72 hours to pay - Locked out!

[Bmatheny]

Hello all,

 

I was working on my laptop today when it, all the sudden, froze up, took a picture of me and then showed me a screen saying I was in violation of numerous laws and had 72 hours to pay $300 using a greendot prepaid credit card.  I assume this happened from searching the internet and clicking on bogus links.  I did have one issue with numerous popups today, but I was trying to close them as fast as I could.

 

Anyway, I've spent quite a bit of time reading on this forum and trying to make sure I get the right instructions to clean my laptop?  When I restart my laptop, it goes to the same screen.  A grey/white screen reporting NSA or some other logo saying I'm in violation of some laws and demanding $300 within 72 hours".  I can't access anything windows.  This screen is blocknig all of my activity (but I can hear skype running in the background).  I've also tried SAFE MODE...  It simply reboots into normal windows mode and I'm locked again.

 

Thus, I was hoping there was a command line function that would allow me to scan my laptop from DOS?  I see other instructions for Cryptolock cleaning, but wanted to make sure I don't follow the wrong instructions.  Can someone please assist when they have the time?

 

Thank you in advance..

 

 

[MrCharlie]

Welcome to the forum, here's how we deal with that malware:

• Please download Farbar Recovery Scan Tool and save it to a flash drive.

  Please make sure you click download buttons that look like this, not "sponsored ad links":

  

  Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  Plug the flash drive into the infected PC.

• If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

  If you are using Vista or Windows 7 enter System Recovery Options.

  To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
  Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

  To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

  To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
• On the System Recovery Options menu you will get the following options:

  • • Startup Repair

      System Restore

      Windows Complete PC Restore

      Windows Memory Diagnostic Tool

      Command Prompt

      Select Command Prompt

      Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC

[VinnyCrew]

I have run the frst64 and now I have the frst.txt  saved in the same place as my frst64 file.  I have copied the txt. NOW WHAT? When I go to fix I'm being told that the frst.txt.cannot be found? It tells me that it should be in the same pot the original frst64 file is and it is in there.

[MrCharlie]

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC

[VinnyCrew]

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 31-10-2013

Ran by SYSTEM on MININT-IDSH8NJ on 07-11-2013 17:12:37

Running from I:\

Windows 7 Home Premium (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

 

The current controlset is ControlSet001

ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)

HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

HKLM-x32\...\Runonce: [AvgUninstallURL] - cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA"&"inst=NwA3AC0AMgAwADIANwA5ADUANwA5ADEALQBGAFAAOQArADYALQBCAEEAUgA5AEcAKwAxAC0AVABCADkAKwAyAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsANQAtAEYAOQBNADEAMABCACsAMgAtAFgATwA5ACsAMQAtAEYAOQBNADIAKwAxAC0ARABEAFQAKwA0ADAAOQA1ADMALQBEAEQAOQAwAEYAKwAxAC0AUwBUADkAMABGAEEAUABQACsAMQAtAEYAOQAwAE0AMQAyAEEATgArADEALQBGADkAMABNADEAMgBBACsAMQAtAEYAOQAwAE0AMQAyAEEAQgArADEALQBVADkANQArADEALQBGADkAMABNADEAMgBBAFQAQgBOACsAMQAtAFQAQgBWAFUAUABHACsAMQAyAC0ARgA5ADAATQAxADIARgBUACsAMQAtAFQAQgBOACsAMQA"&"prod=90"&"ver=9.0.894 [x]

HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421160 2011-01-25] (Apple Inc.)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\reader_sl.exe [35736 2011-01-30] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-11-10] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [AVG_TRAY] - C:\Program Files (x86)\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)

HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG Secure Search\vprot.exe [2236080 2013-06-26] ()

HKLM-x32\...\Run: [instaLAN] - C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe [1885088 2012-02-23] (Affinegy, Inc.)

HKU\Ben\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-11-20] (Google Inc.)

HKU\Ben\...\Winlogon: [shell] explorer.exe,C:\Users\Ben\AppData\Roaming\cache.dat [80896 2013-11-05] () <==== ATTENTION 

HKU\Default\...\RunOnce: [scrSav] - C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe [162336 2009-07-21] ()

HKU\Default User\...\RunOnce: [scrSav] - C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe [162336 2009-07-21] ()

Startup: C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart

 

==================== Services (Whitelisted) =================

 

S2 AffinegyService; C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe [563104 2012-02-23] (Affinegy, Inc.)

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [5174392 2012-11-02] (AVG Technologies CZ, s.r.o.)

S2 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)

S2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [625184 2009-04-19] ()

S3 GameConsoleService; C:\Program Files (x86)\eMachines Games\eMachines Game Console\GameConsoleService.exe [250616 2009-05-22] (WildTangent, Inc.)

