FBI Ransomware

Hello,

I am running Windows 7 Professional on my laptop, and my laptop has gotten infected. The symptoms appear almost the same as http://forum.avast.com/index.php?topic=100171.msg800022#msg800022. Unless I log on in safe mode, I cannot use my laptop.

To fix this, I followed instructions on the web to remove this virus, but nothing worked (e.g., the YouTube video introduced in http://forum.avast.com/index.php?topic=100171.msg824103#msg824103, and the instructions on http://www.fixpcyourself.com/how-to-unlock-computer-from-fbi-moneypak-virus/).

What I tried includes:

  • rkill.exe
  • Malwarebytes’ Anti-Malware - full scan in safe mode
  • CCleaner

Because I cannot fix it on my own, I need your help! I followed the directions on http://forum.avast.com/index.php?topic=53253.0. Please see attached for the log files.

Thank you so much in advance for your help.

Here are files from OTL.

On completion of the OTL run, could you log into normal Windows to run RogueKiller?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O2:64bit: - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O4 - HKU\S-1-5-21-1600153690-1634306226-2364451382-1001..\Run: [xmlfilter] C:\Users\Joon\AppData\Local\Microsoft\Windows\2503\xmlfilter.exe ()
O4 - Startup: C:\Users\Joon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KeyboardLocker.exe - Shortcut.lnk = C:\Users\Joon\Desktop\Keyboard Locker\Keyboard Locker\KeyboardLocker.exe ()
[2012/08/31 02:26:06 | 000,000,000 | ---D | C] -- C:\Users\Joon\Desktop\[±Ù·ÎÀÚÁ÷¹«´É·ÂÇâ»óÁö¿ø±ÝÈÆ·Ã]°ü·Ã ¼­½Ä ¹× ±ÔÁ¤
@Alternate Data Stream - 1106 bytes -> C:\Users\Joon\AppData\Local\wnnmKloN:x1ZmL3AxwXbT62pO3J

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

  • Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled.

  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished …
  • Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

  • The report has been created on the desktop.

  • Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Malwarebytes' Anti-Malware - full scan in safe mode
Just so you know, Malwarebytes is designed to work best in normal mode ;)

Thank you, essexboy!

Please see attached for the log files that you requested. FYI, RogueKiller found ZeroAccess. I was afraid to turn on wifi after finding it. I will work on the solutions in safe mode and will keep you updated.

To Pondus:
I ran it in normal mode too, yesterday. However, I got the FBI warning again after running it. At that time, I somehow managed to shut the warning sign down before running Malwarebytes. I did not use CCleaner right after running it, though.

A page related to ZeroAccess is written in French, and the YouTube video was developed in French. See http://tigzyrk.blogspot.com/2011/09/rootkit-zeroaccess-max.html

Any suggestions?

Thanks.

How is the computer? Can you access all your files now? ZeroAccess is now dead.

Everything looks fine now except for the fact that I cannot connect to the Internet. The FBI warning screen is gone. I hope it won’t come back after connecting to the Internet.

It says “Wireless Network Connection” does not have a valid IP configuration. Is this familiar to you? I hope that this is not something related to a virus.

Anyway, thank you so much. You are a lifesaver.

One more network issue was detected. It says, “windows could not automatically detect this network’s proxy settings”. Any clue?

Yep, let's reset the net connections.

Download Complete Internet Repair to your desktop

Unzip all the files to their own folder on the desktop
Within the folder double click CIntRep
The programme will then run
Select the items I have highlighted
Press go
Let me know if it is able to conduct the repair, there is a log at the bottom

https://dl.dropbox.com/u/73555776/Int%20repair.JPG

Thank you. But I still have the same problem. I still have the two issues mentioned above. Attached is the log file.

OK, let's work through the necessary elements:

Please check that the Proxy Server option is not selected:

Check Internet Options (from Control Panel or Internet Explorer Tools / Options /Connections Tab / LAN Settings) and make sure Proxy Server is unchecked.

Then reset IE by going to the Advanced tab in Internet Options and selecting Reset.

If that still fails, then use OTL:

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32] 
""="%systemroot%\system32\wbem\wbemess.dll" 
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] 

:Files
netsh winsock reset
ipconfig /release
ipconfig /renew
ipconfig /all

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thank you.

I am running a quick scan now after doing “run fix.” I think that some custom commands did not work. Please see the log file.

I will post a quick scan results shortly after it completes.

Here’s the quick scan log file. I still do not have internet access. Also, I did check the internet settings, and they were fine.

Thanks!

OK, that is my stupid fault :-[ I missed one letter.

netsh winsock reset /c
ipconfig /release /c
ipconfig /renew /c
ipconfig /all /c

Could you re-run an OTL fix with the above script?

Thank you. Attached are the logs: 1) log after a fix using your :Files command, 2) log after a quick scan. Internet is still not working. Last night, I downloaded and executed a program from Microsoft that was intended to resolve the network error, but it did not work.

I am awaiting your response. At the same time, I am seriously thinking about reinstalling the OS.

At the same time, I am seriously thinking about reinstalling the OS.
Don't give up before essexboy does ;)

Thanks, Pondus. That gives me hope. :)

< netsh winsock reset /c > Access is denied.
This is the problem: the registry key has had its permissions changed.

Download Windows Repair (all in one) from this site

Install the programme, then run it

https://dl.dropbox.com/u/73555776/waio%20start.JPG

Go to step 3 and allow it to run SFC

https://dl.dropbox.com/u/73555776/waio%20step3.JPG

On the Start Repairs tab, click Start

https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG

Select the following items and tick restart system when finished

https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG
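As an added read-only check (not from this thread or from any of the tools it uses), the PowerShell below audits the three things essexboy works through by hand: the per-user proxy setting from the LAN Settings dialog, autostart entries that launch from the user profile like the xmlfilter.exe Run entry in the first OTL fix, and Deny entries on the Winsock catalog key, which is my assumed location for the permission change behind the "Access is denied" result of netsh winsock reset. The registry paths are standard Windows locations, not values taken from this system; run it from an elevated prompt.

```powershell
# Added example; not part of the original thread. Read-only audit for Windows 7+ (PS 2.0 compatible).

# 1. Per-user WinINet proxy settings ("could not automatically detect this network's proxy settings")
function Get-ProxyState {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProxyEnable   = [int]$p.ProxyEnable      # 1 = "Use a proxy server" is ticked in LAN Settings
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL         # a PAC URL can reroute traffic without ProxyEnable
    }
}

# 2. Run-key and Startup-folder entries that execute out of the profile (AppData, ProgramData, Temp),
#    the same pattern as the xmlfilter.exe entry removed in the first OTL fix
function Get-SuspiciousAutostarts {
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($rk in $runKeys) {
        $vals = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
        if (-not $vals) { continue }
        foreach ($prop in $vals.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }          # skip PSPath, PSProvider, etc.
            if ("$($prop.Value)" -match '\\AppData\\(Local|Roaming)\\|\\ProgramData\\|\\Temp\\') {
                New-Object PSObject -Property @{ Key = $rk; Name = $prop.Name; Command = $prop.Value }
            }
        }
    }
    $startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
    Get-ChildItem -Path $startup -ErrorAction SilentlyContinue | ForEach-Object {
        New-Object PSObject -Property @{ Key = 'StartupFolder'; Name = $_.Name; Command = $_.FullName }
    }
}

# 3. Deny ACEs on the Winsock catalog key (assumed location of the changed permissions).
#    A Deny entry here blocks "netsh winsock reset" even from an administrator prompt.
function Get-WinsockKeyDenies {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
    $acl = Get-Acl -Path $key -ErrorAction SilentlyContinue
    if (-not $acl) { return 'Cannot read ACL: key missing or access denied (itself a finding)' }
    $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

Get-ProxyState
Get-SuspiciousAutostarts
Get-WinsockKeyDenies
```

An empty result from the third function means the Deny is somewhere else (or inherited from a parent key); compare the ACL against a clean Windows 7 machine before changing anything.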

It did not work… I ran OTL fix to see how it responds to “netsh winsock reset /c” and I got the following error message in the log.

“Error: Unable to interpret <netsh winsock reset /c> in the current context!”

Awaiting your response.