Solved FBI computer locked. $200 moneypak virus

ESET Scan

C:\Documents and Settings\atinker\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\54\457ee5f6-79839a4f a variant of Java/Exploit.CVE-2012-4681.D trojan deleted - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP574\A0045556.exe a variant of Win32/Kryptik.ALDT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP574\A0045557.scr a variant of Win32/Injector.VTS trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\31.08.2012_03.45.21\necurs0000\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.OC trojan cleaned by deleting - quarantined
 
Oops, I missed that scan in there. Here is the log. Thanks for reminding me.

Results of screen317's Security Check version 0.99.49
Windows XP Service Pack 3 x86
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
`````````Anti-malware/Other Utilities Check:`````````
Secunia PSI
Malwarebytes Anti-Malware version 1.62.0.1300
JavaFX 2.1.1
Java(TM) 6 Update 22
Java(TM) 7 Update 5
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 11.1.102.55
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (15.0)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 
Uninstall Java(TM) 6 Update 22.

Update Adobe Flash Player
Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

=================================

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions (if present).
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

===============================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.
 
I don't know exactly where this is haha. Java(TM) 6 Update 22.

Also, I play games online that use Java now and then. Won't uninstalling this mean I can't play them?

Also the Adobe Reader, you said to uninstall old versions... I just clicked the icon for it to update it. Not really sure how to remove the old versions but keep the new one.
 
You have current Java version - Java(TM) 7 Update .
Check Add\Remove for the old version - Java(TM) 6 Update 22.
If it's there uninstall it. If it's not leave it alone.
 
OTL log

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users
->Temp folder emptied: 0 bytes

User: atinker
->Temp folder emptied: 3990518 bytes
->Temporary Internet Files folder emptied: 20404450 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: gtinker
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 23.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: atinker
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: gtinker

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: atinker
->Java cache emptied: 0 bytes

User: Default User

User: gtinker

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.59.1 log created on 09022012_212619
Files\Folders moved on Reboot...
C:\Documents and Settings\atinker\Local Settings\Temp\clclean.0001.dir.0001\~df394b.tmp moved successfully.
C:\Documents and Settings\atinker\Local Settings\Temp\clclean.0001.dir.0001\~efe2.tmp moved successfully.
C:\Documents and Settings\atinker\Local Settings\Temp\REGA.tmp moved successfully.
C:\Documents and Settings\atinker\Local Settings\Temp\REGD.tmp moved successfully.
File\Folder C:\Documents and Settings\atinker\Local Settings\Temp\~DF7A58.tmp not found!
File\Folder C:\Documents and Settings\atinker\Local Settings\Temp\~DF7A68.tmp not found!
C:\Documents and Settings\atinker\Local Settings\Temporary Internet Files\Content.IE5\ZUVHDSRN\page-2[1].htm moved successfully.
C:\Documents and Settings\atinker\Local Settings\Temporary Internet Files\Content.IE5\6P0I9FT2\partner[1].htm moved successfully.
C:\Documents and Settings\atinker\Local Settings\Temporary Internet Files\Content.IE5\6P0I9FT2\partner[2].htm moved successfully.
C:\Documents and Settings\atinker\Local Settings\Temporary Internet Files\Content.IE5\6P0I9FT2\partner[3].htm moved successfully.
C:\Documents and Settings\atinker\Local Settings\Temporary Internet Files\Content.IE5\55DLAAX4\918[1].htm moved successfully.
C:\Documents and Settings\atinker\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
 
Can I use the previous link you gave me to re-download TFC? Or do I need a new one for that? OTL took the program off when I ran the cleanup mode as you instructed. Everything looks good and working well. I have done all the steps just about, except defragging, which I'll do tomorrow I think. Am I all set? I remember one of the top posts on the forum said you'd give me the green light when I'm done with everything. I don't want to quit this process early and risk future help. I'll also be reposting if the problem shows up again in a few days, but everything looks to be running well right now.

Thanks so much for your time and effort. I greatly appreciate it.
-Sprinter
 
Ahhhh, might have an issue. I was playing some games online on a few sites and a pop-up in the lower corner said it detected an infection and prompted me to run anti-virus software. Guess I won't be playing games on some of these sites any longer. To sum things up... it didn't look like a detection program I use. It looked fishy. I previously had turned on the Windows firewall, not sure if this program is a part of it. I don't remember downloading it. It was called "Live Security Platinum". So I attempted to run TFC or Malwarebytes AM and a tiny bubble pop-up in the lower right corner said "The application cannot be excuted. the file mfevtps.exe is infected, Please activate your anti-virus software".

So I restarted in safe mode and ran TFC and then Malwarebytes AM. Malwarebytes AM noticed a few things and I deleted/quarantined them. Then I restarted to remove them completely as prompted and "Live Security Platinum" is now gone.
So I think I have fixed everything. Here is a log if it helps anything.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4994
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
10/29/2010 8:30:38 PM
mbam-log-2010-10-29 (20-30-38).txt
Scan type: Quick scan
Objects scanned: 160238
Time elapsed: 11 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upd32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\atinker\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ldinfo.ldr (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\atinker\Application Data\dsfsds.bat (Malware.Trace) -> Quarantined and deleted successfully.
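Added example, not part of this thread and not Malwarebytes' own tooling: a small Python parser for the Malwarebytes 1.x log format shown in the post above. It checks each section's summary count against the items actually listed (a quick way to notice a truncated or edited paste) and pulls out the two things a helper looks at first in this log: the Run-key autostart value and the Security Center "DisableNotify" values that the rogue had switched off, which is what suppresses the firewall and antivirus alerts while something like "Live Security Platinum" runs. The embedded log is a constructed copy of the one posted above; the function names are this example's own.

```python
import re

# Constructed sample: a copy of the Malwarebytes detection log posted above,
# embedded so the parser runs offline. Paths and detection names come from that log.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Database version: 4994
Scan type: Quick scan
Objects scanned: 160238
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upd32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\atinker\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ldinfo.ldr (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\atinker\Application Data\dsfsds.bat (Malware.Trace) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")  # "Files Infected: 4"
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Files Infected:"
ITEM_RE = re.compile(r"^(.*) \(([^()]+)\)$")                 # "<path> (<family>)"
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return (summary_counts, items_by_section) from a Malwarebytes 1.x log."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:                                  # summary block near the top
            summary[m.group(1)] = int(m.group(2))
            continue
        m = HEADER_RE.match(line)
        if m:                                  # detail section header
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or line == NO_ITEMS:
            continue
        # Detail lines: "<path> (<family>) -> [Bad: (x) Good: (y) ->] <action>"
        head, *rest = line.split(" -> ")
        m = ITEM_RE.match(head)
        if not m or not rest:
            continue
        sections[current].append({
            "path": m.group(1),
            "family": m.group(2),
            "detail": " -> ".join(rest[:-1]),  # e.g. "Bad: (1) Good: (0)"
            "action": rest[-1],
        })
    return summary, sections


def count_mismatches(summary, sections):
    """Sections whose listed items disagree with the summary count."""
    return sorted(n for n, k in summary.items() if k != len(sections.get(n, [])))


def security_center_tampering(sections):
    """Security Center notification values the malware had switched off (Bad: (1))."""
    return sorted(
        item["path"].rsplit("\\", 1)[-1]
        for item in sections.get("Registry Data Items Infected", [])
        if item["family"] == "Disabled.SecurityCenter"
    )


def run_key_persistence(sections):
    """Autostart (Run key) values among the registry value detections."""
    return [
        item["path"]
        for item in sections.get("Registry Values Infected", [])
        if "\\CurrentVersion\\Run\\" in item["path"]
    ]
```

After cleanup, the two Security Center values this log names are worth re-checking by hand (or with Security Check, as in the earlier log): a rogue sets them to 1 precisely so that Windows stays quiet about the disabled firewall and missing antivirus.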
 
It looks like email notification missed me.
Sorry about it :)

How are things now?
 
No worries. Umm, things seem to be working fine. I'm just trying to run the Malwarebytes scan every few days just in case.
Thank you,
-Sprinter
 
I seem to be having issues again but I'm not sure it's the same problem as before. I tried to run my computer in safe mode to run MBAM, but after logging in the screen goes white. Even Task Manager won't pop up when I click it. When I go to restart my computer the screen/desktop comes back briefly before the computer restarts. Is there a way to cancel or pause the restart after I click it? I'm kind of at a loss how to run a scan to remove the trouble. Sorry for the inconvenience.

Thank you
 
Create new restore point before proceeding with the next step....
How to:
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

==============================

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If restarting doesn't help use restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 
I can't create a restore point because I can't access the Control Panel or Start menu when I log in. Are you asking me to restore to a previous point and then run the scans?
 
I don't know how I am supposed to do that. When I log in the screen whites out and I can't access any program. This happens in safe mode and normal mode.
 
Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

:step1:

1. Download and Run Ultimate Boot CD for Windows
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
    • Do not install to a folder with spaces in its name.
    • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source:(path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
      • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank.
      • Output: (C:\ubcd4win\BartPE)
        • Keep the default BartPE
    • Media output
      • Choose Create ISO image
      • Do not choose Burn to CD/DVD


      Please note: If your XP install disc is SP1 then please .....
      1. Disable- DComLaunch Service
      2. Enable- LargeIDE Fix

        This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

      Also note: If you have a Dell XP install disc you will need to follow the instructions here
      http://www.ubcd4win.com/faq.htm#dell

    3. Click on the "Build" button
    • You will see the Windows EULA message. Click on I Agree
    • You will now see the Build Screen. Let it run its course
    • When the Build is finished you can click close, then exit


    4. Burn your ISO file to CD
    • Please see HERE on how to burn an ISO to CD.

==========

:step2:

Next, from your clean computer:

Download Farbar Recovery Scan Tool
and save it to your flash drive.

Now plug your flashdrive back into your sick computer and follow the next instructions:

==========

:step3:

1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created
  • Insert the UBCD4Win disc in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
    • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on Yes if you want to use the PE environment to get online post your log and reply by way of an Ethernet connection.
  • You should now have a desktop that looks like this:
    [screenshot: Main.jpg, the UBCD4Win desktop]

==========

:step4:

  • Single click My computer from your UBCD4W desktop to navigate to the Farbar Recovery Scan Tool you saved to your flash drive.
  • Double click on it to begin running the tool.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your next reply.
 
I can't find my XP disc. My friend thinks he has his around. Would I be able to use his? In the event I can't, how would I go about running this method without an XP SP1/SP2/SP3 disc? I apologize for being so difficult.
Thank you,
Sprinter
 
Broni,
I had two errors and one warning running UBCD4WinBuilder. I have pasted them below.

DecompressOrCopy file "D:\I386\FLTMGR.SYS" to "C:\UBCD4Win\BartPE\I386\SYSTEM32\DRIVERS\FLTMGR.SYS"
Error: SetupDecompressOrCopyFile() "D:\I386\FLTMGR.SYS" to "C:\UBCD4Win\BartPE\I386\SYSTEM32\DRIVERS\FLTMGR.SYS" 2: The system cannot find the file specified.
DecompressOrCopy file "D:\I386\FLTLIB.DLL" to "C:\UBCD4Win\BartPE\I386\SYSTEM32\FLTLIB.DLL"
Error: SetupDecompressOrCopyFile() "D:\I386\FLTLIB.DLL" to "C:\UBCD4Win\BartPE\I386\SYSTEM32\FLTLIB.DLL" 2: The system cannot find the file specified.

Checking for missing files
Warning: File "fltmgr.sys" not found
Builder has stopped because there are 2 build errors
ISO image is not created, you must fix the errors!
Building done...
There where 2 errors and 1 warnings
 