fgr.exe - disables all programmes including avast

Hi,

I’m sorry but I only have limited info on this. Last night Windows security centre popped up when I was browsing online saying firewall not on, then a fake (I assume) malware alert appeared…Avast definitions are up to date but hadn’t flagged anything up. So I shut down and ran a boot scan overnight, but when I checked it in the morning the pop up was there again but now I can’t run any programmes to fix it, including avast, hijackthis and firefox…

I know this is vague but I don’t know what else to do if I can’t even run any programmes, even in safe mode, can’t even access system restore.

ANY help you can give would be really appreciated, I just need to know where to start!

Thanks

Ollie

The fgrd.exe is a FGR NT Service Daemon.

This file is part of Fiberlink Global Remote. Fgrd.exe is developed by Fiberlink Communications Corporation. It’s a hidden file. Fgrd.exe is usually located in the %PROGRAM_FILES% sub-folder and its usual size is 57,344 bytes.

Company Name: Fiberlink Communications Corporation
Legal Copyright: Copyright © 2000-2003 Fiberlink

Process
ProcessName: Fgrd.exe
Internal Name: Fgrd
File Description: FGR NT Service Daemon
Comments:
Original File Name: fgrd.ex

File versions

| File Version | File Size | File Checksum | Language | Spyware/Malware prob | Query Count |
|---|---|---|---|---|---|
| 3, 3, 0, 6 | 57344 | 00000000 | English - United States | 0 | 2 |
| 3, 4, 1, 0 | 57344 | 00000000 | English - United States | 0 | 3 |
| 3, 5, 0, 2 | 69632 | 00000000 | English - United States | 0 | 2 |
| 3, 5, 2, 0 | 57344 | 00000000 | English - United States | 0 | |

Recommendation
The fgrd.exe process is safe, and you can safely disable it. It could have been the cause of your FW alert there.

polonus

Thanks but I think it’s fgr.exe not fgrd.exe - when what looks like a fake virus scan/windows security scan comes up it was initially the only process running… If I end process/application it disappears briefly but I still can’t run any programmes and before too long it reappears…

Also, when I try to end other processes in task manager it won’t let me and says it is an essential process?

I’m just unsure how to proceed when I can’t even access programmes on it to run a fix?

Thanks

Hi there, I have two programmes to use - the first will kill the process, but not remove it unless I confirm it is malware. If you reboot your computer you will need to re-run to stop the process again. The second will be an analysis programme - with this I will be able to see if a straightforward kill will work or whether I will need to remove other elements at the same time.

Download RogueKiller to your desktop

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 1 and validate
[*]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Download OTS to your Desktop and double-click on it to run it

[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.

OK, then it is malware and could be found up somewhere like in this example:
C:\Documents and Settings\Default User.CPQ21785316179\fgr.exe
See: http://www.prevx.com/filenames/2060014233689444237-X1/FGR.EXE.html
That you cannot stop the process could mean it is locked as it starts up,
essexboy has a cure for that too,

Follow essexboy’s malware cleansing instructions,

polonus

I can’t access the internet on the infected PC so I downloaded Rogue Killer to a USB stick and transferred it to desktop in safe mode. But when I try to run it it says it can’t run RogueKiller.exe in safe mode.

When I try to boot normally fgr.exe appears over and over again in task manager before the whole thing becomes unusable.

Will renaming it winlogon work in safe mode?

Thanks guys, managed to run both in the end. Attached are the logs.

As soon as I closed roguekiller the pop ups arrived again so I had to re-run it…Am I safer to keep my computer on now the process has been stopped for now?

(Sorry for the obvious questions)

Can anyone please advise on what to do next from the logs attached in the above post? ^^^

Thanks

Ollie

Hi masono,

You have 20 postings, you now can PM essexboy himself with the link to this thread and ask him to have a look at the attached logs for you, and to give you further advice what to do next,

polonus

OK I be here - somehow no notification for this –

OK this is one sneaky boy as I cannot see the launch point.

We will now let rogue killer remove the bad bit

Quit all running programs and run RogueKiller once again.

[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 2 and validate
[*]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  08a4u2o670p0ms3ur18g20l873t74n -> C:\Documents and Settings\All Users\Application Data\08a4u2o670p0ms3ur18g20l873t74n
[Files - No Company Name]
NY ->  Remote Assistance.lnk -> C:\Documents and Settings\Administrator.OLIMA\Start Menu\Programs\Remote Assistance.lnk
NY ->  08a4u2o670p0ms3ur18g20l873t74n -> C:\Documents and Settings\All Users\Application Data\08a4u2o670p0ms3ur18g20l873t74n
[File - Lop Check]
NY ->  ~0 -> C:\Documents and Settings\All Users\Application Data\~0
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

FINALLY

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

OK, attached are the logs you asked for.

I don’t know if it’s relevant but so you know…I wasn’t able to run any application by double clicking (windows asks me to choose a programme to run any .exe) so had to run as administrator.

Also, when I ran OTS this time it asked me to re-start afterwards…which I did. When I turned it back on I had to run rogue killer again to allow me to get any functionality (this log is also attached - RKreport[4].txt), then opened OTS and when I did the notepad appeared.

Finally, having run Combofix it is now showing me logged in as Administrator, apparently with none of my folders or program icons there… Hope this is normal!

Thanks again for your help, awaiting your instructions…

OK rogue killer on the run with option 2 should have removed the malware from Firefox.

Combofix took out one further bad boy

If my understanding is right you are no longer able to view any folders as they are not visible?

If this is the case then re-run rogue killer and select Option 6 this should remove the registry hide marker on your folders

Once done can you let me know what problems remain

No when combofix finished I was logged on as administrator with a clean desktop etc…after I restarted my computer I was logged back on under my username and all icons are there…however… I still can’t open any programmes by double clicking them or right clicking and selecting open…it just asks me to choose a programme to open the programme with! It works if I right click > run as administrator.

Any ideas?

Yep could you re-run OTS please

And select all users along with the following tick boxes

Under additional scans select the following
Reg - ActiveX StubPath
Reg - Approved Shell Extensions
Reg - Desktop Components
Reg - Ext
Reg - File Associations
Reg - IE Explorer Bars
Reg - NetSvcs
Reg - Session Manager Settings
Reg - Shell Spawning

I selected everything you said and clicked run scan…was that correct? Seems to be stuck on “Scanning CD-ROM drives”?

*sorry “Scanning CDROM settings” that should be - it’s just sat there…shall I exit and re-run it?

*sorry “Scanning CDROM settings” that should be. Shall I exit and re-run it?

Intriguing - OT did fix that so that if it scanned one area for too long it jumped to the next sector

Let’s try the otl version instead to see if that works - I feel I know where the problem is I just want to confirm it first

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

OK just checked OTS again and it says scan complete…but no note pad has been created. Will run OTL now anyway.

OK OTL did pretty much the same thing…got stuck for a long time on one section and then eventually said Scan Complete - but no log has been created as far as I can see…

Don’t know if it’s relevant but it seems to be running slow, even copying OTL from a memory stick to my desktop slowed everything up… since I’ve had the virus it’s done the same thing, where suddenly the computer looks like it’s going to shut down and everything disappears, then reappears some time later and copies the file… I’ve left OTL open in case it is just incredibly slow…

Any ideas?