
FBI lock out malware



The FBI Moneypak scam decided to hop onto my computer around 2 this afternoon. I have tried to use the guides on YouTube to go into safe mode, but it goes to my login screen, I log in, then for a split second a coding screen pops up, then disappears and my laptop restarts. It then goes back to the regular login screen and logs in to the locked screen. Can someone help me get rid of this virus? Thanks in advance!!


Welcome to the forum, here's how we deal with that malware:

  1. Please download Farbar Recovery Scan Tool and save it to a flash drive.
     Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
     Plug the flash drive into the infected PC.
  2. If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt to enter the System Recovery Command Prompt.
     If you are using Vista or Windows 7, enter System Recovery Options.
     To enter System Recovery Options from the Advanced Boot Options:
     • Restart the computer.
     • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
     • Use the arrow keys to select the Repair your computer menu item.
     • Select US as the keyboard language setting, and then click Next.
     • Select the operating system you want to repair, and then click Next.
     • Select your user account and click Next.

     Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

     To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

     To enter System Recovery Options by using the Windows installation disc:
     • Insert the installation disc.
     • Restart your computer.
     • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
     • Click Repair your computer.
     • Select US as the keyboard language setting, and then click Next.
     • Select the operating system you want to repair, and then click Next.
     • Select your user account and click Next.
  3. On the System Recovery Options menu you will get the following options:
     • Startup Repair
     • System Restore
     • Windows Complete PC Restore
     • Windows Memory Diagnostic Tool
     • Command Prompt
     Select Command Prompt.
  4. Once in the Command Prompt, type notepad and press Enter.
  5. Notepad opens. Under the File menu select Open.
  6. Select "Computer", find your flash drive letter, and close Notepad.
  7. In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter.
     Note: Replace the letter e with the drive letter of your flash drive.
  8. The tool will start to run.
  9. When the tool opens, click Yes to the disclaimer.
  10. Press the Scan button.
  11. It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

MrC


I got to step 2, and right after I selected my keyboard language as US, it said "To access recovery options, log on as a local user. To access the command prompt as well, log on using an administrator account." It asked for a user name and password. The two user name options were "Acer" and "HomeGroupUser$". Which should I select? Also, where and when would I have set my password?


Yes, if you have a good system restore point...here's how to do it:

Step 1: Use F8 to Boot to SafeMode With Command Prompt

Step 2: Type the word "explorer" in the black screen

Step 3: Then Navigate to:

Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter (double click rstrui.exe)

Step 4: Restore Computer to Date you know you were virus free

Step 5: Run Malwarebytes

Let me know, MrC


Will any point in time before I got the virus work? The restore points are either Windows updates or automatic restore points. I was not able to go through safe mode command prompt; it asks me to log in then restarts. I had to go through the System Recovery Options to get to the restore point screen.


I thank you, sir, for your patience. I, on the other hand, have had a bout of incompetence today. Here is the log from the Farbar scan:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-05-2013 01

Ran by SYSTEM on 22-05-2013 14:06:58

Running from F:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2588968 2010-11-11] (ELAN Microelectronics Corp.)

HKLM\...\Run: [Power Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [1831016 2011-08-02] (Acer Incorporated)

HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)

HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1151152 2013-02-18] ()

HKU\Acer\...\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil64_11_1_102_ActiveX.exe -update activex [465568 2012-03-12] (Adobe Systems, Inc.)

HKU\Default\...\RunOnce: [scrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [154144 2010-07-29] ()

HKU\Default User\...\RunOnce: [scrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [154144 2010-07-29] ()

BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart

==================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [5174392 2012-11-02] (AVG Technologies CZ, s.r.o.)

S2 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)

S4 CxAudMsg; C:\Windows\system32\CxAudMsg64.exe [198784 2010-12-16] (Conexant Systems Inc.)

S2 ioloSystemService; C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [1070080 2013-03-17] (iolo technologies, LLC)

S4 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)

S4 RS_Service; C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe [260640 2010-01-29] (Acer Incorporated)

S2 vToolbarUpdater14.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [968880 2013-02-18] ()

S2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [x]

==================== Drivers (Whitelisted) ====================

S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [127328 2012-12-10] (AVG Technologies CZ, s.r.o. )

S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )

S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )

S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [307040 2012-11-08] (AVG Technologies CZ, s.r.o.)

S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)

S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)

S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [384800 2013-04-11] (AVG Technologies CZ, s.r.o.)

S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [39768 2013-02-18] (AVG Technologies)

S1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [30752 2012-12-06] (EldoS Corporation)

S3 PCDSRVC{D1725DDC-2812BDD5-06020101}_0; \??\c:\users\acer\appdata\local\temp\u2cs7ohjp6kr\pcdrdiag\bin\pcdsrvc_x64.pkms [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-22 14:06 - 2013-05-22 14:06 - 00000000 ____D C:\FRST

2013-05-21 10:49 - 2013-05-21 10:49 - 01096074 ____A C:\Users\Acer\AppData\Local\2433f433

2013-05-21 10:49 - 2013-05-21 10:49 - 01096047 ____A C:\ProgramData\2433f433

2013-05-21 10:49 - 2013-05-21 10:49 - 01096037 ____A C:\Users\Acer\AppData\Roaming\2433f433

2013-05-14 16:27 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-12 11:02 - 2013-05-12 11:36 - 00021082 ____A C:\Users\Acer\Documents\book thief project.odt

2013-05-06 17:41 - 2013-05-06 17:41 - 00000000 ____D C:\Users\Acer\AppData\Local\Macromedia

2013-05-05 11:12 - 2013-05-05 13:13 - 00018425 ____A C:\Users\Acer\Documents\Book Thief.odt

2013-04-28 18:33 - 2013-05-09 18:02 - 00026251 ____A C:\Users\Acer\Documents\tienanmen square.odt

2013-04-27 12:20 - 2013-05-02 10:50 - 00020305 ____A C:\Users\Acer\Documents\CITR.odt

2013-04-26 12:40 - 2013-05-22 13:45 - 00000000 ____D C:\Users\Acer\AppData\Roaming\WildTangent

2013-04-23 18:34 - 2013-04-23 18:34 - 02141192 ____A (Solid State Networks) C:\Users\Acer\Downloads\install_flashplayer11x32_mssd_aih(1).exe

2013-04-23 10:50 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

2013-04-22 17:38 - 2013-05-22 13:48 - 00000000 ____D C:\ProgramData\BrowserProtect

2013-04-22 17:37 - 2013-04-22 17:37 - 00000000 ____D C:\Users\Acer\AppData\Roaming\Babylon

2013-04-22 17:37 - 2013-04-22 17:37 - 00000000 ____D C:\ProgramData\Babylon

2013-04-22 17:36 - 2013-04-22 18:08 - 00000000 ____D C:\Users\Acer\AppData\Roaming\ExpressFiles

==================== One Month Modified Files and Folders =======

2013-05-22 14:06 - 2013-05-22 14:06 - 00000000 ____D C:\FRST

2013-05-22 13:49 - 2012-03-12 12:27 - 00000000 ____D C:\Windows\System32\Drivers\AVG

2013-05-22 13:49 - 2012-02-16 09:05 - 00000000 ____D C:\users\Acer

2013-05-22 13:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-05-22 13:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\L2Schemas

2013-05-22 13:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat

2013-05-22 13:48 - 2013-04-22 17:38 - 00000000 ____D C:\ProgramData\BrowserProtect

2013-05-22 13:48 - 2013-04-15 16:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2013-05-22 13:48 - 2012-06-07 16:04 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search

2013-05-22 13:48 - 2012-03-12 12:27 - 00000000 ____D C:\ProgramData\AVG2012

2013-05-22 13:48 - 2011-10-24 02:12 - 00000000 ____D C:\ProgramData\WildTangent

2013-05-22 13:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-05-22 13:48 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

2013-05-22 13:45 - 2013-04-26 12:40 - 00000000 ____D C:\Users\Acer\AppData\Roaming\WildTangent

2013-05-22 13:34 - 2010-11-20 23:16 - 00000000 ___RD C:\Users\Public\Recorded TV

2013-05-21 10:49 - 2013-05-21 10:49 - 01096074 ____A C:\Users\Acer\AppData\Local\2433f433

2013-05-21 10:49 - 2013-05-21 10:49 - 01096047 ____A C:\ProgramData\2433f433

2013-05-21 10:49 - 2013-05-21 10:49 - 01096037 ____A C:\Users\Acer\AppData\Roaming\2433f433

2013-05-15 18:04 - 2012-04-12 18:09 - 00222720 __ASH C:\Users\Acer\Documents\Thumbs.db

2013-05-12 11:36 - 2013-05-12 11:02 - 00021082 ____A C:\Users\Acer\Documents\book thief project.odt

2013-05-09 18:02 - 2013-04-28 18:33 - 00026251 ____A C:\Users\Acer\Documents\tienanmen square.odt

2013-05-06 17:41 - 2013-05-06 17:41 - 00000000 ____D C:\Users\Acer\AppData\Local\Macromedia

2013-05-05 13:13 - 2013-05-05 11:12 - 00018425 ____A C:\Users\Acer\Documents\Book Thief.odt

2013-05-02 10:50 - 2013-04-27 12:20 - 00020305 ____A C:\Users\Acer\Documents\CITR.odt

2013-05-01 15:11 - 2012-02-16 23:44 - 01525795 ____A C:\Windows\WindowsUpdate.log

2013-05-01 09:47 - 2009-07-13 21:13 - 00727310 ____A C:\Windows\System32\PerfStringBackup.INI

2013-04-28 16:58 - 2012-05-24 08:14 - 00016456 ____A C:\Users\Acer\Documents\coin collection.odt

2013-04-26 12:40 - 2011-10-24 02:12 - 00000000 ____D C:\Program Files (x86)\WildTangent Games

2013-04-26 10:55 - 2011-10-24 02:12 - 00002626 ____A C:\Users\Public\Desktop\WildTangent Games App - acer.lnk

2013-04-26 10:53 - 2012-03-18 16:49 - 00000000 ____D C:\Program Files (x86)\WildGames

2013-04-26 07:19 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-04-26 07:19 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-04-24 10:34 - 2009-07-13 20:51 - 00044520 ____A C:\Windows\setupact.log

2013-04-24 10:04 - 2010-11-20 19:47 - 00048706 ____A C:\Windows\PFRO.log

2013-04-24 10:04 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-04-23 18:34 - 2013-04-23 18:34 - 02141192 ____A (Solid State Networks) C:\Users\Acer\Downloads\install_flashplayer11x32_mssd_aih(1).exe

2013-04-22 18:08 - 2013-04-22 17:36 - 00000000 ____D C:\Users\Acer\AppData\Roaming\ExpressFiles

2013-04-22 17:37 - 2013-04-22 17:37 - 00000000 ____D C:\Users\Acer\AppData\Roaming\Babylon

2013-04-22 17:37 - 2013-04-22 17:37 - 00000000 ____D C:\ProgramData\Babylon

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-04 16:48:42

Restore point made on: 2013-04-11 04:03:27

Restore point made on: 2013-04-12 03:53:44

Restore point made on: 2013-04-15 17:00:20

Restore point made on: 2013-04-15 17:09:17

Restore point made on: 2013-04-24 04:36:57

Restore point made on: 2013-05-01 15:11:32

Restore point made on: 2013-05-10 13:58:12

Restore point made on: 2013-05-15 04:21:14

==================== Memory info ===========================

Percentage of memory in use: 32%

Total physical RAM: 1770.9 MB

Available physical RAM: 1196.08 MB

Total Pagefile: 1770.9 MB

Available Pagefile: 1185.66 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:219.79 GB) (Free:175.27 GB) NTFS (Disk=0 Partition=3)

Drive e: (PQSERVICE) (Fixed) (Total:13 GB) (Free:3.4 GB) NTFS (Disk=0 Partition=1)

Drive f: (Lexar) (Removable) (Total:3.73 GB) (Free:3.7 GB) FAT32 (Disk=1 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: 2BD2C32A)

Partition 1: (Not Active) - (Size=13 GB) - (Type=27)

Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=220 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)

Partition 1: (Active) - (Size=4 GB) - (Type=0C)

Last Boot: 2013-05-14 14:33

==================== End Of Log ============================


I'm not seeing what I'm looking for in the log, but give this a try:

Please download the attached fixlist.txt and copy it to your flash drive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now. MrC

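The part of the FRST.txt that matters for a lockscreen infection like this one is the "One Month Created Files and Folders" section: three files named 2433f433, with no extension and no version information, written within the same minute to AppData\Local, ProgramData and AppData\Roaming with near-identical sizes. The following is an added example written for this thread, not code from FRST or from either poster. It parses that section of a log, groups files by name and creation minute, flags that dropper pattern, and emits the bare path lines an FRST fixlist.txt uses to move files to quarantine (the same lines a Fixlog then reports as "Moved successfully"). The sample input is a constructed slice of the log above; the DATA_DIRS list is an assumption to tune per case.

```python
"""Triage of an FRST (Farbar Recovery Scan Tool) log: flag dropper-style files.

Added example for this thread; not part of FRST or of the forum replies.
Parses the 'One Month Created Files and Folders' section and flags a hex-named,
extensionless file written to several data directories in the same minute.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the FRST.txt posted in this thread, plus
# one line from the next section to show that section boundaries are honoured.
SAMPLE_FRST = r"""
==================== One Month Created Files and Folders ========
2013-05-22 14:06 - 2013-05-22 14:06 - 00000000 ____D C:\FRST
2013-05-21 10:49 - 2013-05-21 10:49 - 01096074 ____A C:\Users\Acer\AppData\Local\2433f433
2013-05-21 10:49 - 2013-05-21 10:49 - 01096047 ____A C:\ProgramData\2433f433
2013-05-21 10:49 - 2013-05-21 10:49 - 01096037 ____A C:\Users\Acer\AppData\Roaming\2433f433
2013-05-14 16:27 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-12 11:02 - 2013-05-12 11:36 - 00021082 ____A C:\Users\Acer\Documents\book thief project.odt
==================== One Month Modified Files and Folders =======
2013-05-22 13:49 - 2012-03-12 12:27 - 00000000 ____D C:\Windows\System32\Drivers\AVG
"""

# FRST file line: "<created> - <modified> - <size> <attrs> [(<company>)] <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.+)$"
)
HEX_NAME = re.compile(r"^[0-9a-f]{6,16}$")
# Directories a standard user can write to without UAC; droppers favour them.
# Assumption: tune this list per case.
DATA_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\", "\\temp\\")


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str
    company: str  # version-info company name FRST prints in parentheses, or ""
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_created_section(text: str) -> list[Entry]:
    """Return the entries listed under 'One Month Created Files and Folders'."""
    entries: list[Entry] = []
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===================="):
            inside = "One Month Created Files" in line
            continue
        m = ENTRY_RE.match(line) if inside and line else None
        if m:
            entries.append(Entry(m["created"], m["modified"], int(m["size"]),
                                 m["attrs"], m["company"] or "", m["path"]))
    return entries


def in_data_dir(path: str) -> bool:
    return any(d in path.lower() for d in DATA_DIRS)


def triage(text: str) -> list[dict]:
    """Group created files by (basename, creation minute) and flag dropper-like groups."""
    groups: dict[tuple[str, str], list[Entry]] = defaultdict(list)
    for e in parse_created_section(text):
        if not e.is_dir:
            groups[(e.name.lower(), e.created)].append(e)

    findings = []
    for (name, created), items in groups.items():
        reasons = []
        if HEX_NAME.match(name):
            reasons.append("hex-only name without extension")
        dropped = [e for e in items if in_data_dir(e.path)]
        if len(dropped) >= 2:
            sizes = [e.size for e in dropped]
            reasons.append(f"same name written to {len(dropped)} data directories at {created} "
                           f"(size spread {max(sizes) - min(sizes)} bytes)")
        # Weak signal on its own, so only added once a stronger one has fired.
        if reasons and any(not e.company for e in dropped):
            reasons.append("no version information on a file in a data directory")
        if reasons:
            findings.append({"name": name, "paths": [e.path for e in items], "reasons": reasons})
    return findings


def fixlist_lines(findings: list[dict]) -> list[str]:
    """fixlist.txt lines: a bare file path tells FRST to move that file to quarantine."""
    return [p for f in findings for p in f["paths"]]


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print(f["name"], "->", "; ".join(f["reasons"]))
    print("\n".join(fixlist_lines(triage(SAMPLE_FRST))))
```

Running it against the sample flags only the 2433f433 group (win32k.sys is a signed Windows file outside any data directory, and the .odt files fail every test), and the fixlist lines it prints are the three paths the Fixlog below reports as moved. The RunOnce value the fix also deleted is not something this pass can decide on; registry entries need the same kind of grouping by target path and timestamp, which the created-files section alone does not give you.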

Here are the results from the fix program:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 22-05-2013 01

Ran by SYSTEM at 2013-05-22 16:41:23 Run:1

Running from G:\

Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore => Value deleted successfully.

C:\Users\Acer\AppData\Local\2433f433 => Moved successfully.

C:\ProgramData\2433f433 => Moved successfully.

C:\Users\Acer\AppData\Roaming\2433f433 => Moved successfully.

==== End of Fixlog ====


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-05-2013 01

Ran by SYSTEM on 22-05-2013 17:57:00

Running from F:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2588968 2010-11-11] (ELAN Microelectronics Corp.)

HKLM\...\Run: [Power Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [1831016 2011-08-02] (Acer Incorporated)

HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1151152 2013-02-18] ()

HKU\Acer\...\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil64_11_1_102_ActiveX.exe -update activex [465568 2012-03-12] (Adobe Systems, Inc.)

HKU\Default\...\RunOnce: [scrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [154144 2010-07-29] ()

HKU\Default User\...\RunOnce: [scrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [154144 2010-07-29] ()

BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart

==================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [5174392 2012-11-02] (AVG Technologies CZ, s.r.o.)

S2 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)

S4 CxAudMsg; C:\Windows\system32\CxAudMsg64.exe [198784 2010-12-16] (Conexant Systems Inc.)

S2 ioloSystemService; C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [1070080 2013-03-17] (iolo technologies, LLC)

S4 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)

S4 RS_Service; C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe [260640 2010-01-29] (Acer Incorporated)

S2 vToolbarUpdater14.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [968880 2013-02-18] ()

S2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [x]

==================== Drivers (Whitelisted) ====================

S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [127328 2012-12-10] (AVG Technologies CZ, s.r.o. )

S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )

S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )

S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [307040 2012-11-08] (AVG Technologies CZ, s.r.o.)

S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)

S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)

S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [384800 2013-04-11] (AVG Technologies CZ, s.r.o.)

S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [39768 2013-02-18] (AVG Technologies)

S1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [30752 2012-12-06] (EldoS Corporation)

S3 PCDSRVC{D1725DDC-2812BDD5-06020101}_0; \??\c:\users\acer\appdata\local\temp\u2cs7ohjp6kr\pcdrdiag\bin\pcdsrvc_x64.pkms [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-22 14:06 - 2013-05-22 14:06 - 00000000 ____D C:\FRST

2013-05-12 11:02 - 2013-05-12 11:36 - 00021082 ____A C:\Users\Acer\Documents\book thief project.odt

2013-05-06 17:41 - 2013-05-06 17:41 - 00000000 ____D C:\Users\Acer\AppData\Local\Macromedia

2013-05-06 17:40 - 2013-05-06 17:40 - 00691592 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-05-06 17:38 - 2013-05-06 17:38 - 02141192 ____A (Solid State Networks) C:\Users\Acer\Downloads\install_flashplayer11x32_mssd_aih(2).exe

2013-05-06 17:35 - 2013-05-06 17:35 - 02141192 ____A (Solid State Networks) C:\Users\Acer\Downloads\install_flashplayer11x32_mssa_aih.exe

2013-05-05 11:12 - 2013-05-05 13:13 - 00018425 ____A C:\Users\Acer\Documents\Book Thief.odt

2013-04-28 18:33 - 2013-05-09 18:02 - 00026251 ____A C:\Users\Acer\Documents\tienanmen square.odt

2013-04-27 12:20 - 2013-05-02 10:50 - 00020305 ____A C:\Users\Acer\Documents\CITR.odt

2013-04-26 12:40 - 2013-05-22 16:57 - 00000000 ____D C:\Users\Acer\AppData\Roaming\WildTangent

2013-04-23 18:34 - 2013-04-23 18:34 - 02141192 ____A (Solid State Networks) C:\Users\Acer\Downloads\install_flashplayer11x32_mssd_aih(1).exe

2013-04-23 10:50 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

2013-04-22 17:38 - 2013-05-22 17:00 - 00000000 ____D C:\ProgramData\BrowserProtect

2013-04-22 17:37 - 2013-04-22 17:37 - 00000000 ____D C:\Users\Acer\AppData\Roaming\Babylon

2013-04-22 17:37 - 2013-04-22 17:37 - 00000000 ____D C:\ProgramData\Babylon

2013-04-22 17:36 - 2013-04-22 18:08 - 00000000 ____D C:\Users\Acer\AppData\Roaming\ExpressFiles

==================== One Month Modified Files and Folders =======

2013-05-22 17:01 - 2012-03-12 12:27 - 00000000 ____D C:\Windows\System32\Drivers\AVG

2013-05-22 17:01 - 2012-02-16 09:05 - 00000000 ____D C:\users\Acer

2013-05-22 17:01 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-05-22 17:01 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\L2Schemas

2013-05-22 17:01 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat

2013-05-22 17:00 - 2013-04-22 17:38 - 00000000 ____D C:\ProgramData\BrowserProtect

2013-05-22 17:00 - 2013-04-15 16:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2013-05-22 17:00 - 2012-06-07 16:04 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search

2013-05-22 17:00 - 2012-03-12 12:27 - 00000000 ____D C:\ProgramData\AVG2012

2013-05-22 17:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-05-22 17:00 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

2013-05-22 16:57 - 2013-04-26 12:40 - 00000000 ____D C:\Users\Acer\AppData\Roaming\WildTangent

2013-05-22 14:06 - 2013-05-22 14:06 - 00000000 ____D C:\FRST

2013-05-22 13:34 - 2010-11-20 23:16 - 00000000 ___RD C:\Users\Public\Recorded TV

2013-05-15 18:04 - 2012-04-12 18:09 - 00222720 __ASH C:\Users\Acer\Documents\Thumbs.db

2013-05-15 04:21 - 2012-02-16 23:44 - 01830223 ____A C:\Windows\WindowsUpdate.log

2013-05-14 12:16 - 2012-03-12 12:22 - 00000000 ____D C:\ProgramData\MFAData

2013-05-14 12:14 - 2012-03-12 12:29 - 00000969 ____A C:\Users\Public\Desktop\AVG 2012.lnk

2013-05-14 07:17 - 2009-07-13 21:13 - 00727310 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-12 11:36 - 2013-05-12 11:02 - 00021082 ____A C:\Users\Acer\Documents\book thief project.odt

2013-05-11 09:55 - 2011-10-24 02:12 - 00000000 ____D C:\ProgramData\WildTangent

2013-05-09 18:02 - 2013-04-28 18:33 - 00026251 ____A C:\Users\Acer\Documents\tienanmen square.odt

2013-05-06 17:41 - 2013-05-06 17:41 - 00000000 ____D C:\Users\Acer\AppData\Local\Macromedia

2013-05-06 17:40 - 2013-05-06 17:40 - 00691592 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-05-06 17:40 - 2011-10-24 03:02 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-05-06 17:38 - 2013-05-06 17:38 - 02141192 ____A (Solid State Networks) C:\Users\Acer\Downloads\install_flashplayer11x32_mssd_aih(2).exe

2013-05-06 17:35 - 2013-05-06 17:35 - 02141192 ____A (Solid State Networks) C:\Users\Acer\Downloads\install_flashplayer11x32_mssa_aih.exe

2013-05-05 13:13 - 2013-05-05 11:12 - 00018425 ____A C:\Users\Acer\Documents\Book Thief.odt

2013-05-02 10:50 - 2013-04-27 12:20 - 00020305 ____A C:\Users\Acer\Documents\CITR.odt

2013-04-28 16:58 - 2012-05-24 08:14 - 00016456 ____A C:\Users\Acer\Documents\coin collection.odt

2013-04-26 12:40 - 2011-10-24 02:12 - 00000000 ____D C:\Program Files (x86)\WildTangent Games

2013-04-26 10:55 - 2011-10-24 02:12 - 00002626 ____A C:\Users\Public\Desktop\WildTangent Games App - acer.lnk

2013-04-26 10:53 - 2012-03-18 16:49 - 00000000 ____D C:\Program Files (x86)\WildGames

2013-04-26 07:19 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-04-26 07:19 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-04-24 10:34 - 2009-07-13 20:51 - 00044520 ____A C:\Windows\setupact.log

2013-04-24 10:04 - 2010-11-20 19:47 - 00048706 ____A C:\Windows\PFRO.log

2013-04-24 10:04 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-04-23 18:34 - 2013-04-23 18:34 - 02141192 ____A (Solid State Networks) C:\Users\Acer\Downloads\install_flashplayer11x32_mssd_aih(1).exe

2013-04-22 18:08 - 2013-04-22 17:36 - 00000000 ____D C:\Users\Acer\AppData\Roaming\ExpressFiles

2013-04-22 17:37 - 2013-04-22 17:37 - 00000000 ____D C:\Users\Acer\AppData\Roaming\Babylon

2013-04-22 17:37 - 2013-04-22 17:37 - 00000000 ____D C:\ProgramData\Babylon

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-04 16:48:42

Restore point made on: 2013-04-11 04:03:27

Restore point made on: 2013-04-12 03:53:44

Restore point made on: 2013-04-15 17:00:20

Restore point made on: 2013-04-15 17:09:17

Restore point made on: 2013-04-24 04:36:57

Restore point made on: 2013-05-01 15:11:32

Restore point made on: 2013-05-10 13:58:12

Restore point made on: 2013-05-15 04:21:14

==================== Memory info ===========================

Percentage of memory in use: 32%

Total physical RAM: 1770.9 MB

Available physical RAM: 1198.15 MB

Total Pagefile: 1770.9 MB

Available Pagefile: 1179.73 MB

Total Virtual: 8192 MB

Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:219.79 GB) (Free:174.98 GB) NTFS (Disk=0 Partition=3)

Drive e: (PQSERVICE) (Fixed) (Total:13 GB) (Free:3.4 GB) NTFS (Disk=0 Partition=1)

Drive f: (Lexar) (Removable) (Total:3.73 GB) (Free:3.7 GB) FAT32 (Disk=1 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: 2BD2C32A)

Partition 1: (Not Active) - (Size=13 GB) - (Type=27)

Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=220 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)

Partition 1: (Active) - (Size=4 GB) - (Type=0C)

Last Boot: 2013-05-14 14:33

==================== End Of Log ==================


Booted up like normal this time.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 22-05-2013 01

Ran by SYSTEM at 2013-05-22 18:48:20 Run:2

Running from F:\

Boot Mode: Recovery

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup

DEFAULT hive was successfully restored from registry back up.

SAM hive was successfully copied to System32\config\HiveBackup

SAM hive was successfully restored from registry back up.

SECURITY hive was successfully copied to System32\config\HiveBackup

SECURITY hive was successfully restored from registry back up.

SOFTWARE hive was successfully copied to System32\config\HiveBackup

SOFTWARE hive was successfully restored from registry back up.

SYSTEM hive was successfully copied to System32\config\HiveBackup

SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====
