Frozen FBI Moneypack Screen Zero Access

Discussion in 'Malware Help (A Specialist Will Reply)' started by wildflowergal, Aug 29, 2013.

  1. wildflowergal

    wildflowergal Private E-2

    Please help me on this. Tried to reboot in safe mode but it went right back to regular mode and the FBI Screen. Windows 7.

    Thank you
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do the below so that we can boot to System Recovery Options to run a scan. There will be two options to choose from. One if you do not have your Windows 7 boot DVD and another when you have your DVD.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Option1: Enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    Option2: Enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  3. wildflowergal

    wildflowergal Private E-2

    Hi there, ok I did it. Let me know if it's ok please.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Save fixlist.txt to your flash drive.

    • You should now have both fixlist.txt and FRST.exe on your flash drive.

    Now reboot back into the System Recovery Options as you did previously.
    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.

    Running MGTools.
     

    Attached Files:

  5. wildflowergal

    wildflowergal Private E-2

    No fixlist file shows up and it keeps telling me that. Just FRST.txt & Addition.txt. How do I make a fixlist.txt?

    It says I should make one and then fix.
     
  6. wildflowergal

    wildflowergal Private E-2

    Well it's funny, it all turned to a white screen and the only way to shut down was control alt delete. But when I would do it, I would see my regular desktop and the AVG antivirus alert flashing, but never had enough time to click the remove button. Then yesterday I did another shut down and the little buttons came up "force close and cancel", so I hit cancel real fast and lo and behold, my desktop came back and I was able to run every mal and spyware I had. So now I'm able to run anything, however I see 2 ZeroAccess files after running RogueKiller, but wanted to get guidance before doing a big cleanup. Please let me know the run down.

    Thank you so much for your great help, you are a nice person. Deborah
     
    Last edited: Aug 31, 2013
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  8. wildflowergal

    wildflowergal Private E-2

    Here's the first log:

    RogueKiller V8.6.7 _x64_ [Aug 28 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : TEST [Admin rights]
    Mode : Scan -- Date : 08/31/2013 00:50:35
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 12 ¤¤¤
    [RUN][ZeroAccess] HKUS\.DEFAULT\[...]\Run : Google Update ("C:\Windows\system32\config\systemprofile\AppData\Local\Google\Desktop\Install\{2866e762-6a40-e9a4-3466-3797a275df6a}\?��?��?��\?��?��?��\???ﯹ๛\{2866e762-6a40-e9a4-3466-3797a275df6a}\GoogleUpdate.exe" >) -> FOUND
    [RUN][ZeroAccess] HKUS\S-1-5-18\[...]\Run : Google Update ("C:\Windows\system32\config\systemprofile\AppData\Local\Google\Desktop\Install\{2866e762-6a40-e9a4-3466-3797a275df6a}\?��?��?��\?��?��?��\???ﯹ๛\{2866e762-6a40-e9a4-3466-3797a275df6a}\GoogleUpdate.exe" >) -> FOUND
    [HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ POL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND

    ¤¤¤ Scheduled tasks : 1 ¤¤¤
    [V2][ROGUE ST] 4501 : wscript.exe - C:\Users\TEST\AppData\Local\Temp\launchie.vbs //B -> FOUND

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpCommu.dll : C:\Program Files\Windows Defender\MpCommu.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Windows Defender\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
    [ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    ÿþ1

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: FUJITSU MJA2500BH G2 +++++
    --- User ---
    [MBR] 68fa4a3d81dfa5d7805f2a44a8901259
    [BSP] 714f928a877dd24861807a49fca66eab : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 16384 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 33556480 | Size: 200 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 33966080 | Size: 230177 Mo
    3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 505368576 | Size: 230177 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: FUJITSU MJA2500BH G2 +++++
    --- User ---
    [MBR] 741608d92d0d514c3ab62573bb9a9cef
    [BSP] a83a24340e59ea8cbbf2d8eaa19e98b0 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7701 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[0]_S_08312013_005035.txt >>
     
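The RogueKiller findings in the log above (Windows Defender files replaced by junctions into \systemroot\system32\config, [HJ POL] policy values, a "Google Update" Run value under the SYSTEM profile, and a wscript.exe task launching a .vbs from Temp) can be checked directly on a host. The script below is an added, read-only example, not a tool from this thread or from RogueKiller, and assumes an elevated PowerShell prompt (Run As Administrator) on Windows 7 or later.

```powershell
# Added example (not from the thread): read-only audit of a Windows host for the
# ZeroAccess artifacts RogueKiller listed above. It only reports; it never deletes.
# Assumes an elevated PowerShell prompt (right-click, Run As Administrator).

$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$kind, [string]$detail) {
    [void]$findings.Add(("{0,-8} {1}" -f $kind, $detail))
}

# 1. Reparse points where Windows Defender's own files should be. The log shows
#    every Defender file turned into a junction aimed at \systemroot\system32\config,
#    which is why Defender cannot start. A clean install has plain files here.
$defenderDirs = @("$env:ProgramFiles\Windows Defender",
                  "${env:ProgramFiles(x86)}\Windows Defender")
foreach ($dir in $defenderDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            Add-Finding 'JUNCTION' $_.FullName
        }
    }
}

# 2. Policy values RogueKiller flagged as [HJ POL]. EnableLUA=0 turns UAC off,
#    ConsentPromptBehaviorAdmin=0 elevates without prompting, and a nonzero
#    DisableTaskMgr / DisableRegistryTools locks the user out of Task Manager / regedit.
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $p = Get-ItemProperty -LiteralPath $key
    if ($p.EnableLUA -eq 0) {
        Add-Finding 'UAC' "$key EnableLUA=0 (UAC disabled)"
    }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        Add-Finding 'UAC' "$key ConsentPromptBehaviorAdmin=0 (elevate without prompt)"
    }
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $v = $p.$name
        if ($v -ne $null) { Add-Finding 'POLICY' "$key $name=$v" }
    }
}

# 3. Run values in the SYSTEM account's hive (HKU\S-1-5-18, also seen as .DEFAULT).
#    The fake "Google Update" in the log was started from here, out of
#    systemprofile\AppData. A clean host normally has no Run values in this hive.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in 'S-1-5-18', '.DEFAULT') {
    $run = "HKU:\$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -LiteralPath $run)) { continue }
    $props = Get-ItemProperty -LiteralPath $run
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $kind = if ($prop.Value -match 'config\\systemprofile\\AppData') { 'ZA-RUN' } else { 'RUN' }
        Add-Finding $kind "$run\$($prop.Name) = $($prop.Value)"
    }
}

# 4. Scheduled tasks that run wscript.exe on a script in a Temp folder, like the
#    launchie.vbs task in the log. A plain text match keeps this PowerShell 2.0 friendly.
$taskLines = schtasks.exe /query /fo csv /v 2>$null
foreach ($line in $taskLines) {
    if ($line -match '(?i)wscript\.exe' -and $line -match '(?i)\\Temp\\') {
        Add-Finding 'TASK' $line
    }
}

# Report: anything listed here deserves a closer look before running a cleanup tool.
if ($findings.Count -eq 0) {
    Write-Output 'No ZeroAccess indicators found.'
} else {
    Write-Output ("{0} indicator(s) found:" -f $findings.Count)
    $findings | ForEach-Object { Write-Output $_ }
}
```

On a 32-bit Windows the Wow6432Node key and the Program Files (x86) folder simply do not exist and are skipped.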
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach your logs.
     
  10. wildflowergal

    wildflowergal Private E-2

    Hi Tim,

    Ok here are the logs. Let me know if you need anything else. Thank you so much :0)

    Deborah
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][ZeroAccess] HKUS\.DEFAULT\[...]\Run : Google Update ("C:\Windows\system32\config\systemprofile\AppData\Local\Google\Desktop\Install\{2866e762-6a40-e9a4-3466-3797a275df6a}\?��?��?��\?��?��?��\???ﯹ๛\{2866e762-6a40-e9a4-3466-3797a275df6a}\GoogleUpdate.exe" >) -> FOUND
      [RUN][ZeroAccess] HKUS\S-1-5-18\[...]\Run : Google Update ("C:\Windows\system32\config\systemprofile\AppData\Local\Google\Desktop\Install\{2866e762-6a40-e9a4-3466-3797a275df6a}\?��?��?��\?��?��?��\???ﯹ๛\{2866e762-6a40-e9a4-3466-3797a275df6a}\GoogleUpdate.exe" >) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    Now fix this:
    ¤¤¤ Scheduled tasks : 1 ¤¤¤
    [V2][ROGUE ST] 4501 : wscript.exe - C:\Users\TEST\AppData\Local\Temp\launchie.vbs //B -> FOUND

    Now click the Files/folders tab and locate these detections:


    • [ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpCommu.dll : C:\Program Files\Windows Defender\MpCommu.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Windows Defender\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND

      Now run Hitman and delete these items:
      Code:
      [ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpCommu.dll : C:\Program Files\Windows Defender\MpCommu.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Windows Defender\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
      [ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND
      Then remove everything under the PUP/s.

      Reboot and rescan with both RogueKiller and Hitman and attach those new logs as well.

      Be sure to tell me how things are running now.
     
  12. wildflowergal

    wildflowergal Private E-2

    I can't seem to be able to access these directories for the list you mentioned. Where are they? On RK the files tab has nothing under it. IE stops at the dll ext and won't let me go any further past that ext. I'm sorry, what can I do?
     
    Last edited: Sep 1, 2013
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you run Hitman? Did you run RogueKiller and delete the items under registry?

    You need to tell me exactly what you did and what happened.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just an FYI of instructions I use to remove this new ZA stuff. You may find the below a lot more straightforward.


     
  15. wildflowergal

    wildflowergal Private E-2

    On RogueKiller, there were no other files that looked like the ZA files you had pasted, and deleted the two ZA files on top. Then I think I was confused on the Hitman log. I had to go to an appt so I need to go back to that one. I tried to look for the files in Win Explorer too. I'll do Hitman again and really concentrate on the files. Sorry:( I will try again.

     
    Last edited: Sep 2, 2013
  16. wildflowergal

    wildflowergal Private E-2

    So the files on RK didn't have extensions, but were picked up on the scan. They were kind of masked. Are those all files I should have deleted? There were no files under the files tab on RK, just registry.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just run RogueKiller exactly the way I quoted in msg # 14 and attach the new log.

    Then reboot your PC and run new scans with both RogueKiller and Hitman Pro and attach these new logs.
     
  18. wildflowergal

    wildflowergal Private E-2

    Ok then I will, thank you. I'm usually somewhat tech savvy, but seem to be a little dumb blond on this one :0)

     
  19. wildflowergal

    wildflowergal Private E-2

    Ok here it is. Thank you

    RogueKiller V8.6.7 _x64_ [Aug 28 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : TEST [Admin rights]
    Mode : Remove -- Date : 09/03/2013 19:54:56
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 10 ¤¤¤
    [HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
    [HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ POL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
    [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ POL] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> [0x2] The system cannot find the file specified.
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> REPLACED (1)

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    ÿþ1

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: FUJITSU MJA2500BH G2 +++++
    --- User ---
    [MBR] 68fa4a3d81dfa5d7805f2a44a8901259
    [BSP] 714f928a877dd24861807a49fca66eab : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 16384 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 33556480 | Size: 200 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 33966080 | Size: 230177 Mo
    3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 505368576 | Size: 230177 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_D_09032013_195456.txt >>
    RKreport[0]_S_09032013_195438.txt
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please remember that all logs should be attachments only. You should not be posting them inline and then also as attachments.


    Okay that took care of the ZeroAccess infection. Now to continue with the rest.
    Uninstall the below programs. If they do not uninstall or you do not find them just keep going.
    DefaultTab
    Sendori


    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\QooBox
    C:\TDSSKiller_Quarantine
    C:\PROGRA~2\BEARSH~1
    C:\Program Files (x86)\Sendori
    C:\Windows\SysWOW64\Sendori.dll
    C:\Windows\TEMP\*.*
    C:\Users\TEST\AppData\Local\Temp\*.*
    dir C:\ProgramData\ychw /c
     
    :Reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{7A3174DB-1826-4F1E-926D-C1FC47DE15BE}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9E0E057E-97D4-49F2-8013-133F35958AA5}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}"=-
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  21. wildflowergal

    wildflowergal Private E-2

    Hi again,

    So sorry for the delay. When I ran OTM, it all went ok, until I restarted and was unable to use IE to sign on. Also my email outlook wouldn't work, even though I had a strong internet connection. So after troubleshooting, I restored back to a few days earlier. Then downloaded IE 10, thinking if I ran it again, I could install that and get on IE. But today when I did that, no go. So I copied the OTM log on a jump drive and went to my desktop to attach it to this reply before I did anything else. Maybe the OTM move took away a needed thing to get on the internet. My internet is working fine, it's in the computer I'm sure. Would you check the log and see if there's anything that may have been deleted that I need back on the computer, please? Thank you so much.

    Deborah
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! It did not remove anything that would cause this. This is possibly residual effects from the ZeroAccess infection we have been removing. That is what ZeroAccess is notorious for doing. Now that you did a system restore you will have to start all over again. We will need all scans from the READ & RUN ME to be run again and all new logs to be reposted. We have to start over again to see how much of the infections were possibly reinstalled.
     
  23. wildflowergal

    wildflowergal Private E-2

    Oh my gosh, you're so smart. I actually ran OTM the second time without a restore back to a few days ago. So I can run all the scans and save to my jump drive for your review. I'm on my other computer, since I can't access the Internet from the Win 7 LapTop right now. Please let me know, if I should do anything different. Oh the log I sent you is after this 2nd OTM sweep.

    Thank you, Deborah
     
  24. wildflowergal

    wildflowergal Private E-2

    Well here's the latest since I did the OTM thing. Could it be some DNS thing? I can run the scans, with no updates. I did update them the last time I ran the scans though.

    I was only able to get on Internet Explorer finally, by going to Programs/IE 64bit/ right click, run as administrator. My email still doesn’t download into outlook express and no malware updates will download. See error code below.

    Computer will not update. Error has occurred in Malwarebytes the code is:
    PROGRAM_ERROR_UPDATING (0,0 DNS error)

    Also Windows updates won't download. (Windows update encountered an unknown error: Code 80246008)
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You didn't attach the new logs.
     
  26. wildflowergal

    wildflowergal Private E-2

    All my icons were frozen, I just had started to run everything. I just rebooted. Thank you for your help and patience :)
     
  27. wildflowergal

    wildflowergal Private E-2

    Ok here are the logs. Let me know if they're ok. Thank you
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I expected, your System Restore put back some of the junk we had already cleaned up. Let's first work on the network connection issue.

    Run the C:\MGtools\NetFWfix.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator). This will run very quickly and you may just notice a quick flash of a black command prompt window.


    Be patient while doing the below. The fixes can sometimes take quite a while to run. Especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.

    Now download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now! Does your internet connection work? We still do have to remove the junkware that you restored, but first I wanted to complete the above.
     
  29. wildflowergal

    wildflowergal Private E-2

    Oh thank you so much. I did get just the internet working but nothing will download at all. I just found a link that was IE 64bit and it worked. I deleted all the others. No email on outlook either. At least I can work on it now. I'll get it started and keep you posted. It's early here, just 8pm. The internet is fine on the desktop connected to the same wifi network.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please finish my last instructions and we will continue once the new log is posted.
     
  31. wildflowergal

    wildflowergal Private E-2

    Ok Sorry, Never mind, I found it...
     
    Last edited: Sep 11, 2013
  32. wildflowergal

    wildflowergal Private E-2

    OK here's the MGlogs zip :)
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that fixed a bunch of issues related to networking and the Windows Firewall services, but we have some steps to redo.

    Uninstall the below programs. If they do not uninstall or you do not find them just keep going.
    DefaultTab
    Sendori


    Run OTM.exe that you previously downloaded by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Users\TEST\AppData\Roaming\DefaultTab
    C:\ProgramData\Sendori
    C:\ProgramData\ychw
    C:\Program Files (x86)\Sendori
    C:\Windows\SysWOW64\Sendori.dll
    C:\Windows\TEMP\*.*
    C:\Users\TEST\AppData\Local\Temp\*.*
     
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Sendori]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now rerun Junkware Removal Tool per the below instructions.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
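    The OTM script above kills explorer.exe, moves the listed files and folders out of the way, deletes the two uninstall registry keys, empties the temp folders, restarts explorer and reboots. The following is an added example in PowerShell of the same sequence; it is my code, not OTM's or chaslang's, and it assumes an elevated (Run As Administrator) Windows PowerShell prompt on the same machine, the same paths the script above lists, and a quarantine folder C:\_Quarantine plus log file name that are my own choices. Items are moved into quarantine and registry keys are exported before deletion, so anything caught by mistake can be put back.

```powershell
# Added example (not OTM's code): PowerShell equivalent of the OTM script above.
# Assumptions: elevated PowerShell on Windows 7; quarantine folder and log name are mine.
$Quarantine = "C:\_Quarantine\{0}" -f (Get-Date -Format "MMddyyyy_HHmmss")
$Log        = Join-Path $Quarantine "moved.log"
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

function Write-Log([string]$Message) {
    $line = "{0} {1}" -f (Get-Date -Format "s"), $Message
    Add-Content -Path $Log -Value $line
    Write-Host $line
}

# :Processes  -- stop the shell so files it holds open can be moved.
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue

# :Files  -- move (never delete) each item into quarantine, keeping its path layout.
$MoveItems = @(
    "C:\Users\TEST\AppData\Roaming\DefaultTab",
    "C:\ProgramData\Sendori",
    "C:\ProgramData\ychw",
    "C:\Program Files (x86)\Sendori",
    "C:\Windows\SysWOW64\Sendori.dll"
)
foreach ($item in $MoveItems) {
    if (-not (Test-Path -LiteralPath $item)) { Write-Log "not found: $item"; continue }
    $dest = Join-Path $Quarantine ($item -replace '^[A-Za-z]:\\', '')
    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
    try {
        Move-Item -LiteralPath $item -Destination $dest -Force -ErrorAction Stop
        Write-Log "moved: $item -> $dest"
    } catch {
        # A DLL still loaded by a running process cannot be moved; OTM gets around
        # this with its reboot step, so record it for a second pass after reboot.
        Write-Log "LOCKED (retry after reboot): $item : $($_.Exception.Message)"
    }
}

# [EmptyTemp]  -- the *.* entries: empty the temp folders item by item, skipping files in use.
$TempDirs = @("C:\Windows\TEMP", "C:\Users\TEST\AppData\Local\Temp")
foreach ($dir in $TempDirs) {
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            Remove-Item -LiteralPath $_.FullName -Recurse -Force -ErrorAction Stop
            Write-Log "deleted temp: $($_.FullName)"
        } catch {
            Write-Log "in use, skipped: $($_.FullName)"
        }
    }
}

# :Reg  -- export each uninstall key to the quarantine folder, then delete it.
$RegKeys = @(
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab",
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Sendori"
)
foreach ($key in $RegKeys) {
    $psPath = "Registry::" + ($key -replace '^HKLM', 'HKEY_LOCAL_MACHINE')
    if (Test-Path -LiteralPath $psPath) {
        $backup = Join-Path $Quarantine ((($key -split '\\')[-1]) + ".reg")
        reg.exe export $key $backup /y | Out-Null
        Remove-Item -LiteralPath $psPath -Recurse -Force
        Write-Log "removed key: $key (backup: $backup)"
    } else {
        Write-Log "key not present: $key"
    }
}

# [start explorer] and [Reboot]
Start-Process explorer.exe
Write-Log "log written to $Log; rebooting"
Restart-Computer -Force
```

    After the reboot, open the moved.log in the quarantine folder: any line marked LOCKED is a file that was in use (typically the Sendori.dll in SysWOW64) and needs the move repeated now that nothing has it loaded. Only delete the quarantine folder once the machine has run normally for a while.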
  34. wildflowergal

    wildflowergal Private E-2

    Good job :) here's the OTM log. When I uninstalled Sendori, my computer freaked out and real quick just shut down on its own. Like I cast a demon out of it LOL. Anyways, things are still working well. I thank you from the bottom of my heart for all of your hard work and being so caring for all the people like me. Also all of your fellow workers, dedicating all this time and effort to share your high tech knowledge with us. Thank you so much again. I will donate as soon as I get paid next week for sure. :wave
     

    Attached Files:

  35. wildflowergal

    wildflowergal Private E-2

    OK, well, I guess I was overwhelmed by appreciation. So here are the other 2 logs. The OTM log is in my comment before this one. Thanks again, Deborah
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
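    Steps 4 and 7 above (re-enable UAC, then flush and recreate restore points) can be done and, more usefully, verified from an elevated PowerShell prompt. The block below is an added example of mine; it is not MGtools' enableUAC.reg or MGclean.bat, and it assumes Windows 7 with Windows PowerShell 2.0 or later and C: as the system drive. The value it sets, EnableLUA = 1, is the Windows default that a UAC-enabling .reg file restores.

```powershell
# Added example (not MGtools' code): confirm UAC is back on, then flush restore points.
# Assumptions: elevated Windows PowerShell 2.0+ on Windows 7, system drive C:.
$uacKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$uac = Get-ItemProperty -Path $uacKey -Name EnableLUA

# Step 4: EnableLUA = 1 is the Windows default; set it if the cleanup left it off.
if ($uac.EnableLUA -ne 1) {
    Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1 -Type DWord
    Write-Host "EnableLUA was $($uac.EnableLUA); set to 1 (takes effect after reboot)"
} else {
    Write-Host "UAC already enabled (EnableLUA = 1)"
}

# Step 7: disabling System Restore on the drive discards every existing restore
# point, including any that captured the infection; re-enabling it and taking a
# checkpoint leaves a single known-clean point to roll back to.
Disable-ComputerRestore -Drive "C:\"
Enable-ComputerRestore  -Drive "C:\"
Checkpoint-Computer -Description "Clean after malware removal" -RestorePointType MODIFY_SETTINGS

# Verify: only the new point should be listed.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
```

    If the final listing still shows older restore points, System Restore was not actually turned off for the drive; repeat the disable/enable step through the System Protection dialog the linked instructions describe before relying on the new checkpoint.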