Police virus! Please help!



OK, you have probably heard this before, but I'm infected with the UKash police virus. I have already tried some things that you can find about it on the internet, but I cannot start in any of the three safe modes. I tried creating a HitmanPro Kickstart USB, but once I try to boot from that USB, it doesn't let me. The same goes for those CDs. I tried with Windows Bit Defender, but once I go to the boot menu and try to boot from that CD, it's just the same as it was before. Also, after a couple of days, I don't get the police virus screen anymore, but I just get a white screen! Does anybody have an idea of what's happening and how to resolve it? I have an Asus laptop and my OS is Windows 7. Thanks a lot!


Run Farbar Recovery Scan Tool, download and save the appropriate version for your system to a USB stick:

Download http://www.bleepingc...can-tool/dl/81/ <-- 32 bit version

Download http://www.bleepingc...can-tool/dl/82/ <-- 64 bit version

Plug the USB stick into the infected PC.

Enter System Recovery Options. I give two methods; use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version of Windows 7, press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Kevin


Hi Kevin. Thanks, I will try it later today. Maybe useful to note that it seems to be a pretty new version of the virus (I think). In this version of the virus, they also take a picture of you with the webcam and display it in the notification where they are talking about the crime. Don't know if it makes any difference, but since there are several versions of the virus, and thus several deleting methods, it might be useful information.

Bart


Here is the log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-12-2012 (ATTENTION: FRST version is 6 days old)

Ran by SYSTEM at 17-12-2012 20:40:57

Running from H:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /SF3 [2189416 2011-03-01] (Realtek Semiconductor)

HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324096 2010-08-10] (Alcor Micro Corp.)

HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2587944 2010-12-13] (ELAN Microelectronics Corp.)

HKLM\...\Run: [intelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4526 2010-11-29] ()

HKLM\...\Run: [setwallpaper] c:\programdata\SetWallpaper.cmd [x]

HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)

HKLM-x32\...\Run: [ASUSPRP] "C:\Program Files (x86)\ASUS\APRP\APRP.EXE" [2018032 2011-04-12] (ASUSTek Computer Inc.)

HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe /S [731472 2011-02-23] (ecareme)

HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [5732992 2010-08-17] (ASUS)

HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2010-10-07] (ASUS)

HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)

HKLM-x32\...\Run: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [1601536 2010-09-23] ()

HKLM-x32\...\Run: [updateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [updateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2221352 2008-06-09] (Nero AG)

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [31072 2008-10-25] (Microsoft Corporation)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-06-06] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-08-09] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2010-08-31] (Apple Inc.)

HKLM-x32\...\Run: [facemoods] "C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I [362200 2011-09-05] (facemoods.com)

HKLM-x32\...\Run: [EasyDownloads] "C:\Program Files (x86)\Easy Downloads\easydownloads.exe" -tray [854040 2011-10-25] (http://izloader.com/)

HKLM-x32\...\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [3508624 2011-12-27] (Samsung Electronics Co., Ltd.)

HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)

HKLM-x32\...\Run: [sweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe [115032 2012-10-04] (SweetIM Technologies Ltd.)

HKLM-x32\...\Run: [sweetpacks Communicator] C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe [231768 2012-08-15] (SweetIM Technologies Ltd.)

HKU\Bart\...\Run: [ZoomText] "C:\Program Files (x86)\ZoomText 9.1\ZT.exe" /AUTOSTART [3536192 2011-03-15] (Ai Squared )

HKU\Bart\...\Run: [msnmsgr] ~"C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4283256 2011-05-13] (Microsoft Corporation)

HKU\Bart\...\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [17418928 2012-07-13] (Skype Technologies S.A.)

HKU\Bart\...\Run: [spotify] "C:\Users\Bart\Spotify Installer.exe" /uri spotify:autostart [6818944 2012-01-11] (Spotify Ltd)

HKU\Bart\...\Run: [KiesHelper] C:\Program Files (x86)\Samsung\Kies\KiesHelper.exe /s [937360 2011-12-27] (Samsung)

HKU\Bart\...\Run: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [21392 2011-12-27] ()

HKU\Bart\...\Run: [update] C:\Users\Bart\AppData\Roaming\cgs8h0.exe [x]

HKU\Bart\...\Run: [spotify Web Helper] "C:\Users\Bart\Data\SpotifyWebHelper.exe" [1199576 2012-12-10] (Spotify Ltd)

HKU\Bart\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_Plugin.exe -update plugin [247968 2011-12-06] (Adobe Systems, Inc.)

HKU\Bart\...\CurrentVersion\Windows: [Load] C:\Users\Bart\LOCALS~1\Temp\msbbqtiuf.pif

HKU\Bart\...\Winlogon: [shell] explorer.exe,C:\Users\Bart\AppData\Roaming\skype.dat [65536 2011-11-16] ()

HKU\UpdatusUser\...\Run: [iSUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [x]

HKLM\...\Policies\Explorer\Run: [45253] C:\PROGRA~3\LOCALS~1\Temp\msfiufky.com

Tcpip\Parameters: [DhcpNameServer] 87.216.1.65 87.216.1.66

AppInit_DLLs: C:\Windows\system32\nvinitx.dll

Startup: C:\Users\All Users\Start Menu\Programs\Startup\AsusVibeLauncher.lnk

ShortcutTarget: AsusVibeLauncher.lnk -> C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe ()

Startup: C:\Users\All Users\Start Menu\Programs\Startup\FancyStart daemon.lnk

ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_94E3CE3704FE82FBF49A6A.exe ()

Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)

==================== Services (Whitelisted) ===================

2 ATKGFNEXSrv; C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [96896 2009-12-15] (ASUS)

2 Crypkey License; crypserv.exe [122880 2007-05-23] (CrypKey (Canada) Ltd.)

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)

3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)

2 Nero BackItUp Scheduler 3; C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe [877864 2008-06-09] (Nero AG)

2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)

2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.)

2 ZoomText Helper Service; C:\Program Files (x86)\ZoomText 9.1\ZoomTextHelperService.exe [11776 2011-03-15] (Ai Squared )

4 Browser Manager; C:\ProgramData\Browser Manager\2.3.765.24\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe [x]

==================== Drivers (Whitelisted) =====================

1 Ai2Chroniker; C:\Windows\System32\Drivers\Ai2Chroniker.sys [12872 2011-01-26] (Ai Squared )

3 Ai2Mmpd; C:\Windows\System32\Drivers\Ai2Mmpd.sys [11848 2011-01-26] (Ai Squared )

1 Ai2sXP; C:\Windows\SysWow64\Drivers\Ai2sXP.sys [7680 2011-03-15] (Ai Squared )

1 ATKWMIACPIIO; \??\C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [17024 2010-07-26] (ASUS)

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20111014.001\BHDrvx64.sys [1155704 2011-10-14] (Symantec Corporation)

1 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1309000.009\ccSetx64.sys [167072 2012-06-06] (Symantec Corporation)

1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-09-29] (Symantec Corporation)

1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20111028.030\IDSvia64.sys [488568 2011-09-27] (Symantec Corporation)

3 kbfiltr; C:\Windows\System32\Drivers\kbfiltr.sys [15416 2009-07-20] ( )

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)

0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)

3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20111028.002\ENG64.SYS [117880 2011-10-28] (Symantec Corporation)

3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20111028.002\EX64.SYS [2048632 2011-10-28] (Symantec Corporation)

1 NetworkX; C:\Windows\system32\ckldrv.sys [27904 2007-05-17] ()

2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)

3 SRTSP; C:\Windows\System32\Drivers\NISx64\1309000.009\SRTSP64.SYS [737952 2012-07-05] (Symantec Corporation)

1 SRTSPX; C:\Windows\system32\drivers\NISx64\1309000.009\SRTSPX64.SYS [37536 2012-07-05] (Symantec Corporation)

0 SymDS; C:\Windows\System32\drivers\NISx64\1309000.009\SYMDS64.SYS [451192 2011-07-25] (Symantec Corporation)

0 SymEFA; C:\Windows\System32\drivers\NISx64\1309000.009\SYMEFA64.SYS [1129120 2012-05-21] (Symantec Corporation)

3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-03-26] (Symantec Corporation)

1 SymIRON; C:\Windows\system32\drivers\NISx64\1309000.009\Ironx64.SYS [190072 2012-04-17] (Symantec Corporation)

1 SymNetS; C:\Windows\System32\Drivers\NISx64\1309000.009\SYMNETS.SYS [405624 2012-04-17] (Symantec Corporation)

2 TMAgent; [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-12-17 20:40 - 2012-12-17 20:40 - 00000000 ____D C:\FRST

2012-12-16 10:53 - 2012-12-16 10:53 - 00000000 __SHD C:\found.004

2012-12-16 10:42 - 2012-12-16 10:42 - 00000000 ____D C:\Users\Bart\AppData\Local\{3EF0CCAB-916C-40FE-B35E-BE355400DE57}

2012-12-16 10:30 - 2012-12-16 10:30 - 00000000 ____D C:\Users\Bart\AppData\Local\{05D6555B-FBEF-42DF-AA9E-5F81B0B4D4AC}

2012-12-16 10:21 - 2012-12-16 10:21 - 00000000 ____D C:\Users\Bart\AppData\Local\{35E6D69B-D80B-4EFA-94F6-12AB221C8269}

2012-12-14 13:28 - 2012-12-14 13:28 - 00000000 ____D C:\Users\Bart\AppData\Local\{939EED2D-AB4E-45AA-95AE-AE52D39E95AF}

2012-12-14 13:13 - 2012-12-14 13:13 - 00000000 ____D C:\Users\Bart\AppData\Local\{3EB5FAE5-3745-43FB-819C-5D7D83C515F5}

2012-12-14 11:12 - 2012-12-14 11:12 - 00000000 ____D C:\Users\Bart\AppData\Local\{80BA97E8-C8D3-425D-8B28-14168DB835F7}

2012-12-14 11:07 - 2012-12-14 11:07 - 00016376 ____N C:\bootsqm.dat

2012-12-10 15:13 - 2012-12-16 10:46 - 00000004 ____A C:\Users\Bart\AppData\Roaming\skype.ini

2012-12-10 15:12 - 2012-12-10 15:12 - 00000000 ____D C:\Windows\Sun

2012-12-10 14:20 - 2012-12-10 14:20 - 00000000 ____D C:\Users\Bart\AppData\Local\{CF9437E2-7515-499B-A6E2-803D5004A866}

2012-12-07 08:51 - 2012-12-08 05:58 - 00000000 ____D C:\Users\Bart\Documents\Piso Vallcarca

2012-12-07 06:59 - 2012-12-08 05:09 - 00000000 ____D C:\Users\Bart\AppData\Local\{F71D5597-A387-48B3-9C5F-1F9993328722}

2012-12-04 13:20 - 2012-12-04 13:20 - 00000000 ____D C:\Users\Bart\AppData\Local\{921DC5D8-2443-46A7-92FB-7D93FEB26036}

2012-12-02 10:41 - 2012-12-02 10:41 - 00000000 ____D C:\Users\Bart\AppData\Local\{32498AFE-22E5-4536-B70D-9715F5934280}

2012-11-29 14:37 - 2012-11-29 14:37 - 00000000 ____D C:\Users\Bart\AppData\Local\{E6F9C60E-4989-4721-BBD1-6B5362FDBB18}

2012-11-26 13:05 - 2012-11-26 13:05 - 00000000 ____D C:\Users\Bart\AppData\Local\{8FC59FF3-0A90-4380-B620-0FCD48683A61}

2012-11-18 06:34 - 2012-11-25 13:05 - 00000000 ____D C:\Users\Bart\AppData\Local\{406BE732-ADC0-446B-88BE-01FD7F79566F}

2012-11-17 04:40 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys

2012-11-17 04:40 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys

2012-11-17 04:40 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll

2012-11-17 04:40 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf

2012-11-17 04:30 - 2012-10-08 03:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-11-17 04:30 - 2012-10-08 03:24 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-11-17 04:30 - 2012-10-08 03:22 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-11-17 04:30 - 2012-10-08 03:22 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-11-17 04:30 - 2012-10-08 03:18 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-11-17 04:30 - 2012-10-08 03:15 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-11-17 04:30 - 2012-10-08 03:13 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-11-17 04:30 - 2012-10-08 03:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-11-17 04:30 - 2012-10-08 03:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-11-17 04:30 - 2012-10-07 23:48 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-11-17 04:30 - 2012-10-07 23:47 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-11-17 04:30 - 2012-10-07 23:46 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-11-17 04:30 - 2012-10-07 23:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-11-17 04:30 - 2012-10-07 23:43 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-11-17 04:30 - 2012-10-07 23:42 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-11-17 04:30 - 2012-10-07 23:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-11-17 04:30 - 2012-10-07 23:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-11-17 04:30 - 2012-10-07 23:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-11-17 04:29 - 2012-10-08 04:19 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-11-17 04:29 - 2012-10-08 03:42 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-11-17 04:29 - 2012-10-08 03:23 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-11-17 04:29 - 2012-10-08 03:20 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-11-17 04:29 - 2012-10-08 03:17 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-11-17 04:29 - 2012-10-08 03:17 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-11-17 04:29 - 2012-10-08 03:15 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-11-17 04:29 - 2012-10-08 00:28 - 12320768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-11-17 04:29 - 2012-10-08 00:02 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-11-17 04:29 - 2012-10-07 23:56 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-11-17 04:29 - 2012-10-07 23:48 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-11-17 04:29 - 2012-10-07 23:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-11-17 04:29 - 2012-10-07 23:43 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-11-17 04:29 - 2012-10-07 23:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-11-17 04:28 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll

2012-11-17 04:28 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe

2012-11-17 04:28 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll

2012-11-17 04:28 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll

2012-11-17 04:28 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll

2012-11-17 04:28 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys

2012-11-17 04:28 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys

2012-11-17 04:28 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf

==================== One Month Modified Files and Folders =======

2012-12-17 20:40 - 2012-12-17 20:40 - 00000000 ____D C:\FRST

2012-12-16 11:38 - 2011-07-23 13:40 - 01364596 ____A C:\Windows\WindowsUpdate.log

2012-12-16 11:36 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-12-16 11:36 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-12-16 11:28 - 2011-09-30 09:51 - 00049724 ____A C:\Windows\error.log

2012-12-16 11:28 - 2011-09-28 08:06 - 00045056 ____A C:\Windows\System32\acovcnt.exe

2012-12-16 11:28 - 2011-04-12 18:33 - 00001066 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-12-16 11:28 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-12-16 11:27 - 2009-07-13 20:51 - 00104083 ____A C:\Windows\setupact.log

2012-12-16 10:53 - 2012-12-16 10:53 - 00000000 __SHD C:\found.004

2012-12-16 10:46 - 2012-12-10 15:13 - 00000004 ____A C:\Users\Bart\AppData\Roaming\skype.ini

2012-12-16 10:42 - 2012-12-16 10:42 - 00000000 ____D C:\Users\Bart\AppData\Local\{3EF0CCAB-916C-40FE-B35E-BE355400DE57}

2012-12-16 10:42 - 2011-10-10 18:03 - 00000000 ____D C:\Users\Bart\Tracing

2012-12-16 10:30 - 2012-12-16 10:30 - 00000000 ____D C:\Users\Bart\AppData\Local\{05D6555B-FBEF-42DF-AA9E-5F81B0B4D4AC}

2012-12-16 10:21 - 2012-12-16 10:21 - 00000000 ____D C:\Users\Bart\AppData\Local\{35E6D69B-D80B-4EFA-94F6-12AB221C8269}

2012-12-14 21:33 - 2011-04-12 17:38 - 00004606 ____A C:\Windows\AsRecoveryHD.log

2012-12-14 21:33 - 2009-07-28 21:20 - 00000000 ____D C:\Windows\Log

2012-12-14 21:30 - 2011-04-12 17:38 - 00032777 ____A C:\Windows\AsFac.log

2012-12-14 13:28 - 2012-12-14 13:28 - 00000000 ____D C:\Users\Bart\AppData\Local\{939EED2D-AB4E-45AA-95AE-AE52D39E95AF}

2012-12-14 13:13 - 2012-12-14 13:13 - 00000000 ____D C:\Users\Bart\AppData\Local\{3EB5FAE5-3745-43FB-819C-5D7D83C515F5}

2012-12-14 13:05 - 2011-04-12 18:33 - 00001070 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-12-14 11:12 - 2012-12-14 11:12 - 00000000 ____D C:\Users\Bart\AppData\Local\{80BA97E8-C8D3-425D-8B28-14168DB835F7}

2012-12-14 11:07 - 2012-12-14 11:07 - 00016376 ____N C:\bootsqm.dat

2012-12-10 15:19 - 2011-09-29 07:02 - 00000000 ____D C:\Users\Bart\AppData\Roaming\DivX

2012-12-10 15:12 - 2012-12-10 15:12 - 00000000 ____D C:\Windows\Sun

2012-12-10 14:35 - 2011-10-20 04:04 - 00000000 ____D C:\Users\Bart\AppData\Roaming\Spotify

2012-12-10 14:34 - 2011-10-20 04:04 - 00000000 ____D C:\Users\Bart\AppData\Local\Spotify

2012-12-10 14:34 - 2011-09-29 07:11 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2012-12-10 14:20 - 2012-12-10 14:20 - 00000000 ____D C:\Users\Bart\AppData\Local\{CF9437E2-7515-499B-A6E2-803D5004A866}

2012-12-10 14:19 - 2012-07-06 18:14 - 00117208 ____A (Spotify Ltd) C:\Users\Bart\SpotifyLauncher.exe

2012-12-10 14:19 - 2011-12-20 19:38 - 07880664 ____A (Spotify Ltd) C:\Users\Bart\spotify.exe

2012-12-10 14:19 - 2011-12-20 19:38 - 00000020 ____A C:\Users\Bart\inst_ver.dat

2012-12-10 14:19 - 2011-12-20 19:38 - 00000000 ____D C:\Users\Bart\Data

2012-12-10 14:19 - 2011-09-28 08:06 - 00000000 ____D C:\users\Bart

2012-12-08 05:58 - 2012-12-07 08:51 - 00000000 ____D C:\Users\Bart\Documents\Piso Vallcarca

2012-12-08 05:47 - 2011-10-16 03:53 - 00000000 ____D C:\Users\Bart\AppData\Roaming\Skype

2012-12-08 05:09 - 2012-12-07 06:59 - 00000000 ____D C:\Users\Bart\AppData\Local\{F71D5597-A387-48B3-9C5F-1F9993328722}

2012-12-07 08:57 - 2011-02-18 20:40 - 00713210 ____A C:\Windows\System32\perfh013.dat

2012-12-07 08:57 - 2011-02-18 20:40 - 00137550 ____A C:\Windows\System32\perfc013.dat

2012-12-07 08:57 - 2009-07-13 21:13 - 01580258 ____A C:\Windows\System32\PerfStringBackup.INI

2012-12-07 06:58 - 2011-07-23 13:54 - 00005674 ____A C:\Windows\System32\AutoRunFilter.ini

2012-12-04 13:20 - 2012-12-04 13:20 - 00000000 ____D C:\Users\Bart\AppData\Local\{921DC5D8-2443-46A7-92FB-7D93FEB26036}

2012-12-02 10:41 - 2012-12-02 10:41 - 00000000 ____D C:\Users\Bart\AppData\Local\{32498AFE-22E5-4536-B70D-9715F5934280}

2012-11-29 14:37 - 2012-11-29 14:37 - 00000000 ____D C:\Users\Bart\AppData\Local\{E6F9C60E-4989-4721-BBD1-6B5362FDBB18}

2012-11-26 13:05 - 2012-11-26 13:05 - 00000000 ____D C:\Users\Bart\AppData\Local\{8FC59FF3-0A90-4380-B620-0FCD48683A61}

2012-11-26 13:05 - 2011-10-16 03:53 - 00000000 ____D C:\Users\All Users\Skype

2012-11-25 13:05 - 2012-11-18 06:34 - 00000000 ____D C:\Users\Bart\AppData\Local\{406BE732-ADC0-446B-88BE-01FD7F79566F}

2012-11-17 05:07 - 2011-09-28 08:06 - 00117496 ____A C:\Users\Bart\AppData\Local\GDIPFONTCACHEV1.DAT

2012-11-17 05:05 - 2009-07-13 20:45 - 00450944 ____A C:\Windows\System32\FNTCACHE.DAT

2012-11-17 04:26 - 2012-11-16 11:48 - 00000000 ____D C:\Users\Bart\AppData\Local\{83014041-911F-48C2-9BC8-D56093704F15}

2012-11-17 04:26 - 2011-09-28 09:42 - 00000000 ____D C:\Users\All Users\Microsoft Help

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 9%

Total physical RAM: 8104.16 MB

Available physical RAM: 7305.76 MB

Total Pagefile: 8102.31 MB

Available Pagefile: 7302.57 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:186.3 GB) (Free:30.48 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive e: (DATA) (Fixed) (Total:254.45 GB) (Free:253.8 GB) NTFS

3 Drive f: (SDATA2) (Fixed) (Total:232.89 GB) (Free:232.79 GB) NTFS

5 Drive h: (USB DISK) (Removable) (Total:7.44 GB) (Free:7.44 GB) FAT32

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

7 Drive y: (SDATA1) (Fixed) (Total:232.87 GB) (Free:232.72 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 465 GB 0 B

Disk 1 Online 465 GB 1024 KB

Disk 2 Online 7627 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 232 GB 1024 KB

Partition 2 Primary 232 GB 232 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y SDATA1 NTFS Partition 232 GB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 F SDATA2 NTFS Partition 232 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 25 GB 1024 KB

Partition 2 Primary 186 GB 25 GB

Partition 0 Extended 254 GB 211 GB

Partition 3 Logical 254 GB 211 GB

==================================================================================

Disk: 1

Partition 1

Type : 1C

Hidden: Yes

Active: No

There is no volume associated with this partition.

=========================================================

Disk: 1

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 C OS NTFS Partition 186 GB Healthy

=========================================================

Disk: 1

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 E DATA NTFS Partition 254 GB Healthy

=========================================================

Partitions of Disk 2:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 7623 MB 4032 KB

==================================================================================

Disk: 2

Partition 1

Type : 0C

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 H USB DISK FAT32 Removable 7623 MB Healthy

=========================================================

Last Boot: 2012-11-20 13:35

==================== End Of Log =============================

Thanks a lot,

Bart


Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt


start
HKU\Bart\...\CurrentVersion\Windows: [Load] C:\Users\Bart\LOCALS~1\Temp\msbbqtiuf.pif
C:\Users\Bart\LOCALS~1\Temp\msbbqtiuf.pif
HKLM\...\Policies\Explorer\Run: [45253] C:\PROGRA~3\LOCALS~1\Temp\msfiufky.com
C:\PROGRA~3\LOCALS~1\Temp\msfiufky.com
end

Now please enter System Recovery Options as you did to get the log.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Post that log. Will your system boot OK?
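The fix above works by listing, in fixlist.txt, the exact FRST log line of each rogue autorun (so the tool deletes that registry value) followed by the file the value points at. As an added example that is not part of this thread and is not FRST's own code, here is a small Python triage script that reads FRST-style "Registry (Whitelisted)" lines like the ones in the log above, flags persistence locations that legitimate software essentially never uses (the Winlogon Shell value, the Windows\Load value, Policies\Explorer\Run), programs run from Temp or AppData\Roaming, and orphaned `[x]` entries, and prints a fixlist in the same start/end shape. The sample lines are constructed from entries in this thread's log; the heuristics, severities and function names are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input (not an FRST log file): six autorun lines in the
# shape FRST prints under "Registry (Whitelisted)", copied from entries in the
# thread's log. The first two are ordinary vendor autoruns; the other four are
# the ones a reviewer would single out.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [5732992 2010-08-17] (ASUS)
HKU\Bart\...\Run: [update] C:\Users\Bart\AppData\Roaming\cgs8h0.exe [x]
HKU\Bart\...\CurrentVersion\Windows: [Load] C:\Users\Bart\LOCALS~1\Temp\msbbqtiuf.pif
HKU\Bart\...\Winlogon: [shell] explorer.exe,C:\Users\Bart\AppData\Roaming\skype.dat [65536 2011-11-16] ()
HKLM\...\Policies\Explorer\Run: [45253] C:\PROGRA~3\LOCALS~1\Temp\msfiufky.com
"""

# "<key>: [<value name>] <command> [<size> <date>] (<publisher>)", or "... [x]"
# when FRST could not find the file on disk.
LINE_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# First program path in the command: a drive-letter or %VAR% root, up to an
# executable-style extension followed by a quote, whitespace, comma or end of line.
PATH_RE = re.compile(
    r'(?:[A-Za-z]:|%[^%]+%)\\.*?\.(?:exe|pif|com|scr|cmd|bat|vbs|dll|dat)(?=["\s,]|$)',
    re.IGNORECASE,
)
# Directories any user process can write to; legitimate autoruns rarely live there.
# LOCALS~1 is the 8.3 short name of "Local Settings", a junction into AppData\Local.
LOW_TRUST_DIRS = ("\\temp\\", "\\appdata\\roaming\\", "\\locals~1\\")


@dataclass
class Finding:
    line: str
    key: str
    name: str
    path: str
    severity: str
    reasons: List[str]


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per autorun line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers, blank lines, non-registry lines
        key, name, rest = m.group("key"), m.group("name"), m.group("rest")
        key_l, name_l = key.lower(), name.lower()
        command = rest.split(" [")[0].strip()  # drop the "[size date]" / "[x]" tail
        pm = PATH_RE.search(rest)
        path = pm.group(0) if pm else ""
        in_low_trust_dir = any(d in path.lower() for d in LOW_TRUST_DIRS)
        reasons, high = [], False

        # Persistence locations that legitimate software essentially never uses.
        if key_l.endswith("\\winlogon") and name_l == "shell" and command.lower() != "explorer.exe":
            reasons.append("Winlogon Shell runs something besides explorer.exe")
            high = True
        if key_l.endswith("\\currentversion\\windows") and name_l == "load":
            reasons.append("Windows\\Load value set (legacy autostart hook)")
            high = True
        if "\\policies\\explorer\\run" in key_l:
            reasons.append("Policies\\Explorer\\Run autostart")
            high = True

        # Weaker signals that raise or explain the score.
        if in_low_trust_dir:
            reasons.append("program lives in a user-writable temp/roaming directory")
        if rest.endswith("()") and path:
            reasons.append("no publisher information in the executable")
        if rest.endswith("[x]"):
            reasons.append("referenced file is missing (orphaned autorun, clean up anyway)")

        if not reasons:
            continue
        severity = "high" if high else ("medium" if in_low_trust_dir else "low")
        findings.append(Finding(line, key, name, path, severity, reasons))
    return findings


def suggested_fixlist(findings: List[Finding]) -> List[str]:
    """Build a fixlist in the start/end shape used in the thread: the flagged
    registry line (so the tool removes the value) followed by the file it
    points at, for every high-severity finding."""
    lines = ["start"]
    for f in findings:
        if f.severity != "high":
            continue
        lines.append(f.line)
        if f.path:
            lines.append(f.path)
    lines.append("end")
    return lines


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.key} [{f.name}] -> {f.path or '(no path)'}")
        for r in f.reasons:
            print("    -", r)
    print("\n".join(suggested_fixlist(found)))
```

Run it as-is to see the four flagged entries and the generated fixlist, or pass the text of a real FRST.txt to `triage()` to scan a whole log. The heuristics are deliberately narrow: an entry is only rated high when it sits in one of the three hijack locations, so ordinary vendor autoruns in Program Files are left alone and the reviewer still decides what goes into the fixlist.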


So here is the log... It still doesn't boot OK.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-12-2012

Ran by SYSTEM at 2012-12-18 20:40:48 Run:3

Running from H:\

==============================================

HKEY_USERS\Bart\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load Value not found.

C:\Users\Bart\LOCALS~1\Temp\msbbqtiuf.pif not found.

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\45253 Value not found.

C:\PROGRA~3\LOCALS~1\Temp\msfiufky.com not found.

==== End of Fixlog ====


It gives exactly the same thing... Don't know what it can be. I did the scan, saved the fixlist to the USB drive, clicked on Fix and this is the log I get (twice).

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-12-2012

Ran by SYSTEM at 2012-12-18 21:36:39 Run:4

Running from H:\

==============================================

HKEY_USERS\Bart\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load Value not found.

C:\Users\Bart\LOCALS~1\Temp\msbbqtiuf.pif not found.

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\45253 Value not found.

C:\PROGRA~3\LOCALS~1\Temp\msfiufky.com not found.

==== End of Fixlog ====


And this is the fixlog I got from another fixlist on another forum. I did that one first.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-12-2012

Ran by SYSTEM at 2012-12-18 20:21:04 Run:2

Running from H:\

==============================================

HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\facemoods Value deleted successfully.

HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\SweetIM Value deleted successfully.

HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Sweetpacks Communicator Value deleted successfully.

HKEY_USERS\Bart\Software\Microsoft\Windows\CurrentVersion\Run\\Update Value deleted successfully.

HKEY_USERS\Bart\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load Value not found.

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\45253 Value not found.

==== End of Fixlog ====

Still two as 'Not found' though.

This was his fixlist.txt:

start

HKLM-x32\...\Run: [facemoods] "C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I [362200 2011-09-05] (facemoods.com)

HKLM-x32\...\Run: [sweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe [115032 2012-10-04] (SweetIM Technologies Ltd.)

HKLM-x32\...\Run: [sweetpacks Communicator] C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe [231768 2012-08-15] (SweetIM Technologies Ltd.)

HKU\Bart\...\Run: [update] C:\Users\Bart\AppData\Roaming\cgs8h0.exe [x]

HKU\Bart\...\CurrentVersion\Windows: [Load] C:\Users\Bart\LOCALS~1\Temp\msbbqtiuf.pif

HKLM\...\Policies\Explorer\Run: [45253] C:\PROGRA~3\LOCALS~1\Temp\msfiufky.com

end


What exactly are you doing? Facemoods and Sweetpacks are not the cause of the major problem you have. They are just adware and could have been cleaned up later. If you are receiving help at another forum then this thread must be closed. It is wrong to receive help from two different places. Only confusion can happen...


This topic is now closed to further replies.