
help with newest ver. FBI virus


  • This topic is locked
11 replies to this topic

#1 baldeagle79

baldeagle79

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 15 May 2013 - 01:24 PM

Ok, I've got this virus in the past and had removed it via safe mode, but this new one is a tricky SOB. All three safe modes result in loop rebooting. I've tried Hitman Pro, ran the scan and it found some trojans and got rid of them; after hitting close on Hitman Pro it rebooted with literally no effect. New scans find nothing pertaining to the FBI virus. I've tried the Kaspersky boot USB; every time on boot from USB (with the Kaspersky ISO on it) it says either "Operating system not found" or "missing operating system". I've tried having the HDD as primary and hitting F11/F12 to get the boot selection and choose USB, and I've tried switching USB to boot before the HDDs, with the same result of the OS missing (I assume it's not reading the USB correctly). I've formatted and retried the USB rescue disk maker 5 times with the same result. The CD drive is busted, so even if I could burn a CD on someone's PC I can't read it. Thanks in advance for any help!

 

*Moderator Edit: Moved topic from Windows 7 to the appropriate forum. ~ Queen-Evie*


Edited by Queen-Evie, 15 May 2013 - 02:07 PM.




#2 baldeagle79

baldeagle79
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 15 May 2013 - 02:19 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-05-2013
Ran by SYSTEM on 15-05-2013 13:34:11
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [OSD CC] %ProgramFiles%\OSD\Launch_CC.exe [20480 2009-02-19] (Alienware Corporation)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-14] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2009-08-25] (IDT, Inc.)
HKLM\...\Run: [AlienFX Controller] "C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe" [63304 2010-05-21] (Alienware Corporation)
HKLM\...\Run: []  [x]
HKLM\...\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe [291360 2009-04-29] (NVIDIA Corporation)
HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet [1694016 2011-10-15] ()
HKLM\...\Run: [FG_Monitor] C:\PROGRAMS\FGUARD\FGKey64.exe /Start [143688 2009-01-30] (WinAbility® Software Corporation)
HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice [6330568 2013-03-21] (ESET)
HKLM\...\RunOnce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [415232 2009-07-13] (Microsoft Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$afe4b345aebc1cf6ffff527fce0e88d0\n. ATTENTION! ====> ZeroAccess
HKLM-x32\...\Run: [FATrayAlert] C:\Program Files\Alienware\Command Center\AlienSense\FATrayMon.exe [95560 2010-04-04] (Sensible Vision )
HKLM-x32\...\Run: [FAStartup]  [x]
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [41208 2012-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKU\KC\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\KC\Documents\7fbc1c9a.exe [25088 2013-05-14] ()
HKU\KC\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION 
Lsa: [Notification Packages] scecli FAPassSync
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\system32\CbFsMntNtf3.dll (EldoS Corporation)
SSODL-x32: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} -  No File
 
==================== Services (Whitelisted) =================
 
S2 AdobeActiveFileMonitor10.0; C:\Program Files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [169624 2011-09-14] (Adobe Systems Incorporated)
S2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ac576d174925c1c6\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
S2 CustomSvc; C:\Program Files\OSD\Service1.exe [13312 2009-02-20] ()
S2 ekrn; C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [1341664 2013-03-21] (ESET)
S2 FAService; C:\Program Files\Alienware\Command Center\AlienSense\FAService.exe [2409800 2010-04-04] (Sensible Vision )
S2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-02-01] ()
S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ac576d174925c1c6\STacSV64.exe [240640 2009-08-25] (IDT, Inc.)
S2 WinAbility Encryption Driver; C:\Program Files\WinAbility Encryption Driver.10.9.5.1309\WED64.EXE [170408 2010-09-15] (WinAbility® Software Corporation)
S2 wltrysvc; C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\bcmwltry.exe [3066368 2009-12-21] (Broadcom Corporation)
S2 lxdu_device; C:\Windows\system32\lxducoms.exe -service [x]
 
==================== Drivers (Whitelisted) ====================
 
S3 cbfs3; C:\Windows\System32\DRIVERS\cbfs3.sys [352144 2012-04-09] (EldoS Corporation)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [254528 2011-08-15] (DT Soft Ltd)
S1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [213416 2013-02-20] (ESET)
S1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [150616 2013-01-10] (ESET)
S3 EMVSCARD; C:\Windows\System32\Drivers\EMVSCARD.sys [28544 2006-12-13] (USB Smart Card Reader)
S2 epfw; C:\Windows\System32\DRIVERS\epfw.sys [190232 2013-01-10] (ESET)
S1 EpfwLWF; C:\Windows\System32\DRIVERS\EpfwLWF.sys [59440 2013-01-10] (ESET)
S0 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [58416 2013-02-20] (ESET)
S2 FGUARD64; C:\PROGRAMS\FGUARD\FGUARD64.SYS [70224 2009-01-30] (WinAbility® Software Corporation)
S3 GemCCID; C:\Windows\System32\Drivers\GemCCID.sys [119680 2009-08-10] (Gemalto)
S1 HWiNFO32; C:\Program Files (x86)\HWiNFO32\HWiNFO64A.SYS [28032 2011-05-22] (REALiX™)
S3 jumi; C:\Windows\System32\DRIVERS\jumi.sys [15160 2010-06-03] (Windows ® Codename Longhorn DDK provider)
S0 nvrd64; C:\Windows\System32\DRIVERS\nvrd64.sys [175136 2009-04-29] (NVIDIA Corporation)
S3 SaiK0CCB; C:\Windows\System32\DRIVERS\SaiK0CCB.sys [171016 2010-08-10] (Saitek)
S3 SaiMini; C:\Windows\System32\DRIVERS\SaiMini.sys [22792 2010-08-10] (Saitek)
S3 SaiNtBus; C:\Windows\System32\drivers\SaiBus.sys [50056 2010-08-10] (Saitek)
S3 SaiU0CCB; C:\Windows\System32\DRIVERS\SaiU0CCB.sys [41096 2010-04-22] (Saitek)
S2 WED1309; C:\Program Files\WinAbility Encryption Driver.10.9.5.1309\WEDx64.sys [136368 2010-09-15] (WinAbility® Software Corporation)
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}; C:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl [146928 2009-04-15] (CyberLink Corp.)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-05-15 13:33 - 2013-05-15 13:34 - 00000000 ____D C:\FRST
2013-05-14 18:45 - 2013-05-14 18:45 - 00000000 ____D C:\Program Files\HitmanPro
2013-05-14 14:18 - 2013-05-14 14:18 - 00003618 ____A C:\Windows\System32\.crusader
2013-05-14 14:06 - 2013-05-14 14:18 - 00000000 ____D C:\ProgramData\HitmanPro
2013-05-14 13:01 - 2013-05-14 13:01 - 00405926 ____A C:\Users\KC\AppData\Local\2433f433
2013-05-14 13:01 - 2013-05-14 13:01 - 00405914 ____A C:\ProgramData\2433f433
2013-05-14 13:01 - 2013-05-14 13:01 - 00405893 ____A C:\Users\KC\AppData\Roaming\2433f433
2013-05-13 12:29 - 2013-02-21 22:57 - 17817088 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-13 12:29 - 2013-02-21 22:29 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-13 12:29 - 2013-02-21 22:27 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-13 12:29 - 2013-02-21 22:21 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-13 12:29 - 2013-02-21 22:20 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-13 12:29 - 2013-02-21 22:19 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-05-13 12:29 - 2013-02-21 22:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-05-13 12:29 - 2013-02-21 22:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-13 12:29 - 2013-02-21 22:15 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-13 12:29 - 2013-02-21 22:15 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-05-13 12:29 - 2013-02-21 22:15 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-05-13 12:29 - 2013-02-21 22:14 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-13 12:29 - 2013-02-21 22:13 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-13 12:29 - 2013-02-21 22:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-05-13 12:29 - 2013-02-21 22:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-13 12:29 - 2013-02-21 22:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-13 12:29 - 2013-02-21 20:05 - 12324352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-13 12:29 - 2013-02-21 19:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-13 12:29 - 2013-02-21 19:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-05-13 12:29 - 2013-02-21 19:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-05-13 12:29 - 2013-02-21 19:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-05-13 12:29 - 2013-02-21 19:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-05-13 12:29 - 2013-02-21 19:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-05-13 12:29 - 2013-02-21 19:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-05-13 12:29 - 2013-02-21 19:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-05-13 12:29 - 2013-02-21 19:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-05-13 12:29 - 2013-02-21 19:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-05-13 12:29 - 2013-02-21 19:33 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-05-13 12:29 - 2013-02-21 19:32 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-05-13 12:29 - 2013-02-21 19:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-13 12:29 - 2013-02-21 19:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-05-13 12:29 - 2013-02-21 19:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-05-13 12:28 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-05-13 12:28 - 2013-03-18 22:04 - 05550424 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-05-13 12:28 - 2013-03-18 21:46 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-05-13 12:28 - 2013-03-18 21:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-05-13 12:28 - 2013-03-18 21:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-05-13 12:28 - 2013-03-18 20:47 - 00006656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-05-13 12:28 - 2013-03-18 19:06 - 00112640 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-05-13 12:28 - 2013-02-28 19:36 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-13 12:28 - 2013-02-11 20:12 - 00019968 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys
2013-05-13 12:28 - 2013-01-23 22:01 - 00223752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys
2013-05-12 01:45 - 2013-05-14 18:59 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore1ce4ef56e6bf530.job
2013-05-12 01:45 - 2013-05-14 18:50 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA1ce4ef56f325270.job
2013-04-26 07:39 - 2013-04-26 07:39 - 00000273 ____A C:\Users\KC\Desktop\Midwest Industries 2-Piece Handguard Quad Rail Yugo Krinkov AK-47.url
2013-04-22 19:10 - 2013-04-22 19:10 - 00000160 ____A C:\Users\KC\Desktop\7.62x39, mm, tula, tulammo, 124, grain, fmj, full, metal, jacket, ulyanovsk, cartridge, works, ammo, ammunition, rifle, centerfire, 39, russian, 39, 762, 39, 762x39, ak, 814950010015, ULA076201, 2,396 fps,.url
 
==================== One Month Modified Files and Folders =======
 
2013-05-15 13:34 - 2013-05-15 13:33 - 00000000 ____D C:\FRST
2013-05-14 19:22 - 2012-09-26 09:20 - 00007266 ____A C:\Windows\setupact.log
2013-05-14 19:22 - 2012-02-26 22:53 - 00000000 ____D C:\ProgramData\NVIDIA
2013-05-14 19:22 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-14 18:59 - 2013-05-12 01:45 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore1ce4ef56e6bf530.job
2013-05-14 18:57 - 2012-09-26 09:23 - 01510943 ____A C:\Windows\WindowsUpdate.log
2013-05-14 18:52 - 2009-07-13 20:45 - 00018928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-14 18:52 - 2009-07-13 20:45 - 00018928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-14 18:50 - 2013-05-12 01:45 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA1ce4ef56f325270.job
2013-05-14 18:47 - 2012-10-26 15:35 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-14 18:45 - 2013-05-14 18:45 - 00000000 ____D C:\Program Files\HitmanPro
2013-05-14 14:18 - 2013-05-14 14:18 - 00003618 ____A C:\Windows\System32\.crusader
2013-05-14 14:18 - 2013-05-14 14:06 - 00000000 ____D C:\ProgramData\HitmanPro
2013-05-14 13:02 - 2011-02-28 10:07 - 00000000 ____D C:\Users\KC\AppData\Roaming\SoftGrid Client
2013-05-14 13:01 - 2013-05-14 13:01 - 00405926 ____A C:\Users\KC\AppData\Local\2433f433
2013-05-14 13:01 - 2013-05-14 13:01 - 00405914 ____A C:\ProgramData\2433f433
2013-05-14 13:01 - 2013-05-14 13:01 - 00405893 ____A C:\Users\KC\AppData\Roaming\2433f433
2013-05-14 13:01 - 2013-05-14 13:01 - 00025088 ____A C:\Users\KC\Documents\7fbc1c9a.exe
2013-05-14 12:49 - 2012-09-26 22:34 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-05-14 12:49 - 2012-09-26 22:34 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-05-14 12:49 - 2012-08-22 11:14 - 00000332 ____A C:\Windows\Tasks\HP Photo Creations Communicator.job
2013-05-14 03:54 - 2011-02-06 20:13 - 00000000 ____D C:\Users\KC\AppData\Roaming\vlc
2013-05-13 12:39 - 2009-12-21 07:50 - 00000000 ____D C:\ProgramData\Adobe
2013-05-13 12:36 - 2009-07-13 20:45 - 00427152 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-13 12:30 - 2011-02-07 17:17 - 72702784 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-05-10 17:15 - 2013-03-11 15:50 - 00000000 ____D C:\Users\KC\Desktop\860OKMZO
2013-05-10 04:19 - 2013-04-12 19:05 - 00291088 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2013-05-10 04:19 - 2012-01-19 19:39 - 00291088 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2013-05-10 04:18 - 2012-01-19 19:38 - 00280904 ____A C:\Windows\SysWOW64\PnkBstrB.ex0
2013-05-01 23:06 - 2011-02-06 20:08 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-05-01 21:58 - 2013-05-01 21:58 - 00000214 ____A C:\Users\KC\Desktop\Dimensions.url
2013-05-01 21:58 - 2013-05-01 21:58 - 00000208 ____A C:\Users\KC\Desktop\Zombie Squad • View topic - AK SBR Project  Yugo M92 PAP.url
Other Malware:
===========
C:\Users\KC\taskmgr.exe
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 9%
Total physical RAM: 7934.35 MB
Available physical RAM: 7178.29 MB
Total Pagefile: 7932.5 MB
Available Pagefile: 7167.92 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:918.08 GB) (Free:55.19 GB) NTFS (Disk=0 Partition=1) ==>[Drive with boot components (obtained from BCD)]
Drive e: (GENTOO) (Removable) (Total:3.71 GB) (Free:3.71 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 932 GB) (Disk ID: 196125A3)
Partition 1: (Active) - (Size=918 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=13 GB) - (Type=12)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)
 
 
Last Boot: 2013-05-05 02:13
 
==================== End Of Log ============================


#3 Adam Pollard

Adam Pollard

  • Members
  • 145 posts
  • OFFLINE
  • Gender:Male
  • Location:Wales, UK
  • Local time:10:38 AM

Posted 15 May 2013 - 03:15 PM

If you choose the option - disable restart on system failure, does it give an error message?



#4 baldeagle79

baldeagle79
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 15 May 2013 - 03:36 PM

Not sure what you mean by that, Adam. The looping issue happens after I log in under my user name: the CMD prompt blinks on the screen, then "logging off", "shutting down" (restarts). It doesn't seem like a system failure because it only loops when I attempt any of the three safe modes. If I start normally and log in, the MoneyPak screen is there with FBI warnings.



#5 Adam Pollard

Adam Pollard

  • Members
  • 145 posts
  • OFFLINE
  • Gender:Male
  • Location:Wales, UK
  • Local time:10:38 AM

Posted 15 May 2013 - 03:53 PM

Ok, when you start up and keep pressing F8, you get the screen that allows Safe Mode, Safe Mode with Networking, etc.; see http://windows.microsoft.com/en-gb/windows-vista/advanced-startup-options-including-safe-mode for more.

 

However, if you can get into normal mode, it isn't a system failure as such.

 

Can you download and run rkill from http://www.bleepingcomputer.com/download/rkill/ on a different PC, and also Malwarebytes.

Try running rkill; this may allow you to install and update Malwarebytes.


Edited by Adam Pollard, 15 May 2013 - 03:53 PM.


#6 Adam Pollard

Adam Pollard

  • Members
  • 145 posts
  • OFFLINE
  • Gender:Male
  • Location:Wales, UK
  • Local time:10:38 AM

Posted 15 May 2013 - 03:58 PM

This site has a guide to removing this malware here http://www.bleepingcomputer.com/virus-removal/remove-fbi-anti-piracy-warning-ransomware - but you will have to try it in normal mode.



#7 baldeagle79

baldeagle79
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 15 May 2013 - 04:07 PM

Thanks for the replies Adam. At this time starting normally results in the PC being locked after log in with the FBI warning screen, preventing me from downloading anything to help remove the virus. Also all 3 of my safe modes result in PC rebooting after log in.



#8 Adam Pollard

Adam Pollard

  • Members
  • 145 posts
  • OFFLINE
  • Gender:Male
  • Location:Wales, UK
  • Local time:10:38 AM

Posted 16 May 2013 - 02:49 AM

Ok, try booting up from a Linux live USB stick, e.g. PartedMagic: http://www.pendrivelinux.com/usb-parted-magic-flash-drive-creation-windows/

Try the manual removal instructions by deleting the relevant folders and files. While you're at it, copy your personal data to another stick.

 

This may allow you to get into normal mode to run something like Malwarebytes.

 

You could also take a look at ClamAV (antivirus), which comes with PartedMagic. However, it is pretty tricky to use and understand.

 

Failing this, you will have to reinstall. If you have had previous infections, this is the best option anyway, as you never know if some obscure unknown trojan gets left behind.



#9 M_Moe

M_Moe

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 16 May 2013 - 04:52 AM

Hey Bald Eagle 79, I've managed to disinfect the machines running the newerish variants of the FBI Virus / Ransomware.
 
First you will have to download and make a USB - Kaspersky Rescue Disk 10.
Iso Download: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso
 
Install Rescue Disk 10 to USB Guide - http://support.kaspersky.com/8092
 
Boot computer using USB
Update the virus database and run a scan; make sure to click on the settings (gears in the top right corner) and set the option to Delete if an infection is found.
 
After that you will have the ability to boot your machine. If, when you turn on the machine, you are presented with a command prompt and a blank screen, you will have to press Ctrl + Alt + Delete, open the Task Manager, click New and in the box type explorer.exe | This will allow you to see your desktop again.
 
Go to Control Panel -> System -> Advanced System Settings -> Protection -> turn off System Restore (delete all restore points; you can re-enable this after the infections have been cleared).
 
From here you will want to run the following software.
 
Rkill - Rkill will search for known malware processes and terminate them.
http://www.bleepingcomputer.com/download/rkill/
Usage: Run the application and wait for it to process. If it does not run, download a variant of the tool renamed IEexplorer.exe.
 
Hitman Pro - Make sure you are connected to the internet. When you are ready to launch the application, hold down the CTRL key; it will terminate all running apps.
http://www.bleepingcomputer.com/download/hitmanpro/
Usage: Click Next -> Accept Agreement -> click that you want to run a one-time scan -> Scan Objects -> when done, click the drop-down arrow, select apply to all and select delete -> click that you want to activate a 30-day license -> click next and the items will be removed.
 
TDSSKiller -
http://www.bleepingcomputer.com/download/tdsskiller/
Usage: Click Scan and check whether it locates anything; if it does, have it removed and restart.
 
Malwarebytes Anti-Rootkit -
http://www.bleepingcomputer.com/download/malwarebytes-anti-rootkit/
Usage: Update the database and run a full scan.
 

AdwCleaner - Will search for and remove toolbars and/or other useless data.
http://www.bleepingcomputer.com/download/adwcleaner/
Usage: To run, click Search, wait for the log, then click Delete. The machine will be restarted.
 
Emsisoft Anti-Malware - Tool with a high detection rate
https://www.emsisoft.com/en/software/antimalware/download/
Usage: Install using your preferred settings - Update Database - Run a Full Scan.
 
Using these tools I have managed to completely clean out the infection. I believe the time required would be about 2 - 3 hours. In the meantime, while the applications are running, I would uninstall any outdated version of Adobe Flash, Reader and/or Java.
 
Run CCleaner - Delete Junk - Fix Unwanted Registry - Check Startup - Remove Unwanted Entries - Uninstall Unneeded Software - https://www.piriform.com/ccleaner
Download the Latest Flash Directly from Adobe: http://get2.adobe.com/flashplayer/
Update Java and Adobe Reader from Ninite: click Java and Reader, download the installer and run it; it will skip the installation of free add-ons. - https://ninite.com/
Don't forget to change your wallpaper, the old one will remind you of the virus, how about a trip to the beach - Interfacelift.com http://interfacelift.com/wallpaper/downloads/date/any/
 
 
Good luck mate, if you have any questions on these tools and or of their use, feel free to let me know.

*Moderator Edit: Removed instructions to run Rogue Killer and Combofix. These are not allowed to be used in Am I Infected. ~ Queen-Evie*

Edited by Queen-Evie, 16 May 2013 - 11:23 AM.


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:38 PM

Posted 16 May 2013 - 04:16 PM

Hello,
Because an FRST log was posted, I am moving this topic to the malware removal forum.

On a working computer, please press the Windows key + R, type notepad and press Enter.
Copy and paste the following into Notepad and save it to your USB drive as fixlist.txt.
HKU\KC\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\KC\Documents\7fbc1c9a.exe [25088 2013-05-14] ()
2013-05-14 13:01 - 2013-05-14 13:01 - 00405926 ____A C:\Users\KC\AppData\Local\2433f433
2013-05-14 13:01 - 2013-05-14 13:01 - 00405914 ____A C:\ProgramData\2433f433
2013-05-14 13:01 - 2013-05-14 13:01 - 00405893 ____A C:\Users\KC\AppData\Roaming\2433f433
Now enter the recovery environment and rerun FRST. Be sure the fixlist.txt file is saved in the same location as frst.exe

Click the Fix button and post me the resulting log. Please verify if you can boot normally afterwards.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft
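The fixlist above is built by copying lines verbatim out of the FRST log in post #2. As an added example that is not part of this thread and not FRST's own code, here is a small Python triage aid that parses the two FRST line formats the fix relies on (autorun entries and one-month file entries) and collects candidate lines for a helper to review: FRST's own ATTENTION markers, autoruns with no publisher that run from a user-writable location, and unsigned files with random hex-style names in such locations. The heuristics are assumptions of this example, the sample lines are copied from post #2, and the output is a starting point for the analyst's judgement rather than a finished fixlist.

```python
import re

# Constructed sample in the shape of the FRST log posted above (a few lines
# copied from post #2; not the full log).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice [6330568 2013-03-21] (ESET)
HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet [1694016 2011-10-15] ()
HKU\KC\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\KC\Documents\7fbc1c9a.exe [25088 2013-05-14] ()
HKU\KC\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION

==================== One Month Created Files and Folders ========

2013-05-14 13:01 - 2013-05-14 13:01 - 00405926 ____A C:\Users\KC\AppData\Local\2433f433
2013-05-14 13:01 - 2013-05-14 13:01 - 00405914 ____A C:\ProgramData\2433f433
2013-05-13 12:29 - 2013-02-21 22:57 - 17817088 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
"""

# Autorun line: "<hive>\...\<key>: [<name>] <command> [<size> <date>] (<publisher>)<marker>"
AUTORUN_RE = re.compile(
    r"^(?P<hive>HK[^\s:]*?)\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] "
    r"\((?P<publisher>[^)]*)\)(?P<marker>.*)$"
)
# File line: "<created> - <modified> - <size> <attrs> [(<publisher>) ]<path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) (?:\((?P<publisher>[^)]*)\) )?(?P<path>.+)$"
)
# Locations a non-admin user can write to; legitimate autoruns rarely live there (assumption).
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|\$Recycle\.Bin|Temp)\\", re.IGNORECASE)
# Random-looking names such as 7fbc1c9a.exe or 2433f433: hex digits, optional extension.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}(\.[a-z0-9]+)?$", re.IGNORECASE)


def _parse(log, regex):
    """Return one dict per line matching regex, keeping the raw line under 'raw'."""
    out = []
    for line in log.splitlines():
        m = regex.match(line.rstrip())
        if m:
            d = m.groupdict()
            d["raw"] = line.rstrip()
            out.append(d)
    return out


def parse_autoruns(log):
    return _parse(log, AUTORUN_RE)


def parse_files(log):
    return _parse(log, FILE_RE)


def is_suspicious_autorun(entry):
    """FRST's own ATTENTION marker, or a command with no publisher living in a user-writable path."""
    if "ATTENTION" in entry["marker"]:
        return True
    return entry["publisher"] == "" and bool(USER_WRITABLE_RE.search(entry["cmd"]))


def is_suspicious_file(entry):
    """No publisher, user-writable location, and a random hex-style file name."""
    name = entry["path"].rsplit("\\", 1)[-1]
    return (entry["publisher"] is None
            and bool(USER_WRITABLE_RE.search(entry["path"]))
            and bool(HEX_NAME_RE.match(name)))


def candidate_fixlist(log):
    """Raw log lines worth review, autoruns first then files; FRST accepts them verbatim."""
    picked = [e["raw"] for e in parse_autoruns(log) if is_suspicious_autorun(e)]
    picked += [e["raw"] for e in parse_files(log) if is_suspicious_file(e)]
    return picked


if __name__ == "__main__":
    for line in candidate_fixlist(SAMPLE_LOG):
        print(line)
```

On the sample, the nwiz entry (no publisher, but under Program Files) and the Microsoft-signed mshtml.dll are left alone, while the random-named Run value, the cmd.exe Winlogon Shell and the two 2433f433 files are picked out.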


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:38 PM

Posted 20 May 2013 - 01:46 PM

Hi, do you still need help?


regards, Elise




#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:38 PM

Posted 23 June 2013 - 12:24 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise






