
windows 7 startup repair virus


11 replies to this topic

#1 kgoolsby


Posted 28 February 2013 - 06:31 AM

Hi. I've read on this forum about other people getting this startup repair virus. It runs in safe mode. I can't get around it. It's on my daughter's laptop, making it literally unusable. I'm hoping for the same quality help that has been provided to other members. I downloaded the Farbar Recovery Scan Tool and used it on her laptop. I have the text file on the thumb drive. I can't get to the internet from her laptop. I want to use it on my laptop to send info to you, but I'm worried that the thumb drive is vulnerable to infection. I tried making a system image of my laptop, but 1) it was going to take about 20 DVDs, 2) the first 2 encountered errors trying to write, so 3) I would like to not have to take the time to do that. I will take a system restore point before attaching the thumb drive. Am I worrying too much about possibly infecting my computer? Thanks in advance.

 


*Moderator Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Queen-Evie*


 


Edited by Queen-Evie, 28 February 2013 - 08:41 AM.




#2 Broni


Posted 28 February 2013 - 05:39 PM

Welcome aboard

 

I'll report this topic to appropriate helpers.

Hold on...



 


#3 JSntgRvr


Posted 28 February 2013 - 06:32 PM

Format the flash drive. That will erase everything on it. Run FRST once again and post its report.



#4 boopme


Posted 28 February 2013 - 07:30 PM

Hello, just letting you know I moved this to the Virus, Trojan, Spyware, and Malware Removal Logs forum, where it will stay.



#5 kgoolsby


Posted 28 February 2013 - 07:50 PM

I did some exploring while I was on my daughter's computer at the command prompt. The default directory is x:\windows\system32. When I switch to the C: drive, it's empty and says it's "SYSTEM RESERVED". My laptop doesn't say that when I do a dir. I've attached the frst.txt file. My computer is an eMachines, which I think is from Acer. I've seen that Acer normally has an x: partition.

Attached File: FRST.txt (29.26 KB)

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-02-2013 01
Ran by SYSTEM at 26-02-2013 20:56:28
Running from G:\
Windows 7 Home Premium  Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [2589992 2011-04-05] (ELAN Microelectronics Corp.)
HKLM\...\Run: [Power Management] C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe [1796200 2011-02-22] (Acer Incorporated)
HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [1092688 2011-03-31] (Dritek System Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2011-01-11] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Memeo Instant Backup] C:\Program Files (x86)\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui [136416 2010-12-10] (Memeo Inc.)
HKLM-x32\...\Run: [Seagate Dashboard] C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui [79112 2010-12-14] ()
HKLM-x32\...\Run: [iolo Startup] "C:\Program Files (x86)\iolo\Common\Lib\ioloLManager.exe" [606392 2011-08-08] (iolo technologies, LLC)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1561768 2012-05-04] (Ask)
HKLM-x32\...\Run: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe" [82792 2012-12-10] (Sendori, Inc.)
HKLM-x32\...\Run: [SMessaging] C:\Users\Arianne Goolsby\AppData\Local\Strongvault Online Backup\SMessaging.exe [31664 2012-04-04] (Stronghold Online Backup)
HKLM-x32\...\Run: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE [1683456 2013-02-14] (Bandoo Media Inc)
HKU\Arianne Goolsby\...\Run: [DriverScanner] "C:\Program Files (x86)\Uniblue\DriverScanner\launcher.exe" delay 20000  [338848 2012-07-10] (Uniblue Systems Limited)
HKU\Arianne Goolsby\...\Run: [Google Update] "C:\Users\Arianne Goolsby\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-12-15] (Google Inc.)
HKU\Arianne Goolsby\...\Run: [Messenger] "C:\Program Files (x86)\Strongvault Online Backup\SMessenger.exe" [209856 2012-12-13] (Stronghold LLC)
HKU\Default\...\RunOnce: [ScrSav] C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe /default [154144 2010-07-29] ()
HKU\Default User\...\RunOnce: [ScrSav] C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe /default [154144 2010-07-29] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
AppInit_DLLs: C:\PROGRA~3\Wincert\WIN64C~1.DLL C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll
Tcpip\..\Interfaces\{025D9D59-04DC-4117-944D-D66D473651CD}: [NameServer]216.146.35.240,216.146.36.240,192.168.1.1
Startup: C:\ProgramData\Start Menu\Programs\Startup\StrongVaultApp.exe.lnk
ShortcutTarget: StrongVaultApp.exe.lnk -> C:\Users\Arianne Goolsby\AppData\Local\StrongVault\StrongVaultApp.exe ()
Startup: C:\Users\Arianne Goolsby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Arianne Goolsby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ===================

