Windows 7 Forums



Windows 7: FBI Locked computer scam virus

24 Feb 2013   #11
revmike

windows 7
 
 

Thanks Cottonball and everyone else for the help. I'm going to do as suggested. As for counting the days, in a way I am: she's my youngest (18) and is ready to leave the nest, whereas my son at 25 still lives at home.


24 Feb 2013   #12
M1GU31

Windows 10 64bit
 
 

I noticed the thread was solved, but another way to remove this is using Windows Defender Offline and scanning and removing from a USB stick. I removed this ransomware off my aunt's PC using this method. HitmanPro didn't help in this situation for me.

It has a download link for 32- and 64-bit and talks to you about the program and how to use it:
http://blogs.technet.com/b/security/...r-offline.aspx
25 Feb 2013   #13
revmike

windows 7
 
 

Cottonball,
For some reason the computer would not boot from the flash drive, so I just installed HitmanPro and ran the scan. It found and removed the ransomware. I then used RogueKiller and it produced the following report.

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : sydni [Admin rights]
Mode : Scan -- Date : 02/25/2013 10:43:37
| ARK || FAK || MBR |
Bad processes : 0
Registry Entries : 6
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : Microsoft Games (rundll32.exe "C:\Users\sydni\AppData\Local\Microsoft Help\Microsoft Games\afqxk.dll",DllRegisterServer) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : Adobe (rundll32.exe "C:\Users\sydni\AppData\Local\AOL\Adobe\ymkqqtz.dll",CreateInstance) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : AOL (rundll32.exe "C:\Users\sydni\AppData\Local\assembly\AOL\nyshiwys.dll",winampGetInModule2W) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : WeatherBug (rundll32.exe "C:\Users\sydni\AppData\Local\Yahoo\WeatherBug\jloebxo.dll",svn_lock_createW) [x] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
Particular Files / Folders:
Driver : [LOADED]
SSDT[13] : NtAlertResumeThread @ 0x824E1591 -> HOOKED (Unknown @ 0x89475068)
SSDT[14] : NtAlertThread @ 0x8245A1F5 -> HOOKED (Unknown @ 0x895D9118)
SSDT[18] : NtAllocateVirtualMemory @ 0x8249647D -> HOOKED (Unknown @ 0x897117D8)
SSDT[21] : NtAlpcConnectPort @ 0x82438824 -> HOOKED (Unknown @ 0x88B1F7B0)
SSDT[42] : NtAssignProcessToJobObject @ 0x8240BB08 -> HOOKED (Unknown @ 0x8956F110)
SSDT[67] : NtCreateMutant @ 0x8246E7A2 -> HOOKED (Unknown @ 0x897125B8)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x8240E31F -> HOOKED (Unknown @ 0x89714998)
SSDT[78] : NtCreateThread @ 0x824DFBA4 -> HOOKED (Unknown @ 0x89711C68)
SSDT[116] : NtDebugActiveProcess @ 0x824B2CA0 -> HOOKED (Unknown @ 0x89656120)
SSDT[129] : NtDuplicateObject @ 0x824464E1 -> HOOKED (Unknown @ 0x89711970)
SSDT[147] : NtFreeVirtualMemory @ 0x822D2F1D -> HOOKED (Unknown @ 0x89712F00)
SSDT[156] : NtImpersonateAnonymousToken @ 0x82408F15 -> HOOKED (Unknown @ 0x895C1388)
SSDT[158] : NtImpersonateThread @ 0x8241E50F -> HOOKED (Unknown @ 0x8947C2F0)
SSDT[165] : NtLoadDriver @ 0x823B9DEE -> HOOKED (Unknown @ 0x88B1F738)
SSDT[177] : NtMapViewOfSection @ 0x8245E83A -> HOOKED (Unknown @ 0x89712DE0)
SSDT[184] : NtOpenEvent @ 0x82447D5F -> HOOKED (Unknown @ 0x89366108)
SSDT[194] : NtOpenProcess @ 0x8246EF3E -> HOOKED (Unknown @ 0x89711B10)
SSDT[195] : NtOpenProcessToken @ 0x8244F9C0 -> HOOKED (Unknown @ 0x89562DA8)
SSDT[197] : NtOpenSection @ 0x8245F60D -> HOOKED (Unknown @ 0x895A4120)
SSDT[201] : NtOpenThread @ 0x8246A48F -> HOOKED (Unknown @ 0x89711A40)
SSDT[210] : NtProtectVirtualMemory @ 0x82468272 -> HOOKED (Unknown @ 0x89714B88)
SSDT[282] : NtResumeThread @ 0x82469ADA -> HOOKED (Unknown @ 0x8947E068)
SSDT[289] : NtSetContextThread @ 0x824E103F -> HOOKED (Unknown @ 0x89355118)
SSDT[305] : NtSetInformationProcess @ 0x82462868 -> HOOKED (Unknown @ 0x89712C08)
SSDT[317] : NtSetSystemInformation @ 0x82434E9B -> HOOKED (Unknown @ 0x895B6120)
SSDT[330] : NtSuspendProcess @ 0x824E14CB -> HOOKED (Unknown @ 0x895A2118)
SSDT[331] : NtSuspendThread @ 0x823E8921 -> HOOKED (Unknown @ 0x8947B110)
SSDT[334] : NtTerminateProcess @ 0x8243F0D3 -> HOOKED (Unknown @ 0x88D56DA8)
SSDT[335] : NtTerminateThread @ 0x8246A4C4 -> HOOKED (Unknown @ 0x8936A110)
SSDT[348] : NtUnmapViewOfSection @ 0x8245EAFD -> HOOKED (Unknown @ 0x89561DA8)
SSDT[358] : NtWriteVirtualMemory @ 0x8245B8CD -> HOOKED (Unknown @ 0x89711680)
SSDT[382] : NtCreateThreadEx @ 0x82469F79 -> HOOKED (Unknown @ 0x89714A68)
S_SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8999EE78)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8999EC28)
S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8999EB68)
S_SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8999ECE8)
S_SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8999EDA8)
S_SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x8999E8F8)
S_SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x8999EA98)
S_SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8999E9C8)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8999EF38)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x87C483E0)
_INLINE_ : NtAllocateVirtualMemory -> HOOKED (\??\C:\Windows\system32\drivers\hitmanpro37.sys @ 0xB0542566)
HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

MBR Check:
+++++ PhysicalDrive0: ST9250827AS +++++
--- User ---
[MBR] b53a47771bf5e1c78ce5a2a891eab856
[BSP] 7aa6a89907a87e66c4d8b33fd195b1e7 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 228263 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 467484672 | Size: 10208 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: Kingston DT 101 G2 USB Device +++++
--- User ---
[MBR] 6f24357292dfcf2f4126c3dad1ca9445
[BSP] b0aa0a426751b111cace3c8865469653 : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7436 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1]_S_02252013_02d1043.txt >>

Thanks again everyone
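The RogueKiller report above shows the persistence pattern this family used: Run-key values that call rundll32.exe on randomly named DLLs sitting under the user's AppData folders, inside subfolders named after real vendors. As an added example (not code from the thread or from RogueKiller), the Python script below parses those [RUN] report lines and flags the entries whose DLL lives in a user-writable profile path, which is the check a responder would want to automate when reading such a report. The ExampleUpdater entry and its C:\Program Files path are constructed for contrast; the other lines are copied from the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Report lines copied from the RogueKiller scan posted above, plus one constructed
# benign-looking entry ("ExampleUpdater", a hypothetical product) for contrast.
SAMPLE_REPORT = r"""
Registry Entries : 6
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : Microsoft Games (rundll32.exe "C:\Users\sydni\AppData\Local\Microsoft Help\Microsoft Games\afqxk.dll",DllRegisterServer) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : WeatherBug (rundll32.exe "C:\Users\sydni\AppData\Local\Yahoo\WeatherBug\jloebxo.dll",svn_lock_createW) [x] -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : ExampleUpdater (rundll32.exe "C:\Program Files\Example\updater.dll",Start) [x] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
"""

# One [RUN] finding: "[RUN][<tag>] <key> : <value name> (<command>) [x] -> <status>"
RUN_LINE = re.compile(
    r"^\[RUN\]\[(?P<tag>[^\]]*)\]\s+(?P<key>\S+)\s*:\s*(?P<name>.+?)\s+"
    r"\((?P<cmd>.*)\)\s+\[x\]\s*->\s*(?P<status>\w+)\s*$"
)
# rundll32.exe "<dll path>",<export>  (the quotes are optional)
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE
)
# Locations a standard user can write to. A Run-key DLL living here needed no
# admin rights to plant, which is why the entries in the report above stand out.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\",
    "\\users\\public\\", "\\temp\\",
)


@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    dll: Optional[str] = None
    export: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def is_user_writable(path: str) -> bool:
    """True when the path sits in a directory a non-admin user can write to."""
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def parse_run_entries(report: str) -> List[RunEntry]:
    """Extract every [RUN] line from a RogueKiller-style report."""
    entries: List[RunEntry] = []
    for line in report.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue  # not a Run-key finding (e.g. [HJ DESK], MBR or SSDT lines)
        entry = RunEntry(key=m["key"], name=m["name"], command=m["cmd"])
        r = RUNDLL.search(entry.command)
        if r:
            entry.dll, entry.export = r["dll"], r["export"]
        entries.append(entry)
    return entries


def triage(entries: List[RunEntry]) -> List[RunEntry]:
    """Return the entries worth a closer look, with the reason recorded on each."""
    flagged: List[RunEntry] = []
    for e in entries:
        reasons: List[str] = []
        if e.dll is not None and is_user_writable(e.dll):
            reasons.append("rundll32 loads a DLL from a user-writable profile path")
        e.reasons = reasons
        if reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(parse_run_entries(SAMPLE_REPORT)):
        print(f"{e.key} : {e.name}")
        print(f"    dll    = {e.dll}")
        print(f"    export = {e.export}")
        for why in e.reasons:
            print(f"    why    = {why}")
```

Run it as-is and it reports only the two AppData-hosted DLLs; the constructed Program Files entry passes. The same parser can be pointed at a saved RKreport text file instead of the embedded sample, and the export name it records (DllRegisterServer, svn_lock_createW) is worth keeping in the notes, since it identifies which entry point rundll32 was told to call.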

26 Feb 2013   #14
cottonball

Windows 7 Home Premium
 
 

As long as the ransomware is gone, we're good.

Please run RogueKiller again.

Click the Registry tab.
Make sure the entries there are checked.

Then, press the [Delete] button.

Please post the new RKreport (Mode: Delete) in your reply.
(The RKreport also opens using the Report button on the console.)