Windows 7 will not boot after virus removal


  • This topic is locked
49 replies to this topic

#1 yb125

yb125

  • Members
  • 74 posts

Posted 16 February 2013 - 08:00 PM

So my Windows 7 (installed on drive C:) had been acting funny: Windows Live could not open mail, I was getting odd requests to download .htm files, and it would boot fine once, but then not boot the next time and then boot fine again. I ran Malwarebytes and it found several infections; after removal it reset and now will not boot past the logo screen.

 

As it turns out I still had my Windows 7 RC installed on one of my other drives (drive H:), so I was able to boot to that. When I ran a virus scan on drive C: it says there are no infections found; however, I copied everything from drive C: to a backup folder on drive H:, and when I scan the backed-up folder it now identifies infections. It will not boot to safe mode, it claims there are no system restore points, and system repair run from my Windows 7 DVD says that it cannot repair the system. chkdsk also does not work, although it says there is data in bad sectors. Any help would be greatly appreciated.




#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 16 February 2013 - 08:13 PM

Let me ask a Malware Response Team member to help you.

 

Good luck.



#3 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,297 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 16 February 2013 - 11:54 PM

Let's give it a try. You will need a USB flash drive.
 

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    Plug the flash drive into the infected PC.
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc or make a repair disc. Any Windows installation disc, or a repair disc made on another computer, can be used.
    To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html
     


    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    Select Command Prompt

    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 yb125

yb125
  • Topic Starter

  • Members
  • 74 posts

Posted 17 February 2013 - 02:13 AM

OK, just a note: before I saw the reply I did use AVG's rescue disk to run a virus scan, and it did find and clean some infected files.

 

 

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-02-2013
Ran by SYSTEM at 17-02-2013 06:59:18
Running from H:\
Windows 7 Home Premium   (X64) OS Language: English(US) 
The current controlset is ControlSet001
 
==================== Registry (Whitelisted) ===================
 
HKLM\...\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe" [415816 2010-02-18] (Logitech Inc.)
HKLM\...\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE [4271688 2010-02-18] (Logitech Inc.)
HKLM\...\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2093128 2010-02-18] (Logitech Inc.)
HKLM\...\Run: [MsmqIntCert] regsvr32 /s mqrt.dll [x]
HKLM\...\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe [660360 2007-05-31] (Microsoft Corporation)
HKLM-x32\...\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe" [37888 2010-01-13] (Nullsoft, Inc.)
HKLM-x32\...\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [85160 2009-06-17] (Elaborate Bytes AG)
HKLM-x32\...\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r [2583040 2009-09-21] (VIA)
HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [300472 2010-05-12] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [288080 2009-07-17] (Microsoft Corporation)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1230704 2011-03-21] ()
HKLM-x32\...\Run: [QuickTime Task] "F:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [x]
HKLM-x32\...\Run: [iTunesHelper] "F:\Program Files (x86)\iTunes\iTunesHelper.exe" [x]
HKLM-x32\...\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\ssmmgr.exe /autorun [614400 2009-08-28] ()
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NoteBurner] f:\Program Files (x86)\NoteBurner\VTBurnerGUI.exe /silence [x]
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3147384 2012-12-11] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [TkBellExe] "f:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [x]
HKU\Nissah\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [x]
HKU\Nissah\...\Run: [Google Update] "C:\Users\Nissah\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-03-04] (Google Inc.)
HKU\Nissah\...\Run: [DirectPlayerCore] "f:\Program Files (x86)\NBC Direct\DirectPlayerCore.exe" [x]
HKU\Nissah\...\Run: [Steam] "D:\Program Files (x86)\Steam\Steam.exe" -silent [x]
HKU\Nissah\...\Run: [SansaDispatch] C:\Users\Nissah\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2011-07-21] (SanDisk Corporation)
HKU\Nissah\...\Run: [DW7] "C:\Program Files (x86)\The Weather Channel\The Weather Channel App\TWCApp.exe" [13102080 2013-02-04] (The Weather Channel)
HKU\Nissah\...\Run: [chromium] C:\Users\Nissah\AppData\Local\Google\Chrome\Application\chrome.exe --no-startup-window [1248208 2013-01-25] (Google Inc.)
HKLM-x32\...\Runonce: [Malwarebytes Anti-Malware] f:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [x]
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1091432 2012-12-14] (Malwarebytes Corporation)
Tcpip\Parameters: [DhcpNameServer] 132.239.0.252 128.54.16.2
Startup: C:\Users\Nissah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
 
==================== Services (Whitelisted) ===================
 
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814904 2012-11-15] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
2 MSMQ; C:\Windows\System32\mqsvc.exe [9216 2009-07-13] (Microsoft Corporation)
2 MSMQTriggers; C:\Windows\System32\mqtgsvc.exe [189440 2010-11-20] (Microsoft Corporation)
2 RealNetworks Downloader Resolver Service; "C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe" [38608 2012-11-29] ()
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
2 NMSAccess64; C:\Program Files\CDBurnerXP2\NMSAccessU.exe [x]
 
==================== Drivers (Whitelisted) =====================
 
1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-15] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-02] (AVG Technologies CZ, s.r.o.)
0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-21] (AVG Technologies CZ, s.r.o.)
0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111968 2012-11-15] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-14] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-21] (AVG Technologies CZ, s.r.o.)
3 DbusAudio; C:\Windows\System32\Drivers\DbusAudio.sys [34040 2011-12-19] (Windows ® Win 7 DDK provider)
3 elxstor; C:\Windows\System32\Drivers\elxstor.sys [530496 2009-07-13] ()
3 EthDriver; C:\Windows\System32\DRIVERS\TEGPCI.sys [88064 2007-05-11] ()
3 irsir; C:\Windows\System32\Drivers\irsir.sys [27648 2008-01-19] (Microsoft Corporation)
3 MQAC; C:\Windows\System32\Drivers\MQAC.sys [189440 2009-07-13] (Microsoft Corporation)
0 speedfan; C:\Windows\SysWow64\speedfan.sys [14104 2007-02-07] (Windows ® Server 2003 DDK provider)
2 SSPORT; C:\Windows\SysWow64\Drivers\SSPORT.sys [11576 2009-08-26] (Samsung Electronics)
3 StarOpen; C:\Windows\System32\Drivers\StarOpen.sys [5504 2009-11-12] ()
3 StarOpen; C:\Windows\SysWow64\Drivers\StarOpen.sys [7168 2009-11-12] ()
3 cpuz132; \??\C:\Users\Nissah\AppData\Local\Temp\cpuz132\cpuz132_x64.sys [x]
2 DgiVecp; \??\C:\Windows\system32\Drivers\DgiVecp.sys [x]
 
==================== NetSvcs (Whitelisted) ====================
 
 
==================== One Month Created Files and Folders ========
 
2013-02-17 06:59 - 2013-02-17 06:59 - 00000000 ____D C:\FRST
2013-02-12 19:27 - 2013-02-12 19:27 - 00000000 __SHD C:\found.000
2013-02-11 20:07 - 2013-02-11 20:07 - 00000000 ____D C:\Users\Nissah\AppData\Roaming\RealNetworks
2013-02-11 20:06 - 2013-02-11 20:06 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00201424 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00000995 ____A C:\Users\Public\Desktop\RealPlayer.lnk
2013-02-11 20:06 - 2013-02-11 20:06 - 00000000 ____D C:\Program Files (x86)\RealNetworks
2013-02-11 20:05 - 2013-02-12 12:43 - 00000000 ____D C:\Users\Nissah\Documents\?4
2013-02-11 20:05 - 2013-02-11 20:05 - 00765104 ____A (RealNetworks, Inc.) C:\Users\Nissah\Downloads\RealPlayer (3).exe
2013-02-11 20:04 - 2013-02-11 20:04 - 39447008 ____A (RealNetworks, Inc.) C:\Users\Nissah\Downloads\RealPlayer (2).exe
2013-02-11 19:58 - 2013-02-11 19:58 - 00765104 ____A (RealNetworks, Inc.) C:\Users\Nissah\Downloads\RealPlayer (1).exe
2013-02-06 18:46 - 2013-02-06 18:46 - 00000000 ____D C:\Users\Nissah\Documents\????
2013-02-01 17:54 - 2013-02-01 17:54 - 00000000 ____D C:\Users\Nissah\Documents\????
2013-01-18 08:56 - 2013-01-19 10:35 - 00000298 ____A C:\Windows\Tasks\ROC_REG_JAN_DELETE.job
2013-01-18 08:56 - 2013-01-18 08:58 - 00000000 ____D C:\ProgramData\AVG January 2013 Campaign
 
==================== One Month Modified Files and Folders =======
 
2013-02-16 22:49 - 2010-08-13 16:38 - 00000000 ____D C:\Users\Nissah\AppData\Local\Windows Server
2013-02-12 20:00 - 2012-10-10 07:32 - 03914096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-02-12 20:00 - 2011-07-01 05:35 - 00337408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll
2013-02-12 19:58 - 2011-07-01 05:35 - 00503296 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2013-02-12 19:56 - 2011-04-13 23:54 - 00518672 ____A (Microsoft Corporation) C:\Windows\System32\winresume.exe
2013-02-12 19:56 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\bg-BG
2013-02-12 19:56 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\AdvancedInstallers
2013-02-12 19:27 - 2013-02-12 19:27 - 00000000 __SHD C:\found.000
2013-02-12 19:22 - 2010-03-03 18:33 - 01168976 ____A C:\Windows\WindowsUpdate.log
2013-02-12 19:22 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\inetsrv
2013-02-12 19:21 - 2009-07-13 20:51 - 03684386 ____A C:\Windows\setupact.log
2013-02-12 19:11 - 2012-07-14 15:50 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-02-12 19:11 - 2012-07-14 15:50 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-02-12 18:48 - 2010-03-04 12:03 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-937359758-3070799903-2594050803-1001UA.job
2013-02-12 18:10 - 2012-08-19 23:12 - 00000826 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-02-12 18:10 - 2009-07-13 20:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-02-12 18:10 - 2009-07-13 20:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-02-12 18:08 - 2009-07-13 21:13 - 00864940 ____A C:\Windows\System32\PerfStringBackup.INI
2013-02-12 18:06 - 2011-04-24 17:54 - 00000000 ____D C:\ProgramData\MFAData
2013-02-12 18:03 - 2010-03-03 18:32 - 00000000 ____D C:\users\Nissah
2013-02-12 18:02 - 2012-09-05 19:31 - 00000000 ____D C:\ProgramData\NVIDIA
2013-02-12 18:02 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-02-12 18:01 - 2011-12-16 22:03 - 00000000 ____D C:\ProgramData\Real
2013-02-12 18:01 - 2011-10-16 10:59 - 00000000 ____D C:\users\DefaultAppPool
2013-02-12 18:01 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-02-12 15:01 - 2011-10-13 07:00 - 00000099 ____A C:\Users\Public\LMDebug.log
2013-02-12 12:43 - 2013-02-11 20:05 - 00000000 ____D C:\Users\Nissah\Documents\?4
2013-02-12 09:06 - 2012-12-12 11:39 - 00000965 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2013-02-12 08:17 - 2010-03-04 22:41 - 00000000 ____D C:\Users\Nissah\AppData\Roaming\NBC Direct
2013-02-12 08:17 - 2010-03-04 12:03 - 00000000 ____D C:\Users\Nissah\AppData\Local\Deployment
2013-02-12 00:04 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-02-11 21:01 - 2012-09-07 09:07 - 00000773 ____A C:\Users\Public\Desktop\World of Warcraft.lnk
2013-02-11 20:07 - 2013-02-11 20:07 - 00000000 ____D C:\Users\Nissah\AppData\Roaming\RealNetworks
2013-02-11 20:07 - 2011-12-16 22:03 - 00000000 ____D C:\Users\Nissah\AppData\Roaming\Real
2013-02-11 20:06 - 2013-02-11 20:06 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00201424 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00000995 ____A C:\Users\Public\Desktop\RealPlayer.lnk
2013-02-11 20:06 - 2013-02-11 20:06 - 00000000 ____D C:\Program Files (x86)\RealNetworks
2013-02-11 20:06 - 2011-12-16 22:03 - 00000000 ____D C:\Program Files (x86)\Real
2013-02-11 20:06 - 2011-08-16 10:48 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2013-02-11 20:06 - 2011-05-27 11:12 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2013-02-11 20:05 - 2013-02-11 20:05 - 00765104 ____A (RealNetworks, Inc.) C:\Users\Nissah\Downloads\RealPlayer (3).exe
2013-02-11 20:04 - 2013-02-11 20:04 - 39447008 ____A (RealNetworks, Inc.) C:\Users\Nissah\Downloads\RealPlayer (2).exe
2013-02-11 19:58 - 2013-02-11 19:58 - 00765104 ____A (RealNetworks, Inc.) C:\Users\Nissah\Downloads\RealPlayer (1).exe
2013-02-11 14:29 - 2010-03-04 12:03 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-937359758-3070799903-2594050803-1001Core.job
2013-02-06 18:46 - 2013-02-06 18:46 - 00000000 ____D C:\Users\Nissah\Documents\????
2013-02-04 10:36 - 2012-09-05 19:50 - 00001308 ____A C:\Users\Public\Desktop\The Weather Channel App.lnk
2013-02-02 11:33 - 2010-03-03 18:55 - 00042252 ____A C:\Windows\PFRO.log
2013-02-01 22:45 - 2010-03-04 12:04 - 00002370 ____A C:\Users\Nissah\Desktop\Google Chrome.lnk
2013-02-01 17:54 - 2013-02-01 17:54 - 00000000 ____D C:\Users\Nissah\Documents\????
2013-01-26 21:10 - 2012-09-26 13:10 - 00000000 ____D C:\Users\Nissah\AppData\Roaming\Mumble
2013-01-23 09:56 - 2012-12-13 06:08 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-01-23 09:56 - 2011-06-13 16:53 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-01-21 15:07 - 2012-12-12 11:36 - 00000000 ____D C:\Users\Nissah\AppData\Local\Avg2013
2013-01-19 10:35 - 2013-01-18 08:56 - 00000298 ____A C:\Windows\Tasks\ROC_REG_JAN_DELETE.job
2013-01-18 08:58 - 2013-01-18 08:56 - 00000000 ____D C:\ProgramData\AVG January 2013 Campaign
 
 
==================== Known DLLs (Whitelisted) =================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 28%
Total physical RAM: 1791.3 MB
Available physical RAM: 1282.45 MB
Total Pagefile: 1791.3 MB
Available Pagefile: 1264.59 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
 
==================== Partitions =============================
 
2 Drive c: () (Fixed) (Total:59.53 GB) (Free:3.84 GB) NTFS
3 Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive h: () (Removable) (Total:0.99 GB) (Free:0.99 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (Data) (Fixed) (Total:298.09 GB) (Free:20.77 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB  1024 KB         
  Disk 1    Online           59 GB      0 B         
  Disk 2    Online          596 GB  1024 KB         
  Disk 3    Online         1012 MB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: D6392AF0
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            298 GB    31 KB
 
==================================================================================
 
Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   Data         NTFS   Partition    298 GB  Healthy            
 
=========================================================
 
Partitions of Disk 1:
===============
 
Disk ID: F20F44B8
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            100 MB  1024 KB
  Partition 2    Primary             59 GB   101 MB
 
==================================================================================
 
Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D   System Rese  NTFS   Partition    100 MB  Healthy            
 
=========================================================
 
Disk: 1
Partition 2
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     C                NTFS   Partition     59 GB  Healthy            
 
=========================================================
 
Partitions of Disk 2:
===============
 
Disk ID: D3BFCA8B
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            596 GB    31 KB
 
==================================================================================
 
Disk: 2
Partition 1
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4                      NTFS   Partition    596 GB  Healthy            
 
=========================================================
 
Partitions of Disk 3:
===============
 
Disk ID: 014AFC6C
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1012 MB    16 KB
 
==================================================================================
 
Disk: 3
Partition 1
Type  : 06
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     H                FAT    Removable   1012 MB  Healthy            
 
=========================================================
 
Last Boot: 2013-02-03 16:55
 
==================== End Of Log =============================
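As an added illustration, not part of this thread or of FRST itself, here is a Python script that parses the Run/RunOnce lines of an FRST log in the layout shown above and flags the ones a responder usually checks first: targets FRST could not find (marked [x]), entries with no publisher (an empty "()" field), commands that point into user-writable folders, and entries that go through a DLL or script loader such as rundll32 or regsvr32. The sample lines are copied from the log above; the flag names and the reading of [x] and () are my assumptions drawn from the log format, and a flag only means "look at this", not "this is malicious" (the recovery environment can also assign other volumes different drive letters than the booted system does, which is one benign reason for a [x]).

```python
import re

# Constructed sample input: Run/RunOnce lines in the layout FRST prints, copied from
# the scan log in this thread. "[x]" is FRST's marker for an entry whose target
# file it could not find; "()" is an empty company field (no version information).
SAMPLE_LINES = r"""
HKLM\...\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe" [415816 2010-02-18] (Logitech Inc.)
HKLM\...\Run: [MsmqIntCert] regsvr32 /s mqrt.dll [x]
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1230704 2011-03-21] ()
HKLM-x32\...\Run: [QuickTime Task] "F:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [x]
HKU\Nissah\...\Run: [SansaDispatch] C:\Users\Nissah\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2011-07-21] (SanDisk Corporation)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1091432 2012-12-14] (Malwarebytes Corporation)
"""

# hive\...\Run: [name] command [size date] (company)   -or-   hive\...\Run: [name] command [x]
LINE_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\.\\(?P<key>Run(?:[Oo]nce)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?) "
    r"(?:\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)|(?P<missing>\[x\]))$"
)
# Shortest prefix of an unquoted command that ends in an executable extension.
EXT_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|cpl|scr|com|bat|cmd))(?:\s|$)", re.IGNORECASE)

# Folders a standard user can write to (worth a second look when an autostart
# points there) and programs that exist to load someone else's code.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")
LOADERS = {"rundll32", "regsvr32", "cmd", "wscript", "cscript", "mshta", "powershell"}


def image_path(cmd):
    """Best-effort extraction of the program launched by a Run value."""
    if cmd.startswith('"'):                    # quoted path: take what is inside the quotes
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    first = cmd.split(" ", 1)[0]
    if "\\" not in first:                      # bare program name such as regsvr32 or rundll32.exe
        return first
    m = EXT_RE.match(cmd)                      # unquoted path that may contain spaces
    return m.group("path") if m else first


def triage_entry(line):
    """Parse one FRST Run line; return a dict with review flags, or None if it is not a Run line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    image = image_path(cmd)
    flags = []
    if m.group("missing"):
        flags.append("target-not-found")
    if m.group("company") == "":
        flags.append("no-publisher")
    if any(folder in cmd.lower() for folder in USER_WRITABLE):
        flags.append("user-writable-location")
    base = image.lower().rsplit("\\", 1)[-1].split(".")[0]
    if base in LOADERS:
        flags.append("script-or-dll-loader")
    return {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
            "image": image, "company": m.group("company"), "flags": flags}


def triage(text):
    """Parse every Run/RunOnce line in an FRST log excerpt."""
    entries = (triage_entry(line) for line in text.strip().splitlines())
    return [e for e in entries if e is not None]


def flagged(text):
    """Only the entries that carry at least one review flag."""
    return [e for e in triage(text) if e["flags"]]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LINES):
        print(f'{e["hive"]}\\{e["key"]} [{e["name"]}] -> {e["image"]}  flags={e["flags"]}')
```

On the log above this would leave the signed entries under Program Files alone and surface the [x] entries, the unsigned DivX and Samsung updaters, everything launched from AppData, and the two RunOnce values the fix later removes; a responder then decides per entry, rather than reading 30 lines by eye.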


#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,297 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 17 February 2013 - 08:57 AM

Still unable to boot? How many hard drives are installed?

 

Download MBRFix from here.

Save and extract its contents to the working computer's desktop. There are three files in the MBRFix folder. From these, only copy the MBRFix64.exe to the USB drive.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt
 

start
HKLM-x32\...\Runonce: [Malwarebytes Anti-Malware] f:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [x]
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1091432 2012-12-14] (Malwarebytes Corporation)
SaveMbr: Drive=0
end


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system



Insert the USB drive into the ailing computer.

Now please enter System Recovery Options and run FRST64 as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and paste the contents of Fixlog.txt in your next reply, but attach MBRDUMP.txt, as it is a hex file.
 


Edited by JSntgRvr, 17 February 2013 - 09:10 AM.



#6 yb125

yb125
  • Topic Starter

  • Members
  • 74 posts

Posted 17 February 2013 - 01:47 PM

Here we go. There are three physical drives in the computer: one has Windows 7 Home (what I am trying to recover) and one has my old Windows 7 Ultimate RC. The third has no OS. Early in the recovery process Windows System Repair did seem to create a partition called "System Reserved".
 
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-02-2013
Ran by SYSTEM at 2013-02-18 10:13:54 Run:1
Running from H:\
 
==============================================
 
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\Malwarebytes Anti-Malware Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\Malwarebytes Anti-Malware (cleanup) Value deleted successfully.
MBRDUMP.txt is made successfully.
 
==== End of Fixlog ====

Attached Files
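Since the fix above dumps the MBR of Disk 0 so that it can be inspected, here is an added Python example (my own, not part of this thread, of FRST or of MBRFix) showing what such an inspection checks: the 0x55AA boot signature, the four partition entries (active flag, type, start LBA, size), that exactly one partition is active, that no partitions overlap, and whether a hash of the 446-byte boot code matches a known-good value. The 512-byte sector is constructed inside the script so it runs offline; its boot code is filler, so its hash serves as the known-good value only for this demo and is not a real Windows 7 MBR hash. The loader assumes MBRDUMP.txt holds either the raw sector or a hex-text rendering of it; the thread does not show the file's exact layout.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"          # bytes 510..511


def build_sample_mbr():
    """Constructed sample: one active 100 MB NTFS partition at LBA 2048 followed by a
    second NTFS partition, mirroring the layout FRST reported for Disk 1 in this thread.
    The boot code is a typical prologue followed by NOP filler, not real Windows code."""
    boot_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (PART_TABLE_OFFSET - 7)

    def entry(active, ptype, lba, count):
        return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)

    table = entry(True, 0x07, 2048, 204800) + entry(False, 0x07, 206848, 124_000_000) + bytes(32)
    return boot_code + table + SIGNATURE


def decode_dump(raw):
    """Accept the raw 512-byte sector or a hex-text dump of it (assumed MBRDUMP.txt forms)."""
    if len(raw) == MBR_SIZE:
        return raw
    text = "".join(raw.decode("ascii", "ignore").split())
    if len(text) == MBR_SIZE * 2 and all(c in "0123456789abcdefABCDEF" for c in text):
        return bytes.fromhex(text)
    raise ValueError("not a 512-byte MBR or a hex-text rendering of one")


def load_mbr(path):
    with open(path, "rb") as fh:
        return decode_dump(fh.read())


def parse_mbr(data):
    """Split an MBR into its boot-code hash and the non-empty partition entries."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if data[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(ENTRY_FMT, data, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:               # empty slot
            continue
        partitions.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count,
                           "size_mb": count * 512 // (1024 * 1024)})
    return {"boot_code_sha256": hashlib.sha256(data[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def check_mbr(data, known_good_hashes):
    """Return (parsed info, list of findings). Empty findings = nothing unusual seen."""
    info = parse_mbr(data)
    findings = []
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("boot-code-hash-unknown")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("active-partition-count-%d" % len(active))
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_s1, e1), (s2, _e2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append("overlapping-partitions")
            break
    return info, findings


if __name__ == "__main__":
    sample = build_sample_mbr()
    good = {parse_mbr(sample)["boot_code_sha256"]}     # demo baseline, recorded from the clean sample
    info, findings = check_mbr(sample, good)
    for p in info["partitions"]:
        print(p)
    print("findings:", findings)
```

In practice the known-good set would hold hashes of the boot code from a clean install of the same Windows version, and a dump whose partition table looks right but whose boot code hashes to something else is the case this check is designed to surface.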



#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,297 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 17 February 2013 - 02:28 PM

Would you be able to disconnect the two physical drives we are not working on? Then run FRST once again to obtain a report from that drive only.




#8 yb125

yb125
  • Topic Starter

  • Members
  • 74 posts

Posted 17 February 2013 - 02:29 PM

No problem.



#9 yb125

yb125
  • Topic Starter

  • Members
  • 74 posts

Posted 17 February 2013 - 02:45 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-02-2013
Ran by SYSTEM at 18-02-2013 11:32:59
Running from F:\
Windows 7 Home Premium   (X64) OS Language: English(US) 
The current controlset is ControlSet001
 
==================== Registry (Whitelisted) ===================
 
HKLM\...\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe" [415816 2010-02-18] (Logitech Inc.)
HKLM\...\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE [4271688 2010-02-18] (Logitech Inc.)
HKLM\...\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2093128 2010-02-18] (Logitech Inc.)
HKLM\...\Run: [MsmqIntCert] regsvr32 /s mqrt.dll [x]
HKLM\...\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe [660360 2007-05-31] (Microsoft Corporation)
HKLM-x32\...\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe" [37888 2010-01-13] (Nullsoft, Inc.)
HKLM-x32\...\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [85160 2009-06-17] (Elaborate Bytes AG)
HKLM-x32\...\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r [2583040 2009-09-21] (VIA)
HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [300472 2010-05-12] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [288080 2009-07-17] (Microsoft Corporation)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1230704 2011-03-21] ()
HKLM-x32\...\Run: [QuickTime Task] "F:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [x]
HKLM-x32\...\Run: [iTunesHelper] "F:\Program Files (x86)\iTunes\iTunesHelper.exe" [x]
HKLM-x32\...\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\ssmmgr.exe /autorun [614400 2009-08-28] ()
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NoteBurner] f:\Program Files (x86)\NoteBurner\VTBurnerGUI.exe /silence [x]
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3147384 2012-12-11] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [TkBellExe] "f:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [x]
HKU\Nissah\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [x]
HKU\Nissah\...\Run: [Google Update] "C:\Users\Nissah\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-03-04] (Google Inc.)
HKU\Nissah\...\Run: [DirectPlayerCore] "f:\Program Files (x86)\NBC Direct\DirectPlayerCore.exe" [x]
HKU\Nissah\...\Run: [Steam] "D:\Program Files (x86)\Steam\Steam.exe" -silent [x]
HKU\Nissah\...\Run: [SansaDispatch] C:\Users\Nissah\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2011-07-21] (SanDisk Corporation)
HKU\Nissah\...\Run: [DW7] "C:\Program Files (x86)\The Weather Channel\The Weather Channel App\TWCApp.exe" [13102080 2013-02-04] (The Weather Channel)
HKU\Nissah\...\Run: [chromium] C:\Users\Nissah\AppData\Local\Google\Chrome\Application\chrome.exe --no-startup-window [1248208 2013-01-25] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 132.239.0.252 128.54.16.2
Startup: C:\Users\Nissah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
 
==================== Services (Whitelisted) ===================
 
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814904 2012-11-15] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
2 MSMQ; C:\Windows\System32\mqsvc.exe [9216 2009-07-13] (Microsoft Corporation)
2 MSMQTriggers; C:\Windows\System32\mqtgsvc.exe [189440 2010-11-20] (Microsoft Corporation)
2 RealNetworks Downloader Resolver Service; "C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe" [38608 2012-11-29] ()
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
2 NMSAccess64; C:\Program Files\CDBurnerXP2\NMSAccessU.exe [x]
 
==================== Drivers (Whitelisted) =====================
 
1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-15] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-02] (AVG Technologies CZ, s.r.o.)
0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-21] (AVG Technologies CZ, s.r.o.)
0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111968 2012-11-15] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-14] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-21] (AVG Technologies CZ, s.r.o.)
3 DbusAudio; C:\Windows\System32\Drivers\DbusAudio.sys [34040 2011-12-19] (Windows ® Win 7 DDK provider)
3 elxstor; C:\Windows\System32\Drivers\elxstor.sys [530496 2009-07-13] ()
3 EthDriver; C:\Windows\System32\DRIVERS\TEGPCI.sys [88064 2007-05-11] ()
3 irsir; C:\Windows\System32\Drivers\irsir.sys [27648 2008-01-19] (Microsoft Corporation)
3 MQAC; C:\Windows\System32\Drivers\MQAC.sys [189440 2009-07-13] (Microsoft Corporation)
0 speedfan; C:\Windows\SysWow64\speedfan.sys [14104 2007-02-07] (Windows ® Server 2003 DDK provider)
2 SSPORT; C:\Windows\SysWow64\Drivers\SSPORT.sys [11576 2009-08-26] (Samsung Electronics)
3 StarOpen; C:\Windows\System32\Drivers\StarOpen.sys [5504 2009-11-12] ()
3 StarOpen; C:\Windows\SysWow64\Drivers\StarOpen.sys [7168 2009-11-12] ()
3 cpuz132; \??\C:\Users\Nissah\AppData\Local\Temp\cpuz132\cpuz132_x64.sys [x]
2 DgiVecp; \??\C:\Windows\system32\Drivers\DgiVecp.sys [x]
 
==================== NetSvcs (Whitelisted) ====================
 
 
==================== One Month Created Files and Folders ========
 
2013-02-17 06:59 - 2013-02-17 06:59 - 00000000 ____D C:\FRST
2013-02-12 19:27 - 2013-02-12 19:27 - 00000000 __SHD C:\found.000
2013-02-11 20:07 - 2013-02-11 20:07 - 00000000 ____D C:\Users\Nissah\AppData\Roaming\RealNetworks
2013-02-11 20:06 - 2013-02-11 20:06 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00201424 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00000995 ____A C:\Users\Public\Desktop\RealPlayer.lnk
2013-02-11 20:06 - 2013-02-11 20:06 - 00000000 ____D C:\Program Files (x86)\RealNetworks
2013-02-11 20:05 - 2013-02-12 12:43 - 00000000 ____D C:\Users\Nissah\Documents\?4
2013-02-11 20:05 - 2013-02-11 20:05 - 00765104 ____A (RealNetworks, Inc.) C:\Users\Nissah\Downloads\RealPlayer (3).exe
2013-02-11 20:04 - 2013-02-11 20:04 - 39447008 ____A (RealNetworks, Inc.) C:\Users\Nissah\Downloads\RealPlayer (2).exe
2013-02-11 19:58 - 2013-02-11 19:58 - 00765104 ____A (RealNetworks, Inc.) C:\Users\Nissah\Downloads\RealPlayer (1).exe
2013-02-06 18:46 - 2013-02-06 18:46 - 00000000 ____D C:\Users\Nissah\Documents\????
2013-02-01 17:54 - 2013-02-01 17:54 - 00000000 ____D C:\Users\Nissah\Documents\????
 
==================== One Month Modified Files and Folders =======
 
2013-02-17 06:59 - 2013-02-17 06:59 - 00000000 ____D C:\FRST
2013-02-16 22:49 - 2010-08-13 16:38 - 00000000 ____D C:\Users\Nissah\AppData\Local\Windows Server
2013-02-12 20:00 - 2012-10-10 07:32 - 03914096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-02-12 20:00 - 2011-07-01 05:35 - 00337408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll
2013-02-12 19:58 - 2011-07-01 05:35 - 00503296 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2013-02-12 19:56 - 2011-04-13 23:54 - 00518672 ____A (Microsoft Corporation) C:\Windows\System32\winresume.exe
2013-02-12 19:56 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\bg-BG
2013-02-12 19:56 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\AdvancedInstallers
2013-02-12 19:27 - 2013-02-12 19:27 - 00000000 __SHD C:\found.000
2013-02-12 19:22 - 2010-03-03 18:33 - 01168976 ____A C:\Windows\WindowsUpdate.log
2013-02-12 19:22 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\inetsrv
2013-02-12 19:21 - 2009-07-13 20:51 - 03684386 ____A C:\Windows\setupact.log
2013-02-12 19:11 - 2012-07-14 15:50 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-02-12 19:11 - 2012-07-14 15:50 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-02-12 18:48 - 2010-03-04 12:03 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-937359758-3070799903-2594050803-1001UA.job
2013-02-12 18:10 - 2012-08-19 23:12 - 00000826 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-02-12 18:10 - 2009-07-13 20:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-02-12 18:10 - 2009-07-13 20:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-02-12 18:08 - 2009-07-13 21:13 - 00864940 ____A C:\Windows\System32\PerfStringBackup.INI
2013-02-12 18:06 - 2011-04-24 17:54 - 00000000 ____D C:\ProgramData\MFAData
2013-02-12 18:03 - 2010-03-03 18:32 - 00000000 ____D C:\users\Nissah
2013-02-12 18:02 - 2012-09-05 19:31 - 00000000 ____D C:\ProgramData\NVIDIA
2013-02-12 18:02 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-02-12 18:01 - 2011-12-16 22:03 - 00000000 ____D C:\ProgramData\Real
2013-02-12 18:01 - 2011-10-16 10:59 - 00000000 ____D C:\users\DefaultAppPool
2013-02-12 18:01 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-02-12 15:01 - 2011-10-13 07:00 - 00000099 ____A C:\Users\Public\LMDebug.log
2013-02-12 12:43 - 2013-02-11 20:05 - 00000000 ____D C:\Users\Nissah\Documents\?4
2013-02-12 09:06 - 2012-12-12 11:39 - 00000965 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2013-02-12 08:17 - 2010-03-04 22:41 - 00000000 ____D C:\Users\Nissah\AppData\Roaming\NBC Direct
2013-02-12 08:17 - 2010-03-04 12:03 - 00000000 ____D C:\Users\Nissah\AppData\Local\Deployment
2013-02-12 00:04 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-02-11 21:01 - 2012-09-07 09:07 - 00000773 ____A C:\Users\Public\Desktop\World of Warcraft.lnk
2013-02-11 20:07 - 2013-02-11 20:07 - 00000000 ____D C:\Users\Nissah\AppData\Roaming\RealNetworks
2013-02-11 20:07 - 2011-12-16 22:03 - 00000000 ____D C:\Users\Nissah\AppData\Roaming\Real
2013-02-11 20:06 - 2013-02-11 20:06 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00201424 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2013-02-11 20:06 - 2013-02-11 20:06 - 00000995 ____A C:\Users\Public\Desktop\RealPlayer.lnk
2013-02-11 20:06 - 2013-02-11 20:06 - 00000000 ____D C:\Program Files (x86)\RealNetworks
2013-02-11 20:06 - 2011-12-16 22:03 - 00000000 ____D C:\Program Files (x86)\Real
2013-02-11 20:06 - 2011-08-16 10:48 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2013-02-11 20:06 - 2011-05-27 11:12 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2013-02-11 20:05 - 2013-02-11 20:05 - 00765104 ____A (RealNetworks, Inc.) C:\Users\Nissah\Downloads\RealPlayer (3).exe
2013-02-11 20:04 - 2013-02-11 20:04 - 39447008 ____A (RealNetworks, Inc.) C:\Users\Nissah\Downloads\RealPlayer (2).exe
2013-02-11 19:58 - 2013-02-11 19:58 - 00765104 ____A (RealNetworks, Inc.) C:\Users\Nissah\Downloads\RealPlayer (1).exe
2013-02-11 14:29 - 2010-03-04 12:03 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-937359758-3070799903-2594050803-1001Core.job
2013-02-06 18:46 - 2013-02-06 18:46 - 00000000 ____D C:\Users\Nissah\Documents\????
2013-02-04 10:36 - 2012-09-05 19:50 - 00001308 ____A C:\Users\Public\Desktop\The Weather Channel App.lnk
2013-02-02 11:33 - 2010-03-03 18:55 - 00042252 ____A C:\Windows\PFRO.log
2013-02-01 22:45 - 2010-03-04 12:04 - 00002370 ____A C:\Users\Nissah\Desktop\Google Chrome.lnk
2013-02-01 17:54 - 2013-02-01 17:54 - 00000000 ____D C:\Users\Nissah\Documents\????
2013-01-26 21:10 - 2012-09-26 13:10 - 00000000 ____D C:\Users\Nissah\AppData\Roaming\Mumble
2013-01-23 09:56 - 2012-12-13 06:08 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-01-23 09:56 - 2011-06-13 16:53 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-01-21 15:07 - 2012-12-12 11:36 - 00000000 ____D C:\Users\Nissah\AppData\Local\Avg2013
2013-01-19 10:35 - 2013-01-18 08:56 - 00000298 ____A C:\Windows\Tasks\ROC_REG_JAN_DELETE.job
 
 
==================== Known DLLs (Whitelisted) =================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 28%
Total physical RAM: 1791.3 MB
Available physical RAM: 1288.74 MB
Total Pagefile: 1791.3 MB
Available Pagefile: 1268.49 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
 
==================== Partitions =============================
 
2 Drive c: () (Fixed) (Total:59.53 GB) (Free:3.84 GB) NTFS
4 Drive f: () (Removable) (Total:0.99 GB) (Free:0.99 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online           59 GB      0 B         
  Disk 1    Online         1012 MB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: F20F44B8
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            100 MB  1024 KB
  Partition 2    Primary             59 GB   101 MB
 
==================================================================================
 
Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   System Rese  NTFS   Partition    100 MB  Healthy            
 
=========================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition     59 GB  Healthy            
 
=========================================================
 
Partitions of Disk 1:
===============
 
Disk ID: 014AFC6C
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1012 MB    16 KB
 
==================================================================================
 
Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F                FAT    Removable   1012 MB  Healthy            
 
=========================================================
 
Last Boot: 2013-02-03 16:55
 
==================== End Of Log =============================


#10 JSntgRvr (Malware Response Team)

Posted 17 February 2013 - 04:10 PM

Let's review the status of these partitions. Remember, just the drive we are working on.

 

For x86 (x32) bit systems please download  Listparts
For x64 bit systems please download  Listparts64
and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on  Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\ListParts.exe (for x64 bit version type e:\ListParts64.exe)  and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Put check mark on List BCD.
  • Press Scan button.
  • It will make a log (Result.txt) in the flash drive. Please copy and paste it to your reply.

 

 


No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 yb125 (Topic Starter)

Posted 17 February 2013 - 05:22 PM

ListParts by Farbar Version: 16-01-2013
Ran by SYSTEM (administrator) on 18-02-2013 at 14:10:02
Windows 7 (X64)
Running From: F:\
Language: 0409
************************************************************
 
========================= Memory info ====================== 
 
Percentage of memory in use: 19%
Total physical RAM: 1791.3 MB
Available physical RAM: 1442.48 MB
Total Pagefile: 1791.3 MB
Available Pagefile: 1415.96 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB
 
======================= Partitions =========================
 
2 Drive c: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive d: () (Fixed) (Total:59.53 GB) (Free:3.65 GB) NTFS
5 Drive f: () (Removable) (Total:0.99 GB) (Free:0.99 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online           59 GB      0 B         
  Disk 1    Online         1012 MB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: F20F44B8
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            100 MB  1024 KB
  Partition 2    Primary             59 GB   101 MB
 
======================================================================================================
 
Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   System Rese  NTFS   Partition    100 MB  Healthy            
 
======================================================================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D                NTFS   Partition     59 GB  Healthy            
 
======================================================================================================
 
Partitions of Disk 1:
===============
 
Disk ID: 014AFC6C
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1012 MB    16 KB
 
======================================================================================================
 
Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F                FAT    Removable   1012 MB  Healthy            
 
======================================================================================================
 
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
path                    \bootmgr
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {33b413d6-2735-11df-a0d8-821de052a339}
displayorder            {default}
                        {33b413da-2735-11df-a0d8-821de052a339}
                        {33b413db-2735-11df-a0d8-821de052a339}
toolsdisplayorder       {memdiag}
timeout                 30
 
Windows Boot Loader
-------------------
identifier              {default}
device                  partition=D:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {current}
recoveryenabled         Yes
osdevice                partition=D:
systemroot              \Windows
resumeobject            {33b413d6-2735-11df-a0d8-821de052a339}
nx                      OptIn
 
Windows Boot Loader
-------------------
identifier              {current}
device                  ramdisk=[D:]\Recovery\33b413d8-2735-11df-a0d8-821de052a339\Winre.wim,{33b413d9-2735-11df-a0d8-821de052a339}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[D:]\Recovery\33b413d8-2735-11df-a0d8-821de052a339\Winre.wim,{33b413d9-2735-11df-a0d8-821de052a339}
systemroot              \windows
nx                      OptIn
winpe                   Yes
 
Windows Boot Loader
-------------------
identifier              {33b413da-2735-11df-a0d8-821de052a339}
device                  unknown
path                    \old_pc\Windows\system32\winload.exe
description             Windows 7 Home Premium (recovered) 
locale                  en-US
osdevice                unknown
systemroot              \old_pc\Windows
 
Windows Boot Loader
-------------------
identifier              {33b413db-2735-11df-a0d8-821de052a339}
device                  unknown
path                    \Windows\system32\winload.exe
description             Windows 7 Ultimate (recovered) 
locale                  en-US
osdevice                unknown
systemroot              \Windows
resumeobject            {bdc67ec0-7738-11e2-a8c1-806e6f6e6963}
 
Windows Boot Loader
-------------------
identifier              {33b413dc-2735-11df-a0d8-821de052a339}
 
Resume from Hibernate
---------------------
identifier              {33b413d6-2735-11df-a0d8-821de052a339}
device                  partition=D:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=D:
filepath                \hiberfil.sys
debugoptionenabled      No
 
Resume from Hibernate
---------------------
identifier              {bdc67ec0-7738-11e2-a8c1-806e6f6e6963}
device                  unknown
path                    \Windows\system32\winresume.exe
description             Windows 7 Ultimate (recovered) 
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              unknown
filepath                \hiberfil.sys
debugoptionenabled      No
 
Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes
 
EMS Settings
------------
identifier              {emssettings}
bootems                 Yes
 
Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200
 
RAM Defects
-----------
identifier              {badmemory}
 
Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
 
Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}
 
Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200
 
Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}
 
Device options
--------------
identifier              {33b413d9-2735-11df-a0d8-821de052a339}
description             Ramdisk Options
ramdisksdidevice        partition=D:
ramdisksdipath          \Recovery\33b413d8-2735-11df-a0d8-821de052a339\boot.sdi
 
Device options
--------------
identifier              {33b413dd-2735-11df-a0d8-821de052a339}
ramdisksdidevice        unknown
ramdisksdipath          \Recovery\53b88e7e-3fc4-11de-b545-d6c8d3def4fe\boot.sdi
 
 
****** End Of Log ****** 
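How to read a List BCD section like the one above, as an added example (my code, not ListParts' or bcdedit's): bcdedit prints one block per object, a title line, a dashed rule, then key/value pairs, with indented continuation lines for multi-valued fields such as displayorder. The parser below turns that into a dictionary and then reports the objects whose device fields came back as "unknown" (the boot manager could not map them to a volume), the objects that contain nothing but an identifier, and what the boot menu will offer. SAMPLE_LISTING is abbreviated from the listing in the post above, with the same identifiers but fewer entries and fields; the parse logic and the checks are mine.

```python
# Added example: parse a bcdedit-style "List BCD" section and flag entries the boot
# manager cannot resolve.  Not ListParts code.  SAMPLE_LISTING is abbreviated from
# the listing in the post above (real identifiers, fewer entries and fields).
import re

SAMPLE_LISTING = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
path                    \bootmgr
description             Windows Boot Manager
default                 {default}
displayorder            {default}
                        {33b413da-2735-11df-a0d8-821de052a339}
                        {33b413db-2735-11df-a0d8-821de052a339}

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=D:
path                    \Windows\system32\winload.exe
description             Windows 7
osdevice                partition=D:

Windows Boot Loader
-------------------
identifier              {33b413da-2735-11df-a0d8-821de052a339}
device                  unknown
path                    \old_pc\Windows\system32\winload.exe
description             Windows 7 Home Premium (recovered)
osdevice                unknown

Windows Boot Loader
-------------------
identifier              {33b413db-2735-11df-a0d8-821de052a339}
device                  unknown
description             Windows 7 Ultimate (recovered)
osdevice                unknown

Windows Boot Loader
-------------------
identifier              {33b413dc-2735-11df-a0d8-821de052a339}

Device options
--------------
identifier              {33b413dd-2735-11df-a0d8-821de052a339}
ramdisksdidevice        unknown
ramdisksdipath          \Recovery\53b88e7e-3fc4-11de-b545-d6c8d3def4fe\boot.sdi
"""

DEVICE_KEYS = ("device", "osdevice", "filedevice", "ramdisksdidevice")
FIELD = re.compile(r"(\S+)\s{2,}(.+)$")  # "key<two or more spaces>value"


def parse_bcd_listing(text: str) -> dict:
    """Map identifier -> {field: [values]}; '_type' holds the section title."""
    entries, current, last_key = {}, None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue
        if line[0].isspace():  # continuation of a multi-valued field (displayorder)
            if current is not None and last_key is not None:
                current[last_key].append(stripped)
            continue
        m = FIELD.match(line)
        if not m:  # a title such as "Windows Boot Loader" starts a new object
            current, last_key = {"_type": stripped}, None
            continue
        if current is None:
            current = {"_type": "?"}
        key, value = m.group(1), m.group(2).strip()
        current.setdefault(key, []).append(value)
        last_key = key
        if key == "identifier":
            entries[value] = current
    return entries


def first(entry: dict, key: str):
    vals = entry.get(key)
    return vals[0] if vals else None


def unresolved_entries(entries: dict) -> list:
    """Identifiers with a device field that bcdedit printed as 'unknown'."""
    return [i for i, e in entries.items()
            if any(first(e, k) == "unknown" for k in DEVICE_KEYS)]


def empty_entries(entries: dict) -> list:
    """Identifiers that carry nothing but their own identifier."""
    return [i for i, e in entries.items() if set(e) <= {"_type", "identifier"}]


def menu_entries(entries: dict, bootmgr: str = "{bootmgr}") -> list:
    """(identifier, description, resolvable) for each displayorder item."""
    bad = set(unresolved_entries(entries))
    return [(i, first(entries.get(i, {}), "description"), i not in bad)
            for i in entries.get(bootmgr, {}).get("displayorder", [])]
```

In this listing {bootmgr} sits on partition=C: and {default} on partition=D:, which are the System Reserved and Windows volumes as WinRE lettered them (C: and D: in the Partitions section of this log, Y: and C: when FRST ran earlier), so the entry that normally boots does resolve. The unresolved objects are the two "(recovered)" loaders, the {33b413dc-...} object that has no data, and a Device options object whose ramdisk path names a different recovery GUID. Spotting them is the point of the script; what to do about them depends on the rest of the review.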


#12 JSntgRvr (Malware Response Team)

Posted 17 February 2013 - 09:46 PM

Seems you have run out of space. I will consult these results with an expert.

 

Open notepad (Start =>All Programs => Accessories =>Notepad). Please copy the entire contents of the quote box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flash drive as fixlist.txt
 

start
SaveMbr: Drive=0
end



NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.



Insert the USB drive into the ailing computer.

Now please enter System Recovery Options and run FRST64 as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and Paste the contents of the Fixlog.txt in your next reply, but attach the MBRDUMP.txt as it is a hex file.




#13 yb125 (Topic Starter)

Posted 17 February 2013 - 10:25 PM

OK, here we go. If I need to make space on the drive, that is not a problem.

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-02-2013
Ran by SYSTEM at 2013-02-18 19:14:22 Run:2
Running from F:\
 
==============================================
 
MBRDUMP.txt is made successfully.
 
==== End of Fixlog ====

Attached Files



#14 JSntgRvr (Malware Response Team)

Posted 17 February 2013 - 11:33 PM

The MBR looks clear. Will post back as soon as I receive an answer from my colleague.


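What "the MBR looks clear" involves, as an added example (my code, not FRST's or the thread's): sector 0 of the disk holds 440 bytes of boot code, the 4-byte disk signature that ListParts prints as Disk ID, four 16-byte partition entries and the 0x55AA marker. The script parses those fields, checks the things a bootkit or a botched repair would disturb (missing marker, more than one active partition, overlapping entries, boot code without the stock Windows error strings) and compares the table against the rows ListParts printed for Disk 0 above. The sample sector is constructed to match that listing: Disk ID F20F44B8, a type 07 active partition at 1024 KB of 100 MB, a type 07 inactive partition at 101 MB. Its boot code is placeholder bytes and the second partition's length is made up.

```python
# Added example: parse and sanity-check the 512-byte sector that SaveMbr dumps.
# This is not FRST code.  The sample sector at the bottom is constructed to match
# the partition table ListParts printed for Disk 0; its boot code is a placeholder.
import hashlib
import itertools
import struct
from dataclasses import dataclass

SECTOR = 512
DISK_SIG_OFF = 0x1B8    # 4-byte NT disk signature ("Disk ID" in ListParts)
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"  # last two bytes of every valid MBR

# The stock Windows Vista/7 MBR code carries these error strings.  A bootkit that
# overwrites the code usually drops them, so absence is a red flag; presence alone
# proves nothing, hence the code hash below for a known-good comparison.
WINDOWS_MBR_STRINGS = (b"Invalid partition table",
                       b"Error loading operating system",
                       b"Missing operating system")


@dataclass
class PartitionEntry:
    index: int      # 1..4, numbered as ListParts/diskpart do
    status: int     # 0x80 active, 0x00 inactive, anything else is corrupt
    type_code: int  # 0x07 NTFS/exFAT, 0x06 FAT16, ...
    lba_start: int
    sectors: int

    @property
    def active(self) -> bool:
        return self.status == 0x80

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors - 1

    @property
    def size_mb(self) -> float:
        return self.sectors * SECTOR / (1024 * 1024)


def parse_mbr(raw: bytes):
    """Return (disk_signature, [PartitionEntry, ...]) from a raw 512-byte sector."""
    if len(raw) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(raw)}")
    if raw[-2:] != BOOT_SIG:
        raise ValueError("no 0x55AA boot signature: not an MBR")
    disk_sig = struct.unpack_from("<I", raw, DISK_SIG_OFF)[0]
    entries = []
    for i in range(4):
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, length
        status, type_code, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", raw, PART_TABLE_OFF + 16 * i)
        if type_code == 0 and sectors == 0:
            continue  # empty slot
        entries.append(PartitionEntry(i + 1, status, type_code, lba_start, sectors))
    return disk_sig, entries


def audit_mbr(raw: bytes) -> list:
    """Return findings as strings; an empty list means nothing looked off."""
    findings = []
    _, entries = parse_mbr(raw)
    if not all(s in raw[:DISK_SIG_OFF] for s in WINDOWS_MBR_STRINGS):
        findings.append("boot code lacks the stock Windows MBR error strings")
    active = [e for e in entries if e.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    for e in entries:
        if e.status not in (0x00, 0x80):
            findings.append(f"partition {e.index}: bogus status byte 0x{e.status:02x}")
    for a, b in itertools.combinations(entries, 2):
        if a.lba_start <= b.lba_end and b.lba_start <= a.lba_end:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def boot_code_sha256(raw: bytes) -> str:
    """Hash of the code area only, to compare with a dump from a known-clean install."""
    return hashlib.sha256(raw[:DISK_SIG_OFF]).hexdigest()


def matches_listparts(entries, rows) -> bool:
    """Check parsed entries against (type, active, offset_kb) rows read off ListParts."""
    return len(entries) == len(rows) and all(
        e.type_code == t and e.active == a and e.lba_start == off_kb * 2
        for e, (t, a, off_kb) in zip(entries, rows))


# Rows transcribed from the Disk 0 listing above: type 07 active at 1024 KB and
# type 07 inactive at 101 MB.  The second length (about 59.5 GB) is made up.
LISTPARTS_DISK0 = [(0x07, True, 1024), (0x07, False, 101 * 1024)]
SAMPLE_DISK_ID = 0xF20F44B8
SAMPLE_PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 124834816)]


def build_sample_mbr(disk_id: int, parts) -> bytes:
    """Construct a test sector: placeholder code bytes plus the Windows strings."""
    buf = bytearray(SECTOR)
    buf[0:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e"
    blob = b"\x00".join(WINDOWS_MBR_STRINGS) + b"\x00"
    buf[0x150:0x150 + len(blob)] = blob
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_id)
    for i, (status, type_code, lba_start, sectors) in enumerate(parts):
        struct.pack_into("<B3xB3xII", buf, PART_TABLE_OFF + 16 * i,
                         status, type_code, lba_start, sectors)
    buf[-2:] = BOOT_SIG
    return bytes(buf)
```

Feed parse_mbr and audit_mbr the 512 raw bytes of sector 0. The post above describes MBRDUMP.txt as a hex file; if the dump you have is a hex listing rather than raw bytes, turn the hex digits back into bytes with bytes.fromhex before parsing. The error-string test is only a heuristic, since a bootkit can keep the strings while replacing the code around them; the check to trust is comparing boot_code_sha256 against the same sector dumped from a known-clean Windows 7 install of the same version.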


#15 yb125 (Topic Starter)

Posted 17 February 2013 - 11:51 PM

Thanks





