PCeu virus leading to an entire system crash

Harry

New Member
Thread author
May 11, 2013
8
I just wanted to say thanks in advance to all the people who give up their time to come and help here, I joined the forum because it looks like there have been so many great solutions.

My PC picked up the PCeu virus when I clicked on a google search engine news link in advanced search options earlier today.

After this, the PC would not let me start in safe mode, safe mode with networking, or safe mode with command prompt, in order to take the necessary steps to removal explained in other threads with the help of Farbar. When selecting any type of safe mode the computer will crash and go back to the beginning of reboot, despite me pressing F8 afterwards.

When pressing F8, as well as the safe mode options, I am also given these additional options : Enable boot logging, Enable low res video, Last known good configuration*, Directory services restore mode*, Debugging mode, Disable automatic restart on system failure*, Disable driver signature enforcement, Start windows normally*.
(* = Most of which I have tried and result in another system failure and reboot).

The only other option on the F8 menu is 'repair' and this is the only option that works. It sends me to the HP menu restore page with a few other options. These options include: 1) Microsoft system restore, 2) Microsoft startup repair tool, or 3) system recovery. After selecting 1), you are able to select a restore point which loads, but right at the end it says the restore has failed. Option 2) tells me I am already in startup repair. The only other option is 3), which I do not fully understand, because after it tells me that I will lose all of my information following restore, and would I like to save my information? - It either says that I have too much info to save, or when I select less it says that I have to burn it to a disk (F: drive), which will not fit over 50 GB in any case. It does not give me any different options other than F: drive for saving.

I would really like someone to explain to me how I can access the command prompt and use the farbar program as explained before, but I seem to have exhausted every option in order to do this.

I would really like to avoid the system restore because I know it will wipe everything. I really don't want to lose all our family pictures over the last 3 years.... but I know that it is an inevitability that I am going to anyway. Because I am pretty sure this problem cannot be solved. It has all happened so quickly. Any advice would be very appreciated. I would even pay for someone to come and look at my computer if anyone knows of a service or anyone who could get it fixed.

Thank you.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues; this may, or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Can you please try to run a scan with Farbar Recovery Scan Tool. You will need a USB (Flash) pendrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.
 

Harry

New Member
Thread author
May 11, 2013
8
Thanks very much Kuttus. By pressing the windows button at the bottom of the keyboard repeatedly as a last resort during reboot I managed to get through to the screen that allowed me to select the 'command prompt', since my last post.

This is the FRST.txt - It seems it has a very large amount to tell me...



Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-05-2013 01
Ran by SYSTEM on 12-05-2013 01:47:55
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [610360 2009-07-08] ()
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\Winlogon: [Userinit] C:\Windows\SysWOW64\userinit.exe, [26624 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-05-26] ()
HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-07-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HPCam_Menu] "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam" UpdateWithCreateOnce "Software\Hewlett-Packard\Media\Webcam" [218408 2009-02-25] (CyberLink Corp.)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [581480 2009-05-12] (Symantec Corporation)
HKLM-x32\...\Run: [UpdatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2009-12-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [948672 2009-12-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [Freecorder FLV Service] "C:\Program Files (x86)\Freecorder\FLVSrvc.exe" /run [167936 2011-03-23] (Applian Technologies, Inc.)
HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [371864 2012-04-05] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [Iminent] C:\Program Files (x86)\Iminent\Iminent.exe /warmup "F77F87E5-A6BD-4922-A530-EDF63D7E9F8C" [1074736 2013-04-25] (Iminent)
HKLM-x32\...\Run: [IminentMessenger] C:\Program Files (x86)\Iminent\Iminent.Messengers.exe [884784 2013-04-25] (Iminent)
HKU\Default\...\Run: [HPADVISOR] [x]
HKU\Default User\...\Run: [HPADVISOR] [x]
HKU\Magnall\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW [1689144 2010-06-29] (Hewlett-Packard)
HKU\Magnall\...\Run: [Optimizer Pro] C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe [81952 2012-10-30] (PC Utilities Pro)
HKU\Magnall\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Magnall\Documents\79bf9f2f.exe [30208 2013-05-11] ()
HKU\Magnall\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation)

==================== Services (Whitelisted) =================

S2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 MyWebSearchService; C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwssvc.exe [28762 2010-08-10] (MyWebSearch.com)
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\diMaster.dll [554288 2013-03-29] (Symantec Corporation)
S2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [1124184 2013-02-13] (Trusteer Ltd.)
S2 SProtection; C:\Program Files (x86)\Common Files\Umbrella\umbrella.exe [2795048 2013-04-24] (Iminent)
S2 SpyHunter 4 Service; C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1024384 2013-01-14] (Enigma Software Group USA, LLC.)
S2 WajamUpdater; C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe [109064 2013-03-28] (Wajam)
S2 ezSharedSvc; C:\Windows\System32\ezsvc7.dll [x]

==================== Drivers (Whitelisted) ====================

S1 acedrv09; C:\Windows\system32\drivers\acedrv09.sys [134880 2012-03-13] ()
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\BASHDefs\20130502.001\BHDrvx64.sys [1390680 2013-04-12] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-09-15] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2013-03-14] (Symantec Corporation)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2012-06-22] ()
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\VirusDefs\20130510.022\ENG64.SYS [126192 2013-03-14] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\VirusDefs\20130510.022\EX64.SYS [2087664 2013-03-14] (Symantec Corporation)
S3 nmwcdcx64; C:\Windows\System32\drivers\ccdcmbox64.sys [25088 2009-10-06] (Nokia)
S3 nmwcdx64; C:\Windows\System32\drivers\ccdcmbx64.sys [18944 2009-10-06] (Nokia)
S1 RapportCerberus_50414; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_50414.sys [585944 2013-03-14] ()
S1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [228760 2013-02-13] (Trusteer Ltd.)
S3 RapportIaso; c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso64.sys [175352 2013-03-14] (Trusteer Ltd.)
S1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [357272 2013-02-13] (Trusteer Ltd.)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2012-09-15] (Symantec Corporation)
S1 ccSet_NIS; \SystemRoot\system32\drivers\NISx64\1403010.016\ccSetx64.sys [x]
S1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\IPSDefs\20130503.001\IDSvia64.sys [x]
S0 RapportKE64; System32\Drivers\RapportKE64.sys [x]
S0 sr;
S1 SRTSP; \SystemRoot\System32\Drivers\NISx64\1403010.016\SRTSP64.SYS [x]
S1 SRTSPX; \SystemRoot\system32\drivers\NISx64\1403010.016\SRTSPX64.SYS [x]
S0 SymDS; system32\drivers\NISx64\1403010.016\SYMDS64.SYS [x]
S0 SymEFA; system32\drivers\NISx64\1403010.016\SYMEFA64.SYS [x]
S1 SymIRON; \SystemRoot\system32\drivers\NISx64\1403010.016\Ironx64.SYS [x]
S1 SymNetS; \SystemRoot\System32\Drivers\NISx64\1403010.016\SYMNETS.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-12 01:47 - 2013-05-12 01:47 - 00000000 ____D C:\FRST
2013-05-11 11:06 - 2013-05-11 11:06 - 01038447 ____A C:\Users\Magnall\AppData\Roaming\2433f433
2013-05-11 11:06 - 2013-05-11 11:06 - 01038410 ____A C:\ProgramData\2433f433
2013-05-11 11:06 - 2013-05-11 11:06 - 01038392 ____A C:\Users\Magnall\AppData\Local\2433f433
2013-05-11 11:06 - 2013-05-11 11:06 - 00030208 ____A C:\Users\Magnall\Documents\79bf9f2f.exe
2013-05-09 05:48 - 2013-05-09 05:48 - 00276232 ____A C:\Windows\Minidump\050913-74381-01.dmp
2013-05-01 14:58 - 2013-05-01 14:58 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\Optimizer Pro
2013-05-01 14:54 - 2013-05-11 23:35 - 00000000 ____D C:\Program Files (x86)\Wajam
2013-05-01 14:54 - 2013-05-11 11:59 - 00000000 ____A C:\end
2013-05-01 14:54 - 2013-05-01 14:54 - 00000000 ____D C:\Users\Magnall\AppData\Local\Wajam
2013-05-01 14:52 - 2013-05-11 23:35 - 00000000 ____D C:\Program Files (x86)\Optimizer Pro
2013-05-01 14:52 - 2013-05-01 14:52 - 00001024 ____A C:\Users\Magnall\Desktop\Optimizer Pro.lnk
2013-05-01 14:52 - 2013-05-01 14:52 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\Iminent
2013-05-01 14:51 - 2013-05-01 14:51 - 00000000 ____D C:\ProgramData\Iminent
2013-05-01 14:50 - 2013-05-01 14:51 - 00000620 ____A C:\Windows\SysWOW64\InstallUtil.InstallLog
2013-05-01 14:49 - 2013-05-11 23:35 - 00000000 ____D C:\Program Files (x86)\Iminent
2013-05-01 14:45 - 2012-09-12 06:20 - 00057856 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fssfltr.sys
2013-04-23 13:53 - 2013-04-23 13:53 - 00219575 ____A C:\Users\Magnall\Desktop\ACL reco_ hamstring graft results is hamstring tendonitis.htm
2013-04-23 13:53 - 2013-04-23 13:53 - 00000000 ____D C:\Users\Magnall\Desktop\ACL reco_ hamstring graft results is hamstring tendonitis_files
2013-04-23 11:08 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-20 08:16 - 2013-04-20 08:16 - 00276232 ____A C:\Windows\Minidump\042013-80012-01.dmp
2013-04-12 07:31 - 2013-04-12 07:31 - 00276232 ____A C:\Windows\Minidump\041213-55005-01.dmp

==================== One Month Modified Files and Folders =======

2013-05-12 01:47 - 2013-05-12 01:47 - 00000000 ____D C:\FRST
2013-05-12 01:35 - 2010-03-16 13:22 - 00000000 ____D C:\ProgramData\Recovery
2013-05-11 23:35 - 2013-05-01 14:54 - 00000000 ____D C:\Program Files (x86)\Wajam
2013-05-11 23:35 - 2013-05-01 14:52 - 00000000 ____D C:\Program Files (x86)\Optimizer Pro
2013-05-11 23:35 - 2013-05-01 14:49 - 00000000 ____D C:\Program Files (x86)\Iminent
2013-05-11 23:35 - 2012-12-12 10:48 - 00000000 ____D C:\Program Files\Windows Live
2013-05-11 23:35 - 2009-08-26 10:03 - 00000000 ____D C:\ProgramData\Norton
2013-05-11 23:34 - 2011-07-31 15:06 - 00000000 ____D C:\Users\Magnall\AppData\Local\FLVService
2013-05-11 23:34 - 2010-03-07 08:40 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\ArcSoft
2013-05-11 23:34 - 2009-12-22 13:01 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\ICAClient
2013-05-11 23:34 - 2009-12-21 05:09 - 00000000 ____D C:\Users\Magnall\AppData\Local\Hewlett-Packard
2013-05-11 23:34 - 2009-12-21 05:02 - 00000000 ____D C:\users\Magnall
2013-05-11 23:33 - 2010-08-12 23:15 - 00000000 ____D C:\Windows\Minidump
2013-05-11 12:00 - 2009-10-19 02:49 - 01262773 ____A C:\Windows\WindowsUpdate.log
2013-05-11 11:59 - 2013-05-01 14:54 - 00000000 ____A C:\end
2013-05-11 11:58 - 2009-12-23 14:31 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-11 11:57 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-11 11:57 - 2009-07-13 20:51 - 00069462 ____A C:\Windows\setupact.log
2013-05-11 11:06 - 2013-05-11 11:06 - 01038447 ____A C:\Users\Magnall\AppData\Roaming\2433f433
2013-05-11 11:06 - 2013-05-11 11:06 - 01038410 ____A C:\ProgramData\2433f433
2013-05-11 11:06 - 2013-05-11 11:06 - 01038392 ____A C:\Users\Magnall\AppData\Local\2433f433
2013-05-11 11:06 - 2013-05-11 11:06 - 00030208 ____A C:\Users\Magnall\Documents\79bf9f2f.exe
2013-05-11 11:03 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-11 11:03 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-11 10:55 - 2009-12-23 14:31 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-11 10:52 - 2012-06-27 09:44 - 00000340 ____A C:\Windows\Tasks\HPCeeScheduleForMagnall.job
2013-05-11 04:16 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-11 01:45 - 2009-12-22 02:39 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2013-05-11 01:44 - 2011-11-12 00:26 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-05-11 01:40 - 2009-12-22 02:38 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\HpUpdate
2013-05-11 01:40 - 2009-12-22 02:38 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\HP Support Assistant
2013-05-10 11:27 - 2010-10-04 13:13 - 00000000 ____D C:\Users\Magnall\AppData\Local\Windows Live
2013-05-09 05:48 - 2013-05-09 05:48 - 00276232 ____A C:\Windows\Minidump\050913-74381-01.dmp
2013-05-09 05:48 - 2010-08-12 23:15 - 414128006 ____A C:\Windows\MEMORY.DMP
2013-05-07 23:13 - 2010-01-25 09:56 - 00000362 ____A C:\Windows\Tasks\File Helper.job
2013-05-05 05:03 - 2012-07-30 09:16 - 00000000 ____D C:\Users\Magnall\Desktop\Courses
2013-05-02 14:50 - 2010-02-21 08:25 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\Skype
2013-05-01 14:58 - 2013-05-01 14:58 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\Optimizer Pro
2013-05-01 14:54 - 2013-05-01 14:54 - 00000000 ____D C:\Users\Magnall\AppData\Local\Wajam
2013-05-01 14:52 - 2013-05-01 14:52 - 00001024 ____A C:\Users\Magnall\Desktop\Optimizer Pro.lnk
2013-05-01 14:52 - 2013-05-01 14:52 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\Iminent
2013-05-01 14:51 - 2013-05-01 14:51 - 00000000 ____D C:\ProgramData\Iminent
2013-05-01 14:51 - 2013-05-01 14:50 - 00000620 ____A C:\Windows\SysWOW64\InstallUtil.InstallLog
2013-05-01 14:45 - 2009-12-22 11:45 - 00000000 ____D C:\Program Files (x86)\Windows Live
2013-05-01 14:38 - 2010-03-30 07:38 - 00000000 ____D C:\Users\Magnall\AppData\Local\CrashDumps
2013-05-01 14:16 - 2010-02-21 08:24 - 00000000 ____D C:\ProgramData\Skype
2013-05-01 14:15 - 2010-02-21 08:24 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-05-01 14:12 - 2009-12-22 12:49 - 00000000 ____D C:\Users\Magnall\Tracing
2013-04-30 10:37 - 2009-12-22 13:31 - 00000552 ____A C:\Windows\Tasks\PCDRScheduledMaintenance.job
2013-04-23 13:53 - 2013-04-23 13:53 - 00219575 ____A C:\Users\Magnall\Desktop\ACL reco_ hamstring graft results is hamstring tendonitis.htm
2013-04-23 13:53 - 2013-04-23 13:53 - 00000000 ____D C:\Users\Magnall\Desktop\ACL reco_ hamstring graft results is hamstring tendonitis_files
2013-04-20 08:16 - 2013-04-20 08:16 - 00276232 ____A C:\Windows\Minidump\042013-80012-01.dmp
2013-04-18 14:45 - 2010-03-12 13:42 - 00002481 ____A C:\Users\Magnall\Desktop\Norton Internet Security.lnk
2013-04-18 14:45 - 2009-08-26 10:03 - 00000000 ____D C:\Windows\System32\Drivers\NISx64
2013-04-12 07:31 - 2013-04-12 07:31 - 00276232 ____A C:\Windows\Minidump\041213-55005-01.dmp
2013-04-12 06:45 - 2013-04-23 11:08 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

Other Malware:
===========
C:\Users\Magnall\GoToAssistDownloadHelper.exe
C:\ProgramData\6874135.pad

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-23 23:15:10
Restore point made on: 2013-05-01 14:43:06
Restore point made on: 2013-05-01 14:44:35

==================== Memory info ===========================

Percentage of memory in use: 37%
Total physical RAM: 1790.43 MB
Available physical RAM: 1124.47 MB
Total Pagefile: 1790.43 MB
Available Pagefile: 1146.16 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (HP) (Fixed) (Total:285.06 GB) (Free:69.86 GB) NTFS (Disk=0 Partition=2)
Drive e: (FACTORY_IMAGE) (Fixed) (Total:12.93 GB) (Free:2.3 GB) NTFS (Disk=0 Partition=3) ==>[System with boot components (obtained from reading drive)]
Drive g: (FRONT USB R) (Removable) (Total:1.92 GB) (Free:0.06 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=285 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 2099962C)
Partition 1: (Not Active) - (Size=2 GB) - (Type=0E)


Last Boot: 2013-05-11 20:31

==================== End Of Log ============================
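The posted log already contains the answer a helper would read out of it: a Run value with a machine-generated name launching a hex-named executable created in the user's Documents folder on the day of the infection, with no publisher, and a per-user Winlogon Shell value that is not explorer.exe. As an added example (not part of the thread, and not code from FRST or its author), the Python script below parses the Registry section of an FRST log and scores each autostart entry against those heuristics. The sample lines are copied from the log above; the regexes, the seven-day "recent file" window, and the choice of heuristics are assumptions about what a reviewer looks for by hand, not anything FRST itself does.

```python
"""Triage the 'Registry (Whitelisted)' section of an FRST log.

Added example for this thread; not part of FRST. The heuristics (random-looking
names, user-writable paths, missing publisher, recent file date, non-default
Winlogon values) are assumptions about what a helper checks when reading the log.
"""
import re
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Iterator, List, Optional

# Constructed sample: lines copied from the FRST.txt posted above, benign and
# suspicious entries mixed, plus the section headers FRST emits.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)
HKLM-x32\...\Winlogon: [Userinit] C:\Windows\SysWOW64\userinit.exe, [26624 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-07-29] (Advanced Micro Devices, Inc.)
HKU\Default\...\Run: [HPADVISOR] [x]
HKU\Magnall\...\Run: [Optimizer Pro] C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe [81952 2012-10-30] (PC Utilities Pro)
HKU\Magnall\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Magnall\Documents\79bf9f2f.exe [30208 2013-05-11] ()
HKU\Magnall\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation)

==================== Services (Whitelisted) =================
"""

# One autostart line: hive\...\key: [value name] <command> [size date] (publisher)
ENTRY_RE = re.compile(r"^(?P<hive>HK[^:]*?)\\\.\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
DETAIL_RE = re.compile(r"^(?P<cmd>.*?) ?\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^)]*)\)$")
# First executable in the command, quoted or not, ending at a space, comma or end of line.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|bat|cmd))"?(?=[ ,]|$)', re.I)
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\(?:Documents|Desktop|Downloads|AppData)|ProgramData|Temp)\\", re.I)
RANDOM_NAME = re.compile(r"^[a-z0-9]{16,}$")        # e.g. qcgce2mrvjq91kk1e7pnbb19m52fx
HEX_STEM = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)  # e.g. 79bf9f2f.exe
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": "userinit.exe"}


@dataclass
class Finding:
    hive: str
    key: str
    name: str
    path: Optional[str] = None
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def registry_entries(log_text: str) -> Iterator[dict]:
    """Yield parsed entries from the Registry section only."""
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("===================="):
            in_section = "Registry" in line  # any other header ends the section
            continue
        m = ENTRY_RE.match(line) if in_section else None
        if m:
            yield m.groupdict()


def triage(log_text: str, scan_date: date, recent_days: int = 7) -> List[Finding]:
    """Return entries with at least one reason to look closer, worst first."""
    findings: List[Finding] = []
    for e in registry_entries(log_text):
        if e["rest"] == "[x]":
            continue  # target file no longer exists: dead entry, not an active autostart
        f = Finding(e["hive"], e["key"], e["name"])
        d = DETAIL_RE.match(e["rest"])
        if not d:
            f.reasons.append("unparseable entry")
            findings.append(f)
            continue
        x = EXE_RE.match(d["cmd"])
        f.path = x["path"] if x else d["cmd"]
        base = f.path.rsplit("\\", 1)[-1].lower()
        file_date = datetime.strptime(d["date"], "%Y-%m-%d").date()

        if e["key"].lower() == "winlogon":
            want = WINLOGON_DEFAULTS.get(e["name"].lower())
            if want and base != want:
                f.reasons.append(f"Winlogon {e['name']} is {base!r}, expected {want!r}")
            if e["hive"].upper().startswith("HKU"):
                f.reasons.append("per-user Winlogon value (not present by default)")
        if RANDOM_NAME.match(e["name"]):
            f.reasons.append("value name looks machine-generated")
        if HEX_STEM.match(base):
            f.reasons.append("file name is a bare hex string")
        if USER_WRITABLE.search(f.path):
            f.reasons.append("starts from a user-writable location")
        if not d["signer"]:
            f.reasons.append("no publisher recorded")
        if scan_date - file_date <= timedelta(days=recent_days):
            f.reasons.append(f"file dated {file_date}, within {recent_days} days of the scan")
        if f.reasons:
            findings.append(f)
    findings.sort(key=lambda f: -f.score)
    return findings


def triage_sample() -> List[Finding]:
    # "Ran by SYSTEM on 12-05-2013" in the posted log gives the scan date.
    return triage(SAMPLE_LOG, date(2013, 5, 12))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.score}] {f.hive}\\...\\{f.key} [{f.name}] -> {f.path}")
        for r in f.reasons:
            print("      -", r)
```

On the sample, the `79bf9f2f.exe` entry collects all five reasons and sorts to the top, the `Shell = cmd.exe` value is flagged for being both non-default and per-user, and the vendor entries (Realtek, ATI, the HKLM Userinit value) produce no findings. Entries reported as `[x]` are skipped because the file is gone; they are clutter to clean up later, not a running threat. The heuristics deliberately say nothing about adware such as Optimizer Pro or Wajam that installs under Program Files with a publisher name; that is a reputation question, not something a path-and-name check can decide.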
 


2013-05-12 01:47 - 2013-05-12 01:47 - 00000000 ____D C:\FRST
2013-05-11 11:06 - 2013-05-11 11:06 - 01038447 ____A C:\Users\Magnall\AppData\Roaming\2433f433
2013-05-11 11:06 - 2013-05-11 11:06 - 01038410 ____A C:\ProgramData\2433f433
2013-05-11 11:06 - 2013-05-11 11:06 - 01038392 ____A C:\Users\Magnall\AppData\Local\2433f433
2013-05-11 11:06 - 2013-05-11 11:06 - 00030208 ____A C:\Users\Magnall\Documents\79bf9f2f.exe
2013-05-09 05:48 - 2013-05-09 05:48 - 00276232 ____A C:\Windows\Minidump\050913-74381-01.dmp
2013-05-01 14:58 - 2013-05-01 14:58 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\Optimizer Pro
2013-05-01 14:54 - 2013-05-11 23:35 - 00000000 ____D C:\Program Files (x86)\Wajam
2013-05-01 14:54 - 2013-05-11 11:59 - 00000000 ____A C:\end
2013-05-01 14:54 - 2013-05-01 14:54 - 00000000 ____D C:\Users\Magnall\AppData\Local\Wajam
2013-05-01 14:52 - 2013-05-11 23:35 - 00000000 ____D C:\Program Files (x86)\Optimizer Pro
2013-05-01 14:52 - 2013-05-01 14:52 - 00001024 ____A C:\Users\Magnall\Desktop\Optimizer Pro.lnk
2013-05-01 14:52 - 2013-05-01 14:52 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\Iminent
2013-05-01 14:51 - 2013-05-01 14:51 - 00000000 ____D C:\ProgramData\Iminent
2013-05-01 14:50 - 2013-05-01 14:51 - 00000620 ____A C:\Windows\SysWOW64\InstallUtil.InstallLog
2013-05-01 14:49 - 2013-05-11 23:35 - 00000000 ____D C:\Program Files (x86)\Iminent
2013-05-01 14:45 - 2012-09-12 06:20 - 00057856 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fssfltr.sys
2013-04-23 13:53 - 2013-04-23 13:53 - 00219575 ____A C:\Users\Magnall\Desktop\ACL reco_ hamstring graft results is hamstring tendonitis.htm
2013-04-23 13:53 - 2013-04-23 13:53 - 00000000 ____D C:\Users\Magnall\Desktop\ACL reco_ hamstring graft results is hamstring tendonitis_files
2013-04-23 11:08 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-20 08:16 - 2013-04-20 08:16 - 00276232 ____A C:\Windows\Minidump\042013-80012-01.dmp
2013-04-12 07:31 - 2013-04-12 07:31 - 00276232 ____A C:\Windows\Minidump\041213-55005-01.dmp

==================== One Month Modified Files and Folders =======

2013-05-12 01:47 - 2013-05-12 01:47 - 00000000 ____D C:\FRST
2013-05-12 01:35 - 2010-03-16 13:22 - 00000000 ____D C:\ProgramData\Recovery
2013-05-11 23:35 - 2013-05-01 14:54 - 00000000 ____D C:\Program Files (x86)\Wajam
2013-05-11 23:35 - 2013-05-01 14:52 - 00000000 ____D C:\Program Files (x86)\Optimizer Pro
2013-05-11 23:35 - 2013-05-01 14:49 - 00000000 ____D C:\Program Files (x86)\Iminent
2013-05-11 23:35 - 2012-12-12 10:48 - 00000000 ____D C:\Program Files\Windows Live
2013-05-11 23:35 - 2009-08-26 10:03 - 00000000 ____D C:\ProgramData\Norton
2013-05-11 23:34 - 2011-07-31 15:06 - 00000000 ____D C:\Users\Magnall\AppData\Local\FLVService
2013-05-11 23:34 - 2010-03-07 08:40 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\ArcSoft
2013-05-11 23:34 - 2009-12-22 13:01 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\ICAClient
2013-05-11 23:34 - 2009-12-21 05:09 - 00000000 ____D C:\Users\Magnall\AppData\Local\Hewlett-Packard
2013-05-11 23:34 - 2009-12-21 05:02 - 00000000 ____D C:\users\Magnall
2013-05-11 23:33 - 2010-08-12 23:15 - 00000000 ____D C:\Windows\Minidump
2013-05-11 12:00 - 2009-10-19 02:49 - 01262773 ____A C:\Windows\WindowsUpdate.log
2013-05-11 11:59 - 2013-05-01 14:54 - 00000000 ____A C:\end
2013-05-11 11:58 - 2009-12-23 14:31 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-11 11:57 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-11 11:57 - 2009-07-13 20:51 - 00069462 ____A C:\Windows\setupact.log
2013-05-11 11:06 - 2013-05-11 11:06 - 01038447 ____A C:\Users\Magnall\AppData\Roaming\2433f433
2013-05-11 11:06 - 2013-05-11 11:06 - 01038410 ____A C:\ProgramData\2433f433
2013-05-11 11:06 - 2013-05-11 11:06 - 01038392 ____A C:\Users\Magnall\AppData\Local\2433f433
2013-05-11 11:06 - 2013-05-11 11:06 - 00030208 ____A C:\Users\Magnall\Documents\79bf9f2f.exe
2013-05-11 11:03 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-11 11:03 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-11 10:55 - 2009-12-23 14:31 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-11 10:52 - 2012-06-27 09:44 - 00000340 ____A C:\Windows\Tasks\HPCeeScheduleForMagnall.job
2013-05-11 04:16 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-11 01:45 - 2009-12-22 02:39 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2013-05-11 01:44 - 2011-11-12 00:26 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-05-11 01:40 - 2009-12-22 02:38 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\HpUpdate
2013-05-11 01:40 - 2009-12-22 02:38 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\HP Support Assistant
2013-05-10 11:27 - 2010-10-04 13:13 - 00000000 ____D C:\Users\Magnall\AppData\Local\Windows Live
2013-05-09 05:48 - 2013-05-09 05:48 - 00276232 ____A C:\Windows\Minidump\050913-74381-01.dmp
2013-05-09 05:48 - 2010-08-12 23:15 - 414128006 ____A C:\Windows\MEMORY.DMP
2013-05-07 23:13 - 2010-01-25 09:56 - 00000362 ____A C:\Windows\Tasks\File Helper.job
2013-05-05 05:03 - 2012-07-30 09:16 - 00000000 ____D C:\Users\Magnall\Desktop\Courses
2013-05-02 14:50 - 2010-02-21 08:25 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\Skype
2013-05-01 14:58 - 2013-05-01 14:58 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\Optimizer Pro
2013-05-01 14:54 - 2013-05-01 14:54 - 00000000 ____D C:\Users\Magnall\AppData\Local\Wajam
2013-05-01 14:52 - 2013-05-01 14:52 - 00001024 ____A C:\Users\Magnall\Desktop\Optimizer Pro.lnk
2013-05-01 14:52 - 2013-05-01 14:52 - 00000000 ____D C:\Users\Magnall\AppData\Roaming\Iminent
2013-05-01 14:51 - 2013-05-01 14:51 - 00000000 ____D C:\ProgramData\Iminent
2013-05-01 14:51 - 2013-05-01 14:50 - 00000620 ____A C:\Windows\SysWOW64\InstallUtil.InstallLog
2013-05-01 14:45 - 2009-12-22 11:45 - 00000000 ____D C:\Program Files (x86)\Windows Live
2013-05-01 14:38 - 2010-03-30 07:38 - 00000000 ____D C:\Users\Magnall\AppData\Local\CrashDumps
2013-05-01 14:16 - 2010-02-21 08:24 - 00000000 ____D C:\ProgramData\Skype
2013-05-01 14:15 - 2010-02-21 08:24 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-05-01 14:12 - 2009-12-22 12:49 - 00000000 ____D C:\Users\Magnall\Tracing
2013-04-30 10:37 - 2009-12-22 13:31 - 00000552 ____A C:\Windows\Tasks\PCDRScheduledMaintenance.job
2013-04-23 13:53 - 2013-04-23 13:53 - 00219575 ____A C:\Users\Magnall\Desktop\ACL reco_ hamstring graft results is hamstring tendonitis.htm
2013-04-23 13:53 - 2013-04-23 13:53 - 00000000 ____D C:\Users\Magnall\Desktop\ACL reco_ hamstring graft results is hamstring tendonitis_files
2013-04-20 08:16 - 2013-04-20 08:16 - 00276232 ____A C:\Windows\Minidump\042013-80012-01.dmp
2013-04-18 14:45 - 2010-03-12 13:42 - 00002481 ____A C:\Users\Magnall\Desktop\Norton Internet Security.lnk
2013-04-18 14:45 - 2009-08-26 10:03 - 00000000 ____D C:\Windows\System32\Drivers\NISx64
2013-04-12 07:31 - 2013-04-12 07:31 - 00276232 ____A C:\Windows\Minidump\041213-55005-01.dmp
2013-04-12 06:45 - 2013-04-23 11:08 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

Other Malware:
===========
C:\Users\Magnall\GoToAssistDownloadHelper.exe
C:\ProgramData\6874135.pad

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-23 23:15:10
Restore point made on: 2013-05-01 14:43:06
Restore point made on: 2013-05-01 14:44:35

==================== Memory info ===========================

Percentage of memory in use: 37%
Total physical RAM: 1790.43 MB
Available physical RAM: 1124.47 MB
Total Pagefile: 1790.43 MB
Available Pagefile: 1146.16 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (HP) (Fixed) (Total:285.06 GB) (Free:69.86 GB) NTFS (Disk=0 Partition=2)
Drive e: (FACTORY_IMAGE) (Fixed) (Total:12.93 GB) (Free:2.3 GB) NTFS (Disk=0 Partition=3) ==>[System with boot components (obtained from reading drive)]
Drive g: (FRONT USB R) (Removable) (Total:1.92 GB) (Free:0.06 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=285 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 2099962C)
Partition 1: (Not Active) - (Size=2 GB) - (Type=0E)


Last Boot: 2013-05-11 20:31

==================== End Of Log ============================
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Now please download this file and save it to your Flash Drive.

[attachment=4440]


Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Then attempt to boot to normal mode.
 

Attachments

  • fixlist.txt
    2.8 KB · Views: 96

Harry

New Member
Thread author
May 11, 2013
8
Hi Kuttus. Thank you again.

The System Recovery Options menu will no longer load today.

Yesterday I managed to get it after about 50 attempts, by pressing the windows button repeatedly during startup on one occasion. Today I can no longer get the System Recovery Options menu, where you select language US, and then command prompt.

Today all I am getting is a continual crash and reboot again, and the only option it gives on the 'HP menu' is full system recovery.

All I want is the System Recovery Options menu like I got yesterday on that one occasion, so that I can fix this.

Would anyone know of any way in which I can avoid the 'HP menu', and simply be able to select 'command prompt', on the System Recovery Options menu?

Thank you in advance.
 

Harry

New Member
Thread author
May 11, 2013
8
Ok.

I finally managed to get the command prompt again. Should I go through to notepad the same way I did before?

Are you saying I should only use FRST64 from here? What exactly must I do with the fixlist.txt in command prompt file? Nothing?

Thanks
 

Harry

New Member
Thread author
May 11, 2013
8
Hi Kuttus.

I followed the instruction and hit 'fix'. The computer will still not boot in normal or safe mode, and it crashes every time I try to do this. Do you know why this crashing would be happening constantly?

This is the generated log (many items say file not found but I don't know if this makes any difference):



Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-05-2013 01
Ran by SYSTEM at 2013-05-12 16:14:08 Run:1
Running from G:\
Boot Mode: Recovery
==============================================

HKEY_USERS\Magnall\Software\Microsoft\Windows\CurrentVersion\Run\\Optimizer Pro => Value deleted successfully.
HKEY_USERS\Magnall\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.
MyWebSearchService => Service deleted successfully.
WajamUpdater => Service deleted successfully.
C:\Users\Magnall\AppData\Roaming\2433f433 => Moved successfully.
C:\ProgramData\2433f433 => Moved successfully.
C:\Users\Magnall\AppData\Local\2433f433 => Moved successfully.
C:\Users\Magnall\Documents\79bf9f2f.exe => Moved successfully.
C:\Windows\Minidump\050913-74381-01.dmp => Moved successfully.
C:\Users\Magnall\AppData\Roaming\Optimizer Pro => Moved successfully.
C:\Program Files (x86)\Wajam => Moved successfully.
C:\Users\Magnall\AppData\Local\Wajam => Moved successfully.
C:\Program Files (x86)\Optimizer Pro => Moved successfully.
C:\Users\Magnall\Desktop\Optimizer Pro.lnk => Moved successfully.
C:\Users\Magnall\AppData\Roaming\Iminent => Moved successfully.
C:\ProgramData\Iminent => Moved successfully.
C:\Windows\Minidump\042013-80012-01.dmp => Moved successfully.
C:\Windows\Minidump\041213-55005-01.dmp => Moved successfully.
C:\Program Files (x86)\Wajam => File/Directory not found.
C:\Program Files (x86)\Optimizer Pro => File/Directory not found.
C:\Program Files (x86)\Iminent => Moved successfully.
C:\Users\Magnall\AppData\Roaming\2433f433 => File/Directory not found.
C:\ProgramData\2433f433 => File/Directory not found.
C:\Users\Magnall\AppData\Local\2433f433 => File/Directory not found.
C:\Users\Magnall\Documents\79bf9f2f.exe => File/Directory not found.
C:\Users\Magnall\AppData\Roaming\Optimizer Pro => File/Directory not found.
C:\Users\Magnall\AppData\Local\Wajam => File/Directory not found.
C:\Users\Magnall\Desktop\Optimizer Pro.lnk => File/Directory not found.
C:\Users\Magnall\AppData\Roaming\Iminent => File/Directory not found.
C:\ProgramData\Iminent => File/Directory not found.
C:\ProgramData\6874135.pad => Moved successfully.

==== End of Fixlog ====
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi Harry,

I am sorry for the late reply. I was away from my computer...

After the above fixes, is the computer starting up normally? Or are you getting any errors?
 

Harry

New Member
Thread author
May 11, 2013
8
The computer will not start up normally. It crashes when you select normal boot and then it reboots. It crashes during boot for every single option other than F8 'repair' (that brings up the menu with command prompt), or the other option where you don't press F8, which simply brings up the HP options menu where all you can do is select system recovery (which I want to avoid). Basically all I can get is a crash and reboot.

If you can suggest anything else I would be grateful.
 

Harry

New Member
Thread author
May 11, 2013
8
When I try to restore to an earlier point (via HP menu), it says failure to restore, and then makes a reference to the antivirus software that is running, which may be preventing it from restoring.

When trying to start any form of safe mode, I get an error message on a blue screen saying failure to boot (this is before windows is able to load) then the system crashes again and goes into another cycle of rebooting.
 
