast! sandbox
2013-05-04 03:15 . 2013-05-04 03:15 -------- d-----w- c:\windows\system32\wbem\Repository
2013-04-30 21:52 . 2013-03-06 22:33 164736 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-04-30 21:52 . 2013-03-06 22:33 49248 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-04-30 21:52 . 2013-03-06 22:33 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-04-29 22:04 . 2013-04-29 22:04 -------- d-----w- c:\documents and settings\bonnie\Application Data\MSN6
2013-04-26 04:17 . 2013-04-26 04:17 16486616 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-26 04:17 . 2012-05-06 22:10 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-26 04:17 . 2011-09-09 03:43 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-29 06:53 . 2013-03-29 06:53 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-03-21 07:08 . 2013-03-21 07:08 182072 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2013-03-08 08:36 . 2001-08-23 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:28 . 2001-08-23 12:00 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2001-08-17 13:48 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2005-06-18 03:49 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2005-01-15 23:07 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2005-01-15 23:02 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25 . 2001-08-23 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08 . 2005-09-12 17:41 385024 ------w- c:\windows\system32\html.iec
2013-03-01 14:32 . 2013-03-01 14:32 22328 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-02-27 07:56 . 2005-01-15 23:08 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-09-26 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 88363]
"CeEPOWER"="c:\program files\TOSHIBA\Power Management\CePMTray.exe" [2004-08-19 135168]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-05 1505144]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-04-29 4408368]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^bonnie^Start Menu^Programs^Startup^DeskPins.lnk]
backup=c:\windows\pss\DeskPins.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-04-04 05:53 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2007-04-18 06:49 50736 -c--a-w- c:\program files\AOL 9.0\aol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2003-10-30 21:46 192512 -c--a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 18:25 202560 -c--a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 -c--a-w- c:\program files\Common Files\aol\1217982928\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-11-18 06:11 118784 -c--a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-11-18 06:24 155648 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-12-11 15:56 286720 -c--a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1217982928\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pogo Games\\PogoDGC.exe"=
"c:\\Program Files\\Pogo Games\\WebUpdater.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [4/30/2013 5:52 PM 49248]
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2/8/2013 4:37 AM 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2/8/2013 4:37 AM 245048]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2/8/2013 4:37 AM 39224]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [3/29/2013 2:53 AM 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [3/1/2013 10:32 AM 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/8/2013 4:37 AM 170808]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [3/21/2013 3:08 AM 182072]
R2 ASANYs_mdemo;Adaptive Server Anywhere - mdemo;c:\program files\Sybase\SQL Anywhere 9\win32\dbsrv9.exe -hvASANYs_mdemo --> c:\program files\Sybase\SQL Anywhere 9\win32\dbsrv9.exe -hvASANYs_mdemo [?]
R2 ASANYs_mobilink_mdemo;Adaptive Server Anywhere - mobilink_mdemo;c:\program files\Sybase\SQL Anywhere 9\win32\dbmlsrv9.exe -hvASANYs_mobilink_mdemo --> c:\program files\Sybase\SQL Anywhere 9\win32\dbmlsrv9.exe -hvASANYs_mobilink_mdemo [?]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [4/30/2013 5:52 PM 66336]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [4/18/2013 4:34 AM 283136]
R2 PGMTrusted;PGMTrusted;c:\program files\Pogo Games\PGMTrusted.exe [10/29/2012 1:25 PM 519920]
R3 LSWPCv4;Wireless-B Notebook Adapter Driver;c:\windows\system32\drivers\rtl8180.sys [10/1/2003 10:54 AM 184832]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [4/25/2013 1:41 PM 4936752]
S3 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [4/30/2013 5:52 PM 164736]
S3 BLKWGN;Belkin Wireless G Notebook Card Service;c:\windows\system32\DRIVERS\BLKWGN.sys --> c:\windows\system32\DRIVERS\BLKWGN.sys [?]
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [4/21/2004 5:51 PM 16384]
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-06 04:17]
.
2012-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
2013-05-13 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-12-25 01:09]
.
2012-06-22 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-11-05 20:45]
.
2013-05-13 c:\windows\Tasks\User_Feed_Synchronization-{1C4AAD3A-64C9-4289-813B-443C659A483E}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - hxxp://download1.answers.com/pub/AnswersSetup.cab
FF - ProfilePath - c:\documents and settings\bonnie\Application Data\Mozilla\Firefox\Profiles\52h47ymu.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Instant Text 7 Pro - c:\program files/it7pro\Exe_v7\UndoIT7
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-12 22:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-05-12  22:56:19
ComboFix-quarantined-files.txt  2013-05-13 02:56
.
Pre-Run: 22,264,582,144 bytes free
Post-Run: 22,319,443,968 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - AC23F7FDC86F6D118C13A7FEDCC9E492
 



#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 PM

Posted 12 May 2013 - 06:29 PM


Hello


I want you to reset the DMA you can do this by this script here - Reset DMA

If you have problems when you click on the link try to right click on the link and select "Save Target As" and then save to your desktop.
Once it is on your desktop right click on the file and select "Run"

If you still can't run it then you can go here "Reset DMA" to see what I want to do



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 bonnielj

bonnielj
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:01 PM

Posted 12 May 2013 - 07:41 PM

DMA ran fine...computer is not too slow when booting until it reaches the Welcome page...then it seems like forever to get to the desktop...when desktop appears there are no icons just the background...seems like it takes forever to load.complete desktop






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users