
system restore not helping....infected boot?


This topic is locked
8 replies to this topic

#1 skeeterbyte


Posted 15 February 2013 - 11:32 AM

Hi,

 

On a computer I'm working on, which will not boot, the system restore as well as any other option will not work. After reviewing previous posts, it appears this computer has the same issue as posted by wolfpackfans and worked on by Farbar from BC. I have run all the hardware diagnostics and everything passed with no issues. After completing a scan using the Farbar Recovery Scan Tool from a flash drive, it appears this computer has an infected boot with a possibly fake svchost.exe entry? I have attached the FRST.txt file. In case it's needed, this computer is an HP laptop dv7-4270 running Windows 7 Home Premium.

 

Thanks in advance,

Skeeter

Attached File: FRST.txt (7.29 KB)




#2 Farbar

  • Security Developer
  • Location: The Netherlands

Posted 15 February 2013 - 02:34 PM

Hi skeeter,

 

We will remove the infection, boot normally and bring the system back to full functionality. Please refrain from doing any fix or making any changes to the system from now on until we are done unless you decide you can do the rest on your own. Thank you.

 

  • Your version of FRST is too old. Please download the latest version of FRST64.

     

  • Please download MBRFix. Save and extract its contents to the desktop. Once extracted, there will be three files in the folder. Copy just the MBRFix64 application to the USB drive. You don't need to run the tool. FRST will use the tool automatically.

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    SaveMbr: Drive=0

    Now please enter System Recovery Options and select "Command Prompt".

    Run FRST64 and press the Fix button just once and wait.

    The tool will make a log on the flashdrive (Fixlog.txt); please post its contents in your reply. It will also produce another file, MBRDUMP.txt, on the flash drive that, although it may look like a text file, is a hex file. You must attach this report to your reply instead of posting its contents.

     

  • Also, while still in recovery mode, please run a fresh scan with FRST64 and copy and paste the log. No need to attach the log.

 



#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:20 AM

Posted 15 February 2013 - 03:15 PM

Also please make sure you run FRST64 from the command prompt by typing e:\frst64 and pressing Enter.



#4 skeeterbyte


Posted 15 February 2013 - 03:58 PM

Thanks Farbar.

 

Here's the contents of the fixlog.txt file:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-02-2013
Ran by SYSTEM at 2013-02-15 15:50:39 Run:1
Running from G:\

==============================================

MBRDUMP.txt is made successfully.

==== End of Fixlog ====

 

 

Here's the contents of the fresh scan with the FRST64:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-02-2013
Ran by SYSTEM at 15-02-2013 15:52:00
Running from G:\
Windows 7 Home Premium   (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2281256 2010-10-05] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-09-14] (IDT, Inc.)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [611896 2010-08-31] ()
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-07-21] (Hewlett-Packard Company)
HKLM\...\Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [57928 2011-09-16] (LogMeIn, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-09-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Corel File Shell Monitor] c:\Program Files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe [x]
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [587320 2011-06-14] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [ZumoDrive] "C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk" [2080 2012-01-15] ()
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: []  [x]
HKU\Cody\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-08-16] (Hewlett-Packard Company)
HKU\Cody\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Cody\...\Run: [ZumoDrive] C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk [2080 2012-01-15] ()
HKU\Cody\...\Run: [Facebook Update] "C:\Users\Cody\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-17] (Facebook Inc.)
HKU\Cody\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10i_ActiveX.exe -update activex [232912 2010-10-23] (Adobe Systems, Inc.)
HKU\Mcx1-CODY-HP\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [343552 2009-07-13] (Microsoft Corporation)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\Program Files (x86)\DigitalPersona\Bin\DPAgent.exe, [739664 2010-09-15] (DigitalPersona, Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1
Lsa: [Notification Packages] DPPassFilter scecli
Startup: C:\ProgramData\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Snapfish PictureMover.lnk
ShortcutTarget: Snapfish PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)

==================== Services (Whitelisted) ===================

2 CLKMSVC10_C6F09094; "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe" /svc [245232 2010-09-21] (CyberLink)
2 LMIGuardianSvc; "C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe" [375728 2012-11-05] (LogMeIn, Inc.)
2 LMIMaint; "C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe" [147888 2012-11-05] (LogMeIn, Inc.)
2 LogMeIn; "C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe" [407424 2011-09-16] (LogMeIn, Inc.)
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)

==================== Drivers (Whitelisted) =====================

2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [15928 2011-09-16] (LogMeIn, Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)
0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
4 LMIRfsClientNP;  [x]
1 MpKsl4fe6951d; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6F9B5762-1EF9-48B8-854F-14DB30230E2D}\MpKsl4fe6951d.sys [x]
1 MpKsleee9e51b; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6F9B5762-1EF9-48B8-854F-14DB30230E2D}\MpKsleee9e51b.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-01-20 17:44 - 2013-01-20 17:44 - 00000000 ____D C:\Users\Default\AppData\Roaming\Apple Computer
2013-01-20 17:44 - 2013-01-20 17:44 - 00000000 ____D C:\Users\Default\AppData\Local\Apple Computer
2013-01-20 17:44 - 2013-01-20 17:44 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Apple Computer
2013-01-20 17:44 - 2013-01-20 17:44 - 00000000 ____D C:\Users\Default User\AppData\Local\Apple Computer
2013-01-17 05:07 - 2013-01-17 05:07 - 00000000 ____D C:\Users\Cody\AppData\Local\{294CB3AE-9912-41EC-98AC-57849119BA90}


==================== One Month Modified Files and Folders =======

2013-02-15 15:38 - 2010-10-23 11:23 - 00000000 ____D C:\ProgramData\Recovery
2013-02-14 21:13 - 2013-02-14 21:13 - 00000000 ____D C:\FRST
2013-02-14 20:05 - 2013-01-12 10:43 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-02-14 20:05 - 2012-11-19 06:13 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-02-14 20:05 - 2012-05-08 12:16 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-02-14 20:05 - 2012-01-16 10:31 - 00000000 ____D C:\Users\Cody\AppData\Roaming\ZumoDrive
2013-02-14 20:05 - 2012-01-14 09:38 - 00000000 ____D C:\users\Mcx1-CODY-HP
2013-02-14 20:05 - 2011-08-18 12:27 - 00000000 ____D C:\Windows\Minidump
2013-02-14 20:05 - 2011-06-06 06:49 - 00000000 ____D C:\ProgramData\Yahoo! Companion
2013-02-14 20:05 - 2011-05-25 08:25 - 00000000 ____D C:\users\Cody
2013-02-14 20:05 - 2011-04-13 01:27 - 00000000 ____D C:\ProgramData\RoxioNow
2013-02-14 20:05 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-02-14 20:05 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-02-14 20:04 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-02-14 20:00 - 2011-05-26 19:46 - 00000000 ____D C:\Users\Cody\AppData\Roaming\Skype
2013-02-14 20:00 - 2011-05-25 08:27 - 00000000 ____D C:\Users\Cody\AppData\Local\Hewlett-Packard
2013-02-14 19:59 - 2011-06-13 17:27 - 00000000 __RHD C:\MSOCache
2013-01-31 20:50 - 2012-01-13 14:46 - 00000000 ____D C:\ProgramData\LogMeIn
2013-01-23 19:30 - 2012-10-31 14:44 - 00000000 ____D C:\Users\Cody\AppData\Local\Deployment
2013-01-20 17:44 - 2013-01-20 17:44 - 00000000 ____D C:\Users\Default\AppData\Roaming\Apple Computer
2013-01-20 17:44 - 2013-01-20 17:44 - 00000000 ____D C:\Users\Default\AppData\Local\Apple Computer
2013-01-20 17:44 - 2013-01-20 17:44 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Apple Computer
2013-01-20 17:44 - 2013-01-20 17:44 - 00000000 ____D C:\Users\Default User\AppData\Local\Apple Computer
2013-01-17 05:07 - 2013-01-17 05:07 - 00000000 ____D C:\Users\Cody\AppData\Local\{294CB3AE-9912-41EC-98AC-57849119BA90}
2013-01-16 19:58 - 2011-05-26 19:19 - 00000000 ____D C:\Users\Cody\AppData\Local\CrashDumps
2013-01-16 14:42 - 2011-04-13 00:50 - 01748179 ____A C:\Windows\WindowsUpdate.log
2013-01-16 14:36 - 2012-07-20 00:30 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-16 14:33 - 2012-07-20 00:30 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-16 14:32 - 2012-04-22 18:43 - 00000902 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4101795249-2678508952-988791912-1000Core.job
2013-01-16 14:24 - 2013-01-15 05:03 - 00000000 ____D C:\Users\Cody\AppData\Local\{6EECECFD-C492-4EBB-9EF9-91DB6683FBC9}
2013-01-16 14:24 - 2012-04-22 18:43 - 00000924 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4101795249-2678508952-988791912-1000UA.job
2013-01-16 14:24 - 2012-02-29 18:45 - 00000000 ____D C:\Users\Cody\AppData\Local\Windows Live

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-01-12 10:18:31
Restore point made on: 2013-01-16 14:43:14
Restore point made on: 2013-01-16 20:19:07
Restore point made on: 2013-01-20 17:36:11
Restore point made on: 2013-01-23 18:19:20
Restore point made on: 2013-01-28 15:01:02

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3834.9 MB
Available physical RAM: 3120.87 MB
Total Pagefile: 3833.05 MB
Available Pagefile: 3110.07 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:571.57 GB) (Free:452.55 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:24.3 GB) (Free:3.55 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive g: () (Removable) (Total:1.86 GB) (Free:0.11 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          596 GB   103 MB         
  Disk 1    Online         1907 MB      0 B         
  Disk 2    No Media           0 B      0 B         

Partitions of Disk 0:
===============

Disk ID: F30902DC

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            199 MB  1024 KB
  Partition 2    Primary            571 GB   200 MB
  Partition 3    Primary             24 GB   571 GB

==================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   SYSTEM       NTFS   Partition    199 MB  Healthy            

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    571 GB  Healthy            

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   RECOVERY     NTFS   Partition     24 GB  Healthy            

=========================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1907 MB    64 KB

==================================================================================

Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G                FAT    Removable   1907 MB  Healthy            

=========================================================

Last Boot: 2013-01-23 21:54

==================== End Of Log =============================

 

 

Attached the MBRDUMP.txt as directed.

Thank you for your help with this.

Skeeter


#5 Farbar


Posted 15 February 2013 - 04:24 PM

Well done.

 

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\svchost.exe
TDL4: custom:26000022 <===== ATTENTION!
end


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options and select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

 

Also restart, let it boot normally and tell me how it went.



#6 skeeterbyte


Posted 15 February 2013 - 05:19 PM

thanks Farbar.

 

Here's the contents of the fixlog.txt file:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-02-2013
Ran by SYSTEM at 2013-02-15 17:13:32 Run:2
Running from G:\

==============================================

C:\Windows\svchost.exe moved successfully.

The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

 

Computer restarted and allowed to boot normally. All is good and the computer booted.

Can you give me some additional info about the problem that was indicated with this computer?

 

Skeeter


Edited by skeeterbyte, 15 February 2013 - 05:22 PM.


#7 Farbar


Posted 15 February 2013 - 05:32 PM

Great.

 

This was a variant of bootkit partition infection also known as Pihar.C. In addition to creating a zero-byte partition, it adds a custom entry to the BCD. If the malware is removed improperly, the system becomes unbootable.

 

The main infection is taken care of and there is nothing in the log to be taken care of. You stated in your PM that you are good at computers. Can you run the usual scans for eventual (harmless) leftovers, update the system fully and do the rest?
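As an added example (not part of this thread and not FRST's own code), the small Python checker below reads an FRST scan log like the one posted in #4 and pulls out the three markers Farbar acted on: the `TDL4: custom:` BCD entry, FRST's own ATTENTION notices, and an svchost.exe sitting outside System32/SysWOW64. The sample log is a constructed excerpt of the lines quoted earlier in the thread; the regular expressions, the finding labels and the "legitimate svchost locations" set are this example's own assumptions.

```python
"""Pull boot/partition-infection markers out of an FRST scan log.

Added example for this thread; not FRST's own code. The regexes and the
finding labels are assumptions based only on the log lines quoted above.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str    # short label for the indicator class
    detail: str  # the identifier, path or full line that triggered it


# Where svchost.exe legitimately lives on 64-bit Windows 7 (assumption).
LEGIT_SVCHOST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}

# "TDL4: custom:<hex id>" is how FRST reported the non-standard BCD entry above.
TDL4_RE = re.compile(r"^TDL4:\s*custom:(?P<ident>[0-9A-Fa-f]+)", re.I)

# Any drive-letter path ending in svchost.exe, even when embedded in a Run-key line.
SVCHOST_PATH_RE = re.compile(r'[a-z]:\\[^\[\]"]*svchost\.exe', re.I)


def find_boot_infection_indicators(log_text: str) -> list[Finding]:
    """Return one Finding per line that points at an MBR/BCD/partition infection."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TDL4_RE.match(line)
        if m:
            findings.append(Finding("bcd_custom_entry", m.group("ident")))
            continue
        if "ATTENTION" in line.upper():
            findings.append(Finding("attention", line))
            continue
        for p in SVCHOST_PATH_RE.finditer(line):
            # A real svchost.exe lives under System32 or SysWOW64; anything else is suspect.
            if p.group(0).lower() not in LEGIT_SVCHOST:
                findings.append(Finding("svchost_outside_system32", p.group(0)))
    return findings


# Constructed excerpt of the scan log posted above (post #4).
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.
"""


def main() -> None:
    for f in find_boot_infection_indicators(SAMPLE_LOG):
        print(f"{f.kind:26} {f.detail}")


if __name__ == "__main__":
    main()
```

On the excerpt this reports the custom BCD identifier, the two ATTENTION notices and `C:\Windows\svchost.exe`, while the two whitelisted svchost.exe copies from the MD5 check are left alone.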



#8 skeeterbyte


Posted 15 February 2013 - 05:40 PM

Thank you so much Farbar.

Yes, I believe I can take care of the rest. Appreciate your help so much. If I were to come across any problems, I'll update you on those as well. But thanks to you, I think I can finish up.

Like I mentioned to you, it is so wonderful to have the BC community to turn to when faced with certain issues and failures. Yes, I have been working on computers for many years but we all need help from time to time :)

 

Hope you have a wonderful weekend!

Skeeter



#9 Farbar


Posted 15 February 2013 - 05:50 PM

You are most welcome and have a great weekend too Skeeter. :)

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Every one else should start a new topic.





