Windows 7: FBI Locked computer scam virus

24 Feb 2013   #11
revmike

windows 7
Thanks Cottonball and everyone else for the help. I'm going to do as suggested. As for counting the days, in a way I am: she's my youngest (18) and is ready to leave the nest, whereas my son, at 25, still lives at home.


24 Feb 2013   #12
M1GU31

Windows 10 64bit
I noticed the thread was solved, but another way to remove this is using Windows Defender Offline, scanning and removing from a USB stick. I removed this ransomware off my aunt's PC using this method. HitmanPro didn't help in this situation for me.

This page has download links for 32- and 64-bit and talks you through the program and how to use it:
http://blogs.technet.com/b/security/...r-offline.aspx
25 Feb 2013   #13
revmike

windows 7
Cottonball,
For some reason the computer would not boot from the flash drive, so I just installed HitmanPro and ran the scan. It found and removed the ransomware. I then used RogueKiller and it produced the following report.

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : sydni [Admin rights]
Mode : Scan -- Date : 02/25/2013 10:43:37
| ARK || FAK || MBR |
Bad processes : 0
Registry Entries : 6
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : Microsoft Games (rundll32.exe "C:\Users\sydni\AppData\Local\Microsoft Help\Microsoft Games\afqxk.dll",DllRegisterServer) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : Adobe (rundll32.exe "C:\Users\sydni\AppData\Local\AOL\Adobe\ymkqqtz.dll",CreateInstance) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : AOL (rundll32.exe "C:\Users\sydni\AppData\Local\assembly\AOL\nyshiwys.dll",winampGetInModule2W) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : WeatherBug (rundll32.exe "C:\Users\sydni\AppData\Local\Yahoo\WeatherBug\jloebxo.dll",svn_lock_createW) [x] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
Particular Files / Folders:
Driver : [LOADED]
SSDT[13] : NtAlertResumeThread @ 0x824E1591 -> HOOKED (Unknown @ 0x89475068)
SSDT[14] : NtAlertThread @ 0x8245A1F5 -> HOOKED (Unknown @ 0x895D9118)
SSDT[18] : NtAllocateVirtualMemory @ 0x8249647D -> HOOKED (Unknown @ 0x897117D8)
SSDT[21] : NtAlpcConnectPort @ 0x82438824 -> HOOKED (Unknown @ 0x88B1F7B0)
SSDT[42] : NtAssignProcessToJobObject @ 0x8240BB08 -> HOOKED (Unknown @ 0x8956F110)
SSDT[67] : NtCreateMutant @ 0x8246E7A2 -> HOOKED (Unknown @ 0x897125B8)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x8240E31F -> HOOKED (Unknown @ 0x89714998)
SSDT[78] : NtCreateThread @ 0x824DFBA4 -> HOOKED (Unknown @ 0x89711C68)
SSDT[116] : NtDebugActiveProcess @ 0x824B2CA0 -> HOOKED (Unknown @ 0x89656120)
SSDT[129] : NtDuplicateObject @ 0x824464E1 -> HOOKED (Unknown @ 0x89711970)
SSDT[147] : NtFreeVirtualMemory @ 0x822D2F1D -> HOOKED (Unknown @ 0x89712F00)
SSDT[156] : NtImpersonateAnonymousToken @ 0x82408F15 -> HOOKED (Unknown @ 0x895C1388)
SSDT[158] : NtImpersonateThread @ 0x8241E50F -> HOOKED (Unknown @ 0x8947C2F0)
SSDT[165] : NtLoadDriver @ 0x823B9DEE -> HOOKED (Unknown @ 0x88B1F738)
SSDT[177] : NtMapViewOfSection @ 0x8245E83A -> HOOKED (Unknown @ 0x89712DE0)
SSDT[184] : NtOpenEvent @ 0x82447D5F -> HOOKED (Unknown @ 0x89366108)
SSDT[194] : NtOpenProcess @ 0x8246EF3E -> HOOKED (Unknown @ 0x89711B10)
SSDT[195] : NtOpenProcessToken @ 0x8244F9C0 -> HOOKED (Unknown @ 0x89562DA8)
SSDT[197] : NtOpenSection @ 0x8245F60D -> HOOKED (Unknown @ 0x895A4120)
SSDT[201] : NtOpenThread @ 0x8246A48F -> HOOKED (Unknown @ 0x89711A40)
SSDT[210] : NtProtectVirtualMemory @ 0x82468272 -> HOOKED (Unknown @ 0x89714B88)
SSDT[282] : NtResumeThread @ 0x82469ADA -> HOOKED (Unknown @ 0x8947E068)
SSDT[289] : NtSetContextThread @ 0x824E103F -> HOOKED (Unknown @ 0x89355118)
SSDT[305] : NtSetInformationProcess @ 0x82462868 -> HOOKED (Unknown @ 0x89712C08)
SSDT[317] : NtSetSystemInformation @ 0x82434E9B -> HOOKED (Unknown @ 0x895B6120)
SSDT[330] : NtSuspendProcess @ 0x824E14CB -> HOOKED (Unknown @ 0x895A2118)
SSDT[331] : NtSuspendThread @ 0x823E8921 -> HOOKED (Unknown @ 0x8947B110)
SSDT[334] : NtTerminateProcess @ 0x8243F0D3 -> HOOKED (Unknown @ 0x88D56DA8)
SSDT[335] : NtTerminateThread @ 0x8246A4C4 -> HOOKED (Unknown @ 0x8936A110)
SSDT[348] : NtUnmapViewOfSection @ 0x8245EAFD -> HOOKED (Unknown @ 0x89561DA8)
SSDT[358] : NtWriteVirtualMemory @ 0x8245B8CD -> HOOKED (Unknown @ 0x89711680)
SSDT[382] : NtCreateThreadEx @ 0x82469F79 -> HOOKED (Unknown @ 0x89714A68)
S_SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8999EE78)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8999EC28)
S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8999EB68)
S_SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8999ECE8)
S_SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8999EDA8)
S_SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x8999E8F8)
S_SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x8999EA98)
S_SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8999E9C8)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8999EF38)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x87C483E0)
_INLINE_ : NtAllocateVirtualMemory -> HOOKED (\??\C:\Windows\system32\drivers\hitmanpro37.sys @ 0xB0542566)
HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

MBR Check:
+++++ PhysicalDrive0: ST9250827AS +++++
--- User ---
[MBR] b53a47771bf5e1c78ce5a2a891eab856
[BSP] 7aa6a89907a87e66c4d8b33fd195b1e7 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 228263 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 467484672 | Size: 10208 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: Kingston DT 101 G2 USB Device +++++
--- User ---
[MBR] 6f24357292dfcf2f4126c3dad1ca9445
[BSP] b0aa0a426751b111cace3c8865469653 : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7436 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1]_S_02252013_02d1043.txt >>
RKreport[1]_S_02252013_02d1043.txt

Thanks again everyone
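The four [RUN][SUSP PATH] entries in the report above are the persistence the ransomware left behind: rundll32.exe loading a randomly named DLL from a user-writable AppData folder under a vendor-sounding display name. The following Python script is an added example, not part of this thread and not code from RogueKiller or HitmanPro. It parses those report lines and applies three simple triage checks (the scanner's own tag, a DLL path under a user-writable directory, and a display name that does not match the DLL file name). The four flagged lines in SAMPLE_REPORT are copied from the report; the final Shell32 entry is a constructed benign control that does not appear in the report, and the line format the regex expects is an assumption taken from these lines only.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input, constructed for this example: the four [RUN][SUSP PATH] lines are
# copied from the RogueKiller report posted in the thread; the last [RUN] line is a
# constructed benign control entry and does not appear in that report.
SAMPLE_REPORT = r"""Registry Entries : 6
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : Microsoft Games (rundll32.exe "C:\Users\sydni\AppData\Local\Microsoft Help\Microsoft Games\afqxk.dll",DllRegisterServer) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : Adobe (rundll32.exe "C:\Users\sydni\AppData\Local\AOL\Adobe\ymkqqtz.dll",CreateInstance) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : AOL (rundll32.exe "C:\Users\sydni\AppData\Local\assembly\AOL\nyshiwys.dll",winampGetInModule2W) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : WeatherBug (rundll32.exe "C:\Users\sydni\AppData\Local\Yahoo\WeatherBug\jloebxo.dll",svn_lock_createW) [x] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[RUN] HKLM\[...]\Run : Shell32 (rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL) -> FOUND
"""

# Line shape assumed from the report lines above (an assumption about RogueKiller's format):
# [RUN][<tag>] <registry key> : <display name> (<command>) [x] -> FOUND
RUN_LINE = re.compile(
    r'^\[RUN\](?:\[(?P<tag>[^\]]+)\])?\s+(?P<key>\S+)\s+:\s+(?P<name>.+?)\s+'
    r'\((?P<cmd>.*)\)\s+(?:\[x\]\s+)?->\s+(?P<status>\w+)\s*$'
)
# rundll32 "<dll path>",<export name>
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.I)
# Directories an unprivileged user can write to; an autorun DLL living here deserves scrutiny.
USER_WRITABLE = re.compile(r'\\(AppData|Temp|ProgramData|Users)\\', re.I)


@dataclass
class Finding:
    key: str
    name: str
    command: str
    dll: Optional[str] = None
    export: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def parse_run_entries(report: str) -> List[Finding]:
    """Extract every [RUN] autorun entry from a RogueKiller-style report."""
    findings = []
    for line in report.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        f = Finding(key=m['key'], name=m['name'], command=m['cmd'])
        if m['tag']:
            f.reasons.append(f"scanner tag: {m['tag']}")
        d = RUNDLL.search(f.command)
        if d:
            f.dll, f.export = d['dll'], d['export']
        findings.append(f)
    return findings


def triage(f: Finding) -> Finding:
    """Append heuristic reasons for inspecting a rundll32 autorun entry (mutates and returns f)."""
    if f.dll:
        if USER_WRITABLE.search(f.dll):
            f.reasons.append('rundll32 loads a DLL from a user-writable directory')
        # Compare the display name with the DLL file name: "Adobe" launching ymkqqtz.dll is a mismatch.
        stem = re.sub(r'\.dll$', '', f.dll.rsplit('\\', 1)[-1], flags=re.I).lower()
        if not any(word.lower() in stem for word in f.name.split()):
            f.reasons.append(f"display name '{f.name}' does not match DLL file name '{stem}.dll'")
    return f


def suspicious(report: str) -> List[Finding]:
    """Entries with at least one reason to inspect, in report order."""
    return [f for f in map(triage, parse_run_entries(report)) if f.reasons]


if __name__ == '__main__':
    for f in suspicious(SAMPLE_REPORT):
        print(f'{f.name}: {f.dll},{f.export}')
        for r in f.reasons:
            print('   -', r)
```

Running the script prints the four AppData entries with three reasons each and leaves the constructed Shell32 control entry out. The checks are triage heuristics for deciding which autorun entries to look at first; an entry with no reasons is not proven clean, so the DLL's publisher signature and hash still deserve a look before it is left in place.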

26 Feb 2013   #14
cottonball

Windows 7 Home Premium
As long as the ransomware is gone, we're good.

Please run RogueKiller again.

Click the Registry tab.
Make sure the entries there are checked.

Then, press the [Delete] button.

Please post the new RKreport (Mode: Delete) in your reply.
(The RKreport also opens using the Report button on the console.)