FBI Moneypak - no safe mode

Vrinsk

New Member
Thread author
May 27, 2013
14
I read article at malwaretips.com titled: "Remove FBI CyberCrime Division virus (ICSPA Scam)". Tried methods 1-5 on step 1 "Remove FBI CyberCrime Division (ICSPA) lock screen from your computer".
They did not work. Read a thread about a similar support situation (guy with trojan: "lecohen123", MalwareTips support guy: "fiery") where it was advised to install FRST64.exe. I have done this scan now.

Hope there is someone here that can help me get rid of this trojan :)
 

Attachments: FRST.txt (20 KB)

Vrinsk

New Member
Thread author
May 27, 2013
14
Hi again. A little update. I tried to run hitmanpro_x64.exe from the command prompt, but during the scan it stops and goes back to command prompt.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>
Open notepad and copy & paste the following:

start
HKU\BIGBADPC\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\BIGBADPC\Documents\4b8f7c9a.exe [37888 2013-05-22] ()
HKU\BIGBADPC\...\Run: [ctfmon.exe] C:\PROGRA~3\rundll32.exe C:\PROGRA~3\ejdo4.dat,FG00 [172544 2013-05-22] (Hilgraeve, Inc.)
HKU\BIGBADPC\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
2013-05-22 10:00 - 2013-05-22 10:01 - 95023320 ___AT C:\ProgramData\4odje.pad
2013-05-22 10:00 - 2013-05-22 10:00 - 00172544 ____A (Hilgraeve, Inc.) C:\ProgramData\ejdo4.dat
2013-05-22 10:00 - 2013-05-22 10:00 - 00044544 ____A (Microsoft Corporation) C:\ProgramData\rundll32.exe
2013-05-22 10:00 - 2013-05-22 10:00 - 00000151 ____A C:\ProgramData\4odje.reg
2013-05-22 10:00 - 2013-05-22 10:00 - 00000055 ____A C:\ProgramData\4odje.bat
2013-05-22 10:00 - 2013-05-22 10:00 - 00000000 ____A C:\ProgramData\as98213.txt
2013-05-22 09:57 - 2013-05-22 09:57 - 01211271 ____A C:\Users\BIGBADPC\AppData\Roaming\2433f433
2013-05-22 09:57 - 2013-05-22 09:57 - 01211253 ____A C:\Users\BIGBADPC\AppData\Local\2433f433
2013-05-22 09:57 - 2013-05-22 09:57 - 01211222 ____A C:\ProgramData\2433f433
2013-05-22 09:57 - 2013-05-22 09:57 - 00037888 ____A C:\Users\BIGBADPC\Documents\4b8f7c9a.exe
end

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Then attempt to boot normally. If successful,

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)
 
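The persistence chain in the fixlist above (a Winlogon Shell pointing at cmd.exe, a Run value with a random name launching an executable from the user's Documents folder, and a second Run value that starts a copied rundll32.exe with a .dat module) can be picked out of an FRST log mechanically. The Python script below is an added example for this thread, not code from FRST or from MalwareTips: it parses FRST-style autostart lines, applies the same reasoning Fiery applied by eye, and emits the offending lines in FRST's start/end fixlist format. The sample lines are constructed to mirror the entries above, the fourth being an invented benign control; the heuristics are this example's own assumptions. A real fixlist would also carry the dropped-file lines, as Fiery's does.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the format FRST prints registry autostart entries.
# The first three lines reproduce the entries Fiery put in the fixlist above;
# the fourth is a benign control entry invented for this example.
SAMPLE_FRST_LINES = r"""
HKU\BIGBADPC\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\BIGBADPC\Documents\4b8f7c9a.exe [37888 2013-05-22] ()
HKU\BIGBADPC\...\Run: [ctfmon.exe] C:\PROGRA~3\rundll32.exe C:\PROGRA~3\ejdo4.dat,FG00 [172544 2013-05-22] (Hilgraeve, Inc.)
HKU\BIGBADPC\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKLM\...\Run: [Adobe ARM] C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
""".strip().splitlines()

# hive\path\Key: [ValueName] command [size date] (signer) <==== ATTENTION
ENTRY_RE = re.compile(
    r"^(?P<hive>HK\w+)\\(?P<path>.*?)\\(?P<key>Run|RunOnce|Winlogon): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<signer>[^)]*)\))?"
    r"(?P<attention> <==== ATTENTION)?$"
)
# Either a quoted path, or an unquoted path that ends at the first .exe/.com/... token.
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|com|scr|bat|cmd))(?=\s|$)', re.I)

# Directories a non-admin user (or malware running as that user) can write to.
# PROGRA~3 is the 8.3 name FRST showed for C:\ProgramData on this machine.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\progra~3\\", "\\appdata\\", "\\temp\\")
SYSTEM_DIRS = ("\\windows\\system32", "\\windows\\syswow64")


def split_command(cmd):
    """Return (executable, arguments) for a quoted or unquoted command line."""
    m = EXE_RE.match(cmd)
    if not m:
        return cmd, ""
    exe = m.group(1) or m.group(2)
    return exe, cmd[m.end():].strip()


def parse_entry(line):
    """Parse one FRST autostart line into a dict, or None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["exe"], entry["args"] = split_command(entry["cmd"])
    return entry


def reasons_for(entry):
    """Heuristics (this example's own) that separate a hijack from a normal autostart."""
    reasons = []
    exe = entry["exe"]
    exe_lower = exe.lower()
    base = PureWindowsPath(exe).name.lower()
    # Winlogon's Shell value must be explorer.exe; anything else is a lock-screen classic.
    if entry["key"] == "Winlogon" and entry["name"] == "Shell" and base != "explorer.exe":
        reasons.append(f"Winlogon Shell is '{exe}', expected explorer.exe")
    if any(d in exe_lower for d in USER_WRITABLE):
        reasons.append("executable lives in a user-writable directory")
    if base == "rundll32.exe":
        parent = str(PureWindowsPath(exe).parent).lower()
        if not any(parent.endswith(d) for d in SYSTEM_DIRS):
            reasons.append("rundll32.exe is a copy outside System32/SysWOW64")
        module = entry["args"].split(",")[0].strip()
        if module and not module.lower().endswith(".dll"):
            reasons.append(f"rundll32 loads non-DLL module '{module}'")
    # A value named like a system binary that launches something else is camouflage.
    if entry["name"].lower().endswith(".exe") and entry["name"].lower() != base:
        reasons.append(f"value name '{entry['name']}' mimics a system binary it does not launch")
    if entry["size"] and entry["signer"] == "":
        reasons.append("file carries no company/version information")
    return reasons


def triage(lines):
    """Return the entries that trip at least one heuristic, with their reasons."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append({"name": entry["name"], "exe": entry["exe"],
                             "line": line.strip(), "reasons": reasons})
    return findings


def build_fixlist(findings):
    """FRST fixlist format: the offending log lines verbatim between 'start' and 'end'."""
    return "\n".join(["start", *(f["line"] for f in findings), "end"])


if __name__ == "__main__":
    found = triage(SAMPLE_FRST_LINES)
    for f in found:
        print(f"[{f['name']}] {f['exe']}")
        for r in f["reasons"]:
            print("   -", r)
    print(build_fixlist(found))
```

The Winlogon Shell check is the one that matters most for a lock screen: the "no safe mode" symptom in the thread title follows from it, because Winlogon starts the configured Shell in safe mode too, so replacing explorer.exe with cmd.exe (which the locker then drives) leaves no normal desktop to fall back to. That is why the fix had to run from the recovery environment, where the infected registry hive is not loaded.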

Vrinsk

New Member
Thread author
May 27, 2013
14
Hi Fiery! Awesome that you can help me! fixlog.txt as follows:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 27-05-2013
Ran by SYSTEM at 2013-05-27 20:45:36 Run:1
Running from M:\
Boot Mode: Recovery
==============================================

HKEY_USERS\BIGBADPC\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.
HKEY_USERS\BIGBADPC\Software\Microsoft\Windows\CurrentVersion\Run\\ctfmon.exe => Value deleted successfully.
HKEY_USERS\BIGBADPC\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\ProgramData\4odje.pad => Moved successfully.
C:\ProgramData\ejdo4.dat => Moved successfully.
C:\ProgramData\rundll32.exe => Moved successfully.
C:\ProgramData\4odje.reg => Moved successfully.
C:\ProgramData\4odje.bat => Moved successfully.
C:\ProgramData\as98213.txt => Moved successfully.
C:\Users\BIGBADPC\AppData\Roaming\2433f433 => Moved successfully.
C:\Users\BIGBADPC\AppData\Local\2433f433 => Moved successfully.
C:\ProgramData\2433f433 => Moved successfully.
C:\Users\BIGBADPC\Documents\4b8f7c9a.exe => Moved successfully.

==== End of Fixlog ====
 

Vrinsk

New Member
Thread author
May 27, 2013
14
ITS MAGIC! Got my desktop back. Currently scanning with Malwarebytes Anti-Rootkit. Found 1 Malware so far; Trojan:FakeMS.INC.

Got a couple of messages as I opened up:
"problem starting ejdo4.dat, specified module could not be found"

"recovery has completed, do you want to restore your user files" Should I restore my files or cancel for now?

(Also I already had an outdated version of Malwarebytes anti-malware installed. I updated it, but did not yet scan.)
 

Vrinsk

New Member
Thread author
May 27, 2013
14
FYI: McAfee popped up with a message saying: "file deleted: - 0.4650904846095306.bfg RDN/Ransom!cq"
 

Fiery

Level 1
Jan 11, 2011
2,007
Good to hear that your desktop is back!

"recovery has completed, do you want to restore your user files" Should I restore my files or cancel for now?

What is that for? Did you attempt a system restore before or is that from a program you use?

Got a couple of messages as I opened up:

That is normal. There are registry entries that need to be cleaned out.


Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click delete and wait until it says deleting finished
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool(For Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click delete
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download OTL by Old Timer from here and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please attach the contents of these 2 Notepad files in your next reply.
 

Vrinsk

New Member
Thread author
May 27, 2013
14
I did try a system restore a few days back, but nothing happened...

During the anti-rootkit scan, it found two Trojan.fakeMS.inc and one Trojan.agent.tpl.
I did cleanup, and it asked for a reboot, which I did. Now I am doing another scan as previously instructed. Let me know if I should cancel the 2nd scan and do RogueKiller now instead, etc.
 

Vrinsk

New Member
Thread author
May 27, 2013
14
Did 2nd scan. Nothing found :D

Rogue report>

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : BIGBADPC [Admin rights]
Mode : Scan -- Date : 05/27/2013 22:08:44
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[STARTUP][BLACKLISTDLL] msconfig.lnk @BIGBADPC : C:\Windows\System32\rundll32.exe|C:\PROGRA~3\ejdo4.dat,FG00 -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorUser (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorUser (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\Command Processor : AutoRun ("C:\Users\BIGBADPC\Documents\4b8f7c9a.exe") -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDS722020ALA330 +++++
--- User ---
[MBR] a28a61c1bf689e9ca6705a9f1ca414cd
[BSP] 3db310729c1c10071d3904fe47aed6b7 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 1893916 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3878946816 | Size: 13711 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Hitachi HDS722020ALA330 +++++
--- User ---
[MBR] 7a096466e52654b08594b85c89b70454
[BSP] 3f1229ea1b312104da32dcbddac6a7eb : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_05272013_02d2208.txt >>
RKreport[1]_S_05272013_02d2208.txt
 
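RogueKiller's [HJ] entries above show what the locker did besides persisting: it zeroed EnableLUA and ConsentPromptBehaviorAdmin (UAC off, silent elevation for administrators), zeroed ConsentPromptBehaviorUser, and set a Command Processor AutoRun so that every cmd.exe, including the one Winlogon started as the hijacked Shell, launched the locker again. The Python below is an added example, not RogueKiller's code and not part of the thread: it parses these report lines, compares them with the Windows 7 default values, and writes a .reg file that restores the defaults and deletes the AutoRun value. The full key paths are the standard locations for these values (RogueKiller elides them as [...]); the sample lines are constructed to mirror the report.

```python
import re

# Constructed sample lines in the format of RogueKiller's "Registry Entries"
# section; they mirror the [HJ] entries in the report above.  RogueKiller
# itself elides the middle of each key path as "[...]".
SAMPLE_RK_LINES = r"""
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorUser (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorUser (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ] HKCU\[...]\Command Processor : AutoRun ("C:\Users\BIGBADPC\Documents\4b8f7c9a.exe") -> FOUND
""".strip().splitlines()

HJ_RE = re.compile(
    r"^\[HJ\] (?P<hive>HK\w+)\\\[\.\.\.\]\\(?P<tail>.+?) : (?P<value>\w+) \((?P<data>.*)\) -> FOUND$"
)

# Full key paths behind RogueKiller's abbreviated ones: the standard Windows
# locations for these values.  The Wow6432Node view is included because the
# report flags it separately, so the fix writes both views.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_KEY_WOW = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System"
CMD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Command Processor"
KEY_FOR = {
    ("HKLM", "System"): POLICY_KEY,
    ("HKLM", r"Wow6432Node\System"): POLICY_KEY_WOW,
    ("HKCU", "Command Processor"): CMD_KEY,
}

# Windows 7 default value and what the tampered value (0) means.
UAC_DEFAULTS = {
    "EnableLUA": (1, "0 switches UAC off; an administrator's processes all run fully elevated"),
    "ConsentPromptBehaviorAdmin": (5, "0 elevates administrators silently instead of prompting for consent"),
    "ConsentPromptBehaviorUser": (3, "0 automatically denies standard-user elevation instead of prompting for credentials"),
}


def parse_hj(lines):
    """Parse RogueKiller [HJ] lines into dicts with hive, tail, value and data."""
    return [m.groupdict() for m in (HJ_RE.match(l.strip()) for l in lines) if m]


def assess(entries):
    """Compare each reported value with its default; return the deviations."""
    findings = []
    for e in entries:
        key = KEY_FOR.get((e["hive"], e["tail"]))
        if key is None:
            continue  # not a location this example knows how to restore
        if e["value"] in UAC_DEFAULTS:
            expected, note = UAC_DEFAULTS[e["value"]]
            current = int(e["data"])
            if current != expected:
                findings.append({"key": key, "value": e["value"], "current": current,
                                 "expected": expected, "note": note})
        elif e["value"] == "AutoRun":
            findings.append({"key": key, "value": "AutoRun", "current": e["data"].strip('"'),
                             "expected": None,  # None means: delete the value
                             "note": "cmd.exe runs this command every time it starts, including the "
                                     "cmd.exe Winlogon launched as the hijacked Shell"})
    return findings


def build_reg(findings):
    """Emit a .reg file restoring defaults; expected=None becomes a value deletion ("name"=-)."""
    by_key = {}
    for f in findings:
        by_key.setdefault(f["key"], []).append(f)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, items in by_key.items():
        out.append(f"[{key}]")
        for f in items:
            if f["expected"] is None:
                out.append(f'"{f["value"]}"=-')
            else:
                out.append(f'"{f["value"]}"=dword:{f["expected"]:08x}')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = assess(parse_hj(SAMPLE_RK_LINES))
    for f in found:
        print(f"{f['key']}\\{f['value']}: {f['current']!r} -> {f['note']}")
    print(build_reg(found))
```

Save the emitted text as, say, uac-restore.reg and import it from an elevated prompt with `reg import uac-restore.reg`, then reboot for the UAC values to take effect. Deleting the AutoRun value and re-enabling UAC is what RogueKiller's Delete button does for these entries; the point of generating the .reg yourself is that you can read exactly what will change before it changes.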

Vrinsk

New Member
Thread author
May 27, 2013
14
ADWCLEANER. Logfile popped up in a Notepad file upon restart>

# AdwCleaner v2.301 - Logfile created 05/27/2013 at 22:13:07
# Updated 16/05/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : BIGBADPC - BIGBADPC-HP
# Boot Mode : Normal
# Running from : C:\Users\BIGBADPC\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Users\BIGBADPC\AppData\Local\funmoods-speeddial.crx
File Deleted : C:\Users\Public\Desktop\eBay.lnk

***** [Registry] *****

Key Deleted : HKCU\Software\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{CA17D76B-F91D-4659-A7FD-A9F7ED375CDD}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mkndcbhcgphcfkkddanakjiepeknbgle
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CA17D76B-F91D-4659-A7FD-A9F7ED375CDD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{3C5F0F00-683D-4847-89C8-E7AF64FD1CFB}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16483

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzutAtN2Y1L1Qzu0EtDyCzyzyyDyD0B0ByBzy0F0F0BtDyCtN0D0TzutBtDtCtBtDyDtAtD&cr=1391502670 --> hxxp://www.google.com

-\\ Google Chrome v26.0.1410.64

File : C:\Users\BIGBADPC\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [4979 octets] - [27/05/2013 22:13:07]

########## EOF - C:\AdwCleaner[S1].txt - [5039 octets] ##########
 

Fiery

Level 1
Jan 11, 2011
2,007
Looking good. Did you click delete in RogueKiller after the scan? That will get rid of the error messages at startup. How is your PC now? After the OTL scan, do the following. I'm heading off to bed now :)

Please download Malwarebytes' Anti-Malware from here to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trial, click decline
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advanced Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 

Vrinsk

New Member
Thread author
May 27, 2013
14
Attached are otl.txt and extras.txt :huh:
 

Attachments: OTL.Txt (108.8 KB), Extras.Txt (94.7 KB)

Fiery

Level 1
Jan 11, 2011
2,007
Acknowledged :) I won't be able to reply until tomorrow as I have work and am heading off to bed. I'll look at the OTL logs tomorrow but in the meantime, do the scans with Malwarebytes and ESET.
 

Vrinsk

New Member
Thread author
May 27, 2013
14
Sounds good Fiery! Thank you VERY much for your help so far.

I went back in with Rogue and deleted the files.

I will do those next scans tomorrow. Thanks again!
 

Vrinsk

New Member
Thread author
May 27, 2013
14
I did the Malwarebytes scan, and it found nothing :D

Here is the log>

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.28.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
BIGBADPC :: BIGBADPC-HP [administrator]

5/28/2013 8:47:08 AM
mbam-log-2013-05-28 (08-47-08).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243785
Time elapsed: 5 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

Vrinsk

New Member
Thread author
May 27, 2013
14
ESET online virus scan found this:

C:\FRST\Quarantine\4b8f7c9a.exe Win32/TrojanDownloader.Moure.L trojan
C:\FRST\Quarantine\4odje.bat Win32/Reveton.M trojan
C:\FRST\Quarantine\ejdo4.dat a variant of Win32/Kryptik.BBZX trojan
C:\Users\BIGBADPC\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\284fe7c4-50fb9ebf a variant of Win32/Kryptik.BBZX trojan
E:\My Pictures\OLD\Morro\MONA.EXE Joke.Mona.A application

Regarding the last one mona.exe : As far as I remember this is some kind of a goofy humour program I received many years ago. I cannot open it with Windows 7 though, so we might as well delete it. But to my knowledge it is not a virus program.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Most of what ESET found was already quarantined. The trojan is an exploit, since you have an outdated Java version.

Open OTL. Under custom scan/fixes, copy and paste the following:

:Files
C:\Users\BIGBADPC\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\284fe7c4-50fb9ebf
E:\My Pictures\OLD\Morro\MONA.EXE


:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

How is your PC running? Everything fine?
 

Vrinsk

New Member
Thread author
May 27, 2013
14
Good eve, Fiery!

PC is running great, but have not used it much in case the trojan was still present.

That last trojan, will it disappear when Java is updated? I got an error message yesterday when I tried to update it. Now there is no java icon in lower right corner.

Here is the latest logfile.

Files\Folders moved on Reboot...
C:\Users\BIGBADPC\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\BIGBADPC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
File\Folder C:\Users\BIGBADPC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SB0RZZY2\planting[1].htm not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 

Fiery

Level 1
Jan 11, 2011
2,007
All your logs indicate that the trojan is gone!

Regarding Java, follow the steps below to completely remove it and reinstall it. This way, it will be updated and older versions are deleted.

If you are no longer experiencing any other issues, your PC is now clean!

Double click on OTL to run it
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
  • This will remove itself and other tools we may have used.

Also, open adwCleaner and click Uninstall




Now that your PC is clean, I recommend you to create a new System Restore point then purge the old ones after.

For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link




Keep your system updated
Delete older Java version from your computer by downloading JavaRa
  • Run JavaRa.exe, then click Remove JRE.
  • Let the tool run
  • Once it finishes, close JavaRa

Currently, the following programs on your PC are outdated:
  • Java - Update Java here
Keeping your programs (especially Adobe and Java products) updated is essential. Outdated programs make your PC more vulnerable to future malware threats. To help you:
  • Download and install Update Checker. It will notify you if any of your programs require an update.
  • Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
  • Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here


I also recommend you to switch your antivirus program to a better one. Here are some suggestions:

In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker. However, adding one of these programs may slow down performance. It is for you to decide the trade off between more security and a faster PC.


Other steps that you may want to do to further protect your system/files:
  • Sandboxie - "Quarantines" your browser so anything that you do in it will be isolated from your system.
  • Backup important files regularly to an external hard-drive or USB

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

Should you want to try a product but don't know how it performs, here is a list of current reviews to help you decide.


Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with addition add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains fewer vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.
  • KeyScrambler - Encrypts your keystrokes to protect you against keyloggers that steal personal & banking information
  • AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
  • NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
  • Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.


Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask :)

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
 
