Jump to content

FBI Virus/White Screen

JoystickWizard
 Share

Recommended Posts

JoystickWizard

JoystickWizard

Posted
Posted

Hello, I have a computer that apparently has been infected by the FBI Virus. (Toshiba Satellite Windows 7 64 bit) I was told it had the FBI Virus, although I have not seen it. The person that brought it to me described the warning and the picture of her taken by webcam. When she brought the computer to me, it only displays a white screen with a cursor in Windows.

When I boot it, I log in to windows normally, I can see the desktop and icons, then the white screen pops up with cursor. Ctrl+Alt+Delete gets me to the change user/task manager screen, but cannot start the task manager. I have tried going into safe mode, and it works momentarily, but kicks me out and restarts the computer almost instantly.

I cannot create a log from windows, but read up and created one using FarBar. Any help would be appreciated.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-04-2013

Ran by SYSTEM on 24-04-2013 13:35:49

Running from F:\

Windows 7 Home Premium (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] [x]

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-20] (Synaptics Incorporated)

HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [497504 2009-08-21] (TOSHIBA Corporation)

HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)

HKLM\...\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)

HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [909624 2009-08-05] (TOSHIBA Corporation)

HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [711000 2009-08-04] (TOSHIBA Corporation)

HKLM\...\Run: [smartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-07-29] (TOSHIBA Corporation)

HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1482080 2009-08-11] (TOSHIBA Corporation)

HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2009-08-03] (TOSHIBA Corporation)

HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2009-10-28] (TOSHIBA Corporation)

HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [34648 2009-10-28] (TOSHIBA Corporation)

HKLM\...\RunOnce: [*Restore] C:\windows\system32\rstrui.exe /RUNONCE [296960 2009-07-13] (Microsoft Corporation)

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-07-29] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294136 2009-08-17] (TOSHIBA Corporation)

HKLM-x32\...\Run: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2446648 2009-08-11] (TOSHIBA CORPORATION.)

HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-07-12] ()

HKU\wlber\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-11-12] (Google Inc.)

HKU\wlber\...\Run: [gfugencv] C:\Users\wlber\AppData\Local\mebwnqqpg\wwfmtfltssd.exe [x]

HKU\wlber\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)

HKU\wlber\...\Run: [searchEngineProtection] C:\Program Files (x86)\Gamesbar\SearchEngineProtection.exe [591248 2011-03-03] (Oberon Media )

Startup: C:ProgramData\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)

Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk

ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

==================== Services (Whitelisted) =================

S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)

==================== Drivers (Whitelisted) ====================

S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [x]

S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [x]

S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-04-24 13:35 - 2013-04-24 13:35 - 00000000 ____D C:\FRST

2013-03-26 18:42 - 2013-04-24 13:28 - 00000000 ____D C:\b1924ca1962cb1497fe6

2013-03-26 18:42 - 2013-03-26 18:42 - 00000000 ____D C:\Windows\System32\EventProviders

==================== One Month Modified Files and Folders =======

2013-04-24 13:35 - 2013-04-24 13:35 - 00000000 ____D C:\FRST

2013-04-24 13:30 - 2010-05-23 16:29 - 00000000 ____D C:\users\wlber

2013-04-24 13:30 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\DVD Maker

2013-04-24 13:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz

2013-04-24 13:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\manifeststore

2013-04-24 13:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Dism

2013-04-24 13:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\oobe

2013-04-24 13:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\migwiz

2013-04-24 13:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\manifeststore

2013-04-24 13:29 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal

2013-04-24 13:29 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar

2013-04-24 13:29 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Portable Devices

2013-04-24 13:29 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer

2013-04-24 13:29 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender

2013-04-24 13:29 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar

2013-04-24 13:29 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ___AD C:\Windows\System32\sysprep

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\TAPI

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sppui

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Speech

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Setup

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\oobe

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\MUI

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sppui

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\spp

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Speech

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Setup

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\MUI

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Dism

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\AdvancedInstallers

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing

2013-04-24 13:29 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System

2013-04-24 13:28 - 2013-03-26 18:42 - 00000000 ____D C:\b1924ca1962cb1497fe6

2013-04-24 13:28 - 2012-01-15 13:30 - 00000000 ____D C:ProgramData\McAfee Security Scan

2013-04-24 13:28 - 2010-05-23 15:13 - 00000000 ____D C:\Users\wlber\AppData\Local\TOSHIBA_Corporation

2013-04-24 13:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\security

2013-04-24 13:26 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-04-24 08:31 - 2011-02-11 20:41 - 00000000 ___HD C:\Users\wlber\Tracing

2013-04-03 12:04 - 2011-06-18 12:22 - 00000000 ___AD C:ProgramData\TEMP

2013-03-31 11:48 - 2010-06-17 22:12 - 00000000 ___HD C:\Users\wlber\AppData\Local\CrashDumps

2013-03-30 11:24 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices

2013-03-26 18:42 - 2013-03-26 18:42 - 00000000 ____D C:\Windows\System32\EventProviders

2013-03-26 18:42 - 2010-02-07 03:54 - 01097071 ____A C:\Windows\WindowsUpdate.log

2013-03-26 18:32 - 2010-05-23 14:41 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-03-26 17:50 - 2012-12-27 09:33 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-03-26 17:32 - 2010-05-23 14:41 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-03-26 15:13 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-03-26 15:13 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-03-26 15:11 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2013-03-26 15:04 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-03-26 15:04 - 2009-07-13 20:51 - 00052444 ____A C:\Windows\setupact.log

Other Malware:

===========

C:\Users\wlber\AppData\Roaming\skype.dat

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-03-26 18:44:06

Restore point made on: 2013-03-30 13:11:56

==================== Memory info ===========================

Percentage of memory in use: 14%

Total physical RAM: 3836.17 MB

Available physical RAM: 3287.39 MB

Total Pagefile: 3834.32 MB

Available Pagefile: 3274.28 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (TI105736W0B) (Fixed) (Total:287.61 GB) (Free:229.35 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]

Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]

Drive f: (USB DISK) (Removable) (Total:7.28 GB) (Free:7.27 GB) FAT32 (Disk=1 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Disk 1 Online 7457 MB 0 B

Partitions of Disk 0:

===============

Disk ID: D6CF2304

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 1500 MB 1024 KB

Partition 2 Primary 287 GB 1501 MB

Partition 3 Primary 9 GB 289 GB

==================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C TI105736W0B NTFS Partition 287 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 17

Hidden: Yes

Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:

===============

Disk ID: 00000000

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 7453 MB 16 KB

==================================================================================

Disk: 1

Partition 1

Type : 0C

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F USB DISK FAT32 Removable 7453 MB Healthy

=========================================================

============================== MBR & Partition Table ==================

====================================================================

Disk: 0 (MBR Code: Windows Vista) (Size: 298 GB) (Disk ID: D6CF2304)

Partition 1: (Active) - (Size=1 GB) - (Type=27)

Partition 2: (Not Active) - (Size=288 GB) - (Type=07) (NTFS)

Partition 3: (Not Active) - (Size=9 GB) - (Type=17)

====================================================================

Disk: 1 (Size: 7 GB) (Disk ID: 00000000)

Partition 1: (Not Active) - (Size=7 GB) - (Type=0C)

Last Boot: 2013-01-06 16:41

==================== End Of Log ============================

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now.

MrC

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.