My dad has the FBI Ransom Virus
BertArnett replied to BertArnett's topic in Resolved Malware Removal Logs
Worked great! My parents thank you. After I got it back up I ran the Malwarebytes rootkit tool. Then I ran AVG again; everything came up clean. For your request:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-06-2013 04
Ran by SYSTEM at 2013-06-12 22:08:44 Run:1
Running from F:\
Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKU\user\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Users\user\AppData\Roaming\skype.dat => Moved successfully.
C:\Users\user\AppData\Roaming\skype.ini => Moved successfully.
C:\Users\user\Application Data\skype.dat => File/Directory not found.
C:\Users\user\Application Data\skype.ini => File/Directory not found.
C:\Windows\Tasks\SA.DAT => Moved successfully.
C:\Users\user\AppData\Roaming\skype.ini => File/Directory not found.
C:\Windows\Tasks\qoln.job => Moved successfully.
C:\Windows\Tasks\Adobe Flash Player Updater.job => Moved successfully.

==== End of Fixlog ====

Once again thanks!
Hi, my dad's computer got the new FBI Ransom virus; I would like some help. It is the one that shuts down safe mode and also blocks resetting the computer to a previous version. Here are the logs you have asked for from others with the same issue.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-06-2013 04
Ran by SYSTEM on 12-06-2013 20:39:12
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7739936 2009-09-11] (Realtek Semiconductor)
HKLM\...\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" [2587008 2012-04-05] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [997320 2012-11-12] ()
HKLM\...\Run: [HF_G_Jul] "C:\Program Files\AVG Secure Search\HF_G_Jul.exe" /DoAction [36960 2012-07-18] ()
HKLM\...\Run: [] [x]
HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" [1644680 2013-02-08] (Ask)
HKU\user\...\Winlogon: [shell] explorer.exe,C:\Users\user\AppData\Roaming\skype.dat <==== ATTENTION
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JL Alpine Advent Calendar.lnk
ShortcutTarget: JL Alpine Advent Calendar.lnk -> C:\Program Files\JL Alpine Advent Calendar\JL Alpine Advent Calendar.exe ()
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart

========================== Services (Whitelisted) =================

S4 Adobe Version Cue CS4; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [284016 2008-08-15] (Adobe Systems Incorporated)
S2 avgfws; C:\Program Files\AVG\AVG2012\avgfws.exe [2321520 2012-03-23] (AVG Technologies CZ, s.r.o.)
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe [5106744 2012-04-30] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
S4 DragonSvc; C:\Program Files\Common Files\Nuance\dgnsvc.exe [296808 2010-07-23] (Nuance Communications, Inc.)
S4 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [399432 2012-09-29] (Malwarebytes Corporation)
S4 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [676936 2012-09-29] (Malwarebytes Corporation)

==================== Drivers (Whitelisted) ====================

S1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6x.sys [47968 2011-05-22] (AVG Technologies CZ, s.r.o.)
S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [139856 2011-12-23] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfilterx.sys [24144 2011-12-23] (AVG Technologies CZ, s.r.o. )
S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [24896 2012-04-19] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [17232 2011-12-23] (AVG Technologies CZ, s.r.o. )
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [235216 2012-02-22] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [31952 2012-01-31] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [301248 2012-03-19] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [26984 2012-11-12] (AVG Technologies)
S4 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2012-09-29] (Malwarebytes Corporation)
S3 PCDSRVC{E9D79540-57D5953E-06020200}_0; \??\c:\program files\dell support center\pcdsrvc.pkms [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-12 20:38 - 2013-06-12 20:38 - 00000000 ____D C:\FRST
2013-06-12 14:00 - 2013-06-12 16:42 - 00000004 ____A C:\Users\user\AppData\Roaming\skype.ini
2013-05-17 08:04 - 2013-05-17 08:04 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-05-16 06:16 - 2013-02-26 21:05 - 00101720 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-16 06:16 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-16 06:16 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-16 06:16 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-16 06:16 - 2013-02-26 20:49 - 00047104 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
2013-05-16 00:04 - 2013-04-04 21:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-16 00:04 - 2013-04-04 21:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-16 00:04 - 2013-04-04 21:28 - 00042496 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-05-16 00:04 - 2013-04-04 21:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-16 00:04 - 2013-04-04 21:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-16 00:04 - 2013-04-04 21:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-16 00:04 - 2013-04-04 21:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-16 00:04 - 2013-04-04 21:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-16 00:04 - 2013-04-04 21:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-16 00:04 - 2013-04-04 21:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-16 00:04 - 2013-04-04 21:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-05-16 00:04 - 2013-04-04 21:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-05-16 00:04 - 2013-04-04 21:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-16 00:04 - 2013-04-04 21:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-05-16 00:04 - 2013-04-04 20:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-16 00:04 - 2013-04-04 19:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-15 10:08 - 2013-04-09 21:18 - 00728424 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-15 10:08 - 2013-04-09 21:18 - 00218984 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-15 10:08 - 2013-04-09 19:14 - 02347520 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-15 10:08 - 2013-03-18 20:53 - 00186368 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-05-15 10:08 - 2013-03-18 19:33 - 00040960 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

==================== One Month Modified Files and Folders ========

2013-06-12 20:38 - 2013-06-12 20:38 - 00000000 ____D C:\FRST
2013-06-12 19:34 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles
2013-06-12 16:42 - 2013-06-12 14:00 - 00000004 ____A C:\Users\user\AppData\Roaming\skype.ini
2013-06-12 16:39 - 2013-04-29 15:49 - 00000306 ____A C:\Windows\Tasks\qoln.job
2013-06-12 16:39 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-12 16:39 - 2009-07-13 20:39 - 00053830 ____A C:\Windows\setupact.log
2013-06-12 15:01 - 2009-07-13 20:55 - 01382999 ____A C:\Windows\WindowsUpdate.log
2013-06-12 14:39 - 2012-05-08 06:51 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-12 14:07 - 2011-01-10 19:15 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2013-06-12 14:07 - 2011-01-10 18:30 - 00000000 ____D C:\ProgramData\MFAData
2013-06-11 21:42 - 2012-05-08 06:51 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-11 21:42 - 2011-10-17 20:06 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-11 14:17 - 2013-01-23 18:37 - 00000000 ____D C:\Users\user\Documents\10K
2013-06-10 17:59 - 2011-01-10 20:41 - 00000000 ____D C:\Users\user\Documents\Mom
2013-06-10 16:50 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-10 16:50 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-10 09:11 - 2011-01-10 20:34 - 00000000 ____D C:\Users\user\Documents\Mahlon's
2013-06-10 06:27 - 2011-05-07 09:21 - 00000000 ____D C:\Users\user\Documents\Pagan
2013-06-09 18:19 - 2011-01-09 15:53 - 00000000 ____D C:\Program Files\Common Files\Adobe AIR
2013-06-09 18:19 - 2010-12-11 04:56 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-29 19:57 - 2011-01-13 06:57 - 00376832 __ASH C:\Users\user\Documents\Thumbs.db
2013-05-29 13:36 - 2009-07-13 20:53 - 00032648 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-05-29 10:09 - 2011-01-10 20:45 - 00000000 ____D C:\Users\user\Documents\Politics
2013-05-23 13:30 - 2011-01-10 20:22 - 00000000 ____D C:\Users\user\Documents\Arnett Farm
2013-05-20 00:53 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-05-19 13:57 - 2012-05-04 11:41 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-05-18 09:11 - 2011-01-10 20:24 - 00000000 ____D C:\Users\user\Documents\Farm
2013-05-17 08:04 - 2013-05-17 08:04 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-05-16 07:41 - 2011-01-10 20:31 - 00000000 ____D C:\Users\user\Documents\Hutto EdF
2013-05-16 00:29 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-05-16 00:22 - 2009-07-13 20:33 - 02373080 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-16 00:05 - 2011-01-09 15:43 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-05-16 00:00 - 2011-01-10 19:23 - 72607752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

Files to move or delete:
====================
C:\Users\user\avg_isc_stb_all_2012_2180.exe
C:\Users\user\AppData\Roaming\skype.dat
C:\Users\user\AppData\Roaming\skype.ini
C:\Users\user\Application Data\skype.dat
C:\Users\user\Application Data\skype.ini

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 4060.8 MB
Available physical RAM: 3553.71 MB
Total Pagefile: 4059.08 MB
Available Pagefile: 3559.18 MB
Total Virtual: 2047.88 MB
Available Virtual: 1919.3 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:222.03 GB) (Free:146.22 GB) NTFS
Drive e: (HP DJ1050_J410) (CDROM) (Total:0.15 GB) (Free:0 GB) CDFS
Drive f: (STORE'N'GO) (Removable) (Total:3.76 GB) (Free:3.74 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:10.76 GB) (Free:6.4 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 233 GB) (Disk ID: EC0328C2)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=11 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=222 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 2C6B7369)
Partition 1: (Not Active) - (Size=883 GB) - (Type=68)
Partition 2: (Not Active) - (Size=257 GB) - (Type=79)
Partition 3: (Not Active) - (Size=667 GB) - (Type=53)
Partition 4: (Not Active) - (Size=10 MB) - (Type=49)

LastRegBack: 2013-06-02 21:40

==================== End Of Log ============================

and

Farbar Recovery Scan Tool (x86) Version: 12-06-2013 04
Ran by SYSTEM at 2013-06-12 20:40:39
Running from F:\
Boot Mode: Recovery

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===

If you need anything else, please let me know; I will be checking back and e-mail. Thank you for any help in advance. He is on SS and does not have a lot of money to spend, if we can take care of this here.
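The line FRST marks with ATTENTION in the scan log above is the persistence mechanism of this lock-screen infection: the Winlogon Shell value has been changed from the default explorer.exe to explorer.exe chained with skype.dat under the user's AppData, which is exactly the value the later Fixlog deletes. As an added example (not part of the forum posts and not FRST's own code), the checker below reads FRST-style Registry lines and flags that pattern, plus Run entries that point to a missing file or into a user profile; the sample lines are copied from the log above except for one constructed Run entry, which is marked as such.

```python
import re

# Default Windows shell. FRST prints the Winlogon Shell value verbatim, so any
# extra comma-separated component after explorer.exe is an injected loader.
DEFAULT_SHELL = "explorer.exe"
# Autostart binaries under a user's profile data directories are a common
# persistence location for lock-screen ransomware of this kind.
USER_DATA_RE = re.compile(r"(?i)c:\\users\\[^\\]+\\(?:appdata|application data)\\[^\s,]+")
WINLOGON_RE = re.compile(r"^HK\w+\\.*\\Winlogon: \[(\w+)\] (.*?)(?: <==== ATTENTION)?$")
RUN_RE = re.compile(r"^HK\w+\\.*\\Run: \[([^\]]*)\] (.*)$")


def check_line(line: str) -> list:
    """Return the findings for one FRST Registry line (empty list when clean)."""
    findings = []
    m = WINLOGON_RE.match(line)
    if m and m.group(1).lower() == "shell":
        for part in m.group(2).split(","):
            part = part.strip()
            if part.lower() != DEFAULT_SHELL:
                note = "" if part.lower().endswith(".exe") else " (non-.exe payload)"
                findings.append(f"Winlogon Shell hijack: {part}{note}")
        return findings
    m = RUN_RE.match(line)
    if m:
        name, target = m.groups()
        hit = USER_DATA_RE.search(target)
        if target.strip() == "[x]":
            findings.append(f"Run entry [{name}] points to a missing file")
        elif hit:
            findings.append(f"Run entry [{name}] starts from a user profile: {hit.group(0)}")
    return findings


def scan(lines) -> dict:
    """Map each flagged line to its findings; clean lines are omitted."""
    return {line: f for line in lines if (f := check_line(line))}


# Sample input: lines copied from the scan log above, plus one constructed
# Run entry (marked) to exercise the user-profile check.
SAMPLE_LINES = [
    r"HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7739936 2009-09-11] (Realtek Semiconductor)",
    r"HKLM\...\Run: [] [x]",
    r"HKU\user\...\Winlogon: [shell] explorer.exe,C:\Users\user\AppData\Roaming\skype.dat <==== ATTENTION",
    r"HKU\user\...\Run: [updater] C:\Users\user\AppData\Roaming\updater.exe [12345 2013-06-12] ()",  # constructed
]

if __name__ == "__main__":
    for line, found in scan(SAMPLE_LINES).items():
        print(line)
        for f in found:
            print("   ->", f)
```

The same check applies to the Fixlog: after a successful fix the Winlogon line should show explorer.exe alone, so a second run over the post-fix scan should return no Winlogon finding.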