WiredWX Hobby Weather ToolsLog in

 


descriptionFBI Ciberdivision warning EmptyFBI Ciberdivision warning

more_horiz
Both my laptop and desktop are showing the FBI warning. The laptop auto restarts when I try to go into safe mode. The desktop will not even bring safe mode up. The only internet access I have is my cell phone.

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
Let's start with the desktop computer. It's too confusing trying to clean both computers at the same time.
After you boot the computer with the Rescue disk and run the scan you can take the opportunity to save your important data to an external drive or DVD's


We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

Download the OTLPE Standard REATOGO Windows Recovery Environment.

  • Place a blank CD-R disc in to your CD burning drive.
  • Download OTLPEStd.exe and double-click on it to burn to a CD using an ISO Burner. One can be found here.
  • Reboot your system using the boot CD you just created.
  • Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
  • Change Drivers to Non-Microsoft
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\_OTL\MovedFiles
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
I downloaded ImgBurn to create CD and it gets stuck at "searching for SCSI/ATAPI devices" and will not allow access to anything. I tried another ISO burner and it did not work either. I don't know how to get them to work.

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
I downloaded ImgBurn to create CD and it gets stuck at "searching for SCSI/ATAPI devices" and will not allow access to anything. I tried another ISO burner and it did not work either. I don't know how to get them to work.

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
It would be best to create the repair disk on another computer.

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
I was going to try the USB but when I turned on the computer the FBI warning screen is now gone and the computer is not locked. I'm assuming the virus is still there but I have internet now.

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
Good news. Let's make sure that we get all of it.
Please download AdwCleaner by Xplode onto your Desktop.


  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

*********************************************
FBI Ciberdivision warning Mbamicontw5 Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.


  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
**********************************************
Please download Junkware Removal Tool to your desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
•The tool will open and start scanning your system.
•Please be patient as this can take a while to complete depending on your system's specifications.
•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
•Copy and Paste the JRT.txt log into your next message.

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
# AdwCleaner v2.303 - Logfile created 06/17/2013 at 18:25:33
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Home Premium  (64 bits)
# User : Mark - WASHERSKING
# Boot Mode : Normal
# Running from : C:\Users\Mark\Downloads\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****
File Deleted : C:\Users\Mark\AppData\Local\Temp\Uninstall.exe
Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\Users\Mark\AppData\Local\PackageAware
***** [Registry] *****
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Deleted : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils
Key Deleted : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16476
[OK] Registry is clean.
*************************
AdwCleaner[S1].txt - [2854 octets] - [17/06/2013 18:25:33]
########## EOF - C:\AdwCleaner[S1].txt - [2914 octets] ##########

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org
Database version: v2013.06.11.05
Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Mark :: WASHERSKING [administrator]
Protection: Enabled
6/17/2013 6:33:42 PM
mbam-log-2013-06-17 (18-33-42).txt
Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 375319
Time elapsed: 31 minute(s), 34 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\Mark\AppData\Local\Temp\cayspyh (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Home Premium x64
Ran by Mark on Mon 06/17/2013 at 19:24:04.72
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files
Successfully deleted: [File] "C:\users\default user\start menu\programs\startup\best buy pc app.lnk"
Successfully deleted: [File] "C:\Windows\couponprinter.ocx"

~~~ Folders
Successfully deleted: [Folder] "C:\ProgramData\best buy pc app"
Successfully deleted: [Folder] "C:\Users\Mark\appdata\local\best buy pc app"
Successfully deleted: [Folder] "C:\Program Files (x86)\coupons"

~~~ Event Viewer Logs were cleared


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 06/17/2013 at 19:26:21.66
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware, that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.
Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.
Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:
 What danger is presented by rootkits?
 Rootkits and how to combat them
 r00tkit Analysis: What Is A Rootkit
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
 Identity Theft Victims Guide - What to do
It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot
be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?
Guides for format and reinstall:
how-to-reformat-and-reinstall-your-operating-system-the-easy-way
However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.
Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
Thanks, we will do the reformat on this computer. Will it be ok to save all my pics to a USB before reformat?

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
blueyze wrote:
Thanks, we will do the reformat on this computer. Will it be ok to save all my pics to a USB before reformat?

Yes, save all your important data to USB or DVD's and scan them with at least two AV programs before putting them back on the computer.

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
I still cannot access the laptop. After reformatting I will try to create that recovery disk again. Thanks again for your help.

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
You're welcome. Good luck.

descriptionFBI Ciberdivision warning EmptyRe: FBI Ciberdivision warning

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum