Polistyran Virus (like FBI virus but Swedish Version)

prun

New Member
Thread author
Apr 3, 2013
3
Hi, I've hit a brick wall with this police scam virus. Have removed it once before with ease from another computer but this time, it appears to have embedded itself in a more destructive manner and I can't figure out how to get to it. Computer will not start in safe mode and the best I can get is the F key options prior to start up. I am not sure why it won't give me the option to boot from USB drive so basically, I feel there is nothing more I can do without some guidance. I didn't manage to do a scan as I'm not sure how to get my computer to read the Flash??

Any suggestions,

Tx,

P
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues; this may, or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
<hr />

Can you please try to run a scan with Farbar Recovery Scan Tool. You will need a USB (Flash) pendrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.
 

prun

New Member
Thread author
Apr 3, 2013
3
Hi, so I've managed to get this far, hope it helps. Thanks, P :

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2013 (ATTENTION: FRST version is 21 days old)
Ran by SYSTEM at 03-04-2013 18:17:05
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [192520 2010-10-12] (Trend Micro Inc.)
HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [322176 2012-02-16] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [174720 2011-10-24] (ASUS)
HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [2321072 2012-02-02] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [151952 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKU\Mikael\...\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED [1021840 2012-06-22] (BitTorrent, Inc.)
HKU\Mikael\...\Run: [Google Update] "C:\Users\Mikael\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-06-22] (Google Inc.)
HKU\Mikael\...\Run: [Spotify Web Helper] "C:\Users\Mikael\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-12-06] (Spotify Ltd)
HKU\Mikael\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18705664 2013-01-08] (Skype Technologies S.A.)
HKU\Mikael\...\Run: [DriverScanner] "C:\Program Files (x86)\Uniblue\DriverScanner\launcher.exe" delay 20000 [338848 2012-07-10] (Uniblue Systems Limited)
HKU\Mikael\...\Run: [Browser Infrastructure Helper] C:\Users\Mikael\AppData\Local\Smartbar\Application\SnapDo.exe startup [20992 2013-03-05] (Smartbar)
HKU\Mikael\...\Winlogon: [Shell] explorer.exe,C:\Users\Mikael\AppData\Roaming\skype.dat [102400 2013-03-20] ()
Tcpip\Parameters: [DhcpNameServer] 193.150.193.150 83.255.245.11
Startup: C:\ProgramData\Start Menu\Programs\Startup\FancyStart daemon.lnk
ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{C944B4C5-1C4D-4D95-8AC0-7CEF13914131}\_77B5857C27147149171BE7.exe ()
Startup: C:\Users\Mikael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Skärmurklipp och start för OneNote 2010.lnk
ShortcutTarget: Skärmurklipp och start för OneNote 2010.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

4 Atheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [138400 2011-03-13] (Atheros)
2 ATKGFNEXSrv; C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [96896 2011-11-21] (ASUS)
4 CLKMSVC10_38F51D56; "C:\Program Files (x86)\CyberLink\PowerDVD10\NavFilter\kmsvc.exe" /svc [241648 2011-04-20] (CyberLink)
4 TiMiniService; C:\Program Files\Trend Micro\Titanium\TiMiniService.exe [241488 2010-09-17] (Trend Micro Inc.)
4 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [x]

==================== Drivers (Whitelisted) =====================

1 ATKWMIACPIIO_; \??\C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [17536 2011-09-06] (ASUS)
3 kbfiltr; C:\Windows\System32\Drivers\kbfiltr.sys [15416 2009-07-20] ( )
3 Tdsshbecr; C:\Windows\System32\DRIVERS\shbecr.sys [50176 2008-09-28] (Todos Data System AB)
2 tmactmon; C:\Windows\System32\Drivers\tmactmon.sys [90704 2010-09-17] (Trend Micro Inc.)
2 tmcomm; C:\Windows\System32\Drivers\tmcomm.sys [144464 2010-09-17] (Trend Micro Inc.)
2 tmevtmgr; C:\Windows\System32\Drivers\tmevtmgr.sys [67664 2010-09-17] (Trend Micro Inc.)
1 tmtdi; C:\Windows\System32\Drivers\tmtdi.sys [105552 2010-09-17] (Trend Micro Inc.)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-04-03 18:16 - 2013-04-03 18:16 - 00000000 ____D C:\FRST
2013-03-20 11:00 - 2013-03-20 09:18 - 00102400 ___RA C:\Users\Mikael\AppData\Roaming\skype.dat
2013-03-20 09:34 - 2013-03-20 09:34 - 00003352 ____N C:\bootsqm.dat
2013-03-20 09:23 - 2013-03-20 13:36 - 00000004 ____A C:\Users\Mikael\AppData\Roaming\skype.ini
2013-03-20 07:42 - 2013-03-20 07:42 - 00002351 ____A C:\Users\Mikael\Desktop\Search.lnk
2013-03-19 12:19 - 2013-03-20 07:42 - 00000000 ____D C:\Users\Mikael\AppData\Local\Smartbar
2013-03-19 12:17 - 2013-03-19 12:17 - 00001241 ____A C:\Users\Public\Desktop\DVDVideoSoft Free Studio.lnk
2013-03-19 12:16 - 2013-03-19 12:16 - 00000000 ____D C:\ProgramData\Uniblue
2013-03-19 12:15 - 2013-03-20 13:46 - 00000342 ____A C:\Windows\Tasks\DriverScanner.job
2013-03-19 12:15 - 2013-03-19 12:15 - 00001191 ____A C:\Users\Public\Desktop\DriverScanner.lnk
2013-03-19 12:15 - 2013-03-19 12:15 - 00000000 ____D C:\Users\Mikael\AppData\Roaming\Uniblue
2013-03-19 12:15 - 2013-03-19 12:15 - 00000000 ____D C:\Program Files (x86)\Uniblue
2013-03-19 12:14 - 2013-03-19 12:14 - 00000000 ____D C:\Users\Mikael\AppData\Roaming\OpenCandy
2013-03-18 04:54 - 2013-03-18 04:54 - 00000000 ____D C:\Users\Mikael\AppData\Local\Adobe
2013-03-18 04:50 - 2013-03-20 13:34 - 00000990 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-03-18 04:50 - 2013-03-20 09:00 - 00000994 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-03-18 04:50 - 2013-03-18 04:50 - 00000000 ____D C:\ProgramData\Google
2013-03-18 04:50 - 2013-03-18 04:50 - 00000000 ____D C:\Program Files\Google
2013-03-18 04:50 - 2013-03-18 04:50 - 00000000 ____D C:\Program Files (x86)\Google
2013-03-18 04:49 - 2013-03-18 04:49 - 00002021 ____A C:\Users\Public\Desktop\Adobe Reader XI.lnk
2013-03-18 04:48 - 2013-03-19 12:21 - 00000000 ____D C:\ProgramData\Adobe
2013-03-17 12:07 - 2013-03-17 12:07 - 00000000 ____D C:\Users\Mikael\AppData\Local\{959F1B82-8ADA-40B3-8FED-B7C142DA09A4}
2013-03-15 00:26 - 2013-02-01 23:31 - 17815040 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-03-15 00:26 - 2013-02-01 22:58 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-03-15 00:26 - 2013-02-01 22:57 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-03-15 00:26 - 2013-02-01 22:48 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-03-15 00:26 - 2013-02-01 22:47 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-03-15 00:26 - 2013-02-01 22:47 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-03-15 00:26 - 2013-02-01 22:46 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-03-15 00:26 - 2013-02-01 22:43 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-03-15 00:26 - 2013-02-01 22:42 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-03-15 00:26 - 2013-02-01 22:42 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-03-15 00:26 - 2013-02-01 22:41 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-03-15 00:26 - 2013-02-01 22:40 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-03-15 00:26 - 2013-02-01 22:39 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-03-15 00:26 - 2013-02-01 22:38 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-03-15 00:26 - 2013-02-01 22:38 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-03-15 00:26 - 2013-02-01 22:34 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-03-15 00:26 - 2013-02-01 20:09 - 12321792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-03-15 00:26 - 2013-02-01 19:42 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-03-15 00:26 - 2013-02-01 19:38 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-03-15 00:26 - 2013-02-01 19:31 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-03-15 00:26 - 2013-02-01 19:30 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-03-15 00:26 - 2013-02-01 19:30 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-03-15 00:26 - 2013-02-01 19:29 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-03-15 00:26 - 2013-02-01 19:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-03-15 00:26 - 2013-02-01 19:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-03-15 00:26 - 2013-02-01 19:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-03-15 00:26 - 2013-02-01 19:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-03-15 00:26 - 2013-02-01 19:25 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-03-15 00:26 - 2013-02-01 19:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-03-15 00:26 - 2013-02-01 19:23 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-03-15 00:26 - 2013-02-01 19:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-03-15 00:26 - 2013-02-01 19:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-03-15 00:23 - 2013-03-15 00:23 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-03-15 00:23 - 2013-03-15 00:23 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-03-08 00:31 - 2013-03-08 00:31 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk
2013-03-06 06:23 - 2013-03-07 01:30 - 00000000 ____D C:\Users\Mikael\AppData\Local\{EE2978B1-1F90-4870-BA3E-33B36625CC80}

==================== One Month Modified Files and Folders =======

2013-04-03 18:16 - 2013-04-03 18:16 - 00000000 ____D C:\FRST
2013-03-20 13:46 - 2013-03-19 12:15 - 00000342 ____A C:\Windows\Tasks\DriverScanner.job
2013-03-20 13:46 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-20 13:46 - 2009-07-13 20:51 - 00091044 ____A C:\Windows\setupact.log
2013-03-20 13:36 - 2013-03-20 09:23 - 00000004 ____A C:\Users\Mikael\AppData\Roaming\skype.ini
2013-03-20 13:35 - 2012-08-29 03:07 - 00000868 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-03-20 13:34 - 2013-03-18 04:50 - 00000990 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-03-20 13:34 - 2012-06-22 06:48 - 00000000 ____D C:\Users\Mikael\AppData\Roaming\uTorrent
2013-03-20 13:34 - 2012-06-03 02:18 - 00000000 ___HD C:\ASUS.DAT
2013-03-20 13:34 - 2012-04-11 02:20 - 00045056 ____A C:\Windows\SysWOW64\acovcnt.exe
2013-03-20 13:18 - 2012-04-11 01:57 - 01593307 ____A C:\Windows\WindowsUpdate.log
2013-03-20 12:48 - 2011-02-18 19:49 - 00673156 ____A C:\Windows\System32\perfh01D.dat
2013-03-20 12:48 - 2011-02-18 19:49 - 00145266 ____A C:\Windows\System32\perfc01D.dat
2013-03-20 12:48 - 2009-07-13 21:13 - 01604140 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-20 09:42 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-20 09:42 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-20 09:34 - 2013-03-20 09:34 - 00003352 ____N C:\bootsqm.dat
2013-03-20 09:18 - 2013-03-20 11:00 - 00102400 ___RA C:\Users\Mikael\AppData\Roaming\skype.dat
2013-03-20 09:00 - 2013-03-18 04:50 - 00000994 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-03-20 08:29 - 2012-06-22 06:53 - 00001008 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3405421564-331882077-3349474539-1001UA.job
2013-03-20 07:42 - 2013-03-20 07:42 - 00002351 ____A C:\Users\Mikael\Desktop\Search.lnk
2013-03-20 07:42 - 2013-03-19 12:19 - 00000000 ____D C:\Users\Mikael\AppData\Local\Smartbar
2013-03-20 07:40 - 2012-10-08 15:32 - 00000000 ____D C:\Users\Mikael\AppData\Roaming\Skype
2013-03-20 04:29 - 2012-06-22 06:52 - 00000956 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3405421564-331882077-3349474539-1001Core.job
2013-03-19 12:21 - 2013-03-18 04:48 - 00000000 ____D C:\ProgramData\Adobe
2013-03-19 12:20 - 2011-10-20 01:30 - 00150674 ____A C:\Windows\PFRO.log
2013-03-19 12:18 - 2012-06-22 02:29 - 00000000 ____D C:\Users\Mikael\AppData\Roaming\DVDVideoSoft
2013-03-19 12:17 - 2013-03-19 12:17 - 00001241 ____A C:\Users\Public\Desktop\DVDVideoSoft Free Studio.lnk
2013-03-19 12:17 - 2012-06-22 02:30 - 00000000 ____D C:\Program Files (x86)\DVDVideoSoft
2013-03-19 12:16 - 2013-03-19 12:16 - 00000000 ____D C:\ProgramData\Uniblue
2013-03-19 12:15 - 2013-03-19 12:15 - 00001191 ____A C:\Users\Public\Desktop\DriverScanner.lnk
2013-03-19 12:15 - 2013-03-19 12:15 - 00000000 ____D C:\Users\Mikael\AppData\Roaming\Uniblue
2013-03-19 12:15 - 2013-03-19 12:15 - 00000000 ____D C:\Program Files (x86)\Uniblue
2013-03-19 12:14 - 2013-03-19 12:14 - 00000000 ____D C:\Users\Mikael\AppData\Roaming\OpenCandy
2013-03-18 05:20 - 2012-07-17 14:36 - 00000000 ____D C:\Users\Mikael\AppData\Local\CrashDumps
2013-03-18 04:54 - 2013-03-18 04:54 - 00000000 ____D C:\Users\Mikael\AppData\Local\Adobe
2013-03-18 04:54 - 2012-06-10 04:00 - 00000000 ____D C:\Users\Mikael\AppData\Roaming\Adobe
2013-03-18 04:50 - 2013-03-18 04:50 - 00000000 ____D C:\ProgramData\Google
2013-03-18 04:50 - 2013-03-18 04:50 - 00000000 ____D C:\Program Files\Google
2013-03-18 04:50 - 2013-03-18 04:50 - 00000000 ____D C:\Program Files (x86)\Google
2013-03-18 04:49 - 2013-03-18 04:49 - 00002021 ____A C:\Users\Public\Desktop\Adobe Reader XI.lnk
2013-03-18 04:49 - 2013-01-17 13:31 - 00000000 ____D C:\Program Files (x86)\Adobe
2013-03-17 12:07 - 2013-03-17 12:07 - 00000000 ____D C:\Users\Mikael\AppData\Local\{959F1B82-8ADA-40B3-8FED-B7C142DA09A4}
2013-03-15 01:31 - 2012-12-23 11:56 - 00000000 ____D C:\Windows\rescache
2013-03-15 00:37 - 2012-06-12 02:03 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-03-15 00:30 - 2012-07-08 03:10 - 72013344 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-03-15 00:23 - 2013-03-15 00:23 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-03-15 00:23 - 2013-03-15 00:23 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-03-14 04:15 - 2012-08-29 03:07 - 00693976 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-03-14 04:15 - 2012-08-29 03:07 - 00073432 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-03-10 16:36 - 2012-09-13 03:56 - 00000000 ____D C:\Users\Mikael\Desktop\Songs
2013-03-08 00:31 - 2013-03-08 00:31 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk
2013-03-08 00:31 - 2012-10-08 15:32 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-03-08 00:31 - 2012-10-08 15:31 - 00000000 ____D C:\ProgramData\Skype
2013-03-07 01:30 - 2013-03-06 06:23 - 00000000 ____D C:\Users\Mikael\AppData\Local\{EE2978B1-1F90-4870-BA3E-33B36625CC80}


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 3691.7 MB
Available physical RAM: 3135.11 MB
Total Pagefile: 3689.85 MB
Available Pagefile: 3124.38 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:128.18 GB) (Free:8.51 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DATA) (Fixed) (Total:144.91 GB) (Free:123.45 GB) NTFS
5 Drive g: (KINGSTON) (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 1909 MB 0 B

Partitions of Disk 0:
===============

Disk ID: 125FC5E1

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 25 GB 1024 KB
Partition 2 Primary 128 GB 25 GB
Partition 3 Primary 144 GB 153 GB

==================================================================================

Disk: 0
Partition 1
Type : 1C
Hidden: Yes
Active: No

There is no volume associated with this partition.

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C OS NTFS Partition 128 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D DATA NTFS Partition 144 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Disk ID: 00000000

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1905 MB 4032 KB

==================================================================================

Disk: 2
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G KINGSTON FAT Removable 1905 MB Healthy

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 125FC5E1

Partition 1:
=========
Hex: 002021001CFEFFFF0008000000002003
Active: NO
Type: 1C
Size: 25 GB

Partition 2:
=========
Hex: 80FEFFFF07FEFFFF0008200300B80510
Active: YES
Type: 07 (NTFS)
Size: 128 GB

Partition 3:
=========
Hex: 00FEFFFF07FEFFFF00C0251300281D12
Active: NO
Type: 07 (NTFS)
Size: 145 GB

==============================
Partitions of Disk 2:
===============
Disk ID: 00000000

Partition 1:
=========
Hex: 80010C0F060F60D3801F000080883B00
Active: YES
Type: 06
Size: 2 GB


Last Boot: 2013-03-15 01:24

==================== End Of Log =============================
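The entries the helper acts on next are all in the registry section of that log: the per-user Winlogon Shell value chains C:\Users\Mikael\AppData\Roaming\skype.dat after explorer.exe (Winlogon starts everything listed there at logon, in Safe Mode too, which fits the lockout described in the first post), one Run entry starts from AppData with no company string, and a DhcpNameServer value is present. A helper reads those by eye; the script below is an added example, not part of this thread or of FRST, that parses lines in FRST's registry format and flags the same three things. The sample log is constructed (an abridged copy of the shape above), and the list of user-writable locations and the severity labels are this example's own choices.

```python
import re
from typing import Dict, List

# Constructed sample: a few lines in the shape of the FRST
# "Registry (Whitelisted)" section posted above (abridged, not the full log).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [192520 2010-10-12] (Trend Micro Inc.)
HKU\Mikael\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18705664 2013-01-08] (Skype Technologies S.A.)
HKU\Mikael\...\Run: [Browser Infrastructure Helper] C:\Users\Mikael\AppData\Local\Smartbar\Application\SnapDo.exe startup [20992 2013-03-05] (Smartbar)
HKU\Mikael\...\Winlogon: [Shell] explorer.exe,C:\Users\Mikael\AppData\Roaming\skype.dat [102400 2013-03-20] ()
Tcpip\Parameters: [DhcpNameServer] 193.150.193.150 83.255.245.11

==================== Services (Whitelisted) ===================
"""

# "<key>: [<value name>] <data> [<size> <date>] (<company string>)"
LINE_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<value>[^\]]+)\] (?P<rest>.*)$")
TAIL_RE = re.compile(r"\s*\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]\s*\((?P<signer>[^)]*)\)\s*$")

# What Winlogon holds on a clean Windows 7 box; anything chained after it is a loader.
DEFAULTS = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe"}
# Locations a standard user can write to (assumed list); autostarts from here deserve a look.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")


def registry_section(text: str) -> List[str]:
    """Return only the non-empty lines of the 'Registry (Whitelisted)' section."""
    lines, inside = [], False
    for line in text.splitlines():
        if line.startswith("===================="):      # FRST section header
            inside = "Registry (Whitelisted)" in line
            continue
        if inside and line.strip():
            lines.append(line)
    return lines


def parse_entry(line: str) -> Dict[str, object]:
    """Split one FRST registry line into key, value name, data, size, date, signer."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    entry: Dict[str, object] = {"key": m["key"], "value": m["value"],
                                "signer": None, "size": None, "date": None}
    rest = m["rest"]
    tail = TAIL_RE.search(rest)
    if tail:                                              # "[size date] (company)" suffix
        entry.update(signer=tail["signer"], size=int(tail["size"]), date=tail["date"])
        rest = rest[: tail.start()]
    entry["data"] = rest.strip()
    return entry


def triage(text: str) -> List[Dict[str, str]]:
    """Flag Winlogon chaining, autostarts from user-writable paths, and pushed DNS servers."""
    findings = []
    for line in registry_section(text):
        e = parse_entry(line)
        if not e:
            continue
        key, value, data = str(e["key"]).lower(), str(e["value"]).lower(), str(e["data"])
        if key.endswith("winlogon") and value in DEFAULTS:
            parts = [p.strip() for p in data.split(",") if p.strip()]
            extra = [p for p in parts if p.lower() != DEFAULTS[value]]
            if extra:
                findings.append({"severity": "high", "key": str(e["key"]), "value": str(e["value"]),
                                 "reason": "Winlogon %s chains extra binary: %s" % (value, "; ".join(extra))})
        elif key.endswith(("run", "runonce")):
            reasons = []
            if any(marker in data.lower() for marker in USER_WRITABLE):
                reasons.append("runs from a user-writable location")
            if e["signer"] is not None and not str(e["signer"]).strip():
                reasons.append("no company string")
            if reasons:
                findings.append({"severity": "medium", "key": str(e["key"]), "value": str(e["value"]),
                                 "reason": ", ".join(reasons)})
        elif value == "dhcpnameserver":
            findings.append({"severity": "info", "key": str(e["key"]), "value": str(e["value"]),
                             "reason": "DNS servers handed to the client: %s (confirm they are your ISP's or router's)" % data})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s [%s]: %s" % (f["severity"].upper(), f["key"], f["value"], f["reason"]))
```

Run against the full FRST.txt the same way; the output for the sample is the Shell chain as high, the Smartbar Run entry as medium, and the DhcpNameServer value as info, which is the set of items the fixlist in the next post deals with, plus the adware entry that the later AdwCleaner step is for.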
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay Cool... This one will work... :) Nice job

Now please download this file and save it to your Flash Drive.

[attachment=4130]

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Then attempt to boot to normal mode.
 

Attachments

  • fixlist.txt (562 bytes)

prun

New Member
Thread author
Apr 3, 2013
3
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2013
Ran by SYSTEM at 2013-04-03 18:40:28 Run:1
Running from G:\

==============================================

HKEY_USERS\Mikael\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\\DhcpNameServer Value deleted successfully.
C:\Users\Mikael\AppData\Roaming\skype.dat moved successfully.
C:\Users\Mikael\AppData\Roaming\skype.ini moved successfully.
C:\Users\Mikael\AppData\Roaming\skype.ini not found.
C:\Users\Mikael\AppData\Roaming\skype.dat not found.

==== End of Fixlog ====

Looks good.. Thanks so much... Very much appreciated..

Much love,

P
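The log also printed the raw MBR partition entries for both disks. FRST includes them because lock-screen and bootkit infections sometimes live in the boot sector or a hidden partition, and a helper wants to see that the active flag sits on the OS volume and that the entries agree with the volume list. The decoder below is an added example, not code from this thread or from FRST; it takes the four 16-byte hex strings exactly as they appear in the log above, decodes boot flag, type, LBA start and sector count, and runs the consistency checks a helper would do by hand. The 512-byte sector size and the partial type-ID table are assumptions of this example.

```python
import struct
from typing import Dict, List

SECTOR_BYTES = 512  # assumed logical sector size; FRST's sizes line up with it here

# 16-byte MBR partition entries, copied from the "MBR Partition Table" section
# of the FRST log posted above.
DISK0 = [
    "002021001CFEFFFF0008000000002003",  # Partition 1
    "80FEFFFF07FEFFFF0008200300B80510",  # Partition 2
    "00FEFFFF07FEFFFF00C0251300281D12",  # Partition 3
]
DISK2 = ["80010C0F060F60D3801F000080883B00"]  # the KINGSTON flash drive

# Partial table of MBR partition type IDs (enough for this log; not exhaustive).
TYPE_NAMES = {
    0x05: "Extended", 0x06: "FAT16", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x17: "Hidden NTFS",
    0x1B: "Hidden FAT32", 0x1C: "Hidden FAT32 (LBA)", 0xEE: "GPT protective",
}


def decode_entry(hex16: str) -> Dict[str, object]:
    """Decode one 16-byte partition entry: boot flag, type, LBA start, sector count."""
    raw = bytes.fromhex(hex16)
    if len(raw) != 16:
        raise ValueError("an MBR partition entry is exactly 16 bytes")
    # layout: boot(1) CHS start(3) type(1) CHS end(3) LBA start(4, LE) sectors(4, LE)
    boot, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {
        "boot_flag": boot,
        "active": boot == 0x80,
        "type": ptype,
        "type_name": TYPE_NAMES.get(ptype, "unknown"),
        "lba_start": lba_start,
        "sectors": sectors,
        "offset_kib": lba_start * SECTOR_BYTES // 1024,
        "size_mib": sectors * SECTOR_BYTES / 2**20,
        "size_gib": round(sectors * SECTOR_BYTES / 2**30, 2),
    }


def check_table(entries: List[Dict[str, object]]) -> List[str]:
    """Sanity checks on a decoded table; an empty list means it is self-consistent."""
    problems = []
    for e in entries:
        if e["boot_flag"] not in (0x00, 0x80):          # only these two values are valid
            problems.append("invalid boot flag 0x%02X" % e["boot_flag"])
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        problems.append("expected exactly one active partition, found %d" % len(active))
    elif active[0]["type"] not in (0x06, 0x07, 0x0B, 0x0C):
        problems.append("active partition has unexpected type 0x%02X" % active[0]["type"])
    ordered = sorted(entries, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append("partition at LBA %d overlaps its predecessor" % b["lba_start"])
    return problems


if __name__ == "__main__":
    for label, table in (("Disk 0", DISK0), ("Disk 2", DISK2)):
        decoded = [decode_entry(h) for h in table]
        for i, e in enumerate(decoded, 1):
            print("%s partition %d: active=%s type=0x%02X (%s) offset=%d KiB size=%.2f GiB"
                  % (label, i, e["active"], e["type"], e["type_name"], e["offset_kib"], e["size_gib"]))
        print("%s checks: %s" % (label, check_table(decoded) or "consistent"))
```

For Disk 0 the decoded values reproduce what FRST listed: a hidden type 1C partition of 25 GB at a 1024 KB offset, the active NTFS partition of 128.18 GB, and a 144.91 GB NTFS partition that starts exactly where the previous one ends. The table is therefore consistent with the volume list; the boot code itself is not in the log, so this says nothing about the MBR's first 440 bytes.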
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay Cool... Let's complete the rest of the steps also.......

STEP 1: Run a HitmanPro scan
  • Download the latest official version of HitmanPro.
    HITMANPRO DOWNLOAD LINK: http://www.surfright.nl/en/hitmanpro/ (This link will open a download page in a new window from where you can download HitmanPro)
  • Start HitmanPro by double-clicking on the previously downloaded file, and then follow the prompts.
  • Once the scan is complete, a screen displaying all the malicious files that the program found will be shown. After reviewing each malicious object click Next.
  • Click Activate free license to start the free 30-day trial and remove the malicious files.
  • HitmanPro will now start removing the infected objects, and in some instances may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
Add to your next reply any log that HitmanPro might generate.
<hr />
You should be able to run both scans while in Normal mode...
STEP 2: Run a scan with Malwarebytes Anti-Malware in Chameleon mode

  • Download Malwarebytes Chameleon from http://downloads.malwarebytes.org/file/chameleon and extract it to a folder in a convenient location.
  • Make certain that your PC is connected to the internet, then open the folder where you extracted Chameleon to and double-click on the Chameleon help file, then follow the onscreen instructions to use it.
  • If the Chameleon help file itself will not open, then double-click each file one by one until you find one that works, which will be indicated by a black DOS/command prompt window (Note: Do not attempt to open mbam-killer as that is not a Chameleon executable and serves a different purpose).
  • Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for you.
  • Once it has done this, it will attempt to update Malwarebytes Anti-Malware; click OK when it says that the database was updated successfully.
  • Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan.
  • Upon completion of the scan, if anything has been detected, click on Show Results.
  • Have Malwarebytes Anti-Malware remove any threats that are detected and click Yes if prompted to reboot your computer to allow the removal process to complete.
  • After your computer restarts, open Malwarebytes Anti-Malware and perform a Full System scan to verify that there are no remaining threats.
Please add both logs in your next reply.

<hr />
STEP 3: Run a scan with AdwCleaner

  • Download AdwCleaner from the below link.
    ADWCLEANER DOWNLOAD LINK: http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner (This link will automatically download Security Check on your computer)
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete, then confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
<hr />
STEP 4: Run a scan with Junkware Removal Tool

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply


 