Cheshire police ( Lockout )

[drco09]

Can you help me remove this problem from my computer .

 

[kuttus]

Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:

• I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine!
• The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Refrain from running self fixes as this will hinder the malware removal process.
• It may prove beneficial if you print of the following instructions or save them to notepad as I post them.

Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
<hr />

Which Operating System are you using?

 

[drco09]

Hi

Thanks for getting back to me

the operating system is vista business 32 bit operating system

Regards

 

[kuttus]

Can you please try to run a scan with Farbar Recovery Scan Tool. You will need a USB (Flash) pendrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tooland save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Click on Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

 

[drco09]

Hello kuttus

I have a dell Laptop so it might be a bit different
I do not have a System Recovery Options in my
Advanced Boot Options

My Listing reads


Safe mode
Safe mode with networking
Safe mode with command prompt

Enable Boot Logging
Enable low-resolution Video
Last Known Good Configuration (advanced)
Directory Services Restore Mode
Debugging Mode
Disable automatic restart on system failure
Disable Driver Signature Enforcement

Start Windows Normally

I would guess you want me to go to

Safe mode with command prompt

But I thought I would ask before going on

Regards

 

[kuttus]

If there is no Repair your computer then you are not using Windows Vista I think. Try this one now...

Please print these instruction out so that you know what you are doing

• Download OTLPENet.exe to your desktop
• Download Farbar Recovery Scan Tool and save it to a flash drive.
• Download List Parts and save it to the flash drive also.
• Ensure that you have a blank CD in the drive
• Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
• Reboot your system using the boot CD you just created.
  Note If you do not know how to set your computer to boot from CD follow the steps here
• Wait for the CD to detect your hardware and load the operating system
• Your system should now display a Reatogo desktop
  Note as you are running from CD it is not exactly speedy
• Insert the USB with FRST
• Locate the flash drive with FRST and double click
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
• Next click List Parts and then click Scan
• It will make a log Results.txt on the flash drive. Please copy and paste it to your reply.

 

[drco09]

Hi kuttus

Please find attached files as requested

Thanks for your help with this problem

Regards

 

[kuttus]

Now please download this file and save it to your Flash Drive.

[attachment=5265]

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Then attempt to boot to normal mode.

 

[drco09]

Hi

Log attached

laptop now boots up fine to my desktop without going to locked screen

thanks

 

[kuttus]

STEP 1: Run a scan with AdwCleaner

<ol><li>Download AdwCleaner from the below link.
<><a href="http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner" target="_blank">ADWCLEANER DOWNLAOD LINK</a></> (This link will automatically download Security Check on your computer)</li>

<li>Close all open programs and internet browsers.</li>
<li>Double click on <>adwcleaner.exe</> to run the tool.</li>
<li>Click on <>Delete</>,then confirm each time with <>Ok</>.</li>
<li>Your computer will be rebooted automatically. A text file will open after the restart.</li>
<li>Please post the contents of that logfile with your next reply.</li>
<li>You can find the logfile at <>C:\AdwCleaner[S1].txt</> as well.</li>
</ol>
<hr/>
STEP 2: Run a scan with Junkware Removal Tool

Please download Junkware Removal Tool to your desktop from here

• Turn off your antivirus software now to avoid potential conflicts
• Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
• The tool will open and start scanning your system
• Please be patient as this can take a while to complete depending on your system's specifications
• On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
• Post the contents of JRT.txt into your next reply

---

Download Malwarebytes Anti-Rootkit from here to your Desktop

• Unzip the contents to a folder on your Desktop.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
• After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
• When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

---

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• When it prompts you to try their 30-day trail, click decline
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

---

 

[drco09]

Hi Kuttus

I have followed instructions as asked and attached all files requested
i have put the second scan from Malwarebytes Anti-rootkit as well .

Can I ask is it ok to use the laptop normally or do I need to wait for you to say its ok to use laptop normally.

regards

 

[kuttus]

Now you can start the computer in normal mode......


