FBI moneypak with no safe mode options working

DPANN · May 11, 2013

Not sure if this is a newer better version unlucky for me but have my PC running Vista pro 32 bit system hostage from FBI money pack $300 ransom. I attempted to start in all safe mode options & none worked just restarted PC back into lockdown. Also wont let me in setup F2 nor using F12 to boot from Usb device screen just sits there doing nothing. Thanks for the help.

MrCharlie · May 11, 2013

Welcome to the forum, here's how we deal with that malware:

Please download Farbar Recovery Scan Tool and save it to a flash drive.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Plug the flash drive into the infected PC.
If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
If you are using Vista or Windows 7 enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account an click Next.

Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

[*]On the System Recovery Options menu you will get the following options:

- Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt
  Select Command Prompt
  Once in the Command Prompt:

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select "Computer" and find your flash drive letter and close the notepad.

[*]In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to disclaimer.

[*]Press Scan button.

[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC

DPANN · May 11, 2013

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-05-2013 01

Ran by SYSTEM on 11-05-2013 12:11:44

Running from E:\

Windows Vista Business (X86) OS Language: English(US)

Internet Explorer Version 7

Boot Mode: Recovery

The current controlset is ControlSet003

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide [1004136 2006-11-02] (Microsoft Corporation)

HKLM\...\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart [90191 2006-12-07] (NVIDIA Corporation)

HKLM\...\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup [7766016 2006-12-07] (NVIDIA Corporation)

HKLM\...\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [81920 2006-12-07] (NVIDIA Corporation)

HKLM\...\Run: [sigmatelSysTrayApp] "sttray.exe" [x]

HKLM\...\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [151552 2006-09-29] (Intel Corporation)

HKLM\...\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [81920 2004-07-27] (InstallShield Software Corporation)

HKLM\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [118784 2006-10-20] (CyberLink Corp.)

HKLM\...\Run: [ECenter] "c:\dell\E-Center\EULALauncher.exe" [17920 2007-04-02] ( )

HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2010-07-21] (Google)

HKLM\...\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [90112 2006-11-10] ()

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [385024 2008-01-10] (Apple Inc.)

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [267048 2008-01-15] (Apple Inc.)

HKLM\...\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1037736 2007-08-31] (Microsoft Corporation)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)

HKLM\...\Run: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul [729528 2013-03-29] (Webroot)

HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM\...\Run: [bing Bar] "C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [243544 2010-04-27] (Microsoft Corp.)

HKLM\...\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [288088 2009-11-11] (Microsoft Corporation)

HKU\dennis\...\Run: [WindowsWelcomeCenter] "rundll32.exe" oobefldr.dll,ShowWelcomeCenter [x]

HKU\dennis\...\Run: [Google Update] "C:\Users\dennis\AppData\Local\Google\Update\GoogleUpdate.exe" /c [ 2011-07-29] (Google Inc.)

HKU\dennis\...\Run: [Download] "C:\Users\dennis\AppData\Local\SupportSoft\ddoctorv2\dennis\ssGet.exe" 120 "http://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe" [x]

HKU\dennis\...\Run: [Desktop Software] "C:\Program Files\Common Files\SupportSoft\bin\bcont.exe" /ini "C:\Program Files\ComcastUI\Desktop Software\uinstaller.ini" /fromrun /starthidden [ 2012-03-15] ()

HKU\dennis\...\Run: [update] rundll32.exe "C:\Users\dennis\AppData\Roaming\ATI\ATI\mijimxh.dll",DllRegisterServer [x]

HKU\dennis\...\Run: [lptmp29552] rundll32.exe "C:\Users\dennis\AppData\Local\lptmp30119\lptmp29552\itryw.dll",sf_commandW [x]

HKU\dennis\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2006-11-02] (Microsoft Corporation)

HKU\dennis\...\Run: [Netscape] RunDLL32.exe C:\Users\dennis\AppData\Local\Netscape\iowctlrc.dll,UnPackFolder [x]

HKU\dennis\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\dennis\Documents\2e1d049a.exe [ 2013-05-10] ()

HKU\dennis\...\Policies\system: [DisableCMD] 0

HKU\dennis\...\Policies\system: [NoDispAppearancePage] 0

HKU\dennis\...\Policies\system: [NoDispBackgroundPage] 0

HKU\dennis\...\Policies\system: [NoDispSettingsPage] 0

HKU\dennis\...\Winlogon: [shell] cmd.exe [ 2006-11-02] (Microsoft Corporation)

Startup: C:\ProgramData\Start Menu\Programs\Startup\Install Webroot FF RunOnce.lnk

ShortcutTarget: Install Webroot FF RunOnce.lnk -> C:\Program Files\Common Files\wruninstall.exe (Webroot Software, Inc.)

