Metropolitan Police Malware

Ceiron9

New Member
Thread author
Apr 3, 2013
8
Any help with this would be greatly appreciated. Thanks for your time.

P.S. I've clicked that I added an 'OTL' log and an 'aswMBR' log, but because I cannot use the laptop AT ALL, I cannot upload these!
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem.

May I know which Operating System you are using in the infected computer?
 

Ceiron9

New Member
Thread author
Apr 3, 2013
8
Hello! Thanks for your prompt reply, I'm using Vista, although I'm unaware whether it's home, business etc.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay No issues......

Please take note of the below:
  • I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.


Can you please try to run a scan with Farbar Recovery Scan Tool. You will need a USB (Flash) pendrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.
 

Ceiron9

New Member
Thread author
Apr 3, 2013
8
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2013 (ATTENTION: FRST version is 22 days old)
Ran by SYSTEM at 04-04-2013 06:48:42
Running from F:\
Windows Vista (TM) Home Premium Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6609440 2008-10-31] (Realtek Semiconductor)
HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2010-06-18] (Google)
HKLM\...\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [690720 2008-12-18] (Acer Incorporated)
HKLM\...\Run: [EgisTecLiveUpdate] "C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe" [199464 2008-10-27] (EgisTec Inc.)
HKLM\...\Run: [mwlDaemon] C:\Program Files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe [346672 2008-10-27] (EgisTec Inc.)
HKLM\...\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [28672 2008-04-25] ()
HKLM\...\Run: [PLFSetI] C:\Windows\PLFSetI.exe [200704 2008-07-29] ()
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13601312 2008-11-21] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2008-11-21] (NVIDIA Corporation)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1418536 2009-01-08] (Synaptics, Inc.)
HKLM\...\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav.exe" -run [1163264 2008-05-30] (AuthenTec, Inc.)
HKLM\...\Run: [VitaKeyPdtWzd] C:\Program Files\Acer\Acer Bio Protection\PdtWzd.exe [3679744 2008-10-16] (Egis Technology Inc.)
HKLM\...\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe [870920 2009-01-08] (Dritek System Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [248040 2010-02-17] (Sun Microsystems, Inc.)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [58656 2011-04-19] (Apple Inc.)
HKLM\...\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2008-10-31] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-06-19] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-21] (Adobe Systems Incorporated)
HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice [2054360 2009-09-10] (ESET)
HKLM\...\Run: [SSDMonitor] C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe [112600 2010-11-14] (PC Tools)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-23] (Apple Inc.)
HKLM\...\Run: [DATAMNGR] C:\PROGRA~1\SEARCH~1\Datamngr\DATAMN~1.EXE [1890744 2012-09-02] (Bandoo Media, inc)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKU\Roger\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\Roger\...\Run: [Malware Defense] "C:\Program Files\Malware Defense\mdefense.exe" -noscan [x]
HKU\Roger\...\Run: [settdebugx.exe] C:\Users\Roger\AppData\Local\Temp\settdebugx.exe [x]
HKU\Roger\...\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED [x]
HKU\Roger\...\Run: [Facebook Update] "C:\Users\Roger\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [x]
HKU\Roger\...\Run: [GameXN GO] "C:\ProgramData\GameXN\GameXNGO.exe" /startup [x]
HKU\Roger\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Roger\...\Winlogon: [Shell] explorer.exe,C:\Users\Roger\AppData\Roaming\skype.dat [94208 2011-11-18] ()
AppInit_DLLs: C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll C:\PROGRA~1\SEARCH~1\Datamngr\IEBHO.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
IMEO: [Debugger] svchost.exe
Lsa: [Notification Packages] C:\Program Files\Acer\Acer Bio Protection\PwdFilter
Startup: C:\Users\Roger\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HP SimpleSave Monitor.lnk
ShortcutTarget: HP SimpleSave Monitor.lnk -> (No File)

==================== Services (Whitelisted) ===================

2 BackupService; C:\Users\Roger\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe [83512 2010-06-30] (ArcSoft, Inc.)
2 BUNAgentSvc; "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe" [16384 2008-03-03] (NewTech Infosystems, Inc.)
3 EhttpSrv; "C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe" [20680 2009-09-10] (ESET)
2 ekrn; "C:\Program Files\ESET\ESET Smart Security\ekrn.exe" [735960 2009-09-10] (ESET)
2 ePowerSvc; C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [653856 2008-12-18] (Acer Incorporated)
3 GoogleDesktopManager-051210-111108; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [30192 2010-06-18] (Google)
2 gupdate1ca2176e45779a0; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2009-08-20] (Google Inc.)
2 IGBASVC; C:\Program Files\Acer\Acer Bio Protection\BASVC.exe [3602432 2008-10-16] ()
2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe -p [110592 2007-12-06] ()
2 MWLService; C:\Program Files\EgisTec\MyWinLocker 3\x86\\MWLService.exe [306736 2008-10-27] (EgisTec Inc.)
2 NTISchedulerSvc; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [131072 2008-04-25] ()
2 PCToolsSSDMonitorSvc; C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe [632792 2011-01-27] (PC Tools)
2 RichVideo; "C:\Program Files\Cyberlink\Shared files\RichVideo.exe" [272024 2007-01-08] ()
2 McNASvc; "c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe" [x]
2 McShield; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [x]
3 McSysmon; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [x]
2 MpfService; "C:\Program Files\McAfee\MPF\MPFSrv.exe" [x]
2 MSK80Service; "C:\Program Files\McAfee\MSK\MskSrver.exe" [x]

==================== Drivers (Whitelisted) ====================

0 AlfaFF; C:\Windows\System32\drivers\AlfaFF.sys [42608 2008-10-16] (Alfa Corporation)
3 ATSWPDRV; C:\Windows\System32\DRIVERS\ATSwpDrv.sys [146944 2008-05-30] (AuthenTec, Inc.)
1 DritekPortIO; \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys [20112 2006-11-02] (Dritek System Inc.)
2 eamon; C:\Windows\System32\DRIVERS\eamon.sys [116008 2009-09-10] (ESET)
1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [108792 2009-09-10] (ESET)
2 epfw; C:\Windows\System32\DRIVERS\epfw.sys [135048 2009-09-10] (ESET)
3 Epfwndis; C:\Windows\System32\DRIVERS\Epfwndis.sys [33096 2009-06-18] (ESET)
2 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [38240 2009-09-10] (ESET)
2 int15; \??\C:\Windows\system32\drivers\int15.sys [69632 2008-10-16] ()
2 mwlPSDFilter; C:\Windows\System32\DRIVERS\mwlPSDFilter.sys [19504 2008-10-09] (Egis Incorporated.)
2 mwlPSDNServ; C:\Windows\System32\DRIVERS\mwlPSDNServ.sys [16432 2008-10-09] (Egis Incorporated.)
2 mwlPSDVDisk; C:\Windows\System32\DRIVERS\mwlPSDVDisk.sys [59952 2008-10-09] (Egis Incorporated.)
3 b57nd60x; C:\Windows\System32\DRIVERS\b57nd60x.sys [x]
1 H8SRTd.sys; C:\Windows\system32\drivers\H8SRTxcgisnrpes.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 massfilter; C:\Windows\System32\drivers\massfilter.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 ZTEusbmdm6k; C:\Windows\System32\DRIVERS\ZTEusbmdm6k.sys [x]
3 ZTEusbnmea; C:\Windows\System32\DRIVERS\ZTEusbnmea.sys [x]
3 ZTEusbser6k; C:\Windows\System32\DRIVERS\ZTEusbser6k.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-04-04 06:48 - 2013-04-04 06:48 - 00000000 ___DC C:\FRST
2013-04-02 12:20 - 2013-04-03 12:44 - 00000004 ___AC C:\Users\Roger\AppData\Roaming\skype.ini
2013-03-14 09:09 - 2013-02-11 17:57 - 00015872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys
2013-03-13 10:10 - 2013-02-01 19:38 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-03-13 10:10 - 2013-02-01 19:30 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-03-13 10:10 - 2013-02-01 19:29 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-03-13 10:10 - 2013-02-01 19:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-03-13 10:10 - 2013-02-01 19:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-03-13 10:10 - 2013-02-01 19:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-03-13 10:10 - 2013-02-01 19:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-03-13 10:10 - 2013-02-01 19:25 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-03-13 10:10 - 2013-02-01 19:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-03-13 10:10 - 2013-02-01 19:23 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-03-13 10:10 - 2013-02-01 19:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-03-13 10:10 - 2013-02-01 19:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-03-13 09:04 - 2013-02-01 19:31 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-03-13 09:04 - 2013-02-01 19:30 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-03-13 09:03 - 2013-02-01 20:09 - 12321792 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-03-13 09:03 - 2013-02-01 19:42 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-03-11 08:06 - 2013-03-11 08:06 - 00018821 ____A C:\Users\Roger\Downloads\Jamies CV (2).docm

==================== One Month Modified Files and Folders ========

2013-04-04 06:48 - 2013-04-04 06:48 - 00000000 ___DC C:\FRST
2013-04-03 12:44 - 2013-04-02 12:20 - 00000004 ___AC C:\Users\Roger\AppData\Roaming\skype.ini
2013-04-03 12:35 - 2012-04-03 02:37 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-04-03 12:32 - 2006-11-02 04:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-03 12:32 - 2006-11-02 04:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-03 12:31 - 2009-08-20 20:10 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-04-03 12:31 - 2009-01-14 09:52 - 00000147 ____A C:\Windows\System32\agent.log
2013-04-03 12:30 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-03 12:00 - 2009-06-28 20:15 - 00000012 ____A C:\Windows\bthservsdp.dat
2013-04-03 12:00 - 2009-02-28 05:30 - 01086585 ____A C:\Windows\WindowsUpdate.log
2013-04-03 12:00 - 2006-11-02 05:01 - 00032618 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-04-03 11:16 - 2009-08-20 20:10 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-04-03 10:37 - 2011-11-10 22:18 - 00000254 ____A C:\Windows\Tasks\RMSchedule.job
2013-04-03 10:30 - 2011-12-24 00:49 - 00000928 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2308826561-886900448-1440512738-1000UA.job
2013-04-02 22:29 - 2013-01-10 09:00 - 00000680 ___AC C:\Users\Roger\AppData\Local\d3d9caps.dat
2013-04-02 13:20 - 2011-12-24 00:49 - 00000906 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2308826561-886900448-1440512738-1000Core.job
2013-04-02 11:44 - 2011-04-05 04:19 - 00000000 ____D C:\Users\Roger\AppData\Roaming\vlc
2013-04-01 03:39 - 2009-08-20 01:16 - 00000000 ____D C:\Users\Roger\AppData\Roaming\Skype
2013-03-24 03:03 - 2012-06-12 22:48 - 00000000 ____D C:\Users\Roger\AppData\Roaming\dvdcss
2013-03-18 06:54 - 2006-11-02 04:52 - 00112314 ____A C:\Windows\setupact.log
2013-03-13 10:34 - 2010-10-31 23:40 - 00000000 ___DC C:\Program Files\Microsoft Silverlight
2013-03-13 10:23 - 2006-11-02 02:24 - 69796088 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-03-12 11:35 - 2012-04-03 02:37 - 00693976 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-03-12 11:35 - 2012-04-03 02:37 - 00073432 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-03-11 08:06 - 2013-03-11 08:06 - 00018821 ____A C:\Users\Roger\Downloads\Jamies CV (2).docm

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2012-12-11 23:01] - [2012-08-21 03:47] - 0224640 ____A (Microsoft Corporation) 786DB5771F05EF300390399F626BF30A


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 1789.68 MB
Available physical RAM: 1484.3 MB
Total Pagefile: 1733.57 MB
Available Pagefile: 1601.49 MB
Total Virtual: 2047.88 MB
Available Virtual: 1966.31 MB

==================== Partitions =============================

1 Drive c: (ACER) (Fixed) (Total:144.05 GB) (Free:0.23 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DATA) (Fixed) (Total:144.04 GB) (Free:116.52 GB) NTFS
3 Drive e: (TAMARA_DREWE) (CDROM) (Total:7.56 GB) (Free:0 GB) UDF
4 Drive f: (ALEXDARBON) (Removable) (Total:3.72 GB) (Free:3.71 GB) FAT32
5 Drive x: (PQSERVICE) (Fixed) (Total:10 GB) (Free:0.97 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 3819 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 10 GB 32 KB
Partition 2 Primary 144 GB 10 GB
Partition 3 Primary 144 GB 154 GB

=========================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 X PQSERVICE NTFS Partition 10 GB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C ACER NTFS Partition 144 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D DATA NTFS Partition 144 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3812 MB 32 KB

=========================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F ALEXDARBON FAT32 Removable 3812 MB Healthy

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 3EACA526

Partition 1:
=========
Hex: 0001010027FEFFFF3F0000005B244001
Active: NO
Type: 27
Size: 10 GB

Partition 2:
=========
Hex: 8000C1FF07FEFFFF9A24400174780112
Active: YES
Type: 07 (NTFS)
Size: 144 GB

Partition 3:
=========
Hex: 0000C1FF07FEFFFF0E9D4113B3390112
Active: NO
Type: 07 (NTFS)
Size: 144 GB

==============================
Partitions of Disk 1:
===============
Disk ID: C47F60A1

Partition 1:
=========
Hex: 800101000BFE7FE53F00000066227700
Active: YES
Type: 0B
Size: 4 GB


Last Boot: 2013-04-03 12:37

==================== End Of Log ============================
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay Now please do the following.

Now please download this file and save it to your Flash Drive.


[attachment=4131]


Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Then attempt to boot to normal mode.
 

Attachments

  • fixlist.txt
    485 bytes · Views: 107

Ceiron9

New Member
Thread author
Apr 3, 2013
8
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2013
Ran by SYSTEM at 2013-04-04 07:03:50 Run:1
Running from F:\

==============================================

HKEY_USERS\Roger\Software\Microsoft\Windows\CurrentVersion\Run\\settdebugx.exe Value deleted successfully.
HKEY_USERS\Roger\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.
C:\Users\Roger\AppData\Roaming\skype.ini moved successfully.
C:\Users\Roger\AppData\Roaming\skype.ini not found.
C:\Users\Roger\AppData\Local\d3d9caps.dat moved successfully.

==== End of Fixlog ====
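The entries the scan above reported and the fix log then removed (the Winlogon Shell value chaining skype.dat after explorer.exe, the settdebugx.exe Run entry in the user's Temp folder, and the "IMEO" Debugger line, which is FRST's label for an Image File Execution Options entry) are exactly what a responder wants to pick out of an FRST log without reading every line. The script below is an added example, not part of this thread and not FRST's own code: it parses Registry-section lines in the format shown above and applies a few persistence heuristics. The sample lines are constructed from the log posted above; the heuristics, severity labels and function names (`parse_line`, `assess`, `triage`, `high_risk`) are this example's own assumptions.

```python
"""Triage FRST 'Registry (Whitelisted)' lines for common persistence abuse.

Added example for illustration; not part of FRST or of the thread above.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format FRST prints (taken from the posted log).
SAMPLE_LOG = r"""
HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice [2054360 2009-09-10] (ESET)
HKU\Roger\...\Run: [settdebugx.exe] C:\Users\Roger\AppData\Local\Temp\settdebugx.exe [x]
HKU\Roger\...\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED [x]
HKU\Roger\...\Winlogon: [Shell] explorer.exe,C:\Users\Roger\AppData\Roaming\skype.dat [94208 2011-11-18] ()
IMEO: [Debugger] svchost.exe
"""

# "<hive\...\Key>: [<value name>] <command> [<size> <date> | x] (<publisher>)"
ENTRY_RE = re.compile(r"^(?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
TAIL_RE = re.compile(
    r"^(?P<cmd>.*?)(?: \[(?P<meta>x|\d+ \d{4}-\d{2}-\d{2})\])?(?: \((?P<publisher>[^)]*)\))?$"
)
# First Windows path in the command, allowing spaces inside directory names.
PATH_RE = re.compile(
    r"[A-Za-z]:\\(?:[^\"\\,\[]+\\)*[^\"\\,\[]+?\.(?:exe|dll|dat|sys|cpl|scr|bat|cmd|vbs|js)",
    re.IGNORECASE,
)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\")
CODE_EXTENSIONS = (".exe", ".dll", ".cpl", ".scr")

Finding = Tuple[str, str]  # (severity, explanation)


def parse_line(line: str) -> Optional[dict]:
    """Split one FRST registry line into its parts; None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    tail = TAIL_RE.match(m["rest"])
    return {
        "where": m["where"],
        "key": m["where"].rsplit("\\", 1)[-1],  # "Run", "Winlogon", "IMEO", ...
        "name": m["name"],
        "cmd": tail["cmd"],
        "missing": tail["meta"] == "x",      # FRST prints [x] when the file is gone
        "publisher": tail["publisher"],      # "" means no version info, None if absent
    }


def assess(entry: dict) -> List[Finding]:
    """Apply heuristics for auto-start abuse (assumed rules, not FRST's)."""
    findings: List[Finding] = []
    cmd = entry["cmd"]
    path_match = PATH_RE.search(cmd)
    path = path_match.group(0) if path_match else None
    low = (path or "").lower()

    if entry["key"] == "Winlogon" and entry["name"] == "Shell" and cmd.lower() != "explorer.exe":
        findings.append(("high", "Winlogon Shell is not plain explorer.exe; another program is chained into the user's shell"))
    if entry["key"] == "IMEO" and entry["name"] == "Debugger":
        findings.append(("high", "Image File Execution Options Debugger set: '%s' starts in place of the target" % cmd))
    if path and any(d in low for d in USER_WRITABLE):
        findings.append(("high", "auto-start target lives in a user-writable profile directory: " + path))
    if path and not low.endswith(CODE_EXTENSIONS):
        findings.append(("medium", "auto-start target has a non-executable extension: " + path))
    if entry["missing"]:
        findings.append(("info", "orphaned entry: the referenced file no longer exists"))
    elif path and entry["publisher"] == "":
        findings.append(("low", "file carries no publisher/version information"))
    return findings


def triage(log_text: str) -> Dict[str, List[Finding]]:
    """Map each value name in the log to its findings (empty list = nothing odd)."""
    results: Dict[str, List[Finding]] = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            results[entry["name"]] = assess(entry)
    return results


def high_risk(log_text: str) -> List[str]:
    """Value names with at least one high-severity finding, sorted."""
    return sorted(name for name, f in triage(log_text).items() if any(sev == "high" for sev, _ in f))


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(name, "->", findings or "clean")
    print("high risk:", high_risk(SAMPLE_LOG))
```

Run against the constructed sample, the three entries the fixlist targeted come out as high risk while the ESET entry is clean and the stale uTorrent entry is only reported as orphaned. The heuristics are deliberately simple: legitimate software occasionally runs from AppData, so the output is a prioritised reading list for the responder, not a verdict.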
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Now try to start the computer back to Normal mode... Let me know after the reboot. We can try the rest of the troubleshooting after that.....
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay Cool... Let's complete the rest of the steps also.......

STEP 1: Run a HitmanPro scan
  • Download the latest official version of HitmanPro.
    HITMANPRO DOWNLOAD LINK: http://www.surfright.nl/en/hitmanpro/ (This link will open a download page in a new window from where you can download HitmanPro)
  • Start HitmanPro by double clicking on the previously downloaded file and then following the prompts.
    [Image: hitmanproscan4.png]
  • Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below. After reviewing each malicious object click Next.
    [Image: hitmanproscan5.png]
  • Click Activate free license to start the free 30 days trial and remove the malicious files.
    [Image: hitmanproscan6.png]
  • HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
Add to your next reply, any log that HitmanPro might generate.

You should be able to run both scans while in Normal mode...

STEP 2: Run a scan with Malwarebytes Anti-Malware in Chameleon mode
  • Download Malwarebytes Chameleon from http://downloads.malwarebytes.org/file/chameleon and extract it to a folder in a convenient location
  • Make certain that your PC is connected to the internet and then open the folder where you extracted Chameleon to and double-click on the Chameleon help file and then follow the onscreen instructions to use it.
  • If the Chameleon help file itself will not open, then double-click each file one by one until you find one that works, which will be indicated by a black DOS/command prompt window (Note: Do not attempt to open mbam-killer as that is not a Chameleon executable and serves a different purpose)
  • Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for you
  • Once it has done this, it will attempt to update Malwarebytes Anti-Malware, click OK when it says that the database was updated successfully
  • Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan
  • Upon completion of the scan, if anything has been detected, click on Show Result
  • Have Malwarebytes Anti-Malware remove any threats that are detected and click Yes if prompted to reboot your computer to allow the removal process to complete
  • After your computer restarts, open Malwarebytes Anti-Malware and perform a Full System scan to verify that there are no remaining threats
Please add both logs in your next reply.

STEP 3: Run a scan with AdwCleaner
  • Download AdwCleaner from the below link.
    ADWCLEANER DOWNLOAD LINK: http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner (This link will automatically download Security Check on your computer)
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete, then confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

STEP 4: Run a scan with Junkware Removal Tool

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply


 

Ceiron9

New Member
Thread author
Apr 3, 2013
8
How long should MBAM Chameleon take? It's taken about 15 minutes to 'kill known malicious processes'

Thanks.

EDIT: Not to worry, finally done that step. Am now doing the quick scan, will report back here shortly. Thanks for your help so far.
 

Ceiron9

New Member
Thread author
Apr 3, 2013
8
It's currently taken 9 hours for the MBAM full computer scan! It takes a very long time.

NO!!!!!!!!!!!! It crashed! :-( Just randomly crashed and said MBAM has stopped responding. -> wait for the program -> close the program

Damn it. Other logs in next reply.
 

Ceiron9

New Member
Thread author
Apr 3, 2013
8
Not enough characters in the post to let me paste all four.

Please refer to this weblink:

http://pastebin.com/YQh0AsvD
 
