Possible Reveton or FBI Malware Problem

While using internet explorer a message popped up with the appearance of an FBI website stating that I had engaged in various types of illegal activity and that I would have to pay a fine. The screen then turned white. I have tried to reboot in Safe Mode but the screen flashes from white to black and ends with a black Safe Mode screen but no icons are present. I had just ran Malwarebytes in the last two days. Can you help?

Malware removers are notified…should be here soon.

What operating system do you have? i.e. XP/Vista/7/8. Also, is it 32- or 64-bit?

The system is running Vista…I believe 32-bit.

Download the following three programmes to your desktop :

  1. WiNToBootic
  2. Windows Vista RC
  3. Farbar Recovery Scan Tool x64

Extract wintoboot to your desktop
Insert a USB drive of at least 1GB
Run Wintoboot

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

It will let you know when it is done
Then copy FRST to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions Here

When you reboot you will see this.
Click repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.

https://dl.dropbox.com/u/73555776/FRST%20Start%20scan.gif

Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Ok…I made the USB files and booted it up in the infected system. I got to “Select your operating system”. It comes up with Microsoft Windows Vista, on location (D:) Local Disk.

I have 2 hard drives in this system. My MAIN drive is (C:) and it is NOT listed…only my backup (D:) is listed. Not sure if I should proceed??

Select the option listed and let me know the result

Selected local drive (D:) and then selected command prompt (C:). Took me to X:\sources>. Should I proceed from there and type in notepad?

Yes, X:\sources is the recovery console.

OK…frst.txt attached.

Download the attached fixlist.txt to the same usb as FRST

Run FRST as previously
This time press FIX
Once the fix has completed there will be a log on the USB

Now reboot to normal windows
Run RogueKiller

fixlog.txt attached

Ran RogueKiller. RKreport attached. RogueKiller says 4 problems found…should I hit Delete? Also, for some reason my “infected” system will not recognize my USB anymore.

OK, we will now run the full RogueKiller scan and follow that with an OTL scan to see what remains. We will check out the USB later.

  • Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled.

  • Quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished…
  • Click on Scan.

https://dl.dropbox.com/u/73555776/RKScan.GIF

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

  • The report has been created on the desktop.

  • Next click on the ShortcutsFix.

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

THEN

Download OTL to your Desktop
Secondary link

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

  • Select All Users.
  • Under the Custom Scan box paste this in:

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.

Attached are the 3 RKreports.

Thanks for your help so far! Attached are the 2 OTL logs.

OK, that looks to be most of it… How is the computer behaving? There are a few repairs to run.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-4247701468-2985291210-1972710796-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
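The [resethosts] command in the OTL fix above restores the HOSTS file to its default contents. As an added illustration (not part of this thread and not code from OTL or any other tool named here), the following Python audits a hosts file and reports every active entry that is not a plain loopback-to-localhost mapping, which is the kind of change an infection leaves behind and a reset removes; the sample hosts contents and the `.test` hostnames are constructed.

```python
import ipaddress

# Hostnames a clean hosts file may legitimately map to a loopback address
# (assumption: Vista/7 ship with only commented-out localhost lines, so any
# other active mapping deserves a look).
DEFAULT_HOSTNAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: a clean header, one default entry, and two entries of the
# kind malware adds (a vendor site redirected elsewhere, an update host blackholed).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
127.0.0.1       localhost
203.0.113.5     www.example-antivirus.test   # constructed: redirected vendor site
127.0.0.1       update.example.test          # constructed: blackholed update host
"""


def parse_hosts(text):
    """Yield (line_number, ip, [hostnames]) for every active (uncommented) entry."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, not an address mapping
        yield number, fields[0], fields[1:]


def suspicious_entries(text):
    """Return (line, ip, hostnames, reason) for entries that are not default mappings."""
    findings = []
    for number, ip, names in parse_hosts(text):
        try:
            is_loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            is_loopback = False  # unparsable address: treat as suspicious
        unexpected = [n for n in names if n.lower() not in DEFAULT_HOSTNAMES]
        if unexpected or not is_loopback:
            reason = "non-loopback address" if not is_loopback else "blackholed host"
            findings.append((number, ip, unexpected or names, reason))
    return findings


if __name__ == "__main__":
    for number, ip, names, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {number}: {ip} -> {', '.join(names)} ({reason})")
```

On a real system the text would come from %SystemRoot%\System32\drivers\etc\hosts; a clean Vista/7 file produces no findings.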

Just wanting to ask…I pasted in the script into OTL and it says on the screen “Resetting HOSTS file. DO NOT INTERRUPT.” It has been at this point for about 45-50 minutes now. It does not seem as though anything is processing on the infected system. Should I be more patient or is it perhaps locked up?

That is probably one of your programmes blocking it; close OTL and continue with ComboFix please.

Ok…I had to do a hard boot while OTL was running…program was not responding and therefore no report was produced.

Ran Combofix…report attached.

System seems to be running good. When I went into Internet Explorer it gave me some security warning stating that if I proceeded my content would not be protected. Don’t know what to think about that???

Also, my USB drive is now working but not exactly how it worked before as far as the system recognizing that I inserted it and detected a new device.