
Virus that caused Windows 7 64bit Startup Repair loop


This topic is locked. 3 replies to this topic.

#1 c1n29
Members, 2 posts

Posted 20 September 2012 - 03:31 PM

I saw Farbar's fix for this but am new to the site and wanted to see if he could provide a fix for mine? Details below. Thanks in advance.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 19-09-2012
Ran by SYSTEM at 20-09-2012 15:20:27
Running from F:\
Windows 7 Enterprise Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [x]
HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [x]
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [x]
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [x]
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [x]
HKLM\...\Run: [GlobalProtect] C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe [x]
HKLM\...\Winlogon: [Shell] explorer.exe [x ] ()
HKLM-x32\...\Winlogon: [Shell] explorer.exe [x ] ()
Winlogon\Notify\igfxcui: igfxdev.dll [X]
Tcpip\Parameters: [DhcpNameServer] 10.90.97.3 10.1.1.30 10.90.145.13

==================== Services (Whitelisted) ===================

4 TlntSvr; C:\Windows\System32\tlntsvr.exe [81920 2009-07-13] (Microsoft Corporation)
2 uvnc_service; "C:\Program Files\UltraVNC\WinVNC.exe" -service [2169592 2011-05-18] (UltraVNC)
3 aspnet_state; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe [x]
2 Autodesk Content Service; "C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe" [x]
2 Client32; "C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* * [x]
2 clr_optimization_v4.0.30319_32; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [x]
2 clr_optimization_v4.0.30319_64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
2 CVPND; "C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe" [x]
3 EFS; C:\Windows\System32\lsass.exe [x]
3 EhttpSrv; "C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe" [x]
2 ekrn; "C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe" [x]
3 ESET Remote Installer; C:\Windows\einstaller.exe -Service="ESET Remote Installer" [x]
3 FLEXnet Licensing Service; "C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [x]
3 FLEXnet Licensing Service 64; "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe" [x]
2 FontCache; C:\Windows\System32\FntCache.dll [x]
2 Iap; "C:\Program Files\Dell\OpenManage\Client\Iap.exe" [x]
3 KeyIso; C:\Windows\System32\lsass.exe [x]
2 MSSQL$HAZUSPLUSSRVR; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.HAZUSPLUSSRVR\MSSQL\Binn\sqlservr.exe" -sHAZUSPLUSSRVR [x]
4 MSSQLServerADHelper100; "C:\Program Files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [x]
2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [x]
2 Netlogon; C:\Windows\System32\lsass.exe [x]
4 NetMsmqActivator; "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [x]
4 NetPipeActivator; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [x]
4 NetTcpActivator; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [x]
4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [x]
3 ose; "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [x]
3 osppsvc; "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" [x]
2 PanGPS; C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe [x]
2 PanGPUpdater; C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPUpdater.exe [x]
2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [x]
3 ProtectedStorage; C:\Windows\System32\lsass.exe [x]
3 PSEXESVC; C:\Windows\PSEXESVC.EXE [x]
2 SamSs; C:\Windows\System32\lsass.exe [x]
4 SQLAgent$HAZUSPLUSSRVR; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.HAZUSPLUSSRVR\MSSQL\Binn\SQLAGENT.EXE" -i HAZUSPLUSSRVR [x]
2 SQLBrowser; "C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]
3 VaultSvc; C:\Windows\System32\lsass.exe [x]
4 WSearch; C:\Windows\System32\SearchIndexer.exe /Embedding [x]

==================== Drivers (Whitelisted) =====================

3 ApfiltrService; C:\Windows\System32\DRIVERS\Apfiltr.sys [x]
3 bowser; C:\Windows\System32\DRIVERS\bowser.sys [x]
3 BthEnum; C:\Windows\System32\DRIVERS\BthEnum.sys [x]
3 BthPan; C:\Windows\System32\DRIVERS\bthpan.sys [x]
3 BTHPORT; C:\Windows\System32\Drivers\BTHport.sys [x]
3 BTHUSB; C:\Windows\System32\Drivers\BTHUSB.sys [x]
0 CNG; C:\Windows\System32\Drivers\cng.sys [x]
3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA64.sys [x]
3 CVPNDRVA; \??\C:\Windows\system32\Drivers\CVPNDRVA.sys [x]
3 DNE; C:\Windows\System32\DRIVERS\dne64x.sys [x]
2 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [x]
1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [x]
2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [x]
0 Fs_Rec; [x]
3 gdihook5; C:\Windows\System32\DRIVERS\gdihook5.sys [x]
3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [x]
0 KSecDD; C:\Windows\System32\Drivers\ksecdd.sys [x]
0 KSecPkg; C:\Windows\System32\Drivers\ksecpkg.sys [x]
3 mrxsmb; C:\Windows\System32\DRIVERS\mrxsmb.sys [x]
3 mrxsmb10; C:\Windows\System32\DRIVERS\mrxsmb10.sys [x]
3 mrxsmb20; C:\Windows\System32\DRIVERS\mrxsmb20.sys [x]
3 nskbfltr; \??\C:\Windows\system32\drivers\nskbfltr.sys [x]
1 omci; C:\Windows\System32\DRIVERS\omci.sys [x]
3 PanGpd; C:\Windows\System32\DRIVERS\pangpd.sys [x]
1 PCISys; C:\Windows\System32\drivers\pcisys.sys [x]
3 RDPWD; [x]
3 RFCOMM; C:\Windows\System32\DRIVERS\rfcomm.sys [x]
0 Tcpip; C:\Windows\System32\drivers\tcpip.sys [x]
3 TCPIP6; C:\Windows\System32\DRIVERS\tcpip.sys [x]
3 TDTCP; C:\Windows\System32\drivers\tdtcp.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-09-20 14:51 - 2012-09-20 14:51 - 00000000 ____D C:\Windows\System32\config\backup
2012-09-20 13:10 - 2012-09-20 13:10 - 00000000 ____D C:\mybackup
2012-09-20 11:35 - 2012-09-20 11:35 - 00000000 ____D C:\Windows\System32\config\mybackup
2012-09-16 11:28 - 2012-09-16 20:30 - 00000048 ____A C:\Users\ktillman\PanGpMPR.dat
2012-09-16 10:27 - 2012-09-16 10:27 - 00005824 ____A C:\Users\ktillman\PanPortalCfg.dat
2012-09-16 10:26 - 2012-09-18 15:39 - 00036940 ____A C:\Users\ktillman\PanGPA.log
2012-09-16 10:25 - 2012-09-16 10:25 - 00000000 ____D C:\Program Files\Palo Alto Networks
2012-09-02 13:23 - 2012-09-02 13:23 - 00000000 ____D C:\Users\All Users\NetSupport
2012-09-02 13:23 - 2012-09-02 13:23 - 00000000 ____D C:\Program Files (x86)\NetSupport


