I got infected by the celas virus


This topic is locked. 11 replies to this topic.

#1 Rachel1234 (Members, 6 posts)

Posted 24 May 2012 - 03:48 PM

Hello, I have a serious problem.

I tried everything in my power to solve this problem and failed. I really need your help!

I got infected with the Celas virus; they want to make me pay a 50€ fine. Now I can't access my computer at all, only the BIOS. Operating system: Windows 7, 32 bit.

Guys, again, I really need your help...


#2 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts, Puerto Rico)

Posted 24 May 2012 - 11:52 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


Download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
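The step the thread later stumbles on is "replace letter e with the drive letter of your flash drive". One way to avoid guessing the letter, as an added example that is not part of Gringo's instructions or of FRST: have the recovery command prompt search the drive letters for FRST.exe and run it from whichever drive holds it. This assumes FRST.exe sits in the root of the flash drive, as the instructions above have you do, and that the letters C to L cover the drives present (X: is the recovery environment's own boot volume and is deliberately skipped). The `%d` form is for typing directly at the prompt; inside a saved .cmd file it would be `%%d`.

```batch
rem Added example for the System Recovery Options command prompt (not from the thread).
rem Walks drive letters C: to L: and runs FRST.exe from the first one that has it,
rem so the drive letter never has to be typed by hand.
rem Assumption of this example: FRST.exe is in the root of the flash drive.
for %d in (C D E F G H I J K L) do @if exist %d:\FRST.exe (echo FRST found on drive %d: & %d:\FRST.exe)
```

If the prompt reports that a letter you typed "is not recognized as an internal or external command", check the keyboard layout you selected when entering System Recovery Options; the thread below shows the "language" setting was the cause of exactly that error.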

#3 gringo_pr, Bleepin Gringo (Malware Response Team)

Posted 27 May 2012 - 11:13 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 Rachel1234 (Topic Starter)

Posted 29 May 2012 - 02:42 PM

We tried the instructions you provided and we came to the step: In the command window type e:\frst.exe and press Enter. Command prompt won't accept this command. It says: "f" is not recognized as an internal or external command, operable program or batch file.

#5 Rachel1234 (Topic Starter)

Posted 29 May 2012 - 02:58 PM

We fixed the problem; it was about language. We scanned the computer and will send the file in half an hour.

#6 Rachel1234 (Topic Starter)

Posted 29 May 2012 - 03:43 PM

Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 29-05-2012 02
Ran by SYSTEM at 29-05-2012 21:50:22
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Free USB Security] E:\programi\Free USB Disk Security\USBSecurity.exe [x]
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe [114992 2011-08-01] (SweetIM Technologies Ltd.)
HKLM\...\Run: [] [x]
HKLM\...\Run: [SearchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe" [983904 2012-04-23] (Spigot, Inc.)
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-11-03] (Advanced Micro Devices, Inc.)
HKU\Fabijan\...\Run: [BitTorrent] "E:\torrent\BitTorrent.exe" /MINIMIZED [x]
HKU\Fabijan\...\Run: [Google Update] "C:\Users\Fabijan\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-11-03] (Google Inc.)
HKU\Fabijan\...\Run: [Advanced SystemCare 5] "C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart [574296 2012-03-06] (IObit)
HKU\Fabijan\...\Run: [Google] C:\Users\Fabijan\AppData\Roaming\googleoez.exe [102400 2012-04-02] ()
HKU\Fabijan\...\Run: [DAEMON Tools Lite] "E:\programi\DAEMON Tools Lite\DTLite.exe" -autorun [x]
HKU\Fabijan\...\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent [1242448 2012-05-07] (Valve Corporation)
HKLM\...\Winlogon: [Shell] C:\Windows\Temp\elofqh\setup.exe [390051 2012-05-17] () ATTENTION! ====> Celas
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Rainmeter.lnk
ShortcutTarget: Rainmeter.lnk -> E:\programi\Rainmeter.exe (No File)
Startup: C:\Users\Fabijan\Start Menu\Programs\Startup\AeroRainbow.lnk
ShortcutTarget: AeroRainbow.lnk -> E:\programi\AeroRainbow\AeroRainbow.exe (No File)

================================ Services (Whitelisted) ==================

2 AdvancedSystemCareService5; C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe [913752 2012-03-14] (IObit)
2 AMD External Events Utility; C:\Windows\System32\atiesrxx.exe [176128 2011-10-16] (AMD)
2 AMService; C:\Windows\TEMP\nghsni\setup.exe run [59392 2012-05-08] () ATTENTION! ====> Celas
2 Application Updater; "C:\Program Files\Application Updater\ApplicationUpdater.exe" [785304 2012-04-23] (Spigot, Inc.)
2 hshld; C:\Program Files\Hotspot Shield\bin\openvpnas.exe [542040 2012-03-26] ()
2 HssSrv; C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe [363336 2012-03-26] (AnchorFree Inc.)
3 HssTrayService; C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE [77520 2012-03-26] ()
2 HssWd; C:\Program Files\Hotspot Shield\bin\hsswd.exe -product HSS [329544 2012-03-26] ()
2 IMFservice; C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe [820568 2011-07-20] (IObit)
3 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
2 MSSQL$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [29178224 2007-02-10] (Microsoft Corporation)
4 MSSQLServerADHelper; "C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [45272 2005-10-14] (Microsoft Corporation)
2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2012-02-14] ()
2 rtl8139; C:\Windows\System32\SetupNT.dll [5632 2009-07-13] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
4 SQLBrowser; "C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [242544 2007-02-10] (Microsoft Corporation)
2 SQLWriter; "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [89968 2007-02-09] (Microsoft Corporation)
3 StorSvc; C:\Windows\System32\storsvc.dll [16384 2009-07-13] (Microsoft Corporation)
2 AMD FUEL Service; C:\ATI.ACE\Fuel\Fuel.Service.exe /launchService [x]
4 msvsmon90; "C:\Visual Studio 2008 Professional Edition (x86 and x64 WoW) - DVD (English)\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon90 [x]

========================== Drivers (Whitelisted) =============

3 amdiox86; C:\Windows\System32\DRIVERS\amdiox86.sys [37944 2010-02-18] (Advanced Micro Devices)
3 amdkmdap; C:\Windows\System32\DRIVERS\atikmpag.sys [257024 2011-10-16] (Advanced Micro Devices, Inc.)
3 AtiHDAudioService; C:\Windows\System32\drivers\AtihdW73.sys [211984 2011-06-06] (Advanced Micro Devices)
3 atikmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [8598528 2011-10-16] (ATI Technologies Inc.)
0 AtiPcie; C:\Windows\System32\DRIVERS\AtiPcie.sys [14392 2010-06-17] (Advanced Micro Devices Inc.)
2 cpuz135; \??\C:\Windows\system32\drivers\cpuz135_x32.sys [21992 2010-11-09] (CPUID)
1 CSC; C:\Windows\System32\drivers\csc.sys [387584 2009-07-13] ()
1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [242240 2012-05-07] (DT Soft Ltd)
3 Ph3xIB32; C:\Windows\System32\DRIVERS\Ph3xIB32.sys [1311232 2009-07-13] (NXP Semiconductors)
3 RivaTuner32; \??\C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys [9088 2009-08-22] ()
3 RTCore32; \??\C:\Program Files\MSI Afterburner\RTCore32.sys [5632 2011-09-06] ()
0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [15672 2010-11-26] ()
3 usbfilter; C:\Windows\System32\DRIVERS\usbfilter.sys [41600 2011-08-17] (Advanced Micro Devices)
2 AODDriver4.01; \??\E:\ATI.ACE\Fuel\i386\AODDriver2.sys [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: rtl8139

============ One Month Created Files and Folders ==============

2012-05-29 21:50 - 2012-05-29 21:50 - 0000000 ____D C:\FRST
2012-05-17 13:01 - 2012-05-17 13:01 - 0065536 __ASH C:\Windows\System32\config\COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.blf
2012-05-17 12:22 - 2012-05-17 12:28 - 0295434 ____A C:\Windows\ntbtlog.txt
2012-05-17 12:16 - 2012-05-17 12:16 - 0000304 ____A C:\Windows\PFRO.log
2012-05-14 20:21 - 2012-05-14 20:22 - 0000000 ____D C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
2012-05-14 20:09 - 2012-05-17 14:38 - 0000504 ____A C:\Windows\setupact.log
2012-05-14 20:09 - 2012-05-14 20:09 - 0000000 ____A C:\Windows\setuperr.log
2012-05-14 19:51 - 2012-05-14 19:51 - 0000000 ____D C:\Program Files\Geeks3D
2012-05-14 19:45 - 2012-05-16 19:08 - 0000000 ____D C:\Program Files\MSI Afterburner
2012-05-14 19:45 - 2012-05-14 19:45 - 0001044 ____A C:\Users\Fabijan\Desktop\MSI Afterburner.lnk
2012-05-14 19:42 - 2012-05-14 19:42 - 0000000 ____D C:\Program Files\MSI Kombustor 2.3
2012-05-14 19:38 - 2012-05-14 19:38 - 0001083 ____A C:\Users\Public\Desktop\CPUID HWMonitor.lnk
2012-05-14 19:38 - 2012-05-14 19:38 - 0000000 ____D C:\Program Files\CPUID
2012-05-14 19:38 - 2010-11-09 04:35 - 0021992 ____A (CPUID) C:\Windows\System32\Drivers\cpuz135_x32.sys
2012-05-14 19:37 - 2012-05-14 19:37 - 3579408 ____A ( ) C:\Users\Fabijan\Desktop\hwmonitor_1.17-setup.exe
2012-05-14 19:36 - 2012-05-14 19:45 - 0000000 ____D C:\Windows\System32\directx
2012-05-14 19:36 - 2012-05-14 19:36 - 0001032 ____A C:\Users\Fabijan\Desktop\EVGA Precision.lnk
2012-05-14 19:36 - 2012-05-14 19:36 - 0000000 ____D C:\Program Files\EVGA Precision
2012-05-14 19:24 - 2012-05-14 19:24 - 0000965 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-05-14 19:23 - 2012-05-14 19:24 - 0000000 ____D C:\Program Files\CCleaner
2012-05-14 14:07 - 2012-05-14 14:07 - 0000000 ____D C:\Users\All Users\ATI
2012-05-14 14:05 - 2012-05-14 14:05 - 0018349 ____A C:\Windows\System32\CCCInstall_201205150005267675.log
2012-05-14 12:20 - 2012-05-14 12:20 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-12 18:33 - 2012-05-14 10:15 - 0000000 ____D C:\Users\Fabijan\Desktop\kremic place
2012-05-08 02:15 - 2012-05-08 02:16 - 0000000 ____D C:\Users\Fabijan\AppData\Local\SniperV2
2012-05-08 02:14 - 2012-05-08 02:14 - 0000000 ____D C:\Users\Fabijan\AppData\Local\SKIDROW
2012-05-08 02:13 - 2012-05-08 02:13 - 0000884 ____A C:\Users\Public\Desktop\Sniper Elite V2.lnk
2012-05-07 11:35 - 2012-05-07 11:36 - 0000000 ____D C:\Users\Fabijan\AppData\Local\SniperV2 Demo
2012-05-07 09:59 - 2012-05-07 09:59 - 0000216 ____A C:\Users\Fabijan\Desktop\Sniper Elite V2 Demo.url
2012-05-07 09:51 - 2012-05-15 08:54 - 0000000 ____D C:\Program Files\Steam
2012-05-07 09:51 - 2012-05-07 09:51 - 0000875 ____A C:\Users\Public\Desktop\Steam.lnk
2012-05-07 09:51 - 2012-05-07 09:51 - 0000000 ____D C:\Program Files\Common Files\Steam
2012-05-07 08:54 - 2012-05-14 19:24 - 0000000 ____D C:\Users\Fabijan\AppData\Roaming\DAEMON Tools Lite
2012-05-07 08:54 - 2012-05-07 08:54 - 0242240 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys
2012-05-07 08:54 - 2012-05-07 08:54 - 0000785 ____A C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
2012-05-07 08:53 - 2012-05-07 08:53 - 0001112 ____A C:\Users\Public\Desktop\Hotspot Shield Launch.lnk
2012-05-07 08:53 - 2012-05-07 08:53 - 0000000 ____D C:\Users\All Users\Hotspot Shield
2012-05-07 08:52 - 2012-05-07 08:57 - 0000000 ____D C:\Users\All Users\DAEMON Tools Lite
2012-05-07 08:50 - 2012-05-07 08:53 - 0000000 ____D C:\Program Files\Hotspot Shield
2012-05-07 08:50 - 2012-05-07 08:53 - 0000000 ____D C:\Hotspot Shield
2012-05-07 08:41 - 2012-05-07 08:41 - 0001769 ____A C:\Users\Fabijan\Desktop\MagicISO.lnk
2012-05-07 08:41 - 2012-05-07 08:41 - 0000000 ____D C:\Program Files\MagicISO
2012-05-07 08:39 - 2012-05-17 14:38 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-05-07 08:38 - 2012-05-07 08:38 - 0000000 ____D C:\Users\Fabijan\AppData\Roaming\Google
2012-05-07 08:38 - 2012-04-02 12:17 - 0102400 ____A C:\Users\Fabijan\AppData\Roaming\googleoez.exe
2012-05-04 03:59 - 2012-05-04 03:59 - 0000000 ____D C:\Program Files\IObit Toolbar
2012-05-04 03:59 - 2012-05-04 03:59 - 0000000 ____D C:\Program Files\Common Files\Spigot
2012-05-04 03:59 - 2012-05-04 03:59 - 0000000 ____D C:\Program Files\Application Updater

============ 3 Months Modified Files and Folders ===============

2012-05-29 21:50 - 2012-05-29 21:50 - 0000000 ____D C:\FRST
2012-05-17 14:38 - 2012-05-14 20:09 - 0000504 ____A C:\Windows\setupact.log
2012-05-17 14:38 - 2012-05-07 08:39 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-05-17 14:38 - 2012-01-26 12:18 - 0000934 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-05-17 14:38 - 2011-11-04 12:35 - 2616057856 __ASH C:\hiberfil.sys
2012-05-17 14:38 - 2011-11-03 20:56 - 0000000 ____D C:\users\Fabijan
2012-05-17 14:38 - 2009-07-13 20:53 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-05-17 14:07 - 2011-11-04 04:54 - 0792124 ____A C:\Windows\System32\PerfStringBackup.INI
2012-05-17 13:58 - 2011-11-03 22:02 - 0000966 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3944905931-36856565-1905732250-1000UA.job
2012-05-17 13:43 - 2012-01-26 12:18 - 0000938 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-05-17 13:43 - 2011-11-04 12:38 - 1751871 ____A C:\Windows\WindowsUpdate.log
2012-05-17 13:01 - 2012-05-17 13:01 - 0065536 __ASH C:\Windows\System32\config\COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.blf
2012-05-17 12:28 - 2012-05-17 12:22 - 0295434 ____A C:\Windows\ntbtlog.txt
2012-05-17 12:16 - 2012-05-17 12:16 - 0000304 ____A C:\Windows\PFRO.log
2012-05-17 11:55 - 2011-11-03 22:02 - 0000914 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3944905931-36856565-1905732250-1000Core.job
2012-05-16 19:09 - 2011-11-03 22:45 - 0140800 ____A C:\Windows\System32\Drivers\PnkBstrK.sys
2012-05-16 19:08 - 2012-05-14 19:45 - 0000000 ____D C:\Program Files\MSI Afterburner
2012-05-16 19:08 - 2011-11-03 22:47 - 0283304 ____A C:\Windows\System32\PnkBstrB.xtr
2012-05-16 19:08 - 2011-11-03 22:45 - 0283304 ____A C:\Windows\System32\PnkBstrB.exe
2012-05-16 18:08 - 2011-11-03 21:28 - 0000000 ____D C:\Users\Fabijan\AppData\Roaming\BitTorrent
2012-05-16 16:39 - 2011-11-03 22:45 - 0283304 ____A C:\Windows\System32\PnkBstrB.ex0
2012-05-15 08:54 - 2012-05-07 09:51 - 0000000 ____D C:\Program Files\Steam
2012-05-14 20:22 - 2012-05-14 20:21 - 0000000 ____D C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
2012-05-14 20:09 - 2012-05-14 20:09 - 0000000 ____A C:\Windows\setuperr.log
2012-05-14 20:09 - 2011-10-13 17:04 - 0000000 __SHD C:\Config.Msi
2012-05-14 19:51 - 2012-05-14 19:51 - 0000000 ____D C:\Program Files\Geeks3D
2012-05-14 19:45 - 2012-05-14 19:45 - 0001044 ____A C:\Users\Fabijan\Desktop\MSI Afterburner.lnk
2012-05-14 19:45 - 2012-05-14 19:36 - 0000000 ____D C:\Windows\System32\directx
2012-05-14 19:42 - 2012-05-14 19:42 - 0000000 ____D C:\Program Files\MSI Kombustor 2.3
2012-05-14 19:38 - 2012-05-14 19:38 - 0001083 ____A C:\Users\Public\Desktop\CPUID HWMonitor.lnk
2012-05-14 19:38 - 2012-05-14 19:38 - 0000000 ____D C:\Program Files\CPUID
2012-05-14 19:37 - 2012-05-14 19:37 - 3579408 ____A ( ) C:\Users\Fabijan\Desktop\hwmonitor_1.17-setup.exe
2012-05-14 19:36 - 2012-05-14 19:36 - 0001032 ____A C:\Users\Fabijan\Desktop\EVGA Precision.lnk
2012-05-14 19:36 - 2012-05-14 19:36 - 0000000 ____D C:\Program Files\EVGA Precision
2012-05-14 19:24 - 2012-05-14 19:24 - 0000965 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-05-14 19:24 - 2012-05-14 19:23 - 0000000 ____D C:\Program Files\CCleaner
2012-05-14 19:24 - 2012-05-07 08:54 - 0000000 ____D C:\Users\Fabijan\AppData\Roaming\DAEMON Tools Lite
2012-05-14 19:24 - 2011-11-04 13:34 - 0000000 ____D C:\Windows\Panther
2012-05-14 19:18 - 2009-07-13 20:34 - 0014112 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-05-14 19:18 - 2009-07-13 20:34 - 0014112 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-05-14 14:07 - 2012-05-14 14:07 - 0000000 ____D C:\Users\All Users\ATI
2012-05-14 14:06 - 2011-12-07 10:57 - 0000000 ____D C:\Program Files\ATI Technologies
2012-05-14 14:05 - 2012-05-14 14:05 - 0018349 ____A C:\Windows\System32\CCCInstall_201205150005267675.log
2012-05-14 13:48 - 2009-11-04 13:25 - 0000000 ____D C:\AMD
2012-05-14 12:20 - 2012-05-14 12:20 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-14 10:15 - 2012-05-12 18:33 - 0000000 ____D C:\Users\Fabijan\Desktop\kremic place
2012-05-09 14:36 - 2011-11-04 13:29 - 0000000 ____D C:\Windows.old
2012-05-08 02:16 - 2012-05-08 02:15 - 0000000 ____D C:\Users\Fabijan\AppData\Local\SniperV2
2012-05-08 02:14 - 2012-05-08 02:14 - 0000000 ____D C:\Users\Fabijan\AppData\Local\SKIDROW
2012-05-08 02:13 - 2012-05-08 02:13 - 0000884 ____A C:\Users\Public\Desktop\Sniper Elite V2.lnk
2012-05-07 11:36 - 2012-05-07 11:35 - 0000000 ____D C:\Users\Fabijan\AppData\Local\SniperV2 Demo
2012-05-07 09:59 - 2012-05-07 09:59 - 0000216 ____A C:\Users\Fabijan\Desktop\Sniper Elite V2 Demo.url
2012-05-07 09:51 - 2012-05-07 09:51 - 0000875 ____A C:\Users\Public\Desktop\Steam.lnk
2012-05-07 09:51 - 2012-05-07 09:51 - 0000000 ____D C:\Program Files\Common Files\Steam
2012-05-07 08:57 - 2012-05-07 08:52 - 0000000 ____D C:\Users\All Users\DAEMON Tools Lite
2012-05-07 08:54 - 2012-05-07 08:54 - 0242240 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys
2012-05-07 08:54 - 2012-05-07 08:54 - 0000785 ____A C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
2012-05-07 08:54 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\System32\DriverStore
2012-05-07 08:53 - 2012-05-07 08:53 - 0001112 ____A C:\Users\Public\Desktop\Hotspot Shield Launch.lnk
2012-05-07 08:53 - 2012-05-07 08:53 - 0000000 ____D C:\Users\All Users\Hotspot Shield
2012-05-07 08:53 - 2012-05-07 08:50 - 0000000 ____D C:\Program Files\Hotspot Shield
2012-05-07 08:53 - 2012-05-07 08:50 - 0000000 ____D C:\Hotspot Shield
2012-05-07 08:41 - 2012-05-07 08:41 - 0001769 ____A C:\Users\Fabijan\Desktop\MagicISO.lnk
2012-05-07 08:41 - 2012-05-07 08:41 - 0000000 ____D C:\Program Files\MagicISO
2012-05-07 08:38 - 2012-05-07 08:38 - 0000000 ____D C:\Users\Fabijan\AppData\Roaming\Google
2012-05-04 03:59 - 2012-05-04 03:59 - 0000000 ____D C:\Program Files\IObit Toolbar
2012-05-04 03:59 - 2012-05-04 03:59 - 0000000 ____D C:\Program Files\Common Files\Spigot
2012-05-04 03:59 - 2012-05-04 03:59 - 0000000 ____D C:\Program Files\Application Updater
2012-05-04 03:59 - 2011-11-03 20:56 - 0000000 ____D C:\Users\Fabijan\AppData\LocalLow
2012-05-01 23:18 - 2011-11-03 22:04 - 0002402 ____A C:\Users\Fabijan\Desktop\Google Chrome.lnk
2012-04-26 23:23 - 2012-04-26 23:23 - 0013112 ____A C:\Users\Fabijan\Documents\održ.docx
2012-04-24 03:27 - 2012-04-24 03:23 - 0000000 ____D C:\Users\Fabijan\Desktop\irac solaze
2012-04-20 12:34 - 2012-01-26 12:18 - 0000000 ____D C:\Program Files\Google
2012-04-17 16:57 - 2012-04-17 16:57 - 0000237 ____A C:\user.js
2012-04-17 16:56 - 2012-04-17 16:56 - 0000000 ____D C:\Users\Fabijan\AppData\Roaming\Babylon
2012-04-17 16:56 - 2012-04-17 16:56 - 0000000 ____D C:\Users\Fabijan\AppData\Local\Babylon
2012-04-17 16:56 - 2012-04-17 16:56 - 0000000 ____D C:\Users\All Users\Premium
2012-04-17 16:56 - 2012-04-17 16:56 - 0000000 ____D C:\Users\All Users\InstallMate
2012-04-17 16:56 - 2012-04-17 16:56 - 0000000 ____D C:\Users\All Users\Babylon
2012-04-13 00:30 - 2012-04-13 00:29 - 0001962 ____A C:\Users\Fabijan\Desktop\prog.txt
2012-04-12 10:14 - 2011-11-08 12:51 - 0000000 ____D C:\Program Files\Common Files\Adobe
2012-04-05 10:41 - 2012-04-05 10:41 - 47562752 ____A C:\Windows\System32\config\SOFTWARE.iobit
2012-04-05 10:41 - 2012-04-05 10:41 - 14090240 ____A C:\Windows\System32\config\SYSTEM.iobit
2012-04-05 10:41 - 2012-04-05 10:41 - 0208896 ____A C:\Windows\System32\config\DEFAULT.iobit
2012-04-05 10:41 - 2012-04-05 10:41 - 0065536 ____A C:\Windows\System32\config\SAM.iobit
2012-04-05 10:41 - 2012-04-05 10:41 - 0024576 ____A C:\Windows\System32\config\SECURITY.iobit
2012-04-05 10:40 - 2011-11-03 21:52 - 0000000 ____D C:\Users\All Users\IObit
2012-04-05 10:39 - 2012-04-05 10:39 - 0001230 ____A C:\Users\Public\Desktop\Uninstaller.lnk
2012-04-05 10:39 - 2012-04-05 10:39 - 0001179 ____A C:\Users\Public\Desktop\Advanced SystemCare 5.lnk
2012-04-05 10:39 - 2011-11-03 21:53 - 0000000 ____D C:\Users\Fabijan\AppData\Roaming\IObit
2012-04-05 10:39 - 2011-11-03 21:53 - 0000000 ____D C:\Program Files\IObit
2012-04-04 17:03 - 2011-11-03 21:52 - 0000604 ____A C:\Users\Public\Desktop\Switch to Gaming Mode.lnk
2012-04-04 17:03 - 2011-11-03 21:52 - 0000592 ____A C:\Users\Public\Desktop\Game Booster 3.lnk
2012-04-02 12:17 - 2012-05-07 08:38 - 0102400 ____A C:\Users\Fabijan\AppData\Roaming\googleoez.exe
2012-04-02 12:17 - 2012-04-02 12:17 - 0040985 ____A C:\Users\Fabijan\AppData\Roaming\a.7z
2012-03-27 06:00 - 2011-11-14 08:00 - 0000000 ____D C:\Program Files\Battlelog Web Plugins
2012-03-27 04:25 - 2011-11-03 21:29 - 0000000 ____D C:\Users\Fabijan\AppData\Local\Conduit
2012-03-26 13:45 - 2012-03-26 13:45 - 0037376 ____A (AnchorFree Inc.) C:\Windows\System32\Drivers\HssDrv.sys
2012-03-25 07:59 - 2012-03-25 07:59 - 0000000 ____D C:\Users\Fabijan\Desktop\krematorium gitarjada
2012-03-25 06:18 - 2011-11-03 21:58 - 0000000 ____D C:\Users\Fabijan\AppData\Roaming\BSplayer
2012-03-16 06:38 - 2012-03-16 06:39 - 0070191 ____A C:\Users\Fabijan\Desktop\422466_296698423736251_138293809576714_708816_201546011_n.jpg
2012-03-11 17:53 - 2012-01-23 14:19 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-03-02 04:51 - 2012-03-02 04:51 - 0000000 ____D C:\Users\Fabijan\Desktop\OFFICE CRO PACK


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 4094.49 MB
Available physical RAM: 3635.41 MB
Total Pagefile: 4092.77 MB
Available Pagefile: 3632.12 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.49 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:39.06 GB) (Free:8.2 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Pizdarije) (Fixed) (Total:426.7 GB) (Free:161.56 GB) NTFS
4 Drive f: () (Removable) (Total:1.81 GB) (Free:1.59 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 1024 KB
Disk 1 Online 1854 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 39 GB 31 KB
Partition 0 Extended 426 GB 39 GB
Partition 2 Logical 426 GB 39 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 39 GB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Pizdarije NTFS Partition 426 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 1854 MB 0 B

======================================================================================================

Disk: 1
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

======================================================================================================

==========================================================

Last Boot: 2012-05-09 18:13

======================= End Of Log ==========================

#7 gringo_pr, Bleepin Gringo (Malware Response Team)

Posted 29 May 2012 - 09:00 PM

Hello

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

HKLM\...\Run: [SearchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe" [983904 2012-04-23] (Spigot, Inc.)
HKLM\...\Winlogon: [Shell] C:\Windows\Temp\elofqh\setup.exe [390051 2012-05-17] () ATTENTION! ====> Celas
2 AMService; C:\Windows\TEMP\nghsni\setup.exe run [59392 2012-05-08] () ATTENTION! ====> Celas
2 rtl8139; C:\Windows\System32\SetupNT.dll [5632 2009-07-13] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
NETSVC: rtl8139
C:\Windows\Temp\elofqh\setup.exe
C:\Windows\TEMP\nghsni\setup.exe
C:\Windows\System32\SetupNT.dll


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it to your reply.

Gringo[/b]
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
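As an added example (not part of this thread, and not FRST's own code), a small Python triage script that parses log lines in the FRST layout quoted in post #7, flags the two indicators visible there (a Winlogon Shell value that is not explorer.exe, and autostart binaries running from a Temp directory), and emits fixlist lines in the same layout the post uses. The sample log is constructed from the entries quoted in post #7; the explorer.exe line is a constructed clean control, and the heuristic names are mine.

```python
import re
# Constructed sample in the layout of an FRST scan log; keys and paths mirror post #7 of this thread, the explorer.exe line is a constructed clean control.
SAMPLE_LOG = r"""
HKLM\...\Run: [SearchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe" [983904 2012-04-23] (Spigot, Inc.)
HKLM\...\Winlogon: [Shell] C:\Windows\Temp\elofqh\setup.exe [390051 2012-05-17] ()
2 AMService; C:\Windows\TEMP\nghsni\setup.exe run [59392 2012-05-08] ()
2 rtl8139; C:\Windows\System32\SetupNT.dll [5632 2009-07-13] (Oak Technology Inc.)
HKLM\...\Winlogon: [Shell] explorer.exe [2871808 2011-02-25] (Microsoft Corporation)
"""

REG_LINE = re.compile(r"^HK\w+\\\.\.\.\\(?P<loc>Run|Winlogon): \[(?P<name>[^\]]+)\] (?P<rest>.+)$")
SVC_LINE = re.compile(r"^\d (?P<name>[^;]+); (?P<rest>.+)$")                # "2 Name; path [...] (Pub)"
BINARY = re.compile(r'"?(?P<path>[^"\[]+?\.(?:exe|dll))"?', re.IGNORECASE)  # first .exe/.dll token
PUBLISHER = re.compile(r"\((?P<pub>[^()]*)\)\s*$")                         # trailing "(Company)"
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)

def parse_entry(line):
    """Split one FRST Run/Winlogon/service line into kind, name, binary path and publisher."""
    m = REG_LINE.match(line) or SVC_LINE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    binary, pub = BINARY.search(rest), PUBLISHER.search(rest)
    return {"kind": m.groupdict().get("loc", "Service"), "name": m.group("name"),
            "path": binary.group("path") if binary else rest,
            "publisher": pub.group("pub") if pub else ""}

def suspicious_reasons(entry):
    """Heuristics for the pattern in this thread: a replaced shell and autostarts living in Temp."""
    reasons = []
    if entry["kind"] == "Winlogon" and entry["name"] == "Shell" and entry["path"].lower() != "explorer.exe":
        reasons.append("Winlogon Shell is not explorer.exe (lock-screen style hijack)")
    if TEMP_DIR.search(entry["path"]):
        reasons.append("autostart binary runs from a Temp directory")
    if reasons and not entry["publisher"]:
        reasons.append("no publisher in version info")
    return reasons

def triage(log):
    """Flag suspicious entries and emit fixlist lines in the layout post #7 uses (log line, then bare path)."""
    flagged, fixlist = [], []
    for line in log.strip().splitlines():
        entry = parse_entry(line)
        reasons = suspicious_reasons(entry) if entry else []
        if reasons:
            flagged.append(f"{entry['name']}: {'; '.join(reasons)}")
            fixlist.append(line)          # the log line itself removes/restores the entry
            fixlist.append(entry["path"])  # the bare path moves the file as well
    return {"flagged": flagged, "fixlist": fixlist}
```

The rtl8139 service is deliberately left unflagged: it sits in System32 with a publisher string, so the path heuristic alone does not catch it, which is why the helper's tool-driven scan is still needed on top of any such triage.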

#8 Rachel1234
  • Topic Starter
  • Members
  • 6 posts

Posted 30 May 2012 - 12:04 AM

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 29-05-2012 02
Ran by SYSTEM at 2012-05-30 07:02:07 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SearchSettings Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored.
AMService service deleted successfully.
rtl8139 service deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs rtl8139 Deleted successfully.
C:\Windows\Temp\elofqh\setup.exe moved successfully.
C:\Windows\TEMP\nghsni\setup.exe moved successfully.
C:\Windows\System32\SetupNT.dll moved successfully.

==== End of Fixlog ====

#9 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 30 May 2012 - 12:05 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#10 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 05 June 2012 - 12:58 AM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.




Gringo

#11 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 07 June 2012 - 11:30 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo

#12 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 10 June 2012 - 11:30 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.