Startup: C:\ProgramData\Start Menu\Programs\Startup\Install Webroot IE RunOnce.lnk

ShortcutTarget: Install Webroot IE RunOnce.lnk -> C:\Program Files\Common Files\wruninstall.exe (Webroot Software, Inc.)

Startup: C:\Users\dennis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PalTalk.lnk

ShortcutTarget: PalTalk.lnk -> C:\Program Files\Paltalk Messenger\paltalk.exe (AVM Software Inc.)

========================== Services (Whitelisted) =================

S2 Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [110592 2007-09-06] (Apple, Inc.)

S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-07-21] (Google)

S2 STacSV; C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe [90112 2007-02-07] (SigmaTel, Inc.)

S2 WRSVC; C:\Program Files\Webroot\WRSA.exe [729528 2013-03-29] (Webroot)

S3 msiserver; %systemroot%\system32\msiexec /V [x]

==================== Drivers (Whitelisted) ====================

S3 AtiDCM; C:\Program Files\ATI\CIM\Bin\atidcmxx.sys [20480 2007-05-29] (Advanced Micro Devices, Inc.)

S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [51056 2003-05-14] (HP)

S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2003-05-14] (HP)

S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21488 2003-05-14] (HP)

S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [18856 2007-08-31] (Microsoft Corporation)

S3 STHDA; C:\Windows\System32\drivers\stwrt.sys [647680 2007-02-07] (SigmaTel, Inc.)

S0 WRkrn; C:\Windows\System32\drivers\WRkrn.sys [114688 2013-04-06] (Webroot)

S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]

S3 IpInIp; system32\DRIVERS\ipinip.sys [x]

S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]

S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

S0 SR;

S2 srservice;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-11 12:11 - 2013-05-11 12:11 - 00000000 ____D C:\FRST

2013-05-10 16:29 - 2013-05-10 16:29 - 00174373 ____A C:\ProgramData\2433f433

2013-05-10 16:29 - 2013-05-10 16:29 - 00174363 ____A C:\Users\dennis\AppData\Roaming\2433f433

2013-05-10 16:29 - 2013-05-10 16:29 - 00174348 ____A C:\Users\dennis\AppData\Local\2433f433

2013-05-10 16:29 - 2013-05-10 16:29 - 00030208 ____A C:\Users\dennis\Documents\2e1d049a.exe

2013-05-10 16:29 - 2013-05-10 16:29 - 00030208 ____A C:\Users\dennis\Documents\2e1d049a.dll

2013-05-09 11:36 - 2008-06-19 17:18 - 00105016 ____A (Microsoft Corporation) C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll

2013-05-09 11:36 - 2008-06-19 17:17 - 00097800 ____A (Microsoft Corporation) C:\Windows\System32\infocardapi.dll

2013-05-09 11:36 - 2008-06-19 17:17 - 00037384 ____A (Microsoft Corporation) C:\Windows\System32\infocardcpl.cpl

2013-05-09 11:35 - 2008-06-19 17:18 - 00781344 ____A (Microsoft Corporation) C:\Windows\System32\PresentationNative_v0300.dll

2013-05-09 11:35 - 2008-06-19 17:18 - 00326160 ____A (Microsoft Corporation) C:\Windows\System32\PresentationHost.exe

2013-05-09 11:35 - 2008-06-19 17:18 - 00043544 ____A (Microsoft Corporation) C:\Windows\System32\PresentationHostProxy.dll

2013-05-09 11:35 - 2008-06-19 17:17 - 00622080 ____A (Microsoft Corporation) C:\Windows\System32\icardagt.exe

2013-05-09 11:35 - 2008-06-19 17:17 - 00011264 ____A (Microsoft Corporation) C:\Windows\System32\icardres.dll

