Can you perhaps start in safe mode with networking, log in as the infected user and post an OTL log?
http://oldtimer.geekstogo.com/OTL.exe
A forum for reverse engineering, OS internals and malware analysis
Ramtadryla wrote:
From design it's Urausy/Reveton, targeted at PC users from Romania. To remove it you can do a system restore using Safe Mode with command prompt:
1. Start your computer in Safe Mode with Command Prompt - while your computer is starting, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu shows up, then select Safe mode with command prompt from the list and press ENTER.
2. When command prompt mode loads, enter the following line: cd restore and press ENTER.
3. Next type this line: rstrui.exe and press ENTER.
4. In the opened window click "Next".
5. Select one of the available restore points and click "Next".
6. In the opened window click "Yes".
7. After restoring your computer to a previous date, download Malwarebytes Anti-Malware and run a full system scan.

Dude, thanks... but, no offence, I'm not retarded :)
EP_X0FF wrote:
It was Urausy.C

Yup, EP_X0FF, you are right, just found the "skype.ini" file too and the registry value. Thanks!
Check the %AppData% folder:
skype.dat - this is a copy of the trojan
skype.ini - this is a data file used by the trojan as an "infection marker" to prevent multiple instances of the malware from running on the infected computer
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = "explorer.exe,%AppData%\skype.dat"
Update or remove Java, Adobe zeroday software, etc.
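As an added defender-side check that is not part of this thread, the PowerShell below reads the Winlogon "Shell" value and reports anything beyond explorer.exe, then looks for the skype.dat / skype.ini pair in %AppData%. The file names and the HKCU registry value come from the post above; checking the HKLM Winlogon key as well, and hashing the files, is my addition.

```powershell
# Added example: verify the Urausy persistence described above on a Windows host.
# Reads the Winlogon "Shell" value (the thread's registry indicator) and checks
# for the skype.dat / skype.ini pair in %AppData%. Run as the infected user.

$winlogonPaths = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',   # from the thread
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'    # machine-wide, added check
)

foreach ($path in $winlogonPaths) {
    $shell = (Get-ItemProperty -Path $path -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell) { continue }   # value absent on this hive, nothing to report
    # Shell is a comma-separated list; on a clean system it is just "explorer.exe".
    $entries = $shell -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $extra = $entries | Where-Object { $_ -ne 'explorer.exe' }
    if ($extra) {
        Write-Output "[!] $path Shell = `"$shell`""
        $extra | ForEach-Object { Write-Output "    extra shell entry: $_" }
    } else {
        Write-Output "[ok] $path Shell = `"$shell`""
    }
}

# Payload copy and infection marker the thread identifies in %AppData%.
foreach ($name in 'skype.dat', 'skype.ini') {
    $file = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $file) {
        # Get-FileHash requires PowerShell 4.0 or later.
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        Write-Output "[!] found $file  SHA256=$hash"
    } else {
        Write-Output "[ok] $file not present"
    }
}
```

Any extra Shell entry or a present skype.dat should be treated as a hit; the SHA256 is printed so the sample can be submitted or matched against AV detections.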