While using Internet Explorer a message popped up with the appearance of an FBI website stating that I had engaged in various types of illegal activity and that I would have to pay a fine. The screen then turned white. I have tried to reboot in Safe Mode but the screen flashes from white to black and ends with a black Safe Mode screen but no icons are present. I had just run Malwarebytes in the last two days. Can you help?
Malware removers are notified… should be here soon.
What operating system do you have? i.e. XP/Vista/7/8. Also, is it 32- or 64-bit?
The system is running Vista…I believe 32-bit.
Download the following three programmes to your desktop:
Extract wintoboot to your desktop
Insert a USB drive of at least 1GB
Run Wintoboot
http://dl.dropbox.com/u/73555776/wintoboot.JPG
Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It
You will see it progressing
http://dl.dropbox.com/u/73555776/usb%20progress.JPG
It will let you know when it is done
Then copy FRST to the same USB
http://dl.dropbox.com/u/73555776/frstwintoboot.JPG
Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions Here
When you reboot you will see this.
Click repair my computer
http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg
Select your operating system
http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg
Select Command prompt
http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg
At the command prompt type the following:
notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
https://dl.dropbox.com/u/73555776/FRST%20Start%20scan.gif
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Ok…I made the USB files and booted it up in the infected system. I got to “Select your operating system”. It comes up with Microsoft Windows Vista, on location (D:) Local Disk.
I have 2 hard drives in this system. My MAIN drive is (C:) and it is NOT listed…only my backup (D:) is listed. Not sure if I should proceed??
Select the option listed and let me know the result
Selected local drive (D:) and then selected command prompt (C:). Took me to X:\sources>. Should I proceed from there and type in notepad?
Yes, X:\sources is the recovery console.
OK…frst.txt attached.
Download the attached fixlist.txt to the same usb as FRST
Run FRST as previously
This time press FIX
Once the fix has completed there will be a log on the USB
Now reboot to normal windows
Run RogueKiller
fixlog.txt attached
Ran RogueKiller. RKreport attached. RogueKiller says 4 problems found… should I hit delete? Also, for some reason my “infected” system will not recognize my USB anymore.
OK, we will now run the full RogueKiller scan and follow that with an OTL to see what remains. We will check out the USB later.
- Download RogueKiller and save it on your desktop.
NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled.
- Quit all programs.
- Start RogueKiller.exe.
- Wait until Prescan has finished…
- Click on Scan.
https://dl.dropbox.com/u/73555776/RKScan.GIF
- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.
https://dl.dropbox.com/u/73555776/RKDelete.GIF
- The report has been created on the desktop.
- Next click on the ShortcutsFix.
https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF
- The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
THEN
Download OTL to your Desktop
Secondary link
- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif
- Select All Users.
- Under the Custom Scan box paste this in:
netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs.
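The /md5start … /md5stop block in the custom scan above makes OTL hash the logon-chain binaries (explorer.exe, winlogon.exe, Userinit.exe, svchost.exe) so that a replaced file stands out against a known-good hash. The script below is an added example, not part of this thread and not code from OTL or any other tool named here: it records a baseline of those file hashes while a machine is clean and later reports which files are modified or missing. It uses SHA-256 rather than OTL's MD5, and the directory, file contents and "infection" in demo() are constructed for the demonstration.

```python
"""Baseline hash check for the Windows logon-chain binaries (added example)."""
import hashlib
import tempfile
from pathlib import Path

# The files the OTL custom scan in the thread hashes; the paths used below are constructed.
CRITICAL_FILES = ["explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe"]


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Return the hex digest of a file, streamed in chunks so large binaries are fine."""
    digest = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(system_dir: Path, names=CRITICAL_FILES) -> dict:
    """Record name -> hash while the system is known to be clean."""
    return {name: hash_file(system_dir / name) for name in names}


def check_against_baseline(system_dir: Path, baseline: dict) -> dict:
    """Compare the current files with the baseline.

    Returns name -> 'ok' | 'MODIFIED' | 'MISSING'. A MODIFIED userinit.exe or
    winlogon.exe is the kind of finding a screen-locker that hijacks the logon
    chain would leave behind, which is why OTL hashes exactly these files.
    """
    results = {}
    for name, expected in baseline.items():
        target = system_dir / name
        if not target.exists():
            results[name] = "MISSING"
        elif hash_file(target) != expected:
            results[name] = "MODIFIED"
        else:
            results[name] = "ok"
    return results


def demo() -> dict:
    """Constructed scenario: baseline a clean directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp)
        for name in CRITICAL_FILES:
            # Stand-in content for the real binaries (constructed).
            (sysdir / name).write_bytes(b"GENUINE " + name.encode())
        baseline = build_baseline(sysdir)

        # Simulate an infection: userinit.exe replaced, svchost.exe removed.
        (sysdir / "userinit.exe").write_bytes(b"LOCKER PAYLOAD")
        (sysdir / "svchost.exe").unlink()
        return check_against_baseline(sysdir, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:15} {status}")
```

In real use the baseline would be saved to removable media while the machine is clean and compared from a recovery environment such as the X:\sources prompt used earlier in the thread, since a running infection can hide or substitute the files it controls.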
Attached are the 3 RKreports.
Thanks for your help so far! Attached are the 2 OTL logs.
OK, that looks to be most of it… How is the computer behaving? There are a few repairs to run.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:OTL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-4247701468-2985291210-1972710796-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks.
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
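The [resethosts] command in the OTL fix above replaces the hosts file with its default contents, because rogueware and lock-screen malware commonly add hosts entries that send security-vendor or update sites to loopback, or pin a legitimate name to an attacker-controlled address. The script below is an added example, not from this thread and not OTL's code: it audits a hosts file, reports every mapping that is not one of the two default localhost entries with a reason, and provides a minimal clean replacement. The sample hosts text, the .test domain names and the 203.0.113.10 address are constructed for the demonstration; the two default mappings are the ones Windows ships.

```python
"""Audit a Windows hosts file for hijacked mappings (added example)."""
from ipaddress import ip_address

# The only active mappings in a default Windows hosts file.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Minimal clean replacement, i.e. what a hosts reset aims to leave behind (constructed).
CLEAN_HOSTS = (
    "# Hosts file restored to defaults\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
)

# Constructed sample hosts file for the demo; not from the user's machine.
SAMPLE_HOSTS = """# constructed sample hosts file for the demo
127.0.0.1       localhost
::1             localhost

# the kind of lines a rogue adds: security/update sites sent to loopback...
127.0.0.1       www.example-av-vendor.test update.example-av-vendor.test
# ...and a legitimate name redirected to a fixed remote address
203.0.113.10    www.example-bank.test
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active mapping.

    Comments and blank lines are skipped; a line with several names yields one
    tuple per name, which is how the resolver treats it.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield line_no, ip, name


def audit_hosts(text):
    """Return a list of findings for every mapping that is not a default entry."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if (ip, name.lower()) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ip_address(ip)
        except ValueError:
            reason = "unparseable address"
        else:
            if addr.is_loopback or addr.is_unspecified:
                # 127.x / 0.0.0.0 entries blackhole the name: the classic way
                # rogueware blocks antivirus update and download sites.
                reason = "non-local name sent to loopback/blackhole (site blocked)"
            else:
                # A name pinned to a fixed remote address bypasses DNS entirely.
                reason = "name pinned to a fixed remote address (possible redirect)"
        findings.append({"line": line_no, "ip": ip, "host": name, "reason": reason})
    return findings


def clean_hosts() -> str:
    """Return the default hosts contents to write back after reviewing the findings."""
    return CLEAN_HOSTS


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']:15} {f['host']:35} {f['reason']}")
```

On a live machine the file lives at %SystemRoot%\System32\drivers\etc\hosts and needs an elevated prompt to replace; reviewing the findings first tells you which sites the infection was blocking or redirecting, which is useful context for the ComboFix and OTL logs requested above.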
Just wanting to ask… I pasted the script into OTL and it says on the screen “Resetting HOSTS file. DO NOT INTERRUPT.” It has been at this point for about 45-50 minutes now. It does not seem as though anything is processing on the infected system. Should I be more patient or is it perhaps locked up?
That is probably one of your programmes blocking it; close OTL and continue with ComboFix please.
Ok… I had to do a hard boot while OTL was running; the program was not responding and therefore no report was produced.
Ran ComboFix… report attached.
System seems to be running well. When I went into Internet Explorer it gave me some security warning stating that if I proceeded my content would not be protected. Don’t know what to think about that???
Also, my USB drive is now working but not exactly how it worked before as far as the system recognizing that I inserted it and detected a new device.