2013-05-09 11:22 - 2008-07-27 10:00 - 00282112 ____A (Microsoft Corporation) C:\Windows\System32\mscoree.dll

2013-05-09 11:22 - 2008-07-27 10:00 - 00096760 ____A (Microsoft Corporation) C:\Windows\System32\dfshim.dll

2013-05-09 11:21 - 2008-07-27 10:00 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\mscorier.dll

2013-05-09 11:21 - 2008-07-27 10:00 - 00083968 ____A (Microsoft Corporation) C:\Windows\System32\mscories.dll

2013-05-09 11:21 - 2008-07-27 10:00 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\netfxperf.dll

2013-05-09 11:17 - 2013-05-09 11:42 - 00000000 ____D C:\Users\dennis\AppData\Roaming\Garmin

2013-05-01 07:55 - 2013-05-01 07:55 - 00000000 ____A C:\Users\dennis\csrss.exe

2013-05-01 07:55 - 2013-05-01 07:55 - 00000000 ____A C:\Users\dennis\alg.exe

2013-04-20 03:51 - 2013-04-20 03:51 - 00002054 ____A C:\Users\dennis\Desktop\GooredFix.txt

2013-04-20 03:51 - 2013-04-20 03:51 - 00000000 ____D C:\Users\dennis\Desktop\GooredFix Backups

2013-04-20 03:50 - 2013-04-20 03:50 - 00071398 ____A (jpshortstuff) C:\Users\dennis\Desktop\GooredFix.exe

2013-04-20 03:49 - 2013-04-20 03:49 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\dennis\Desktop\tdsskiller.exe

==================== One Month Modified Files and Folders ========

2013-05-11 12:11 - 2013-05-11 12:11 - 00000000 ____D C:\FRST

2013-05-11 06:12 - 2007-06-09 00:27 - 02085212 ____A C:\Windows\WindowsUpdate.log

2013-05-11 06:09 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-11 06:09 - 2006-11-02 04:52 - 00027606 ____A C:\Windows\setupact.log

2013-05-11 06:09 - 2006-11-02 04:47 - 00003456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-11 06:09 - 2006-11-02 04:47 - 00003456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-11 05:58 - 2006-11-02 04:47 - 00230808 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-11 05:05 - 2011-07-29 08:53 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1356234744-4171324481-2857267226-1000UA.job

2013-05-11 05:00 - 2006-11-02 05:01 - 00032600 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2013-05-11 04:46 - 2006-11-02 02:33 - 00716948 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-11 04:43 - 2012-11-15 23:43 - 09842040 ____A (Webroot Software, Inc.) C:\Program Files\Common Files\wruninstall.exe

2013-05-11 04:43 - 2012-02-06 05:48 - 00000000 ____D C:\ProgramData\WRData

2013-05-11 04:42 - 2012-02-06 05:49 - 00150160 ____A (Webroot) C:\Windows\System32\WRusr.dll

2013-05-11 04:31 - 2012-02-06 05:49 - 00000741 ____A C:\Users\Public\Desktop\Webroot SecureAnywhere.lnk

2013-05-11 04:21 - 2006-11-02 05:00 - 00045504 ____A C:\Windows\PFRO.log

2013-05-11 01:05 - 2011-07-29 08:53 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1356234744-4171324481-2857267226-1000Core.job

2013-05-10 16:29 - 2013-05-10 16:29 - 00174373 ____A C:\ProgramData\2433f433

2013-05-10 16:29 - 2013-05-10 16:29 - 00174363 ____A C:\Users\dennis\AppData\Roaming\2433f433

2013-05-10 16:29 - 2013-05-10 16:29 - 00174348 ____A C:\Users\dennis\AppData\Local\2433f433

2013-05-10 16:29 - 2013-05-10 16:29 - 00030208 ____A C:\Users\dennis\Documents\2e1d049a.exe

2013-05-10 16:29 - 2013-05-10 16:29 - 00030208 ____A C:\Users\dennis\Documents\2e1d049a.dll

2013-05-09 14:38 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET

2013-05-09 14:25 - 2012-04-17 09:39 - 00000000 ____D C:\MDT

2013-05-09 14:22 - 2006-11-02 04:37 - 00000000 ____D C:\Windows\System32\XPSViewer

