[Symmetrix]

Hello my girlfriends laptop has the FBI virus. It is a Dell Inspiron 1545. Tried a few fixes but cant get into safe mode cause it keeps restarting. Dont know what to do at this point...

[Advertisements]

Hello Symmetrix,

My name is Teima and I'll be happy to assist you with this issue. Before we commence I'd like to ask that you take into careful thought of the points which I've listed below as they will beneficial to the guidance as to which I'll present yourself with here on Geekstogo.

Notes before we commence:

• It's important that you reply within four days. If you haven't replied within that time, the thread will be closed.
  
• As the process of malware removal is often challenging at times I'd like you to take into consideration that it may take multiple replies in order to resolve the issue/issues present.
  
• If you are uncertain about any of the steps as to which I present yourself with. Please feel free to ask myself for further clarification.
  
• It's important that you don't use tools which have been recommended for other users of the forum, failure to follow these guidelines will most likely result in an unbootable machine.
  
• These steps only apply for the user "Symmetrix". If you're reading this thread and you're requiring assistance, then read this thread and follow the listed steps carefully.
  
• The absence of symptoms does not necessarily mean that your system is clean. Please stick with me until I state that your system is clean.
  
• If It's been a total of three days and you've yet to receive a response from myself. Please send myself a reminder by clicking here and attaching the appropriate thread link where I can respond.

Extra

Please be patient with me as I am currently in training, and all of my responses to you have to be reviewed by my instructor before I post them. Just keep in mind that you get the advantage as you have two people examining your issue. Thanks for your consideration.

[Teima]

Hello Symmetrix,

My name is Teima and I'll be happy to assist you with this issue. Before we commence I'd like to ask that you take into careful thought of the points which I've listed below as they will beneficial to the guidance as to which I'll present yourself with here on Geekstogo.

Notes before we commence:

• It's important that you reply within four days. If you haven't replied within that time, the thread will be closed.
  
• As the process of malware removal is often challenging at times I'd like you to take into consideration that it may take multiple replies in order to resolve the issue/issues present.
  
• If you are uncertain about any of the steps as to which I present yourself with. Please feel free to ask myself for further clarification.
  
• It's important that you don't use tools which have been recommended for other users of the forum, failure to follow these guidelines will most likely result in an unbootable machine.
  
• These steps only apply for the user "Symmetrix". If you're reading this thread and you're requiring assistance, then read this thread and follow the listed steps carefully.
  
• The absence of symptoms does not necessarily mean that your system is clean. Please stick with me until I state that your system is clean.
  
• If It's been a total of three days and you've yet to receive a response from myself. Please send myself a reminder by clicking here and attaching the appropriate thread link where I can respond.

Extra

Please be patient with me as I am currently in training, and all of my responses to you have to be reviewed by my instructor before I post them. Just keep in mind that you get the advantage as you have two people examining your issue. Thanks for your consideration.

[Symmetrix]

The forum has helped me before. The laptop on start up gives the fbi warning message and asks to send money. I can not run any utilities. It will also not boot into safe mode either.

[Teima]

Hello Symmetrix,

I can not run any utilities. It will also not boot into safe mode either.

Ok no worries. My instructions have been catered to this situation.

The laptop on start up gives the fbi warning message and asks to send money.

Yes. This is part of the infection. Please don't follow the instructions which are contained on the FBI screen as this will make the situation worse and important credentials will be taken.

Step One

Your machine has a nasty back door infection.

Assume that all your passwords and sensitive security information have been looked at from an outside source. If your computer is/was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Step Two

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select English as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select English as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]

[Symmetrix]

Here is the log:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-10-2013
Ran by SYSTEM on MININT-UU294RR on 22-10-2013 07:17:03
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [AVG_TRAY] - C:\Program Files (x86)\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG Secure Search\vprot.exe [2314416 2013-08-15] ()
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Sendori Tray] - C:\Program Files (x86)\Sendori\SendoriTray.exe [83232 2013-07-01] (Sendori, Inc.)
HKU\Janelle\...\Winlogon: [Shell] explorer.exe,C:\Users\Janelle\AppData\Roaming\cache.dat [82432 2013-07-08] () <==== ATTENTION
Startup: C:\Users\Janelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart

==================== Services (Whitelisted) =================

S2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [119072 2013-07-01] (Sendori, Inc.)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [5174392 2012-11-02] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
S3 COMSysApp; C:\Windows\SysWow64\dllhost.exe [7168 2009-07-13] (Microsoft Corporation)
S3 msiserver; C:\Windows\SysWow64\msiexec.exe [73216 2010-11-20] (Microsoft Corporation)
S2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [22304 2013-07-01] (sendori)
S2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3623200 2013-07-01] (Sendori)
S2 UtilityChest_49Service; C:\PROGRA~2\UTILIT~2\bar\1.bin\49barsvc.exe [42504 2013-02-25] (COMPANYVERS_NAME)
S2 vToolbarUpdater15.5.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [1643184 2013-08-15] (AVG Secure Search)
S2 WSearch; C:\Windows\SysWow64\SearchIndexer.exe [428032 2009-07-13] (Microsoft Corporation)
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{7344f193-4334-372f-9d01-f84f59d8b2d4}\ \...\???\{7344f193-4334-372f-9d01-f84f59d8b2d4}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [127328 2012-12-10] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [307040 2012-11-08] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [384800 2013-04-11] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-08-15] (AVG Technologies)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-10-22 07:15 - 2013-10-22 07:15 - 00000000 ____D C:\FRST

