
Solved FBI Greendot Moneypak virus

Discussion in 'Malware and Virus Removal Archive' started by Bucksone, 2013/05/16.

  1. 2013/05/16
    Bucksone Well-Known Member Thread Starter

    [Resolved] FBI Greendot Moneypak virus

    My elderly mother-in-law's computer has been infected with the FBI ransomware virus. When she turns the computer on this official-looking page comes up purporting to be from the FBI. It says the computer has been used for various bad things, like ****, spam, copyright violations, etc. It says her computer has been locked and she has to pay the FBI, through MoneyPak, $200 to unlock it. The only true part of this is that her computer has indeed been locked. I tried to open Task Manager to make it go away but that didn't work. I had to hold down the on/off button and do a hard shutdown. When I rebooted, I tried to go into Safe Mode but that didn't work. I was able to get into Safe Mode with Command Prompt, but I didn't know what to do next. Prior to going over to her house I downloaded Spyhunter and Malwarebytes onto a cd and took it with me. I couldn't figure out a way to get those to open and install on her computer.

    So, I'm hoping for some help in fixing her computer. This site has come through for me in the past. Usually it's to fix something with her computer, not mine!

    She's running Vista Home Premium. Thanks in advance for any help.
     
  2. 2013/05/16
    broni Moderator Malware Analyst

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using the Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the x64 bit version type e:\frst64) and press Enter
      Note: Replace the letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     


  4. 2013/05/16
    Bucksone Well-Known Member Thread Starter

    A couple of questions.

    How do I know if her computer is 32 bit or 64 bit?

    Is there any chance of infecting my own computer if I am using a flash drive to transfer the downloaded program(s) from my computer to her's?

    I will do my best to make timely replies. Since the computer is at her house, though, I'll have to go over there once a day to do the next step of your instructions. That might drag things out a bit, but rest assured that I appreciate your help.
     
  5. 2013/05/16
    broni Moderator Malware Analyst

    If you try to run the wrong version, it'll just error on you.

    Yes.
    Install Panda USB Vaccine, or BitDefender’s USB Immunizer, on the GOOD computer to protect it from any infected USB device.
     
  6. 2013/05/18
    Bucksone Well-Known Member Thread Starter

    Ok, I've followed the instructions and the log is below.

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-05-2013
    Ran by SYSTEM on 18-05-2013 13:16:56
    Running from F:\
    Windows Vista (TM) Home Premium (X86) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Recovery
    The current controlset is ControlSet001
    ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-18] (Microsoft Corporation)
    HKLM\...\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe [65536 2007-04-18] (Hewlett-Packard Company)
    HKLM\...\Run: [KBD] C:\HP\KBD\KbdStub.EXE [65536 2006-12-08] ()
    HKLM\...\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [118784 2007-02-15] (OsdMaestro)
    HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
    HKLM\...\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [x]
    HKLM\...\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe" [54936 2007-04-07] (Sun Microsystems, Inc.)
    HKLM\...\Run: [] [x]
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-01-11] (Adobe Systems Incorporated)
    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13539872 2008-05-22] (NVIDIA Corporation)
    HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2008-05-22] (NVIDIA Corporation)
    HKLM\...\Run: [hpqSRMon] [x]
    HKLM\...\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe [2345592 2012-08-01] (AVG Technologies CZ, s.r.o.)
    HKLM\...\Run: [vProt] "C:\Program Files\AVG SafeGuard toolbar\vprot.exe" [1219248 2013-04-25] ()
    HKLM\...\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe [44168 2007-10-09] (soft thinks)
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [ 2009-08-05] (Hewlett-Packard)
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [ 2009-08-05] (Hewlett-Packard)
    HKU\Eckenrodes\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [ 2008-01-18] (Microsoft Corporation)
    HKU\Eckenrodes\...\Run: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\StartRegistryBooster.exe [x]
    HKU\Eckenrodes\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [ 2009-08-05] (Hewlett-Packard)
    HKU\Eckenrodes\...\Run: [ROC_ROC_APR2013_AV] C:\Users\Eckenrodes\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 24249f456628c7a53a0f935db126f971-6c356f2d5d44e6e8510e23e0447fc50db02a80ae --CMPID ROC_APR2013_AV [x]
    HKU\Eckenrodes\...\Run: [Temp] rundll32 "C:\Users\Eckenrodes\AppData\Local\HP Guide\Temp\gfygsit.dll ",DllRegisterServer [x]
    HKU\Eckenrodes\...\Run: [Microsoft] RUNDLL32.EXE C:\Users\Eckenrodes\AppData\Local\Microsoft\zuslfybq.dll,dsvmojnmnetllhedkw [x]
    HKU\Eckenrodes\...\Winlogon: [Shell] explorer.exe,C:\Users\Eckenrodes\AppData\Roaming\skype.dat <==== ATTENTION
    Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
    Startup: C:\ProgramData\Start Menu\Programs\Startup\Lotus QuickStart.lnk
    ShortcutTarget: Lotus QuickStart.lnk -> C:\lotus\wordpro\ltsstart.exe (Lotus Development Corporation)
    Startup: C:\ProgramData\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
    ShortcutTarget: Snapfish Media Detector.lnk -> C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe ()
    BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /syncC:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart

    ========================== Services (Whitelisted) =================

    S2 AVGIDSAgent; C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [7391072 2012-01-31] (AVG Technologies CZ, s.r.o.)
    S2 avgwd; C:\Program Files\AVG\AVG10\avgwdsvc.exe [269520 2011-02-08] (AVG Technologies CZ, s.r.o.)
    S2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [65536 2007-09-19] (Hewlett-Packard)
    S2 IBUpdaterService; C:\ProgramData\IBUpdaterService\ibsvc.exe [698680 2013-02-11] ()
    S2 LexBceS; C:\Windows\System32\LEXBCES.EXE [307200 2003-08-29] (Lexmark International, Inc.)
    S2 lxbl_device; C:\Windows\system32\lxblcoms.exe [537520 2007-04-20] ( )
    S2 vToolbarUpdater15.0.1; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.0.1\ToolbarUpdater.exe [990896 2013-04-25] ()
    S3 msiserver; %systemroot%\system32\msiexec /V [x]

    ==================== Drivers (Whitelisted) ====================

    S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [134480 2011-05-27] (AVG Technologies CZ, s.r.o. )
    S0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [22992 2011-02-22] (AVG Technologies CZ, s.r.o. )
    S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [24144 2011-02-10] (AVG Technologies CZ, s.r.o. )
    S3 AVGIDSShim; C:\Windows\System32\DRIVERS\AVGIDSShim.Sys [28624 2011-02-10] (AVG Technologies CZ, s.r.o. )
    S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [255968 2012-11-12] (AVG Technologies CZ, s.r.o.)
    S1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [34896 2011-03-01] (AVG Technologies CZ, s.r.o.)
    S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [32592 2011-03-16] (AVG Technologies CZ, s.r.o.)
    S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [297168 2011-04-04] (AVG Technologies CZ, s.r.o.)
    S1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [33624 2013-04-25] (AVG Technologies)
    S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
    S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
    S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
    S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
    S3 SymIM; system32\DRIVERS\SymIM.sys [x]
    S3 SymIMMP; system32\DRIVERS\SymIM.sys [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-05-18 13:16 - 2013-05-18 13:16 - 00000000 ____D C:\FRST
    2013-05-13 16:40 - 2013-05-16 06:54 - 00000004 ____A C:\Users\Eckenrodes\Application Data\skype.ini
    2013-05-13 16:40 - 2013-05-16 06:54 - 00000004 ____A C:\Users\Eckenrodes\AppData\Roaming\skype.ini
    2013-04-25 13:06 - 2013-04-25 13:06 - 00000000 ____D C:\Users\Eckenrodes\Local Settings\AVG SafeGuard toolbar
    2013-04-25 13:06 - 2013-04-25 13:06 - 00000000 ____D C:\Users\Eckenrodes\Local Settings\Application Data\AVG SafeGuard toolbar
    2013-04-25 13:06 - 2013-04-25 13:06 - 00000000 ____D C:\Users\Eckenrodes\AppData\Local\AVG SafeGuard toolbar
    2013-04-25 13:05 - 2013-04-25 13:05 - 00000000 ____D C:\ProgramData\AVG Security Toolbar
    2013-04-25 13:05 - 2013-04-25 13:05 - 00000000 ____D C:\ProgramData\Application Data\AVG Security Toolbar
    2013-04-25 13:04 - 2013-04-25 13:05 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
    2013-04-25 13:04 - 2013-04-25 13:05 - 00000000 ____D C:\ProgramData\Application Data\AVG SafeGuard toolbar
    2013-04-25 13:04 - 2013-04-25 13:02 - 00033624 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
    2013-04-25 13:03 - 2013-04-25 13:04 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
    2013-04-25 13:03 - 2013-04-25 13:03 - 00000000 ____D C:\Program Files\AVG SafeGuard toolbar
    2013-04-23 12:22 - 2013-03-03 11:07 - 01082232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
    2013-04-20 08:43 - 2013-04-20 08:43 - 00447150 ___AT C:\Users\Eckenrodes\Desktop\bob evans

    ==================== One Month Modified Files and Folders ========

    2013-05-18 13:16 - 2013-05-18 13:16 - 00000000 ____D C:\FRST
    2013-05-16 07:10 - 2006-11-02 02:33 - 00703516 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-05-16 06:57 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-05-16 06:57 - 2006-11-02 04:47 - 00337352 ____A C:\Windows\System32\FNTCACHE.DAT
    2013-05-16 06:57 - 2006-11-02 04:47 - 00003696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2013-05-16 06:57 - 2006-11-02 04:47 - 00003696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2013-05-16 06:54 - 2013-05-13 16:40 - 00000004 ____A C:\Users\Eckenrodes\Application Data\skype.ini
    2013-05-16 06:54 - 2013-05-13 16:40 - 00000004 ____A C:\Users\Eckenrodes\AppData\Roaming\skype.ini
    2013-05-16 06:53 - 2007-11-19 21:00 - 00000000 ____D C:\Windows\SMINST
    2013-05-16 06:49 - 2006-11-02 05:01 - 00032538 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2013-05-16 06:48 - 2007-11-30 04:35 - 01777635 ____A C:\Windows\WindowsUpdate.log
    2013-05-16 06:39 - 2010-10-21 11:52 - 00000000 ____D C:\Windows\System32\Drivers\AVG
    2013-05-09 09:44 - 2008-01-25 10:44 - 00002587 ____A C:\Users\Eckenrodes\Desktop\Microsoft Office Word 2007.lnk
    2013-05-08 03:27 - 2011-05-13 17:09 - 00000000 ____D C:\Program Files\WildTangent Games
    2013-05-07 17:21 - 2006-11-02 04:52 - 00052815 ____A C:\Windows\setupact.log
    2013-05-05 16:08 - 2010-10-21 11:52 - 00000000 ____D C:\ProgramData\AVG10
    2013-05-05 16:08 - 2010-10-21 11:52 - 00000000 ____D C:\ProgramData\Application Data\AVG10
    2013-05-05 16:07 - 2008-01-25 09:04 - 00321940 ____A C:\Windows\PFRO.log
    2013-05-05 04:36 - 2008-06-01 14:55 - 00000000 ____D C:\Users\Eckenrodes\Local Settings\HP Guide
    2013-05-05 04:36 - 2008-06-01 14:55 - 00000000 ____D C:\Users\Eckenrodes\Local Settings\Application Data\HP Guide
    2013-05-05 04:36 - 2008-06-01 14:55 - 00000000 ____D C:\Users\Eckenrodes\AppData\Local\HP Guide
    2013-04-25 13:06 - 2013-04-25 13:06 - 00000000 ____D C:\Users\Eckenrodes\Local Settings\AVG SafeGuard toolbar
    2013-04-25 13:06 - 2013-04-25 13:06 - 00000000 ____D C:\Users\Eckenrodes\Local Settings\Application Data\AVG SafeGuard toolbar
    2013-04-25 13:06 - 2013-04-25 13:06 - 00000000 ____D C:\Users\Eckenrodes\AppData\Local\AVG SafeGuard toolbar
    2013-04-25 13:05 - 2013-04-25 13:05 - 00000000 ____D C:\ProgramData\AVG Security Toolbar
    2013-04-25 13:05 - 2013-04-25 13:05 - 00000000 ____D C:\ProgramData\Application Data\AVG Security Toolbar
    2013-04-25 13:05 - 2013-04-25 13:04 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
    2013-04-25 13:05 - 2013-04-25 13:04 - 00000000 ____D C:\ProgramData\Application Data\AVG SafeGuard toolbar
    2013-04-25 13:04 - 2013-04-25 13:03 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
    2013-04-25 13:03 - 2013-04-25 13:03 - 00000000 ____D C:\Program Files\AVG SafeGuard toolbar
    2013-04-25 13:02 - 2013-04-25 13:04 - 00033624 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
    2013-04-20 08:43 - 2013-04-20 08:43 - 00447150 ___AT C:\Users\Eckenrodes\Desktop\bob evans

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-21-2819196422-3095570112-1250074678-1000\$b7fd1a77ae82c209d4d50d15d2eb99bc
    C:\$Recycle.Bin\S-1-5-21-2819196422-3095570112-1250074678-1000\$b7fd1a77ae82c209d4d50d15d2eb99bc\@
    C:\$Recycle.Bin\S-1-5-21-2819196422-3095570112-1250074678-1000\$b7fd1a77ae82c209d4d50d15d2eb99bc\L
    C:\$Recycle.Bin\S-1-5-21-2819196422-3095570112-1250074678-1000\$b7fd1a77ae82c209d4d50d15d2eb99bc\U
    C:\$Recycle.Bin\S-1-5-21-2819196422-3095570112-1250074678-1000\$b7fd1a77ae82c209d4d50d15d2eb99bc\U\00000001.@
    C:\$Recycle.Bin\S-1-5-21-2819196422-3095570112-1250074678-1000\$b7fd1a77ae82c209d4d50d15d2eb99bc\U\80000000.@
    C:\$Recycle.Bin\S-1-5-21-2819196422-3095570112-1250074678-1000\$b7fd1a77ae82c209d4d50d15d2eb99bc\U\800000cb.@

    Other Malware:
    ===========
    C:\Users\Eckenrodes\AppData\Roaming\skype.dat
    C:\Users\Eckenrodes\AppData\Roaming\skype.ini
    C:\Users\Eckenrodes\Application Data\skype.dat
    C:\Users\Eckenrodes\Application Data\skype.ini

    ==================== Known DLLs (Whitelisted) ============


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2013-03-14 06:45:25
    Restore point made on: 2013-03-15 13:41:36
    Restore point made on: 2013-03-18 07:41:31
    Restore point made on: 2013-03-24 13:26:28
    Restore point made on: 2013-03-26 04:10:54
    Restore point made on: 2013-03-28 09:51:11
    Restore point made on: 2013-03-29 11:01:12
    Restore point made on: 2013-03-30 07:06:26
    Restore point made on: 2013-04-02 07:00:18
    Restore point made on: 2013-04-05 11:34:40
    Restore point made on: 2013-04-11 06:15:42
    Restore point made on: 2013-04-12 11:32:04
    Restore point made on: 2013-04-17 12:12:09
    Restore point made on: 2013-04-19 08:03:56
    Restore point made on: 2013-04-20 04:12:14
    Restore point made on: 2013-04-22 12:25:02
    Restore point made on: 2013-04-24 10:00:12
    Restore point made on: 2013-04-25 13:46:32
    Restore point made on: 2013-04-26 04:51:19
    Restore point made on: 2013-04-27 07:22:55
    Restore point made on: 2013-04-28 15:27:13
    Restore point made on: 2013-04-29 05:48:24
    Restore point made on: 2013-05-02 08:09:46
    Restore point made on: 2013-05-03 15:40:09
    Restore point made on: 2013-05-04 19:18:57
    Restore point made on: 2013-05-06 03:38:23
    Restore point made on: 2013-05-06 20:00:29
    Restore point made on: 2013-05-07 10:32:09
    Restore point made on: 2013-05-08 04:44:34
    Restore point made on: 2013-05-09 09:30:53
    Restore point made on: 2013-05-10 05:38:11
    Restore point made on: 2013-05-10 20:04:36
    Restore point made on: 2013-05-11 20:00:30
    Restore point made on: 2013-05-12 20:00:33

    ==================== Memory info ===========================

    Percentage of memory in use: 25%
    Total physical RAM: 1916.56 MB
    Available physical RAM: 1432.46 MB
    Total Pagefile: 1654.93 MB
    Available Pagefile: 1485.59 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1975.51 MB

    ==================== Drives ================================

    Drive c: (HP) (Fixed) (Total:456.28 GB) (Free:350.45 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    Drive d: (FACTORY_IMAGE) (Fixed) (Total:9.48 GB) (Free:1.28 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive f: () (Removable) (Total:3.73 GB) (Free:3.67 GB) FAT32
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 466 GB) (Disk ID: 1549F232)
    Partition 1: (Active) - (Size=456 GB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=9 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (Size: 4 GB) (Disk ID: 00000000)
    Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


    Last Boot: 2013-05-16 07:11

    ==================== End Of Log ============================
     
  7. 2013/05/18
    broni Moderator Malware Analyst

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    See if you can start normally.

    If so...

    Please, complete all steps listed HERE
     


  8. 2013/05/18
    Bucksone Well-Known Member Thread Starter

    I seem to have run into a problem.

    I downloaded the attached fixlist.txt and saved it to the flash drive.

    I plugged it into the sick machine and entered System Recovery Options.

    I clicked Command Prompt.

    I typed f:\FRST and hit enter.

    Farbar Recovery Scan Tool opened.

    I clicked Fix. It said, "no fixlist.txt found. The fixlist.txt should be made and saved in the same directory the tool is located. "

    I shut it down and came home to type this on my computer. I see on the flash drive there is something called 3555d11368900147-active-fbi-greendot-m.. on the drive.

    I await the next suggestion.
     
  9. 2013/05/18
    broni Moderator Malware Analyst

    Do you see fixlist.txt file there?
     
  10. 2013/05/18
    Bucksone Well-Known Member Thread Starter

    The file I mentioned above that starts with the numbers 3555d... is the fixlist.txt file attached in your earlier post. If I right click on it in your post and click Properties, that is what I see.

    I hope this makes sense.
     
  11. 2013/05/18
    broni Moderator Malware Analyst

    I'm not sure how it happened, but rename it to fixlist.txt.
     
  12. 2013/05/18
    Bucksone Well-Known Member Thread Starter

    I've renamed it as directed. I notice that if I right click on the file on the flash drive, it says for type of file that it is a Chrome HTML Document (.htm). It says it opens with Google Chrome. Is that correct?

    Since I've already driven over to my mother-in-law's house twice today, I probably won't get back over there to try any of this until tomorrow.
     
  13. 2013/05/18
    broni Moderator Malware Analyst

    Delete that file.
    Redownload file from my reply #6.
    Put it on the flash drive.
    Make sure FRST and fixlist.txt are located in the USB drive's root directory, not in any subfolder.
    Make sure that the file is named fixlist.txt and that you can open it in Notepad.
    It should look like this:

    HKLM\...\Run: [] [x]
    HKU\Eckenrodes\...\Run: [Temp] rundll32 "C:\Users\Eckenrodes\AppData\Local\HP Guide\Temp\gfygsit.dll ",DllRegisterServer [x]
    C:\Users\Eckenrodes\AppData\Local\HP Guide\Temp\gfygsit.dll
    HKU\Eckenrodes\...\Run: [Microsoft] RUNDLL32.EXE C:\Users\Eckenrodes\AppData\Local\Microsoft\zuslfybq.dll,dsvmojnmnetllhedkw [x]
    C:\Users\Eckenrodes\AppData\Local\Microsoft\zuslfybq.dll
    HKU\Eckenrodes\...\Winlogon: [Shell] explorer.exe,C:\Users\Eckenrodes\AppData\Roaming\skype.dat <==== ATTENTION
    C:\Users\Eckenrodes\AppData\Roaming\skype.dat
    C:\$Recycle.Bin\S-1-5-21-2819196422-3095570112-1250074678-1000\$b7fd1a77ae82c209d4d50d15d2eb99bc
    C:\Users\Eckenrodes\AppData\Roaming\skype.dat
    C:\Users\Eckenrodes\AppData\Roaming\skype.ini
    C:\Users\Eckenrodes\Application Data\skype.dat
    C:\Users\Eckenrodes\Application Data\skype.ini
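
The log in reply #6 and the fixlist above show the analyst's reasoning: Run values that load a DLL or .dat file from the user's profile, a Run value with an empty name, and a Winlogon Shell that is no longer just explorer.exe. This added Python example (the editor's code, not FRST's and not from the thread) applies those three checks to registry lines copied from the posted log and emits fixlist-style lines; the heuristics, the Finding type and the choice of "user-writable" folders are assumptions.

```python
"""Triage FRST 'Registry (Whitelisted)' autostart lines and draft fixlist lines.
Editor's example for this thread, not FRST code: the checks, the Finding type and
the sample input below are assumptions/constructed from the posted log."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: registry lines copied from the FRST log posted in this thread.
SAMPLE_LINES = r"""
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-18] (Microsoft Corporation)
HKLM\...\Run: [] [x]
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13539872 2008-05-22] (NVIDIA Corporation)
HKU\Eckenrodes\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [ 2008-01-18] (Microsoft Corporation)
HKU\Eckenrodes\...\Run: [Temp] rundll32 "C:\Users\Eckenrodes\AppData\Local\HP Guide\Temp\gfygsit.dll ",DllRegisterServer [x]
HKU\Eckenrodes\...\Run: [Microsoft] RUNDLL32.EXE C:\Users\Eckenrodes\AppData\Local\Microsoft\zuslfybq.dll,dsvmojnmnetllhedkw [x]
HKU\Eckenrodes\...\Winlogon: [Shell] explorer.exe,C:\Users\Eckenrodes\AppData\Roaming\skype.dat <==== ATTENTION
"""

# HKLM\...\Run: [Name] command [size date] (Company)  /  HKU\<user>\...\Winlogon: [Shell] ...
ENTRY_RE = re.compile(
    r"^(?P<hive>HK(?:LM|U\\[^\\]+))\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): "
    r"\[(?P<name>[^\]]*)\] (?P<rest>.*)$"
)
# First drive-letter or %VAR%-rooted path with an executable-ish extension.
PATH_RE = re.compile(
    r'(?:[A-Za-z]:|%[^%]+%)\\[^,"]*?\.(?:exe|dll|dat|ini|scr|cmd|bat|vbs|js)\b',
    re.IGNORECASE,
)
# Folders a standard user can write to; vendor autostarts rarely live here (assumption).
USER_WRITABLE = re.compile(
    r"(?:\\|%)(?:AppData|LocalAppData|Application Data|Local Settings|Temp|Tmp|\$Recycle\.Bin)(?:\\|%)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: str                 # the FRST line as logged, reusable verbatim in a fixlist
    target: Optional[str]     # file the entry loads, if one could be extracted
    reasons: List[str] = field(default_factory=list)
    missing: bool = False     # FRST printed [x]: the file was not found on disk


def strip_annotations(rest: str):
    """Drop FRST's trailing '<==== ATTENTION', '(Company)' and '[size date]' / '[x]'
    so only the command remains; also report whether FRST flagged the file missing."""
    rest = rest.replace("<==== ATTENTION", "").strip()
    missing = rest.endswith("[x]")
    rest = re.sub(r"\s*\([^()]*\)$", "", rest)    # (Microsoft Corporation), ()
    rest = re.sub(r"\s*\[[^\[\]]*\]$", "", rest)  # [1008184 2008-01-18] or [x]
    return rest.strip(), missing


def triage(log_text: str) -> List[Finding]:
    """Apply three checks to every Run/RunOnce/Winlogon line and return the hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        key, name = m.group("key"), m.group("name")
        command, missing = strip_annotations(m.group("rest"))
        pm = PATH_RE.search(command)
        target = pm.group(0).strip() if pm else None
        reasons = []
        # Winlogon\Shell should be exactly explorer.exe; anything appended runs at logon.
        if key == "Winlogon" and name == "Shell" and command.lower() != "explorer.exe":
            reasons.append("Winlogon Shell is not exactly explorer.exe")
        # A Run value with no name is a typical leftover of a malware installer.
        if key in ("Run", "RunOnce") and name == "":
            reasons.append("Run value with an empty name")
        # A DLL or .dat under the profile, loaded via rundll32 or the shell, is
        # exactly what the posted log shows; vendors install under Program Files.
        if target and USER_WRITABLE.search(target):
            reasons.append("autostart target lives in a user-writable folder")
        if reasons:
            findings.append(Finding(line, target, reasons, missing))
    return findings


def fixlist_lines(findings: List[Finding]) -> List[str]:
    """Registry line first (FRST deletes the value), then the file it loads so the
    payload itself goes too; each file is listed once."""
    out, seen = [], set()
    for f in findings:
        out.append(f.line)
        if f.target and USER_WRITABLE.search(f.target) and f.target.lower() not in seen:
            seen.add(f.target.lower())
            out.append(f.target)
    return out


if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for f in hits:
        print(f"{'MISSING ' if f.missing else ''}{f.line}\n    -> {'; '.join(f.reasons)}")
    print("\n--- draft fixlist.txt ---")
    print("\n".join(fixlist_lines(hits)))
```

On the sample input the draft reproduces the first seven lines of the fixlist posted above; the $Recycle.Bin and Application Data entries were added by the analyst from the log's ZeroAccess and Other Malware sections, which this example does not parse.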
     
  14. 2013/05/18
    Bucksone Well-Known Member Thread Starter

    I downloaded it again into the flash drive, renamed it fixlist.txt, made it so it would open in Notepad. Below is what it looks like.

accesskey= "s" /></td> </tr> </table> <input type= "hidden" name= "s" value=" " /> <input type= "hidden" name= "securitytoken" value= "guest" /> <input type= "hidden" name= "do" value= "login" /> <input type= "hidden" name= "vb_login_md5password" /> <input type= "hidden" name= "vb_login_md5password_utf" /> </form> </td> <td width= "9" class= "header-table-right "><img src= "http://www.windowsbbs.com/clear.gif" width= "9" height= "1" border= "0" alt=" " /></td> </tr> </table></td> </tr> <tr> <td style= "border: none; padding: 0; "><table border= "0" cellspacing= "0" cellpadding= "0" width= "100% "> <tr> <td width= "9" align= "right" valign= "bottom "><img src= "http://www.windowsbbs.com/images/ca_evo_royalblue/misc/nav_top_left.gif" width= "9" height= "2" border= "0" alt=" " /></td> <td width= "100%" class= "navbar-top-row "><img src= "http://www.windowsbbs.com/clear.gif" width= "1" height= "2" border= "0" alt=" " /></td> <td width= "9" align= "left" valign= "bottom "><img src= "http://www.windowsbbs.com/images/ca_evo_royalblue/misc/nav_top_right.gif" width= "9" height= "2" border= "0" alt=" " /></td> </tr> </table></td> </tr> <tr> <td class= "navbar-row" align= "center "><table cellpadding= "4" cellspacing= "0" border= "0" width= "100%" align= "center" class= "navbar-row-table "> <tr align= "center" class= "vbmenu_dark "> <td width= "9" align= "right" style= "padding: 0; "><img src= "http://www.windowsbbs.com/images/ca_evo_royalblue/misc/nav_left.gif" width= "9" height= "21" border= "0" alt=" " /></td> <td class= "vbmenu_control "><a href= "http://www.windowsbbs.com/register.php" rel= "nofollow ">Register</a></td> <td class= "vbmenu_control "><a rel= "help" href= "http://www.windowsbbs.com/faq.php" accesskey= "5 ">FAQ</a></td><td class= "vbmenu_control "><a rel= "nofollow" href= "http://www.windowsbbs.com/misc.php?do=donate" style= "color:#66ff00 ">Donate</a></td> <td class= "vbmenu_control "><a id= "community" href= 
"http://www.windowsbbs.com/attachments/malware-virus-removal/3555-active-fbi-greendot-moneypak-virus-fixlist.txt?nojs=1#community" rel= "nofollow" accesskey= "6 ">Community</a> <script type= "text/javascript "> vbmenu_register( "community "); </script></td> <td class= "vbmenu_control "><a id= "navbar_search" href= "http://www.windowsbbs.com/search.php" accesskey= "4" rel= "nofollow ">Search</a> </td> <td width= "9" align= "left" style= "padding: 0; "><img src= "http://www.windowsbbs.com/images/ca_evo_royalblue/misc/nav_right.gif" width= "9" height= "21" border= "0" alt=" " /></td> </tr> </table></td> </tr> </table> <div class= "vbmenu_popup" id= "community_menu" style= "display:none;margin-top:3px" align= "left "> <table cellpadding= "4" cellspacing= "1" border= "0 "> <tr><td class= "thead ">Community Links</td></tr> <tr><td class= "vbmenu_option "><a href= "http://www.windowsbbs.com/members/list/ ">Members List</a></td></tr> </table> </div> <div class= "vbmenu_popup" id= "navbar_search_menu" style= "display:none;margin-top:3px" align= "left "> <table cellpadding= "4" cellspacing= "1" border= "0 "> <tr> <td class= "thead ">Search Forums</td> </tr> <tr> <td class= "vbmenu_option" title= "nohilite "> <form action= "http://www.windowsbbs.com/search.php?do=process" method= "post "> <input type= "hidden" name= "do" value= "process" /> <input type= "hidden" name= "quicksearch" value= "1" /> <input type= "hidden" name= "childforums" value= "1" /> <input type= "hidden" name= "exactname" value= "1" /> <input type= "hidden" name= "s" value=" " /> <input type= "hidden" name= "securitytoken" value= "guest" /> <div><input type= "text" class= "bginput" name= "query" size= "25" tabindex= "1001" /><input type= "submit" class= "button" value= "Go" tabindex= "1004" /></div> <div style= "margin-top:4px "> <label for= "rb_nb_sp0 "><input type= "radio" name= "showposts" value= "0" id= "rb_nb_sp0" tabindex= "1002" checked= "checked" />Show Threads</label>
    &nbsp;
    <label for= "rb_nb_sp1 "><input type= "radio" name= "showposts" value= "1" id= "rb_nb_sp1" tabindex= "1003" />Show Posts</label> </div> </form> </td> </tr> <tr> <td class= "vbmenu_option "><a href= "http://www.windowsbbs.com/search.php" accesskey= "4" rel= "nofollow ">Advanced Search</a></td> </tr> </table> </div> <div class= "vbmenu_popup" id= "pagenav_menu" style= "display:none "> <table cellpadding= "4" cellspacing= "1" border= "0 "> <tr> <td class= "thead" nowrap= "nowrap ">Go to Page...</td> </tr> <tr> <td class= "vbmenu_option" title= "nohilite "> <form action= "http://www.windowsbbs.com/" method= "get" onsubmit= "return this.gotopage()" id= "pagenav_form "> <input type= "text" class= "bginput" id= "pagenav_itxt" style= "font-size:11px" size= "4" /> <input type= "button" class= "button" id= "pagenav_ibtn" value= "Go" /> </form> </td> </tr> </table> </div> <table border= "0" width= "100%" cellpadding= "0" cellspacing= "0" align= "center "> <tr> <td class= "content-row" valign= "top "> <div id= "navbar-row "> <div class= "navbar navbar-top "><a href= "http://www.windowsbbs.com/" accesskey= "1 ">Windows BBS</a>
    &raquo; <strong>
    vBulletin Message
    </strong></div> </div> <br class= "spacer8" /> <table class= "tcat-rounded" cellpadding= "0" cellspacing= "0" border= "0" width= "100%" align= "center "> <tr> <td width= "25" class= "tcat-rounded-left "><img src= "http://www.windowsbbs.com/images/ca_evo_royalblue/misc/spacer.gif" width= "25" height= "27" border= "0" alt=" " /></td> <td class= "tcat" width= "100% ">vBulletin Message</td> <td width= "10" class= "tcat-rounded-right "><img src= "http://www.windowsbbs.com/images/ca_evo_royalblue/misc/spacer.gif" width= "10" height= "27" border= "0" alt=" " /></td> </tr> </table> <table class= "tborder" cellpadding= "4" cellspacing= "0" border= "0" width= "100%" align= "center" style= "border-top-width: 0; "> <tr> <td class= "panelsurround" align= "center "> <div class= "panel "> <div align= "left "> <script type= "text/javascript" src= "http://www.windowsbbs.com/clientscript/vbulletin_md5.js?v=387 "></script> <form action= "http://www.windowsbbs.com/login.php?do=login" method= "post" onsubmit= "md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0) "> <input type= "hidden" name= "do" value= "login" /> <input type= "hidden" name= "url" value= "/attachment.php?attachmentid=3555" /> <input type= "hidden" name= "vb_login_md5password" /> <input type= "hidden" name= "vb_login_md5password_utf" /> <input type= "hidden" name= "s" value=" " /> <input type= "hidden" name= "securitytoken" value= "guest" /> <div class= "smallfont ">You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:</div> <ol> <li class= "smallfont ">You are not logged in. Fill in the form at the bottom of this page and try again.</li> <li class= "smallfont ">You may not have sufficient privileges to access this page. 
Are you trying to edit someone else's post, access administrative features or some other privileged system?</li> <li class= "smallfont ">If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.</li> </ol> <fieldset class= "fieldset "> <legend>Log in</legend> <table cellpadding= "0" cellspacing= "3" border= "0" align= "center "> <tr> <td>User Name:<br /><input type= "text" class= "bginput" name= "vb_login_username" size= "50" accesskey= "u" tabindex= "1" /></td> </tr> <tr> <td>Password:<br /><input type= "password" class= "bginput" name= "vb_login_password" size= "50" tabindex= "1" /></td> </tr> <tr> <td> <span style= "float:right "><a rel= "nofollow" href= "http://www.windowsbbs.com/login.php?do=lostpw ">Forgotten Your Password?</a></span> <label for= "cb_cookieuser "><input type= "checkbox" name= "cookieuser" value= "1" id= "cb_cookieuser" tabindex= "1" />Remember Me?</label> </td> </tr> <tr> <td align= "right "> <input type= "submit" class= "button" value= "Log in" accesskey= "s" tabindex= "1" /> <input type= "reset" class= "button" value= "Reset Fields" accesskey= "r" tabindex= "1" /> </td> </tr> </table> </fieldset> <div class= "smallfont ">The administrator may have required you to <a href= "http://www.windowsbbs.com/register.php?do=signup" rel= "nofollow ">register</a> before you can view this page.</div> </form> </div> </div> </td> </tr> </table> <br /> <table cellpadding= "0" cellspacing= "0" border= "0" align= "center "> <tr> <td></td> </tr> </table> <br /> <div class= "smallfont" align= "center "> <a href= "https://www.facebook.com/WindowsBBS" target= "_blank "><img src= "http://www.windowsbbs.com/images/misc/find-us-on-fb.jpg" width= "128" height= "39" alt= "Find us on Facebook" /></a> &nbsp; <a href= "http://www.mywot.com/scorecard/windowsbbs.com" title= "WOT Community Badge for windowsbbs.com" target= "_blank "><img src= "http://ctn.mywot.com/b/windowsbbs.com" alt= "Web Of Trust Rating" /></a> <br 
/><br />
    All times are GMT. The time now is <span class= "time ">03:29</span>.</div> <br /> </td> </tr> </table> <br /><br /> <form action= "http://www.windowsbbs.com/" method= "get" style= "clear:left "> <table cellpadding= "4" cellspacing= "0" border= "0" width= "100%" class= "page" align= "center "> <tr> <td class= "footer-row "><table cellpadding= "4" cellspacing= "0" border= "0" width= "100%" class= "page" align= "center "> <tr> <td class= "tfoot" style= "border-right-width: 0; "> <select name= "styleid" onchange= "switch_id(this, 'style') "> <optgroup label= "Quick Style Chooser "> <option value= "24" class=" " selected= "selected ">-- Default</option> <option value= "23" class=" " >-- Mobile</option> </optgroup> </select> </td> <td class= "tfoot" align= "right" width= "100%" style= "border-left-width: 0; "> <div class= "smallfont "> <strong> <a href= "/Advertising/" rel= "nofollow ">Advertise</a> -
    <a href= "http://www.windowsbbs.com/sendmessage.php" rel= "nofollow" accesskey= "9 ">Contact Us</a> -
    <a href= "http://www.windowsbbs.com ">Windows BBS</a> -




    <a href= "http://www.windowsbbs.com/tos.php ">Privacy Statement</a> -

    <a href= "http://www.windowsbbs.com/attachments/malware-virus-removal/3555d1368900147-active-fbi-greendot-moneypak-virus-fixlist.txt#top" onclick= "self.scrollTo(0, 0); return false; ">Top</a> </strong> </div> </td> </tr> </table></td> </tr> </table> </form> <br /> <div align= "center "> <div class= "smallfont" align= "center ">
    Powered by vBulletin&reg; Copyright &copy;2000 - 2013, Jelsoft Enterprises Ltd.
    </div> <div class= "smallfont" align= "center ">

    Copyright © 2002 - 2013 WindowsBBS.com. All rights reserved.<br />FDMA Media LLC <a href= "/secretstuff/secret.php "></a><br /><a href= "http://www.windowsbbs.com/tos.php" target= "_blank "><strong>Terms of Use, Legal Information &amp; Privacy Policy</strong></a> </div> </div> <script type= "text/javascript "> <!--
    // Main vBulletin Javascript Initialization
    vBulletin_init();
    //--> </script> <div id= "fb-root "></div> <script type= "text/javascript ">(function(d, s, id) {
    var js, fjs = d.getElementsByTagName(s)[0];
    if (d.getElementById(id)) return;
    js = d.createElement(s); js.id = id;
    js.src = "//connect.facebook.net/en_US/all.js#xfbml=1&amp;appId=345105195531620 ";
    fjs.parentNode.insertBefore(js, fjs);
    }(document, 'script', 'facebook-jssdk'));</script> <center><span class= "smallfont ">Page generated in <b>0.02200</b> seconds with <b>7</b> queries</span></center></body> </html>

    Is this correct, or did I do something wrong?
     
  15. 2013/05/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No.
    I posted exactly what the inside of that file looks like.
    I'm not sure what you're doing.
    When you download my file to your healthy computer, does it change its name so you have to rename it, or what's going on?
     
  16. 2013/05/19
    Bucksone

    Bucksone Well-Known Member Thread Starter

    Joined:
    2003/07/28
    Messages:
    507
    Likes Received:
    2
    I didn't think that was right as it obviously looks different from what you posted. Here is what I did.

    Right click on fixlist.txt in your post

    I click on Save Target As

    The Save As box opens; the path is Computer/Removable Disk (J), the file name is 3555d1368900147-active-fbi-greendot-moneypak-virus-fixlist, and Save as type is HTM file (the only other choice is All Files).

    After saving it, if I go to the flash drive and right click and open it, it opens in Notepad as what I posted above.

    Not sure what is going on. I tried it again this morning with the same result.
     
  17. 2013/05/19
    Bucksone

    Bucksone Well-Known Member Thread Starter

    Joined:
    2003/07/28
    Messages:
    507
    Likes Received:
    2
    Ok, new development. I'd been doing all of this in Internet Explorer, which is what I usually use. I just tried to download the file using Google Chrome and it seems to have worked correctly. I will go to my mother-in-law's this afternoon and see what I can do.
     
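What went wrong in the two posts above is that the attachment link, opened as a guest via "Save Target As", returned the forum's "you are not logged in" HTML page, which was then saved under the fixlist's name. The following is an added example, not code from the thread or from FRST: a small content sniff that tells a plain-text fixlist from a saved login page before the file is carried to the infected machine. Both sample inputs are constructed stand-ins (the fixlist entries are placeholders, not the thread's own list).

```python
"""Tell a real fixlist.txt from the forum login page that 'Save Target As' stored instead.

Added example, not from the thread or from FRST; both sample inputs below are
constructed to mirror the two outcomes described in the posts above.
"""

HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<form", b"<script")

# Constructed stand-in for what the attachment link returned to a guest session.
CONSTRUCTED_LOGIN_PAGE = (
    b"<html><head><title>vBulletin Message</title></head><body>\n"
    b'<form action="http://www.windowsbbs.com/login.php?do=login" method="post">\n'
    b"You are not logged in or you do not have permission to access this page.\n"
    b"</form></body></html>\n"
)

# Constructed stand-in for a plain-text fixlist (placeholder entries, not the thread's).
CONSTRUCTED_FIXLIST = (
    b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\\r\n"
    b"C:\\Users\\EXAMPLE\\AppData\\Roaming\\skype.dat\r\n"
)


def looks_like_html(data: bytes) -> bool:
    """Cheap content sniff: look for tag markers in the first 2 KiB, case-insensitively."""
    head = data.lstrip()[:2048].lower()
    return any(marker in head for marker in HTML_MARKERS)


def is_login_page(data: bytes) -> bool:
    """HTML that carries a vBulletin login form, i.e. the forum answered with its
    'not logged in' page instead of the attachment."""
    body = data.lower()
    return looks_like_html(data) and (b"login.php" in body or b"you are not logged in" in body)


def classify_download(data: bytes) -> str:
    """Return one of 'login-page', 'html', 'binary' or 'text' for the saved bytes."""
    if is_login_page(data):
        return "login-page"
    if looks_like_html(data):
        return "html"
    if b"\x00" in data[:4096]:        # NUL bytes: not a text fixlist at all
        return "binary"
    return "text"


def check_file(path: str) -> str:
    """Classify a file on disk, e.g. the copy sitting on the flash drive."""
    with open(path, "rb") as fh:
        return classify_download(fh.read())


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, check_file(p))
```

Run it against the copy on the flash drive (`python sniff.py J:\fixlist.txt`); anything other than `text` means the download should be repeated while logged in, or with a left click on the link as broni says below, rather than renaming what was saved.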
  18. 2013/05/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No, left click on it and save.
     
  19. 2013/05/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I didn't see your last reply so I'm glad to see you fixed it.
     
  20. 2013/05/19
    Bucksone

    Bucksone Well-Known Member Thread Starter

    Joined:
    2003/07/28
    Messages:
    507
    Likes Received:
    2
    I'm still working on this, but I wanted to post an update.

    I was able to run the fixlist. I will post the log below.

    I confirmed that the Windows firewall was turned on.

    I updated and ran her antivirus program, AVG. It found one threat and moved it to the virus vault. The object name was C:\Users\Eckenrodes\AppData\Local\Temp\trwiwfk. The detection name was Trojan horse Generic33.JNY.

    I've run into a problem downloading Malwarebytes. The link takes me to the Malwarebytes page, and I click on Download Now on the free version. At first a page popped up wanting me to update Flash; I clicked out of it, as the instructions here say to not make any other changes to the computer except to follow the instructions here. Now when I click on Download Now I get "Internet Explorer cannot display the webpage."

    My plan is to skip this step while awaiting further instructions and move on to step 2, downloading DDS.

    Also, while I think about it, step 3 says to provide logs from Malwarebytes, MBRCheck, and DDS (2 logs). What is MBRCheck?

    Here is the fixlog.txt.

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-05-2013
    Ran by SYSTEM at 2013-05-19 13:59:37 Run:1
    Running from F:\
    Boot Mode: Recovery

    ==============================================

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
    HKEY_USERS\Eckenrodes\Software\Microsoft\Windows\CurrentVersion\Run\\Temp => Value deleted successfully.
    C:\Users\Eckenrodes\AppData\Local\HP Guide\Temp\gfygsit.dll => Moved successfully.
    HKEY_USERS\Eckenrodes\Software\Microsoft\Windows\CurrentVersion\Run\\Microsoft => Value deleted successfully.
    C:\Users\Eckenrodes\AppData\Local\Microsoft\zuslfybq.dll => Moved successfully.
    HKEY_USERS\Eckenrodes\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
    C:\Users\Eckenrodes\AppData\Roaming\skype.dat => Moved successfully.
    C:\$Recycle.Bin\S-1-5-21-2819196422-3095570112-1250074678-1000\$b7fd1a77ae82c209d4d50d15d2eb99bc => Moved successfully.
    C:\Users\Eckenrodes\AppData\Roaming\skype.dat => File/Directory not found.
    C:\Users\Eckenrodes\AppData\Roaming\skype.ini => Moved successfully.
    C:\Users\Eckenrodes\Application Data\skype.dat => File/Directory not found.
    C:\Users\Eckenrodes\Application Data\skype.ini => File/Directory not found.

    ==== End of Fixlog ====
     
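The fixlog above is a flat list of `target => result` lines, and the targets are worth reading rather than skimming: the per-user `Winlogon\\Shell` value and the `Run` values are autostart locations, and a `Shell` value set under a user's own hive replaces explorer.exe as that user's desktop shell, which is how a full-screen lock page can own the session from logon. The following is an added example, not part of the thread or of FRST, that parses this log format into records, splits FRST's `Key\\ValueName` notation, and summarises what was actually removed versus what was already gone. The log text is the one posted above, embedded as a string.

```python
"""Parse an FRST fixlog into records and summarise it.

Added example, not from the thread or from Farbar's tool. The log text is the
one posted above; the 'Key\\ValueName' split follows how FRST writes registry
values in that log (double backslash before the value name).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

FIXLOG = r"""
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-05-2013
Ran by SYSTEM at 2013-05-19 13:59:37 Run:1
Running from F:\
Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKEY_USERS\Eckenrodes\Software\Microsoft\Windows\CurrentVersion\Run\\Temp => Value deleted successfully.
C:\Users\Eckenrodes\AppData\Local\HP Guide\Temp\gfygsit.dll => Moved successfully.
HKEY_USERS\Eckenrodes\Software\Microsoft\Windows\CurrentVersion\Run\\Microsoft => Value deleted successfully.
C:\Users\Eckenrodes\AppData\Local\Microsoft\zuslfybq.dll => Moved successfully.
HKEY_USERS\Eckenrodes\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Users\Eckenrodes\AppData\Roaming\skype.dat => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-2819196422-3095570112-1250074678-1000\$b7fd1a77ae82c209d4d50d15d2eb99bc => Moved successfully.
C:\Users\Eckenrodes\AppData\Roaming\skype.dat => File/Directory not found.
C:\Users\Eckenrodes\AppData\Roaming\skype.ini => Moved successfully.
C:\Users\Eckenrodes\Application Data\skype.dat => File/Directory not found.
C:\Users\Eckenrodes\Application Data\skype.ini => File/Directory not found.

==== End of Fixlog ====
"""

# One action line: "<target> => <result>." with an optional trailing full stop.
ENTRY_RE = re.compile(r"^(?P<target>.+?) => (?P<result>.+?)\.?$")


@dataclass
class FixEntry:
    target: str
    result: str
    kind: str                      # "registry" or "file"
    value_name: Optional[str]      # registry only; "" means the default value


def parse_fixlog(text: str) -> List[FixEntry]:
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                                   # header, separators, footer
        target, result = m.group("target"), m.group("result")
        if target.upper().startswith(("HKLM", "HKCU", "HKEY_")):
            # FRST separates key path and value name with a double backslash.
            key, value_name = target.rsplit("\\\\", 1) if "\\\\" in target else (target, None)
            entries.append(FixEntry(target, result, "registry", value_name))
        else:
            entries.append(FixEntry(target, result, "file", None))
    return entries


def summarize(entries: List[FixEntry]) -> dict:
    """Count outcomes, so 'not found' lines are not mistaken for removals."""
    return dict(Counter(e.result for e in entries))


def autostart_entries(entries: List[FixEntry]) -> List[FixEntry]:
    """Registry entries in the two autostart locations this log touches:
    CurrentVersion\\Run values and the Winlogon Shell value."""
    hits = []
    for e in entries:
        if e.kind != "registry":
            continue
        key = e.target.upper()
        if "\\CURRENTVERSION\\RUN\\" in key or ("\\WINLOGON\\" in key and e.value_name == "Shell"):
            hits.append(e)
    return hits


def removed_files(entries: List[FixEntry]) -> List[str]:
    return [e.target for e in entries if e.kind == "file" and e.result == "Moved successfully"]


if __name__ == "__main__":
    found = parse_fixlog(FIXLOG)
    print(summarize(found))
    for e in autostart_entries(found):
        print("autostart:", e.target)
    for path in removed_files(found):
        print("quarantined:", path)
```

The two `skype.dat` lines illustrate why the counts matter: the file was moved on its first appearance, so the second line is a harmless "not found", not a failure. The quarantined DLLs sit under the user's `AppData\Local`, a location any standard user can write to, which is consistent with the Run values that pointed at them living in the user's hive rather than in HKLM.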
  21. 2013/05/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
