
Windows 7 wouldn't boot, found some virus, some indication it may be a boot sector virus


  • This topic is locked
32 replies to this topic

#1 CoastalData

Posted 29 October 2012 - 09:18 AM

Hello, a friend brought me their laptop that wouldn't boot up; it only went to a black screen with the blinking cursor in the upper left hand corner. I extracted the hdd, and tested it and scanned it from my workstation, where I found no hardware errors, but did find some virii... forgot to record exactly which ones, though!

Upon replacing the drive in the computer, I now get past the black screen, but get a BSOD, with a stop error, 0x7B, which some say indicates a boot sector virus. None of my scanners are able to find anything left over though; can someone recommend a procedure to clear this error out?

Thanks in advance,

--Jon

Edited by CoastalData, 29 October 2012 - 09:19 AM.



#2 Jimbob85

Posted 29 October 2012 - 09:27 AM

Please list your OS as you very likely have an infection in the MBR. This will help someone know how to better help you.

#3 CoastalData

Posted 29 October 2012 - 11:48 AM

It is Windows 7, Home Premium Edition.

#4 Jimbob85

Posted 29 October 2012 - 02:10 PM

You could try this scan with the drive as a slave to your desktop as well. It may get rid of the rootkit, if there is one.

Download

Kaspersky AV Tool

Accept the license agreement and click start
Click the (gear) settings tab
select everything through "Local Disk (c:)", provided c: is your OS drive
Start Automatic scan
Go with the recommended options if anything is detected

Post the log results here

#5 CoastalData

Posted 30 October 2012 - 03:09 PM

When I try to download that, it sends me to the following link which results in a 404 error...

http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/avptool11/setup_11.0.0.1245.x01_2012_10_29_09_16.exe

Maybe due to hurricane?

#6 Jimbob85

Posted 30 October 2012 - 03:27 PM

So... "The Kaspersky AV Tool" link I provided does not work, correct?

I can click on it and it takes me to their page to download and install the tool. Try it again and let me know. If it still does not work we will try something else.

#7 CoastalData

Posted 31 October 2012 - 03:52 PM

Okay, I finally got that downloaded, and then had to reboot into safe mode to run it on my machine (Win8 64 bit) and it said that it found nothing.

What next?

#8 Jimbob85

Posted 31 October 2012 - 04:21 PM

You may have gotten the malware but in the process ended up with a corrupt MBR. You probably will be better served by the Malware Response Team. I will see if I can help get someone to help you.

Someone will be with you soon, please remember that the MRT is very busy so it may take a day or two.

Edited by Jimbob85, 31 October 2012 - 04:41 PM.


#9 bloopie

  • Malware Response Team

Posted 31 October 2012 - 04:50 PM

Hi,

I just wanted to let you know that I have moved this topic to the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay. Someone will be along to help you soon.

Good luck!

bloopie

#10 thisisu

  • Malware Response Team

Posted 01 November 2012 - 10:18 AM

Hello CoastalData :)

  • I will be helping with your computer problems.
  • From this point on, it is very important that you refrain from doing anything else to your computer other than what I have requested of you.
  • I do not mind if you browse the web, do basic tasks, or even test to see if the problem(s) you are experiencing are still occurring with the computer while we are working together, but do not run any tools/fixes unless I or another helper from this thread has asked you to do so.
  • Remember that you came here for help, so allow us to help you :)
  • If something does not run, make a detailed note of what problems you encountered along the way (exact error messages are preferred), but continue onto the next steps until you reach the end of my post.
  • Always do the steps in the order they are listed in (left to right, top to bottom).
  • I prefer that you complete all the steps while you are in Normal Mode. However, I understand that sometimes this is not possible. If you are unsuccessful in getting a tool/fix to run from Normal Mode, but Safe Mode works, then use Safe Mode.
  • If you have a question about something, do not hesitate to ask.

First, please put the hard drive with issues back into its original computer case. Leave it there for the remainder of our time working together.

Next:

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please post the contents of FRST.txt into your next reply.


#11 CoastalData

Posted 01 November 2012 - 03:22 PM

Hello, Thank you very much, I'm reinstalling the drive now, and will report back shortly with the results as you have requested.

#12 CoastalData

Posted 01 November 2012 - 03:45 PM

I used the 64 bit version of FRST, and here's the results of the log file:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 30-10-2012
Ran by SYSTEM at 01-11-2012 16:41:13
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-10-13] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10060320 2010-02-09] (Realtek Semiconductor)
HKLM\...\Run: [Apoint] %ProgramFiles%\Apoint\Apoint.exe [x]
HKLM\...\Run: [lxdimon.exe] "C:\Program Files (x86)\Lexmark 3500-4500 Series\lxdimon.exe" [434864 2007-07-16] ()
HKLM\...\Run: [lxdiamon] "C:\Program Files (x86)\Lexmark 3500-4500 Series\lxdiamon.exe" [25264 2007-07-16] ()
HKLM\...\Run: [acevents] "C:\Program Files\ActivIdentity\ActivClient\acevents.exe" [196648 2011-05-02] (ActivIdentity)
HKLM\...\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe" [489512 2011-05-02] (ActivIdentity)
HKLM-x32\...\Run: [SmartWiHelper] "C:\Program Files (x86)\Sony\SmartWi Connection Utility\SmartWiHelper.exe" /WindowsStartup [80384 2009-10-05] (Sony Electronics Corporation)
HKLM-x32\...\Run: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe" [320880 2009-08-26] (Sony Corporation)
HKLM-x32\...\Run: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe [597792 2009-10-24] (Sony Corporation)
HKLM-x32\...\Run: [FaxCenterServer] "C:\Program Files (x86)\\Lexmark Fax Solutions\fm3032.exe" /s [311984 2007-07-16] ()
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1561768 2012-05-04] (Ask)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AprvRemoveLegacyExcelKeys] "C:\Program Files (x86)\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn [x]
HKLM-x32\...\Run: [AprvRemoveLegacyWordKeys] "C:\Program Files (x86)\ApproveIt\Support\Tools\AprvClean.exe" -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn [x]
HKLM-x32\...\Run: [ApproveItForOfficeSetup] "C:\Program Files (x86)\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe " /1 /p "C:\Program Files (x86)\ApproveIt\" [155648 2010-01-26] (Silanis Technology Inc.)
HKLM-x32\...\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [268640 2011-11-12] (LeapFrog Enterprises, Inc.)
HKLM-x32\...\Run: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s [619008 2010-05-25] (Nikon Corporation)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] [x]
HKU\McCandless Family\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-12-09] (Google Inc.)
HKU\McCandless Family\...\Run: [Broadcom] rundll32.exe "C:\Users\McCandless Family\AppData\Local\Conduit\Broadcom\jzmttchd.dll",DllRegisterServerW [327168 2012-09-26] (Microsoft Corporation)
HKU\Mcx1-SUPERBEAST\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [343552 2009-07-13] (Microsoft Corporation)
HKU\UpdatusUser.Superbeast\...\Run: [Broadcom] rundll32.exe "C:\Users\McCandless Family\AppData\Local\Conduit\Broadcom\jzmttchd.dll",DllRegisterServerW [327168 2012-09-26] (Microsoft Corporation)
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\ActivClient Agent.lnk
ShortcutTarget: ActivClient Agent.lnk -> C:\Program Files\ActivIdentity\ActivClient\acsagent.exe (ActivIdentity)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\ApproveIt StartUp.lnk
ShortcutTarget: ApproveIt StartUp.lnk -> C:\Windows\Installer\{4E01B649-0023-4EB5-9263-57DE317C3418}\Icon9557F1BC1.ico ()
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\McCandless Family\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
Startup: C:\Users\McCandless Family\Start Menu\Programs\Startup\scandisk.lnk
ShortcutTarget: scandisk.lnk -> C:\Windows\System32\rundll32.exe (Microsoft Corporation)
Startup: C:\Users\Mcx1-SUPERBEAST\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\UpdatusUser\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\UpdatusUser.Superbeast\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)

==================== Services (Whitelisted) ===================

2 ac.sharedstore; C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [277032 2009-06-03] (ActivIdentity)
2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
2 DiskDoctorService; C:\Program Files (x86)\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrv.exe [1029480 2010-11-29] (Symantec Corporation)
2 lxdi_device; C:\Windows\system32\lxdicoms.exe -service [876976 2007-06-11] ( )
2 lxdi_device; C:\Windows\SysWow64\lxdicoms.exe -service [517040 2007-06-11] ( )
3 MSSQL$DDNI; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\sqlservr.exe" -sDDNI [43010392 2009-03-30] (Microsoft Corporation)
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Norton Internet Security\Engine\18.7.2.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)
3 Roxio UPnP Renderer 10; "C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe" [313840 2009-08-31] (Sonic Solutions)
2 Roxio Upnp Server 10; "C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe" [362992 2009-08-31] (Sonic Solutions)
3 SampleCollector; "C:\Program Files\Sony\VAIO Care\collsvc.exe" "/service" "/counter=\Processor(_Total)\% Processor Time:5" "/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:5" "/counter=\Network Interface(*)\Bytes Total/sec:5" "/directory=inteldata" [167424 2009-09-16] (Intel Corporation)
3 SOHDBSvr; "C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe" [70952 2009-10-15] (Sony Corporation)
3 SOHPlMgr; "C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe" [91432 2009-10-15] (Sony Corporation)
2 SpeedDiskService; C:\Program Files (x86)\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrv.exe [1037672 2010-11-29] (Symantec Corporation)
4 SQLAgent$DDNI; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\SQLAGENT.EXE" -i DDNI [366936 2009-03-30] (Microsoft Corporation)
2 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [104960 2008-09-18] (ArcSoft, Inc.)
3 VAIO Entertainment TV Device Arbitration Service; "C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe" [69632 2009-09-14] (Sony Corporation)
2 VzCdbSvc; "C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe" [206336 2009-09-14] (Sony Corporation)

==================== Drivers (Whitelisted) =====================

2 6077757b; \??\C:\Windows\system32\drivers\regi.sys [14112 2007-04-17] (InterVideo)
3 ArcSoftKsUFilter; C:\Windows\System32\Drivers\ArcSoftKsUFilter.sys [19968 2009-05-26] (ArcSoft, Inc.)
3 bcm; C:\Windows\System32\DRIVERS\drxvi314_64.sys [316928 2009-09-03] (Beceem communications pvt ltd.)
3 bcmbusctr; C:\Windows\System32\DRIVERS\BcmBusCtr_64.sys [62976 2009-09-03] (Beceem communications pvt ltd.)
1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20120928.001\BHDrvx64.sys [1385120 2012-08-31] (Symantec Corporation)
3 cm_net; C:\Windows\System32\Drivers\cm_net.sys [133120 2008-05-29] (C-motech Co.,Ltd.)
3 cm_ser; C:\Windows\System32\Drivers\cm_ser.sys [118272 2008-05-29] (C-motech Co.,Ltd.)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-09] (Symantec Corporation)
3 EMVSCARD; C:\Windows\System32\Drivers\EMVSCARD.sys [28544 2006-12-13] (USB Smart Card Reader)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-09] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20121005.002\IDSvia64.sys [513184 2012-09-06] (Symantec Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20121005.025\ENG64.SYS [126112 2012-09-26] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20121005.025\EX64.SYS [2084000 2012-09-26] (Symantec Corporation)
2 regi; C:\Windows\SysWow64\Drivers\regi.sys [11032 2007-04-17] (InterVideo)
1 SRTSP; C:\Windows\System32\Drivers\NISx64\1207020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NISx64\1207020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
3 swmsflt; C:\Windows\System32\Drivers\swmsflt.sys [34304 2009-12-02] ()
3 swmsflt; C:\Windows\SysWow64\Drivers\swmsflt.sys [28808 2008-10-15] ()
3 SWNC5E00; C:\Windows\System32\Drivers\SWNC5E00.sys [202248 2009-12-02] (Sierra Wireless Inc.)
0 SymDS; C:\Windows\System32\drivers\NISx64\1207020.003\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)
3 SymDSMon; C:\Windows\System32\Drivers\SymDSMon.sys [191232 2010-11-29] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NISx64\1207020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-05-09] (Symantec Corporation)
1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [43640 2011-03-30] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)
3 SYMSpeedDisk; C:\Windows\System32\Drivers\SYMSpeedDisk.sys [163384 2010-11-29] (Symantec Corporation)
3 SYMSpeedDisk; C:\Windows\SysWow64\Drivers\SYMSpeedDisk.sys [108800 2010-11-29] (Symantec Corporation)
3 TVICHW64; C:\Windows\System32\Drivers\TVICHW64.sys [21200 2011-03-14] (EnTech Taiwan)
2 IAStorDataMgrSvc; [x]
3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-01 16:40 - 2012-11-01 16:40 - 00000000 ____D C:\FRST
2012-10-05 05:04 - 2012-10-05 05:04 - 00000000 ____D C:\228c02c48e056a798a0e4a

==================== 3 Months Modified Files ==================

2012-10-05 23:00 - 2009-12-22 13:17 - 01242996 ____A C:\Windows\WindowsUpdate.log
2012-10-05 22:54 - 2009-12-09 19:55 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-10-05 22:51 - 2012-05-24 15:01 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-10-05 16:54 - 2009-12-09 19:55 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-10-05 15:00 - 2011-02-02 17:25 - 00000284 ____A C:\Windows\Tasks\NUSchedule.job
2012-10-01 11:18 - 2012-10-01 11:18 - 00089227 ____A C:\Users\McCandless Family\AppData\Local\recently-used.xbel
2012-10-01 09:36 - 2012-05-11 13:06 - 00005194 ____A C:\Windows\setupact.log
2012-09-29 13:41 - 2009-07-13 20:45 - 00010096 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-29 13:41 - 2009-07-13 20:45 - 00010096 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-28 12:25 - 2009-07-13 21:13 - 00821928 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-28 12:20 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-28 12:19 - 2012-05-25 10:39 - 00021490 ____A C:\Windows\PFRO.log
2012-09-27 11:43 - 2012-09-27 11:42 - 166934149 ____A C:\Users\McCandless Family\Desktop\FotoFunBackgrounds.zip
2012-09-27 11:43 - 2012-09-27 11:42 - 00000574 ____A C:\Users\McCandless Family\Desktop\FotoFunBackgrounds.zip.lnk
2012-09-27 07:57 - 2012-09-18 16:15 - 00002378 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-09-25 11:08 - 2012-09-25 11:08 - 01296240 ____A (Coupons.com Incorporated) C:\Users\McCandless Family\Downloads\couponprinter.exe
2012-09-25 11:08 - 2012-09-25 11:08 - 01296240 ____A (Coupons.com Incorporated) C:\Users\McCandless Family\Downloads\couponprinter (1).exe
2012-09-18 16:36 - 2012-05-24 15:01 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-09-18 16:36 - 2011-09-19 14:19 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-09-12 23:03 - 2010-12-16 00:04 - 00000129 ____A C:\Windows\System32\MRT.INI
2012-09-12 23:00 - 2010-02-15 13:09 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-09-11 09:26 - 2012-09-11 09:26 - 00001857 ____A C:\Users\Public\Desktop\ooVoo.lnk
2012-09-09 15:02 - 2012-09-09 15:01 - 00290392 ____A C:\Windows\Minidump\090912-60325-01.dmp
2012-09-09 15:02 - 2009-07-13 21:08 - 00032650 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-09 15:01 - 2012-05-14 23:02 - 869931028 ____A C:\Windows\MEMORY.DMP
2012-09-08 00:25 - 2012-08-10 17:04 - 00000000 ____A C:\Windows\Model.log
2012-09-08 00:25 - 2010-12-23 18:52 - 00000021 ____A C:\Windows\Model.txt
2012-09-06 15:47 - 2012-09-06 15:47 - 00036320 ____A C:\Users\McCandless Family\Desktop\MYERBbleep!.htm
2012-08-30 15:08 - 2012-08-30 15:08 - 00001705 ____A C:\Users\Public\Desktop\NavyFIELD Launcher.lnk
2012-08-24 16:22 - 2012-08-24 16:22 - 03578428 ____A C:\Users\McCandless Family\Desktop\OneInchBottlecap-GIMP.zip
2012-08-24 08:30 - 2012-08-24 08:30 - 00000000 ____A C:\Users\McCandless Family\Desktop\CouponPrinter_exe.vr70zo7.partial
2012-08-24 03:15 - 2012-09-21 23:00 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-24 02:39 - 2012-09-21 23:00 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-24 02:31 - 2012-09-21 23:00 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-24 02:22 - 2012-09-21 23:00 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-24 02:21 - 2012-09-21 23:00 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-24 02:20 - 2012-09-21 23:00 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-24 02:18 - 2012-09-21 23:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-24 02:17 - 2012-09-21 23:00 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-24 02:14 - 2012-09-21 23:00 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-24 02:14 - 2012-09-21 23:00 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-24 02:13 - 2012-09-21 23:00 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-24 02:12 - 2012-09-21 23:00 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-24 02:11 - 2012-09-21 23:00 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-24 02:10 - 2012-09-21 23:00 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-24 02:09 - 2012-09-21 23:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-24 02:04 - 2012-09-21 23:00 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-23 23:27 - 2012-09-21 23:00 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-23 23:03 - 2012-09-21 23:00 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-23 22:59 - 2012-09-21 23:00 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-23 22:51 - 2012-09-21 23:00 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-23 22:51 - 2012-09-21 23:00 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-23 22:51 - 2012-09-21 23:00 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-23 22:49 - 2012-09-21 23:00 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-23 22:48 - 2012-09-21 23:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-23 22:47 - 2012-09-21 23:00 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-23 22:47 - 2012-09-21 23:00 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-23 22:47 - 2012-09-21 23:00 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-23 22:45 - 2012-09-21 23:00 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-23 22:44 - 2012-09-21 23:00 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-23 22:44 - 2012-09-21 23:00 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-23 22:43 - 2012-09-21 23:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-23 22:40 - 2012-09-21 23:00 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-22 10:12 - 2012-09-12 12:12 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-08-22 10:12 - 2012-09-12 12:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-08-22 10:12 - 2012-09-12 12:12 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-08-22 10:12 - 2012-09-12 12:12 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-08-21 13:01 - 2012-09-25 12:13 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
2012-08-17 06:40 - 2012-08-17 06:40 - 00281432 ____A C:\Windows\Minidump\081712-133817-01.dmp
2012-08-16 07:33 - 2012-08-16 07:33 - 00000892 ____A C:\Users\McCandless Family\Desktop\GIMP 2.lnk
2012-08-15 05:05 - 2010-10-04 14:38 - 00000952 __ASH C:\Users\All Users\KGyGaAvL.sys
2012-08-14 23:31 - 2009-07-13 20:45 - 00450136 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-14 11:14 - 2012-08-14 11:14 - 00187425 ____A C:\Users\McCandless Family\Desktop\Attachments_2012_08_14.zip
2012-08-13 15:13 - 2012-08-13 15:13 - 00000020 ___SH C:\Users\UpdatusUser.Superbeast\ntuser.ini
2012-08-12 12:58 - 2012-01-14 12:10 - 00002014 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-08-12 09:34 - 2012-08-12 09:34 - 00000040 ____A C:\Windows\RSoftInfo.dat
2012-08-12 09:32 - 2012-08-12 09:32 - 00000963 ____A C:\Users\Public\Desktop\Game Manager.lnk
2012-08-12 09:32 - 2012-08-12 09:32 - 00000231 ____A C:\Users\Public\Desktop\More Great Games.url
2012-08-10 11:23 - 2011-10-17 12:09 - 00001068 ____A C:\Users\Public\Desktop\World of Warcraft.lnk
2012-08-10 06:45 - 2012-08-10 06:45 - 00036429 ____A C:\Users\McCandless Family\Desktop\LES 2012.htm
2012-08-08 08:26 - 2012-08-08 08:26 - 00000534 ____A C:\Users\McCandless Family\Desktop\Scan+122210000.pdf.lnk


ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-26 23:00:26
Restore point made on: 2012-09-27 23:00:27
Restore point made on: 2012-09-28 23:00:35
Restore point made on: 2012-09-29 23:00:25
Restore point made on: 2012-09-30 15:00:51
Restore point made on: 2012-09-30 23:00:17
Restore point made on: 2012-10-01 23:00:23
Restore point made on: 2012-10-02 23:00:54
Restore point made on: 2012-10-03 23:00:21
Restore point made on: 2012-10-04 23:00:22
Restore point made on: 2012-10-05 23:00:25
Restore point made on: 2012-10-06 23:00:28
Restore point made on: 2012-10-07 23:00:22

==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 6126.07 MB
Available physical RAM: 5341.18 MB
Total Pagefile: 6124.27 MB
Available Pagefile: 5337.11 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:457 GB) (Free:318.98 GB) NTFS
2 Drive e: (Recovery) (Fixed) (Total:8.66 GB) (Free:0.81 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (GSP1RMCULXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
4 Drive g: () (Removable) (Total:7.45 GB) (Free:7.45 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B
  Disk 1    Online         7633 MB      0 B

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery            8 GB  1024 KB
  Partition 2    Primary           100 MB     8 GB
  Partition 3    Primary           456 GB     8 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   Recovery     NTFS   Partition      8 GB  Healthy    Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   System Rese  NTFS   Partition    100 MB  Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    456 GB  Healthy

=========================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           7633 MB    16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G                FAT32  Removable   7633 MB  Healthy

=========================================================

Last Boot: 2012-10-05 20:27

==================== End Of Log =============================
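The Partitions section of the FRST log above is what a reviewer reads to judge the "Check for MBR/Partition infection" warning: a hidden type 0x27 recovery partition, a 100 MB active type 0x07 System Reserved partition and the 456 GB type 0x07 Windows volume, with the boot code in the first 440 bytes of sector 0 being what `bootrec /fixmbr` rewrites. As an added example (not code from FRST or from anyone in this thread), the script below parses a raw 512-byte MBR, decodes the partition table and applies the sanity checks a practitioner wants before and after the fix. SAMPLE_MBR is constructed to mirror the Disk 0 layout in the log; its boot-code bytes are filler, and the disk signature and total disk size are assumed values, not taken from the log.

```python
"""Parse and sanity-check a raw 512-byte MBR.

Added example for this thread, not code from FRST or from the posters. SAMPLE_MBR
is constructed to mirror the Disk 0 layout in the FRST log: a hidden type 0x27
recovery partition, a 100 MB active type 0x07 System Reserved partition and the
456 GB type 0x07 Windows volume. Boot code is filler; disk signature and size
are assumed values.
"""
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 0x1B8      # bytes 0..0x1B7 hold the boot code
DISK_SIG_OFF = 0x1B8       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
ENTRY_LEN = 16
BOOT_SIG = b"\x55\xAA"     # last two bytes of every valid MBR

TYPE_NAMES = {             # partition type bytes that appear in the log
    0x00: "empty",
    0x07: "NTFS / exFAT",
    0x0B: "FAT32 (CHS)",
    0x27: "hidden NTFS recovery (Windows RE / OEM)",
}

MIB = 1024 * 1024 // SECTOR   # sectors per MiB (2048)
GIB = 1024 * MIB              # sectors per GiB

# Constructed layout: (status, type, first LBA, sector count), following the
# diskpart output in the log. DISK_SECTORS is an assumed 500 GB drive size.
P1 = (0x00, 0x27, 2048, 8 * GIB)                            # Recovery, hidden
P2 = (0x80, 0x07, 2048 + 8 * GIB, 100 * MIB)                # System Reserved, active
P3 = (0x00, 0x07, 2048 + 8 * GIB + 100 * MIB, 456 * GIB)    # Windows (C:)
DISK_SECTORS = 976773168


def make_entry(status, ptype, lba_start, sectors):
    """Pack one partition entry; CHS fields get the 'use LBA' marker FE FF FF."""
    return struct.pack("<B3sB3sII", status, b"\xFE\xFF\xFF", ptype,
                       b"\xFE\xFF\xFF", lba_start, sectors)


def build_sample_mbr():
    """Assemble the constructed MBR: filler boot code + disk signature + table."""
    boot_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)
    table = b"".join(make_entry(*p) for p in (P1, P2, P3)) + bytes(ENTRY_LEN)
    mbr = boot_code + struct.pack("<I", 0x1234ABCD) + b"\x00\x00" + table + BOOT_SIG
    assert len(mbr) == SECTOR
    return mbr


SAMPLE_MBR = build_sample_mbr()


def parse_entry(raw):
    status, _, ptype, _, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {"status": status, "active": status == 0x80, "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba_start, "sectors": sectors, "size_mib": sectors // MIB}


def parse_mbr(mbr):
    """Split an MBR into boot code, disk signature, 0x55AA check and partitions."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = [parse_entry(mbr[PART_TABLE_OFF + i * ENTRY_LEN:
                               PART_TABLE_OFF + (i + 1) * ENTRY_LEN]) for i in range(4)]
    return {"boot_code": bytes(mbr[:BOOT_CODE_LEN]),
            "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
            "signature_ok": bytes(mbr[SECTOR - 2:]) == BOOT_SIG,
            "partitions": entries}


def check_mbr(mbr, disk_sectors, reference_boot_code=None):
    """Return a list of findings; an empty list means nothing looked wrong.

    reference_boot_code is the first 0x1B8 bytes of a known-clean MBR from the
    same Windows version; a bootkit replaces that code, and it is what
    `bootrec /fixmbr` rewrites.
    """
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    used = [p for p in info["partitions"] if p["type"] != 0x00]
    for n, p in enumerate(used, 1):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {n}: invalid status byte 0x{p['status']:02X}")
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {n}: extends past the end of the disk")
    active = sum(1 for p in used if p["active"])
    if active != 1:
        findings.append(f"{active} active partitions (expected exactly 1)")
    ordered = sorted(used, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions overlap at LBA {b['lba_start']}")
    if reference_boot_code is not None and info["boot_code"] != reference_boot_code:
        findings.append("boot code differs from reference (possible bootkit)")
    return findings


def trailing_free_sectors(mbr, disk_sectors):
    """Unpartitioned sectors after the last partition, a common place for a
    bootkit's hidden storage; worth imaging before bootrec /fixmbr."""
    used = [p for p in parse_mbr(mbr)["partitions"] if p["type"] != 0x00]
    end = max((p["lba_start"] + p["sectors"] for p in used), default=0)
    return disk_sectors - end


if __name__ == "__main__":
    # Usage: python mbr_check.py [\\.\PhysicalDrive0 | /dev/sda | mbr.bin]
    # Reading a physical drive needs administrator/root rights.
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else SAMPLE_MBR
    for n, p in enumerate(parse_mbr(data)["partitions"], 1):
        print(f"{n}: {'*' if p['active'] else ' '} 0x{p['type']:02X} "
              f"{p['type_name']:40s} LBA {p['lba_start']:>11} {p['size_mib']:>8} MiB")
    print("findings:", check_mbr(data, DISK_SECTORS) or "none")
```

Run it against sector 0 of the suspect disk from the clean workstation (where the drive was first scanned) and keep the dump: the partition table should survive `bootrec /fixmbr` unchanged, and a diff of the first 0x1B8 bytes before and after shows exactly what the fix replaced.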

#13 CoastalData

  • Topic Starter
  • Members
  • 79 posts

Posted 02 November 2012 - 02:15 PM

Ready when you are!

#14 thisisu

  • Malware Response Team
  • 2,525 posts
  • Location:USA

Posted 02 November 2012 - 02:47 PM

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Open Notepad.
  • Then copy the text in the code box below and paste it into the Notepad window.
    start
    HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1561768 2012-05-04] (Ask)
    TDL4: custom:26000022 <===== ATTENTION!
    cmd: bootrec /fixmbr
    C:\Windows\svchost.exe
    cmd: bcdedit /enum all /v
    end
  • Save this Notepad file as fixlist.txt to your flash drive.
  • You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Post the contents of Fixlog.txt into your next reply and attempt to boot normally.
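The fixlist above ends with `cmd: bcdedit /enum all /v`, whose output is how the "Malware custom entry on BCD" warning is confirmed: bcdedit prints any element it has no name for as `custom:<hex id>`, and a clean Windows 7 store has none. As an added example (not code from the thread, from FRST or from bcdedit), the script below parses that output and flags undocumented elements, the documented code-signing switches when they are enabled, and an OS loader path that is not winload. SAMPLE_BCD is constructed text in bcdedit's layout; the {bootmgr}, {globalsettings} and {bootloadersettings} GUIDs are the real well-known ones, the loader GUID is invented, and the `custom:26000022` line reproduces the element FRST attributes to TDL4 in the log. The script reports that element without interpreting it.

```python
"""Flag suspicious elements in the output of `bcdedit /enum all /v`.

Added example, not code from the thread, FRST or bcdedit. SAMPLE_BCD is
constructed text in the layout bcdedit prints; the well-known GUIDs are real,
the loader GUID is invented, and custom:26000022 reproduces the element FRST
reports in the log. Elements bcdedit cannot name are reported, not interpreted.
"""
import re

SAMPLE_BCD = """\
Windows Boot Manager
--------------------
identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device                  partition=Y:
description             Windows Boot Manager
locale                  en-US
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default                 {1c3d0a55-0c73-4d2e-9b9e-5b6d3c1f2a77}
displayorder            {1c3d0a55-0c73-4d2e-9b9e-5b6d3c1f2a77}
timeout                 30

Windows Boot Loader
-------------------
identifier              {1c3d0a55-0c73-4d2e-9b9e-5b6d3c1f2a77}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
locale                  en-US
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice                partition=C:
systemroot              \\Windows
nx                      OptIn
custom:26000022         Yes
"""

DASHES = re.compile(r"^-{5,}$")
# Documented elements that weaken kernel-mode code signing when set to Yes.
RISKY_WHEN_YES = ("nointegritychecks", "testsigning")
EXPECTED_LOADERS = ("\\windows\\system32\\winload.exe",
                    "\\windows\\system32\\winload.efi")


def parse_bcd(text):
    """Return [{'name': object type, 'elements': {key: value}}] per BCD object."""
    objects, current, last_key = [], None, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.strip() or DASHES.match(line.strip()):
            continue
        if i + 1 < len(lines) and DASHES.match(lines[i + 1].strip()):
            current = {"name": line.strip(), "elements": {}}   # heading line
            objects.append(current)
            last_key = None
            continue
        if current is None:
            continue
        if line[0].isspace() and last_key:          # wrapped multi-value element
            current["elements"][last_key] += " " + line.strip()
            continue
        key, _, value = line.partition(" ")
        last_key = key.lower()
        current["elements"][last_key] = value.strip()
    return objects


def find_suspicious(objects):
    """Return (identifier, element, value, reason) tuples worth a closer look."""
    findings = []
    for obj in objects:
        el = obj["elements"]
        ident = el.get("identifier", "?")
        for key, value in el.items():
            if key.startswith("custom:"):
                findings.append((ident, key, value, "element bcdedit cannot name"))
            elif key in RISKY_WHEN_YES and value.lower() == "yes":
                findings.append((ident, key, value, "code-signing enforcement weakened"))
        if obj["name"] == "Windows Boot Loader" and \
                el.get("path", "").lower() not in EXPECTED_LOADERS:
            findings.append((ident, "path", el.get("path", ""), "unexpected OS loader path"))
    return findings


if __name__ == "__main__":
    # On the affected machine: bcdedit /enum all /v > bcd.txt, then
    # python bcd_check.py bcd.txt; with no argument the constructed sample is used.
    import sys
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_BCD
    for ident, key, value, reason in find_suspicious(parse_bcd(text)):
        print(f"{ident}  {key} = {value}  <== {reason}")
```

Re-run the same check on the post-fix output: the `custom:` line should be gone, and the loader path, `device` and `osdevice` should still point at the volumes diskpart listed, since `bootrec /fixmbr` touches the MBR boot code, not the BCD store.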

#15 CoastalData

  • Topic Starter
  • Members
  • 79 posts

Posted 02 November 2012 - 03:40 PM

I'd left the computer running, with FRST open... do I actually need to reboot, or can I just exit and reopen FRST?



