
FBI Moneypack, White screen, Can't start in safe mode


Hello, I followed some of the instructions I saw around here for the virus I have.

I downloaded Farbar Recovery Tool.

I started in repair mode and did the scan.

Thank you for future assistance! I really appreciate it!

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 21-04-2013 01

Ran by SYSTEM on 21-04-2013 00:39:03

Running from F:\

Windows 7 Home Premium (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

HKLM-x32\...\Winlogon: [shell] C:\ProgramData\SystemRoot.exe [x ] ()

HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)

HKLM-x32\...\Run: [DisplaySwitch] "C:\ProgramData\SystemRoot.exe" [33280 2013-04-10] ()

HKU\Brian Jr\...\Run: [Google Update] "C:\Users\Brian Jr\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-07-18] (Google Inc.)

HKU\Brian Jr\...\Winlogon: [shell] explorer.exe,C:\Users\Brian Jr\AppData\Roaming\skype.dat [129024 2011-11-16] (Paragon Software)

Startup: C:\Users\Brian Jr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk

ShortcutTarget: ctfmon.lnk -> C:\Windows\SysWOW64\rundll32.exe (Microsoft Corporation)

Startup: C:\Users\Brian Jr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> (No File)

BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart

==================== Services (Whitelisted) =================

S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [68096 2012-12-03] ()

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [5174392 2012-11-02] (AVG Technologies CZ, s.r.o.)

S2 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)

S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [291696 2012-03-26] (Microsoft Corporation)

S2 CltMngSvc; C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [x]

S2 HPSLPSVC; C:\Users\BRIANJ~1\AppData\Local\Temp\7zS0781\hpslpsvc64.dll [x]

S3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [x]

==================== Drivers (Whitelisted) ====================

S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [127328 2012-12-10] (AVG Technologies CZ, s.r.o. )

S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )

S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )

S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [307040 2012-11-08] (AVG Technologies CZ, s.r.o.)

S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)

S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)

S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [384800 2013-04-10] (AVG Technologies CZ, s.r.o.)

S3 iLokDrvr; C:\Windows\System32\DRIVERS\iLokDrvr.sys [24728 2012-11-17] ()

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [203888 2012-03-20] (Microsoft Corporation)

S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [98688 2012-03-20] (Microsoft Corporation)

S3 TASCAM_US1641; C:\Windows\System32\Drivers\tus1641u.sys [408128 2010-12-18] (TASCAM)

S3 TASCAM_US1641_MIDI; C:\Windows\System32\drivers\tus1641m.sys [31296 2010-12-18] (TASCAM)

S3 TASCAM_US1641_WDM; C:\Windows\System32\drivers\tus1641a.sys [50240 2010-12-18] (TASCAM)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-04-21 00:28 - 2013-04-21 00:28 - 00000000 ____D C:\FRST

2013-04-19 21:58 - 2013-04-20 20:21 - 00000004 ____A C:\Users\Brian Jr\AppData\Roaming\skype.ini

2013-04-19 21:55 - 2013-04-19 21:55 - 00129024 ____A (Paragon Software) C:\Users\Brian Jr\jqs.exe

2013-04-19 21:55 - 2013-04-19 21:55 - 00044175 ____A C:\Users\Brian Jr\mstsc.exe

2013-04-19 21:55 - 2013-04-19 21:55 - 00000000 ____A C:\Users\Brian Jr\vlcplayer.exe

2013-04-19 21:55 - 2013-04-19 21:55 - 00000000 ____A C:\Users\Brian Jr\chrome.exe

2013-04-19 21:46 - 2013-04-19 21:46 - 00025795 ____A C:\Users\Brian Jr\Desktop\hs_err_pid10252.log

2013-04-19 08:26 - 2013-04-19 08:26 - 00013403 ____A C:\Users\Brian Jr\Desktop\MinecraftDev - Shortcut.lnk

2013-04-18 13:44 - 2013-04-18 13:44 - 00258164 ____A C:\Users\Brian Jr\Downloads\MinecraftDev.exe

2013-04-14 22:07 - 2013-04-14 22:07 - 00025402 ____A C:\Users\Brian Jr\Desktop\hs_err_pid7508.log

2013-04-10 23:18 - 2013-04-10 23:18 - 00384800 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys

2013-04-10 23:05 - 2013-04-11 00:03 - 00011908 ____A C:\Users\Brian Jr\Desktop\avgrep.txt

2013-04-10 22:56 - 2013-04-10 22:56 - 00280648 ____A C:\Windows\Minidump\041113-45692-01.dmp

2013-04-10 22:44 - 2013-04-10 22:44 - 00033280 ____A C:ProgramData\SystemRoot.exe

2013-04-01 16:34 - 2013-04-01 16:34 - 00000000 ____D C:\Program Files (x86)\AMD APP

2013-04-01 16:33 - 2013-04-01 16:33 - 00000000 ____D C:\Program Files\ATI

2013-04-01 16:32 - 2013-04-01 16:32 - 00000000 ____D C:\Program Files\ATI Technologies

2013-04-01 16:26 - 2013-04-01 16:26 - 00000000 ____D C:\AMD

2013-04-01 16:18 - 2013-04-01 16:26 - 153569432 ____A (Advanced Micro Devices, Inc.) C:\Users\Brian Jr\Downloads\13-1_vista_win7_win8_64_dd_ccc_whql.exe

2013-03-28 19:32 - 2013-03-21 22:28 - 39012355 ____A C:\Users\Brian Jr\Desktop\Captives.m4a

2013-03-26 12:36 - 2013-03-26 12:46 - 00000000 ___AD C:ProgramData\TEMP

2013-03-26 12:35 - 2013-03-26 12:46 - 00000000 ____D C:\Program Files (x86)\Trojan Remover

2013-03-26 12:35 - 2013-03-26 12:35 - 00000000 ____D C:ProgramData\Simply Super Software

2013-03-26 12:35 - 2013-03-26 12:35 - 00000000 ____D C:\Users\Brian Jr\Documents\Simply Super Software

2013-03-26 12:34 - 2013-03-26 12:34 - 00393040 ____A (Softonic ) C:\Users\Brian Jr\Downloads\SoftonicDownloader_for_trojan-remover.exe

2013-03-25 22:18 - 2013-04-02 22:07 - 00043520 ____A C:\Windows\SysWOW64\CmdLineExt03.dll

2013-03-25 21:51 - 2013-03-25 21:51 - 00002047 ____A C:\Users\Public\Desktop\Star Wars Knights of the Old Republic II - The Sith Lords.lnk

2013-03-25 21:29 - 2013-03-25 21:29 - 00000000 ____D C:\Program Files (x86)\LucasArts

2013-03-25 14:56 - 2013-03-25 14:57 - 897248870 ____A C:\Users\Brian Jr\Desktop\DSCN1043.MOV

==================== One Month Modified Files and Folders =======

2013-04-21 00:28 - 2013-04-21 00:28 - 00000000 ____D C:\FRST

2013-04-20 20:21 - 2013-04-19 21:58 - 00000004 ____A C:\Users\Brian Jr\AppData\Roaming\skype.ini

2013-04-20 20:20 - 2013-02-19 18:55 - 00000420 ____A C:\Windows\Tasks\Quick PC Booster64 startups.job

2013-04-20 20:20 - 2013-01-21 15:16 - 00000370 ___AH C:\Windows\Tasks\{67C444E3-A7ED-4E1A-B713-205D253CC47E}.job

2013-04-20 20:20 - 2013-01-21 15:16 - 00000368 ____A C:\Windows\Tasks\AmiUpdXp.job

2013-04-20 20:19 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-04-20 20:19 - 2009-07-13 20:51 - 00445782 ____A C:\Windows\setupact.log

2013-04-20 08:11 - 2009-07-13 21:13 - 00782096 ____A C:\Windows\System32\PerfStringBackup.INI

2013-04-19 22:33 - 2012-05-28 16:19 - 00000000 ____D C:\Users\Brian Jr\AppData\Roaming\Dropbox

2013-04-19 22:18 - 2012-07-18 22:50 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2444624676-3212473436-2602917289-1000UA.job

2013-04-19 22:18 - 2012-07-18 22:50 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2444624676-3212473436-2602917289-1000Core.job

2013-04-19 22:13 - 2012-05-28 16:25 - 00000000 ___RD C:\Users\Brian Jr\Dropbox

2013-04-19 22:01 - 2012-08-26 12:12 - 00000000 ____D C:ProgramData\AVG2012

2013-04-19 22:01 - 2012-05-11 22:53 - 00013106 ____A C:\Windows\PFRO.log

2013-04-19 22:01 - 2012-02-07 13:51 - 00000000 ___HD C:\users\Brian Jr

2013-04-19 21:56 - 2012-04-23 10:22 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-04-19 21:55 - 2013-04-19 21:55 - 00129024 ____A (Paragon Software) C:\Users\Brian Jr\jqs.exe

2013-04-19 21:55 - 2013-04-19 21:55 - 00044175 ____A C:\Users\Brian Jr\mstsc.exe

2013-04-19 21:55 - 2013-04-19 21:55 - 00000000 ____A C:\Users\Brian Jr\vlcplayer.exe

2013-04-19 21:55 - 2013-04-19 21:55 - 00000000 ____A C:\Users\Brian Jr\chrome.exe

2013-04-19 21:46 - 2013-04-19 21:46 - 00025795 ____A C:\Users\Brian Jr\Desktop\hs_err_pid10252.log

2013-04-19 21:26 - 2012-08-26 12:12 - 00000000 ____D C:\Windows\System32\Drivers\AVG

2013-04-19 21:23 - 2013-02-19 18:55 - 00000444 ____A C:\Windows\Tasks\Quick PC Booster Updates.job

2013-04-19 08:52 - 2012-06-06 08:04 - 00000000 ____D C:\Users\Brian Jr\AppData\Roaming\.minecraft

2013-04-19 08:26 - 2013-04-19 08:26 - 00013403 ____A C:\Users\Brian Jr\Desktop\MinecraftDev - Shortcut.lnk

2013-04-18 13:44 - 2013-04-18 13:44 - 00258164 ____A C:\Users\Brian Jr\Downloads\MinecraftDev.exe

2013-04-18 13:24 - 2009-07-13 19:20 - 00000000 __ASD C:ProgramData\Microsoft

2013-04-18 07:00 - 2013-02-19 18:55 - 00000412 ____A C:\Windows\Tasks\Quick PC Booster64 Scan.job

2013-04-17 05:19 - 2012-08-26 12:13 - 00000965 ____A C:\Users\Public\Desktop\AVG 2012.lnk

2013-04-17 05:19 - 2012-07-17 17:42 - 00000000 ____D C:ProgramData\MFAData

2013-04-15 19:40 - 2012-02-07 13:32 - 01853931 ____A C:\Windows\WindowsUpdate.log

2013-04-14 22:07 - 2013-04-14 22:07 - 00025402 ____A C:\Users\Brian Jr\Desktop\hs_err_pid7508.log

2013-04-14 16:50 - 2012-08-27 17:58 - 00006624 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-04-14 16:50 - 2012-08-27 17:58 - 00006624 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-04-13 19:34 - 2013-02-19 18:45 - 00000000 ____D C:\Program Files\Quick PC Booster

2013-04-11 00:03 - 2013-04-10 23:05 - 00011908 ____A C:\Users\Brian Jr\Desktop\avgrep.txt

2013-04-10 23:18 - 2013-04-10 23:18 - 00384800 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys

2013-04-10 22:56 - 2013-04-10 22:56 - 00280648 ____A C:\Windows\Minidump\041113-45692-01.dmp

2013-04-10 22:56 - 2012-08-27 17:56 - 00000000 ____D C:\Windows\Minidump

2013-04-10 22:56 - 2012-08-27 17:55 - 670718153 ____A C:\Windows\MEMORY.DMP

2013-04-10 22:44 - 2013-04-10 22:44 - 00033280 ____A C:ProgramData\SystemRoot.exe

2013-04-09 21:13 - 2013-01-18 23:16 - 00000000 ____D C:\Users\Brian Jr\Desktop\Cleaning out ableton!

2013-04-09 21:12 - 2013-03-07 19:28 - 00000000 ____D C:\Users\Brian Jr\Desktop\Moms Pics (1)

2013-04-02 22:07 - 2013-03-25 22:18 - 00043520 ____A C:\Windows\SysWOW64\CmdLineExt03.dll

2013-04-01 16:34 - 2013-04-01 16:34 - 00000000 ____D C:\Program Files (x86)\AMD APP

2013-04-01 16:33 - 2013-04-01 16:33 - 00000000 ____D C:\Program Files\ATI

2013-04-01 16:32 - 2013-04-01 16:32 - 00000000 ____D C:\Program Files\ATI Technologies

2013-04-01 16:26 - 2013-04-01 16:26 - 00000000 ____D C:\AMD

2013-04-01 16:26 - 2013-04-01 16:18 - 153569432 ____A (Advanced Micro Devices, Inc.) C:\Users\Brian Jr\Downloads\13-1_vista_win7_win8_64_dd_ccc_whql.exe

2013-03-28 02:40 - 2012-05-28 16:25 - 00001028 ____A C:\Users\Brian Jr\Desktop\Dropbox.lnk

2013-03-26 12:46 - 2013-03-26 12:36 - 00000000 ___AD C:ProgramData\TEMP

2013-03-26 12:46 - 2013-03-26 12:35 - 00000000 ____D C:\Program Files (x86)\Trojan Remover

2013-03-26 12:39 - 2012-07-18 22:16 - 00000000 ____D C:\Windows\pss

2013-03-26 12:37 - 2012-02-08 03:54 - 00000000 __SHD C:\Users\Brian Jr\AppData\Local\{83f45dd9-ede4-58cd-aca6-95266ea62e29}

2013-03-26 12:35 - 2013-03-26 12:35 - 00000000 ____D C:ProgramData\Simply Super Software

2013-03-26 12:35 - 2013-03-26 12:35 - 00000000 ____D C:\Users\Brian Jr\Documents\Simply Super Software

2013-03-26 12:34 - 2013-03-26 12:34 - 00393040 ____A (Softonic ) C:\Users\Brian Jr\Downloads\SoftonicDownloader_for_trojan-remover.exe

2013-03-26 12:31 - 2012-10-23 19:55 - 00000000 ____D C:\Users\Brian Jr\AppData\Roaming\Skype

2013-03-25 21:51 - 2013-03-25 21:51 - 00002047 ____A C:\Users\Public\Desktop\Star Wars Knights of the Old Republic II - The Sith Lords.lnk

2013-03-25 21:29 - 2013-03-25 21:29 - 00000000 ____D C:\Program Files (x86)\LucasArts

2013-03-25 21:29 - 2012-02-07 23:15 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information

2013-03-25 16:06 - 2012-03-13 15:44 - 00000000 ____D C:\Program Files (x86)\Steam

2013-03-25 14:57 - 2013-03-25 14:56 - 897248870 ____A C:\Users\Brian Jr\Desktop\DSCN1043.MOV

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-2444624676-3212473436-2602917289-1000\$83f45dd9ede458cdaca695266ea62e29

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$83f45dd9ede458cdaca695266ea62e29

Other Malware:

===========

C:\Users\Brian Jr\AppData\Roaming\skype.dat

C:\Users\Brian Jr\AppData\Roaming\skype.ini

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-02 01:09:44

Restore point made on: 2013-04-09 10:32:40

Restore point made on: 2013-04-16 23:41:07

==================== Memory info ===========================

Percentage of memory in use: 9%

Total physical RAM: 8125.39 MB

Available physical RAM: 7321.81 MB

Total Pagefile: 8123.54 MB

Available Pagefile: 7319.11 MB

Total Virtual: 8192 MB

Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.41 GB) (Free:460.45 GB) NTFS (Disk=0 Partition=2)

Drive e: (KOTOR2_1) (CDROM) (Total:0.63 GB) (Free:0 GB) CDFS

Drive f: () (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT (Disk=1 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 931 GB 0 B

Disk 1 Online 1920 MB 0 B

Partitions of Disk 0:

===============

Disk ID: 8444ADBB

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 931 GB 101 MB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 931 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Disk ID: 728C5CC1

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1919 MB 236 KB

==================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F FAT Removable 1919 MB Healthy

=========================================================

============================== MBR & Partition Table ==================

====================================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 8444ADBB)

Partition 1: (Active) - (Size=100 MB) - (Type=07) (NTFS)

Partition 2: (Not Active) - (Size=931 GB) - (Type=07) (NTFS)

====================================================================

Disk: 1 (Size: 2 GB) (Disk ID: 728C5CC1)

Partition 1: (Not Active) - (Size=2 GB) - (Type=06)

Last Boot: 2013-04-13 21:31

==================== End Of Log ============================


  • Staff

Hello mario422

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

 
HKLM-x32\...\Run: [DisplaySwitch] "C:\ProgramData\SystemRoot.exe" [33280 2013-04-10] ()
HKU\Brian Jr\...\Winlogon: [Shell] explorer.exe,C:\Users\Brian Jr\AppData\Roaming\skype.dat [129024 2011-11-16] (Paragon Software)
C:\Users\Brian Jr\jqs.exe
C:\Users\Brian Jr\mstsc.exe
C:\Users\Brian Jr\vlcplayer.exe
C:\Users\Brian Jr\chrome.exe
C:\Windows\Tasks\Quick PC Booster64 startups.job
C:\Windows\Tasks\{67C444E3-A7ED-4E1A-B713-205D253CC47E}.job
C:\Windows\Tasks\AmiUpdXp.job
C:\$Recycle.Bin\S-1-5-21-2444624676-3212473436-2602917289-1000\$83f45dd9ede458cdaca695266ea62e29
C:\$Recycle.Bin\S-1-5-18\$83f45dd9ede458cdaca695266ea62e29
C:\Users\Brian Jr\AppData\Roaming\skype.dat
C:\Users\Brian Jr\AppData\Roaming\skype.ini

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo

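To show how lines in a fixlist like the one above are derived from the FRST log, here is an added example (not part of this thread, and not FRST's or Farbar's own code) that applies a few triage rules to log lines: a Winlogon Shell value that is not plain explorer.exe, a Run entry with an empty publisher field launched from a user-writable folder, an executable sitting directly in a profile or ProgramData root, and the path printed under a ZeroAccess: marker. The sample log lines are constructed in the shape of the log above, and the rules themselves are an assumption for illustration, not the criteria the helper applied.

```python
import re

# Constructed sample in the shape of the FRST.txt posted above: registry autostart
# lines, "One Month Created Files" lines and a ZeroAccess marker block.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Winlogon: [shell] C:\ProgramData\SystemRoot.exe [x ] ()
HKLM-x32\...\Run: [DisplaySwitch] "C:\ProgramData\SystemRoot.exe" [33280 2013-04-10] ()
HKU\Brian Jr\...\Run: [Google Update] "C:\Users\Brian Jr\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-07-18] (Google Inc.)
HKU\Brian Jr\...\Winlogon: [shell] explorer.exe,C:\Users\Brian Jr\AppData\Roaming\skype.dat [129024 2011-11-16] (Paragon Software)
2013-04-19 21:55 - 2013-04-19 21:55 - 00129024 ____A (Paragon Software) C:\Users\Brian Jr\jqs.exe
2013-04-19 21:55 - 2013-04-19 21:55 - 00044175 ____A C:\Users\Brian Jr\mstsc.exe
2013-04-18 13:44 - 2013-04-18 13:44 - 00258164 ____A C:\Users\Brian Jr\Downloads\MinecraftDev.exe
2013-04-01 16:34 - 2013-04-01 16:34 - 00000000 ____D C:\Program Files (x86)\AMD APP
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$83f45dd9ede458cdaca695266ea62e29
"""

# Registry autostart line: key, [value name], command, [size date], (publisher).
REG_RE = re.compile(r'^(?P<key>HK.*?\\\.\.\.\\(?P<kind>Run|Winlogon)): \[(?P<name>[^\]]+)\] '
                    r'(?P<cmd>.*?) \[(?P<size>[^\]]*)\] \((?P<pub>[^)]*)\)\s*$')
# File/folder line: created - modified - size attributes [(publisher)] path.
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ '
                     r'(?P<attr>[_A-Z]+) (?:\([^)]*\) )?(?P<path>.+)$')
# Folders an unprivileged user can write to, where autostarts rarely belong.
USER_WRITABLE = re.compile(r'^[a-z]:\\(?:programdata|users\\[^\\]+)\\', re.IGNORECASE)
# An .exe sitting directly in a profile root or in ProgramData, with no subfolder.
ROOT_EXE = re.compile(r'^[a-z]:\\(?:programdata|users\\[^\\]+)\\[^\\]+\.exe$', re.IGNORECASE)


def command_path(cmd: str) -> str:
    """Executable path of a Run command: the quoted part, else the first token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(' ', 1)[0]


def build_fixlist(log_text: str) -> list[str]:
    """Apply the triage rules to FRST log lines and return candidate fixlist lines.
    Registry hits are emitted verbatim (FRST deletes the value for a copied line),
    file hits as bare paths (FRST moves the file), as in the fix above."""
    hits: list[str] = []
    after_marker = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if after_marker:  # rule 4: the path printed under a "ZeroAccess:" marker
            hits.append(line)
            after_marker = False
            continue
        if line == "ZeroAccess:":
            after_marker = True
            continue
        reg = REG_RE.match(line)
        if reg:
            if reg["kind"].lower() == "winlogon" and reg["name"].lower() == "shell":
                # rule 1: Shell must be plain explorer.exe; anything else, or anything
                # appended after a comma, is started instead of or beside the desktop
                if reg["cmd"].strip().lower() != "explorer.exe":
                    hits.append(line)
            elif reg["kind"].lower() == "run":
                # rule 2: autostart with an empty publisher field from a user-writable folder
                if USER_WRITABLE.match(command_path(reg["cmd"])) and not reg["pub"].strip():
                    hits.append(line)
            continue
        fil = FILE_RE.match(line)
        if fil and "D" not in fil["attr"] and ROOT_EXE.match(fil["path"]):
            hits.append(fil["path"])  # rule 3: loose .exe in a profile or ProgramData root
    # Created and Modified sections repeat entries: keep first occurrences, in order.
    return list(dict.fromkeys(hits))


if __name__ == "__main__":
    print("\n".join(build_fixlist(SAMPLE_LOG)))
```

Entries the rules do not catch (for instance the scheduled task .job files in the fix above) still need a human reviewer; the script is a first pass, not a replacement for one.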

Hello! Thank you!

The results are below. I logged in normal mode and it seems like it's running fine now! Is there anything else I should do?

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-04-2013 01

Ran by SYSTEM at 2013-04-21 01:13:57 Run:1

Running from F:\

Boot Mode: Recovery

==============================================

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\DisplaySwitch value deleted successfully.

HKEY_USERS\Brian Jr\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell value deleted successfully.

C:\Users\Brian Jr\jqs.exe moved successfully.

C:\Users\Brian Jr\mstsc.exe moved successfully.

C:\Users\Brian Jr\vlcplayer.exe moved successfully.

C:\Users\Brian Jr\chrome.exe moved successfully.

C:\Windows\Tasks\Quick PC Booster64 startups.job moved successfully.

C:\Windows\Tasks\{67C444E3-A7ED-4E1A-B713-205D253CC47E}.job moved successfully.

C:\Windows\Tasks\AmiUpdXp.job moved successfully.

C:\$Recycle.Bin\S-1-5-21-2444624676-3212473436-2602917289-1000\$83f45dd9ede458cdaca695266ea62e29 moved successfully.

C:\$Recycle.Bin\S-1-5-18\$83f45dd9ede458cdaca695266ea62e29 moved successfully.

C:\Users\Brian Jr\AppData\Roaming\skype.dat moved successfully.

C:\Users\Brian Jr\AppData\Roaming\skype.ini moved successfully.

==== End of Fixlog ====


  • Staff

Hello mario422

These are the programs I would like you to run next, if you have any problems with these just skip it and move on to the next one.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

-RogueKiller-

  • Download & SAVE to your Desktop RogueKiller for 32bit or RogueKiller for 64bit.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.

Gringo


  • Staff

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you, it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.

Gringo


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