2013-05-09 11:42 - 2013-05-09 11:17 - 00000000 ____D C:\Users\dennis\AppData\Roaming\Garmin

2013-05-08 05:38 - 2007-06-14 14:00 - 00000000 ____D C:\users\dennis

2013-05-01 07:55 - 2013-05-01 07:55 - 00000000 ____A C:\Users\dennis\csrss.exe

2013-05-01 07:55 - 2013-05-01 07:55 - 00000000 ____A C:\Users\dennis\alg.exe

2013-04-22 14:12 - 2012-02-08 05:30 - 00001176 ____A C:\Users\dennis\Desktop\Upgrade to Paltalk Extreme.lnk

2013-04-22 14:12 - 2011-06-02 06:43 - 00001782 ____A C:\Users\dennis\Desktop\Paltalk Messenger.lnk

2013-04-22 14:12 - 2011-06-02 06:43 - 00000000 ____D C:\Program Files\Paltalk Messenger

2013-04-20 04:07 - 2013-01-25 21:04 - 00005912 ____A C:\Windows\IE9_main.log

2013-04-20 03:51 - 2013-04-20 03:51 - 00002054 ____A C:\Users\dennis\Desktop\GooredFix.txt

2013-04-20 03:51 - 2013-04-20 03:51 - 00000000 ____D C:\Users\dennis\Desktop\GooredFix Backups

2013-04-20 03:50 - 2013-04-20 03:50 - 00071398 ____A (jpshortstuff) C:\Users\dennis\Desktop\GooredFix.exe

2013-04-20 03:49 - 2013-04-20 03:49 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\dennis\Desktop\tdsskiller.exe

2013-04-16 19:28 - 2007-06-18 08:12 - 00007160 ____A C:\Users\dennis\AppData\Local\d3d9caps.dat

Other Malware:

===========

C:\Users\dennis\alg.exe

C:\Users\dennis\csrss.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2006-11-02 00:52] - [2006-11-02 01:51] - 0208488 ____A (Microsoft Corporation) 11EF6C1CAEF76B685233450A126125D6

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-30 04:15:58

Restore point made on: 2013-04-30 20:00:06

Restore point made on: 2013-05-01 20:00:16

Restore point made on: 2013-05-02 20:00:15

Restore point made on: 2013-05-03 12:37:58

Restore point made on: 2013-05-04 20:00:11

Restore point made on: 2013-05-05 20:00:04

Restore point made on: 2013-05-06 20:00:14

Restore point made on: 2013-05-07 20:00:13

Restore point made on: 2013-05-08 20:00:14

Restore point made on: 2013-05-09 11:20:51

Restore point made on: 2013-05-09 11:35:39

Restore point made on: 2013-05-10 20:00:13

==================== Memory info ===========================

Percentage of memory in use: 11%

Total physical RAM: 2045.04 MB

Available physical RAM: 1815.5 MB

Total Pagefile: 1978.68 MB

Available Pagefile: 1854.84 MB

Total Virtual: 2047.88 MB

Available Virtual: 1975.72 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:72.45 GB) (Free:40.58 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

Drive e: () (Removable) (Total:7.45 GB) (Free:7.33 GB) FAT32

Drive x: (RECOVERY) (Fixed) (Total:2 GB) (Free:1.41 GB) NTFS

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows Vista) (Size: 75 GB) (Disk ID: 40000000)

Partition 1: (Not Active) - (Size=55 MB) - (Type=DE)

Partition 2: (Not Active) - (Size=2 GB) - (Type=07 NTFS)

Partition 3: (Active) - (Size=72 GB) - (Type=07 NTFS)

========================================================

Disk: 1 (Size: 7 GB) (Disk ID: 00000000)

Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

Last Boot: 2013-05-11 04:47

==================== End Of Log ============================

MrCharlie · May 11, 2013

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now.

MrC

DPANN · May 11, 2013

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-05-2013 01

Ran by SYSTEM at 2013-05-11 12:50:56 Run:1

Running from E:\

Boot Mode: Recovery

==============================================

HKEY_USERS\dennis\Software\Microsoft\Windows\CurrentVersion\Run\\Update => Value deleted successfully.

