Virus also recording me from my video lens... Help?

:frowning:

While on the net all of a sudden my laptop was hijacked.

It also was recording me and telling me it was. Good thing I had red tape over the lens. You could see the window of it actually watching me.

I’m very careful where I surf and only visit a handful of web forums and Amazon and YouTube.

The name of it is called… ICE The ice cyber crime center. It says your computer has been suspended on the grounds of the violation of the law of the United States of America.

Plus a whole bunch of other crap and mentions prison time and porn. It also tells you how to pay the $400.

The whole screen said a bunch of crazy s**t and wants $400 in 48hrs otherwise they are reporting me, WTF? Also had my IP and where I live… WTF?

I ran avast and it found 3 high risk items and was put in the chest.

So to be safe I ran a boot scan. Then the same virus popped up. (See pics below.) I couldn’t get out of it.

I noticed if I tapped the power button quickly without holding the power button down and then hit cancel real fast before it shut down, it was gone (virus screen pop-up) and I was able to access the desktop and am now able to access the web.

So I ran another scan (full) and it said no virus was found other than tons of Adobe crap and some other stuff that says password protected, as always with all my scans.

I know the virus is still in my system because avast doesn’t even start up anymore upon booting up.

The last time it popped up I took pictures of my screen. Had to take several so to show the entire page without it being blurry.

I also ran Mal and adware and nothing showed up.

I’m running a full scan as I type this but I’m freaking out that it has even taken over my video and was watching me. It couldn’t see me because I had the lens covered for over a year, but when I put my hand over the lens you could see the video window (on their page) go dark red (tape is red that’s covering lens) and when I pulled away my hand it got lighter.

Please help and thanks so very much for helping us people out when a virus hijacks our systems.

Thanks

Sorry I couldn’t get a whole screen picture to come out clear with my cell phone.

You can see the video screen of it recording/monitoring me where it kind of looks red from my tape. Also some reflection of me in some of the pics.


http://imageshack.us/a/img705/6112/1363152945798.jpg


http://imageshack.us/a/img560/6397/1363152984792.jpg


http://imageshack.us/a/img853/2883/cam00067y.jpg


http://imageshack.us/a/img823/8246/cam00069z.jpg


http://imageshack.us/a/img546/9460/cam00072z.jpg


http://imageshack.us/a/img69/9470/cam00073l.jpg


http://imageshack.us/a/img26/4707/cam00074m.jpg


http://imageshack.us/a/img132/5943/cam00075k.jpg


http://imageshack.us/a/img5/6647/cam00077f.jpg


http://imageshack.us/a/img442/4601/cam00080k.jpg

Seriously I need help… now posting from my cell because laptop is really screwed up now.
I tried that adwcleaner in help thread and downloaded it and ran it.
I hit delete, it rebooted and that same virus keeps coming up.

Only way to get rid of it is to hit power button, then I have to hit cancel real fast before my laptop reboots.

Now I have a new problem after running that adwcleaner.

My screen is totally empty… no desktop or anything. All I see is my screen saver.

No icons for anything… nothing… it’s completely blank so I can’t access anything because there’s nothing to click on.

I don’t know what’s happening now.

Help?

Before I ran this adwcleaner I sent the virus files from avast log to avast.

What to do now… help?

Ok, after several reboots and hitting power button then hitting cancel real fast before it rebooted, my desktop is back up.

I then looked at the results for adwcleaner and here it is. There are several of them (maybe from rebooting several times, I don’t know) and here it is.

AdwCleaner v2.114 - Logfile created 03/12/2013 at 23:54:49

Updated 05/03/2013 by Xplode

Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

User : RainerRocks - RAINERROCKS-PC

Boot Mode : Normal

Running from : C:\Users\RainerRocks\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N3VNMRXA\adwcleaner[1].exe

Option [Search]

***** [Services] *****

***** [Files / Folders] *****

File Found : C:\Users\RAINER~1\AppData\Local\Temp\Searchqu.ini
Folder Found : C:\ProgramData\boost_interprocess
Folder Found : C:\ProgramData\Partner
Folder Found : C:\Users\RAINER~1\AppData\Local\Temp\AskSearch
Folder Found : C:\Users\RainerRocks\AppData\Local\Ilivid Player
Folder Found : C:\Users\RainerRocks\AppData\Local\OpenCandy
Folder Found : C:\Users\RainerRocks\AppData\Roaming\OpenCandy

***** [Registry] *****

Key Found : HKCU\Software\Alexa Internet
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{EA582743-9076-4178-9AA6-7393FDF4D5CE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{EA582743-9076-4178-9AA6-7393FDF4D5CE}
Key Found : HKCU\Software\vShare
Key Found : HKCU\Software\Zugo
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Found : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Found : HKLM\SOFTWARE\Classes\Interface{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Found : HKU\S-1-5-21-1918482796-3435808618-3437081748-1000\Software\Microsoft\Internet Explorer\SearchScopes{043C5167-00BB-4324-AF7E-62013FAEDACF}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{043C5167-00BB-4324-AF7E-62013FAEDACF}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

-\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\ Google Chrome v25.0.1364.152

File : C:\Users\RainerRocks\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.


AdwCleaner[R1].txt - [3765 octets] - [01/02/2013 10:33:53]
AdwCleaner[R2].txt - [3825 octets] - [01/02/2013 10:38:18]
AdwCleaner[R3].txt - [3453 octets] - [12/03/2013 23:54:49]

########## EOF - C:\AdwCleaner[R3].txt - [3513 octets] ##########

I’m now running full malware scan and will report back.

Funny thing is when doing all the reboots avast no longer shows in the start up in the right hand corner. It starts to show there then it’s gone, as if something is keeping it from starting up.

Neither does malware but my ad-aware does show.

attach the logs… do not copy and paste

the AdwCleaner log you posted shows you did a search. when running AdwCleaner, click the delete button
and you only have to run a Malwarebytes quick scan… not full, as it may take hours

we also need OTL and aswMBR logs. see guide
http://forum.avast.com/index.php?board=4.0
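Added example, not part of the thread and not code from AdwCleaner or avast: a small parser that reads a log in the format posted above, reports the run mode from the `Option [...]` line, and lists items that were only reported rather than removed. The function names are hypothetical, the sample is a constructed excerpt, and the "Deleted" wording for a delete-mode run is an assumption, since the thread only shows a Search log.

```python
import re

# Constructed sample: a shortened excerpt in the format of the log posted above.
SAMPLE_LOG = r"""AdwCleaner v2.114 - Logfile created 03/12/2013 at 23:54:49
Option [Search]
***** [Files / Folders] *****
File Found : C:\Users\RAINER~1\AppData\Local\Temp\Searchqu.ini
Folder Found : C:\Users\RainerRocks\AppData\Local\OpenCandy
***** [Registry] *****
Key Found : HKCU\Software\Zugo
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{043C5167-00BB-4324-AF7E-62013FAEDACF}]
***** [Internet Browsers] *****
[OK] Registry is clean.
"""

OPTION_RE = re.compile(r"^Option \[(\w+)\]")
SECTION_RE = re.compile(r"^\*{5} \[(.+?)\] \*{5}$")
# "Found" is what the posted log shows; "Deleted" is assumed for delete runs.
ENTRY_RE = re.compile(r"^(File|Folder|Key|Value|Service) (Found|Deleted) : (.+)$")


def parse_adwcleaner_log(text):
    """Return the run mode and the (kind, action, target) entries per section."""
    option, section, findings = None, None, {}
    for line in map(str.strip, text.splitlines()):
        if m := OPTION_RE.match(line):
            option = m.group(1)
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif (m := ENTRY_RE.match(line)) and section:
            findings.setdefault(section, []).append(m.groups())
    return {"option": option, "findings": findings}


def still_pending(report):
    """Targets that were only reported ("Found"), so nothing was removed yet."""
    return [target for items in report["findings"].values()
            for _kind, action, target in items if action == "Found"]


if __name__ == "__main__":
    report = parse_adwcleaner_log(SAMPLE_LOG)
    print("mode:", report["option"])
    for name, items in report["findings"].items():
        print(f"{name}: {len(items)} item(s)")
    pending = still_pending(report)
    if report["option"] == "Search" and pending:
        print(f"search-only run, {len(pending)} item(s) still present")
```
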

Yes, the first time I did do a search so I did it again and clicked delete. I must have posted the wrong one.

I’ll try again when malware is finished…it’s already showing 1 item so far.

Sorry about the copy and paste.

Yes I’m following the order in that link you posted.

I’m just afraid every time I reboot I can’t get back on.

if you can’t run the tools then just wait for further instructions from essexboy :slight_smile:

Ok, Malware finished (1 hr 40 mins, doh!), it found 2 bad guys. Oh, PC rebooted ok after malware.

This is the adwcleaner (Delete) that I ran before the malware.

I’ll post the malware next.

This is the newest adwcleaner delete that I ran right after the malware that found 2 bad guys.

Also the malware results with the 2 bad guys.

PS: Now running OTL …will report back.

Ok, here are the OTL logs…

do you have McAfee installed?..i see some McAfee files in there
never install multiple AV as this will give you a slow system, mysterious windows errors and false detections

uninstall it, when done run McAfee removal tool to clear any leftover files that may conflict
tool found here. nr #22a. http://singularlabs.com/uninstallers/security-software/

malware removers are notified. they are usually here after work hours european time

Oh freaking McAfee…I noticed it also.

I deleted/uninstalled it almost 2 years ago but I can’t get rid of it. I hate them.

PS: I ran aswMBR and when finished it said something about avast not able to access root or something. So it closed down and I wasn’t able to see the finished log.

I’m running it again to see what happens.

Should I have shut down avast/malware and adaware?

Thanks so much!

PS: Great… I will run the tool to get rid of McAfee once and for all. Companies shouldn’t be allowed to leave stuff on your PC when you uninstall it.

if problems, try running aswMBR from safe mode

OK here is the aswMBR file…

Thanks again :slight_smile:

A while ago I used Veetle to watch MMA. I have since deleted it because it screwed with my laptop.

So I uninstalled it but I still see it showing up in these reports.

I want it removed but don’t know how to because it doesn’t show up any longer in my programs because I deleted it.

It’s a shady program and I should have known better.

Thanks a million.

PS: I used the program to delete the McAfee kernels. Which program should I run to make sure that monster is gone once and for all?

Malwarebytes seems to have done the job nicely there and now let’s wait for essexboy to give the green signal :slight_smile:

Ok true indian

PS: I’ve been racking my brains out trying to figure out where this virus came from and it can only be 2 places.

Was viewing YouTube and a video wouldn’t play (some did and some didn’t) and a link showed up on the YouTube video window saying I needed to install Adobe Flash even though I had it installed.

So I figured I needed to update and did. Since then my PC was acting strange.

Hi,

@RainerRocks
Hello and welcome to avast!

[*] I will be working on your malware issues; this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*] Please refrain from making any further changes to your computer (install/uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.


Attach here MBAM.txt log


Re-run OTL.exe.

[*] Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:OTL
IE - HKU\S-1-5-21-1918482796-3435808618-3437081748-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://startpage.com/
IE - HKU\S-1-5-21-1918482796-3435808618-3437081748-1000\..\SearchScopes\{18092453-1A5D-443C-99D3-CDAD419B1A83}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=SPC2&o=15004&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=PW&apn_dtid=YYYYYYYYUS&apn_uid=25667EC4-F38C-4D22-8931-AE82B09C0138&apn_sauid=18DDCC39-9B0A-4A9A-B732-C3C7953AB74A
IE - HKU\S-1-5-21-1918482796-3435808618-3437081748-1000\..\SearchScopes\{7990EA36-AFD2-41C8-AFA3-A5C8589C8E70}: "URL" = https://startpage.com/do/search?query={searchTerms}&cat=web&pl=ie&language=&language=english&prfh=font_sizeEEEmediumN1Nrecent_results_filterEEE1N1Nlanguage_uiEEEenglishN1Ndisable_open_in_new_windowEEE1N1NlanguageEEEenglishN1NsslEEE1N1Nnum_of_resultsEEE10N1Npicture_privacyEEEonN1NsuggestionsEEE1N1N
IE - HKU\S-1-5-21-1918482796-3435808618-3437081748-1000\..\SearchScopes\{A3EEDFD0-1629-40A9-AF54-2BC65D448E14}: "URL" = http://www.pricestalker.net/ProductSearch.aspx?keyword={searchTerms}
IE - HKU\S-1-5-21-1918482796-3435808618-3437081748-1000\..\SearchScopes\{AEFEFC1F-EFD2-48A7-92E4-B5C96F2DCAD3}: "URL" = http://addons.alltheinternet.com/texis/open/search?q={searchTerms}
IE - HKU\S-1-5-21-1918482796-3435808618-3437081748-1000\..\SearchScopes\{BB7753FB-F0CE-418A-9849-F249F082026C}: "URL" = https://startpage.com/do/search?query={searchTerms}&cat=web&pl=ie&language=english
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1918482796-3435808618-3437081748-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

:files
C:\ProgramData\6063536.reg
C:\ProgramData\6063536.bat
C:\ProgramData\6063536.pad
C:\install.exe
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:commands
[CREATERESTOREPOINT]
[emptytemp]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.


Go here and read & run RogueKiller. Attach here all RK reports.

http://forum.avast.com/index.php?topic=53253.0


Multiple Antivirus Programs

You are running more than 1 Antivirus program!

AV: AVAST Software
AV: McAfee, Inc.
AV: Lavasoft Ad-Aware.

Running more than one antivirus program is not recommended because:
[*] They can conflict with each other.
[*] They can report the other antivirus software as malicious.
[*] Antivirus programs use an enormous amount of the computer’s resources… actively scanning your computer.
[*] They can cause your computer to become unstable… run slowly and even, in rare cases, BSOD crash… etc.

I strongly suggest you uninstall one of them. Which one is your decision.

Then go to this webpage:
http://singularlabs.com/uninstallers/security-software/

Download & run the antivirus removal tool to remove leftovers.


Re-run OTL, just click on Run Scan and attach here a fresh OTL.txt log

http://news.softpedia.com/news/Fake-Adobe-Flash-Player-Websites-Distribute-Ransomlock-Ransomware-333127.shtml

You should know the only legit Flash Player site is adobe.com; anything else is faked!! :o