
FBI ransomware - launches after 2 seconds


cthor


  1. Please download Farbar Recovery Scan Tool and save it to a flash drive.
    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    Plug the flash drive into the infected PC.
  2. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
    If you are using Vista or Windows 7 enter System Recovery Options.
    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforu...isc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt.
  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC


I was able to run "frst" via "Safe Mode w/ Command Prompt", but I have a feeling it doesn't give you what you need. I did however notice some suspicious looking file names that are time stamped near when the virus first appeared:

2013-01-18 04:44 - 2013-01-18 14:42 - 95023320 ___AT C:\Users\All Users\dsgsdgdsgdsgw.pad

2013-01-18 04:44 - 2013-01-18 14:42 - 00002965 ____A C:\Users\All Users\dsgsdgdsgdsgw.js

2013-01-18 04:44 - 2013-01-18 04:44 - 00165888 ____A C:\Users\Christopher\wgsdgsdgdsgsd.exe

Anyway, here is the log I was able to get. Unfortunately, as I said, there isn't a "Repair" prompt in the advanced boot options.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-01-2013
Ran by Christopher at 18-01-2013 14:52:00
Running from E:\
Service Pack 2 (X86) OS Language: English(US)
Attention: Could not load system hive.
ERROR: The process cannot access the file because it is being used by another process.
ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

==================== One Month Created Files and Folders ========

2013-01-18 14:51 - 2013-01-18 14:52 - 00000000 ____D C:\FRST
2013-01-18 06:36 - 2013-01-18 06:36 - 00135000 ____A C:\Windows\Minidump\Mini011813-01.dmp
2013-01-18 04:51 - 2013-01-18 04:51 - 00000552 ____A C:\Users\Christopher\AppData\Local\d3d8caps.dat
2013-01-18 04:44 - 2013-01-18 14:42 - 95023320 ___AT C:\Users\All Users\dsgsdgdsgdsgw.pad
2013-01-18 04:44 - 2013-01-18 14:42 - 00002965 ____A C:\Users\All Users\dsgsdgdsgdsgw.js
2013-01-18 04:44 - 2013-01-18 04:44 - 00165888 ____A C:\Users\Christopher\wgsdgsdgdsgsd.exe
2013-01-17 20:21 - 2013-01-17 20:21 - 00000860 ____A C:\Users\Christopher\Desktop\Patcher - Shortcut.lnk
2013-01-17 20:20 - 2013-01-17 20:20 - 00000000 ____D C:\Users\Christopher\Desktop\Gather
2013-01-17 20:10 - 2013-01-17 20:10 - 00000000 ____D C:\Users\Christopher\Desktop\gatherer
2013-01-16 21:58 - 2013-01-16 21:58 - 00139072 ____A C:\Windows\Minidump\Mini011613-01.dmp
2013-01-15 19:05 - 2013-01-15 19:05 - 00000000 ____D C:\Users\Christopher\Desktop\Albums
2013-01-15 14:21 - 2013-01-15 14:21 - 00001875 ____A C:\Users\Christopher\Desktop\Wordpad.lnk
2013-01-15 14:06 - 2013-01-15 14:06 - 00004544 ____A C:\Users\Christopher\Desktop\New Journal Document.jnt
2013-01-14 02:26 - 2013-01-14 02:26 - 00000047 ____A C:\Users\Christopher\Desktop\Ancient Mariner.txt
2013-01-11 18:55 - 2013-01-11 18:56 - 00000000 ____D C:\Users\Christopher\Desktop\Anti-Virus and Spyware
2013-01-11 18:52 - 2013-01-11 18:57 - 00000000 ____D C:\Users\Christopher\Desktop\VoIP
2013-01-10 11:42 - 2013-01-10 11:42 - 00139072 ____A C:\Windows\Minidump\Mini011013-01.dmp
2013-01-08 23:18 - 2010-10-21 00:00 - 00695296 ____A (AnjoCaido) C:\Users\Christopher\Desktop\Minecraft SP 2.exe
2013-01-08 23:12 - 2012-11-22 20:35 - 02048000 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-01-08 22:55 - 2012-11-19 23:22 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2013-01-08 22:53 - 2012-11-02 05:19 - 01400832 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2013-01-04 12:52 - 2013-01-04 12:53 - 00000000 ____D C:\Users\Christopher\Downloads\Game.of.Thrones.S02
2012-12-31 17:53 - 2013-01-18 04:51 - 00000000 ____A C:\Windows\System32\filetrace.log
2012-12-30 02:19 - 2012-12-30 02:23 - 00000000 ____D C:\Program Files\RaidCall
2012-12-30 02:19 - 2012-12-30 02:19 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\raidcall
2012-12-21 03:01 - 2012-12-16 08:12 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-21 03:01 - 2012-12-16 05:50 - 00293376 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-20 13:23 - 2012-12-20 13:23 - 00000000 ____D C:\Users\Christopher\Desktop\random pic

==================== One Month Modified Files and Folders ========

2013-01-18 14:43 - 2006-11-02 08:01 - 00032564 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-01-18 14:43 - 2006-11-02 08:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-18 14:42 - 2013-01-18 04:44 - 95023320 ___AT C:\Users\All Users\dsgsdgdsgdsgw.pad
2013-01-18 14:42 - 2013-01-18 04:44 - 00002965 ____A C:\Users\All Users\dsgsdgdsgdsgw.js
2013-01-18 14:42 - 2010-07-30 22:45 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-18 06:36 - 2013-01-18 06:36 - 00135000 ____A C:\Windows\Minidump\Mini011813-01.dmp
2013-01-18 06:36 - 2008-02-17 20:26 - 150773581 ____A C:\Windows\MEMORY.DMP
2013-01-18 06:36 - 2008-02-17 20:26 - 00000000 ____D C:\Windows\Minidump
2013-01-18 05:00 - 2006-11-02 07:47 - 00003664 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-18 05:00 - 2006-11-02 07:47 - 00003664 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-18 04:58 - 2009-11-30 01:08 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\uTorrent
2013-01-18 04:58 - 2008-02-17 05:09 - 00001356 ____A C:\Users\Christopher\AppData\Local\d3d9caps.dat
2013-01-18 04:58 - 2006-11-02 07:52 - 02094535 ____A C:\Windows\WindowsUpdate.log
2013-01-18 04:57 - 2010-07-30 22:45 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-18 04:52 - 2011-11-20 19:53 - 00000000 ____D C:\Program Files\Steam
2013-01-18 04:51 - 2013-01-18 04:51 - 00000552 ____A C:\Users\Christopher\AppData\Local\d3d8caps.dat
2013-01-18 04:51 - 2012-12-31 17:53 - 00000000 ____A C:\Windows\System32\filetrace.log
2013-01-18 04:51 - 2011-06-19 22:31 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\DMCache
2013-01-18 04:51 - 2009-09-28 02:36 - 00000000 ____D C:\Users\Christopher\Tracing
2013-01-18 04:44 - 2013-01-18 04:44 - 00165888 ____A C:\Users\Christopher\wgsdgsdgdsgsd.exe
2013-01-18 04:44 - 2008-02-17 05:09 - 00000000 ____D C:\users\Christopher
2013-01-17 20:21 - 2013-01-17 20:21 - 00000860 ____A C:\Users\Christopher\Desktop\Patcher - Shortcut.lnk
2013-01-17 20:20 - 2013-01-17 20:20 - 00000000 ____D C:\Users\Christopher\Desktop\Gather
2013-01-17 20:10 - 2013-01-17 20:10 - 00000000 ____D C:\Users\Christopher\Desktop\gatherer
2013-01-16 22:03 - 2006-11-02 05:33 - 00767710 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-16 22:01 - 2008-02-17 05:09 - 00071896 ____A C:\Users\Christopher\AppData\Local\GDIPFONTCACHEV1.DAT
2013-01-16 21:59 - 2006-11-02 07:47 - 04530040 ____A C:\Windows\System32\FNTCACHE.DAT
2013-01-16 21:58 - 2013-01-16 21:58 - 00139072 ____A C:\Windows\Minidump\Mini011613-01.dmp
2013-01-16 21:58 - 2008-05-28 12:03 - 00095122 ____A C:\Windows\PFRO.log
2013-01-15 19:05 - 2013-01-15 19:05 - 00000000 ____D C:\Users\Christopher\Desktop\Albums
2013-01-15 14:21 - 2013-01-15 14:21 - 00001875 ____A C:\Users\Christopher\Desktop\Wordpad.lnk
2013-01-15 14:06 - 2013-01-15 14:06 - 00004544 ____A C:\Users\Christopher\Desktop\New Journal Document.jnt
2013-01-14 02:26 - 2013-01-14 02:26 - 00000047 ____A C:\Users\Christopher\Desktop\Ancient Mariner.txt
2013-01-13 02:50 - 2012-11-22 11:24 - 00000000 ____D C:\Program Files\World of Warcraft
2013-01-11 19:25 - 2008-02-17 22:23 - 00158208 ____A C:\Users\Christopher\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-01-11 19:08 - 2008-02-17 22:03 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2013-01-11 19:06 - 2011-04-03 18:48 - 00000000 ____D C:\Program Files\DOOM 3
2013-01-11 19:05 - 2010-03-15 15:47 - 00000000 ____D C:\Program Files\AutoIt3
2013-01-11 19:05 - 2006-11-02 07:37 - 00000000 ____D C:\Windows\ShellNew
2013-01-11 19:04 - 2010-11-24 12:44 - 00000000 ____D C:\Users\Christopher\Desktop\EVERYTHING
2013-01-11 19:04 - 2008-02-17 22:28 - 00000000 ____D C:\Users\Christopher\Desktop\Games
2013-01-11 18:57 - 2013-01-11 18:52 - 00000000 ____D C:\Users\Christopher\Desktop\VoIP
2013-01-11 18:56 - 2013-01-11 18:55 - 00000000 ____D C:\Users\Christopher\Desktop\Anti-Virus and Spyware
2013-01-11 18:56 - 2012-11-17 19:08 - 00000000 ____D C:\Users\Christopher\Desktop\NES
2013-01-11 18:50 - 2010-02-13 12:55 - 00000000 ____D C:\Users\Christopher\Desktop\Backup
2013-01-11 18:45 - 2011-05-22 13:44 - 00000000 ____D C:\Users\Christopher\Desktop\Trainers
2013-01-11 18:42 - 2012-07-13 12:31 - 00000000 ____D C:\Users\Christopher\Desktop\WoW updates
2013-01-11 18:39 - 2011-12-27 02:13 - 00000000 ____D C:\Users\Christopher\Desktop\Rosetta Stone V3 - Russian
2013-01-10 23:47 - 2006-11-02 07:52 - 00059043 ____A C:\Windows\setupact.log
2013-01-10 11:42 - 2013-01-10 11:42 - 00139072 ____A C:\Windows\Minidump\Mini011013-01.dmp
2013-01-09 05:57 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-01-09 03:17 - 2012-09-23 18:28 - 00000000 ____D C:\Users\All Users\Microsoft Help
2013-01-09 03:02 - 2006-11-02 05:24 - 65273848 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-01-08 15:55 - 2011-08-06 11:31 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\.minecraft
2012-12-30 14:39 - 2012-10-30 21:59 - 00000000 ____D C:\Users\Christopher\Desktop\Canon
2012-12-30 02:23 - 2012-12-30 02:19 - 00000000 ____D C:\Program Files\RaidCall
2012-12-30 02:19 - 2012-12-30 02:19 - 00000000 ____D C:\Users\Christopher\AppData\Roaming\raidcall
2012-12-20 13:23 - 2012-12-20 13:23 - 00000000 ____D C:\Users\Christopher\Desktop\random pic

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2012-12-12 21:48] - [2012-08-21 06:47] - 0224640 ____A (Microsoft Corporation) 786DB5771F05EF300390399F626BF30A

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 2036.91 MB
Available physical RAM: 1624.12 MB
Total Pagefile: 4310.83 MB
Available Pagefile: 4069.67 MB
Total Virtual: 2047.88 MB
Available Virtual: 1954.29 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:465.76 GB) (Free:38.82 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DVDVolume) (CDROM) (Total:7.3 GB) (Free:0 GB) UDF
3 Drive e: (Samsung) (Removable) (Total:7.47 GB) (Free:7.4 GB) NTFS

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online      466 GB   0 B
Disk 1    Online      7650 MB  0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           466 GB   1024 KB

=========================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1   C                NTFS   Partition   466 GB   Healthy    System (partition with boot components)

=========================================================

Partitions of Disk 1:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           7645 MB  5196 KB

=========================================================

Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2   E    Samsung      NTFS   Removable   7645 MB  Healthy

=========================================================

Last Boot: 2013-01-18 06:55

==================== End Of Log ============================

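A triage pass over FRST-style "Created Files" lines like the ones in the log above, added here as an example (it is not part of the thread and not FRST's own logic). It runs on a constructed six-line sample and flags entries using the traits the thread itself points to: files dropped directly in a profile root, vowel-free keyboard-mash names, executables or scripts with no vendor information, and several files created in the same minute.

```python
import re
from collections import defaultdict

# Constructed sample in FRST "Created Files and Folders" format, modelled on the thread's entries.
SAMPLE_LOG = """\
2013-01-18 14:51 - 2013-01-18 14:52 - 00000000 ____D C:\\FRST
2013-01-18 04:44 - 2013-01-18 14:42 - 95023320 ___AT C:\\Users\\All Users\\dsgsdgdsgdsgw.pad
2013-01-18 04:44 - 2013-01-18 14:42 - 00002965 ____A C:\\Users\\All Users\\dsgsdgdsgdsgw.js
2013-01-18 04:44 - 2013-01-18 04:44 - 00165888 ____A C:\\Users\\Christopher\\wgsdgsdgdsgsd.exe
2013-01-18 04:51 - 2013-01-18 04:51 - 00000552 ____A C:\\Users\\Christopher\\AppData\\Local\\d3d8caps.dat
2013-01-08 23:12 - 2012-11-22 20:35 - 02048000 ____A (Microsoft Corporation) C:\\Windows\\System32\\win32k.sys
"""

# Field order per line: created - modified - size attrs [(vendor)] path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<modified>\S+ \S+) - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) (?:\((?P<vendor>[^)]*)\) )?(?P<path>.+)$"
)
# A file directly under C:\Users\<name>\ or C:\Users\All Users\ (no subfolder), as in the thread.
PROFILE_ROOT_RE = re.compile(r"^C:\\Users\\[^\\]+\\[^\\]+$", re.IGNORECASE)
ACTIVE_EXT = (".exe", ".js", ".pad", ".dll", ".scr", ".vbs", ".bat", ".cmd")

def parse(log):
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def looks_random(name):
    """Keyboard-mash names like dsgsdgdsgdsgw are long and almost vowel-free."""
    letters = [c for c in name.rsplit(".", 1)[0].lower() if c.isalpha()]
    return len(letters) >= 8 and sum(c in "aeiouy" for c in letters) / len(letters) < 0.15

def triage(log, min_hits=2):
    """Flag entries matching at least min_hits heuristics; returns [(path, reasons)]."""
    entries = parse(log)
    per_minute = defaultdict(int)
    for e in entries:
        per_minute[e["created"]] += 1
    flagged = []
    for e in entries:
        if "D" in e["attrs"]:
            continue  # directories are not droppers
        path = e["path"]
        name = path.rsplit("\\", 1)[-1]
        reasons = []
        if PROFILE_ROOT_RE.match(path):
            reasons.append("dropped directly in a profile root")
        if looks_random(name):
            reasons.append("random-looking name")
        if name.lower().endswith(ACTIVE_EXT) and not e["vendor"]:
            reasons.append("executable/script with no vendor info")
        if per_minute[e["created"]] > 1:
            reasons.append("created in the same minute as other files")
        if len(reasons) >= min_hits:
            flagged.append((path, reasons))
    return flagged
```

On the sample, the three thread entries each trip all four heuristics while the caps file and win32k.sys trip none; on a real log, treat the output as a shortlist to review, not a verdict.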

You're correct, these are the bad ones:

2013-01-18 04:44 - 2013-01-18 14:42 - 95023320 ___AT C:\Users\All Users\dsgsdgdsgdsgw.pad

2013-01-18 04:44 - 2013-01-18 14:42 - 00002965 ____A C:\Users\All Users\dsgsdgdsgdsgw.js

2013-01-18 04:44 - 2013-01-18 04:44 - 00165888 ____A C:\Users\Christopher\wgsdgsdgdsgsd.exe

If you can get to "Safe Mode w/ Command Prompt"

We can try system restore:

Step 1: Use F8 to Boot to SafeMode With Command Prompt

Step 2: Type the word "explorer" in black screen

Step 3: Then Navigate to:

Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter (double click rstrui.exe)

Step 4: Restore Computer to Date you know you were virus free

If not, you'll have to create an OTLPE disk and scan the system with it as outlined in the link below:

http://forums.malwar...ndpost&p=627789

Let me know.....MrC


Well, I have some good news!

In using your idea about system restore, and the knowledge of DOS from my Doom/Heretic gaming days, I appear to be virus free! Here is how I did it in hopes it may help someone in the future:

1. Restart your machine into the advanced boot options by tapping F8 through/after the BIOS screen

2. Use arrow keys and select "Safe Mode w/ Command Prompt", hit enter

3. If your system is password protected (as mine is), login. *IMMEDIATELY after you submit your password, use ctrl+alt+delete to bring up your task manager. (For me, it prevented FBI Moneypak virus from taking over and locking everything)

4. In your command prompt, make sure your base directory is selected, which should look similar to this:

C:\

Next, type "cd windows\system32" so you're in the proper directory

5. Type "rstrui.exe" and wait for the system restore window to appear.

6. Select your desired restore point and wait for it to do its job.

Thank you very much for your help, MrC. This was my first encounter with having to remove a virus, and hopefully it'll be the last. If I have any additional questions, I'll be sure to come here!


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