HKEY_USERS\dennis\Software\Microsoft\Windows\CurrentVersion\Run\\lptmp29552 => Value deleted successfully.

HKEY_USERS\dennis\Software\Microsoft\Windows\CurrentVersion\Run\\Netscape => Value deleted successfully.

HKEY_USERS\dennis\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.

C:\Users\dennis\AppData\Roaming\ATI\ATI\mijimxh.dll => File/Directory not found.

C:\Users\dennis\AppData\Local\lptmp30119\lptmp29552\itryw.dll => Moved successfully.

C:\Users\dennis\AppData\Local\lptmp30119 => Moved successfully.

C:\ProgramData\2433f433 => Moved successfully.

C:\Users\dennis\AppData\Roaming\2433f433 => Moved successfully.

C:\Users\dennis\AppData\Local\2433f433 => Moved successfully.

C:\Users\dennis\Documents\2e1d049a.exe => Moved successfully.

C:\Users\dennis\Documents\2e1d049a.dll => Moved successfully.

C:\Users\dennis\alg.exe => Moved successfully.

C:\Users\dennis\csrss.exe => Moved successfully.

==== End of Fixlog ====

MrCharlie · May 11, 2013

Does it boot normally??? MrC

DPANN · May 11, 2013

No PC looks like booting ok but black screen comes up in top bar CMD.EXE in the box text reads C:\users\dennis\documents\2e1d049a.exe" is not recognized as an internal or external command operable program or batch file

MrCharlie · May 11, 2013

Run another scan with FRST and post the new log, MrC

DPANN · May 11, 2013

It wont scan says device not ready ??

MrCharlie · May 11, 2013

Does the computer boot up but you just have a black screen with that message??

Can you do anything on the computer??

MrC

DPANN · May 11, 2013

it appears to boot fine till starting windows is about to appear & then the black screen with command prompt comes on

MrCharlie · May 11, 2013

See if you can do this:

Tap the <F8> key during startup until the Windows Advanced Options menu appears. (If the Windows Advanced Options menu does not appear, restart the computer, and try again.)

Press the <Down Arrow> key until Repair Your Computer is highlighted, and press the <Enter> key.

When the System Recovery Options window appears, click to select your language, and click Next.

Log in as a user with administrative rights, and click OK. (The Windows Vista Recovery Environment appears.)

From the Choose a recovery tool menu, click Startup Repair. (Startup Repair proceeds to check the system for issues and resolve them.)

Once completed, click Finish.

Click Restart.

MrC (Be back in a little while)

DPANN · May 11, 2013

Gets all the way to Welcome screen then all goes black & command prompt box shows up

DPANN · May 11, 2013

ok will try your last suggestion as I just saw it

DPANN · May 11, 2013

first wouldn't allow me under administrator says no privileges did it under Dennis & repair says nothing detected wrong

MrCharlie · May 11, 2013

You have a bunch of good system restore points, see if you can use the one before the virus hit:

Restore point made on: 2013-04-30 04:15:58
Restore point made on: 2013-04-30 20:00:06
Restore point made on: 2013-05-01 20:00:16
Restore point made on: 2013-05-02 20:00:15
Restore point made on: 2013-05-03 12:37:58
Restore point made on: 2013-05-04 20:00:11
Restore point made on: 2013-05-05 20:00:04
Restore point made on: 2013-05-06 20:00:14
Restore point made on: 2013-05-07 20:00:13
Restore point made on: 2013-05-08 20:00:14
Restore point made on: 2013-05-09 11:20:51
Restore point made on: 2013-05-09 11:35:39
Restore point made on: 2013-05-10 20:00:13

Step 1: Use F8 to Boot to SafeMode With Command Prompt

Step 2: Type the word "explorer" in black screen

Step 3: Then Navigate to:

Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter (double click rstrui.exe)

Step 4: Restore Computer to Date you know you were virus free

Step 5: Run Malwarebytes

Let me know, MrC

DPANN · May 11, 2013

Started over in notepad & saw drive letter changed from E to D so here is the latest FRST scan results Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-05-2013 01

Ran by SYSTEM on 11-05-2013 14:18:55

Running from D:\