STEP 1: Run a HitmanPro scan
<ol>
<li><>Download the latest official version of HitmanPro</>.
<a href="http://www.surfright.nl/en/hitmanpro/" rel="nofollow" target="_blank"> <>HITMANPRO DOWNLOAD LINK</></a> <em>(This link will open a download page in a new window from where you can download HitmanPro)</em></li>
<li>Start HitmanPro by <>double clicking on the previously downloaded file.</> and then following the prompts.
<img src="http://malwaretips.com/images/removalguide/hpro4.png" alt="[Image: hitmanproscan4.png]" border="0" /></li>
<li>Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object click <>Next</> .
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/02/rsz_hpro5.png" alt="[Image: hitmanproscan5.png]" border="0" /></li>
<li>Click <>Activate free license</> to start the free 30 days trial and remove the malicious files.
<img src="http://malwaretips.com/images/removalguide/hpro6.png" alt="[Image: hitmanproscan6.png]" border="0" /></li>
<li>HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
</ol>
Add to your next reply, any log that HitmanPro might generate.
<hr />


STEP 2: Run a scan with ESET Online Scanner
<ol>
<li>Download ESET Online Scanner utility from the below link
<><a title="External link" href="http://download.eset.com/special/eos/esetsmartinstaller_enu.exe" rel="nofollow">ESET ONLINE SCANNER DOWNLOAD LINK</a></> <em>(This link will automatically download ESET Online Scanner on your computer.)</em></li>
<li>Double click on the Eset installer program (esetsmartinstaller_enu.exe).</li>
<li>Check <>Yes, I accept the Terms of Use</></li>
<li>Click the <>Start</> button.</li>
<li>Check <>Scan archives</></li>
<li>Push the <>Start</> button.</li>
<li>ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.</li>
<li>When the scan completes, push <>List of found threats</></li>
<li>Push <>Export to Text file </> and save the file to your desktop using a unique name, such as <>ESET Scan</>. Include the contents of this report in your next reply.Note - when ESET doesn't find any threats, no report will be created.</li>
<li>Push the <>back</> button.</li>
<li>Push <>Finish</></li>
</ol>
<hr />

STEP 3: Run a scan with Kaspersky Virus Removal Tool
<ol><li>Download Kaspersky Virus Removal Tool from the below link and then double click on it to start this utility.
<><a title="External link" href="http://www.kaspersky.com/antivirus-removal-tool?form=1" rel="nofollow">KASPERSKY VIRUS REMOVAL TOOL</a></> <em>(This link open an new webpage from where you can download Kaspersky Virus Removal Tool on your computer.)</em></li>
<li>Follow the onscreen prompts until it is installed</li>
<li>Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
<ul>
<li><span style="color: #ff0000;">System Memory</span></li>
<li><span style="color: #ff0000;">Hidden startup objects</span></li>
<li><span style="color: #ff0000;">Disk boot sectors</span></li>
<li><span style="color: #ff0000;">Local Disk (C: )</span></li>
<li><span style="color: #ff0000;">Also any other drives (Removable that you may have)</span></li>
</ul>
</li>
<li>Then click on <>Actions</> on the left hand side</li>
<li>Click <>Select Action</>, then make sure both <>Disinfect</> and <>Delete if disinfection fails</> are ticked</li>
<li>Click on <>Automatic Scan</></li>
<li>Now click the <>Start Scanning</> button, to run the scan</li>
<li>After the scan is complete, click the reports button ('Paper icon', next to the 'Gear' icon) on the right hand side</li>
<li>Click <>Detected threats</> on the left</li>
<li>Now click the <>Save</> button, and save it as <>kaslog.txt</> to your <>Desktop</></li>
<li>Please attach kaslog.txt in your next reply.</li>
</ol>
<hr />

 

[drco09]

Hi Kuttus

I have had to copy the hitman file to the message as it would not attach in the file attachment part

I have attached the other 2 files requested
The Kapersky Virus result file is the first time run result . the program wanted me to delete the JRT.exe immediately which is what I did the on reboot the program restarted a new scan and at the end no threats was reported.

One thing i am a little upset to find a file you have asked me to download has a trojan in it ? JRT.exe ? ?



