Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Virus dealing with requesting money

Unread postby palii » October 15th, 2013, 1:37 am

hello,
I am sending this on another computer I have in my home.
My daughter got a message on her screen stating that it had visited a "Pron" site and if she paid $750 dollars they would not call the police. The computer is locked and she can not do anything on it. Can not run programs, get on the internet...it seems to be frozen.

She has a Dell laptop, but I can not get into the settings or any programs to tell all the specs.

Can you help me with this problem,...

thanks
palii
Regular Member
 
Posts: 37
Joined: October 15th, 2013, 1:31 am

Re: Virus dealing with requesting money

Unread postby Gary R » October 15th, 2013, 3:29 am

Do you know which operating system she is using ? (XP, Vista, Windows 7 or Windows 8)
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Virus dealing with requesting money

Unread postby palii » October 15th, 2013, 10:24 am

I believe it is windows 7. I know it is not windows 8.

Re: Virus dealing with requesting money

Unread postby Gary R » October 15th, 2013, 1:12 pm

OK, let's see if we can find out a bit of information about what's causing the problems with your daughter's computer.

To do this I'm going to need you to run a scan from Recovery Environment, which is a special boot environment that is built into Windows, you'll also need to have access to a USB (key) type drive which you can download tools onto using another computer.

I don't know which version of Windows 7 you have, it could be either 32 bit or 64 bit, so I've included instructions for scanning both types, it's most probable that you've got the 64 bit version since that's the one that most manufacturers chose to install, so I'd try that first. If it works then post me the log, if not try the 32 bit option and post me the log from that instead.

  • Download FRST to a USB flash drive.
  • Download FRST64 to a USB flash drive.
  • Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

Image

  • Select the Command Prompt option.
  • A command window will open.
    • Type notepad then hit Enter.
    • Notepad will open.
      • Click File > Open then select Computer.
      • Note down the drive letter for your USB Drive.
      • Close Notepad.
  • Back in the command window ....
    • (if you're using the 32 bit version) Type e:/frst.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • (if you're using the 64 bit version) Type e:/frst64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • FRST will start to run.
      • When the tool opens click Yes to disclaimer.
      • Press Scan button.
      • When finished scanning it will make a log FRST.txt on the flash drive.
  • Boot back into normal mode and post me the FRST.txt log please.

If you have any problems following the instructions above please let me know.

Re: Virus dealing with requesting money

Unread postby palii » October 15th, 2013, 2:12 pm

ok.... I will find another computer as I am using a MAC...guess I could use that to get to the other computer.... I will try that. In our home I am an apple true blood ;) but the rest of the family loves their PC's

I will get back to you about this...thanks for your help...

Additional Note...

I was able to download to a usb drive and will proceed to your other instructions. Also, I do not believe she has a 64 bit machine and it is not a Dell, but an HP (sorry about that). Will run over to her house this evening and will post the information you need

Thanks for your help and working with an old guy :D

Re: Virus dealing with requesting money

Unread postby Gary R » October 15th, 2013, 5:02 pm

You're welcome. :)

Re: Virus dealing with requesting money

Unread postby palii » October 15th, 2013, 9:46 pm

Hello,

After a couple of hours of trying to get to the file you need let me explain my process.

I followed your process, however started getting the blue screen of death...so, I followed the computer directions several times and ran chkdsk as it was stating was unable to restart, but I was able to restart and did get a couple of messages some was like "Host process for windows not responding".

By the way, when I started her computer there was a statement saying it was from the FBI and wanted $450.00
The computer is running very, very slow. Unable to use mouse pad on computer for scrolling up and down.

The computer is a 64 bit machine

So, here is the log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by SYSTEM on MININT-NVDVD7F on 15-10-2013 19:23:51
Running from I:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2281256 2012-01-10] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6489704 2011-06-18] (Realtek Semiconductor)
HKLM\...\Run: [RtkOSD] - C:\Program Files (x86)\Realtek\Audio\OSD\RtVOsd64.exe [995840 2010-01-12] (Realtek Semiconductor Corp.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Java\jre6\bin\jusched.exe [172032 2010-05-14] (Sun Microsystems, Inc.)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [Logitech Download Assistant] - C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] - C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe [600936 2009-06-29] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-09-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35760 2011-01-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [WirelessAssistant] - C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [Guffins Browser Plugin Loader] - C:\Program Files (x86)\Guffins\bar\1.bin\u4brmon.exe [30096 2011-10-13] (VER_COMPANY_NAME)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [InboxToolbar] - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe [1705608 2013-03-18] (Inbox.com, Inc.)
HKLM-x32\...\Run: [HP Quick Launch] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [586296 2010-11-09] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKU\Deborah\...\Run: [HPAdvisorDock] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Deborah\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-07-04] (Google Inc.)
HKU\Deborah\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [18642024 2013-02-28] (Skype Technologies S.A.)
HKU\Deborah\...\Winlogon: [Shell] explorer.exe,C:\Users\Deborah\AppData\Roaming\skype.dat [161280 2011-11-16] (HSN Software LLC) <==== ATTENTION
HKU\Default\...\Run: [HPAdvisorDock] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()

==================== Services (Whitelisted) =================

S2 GuffinsService; C:\PROGRA~2\Guffins\bar\1.bin\u4barsvc.exe [42504 2011-10-13] (COMPANYVERS_NAME)
S2 MediaMall Server; C:\Program Files (x86)\MediaMall\MediaMallServer.exe [2062200 2012-03-13] (MediaMall Technologies, Inc.)
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe [126392 2009-08-24] (Symantec Corporation)
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-07-06] ()

==================== Drivers (Whitelisted) ====================

S3 msvad_simple; C:\Windows\System32\drivers\povrtdev.sys [28528 2010-04-29] (MediaMall Technologies, Inc.)
S1 SRTSP; C:\Windows\system32\drivers\NISx64\1100000.088\SRTSP64.SYS [504880 2009-08-29] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1100000.088\SRTSPX64.SYS [32304 2009-08-29] (Symantec Corporation)
S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20090829.019\ENG64.SYS [x]
S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20090829.019\EX64.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-10-15 19:23 - 2013-10-15 19:23 - 00000000 ____D C:\FRST

==================== One Month Modified Files and Folders =======

2013-10-15 19:23 - 2013-10-15 19:23 - 00000000 ____D C:\FRST
2013-10-15 16:17 - 2013-05-30 19:37 - 00000004 _____ C:\Users\Deborah\AppData\Roaming\skype.ini
2013-10-15 16:06 - 2010-12-26 05:57 - 00000000 ____D C:\Users\Deborah\AppData\Roaming\HpUpdate
2013-10-15 16:04 - 2011-07-04 22:19 - 00000000 ____D C:\Users\Deborah\AppData\Roaming\Skype

Alureon:
C:\Users\Deborah\AppData\Local\Temp\stpxixy\sxkkxwy\wow.dll

Alureon:
C:\Users\Deborah\AppData\Local\Temp\stpxixy\sxkkxwy\wow64.dll

Files to move or delete:
====================
C:\Users\Deborah\AppData\Roaming\skype.dat
C:\Users\Deborah\AppData\Roaming\skype.ini
C:\Users\Deborah\0.944271476802374.exe
C:\Users\Deborah\Guffins.exe
C:\Users\Deborah\jagex_runescape_preferences.dat
C:\Users\Deborah\jagex_runescape_preferences2.dat
C:\Users\Deborah\msiexec.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

12
Restore point made on: 2013-03-20 21:58:27
Restore point made on: 2013-03-24 17:50:29
Restore point made on: 2013-03-30 23:25:38
Restore point made on: 2013-04-03 18:28:05
Restore point made on: 2013-04-10 19:00:09
Restore point made on: 2013-04-10 21:35:04
Restore point made on: 2013-04-12 18:05:19
Restore point made on: 2013-04-17 18:27:28
Restore point made on: 2013-04-22 18:13:44
Restore point made on: 2013-04-24 20:47:28
Restore point made on: 2013-04-26 19:23:43
Restore point made on: 2013-05-06 20:22:53

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 3002.92 MB
Available physical RAM: 2349.45 MB
Total Pagefile: 3001.07 MB
Available Pagefile: 2340.34 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:283.49 GB) (Free:196.95 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (RECOVERY) (Fixed) (Total:14.31 GB) (Free:2.36 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
Drive i: (MEMORIX1G) (Removable) (Total:0.96 GB) (Free:0.42 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: () (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (ATTENTION: ===> MBR IS INFECTED. Use FixMbr command in Recovery Mode) (Size: 298 GB) (Disk ID: 7D497DE8)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=283 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=14 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

========================================================
Disk: 2 (Size: 984 MB) (Disk ID: 4D63645D)
Partition 1: (Active) - (Size=984 MB) - (Type=06)


LastRegBack: 2013-04-15 10:43

==================== End Of Log ============================

Re: Virus dealing with requesting money

Unread postby Gary R » October 16th, 2013, 1:41 am

Your logs show signs of a Remote Access Infection on your computer.

Alureon:
C:\Users\Deborah\AppData\Local\Temp\stpxixy\sxkkxwy\wow.dll

Alureon:
C:\Users\Deborah\AppData\Local\Temp\stpxixy\sxkkxwy\wow64.dll

Disk: 0 (ATTENTION: ===> MBR IS INFECTED. Use FixMbr command in Recovery Mode) (Size: 298 GB) (Disk ID: 7D497DE8)


These indicate you are infected with ....

http://www.microsoft.com/security/porta ... %2FAlureon

Please take time to carefully read all THIS topic, then let me know how you want to proceed.

Re: Virus dealing with requesting money

Unread postby palii » October 16th, 2013, 7:08 am

Well......

Interesting as heck..... is there a way to know how she got this???

Her computer came with pre-installed software and she tells me she did not or does not remember making backup or a restore disk as it has been about 2 years she thinks since she got this computer from her kids for a gift.

After reading all your articles, it seems that it would be best to repave as you highly suggest. Can you help me with that process?

I have looked into ordering the disk, and it will take two days for them to arrive here if I order them.

Thanks very much for your help and guidance with this problem....

I wait for your reply and instructions.

Re: Virus dealing with requesting money

Unread postby palii » October 16th, 2013, 7:11 am

Also, how can I gain your knowledge like this? Is there a book you recommend?

Re: Virus dealing with requesting money

Unread postby palii » October 16th, 2013, 10:56 am

Another quick question before we begin.

In reading all the items you assigned me to read :) , I was wondering if maybe this was just a "ransom" virus and if we just removed it from my daughter's computer everything else would be ok?

This is just a question and if you think it is still better to repave the hard drive, then I am with you on that. (Just got to teach her again about what to do and not to do on her computer :? )

Thanks for your help....

Re: Virus dealing with requesting money

Unread postby Gary R » October 16th, 2013, 11:14 am

First of all, if your daughter's machine is an OEM (original equipment manufacturers) machine, by which I mean one made by one of the main manufacturers like Dell, Hewlett-Packard or such, it will almost certainly have a "recovery partition" on the hard drive, so it's usually not necessary to send off for a set of recovery disks.

The recovery option is often found on the list of options in Recovery Environment, which I explained how to get to when you ran FRST.

The option will usually say something like "Return your computer to factory condition" or something along those lines. Just select the option and it will wipe the hard drive and re-install Windows exactly as it was when you first bought the machine.

However, you must be aware that selecting this option will erase everything on the hard drive, including your daughter's personal files and folders.

Because of this, if the files are important to your daughter, then we can try to see if we can recover those files before you reformat. This may or may not be possible, dependent upon whether the infection on her machine has actually encrypted her files, or has merely denied access to them.

If it is the latter, you may be able to access them and take a copy using a Linux distro, I've written an article on how to do this ... HERE


As far as learning about how to remove Malware goes, I learned here at Malware Removals. We run a course on how to become a helper in the Forums, details of which can be found HERE


Sorry, just saw your latest post ...

Although your daughter's machine does indeed have a ransomware infection, it also has Alureon, which is why I posted the warning. Both can probably be removed (it depends on whether the hard drive has truly been encrypted or not), but the process can be a long and involved one, and as I pointed out in the article I wrote on Remote Access Infections, we could never give you a guarantee that we had removed all changes made to the infected machine.

Many malware removal sites will just remove these types of infections, and if that's what you wanted then we can do that too, but here we believe it is important that people are made fully aware of the risks that come with remote access infections, so that you can make an informed decision.

Re: Virus dealing with requesting money

Unread postby palii » October 16th, 2013, 4:09 pm

Thank you very much for your reply.

Can we go ahead and first help me remove the infection from her computer, as she states there are some files she would like to get. If that option is ok with you, then after we do that I will reformat the drive, install windows, do all the updates, get a virus protection for her, and a firewall up and running. Really not sure how she got it, but could it have been using Skype? She does have a daughter about 13 that spends a lot of time on the computer :( so I am not sure where she has gone on the computer.

If you have the time, I would like to remove the virus .... and I understand your point of view if you think it is just better to move on.

Thank you and your group's outstanding and fast service to help people. I would love to be involved, but I am an apple mac user and have stepped away from the PC world for a couple of years.

So, do we go ahead and remove the virus? I am willing to spend the time to try...

Thanks

Re: Virus dealing with requesting money

Unread postby Gary R » October 16th, 2013, 5:18 pm

OK, our first step is to see if we can get the computer to a stage where we can boot it into Normal Mode, so first I want you to do this ....

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad.
Code:
HKLM-x32\...\Run: [Guffins Browser Plugin Loader] - C:\Program Files (x86)\Guffins\bar\1.bin\u4brmon.exe [30096 2011-10-13] (VER_COMPANY_NAME)
HKLM-x32\...\Run: [InboxToolbar] - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe [1705608 2013-03-18] (Inbox.com, Inc.)
S2 GuffinsService; C:\PROGRA~2\Guffins\bar\1.bin\u4barsvc.exe [42504 2011-10-13] (COMPANYVERS_NAME)
Alureon:
C:\Users\Deborah\AppData\Local\Temp\stpxixy\sxkkxwy\wow.dll
Alureon:
C:\Users\Deborah\AppData\Local\Temp\stpxixy\sxkkxwy\wow64.dll
C:\Users\Deborah\0.944271476802374.exe
C:\Users\Deborah\Guffins.exe
C:\Users\Deborah\jagex_runescape_preferences.dat
C:\Users\Deborah\jagex_runescape_preferences2.dat
C:\Users\Deborah\msiexec.exe

    • Save it to your USB flashdrive as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

Boot into Recovery Environment

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt on your USB flashdrive.
  • Exit out of Recovery Environment and post me the log please.

Try booting the computer into Normal Mode now.

Please let me know if you're able (or not able) to do this.


There's a whole lot more things that need doing to the machine, but to do them we need to be able to boot the computer normally.

Re: Virus dealing with requesting money

Unread postby palii » October 17th, 2013, 1:23 am

Hello Again...

Here is the list that was produced. When I restarted the computer it took some time, but I think normal for windows and booted in the windows. After a few minutes, I got the "Blue Screen" with a bunch of code looking lines and gave me a screen to go into safe mode or boot normally. I chose boot normally and the system booted into the windows screen again....waited a few minutes and then again the "Blue Screen" of death! If you think this is going on because of the virus, then maybe it is just best to repave....your thoughts?

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2013
Ran by SYSTEM at 2013-10-17 00:07:42 Run:2
Running from I:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
Code: Select all
HKLM-x32\...\Run: [Guffins Browser Plugin Loader] - C:\Program Files (x86)\Guffins\bar\1.bin\u4brmon.exe [30096 2011-10-13] (VER_COMPANY_NAME)
HKLM-x32\...\Run: [InboxToolbar] - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe [1705608 2013-03-18] (Inbox.com, Inc.)
S2 GuffinsService; C:\PROGRA~2\Guffins\bar\1.bin\u4barsvc.exe [42504 2011-10-13] (COMPANYVERS_NAME)
Alureon:
C:\Users\Deborah\AppData\Local\Temp\stpxixy\sxkkxwy\wow.dll
Alureon:
C:\Users\Deborah\AppData\Local\Temp\stpxixy\sxkkxwy\wow64.dll
C:\Users\Deborah\0.944271476802374.exe
C:\Users\Deborah\Guffins.exe
C:\Users\Deborah\jagex_runescape_preferences.dat
C:\Users\Deborah\jagex_runescape_preferences2.dat
C:\Users\Deborah\msiexec.exe
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Guffins Browser Plugin Loader => Value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\InboxToolbar => Value not found.
GuffinsService => Service not found.
"C:\Users\Deborah\AppData\Local\Temp\stpxixy\sxkkxwy\wow.dll" => File/Directory not found.
"C:\Users\Deborah\AppData\Local\Temp\stpxixy\sxkkxwy\wow64.dll" => File/Directory not found.
"C:\Users\Deborah\0.944271476802374.exe" => File/Directory not found.
"C:\Users\Deborah\Guffins.exe" => File/Directory not found.
"C:\Users\Deborah\jagex_runescape_preferences.dat" => File/Directory not found.
"C:\Users\Deborah\jagex_runescape_preferences2.dat" => File/Directory not found.
"C:\Users\Deborah\msiexec.exe" => File/Directory not found.

==== End of Fixlog ====

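The FRST.txt scan log and the fixlog.txt posted in this thread can be read side by side. The following is an added example, not part of the thread and not FRST's own code: it pulls the flagged items out of a scan log and pairs each one with whatever the fix run reported for it. It handles only the line shapes visible in the two logs above; the function names and the "no fixlog entry" label are made up for this sketch.

```python
import re

# Constructed samples: lines copied from the FRST.txt and fixlog.txt in this thread.
SCAN = r"""
HKU\Deborah\...\Winlogon: [Shell] explorer.exe,C:\Users\Deborah\AppData\Roaming\skype.dat [161280 2011-11-16] (HSN Software LLC) <==== ATTENTION
Alureon:
C:\Users\Deborah\AppData\Local\Temp\stpxixy\sxkkxwy\wow.dll
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
Disk: 0 (ATTENTION: ===> MBR IS INFECTED. Use FixMbr command in Recovery Mode) (Size: 298 GB) (Disk ID: 7D497DE8)
"""
FIXLOG = r"""
GuffinsService => Service not found.
"C:\Users\Deborah\AppData\Local\Temp\stpxixy\sxkkxwy\wow.dll" => File/Directory not found.
"C:\Users\Deborah\msiexec.exe" => File/Directory not found.
==== End of Fixlog ====
"""

SHELL_RE = re.compile(r"Winlogon: \[Shell\] (.+?)(?: \[\d+ \d{4}-\d{2}-\d{2}\]|$)")
DISK_RE = re.compile(r"^Disk: (\d+) \(ATTENTION: ===> ([^.]+)\.")
FLAG_RE = re.compile(r"^(.+?) => ATTENTION: ([^.]+)\.")
LABEL_RE = re.compile(r"^(\w+):$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
RESULT_RE = re.compile(r'^"?(.+?)"? => (.+?)\.?$')


def triage(scan_text):
    """Return (kind, detail) tuples for the flagged lines of a scan log."""
    lines = [ln.strip() for ln in scan_text.splitlines() if ln.strip()]
    findings = []
    for i, line in enumerate(lines):
        shell = SHELL_RE.search(line)
        if shell:
            # The stock Shell value is just "explorer.exe"; every other
            # comma-separated entry is an extra program started at logon.
            for prog in shell.group(1).split(","):
                if prog.strip().lower() != "explorer.exe":
                    findings.append(("winlogon-shell", prog.strip()))
            continue
        disk = DISK_RE.match(line)
        if disk:
            findings.append(("mbr", f"Disk {disk.group(1)}: {disk.group(2)}"))
            continue
        flag = FLAG_RE.match(line)
        if flag:
            findings.append((f"flagged:{flag.group(2)}", flag.group(1)))
            continue
        label = LABEL_RE.match(line)
        if label and i + 1 < len(lines) and PATH_RE.match(lines[i + 1]):
            # A bare "Family:" line names the file on the following line.
            findings.append((f"family:{label.group(1)}", lines[i + 1]))
    return findings


def fix_results(fixlog_text):
    """Map each fixlog target (lower-cased, quotes stripped) to its outcome."""
    results = {}
    for line in fixlog_text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results[m.group(1).lower()] = m.group(2)
    return results


def reconcile(scan_text, fixlog_text):
    """Pair every flagged scan item with what the fix run reported for it."""
    results = fix_results(fixlog_text)
    return [(kind, detail, results.get(detail.lower(), "no fixlog entry"))
            for kind, detail in triage(scan_text)]


if __name__ == "__main__":
    for row in reconcile(SCAN, FIXLOG):
        print(" | ".join(row))
```

On the sample lines, only the Alureon DLL appears in both logs, with the outcome "File/Directory not found"; the Winlogon Shell entry, the ZeroAccess-flagged path and the MBR line have no fixlog entry.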