S2 Greg_Service; C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [1150496 2009-08-28] (Acer Incorporated)

S2 Norton Internet Security; C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [117640 2009-11-20] (Symantec Corporation)

S2 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [207904 2009-04-19] ()

S2 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [240160 2009-07-03] (Acer)

S2 vToolbarUpdater15.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe [1598128 2013-06-26] (AVG Secure Search)

 

==================== Drivers (Whitelisted) ====================

 

S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [127328 2012-12-10] (AVG Technologies CZ, s.r.o. )

S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )

S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )

S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [307040 2012-11-08] (AVG Technologies CZ, s.r.o.)

S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)

S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)

S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [384800 2013-04-11] (AVG Technologies CZ, s.r.o.)

S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-06-26] (AVG Technologies)

S1 BHDrvx64; C:\Windows\System32\Drivers\NISx64\1008000.029\BHDrvx64.sys [334384 2010-01-20] (Symantec Corporation)

S1 ccHP; C:\Windows\System32\Drivers\NISx64\1008000.029\ccHPx64.sys [583296 2010-11-10] (Symantec Corporation)

S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [475696 2010-11-09] (Symantec Corporation)

S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20101109.001\IDSvia64.sys [476720 2010-10-19] (Symantec Corporation)

S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1008000.029\SRTSP64.SYS [476720 2009-11-20] (Symantec Corporation)

S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1008000.029\SRTSPX64.SYS [32304 2009-11-20] (Symantec Corporation)

S0 SymEFA; C:\Windows\System32\drivers\NISx64\1008000.029\SYMEFA64.SYS [402992 2009-11-20] (Symantec Corporation)

S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [172592 2010-11-09] (Symantec Corporation)

S3 SYMFW; C:\Windows\System32\Drivers\NISx64\1008000.029\SYMFW.SYS [120880 2009-11-20] (Symantec Corporation)

S1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [31280 2009-11-20] (Symantec Corporation)

S3 SYMNDISV; C:\Windows\System32\Drivers\NISx64\1008000.029\SYMNDISV.SYS [56880 2009-11-20] (Symantec Corporation)

S1 SYMTDI; C:\Windows\System32\Drivers\NISx64\1008000.029\SYMTDI.SYS [278576 2009-11-20] (Symantec Corporation)

S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20101110.039\ENG64.SYS [x]

S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20101110.039\EX64.SYS [x]

S3 sxuptp; system32\DRIVERS\sxuptp.sys [x]

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2013-11-05 21:08 - 2013-11-07 17:10 - 00000000 ____D C:\FRST

2013-11-05 18:56 - 2013-11-05 09:57 - 00080896 ____R C:\Users\Ben\AppData\Roaming\cache.dat

2013-11-05 14:58 - 2013-11-05 14:58 - 00003352 ____N C:\bootsqm.dat

2013-11-05 14:57 - 2013-11-05 14:57 - 00000000 __SHD C:\found.000

2013-11-05 09:58 - 2013-11-06 18:52 - 00000004 _____ C:\Users\Ben\AppData\Roaming\cache.ini

2013-10-27 09:25 - 2013-10-27 09:25 - 00000000 ____D C:\Users\Ben\AppData\Roaming\TuneUp Software

2013-10-26 16:13 - 2013-10-26 16:13 - 00000000 ____D C:\Windows\System32\Macromed

 

==================== One Month Modified Files and Folders =======

 

2013-11-07 17:10 - 2013-11-05 21:08 - 00000000 ____D C:\FRST

2013-11-06 18:52 - 2013-11-05 09:58 - 00000004 _____ C:\Users\Ben\AppData\Roaming\cache.ini

2013-11-06 18:52 - 2013-06-07 10:55 - 00000350 _____ C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job

2013-11-06 18:52 - 2013-06-03 18:51 - 00000350 _____ C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job

2013-11-06 18:52 - 2010-04-20 15:13 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-11-06 18:52 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2013-11-06 18:52 - 2009-07-13 20:51 - 00074725 _____ C:\Windows\setupact.log

2013-11-06 17:55 - 2010-03-18 03:41 - 01869499 _____ C:\Windows\WindowsUpdate.log

2013-11-06 17:25 - 2010-04-20 15:13 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-11-06 17:21 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-11-06 17:21 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-11-06 17:20 - 2009-07-13 21:13 - 00726444 _____ C:\Windows\System32\PerfStringBackup.INI

2013-11-05 21:28 - 2013-02-19 09:36 - 00000000 ____D C:\Program Files (x86)\GUME149.tmp

2013-11-05 21:28 - 2012-02-13 16:34 - 00000000 ____D C:\c3e31db91a00c3a43c073240

2013-11-05 21:28 - 2012-01-16 12:24 - 00000000 ____D C:\Users\Ben\AppData\Roaming\AVG2012

