United States Department of Justice virus

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.


What device are you using to post on this forum? Is there a friend or family member who has a PC you can access so you can burn a bootable CD with diagnostic and virus removal tools to? Are you sure the disc you were using is a bootable copy of Windows?

Also, do you have Recovery Console installed on the machine?
 

Gamtu

New Member
Thread author
Feb 9, 2013
10
I'm using a PC. The issue is with my father's computer. He lives 1400 miles from me.

Yes, there is a laptop computer available that can burn CDs.

I'm not 100% positive that the Windows XP Home Edition CD was a bootable CD. The CD was provided by Gateway with the machine.

Recovery Console is installed.
 

Fiery

Level 1
Jan 11, 2011
2,007
That's going to be a challenge. If somehow you can relay this information to your father and instruct him to do the following, then we can start fixing it.


  • Download OTLPE to your desktop
  • Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
    While in OTLPE, double click the OTLPE icon.
    • Select the Windows folder of the infected drive if it asks for a location.
    • When asked Do you wish to load the remote registry, select Yes.
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes.
    • Ensure the box Automatically Load All Remaining Users is checked and press OK.
    • OTL should now start
    • Check the boxes beside LOP Check and Purity Check
    • Press the Run Scan button
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to a USB drive if you do not have internet connection on the system.
    • Please attach the content of OTL.txt in your next reply.
 

Gamtu

New Member
Thread author
Feb 9, 2013
10
I've attached a copy of the OTL.txt
 

Attachments

  • OTL.txt
    59.5 KB · Views: 127

Gamtu

New Member
Thread author
Feb 9, 2013
10
I'll be attempting to bring my father's wife into this conversation. With luck she'll be able to post replies with her progress on this. I don't know yet what screen name she'll choose; however, at the time I'll identify her if necessary.
 

Fiery

Level 1
Jan 11, 2011
2,007
Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
[2012/10/01 09:01:48 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\lsass.exe
[2013/02/07 09:14:03 | 000,058,696 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\ifgxpers.exe
[2013/02/07 09:44:34 | 002,250,054 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/02/07 09:44:20 | 000,350,795 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.jpg

:Files
C:\Documents and Settings\All Users\Application Data\taborca.pad
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Post the log afterwards. Then, if your parents have a USB drive:

Download Farbar Recovery Scan Tool from the below link:
  • For x32 (x86) bit systems download Farbar Recovery Scan Tool (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to a flash drive.
  • For x64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a flash drive.

Also download List Parts

  • Plug the flash drive into the infected PC.

In the Reatogo Desktop (using the bootable CD we made earlier), click Start > Computer. Navigate to the USB drive.
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  • Next click List Parts and then click Scan
    It will make a log Results.txt on the flash drive. Please copy and paste it to your reply.
 

Gamtu

New Member
Thread author
Feb 9, 2013
10
The Run Fix OTL log has been lost. I assume it's on the computer but can't be located. I asked her to search for OTL.txt and she's gotten dozens of results, so we don't know which one it is that you need to see, or if they're all the same. They all have the same modified time stamp.

Have attached these:

FRST.txt

and

Result.txt

The computer boots into Windows XP Home Edition now with no sign of the virus being active.
 

Attachments

  • FRST.txt
    18.1 KB · Views: 141
  • Result.txt
    1.7 KB · Views: 113

Fiery

Level 1
Jan 11, 2011
2,007
OK, the log should be in C:\OTL, named similar to 02102013_******.txt where the ****** is the time you ran the fix {hh:mm:ss}. If you can't find the log, do another OTL scan after completing the fix below.

Open notepad and copy & paste the following:

start
2013-02-07 09:14 - 2013-02-07 09:13 - 00058696 ____A (Microsoft Corporation) C:\Documents and Settings\All Users\Application Data\ifgxpers.exe
2013-02-07 09:44 - 2013-02-07 09:44 - 02250054 ____A C:\Documents and Settings\All Users\Application Data\1.bmp
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!
end

and save it as fixlist.txt onto your flash drive.

Then, in the Reatogo Desktop, plug in your flash drive, open FRST and click fix. Post the generated log.
 
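The OTL fix earlier in the thread removed the loose files under All Users\Application Data, reset the hosts file and pushed DNS settings, and the FRST fixlist above repairs the exefile association keys that the locker hijacks so it runs before every .exe. The script below is an added example, not code from the thread, from OTL or from FRST: it is a read-only check to run in an elevated PowerShell (2.0 or later; on XP it has to be installed separately) once the machine boots normally, confirming that those artifacts are actually gone. The registry keys, expected values and folder paths are the stock Windows defaults and are assumptions about the target, not values taken from the victim's logs.

```powershell
# Added example: read-only post-remediation checks for the artifacts the OTL and
# FRST fixes above targeted. Nothing here modifies the system. Expected values
# and paths are stock Windows defaults (assumed), not taken from the victim's logs.

$problems = 0

# 1. exefile association hijack. FRST flagged HKLM\...\.exe, exefile\DefaultIcon
#    and exefile\open\command; on a clean install they hold the values listed here.
$expected = @(
    @{ Key = 'HKLM:\SOFTWARE\Classes\.exe';                       Value = 'exefile' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\exefile\DefaultIcon';        Value = '%1' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Value = '"%1" %*' }
)
foreach ($e in $expected) {
    $item   = Get-Item -Path $e.Key -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.GetValue('') } else { '<missing>' }   # '' = (Default) value
    if ($actual -ne $e.Value) {
        $problems++
        Write-Output ("BAD  {0} = {1}  (expected {2})" -f $e.Key, $actual, $e.Value)
    } else {
        Write-Output ("OK   {0}" -f $e.Key)
    }
}
# A per-user override shadows the HKLM key for that account. It does not exist on a
# stock install, so its mere presence deserves a look.
if (Test-Path 'HKCU:\Software\Classes\.exe') {
    $problems++
    Write-Output 'BAD  HKCU:\Software\Classes\.exe exists (per-user .exe override)'
}

# 2. hosts file: after [RESETHOSTS] only comments and the localhost lines should remain.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$extra = @(Get-Content -Path $hostsPath | Where-Object {
    $_ -match '\S' -and
    $_ -notmatch '^\s*#' -and
    $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
})
if ($extra.Count -gt 0) {
    $problems += $extra.Count
    $extra | ForEach-Object { Write-Output ("BAD  hosts: {0}" -f $_) }
} else {
    Write-Output 'OK   hosts file has only default entries'
}

# 3. Loose files in the root of the shared application-data folder (All Users\
#    Application Data on XP, ProgramData on later Windows; resolved per OS). The logs
#    above showed the locker's lsass.exe, ifgxpers.exe and taborca.pad there. The
#    root is meant for application subfolders, so each file found is listed with its
#    Authenticode status for manual review: a "Microsoft Corporation" version string
#    on an unsigned file in this location is not reassuring.
$dataDir = [Environment]::GetFolderPath('CommonApplicationData')
$loose = @(Get-ChildItem -Path $dataDir -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer })
foreach ($f in $loose) {
    $problems++
    $sig = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
    Write-Output ("BAD  {0}  {1} bytes  created {2:yyyy-MM-dd HH:mm}  signature={3}" -f $f.FullName, $f.Length, $f.CreationTime, $sig)
}
if ($loose.Count -eq 0) { Write-Output ("OK   no loose files in {0}" -f $dataDir) }

# 4. DNS servers per adapter, to compare with what the ISP or router should hand out
#    (the O17 line in the OTL fix was this setting).
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Write-Output ("INFO DNS on {0}: {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', '))
    }

Write-Output ("{0} item(s) need attention" -f $problems)
```

Run it before and after the fix to see the BAD lines disappear; a remaining BAD on the exefile keys means the association is still hijacked and double-clicking any program will re-launch the locker, which is why the fixlist is applied from the boot CD rather than from inside the infected Windows.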

Gamtu

New Member
Thread author
Feb 9, 2013
10
This is what she told me. Does this mean the infection is likely gone?

I ran the OTL scan with no custom information where it says Custom Scan/Fix. It went through quickly.
 

Fiery

Level 1
Jan 11, 2011
2,007
Most likely there are still some leftovers. I think she pressed "Run Fix"; that's why it ran quickly. Ask her to press "Run Scan" and post the log after.
 

Fiery

Level 1
Jan 11, 2011
2,007
OK, try rebooting the computer to normal mode now. (Remember to pull the OTLPE disc and set the boot option to boot from the hard drive.)
 

Fiery

Level 1
Jan 11, 2011
2,007
Just letting you know, if you are able to boot up normally, that doesn't mean the computer is clean yet, we still have some work to do.
 

Gamtu

New Member
Thread author
Feb 9, 2013
10
Hello again. Just wanted to let you know the PC seems to be working OK (or at least normally) now. You say there is more work to do?
 

Fiery

Level 1
Jan 11, 2011
2,007
Yes, we need to do a few more scans before we can say your PC is clean.

Follow the instructions in this post to download and run a scan with Malwarebytes

http://malwaretips.com/Thread-Babylon-removal?pid=100208#pid100208
 

Gamtu

New Member
Thread author
Feb 9, 2013
10
Attached are the results from the Malwarebytes scan.
 

Attachments

  • mbam-log-2013-02-18 (11-56-17).txt
    2.1 KB · Views: 105

Fiery

Level 1
Jan 11, 2011
2,007
OK, nothing serious there. One last scan and we will clean up, and I'll give you some suggestions on how to protect the PC better.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is unchecked, and the following Advanced Settings are checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 