==================== 3 Months Modified Files ==================

2012-09-18 15:39 - 2012-09-16 10:26 - 00036940 ____A C:\Users\ktillman\PanGPA.log
2012-09-18 13:05 - 2011-08-20 08:05 - 00000120 ____A C:\Windows\System32\config\netlogon.ftl
2012-09-16 20:30 - 2012-09-16 11:28 - 00000048 ____A C:\Users\ktillman\PanGpMPR.dat
2012-09-16 10:30 - 2011-08-24 07:20 - 00002160 ____A C:\Users\ktillman\Desktop\TerminalServer.rdp
2012-09-16 10:27 - 2012-09-16 10:27 - 00005824 ____A C:\Users\ktillman\PanPortalCfg.dat
2012-09-16 09:59 - 2009-07-13 21:13 - 00873090 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-16 09:54 - 2009-07-13 20:45 - 00023360 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-16 09:54 - 2009-07-13 20:45 - 00023360 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-16 09:46 - 2012-03-16 10:44 - 00023271 ____A C:\Windows\setupact.log
2012-09-16 09:46 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-16 09:45 - 2011-08-20 09:45 - 01311550 ____A C:\Windows\WindowsUpdate.log
2012-08-28 06:51 - 2012-06-20 05:40 - 00000158 ____A C:\Users\ktillman\userdata.dat
2012-08-10 08:02 - 2012-08-10 06:37 - 00028265 ____A C:\Users\ktillman\Documents\Grand Prairie Pipe Bursting Engineering Fees Detailed Breakdown 8-10-12.xlsx
2012-08-02 09:28 - 2011-08-23 05:35 - 00014974 ____A C:\Users\ktillman\Documents\plot.log
2012-07-23 02:57 - 2009-07-13 21:08 - 00032594 ____A C:\Windows\Tasks\SCHEDLGU.TXT

==================== Known DLLs (Whitelisted) =================

C:\Windows\System32\IERTUTIL.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\IERTUTIL.dll IS MISSING <==== ATTENTION!
C:\Windows\System32\IMAGEHLP.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\IMAGEHLP.dll IS MISSING <==== ATTENTION!
C:\Windows\System32\kernel32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\kernel32.dll IS MISSING <==== ATTENTION!
C:\Windows\System32\MSVCRT.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\MSVCRT.dll IS MISSING <==== ATTENTION!
C:\Windows\System32\SHELL32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\SHELL32.dll IS MISSING <==== ATTENTION!
C:\Windows\System32\URLMON.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\URLMON.dll IS MISSING <==== ATTENTION!
C:\Windows\System32\WININET.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\WININET.dll IS MISSING <==== ATTENTION!

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-15 08:45:50
Restore point made on: 2012-09-16 10:05:35
Restore point made on: 2012-09-16 10:25:03

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 4085.97 MB
Available physical RAM: 3250.12 MB
Total Pagefile: 4084.17 MB
Available Pagefile: 3244.49 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:111.69 GB) (Free:21.74 GB) NTFS
2 Drive e: (W7SP1_PROFESSIONAL) (CDROM) (Total:5.23 GB) (Free:0 GB) UDF
3 Drive f: () (Removable) (Total:3.75 GB) (Free:3.67 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 111 GB 0 B
Disk 1 Online 3843 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 111 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 111 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 3843 MB 0 B

==================================================================================

Disk: 1
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

=========================================================

Last Boot: 2012-09-17 06:14

==================== End Of Log =============================

#2 Farbar (Just Curious)
Security Developer, 21,714 posts, Location: The Netherlands

Posted 21 September 2012 - 10:14 AM

Hello c1n29,

Welcome to the forum.

Unfortunately I have bad news. Looking at the log tells me there are a lot of system files missing. You should know better where they have gone.

In those situations the best option is to reformat and reinstall.

As a long shot you can use System Restore and hope it is not corrupted. But looking at those missing entries, I doubt it will work.

To use System Restore, after entering System Recovery Options, select System Restore and try the restore point made on 2012-09-15.

If that fails, the best way is to reformat and reinstall.

Edited by Farbar, 24 September 2012 - 09:22 AM (typo).


#3 c1n29 (Topic Starter)
Members, 2 posts

Posted 24 September 2012 - 08:51 AM

Thanks for the response.

#4 Farbar (Just Curious)
Security Developer, 21,714 posts, Location: The Netherlands

Posted 24 September 2012 - 09:24 AM

You are most welcome. :)

This thread will now be closed.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.



