Is someone sharing Windows 7 with me?

VistaKing · 24 Apr 2013

You're missing the FRST.log . Upload that log as well.

Here is a link that will show you how to upload a photo and a file onto the forum

Screenshots and Files - Upload and Post in Seven Forums

nottaclue9 · 24 Apr 2013

FRST.txt

VistaKing · 24 Apr 2013

nottaclue9

I notice you still have some files left over from the FBI randsom ware virus you had . Lets wait until Cottonball comes on and tells you the next steps .

cottonball · 24 Apr 2013

nottaclue9,

Thanks for the FRST reports.

There are entries showing in them that need removed from your computer.
So, here is what we need to do...

We need to make sure that FRST is on the >>Desktop<<, and not in the Temporary Internet Files Folder where it is now:
Running from C:\Users\xxxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JD5UOB86
Otherwise, what we are going to do will not work.

To get FRST on the Desktop, let's delete it, and download a new file, as follows:
Press the Start globe, and in the Search Programs and Files box right above the Start globe, type: FRST
Above it you will see a list with Programs, Documents or Files.
Right-click the FRST icon, and select: Delete
You can also right-click and Delete any Document or File that has FRST in its name.

Now, please download the program once again: Farbar Recovery Scan Tool Download
Select the 32-bit version

When you see the download on the screen, press the drop arrow by Save, and select: Save as...
In the Save as prompt, the blank space right at the top needs to have the Desktop selected.
If there is something else there, click in the space, and use the Backspace key to remove it. Then, type: Desktop
At the bottom of the prompt, press: Save

Now, check the Desktop, and make sure you see FRST there.
If there are any FRST or Addition reports on the Desktop, right-click and: Delete

Double-click FRST to run it once again, and press: Scan

Please post the new FRST.txt that appears on the Desktop.

I will be able to tell if the program is in the right location, and then we will engage in fixing things.

nottaclue9 · 25 Apr 2013

Life has gotten interesting, so I'll probably wait till the week-end to try this. Just didn't want y'all to think I was being an ingrate; I just need a chunk of time to myself when I can think.

cottonball · 25 Apr 2013

Whenever you are ready!!

That is fine with us.

cottonball · 25 Apr 2013

Do you think you can provide the RogueKiller log (RKreport.txt) you provided in Post #18, and instead of an image, copy/paste the text in a reply?

Would like to work with that, and make all this easier for you, if possible.
It would be the easiest thing yo do at this point.

nottaclue9 · 26 Apr 2013

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Judy [Admin rights]
Mode : Scan -- Date : 04/26/2013 01:24:43
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Policies\Explorer\Run : aefbfeaead (C:\Users\Judy\AppData\Roaming\ae70f096-0091-4777-bf93-94615e57a0e6ad\aefbfeaead.exe) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2438601110-3927464551-1267722977-1000[...]\Policies\Explorer\Run : aefbfeaead (C:\Users\Judy\AppData\Roaming\ae70f096-0091-4777-bf93-94615e57a0e6ad\aefbfeaead.exe) [-] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-2438601110-3927464551-1267722977-1000\$e753789c7b028571c64e689ed4db51bd\@ [-] --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$e753789c7b028571c64e689ed4db51bd\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-2438601110-3927464551-1267722977-1000\$e753789c7b028571c64e689ed4db51bd\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$e753789c7b028571c64e689ed4db51bd\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-2438601110-3927464551-1267722977-1000\$e753789c7b028571c64e689ed4db51bd\L --> FOUND
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST500DM0 02-1BD142 SATA Disk Device +++++
--- User ---
[MBR] 65448ab472fbcfd6f689b590a0e5436e
[BSP] bc8352d5af846e1bd0127f659f7692ae : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: Lexar USB Flash Drive USB Device +++++
--- User ---
[MBR] 7ff2a1acbc680c812ef961808b542c37
[BSP] 4b8b702b557e3455c4e0f1b634afd5c4 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 2192 | Size: 15274 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1]_S_04262013_02d0124.txt >>
RKreport[1]_S_04262013_02d0124.txt

I have a feeling this isn't right.

cottonball · 26 Apr 2013

That's it. :)

Please run RogueKiller once again:

Close all windows and browsers
Right-click RogueKiller and select 'Run as Administrator'
Wait until the Prescan finishes
The Status box shows: PreScan Finished

Press: Scan

When done, on the right, click: Delete
Wait until the Status box shows: Deleting Finished

Click on Report and provide the content of the new Rkreport (Mode: Delete) in your reply.

nottaclue9 · 28 Apr 2013

So I sat down tonight to try to do the removal procedure when Windows Security Essentials sent me a red pop-up saying that it had detected suspicious items and that my computer needed to be cleaned. So I clicked on the proper button and then restarted as instructed. I then had a red window in the center of my screen (not lower right-hand like the first warning) that listed these three threats:

Trojan.PSW.Win32launch
HacToolWin32/Welevate.A
Adware.Win32.Fraud

Again, I was told I needed to clean my computer. But when I clicked on the button, I got the ribbon notice at the bottom of my screen, telling me that running the program would harm my computer. I didn't know whether to trust anything that had happened, and I didn't feel safe going on line to contact you guys, so I ran a full Malware Bytes scan. It detected two items:

Trojan.agentKB
Trogan.agentKD

Meanwhile, there has been activity I didn't allow on my third credit card in the last two months. I am about to give up, as dealing with this and the fallout from it has taken immense amounts of my time and made me really paranoid. I am ready to drop-kick the HP over my back fence & get a Mac.