http://disorderstatus.ru/order.php & http://differentia.ru/diff.php

[REDACTED]

Info:
- The virus came from an infected USB (not currently connected).

[jefferson sant]

Hello

I will notify a malware removal specialist who is available (online)
I hope you're here to help.

[dbrisendine]

FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

Pandora Service
µTorrent

To do so, left clicking on the name once and then click Uninstall/Change at the bar above the list window. 

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


SECOND >>>>

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

Also, how is your system running now?

(Note: uTorrent is installed improperly; that is why it need to be removed for now.)

[REDACTED]

uTorrent uninstalled normally, I guess. I removed the settings as well.

The Pandora Service uninstaller informed me that some "...elements could not be removed. These can be removed manually."

Should I proceed with Step 2?

[dbrisendine]

Yes; proceed with the next step.  There are commands in it to handle the errors of the first step but it is always best to do the standard uninstall first.  You did fine so far.

[REDACTED]

My computer now runs seemingly fine...

Certain files can still be seen on my MBAM Quarantine.

Is it safe to reinstall uTorrent?

[dbrisendine]

You can have MBAM delete what it has in Quarantine by going to MBAM > History > Quarantine and selecting Delete All.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
If you must have uTorrent at least make sure you download it from here (http://www.utorrent.com/).  You can install it but please don't run it until we clean off our tools and you are cleared to go on.

[REDACTED]

Done.

When I used the previous "Fixlist", a window telling me that the Windows I use is genuine used to pop-up everytime I start using my computer.

Now, I get this...

"Windows 7
Build 7600
This copy of Windows is not genuine"

...at the bottom right of my Desktop.

[dbrisendine]

There are two possibilities here - one should be a quick fix, while the other may take some time.
 
1) go to www.microsoft.com/genuine/validate  - what happens? If validation passes, you'll be offered MSE and IE9. If it fails, it'll be obvious :)
 
2) Your Licensing Store may be corrupt.....
Recreate the Licensing Store
    1) Click Start button.
    2) Type: CMD.exe into the 'Search programs and files' field
    3) Right-Click on CMD.exe and select Run as Administrator
    4) Type: net stop sppsvc   (It may ask you if you are sure, select yes)  Note: the Software Protection service may not be running, this is ok.
    5) Type: cd %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
    6) Type: rename tokens.dat tokens.bar
    7) Type: cd %windir%\system32
    8) Type: net start sppsvc
    9) Type: slui.exe
    10) After a couple of seconds Windows Activation dialog will appear. You may be asked to re-activate and/or re-enter your product key or Activation may occur automatically.  Let me know what happens and we will continue on from there.

[REDACTED]

Unfortunately, neither did it ask me for the Product Key nor the Activation Key or maybe it's just me...you can look at the attachment.

Also, do you suggest that the virus has been completely removed at this point?

[dbrisendine]

Close; one more scan and we will know ....



AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

• Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  You will see the following console:
  
  
• Click the Scan button and wait for the scan to finish.
• After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.
• Click the Clean button.
• Everything checked will be deleted.
• When the program has finished cleaning a report appears.
• Once done it will ask to reboot, allow this

• On reboot a log will be produced; please attach that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt
  
  Optional:
  
  NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

[REDACTED]

This is actually my second scan; I had to do it again because I probably forgot to run as Admin.
I don't think anything appeared after either scan was finished.

[dbrisendine]

How is your system running now?

IF everything is fine then we need to clean our tools off your system and get you on your way ...  (If there are still problems, come back and tell me what they are.  Thanks.)


Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.

• Download Delfix from here to your desktop and double click it to start the program
  
• Ensure Remove disinfection tools is ticked
  Also tick:
  
• Activate UAC
• Create registry backup
• Purge system restore
• Reset system settings

• Click Run
  
• The program will run for a few moments and then notepad will open with a log. Please attach the log in your next reply.
  

You can delete any log files left on your desktop as these are no longer needed.

[REDACTED]

This computer runs fine.

The "This copy of Windows is not genuine" problem still persists...

Besides that, any additional things I need to know?

[dbrisendine]

No, your system should be fine; at least the current malware problem was fixed.

Can you handle the Windows Genuine error?