
Author Topic: Computer blocked  (Read 5207 times)


jim.mar (Topic Starter)
Computer blocked
« on: March 02, 2013, 12:49:20 PM »
My wife got a message on her laptop saying that her computer ( with correct IP number ) was blocked by the FBI for violation of some copyright.  Demanding a fine payment of $300.00 thru "MoneyPak"???    Is this some bug or somebody hacking or what do I need to know here??    To our knowledge, she has not violated any copyrights.  Can anyone help here.    Need advice??  ??? ???
You are much appreciated..     Thank you ,

SuperDave (Malware Removal Specialist, Moderator)
Re: Computer blocked
« Reply #1 on: March 02, 2013, 06:51:50 PM »
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
I had that on my laptop a few weeks back. Please run MBAM in Safe Mode with Networking and run it again in Normal Mode, as well as AdwCleaner, and post the logs.

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Windows 8 and Windows 10 dual boot with two SSD's

jim.mar (Topic Starter)
Re: Computer blocked
« Reply #2 on: March 04, 2013, 05:43:00 PM »
Thank you SuperDave: Following are the MBAM logs and the AdwCleaner log.

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.04.09

Windows Vista Service Pack 1 x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.6001.18000
JIM :: MARIAN [administrator]

3/4/2013 11:06:41 AM
mbam-log-2013-03-04 (11-06-41).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 477879
Time elapsed: 1 hour(s), 11 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\ProgramData\Microsoft\Windows\DRM\34F4.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\DRM\4E8D.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\Marian\AppData\Local\Temp\4AF5.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Marian\AppData\Local\Temp\565B.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\Marian\AppData\Local\Temp\NEI4V.exe (Backdoor.Agent.RS) -> Quarantined and deleted successfully.
C:\Users\Marian\AppData\Local\Temp\~!#34A7.tmp (Backdoor.Agent.RS) -> Quarantined and deleted successfully.
C:\Users\Marian\AppData\Roaming\secrfi.dll (Trojan.Medfos) -> Quarantined and deleted successfully.

(end)

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.04.09

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 7.0.6001.18000
JIM :: MARIAN [administrator]

3/4/2013 1:34:19 PM
mbam-log-2013-03-04 (13-34-19).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 480127
Time elapsed: 3 hour(s), 11 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

# AdwCleaner v2.113 - Logfile created 03/04/2013 at 13:32:10
# Updated 23/02/2013 by Xplode
# Operating system : Windows Vista (TM) Home Premium Service Pack 1 (32 bits)
# User : JIM - MARIAN
# Boot Mode : Normal
# Running from : C:\Users\JIM\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZF7IIPX8\2-adwcleaner[1].exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\ProgramData\APN
Folder Found : C:\Users\JIM\AppData\Roaming\Mozilla\Firefox\Profiles\96ql58d1.default\extensions\{1fd91a9c-410c-4090-bbcc-55d3450ef433}

***** [Registry] *****

Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BrowserProtect

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6001.18639

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0 (en-US)

File : C:\Users\JIM\AppData\Roaming\Mozilla\Firefox\Profiles\96ql58d1.default\prefs.js

[OK] File is clean.

File : C:\Users\Marian\AppData\Roaming\Mozilla\Firefox\Profiles\mq7wcnk1.default\prefs.js

[OK] File is clean.

File : C:\Users\poof\AppData\Roaming\Mozilla\Firefox\Profiles\6firb15f.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.97

File : C:\Users\JIM\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\Marian\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\poof\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [23554 octets] - [31/01/2013 12:50:22]
AdwCleaner[R2].txt - [1869 octets] - [01/02/2013 13:26:39]
AdwCleaner[R3].txt - [1986 octets] - [04/03/2013 10:57:43]
AdwCleaner[R4].txt - [4015 octets] - [04/03/2013 10:58:48]
AdwCleaner[R5].txt - [1839 octets] - [04/03/2013 13:32:11]
AdwCleaner[S1].txt - [24032 octets] - [31/01/2013 12:51:08]
AdwCleaner[S2].txt - [1836 octets] - [01/02/2013 13:27:24]

########## EOF - C:\AdwCleaner[R5].txt - [2020 octets] ##########


SuperDave (Malware Removal Specialist, Moderator)
Re: Computer blocked
« Reply #3 on: March 04, 2013, 07:26:19 PM »
I'm required to give you this warning.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

Read this article: Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

I would counsel you to disconnect this PC from the Internet immediately.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
*************************************************************
Please download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

On completion of the scan click save log, save it to your desktop and post it in your next reply.

jim.mar (Topic Starter)
Re: Computer blocked
« Reply #4 on: March 05, 2013, 12:59:25 PM »
SuperDave: WOW,, >:( Thank you so much for your warning. About ten days ago I lent my wife's laptop to a friend to do some music work that we were working on. He returned it about 5 days later and my wife started to use it to surf the net for jokes when she got the "Computer blocked" message. After your warning I called him and found out that he had used it to check his bank accounts. That must have been when he got hacked.
He was using my wife's user account, which does not have any pertinent info on it, but -------IT IS ON THE COMPUTER IN MY USER ACCOUNT----.
I have decided to change my passwords & cancel and renew all cards that have been used on the internet.
I have also decided to reformat my OS. I have "VISTA" restore on my hard drive. Would that be sufficient or do I need to use a different installation entirely? ??? I would have to buy it I guess; I didn't get a CD for the OS when I bought the laptop. Or maybe could I use an old version of XP that I have lying around from an old machine?

Following is the aswMBR log:

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-03-05 10:58:20
-----------------------------
10:58:20.097    OS Version: Windows 6.0.6001 Service Pack 1
10:58:20.097    Number of processors: 2 586 0xF06
10:58:20.099    ComputerName: MARIAN  UserName: JIM
10:58:22.441    Initialize success
10:59:20.297    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
10:59:20.302    Disk 0 Vendor: FUJITSU_MHV2100BH_PL 892C Size: 95396MB BusType: 3
10:59:20.307    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-3
10:59:20.311    Disk 1 Vendor: FUJITSU_MHV2100BH_PL 892C Size: 95396MB BusType: 3
10:59:20.326    Disk 0 MBR read successfully
10:59:20.332    Disk 0 MBR scan
10:59:20.338    Disk 0 unknown MBR code
10:59:20.345    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        88639 MB offset 63
10:59:20.382    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS         6753 MB offset 181534500
10:59:20.391    Disk 0 scanning sectors +195366465
10:59:20.460    Disk 0 scanning C:\Windows\system32\drivers
10:59:29.403    Service scanning
10:59:53.064    Modules scanning
11:00:02.435    Disk 0 trace - called modules:
11:00:02.466    ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys
11:00:02.475    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x861e7820]
11:00:02.487    3 CLASSPNP.SYS[893a3745] -> nt!IofCallDriver -> [0x85e25320]
11:00:02.500    5 PCTCore.sys[88c7defb] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-2[0x85c218a8]
11:00:02.513    Scan finished successfully
11:01:21.797    Disk 0 MBR has been saved successfully to "C:\Users\JIM\Desktop\clean pc 3-4-13\MBR.dat"
11:01:21.807    The log file has been saved successfully to "C:\Users\JIM\Desktop\clean pc 3-4-13\aswMBR.txt"



SuperDave (Malware Removal Specialist, Moderator)
Re: Computer blocked
« Reply #5 on: March 06, 2013, 11:56:07 AM »
Quote
I have "VISTA" restore on my hard drive. Would that be sufficient or do I need to use a different installation entirely?
Yes, the Recovery Console will restore your computer back to the date it was purchased. I would recommend doing the Recovery because the MBR also has been infected. We can repair that but the computer will never be trustworthy.
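The two judgements SuperDave makes by hand in Replies #3 and #5 (a Backdoor./Rootkit. detection means every credential used on the machine is burned; an MBR that aswMBR does not recognise means recovery beats cleaning) can be automated over the log formats posted in Replies #2 and #4. The script below is an added example for this thread; it is not a tool from the thread and not part of Malwarebytes or AVAST's aswMBR. The regexes, the family prefixes it treats as backdoor-class, and the "MBR OK" clean verdict are assumptions about the log formats; the embedded sample logs are constructed excerpts of the logs jim.mar posted.

```python
"""Triage helper over the two log formats posted in this thread.

Added example, not a tool from the thread and not part of Malwarebytes or
aswMBR. It reads the "Files Detected" entries of an MBAM log and the per-disk
MBR verdict lines of an aswMBR log, then reproduces the two judgements made
by hand in Replies #3 and #5: a Backdoor./Rootkit. family means credentials
must be treated as compromised, and an "unknown MBR code" verdict means
recovery is preferable to cleaning. The regexes, the family prefixes and the
"MBR OK" clean-verdict string are this example's assumptions.
"""
import re

# Constructed excerpt of the first MBAM log in Reply #2 (four of its seven entries).
SAMPLE_MBAM_LOG = r"""Files Detected: 7
C:\ProgramData\Microsoft\Windows\DRM\34F4.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\DRM\4E8D.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\Marian\AppData\Local\Temp\NEI4V.exe (Backdoor.Agent.RS) -> Quarantined and deleted successfully.
C:\Users\Marian\AppData\Roaming\secrfi.dll (Trojan.Medfos) -> Quarantined and deleted successfully.

(end)
"""

# Constructed excerpt of the aswMBR log in Reply #4.
SAMPLE_ASWMBR_LOG = r"""aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
10:59:20.326    Disk 0 MBR read successfully
10:59:20.332    Disk 0 MBR scan
10:59:20.338    Disk 0 unknown MBR code
10:59:20.345    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        88639 MB offset 63
11:00:02.513    Scan finished successfully
"""

# "<path> (<family>) -> <action>" as MBAM 1.x prints it (assumed format).
MBAM_FILE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# "<timestamp>    Disk <n> <verdict>"; "MBR OK" is the assumed clean verdict.
ASWMBR_MBR_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+Disk (?P<disk>\d+) (?P<verdict>unknown MBR code|MBR OK)$")

# MBAM family prefixes that imply remote control or kernel-level persistence
# (assumption: this is the class the backdoor warning in Reply #3 is about).
BACKDOOR_PREFIXES = ("Backdoor.", "Rootkit.")


def parse_mbam_detections(log_text):
    """Return a dict (path, family, action) per 'Files Detected' entry."""
    found = []
    for line in log_text.splitlines():
        m = MBAM_FILE_RE.match(line.strip())
        if m:
            found.append({"path": m["path"], "family": m["family"],
                          "action": m["action"].rstrip(".")})
    return found


def parse_aswmbr_mbr_verdicts(log_text):
    """Map disk number -> last MBR verdict aswMBR printed for that disk."""
    verdicts = {}
    for line in log_text.splitlines():
        m = ASWMBR_MBR_RE.match(line.strip())
        if m:
            verdicts[int(m["disk"])] = m["verdict"]
    return verdicts


def triage(mbam_text, aswmbr_text):
    """Combine both logs into the advice given in Replies #3 and #5."""
    detections = parse_mbam_detections(mbam_text)
    backdoor_families = sorted({d["family"] for d in detections
                                if d["family"].startswith(BACKDOOR_PREFIXES)})
    suspect_disks = sorted(disk for disk, verdict in
                           parse_aswmbr_mbr_verdicts(aswmbr_text).items()
                           if verdict == "unknown MBR code")
    actions = []
    if backdoor_families:
        # Reply #3: a backdoor means every credential used on the box is burned.
        actions.append("change all passwords from a different, clean computer")
        actions.append("notify bank and card issuers of a possible breach")
    if backdoor_families or suspect_disks:
        # Reply #5: cleaning is possible, but the machine stays untrustworthy.
        actions.append("prefer factory recovery / OS reinstall over cleaning")
    return {
        "detections": len(detections),
        "backdoor_families": backdoor_families,
        "credentials_compromised": bool(backdoor_families),
        "suspect_mbr_disks": suspect_disks,
        "actions": actions,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MBAM_LOG, SAMPLE_ASWMBR_LOG).items():
        print(f"{key}: {value}")
```

Run against the thread's own logs it reports two backdoor-class families, flags credentials as compromised, marks disk 0 as MBR-suspect and lists all three actions; the second (Normal Mode) MBAM log, which found nothing, produces no actions on its own, which is why the aswMBR verdict is fed in as well.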

jim.mar (Topic Starter)
Re: Computer blocked
« Reply #6 on: March 06, 2013, 12:26:29 PM »
SuperDave, OK, thanks.... I thought that maybe it would leave some corrupted files in the machine if I used the onboard "Recovery". Should I click the "FixMBR" button before I do that or will it mess things up??

SuperDave (Malware Removal Specialist, Moderator)
Re: Computer blocked
« Reply #7 on: March 07, 2013, 10:37:47 AM »
Quote
SuperDave, OK, thanks.... I thought that maybe it would leave some corrupted files in the machine if I used the onboard "Recovery". Should I click the "FixMBR" button before I do that or will it mess things up??
No, just run the Recovery. Make sure you save your important documents, files, videos and music before running it.