==================== One Month Modified Files and Folders =======

2013-10-22 07:15 - 2013-10-22 07:15 - 00000000 ____D C:\FRST
2013-10-22 06:06 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-22 06:06 - 2009-07-13 20:51 - 00034507 _____ C:\Windows\setupact.log

Files to move or delete:
====================
C:\Users\Janelle\AppData\Roaming\cache.dat
C:\Users\Janelle\AppData\Roaming\cache.ini
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

5
Restore point made on: 2013-07-12 06:46:32
Restore point made on: 2013-07-17 15:21:38
Restore point made on: 2013-07-18 15:45:56
Restore point made on: 2013-08-06 06:47:13
Restore point made on: 2013-08-16 08:10:21

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 4056.36 MB
Available physical RAM: 3238.8 MB
Total Pagefile: 4054.51 MB
Available Pagefile: 3232.22 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:283.4 GB) (Free:136.03 GB) NTFS
Drive f: (CanonDC1090W) (CDROM) (Total:0.18 GB) (Free:0 GB) CDFS
Drive g: () (Removable) (Total:1.9 GB) (Free:1.88 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:7.99 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 430A03C8)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=283 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 2 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=2 GB) - (Type=0B)


LastRegBack: 2012-10-03 10:05

==================== End Of Log ============================

[Teima]

Step One

Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

Start
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{7344f193-4334-372f-9d01-f84f59d8b2d4}\ \...\???\{7344f193-4334-372f-9d01-f84f59d8b2d4}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
U2 *etadpug; "" <==== ATTENTION (ZeroAccess)
C:\Users\Janelle\AppData\Roaming\cache.dat
C:\Users\Janelle\AppData\Roaming\cache.ini
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install
ZeroAccess:
C:\Users\Janelle\AppData\Local\Google\Desktop\Install
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

• On Vista or Windows 7: Now please enter System Recovery Options.

• Run FRST/FRST64 and press the Fix button just once and wait.

• The tool will generate a log on the flashdrive (Fixlog.txt) please post it in your next response.

Step Two

Download OTL to your desktop.

Right-click on OTL.exe and select Run As Administrator to start the program. If prompted by UAC, please allow it.

• Please check the box next to Scan All Users.
  
• Make sure Use SafeList is selected under Extra Registry.
  
• Under the Custom Scans/Fixes box at the bottom, paste in the following:

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir C:\ /S /A:L /C
CREATERESTOREPOINT

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your reply. If both log won't fit in the same post, you may post them in two separate posts.

[Symmetrix]

A couple things aren't clear. What do i do with the fixlist.txt file on the flash drive? In system recovery options, do I go to command prompt and enter FRST64? I think the fixlist.txt file needs to be loaded into the FRST64 fix. Then hopefully it will let me download OTL. Please clarify...

[Teima]

Hello Symmetrix,

A couple things aren't clear. What do i do with the fixlist.txt file on the flash drive? In system recovery options, do I go to command prompt and enter FRST64? I think the fixlist.txt file needs to be loaded into the FRST64 fix. Then hopefully it will let me download OTL. Please clarify...

Once fixlist.txt is situated on the flash drive. You will need to use the instructions situated within the former response (Post #4) to enter the System Recovery Options. Once that is complete:

On the System Recovery Options menu you will get the following options:

• 
  
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst64.exe and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Fix button.
• It will make a log (Fixlog.txt) on the flash drive. Please copy and paste it to your reply.

[Symmetrix]

when running the g:\frst64, after pressing fix i get an error message: AutoIt Error - Line 10136 (file "G:\FRST64.exe": Error: Subscript used with non-Array variable. I hit ok and the tool goes away...

[Teima]

Hello Symmetrix. That's odd. Would you be able to replace the existing copy of FRST from the one situated at this link? Once complete. Would you be able to try the fix a second time and see if the issue is still faced?

[Teima]

Hello Symmetrix. Are you still with me here?

[Symmetrix]

Sry, I get busy with work as a restaurant manager. Redid the program but got the same error message.

[Teima]

Hello Symmetrix,

No worries. I have checked with my instructor and we have come to the conclusion to switch to a different tool and perform a fix via that as apposed to FRST. This should work without any issues.

Step One

Before starting you might like to print these instruction out so that you know what you are doing during the process.

• Download OTLPE.iso and save it somewhere you can get it.
• Insert a writable blank CD/DVD in your CD drive and click on the OTPLE.iso to burn a CD. NOTE:
• Reboot your infected system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here
The CD needs to detect your hardware and load the operating system. This might take awhile.

• Your system should now display a Reatogo desktop.
• Note: as you are running from CD it is not exactly speedy
• Double-click on the OTLPE icon.
• Select the Windows folder of the infected drive if it asks for a location
• If asked "Do you wish to load the remote registry", select Yes
• If asked "Do you wish to load remote user profile(s) for scanning", select Yes
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
• OTL should now start.

• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive if you do not have internet connection on this system.
• Right click the file and select send to : select the USB drive.
• Confirm that it has copied to the USB drive by selecting it
• You can backup any files that you wish from this OS
• Please post the contents of the C:\OTL.txt file in your reply.

[Symmetrix]

Do you have another link, it's not letting me fully download the program...

[Teima]

Hello Symmetrix. Would you be able to try this link in a browser such as Firefox and let me know if it is able to work fine?