FBI freeze .....

Discussion in 'Malware Help (A Specialist Will Reply)' started by javamama, Oct 22, 2012.

  1. javamama

    javamama Private E-2

    A DAY and a half AGO I clicked on a picture on my facebook page and BOOM, the dreaded
FBI Virus thingie popped up. I immediately cut off my internet and rebooted in SAFE MODE with NETWORKING (cause I recently had read somewhere to do that). I ran my Malwarebytes, AVG and SUPERantispyware scans. I had to leave for a wedding but was afraid to turn off my computer. When I got home (late last night) I ran all those programs again, ....... and THEN this morning I decided to see what my "Major" had to say about this. I DID ALL THE PRE-STEPS YOU STATE TO DO BEFORE POSTING HERE,
    (at least I BELIEVE I did, AND I did TRY TO DO IT PRECISELY IN ORDER)
    (DEFINITELY downloaded all the programs, saved the logs, did NOT have anything fixed, removed, or deleted)
    SO NOW HERE I AM ...
    COMPUTER STILL HAS NOT BEEN TURNED OFF
    COMPUTER IS STILL RUNNING IN SAFE MODE with NETWORKING
    I HOPE YOU CAN HELP ME.
    I'M A Travel Agent and need my computer.
    I WON'T repost or add to my thread. I'LL JUST keep rechecking my thread as I work from time to time.
    THANX MAJOR !!
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you have done the Read and Run First instruction and have the requested logs, please attach them to your next message.
     
  3. javamama

    javamama Private E-2

    Here are the attached logs/reports/files you requested.
    Keep in mind the last step (mg tools) was done without turning off the computer or making any changes to my computer.
    (everything/status still remains the same/still has not been turned off/rebooted yet.)

    java
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : Apple (rundll32.exe "C:\Users\Selear2\AppData\Local\Apps\Apple\rsdbkta.dll",fltInfoW) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-3448384662-314311692-134589477-1002[...]\Run : Apple (rundll32.exe "C:\Users\Selear2\AppData\Local\Apps\Apple\rsdbkta.dll",fltInfoW) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-3448384662-314311692-134589477-1002_Classes[...]\Run : Apple (rundll32.exe "C:\Users\Selear2\AppData\Local\Apps\Apple\rsdbkta.dll",fltInfoW) -> FOUND
    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-3448384662-314311692-134589477-1002\$c12ae097b34622b9e8c820dd60954359\n.) -> FOUND
    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$c12ae097b34622b9e8c820dd60954359\n.) -> FOUND
    • [HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$c12ae097b34622b9e8c820dd60954359\n.) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    Now click the Files/folders tab and locate these detections:

    • [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$c12ae097b34622b9e8c820dd60954359\@ --> FOUND
    • [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-3448384662-314311692-134589477-1002\$c12ae097b34622b9e8c820dd60954359\@ --> FOUND
    • [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$c12ae097b34622b9e8c820dd60954359\U --> FOUND
    • [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-3448384662-314311692-134589477-1002\$c12ae097b34622b9e8c820dd60954359\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$c12ae097b34622b9e8c820dd60954359\L --> FOUND
    • [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-3448384662-314311692-134589477-1002\$c12ae097b34622b9e8c820dd60954359\L --> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Rescan with HitmanPro.
    Choose to Delete these files if they are detected:

    • C:\Users\Selear2\AppData\Local\Temp\is1438683437\zgInstaller.exe
    • C:\Users\Selear2\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\links@freeworkz.com\components\FreeWorkzFirefox.dll
    • HKLM\SOFTWARE\Classes\Interface\{01947140-417F-46B6-8751-A3A2B8345E1A}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Classes\Interface\{819FFE21-35C7-4925-8CDA-4E0E2DB94302}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Classes\Interface\{DB507187-9746-458C-97DA-C458131EEDE7}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Classes\TypeLib\{819FFE20-35C7-4925-8CDA-4E0E2DB94302}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Classes\TypeLib\{8FFDF636-0D87-4B33-B9E9-79A53F6E1DAE}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{799391D3-EB86-4bac-9BD3-CBFEA58A0E15}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{819FFE22-35C7-4925-8CDA-4E0E2DB94302}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D858DAFC-9573-4811-B323-7011A3AA7E61}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{01947140-417F-46B6-8751-A3A2B8345E1A}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{819FFE21-35C7-4925-8CDA-4E0E2DB94302}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{DB507187-9746-458C-97DA-C458131EEDE7}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{819FFE20-35C7-4925-8CDA-4E0E2DB94302}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{8FFDF636-0D87-4B33-B9E9-79A53F6E1DAE}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}\ (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions\m3ffxtbr@mywebsearch.com (Adware.MyWebSearch)
    • HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@mywebsearch.com/Plugin\ (Adware.MyWebSearch)
    Ignore all other detections.
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.

    After the reboot, rescan with both RogueKiller and Hitman and attach both those logs as well.
     
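Added example, not from the thread and not RogueKiller's own code: a small Python triage script that parses detection lines in the format RogueKiller printed above and applies the three indicators TimW's instructions rest on (a Run value that has rundll32 load a DLL out of a user's AppData tree, an InprocServer32 handler pointing under $Recycle.Bin, and the hidden $Recycle.Bin\<SID>\$<32 hex> directory), so a reader can see which lines get ticked for deletion and which are left alone. The sample report is constructed; the "Example Corp" Run entry is an invented benign control.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (hypothetical, not the poster's real RKreport): three lines in the
# format RogueKiller printed in the thread, plus one invented benign Run entry.
SAMPLE_REPORT = r"""
[RUN][SUSP PATH] HKCU\[...]\Run : Apple (rundll32.exe "C:\Users\Selear2\AppData\Local\Apps\Apple\rsdbkta.dll",fltInfoW) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$c12ae097b34622b9e8c820dd60954359\n.) -> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$c12ae097b34622b9e8c820dd60954359\U --> FOUND
[RUN] HKLM\[...]\Run : Updater ("C:\Program Files\Example Corp\updater.exe" /quiet) -> FOUND
"""

# [TAG][TAG] <location> : <value> -> FOUND   ("->" and "-->" both occur in the report)
LINE_RE = re.compile(r"^\[(?P<tags>.+?)\]\s+(?P<where>.+?)\s+:\s+(?P<what>.+?)\s+-+>\s+\w+$")
# ZeroAccess stashed its components under $Recycle.Bin\<SID>\$<32 hex chars>\
RECYCLE_HIDDEN_DIR = re.compile(r"\\\$recycle\.bin\\S-1-5-[\d-]+\\\$[0-9a-f]{32}\\", re.I)
# A Run value that makes rundll32 load a DLL from a user's AppData tree
APPDATA_RUNDLL = re.compile(r'rundll32\.exe\s+"?[A-Z]:\\Users\\[^"]+\\AppData\\[^"]+\.dll', re.I)

@dataclass
class Detection:
    tags: List[str]
    where: str
    what: str
    verdict: str = "benign-or-unknown"

def parse_line(line: str) -> Optional[Detection]:  # None for non-detection lines
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Detection(m["tags"].split("]["), m["where"], m["what"])

def classify(d: Detection) -> str:  # indicators from the thread, most specific first
    if "InprocServer32" in d.where and RECYCLE_HIDDEN_DIR.search(d.what):
        return "com-hijack-recyclebin"      # the [HJ INPROC][ZeroAccess] lines
    if RECYCLE_HIDDEN_DIR.search(d.what):
        return "recyclebin-hidden-dir"      # the @ file and the U / L folders
    if "RUN" in d.tags and APPDATA_RUNDLL.search(d.what):
        return "autorun-rundll32-appdata"   # the "Apple" Run entry
    return "benign-or-unknown"

def triage(report: str) -> List[Detection]:  # every parsed line, with a verdict attached
    found = [d for d in map(parse_line, report.splitlines()) if d is not None]
    for d in found:
        d.verdict = classify(d)
    return found

def to_delete(report: str) -> List[str]:  # what you would tick in RogueKiller's Delete step
    return [f"{d.where} : {d.what}" for d in triage(report) if d.verdict != "benign-or-unknown"]
```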
  5. javamama

    javamama Private E-2

    I deleted everything you said in the registry. When I went to the files tab to delete those "zero access" files and folders there were no places for checkmarks, so in an attempt to delete them one by one (only choice allowed) I deleted the first file and then they all disappeared. Was this supposed to happen? Should I proceed with your next step (the Hitman Pro scan)?
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, do all that I asked you to do. Then rescan with both and attach those new logs as well.
     
  7. javamama

    javamama Private E-2

    Okay here you go.
    I believe I did everything you asked and in the order that you said.
    BUT I DID accidentally do just a scan with the TDSS by mistake. I did not delete, quarantine, or do anything... when I realized my mistake, I quickly closed the program.
    One more question: when I started the Hitman scan, it asked for a key or if this was the 30-day free trial. I had to choose the 30-day free trial, was that ok?
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Tell me what issues you may still be having, if any.
     
  9. javamama

    javamama Private E-2

    I don't see any "problems" .... yet ..... but my AVG kept notifying me that something "trojan" is trying to change something on my computer. I do not have any other programs running at the moment, so I sent it to quarantine. I was too scared to hit the ignore or the allow. Is that ok? Should I keep those programs that you had me install on my computer? And if I keep them, should I always have to right click to run as admin or could I just click on them to start? (if I keep them) ... please advise.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can attach the log from AVG so I can see what it is blocking. I will give you final cleanup steps once we are sure you are malware free.
     