-----------------------------------------------------------------------

HitmanPro 3.7.6.201
www.hitmanpro.com

   Computer name . . . . : JPNB64
   Windows . . . . . . . : 6.0.2.6002.X86/2
   User name . . . . . . : JPNB64\Jeremy
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-08-03 01:36:16
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 16m 0s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 279

   Objects scanned . . . : 2,215,057
   Files scanned . . . . : 48,156
   Remnants scanned  . . : 623,005 files / 1,543,896 keys

Suspicious files ____________________________________________________________

   C:\QMSYS\bin\qmsvc.exe
      Size . . . . . . . : 174,080 bytes
      Age  . . . . . . . : 1446.7 days (2009-08-17 09:08:33)
      Entropy  . . . . . : 6.7
      SHA-256  . . . . . : 3FD9E1B7DFC7311021E5E17B28D1D4009CAF1E90648EAFCE5C1688ED875C252D
      Service  . . . . . : QMSvc
      Parent Name  . . . : C:\Windows\system32\services.exe
      Running processes  : 2416
      Fuzzy  . . . . . . : 22.0
         The hidden file attribute bit is set. This is not common to most programs.
         This program is actively listening for inbound network connections.
         Starts automatically as a service during system bootup.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program starts automatically without user intervention.
         The file is in use by one or more active processes.
      Startup
         HKLM\SYSTEM\CurrentControlSet\Services\QMSvc\
      Network Ports
         0.0.0.0:4242	
         0.0.0.0:4243	

   C:\Users\Jeremy\Documents\Downloads\sp23345.exe
      Size . . . . . . . : 849,208 bytes
      Age  . . . . . . . : 1253.1 days (2010-02-26 23:01:59)
      Entropy  . . . . . : 7.9
      SHA-256  . . . . . : F2BFDEB0C4C0B876FC7EDFC732B7773712AF71598975F127A2CEA15E198AFD0B
      Product  . . . . . : ROMPaq for Evo D310/D320/D510 and W4000 SFF DDR (686O2 ROM) 
      Publisher  . . . . : Hewlett-Packard Company                                     
      Description  . . . :                                                             
      Version
      Copyright  . . . . :                                                             
      RSA Key Size . . . : 512
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 25.0
         Program is code signed with a weak certificate. This is common to malware.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Jeremy\Downloads\FSCaptureSetup74.exe
      Size . . . . . . . : 2,499,922 bytes
      Age  . . . . . . . : 80.5 days (2013-05-14 14:03:21)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : F948F19E35DBAB0AA7172BC9046EC63F1CEFF5A31F9AF298904B2A6B17D89B21
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 22.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.

   C:\Windows\system32\WUDFUpdate_01009.dll
      Size . . . . . . . : 1,837,296 bytes
      Age  . . . . . . . : 1206.7 days (2010-04-14 09:26:58)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : 6D63D31F77B9F56A70627720AA513C6FCD83117F71D3E1893966D88FF252B147
      Product  . . . . . : Microsoft® Windows® Operating System
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : Windows Driver Foundation - User-mode Platform Device Update Co-Installer
      Version  . . . . . : 6.1.7600.16385
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 32.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.


Cookies _____________________________________________________________________

   C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Cookies\9XDXPO0W.txt
   C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Cookies\CGL10AT2.txt
   C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Cookies\EXTVE6RK.txt

 

[kuttus]

Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

---

How's everything working now?

 

[drco09]

Hi Kuttus

All seems to be good now

thanks for your help

 

[kuttus]

Great to hear that......

Double click on OTL to run it

• Click on the Cleanup button at the top.
• You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
• This will remove itself and other tools we may have used.

---

Now that your PC is clean, I recommend you to create a new System Restore point then purge the old ones after.

For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one

For Vista
Create a restore point
Delete all but the most recent restore point

For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link

---

Keep your system updated

• Keeping your programs (especially Adobe and Java products) updated is essential. Update Checker will notify you if any of your programs require an update.
• Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
• Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here

---

I also recommend you to switch your antivirus program to a better one. Here are some suggestions:

• avast! 7 Home Edition - Don't use it with Online Armor
• Avira AntiVir Personal
• Microsoft Security Essentials

In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker.

• Online Armor
• Comodo Firewall - If you are an advance user

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

---

Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with addition add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains less vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.

• KeyScramber - Encrypts your keystrokes to protect you against keyloggers that steals personal & banking information
• AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
• NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
• Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.

• AdBlock

---

Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

• CCleaner
• Malwarebytes Anti-Malware
• Temp File Cleaner by OldTimer

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask

<hr />
What's next?

1. Bulild up your malware defenses by starting a new thread in Security Configuration Wizard forum.
2. Learn how to avoid malware by reading this article <a href="http://malwaretips.com/blogs/how-to-easily-avoid-pc-infections/">How to easily avoid malware</a>
3. Be an active member in the MalwareTips community!

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.​