FBI Screen Virus + Safe Mode Does Not Work (shuts down)


Hi,

I am getting an FBI Virus and the Safe Mode shuts down immediately and does not work.

I ran the FRST tool from Notepad as suggested in another thread. Here is my output. What should I fix? Thanks

FRST Tool Output:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-02-2013

Ran by SYSTEM at 02-03-2013 13:36:26

Running from L:\

Windows 7 Ultimate (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7833120 2009-05-23] (Realtek Semiconductor)

HKLM\...\Run: [skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [x]

HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-02-22] (Adobe Systems Incorporated)

HKLM\...\Run: [sBRegRebootCleaner] "C:\Program Files (x86)\Ad-Aware Antivirus\SBRC.exe" [x]

HKLM-x32\...\Run: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-06-14] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [shwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe [237568 2009-07-17] (Alcor Micro Corp.)

HKLM-x32\...\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin [611712 2008-08-14] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2009-12-21] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide [2793304 2009-10-14] ()

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [248040 2010-02-18] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)

HKU\Eugene\...\Run: [AdobeBridge] [x]

HKU\Eugene\...\Run: [{4239BFB4-06B3-446A-AFEE-081F6C92B83D}] rundll32 "C:\Users\Eugene\AppData\Local\ATI\{4239BFB4-06B3-446A-AFEE-081F6C92B83D}\epecoro.dll",DllRegisterServerW [638976 2013-02-16] (Microsoft Corporation)

HKU\Eugene\...\Run: [wesvie] rundll32.exe "C:\Users\Eugene\AppData\Roaming\wesvie.dll",ExecuteSql [169984 2013-03-01] ()

HKU\Eugene\...\Run: [ifamp] rundll32.exe "C:\Users\Eugene\AppData\Roaming\ifamp.dll",get_pCAL [530432 2013-03-01] (Time Technology Ltd.)

HKU\Eugene\...\Run: [acper] rundll32.exe "C:\Users\Eugene\AppData\Roaming\acper.dll",EvalFrameEx [339456 2013-03-01] ()

HKU\Eugene\...\RunOnce: [E8319CC3EAD5FE6F0000E830B499043D] C:\ProgramData\E8319CC3EAD5FE6F0000E830B499043D\E8319CC3EAD5FE6F0000E830B499043D.exe [401408 2013-03-01] ()

HKU\Eugene\...\Winlogon: [shell] explorer.exe,C:\Users\Eugene\AppData\Roaming\skype.dat [89600 2011-11-16] ()

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) ===================

4 NMSAccess; "C:\Program Files (x86)\Blaze Media Pro\NMSAccess32.exe" [71096 2009-01-12] ()

4 SessionLauncher; C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]

==================== Drivers (Whitelisted) =====================

1 ElRawDisk; \??\C:\Windows\system32\drivers\rsdrvx64.sys [26024 2009-02-12] (EldoS Corporation)

3 gfiark; C:\Windows\System32\Drivers\gfiark.sys [38096 2012-12-17] (GFI Software)

0 gfibto; C:\Windows\System32\Drivers\gfibto.sys [14456 2013-01-12] (GFI Software)

3 LVPr2M64; C:\Windows\System32\Drivers\LVPr2M64.sys [30232 2009-10-06] ()

3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-06] ()

3 pmxdrv; C:\Windows\System32\Drivers\pmxdrv.sys [38536 2012-03-17] ()

3 synusb64; C:\Windows\System32\Drivers\synusb64.sys [30352 2009-06-26] (Steinberg Media Technologies GmbH)

3 VIRUSUSB; C:\Windows\System32\Drivers\VIRUSUSB.sys [468032 2010-05-27] (access)

3 VTIAUDIO; C:\Windows\System32\Drivers\VTIAUDIO.sys [49728 2010-05-27] (usb-audio.de)

3 VTIMIDEV01; C:\Windows\System32\drivers\vtimidi.sys [32768 2010-05-11] (Kemper Digital Gmbh)

3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]

3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]

3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-03-02 06:31 - 2013-03-02 06:31 - 00002062 ____A C:\Users\Eugene\Desktop\Disk Antivirus Professional.lnk

2013-03-01 18:31 - 2013-03-02 06:36 - 00000004 ____A C:\Users\Eugene\AppData\Roaming\skype.ini

2013-03-01 18:27 - 2013-03-02 06:31 - 00006522 ____A C:\Users\Eugene\AppData\Local\56fe6125-4a0b-46a3-8a00-9f6d6c1201b1.crx

2013-03-01 18:27 - 2013-03-02 06:31 - 00000000 ____D C:\ProgramData\E8319CC3EAD5FE6F0000E830B499043D

2013-03-01 18:27 - 2013-03-01 18:27 - 00530432 ____A (Time Technology Ltd.) C:\Users\Eugene\AppData\Roaming\ifamp.dll

2013-03-01 18:27 - 2013-03-01 18:27 - 00339456 ____A () C:\Users\Eugene\AppData\Roaming\acper.dll

2013-03-01 18:26 - 2013-03-01 18:26 - 00169984 ____A () C:\Users\Eugene\AppData\Roaming\wesvie.dll

2013-02-27 05:04 - 2013-01-13 13:17 - 00009728 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2013-02-27 05:04 - 2013-01-13 13:17 - 00002560 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll

2013-02-27 05:04 - 2013-01-13 13:16 - 00010752 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll

2013-02-27 05:04 - 2013-01-13 13:12 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll

2013-02-27 05:04 - 2013-01-13 13:11 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll

2013-02-27 05:04 - 2013-01-13 13:11 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll

2013-02-27 05:04 - 2013-01-13 13:11 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll

2013-02-27 05:04 - 2013-01-13 13:11 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll

2013-02-27 05:04 - 2013-01-13 13:11 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll

2013-02-27 05:04 - 2013-01-13 12:35 - 00010752 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll

2013-02-27 05:04 - 2013-01-13 12:35 - 00009728 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2013-02-27 05:04 - 2013-01-13 12:35 - 00002560 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll

2013-02-27 05:04 - 2013-01-13 12:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll

2013-02-27 05:04 - 2013-01-13 12:31 - 01247744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll

2013-02-27 05:04 - 2013-01-13 12:31 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll

2013-02-27 05:04 - 2013-01-13 12:31 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll

2013-02-27 05:04 - 2013-01-13 12:31 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll

2013-02-27 05:04 - 2013-01-13 12:31 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll

2013-02-27 05:04 - 2013-01-13 12:31 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll

2013-02-27 05:04 - 2013-01-13 12:22 - 01988096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll

2013-02-27 05:04 - 2013-01-13 12:20 - 00293376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxgi.dll

2013-02-27 05:04 - 2013-01-13 12:09 - 00249856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll

2013-02-27 05:04 - 2013-01-13 12:08 - 01504768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll

2013-02-27 05:04 - 2013-01-13 12:08 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10core.dll

2013-02-27 05:04 - 2013-01-13 11:59 - 01643520 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll

2013-02-27 05:04 - 2013-01-13 11:58 - 01175552 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll

2013-02-27 05:04 - 2013-01-13 11:54 - 00604160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll

2013-02-27 05:04 - 2013-01-13 11:53 - 00207872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecsExt.dll

2013-02-27 05:04 - 2013-01-13 11:53 - 00187392 ____A (Microsoft Corporation) C:\Windows\SysWOW64\UIAnimation.dll

2013-02-27 05:04 - 2013-01-13 11:51 - 02565120 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll

2013-02-27 05:04 - 2013-01-13 11:49 - 00363008 ____A (Microsoft Corporation) C:\Windows\System32\dxgi.dll

2013-02-27 05:04 - 2013-01-13 11:48 - 00161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll

2013-02-27 05:04 - 2013-01-13 11:46 - 01080832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10.dll

2013-02-27 05:04 - 2013-01-13 11:43 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll

2013-02-27 05:04 - 2013-01-13 11:38 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll

2013-02-27 05:04 - 2013-01-13 11:38 - 00333312 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll

2013-02-27 05:04 - 2013-01-13 11:38 - 00296960 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll

2013-02-27 05:04 - 2013-01-13 11:37 - 03419136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll

2013-02-27 05:04 - 2013-01-13 11:25 - 00245248 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll

2013-02-27 05:04 - 2013-01-13 11:24 - 00648192 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll

2013-02-27 05:04 - 2013-01-13 11:24 - 00221184 ____A (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll

2013-02-27 05:04 - 2013-01-13 11:20 - 01238528 ____A (Microsoft Corporation) C:\Windows\System32\d3d10.dll

2013-02-27 05:04 - 2013-01-13 11:20 - 00194560 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll

2013-02-27 05:04 - 2013-01-13 11:15 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll

2013-02-27 05:04 - 2013-01-13 11:10 - 03928064 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll

2013-02-27 05:04 - 2013-01-13 11:02 - 00417792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll

2013-02-27 05:04 - 2013-01-13 10:34 - 00364544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll

2013-02-27 05:04 - 2013-01-13 10:32 - 00465920 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll

2013-02-27 05:04 - 2013-01-13 10:09 - 00522752 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll

2013-02-27 05:04 - 2013-01-13 09:26 - 01158144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsPrint.dll

2013-02-27 05:04 - 2013-01-13 09:05 - 01682432 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll

2013-02-27 05:04 - 2013-01-03 22:11 - 02776576 ____A (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll

2013-02-27 05:04 - 2013-01-03 22:11 - 02284544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll

2013-02-18 16:42 - 2013-02-18 16:42 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2013-02-12 15:49 - 2013-01-07 21:40 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-02-12 15:49 - 2013-01-07 20:39 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2013-02-12 15:49 - 2013-01-04 21:53 - 05553512 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2013-02-12 15:49 - 2013-01-04 21:00 - 03967848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2013-02-12 15:49 - 2013-01-04 21:00 - 03913064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2013-02-12 15:49 - 2013-01-03 21:46 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll

2013-02-12 15:49 - 2013-01-03 20:51 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll

2013-02-12 15:49 - 2013-01-03 19:26 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-02-12 15:49 - 2013-01-03 18:47 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe

2013-02-12 15:49 - 2013-01-03 18:47 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll

2013-02-12 15:49 - 2013-01-03 18:47 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe

2013-02-12 15:49 - 2013-01-03 18:47 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe

2013-02-12 15:49 - 2013-01-02 22:00 - 01913192 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2013-02-12 15:49 - 2013-01-02 22:00 - 00288088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS

2013-02-12 15:49 - 2012-12-20 05:59 - 01492992 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-02-12 15:49 - 2012-12-20 05:59 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-02-12 15:49 - 2012-12-20 05:59 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-02-12 15:49 - 2012-12-20 05:56 - 09058304 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-02-12 15:49 - 2012-12-20 05:56 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-02-12 15:49 - 2012-12-20 05:55 - 12295168 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-02-12 15:49 - 2012-12-20 05:55 - 02458112 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-02-12 15:49 - 2012-12-20 05:55 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-02-12 15:49 - 2012-12-20 05:55 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-02-12 15:49 - 2012-12-20 04:53 - 01231872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-02-12 15:49 - 2012-12-20 04:53 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-02-12 15:49 - 2012-12-20 04:53 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2013-02-12 15:49 - 2012-12-20 04:50 - 06030336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-02-12 15:49 - 2012-12-20 04:50 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-02-12 15:49 - 2012-12-20 04:50 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-02-12 15:49 - 2012-12-20 04:49 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-02-12 15:49 - 2012-12-20 04:49 - 02078208 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-02-12 15:49 - 2012-12-20 04:49 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-02-12 15:49 - 2012-12-20 04:02 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-02-12 15:49 - 2012-12-20 03:20 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-02-09 08:37 - 2013-02-09 08:37 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk

2013-02-09 08:37 - 2012-08-21 10:01 - 00033240 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys

2013-02-09 08:36 - 2013-02-09 08:37 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-02-09 08:36 - 2013-02-09 08:37 - 00000000 ____D C:\Program Files\iTunes

2013-02-09 08:36 - 2013-02-09 08:36 - 00000000 ____D C:\Program Files\iPod

2013-02-03 14:00 - 2013-02-03 14:00 - 00000000 ____D C:\ProgramData\flgynadmvpanvwu

2013-02-03 13:58 - 2013-02-03 13:58 - 00108266 ____A C:\ProgramData\phnrreoovtslony

2013-02-03 13:57 - 2013-02-03 14:00 - 00108308 ____A C:\ProgramData\erkhohvrtctmsjm

==================== One Month Modified Files and Folders =======

2013-03-02 10:32 - 2010-01-06 23:34 - 01555268 ____A C:\Windows\PFRO.log

2013-03-02 09:26 - 2010-02-02 18:36 - 00000000 ____D C:\Users\Eugene\AppData\Roaming\dvdcss

2013-03-02 09:26 - 2010-01-19 18:05 - 00000000 ____D C:\Users\Eugene\AppData\Roaming\vlc

2013-03-02 09:26 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\zh-HK

2013-03-02 09:26 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\tr-TR

2013-03-02 09:26 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\zh-HK

2013-03-02 09:26 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\tr-TR

2013-03-02 09:26 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat

2013-03-02 09:22 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-03-02 06:36 - 2013-03-01 18:31 - 00000004 ____A C:\Users\Eugene\AppData\Roaming\skype.ini

2013-03-02 06:35 - 2012-04-28 07:46 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-03-02 06:33 - 2009-07-13 20:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-03-02 06:33 - 2009-07-13 20:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-03-02 06:31 - 2013-03-02 06:31 - 00002062 ____A C:\Users\Eugene\Desktop\Disk Antivirus Professional.lnk

2013-03-02 06:31 - 2013-03-01 18:27 - 00006522 ____A C:\Users\Eugene\AppData\Local\56fe6125-4a0b-46a3-8a00-9f6d6c1201b1.crx

2013-03-02 06:31 - 2013-03-01 18:27 - 00000000 ____D C:\ProgramData\E8319CC3EAD5FE6F0000E830B499043D

2013-03-02 06:31 - 2010-02-05 15:09 - 00065536 _____ C:\Windows\System32\Ikeext.etl

2013-03-02 06:31 - 2010-02-02 15:25 - 00000000 ____A C:\Windows\System32\Drivers\lvuvc.hs

2013-03-02 06:31 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-03-02 06:31 - 2009-07-13 20:51 - 00201860 ____A C:\Windows\setupact.log

2013-03-02 06:29 - 2010-01-16 11:30 - 00000000 ____D C:\users\Eugene

2013-03-01 20:56 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\tracing

2013-03-01 18:30 - 2010-03-03 16:49 - 00000000 ____D C:\programming

2013-03-01 18:29 - 2010-01-16 14:19 - 00000000 ____D C:\Eugene

2013-03-01 18:27 - 2013-03-01 18:27 - 00530432 ____A (Time Technology Ltd.) C:\Users\Eugene\AppData\Roaming\ifamp.dll

2013-03-01 18:27 - 2013-03-01 18:27 - 00339456 ____A () C:\Users\Eugene\AppData\Roaming\acper.dll

2013-03-01 18:26 - 2013-03-01 18:26 - 00169984 ____A () C:\Users\Eugene\AppData\Roaming\wesvie.dll

2013-03-01 18:26 - 2013-01-11 16:02 - 00000761 ____A C:\Windows\System32\Drivers\etc\hosts.txt

2013-03-01 17:38 - 2009-07-13 21:10 - 02034766 ____A C:\Windows\WindowsUpdate.log

2013-02-27 05:35 - 2012-04-28 07:46 - 00691568 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-02-27 05:35 - 2011-12-14 15:12 - 00071024 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-02-26 05:19 - 2012-11-04 06:18 - 00000000 ____D C:\Users\Eugene\AppData\Roaming\BitTorrent

2013-02-24 19:09 - 2010-01-24 11:22 - 00028672 ____A C:\Users\Eugene\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2013-02-24 15:58 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2013-02-23 19:21 - 2010-01-16 11:30 - 00000000 ____D C:\Users\Eugene\AppData\Local\VirtualStore

2013-02-19 20:23 - 2012-08-27 18:08 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

2013-02-18 16:42 - 2013-02-18 16:42 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2013-02-17 14:43 - 2009-07-13 21:08 - 00032652 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2013-02-16 07:08 - 2010-01-16 11:31 - 00000000 ____D C:\Users\Eugene\AppData\Local\ATI

2013-02-13 14:30 - 2009-07-13 20:45 - 05018200 ____A C:\Windows\System32\FNTCACHE.DAT

2013-02-12 19:39 - 2009-07-13 18:34 - 00000499 ____A C:\Windows\win.ini

2013-02-12 19:37 - 2010-01-18 05:53 - 70004024 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-02-12 19:35 - 2011-03-06 14:30 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-02-10 06:27 - 2010-02-06 11:17 - 00000366 ____A C:\Windows\Tasks\Driver Fetch.job

2013-02-09 08:43 - 2010-01-18 19:01 - 00000000 ____D C:\mp3

2013-02-09 08:37 - 2013-02-09 08:37 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk

2013-02-09 08:37 - 2013-02-09 08:36 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-02-09 08:37 - 2013-02-09 08:36 - 00000000 ____D C:\Program Files\iTunes

2013-02-09 08:37 - 2010-08-14 10:53 - 00000000 ____D C:\Program Files (x86)\iTunes

2013-02-09 08:36 - 2013-02-09 08:36 - 00000000 ____D C:\Program Files\iPod

2013-02-06 19:34 - 2010-01-16 11:31 - 00131376 ____A C:\Users\Eugene\AppData\Local\GDIPFONTCACHEV1.DAT

2013-02-03 14:00 - 2013-02-03 14:00 - 00000000 ____D C:\ProgramData\flgynadmvpanvwu

2013-02-03 14:00 - 2013-02-03 13:57 - 00108308 ____A C:\ProgramData\erkhohvrtctmsjm

2013-02-03 13:58 - 2013-02-03 13:58 - 00108266 ____A C:\ProgramData\phnrreoovtslony

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-3963059261-2004545127-1510009522-1000\$328b4b83b4e061038fa78729b5dddaab

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-03-01 18:31:31

Restore point made on: 2013-03-01 18:56:01

Restore point made on: 2013-03-02 06:36:04

==================== Memory info ===========================

Percentage of memory in use: 7%

Total physical RAM: 16375.12 MB

Available physical RAM: 15192.78 MB

Total Pagefile: 16373.27 MB

Available Pagefile: 15180.83 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:451.07 GB) (Free:1.61 GB) NTFS

2 Drive d: (MYEXFAT) (Fixed) (Total:0.1 GB) (Free:0.1 GB) FAT

3 Drive f: () (Fixed) (Total:931.41 GB) (Free:439.77 GB) NTFS

9 Drive l: (USB20FD) (Removable) (Total:15.22 GB) (Free:15.22 GB) FAT32

10 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

11 Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:9.88 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 465 GB 0 B

Disk 1 Online 931 GB 0 B

Disk 2 No Media 0 B 0 B

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 No Media 0 B 0 B

Disk 6 Online 15 GB 0 B

Partitions of Disk 0:

===============

Disk ID: 2BD2C32A

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 39 MB 31 KB

Partition 2 Primary 14 GB 40 MB

Partition 3 Primary 451 GB 14 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 10 FAT Partition 39 MB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 451 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Disk ID: 1EC41EC3

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 931 GB 101 MB

==================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 D MYEXFAT FAT Partition 100 MB Healthy

=========================================================

Disk: 1

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 F NTFS Partition 931 GB Healthy

=========================================================

Partitions of Disk 6:

===============

Disk ID: C3072E18

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 15 GB 1752 KB

==================================================================================

Disk: 6

Partition 1

Type : 0C

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 9 L USB20FD FAT32 Removable 15 GB Healthy

=========================================================

Last Boot: 2013-02-23 06:41

==================== End Of Log =============================

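The Registry section of the log above shows the pattern an analyst checks first: Run entries under the user's hive that use rundll32 to load DLLs out of AppData\Roaming, a RunOnce executable whose name is 32 hex characters in ProgramData, and a per-user Winlogon Shell value that appends a .dat file to explorer.exe. The following is an added example, not code from the original post or from FRST: it parses those autorun lines and scores them. The sample lines are copied from the posted log; the heuristics, their weights and the flagging threshold are this example's own assumptions, intended to rank entries for a human to review rather than to decide what gets removed.

```python
"""Triage the autorun entries of an FRST log.

Added example; not code from the forum post or from FRST itself. The sample
lines are copied from the log posted above. The scoring rules, weights and
threshold are assumptions made for this example.
"""
import re
from datetime import date

# Constructed input: lines taken from the "Registry (Whitelisted)" section of the post.
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7833120 2009-05-23] (Realtek Semiconductor)
HKLM\...\Run: [skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [x]
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKU\Eugene\...\Run: [{4239BFB4-06B3-446A-AFEE-081F6C92B83D}] rundll32 "C:\Users\Eugene\AppData\Local\ATI\{4239BFB4-06B3-446A-AFEE-081F6C92B83D}\epecoro.dll",DllRegisterServerW [638976 2013-02-16] (Microsoft Corporation)
HKU\Eugene\...\Run: [wesvie] rundll32.exe "C:\Users\Eugene\AppData\Roaming\wesvie.dll",ExecuteSql [169984 2013-03-01] ()
HKU\Eugene\...\RunOnce: [E8319CC3EAD5FE6F0000E830B499043D] C:\ProgramData\E8319CC3EAD5FE6F0000E830B499043D\E8319CC3EAD5FE6F0000E830B499043D.exe [401408 2013-03-01] ()
HKU\Eugene\...\Winlogon: [shell] explorer.exe,C:\Users\Eugene\AppData\Roaming\skype.dat [89600 2011-11-16] ()
"""
SCAN_DAY = date(2013, 3, 2)  # "Ran by SYSTEM at 02-03-2013" in the log header

# FRST autorun line: <hive>\...\<key>: [<name>] <command> [<size> <yyyy-mm-dd>] (<signer>)
AUTORUN_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^)]*)\)$"
)
# FRST prints [x] instead of size/date/signer when the referenced file is gone.
MISSING_RE = re.compile(r"^.+?\\\.\.\.\\(?:Run|RunOnce|Winlogon): \[(?P<name>[^\]]+)\] .*\[x\]$")
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData)\\", re.I)
RANDOM_NAME = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])|\{[0-9a-f-]{36}\}", re.I)
UNQUOTED_PATH = re.compile(r"^(.*?\.(?:exe|dll|dat|com|scr|bat|cmd))(?=\s|,|$)", re.I)


def primary_path(key, cmd):
    """Return the file an autorun entry actually executes or loads."""
    if key == "Winlogon":
        # A clean Shell value is exactly "explorer.exe"; anything appended is extra.
        extra = [p.strip() for p in cmd.split(",") if p.strip().lower() != "explorer.exe"]
        return extra[0] if extra else ""
    quoted = re.search(r'"([^"]+)"', cmd)  # rundll32 "x.dll",Export  or  "x.exe" args
    if quoted:
        return quoted.group(1)
    bare = UNQUOTED_PATH.match(cmd)  # unquoted path, possibly containing spaces
    return bare.group(1) if bare else cmd


def score_entry(entry, scan_day):
    """Apply the assumed heuristics; returns (score, [(reason, weight), ...])."""
    path = primary_path(entry["key"], entry["cmd"])
    low = path.lower()
    reasons = []
    if entry["key"] == "Winlogon" and path:
        reasons.append(("Winlogon Shell loads something besides explorer.exe", 3))
    if USER_WRITABLE.search(path):
        reasons.append(("lives in a user-writable AppData/ProgramData path", 2))
    if "rundll32" in entry["cmd"].lower():
        reasons.append(("rundll32 loads a DLL by export name", 1))
    if not entry["signer"]:
        reasons.append(("no company/signer string in the file", 1))
    if RANDOM_NAME.search(path) or RANDOM_NAME.search(entry["name"]):
        reasons.append(("random-looking hex or GUID name", 1))
    if path and not low.endswith((".exe", ".dll")):
        reasons.append(("code loaded from a non-executable extension", 1))
    if entry["signer"] == "Microsoft Corporation" and not low.startswith(("c:\\windows", "c:\\program files")):
        reasons.append(("claims Microsoft but sits outside Windows/Program Files", 1))
    age = (scan_day - date.fromisoformat(entry["date"])).days
    if 0 <= age <= 30:
        reasons.append((f"file dated {age} day(s) before the scan", 1))
    return sum(w for _, w in reasons), reasons


def triage(log_text, scan_day):
    """Parse every autorun line; returns ({name: (score, reasons)}, [missing-file names])."""
    results, missing = {}, []
    for line in log_text.splitlines():
        m = AUTORUN_RE.match(line.strip())
        if m:
            results[m["name"]] = score_entry(m.groupdict(), scan_day)
            continue
        x = MISSING_RE.match(line.strip())
        if x:
            missing.append(x["name"])
    return results, missing


def flagged(log_text, scan_day, threshold=3):
    """Names of entries at or above the threshold, highest score first."""
    results, _ = triage(log_text, scan_day)
    hits = [(n, s) for n, (s, _) in results.items() if s >= threshold]
    return [n for n, _ in sorted(hits, key=lambda ns: -ns[1])]


if __name__ == "__main__":
    results, missing = triage(SAMPLE_LOG, SCAN_DAY)
    for name in flagged(SAMPLE_LOG, SCAN_DAY):
        score, reasons = results[name]
        print(f"[{score}] {name}")
        for reason, weight in reasons:
            print(f"      +{weight} {reason}")
    print("missing files (not scored):", missing)
```

Run against the sample, the four entries a helper would put in a fixlist come out on top (the Shell value first, because any component after explorer.exe there runs at every logon, including in Safe Mode), while the Realtek and Adobe entries score zero and the `[x]` entry is reported separately as a dead reference rather than scored. The weights are deliberately simple; the point is the set of signals, not the arithmetic.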
OK, here you go... Please carefully carry out this procedure!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now.

MrC

Thanks a lot Mr. C, great job!!! The Safe Mode works and the system is clean now.

Just one question: When starting up I get a "Windows Boot Manager" screen that gives me 2 choices:

1. Windows 7

2. Windows 7 Ultimate (Recovered)

Option (2) doesn't work, and shuts down after the logo screen. Option (1) works and that's the one I'm using.

I didn't have this screen before, is there a way to suppress it, or to get rid of the nonfunctional Option #2 (7 Ultimate Recovered)?

Thanks again so much!!!

Yes, we can fix that, but I'm not sure that the system is clean; we have some more scans to run.

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC

Thanks again MrC. Here are the two text files after running MB-AntiRootKit.

It found 1 malware and fixed it, and I also ran FixDamage and it applied its own fix.

My only issue right now is that I'm still getting the Boot Manager boot-up menu: (1) Windows 7 or (2) Windows 7 Ultimate (Recovered). I didn't have that before.

Thanks!

mbar-log-2013-03-02 (17-14-24).txt

system-log.txt

OK...

A little cleanup to do...

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassociates.com/OT-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

I.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc. AdwCleaner > just run the program and click Uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
