FBI Blocked Computer Virus - Please Help!



My friend called and told me she thought she was in trouble with the FBI because they had blocked her computer and were requesting $300 before it could be unblocked. It sounded a little fishy to me, so I came over to check it out. Sure enough, the screen was blocked. I couldn't do anything with it. As soon as I turned it on, a screen popped up stating that the FBI had blocked this computer. I must say, the hackers have done a great job with making it look legit with their page all decorated with official looking emblems and such. After some research I found out it was indeed a virus and it could be fixed. She only had one profile on her computer, so I looked online and found out how to put the computer into command prompt mode and made another profile that isn't infected, so I am using her laptop now. This is as far as I can get on my own. I need to know how to eradicate this virus. I ran a scan from another site, but they charge to fix anything it finds. Can anyone please help me?


Hi rednek_gurl80,

Welcome to the pit!

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).



Malwarebytes Anti-Malware (Trial)

Database version: v2013.04.02.11

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
removevirus :: OWNER-PC [limited]

Protection: Enabled

4/2/2013 12:31:48 PM
mbam-log-2013-04-02 (12-31-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 234362
Time elapsed: 7 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Owner\AppData\Roaming\skype.dat (Trojan.Ransom.SKY) -> Quarantined and deleted successfully.
C:\Users\Owner\fsfhgdgalip.exe (Trojan.Ransom.SKY) -> Quarantined and deleted successfully.



Hopefully that got it... but I'd like to dig a little deeper to make sure.


Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link -->
  • Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



Tomk_, although MBAM and other utilities can remove this and similar ransomwares, System Restore can revert the computer to a date prior to the invasion. I believe this is the first repair method that should be used, for fairly obvious reasons. My own practise is to select a restore point created two days before the problem occurred.

Edited by TomGL2

This apparently isn't obvious to me. Why is this a better method?


The most obvious reason for using System Restore first is that it's included with Windows and immediately available. This brings the secondary advantages that the entire download / install / update / scan phase is avoided — and downloading by an infected system can be difficult or impossible.


Since System Restore does not scan for problems, but performs a wholesale replacement of the Registry, there is no possibility of unrecognized infection vectors remaining. Nor is there a risk of false positives and the resultant removal of valid files.

Edited by TomGL2

That is a valid analysis... but also consider that many of the variants of this infection disable system restore, some variants lay dormant for a period of time (I've seen up to 10 days), and that tools like Mbam are very selective and its actions can be reversed. I do not agree that there is anything wrong with my approach. Frankly, I've seen too many logs where the OP uses system restore back a couple days... all seems well for a couple days, and then they are back reinfected. I haven't had that happen with the approach I've taken on this thread.


That is not to say that restoring to a previous point has not and will not be successful in the majority of the cases.


My personal opinion is disable system restore all together. It has been my experience that it often gets infected or already made restore points that were infected and it often just restores the malware.


Needless to say I would follow TomK_'s advice; the tools he mentioned work. System restore is hit or miss and most often is a "miss" ;)


Pasting is a little tricky on this forum. You have to be careful where you click. If you click in front of, or below, the cursor... you won't get the paste option. You have to click right behind (to the right of) the cursor.

Alternatively, you can hold the Ctrl key and press the V key to paste.



ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here: http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here: http://www.eset.com/onlinescan/ then click on the button shown in the screenshot.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on the button shown in the screenshot.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on the button shown in the screenshot.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on the button shown in the screenshot.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=
# api_version=3.0.2
# EOSSerial=bb2890bd0b6116488d9b2b88293a9b14
# engine=13597
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-04-11 02:26:33
# local_time=2013-04-11 09:26:33 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 712469 117235184 0 0
# scanned=90453
# found=2
# cleaned=0
# scan_time=2336
sh=A7B4578A01C7E0F41ADE31194AA67FD2F37CFE4F ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\112e22b0-4d719afc"
sh=10C624B66780DAE2B23C7BA379949A8772826B1B ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.NRA trojan" ac=I fn="C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\1fde1475-420596cc"



  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Also please let me know how things seem to be running now.




I'd like to see one more log.


This is a quick one.


Please download Farbar Service Scanner and run it by double clicking.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Farbar Service Scanner Version: 14-04-2013
Ran by Owner (administrator) on 15-04-2013 at 08:11:30
Running from "C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F9V4RYTQ"
Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

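As an added example (not from this thread and not part of Farbar's tool): a small Python triage of an FSS-style log that flags what a helper reads the report above for, namely a protection service that is stopped, a start type changed from its default, a redirected ImagePath or ServiceDll, a "Disabled Policy" registry value, and a system file whose MD5 the scanner did not recognise. The sample log is constructed to mirror the values in the posted log; the section and message formats are assumed from that log.

```python
import re

# Constructed sample laid out the way Farbar Service Scanner writes FSS.txt;
# values mirror the thread's log (WinDefend stopped, start type Demand,
# DisableAntiSpyware policy set) but this is not a verbatim copy of it.
SAMPLE_FSS_LOG = r"""Farbar Service Scanner Version: 14-04-2013
Ran by Owner (administrator) on 15-04-2013 at 08:11:30
Windows 7 Home Premium Service Pack 1 (X86)
****************************************************************

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\system32\wscsvc.dll => MD5 is legit

**** End of log ****
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+):$")          # e.g. "Windows Defender:"
RULER_RE = re.compile(r"^=+$")                      # the ===== line under a header
NOT_RUNNING_RE = re.compile(r"^(\w+) Service is not running\.")
START_TYPE_RE = re.compile(
    r"^The start type of (\w+) service is set to (\w+)\. The default start type is (\w+)\.")
TAMPERED_RE = re.compile(r"^The (ImagePath|ServiceDll) of (\w+) service is (.+)\.$")
POLICY_RE = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')  # e.g. "DisableAntiSpyware"=DWORD:1
MD5_RE = re.compile(r"^(.+?) => MD5 is (.+)$")

def parse_sections(text):
    """Split an FSS log into {section name: [non-empty body lines]}."""
    sections, current = {}, None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        hdr = HEADER_RE.match(line)
        if hdr and i + 1 < len(lines) and RULER_RE.match(lines[i + 1]):
            current = hdr.group(1)
            sections[current] = []
        elif line and current and not RULER_RE.match(line) and not line.startswith("****"):
            sections[current].append(line)
    return sections

def triage(text):
    """Return (severity, message) leads for a helper to follow up, not verdicts:
    e.g. Windows Defender is off by design once Microsoft Security Essentials is installed."""
    findings = []
    for name, body in parse_sections(text).items():
        for line in body:
            if m := NOT_RUNNING_RE.match(line):
                findings.append(("warn", f"{m[1]} service is not running"))
            elif m := START_TYPE_RE.match(line):
                if m[2] != m[3]:
                    findings.append(("warn", f"{m[1]} start type is {m[2]}, default is {m[3]}"))
            elif m := TAMPERED_RE.match(line):
                if m[3] != "OK":  # a redirected ImagePath/ServiceDll is a classic service hijack
                    findings.append(("high", f"{m[2]} {m[1]} is {m[3]}"))
            elif (m := POLICY_RE.match(line)) and "Disabled Policy" in name:
                if int(m[2]) != 0:  # a policy value that switches a protection off
                    findings.append(("high", f"{name}: {m[1]}={m[2]}"))
            elif m := MD5_RE.match(line):
                if m[2] != "legit":  # FSS compares core system files against known hashes
                    findings.append(("high", f"{m[1]}: MD5 {m[2]}"))
    return findings

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_FSS_LOG):
        print(f"[{severity}] {message}")
```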

That all looks fine.


A little housekeeping and she should be good to go.


Log looks good :D

Time for some housekeeping

  • Click START then RUN
  • Now type ComboFix /Uninstall in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.

The above procedure will:

  • Implement some cleanup procedures.
  • Reset System Restore.



Now to remove most of the tools that we have used in fixing your machine:

  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it.
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.



Any tools or logs left over can just be deleted.

Please re-enable any security that was disabled.


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed as Resolved.


