FBI Virus on Windows XP ("Police Report")


  • This topic is locked
30 replies to this topic

#1 GardenGuy (Members, 20 posts)

Posted 20 October 2014 - 08:26 PM

I wanted to add the following to my previous message:

 

I noticed that before the FBI virus takes control, the title of the Window that is being opened up is "Police Report". While I was running Kaspersky, I tried searching for a file that had the name "police" in it and came up with nothing. I also tried searching for a file that had within the contents of the file itself the word "police" and also came up with nothing. Is there any way that I can use the fact that I know the title of the Window being opened?

 

Original Message:

 

I have the FBI (Money Pak) virus on my Windows XP computer. I have been trying to remove it for over a week with no success. I ran the Kaspersky Rescue Disk and it found nothing. I cannot boot into any kind of Safe Mode. If I try to do so, it re-boots the computer before I even leave the black and white screen.

 

You can assume that I have used Kaspersky correctly. I also ran Kaspersky's WindowsUnlocker with no success.

 

My computer guy tried connecting my hard drive directly to another computer and searching for a virus on it and he said it came up clean.

 

Any suggestions?




#2 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,087 posts, Location: The Arctic Circle)

Posted 21 October 2014 - 10:01 AM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now!

==========================
 
Hi GardenGuy,
 
Do you have a Windows CD which we could use?
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 GardenGuy (Topic Starter, Members, 20 posts)

Posted 21 October 2014 - 03:31 PM

I do have a Windows CD

#4 xXToffeeXx (Malware Response Instructor, 6,087 posts)

Posted 22 October 2014 - 11:26 AM

Hi GardenGuy,

 

You will need the following:
1. A Clean computer with a CD Burner
2. Windows XP CD
3. Blank CD
4. USB pen drive
 
Please follow the steps below. If you are unable to create the UBCD4WIN, please provide any error messages, and/or what step you cannot follow.
 
Phase I - Creating the ISO file
 
1. Please select a mirror and download the Ultimate Boot CD for Windows to the Desktop

  • Double-Click on the UBCD4Win.exe file downloaded to the Desktop.
  • Follow all of its instructions/prompts

Note: Do not install to a folder with spaces in its name. It is best to use the default name C:\UBCD4Win
Note: Your Antivirus may report viruses or trojans when you extract UBCD4Win. These are False-Positives.
Read here for information regarding the files that normally trigger AV software.

  • At the very end, uncheck: Run UBCD4WinBuilder.exe when installation is complete
  • Click: Finish

2. Insert your XP CD with SP1/SP2/SP3 into a CD ROM drive

  • Open My Computer, and navigate to: C:\ubcd4win
  • Double-click on UBCD4WinBuilder.exe
  • Click I Agree to the UBCD4Win PE Builder License
  • Select No when prompted to Search for Windows installation files
  • For Source: click on the ellipsis (...), then click on the drive with your Windows XP CD, press OK
  • For Custom: no information is necessary, leave blank
  • For Output: keep the default BartPE
  • For Media output select Create ISO image: (enter filename)

Note: Leave the default filename and path as well (C:\UBCD4Win\UBCD4WinBuilder.iso). If you change it make sure it is a folder without spaces in the name.

  • Note: If your XP install disc is SP1 then please click the Plugins button and modify the following options:

Click on each option, then click Enable/Disable so the correct value is displayed.
 
Disabled - !Critical: DComLaunch Service [Building with XP SP1-DISABLE]
Enabled - !Critical: LargeIDE Fix (KB331958) [Building with XP SP1-ENABLE]

3. Click on the Build button.

  • When you see the Windows EULA message. Click on I Agree
  • At the Build Screen, let it run its course.
  • When the Build is finished, click close, then exit.

4. Burn your ISO file to CD

Phase II - Download Farbar's Recovery Scan Tool (FRST)
 
From the clean computer, download Farbar Recovery Scan Tool and save it to the USB pen drive.
 
Note: You need the 32-bit version to run with UBCD4Win
 
Now, plug the USB pen drive back into the ransomed computer and move on to the next step.
 
Phase III - Booting to the UBCD4Win CD
 
Restart the ransomed Computer Using the UBCD4Win disc created.

  • Insert the UBCD4Win disc into a CD/DVD drive
  • Restart the computer. It should boot from the UBCD4Win CD automatically
  • If it doesn't, and you are asked if you want to boot from CD, then, select that option

Note: Information on booting from CD > here

  • In the window that appears select Launch The Ultimate Boot CD For Windows, and press: Enter
  • It may take longer for the Desktop to appear than it does when you start the computer normally, but just let the process run until the Desktop appears
  • Once the Desktop appears, a message appears asking: Do you want to start Network support?, click Yes
  • You should now have a Desktop that looks like this:

[Screenshot: the UBCD4Win Desktop]
 
Phase IV - Running the FRST scan

  • Single-click My computer from the UBCD4Win Desktop, and navigate to the Farbar Recovery Scan Tool (FRST.exe) saved to the pen drive.
  • Double-click on FRST.exe to begin running the tool
  • When the tool opens click Yes to disclaimer

Note: If prompted to download the latest version, please do so from the link in Phase II

  • Click on the Scan button
  • When done scanning, the tool makes a log, FRST.txt on the pen drive. You can now close the pen drive, and safely remove it.
  • Insert the USB pen drive into your clean computer, and post the FRST.txt in your reply

xXToffeeXx~




#5 GardenGuy (Topic Starter, Members, 20 posts)

Posted 22 October 2014 - 12:32 PM

I clicked on the Ultimate Boot CD for Windows link from your line  "Please select a mirror and download the Ultimate Boot CD for Windows to the Desktop".  This takes me to an infected site.

 

I then tried looking for a site to download "UBCD4WinBuilder.exe".  The only sites that came up are ones I'm not familiar with (and thus, don't trust).



#6 xXToffeeXx (Malware Response Instructor, 6,087 posts)

Posted 22 October 2014 - 01:24 PM

Hi GardenGuy,

 

I am most sorry about that. It seems the website's lease has recently run out and it has been bought by another company.

 

MajorGeeks has a copy here, they are a site like BC, just make sure to avoid the adverts.

 

xXToffeeXx~




#7 GardenGuy (Topic Starter, Members, 20 posts)

Posted 22 October 2014 - 04:45 PM

I did the Hash Verification that comes with this. I get an MD5 Fail error. See the attached files.

 

I tried this three times.


#8 xXToffeeXx (Malware Response Instructor, 6,087 posts)

Posted 23 October 2014 - 12:51 PM

Hi GardenGuy,

 

Looks like the md5 check failed because the program which checks for the md5 is broken. It should be fine to go ahead and run the program.

 

xXToffeeXx~




#9 GardenGuy (Topic Starter, Members, 20 posts)

Posted 24 October 2014 - 04:20 AM

OK, I'll let you know where this takes me.  Thank you.



#10 GardenGuy (Topic Starter, Members, 20 posts)

Posted 24 October 2014 - 08:06 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-10-2014
Ran by SYSTEM on MININT-JVC on 24-10-2014 21:00:36
Running from D:\
Platform: Microsoft Windows XP Service Pack 2 (X86) OS Language: Georgian
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet003
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ATIPTA] => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [339968 2005-03-23] (ATI Technologies, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe [36975 2005-03-04] (Sun Microsystems, Inc.)
HKLM\...\Run: [hpWirelessAssistant] => C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [794624 2005-04-11] (Hewlett-Packard Company)
HKLM\...\Run: [SynTPLpr] => C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [102492 2005-02-02] (Synaptics, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [692316 2005-02-02] (Synaptics, Inc.)
HKLM\...\Run: [eabconfg.cpl] => C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [290816 2004-12-03] (Hewlett-Packard )
HKLM\...\Run: [Cpqset] => C:\Program Files\HPQ\Default Settings\cpqset.exe [size/version fields unreadable in the posted log]
HKLM\...\Run: [BJCFD] => C:\Program Files\BroadJump\Client Foundation\CFD.exe [368706 2002-09-11] (BroadJump, Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [98304 2005-05-12] (Apple Computer, Inc.)
HKLM\...\Winlogon: [UIHost] C:\Windows\system32\logonui.exe [514560 2008-04-14] ( (Microsoft Corporation))
Winlogon\Notify\AtiExtEvent: C:\Windows\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKU\Administrator\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
HKU\Default User\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
HKU\NetworkService.NT AUTHORITY\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
HKU\Silvia\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [68856 2008-08-16] (Google Inc.)

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 AOL ACS; C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe [1135728 2004-04-07] (America Online, Inc.)
S3 hpqwmi; C:\Program Files\HPQ\SHARED\HPQWMI.exe [98304 2005-03-04] (Hewlett-Packard Development Company, L.P.)
S4 iPodService; C:\Program Files\iPod\bin\iPodService.exe [327680 2004-10-13] (Apple Computer, Inc.)
S4 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [38912 2005-02-22] ()
S2 UtilityChest_49Service; C:\PROGRA~1\UTILIT~2\bar\1.bin\49barsvc.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [39424 2004-08-11] (Advanced Micro Devices)
S2 ASCTRM; C:\Windows\System32\Drivers\ASCTRM.sys [8552 2005-07-24] (Windows ® 2000 DDK provider)
S3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl5.sys [371712 2005-03-10] (Broadcom Corporation)
S1 eabfiltr; C:\WINDOWS\system32\drivers\EABFiltr.sys [7432 2004-04-14] (Hewlett-Packard Company)
S3 eabusb; C:\WINDOWS\system32\drivers\eabusb.sys [5220 2003-06-06] (Hewlett-Packard Company)
S3 HSFHWATI; C:\Windows\System32\DRIVERS\HSFHWATI.sys [200192 2005-03-22] (Conexant Systems, Inc.)
S3 moufiltr; C:\Windows\System32\DRIVERS\moufiltr.sys [62592 2006-11-25] (Chic Tech.)
S3 Rasirda; C:\Windows\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S3 RTL8023xp; C:\Windows\System32\DRIVERS\Rtlnicxp.sys [69760 2004-06-28] (Realtek Semiconductor Corporation)
S3 SMCIRDA; C:\Windows\System32\DRIVERS\smcirda.sys [35913 2001-08-17] (SMC)
S3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2003-01-10] (America Online, Inc.)
S3 BVRPMPR5; \??\D:\INSTAL~E\Core\BVRPMPR5.SYS [X]
S3 catchme; \??\C:\DOCUME~1\Silvia\LOCALS~1\Temp\catchme.sys [X]
S5 P3; C:\Windows\System32\Drivers\P3.sys [42752 2008-04-13] (Microsoft Corporation)
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 TlntSvr; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-24 21:00 - 2014-10-24 21:00 - 00000000 ____D () C:\FRST
2014-10-19 13:39 - 2014-10-19 13:39 - 00000070 _____ () C:\Documents and Settings\Silvia\Local Settings\Application Data\.directory
2014-10-19 02:39 - 2014-10-19 02:42 - 00000000 ___SD () C:\32788R22FWJFW
2014-10-19 02:33 - 2014-10-19 02:34 - 00000000 ___SD () C:\ComboFix
2014-10-19 01:42 - 2014-10-19 01:42 - 00000000 __SHD () C:\found.000
2014-10-16 14:05 - 2014-10-16 14:05 - 00000069 _____ () C:\Documents and Settings\Silvia\Application Data\.directory
2014-10-16 03:30 - 2014-10-16 14:08 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2014-10-16 03:29 - 2014-10-16 03:29 - 00000000 ____D () C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temp
2014-10-16 03:29 - 2010-07-05 15:55 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
2014-10-16 03:29 - 2010-07-05 15:47 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Macromedia
2014-10-16 03:29 - 2005-05-12 07:24 - 00000178 ___SH () C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.ini
2014-10-16 03:29 - 2005-05-12 07:24 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-10-16 03:29 - 2005-05-12 07:24 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2014-10-16 03:29 - 2005-05-12 07:12 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\LightScribe
2014-10-16 03:29 - 2005-05-12 07:08 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Symantec
2014-10-16 03:29 - 2005-05-12 07:05 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer
2014-10-16 03:29 - 2005-05-12 07:05 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Apple Computer
2014-10-16 03:29 - 2005-05-12 07:04 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
2014-10-16 03:29 - 2005-05-12 06:38 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150020}
2014-10-15 22:04 - 2014-10-15 22:05 - 00000000 ____D () C:\$HBCDTmp
2014-10-15 20:20 - 2014-10-15 20:23 - 00000000 ____D () C:\Windows\rer
2014-10-15 12:28 - 2014-10-19 14:53 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-10-12 09:40 - 2014-10-15 21:44 - 00000000 ____D () C:\Documents and Settings\Silvia\Desktop\rermine

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-24 09:22 - 2005-07-24 20:15 - 00000178 ___SH () C:\Documents and Settings\Silvia\ntuser.ini
2014-10-24 09:22 - 2004-08-07 13:16 - 01506532 _____ () C:\Windows\WindowsUpdate.log
2014-10-24 09:22 - 2004-08-07 13:16 - 00032632 _____ () C:\Windows\SchedLgU.Txt
2014-10-24 09:19 - 2010-07-05 15:05 - 00000000 ____D () C:\Documents and Settings\Silvia\Local Settings\temp
2014-10-24 09:16 - 2004-08-07 13:16 - 00001158 _____ () C:\Windows\System32\wpa.dbl
2014-10-19 13:37 - 2005-11-15 14:15 - 00000000 ____D () C:\BLSInfo
2014-10-19 01:44 - 2005-05-12 05:23 - 00000000 ____D () C:\Windows\System32\Restore
2014-10-16 00:39 - 2004-08-07 13:02 - 00235168 _____ () C:\Windows\System32\FNTCACHE.DAT
2014-10-15 21:49 - 2005-05-12 06:45 - 00000000 ____D () C:\Program Files\Adobe
2014-10-15 21:16 - 2005-05-12 05:23 - 00000000 ____D () C:\I386
2014-10-15 20:14 - 2004-08-07 12:51 - 00000281 __RSH () C:\boot.ini

Some content of TEMP:
====================
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-fdb46df0.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2004-08-04 08:00] - [2014-03-12 10:48] - 0613376 ____A (Microsoft Corporation) beea095243a52360f6ff65f1220aa6e5    

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points (XP) =====================

RP: -> 2014-10-19 01:44 - 024576 _restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP1

==================== Memory info ===========================

Percentage of memory in use: 58%
Total physical RAM: 382.48 MB
Available physical RAM: 158.82 MB
Total Pagefile: 326.13 MB
Available Pagefile: 177.67 MB
Total Virtual: 2047.88 MB
Available Virtual: 2000.46 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.09 GB) (Free:0.09 GB) FAT
Drive c: () (Fixed) (Total:55.88 GB) (Free:34.35 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (694-6946) (Removable) (Total:3.73 GB) (Free:2.56 GB) FAT32
Drive x: (UBCD4Windows) (CDROM) (Total:0.62 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 55.9 GB) (Disk ID: 94E494E4)
Partition 1: (Active) - (Size=55.9 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 3.7 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=3.7 GB) - (Type=0C)

==================== End Of Log ============================



#11 xXToffeeXx (Malware Response Instructor, 6,087 posts)

Posted 25 October 2014 - 02:33 PM

Hi GardenGuy,
 
We need to search for a file with FRST:

  • Boot into UBCD4Win like you did before and single-click My computer from the UBCD4Win Desktop, and navigate to the Farbar Recovery Scan Tool (FRST.exe) saved to the pen drive.
  • Double-click on FRST.exe to begin running the tool
  • In the search box, type the following: user32*
  • Press the Search Files button, allow FRST to run
  • A log file Search.txt will appear when complete, please post this in your next reply

xXToffeeXx~




#12 GardenGuy (Topic Starter, Members, 20 posts)

Posted 25 October 2014 - 08:20 PM

Here's the results of the Search.  Thank you for all of your help.  I'm looking forward to seeing what the next step is.

 

Farbar Recovery Scan Tool (x86) Version: 23-10-2014
Ran by SYSTEM at 2014-10-25 21:01:05
Running from D:\
Boot Mode: Recovery

================== Search: "user32*" ===================

C:\WINDOWS\system32\user32.dll
[2004-08-04 08:00][2014-03-12 10:48] 0613376 ____A (Microsoft Corporation) beea095243a52360f6ff65f1220aa6e5    

C:\WINDOWS\system32\user32.ini
[2004-08-04 08:00][2014-03-12 10:48] 0578560 ____A () df74697fb06a25f2d119eca1ac4ae8c2    

C:\WINDOWS\ServicePackFiles\i386\user32.dll
[2008-12-25 20:07][2014-03-12 10:48] 0613376 ____A (Microsoft Corporation) beea095243a52360f6ff65f1220aa6e5    

C:\WINDOWS\ServicePackFiles\i386\user32.ini
[2004-08-04 08:00][2014-03-12 10:48] 0578560 ____A () df74697fb06a25f2d119eca1ac4ae8c2    

C:\WINDOWS\ERDNT\cache\user32.dll
[2010-07-05 15:05][2008-04-14 00:12] 0578560 ____A (Microsoft Corporation) b26b135ff1b9f60c9388b4a7d16f600b    

C:\WINDOWS\$NtUninstallKB925902$\user32.dll
[2007-05-05 21:13][2005-03-02 18:09] 0577024 ____C (Microsoft Corporation) de2db164bbb35db061af0997e4499054    

C:\WINDOWS\$NtUninstallKB890859$\user32.dll
[2005-08-05 17:34][2004-08-04 08:00] 0577024 ____C (Microsoft Corporation) c72661f8552ace7c5c85e16a3cf505c4    

C:\WINDOWS\$NtServicePackUninstall$\user32.dll
[2010-06-28 17:32][2007-03-08 15:36] 0577536 ____C (Microsoft Corporation) b409909f6e2e8a7067076ed748abf1e7    

C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
[2007-03-08 15:48][2007-03-08 15:48] 0578048 ____A (Microsoft Corporation) 7aa4f6c00405dfc4b70ed4214e7d687b    

C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
[2005-03-02 18:19][2005-03-02 18:19] 0577024 ____A (Microsoft Corporation) 1800f293bccc8ede8a70e12b88d80036    

C:\I386\USER32.DL_
[2004-08-04 13:00][2004-08-04 13:00] 0263547 ____A () 5bf86149ab9ea650050375f25d0fa0c2    

X:\I386\SYSTEM32\USER32.DLL
[2004-08-12 14:08][2004-08-12 14:08] 0577024 ____R (Microsoft Corporation) c72661f8552ace7c5c85e16a3cf505c4    

=== End Of Search ===
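What the two FRST outputs above show, written up as an added example that is not part of the thread and not FRST's own code: in the "Bamital & volsnap Check" of post #10, every file is reported "MD5 is legit" except User32.dll, which FRST prints with its hash and a 2014-03-12 modification date on a file created 2004-08-04. The Search.txt in post #12 then shows that the system32 and ServicePackFiles\i386 copies share that hash (beea095243a52360f6ff65f1220aa6e5, 613376 bytes), while the ERDNT\cache copy carries a different one (b26b135ff1b9f60c9388b4a7d16f600b, 578560 bytes). The script below parses entries in that Search.txt format, groups copies by MD5, reports the copies that differ from a chosen reference copy, and computes a file's MD5 locally (an independent way to check a download when a bundled hash verifier fails, as happened earlier in the thread). The sample log is constructed from the posted entries; treating the ERDNT\cache copy as the trusted reference is an assumption of the example, although it is the copy the fix in the next post uses as the clean source.

```python
"""Parse an FRST 'Search Files' log, flag copies of a DLL whose MD5 differs from
a trusted reference copy, and compute a file's MD5 locally. Added example, not
code from the thread or from FRST; the log below is a constructed subset of the
Search.txt posted above, and using the ERDNT\\cache copy as reference is an assumption.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample, copied from entries posted in the thread (header trimmed).
SAMPLE_SEARCH_LOG = r"""================== Search: "user32*" ===================

C:\WINDOWS\system32\user32.dll
[2004-08-04 08:00][2014-03-12 10:48] 0613376 ____A (Microsoft Corporation) beea095243a52360f6ff65f1220aa6e5

C:\WINDOWS\system32\user32.ini
[2004-08-04 08:00][2014-03-12 10:48] 0578560 ____A () df74697fb06a25f2d119eca1ac4ae8c2

C:\WINDOWS\ServicePackFiles\i386\user32.dll
[2008-12-25 20:07][2014-03-12 10:48] 0613376 ____A (Microsoft Corporation) beea095243a52360f6ff65f1220aa6e5

C:\WINDOWS\ERDNT\cache\user32.dll
[2010-07-05 15:05][2008-04-14 00:12] 0578560 ____A (Microsoft Corporation) b26b135ff1b9f60c9388b4a7d16f600b

=== End Of Search ===
"""

# One entry = a path line followed by "[created][modified] size attrs (company) md5".
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^\n]+)\n"
    r"\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\] "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9a-fA-F]{32})",
    re.MULTILINE,
)


@dataclass(frozen=True)
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    md5: str

    @property
    def name(self) -> str:
        # File name only, lower-cased so USER32.DLL and user32.dll compare equal.
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_frst_search(text: str) -> list:
    """Return one FileEntry per path/detail pair found in a Search.txt body."""
    return [FileEntry(m["path"], m["created"], m["modified"], int(m["size"]),
                      m["attrs"], m["company"], m["md5"].lower())
            for m in ENTRY_RE.finditer(text)]


def group_by_hash(entries: list) -> dict:
    """Map each MD5 to the paths carrying it, so byte-identical copies cluster."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.md5].append(e.path)
    return dict(groups)


def find_suspect_copies(entries: list, reference_path: str) -> dict:
    """Return {path: reason} for every copy that shares the reference's file name
    but not its MD5. A mismatch means 'different bytes', not 'malicious': the
    reference has to be the right service-pack build for this to mean anything."""
    ref = next((e for e in entries if e.path.lower() == reference_path.lower()), None)
    if ref is None:
        raise ValueError(f"reference copy not present in log: {reference_path}")
    suspects = {}
    for e in entries:
        if e.path == ref.path or e.name != ref.name or e.md5 == ref.md5:
            continue
        suspects[e.path] = (f"md5 {e.md5} != reference {ref.md5}; "
                            f"size {e.size} vs {ref.size}; last modified {e.modified}")
    return suspects


def file_md5(path: str, chunk_size: int = 1 << 16) -> str:
    """MD5 of a file on disk, read in chunks so a large DLL is never loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    found = parse_frst_search(SAMPLE_SEARCH_LOG)
    for digest, paths in group_by_hash(found).items():
        print(digest, "->", "; ".join(paths))
    for path, why in find_suspect_copies(found, r"C:\WINDOWS\ERDNT\cache\user32.dll").items():
        print("SUSPECT:", path, "|", why)
```

Run against the constructed log, the system32 and ServicePackFiles\i386 copies are the two reported as suspect. On the full Search.txt the X:\I386\SYSTEM32\USER32.DLL copy from the install CD would be reported too, because a copy from a different service-pack level has a different legitimate hash; that is why the reference copy has to be matched to the installed service pack before any Replace is issued, and why a hash mismatch on its own is a lead rather than a verdict.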



#13 xXToffeeXx (Malware Response Instructor, 6,087 posts)

Posted 26 October 2014 - 11:49 AM

Hi GardenGuy,
 
Now we replace the patched user32.dll with a clean version :)
 
We need to run a fix with FRST:

  • From your clean computer, press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter.
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
Replace: C:\WINDOWS\ERDNT\cache\user32.dll C:\WINDOWS\system32\user32.dll
Replace: C:\WINDOWS\ERDNT\cache\user32.dll C:\WINDOWS\ServicePackFiles\i386\user32.dll
  • Boot into UBCD4Win like you did before and single-click My computer from the UBCD4Win Desktop, and navigate to the Farbar Recovery Scan Tool (FRST.exe) saved to the pen drive.
  • Double-click on FRST.exe to begin running the tool
  • Press the Fix button just once and wait
  • When finished, FRST will generate a log (Fixlog.txt) on the flashdrive
  • Please copy and paste the log in your next reply.

Please try and boot into normal mode, let me know whether you are successful or not.
 
xXToffeeXx~




#14 GardenGuy (Topic Starter, Members, 20 posts)

Posted 26 October 2014 - 01:21 PM

It looks like you have solved the problem.  Thank you!!!!!  I will monitor this topic for a while in case you have more to tell me.  Thank you again.

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 23-10-2014
Ran by SYSTEM at 2014-10-26 13:49:34 Run:1
Running from D:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
Replace: C:\WINDOWS\ERDNT\cache\user32.dll C:\WINDOWS\system32\user32.dll
Replace: C:\WINDOWS\ERDNT\cache\user32.dll C:\WINDOWS\ServicePackFiles\i386\user32.dll
*****************

C:\WINDOWS\system32\user32.dll => Moved successfully.
C:\WINDOWS\ERDNT\cache\user32.dll copied successfully to C:\WINDOWS\system32\user32.dll
C:\WINDOWS\ServicePackFiles\i386\user32.dll => Moved successfully.
C:\WINDOWS\ERDNT\cache\user32.dll copied successfully to C:\WINDOWS\ServicePackFiles\i386\user32.dll

==== End of Fixlog ====



#15 xXToffeeXx (Malware Response Instructor, 6,087 posts)

Posted 26 October 2014 - 02:06 PM

Hi GardenGuy,
 
Good news and exactly what I wanted to hear :) Just a few scans to check the computer is clean:
 
Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

xXToffeeXx~