2013-11-05 21:28 - 2012-01-16 12:19 - 00000000 ____D C:\ProgramData\AVG Secure Search

2013-11-05 21:28 - 2012-01-16 12:19 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search

2013-11-05 21:28 - 2012-01-16 12:17 - 00000000 ____D C:\ProgramData\AVG2012

2013-11-05 21:28 - 2012-01-16 12:12 - 00000000 ____D C:\ProgramData\MFAData

2013-11-05 21:28 - 2011-11-18 18:43 - 00000000 ____D C:\f0016d68ebbfd85ce6

2013-11-05 21:28 - 2011-08-23 10:39 - 00000000 ____D C:\Program Files (x86)\FrostWire 5

2013-11-05 21:28 - 2010-11-10 13:14 - 00000000 ____D C:\Windows\Minidump

2013-11-05 21:28 - 2010-10-12 12:04 - 00000000 ____D C:\Program Files (x86)\Ask.com

2013-11-05 21:28 - 2010-04-20 18:29 - 00000000 ____D C:\Program Files (x86)\Full Tilt Poker

2013-11-05 21:28 - 2010-04-20 14:53 - 00000000 ____D C:\users\Ben

2013-11-05 21:28 - 2009-11-20 12:34 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight

2013-11-05 21:28 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal

2013-11-05 21:28 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar

2013-11-05 21:28 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Portable Devices

2013-11-05 21:28 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer

2013-11-05 21:28 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\DVD Maker

2013-11-05 21:28 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices

2013-11-05 21:28 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer

2013-11-05 21:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing

2013-11-05 21:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions

2013-11-05 21:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\L2Schemas

2013-11-05 21:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat

2013-11-05 21:28 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System

2013-11-05 21:27 - 2012-07-02 15:38 - 00000000 ____D C:\Windows\System32\SPReview

2013-11-05 21:27 - 2012-07-02 15:37 - 00000000 ____D C:\Windows\System32\EventProviders

2013-11-05 21:27 - 2012-01-16 12:17 - 00000000 ____D C:\Windows\System32\Drivers\AVG

2013-11-05 21:27 - 2010-04-21 12:51 - 00000000 ____D C:\Windows\SysWOW64\Drivers\avg

2013-11-05 21:27 - 2009-11-20 12:46 - 00000000 ____D C:\Windows\SysWOW64\Macromed

2013-11-05 21:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\sppui

2013-11-05 21:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Setup

2013-11-05 21:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\oobe

2013-11-05 21:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz

2013-11-05 21:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\manifeststore

2013-11-05 21:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Dism

2013-11-05 21:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers

2013-11-05 21:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sppui

2013-11-05 21:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Setup

2013-11-05 21:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\oobe

2013-11-05 21:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2013-11-05 21:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\migwiz

2013-11-05 21:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\manifeststore

2013-11-05 21:27 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Dism

2013-11-05 21:25 - 2010-08-01 19:50 - 00000000 ____D C:\Windows\{113016FE-E013-4FAF-85FB-8649DEED76B2}

2013-11-05 14:58 - 2013-11-05 14:58 - 00003352 ____N C:\bootsqm.dat

2013-11-05 14:57 - 2013-11-05 14:57 - 00000000 __SHD C:\found.000

2013-11-05 09:57 - 2013-11-05 18:56 - 00080896 ____R C:\Users\Ben\AppData\Roaming\cache.dat

2013-11-03 16:39 - 2010-09-26 14:27 - 00000000 ____D C:\Users\Ben\Documents\ACID Xpress 7.0 Projects

2013-11-03 12:06 - 2009-11-20 12:15 - 00029442 _____ C:\Windows\PFRO.log

2013-11-03 11:20 - 2010-04-20 15:13 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA

2013-11-03 11:20 - 2010-04-20 15:13 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

2013-11-01 17:51 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-11-01 17:49 - 2010-12-06 08:58 - 00000000 ____D C:\Program Files (x86)\Belkin

2013-10-27 09:25 - 2013-10-27 09:25 - 00000000 ____D C:\Users\Ben\AppData\Roaming\TuneUp Software

2013-10-26 16:13 - 2013-10-26 16:13 - 00000000 ____D C:\Windows\System32\Macromed

2013-10-26 11:57 - 2013-08-26 07:42 - 00000000 ____D C:\Users\Ben\Documents\BEN RAPS!!

