Dept of Justice holding me hostage

I have a desktop computer running Windows 7 and have been unable to boot my computer for several days. I cannot enter safe mode, have tried Windows Defender, Kickstart, Kaspersky and AVG with no success. Kaspersky removed a number of malware/viruses but it did not repair the boot problem.

 

I would really appreciate some help!

 

I have attached Farbar Scan results.

FRST.txt


Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    HKU\Aragorn\...\Policies\Explorer: [Run] "C:\Users\Aragorn\AppData\Roaming\Microsoft\Windows\IEUpdate\syskey.exe"
    C:\Users\Aragorn\AppData\Roaming\Microsoft\Windows\IEUpdate


    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

 

 

Boot into Windows now!

 

 

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

 
 
 
Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )

  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


I found the copy/paste problem.

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:19-08-2014
Ran by SYSTEM at 2014-08-20 20:27:20 Run:1
Running from h:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
HKU\Aragorn\...\Policies\Explorer: [Run] "C:\Users\Aragorn\AppData\Roaming\Microsoft\Windows\IEUpdate\syskey.exe"
C:\Users\Aragorn\AppData\Roaming\Microsoft\Windows\IEUpdate
*****************

HKU\Aragorn\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\Run => value deleted successfully.
C:\Users\Aragorn\AppData\Roaming\Microsoft\Windows\IEUpdate => Moved successfully.

==== End of Fixlog ===

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:19-08-2014
Ran by SYSTEM on MININT-3UURH8C on 20-08-2014 20:35:01
Running from H:\
Platform: Windows 7 Home Premium Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NeroFilterCheck] => C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [155648 2006-01-12] (Nero AG)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKU\Aragorn\...\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [143360 2006-12-23] (Nero AG)
HKU\Aragorn\...\Run: [TomTomHOME.exe] => C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [248176 2014-06-05] (TomTom)

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 lxbc_device; C:\Windows\system32\lxbccoms.exe [537520 2007-03-15] ( )

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S0 PxHelp20; System32\Drivers\PxHelp20.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-18 14:22 - 2014-08-20 20:35 - 00000000 ____D () C:\FRST
2014-08-17 10:53 - 2014-08-17 15:27 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-08-16 22:49 - 2014-08-16 22:49 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-08-16 08:31 - 2014-08-16 08:31 - 00000000 ____D () C:\NPE
2014-08-16 03:25 - 2014-08-16 03:26 - 00000000 ____D () C:\NBRT
2014-08-15 00:45 - 2014-08-15 00:45 - 00000000 ____D () C:\Temp
2014-08-11 12:12 - 2014-08-11 17:56 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-08-03 07:59 - 2014-05-14 08:23 - 01973728 _____ (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2014-08-03 07:59 - 2014-05-14 08:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2014-08-03 07:59 - 2014-05-14 08:23 - 00054240 _____ (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2014-08-03 07:59 - 2014-05-14 08:23 - 00045536 _____ (Microsoft Corporation) C:\Windows\System32\wups2.dll
2014-08-03 07:59 - 2014-05-14 08:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\System32\wups.dll
2014-08-03 07:59 - 2014-05-14 08:17 - 02425856 _____ (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2014-08-03 07:59 - 2014-05-14 08:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2014-08-03 07:59 - 2014-05-14 05:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2014-08-03 07:59 - 2014-05-14 05:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\System32\wuapp.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-20 20:35 - 2014-08-18 14:22 - 00000000 ____D () C:\FRST
2014-08-17 15:27 - 2014-08-17 10:53 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-08-17 00:23 - 2008-08-17 12:21 - 00000000 ____D () C:\Backed Up Stuff
2014-08-16 22:49 - 2014-08-16 22:49 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-08-16 08:31 - 2014-08-16 08:31 - 00000000 ____D () C:\NPE
2014-08-16 03:26 - 2014-08-16 03:25 - 00000000 ____D () C:\NBRT
2014-08-15 00:45 - 2014-08-15 00:45 - 00000000 ____D () C:\Temp
2014-08-12 22:50 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\System32\LogFiles
2014-08-12 18:44 - 2012-10-20 11:30 - 00000905 _____ () C:\Windows\MSOFFICE.INI
2014-08-12 18:44 - 2009-07-13 20:34 - 00020496 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-12 18:44 - 2009-07-13 20:34 - 00020496 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-12 18:44 - 2001-12-31 23:26 - 01141146 _____ () C:\Windows\WindowsUpdate.log
2014-08-12 18:41 - 2010-11-20 13:48 - 00045932 _____ () C:\Windows\PFRO.log
2014-08-12 18:41 - 2009-07-13 20:39 - 00044723 _____ () C:\Windows\setupact.log
2014-08-11 17:56 - 2014-08-11 12:12 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-07-27 18:35 - 2012-10-20 11:30 - 00001600 _____ () C:\Windows\EXCEL5.INI
2014-07-27 13:34 - 2012-06-01 15:32 - 00000000 ____D () C:\Program Files\Microsoft Silverlight

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 3967.3 MB
Available physical RAM: 3462.03 MB
Total Pagefile: 3965.59 MB
Available Pagefile: 3464 MB
Total Virtual: 2047.88 MB
Available Virtual: 1956.21 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:213.34 GB) (Free:162.24 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (New Volume) (Fixed) (Total:19.54 GB) (Free:9.81 GB) NTFS
Drive e: (GSP1RMCHPFRER_EN_DVD) (CDROM) (Total:2.39 GB) (Free:0 GB) UDF
Drive h: (KINGSTON) (Removable) (Total:3.75 GB) (Free:3.75 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 66396639)
Partition 1: (Active) - (Size=213.3 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=19.5 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (Size: 3.8 GB) (Disk ID: 04030201)
Partition 1: (Active) - (Size=3.8 GB) - (Type=0B)

LastRegBack: 2014-08-08 05:00

==================== End Of Log ============================

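The entry the fixlist removed (an HKU\...\Policies\Explorer [Run] value pointing into AppData\Roaming) is what a helper looks for when reading the Registry (Whitelisted) section of the log above. As an added example, not part of this thread or of FRST itself, the Python script below parses constructed FRST-style autostart lines, flags entries set through Policies\Explorer, launched from user-writable folders or lacking publisher information, and derives the two fixlist lines in the same form used in this thread.

```python
import re
from typing import Any, Dict, List

# Constructed sample modelled on the "Registry (Whitelisted)" section of an FRST log;
# the last line is the Policies\Explorer entry this thread's fixlist removed.
SAMPLE_LOG = r"""
HKLM\...\Run: [NeroFilterCheck] => C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [155648 2006-01-12] (Nero AG)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKU\Aragorn\...\Run: [TomTomHOME.exe] => C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [248176 2014-06-05] (TomTom)
HKU\Aragorn\...\Policies\Explorer: [Run] "C:\Users\Aragorn\AppData\Roaming\Microsoft\Windows\IEUpdate\syskey.exe"
"""

# One FRST autostart line: hive, abbreviated key, value name, target path,
# then an optional "[size date]" and an optional "(publisher)".
ENTRY_RE = re.compile(
    r'^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<key>[^:]+): '
    r'\[(?P<name>[^\]]+)\] (?:=> )?"?(?P<path>[A-Za-z]:\\[^"\[]*?)"?'
    r'(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?'
    r'(?: \((?P<publisher>[^)]*)\))?\s*$'
)
# Directories an unprivileged user, and therefore user-level malware, can write to.
USER_WRITABLE_RE = re.compile(r'\\(AppData|Users\\Public|ProgramData|Temp)\\', re.IGNORECASE)

Entry = Dict[str, Any]


def parse_frst_run_entries(log_text: str) -> List[Entry]:
    """Parse every autostart line of the Registry section; keeps the raw line too."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(dict(m.groupdict(), raw_line=line.strip()))
    return entries


def assess(entry: Entry) -> List[str]:
    """Heuristics that separate the lockscreen entry from ordinary vendor autostarts."""
    reasons = []
    if 'Policies\\Explorer' in entry['key']:
        reasons.append('set through Policies\\Explorer\\Run, an autostart rarely used by legitimate software')
    if USER_WRITABLE_RE.search(entry['path']):
        reasons.append('target binary lives in a user-writable directory')
    if not (entry['publisher'] or '').strip():
        reasons.append('no publisher/version information recorded for the binary')
    return reasons


def find_suspicious_autoruns(log_text: str) -> List[Entry]:
    """Return only the entries with at least one red flag, with the reasons attached."""
    findings = []
    for entry in parse_frst_run_entries(log_text):
        reasons = assess(entry)
        if reasons:
            findings.append(dict(entry, reasons=reasons))
    return findings


def fixlist_lines(entry: Entry) -> List[str]:
    """Lines for fixlist.txt: the log line verbatim (FRST deletes the value), then the
    binary's folder (FRST moves it away so the dropper cannot simply re-register)."""
    return [entry['raw_line'], entry['path'].rsplit('\\', 1)[0]]


if __name__ == '__main__':
    for hit in find_suspicious_autoruns(SAMPLE_LOG):
        print(hit['raw_line'], *hit['reasons'], *fixlist_lines(hit), sep='\n   ')
```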

Create/Use Boot-Repair-Disc

  1. DOWNLOAD BOOT-REPAIR-DISK
    Note: Select the right version depending on which Windows is installed on your system.
  2. Then burn it on CD or put it on a USB key via Unetbootin
  3. Insert the Boot-Repair-Disk and reboot the PC,
  4. Choose your language,
  5. Connect to the internet if possible
  6. Click "Recommended repair"
  7. When finished, you are provided a link to paste.ubuntu.com - write it down somewhere
  8. Reboot the PC --> solves the majority of bootsector/GRUB/MBR problems
  9. Post up the link you wrote down at step 6.


When I try to load Unetbootin: I download Unetbootin to the desktop of a clean computer. Then I run the program. It offers two options: 1) go to an outside site, 2) make mirror. I chose make mirror and loaded the Boot Repair ISO into Unetbootin. Files are extracted and put onto the USB drive: menu.c32, syslinux.cfg, ubnpath.txt, ubnfilel.txt.

 

I tried booting the infected computer and got a page "Unetbootin" with a cursor with "default" listed. If I hit Tab for the menu, a command line appears: ubnkrn initrd=/ubinit with a blinking cursor.

 

I am stuck


I see you have downloaded Kaspersky Rescue Disk, but did you try its Unlocker?

 

Kaspersky Windows Unlocker
 

  • Download Kaspersky Rescue Disk (iso)
  • Burn it to a cd or dvd, if you need a program to burn an ISO...use Active@ ISO Burner
  • Configure your computer to boot from CD/DVD
  • Note : If you do not know how to set your computer to boot from CD/DVD follow the steps here
  • Once you have the cd/DVD created, boot the computer up using it
  • Press any key to enter the menu
  • Select your language
  • Press 1 to accept the End User License Agreement
  • Select Kaspersky Rescue Disk. Graphic Mode
  • Click on the Start button located in the left bottom corner of the screen
  • Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by Metropolitan Police Virus Note: If you can't find Kaspersky WindowsUnlocker, go to Terminal instead > type > windowsunlocker > choose 1 - Unlock Windows > Enter

  • When it's done, click on the Start button and start Kaspersky Rescue Disk utility
  • Click on My Update Center tab and press Start to download the latest update
  • Next, select the Object Scan tab
  • Put a check next to C:\ and any other local drives
  • Then click Start Objects Scan
  • Quarantine any malware found
  • Restart your computer and see if it boots up normally.

Let´s see what this folder contains...

 

 

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    Folder: C:\Users\Public\Documents\Report


    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:21-08-2014
Ran by SYSTEM at 2014-08-23 09:48:08 Run:2
Running from f:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
Folder: C:\Users\Public\Documents\Report

*****************

========================= Folder: C:\Users\Public\Documents\Report ========================

2014-08-11 17:56 - 2014-08-12 18:42 - 0003265 _____ () C:\Users\Public\Documents\Report\index.html
2014-08-11 17:56 - 2014-08-11 17:56 - 0456782 _____ () C:\Users\Public\Documents\Report\pic.jpg

====== End of Folder: ======

==== End of Fixlog ====


ListParts

  • For x32 (x86) bit systems download ListParts to a USB flash drive.
  • For x64 bit systems download ListParts64 to a USB flash drive.
  • Plug the USB drive into the infected machine.

    After rebooting into Recovery Environment...
  • ...single click My computer and navigate to the ListParts\ListParts64 you saved to your flash drive.
  • Double click on it to begin running the tool.
  • ListParts will start to run.
  • Press the Scan button.
  • When finished scanning it will make a log Result.txt on the flash drive.
  • Post the log in your next reply.


ListParts by Farbar Version: 31-07-2014
Ran by SYSTEM (administrator) on 23-08-2014 at 11:31:31
Windows 7 (X86)
Running From: f:\
Language: English (United States)
************************************************************

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 3967.3 MB
Available physical RAM: 3547.58 MB
Total Pagefile: 3965.59 MB
Available Pagefile: 3544.95 MB
Total Virtual: 2047.88 MB
Available Virtual: 1987.48 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:213.34 GB) (Free:162.22 GB) NTFS ==>[system with boot components (obtained from reading drive)]
2 Drive d: (New Volume) (Fixed) (Total:19.54 GB) (Free:9.81 GB) NTFS
3 Drive e: (GSP1RMCHPFRER_EN_DVD) (CDROM) (Total:2.39 GB) (Free:0 GB) UDF
4 Drive f: (NBRT) (Removable) (Total:3.72 GB) (Free:3.71 GB) FAT32
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          232 GB  1024 KB        
  Disk 1    Online         3819 MB      0 B        
  Disk 2    No Media           0 B      0 B        
  Disk 3    No Media           0 B      0 B        

Partitions of Disk 0:
===============

Disk ID: 66396639

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            213 GB    31 KB
  Partition 2    Primary             19 GB   213 GB

======================================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C                NTFS   Partition    213 GB  Healthy           

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D   New Volume   NTFS   Partition     19 GB  Healthy           

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3812 MB    64 KB

======================================================================================================

Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F   NBRT         FAT32  Removable   3812 MB  Healthy           

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 66396639
Partition 1: (Active) - (Size=213 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=20 GB) - (Type=07 NTFS)

==============================
Partitions of Disk 1:
===============
Disk ID: 00000000

Partition: GPT Partition Type.

****** End Of Log ******


I don't know what a BSOD is.

When I try to boot, the XFX logo appears (my motherboard) then disappears, which is normal.

Then seconds later Windows Boot Manager appears and I am asked to choose Windows 7 or XP to boot. I choose Win 7.

Then the Windows logo with the little circles moving around appears. Then it goes dark for a second or two. Then I hear a single beep. Then a "no signal" notification appears. If I let it go it will start the boot cycle again.

I have not seen the Dept of Justice page since the first day.


I looked back and it was Windows Defender that removed the malware. I don't have a text log automatically generated, but I took pics of the screens. I will type the programs detected below.

All threats were considered "severe".

All threats were shown to be removed successfully by Windows Defender.

  • Exploit:Java/CVE-2009-3869.A
  • TrojanDownloader:Java/OpenConn...
  • Exploit:Java/Blacole.Et  alert level
  • Exploit:Java/CVE-2008-5353
  • Exploit:Java/CVE-2012-0507
  • Exploit:Java/CVE-2009-3867
  • Trojan:Win32/Sirefef(l or !)cfg   (I can't tell if the symbol after Sirefef in parentheses is a lower case "L" or an exclamation point)
  • Exploit:Java/CVE-2010-0840
  • Exploit:Java/CVE-2010-0094
  • Exploit:Java/CVE-2011-3544
  • Trojan:Win32/Sisron!gmb
  • Exploit:Java/CVE-2009-3869.0
  • Exploit:Java/Blacole.ES
  • ByteVerify
  • Exploit:JavaCVE-2010-0842

The only other thing I can tell you is that early on, I went into the BIOS and changed default values to "fail safe" and then to "default" to try and get the system booting.
