Avast WEBforum
Other => Viruses and worms => Topic started by: drmtree on September 11, 2012, 05:13:57 PM
-
Hello,
I am running Windows 7 Professional on my laptop, and my laptop has gotten infected. The symptoms appear almost the same as in http://forum.avast.com/index.php?topic=100171.msg800022#msg800022. Unless I log on in safe mode, I cannot use my laptop.
To fix this, I followed instructions on the web to remove this virus, but nothing worked (e.g., the YouTube video introduced in http://forum.avast.com/index.php?topic=100171.msg824103#msg824103, and the instructions at http://www.fixpcyourself.com/how-to-unlock-computer-from-fbi-moneypak-virus/).
What I tried includes:
- rkill.exe
- Malwarebytes' Anti-Malware - full scan in safe mode
- CCleaner
Because I cannot fix it on my own, I need your help! I followed the directions at http://forum.avast.com/index.php?topic=53253.0. Please see attached for the log files.
Thank you so much in advance for your help.
-
Here are files from OTL.
-
On completion of the OTL run, could you log into normal Windows to run RogueKiller.
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
O2:64bit: - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O4 - HKU\S-1-5-21-1600153690-1634306226-2364451382-1001..\Run: [xmlfilter] C:\Users\Joon\AppData\Local\Microsoft\Windows\2503\xmlfilter.exe ()
O4 - Startup: C:\Users\Joon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KeyboardLocker.exe - Shortcut.lnk = C:\Users\Joon\Desktop\Keyboard Locker\Keyboard Locker\KeyboardLocker.exe ()
[2012/08/31 02:26:06 | 000,000,000 | ---D | C] -- C:\Users\Joon\Desktop\[근로자직무능력향상지원금훈련]관련 서식 및 규정
@Alternate Data Stream - 1106 bytes -> C:\Users\Joon\AppData\Local\wnnmKloN:x1ZmL3AxwXbT62pO3J
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
- Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe) and save it on your desktop.
NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled
- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished ...
- Click on Scan
(https://dl.dropbox.com/u/73555776/RKScan.GIF)
- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.
(https://dl.dropbox.com/u/73555776/RKDelete.GIF)
- The report has been created on the desktop.
- Next click on the ShortcutsFix
(https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF)
- The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
-
Malwarebytes' Anti-Malware - full scan in safe mode
Just so you know, Malwarebytes is designed to work best in normal mode ;)
-
Thank you, essexboy!
Please see attached for the log files that you requested. FYI, RogueKiller found ZeroAccess. I was afraid to turn on Wi-Fi after finding it. I will work on the solutions in safe mode and will keep you updated.
To Pondus:
I ran it in normal mode too, yesterday. However, I got the FBI warning again after running it. At that time, I somehow managed to shut the warning down before running Malwarebytes. I did not use CCleaner right after running it, though.
-
A page related to ZeroAccess is written in French, and the YouTube video is also in French. See http://tigzyrk.blogspot.com/2011/09/rootkit-zeroaccess-max.html
Any suggestions?
Thanks.
-
How is the computer? Can you access all your files now? ZeroAccess is now dead.
-
Everything looks fine now except for the fact that I cannot connect to the Internet. The FBI warning screen is gone. I hope it won't come back after connecting to the Internet.
It says "Wireless Network Connection" does not have a valid IP configuration. Is this familiar to you? I hope that this is not something related to a virus.
Anyway, thank you so much. You are a lifesaver.
-
One more network issue was detected. It says, "Windows could not automatically detect this network's proxy settings". Any clue?
-
Yep, let's reset the net connections
Download Complete Internet Repair (http://www.datum-forensics.com/down/comintrep.exe) to your desktop
Unzip all the files to their own folder on the desktop
Within the folder double click CIntRep
The programme will then run
Select the items I have highlighted
Press go
Let me know if it is able to conduct the repair; there is a log at the bottom
(https://dl.dropbox.com/u/73555776/Int%20repair.JPG)
-
Thank you. But I still have the same problem. I still have the two issues mentioned above. Attached is the log file.
-
OK, let's work through the necessary elements:
Please check that the Proxy Server option is not selected:
Check Internet Options (from Control Panel or Internet Explorer Tools / Options / Connections tab / LAN Settings) and make sure Proxy Server is unchecked.
Then reset IE by going to the Advanced tab in Internet Options and selecting Reset
If that still fails then using OTL
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]
:Files
netsh winsock reset
ipconfig /release
ipconfig /renew
ipconfig /all
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Thank you.
I am running a quick scan now after doing "Run Fix." I think that some custom commands did not work. Please see the log file.
I will post a quick scan results shortly after it completes.
-
Here's the quick scan log file. I still do not have Internet access. Also, I did check the Internet settings, and they were fine.
Thanks!
-
OK, that is my stupid fault :-[ I missed one letter
:Files
netsh winsock reset /c
ipconfig /release /c
ipconfig /renew /c
ipconfig /all /c
Could you re-run an OTL fix with the above script
-
Thank you. Attached are the logs: 1) log after a fix using your :Files command, 2) log after a quick scan. The Internet is still not working. Last night, I downloaded and executed a program from Microsoft that was intended to resolve the network error, but it did not work.
I am awaiting your response. At the same time, I am seriously thinking about reinstalling the OS.
-
At the same time, I am seriously thinking about reinstalling the OS.
Don't give up before Essexboy does ;)
-
Thanks, Pondus. That gives me hope. :)
-
< netsh winsock reset /c >
Access is denied.
This is the problem: the registry key has had its permissions changed
Download Windows Repair (all in one) from this site (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)
Install the programme, then run it
(https://dl.dropbox.com/u/73555776/waio%20start.JPG)
Go to step 3 and allow it to run SFC
(https://dl.dropbox.com/u/73555776/waio%20step3.JPG)
On the start repairs tab click start
(https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG)
Select the following items and tick restart system when finished
(https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG)
-
It did not work... I ran the OTL fix to see how it responds to "netsh winsock reset /c" and I got the following error message in the log.
"Error: Unable to interpret <netsh winsock reset /c> in the current context!"
Awaiting your response.
-
Still no net connection ?
-
No Internet connection. It appears that winsock.dll has been deleted or is missing. I ran cmd to see how it responds, and it says "The system cannot find the file specified."
-
FYI
- As a follow-up, I used Complete Internet Repair - no luck
- Also used MicrosoftFixit50203, which is intended to fix the internet connection error including reinstalling winsock. - no luck
- Ran OTL and CMD, and used netsh winsock reset /c, and got "The system cannot find the file specified".
The file is still missing.
-
You have to be careful, this is the only type of ransomware that can repair its files and come back.
Please see this youtube video http://www.youtube.com/watch?v=KNJNsRBtwxM
Fix Windows Errors by Re-registering All Your DLL's
-
OK, let's get a spare winsock.dll
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Under the Custom Scan box paste this in
/md5start
winsock.*
/md5stop
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- Attach the log
-
Please see attached for the OTL quick scan log.
-
Here is a complete guide that works all the time.
http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware
-
Aventador, does that replace the missing file...? Please read the entire thread before jumping in with unrelated fixes
drmtree
Download the file from the link below to your windows/system32 folder
https://dl.dropbox.com/u/73555776/wsock32.dll
Then re-run Internet repair
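As an added example that is not part of the forum thread or of any of the tools named in it: a read-only PowerShell check of the things the fixes above manipulate, so the state of the machine can be verified before and after each step. It covers the WinINET proxy setting (the "could not automatically detect this network's proxy settings" message), the per-user COM server overrides under HKCU\Software\Classes (the OTL fix deleted one such CLSID; the script lists them all, since that is the general form of the hijack), the WMI Event Subsystem CLSID the :Reg fix restored, the ACL on the Winsock catalog key that netsh winsock reset rewrites (a plausible source of the "Access is denied" result), the Winsock provider catalog, and the version and SHA-256 of the networking DLLs so a replacement wsock32.dll can be compared with a clean machine of the same build. The registry paths and the WMI CLSID are taken from the OTL scripts in the thread; the list of "stock" Winsock providers and the list of services are the example's assumptions and should be adjusted for the build in hand.

```powershell
# Added example (not from the thread). Read-only; run from an elevated 64-bit PowerShell
# prompt on Windows 7 or later. Nothing here modifies the system.
# Registry paths / WMI CLSID: from the OTL fixes above. Stock-provider and service lists: assumptions.

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$msg) { $findings.Add($msg); Write-Host "[!] $msg" }

# 1. WinINET proxy settings (Internet Options > Connections > LAN Settings lives here).
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { Add-Finding "Manual proxy enabled: $($inet.ProxyServer)" }
if ($inet.AutoConfigURL)     { Add-Finding "PAC script configured: $($inet.AutoConfigURL)" }

# 2. Per-user COM hijacks. HKCU\Software\Classes is consulted before HKLM, so a per-user
#    InprocServer32 silently replaces a system COM server for this account. Every hit is
#    listed for review; the OTL fix removed one such CLSID from this hive.
Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $ips = "$($_.PSPath)\InprocServer32"
    if (Test-Path $ips) {
        Add-Finding "Per-user COM server: $($_.PSChildName) -> $((Get-ItemProperty $ips).'(default)')"
    }
}
# The WMI Event Subsystem CLSID restored by the fix must point back at wbemess.dll.
$wmi = 'Registry::HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32'
$server = (Get-ItemProperty $wmi -ErrorAction SilentlyContinue).'(default)'
if ($server -notlike '*\system32\wbem\wbemess.dll') { Add-Finding "WMI event CLSID points at '$server'" }

# 3. Winsock. "netsh winsock reset" rewrites the catalogs under this key; a Deny ACE or
#    missing Full Control for Administrators/SYSTEM is one way to get "Access is denied".
$ws2 = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
try {
    $acl = Get-Acl $ws2
    if ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }) { Add-Finding "Deny ACE on $ws2" }
    $full = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.RegistryRights -match 'FullControl' -and
        $_.IdentityReference -match 'Administrators|SYSTEM' }
    if (-not $full) { Add-Finding "Administrators/SYSTEM lack Full Control on $ws2" }
} catch { Add-Finding "Cannot read ACL on ${ws2}: $_" }

# Winsock providers outside the stock Windows 7 set (assumed list; English netsh output assumed).
$stock = '^%SystemRoot%\\system32\\(mswsock|winrnr|napinsp|pnrpnsp|nlaapi|wshbth)\.dll$'
foreach ($line in (netsh winsock show catalog)) {
    if ($line -match '^\s*Provider Path:\s*(.+)$') {
        $path = $Matches[1].Trim()
        if ($path -notmatch $stock) { Add-Finding "Non-stock Winsock provider: $path" }
    }
}

# 4. Networking DLLs: presence, file version and SHA-256. Compare the printed values with the
#    same files on a clean machine of the same build (sfc /verifyfile=<path> is the built-in check).
#    A 32-bit PowerShell on 64-bit Windows would be redirected to SysWOW64; use the 64-bit host.
$sha = [System.Security.Cryptography.SHA256]::Create()
foreach ($name in 'ws2_32.dll', 'wsock32.dll', 'mswsock.dll') {
    $p = Join-Path $env:SystemRoot "System32\$name"
    if (-not (Test-Path $p)) { Add-Finding "Missing $p"; continue }
    $hash = ($sha.ComputeHash([System.IO.File]::ReadAllBytes($p)) | ForEach-Object { $_.ToString('x2') }) -join ''
    Write-Host ("{0,-12} {1,-22} {2}" -f $name, (Get-Item $p).VersionInfo.FileVersion, $hash)
}

# 5. Services this malware family is reported to stop or remove (assumed baseline). A missing
#    Base Filtering Engine (BFE) alone is enough to break IPsec and the Windows Firewall.
foreach ($svc in 'BFE', 'MpsSvc', 'wscsvc', 'WinDefend') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { Add-Finding "Service $svc is not registered" }
    else { Write-Host ("{0,-10} {1}" -f $svc, $s.Status) }
}

Write-Host "`n$($findings.Count) finding(s)."
```

Run it once before applying a fix and once after the reboot that follows it; the two lists of findings show exactly which repair changed what. WinDefend being stopped is normal on a machine running another antivirus, which is why only an unregistered service is reported as a finding.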