2013-10-21 08:54 - 2010-04-20 15:02 - 00000000 ____D C:\Users\Ben\AppData\Local\Google

2013-10-20 08:37 - 2012-01-16 12:39 - 00000000 ____D C:\Users\Ben\Documents\LOOPERMAN 1-16-12 and newer

2013-10-17 09:12 - 2010-12-12 14:39 - 00000000 ____D C:\Users\Ben\Documents\Looperman

2013-10-15 07:42 - 2012-08-31 21:36 - 00000000 ____D C:\Users\Ben\Documents\Youtube to Mp3 conversions

 

Files to move or delete:

====================

C:\Users\Ben\AppData\Roaming\cache.dat

C:\Users\Ben\AppData\Roaming\cache.ini

ZeroAccess:

C:\Users\Ben\AppData\Local\Google\Desktop\Install

C:\ProgramData\4489882.pad

C:\ProgramData\dsgsdgdsgdsgw.pad

 

 

Some content of TEMP:

====================

C:\Users\Ben\AppData\Local\Temp\aacdec.exe

C:\Users\Ben\AppData\Local\Temp\AskSLib.dll

C:\Users\Ben\AppData\Local\Temp\avguidx.dll

C:\Users\Ben\AppData\Local\Temp\CommonInstaller.exe

C:\Users\Ben\AppData\Local\Temp\contentDATs.exe

C:\Users\Ben\AppData\Local\Temp\Couninst.exe

C:\Users\Ben\AppData\Local\Temp\iGearedHelper.dll

C:\Users\Ben\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe

C:\Users\Ben\AppData\Local\Temp\MachineIdCreator.exe

C:\Users\Ben\AppData\Local\Temp\mp3el.exe

C:\Users\Ben\AppData\Local\Temp\SearchWithGoogleUpdate.exe

C:\Users\Ben\AppData\Local\Temp\SecurityScan_Release.exe

C:\Users\Ben\AppData\Local\Temp\soxdec.exe

C:\Users\Ben\AppData\Local\Temp\ToolbarInstaller.exe

C:\Users\Ben\AppData\Local\Temp\uninst.exe

C:\Users\Ben\AppData\Local\Temp\wpsetup.exe

C:\Users\Ben\AppData\Local\Temp\zulusetup.exe

C:\Users\Ben\AppData\Local\Temp\{C0B24C8C-1355-4242-A8BA-63B92217E680}-GoogleUpdateSetup.exe

 

 

==================== Known DLLs (Whitelisted) ================

 

 

==================== Bamital & volsnap Check =================

 

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

 

==================== EXE ASSOCIATION =====================

 

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

 

==================== Restore Points  =========================

 

8

Restore point made on: 2013-07-11 10:25:52

Restore point made on: 2013-07-24 08:11:01

Restore point made on: 2013-08-07 10:01:25

Restore point made on: 2013-10-06 20:46:57

Restore point made on: 2013-10-26 18:32:26

Restore point made on: 2013-10-30 13:01:32

Restore point made on: 2013-11-01 16:35:38

Restore point made on: 2013-11-02 14:06:23

 

==================== Memory info =========================== 

 

Percentage of memory in use: 34%

Total physical RAM: 1790.49 MB

Available physical RAM: 1169.25 MB

Total Pagefile: 1790.49 MB

Available Pagefile: 1192.48 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

 

==================== Drives ================================

 

Drive c: (eMachines) (Fixed) (Total:285.99 GB) (Free:182.59 GB) NTFS

Drive e: (PQSERVICE) (Fixed) (Total:12 GB) (Free:2.92 GB) NTFS

Drive i: (LEXAR) (Removable) (Total:0.47 GB) (Free:0.47 GB) FAT

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from reading drive)]

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (Size: 298 GB) (Disk ID: 60CC7B61)

Partition 1: (Not Active) - (Size=12 GB) - (Type=27)

Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=286 GB) - (Type=07 NTFS)

 

========================================================

Disk: 3 (MBR Code: Windows XP) (Size: 484 MB) (Disk ID: C3072E18)

Partition 1: (Not Active) - (Size=483 MB) - (Type=06)

 

 

LastRegBack: 2013-06-03 22:28

 

==================== End Of Log ============================

[MrCharlie]

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if the computer boots normally now and if so..........run MBAR

If not...rescan with FRST and post the new log

Download Malwarebytes Anti-Rootkit from HERE

• Unzip the contents to a folder in a convenient location.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
• Wait while the system shuts down and the cleanup process is performed.
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
• When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

[VinnyCrew]

WOW that is so AWESOME!!!!  THANKS MR.C I WILL REPAY YOU IN A DONATION. JUST GIVE ME A LITTLE BIT TO COME UP WITH SOME EXTRA CHING. I DONT KNOW WHAT I WOULD HAVE DONE IF I DIDN'T FIND YOU. 

                                                                                    THANKYOU AGAIN

                                                                                         VINNYCREW

                                                                                         (so thankful)

[MrCharlie]

OK......

Take a look at My Preventive Maintenance to avoid being infected again. (also HERE)

Good Luck and Thanks for using the forum, MrC

[Maurice Naggar]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.