Help-Had FBI virus, removed it now on startup command prompt looks for an exe that isn't there.

posted on May, 13 2013 @ 08:40 AM
Hello ATS, I need some quick help.

My friend had the FBI virus on his computer. We couldn't get in via safe mode (any version of safe mode at all; the virus was still active). I ran the program and deleted this file called "1c54cad4.exe". Now when I start Windows (safe mode or not) a command prompt opens and says that (the .exe that Hitman Pro deleted)
"1c54cad4.exe is not a recognized as an internal operable program or batch file".

So some program in the system is still calling that virus file. How can I find that program? How can I find this entry in the system and tell the computer to ignore it? Is there a list of .exe's that run on startup somewhere in the registry? I checked in msconfig and nothing out of the ordinary is there. I also ran HijackThis and the call for the exe wasn't in there either.




posted on May, 13 2013 @ 08:43 AM
reply to post by samlf3rd
 


Start button, Run (or Windows key + R), type msconfig, go to the Startup tab, find it and uncheck the box.



posted on May, 13 2013 @ 08:45 AM
reply to post by Berzerked
 


Well I posted that I did that already:



I checked in msconfig and nothing out of the ordinary is there. I also ran HijackThis and the call for the exe wasn't in there either.



posted on May, 13 2013 @ 08:48 AM
Oh, I didn't see it.
I guess it could be in the registry then; other than that, I don't know.



posted on May, 13 2013 @ 08:54 AM
Get a malware detector/remover, Malwarebytes, and also get a registry cleaner; you can probably torrent it if you can't find a free one.

I had a similar attack when I tried to "skip an ad". It had an invisible layer that made me acknowledge a virus file download.

FBI Web Cam Virus(ATS).



posted on May, 13 2013 @ 08:54 AM
reply to post by samlf3rd
 


Have you seen this site, www.2-spyware.com...
It explains all you need to do.
edit on 13-5-2013 by creatives because: (no reason given)



posted on May, 13 2013 @ 08:58 AM
You may have to use a live boot disk such as Ultimate Boot Disk for Windows, Linux Live (any distro may work), or even creating or finding a Pre-Installation Environment disk with Windows 7 would work. Or, if you can somehow get into safe mode or similar, you will need to get to the registry: Regedit or similar registry editing software.

Look under these reg keys for your little exe file.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce


Or you can run a search for your EXE file and delete it from your registry. Or you can try setting your PC back to another day.

If your PC is MS Windows, consider downloading Sysinternals Suite.



posted on May, 13 2013 @ 09:05 AM
reply to post by Skada
 


Ditto to Skada's suggestion. If you don't get the whole suite, get "Autoruns" as a minimum. Make sure you run it as administrator. It comes from Microsoft directly so it's clean as far as that goes. It's the single best free Util I know of to see EVERYTHING starting and running on a machine. It's also the #1 thing, literally, #1 that I put on any clean format/install I do on a Windows machine.

Also...I hadn't seen you mention it. Are you using Malwarebytes? That is, believe it or not, what the IT department at the school was using to clean this little bugger. Safe-Mode then Malwarebytes on a full scan. It sounds almost too simplistic for how evil this one is ..but they've found it to work in most cases?



posted on May, 13 2013 @ 09:17 AM

Originally posted by Wrabbit2000
reply to post by Skada
 


Ditto to Skada's suggestion. If you don't get the whole suite, get "Autoruns" as a minimum. Make sure you run it as administrator. It comes from Microsoft directly so it's clean as far as that goes. It's the single best free Util I know of to see EVERYTHING starting and running on a machine. It's also the #1 thing, literally, #1 that I put on any clean format/install I do on a Windows machine.

Also...I hadn't seen you mention it. Are you using Malwarebytes? That is, believe it or not, what the IT department at the school was using to clean this little bugger. Safe-Mode then Malwarebytes on a full scan. It sounds almost too simplistic for how evil this one is ..but they've found it to work in most cases?


I'm in IT and have had to remove this (or one of its several variants) several times and I have to agree with the suggestion of Malwarebytes run in Safe Mode. It's taken care of it in almost all the cases I've run into.



posted on May, 13 2013 @ 09:19 AM
Thanks guys for the great tips. I have already run Spybot, HijackThis, AVG, Hitman Pro, emeri emergency, and a few more.

I didn't see anything in the registry under run or run once (just normal stuff).

I will let you guys know in a few after I go through all of your suggestions.

Thank you very much ATS!
Sam



posted on May, 13 2013 @ 09:31 AM
I had this same virus and paid my buddy to get rid of it. He cleaned up all the junk files and programs not used, and did a Malwarebytes scan and found the location of the virus to delete it.



posted on May, 13 2013 @ 09:32 AM

Originally posted by luciddream
Get a malware detector/remover, Malwarebytes, and also get a registry cleaner; you can probably torrent it if you can't find a free one.

I had a similar attack when I tried to "skip an ad". It had an invisible layer that made me acknowledge a virus file download.

FBI Web Cam Virus(ATS).


Right, because downloading pirated software is a great way to remove malware



posted on May, 13 2013 @ 09:32 AM

Originally posted by samlf3rd
Hello ATS, I need some quick help.

My friend had the FBI virus on his computer. We couldn't get in via safe mode (any version of safe mode at all; the virus was still active). I ran the program and deleted this file called "1c54cad4.exe". Now when I start Windows (safe mode or not) a command prompt opens and says that (the .exe that Hitman Pro deleted)
"1c54cad4.exe is not a recognized as an internal operable program or batch file".

So some program in the system is still calling that virus file. How can I find that program? How can I find this entry in the system and tell the computer to ignore it? Is there a list of .exe's that run on startup somewhere in the registry? I checked in msconfig and nothing out of the ordinary is there. I also ran HijackThis and the call for the exe wasn't in there either.


Look for lsass.exe in your user profile from the HijackThis logs, or post the HijackThis logs.

If you checked msconfig for startup, it will list the executables that start on your system, as you have checked. But that does not mean it has not assumed a known name, so you think it's normal.

lsass.exe in System32 is normal. Elsewhere it can be part of the FBI virus.

Post the log.



posted on May, 13 2013 @ 09:35 AM

Originally posted by Skada
You may have to use a live boot disk such as Ultimate Boot Disk for Windows, Linux Live (any distro may work), or even creating or finding a Pre-Installation Environment disk with Windows 7 would work. Or, if you can somehow get into safe mode or similar, you will need to get to the registry: Regedit or similar registry editing software.

Look under these reg keys for your little exe file.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce


Or you can run a search for your EXE file and delete it from your registry. Or you can try setting your PC back to another day.

If your PC is MS Windows, consider downloading Sysinternals Suite.


It's unlikely to be the RunOnce key as that, as its name implies, runs once, and this seems to be a recurring issue for the OP.

Also, there is the HKEY_LOCAL_MACHINE\...\Run key, and if they have a 64-bit OS, the Wow6432Node\...\Run key.

But as they say they checked msconfig, which lists all programs in these keys, as well as the startup folder, it's likely something they're assuming is a normal executable, calling the randomly generated executable.
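An added example, not code posted by anyone in this thread: a read-only PowerShell script (assumes PowerShell 3 or later, run from an elevated prompt) that walks the autostart locations named in this post and in the lsass.exe post above (HKCU and HKLM Run and RunOnce, the Wow6432Node keys, the Startup folders) plus the Winlogon Shell and Userinit values, which msconfig's Startup tab does not list. It flags two things: an entry whose target executable no longer exists (the OP's exact symptom, a deleted 1c54cad4.exe still being called at every logon), and an entry whose file is named like a Windows system binary but lives outside the system directories. The list of borrowed system names and the two flag labels are my own choices, not from the thread.

```powershell
# Added example (not code posted in this thread): read-only enumeration of
# common Windows autostart locations. Assumes PowerShell 3 or later, run
# from an elevated prompt. Nothing here modifies the machine.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Shell/Userinit under Winlogon also run at logon; msconfig's Startup tab
# does not show them.
$winlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# System binary names malware likes to borrow (my list, not the thread's).
# A file with one of these names outside the Windows system directories is
# worth a closer look.
$systemNames = 'lsass.exe', 'svchost.exe', 'csrss.exe', 'winlogon.exe', 'explorer.exe'
$systemDirs  = (Join-Path $env:SystemRoot 'System32'), (Join-Path $env:SystemRoot 'SysWOW64')

function Get-ExePath {
    param([string]$Command)
    # First quoted token, or everything up to the first ".exe", is the program.
    if ($Command -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($Command -match '^\s*(\S.*?\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Test-Entry {
    param([string]$Source, [string]$Name, [string]$Command)
    $exePath = [Environment]::ExpandEnvironmentVariables((Get-ExePath $Command))
    # Bare names such as "explorer.exe" are resolved through PATH, as Windows does.
    if ($exePath -and -not [IO.Path]::IsPathRooted($exePath)) {
        $found = Get-Command $exePath -ErrorAction SilentlyContinue
        if ($found) { $exePath = $found.Path }
    }
    $flags = @()
    if (-not $exePath -or -not (Test-Path -LiteralPath $exePath)) {
        $flags += 'TARGET MISSING'   # still "called" after a cleaner removed the file
    }
    $leaf = [IO.Path]::GetFileName($exePath).ToLower()
    $inSystemDir = $systemDirs | Where-Object { $exePath.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
    if ($systemNames -contains $leaf -and -not $inSystemDir) {
        $flags += 'SYSTEM NAME OUTSIDE SYSTEM DIR'
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; Flags = ($flags -join '; ') }
}

$results = @()

# Registry Run / RunOnce values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        $results += Test-Entry -Source $key -Name $p.Name -Command ([string]$p.Value)
    }
}

# Winlogon Shell and Userinit: comma-separated; the expected content is
# "explorer.exe" and "<SystemRoot>\system32\userinit.exe," respectively.
# Anything appended after a comma is an extra program run at logon.
$wl = Get-ItemProperty -Path $winlogonKey
foreach ($valueName in 'Shell', 'Userinit') {
    foreach ($part in ([string]$wl.$valueName).Split(',')) {
        if ($part.Trim()) {
            $results += Test-Entry -Source "$winlogonKey\$valueName" -Name $valueName -Command $part.Trim()
        }
    }
}

# Startup folders (current user and all users): resolve each shortcut target.
$wsh = New-Object -ComObject WScript.Shell
foreach ($folder in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $results += Test-Entry -Source $folder -Name $_.Name -Command $wsh.CreateShortcut($_.FullName).TargetPath
    }
}

# Flagged entries first; an entry marked TARGET MISSING is the likely culprit
# when a deleted executable is still being "called" at every logon.
$results | Sort-Object { $_.Flags -eq '' } | Format-Table Flags, Source, Name, Command -AutoSize -Wrap
```

The script only reads; once the flagged entry is identified, removing it (or restoring the default Shell/Userinit value) is a separate, deliberate step, and the same check is worth re-running after a reboot to confirm nothing re-creates the entry.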



posted on May, 13 2013 @ 09:37 AM

Originally posted by KeepYourAnonymity
I had this same virus and payed my buddy to get rid of it. He cleaned up all the junk files, programs not used, and did a malwarebytes scan and found the location of the virus to delete it


I need buddies who I pay .. lol

Actually, I need buddies who pay me! Oo



posted on May, 13 2013 @ 10:28 AM
reply to post by winofiend
 


I put in the RunOnce because there could be a recurring "re-register this exe/dll in this temp location". Had to try to cover all the bases.



posted on May, 13 2013 @ 10:32 AM
reply to post by samlf3rd
 


If you can get Windows or safe mode to load, hit CTRL-ALT-DEL to open the Task Manager. Have a look at the processes. Look for anything that doesn't make sense, like files with numbers.exe or a combination of letters and numbers.exe.

Then do a search on your system for that file name. But just because you are able to find that file and delete it does not mean that you will kill the issue.

If you really want to do it effortlessly, download ComboFix.exe from BleepingComputer.com.

About 5-10 minutes later you will be good to go and everything will be clean.

Keep in mind that a lot of times antivirus programs do not work so well if you have a virus before you install the anti-virus.

P.S. By the way, you had better check that system for CHILD PORN since it has something to do with the FBI. Just sayin'.
edit on 13-5-2013 by ShadellacZumbrum because: (no reason given)



posted on May, 13 2013 @ 10:50 AM
reply to post by winofiend
 


Here is my hijackthis log if you can help that would be great.

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 10:44:06 AM, on 5/13/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16476)

FIREFOX: 11.0 (en-US)
Boot mode: Safe mode

Running processes:
C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Chris Montez\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = g.msn.com...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.conduit.com...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = g.msn.com...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = g.msn.com...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: IESpeakDoc - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O2 - BHO: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [HPQuickWebProxy] "C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-103 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Suppor



posted on May, 13 2013 @ 10:51 AM
I am running MBAM right now. If I find anything I will let you know.



posted on May, 13 2013 @ 10:53 AM

Originally posted by ShadellacZumbrum
reply to post by samlf3rd
 


If you can get Windows or safe mode to load, hit CTRL-ALT-DEL to open the Task Manager. Have a look at the processes. Look for anything that doesn't make sense, like files with numbers.exe or a combination of letters and numbers.exe.

Then do a search on your system for that file name. But just because you are able to find that file and delete it does not mean that you will kill the issue.

If you really want to do it effortlessly, download ComboFix.exe from BleepingComputer.com.

About 5-10 minutes later you will be good to go and everything will be clean.

Keep in mind that a lot of times antivirus programs do not work so well if you have a virus before you install the anti-virus.

P.S. By the way, you had better check that system for CHILD PORN since it has something to do with the FBI. Just sayin'.
edit on 13-5-2013 by ShadellacZumbrum because: (no reason given)


He had so much porn in there it was crazy. I told him to just watch a stream-who the hell downloads porn? No bad porn though, I deleted every last bit of it.





 