File Recovery Virus Problem

I have been infected with the File Recovery Virus and it has locked me out of Internet Explorer as well as taken control of my desktop screen/programs. I have found a recent article with removal guidelines for this virus but wanted to go through this channel first, since I am unfamiliar with the individual who wrote the “removal guide” for this virus. The following link is what I found… http://pcinfected.com/file-recovery-removal-guide/.

I would appreciate any help or suggestions. Thank you.

Follow this guide: http://forum.avast.com/index.php?topic=53253.0

Attach all logs here…

Use RogueKiller as the first programme and do not empty any temporary files yet.

All of my desktop icons/system tray are missing from the system. The only folders that appear on the desktop are Recycle Bin and the folder for this “File Recovery” virus. I have booted up in safe mode with networking but can’t figure out how to access the internet to be able to download your fixes. Any way to access the internet on this system?

From the blank desktop press the Windows key + R.
This should open a Run dialogue.
Type in Iexplorer.exe
And IE should open.

Tried it and it says that Windows can’t find iexplorer.exe.

Still could not access iexplorer, but was able to access the internet by listing program files and choosing AOL to gain internet access.

Proceeding with prior instructions now.

RogueKiller logs attached.

OTL logs attached. MBAM pasted below. I downloaded aswMBR twice but the file would not run.

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.02.03

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
PL :: HARKINS-PC [administrator]

9/2/2012 8:05:09 AM
mbam-log-2012-09-02 (08-05-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202159
Time elapsed: 8 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 28
HKCR\CLSID{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\funmoods.funmoodsHlpr.1 (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\funmoods.funmoodsHlpr (PUP.Funmoods) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.Funmoods) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\CLSID{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\TypeLib{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\esrv.funmoodsESrvc.1 (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\esrv.funmoodsESrvc (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\CLSID{965B9DBE-B104-44AC-950A-8A5F97AFF439} (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\escort.escortIEPane.1 (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\escort.escortIEPane (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\CLSID{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\TypeLib{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\funmoods.dskBnd.1 (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\funmoods.dskBnd (PUP.Funmoods) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\CLSID{A9DB719C-7156-415E-B49D-BAD039DE4F13} (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\TypeLib{D7EE8177-D51E-4F89-92B6-83EA2EC40800} (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\funmoodsApp.appCore.1 (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\funmoodsApp.appCore (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\CLSID{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\f (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\Typelib{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Funmoods) → Quarantined and deleted successfully.
HKCR\Interface{0D80F1C5-D17B-4177-AC68-955F3EF9F191} (PUP.Funmoods) → Quarantined and deleted successfully.
HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\funmoods (PUP.Funmoods) → Quarantined and deleted successfully.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) → Data: Funmoods Toolbar → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) → Data: → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Program Files\Funmoods\1.5.23.22 (PUP.Funmoods) → Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\bh (PUP.Funmoods) → Quarantined and deleted successfully.

Files Detected: 14
C:\Program Files\Funmoods\1.5.23.22\bh\escort.dll (PUP.Funmoods) → Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\funmoodssrv.exe (PUP.Funmoods) → Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\escorTlbr.dll (PUP.Funmoods) → Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\escortApp.dll (PUP.Funmoods) → Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\escortEng.dll (PUP.Funmoods) → Quarantined and deleted successfully.
C:\ProgramData\ACqX9RnkWbItFO.exe (Trojan.Killav) → Quarantined and deleted successfully.
C:\ProgramData\KbTTesIdWitxJO.exe (Trojan.Killav) → Quarantined and deleted successfully.
C:\Users\PL\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) → Quarantined and deleted successfully.
C:\Users\PL\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) → Quarantined and deleted successfully.
C:\Users\PL\AppData\Local\funmoods.crx (PUP.Funmoods) → Quarantined and deleted successfully.
C:\Users\PL\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) → Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\escortShld.dll (PUP.Funmoods) → Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\FavIcon.ico (PUP.Funmoods) → Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\uninstall.exe (PUP.Funmoods) → Quarantined and deleted successfully.

(end)
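Reading a scan log like the one pasted above by hand gets tedious once it runs to dozens of entries. The following is an added Python example, not code from the thread or from Malwarebytes: it parses the MBAM log layout into sections, checks that the count each section header announces matches the entries actually listed, and separates the PUP (adware) entries from anything else, so the Trojan.Killav hits stand out for closer attention. The sample log is a constructed subset of the lines above, with the section counts adjusted to match the subset.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the MBAM log quoted in this thread,
# including the filler MBAM prints for an empty section and the "(end)" marker.
SAMPLE_LOG = r"""
Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCR\funmoods.funmoodsHlpr.1 (PUP.Funmoods) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\funmoods (PUP.Funmoods) → Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) → Data: Funmoods Toolbar → Quarantined and deleted successfully.

Files Detected: 3
C:\Program Files\Funmoods\1.5.23.22\funmoodssrv.exe (PUP.Funmoods) → Quarantined and deleted successfully.
C:\ProgramData\ACqX9RnkWbItFO.exe (Trojan.Killav) → Quarantined and deleted successfully.
C:\ProgramData\KbTTesIdWitxJO.exe (Trojan.Killav) → Quarantined and deleted successfully.

(end)
"""

# "<Section> Detected: <n>" opens a section; each entry below it reads
# "<object> (<threat>) → [Data: <data> → ]<action>."
SECTION_RE = re.compile(r"^(?P<section>.+?) Detected: (?P<count>\d+)$")
ENTRY_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) → (?:Data: (?P<data>.*?) → )?(?P<action>.+?)\.?$"
)


def parse_mbam_log(text):
    """Return {section: [entry dicts]}; raise if a header count and its entries disagree."""
    sections, declared, current = defaultdict(list), {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("("):  # blank, "(No malicious items detected)", "(end)"
            continue
        if m := SECTION_RE.match(line):
            current = m.group("section")
            declared[current] = int(m.group("count"))
        elif (m := ENTRY_RE.match(line)) and current:
            sections[current].append({k: m.group(k) for k in ("obj", "threat", "data", "action")})
    for sec, n in declared.items():  # MBAM prints the count itself; a mismatch means a mangled paste
        if len(sections.get(sec, [])) != n:
            raise ValueError(f"{sec}: header says {n}, parsed {len(sections.get(sec, []))}")
    return dict(sections)


def triage(sections):
    """Count detections per threat family and list every entry that is not a PUP."""
    by_family, non_pup = Counter(), []
    for sec, entries in sections.items():
        for e in entries:
            by_family[e["threat"]] += 1
            if not e["threat"].startswith("PUP."):
                non_pup.append((sec, e["obj"]))
    return by_family, non_pup
```

Running `triage(parse_mbam_log(SAMPLE_LOG))` on the sample gives five PUP.Funmoods entries, two Trojan.Killav entries, and the two ProgramData executables as the non-PUP list.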

OK, you should have the desktop and icons back now. While I look at the logs:

RogueKiller is showing a bad partition which we will need to kill next.

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD for Gparted from the ISO image.

You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.

You should be here… Press ENTER

https://dl.dropbox.com/u/73555776/Gpart-Start.GIF

By default, “do not touch keymap” is highlighted.

https://dl.dropbox.com/u/73555776/Gpart-keyselect.GIF

Leave this setting alone and just press ENTER.

https://dl.dropbox.com/u/73555776/Gpart-continue.GIF

Choose your language and press ENTER. English is the default [33].

At the mode prompt enter 0, then press ENTER.

You will now be taken to the main GUI screen below.

https://dl.dropbox.com/u/73555776/Gpart-partitions.GIF

According to your logs, the partition that you want to delete is <1 MB.

Right-click this partition and select Delete.

https://dl.dropbox.com/u/73555776/GPart-delete.GIF

The partition has gone.

Now select Apply.

Now you should be here:

https://dl.dropbox.com/u/73555776/Areyousure.GIF

Select Apply after double-checking that the right partition was deleted.

Is “boot” next to your OS drive?
If “boot” is not next to your OS drive under “Flags”, right-click the OS drive while in Gparted and select Manage Flags.

https://dl.dropbox.com/u/73555776/GPart-flags.GIF

In the menu that pops up, place a checkmark in boot like the picture below, then close:

https://dl.dropbox.com/u/73555776/GPart-bootflag.GIF

Under File select Quit.

https://dl.dropbox.com/u/73555776/Gpart-quit.GIF

You will see this small popup.

https://dl.dropbox.com/u/73555776/Gpart-reboot.GIF

Choose reboot and then press OK.

I have gone through the process booting from the CD and got down to Exit after managing files… the next box, where you choose to reboot, does not appear and the computer is locked up at the main VMware Player screen.

Not sure what to do?

Could you click Exit… If you achieved the close part after managing flags, then that part should now be complete.

Otherwise reboot the computer.

Then in normal Windows try aswMBR.

I clicked Quit under the Gparted tab just as the diagram showed and then the next box that was supposed to come up for Exit/Reboot never appeared and the system froze at the main window. I have removed the bootable CD and tried a reboot but I am getting an error message that BOOTMGR is missing and to restart, but it keeps going back to this point.

OK, reboot from the Gparted disc.

Then follow the steps as before:

From the manage flags portion.

I tried again… same as in Reply #12. The Exit/Reboot window is not coming up and the system is frozen at the main Gparted screen.

Download the following three programmes to your desktop:

  1. WiNToBootic
  2. Windows Vista RC
  3. Farbar Recovery Scan Tool

Extract Wintoboot to your desktop.
Insert a USB drive of at least 1GB.
Run Wintoboot.

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows Vista ISO onto the programme in the space indicated.
Tick the Format box and accept the warnings.
Press Do It.

You will see it progressing.

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

It will let you know when it is done.
Then copy FRST to the same USB.

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that, follow the instructions Here.

When you reboot you will see this.
Click repair my computer.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command Prompt.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following:

notepad and press Enter.
Notepad opens. Under the File menu select Open.
Select “Computer”, find your flash drive letter, and close Notepad.
In the command window type e:\frst64.exe and press Enter.
Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

OK, I guess I am a little confused. The system won’t boot up, so therefore I can’t get to the point where I can download the prior steps. What do I do to get the system to boot up so I can do this?

If you do not have access to another computer, then reboot the computer.
Immediately press and hold F8.
Is there the option repair my computer? If so, select Startup Repair.

Are you able to access another computer to create the USB?

Yes I am using another computer…my apologies…I thought that I needed to download the items to the infected system.

No problem, I have been there before ;D

The programmes you are going to run will install the recovery console onto your computer, and that is something everyone should have.