Antivirus Security Pro will not allow me to boot up in Safe Mode


7 replies to this topic

#1 KellyV6726

KellyV6726

  • Members
  • 4 posts

Posted 28 October 2013 - 11:19 PM

Computer infected with Antivirus Security Pro; cannot successfully log on with Safe Mode as computer reboots at log on.




#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 29 October 2013 - 03:38 PM

KellyV6726,

 

Welcome to BC Forums!

 

When you start the computer and tap the F8 key until you get to the Advanced Boot Options menu, are you able to use
the arrow keys to select the Repair your computer menu item?

 

From there...
Select your language settings, and click: Next
Select your User account and click: OK (If you did not set a password, leave blank.)

 

On the System Recovery Options menu do you get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Scan your computer's memory for errors
Command Prompt

 

Are you able to select the Command Prompt?


Old duck...


#3 KellyV6726

KellyV6726
  • Topic Starter

  • Members
  • 4 posts

Posted 30 October 2013 - 12:52 AM

Yes, selected Repair Your Computer
Yes, Yes, ... Am able to select Command Prompt



#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 30 October 2013 - 08:24 AM

Good!!

 

Let's press on...

 

You may want to print these instructions so you can have access to them. Also, you may want to read them once before you apply them.

 

Please plug in a USB pen drive into a working computer.

 

Go to the Farbar Recovery Scan Tool download:
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Select the download that applies to your system.

Save the program to the >> USB pen drive.

Remove USB pen drive when done.

 

Now, go to the problem computer.

Plug in the USB pen drive which has FRST.

 

Boot to the System Recovery Options

Select: Command Prompt

 

In the Command Prompt window, at the blinking cursor type notepad and press: Enter

In Notepad, under the File menu select: Open

Double-click the Computer icon on the left.

Find the pen drive letter, remember what letter it is, click on it, and press: Open

Close out of Notepad.

 

Click the Command Prompt window

Type x:\frst.exe, or x:\frst64.exe (depending on your system), and press: Enter

Note: Replace the drive letter x with the drive letter of your pen drive!

 

FRST starts, and prepares to run. Follow the prompts.

Click Yes to the Disclaimer.

 

Press the Scan button.

 

The scan runs, and the program saves FRST.txt on the pen drive.

 

When done, click the Command Prompt window, type exit, and press: Enter

 

Back at the System Recovery Options, press: Shutdown

Remove the USB pen drive.

 

Plug the USB pen drive in the working computer, and please provide the FRST.txt in your reply.


Old duck...


#5 KellyV6726

KellyV6726
  • Topic Starter

  • Members
  • 4 posts

Posted 31 October 2013 - 12:21 AM

Thanks Aaflac,

Here is the frst:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 30-10-2013

Ran by SYSTEM on MININT-UEPEJKJ on 30-10-2013 22:05:30
Running from K:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [hpsysdrv] - C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [SmartMenu] - C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [568888 2010-01-18] ()
HKLM\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\n3VUpaVV\n3VUpaVV.exe -sm,
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [MSN Toolbar] - C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0369.0\mswinext.exe [240472 2009-11-30] (Microsoft Corp.)
HKLM-x32\...\Run: [Microsoft Default Manager] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [288080 2009-07-17] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe [35760 2011-01-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [DATAMNGR] - C:\Program Files (x86)\SearchCore for Browsers\SearchCore for Browsers\datamngrUI.exe [1700272 2011-09-15] (iMesh, Inc)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [CanonQuickMenu] - C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1279120 2012-09-27] (CANON INC.)
HKU\Akeely\...\Run: [HPAdvisorDock] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
HKU\Akeely\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
HKU\Charlie\...\Run: [HPAdvisorDock] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
HKU\Charlie\...\Run: [GameServer33] - C:\Users\Charlie\AppData\Roaming\Hewlett-Packard\WIN7082.exe [124928 2013-09-20] ()
HKU\Default\...\Run: [HPAdvisorDock] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe
HKU\Default User\...\Run: [HPAdvisorDock] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe
HKU\Madeline\...\Run: [HPAdvisorDock] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe
HKU\Madeline\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-02-14] (Google Inc.)
HKU\Spike1770\...\Run: [Weather] - C:\Program Files (x86)\AWS\WeatherBug\Weather.exe 1
HKU\Spike1770\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
HKU\Tamara\...\Run: [HPAdvisorDock] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
HKU\Tamara\...\Run: [Google Update] - [x]
HKU\Tamara\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
AppInit_DLLs: C:\PROGRA~2\SEARCH~1\SEARCH~1\x64\datamngr.dll C:\PROGRA~2\SEARCH~1\SEARCH~1\x64\IEBHO.dll  [535176 2013-10-23] ()
AppInit_DLLs-x32: C:\PROGRA~2\SEARCH~1\SEARCH~1\datamngr.dll C:\PROGRA~2\SEARCH~1\SEARCH~1\IEBHO.dll  [ ] ()
Startup: C:\Users\Tamara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jacquie Lawson Circus.lnk
ShortcutTarget: Jacquie Lawson Circus.lnk -> C:\Program Files (x86)\Jacquie Lawson Circus\Jacquie Lawson Circus.exe ()
 
==================== Services (Whitelisted) =================
 
S3 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [240736 2013-09-05] (WildTangent)
S2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [140456 2012-03-28] ()
 
==================== Drivers (Whitelisted) ====================
 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-30 22:05 - 2013-10-30 22:05 - 00000000 ____D C:\FRST
2013-10-29 21:47 - 2013-10-29 21:47 - 00001668 _____ C:\Users\Akeely\Desktop\Antivirus Security Pro.lnk
2013-10-29 21:47 - 2013-10-29 21:47 - 00000118 _____ C:\Users\Akeely\Desktop\Antivirus Security Pro support.url
2013-10-24 11:17 - 2013-10-24 11:17 - 00000000 _____ C:\Users\Spike1770\Downloads\msert_exe.gyp1zys.partial
2013-10-23 16:24 - 2013-10-23 16:27 - 00001668 _____ C:\Users\Tamara\Desktop\Antivirus Security Pro.lnk
2013-10-23 16:24 - 2013-10-23 16:27 - 00000118 _____ C:\Users\Tamara\Desktop\Antivirus Security Pro support.url
2013-10-23 14:13 - 2013-10-29 21:47 - 00000000 ____D C:\ProgramData\n3VUpaVV
2013-10-21 17:49 - 2013-10-21 17:49 - 00011012 _____ C:\Users\Tamara\Downloads\attachment
2013-10-18 11:51 - 2013-10-18 11:51 - 00000000 ____D C:\Users\Tamara\AppData\Local\Microsoft Help
2013-10-07 20:09 - 2013-10-14 20:09 - 00000000 ____D C:\Users\Madeline\AppData\Roaming\Canon
2013-10-05 14:34 - 2013-10-05 14:36 - 00000000 ____D C:\Users\Tamara\Desktop\party
2013-10-03 18:47 - 2013-10-03 18:48 - 01143786 _____ C:\Users\Tamara\Downloads\fwdcirclebooster.zip
 
==================== One Month Modified Files and Folders =======
 
2013-10-30 22:05 - 2013-10-30 22:05 - 00000000 ____D C:\FRST
2013-10-29 21:47 - 2013-10-29 21:47 - 00001668 _____ C:\Users\Akeely\Desktop\Antivirus Security Pro.lnk
2013-10-29 21:47 - 2013-10-29 21:47 - 00000118 _____ C:\Users\Akeely\Desktop\Antivirus Security Pro support.url
2013-10-29 21:47 - 2013-10-23 14:13 - 00000000 ____D C:\ProgramData\n3VUpaVV
2013-10-29 21:47 - 2013-02-14 21:44 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-29 21:47 - 2013-02-14 21:44 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-29 21:47 - 2013-02-14 21:44 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-29 21:47 - 2011-10-11 13:53 - 00000418 _____ C:\Windows\Tasks\PC Optimizer Pro64 startups.job
2013-10-28 19:57 - 2009-07-13 20:45 - 00015792 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-28 19:57 - 2009-07-13 20:45 - 00015792 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-28 19:50 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-28 19:50 - 2009-07-13 20:51 - 00144977 _____ C:\Windows\setupact.log
2013-10-24 11:17 - 2013-10-24 11:17 - 00000000 _____ C:\Users\Spike1770\Downloads\msert_exe.gyp1zys.partial
2013-10-24 10:44 - 2010-11-04 20:57 - 01365004 _____ C:\Windows\WindowsUpdate.log
2013-10-23 16:27 - 2013-10-23 16:24 - 00001668 _____ C:\Users\Tamara\Desktop\Antivirus Security Pro.lnk
2013-10-23 16:27 - 2013-10-23 16:24 - 00000118 _____ C:\Users\Tamara\Desktop\Antivirus Security Pro support.url
2013-10-23 14:13 - 2013-01-24 15:26 - 00000000 ____D C:\Users\Tamara\AppData\Local\Google
2013-10-22 07:37 - 2013-09-22 21:44 - 00000000 ____D C:\Users\Tamara\Documents\Circle
2013-10-21 17:49 - 2013-10-21 17:49 - 00011012 _____ C:\Users\Tamara\Downloads\attachment
2013-10-21 09:15 - 2010-12-11 18:08 - 00000052 _____ C:\Windows\SysWOW64\DOErrors.log
2013-10-21 09:14 - 2010-12-11 18:07 - 00000000 ____D C:\Users\Spike1770\AppData\Roaming\HP Support Assistant
2013-10-21 09:14 - 2010-11-06 18:33 - 00000000 ____D C:\Users\Spike1770\AppData\Roaming\HpUpdate
2013-10-19 19:32 - 2010-11-04 20:46 - 00276038 _____ C:\Windows\PFRO.log
2013-10-18 11:51 - 2013-10-18 11:51 - 00000000 ____D C:\Users\Tamara\AppData\Local\Microsoft Help
2013-10-18 11:38 - 2013-09-07 20:23 - 00000000 ____D C:\ProgramData\CanonIJPLM
2013-10-17 20:21 - 2013-02-14 21:45 - 00002145 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-10-15 16:42 - 2013-01-28 09:04 - 00003188 _____ C:\Windows\System32\Tasks\HPCeeScheduleForTamara
2013-10-15 16:42 - 2013-01-28 09:04 - 00000336 _____ C:\Windows\Tasks\HPCeeScheduleForTamara.job
2013-10-15 11:28 - 2013-04-09 18:29 - 00003194 _____ C:\Windows\System32\Tasks\HPCeeScheduleForCharlie
2013-10-15 11:28 - 2013-04-09 18:29 - 00000340 _____ C:\Windows\Tasks\HPCeeScheduleForCharlie.job
2013-10-14 20:09 - 2013-10-07 20:09 - 00000000 ____D C:\Users\Madeline\AppData\Roaming\Canon
2013-10-12 15:14 - 2013-02-14 21:44 - 00003900 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-12 15:14 - 2013-02-14 21:44 - 00003648 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-10-11 16:06 - 2013-05-09 15:03 - 00000000 ____D C:\Users\Madeline\AppData\Local\Google
2013-10-11 01:11 - 2013-02-14 19:29 - 00047482 _____ C:\Users\Tamara\Desktop\2013.xlsm
2013-10-08 15:31 - 2013-02-14 21:44 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-10-08 15:31 - 2013-02-14 21:44 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-10-08 15:31 - 2012-03-04 13:51 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-10-07 17:48 - 2010-11-04 20:13 - 00003210 _____ C:\Windows\System32\Tasks\HPCeeScheduleForSpike1770
2013-10-07 17:48 - 2010-11-04 20:13 - 00000348 _____ C:\Windows\Tasks\HPCeeScheduleForSpike1770.job
2013-10-06 17:01 - 2013-04-21 14:45 - 00000000 ____D C:\Users\Akeely\AppData\Local\Google
2013-10-06 15:01 - 2013-02-14 21:44 - 00000000 ____D C:\Users\Spike1770\AppData\Local\Google
2013-10-05 14:36 - 2013-10-05 14:34 - 00000000 ____D C:\Users\Tamara\Desktop\party
2013-10-05 06:04 - 2013-02-15 12:26 - 00000000 ____D C:\Users\Charlie\AppData\Local\Google
2013-10-03 18:48 - 2013-10-03 18:47 - 01143786 _____ C:\Users\Tamara\Downloads\fwdcirclebooster.zip
2013-09-30 18:14 - 2009-07-13 21:08 - 00032614 _____ C:\Windows\Tasks\SCHEDLGU.TXT
 
Files to move or delete:
====================
ZeroAccess:
C:\Users\Tamara\AppData\Local\Google\Desktop\Install
 
 
Some content of TEMP:
====================
C:\Users\Akeely\AppData\Local\Temp\burnsetup.exe
C:\Users\Akeely\AppData\Local\Temp\install_flashplayer11x32ax_aaa_aih.exe
C:\Users\Akeely\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_aih[1].exe
C:\Users\Akeely\AppData\Local\Temp\mpsetup.exe
C:\Users\Akeely\AppData\Local\Temp\ripsetup.exe
C:\Users\Akeely\AppData\Local\Temp\soxdec.exe
C:\Users\Charlie\AppData\Local\Temp\14632675.exe
C:\Users\Charlie\AppData\Local\Temp\install_flashplayer11x32ax_aaa_aih.exe
C:\Users\Spike1770\AppData\Local\Temp\ApnIC.dll
C:\Users\Spike1770\AppData\Local\Temp\ApnStub.exe
C:\Users\Spike1770\AppData\Local\Temp\ApnToolbarInstaller.exe
C:\Users\Spike1770\AppData\Local\Temp\BearShare_setup.exe
C:\Users\Spike1770\AppData\Local\Temp\iMesh_setup.exe
C:\Users\Spike1770\AppData\Local\Temp\Installhelper.dll
C:\Users\Spike1770\AppData\Local\Temp\jre-6u38-windows-i586-iftw.exe
C:\Users\Spike1770\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Spike1770\AppData\Local\Temp\setupa2.exe
C:\Users\Spike1770\AppData\Local\Temp\SetupAC.exe
C:\Users\Spike1770\AppData\Local\Temp\sp49905.exe.exe
C:\Users\Spike1770\AppData\Local\Temp\SRAssetsHelper.dll
C:\Users\Spike1770\AppData\Local\Temp\uninstall.exe
C:\Users\Spike1770\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\Spike1770\AppData\Local\Temp\YontooSetup-Silent.exe
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
4
Restore point made on: 2013-10-07 02:11:46
Restore point made on: 2013-10-10 07:26:54
Restore point made on: 2013-10-16 01:59:36
Restore point made on: 2013-10-23 15:24:11
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 5879.08 MB
Available physical RAM: 4943.41 MB
Total Pagefile: 5877.23 MB
Available Pagefile: 4963.99 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:920.06 GB) (Free:863.47 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (HP_RECOVERY) (Fixed) (Total:11.35 GB) (Free:1.38 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive k: (UDISK) (Removable) (Total:3.81 GB) (Free:3.81 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 932 GB) (Disk ID: 5F724CCC)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=920 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11 GB) - (Type=07 NTFS)
 
========================================================
Disk: 5 (Size: 4 GB) (Disk ID: 04030201)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)
 
 
LastRegBack: 2013-10-21 10:36
 
==================== End Of Log ============================


#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 31 October 2013 - 08:20 AM

Please do the following...

In a good computer:

Open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents inside the code box below to Notepad.

 
start
HKLM\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\n3VUpaVV\n3VUpaVV.exe -sm,
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Akeely\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
HKU\Spike1770\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
HKU\Tamara\...\Run: [Google Update] - [x]
HKU\Tamara\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
2013-10-23 16:27 - 2013-10-23 16:24 - 00001668 _____ C:\Users\Tamara\Desktop\Antivirus Security Pro.lnk
2013-10-23 16:27 - 2013-10-23 16:24 - 00000118 _____ C:\Users\Tamara\Desktop\Antivirus Security Pro support.url
C:\ProgramData\n3VUpaVV
C:\Users\Tamara\AppData\Local\Google\Desktop\Install
C:\Users\Akeely\AppData\Local\Temp\burnsetup.exe
C:\Users\Akeely\AppData\Local\Temp\install_flashplayer11x32ax_aaa_aih.exe
C:\Users\Akeely\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_aih[1].exe
C:\Users\Akeely\AppData\Local\Temp\mpsetup.exe
C:\Users\Akeely\AppData\Local\Temp\ripsetup.exe
C:\Users\Akeely\AppData\Local\Temp\soxdec.exe
C:\Users\Charlie\AppData\Local\Temp\14632675.exe
C:\Users\Charlie\AppData\Local\Temp\install_flashplayer11x32ax_aaa_aih.exe
C:\Users\Spike1770\AppData\Local\Temp\ApnIC.dll
C:\Users\Spike1770\AppData\Local\Temp\ApnStub.exe
C:\Users\Spike1770\AppData\Local\Temp\ApnToolbarInstaller.exe
C:\Users\Spike1770\AppData\Local\Temp\BearShare_setup.exe
C:\Users\Spike1770\AppData\Local\Temp\iMesh_setup.exe
C:\Users\Spike1770\AppData\Local\Temp\Installhelper.dll
C:\Users\Spike1770\AppData\Local\Temp\jre-6u38-windows-i586-iftw.exe
C:\Users\Spike1770\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Spike1770\AppData\Local\Temp\setupa2.exe
C:\Users\Spike1770\AppData\Local\Temp\SetupAC.exe
C:\Users\Spike1770\AppData\Local\Temp\sp49905.exe.exe
C:\Users\Spike1770\AppData\Local\Temp\SRAssetsHelper.dll
C:\Users\Spike1770\AppData\Local\Temp\uninstall.exe
C:\Users\Spike1770\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\Spike1770\AppData\Local\Temp\YontooSetup-Silent.exe
end 
  • In Notepad, go to File > Save as...
  • Save to: the USB pen drive.
  • In File name use: fixlist.txt
  • Click: Save
Both FRST.exe and the fixlist.txt must be on the pen drive.

Next, plug the pen drive into the infected computer.

Now, please enter System Recovery Options like you did previously:
  • >>> Restart the computer, etc. > select: Command Prompt
  • Type x:\frst64.exe, and press: Enter
  • Replace the drive letter x with the drive letter of your pen drive!
  • In FRST, this time press the Fix button.
  • The program saves a Fixlog.txt, on the pen drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Back at the System Recovery Options, press: Restart
  • Let the computer boot normally.
Please copy/paste the Fixlog.txt in your reply.

Also, are you able to boot to Windows, normally?

Edited by Aaflac, 01 November 2013 - 06:24 PM.

Old duck...
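The log in #5 and the fixlist in #6 show the two persistence mechanisms this infection used: a Winlogon Userinit value that launches a second program after userinit.exe, and Run values pointing at a self-named executable under C:\ProgramData. The script below is an added example (not part of FRST, and not Aaflac's procedure) that applies those two heuristics to FRST log lines and drafts a fixlist from the confirmed hits, in the same format as the one posted above. The sample lines are copied from the FRST.txt in #5; the severity tiers and the fixlist builder are this example's own assumptions, and the "review" tier is deliberately left out of the draft so a human decides on it.

```python
"""Triage an FRST log for Userinit hijacks and self-named Run entries, then
draft an FRST fixlist from the high-confidence findings. Added example; the
heuristics here are not FRST's own logic."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: six lines lifted from the FRST.txt posted in #5.
SAMPLE_LOG = r"""
HKLM\...\Run: [hpsysdrv] - C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\n3VUpaVV\n3VUpaVV.exe -sm,
HKU\Charlie\...\Run: [GameServer33] - C:\Users\Charlie\AppData\Roaming\Hewlett-Packard\WIN7082.exe [124928 2013-09-20] ()
HKU\Tamara\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
AppInit_DLLs: C:\PROGRA~2\SEARCH~1\SEARCH~1\x64\datamngr.dll C:\PROGRA~2\SEARCH~1\SEARCH~1\x64\IEBHO.dll  [535176 2013-10-23] ()
"""

USERINIT_RE = re.compile(r"Winlogon: \[Userinit\] (.+)$")
# hive, value name, target, optional "[size date]", optional "(publisher)"
RUN_RE = re.compile(
    r"^(HKLM(?:-x32)?|HKU\\[^\\]+)\\\.\.\.\\Run: \[([^\]]+)\] - (.+?)"
    r"(?: \[\d+ [\d-]+\])?(?: \(([^)]*)\))?\s*$")
APPINIT_RE = re.compile(r"^AppInit_DLLs(?:-x32)?: (.*)$")
USER_DIR_RE = re.compile(r"\\(programdata|users\\[^\\]+\\appdata)\\", re.I)
# The only components a Userinit value should contain (assumption for this example).
LEGIT_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}


@dataclass
class Finding:
    severity: str          # "high" = include in draft fixlist, "review" = human decides
    reason: str
    line: str              # the FRST log line, verbatim, as fixlists expect it
    path: Optional[str] = None


def _executable_path(value: str) -> str:
    """Drop trailing arguments such as ' -sm' from a command line."""
    m = re.match(r"(.+?\.(?:exe|dll|cpl))(?:\s|$)", value, re.I)
    return m.group(1) if m else value.strip()


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = USERINIT_RE.search(line)
        if m:
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            extras = [p for p in parts if p.lower() not in LEGIT_USERINIT]
            if extras:   # Userinit runs something besides userinit.exe at every logon
                findings.append(Finding("high", "Userinit launches extra program(s): "
                                        + "; ".join(extras), line, _executable_path(extras[0])))
            continue
        m = RUN_RE.match(line)
        if m:
            _hive, name, target, publisher = m.groups()
            path = _executable_path(target)
            in_user_dir = bool(USER_DIR_RE.search(path))
            parts = path.split("\\")
            # folder name equals executable name, e.g. n3VUpaVV\n3VUpaVV.exe
            self_named = len(parts) >= 2 and parts[-2].lower() == parts[-1].rsplit(".", 1)[0].lower()
            if in_user_dir and self_named:
                findings.append(Finding("high", f"Run value '{name}' starts a self-named "
                                        "executable from a user-writable folder", line, path))
            elif in_user_dir and not publisher:
                findings.append(Finding("review", f"Run value '{name}' starts an unsigned "
                                        "executable from a user-writable folder", line, path))
            continue
        m = APPINIT_RE.match(line)
        if m and ".dll" in m.group(1).lower():
            findings.append(Finding("review", "AppInit_DLLs loads DLLs into every process", line))
    return findings


def build_fixlist(findings: List[Finding]) -> str:
    """FRST fixlist: 'start', the offending log lines verbatim, folders to move, 'end'."""
    lines = ["start"]
    folders: List[str] = []
    for f in findings:
        if f.severity != "high":
            continue
        lines.append(f.line)
        if f.path:
            folder = f.path.rsplit("\\", 1)[0]
            if folder not in folders:
                folders.append(folder)
    lines.extend(folders)
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print(build_fixlist(found))
```

Run against the sample, the draft fixlist contains the three AS2014/Userinit lines and C:\ProgramData\n3VUpaVV, which is exactly the registry part of the fixlist Aaflac posted; GameServer33 and the AppInit_DLLs entry are reported for review only, which matches the helper leaving them alone in this round.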


#7 KellyV6726

KellyV6726
  • Topic Starter

  • Members
  • 4 posts

Posted 01 November 2013 - 06:32 PM

Yes, I can boot Windows normally!!
 
 
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-10-2013
Ran by SYSTEM at 2013-11-01 16:27:30 Run:1
Running from K:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
start
HKLM\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\n3VUpaVV\n3VUpaVV.exe -sm,
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Akeely\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
HKU\Spike1770\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
HKU\Tamara\...\Run: [Google Update] - [x]
HKU\Tamara\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
2013-10-23 16:27 - 2013-10-23 16:24 - 00001668 _____ C:\Users\Tamara\Desktop\Antivirus Security Pro.lnk
2013-10-23 16:27 - 2013-10-23 16:24 - 00000118 _____ C:\Users\Tamara\Desktop\Antivirus Security Pro support.url
C:\Users\Tamara\AppData\Local\Google\Desktop\Install
C:\Users\Akeely\AppData\Local\Temp\burnsetup.exe
C:\Users\Akeely\AppData\Local\Temp\install_flashplayer11x32ax_aaa_aih.exe
C:\Users\Akeely\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_aih[1].exe
C:\Users\Akeely\AppData\Local\Temp\mpsetup.exe
C:\Users\Akeely\AppData\Local\Temp\ripsetup.exe
C:\Users\Akeely\AppData\Local\Temp\soxdec.exe
C:\Users\Charlie\AppData\Local\Temp\14632675.exe
C:\Users\Charlie\AppData\Local\Temp\install_flashplayer11x32ax_aaa_aih.exe
C:\Users\Spike1770\AppData\Local\Temp\ApnIC.dll
C:\Users\Spike1770\AppData\Local\Temp\ApnStub.exe
C:\Users\Spike1770\AppData\Local\Temp\ApnToolbarInstaller.exe
C:\Users\Spike1770\AppData\Local\Temp\BearShare_setup.exe
C:\Users\Spike1770\AppData\Local\Temp\iMesh_setup.exe
C:\Users\Spike1770\AppData\Local\Temp\Installhelper.dll
C:\Users\Spike1770\AppData\Local\Temp\jre-6u38-windows-i586-iftw.exe
C:\Users\Spike1770\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Spike1770\AppData\Local\Temp\setupa2.exe
C:\Users\Spike1770\AppData\Local\Temp\SetupAC.exe
C:\Users\Spike1770\AppData\Local\Temp\sp49905.exe.exe
C:\Users\Spike1770\AppData\Local\Temp\SRAssetsHelper.dll
C:\Users\Spike1770\AppData\Local\Temp\uninstall.exe
C:\Users\Spike1770\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\Spike1770\AppData\Local\Temp\YontooSetup-Silent.exe
end 
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\AS2014 => Value deleted successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value was restored successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\\\igfxcui => Value not found.
HKU\Akeely\Software\Microsoft\Windows\CurrentVersion\Run\\AS2014 => Value deleted successfully.
HKU\Spike1770\Software\Microsoft\Windows\CurrentVersion\Run\\AS2014 => Value deleted successfully.
HKU\Tamara\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update => Value not found.
HKU\Tamara\Software\Microsoft\Windows\CurrentVersion\Run\\AS2014 => Value deleted successfully.
C:\Users\Tamara\Desktop\Antivirus Security Pro.lnk => Moved successfully.
C:\Users\Tamara\Desktop\Antivirus Security Pro support.url => Moved successfully.
C:\Users\Tamara\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Users\Akeely\AppData\Local\Temp\burnsetup.exe => Moved successfully.
C:\Users\Akeely\AppData\Local\Temp\install_flashplayer11x32ax_aaa_aih.exe => Moved successfully.
C:\Users\Akeely\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_aih[1].exe => Moved successfully.
C:\Users\Akeely\AppData\Local\Temp\mpsetup.exe => Moved successfully.
C:\Users\Akeely\AppData\Local\Temp\ripsetup.exe => Moved successfully.
C:\Users\Akeely\AppData\Local\Temp\soxdec.exe => Moved successfully.
C:\Users\Charlie\AppData\Local\Temp\14632675.exe => Moved successfully.
C:\Users\Charlie\AppData\Local\Temp\install_flashplayer11x32ax_aaa_aih.exe => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\ApnIC.dll => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\ApnStub.exe => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\ApnToolbarInstaller.exe => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\BearShare_setup.exe => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\iMesh_setup.exe => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\Installhelper.dll => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\jre-6u38-windows-i586-iftw.exe => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\MSETUP4.EXE => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\setupa2.exe => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\SetupAC.exe => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\sp49905.exe.exe => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\SRAssetsHelper.dll => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\uninstall.exe => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\UninstallHPTCA.exe => Moved successfully.
C:\Users\Spike1770\AppData\Local\Temp\YontooSetup-Silent.exe => Moved successfully.
 
==== End of Fixlog ====
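A Fixlog reports one "=> result" line per fixlist entry, and the three outcomes seen above (deleted, restored, not found, moved) are what a helper reads before deciding whether the run is complete. The script below is an added example (not FRST code) that cross-references the fixlist echoed at the top of a Fixlog with the result lines and reports entries that were not found or got no result at all. The sample is constructed from a subset of the fixlist in #6 and the results in #7; because the C:\ProgramData\n3VUpaVV line from #6 has no matching result line in #7, it surfaces as unaccounted. Matching registry entries by hive plus value name, and treating Winlogon\Notify lines as HKLM, are this example's assumptions about FRST's output format.

```python
"""Cross-check an FRST Fixlog: which fixlist entries were actioned, which were
reported 'not found', and which never got a result line. Added example; the
key-matching rules are assumptions about FRST's output, not FRST's own code."""
import re
from typing import Dict, List, Tuple

# Constructed sample: subset of the fixlist from #6 plus result lines from #7.
SAMPLE_FIXLOG = r"""
Content of fixlist:
*****************
start
HKLM\...\Run: [AS2014] - C:\ProgramData\n3VUpaVV\n3VUpaVV.exe [535176 2013-10-23] ()
HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\n3VUpaVV\n3VUpaVV.exe -sm,
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Tamara\...\Run: [Google Update] - [x]
2013-10-23 16:27 - 2013-10-23 16:24 - 00001668 _____ C:\Users\Tamara\Desktop\Antivirus Security Pro.lnk
C:\ProgramData\n3VUpaVV
C:\Users\Tamara\AppData\Local\Google\Desktop\Install
C:\Users\Akeely\AppData\Local\Temp\burnsetup.exe
end
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\AS2014 => Value deleted successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value was restored successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\\\igfxcui => Value not found.
HKU\Tamara\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update => Value not found.
C:\Users\Tamara\Desktop\Antivirus Security Pro.lnk => Moved successfully.
C:\Users\Tamara\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Users\Akeely\AppData\Local\Temp\burnsetup.exe => Moved successfully.

==== End of Fixlog ====
"""

Key = Tuple[str, ...]


def _fixlist_key(entry: str) -> Key:
    """Normalise a fixlist line to (kind, hive, name) or (kind, path)."""
    m = re.match(r"^(HKLM|HKU\\[^\\]+)\\\.\.\.\\\w+: \[([^\]]+)\]", entry)
    if m:
        return ("reg", m.group(1).lower(), m.group(2).lower())
    m = re.match(r"^Winlogon\\Notify\\([^:]+):", entry)
    if m:   # assumption: FRST reports Notify subkeys under HKLM
        return ("reg", "hklm", m.group(1).lower())
    # dated file line: "created - modified - size flags path"
    m = re.match(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - .+? - \d{8} [_A-Z]{5} (.+)$", entry)
    if m:
        return ("file", m.group(1).strip().lower())
    return ("file", entry.strip().lower())


def _result_key(left: str) -> Key:
    """Normalise the left side of a 'X => result' line the same way."""
    if left.startswith("HK"):
        parts = left.split("\\")
        hive = parts[0] if parts[0] == "HKLM" else "\\".join(parts[:2])
        name = left.rstrip("\\").rsplit("\\", 1)[-1]
        return ("reg", hive.lower(), name.lower())
    return ("file", left.strip().lower())


def check_fixlog(text: str) -> Dict[str, list]:
    entries: List[str] = []
    results: Dict[Key, str] = {}
    in_list = False
    for line in text.splitlines():
        s = line.strip()
        if s == "start":
            in_list = True
            continue
        if s == "end":
            in_list = False
            continue
        if in_list and s:
            entries.append(s)
            continue
        m = re.match(r"^(.+?) => (.+)$", s)
        if m:
            results[_result_key(m.group(1))] = m.group(2)
    report: Dict[str, list] = {"done": [], "not_found": [], "unaccounted": []}
    for e in entries:
        r = results.get(_fixlist_key(e))
        if r is None:
            report["unaccounted"].append(e)       # no result line at all: re-check by hand
        elif "not found" in r.lower():
            report["not_found"].append((e, r))    # already gone, or the log line was stale
        else:
            report["done"].append((e, r))
    return report


if __name__ == "__main__":
    for kind, items in check_fixlog(SAMPLE_FIXLOG).items():
        print(kind, len(items))
        for item in items:
            print("   ", item)
```

"Not found" is not an error: the igfxcui Notify entry and the Tamara "Google Update" value were already absent when the fix ran, which is the same outcome the real Fixlog above shows. An unaccounted entry is the one that deserves a second look before declaring the fix complete.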


#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 01 November 2013 - 07:13 PM

Please download a new copy of the Farbar Recovery Scan Tool to the Desktop:
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

 

Run FRST...

Click Yes to the Disclaimer.

 

Press the Scan button.

 

The scan runs, and the program saves FRST.txt on the Desktop.

 

Please provide the new FRST.txt in your reply.


Old duck...




