Help with FBI lockout screen virus, please

johnb35

Administrator
Staff member
Wait, according to this entry you have installed Malwarebytes with a keygen...

[2013/06/04 08:23:51 | 000,000,000 | ---D | C] -- C:\Users\pamato\Desktop\Malwarebytes Anti-Malware Pro v1.75.0.1300 Incl Keygen-BRD [TorDigger]

That's a no-no, big time.

Please download and run RogueKiller.
Click Scan to scan the system (don't run any other options)

Post the log that it gives you.
 

pjoseph

Member
My mistake, my buddy gave me that today, which was the first time I ran it.

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : pamato [Admin rights]
Mode : Scan -- Date : 06/04/2013 21:58:38
| ARK || FAK || MBR |

¤¤¤ Bad processes : 3 ¤¤¤
[DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\pamato\AppData\Local\Widcomm\vwhsfohz.dll [x] -> UNLOADED
[SUSP PATH] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe [7] -> KILLED [TermProc]
[DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\pamato\AppData\Local\Widcomm\vwhsfohz.dll [x] -> UNLOADED

¤¤¤ Registry Entries : 11 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Widcomm (REGSVR32.EXE C:\Users\pamato\AppData\Local\Widcomm\vwhsfohz.dll) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1417001333-1682526488-839522115-249927[...]\Run : Widcomm (REGSVR32.EXE C:\Users\pamato\AppData\Local\Widcomm\vwhsfohz.dll) [-] -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (enpusfpkinf01:8080) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{F39B21CE-17BD-4563-BC8F-26C93DDA032C} : NameServer (10.16.64.11,10.20.64.11) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{F39B21CE-17BD-4563-BC8F-26C93DDA032C} : NameServer (10.16.64.11,10.20.64.11) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x82333DA5 -> HOOKED (Unknown @ 0x875EB9D8)
SSDT[14] : NtAlertThread @ 0x82286CC7 -> HOOKED (Unknown @ 0x875E96C0)
SSDT[19] : NtAllocateVirtualMemory @ 0x8227FCBC -> HOOKED (Unknown @ 0x875E7828)
SSDT[74] : NtCreateMutant @ 0x8226634C -> HOOKED (Unknown @ 0x875EB728)
SSDT[87] : NtCreateThread @ 0x82331FE2 -> HOOKED (Unknown @ 0x875E79B8)
SSDT[131] : NtFreeVirtualMemory @ 0x8210E81C -> HOOKED (Unknown @ 0x875E7688)
SSDT[145] : NtImpersonateAnonymousToken @ 0x8224B962 -> HOOKED (Unknown @ 0x875EB818)
SSDT[147] : NtImpersonateThread @ 0x822CF962 -> HOOKED (Unknown @ 0x875EB8F8)
SSDT[168] : NtMapViewOfSection @ 0x8229C5F1 -> HOOKED (Unknown @ 0x875E89B8)
SSDT[177] : NtOpenEvent @ 0x82265D48 -> HOOKED (Unknown @ 0x875EB648)
SSDT[191] : NtOpenProcessToken @ 0x822BA36F -> HOOKED (Unknown @ 0x875E78F8)
SSDT[199] : NtOpenThreadToken @ 0x822CE64B -> HOOKED (Unknown @ 0x875E8758)
SSDT[304] : NtResumeThread @ 0x822C66C2 -> HOOKED (Unknown @ 0x872C9B38)
SSDT[316] : NtSetContextThread @ 0x82333851 -> HOOKED (Unknown @ 0x875E8698)
SSDT[333] : NtSetInformationProcess @ 0x8228E875 -> HOOKED (Unknown @ 0x875E8828)
SSDT[335] : NtSetInformationThread @ 0x822BFE26 -> HOOKED (Unknown @ 0x875E99C8)
SSDT[366] : NtSuspendProcess @ 0x82333CDF -> HOOKED (Unknown @ 0x875ED978)
SSDT[367] : NtSuspendThread @ 0x822EB19B -> HOOKED (Unknown @ 0x875E9808)
SSDT[370] : NtTerminateProcess @ 0x822B0D86 -> HOOKED (Unknown @ 0x875EA6B8)
SSDT[371] : NtTerminateThread @ 0x822CE69B -> HOOKED (Unknown @ 0x875E98E8)
SSDT[385] : NtUnmapViewOfSection @ 0x822BA9AA -> HOOKED (Unknown @ 0x875E88F8)
SSDT[399] : NtWriteVirtualMemory @ 0x822B5A83 -> HOOKED (Unknown @ 0x875E7758)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEKT-75PVMT0 +++++
--- User ---
[MBR] 4cd91750ce87a9415415c8b7bc2671ad
[BSP] 942f3df21fcddc7c67a0dc58e20f1548 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 119999 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 245760000 | Size: 118473 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_06042013_02d2158.txt >>
RKreport[1]_S_06042013_02d2158.txt
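To make the "Registry Entries" section of a RogueKiller report like the one above easier to triage, here is an added example (not code from the forum or from RogueKiller) that parses lines in that layout and ranks each finding from a defender's point of view; the line format is inferred from the posted log, and the sample entries are constructed to mirror it.

```python
import re

# Constructed sample in RogueKiller's "Registry Entries" line layout (values mirror the
# log posted above; the layout is inferred from that post, not from the tool's source).
SAMPLE_LOG = """\
[RUN][SUSP PATH] HKCU\\[...]\\Run : Widcomm (REGSVR32.EXE C:\\Users\\pamato\\AppData\\Local\\Widcomm\\vwhsfohz.dll) [-] -> FOUND
[PROXY IE] HKCU\\[...]\\Internet Settings : ProxyServer (enpusfpkinf01:8080) -> FOUND
[HJPOL] HKLM\\[...]\\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\\[...]\\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\\[...]\\Advanced : Start_ShowMyGames (0) -> FOUND
"""

# [TAG][TAG] <key> : <name> (<value>) [<flag>] -> <status>
ENTRY_RE = re.compile(
    r"^((?:\[[^\]]+\])+) (.+?) : (.+?) \((.*?)\)(?: \[[^\]]*\])? -> (\w+)$"
)

def parse_entries(text):
    """Return one dict per registry finding; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        tags, key, name, value, status = m.groups()
        entries.append({"tags": re.findall(r"\[([^\]]+)\]", tags), "key": key,
                        "name": name, "value": value, "status": status})
    return entries

def triage(entry):
    """Map a finding to (severity, reason) from a defender's point of view."""
    tags, name, value = entry["tags"], entry["name"], entry["value"].lower()
    if "RUN" in tags and value.startswith("regsvr32") and "\\appdata\\" in value:
        # Logon persistence that uses a signed system binary to load a DLL from the
        # user profile: the shape of the Widcomm entry in the posted log.
        return "high", "Run-key persistence via regsvr32 loading a DLL from AppData"
    if name == "EnableLUA" and value == "0":
        return "high", "UAC disabled (EnableLUA=0); re-enable after cleanup"
    if name == "DisableRegistryTools":
        return ("high" if value == "1" else "info",
                "registry editor policy present (1 = regedit blocked, 0 = not blocked)")
    if "PROXY IE" in tags:
        return "medium", "browser proxy set; confirm it is the expected corporate proxy"
    return "low", "cosmetic/UI tweak, no direct security impact"

def report(text):
    return [(e["name"], *triage(e)) for e in parse_entries(text)]

if __name__ == "__main__":
    for name, sev, why in report(SAMPLE_LOG):
        print(f"{sev:6} {name}: {why}")
```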
 

johnb35

Administrator
Staff member
Please do a full scan with your Symantec Endpoint software to see if it detects anything.
 

pjoseph

Member
Actually no, no more popup.

I still have RogueKiller open because when I close it, it asks me if I want to delete what it found. Should I delete them?
 

pjoseph

Member
Ok, thanks again

Would you say I'm good now? I just realized you said to scan with Symantec; I will start that tonight since it takes a while.

Also, what about the items ESET found which I never deleted?
 

johnb35

Administrator
Staff member
Yes, I would say you are good now. You can delete this one.

C:\Users\pamato\AppData\Roaming\wabEventSupport16\ {9a0cc1ab-a1bd-57af-3bb1-96043bca195a}.exe

The other items are in quarantine and can't harm you.

Now uninstall ComboFix by typing this in the search box in the Start menu:

Combofix /uninstall

and press Enter. There is a space between the x and the /.

Let me know if Symantec finds anything.
 

pjoseph

Member
Got it, I will follow up in the morning; I will run Symantec overnight.

Thanks again for all your help thus far, appreciate it!
 

johnb35

Administrator
Staff member
Good to know. It seems you are ready to roll. Let me know if you have any more issues.
 