fake police virus removal has left PC unable to reboot or use safe mode


pepper1

Hi and thanks in advance for any help you can offer. I think my problem is with rebooting after a malware removal.
While surfing I picked up a fake police virus. System Restore did not work, leaving the computer unable to reboot.
I made a USB stick with HitmanPro and was able to delete several viruses and trojans from the PC.
However, the computer still will not reboot (sad face).
I have tried to reset to original settings with the XP repair disc, but it exited Windows saying there was an error which may harm the computer.
Sorry, I have not been able to do the OTL asw logs on the infected PC as I cannot access normal or safe modes.
Best wishes, Pepper1
 

kuttus

Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please print these instruction out so that you know what you are doing
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Download List Parts and save it to the flash drive also.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here.
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note: as you are running from CD, it is not exactly speedy.
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  • Next click List Parts and then click Scan
  • It will make a log Results.txt on the flash drive. Please copy and paste it to your reply.
 

pepper1

Thank you Kuttus, your instructions are very clear. I do not have a CD facility on the laptop I am using while my PC is infected, but I can find a friend or relative to burn the CD I need. I will get back to you when I have done this, best wishes Pepper1.
 

pepper1

kuttus said:
Okay. Take your time...

Hi, everything done and worked like a dream, thanks. I have added the logs as attachments and in text here. Here is the FRST report:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-10-2013
Ran by SYSTEM on REATOGO on 09-10-2013 20:56:31
Running from I:\
Windows 7 Home Premium (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8306208 2009-10-20] (Realtek Semiconductor)
HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [snpstd3] - C:\Windows\vsnpstd3.exe [827392 2006-09-19] ()
HKLM\...\Run: [CanonSolutionMenu] - C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe [689488 2008-03-10] (CANON INC.)
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2114376 2008-03-03] (CANON INC.)
HKLM\...\Run: [itype] - C:\Program Files\Microsoft IntelliType Pro\itype.exe [2345848 2009-11-11] (Microsoft Corporation)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [The Shield Deluxe Antiphishing Helper] - C:\Program Files\The Shield Deluxe\The Shield Deluxe 2011\ieshow.exe [75848 2010-11-11] (PCSecurityShield)
HKLM\...\Run: [BDAgent] - C:\Program Files\The Shield Deluxe\The Shield Deluxe 2011\bdagent.exe [1642520 2010-12-22] (PCSecurityShield)
HKLM\...\RunOnce: [*Restore] - C:\Windows\System32\rstrui.exe /runonce [296960 2010-11-20] (Microsoft Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$c6da8fd1bd562f3f34da9930f18fd71a\n. ATTENTION! ====> ZeroAccess?
HKU\Nicky\...\Run: [STManager] - "C:\Program Files (x86)\SpeedTouch\Dr SpeedTouch\drst.exe" -b
HKU\Nicky.000\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2011-02-24] (Google Inc.)
HKU\Richard\...\Run: [SetDefaultMIDI] - MIDIDef.exe
HKU\Richard\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2011-02-24] (Google Inc.)
HKU\Richard\...\Run: [Dism.exe] - C:\Users\Richard\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.naiadexports.com\bitsadmin.exe
HKU\Richard\...\Run: [Canon] - RunDLL32.exe C:\Users\Richard\AppData\Local\Canon\nbytvyip.dll,fCGNEJjWTYNZfBYlsxdatTwGeXq <===== ATTENTION
HKU\Richard\...\Winlogon: [Shell] explorer.exe <==== ATTENTION
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Nicky.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Nicky.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\Nicky.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\Users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

========================== Services (Whitelisted) =================

S3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [257416 2013-09-23] (Adobe Systems Incorporated)
S2 Apple Mobile Device; C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [57008 2012-12-21] (Apple Inc.)
S4 clr_optimization_v2.0.50727_64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [89920 2009-06-10] (Microsoft Corporation)
S2 clr_optimization_v4.0.30319_64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [138576 2010-03-18] (Microsoft Corporation)
S2 DailyBibleGuideService; C:\PROGRA~2\DAILYB~2\bar\2.bin\2vbarsvc.exe [36864 2011-06-30] (DailyBibleGuide)
S2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2009-06-09] (Stardock Corporation)
S3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [42856 2010-11-04] (Microsoft Corporation)
S3 fsssvc; C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [1492840 2012-03-08] (Microsoft Corporation)
S3 GameConsoleService; C:\Program Files (x86)\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe [250616 2009-06-05] (WildTangent, Inc.)
S2 gupdate; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [136176 2011-02-24] (Google Inc.)
S3 gupdatem; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [136176 2011-02-24] (Google Inc.)
S3 gusvc; C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [194032 2012-08-19] (Google)
S2 IAANTMON; C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe [354840 2009-06-04] (Intel Corporation)
S3 idsvc; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe [856400 2010-11-04] (Microsoft Corporation)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
S4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe [116560 2009-06-10] (Microsoft Corporation)
S3 odserv; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [440696 2011-07-20] (Microsoft Corporation)
S3 ose; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [145184 2006-10-26] (Microsoft Corporation)
S3 PerfHost; C:\Windows\SysWow64\perfhost.exe [20992 2009-07-13] (Microsoft Corporation)
S2 SeaPort; C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [249136 2010-09-22] (Microsoft Corporation)
S2 SftService; C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE [689472 2010-08-20] (SoftThinks SAS)
S3 Update Server; C:\Program Files\Common Files\The Shield Deluxe\The Shield Deluxe Arrakis Server\bin\arrakis3.exe [467248 2010-11-11] (The Shield Deluxe 2011)
S2 Updatesrv; C:\Program Files\The Shield Deluxe\The Shield Deluxe 2011\updatesrv.exe [52200 2010-11-11] (PCSecurityShield)
S2 VSSERV; C:\Program Files\The Shield Deluxe\The Shield Deluxe 2011\vsserv.exe [2539608 2010-12-22] (PCSecurityShield)
S3 SophosVirusRemovalTool; C:\Program Files (x86)\Sophos\Sophos Virus Removal Tool\SVRTservice.exe [x]

==================== Drivers (Whitelisted) ====================

S4 avc3; C:\Windows\System32\DRIVERS\avc3.sys [692816 2010-06-28] (BitDefender)
S4 avckf; C:\Windows\System32\DRIVERS\avckf.sys [1040976 2010-06-28] (BitDefender)
S3 b06bdrv; C:\Windows\system32\DRIVERS\bxvbda.sys [468480 2009-06-10] (Broadcom Corporation)
S3 b57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [270848 2009-06-10] (Broadcom Corporation)
S3 BDFM; C:\Windows\System32\DRIVERS\bdfm.sys [162896 2010-05-13] (BitDefender S.R.L. Bucharest, ROMANIA)
S0 bdfsfltr; C:\Windows\System32\DRIVERS\bdfsfltr.sys [388168 2010-07-09] (BitDefender)
S1 bdfwfpf; C:\Program Files\Common Files\The Shield Deluxe\The Shield Deluxe Firewall\bdfwfpf.sys [99408 2010-08-20] (BitDefender)
S0 CLFS; C:\Windows\System32\CLFS.sys [367696 2009-07-13] (Microsoft Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [10611552 2010-08-25] (Intel Corporation)
S3 IntcAzAudAddService; C:\Windows\System32\drivers\RTKVHD64.sys [2012832 2009-10-20] (Realtek Semiconductor Corp.)
S3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [20992 2009-07-13] (Microsoft Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [15752 2009-05-08] (Microsoft Corporation)
S0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [55280 2009-07-08] (Sonic Solutions)
S3 RTL8167; C:\Windows\System32\DRIVERS\Rt64win7.sys [236544 2009-07-30] (Realtek )
S2 RtNdPt60; C:\Windows\System32\DRIVERS\RtNdPt60.sys [27136 2009-07-20] (Realtek )
S3 RTTEAMPT; C:\Windows\System32\DRIVERS\RtTeam60.sys [43008 2008-10-24] (Realtek Corporation)
S3 RTVLANPT; C:\Windows\System32\DRIVERS\RtVlan60.sys [24064 2007-12-03] (Windows (R) Codename Longhorn DDK provider)
S3 SNPSTD3; C:\Windows\System32\DRIVERS\snpstd3.sys [10550272 2007-03-27] (Sonix Co. Ltd.)
S3 TEAM; C:\Windows\System32\DRIVERS\RtTeam60.sys [43008 2008-10-24] (Realtek Corporation)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2012-12-13] (Apple, Inc.)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-10-09 20:56 - 2013-10-09 20:56 - 00000000 ____D C:\FRST
2013-10-05 23:39 - 2013-10-05 23:39 - 00000000 ____D C:\Program Files\HitmanPro
2013-10-05 22:49 - 2013-10-05 22:49 - 00004770 _____ C:\Windows\System32\.crusader
2013-10-05 21:27 - 2013-10-05 21:27 - 00116782 _____ C:\Users\Richard\AppData\Roaming\2433f433
2013-10-05 21:27 - 2013-10-05 21:27 - 00116733 _____ C:\Users\Richard\AppData\Local\2433f433
2013-10-05 13:29 - 2013-10-05 13:29 - 00000000 ____D C:\Users\Richard\AppData\Local\{940F4291-24F8-48FF-8DF3-20B017727360}
2013-10-01 17:11 - 2013-10-01 17:11 - 00020553 _____ C:\Users\Richard\Documents\reference for suzanne.odt
2013-09-29 12:43 - 2013-09-29 12:43 - 00000000 ____D C:\Users\Nicky.000\AppData\Local\{A2020E55-2D3A-41E7-AA03-9136AD98A166}
2013-09-29 09:42 - 2013-09-29 09:42 - 00000000 ____D C:\Users\Richard\AppData\Local\{A27AD039-635E-41E5-B0D6-09D161EAE7DA}
2013-09-20 22:49 - 2013-09-20 22:49 - 00000000 ____D C:\Users\Richard\Desktop\New folder
2013-09-17 03:10 - 2013-09-17 03:10 - 00022205 _____ C:\Users\Richard\Documents\besom leaflet.odt
2013-09-16 05:42 - 2013-09-16 05:42 - 00000000 ____D C:\Users\Nicky.000\AppData\Local\{FA2CB2C1-5CB2-4869-8300-87C68D9C18E9}
2013-09-15 09:42 - 2013-09-15 09:42 - 00000000 ____D C:\Users\Richard\AppData\Local\{F5FD529F-3F43-40D5-B1D6-E757DB260D92}
2013-09-14 16:22 - 2013-09-14 16:22 - 00000000 ____D C:\Users\Richard\AppData\Local\{DCA90132-57A3-4C23-AD12-1A77A8669EB1}
2013-09-10 16:54 - 2013-09-10 16:54 - 00000000 ____D C:\Users\Richard\AppData\Local\{9652043D-3D10-4533-9BCE-8E4937BD7C16}
2013-09-09 14:02 - 2013-10-04 13:48 - 00000000 ____D C:\Users\Nicky.000\Documents\Farncombe Friends

==================== One Month Modified Files and Folders =======

2013-10-09 20:56 - 2013-10-09 20:56 - 00000000 ____D C:\FRST
2013-10-06 04:50 - 2009-07-14 00:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-06 04:50 - 2009-07-14 00:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-05 23:39 - 2013-10-05 23:39 - 00000000 ____D C:\Program Files\HitmanPro
2013-10-05 22:49 - 2013-10-05 22:49 - 00004770 _____ C:\Windows\System32\.crusader
2013-10-05 21:46 - 2010-03-09 22:25 - 00072942 _____ C:\Windows\PFRO.log
2013-10-05 21:36 - 2009-07-14 00:51 - 00221234 _____ C:\Windows\setupact.log
2013-10-05 21:35 - 2010-03-21 18:51 - 00000000 ____D C:\users\Nicky.000
2013-10-05 21:35 - 2010-03-15 16:53 - 00000000 ____D C:\users\Richard
2013-10-05 21:35 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\AppCompat
2013-10-05 21:31 - 2011-11-21 04:56 - 00000000 ___RD C:\Users\Nicky.000\Dropbox
2013-10-05 21:31 - 2011-11-21 04:54 - 00000000 ____D C:\Users\Nicky.000\AppData\Roaming\Dropbox
2013-10-05 21:31 - 2009-07-14 01:10 - 01126645 _____ C:\Windows\WindowsUpdate.log
2013-10-05 21:30 - 2010-03-22 07:29 - 00115896 _____ C:\Users\Nicky.000\AppData\Local\GDIPFONTCACHEV1.DAT
2013-10-05 21:30 - 2010-03-21 18:51 - 00000000 ____D C:\Users\Nicky.000\AppData\Local\SoftThinks
2013-10-05 21:27 - 2013-10-05 21:27 - 00116782 _____ C:\Users\Richard\AppData\Roaming\2433f433
2013-10-05 21:27 - 2013-10-05 21:27 - 00116733 _____ C:\Users\Richard\AppData\Local\2433f433
2013-10-05 13:29 - 2013-10-05 13:29 - 00000000 ____D C:\Users\Richard\AppData\Local\{940F4291-24F8-48FF-8DF3-20B017727360}
2013-10-05 13:25 - 2010-03-15 16:59 - 00000000 ____D C:\Users\Richard\AppData\Local\SoftThinks
2013-10-04 16:51 - 2010-03-15 16:54 - 00115896 _____ C:\Users\Richard\AppData\Local\GDIPFONTCACHEV1.DAT
2013-10-04 15:56 - 2010-06-07 04:59 - 00000376 _____ C:\Users\Nicky.000\AppData\Roamingprivacy.xml
2013-10-04 13:48 - 2013-09-09 14:02 - 00000000 ____D C:\Users\Nicky.000\Documents\Farncombe Friends
2013-10-01 17:11 - 2013-10-01 17:11 - 00020553 _____ C:\Users\Richard\Documents\reference for suzanne.odt
2013-10-01 04:41 - 2011-10-03 07:17 - 00021266 _____ C:\Users\Richard\Documents\ebay to amazon.ods
2013-09-29 12:43 - 2013-09-29 12:43 - 00000000 ____D C:\Users\Nicky.000\AppData\Local\{A2020E55-2D3A-41E7-AA03-9136AD98A166}
2013-09-29 09:42 - 2013-09-29 09:42 - 00000000 ____D C:\Users\Richard\AppData\Local\{A27AD039-635E-41E5-B0D6-09D161EAE7DA}
2013-09-26 05:11 - 2009-07-14 00:45 - 00445320 _____ C:\Windows\System32\FNTCACHE.DAT
2013-09-23 18:44 - 2012-06-28 04:08 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-09-23 18:44 - 2012-02-21 11:22 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-09-23 18:44 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64
2013-09-20 22:49 - 2013-09-20 22:49 - 00000000 ____D C:\Users\Richard\Desktop\New folder
2013-09-20 07:27 - 2009-07-14 01:13 - 00726270 _____ C:\Windows\System32\PerfStringBackup.INI
2013-09-20 06:07 - 2012-11-28 05:36 - 00002185 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-09-19 18:03 - 2009-07-13 23:20 - 00000000 ___RD C:\Program Files (x86)
2013-09-19 16:28 - 2012-08-28 20:26 - 00001115 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-19 08:35 - 2013-05-30 15:56 - 00000000 ____D C:\Program Files\My Dell
2013-09-17 10:26 - 2011-04-19 11:41 - 00000000 ____D C:\Users\Nicky.000\AppData\Local\Windows Live
2013-09-17 03:10 - 2013-09-17 03:10 - 00022205 _____ C:\Users\Richard\Documents\besom leaflet.odt
2013-09-16 05:42 - 2013-09-16 05:42 - 00000000 ____D C:\Users\Nicky.000\AppData\Local\{FA2CB2C1-5CB2-4869-8300-87C68D9C18E9}
2013-09-15 09:42 - 2013-09-15 09:42 - 00000000 ____D C:\Users\Richard\AppData\Local\{F5FD529F-3F43-40D5-B1D6-E757DB260D92}
2013-09-14 16:22 - 2013-09-14 16:22 - 00000000 ____D C:\Users\Richard\AppData\Local\{DCA90132-57A3-4C23-AD12-1A77A8669EB1}
2013-09-10 16:54 - 2013-09-10 16:54 - 00000000 ____D C:\Users\Richard\AppData\Local\{9652043D-3D10-4533-9BCE-8E4937BD7C16}
2013-09-10 16:35 - 2010-12-10 15:46 - 00000000 ____D C:\Users\Richard\AppData\Roaming\PCDr

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3057790361-3513307974-1896236825-1000\$c6da8fd1bd562f3f34da9930f18fd71a

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$c6da8fd1bd562f3f34da9930f18fd71a

Files to move or delete:
====================
ZeroAccess:
C:\Users\Richard\AppData\Local\Google\Desktop\Install
C:\Users\Richard\flashplayer.exe


Some content of TEMP:
====================
C:\Users\Nicky.000\AppData\Local\Temp\contentDATs.exe
C:\Users\Nicky.000\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Nicky.000\AppData\Local\Temp\FlashPlayerUpdate01.exe
C:\Users\Nicky.000\AppData\Local\Temp\GLF7801.tmp.ConduitEngineSetup.exe
C:\Users\Nicky.000\AppData\Local\Temp\install_flashplayer11x64ax_gtbp_chra_aih[1].exe
C:\Users\Nicky.000\AppData\Local\Temp\install_reader10_uk_air_gtbp_chra_aih[1].exe
C:\Users\Nicky.000\AppData\Local\Temp\jre-6u21-windows-i586-iftw-rv.exe
C:\Users\Nicky.000\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\Nicky.000\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Users\Nicky.000\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\Nicky.000\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\Nicky.000\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
C:\Users\Nicky.000\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\Nicky.000\AppData\Local\Temp\jre-6u39-windows-i586-iftw.exe
C:\Users\Nicky.000\AppData\Local\Temp\prxGLF7801.tmp.tbElf_.dll
C:\Users\Nicky.000\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Richard\AppData\Local\Temp\0.6251192171251705.exe
C:\Users\Richard\AppData\Local\Temp\contentDATs.exe
C:\Users\Richard\AppData\Local\Temp\jre-6u20-windows-i586-iftw-rv.exe
C:\Users\Richard\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\Richard\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Users\Richard\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Richard\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Richard\AppData\Local\Temp\MSNA22A.exe
C:\Users\Richard\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Richard\AppData\Local\Temp\tbElf_.dll


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2011-04-27 02:56] - [2011-02-25 02:19] - 2871808 ____A (Microsoft Corporation) 332FEAB1435662FC6C672E25BEB37BE3

C:\Windows\System32\winlogon.exe
[2011-06-19 12:56] - [2010-11-20 09:25] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457

C:\Windows\System32\wininit.exe
[2009-07-13 19:52] - [2009-07-13 21:39] - 0129024 ____A (Microsoft Corporation) 94355C28C1970635A31B3FE52EB7CEBA

C:\Windows\System32\svchost.exe
[2009-07-13 19:31] - [2009-07-13 21:39] - 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D

C:\Windows\System32\services.exe
[2009-07-13 19:19] - [2009-07-13 21:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\User32.dll
[2011-06-19 12:56] - [2010-11-20 09:27] - 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B

C:\Windows\System32\userinit.exe
[2011-06-19 12:54] - [2010-11-20 09:25] - 0030720 ____A (Microsoft Corporation) BAFE84E637BF7388C96EF48D4D3FDD53

C:\Windows\System32\Drivers\volsnap.sys
[2011-06-19 12:55] - [2010-11-20 09:34] - 0295808 ____A (Microsoft Corporation) 0D08D2F3B3FF84E433346669B5E0F639


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

7
Restore point made on: 2013-09-24 05:21:06
Restore point made on: 2013-09-28 13:14:40
Restore point made on: 2013-09-29 12:52:12
Restore point made on: 2013-09-29 14:00:24
Restore point made on: 2013-10-02 06:25:18
Restore point made on: 2013-10-03 10:08:23
Restore point made on: 2013-10-04 15:25:42

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 2012.91 MB
Available physical RAM: 1693.25 MB
Total Pagefile: 1843.82 MB
Available Pagefile: 1778.93 MB
Total Virtual: 2047.88 MB
Available Virtual: 1988.76 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: (OS) (Fixed) (Total:287.33 GB) (Free:138.47 GB) NTFS
Drive i: (HITMANPRO) (Removable) (Total:1.86 GB) (Free:1.84 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
Drive y: (RECOVERY) (Fixed) (Total:10.69 GB) (Free:4.54 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: B8000000)
Partition 1: (Not Active) - (Size=71 MB) - (Type=DE)
Partition 2: (Active) - (Size=11 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=287 GB) - (Type=07 NTFS)

========================================================
Disk: 5 (Size: 2 GB) (Disk ID: 0BF5AEE6)
Partition 1: (Active) - (Size=2 GB) - (Type=0B)


LastRegBack: 2013-09-30 19:10

==================== End Of Log ============================


And the Result log

ListParts by Farbar Version: 10-05-2013
Ran by SYSTEM (administrator) on 09-10-2013 at 21:03:25
Windows XP (X86)
Running From: I:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 2012.91 MB
Available physical RAM: 1774.91 MB
Total Pagefile: 1843.82 MB
Available Pagefile: 1774.19 MB
Total Virtual: 2047.88 MB
Available Virtual: 2007.38 MB

======================= Partitions =========================

1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
2 Drive c: (OS) (Fixed) (Total:287.33 GB) (Free:138.47 GB) NTFS
7 Drive i: (HITMANPRO) (Removable) (Total:1.86 GB) (Free:1.84 GB) FAT32
8 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
9 Drive y: (RECOVERY) (Fixed) (Total:10.69 GB) (Free:4.54 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 71 MB 32 KB
Partition 2 Primary 11 GB 71 MB
Partition 3 Primary 287 GB 11 GB
======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 FAT Partition 71 MB Healthy
======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Y RECOVERY NTFS Partition 11 GB Healthy
======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C OS NTFS Partition 287 GB Healthy
======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: B8000000
Partition 1: (Not Active) - (Size=71 MB) - (Type=DE)
Partition 2: (Active) - (Size=11 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=287 GB) - (Type=07 NTFS)


****** End Of Log ******

Thanks, Pepper1
 

Attachments: Result.txt (3 KB), FRST.txt (21 KB)
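Reading a FRST log like the one above comes down to knowing which autorun locations and path patterns are abnormal. As an added, defender-side illustration (this is not code from the thread, from Farbar, or from FRST itself), the Python script below applies a few of those heuristics to lines copied from the posted log: it re-flags what FRST marked ATTENTION and adds reasons of its own, such as code living in the Recycle Bin, autoruns pointing into AppData, a Windows tool name (bitsadmin.exe) sitting outside the Windows directory, rundll32 loading a DLL by export name, and hex-only or dot-prefixed file names. The sample lines are constructed from the log above; the heuristics and the reason strings are an assumption of this example, not FRST's internal rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the FRST log posted above,
# mixing the entries FRST marked ATTENTION with ordinary, benign autoruns.
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8306208 2009-10-20] (Realtek Semiconductor)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$c6da8fd1bd562f3f34da9930f18fd71a\n. ATTENTION! ====> ZeroAccess?
HKU\Nicky\...\Run: [STManager] - "C:\Program Files (x86)\SpeedTouch\Dr SpeedTouch\drst.exe" -b
HKU\Richard\...\Run: [SetDefaultMIDI] - MIDIDef.exe
HKU\Richard\...\Run: [Dism.exe] - C:\Users\Richard\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.naiadexports.com\bitsadmin.exe
HKU\Richard\...\Run: [Canon] - RunDLL32.exe C:\Users\Richard\AppData\Local\Canon\nbytvyip.dll,fCGNEJjWTYNZfBYlsxdatTwGeXq <===== ATTENTION
HKU\Richard\...\Winlogon: [Shell] explorer.exe <==== ATTENTION
2013-10-05 22:49 - 2013-10-05 22:49 - 00004770 _____ C:\Windows\System32\.crusader
2013-10-05 21:27 - 2013-10-05 21:27 - 00116782 _____ C:\Users\Richard\AppData\Roaming\2433f433
2013-10-01 17:11 - 2013-10-01 17:11 - 00020553 _____ C:\Users\Richard\Documents\reference for suzanne.odt
"""

# Reason strings, kept as constants so callers can match on them.
# These heuristics are this example's own, not FRST's detection logic.
R_FRST = "flagged by FRST (ATTENTION marker)"
R_RECYCLE = "code loaded from the Recycle Bin"
R_APPDATA = "autorun executable under a user profile (AppData)"
R_TOOLNAME = "Windows tool name outside the Windows directory"
R_RUNDLL = "rundll32 loading a DLL by export name"
R_UNQUAL = "unqualified file name (resolved via search order)"
R_HEXNAME = "hex-only file name"
R_DOTFILE = "dot-prefixed file name (unusual on Windows)"

# Binaries whose names malware likes to borrow; the genuine ones live under C:\Windows.
SYSTEM_TOOL_NAMES = {"bitsadmin.exe", "dism.exe", "svchost.exe", "rundll32.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"

REG_LINE = re.compile(r"^HK(?:LM|U)\\.*?: \[(?P<name>[^\]]*)\] ?-? ?(?P<rest>.*)$")
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ \S+ "
    r"(?:\([^)]*\) )?(?P<path>[A-Za-z]:\\.*)$"
)
DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^,"]*')


@dataclass
class Finding:
    kind: str              # "registry" or "file"
    subject: str           # registry value name, or the file path
    path: Optional[str]    # executable/DLL path the entry points at, if any
    reasons: List[str]


def _clean_command(rest: str) -> str:
    """Strip FRST's trailing [size date] (company) info and its ATTENTION markers."""
    return re.split(r" \[[\d ]| <=+| ?ATTENTION", rest, maxsplit=1)[0].strip()


def _path_reasons(path: Optional[str], command: str) -> List[str]:
    """Heuristics on where an autorun entry's target lives."""
    reasons = []
    if path is None:
        if command:
            reasons.append(R_UNQUAL)
        return reasons
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if "\\$recycle.bin\\" in low:
        reasons.append(R_RECYCLE)
    if "\\appdata\\" in low and base.endswith((".exe", ".dll")):
        reasons.append(R_APPDATA)
    if base in SYSTEM_TOOL_NAMES and not low.startswith(WINDOWS_DIR):
        reasons.append(R_TOOLNAME)
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per registry or file line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reg = REG_LINE.match(line)
        if reg:
            command = _clean_command(reg.group("rest"))
            hit = DRIVE_PATH.search(command)
            path = hit.group(0).strip() if hit else None
            reasons = [R_FRST] if "ATTENTION" in line else []
            if "rundll32" in command.lower():
                reasons.append(R_RUNDLL)
            reasons += _path_reasons(path, command)
            if reasons:
                findings.append(Finding("registry", reg.group("name"), path, reasons))
            continue
        fil = FILE_LINE.match(line)
        if fil:
            path = fil.group("path")
            base = path.rsplit("\\", 1)[-1]
            reasons = []
            if re.fullmatch(r"[0-9a-f]{6,}", base.lower()):
                reasons.append(R_HEXNAME)
            if base.startswith("."):
                reasons.append(R_DOTFILE)
            if reasons:
                findings.append(Finding("file", path, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}\n    -> {'; '.join(f.reasons)}")
```

Run directly, the Realtek, SpeedTouch and .odt lines produce nothing, while the InprocServer32 entry pointing into the Recycle Bin, the two AppData autoruns and the Winlogon Shell value each come out with their reasons. This is triage only: it says which lines deserve a look, not what to remove; in the thread the actual fixlist is written by the helper from the complete log.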

kuttus

Now please download this file and save it to your Flash Drive.

[attachment=5876]

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Then attempt to boot to normal mode.
 

Attachment: fixlist.txt (3 KB)

pepper1

Hi, if you mean system recovery by pressing F10 that does not work. I can only enter F12 Boot options or F2 set up. Which one is best? Thanks, Pepper1
 

pepper1

Hi. I tried opening it in the Reatogo CD recovery mode, but it told me 'Looks like you don't know what you are doing' (I had to agree with it there) then when I tried reopening it I got a message 'file or directory C:/FRST is corrupt or unreadable. Please run Chkdsk utility.' So I gave up. I will await your reply. Many thanks, Pepper1
 

kuttus

Please delete everything from your Flash Drive and Start all over again...

Download OTLPENet.exe to your desktop
Download Farbar Recovery Scan Tool and save it to a flash drive.
Download List Parts and save it to the flash drive also.

Then please download this file and save it to your Flash Drive.

[attachment=5876]

Then, boot to system recovery (the same way you did to scan the computer on 10-10-2013), plug in your flash drive, open FRST and click Fix. Post the generated log. Then attempt to boot to normal mode.
 

pepper1

Hi, thanks again. I'm sorry, I don't think the attachment 5876 was attached, as I can't open it. Also, about the instruction 'post the generated log': is it obvious how to do this? How do you do this? Thanks, Pepper1
 

kuttus

Now you can download the attachment...
Did you save the file on your flash drive?
Did you open FRST and press Fix?
 

pepper1

Hi, I don't know what I'm doing wrong. I deleted all the files, I reloaded them. I put the attachment on the flash drive. But when I entered it on the infected PC I get the same messages as before: 'you don't know what you're doing / this application will exit / FRST is a corrupt file'. Any suggestions? Thanks, Pepper1
 

kuttus

Let's create a bootable HitmanPro Rescue Disk and run a scan:

STEP 1: Create a HitmanPro.Kickstart USB flash drive
  1. While you are using a "clean" (non-infected) computer, download HitmanPro from the link below.
     HITMANPRO DOWNLOAD LINK: http://www.surfright.nl/en/hitmanpro/ (This link will open a download page in a new window from where you can download HitmanPro.)
  2. Insert your USB flash drive into your computer and then follow the instructions from the video below:
     http://www.youtube.com/embed/aBS902Qr0oc?rel=0

STEP 2: Remove infection with HitmanPro.Kickstart
  1. After you have created the HitmanPro.Kickstart USB flash drive, you can insert this USB drive into the infected machine and start your computer.
  2. Once the computer starts, repeatedly tap the F11 key (on some machines it's F10 or F2), which should bring up the Boot Menu; from there you can select to boot from your USB.
     Next, you'll need to perform a system scan with HitmanPro as seen in the video below:
     http://www.youtube.com/embed/lUNHidkYsDQ?rel=0

pepper1

Hi, at the second attempt Hitman opened on the infected computer. (At the first attempt 'Startup Repair' opened on its own; I let this run, but it could not fix the PC.) When Hitman opened it came up with a message 'No internet connection' and aborted after 5 minutes. Any suggestions? Thanks! Pepper1.
 

kuttus

IMPORTANT:
You will need a flash drive with a size of 512 MB or bigger. Make sure that you do not leave anything important on the flash drive, as all data on it will be deleted during the following steps.


    • Download OTLPE.iso from one of the following links and save it to your Desktop mirror1 or mirror2
    • Download eeepcfr.zip from the following link and save it to your Desktop: the mirror
    • Finally, if you do not have a file archiver like 7-zip or Winrar installed, please download 7-zip from the following link and install it: the mirror
  1. Once you have 7-zip installed, decompress OTLPE.iso by right-clicking on the file and choosing the options shown in the picture below. Please use a dedicated folder, for example OTLPE, on your Desktop.

    OTLPE_7zip.jpg


  2. Please also decompress eeepcfr to your systemroot (usually C:\).
  3. Empty the flash drive you want to install OTLPE on.
  4. Go to C:\eeecpfr and double-click usb_prep8.cmd to launch it.
  5. Press any key when asked to in the black window that opens.
  6. As indicated in the image, make sure you have selected the correct flash drive, before proceeding.
    For Drive Label: type in OTLPE.
    Under Source Path to built BartPE/WinPE Files, click ... and select the folder OTLPE that you created on your Desktop.
    Finally, check Enable File Copy.
  7. Click on Start, accept the disclaimers and wait for the program to finish.

  • Reboot your system using the bootable flash drive you just created.
  • Note : If you do not know how to set your computer to boot from Flash drive follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location.
  • When asked Do you wish to load the remote registry, select Yes.
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes.
  • Ensure the box Automatically Load All Remaining Users is checked and press OK.
  • OTL should now start.
  • Check the boxes beside LOP Check and Purity Check.
  • Press the Run Scan button.
  • When finished, the report will be saved as C:\OTL.txt.
  • Copy this file to a USB drive if you do not have an internet connection on the system.
  • Please attach the content of OTL.txt in your next reply.
 

pepper1

Hi Kuttus, thank you very much for your patience with this issue. You have been an internet angel. I cannot get past step 1 with this. When I open PeToUSB it does not find the flash disc. I have emptied it completely. I have tried 2 different USB sticks. They are both large enough. I don't know what to do next.
Can I just check I am doing the correct things - I am loading these things onto my clean laptop.
I did not know what decompress to systemroot meant, but when I looked for c:\eeecpfr it was there, and opened fine - it just does not find my USB sticks.
Just for your information, mirror 1 and mirror 2 are broken links, but I found OTLPE on another site. Thanks, Pepper1.
 

pepper1

I suppose there is nothing else we can do? I have been without my PC for a long time and think I'd better bite the bullet and reformat everything. Thanks for your help in trying to fix this. Best wishes, Pepper1
 

kuttus

Oops. Sorry Pepper1, I missed your post...

Please try these steps...

Stage 1
  • Download Norton Bootable Recovery Tool from this link.
  • Save the Norton Bootable Recovery Tool on your computer Desktop.
  • After the download completes, open the file that you saved on the Desktop. It will start the Norton Download Manager as shown below.

    http://123pcworld.com/MalwareTips/DownloadManager.PNG
  • When the download finishes, the Norton Bootable Recovery Tool Wizard starts automatically.
  • In the Norton Bootable Recovery Tool Wizard, click Agree & Install to accept the User License Agreement.

    If you want to change the default install location, click Install Options, and then click Browse to locate the new install location.
  • Follow the on-screen instructions to create the Norton Bootable Recovery Tool on a CD/DVD media or USB key.

    http://123pcworld.com/MalwareTips/NBRT.PNG
  • By default it will select your CD/DVD writer; if it does not, select your CD/DVD writer and click Next...

    http://123pcworld.com/MalwareTips/NBRT-2.PNG
  • Now insert a blank CD/DVD into your CD/DVD writer and press OK. It will take some time to complete the bootable recovery drive creation.

    http://123pcworld.com/MalwareTips/NBRT-3.PNG


Stage 2
  • Insert the recovery media in the infected computer and start your computer from the recovery media. The recovery media can be a Norton Bootable Recovery Tool CD, DVD or USB key.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here.
  • Read the License Agreement, type your product key, and then click I Agree. (I will send you product key in PM )
  • In the Norton Bootable Recovery Tool window, click Norton Advanced Recovery Scan.
  • Click Start Scan.
  • When the scan finishes, remove the recovery media from the drive or USB port, and restart your computer.
