32 replies to this topic

[Frontier]

Screen is locked to subject page (topic).  Cannot remove page, reappears on every normal mode start-up.  Similar scenario described for the FBI virus asking for MoneyPak.   Pop up keeps asking if I want to allow registry changes. Have indicated no to registry changes.  Currently running via safe mode with networking.  Per site instructions I have downloaded and run OTL.  Reports are ready to transmit when instructed.  Infected computer is Lenovo Thinkpad 420, Win 7 Pro x64, Norton 360.  Not too smart at this, so hoping you can share some of your expertise and gentle guidance.  Warren

[jeffce]

Hi and Welcome!!   

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

• The fixes are specific to your problem and should only be used for the issues on this machine.
• It's often worth reading through these instructions and printing them for ease of reference.
• If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
• Please reply to this thread. Do not start a new topic.
• If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
• Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

Having said that....      Let's get going!!  
----------
 
What we need to do is work outside of the Windows environment to really get a look at this thing.  We will do this by using the tool below.  Please follow the instructions carefully and post the log when you get it. 
 
FRST

Download the 64 bit version for your system of FRST and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

• • 
    
  • Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64)  and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

----------

[Frontier]

Thanks Jeff.  Can't see to get the copy/paste to work. Just reinforces lack of expertise. Have attached frst.txt.

Attached Files

•  FRST.txt   20.64KB   289 downloads

[jeffce]

Hi,
 
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt
 

HKU\Default\...\RunOnce: [] - [x]
HKU\Default User\...\RunOnce: [] - [x]
Startup: C:\Users\Warren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rjtljrf.lnk
ShortcutTarget: rjtljrf.lnk -> C:\ProgramData\frjltjr.jss (Lauscha, Inc)
2013-12-12 09:13 - 2013-12-12 09:14 - 00000279 _____ C:\ProgramData\rjtljrf.reg
2013-12-11 21:11 - 2013-12-11 21:11 - 00061536 ____T (Microsoft Corporation) C:\ProgramData\rjtljrf.zvv
2013-12-11 21:09 - 2013-12-12 09:14 - 95025368 ____T C:\ProgramData\rjtljrf.fee
2013-12-11 21:09 - 2013-12-12 09:13 - 00000000 _____ C:\ProgramData\rjtljrf.odd
2013-12-11 21:09 - 2013-12-11 21:09 - 00194048 _____ (Lauscha, Inc) C:\ProgramData\frjltjr.jss
2013-12-12 09:14 - 2013-12-12 09:13 - 00000279 _____ C:\ProgramData\rjtljrf.reg
2013-12-12 09:14 - 2013-12-11 21:09 - 95025368 ____T C:\ProgramData\rjtljrf.fee
2013-12-12 09:13 - 2013-12-11 21:09 - 00000000 _____ C:\ProgramData\rjtljrf.odd
2013-12-11 21:11 - 2013-12-11 21:11 - 00061536 ____T (Microsoft Corporation) C:\ProgramData\rjtljrf.zvv
2013-12-11 21:09 - 2013-12-11 21:09 - 00194048 _____ (Lauscha, Inc) C:\ProgramData\frjltjr.jss
C:\ProgramData\rjtljrf.reg
C:\Users\Warren\AppData\Local\Temp\~tmf1549958272644245252.dll

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Windows 7: Now please enter System Recovery Options.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
----------
 
Post the new log that is made and see if you are able to access your system now. 

[Frontier]

Command prompt?  Is this where I need to be with the following = "x:\sources\recovery>g:\FRST/FRST64.exe" ??????

[jeffce]

Remember how you ran the scan with FRST earlier with downloading it to a thumbdrive and then running FRST from there?  Place the fixlist.txt on the thumbdrive as well and then do just what you did before when you did the scan, but this time press the Fix button. 

[Frontier]

Jeff.  For some reason I can't get the paste function to work on the reply.  It copies to the my clipboard ok, but will not load up into the reply page.  So another attachment.  Restarted Win 7 in normal mode and my desktop is visible.  Still on hold for your further instructions.  Just like Rolaids!

Attached Files

•  Fixlog.txt   2.53KB   294 downloads

[jeffce]

Hi,
 

For some reason I can't get the paste function to work on the reply.

LOL!!  Ok so it is just not me?  I was getting worried myself.  No need to copy/paste the logs.  You can attach them just like you have been doing.
 
Glad to see that you got back into your system. 
 
ComboFix

Download Combofix from either of the links below, and save it to your desktop.  
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt for further review.

[Frontier]

Alright.  disabled firewall and norton.  Right clicked link 1 and it automatically saved combofix to downloads.  Do you want me to remove it or can I try to send to desktop?

[Frontier]

Jeff,

 

I moved the combofix file from downloads to desktop.  Will run and send followup.  Warren

[Frontier]

Started Combofix.  Get a message that real time scanner is active:  antispyware:  Norton 360 Premier.  That's odd because I right clicked the Norton icon and disabled  the smart firewall and antivirus auto-protect for the 5 hour period???????????  Backing out of the combofix until I hear from you.

[Frontier]

Doesn't appear I can back out.....Clicked the red x to close however got another notice that scanner(s) still active but combofix will continue to run....own risk.  I'm not pressing anything at this point.

[jeffce]

Just go ahead and let it run.  

[Frontier]

Jeff,

Ran ComboFix.  Log attached.  Looking good so far.  Battery charge indicator seems to be off.  I have the wifi radio off and have not enabled firewall or auto protect, as of yet.  Will be out for a few hours.  Warren

Attached Files

•  combofix.txt   30.71KB   273 downloads

[jeffce]

Great job!! 
 
  AdwCleaner

Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool
  Vista/Windows 7/8 users right-click and select Run As Administrator.
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
• Copy and paste the contents of that logfile in your next reply.
• A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

----------