
Interpol Virus infection


5 replies to this topic

#1 Paul W. Beckett
  • Members
  • 3 posts

Posted 07 December 2013 - 11:18 PM

Hello

 

I'm 100% sure that my father's computer -- an HP running Windows 7 with Service Pack 1 -- was infected by the "Interpol Virus" earlier today. He was browsing with Firefox when he got a full-screen pop-up message with the Interpol logo informing him that his computer was being locked up because it had been used for allegedly illegal activities of some sort and that he needed to pay a $300 "fine" in order to unlock it. I did some Googling and found out that this was the work of a particularly nasty bit of malware.

 

I was able to Ctrl-Alt-Delete out of Firefox, restart my father's computer in Safe Mode and run a full system scan with Malwarebytes. It found and deleted something called "CodecPerformerSetup.exe." Everything is now running normally.

 

I've used Malwarebytes before and have always found that it does its job well. However, the fact that it deleted just that one file (and didn't remove any registry keys, etc.) makes me wonder whether it really got rid of this virus, or if it's still lurking in the system somewhere. Supposedly, this thing can thwart commercial AV software, so I wonder if Malwarebytes can miss it, too.

 

Any help would be much appreciated.

 

Thank you.




 


#2 noknojon
  • Banned
  • 10,871 posts

Posted 08 December 2013 - 12:02 AM

Hello Paul W. Beckett and Welcome -
Please make sure you Update your copy of Malwarebytes, and then run a Full Scan in Normal Mode, just to be sure that it is clean.

 

Next -
Download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

 

Next -
Please download and run RKill by Grinler. A black DOS box will briefly flash and then disappear.
This is normal and indicates the tool ran successfully.
If a log is produced, save it, or post it back here -

 

Important: Do not reboot your computer until you complete the next step.

 

Please download AdwCleaner by Xplode and save to your Desktop.
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button. (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
* NEXT - Click on the Clean button. (only once)
* Press OK when asked to close all programs and follow the onscreen prompts.
+ Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
* After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
* Copy and paste the contents of that logfile in your next reply.
* A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

 

Next -
Shut down your protection software now to avoid potential conflicts.
* How To Temporarily Disable Your Anti-virus
* Please download Junkware Removal Tool to your desktop.
* Run the tool by double-clicking it.
* If you are using Windows Vista, 7, or 8, right click JRT.exe and select "Run as Administrator".
* The tool will open and start scanning your system.
* Please be patient as this can take a while to complete depending on your system's specifications.
* On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
* Post the contents of JRT.txt into your next message.

 

Next -
Please scan your computer with ESET Online Scanner
Disable active Antivirus and Antimalware programs How To Temporarily Disable Your Anti-virus
This scan is best performed with Internet Explorer, as it uses ActiveX
If you will not use Internet Explorer, then please read item 3 in this post
1 - Open Internet Explorer and hold down Control (Ctrl) key and click on This Link to open ESET OnlineScan in a new window.
2 - Click the ESET Online Scanner button.
3 - For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- a - Click on eset.exe to download the ESET Smart Installer. Save it to your desktop.
- b - Double click on the icon on your desktop.
4 - Check "YES, I accept the Terms of Use."
5 - Click the Start button.
6 - Accept any security warnings from your browser.
7 - Under scan settings, check "Scan Archives" and "Remove found threats"
8 - Click Advanced settings and select the following:
* Scan potentially unwanted applications
* Scan for potentially unsafe applications
* Enable Anti-Stealth technology

9 - ESET will then download updates for itself, install itself, and begin scanning your computer.
10 - Please be patient as this will take some time (first time scans are always longer).
11 - When the scan completes, click List Threats
12 - Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
13 - Click the Back button and then Click the Finish button.
NOTE: Sometimes if ESET finds no infections it will not create a log.
If you lose the log it can be found at C:\Program Files\ESET\EsetOnlineScanner\log.txt
If no infections are found then please tell me -
You can ignore any ESET detection of AdwCleaner...it is a false positive detection.

 

Next -

Please download Temp File Cleaner by Old Timer
Usage Instructions:

  • Download TFC from the download link above and save the file on your desktop.
  • Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
  • Double-click on the TFC icon.
  • When the program opens, click on the Start button. 
  • TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
  • When done, press OK and reboot your computer to finish the cleanup.

 

 

Thank You -



#3 Paul W. Beckett
  • Topic Starter
  • Members
  • 3 posts

Posted 08 December 2013 - 12:37 PM


 

Thanks for the reply, noknojon.

 

I did the Malwarebytes scan in Normal Mode.  It found nothing.

 

Here are the logs you asked for:

 

 Results of screen317's Security Check version 0.99.77 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Norton Internet Security  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Adobe Flash Player 11.9.900.117 
 Adobe Reader 10.1.8 Adobe Reader out of Date! 
 Mozilla Firefox (25.0.1)
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
 Symantec Norton Online Backup NOBuAgent.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

 

 

 

Rkill 2.6.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/08/2013 09:16:20 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
 C:\Users\Philip W. Beckett\Desktop\rkill\rkill-12-08-2013-09-16-23.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 12/08/2013 09:16:43 AM
Execution time: 0 hours(s), 0 minute(s), and 23 seconds(s)

 

 

 

# AdwCleaner v3.014 - Report created 08/12/2013 at 09:39:35
# Updated 01/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Philip W. Beckett - DADSBEAST
# Running from : C:\Users\Philip W. Beckett\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428

-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\Philip W. Beckett\AppData\Roaming\Mozilla\Firefox\Profiles\vy65ehwb.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [2424 octets] - [08/12/2013 09:18:42]
AdwCleaner[R1].txt - [2484 octets] - [08/12/2013 09:20:29]
AdwCleaner[S0].txt - [2080 octets] - [08/12/2013 09:39:35]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2140 octets] ##########

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Home Premium x64
Ran by Philip W. Beckett on Sun 12/08/2013 at  9:52:06.26
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B8A02889-7511-4DA0-A599-72AB8F8D7E6B}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{B8A02889-7511-4DA0-A599-72AB8F8D7E6B}

 

~~~ Files

Successfully deleted: [File] C:\Windows\syswow64\sho8D25.tmp

 

~~~ Folders

 

~~~ FireFox

Emptied folder: C:\Users\Philip W. Beckett\AppData\Roaming\mozilla\firefox\profiles\vy65ehwb.default\minidumps [108 files]

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 12/08/2013 at  9:57:47.03
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

And here's what the ESET scan turned up:

 

C:\Users\Philip W. Beckett\AppData\Local\Temp\Thb0zFwM.exe.part multiple threats cleaned by deleting - quarantined

 

 

 

Thank you very much.
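The logs in this post show what the tools actually touched: Rkill removed an Explorer policy (NoActiveDesktopChanges), found Windows Defender turned off by DisableAntiSpyware=1, and reset the .EXE/.COM/.BAT associations; ESET quarantined a leftover executable in AppData\Local\Temp. The following PowerShell script is an added example, not code from the thread or from any of the tools named in it. It is a read-only check of those same locations plus the standard autostart keys and Startup folders, so a second person can confirm nothing was left behind before the machine goes back into use. All registry paths are standard Windows locations; the policy value names marked "assumed" are common screen-locker settings and are not taken from these logs. Run it from an elevated PowerShell prompt; it changes nothing.

```powershell
# Added example (not from the thread): read-only triage of the registry
# locations Rkill reported on, plus autostart entries. Nothing is modified.
$findings = New-Object System.Collections.Generic.List[string]
$autoruns = New-Object System.Collections.Generic.List[string]

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

# 1. Windows Defender state as Rkill reported it (DisableAntiSpyware=1,
#    WinDefend not running). On Windows 7 a third-party suite (Norton is
#    present per the Security Check log) commonly turns Defender off, so this
#    is listed for review rather than treated as evidence of infection.
if ((Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Defender' 'DisableAntiSpyware') -eq 1) {
    $findings.Add('Windows Defender disabled via DisableAntiSpyware=1 (expected when another AV is installed)')
}
$svc = Get-WmiObject Win32_Service -Filter "Name='WinDefend'"
if ($svc) { $findings.Add("WinDefend service: state=$($svc.State) startmode=$($svc.StartMode)") }

# 2. Explorer/System policies. Rkill removed NoActiveDesktopChanges from HKLM;
#    the other names below are assumed common locker settings (hide desktop,
#    block Task Manager and regedit).
$policyNames = 'NoActiveDesktopChanges','NoDesktop','DisableTaskMgr','DisableRegistryTools'
foreach ($hive in 'HKLM','HKCU') {
    foreach ($sub in 'Explorer','System') {
        $p = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\$sub"
        foreach ($n in $policyNames) {
            if ((Get-RegValue $p $n) -eq 1) { $findings.Add("$p\$n = 1") }
        }
    }
}

# 3. Winlogon Shell/Userinit. A locker that replaces the shell survives a
#    scan that only deletes the dropped executable. Defaults are
#    'explorer.exe' and '<windir>\system32\userinit.exe,'.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = Get-RegValue $wl 'Shell'
if ($shell -and $shell -ne 'explorer.exe') { $findings.Add("HKLM Winlogon Shell = '$shell' (expected explorer.exe)") }
$userinit = Get-RegValue $wl 'Userinit'
$expectedUserinit = (Join-Path $env:windir 'system32\userinit.exe') + ','
if ($userinit -and $userinit.TrimEnd(',') -ne $expectedUserinit.TrimEnd(',')) {
    $findings.Add("HKLM Winlogon Userinit = '$userinit' (expected $expectedUserinit)")
}
# A per-user Shell override is never present on a default install.
$userShell = Get-RegValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
if ($userShell) { $findings.Add("HKCU Winlogon Shell override = '$userShell'") }

# 4. The .exe association Rkill resets: the default open command is "%1" %*.
$exeCmd = Get-RegValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' '(default)'
if ($exeCmd -and $exeCmd -ne '"%1" %*') { $findings.Add("exefile open command = $exeCmd (expected `"%1`" %*)") }

# 5. Autostart entries. Anything launched from a Temp or AppData path (the
#    ESET detection above was in AppData\Local\Temp) is flagged for a look.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item $k
    foreach ($n in $key.GetValueNames()) {
        $v = [string]$key.GetValue($n)
        $autoruns.Add("$k\$n = $v")
        if ($v -match '\\AppData\\|\\Temp\\') { $findings.Add("autorun from user/temp path: $k\$n = $v") }
    }
}
foreach ($folder in 'Startup','CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if ($dir) { Get-ChildItem $dir -ErrorAction SilentlyContinue | ForEach-Object { $autoruns.Add("$folder : $($_.FullName)") } }
}

"=== Autostart entries (review) ==="
$autoruns
"=== Findings ==="
if ($findings.Count -eq 0) { 'none' } else { $findings }
```

The autostart list is printed in full rather than filtered, because the right question after a cleanup is "does every entry here belong to something I recognise", not "did a signature match". One more item the logs support: the Security Check output flags Adobe Reader 10.1.8 as out of date, and the lock screen arrived through the browser, so updating Firefox, Flash and Reader is part of closing the incident, not an optional extra.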
 



#4 noknojon
  • Banned
  • 10,871 posts

Posted 08 December 2013 - 03:01 PM

Hi -

Looks good now, are there any more problems ?

 

Thank You -



#5 Paul W. Beckett
  • Topic Starter
  • Members
  • 3 posts

Posted 08 December 2013 - 03:08 PM

No, everything seems to be working fine now.  If you think everything looks OK, I'll tell my dad it's safe to use his computer.

 

 

Thank you very much for your time and attention.



#6 noknojon
  • Banned
  • 10,871 posts

Posted 08 December 2013 - 03:23 PM

You are welcome .................





