WiredWX Christian Hobby Weather Tools

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

do i start to panic now??

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4876

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

10/18/2010 10:25:31 PM
mbam-log-2010-10-18 (22-25-31).txt

Scan type: Quick scan
Objects scanned: 138112
Time elapsed: 7 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet.

  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right), and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web CureIt when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

still scanning... =(

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

ok

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

is it normal to take this long? I just glanced at the screen and it's only halfway through the custom scan...

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

Yes, it takes a while. It is well worth it, believe me.

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

alright, you're the resident expert, I just follow instructions, lol... I just don't get how this happened? all I had open was gmail and ch131.com which I was told is virus / Trojan free? lol

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

Actually, it is a phishing site:

Info Via: http://www.mywot.com/en/scorecard/ch131.com

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

how sad is it that I just had to wikipedia "phishing" ?? lol... *sigh*

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

is it over?? please tell me good news... i'm gonna pass out now, the damn dr.web JUST finished...

Fdc.sys;C:\WINDOWS\system32\drivers;Trojan.Packed.140;Deleted.;
A0002015.dll;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.20961;Incurable.Moved.;
A0002016.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002017.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002018.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002019.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002020.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002021.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002022.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002023.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002024.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002025.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002026.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002027.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002028.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002029.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002030.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002031.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002032.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002033.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002034.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002035.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002036.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002037.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002038.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002039.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002040.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002041.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002042.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002043.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002044.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002045.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002046.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
A0002048.exe;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Siggen2.5194;Incurable.Moved.;
A0009099.sys;C:\System Volume Information\_restore{6E532223-F595-472D-9374-5FBA01B53D99}\RP0;Trojan.Packed.140;Deleted.;
Fdc.sys;C:\WINDOWS\system32\drivers;Trojan.Packed.140;Deleted.;

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

Good work. Let's move on. I need to check something.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    fdc.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

doing it now... but the blue screen still pops up incidentally... =(

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

okay, so there is still definitely something wrong with my computer still... when i try to go to GeekPolice website, it keeps directing me elsewhere, even if i try going through google and the long way to the website, AND, i am still getting that blue screen when i'm not in safe mode... =( but here is the info you requested...

SystemLook 04.09.10 by jpshortstuff
Log created at 13:24 on 19/10/2010 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "fdc.sys"
C:\WINDOWS\system32\drivers\Fdc.sys --a---- 841216 bytes [12:00 14/04/2008] [20:28 19/10/2010] (Unable to calculate MD5)

-= EOF =-

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

anyone help please?? i just got a notice from road runner internet that i have 24 hours to fix the virus otherwise they might suspend / cancel my internet service, lol...

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

bump?? :sad:

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

Please be patient. We all work very busy lives, and forums are just our hobby work. However, still taking all of our tasks seriously, we cannot compete by ourselves with all of the virus makers. We have tons to work for, so we cannot usually get to everyone more than once a day.

Do you have an XP CD?

We need to replace a file that is infected. It is the same file that keeps on spawning the blue screen of death.

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

sorry if i seem impatient, but i have never seen the warning message from an internet provider before... i don't want to find out if they are bluffing about cancelling my internet service, lol...

and no, i no longer have any of the xp disks...

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

If they did not tell you directly, then I would not worry about it. It may be a scare tactic by the malware.

It may be able to be disinfected with this removal disc:

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Let me know how it goes.

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

they did tell me directly, it was a message from roadrunner themselves... *crap* thank you though for all your assistance and patience...

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

Contact them back, and tell them to hold off, as you are in the process of getting professional help on removal. Tell them it takes a bit longer than just a day or two to get it disinfected.

Let me know on the progress of the Kaspersky rescue disc.

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

running it again as we speak... said some of the viruses are "postponed" ?? option B is to take a bullet to the laptop...

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

so this is from the first scan... what does the malfunction and postponed mean??

Objects Scan: malfunction (events: 3, objects: 2, time: Unknown)

10/20/10 3:18 AM Task started

10/20/10 4:49 AM Detected: Trojan.Win32.Clicker.hd C:/Documents and Settings/Owner/DoctorWeb/Quarantine/A0002048.exe/data0004

10/20/10 4:49 AM Untreated: Trojan.Win32.Clicker.hd C:/Documents and Settings/Owner/DoctorWeb/Quarantine/A0002048.exe/data0004 Postponed


Objects Scan: completed 1 hour ago (events: 17, objects: 368315, time: 06:43:17)

10/20/10 6:35 AM Task started

10/20/10 7:58 AM Detected: HEUR:Trojan.Win32.Generic C:/Documents and Settings/Owner/DoctorWeb/Quarantine/A0002015.dll

10/20/10 7:58 AM Untreated: HEUR:Trojan.Win32.Generic C:/Documents and Settings/Owner/DoctorWeb/Quarantine/A0002015.dll Postponed

10/20/10 8:23 AM Detected: Trojan.Win32.Clicker.hd C:/Qoobox/Quarantine/C/Program Files/Mozilla Firefox/searchplugins/google_search.xml.vir

10/20/10 8:23 AM Untreated: Trojan.Win32.Clicker.hd C:/Qoobox/Quarantine/C/Program Files/Mozilla Firefox/searchplugins/google_search.xml.vir Postponed

10/20/10 8:26 AM Detected: Trojan-Spy.Win32.SpyEyes.crp C:/System Volume Information/_restore{6E532223-F595-472D-9374-5FBA01B53D99}/RP0/A0002049.exe/UPX

10/20/10 8:26 AM Untreated: Trojan-Spy.Win32.SpyEyes.crp C:/System Volume Information/_restore{6E532223-F595-472D-9374-5FBA01B53D99}/RP0/A0002049.exe/UPX Postponed

10/20/10 8:26 AM Detected: Trojan.Win32.FakeAV.ngj C:/System Volume Information/_restore{6E532223-F595-472D-9374-5FBA01B53D99}/RP0/A0002047.exe

10/20/10 8:26 AM Untreated: Trojan.Win32.FakeAV.ngj C:/System Volume Information/_restore{6E532223-F595-472D-9374-5FBA01B53D99}/RP0/A0002047.exe Postponed

10/20/10 8:35 AM Detected: HEUR:Trojan.Win32.Generic C:/Documents and Settings/Owner/DoctorWeb/Quarantine/A0002015.dll

10/20/10 1:18 PM Detected: Trojan.Win32.Clicker.hd C:/Qoobox/Quarantine/C/Program Files/Mozilla Firefox/searchplugins/google_search.xml.vir

10/20/10 1:18 PM Deleted: Trojan.Win32.Clicker.hd C:/Qoobox/Quarantine/C/Program Files/Mozilla Firefox/searchplugins/google_search.xml.vir

10/20/10 1:18 PM Detected: Trojan.Win32.FakeAV.ngj C:/System Volume Information/_restore{6E532223-F595-472D-9374-5FBA01B53D99}/RP0/A0002047.exe

10/20/10 1:18 PM Deleted: Trojan.Win32.FakeAV.ngj C:/System Volume Information/_restore{6E532223-F595-472D-9374-5FBA01B53D99}/RP0/A0002047.exe

10/20/10 1:18 PM Detected: Trojan-Spy.Win32.SpyEyes.crp C:/System Volume Information/_restore{6E532223-F595-472D-9374-5FBA01B53D99}/RP0/A0002049.exe/UPX

10/20/10 1:18 PM Deleted: Trojan-Spy.Win32.SpyEyes.crp C:/System Volume Information/_restore{6E532223-F595-472D-9374-5FBA01B53D99}/RP0/A0002049.exe

10/20/10 1:18 PM Task completed


Objects Scan: running (events: 3, objects: 158691, time: 01:21:47)

10/20/10 1:23 PM Task started

10/20/10 1:25 PM Task stopped

10/20/10 1:29 PM Task started

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

It means that the removal tool found the threats in a Quarantine folder (where they belong), but cannot remove them, because the quarantine is locked. But, they are safe to be in quarantine, so that is not a big deal.

We need to figure out how to disinfect fdc.sys.

Please give me a few hours, as I have to contact a couple of colleagues on obtaining the correct file replacement for your operating system.

As of right now, you can tell RoadRunner, that your computer is disinfected.
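
Added example (not part of the original thread, and not code from any of the tools named in it): the reply above separates detections sitting in a quarantine folder from the infected driver that still has to be dealt with. The Python below applies that triage to a report in the semicolon-separated layout of the Dr.Web log posted earlier; the sample rows are constructed, the restore-point GUID is a placeholder, and the location buckets and function names are assumptions of this example.

```python
"""Triage a Dr.Web CureIt report by where each detected file was found."""
from collections import Counter
from typing import NamedTuple

# Constructed sample in the "name;folder;threat;action;" layout of the report
# posted in this thread. Shortened; the restore-point GUID is a placeholder.
SAMPLE_REPORT = r"""
Fdc.sys;C:\WINDOWS\system32\drivers;Trojan.Packed.140;Deleted.;
A0002015.dll;C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP0;Trojan.Packed.20961;Incurable.Moved.;
A0002016.sys;C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP0;Trojan.Packed.140;Deleted.;
A0002048.exe;C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP0;Trojan.Siggen2.5194;Incurable.Moved.;
Fdc.sys;C:\WINDOWS\system32\drivers;Trojan.Packed.140;Deleted.;
this line is not a report row
"""


class Detection(NamedTuple):
    name: str
    folder: str
    threat: str
    action: str
    location: str  # bucket assigned by classify_location()


def classify_location(path: str) -> str:
    """Bucket a path (either slash style) by how the file is reached.

    Bucket names are this example's own: quarantine and System Restore hold
    stored copies; "live_*" paths are files Windows can load directly.
    """
    p = path.replace("/", "\\").lower()
    if "\\quarantine" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    if "\\system32\\drivers" in p:
        return "live_driver"
    return "live_other"


def parse_report(text: str) -> list:
    """Parse report rows, skipping malformed lines and exact repeats."""
    rows, seen = [], set()
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().rstrip(";").split(";")]
        if len(fields) != 4 or not all(fields):
            continue  # blank line or not a 4-field report row
        name, folder, threat, action = fields
        key = (name.lower(), folder.lower(), threat)
        if key in seen:
            continue  # the posted report lists Fdc.sys twice
        seen.add(key)
        rows.append(Detection(name, folder, threat, action.rstrip("."),
                              classify_location(folder)))
    return rows


def needs_follow_up(rows: list) -> list:
    """Detections on the live system, whatever action the scanner reported.

    These are the rows to re-check after the reboot, as the thread does for
    fdc.sys with a file search.
    """
    return [r for r in rows if r.location.startswith("live")]


def summarize(rows: list) -> Counter:
    """Count detections per location bucket."""
    return Counter(r.location for r in rows)


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(dict(summarize(parsed)))
    for r in needs_follow_up(parsed):
        print("re-check after reboot:", r.folder + "\\" + r.name, r.threat, r.action)
```
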

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

thank you for the better news !!! lol... look forward to your reply...

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

Hi.

Thanks for your patience. I have obtained a copy of the file.

Please download ComboFix from BleepingComputer.com

Save it to your Desktop, and do NOT run it, yet.


===========

Then, download this file: http://www.mediafire.com/?q8dg8ahclu4wlom
and save it to your Desktop, and do NOT run it, either.

===========

Running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    FCopy::
    C:\documents and settings\owner\desktop\fdc.sys | C:\windows\system32\drivers\fdc.sys
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [Image]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.



NOTE:
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

[Image: Query_RC]
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[Image: RC_successful]

  • Click on Yes, to continue scanning for malware.

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

Well, I'm not sure what to do at this point... roadrunner shut me down, and the department they need me to speak with is already closed for the day... =( I got slapped with the "unacceptable activity" notice...

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

I'm responding from my blackberry incidentally, so if it takes me awhile to respond or you don't hear anything for awhile, you know why... I hate viruses, I hate hackers (the bad ones, lol) and I hate channel 131... Suspect and I guess I can blame myself as well, lol...

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

i can't download the FDC thing... getting an error message and it says it can't download from the source file or disk...

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

Are you sure you clicked Save and not Open when the file began download?

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

yes...

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

I'm back up and running on the Internet, now I just need the blue screen of death to go away...

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

Let's try this once more...

(If you have ComboFix already downloaded...good, no need to download again.)

Please download ComboFix from BleepingComputer.com

Save it to your Desktop, and do NOT run it, yet.


===========

Then, download this file: ftp://ftp.GeekPolice.net/GPUser/DragonMasterJay/fdc.sys
and save it to your Desktop, and do NOT run it, either.

===========

Running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    FCopy::
    C:\documents and settings\owner\desktop\fdc.sys | C:\windows\system32\drivers\fdc.sys
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [Image]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.



NOTE:
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

[Image: Query_RC]
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[Image: RC_successful]

  • Click on Yes, to continue scanning for malware.

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

sorry for the delay, i had to go out of town for a couple of days... but i'm back now and the link didn't work... won't let me download, gives me the same error message... :sad:

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

here is what it says...

"cannot copy FDC[1]: cannot read from source file or disk..."

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

I've been doing all this from safe mode unfortunately, otherwise I can't get onto the computer, or rather log into windows... I get that blue screen shortly after logging in...

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

1. Please download The Avenger by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to move:
C:\documents and settings\owner\desktop\fdc.sys | C:\windows\system32\drivers\fdc.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Re: THINKPOINT removed, hopefully?? BUT, now another problem arrived...

on reboot, hits the blue screen of death... and i tried running the program and rebooting back into safemode, and it does nothing...

i'm seriously contemplating taking a .40 bullet to the laptop right about now, lol...
