Ukash virus - I can't start up in safe mode :-(


Hi there,

I'm new to this forum, so I hope this is posted in the right place.

Just about an hour ago, my computer screen went white and I got a screen from the Ukash virus saying that the Swiss police need me to pay a fine to regain access to my computer :-(. It won't let me start up in safe mode or access the desktop at all, so every time I turn the computer on, I just have the virus page and can't do anything. I don't understand what happened. I didn't even download anything earlier; I was just browsing the internet. Anywho, if someone could help me with this, I would really appreciate it, as I am supposed to finish a report for school by the end of the week (*sigh* bad timing).

I saw another thread about the virus on this forum from the 26th of January, and I followed the described procedures (my computer has Windows XP and is 64-bit):

- I have downloaded the Farbar Recovery Scan Tool and saved it to a flash drive, and plugged the flash drive into my infected PC.

- I restarted the computer, pressing F8 to reach the Advanced Boot Options. I chose Repair Your Computer. I could then choose from two users to repair: Nikki (normally the only user) and HomeGroupUser$ (never seen this user before). I chose to repair Nikki, entered my password and hit OK. (By the way, is it possible that the virus has created a separate user? How would I delete that user without the password?)

- In the System Recovery Options menu, I chose Command Prompt. I knew that my flash drive letter was E, so I typed e:\frst64 and pressed Enter. I clicked yes to the disclaimer and clicked the Scan button.

- This is the FRST.txt log that it saved to my flash drive:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06-02-2013

Ran by SYSTEM at 07-02-2013 08:30:37

Running from E:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3179288 2010-01-06] (Dell Inc.)

HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-17] (IDT, Inc.)

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1890088 2010-03-17] (Synaptics Incorporated)

HKLM\...\Run: [broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5712896 2010-02-03] (Dell Inc.)

HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2726728 2010-03-25] (CANON INC.)

HKLM\...\Run: [Logitech Download Assistant] C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch [1580368 2010-11-03] (Logitech, Inc.)

HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2009-12-23] (Intel Corporation)

HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)

HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()

HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [623992 2008-10-14] (Adobe Systems Inc.)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [Adobe_ID0EYTHM] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE [1884160 2007-03-20] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey [136512 2008-03-13] (McAfee, Inc.)

HKLM-x32\...\Run: [shStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE [124240 2010-01-06] (McAfee, Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [248552 2010-05-14] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2010-12-13] (Apple Inc.)

HKLM-x32\...\Run: [DNS7reminder] "C:\Program Files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking11\Ereg.ini [287 2011-03-14] ()

HKLM-x32\...\Run: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe [599328 2010-03-24] (Sony Corporation)

HKLM-x32\...\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [310280 2012-12-20] (Samsung Electronics Co., Ltd.)

HKU\Nikki\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-09-22] (Google Inc.)

HKU\Nikki\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)

HKU\Nikki\...\Run: [iSUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2010-07-29] (Acresso Corporation)

HKU\Nikki\...\Run: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [844296 2012-12-20] (Samsung)

HKU\Nikki\...\Run: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload [1476104 2012-12-20] (Samsung)

HKU\Nikki\...\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [844296 2012-12-20] (Samsung)

HKU\Nikki\...\Winlogon: [shell] explorer.exe,C:\Users\Nikki\AppData\Roaming\skype.dat [94208 2011-11-16] ()

HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-06] (Dell)

Tcpip\Parameters: [DhcpNameServer] 10.0.0.1

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\vpngui.exe.lnk

ShortcutTarget: vpngui.exe.lnk -> C:\windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe ()

Startup: C:\Users\Nikki\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> (No File)

Startup: C:\Users\Nikki\Start Menu\Programs\Startup\Update GreenWebPlayer.lnk

ShortcutTarget: Update GreenWebPlayer.lnk -> C:\Games\GreenWebPlayer\Updater.exe ()

==================== Services (Whitelisted) ===================

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_58afa5ca50c7b5e7\AESTSr64.exe [89600 2010-03-17] (Andrea Electronics Corporation)

2 McAfeeEngineService; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe" [20792 2010-01-06] (McAfee, Inc.)

2 McAfeeFramework; "C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe" /ServiceStart [103744 2008-03-13] (McAfee, Inc.)

2 McShield; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe" [180968 2010-01-06] (McAfee, Inc.)

2 McTaskManager; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe" [66896 2010-01-06] (McAfee, Inc.)

2 mfevtp; C:\windows\system32\mfevtps.exe [79504 2010-01-06] (McAfee, Inc.)

2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_58afa5ca50c7b5e7\STacSV64.exe [244736 2010-03-17] (IDT, Inc.)

==================== Drivers (Whitelisted) =====================

3 CVPNDRVA; C:\Windows\System32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()

3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [97576 2010-01-06] (McAfee, Inc.)

3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [120096 2010-01-06] (McAfee, Inc.)

0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [469400 2010-01-06] (McAfee, Inc.)

3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [78896 2010-01-06] (McAfee, Inc.)

1 mfetdik; C:\Windows\System32\Drivers\mfetdik.sys [84424 2010-01-06] (McAfee, Inc.)

0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [283232 2010-08-24] (McAfee, Inc.)

3 ssceserd; C:\Windows\System32\Drivers\ssceserd.sys [129024 2011-12-07] (MCCI Corporation)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-02-07 01:48 - 2013-02-07 02:20 - 00000004 ____A C:\Users\Nikki\Application Data\skype.ini

2013-02-07 01:48 - 2013-02-07 02:20 - 00000004 ____A C:\Users\Nikki\AppData\Roaming\skype.ini

2013-01-27 11:30 - 2013-01-27 11:30 - 00000000 ____D C:\Users\Nikki\Desktop\2013-01-27

2013-01-24 19:23 - 2013-01-24 19:25 - 00000000 ____D C:\Users\Nikki\Desktop\2013-01-25

2013-01-12 15:31 - 2013-01-12 15:31 - 00246272 ____H C:\Users\Nikki\Desktop\~WRL1503.tmp

2013-01-09 10:33 - 2012-11-08 23:34 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2013-01-09 10:33 - 2012-11-08 22:49 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2013-01-09 10:32 - 2012-12-06 23:41 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll

2013-01-09 10:32 - 2012-12-06 23:35 - 02745856 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll

2013-01-09 10:32 - 2012-12-06 23:04 - 00308736 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Wpc.dll

2013-01-09 10:32 - 2012-12-06 22:57 - 02576384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gameux.dll

2013-01-09 10:32 - 2012-12-06 21:45 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs

2013-01-09 10:32 - 2012-12-06 21:45 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs

2013-01-09 10:32 - 2012-12-06 21:45 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs

2013-01-09 10:32 - 2012-12-06 21:45 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs

2013-01-09 10:32 - 2012-12-06 21:45 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs

2013-01-09 10:32 - 2012-12-06 21:45 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs

2013-01-09 10:32 - 2012-12-06 21:45 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs

2013-01-09 10:32 - 2012-12-06 21:45 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs

2013-01-09 10:32 - 2012-12-06 21:45 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs

2013-01-09 10:32 - 2012-12-06 21:45 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs

2013-01-09 10:32 - 2012-12-06 21:45 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs

2013-01-09 10:32 - 2012-12-06 21:45 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs

2013-01-09 10:32 - 2012-12-06 21:45 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs

2013-01-09 10:32 - 2012-12-06 21:45 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs

2013-01-09 10:32 - 2012-12-06 21:21 - 00055296 ____A (Microsoft) C:\Windows\SysWOW64\cero.rs

2013-01-09 10:32 - 2012-12-06 21:21 - 00051712 ____A (Microsoft) C:\Windows\SysWOW64\esrb.rs

2013-01-09 10:32 - 2012-12-06 21:21 - 00046592 ____A (Microsoft) C:\Windows\SysWOW64\fpb.rs

2013-01-09 10:32 - 2012-12-06 21:21 - 00045568 ____A (Microsoft) C:\Windows\SysWOW64\oflc-nz.rs

2013-01-09 10:32 - 2012-12-06 21:21 - 00044544 ____A (Microsoft) C:\Windows\SysWOW64\pegibbfc.rs

2013-01-09 10:32 - 2012-12-06 21:21 - 00043520 ____A (Microsoft) C:\Windows\SysWOW64\csrr.rs

2013-01-09 10:32 - 2012-12-06 21:21 - 00040960 ____A (Microsoft) C:\Windows\SysWOW64\cob-au.rs

2013-01-09 10:32 - 2012-12-06 21:21 - 00030720 ____A (Microsoft) C:\Windows\SysWOW64\usk.rs

2013-01-09 10:32 - 2012-12-06 21:21 - 00023552 ____A (Microsoft) C:\Windows\SysWOW64\oflc.rs

2013-01-09 10:32 - 2012-12-06 21:21 - 00021504 ____A (Microsoft) C:\Windows\SysWOW64\grb.rs

2013-01-09 10:32 - 2012-12-06 21:21 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-pt.rs

2013-01-09 10:32 - 2012-12-06 21:21 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-fi.rs

2013-01-09 10:32 - 2012-12-06 21:21 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi.rs

2013-01-09 10:32 - 2012-12-06 21:21 - 00015360 ____A (Microsoft) C:\Windows\SysWOW64\djctq.rs

2013-01-09 10:32 - 2012-11-22 04:32 - 00801280 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll

2013-01-09 10:32 - 2012-11-22 03:33 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll

2013-01-09 10:32 - 2012-11-19 23:55 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2013-01-09 10:32 - 2012-11-19 23:10 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2013-01-09 10:32 - 2012-11-01 23:30 - 02001408 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2013-01-09 10:32 - 2012-11-01 23:30 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2013-01-09 10:32 - 2012-11-01 22:50 - 01388544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2013-01-09 10:32 - 2012-11-01 22:50 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2013-01-09 10:31 - 2012-11-29 23:50 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll

2013-01-09 10:31 - 2012-11-29 23:50 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll

2013-01-09 10:31 - 2012-11-29 23:50 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll

2013-01-09 10:31 - 2012-11-29 23:49 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll

2013-01-09 10:31 - 2012-11-29 23:46 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll

2013-01-09 10:31 - 2012-11-29 23:43 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll

2013-01-09 10:31 - 2012-11-29 23:43 - 00424960 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 23:06 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll

2013-01-09 10:31 - 2012-11-29 23:06 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll

2013-01-09 10:31 - 2012-11-29 23:06 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 22:56 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 21:33 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe

2013-01-09 10:31 - 2012-11-29 20:56 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe

2013-01-09 10:31 - 2012-11-29 20:56 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll

2013-01-09 10:31 - 2012-11-29 20:56 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe

2013-01-09 10:31 - 2012-11-29 20:56 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe

2013-01-09 10:31 - 2012-11-29 20:51 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 20:51 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 20:51 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 20:51 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll

2013-01-09 10:31 - 2012-11-29 17:21 - 00420032 ____A C:\Windows\SysWOW64\locale.nls

2013-01-09 10:31 - 2012-11-29 17:19 - 00420032 ____A C:\Windows\System32\locale.nls

2013-01-09 10:30 - 2012-11-22 21:45 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

==================== One Month Modified Files and Folders =======

2013-02-07 02:20 - 2013-02-07 01:48 - 00000004 ____A C:\Users\Nikki\Application Data\skype.ini

2013-02-07 02:20 - 2013-02-07 01:48 - 00000004 ____A C:\Users\Nikki\AppData\Roaming\skype.ini

2013-02-07 02:13 - 2009-07-13 22:45 - 00013872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-02-07 02:13 - 2009-07-13 22:45 - 00013872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-02-07 02:10 - 2009-07-13 23:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2013-02-07 02:08 - 2010-09-22 06:22 - 00001108 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-02-07 02:07 - 2011-09-23 07:14 - 00000000 ___RD C:\Users\Nikki\Dropbox

2013-02-07 02:07 - 2011-09-23 07:12 - 00000000 ____D C:\Users\Nikki\Application Data\Dropbox

2013-02-07 02:07 - 2011-09-23 07:12 - 00000000 ____D C:\Users\Nikki\AppData\Roaming\Dropbox

2013-02-07 02:07 - 2011-02-09 15:14 - 00000000 ____D C:\Users\Nikki\Tracing

2013-02-07 02:06 - 2010-09-18 08:58 - 00000000 ____D C:\Users\Nikki\Local Settings\SoftThinks

2013-02-07 02:06 - 2010-09-18 08:58 - 00000000 ____D C:\Users\Nikki\Local Settings\Application Data\SoftThinks

2013-02-07 02:06 - 2010-09-18 08:58 - 00000000 ____D C:\Users\Nikki\AppData\Local\SoftThinks

2013-02-07 02:06 - 2010-09-18 08:58 - 00000000 ____D C:\Users\Default\Local Settings\SoftThinks

2013-02-07 02:06 - 2010-09-18 08:58 - 00000000 ____D C:\Users\Default\Local Settings\Application Data\SoftThinks

2013-02-07 02:06 - 2010-09-18 08:58 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks

2013-02-07 02:06 - 2010-09-18 08:58 - 00000000 ____D C:\Users\Default User\Local Settings\SoftThinks

2013-02-07 02:06 - 2010-09-18 08:58 - 00000000 ____D C:\Users\Default User\Local Settings\Application Data\SoftThinks

2013-02-07 02:06 - 2010-09-18 08:58 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks

2013-02-07 02:06 - 2010-07-08 04:22 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup

2013-02-07 02:05 - 2010-09-22 06:22 - 00001104 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-02-07 02:05 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-02-07 02:05 - 2009-07-13 22:51 - 00082203 ____A C:\Windows\setupact.log

2013-02-07 01:35 - 2012-05-27 09:31 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-02-06 15:37 - 2012-10-16 00:54 - 00000584 ____A C:\Users\Nikki\My Documents\grstyles.stl

2013-02-06 15:37 - 2012-10-16 00:54 - 00000584 ____A C:\Users\Nikki\Documents\grstyles.stl

2013-02-05 06:58 - 2010-07-08 03:42 - 01640234 ____A C:\Windows\WindowsUpdate.log

2013-01-31 15:16 - 2010-09-22 12:38 - 00000000 ____D C:\Users\Nikki\Application Data\Skype

2013-01-31 15:16 - 2010-09-22 12:38 - 00000000 ____D C:\Users\Nikki\AppData\Roaming\Skype

2013-01-31 14:08 - 2011-09-23 07:14 - 00001021 ____A C:\Users\Nikki\Desktop\Dropbox.lnk

2013-01-31 09:55 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\System32\NDF

2013-01-31 09:29 - 2012-10-16 00:52 - 00000010 ____A C:\Users\Nikki\My Documents\LastLab.sk

2013-01-31 09:29 - 2012-10-16 00:52 - 00000010 ____A C:\Users\Nikki\Documents\LastLab.sk

2013-01-27 11:30 - 2013-01-27 11:30 - 00000000 ____D C:\Users\Nikki\Desktop\2013-01-27

2013-01-27 00:55 - 2011-01-08 14:22 - 00000000 ____D C:\Users\Nikki\Local Settings\Microsoft Games

2013-01-27 00:55 - 2011-01-08 14:22 - 00000000 ____D C:\Users\Nikki\Local Settings\Application Data\Microsoft Games

2013-01-27 00:55 - 2011-01-08 14:22 - 00000000 ____D C:\Users\Nikki\AppData\Local\Microsoft Games

2013-01-24 19:25 - 2013-01-24 19:23 - 00000000 ____D C:\Users\Nikki\Desktop\2013-01-25

2013-01-16 18:28 - 2010-09-22 05:31 - 00273840 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2013-01-16 06:46 - 2010-09-19 14:42 - 00000000 ____D C:\Users\Nikki\My Documents\1 UZH

2013-01-16 06:46 - 2010-09-19 14:42 - 00000000 ____D C:\Users\Nikki\Documents\1 UZH

2013-01-16 06:44 - 2011-03-21 13:09 - 00000000 ____D C:\Users\Nikki\Desktop\Alain

2013-01-15 15:17 - 2010-10-12 14:57 - 00000000 ____D C:\Users\Nikki\Application Data\Canon

2013-01-15 15:17 - 2010-10-12 14:57 - 00000000 ____D C:\Users\Nikki\AppData\Roaming\Canon

2013-01-12 15:31 - 2013-01-12 15:31 - 00246272 ____H C:\Users\Nikki\Desktop\~WRL1503.tmp

2013-01-10 04:02 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\rescache

2013-01-09 20:35 - 2009-07-13 22:45 - 02293112 ____A C:\Windows\System32\FNTCACHE.DAT

2013-01-09 20:16 - 2009-07-13 20:34 - 00000531 ____A C:\Windows\win.ini

2013-01-09 07:35 - 2012-05-27 09:31 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-01-09 07:35 - 2011-12-15 04:22 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2012-12-12 00:02] - [2012-09-06 11:38] - 0295792 ____A (Microsoft Corporation) 9E425AC5C9A5A973273D169F43B4F5E1

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-15 00:19:14

Restore point made on: 2013-01-24 18:22:22

Restore point made on: 2013-01-28 11:01:04

Restore point made on: 2013-02-05 06:57:42

==================== Memory info ===========================

Percentage of memory in use: 20%

Total physical RAM: 2934.56 MB

Available physical RAM: 2341.47 MB

Total Pagefile: 2932.71 MB

Available Pagefile: 2335.21 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:283.34 GB) (Free:134.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive d: (Recovery) (Fixed) (Total:14.65 GB) (Free:7.46 GB) NTFS ==>[system with boot components (obtained from reading drive)]

3 Drive e: () (Removable) (Total:3.61 GB) (Free:0.07 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Disk 1 Online 3700 MB 0 B

Partitions of Disk 0:

===============

Disk ID: 36AC85F9

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 100 MB 1024 KB

Partition 2 Primary 14 GB 101 MB

Partition 3 Primary 283 GB 14 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 DELLUTILITY FAT Partition 100 MB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 D Recovery NTFS Partition 14 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 283 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Disk ID: C449D1B5

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3699 MB 31 KB

==================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E FAT32 Removable 3699 MB Healthy

=========================================================

Last Boot: 2013-01-24 18:14

==================== End Of Log =============================


Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.


start
HKU\Nikki\...\Winlogon: [Shell] explorer.exe,C:\Users\Nikki\AppData\Roaming\skype.dat [94208 2011-11-16] ()
C:\Users\Nikki\AppData\Roaming\skype.dat
2013-02-07 01:48 - 2013-02-07 02:20 - 00000004 ____A C:\Users\Nikki\Application Data\skype.ini
2013-02-07 01:48 - 2013-02-07 02:20 - 00000004 ____A C:\Users\Nikki\AppData\Roaming\skype.ini
end

Now please enter System Recovery Options as you did to get the log.

Run FRST64 or FRST and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Will PC boot ok now?

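The fix above works by removing a Winlogon Shell value that makes Windows launch a second program alongside explorer.exe, which is how the lock screen took over the desktop. The same pattern can be checked for in any FRST log. The following is an added example, not FRST's own code and not posted by anyone in this thread: it parses FRST-style Winlogon lines, flags Shell or Userinit values whose components differ from the Windows defaults, and drafts fixlist entries in the start/end form used above for a person to review before running. The sample log lines, the Userinit entry and the payload_example.exe path are constructed for the example.

```python
"""Spot Winlogon Shell/Userinit hijacks in FRST-style registry lines.

Added example; not part of FRST and not posted in the thread. It assumes
the "<key>\\Winlogon: [Value] data" line shape FRST prints in its Registry
section (as in the fixlist above). Sample lines below are constructed.
"""
import re
from typing import Dict, List

# One FRST Winlogon line: key path, value name in brackets, then the data.
WINLOGON_RE = re.compile(
    r"^(?P<key>.+?\\Winlogon):\s*\[(?P<value>Shell|Userinit)\]\s*(?P<data>.*)$"
)
# FRST appends "[size date] (signer)" after a component it did not whitelist.
FILEINFO_RE = re.compile(r"\s*\[\d+\s+\d{4}-\d{2}-\d{2}\]\s*\([^)]*\)\s*$")

# Defaults the values should hold (compared case-insensitively). Windows stores
# Userinit with a trailing comma, which the component split discards.
EXPECTED = {
    "Shell": ["explorer.exe"],
    "Userinit": [r"c:\windows\system32\userinit.exe"],
}

# Constructed sample, modelled on the lines in the fixlist above. The Userinit
# hijack and payload_example.exe are invented for this example.
SAMPLE_LOG = [
    r"HKLM\...\Winlogon: [Shell] explorer.exe",
    r"HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,",
    r"HKU\Nikki\...\Winlogon: [Shell] explorer.exe,C:\Users\Nikki\AppData\Roaming\skype.dat [94208 2011-11-16] ()",
    r"HKU\Nikki\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\Users\Nikki\AppData\Local\Temp\payload_example.exe [40960 2013-02-07] ()",
    r"HKU\Other\...\Winlogon: [Shell] C:\Users\Other\AppData\Roaming\lock.exe [61440 2013-02-07] ()",
]


def parse_components(data: str) -> List[str]:
    """Strip FRST's file metadata and split the value into launch components."""
    data = FILEINFO_RE.sub("", data)
    return [c.strip() for c in data.split(",") if c.strip()]


def analyze_winlogon(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per Shell/Userinit value that deviates from the default."""
    findings: List[Dict[str, object]] = []
    for raw in lines:
        m = WINLOGON_RE.match(raw.strip())
        if not m:
            continue
        value = m.group("value")
        components = parse_components(m.group("data"))
        expected = EXPECTED[value]
        if [c.lower() for c in components] == expected:
            continue  # exactly the default, nothing to report
        findings.append({
            "key": m.group("key"),
            "value": value,
            "components": components,
            # Whatever is not the default binary is the injected launcher.
            "unexpected": [c for c in components if c.lower() not in expected],
            "raw": raw.strip(),
        })
    return findings


def draft_fixlist(findings: List[Dict[str, object]]) -> List[str]:
    """Draft fixlist.txt lines in the start/end form used above, for human review.

    Each finding contributes its original FRST line (the Fixlog above shows FRST
    deleting that value) and the paths of the unexpected components (so the
    files are moved out of the way).
    """
    body: List[str] = []
    for f in findings:
        body.append(str(f["raw"]))
        body.extend(str(p) for p in f["unexpected"] if "\\" in str(p))
    return ["start", *body, "end"]


if __name__ == "__main__":
    found = analyze_winlogon(SAMPLE_LOG)
    for f in found:
        print(f"{f['key']} [{f['value']}] -> unexpected: {f['unexpected']}")
    print("\n".join(draft_fixlist(found)))
```

The comparison is deliberately strict: any component other than the default binary is reported, rather than trying to recognise known-bad names, because the file names used by this family change while the Shell/Userinit launch trick does not.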

Hi Kevinf80,

THANK YOU SOOO much for the help!!!! My PC has just booted normally :-). Oh man, I'm ecstatic!!! The first thing I will do is make a back-up copy of my thesis, which I haven't done in the past 100 hrs of work on it or so :s (stupid, I know).

So do I need any additional anti-virus programs on my computer? (preferably free... student budget here) I only have McAfee, which is free from the university.

Here is the Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-02-2013

Ran by SYSTEM at 2013-02-07 12:06:42 Run:1

Running from E:\

==============================================

HKEY_USERS\Nikki\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.

C:\Users\Nikki\AppData\Roaming\skype.dat moved successfully.

C:\Users\Nikki\Application Data\skype.ini moved successfully.

C:\Users\Nikki\AppData\Roaming\skype.ini not found.

==== End of Fixlog ====


Just an update: I have downloaded the Malwarebytes anti-malware program and am running a full scan now. It has detected 3 objects so far. Also, during the scan, a box has popped up called "IDS_ALERTS_DIALOG_CAPTION" (I think this is from my McAfee antivirus) saying that it has detected and deleted the following trojans:

Exploit-CVE2012-0507 (jar_cache5232985943504537154.tmp)

PWS-Zbot.gen.afr (jar_cache4045050620451761.tmp)

PWS-Zbot.gen.afr (ax2h.exe)

PWS-Zbot.gen.uh (1b63310b-42e94675)

Is this box really my McAfee antivirus or is it a virus? Because it isn't labelled McAfee...


OK, continue and run Combofix:

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix; instructions are available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed; if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix are available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP, it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in next reply please...

Kevin


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
