Facebook Virus ~ cannot get c:\windows\fbtre9.exe out of my Registry

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Ann MacNaughton, Nov 27, 2008.

  1. Ann MacNaughton

    Ann MacNaughton Private E-2

    In August I made the mistake of clicking on that fake video and then spent a day searching for windows\fbtre9.exe, windows\fmark2.dat, et al. Spybot could identify it but could not get rid of it. I upgraded Norton, and then finally concluded I had gotten rid of it by searching for and deleting each named file.

    BUT yesterday Malwarebytes' Anti-Malware identified c:\windows\fbtre9.exe. It has tried to delete it 10 times, but each time ~ even running it in Windows Safe Mode ~ c:\windows\fbtre9.exe comes back into the Registry.

    SO finally I figured out how to access the Registry, by entering REGEDIT in the "Run" box, and located the sysftray2 REG_SZ entry c:\windows\fbtre9.exe. I have deleted it 5 times myself, but it keeps coming back.

    How do I kill the d*mn Registry entry?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:
    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn them to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writable and infections can spread to them.
     
  3. Ann MacNaughton

    Ann MacNaughton Private E-2

    Thanks. "Add or Remove" identified only these 2 programs on your list, which I deleted before running HijackThis:
    (1) "SearchAssist"
    (2) "Viewpoint Media Player".

    I also expected to see "Wild Tangent", because I have seen it in various search lists since starting 2 days ago to get rid of fbtre9.exe. It did not show up in my "Add or Remove" list, but when I entered it at "Search", all these did show up, including the JRE file, though I had gone through "Add or Remove" to remove all JRE and then loaded the newest Java 10. Anyway, I did nothing with these files that were listed when I searched for "Wild Tangent" (just moved on to HijackThis, notepad pasted further below):
    Program Files\Java\jre 1.50.06/lib/ext
    Documents & Settings\Administrator\Local Settings\Application Data
    Documents & Settings\Default User
    Documents & Settings\Tech Support
    Documents & Settings\All Users\Application Data\Spybot-Search & Destroy\Recovery


    Only one other thing... for some reason, Windows Installer keeps launching on restart, trying to load "Sonic" and complaining that whatever it needs to complete the launch is on an external drive. Don't know what it's talking about, or why it's trying to launch. Possibly because the computer froze during the initial download yesterday of Anti-Virus Plus? Still not sure that loaded correctly, but RegCure interrupts the start-up dialing only temporarily. Cannot now get the computer to stop freezing, and have made repeated hard reboots (using the 'off' button).

    Here is the HiJack This list:

    • Edit by bjgarrick: Inline HJT log removed. READ & RUN ME sticky still not followed.
     
    Last edited by a moderator: Nov 29, 2008
  4. Ann MacNaughton

    Ann MacNaughton Private E-2

    Posting HijackThis Log (re: cannot get c:\windows\fbtre9.exe out of my Registry)

    Reposting with different subject, POSTING HIJACK LOG

    Thanks. "Add or Remove" identified only these 2 programs on your list, which I deleted before running HijackThis:
    (1) "SearchAssist"
    (2) "Viewpoint Media Player".

    I also expected to see "Wild Tangent", because I have seen it in various search lists since starting 2 days ago to get rid of fbtre9.exe. It did not show up in my "Add or Remove" list, but when I entered it at "Search", all these did show up, including the JRE file, though I had gone through "Add or Remove" to remove all JRE and then loaded the newest Java 10. Anyway, I did nothing with these files that were listed when I searched for "Wild Tangent" (just moved on to HijackThis, notepad pasted further below):
    Program Files\Java\jre 1.50.06/lib/ext
    Documents & Settings\Administrator\Local Settings\Application Data
    Documents & Settings\Default User
    Documents & Settings\Tech Support
    Documents & Settings\All Users\Application Data\Spybot-Search & Destroy\Recovery


    Only one other thing... for some reason, Windows Installer keeps launching on restart, trying to load "Sonic" and complaining that whatever it needs to complete the launch is on an external drive. Don't know what it's talking about, or why it's trying to launch. Possibly because the computer froze during the initial download yesterday of Anti-Virus Plus? Still not sure that loaded correctly, but RegCure interrupts the start-up dialing only temporarily. Cannot now get the computer to stop freezing, and have made repeated hard reboots (using the 'off' button).

    Here is the HiJack This list:

    • Edit by bjgarrick: Inline HJT log removed. READ & RUN ME sticky still not followed.
     
    Last edited by a moderator: Nov 29, 2008
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    As requested in my first post, please follow all of the instructions in the READ ME.

    Go back and run all of the steps and attach all of the requested logs once complete. We can't help you if you don't help us, remember we're not in front of your computer; these logs are our only way to see in your system.
     
  6. Ann MacNaughton

    Ann MacNaughton Private E-2

    MGLogs Attached re: cannot get c:\windows\fbtre9.exe out of my Registry

    Thank you very much for your help.

    Here (I hope) is
    (1) MGLogs.zip file.

    If i did all this correctly, these 3 will follow in next msg:
    (2) SASlog.txt,
    (3) Malwarebytes Anti-Malware log,
    (4) combofix.txt
     


  7. Ann MacNaughton

    Ann MacNaughton Private E-2

    SAS, MBAM, ComboFix logs for undeletable fbtre9.exe & sysftray2 issues

    Attaching SAS, MBAM, ComboFix logs. Could not find txt files in SAS or Malwarebytes. Re-scanned, followed the 'save as' paths, and am attaching the new logs. ComboFix.txt was saved last night before these newer scans:

    MBAM log still (again and again) shows FB trojan in registry value, even though 'quarantined and fixed/removed' over and over. Also have tried deleting it directly from REGEDIT; it just won't go away. Neither does fbtre9.exe at Start-up. So I changed CONFIGSIS to start w/o fbtre9.exe ~ but would like to restore to NORMAL if I can just get rid of these final remnants of that FB virus.

    SASlog.txt ~ same cookie keeps re-appearing (\administrator@tribalfusion[1]). Could this possibly be explained by anything that might have occurred when my PC's battery ran down after Hurricane Ike knocked out Houston's electrical grid in mid-Sept? Ever since, "File" frequently re-sets to "work offline" (on any re-boot, and often while working). Protecting against this or any other malware?

    ALSO, am worried because Wild Tangent files still show up in Registry, Program Files, etc, even though I un-installed at Add/Remove.

    Last but no idea whether least, today (but not before) I keep getting this error message (but not always) when shutting down to reboot ~ what does this mean? "The instruction at 0x0d6e5428 referenced memory at 0x7c90c4f4 could not be written..." ~ what? why?
     


    Last edited by a moderator: Nov 30, 2008
  8. Ann MacNaughton

    Ann MacNaughton Private E-2

    How long does it generally take, to get feedback, after logs are correctly posted? I wonder if I may have posted in the wrong way or the wrong place?
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We apologize for the delay..BJ has come down with the flu...the human form of malware.

    I will look at your logs and get back to you asap. :)

    You are running multiple AV programs...uninstall all but one.

    You need to disable spybot teatimer:
    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double-clicking on it (Note: if using Vista, don't double-click; right-click and select Run As Administrator). This is really HijackThis. Select Do a system scan only, then select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now use windows explorer to find and delete:
    c:\windows\fbtre9.exe

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file and tell me what problems you are still having.
     
    Last edited: Dec 6, 2008
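An added example, not part of the thread and not the fixME.reg or MGtools steps TimW describes above: a PowerShell script that does in one pass what the first post did by hand in REGEDIT and what TimW's fix does in order. It enumerates the usual autostart keys, flags any value whose data names the target file, stops any running copy of that file first (a running process rewriting its own Run value is the usual reason a deleted entry reappears), removes the value, deletes the file, and then checks whether the value came back. The target path C:\Windows\fbtre9.exe and the value name sysftray2 come from the thread; the key list, the ten-second re-check and the script itself are assumptions. It needs an elevated PowerShell on a current Windows, which the 2008-era machine in the thread would not have had.

```powershell
# Added example (not from the thread). Remove an autostart registry value that
# keeps being re-created, in the order that actually works: stop the process,
# remove the value, delete the file, verify.
# Assumptions: target file C:\Windows\fbtre9.exe (from the thread); the value
# name (sysftray2 in the thread) is discovered by matching on the file name.
param(
    [string]$Target = 'C:\Windows\fbtre9.exe'
)

# Common autostart locations. The Winlogon key holds the Shell and Userinit
# values, which malware also overwrites; matching on the file name keeps the
# legitimate Explorer.exe / userinit.exe entries from being flagged.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Find-AutostartReferences {
    param([string]$Path)
    # Match on the bare file name: the data may be quoted, use forward slashes
    # (as the thread's c:\windows/fbtre9.exe does) or carry arguments.
    $leaf = [System.IO.Path]::GetFileName($Path)
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $data = [string]$regKey.GetValue($name)
            if ($data -like "*$leaf*") {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            }
        }
    }
}

# 1. Stop any running copy of the file. A live process is what keeps
#    rewriting the value after REGEDIT or a scanner deletes it.
Get-Process |
    Where-Object { $_.Path -and $_.Path -ieq $Target } |
    ForEach-Object { "Stopping PID $($_.Id) ($($_.Path))"; Stop-Process -Id $_.Id -Force }

# 2. Remove every autostart value that points at the file.
$hits = @(Find-AutostartReferences -Path $Target)
if (-not $hits) { "No autostart value references $Target" }
foreach ($hit in $hits) {
    "Removing $($hit.Key) -> $($hit.Name) = $($hit.Data)"
    Remove-ItemProperty -LiteralPath $hit.Key -Name $hit.Name -ErrorAction Stop
}

# 3. Delete the file itself, so nothing can relaunch it at next logon.
if (Test-Path -LiteralPath $Target) {
    Remove-Item -LiteralPath $Target -Force
    "Deleted $Target"
}

# 4. Wait, then re-check. If the value is back with the file gone, something
#    else (a service, a second dropper, another user's hive) is restoring it.
Start-Sleep -Seconds 10
if (Find-AutostartReferences -Path $Target) {
    "Value was re-created: another process or service is still restoring it."
} else {
    "Autostart reference removed and did not return."
}
```

If step 4 reports the value coming back, deleting it again by hand will not help; that is exactly the situation where the full logs TimW asked for (HijackThis, MBAM, ComboFix, MGlogs) are needed to find what is writing it.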
  10. Ann MacNaughton

    Ann MacNaughton Private E-2

    Thanks very much for getting back to me, Tim, and so sorry to hear about BJ's flu.

    Re: <<<running multiple AV programs>>>
    Also sorry to sound so dumb, but I'm not sure what AV is installed except for Norton. Please advise, so I can be confident I'm uninstalling the right programs.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You also have this installed:
    ParetoLogic Anti-Virus PLUS

    How are things running? Could you delete the file?

    You need to attach the new MGLogs.zip after doing my previous fix.
     
  12. Ann MacNaughton

    Ann MacNaughton Private E-2

    OIC, thanks. Yes, that loaded itself without my intending it to load, and caused my computer to lock up. It is uninstalled now, but I was waiting for a reply before proceeding.

    No, each time I delete fbtre9.exe and sysftray2 from the Registry value, they keep coming back. Today PC-cillin indicated another virus had arrived, but Spybot and MBAM do not detect it. Am running Norton tonight.

    Will take recommended next steps, and post log. But, difficult to allocate time to this except on week-ends. Hopefully maybe can run and post tomorrow.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I will be here when you are ready. :)
     
