Polizei Crime Investigation Department Virus


  • This topic is locked
23 replies to this topic

#1 ComputerNewb101

ComputerNewb101

  • Members
  • 14 posts

Posted 06 May 2013 - 05:10 PM

Can someone help me? I've been trying the Kaspersky thing to get rid of this virus but it isn't working :(. Please help!





#2 ComputerNewb101

ComputerNewb101
  • Topic Starter

  • Members
  • 14 posts

Posted 06 May 2013 - 05:49 PM

Anyone?  :(



#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 May 2013 - 06:16 PM


Hello ComputerNewb101

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe or e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First Press the Scan button.
  • It will make a log (FRST.txt)
  • Second, type the following in the edit box after "Search:": services.exe
  • Click the Search button.
  • It will make a log (Search.txt)
I want you to post both the FRST.txt report and the Search.txt into your reply to me.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 ComputerNewb101

ComputerNewb101
  • Topic Starter

  • Members
  • 14 posts

Posted 06 May 2013 - 06:20 PM

Thanks Gringo :). I shall start right now!



#5 ComputerNewb101

ComputerNewb101
  • Topic Starter

  • Members
  • 14 posts

Posted 06 May 2013 - 06:21 PM

Does it matter how big the flash drive is? 



#6 ComputerNewb101

ComputerNewb101
  • Topic Starter

  • Members
  • 14 posts

Posted 06 May 2013 - 06:30 PM

It's currently running a  CHKDSK. 



#7 ComputerNewb101

ComputerNewb101
  • Topic Starter

  • Members
  • 14 posts

Posted 06 May 2013 - 06:54 PM

I can't get to the home screen due to the virus automatically opening up a page. When I try to run Windows with networking, it will restart right after I log in. Prior to me asking for help here, I used Kaspersky Windows Unlocker but I didn't quite understand it.


Edited by ComputerNewb101, 06 May 2013 - 06:55 PM.


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 May 2013 - 08:34 PM

Hello


read the instructions above and it will tell you how to get into the recovery environment to help me get the report


gringo

#9 ComputerNewb101

ComputerNewb101
  • Topic Starter

  • Members
  • 14 posts

Posted 07 May 2013 - 02:41 PM

Hello


read the instructions above and it will tell you how to get into the recovery environment to help me get the report


gringo

Gringo, it should say Farbar Recovery Scan Tool as it scans my system, right? :)



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 May 2013 - 02:57 PM

Yes that is correct

#11 ComputerNewb101

ComputerNewb101
  • Topic Starter

  • Members
  • 14 posts

Posted 07 May 2013 - 04:01 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-05-2013
Ran by SYSTEM on 07-05-2013 18:40:51
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2122536 2010-05-07] (Synaptics Incorporated)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10144288 2010-04-13] (Realtek Semiconductor)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3203440 2010-04-06] (Dell Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [560128 2011-02-08] (Dell)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-01-22] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1675160 2012-03-21] (McAfee, Inc.)
HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1807680 2010-02-09] ()
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [DellSupportCenter] "c:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [x]
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2011-04-27] (Apple Inc.)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [1686528 2012-03-27] (Wondershare)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-22] (Adobe Systems Incorporated)
HKU\Geoffrey\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
HKU\Geoffrey\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-11-30] (Google Inc.)
HKU\Geoffrey\...\Run: [AdobeBridge]  [x]
HKU\Geoffrey\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Geoffrey\Documents\1d92f2a0.exe [35328 2013-05-06] (Intel Corporation)
HKU\Geoffrey\...\Winlogon: [Shell] explorer.exe,C:\Users\Geoffrey\AppData\Roaming\skype.dat [114688 2011-11-17] () <==== ATTENTION 
Startup: C:\ProgramData\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Geoffrey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
 
==================== Services (Whitelisted) =================
 
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [502032 2012-03-22] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [199272 2012-03-20] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [210584 2012-03-20] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [162192 2012-03-20] (McAfee, Inc.)
S2 szserver; C:\Program Files (x86)\Common Files\iS3\Anti-Spyware\SZServer.exe [62928 2011-03-31] (iS3, Inc.)
 
==================== Drivers (Whitelisted) ====================
 
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [65264 2012-02-22] (McAfee, Inc.)
S3 EagleX64; C:\Windows\system32\drivers\EagleX64.sys [138328 2011-08-26] (AhnLab, Inc.)
S0 is3srv; C:\Windows\SysWow64\drivers\is3srv64.sys [74768 2010-01-15] (iS3 Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [160792 2012-02-22] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [229528 2012-02-22] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [487296 2012-02-22] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [647208 2012-02-22] (McAfee, Inc.)
S1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75936 2012-02-22] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [100912 2012-02-22] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [289664 2012-02-22] (McAfee, Inc.)
S0 szkg5; C:\Windows\SysWow64\DRIVERS\szkg64.sys [74768 2010-01-15] (iS3 Inc.)
S2 TurboB; C:\Windows\System32\DRIVERS\TurboB.sys [13784 2009-11-02] ()
S3 mfeavfk01; No ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-05-07 17:12 - 2013-05-07 17:12 - 00000000 ____D C:\FRST
2013-05-06 18:39 - 2013-05-06 18:39 - 00003288 ____N C:\bootsqm.dat
2013-05-06 15:47 - 2013-05-07 15:02 - 00000004 ____A C:\Users\Geoffrey\Application Data\skype.ini
2013-05-06 15:47 - 2013-05-07 15:02 - 00000004 ____A C:\Users\Geoffrey\AppData\Roaming\skype.ini
2013-05-06 15:43 - 2013-05-06 15:43 - 01069425 ____A C:\Users\Geoffrey\Local Settings\Application Data\2433f433
2013-05-06 15:43 - 2013-05-06 15:43 - 01069425 ____A C:\Users\Geoffrey\Local Settings\2433f433
2013-05-06 15:43 - 2013-05-06 15:43 - 01069425 ____A C:\Users\Geoffrey\AppData\Local\2433f433
2013-05-06 15:43 - 2013-05-06 15:43 - 01069417 ____A C:\Users\Geoffrey\Application Data\2433f433
2013-05-06 15:43 - 2013-05-06 15:43 - 01069417 ____A C:\Users\Geoffrey\AppData\Roaming\2433f433
2013-05-06 15:43 - 2013-05-06 15:43 - 01069397 ____A C:\ProgramData\Application Data\2433f433
2013-05-06 15:43 - 2013-05-06 15:43 - 01069397 ____A C:\ProgramData\2433f433
2013-05-06 15:43 - 2013-05-06 15:43 - 00035328 ____A (Intel Corporation) C:\Users\Geoffrey\My Documents\1d92f2a0.exe
2013-05-06 15:43 - 2013-05-06 15:43 - 00035328 ____A (Intel Corporation) C:\Users\Geoffrey\Documents\1d92f2a0.exe
2013-05-06 15:40 - 2013-05-06 15:43 - 00000000 ____D C:\Users\Geoffrey\Desktop\Preity Zinta
2013-04-28 09:51 - 2013-04-12 09:36 - 01653096 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-28 09:37 - 2013-04-28 09:37 - 00275520 ____A C:\Windows\Minidump\042813-26145-01.dmp
2013-04-28 09:30 - 2013-04-28 09:30 - 00275520 ____A C:\Windows\Minidump\042813-26644-01.dmp
2013-04-12 21:24 - 2013-02-22 01:57 - 17817088 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-12 21:24 - 2013-02-22 01:29 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-12 21:24 - 2013-02-22 01:27 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-12 21:24 - 2013-02-22 01:21 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-12 21:24 - 2013-02-22 01:20 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-12 21:24 - 2013-02-22 01:19 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-04-12 21:24 - 2013-02-22 01:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-04-12 21:24 - 2013-02-22 01:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-12 21:24 - 2013-02-22 01:15 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-12 21:24 - 2013-02-22 01:15 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-04-12 21:24 - 2013-02-22 01:15 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-04-12 21:24 - 2013-02-22 01:14 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-12 21:24 - 2013-02-22 01:13 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-12 21:24 - 2013-02-22 01:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-04-12 21:24 - 2013-02-22 01:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-12 21:24 - 2013-02-22 01:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-12 21:24 - 2013-02-21 23:05 - 12324352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-04-12 21:24 - 2013-02-21 22:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-04-12 21:24 - 2013-02-21 22:46 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-04-12 21:24 - 2013-02-21 22:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-04-12 21:24 - 2013-02-21 22:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-04-12 21:24 - 2013-02-21 22:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-04-12 21:24 - 2013-02-21 22:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-04-12 21:24 - 2013-02-21 22:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-04-12 21:24 - 2013-02-21 22:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-04-12 21:24 - 2013-02-21 22:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-04-12 21:24 - 2013-02-21 22:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-04-12 21:24 - 2013-02-21 22:33 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-04-12 21:24 - 2013-02-21 22:32 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-04-12 21:24 - 2013-02-21 22:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-04-12 21:24 - 2013-02-21 22:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-04-12 21:24 - 2013-02-21 22:28 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-04-11 20:56 - 2013-04-11 20:57 - 00000660 ____A C:\Users\Geoffrey\Desktop\Nim2.class
2013-04-11 20:56 - 2013-04-11 20:56 - 00000743 ____A C:\Users\Geoffrey\Desktop\Nim2.java
2013-04-11 20:55 - 2013-04-11 20:57 - 00001281 ____A C:\Users\Geoffrey\Desktop\Nim2Game.class
2013-04-11 20:55 - 2013-04-11 20:55 - 00002244 ____A C:\Users\Geoffrey\Desktop\Nim2Game.java
2013-04-11 20:55 - 2013-04-11 20:55 - 00000743 ____A C:\Users\Geoffrey\Downloads\Nim2.java
2013-04-11 20:26 - 2013-03-19 01:05 - 05466472 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-11 20:26 - 2013-03-19 00:54 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-04-11 20:26 - 2013-03-19 00:51 - 00058368 ____A (Microsoft Corporation) C:\Windows\System32\appidapi.dll
2013-04-11 20:26 - 2013-03-19 00:51 - 00034304 ____A (Microsoft Corporation) C:\Windows\System32\appidsvc.dll
2013-04-11 20:26 - 2013-03-19 00:04 - 03971432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-04-11 20:26 - 2013-03-19 00:04 - 03915608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-04-11 20:26 - 2013-03-18 23:53 - 00006656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-04-11 20:26 - 2013-03-18 23:49 - 00050688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2013-04-11 20:26 - 2013-03-18 22:57 - 00148480 ____A (Microsoft Corporation) C:\Windows\System32\appidpolicyconverter.exe
2013-04-11 20:26 - 2013-03-18 22:57 - 00061440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\appid.sys
2013-04-11 20:26 - 2013-03-18 22:57 - 00017920 ____A (Microsoft Corporation) C:\Windows\System32\appidcertstorecheck.exe
2013-04-11 20:26 - 2013-03-18 22:19 - 00112640 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-04-11 20:26 - 2013-02-28 22:32 - 03150848 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-11 20:26 - 2013-02-12 10:42 - 00044032 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll
2013-04-11 20:26 - 2013-02-12 10:37 - 03138048 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-04-11 20:26 - 2013-02-12 10:31 - 00158208 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-04-11 20:26 - 2013-02-12 10:13 - 02691072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2013-04-11 20:26 - 2013-02-12 10:07 - 00131072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2013-04-11 20:26 - 2013-02-12 08:59 - 00036864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2013-04-11 20:26 - 2013-01-24 00:41 - 00223752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys
 
==================== One Month Modified Files and Folders =======
 
2013-05-07 17:12 - 2013-05-07 17:12 - 00000000 ____D C:\FRST
2013-05-07 15:08 - 2011-04-09 18:09 - 00110869 ____A C:\Windows\setupact.log
2013-05-07 15:08 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-07 15:02 - 2013-05-06 15:47 - 00000004 ____A C:\Users\Geoffrey\Application Data\skype.ini
2013-05-07 15:02 - 2013-05-06 15:47 - 00000004 ____A C:\Users\Geoffrey\AppData\Roaming\skype.ini
2013-05-07 15:01 - 2011-11-30 19:37 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-07 15:01 - 2011-04-02 10:13 - 00000000 ____D C:\ProgramData\STOPzilla!
2013-05-07 15:01 - 2011-04-02 10:13 - 00000000 ____D C:\ProgramData\Application Data\STOPzilla!
2013-05-06 18:39 - 2013-05-06 18:39 - 00003288 ____N C:\bootsqm.dat
2013-05-06 15:44 - 2009-07-14 00:10 - 01225658 ____A C:\Windows\WindowsUpdate.log
2013-05-06 15:43 - 2013-05-06 15:43 - 01069425 ____A C:\Users\Geoffrey\Local Settings\Application Data\2433f433
2013-05-06 15:43 - 2013-05-06 15:43 - 01069425 ____A C:\Users\Geoffrey\Local Settings\2433f433
2013-05-06 15:43 - 2013-05-06 15:43 - 01069425 ____A C:\Users\Geoffrey\AppData\Local\2433f433
2013-05-06 15:43 - 2013-05-06 15:43 - 01069417 ____A C:\Users\Geoffrey\Application Data\2433f433
2013-05-06 15:43 - 2013-05-06 15:43 - 01069417 ____A C:\Users\Geoffrey\AppData\Roaming\2433f433
2013-05-06 15:43 - 2013-05-06 15:43 - 01069397 ____A C:\ProgramData\Application Data\2433f433
2013-05-06 15:43 - 2013-05-06 15:43 - 01069397 ____A C:\ProgramData\2433f433
2013-05-06 15:43 - 2013-05-06 15:43 - 00035328 ____A (Intel Corporation) C:\Users\Geoffrey\My Documents\1d92f2a0.exe
2013-05-06 15:43 - 2013-05-06 15:43 - 00035328 ____A (Intel Corporation) C:\Users\Geoffrey\Documents\1d92f2a0.exe
2013-05-06 15:43 - 2013-05-06 15:40 - 00000000 ____D C:\Users\Geoffrey\Desktop\Preity Zinta
2013-05-06 15:33 - 2011-11-30 19:37 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-06 15:23 - 2012-09-11 21:42 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-06 15:07 - 2012-08-30 19:32 - 00000132 ____A C:\Users\Geoffrey\Application Data\Adobe PNG Format CS5 Prefs
2013-05-06 15:07 - 2012-08-30 19:32 - 00000132 ____A C:\Users\Geoffrey\AppData\Roaming\Adobe PNG Format CS5 Prefs
2013-05-06 14:58 - 2013-03-15 17:52 - 00000000 ____D C:\Users\Geoffrey\Desktop\Soccer Renders
2013-05-06 13:51 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-06 13:51 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-04 11:27 - 2009-07-14 00:13 - 00727334 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-02 23:11 - 2011-02-07 20:26 - 00000000 ____D C:\Users\Geoffrey\Application Data\SoftGrid Client
2013-05-02 23:11 - 2011-02-07 20:26 - 00000000 ____D C:\Users\Geoffrey\AppData\Roaming\SoftGrid Client
2013-04-28 09:37 - 2013-04-28 09:37 - 00275520 ____A C:\Windows\Minidump\042813-26145-01.dmp
2013-04-28 09:37 - 2011-04-26 20:15 - 00000000 ____D C:\Windows\Minidump
2013-04-28 09:37 - 2011-04-26 20:14 - 521358594 ____A C:\Windows\MEMORY.DMP
2013-04-28 09:30 - 2013-04-28 09:30 - 00275520 ____A C:\Windows\Minidump\042813-26644-01.dmp
2013-04-13 21:22 - 2009-07-13 23:45 - 04829056 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-12 21:27 - 2011-03-05 09:46 - 72702784 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-04-12 09:36 - 2013-04-28 09:51 - 01653096 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-11 20:57 - 2013-04-11 20:56 - 00000660 ____A C:\Users\Geoffrey\Desktop\Nim2.class
2013-04-11 20:57 - 2013-04-11 20:55 - 00001281 ____A C:\Users\Geoffrey\Desktop\Nim2Game.class
2013-04-11 20:56 - 2013-04-11 20:56 - 00000743 ____A C:\Users\Geoffrey\Desktop\Nim2.java
2013-04-11 20:55 - 2013-04-11 20:55 - 00002244 ____A C:\Users\Geoffrey\Desktop\Nim2Game.java
2013-04-11 20:55 - 2013-04-11 20:55 - 00000743 ____A C:\Users\Geoffrey\Downloads\Nim2.java
 
Other Malware:
===========
C:\Users\Geoffrey\AppData\Roaming\skype.dat
C:\Users\Geoffrey\AppData\Roaming\skype.ini
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-02-09 22:13:46
Restore point made on: 2013-02-13 01:04:49
Restore point made on: 2013-02-17 23:03:34
Restore point made on: 2013-02-18 21:29:44
Restore point made on: 2013-03-03 22:28:13
Restore point made on: 2013-03-15 21:09:04
Restore point made on: 2013-03-19 23:02:09
Restore point made on: 2013-03-23 21:34:37
Restore point made on: 2013-03-27 22:16:12
Restore point made on: 2013-03-30 10:13:05
Restore point made on: 2013-04-12 21:19:46
Restore point made on: 2013-04-13 21:32:23
Restore point made on: 2013-04-28 11:35:08
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 3956.52 MB
Available physical RAM: 3337.58 MB
Total Pagefile: 3954.67 MB
Available Pagefile: 3337.74 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:345.52 GB) NTFS (Disk=0 Partition=3)
Drive e: () (Removable) (Total:0.94 GB) (Free:0.94 GB) FAT (Disk=1 Partition=1)
Drive f: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:7.01 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
==================== MBR & Partition Table ==================
 
====================================================================
Disk: 0 (MBR Code: Windows Vista) (Size: 466 GB) (Disk ID: 07F2837E)
Partition 1: (Not Active) - (Size=102 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=451 GB) - (Type=07 NTFS)
 
====================================================================
Disk: 1 (Size: 962 MB) (Disk ID: 8CC49147)
Partition 1: (Active) - (Size=962 MB) - (Type=06)
 
 
Last Boot: 2013-02-01 10:02
 
==================== End Of Log ============================
Farbar Recovery Scan Tool (x64) Version: 06-05-2013
Ran by SYSTEM at 2013-05-07 19:45:45
Running from E:\
Boot Mode: Recovery
 
================== Search: "services.exe" ===================
 
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
 
C:\Windows\System32\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
 
====== End Of Search ======

Edited by ComputerNewb101, 07 May 2013 - 04:01 PM.
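The point of the services.exe search above is to compare the live copy in System32 against the pristine copy kept in the WinSxS component store: same size, same publisher, same MD5 means the file has not been replaced. The parser below is an added example, not part of the thread or of FRST; it reads a constructed sample in the shape of FRST's Search output (the System32 hash and publisher are altered so a mismatch shows) and reports any live copy that does not match its store copy.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the FRST "Search" output posted above; the
# System32 copy's hash and publisher are altered here to show what a mismatch looks like.
SAMPLE = """
================== Search: "services.exe" ===================
C:\\Windows\\winsxs\\amd64_microsoft-windows-s..s-servicecontroller_x\\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\\Windows\\System32\\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A () 0123456789ABCDEF0123456789ABCDEF
====== End Of Search ======
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<publisher>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

def parse_search(text):
    """One dict per file: FRST prints the path, then a detail line beneath it."""
    entries, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            path = line
            continue
        m = DETAIL_RE.match(line)
        if m and path:
            entry = m.groupdict()
            entry["path"], entry["size"] = path, int(entry["size"])
            entries.append(entry)
            path = None
    return entries

def find_mismatches(entries):
    """Live copies whose MD5 is not among the WinSxS copies of the same name, or with no publisher."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    findings = []
    for copies in by_name.values():
        store = [c for c in copies if "\\winsxs\\" in c["path"].lower()]
        reference = {c["md5"].upper() for c in store}
        for c in copies:
            if c not in store and (c["md5"].upper() not in reference or not c["publisher"]):
                findings.append(c["path"])
    return findings
```

Run against the log actually posted above, both copies share the hash 24ACB7E5BE595468E3B9AA488B9B4FCB and the function returns an empty list, which is the clean result the helper was checking for.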


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 May 2013 - 05:40 PM



Hello ComputerNewb101



Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

 
HKU\Geoffrey\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Geoffrey\Documents\1d92f2a0.exe [35328 2013-05-06] (Intel Corporation)
HKU\Geoffrey\...\Winlogon: [Shell] explorer.exe,C:\Users\Geoffrey\AppData\Roaming\skype.dat [114688 2011-11-17] () <==== ATTENTION
C:\Users\Geoffrey\Application Data\skype.ini
C:\Users\Geoffrey\AppData\Roaming\skype.ini
C:\Users\Geoffrey\Local Settings\Application Data\2433f433
C:\Users\Geoffrey\Local Settings\2433f433
C:\Users\Geoffrey\AppData\Local\2433f433
C:\Users\Geoffrey\Application Data\2433f433
C:\Users\Geoffrey\AppData\Roaming\2433f433
C:\ProgramData\Application Data\2433f433
C:\ProgramData\2433f433
C:\Users\Geoffrey\My Documents\1d92f2a0.exe
C:\Users\Geoffrey\Documents\1d92f2a0.exe
C:\Users\Geoffrey\AppData\Roaming\skype.dat
C:\Users\Geoffrey\AppData\Roaming\skype.ini
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
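The two registry lines at the top of that fixlist are the whole infection: a Run entry starting a randomly named executable from the user's Documents folder, and a Winlogon Shell value that launches skype.dat alongside explorer.exe so the lock screen comes up at every logon. The triage script below is an added example, not part of the thread or of FRST; it parses constructed lines in FRST's autostart format (the two from the fixlist plus a hypothetical benign Program Files entry) and flags the patterns a reviewer looks for.

```python
import re

# Constructed sample: the two lines quoted in the fixlist above plus one
# hypothetical benign entry, all in the format FRST uses for autostart lines.
SAMPLE_LINES = [
    r"HKU\Geoffrey\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\Geoffrey\Documents\1d92f2a0.exe [35328 2013-05-06] (Intel Corporation)",
    r"HKU\Geoffrey\...\Winlogon: [Shell] explorer.exe,C:\Users\Geoffrey\AppData\Roaming\skype.dat [114688 2011-11-17] () <==== ATTENTION",
    r"HKLM\...\Run: [ExampleApp] C:\Program Files\Example\app.exe [1024 2010-01-01] (Example Corp)",
]

LINE_RE = re.compile(
    r"^(?P<hive>HK\w+)\\(?P<path>.*?)\\(?P<key>Run|RunOnce|Winlogon): "
    r"\[(?P<name>[^\]]+)\] (?P<value>.*?)"
    r"(?: \[(?P<size>\d+) (?P<date>[\d-]+)\])?(?: \((?P<publisher>[^)]*)\))?"
    r"(?: <==== ATTENTION)?$"
)

def parse_autostart(line):
    """Split one FRST autostart line into hive, key, value name, target, size, date, publisher."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Return (line_index, reason) for entries worth a closer look."""
    findings = []
    for i, line in enumerate(lines):
        e = parse_autostart(line)
        if not e:
            continue
        if e["key"] == "Winlogon" and e["name"] == "Shell":
            # The only legitimate Shell value is explorer.exe; anything else chained
            # after it runs at every logon, which is how the lock screen persists.
            extra = [p for p in e["value"].split(",") if p.strip().lower() != "explorer.exe"]
            if extra:
                findings.append((i, "Winlogon Shell launches extra program: " + ",".join(extra)))
        elif e["key"] in ("Run", "RunOnce"):
            target = e["value"].lower()
            # Autostarts from Documents or AppData, or with no publisher, are the usual dropper spots.
            if "\\users\\" in target and ("\\appdata\\" in target or "\\documents\\" in target):
                findings.append((i, "Run entry starts a file from the user profile: " + e["value"]))
            elif not e["publisher"]:
                findings.append((i, "Run entry has no publisher: " + e["value"]))
    return findings
```

A publisher string by itself is not trustworthy: the Documents entry claims Intel Corporation, which is why the location check runs before the publisher check.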

#13 ComputerNewb101

ComputerNewb101
  • Topic Starter

  • Members
  • 14 posts

Posted 07 May 2013 - 08:59 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-05-2013
Ran by SYSTEM at 2013-05-08 01:56:28 Run:1
Running from E:\
Boot Mode: Recovery
==============================================
 
HKEY_USERS\Geoffrey\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value not found.
HKEY_USERS\Geoffrey\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Users\Geoffrey\Application Data\skype.ini => Moved successfully.
C:\Users\Geoffrey\AppData\Roaming\skype.ini => File/Directory not found.
C:\Users\Geoffrey\Local Settings\Application Data\2433f433 => Moved successfully.
C:\Users\Geoffrey\Local Settings\2433f433 => File/Directory not found.
C:\Users\Geoffrey\AppData\Local\2433f433 => File/Directory not found.
C:\Users\Geoffrey\Application Data\2433f433 => Moved successfully.
C:\Users\Geoffrey\AppData\Roaming\2433f433 => File/Directory not found.
C:\ProgramData\Application Data\2433f433 => Moved successfully.
C:\ProgramData\2433f433 => File/Directory not found.
C:\Users\Geoffrey\My Documents\1d92f2a0.exe => Moved successfully.
C:\Users\Geoffrey\Documents\1d92f2a0.exe => File/Directory not found.
C:\Users\Geoffrey\AppData\Roaming\skype.dat => Moved successfully.
C:\Users\Geoffrey\AppData\Roaming\skype.ini => File/Directory not found.
 
==== End of Fixlog ====

 

I haven't booted it to normal mode yet which I shall soon :)



#14 ComputerNewb101

ComputerNewb101
  • Topic Starter

  • Members
  • 14 posts

Posted 07 May 2013 - 09:10 PM

Before I post this, I'd really like to thank you, Gringo :). I really appreciate what you've done for me these two days as you've helped a big noob such as I when it comes to computers. Even though I've been taking Computer Science/programming, I have to admit I am a gruesome programmer and inept when it comes to anything computer-related.

 

As I booted it normally, my home screen appeared and the Polizei page doesn't appear. My internet explorer is working fine as well :)

 

Geoff


Edited by ComputerNewb101, 07 May 2013 - 09:11 PM.


#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 May 2013 - 09:10 PM

boot into normal mode and let me know please


gringo