2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [118632 2012-12-10] (Sendori, Inc.)
2 DefaultTabSearch; C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe [568832 2012-11-13] ()
2 DefaultTabUpdate; "C:\Users\Arianne Goolsby\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe" [107520 2013-01-12] ()
2 ePowerSvc; C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe [873064 2011-02-22] (Acer Incorporated)
2 GREGService; C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [23584 2010-01-08] (Acer Incorporated)
2 ioloSystemService; "C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe" [722616 2011-08-08] (iolo technologies, LLC)
2 Live Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [244624 2011-01-31] (Acer Incorporated)
2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [14696 2012-12-10] (sendori)
2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3569512 2012-12-10] (Sendori)
2 vseamps; "C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe" [121152 2011-01-21] (Authentium, Inc)
2 vsedsps; "C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe" [119104 2011-01-21] (Authentium, Inc)
3 vseqrts; "C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe" [179008 2011-01-21] (Authentium, Inc)
2 CxAudMsg; C:\Windows\system32\CxAudMsg64.exe [x]

==================== Drivers (Whitelisted) =====================

2 AMP; C:\Windows\System32\Drivers\AMP.sys [173376 2011-01-21] (Authentium, Inc)
2 AMPSE; C:\Windows\System32\Drivers\AMPSE.sys [1465664 2011-01-21] (Authentium, Inc)
1 ElRawDisk; \??\C:\Windows\system32\drivers\ElRawDsk.sys [23464 2008-12-09] (EldoS Corporation)
1 FileDisk;  [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-02-25 13:54 - 2013-02-25 14:29 - 00015744 ____H C:\Users\Arianne Goolsby\Documents\~WRL1894.tmp
2013-02-25 13:41 - 2013-02-25 13:41 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{857772B6-62EA-4C51-98DB-88A378195A0D}
2013-02-24 20:15 - 2013-02-24 20:16 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{77A1615D-8EBF-4994-8DF6-F72C13F12F71}
2013-02-24 08:15 - 2013-02-24 08:15 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{428D80C0-994B-4857-AF57-5F48E61F97DA}
2013-02-23 07:19 - 2013-02-23 07:19 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{759FE643-7EBF-4B9A-B6E8-9B38E6A0D37D}
2013-02-22 19:00 - 2013-02-22 19:00 - 00016973 ____H C:\Users\Arianne Goolsby\Documents\~WRL2570.tmp
2013-02-22 11:43 - 2013-02-22 11:43 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{ACF68D43-66C0-4EA8-82EB-61B5916FEE54}
2013-02-21 17:09 - 2013-02-21 17:09 - 00000000 ____D C:\ProgramData\Browser Manager
2013-02-21 14:54 - 2013-02-21 14:56 - 00002157 ____A C:\Users\Arianne Goolsby\Desktop\Facebook.lnk
2013-02-21 14:54 - 2013-02-21 14:56 - 00002155 ____A C:\Users\Arianne Goolsby\Desktop\Youtube.lnk
2013-02-21 14:54 - 2013-02-21 14:56 - 00001332 ____A C:\Users\Arianne Goolsby\Desktop\Torch.lnk
2013-02-21 14:52 - 2013-02-21 14:55 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\Torch
2013-02-21 14:51 - 2013-02-21 14:51 - 00001068 ____A C:\Users\Arianne Goolsby\Desktop\iLivid.lnk
2013-02-21 14:48 - 2013-02-21 14:48 - 00000000 ____D C:\ProgramData\Wincert
2013-02-21 14:47 - 2013-02-21 14:47 - 00000000 ____D C:\ProgramData\boost_interprocess
2013-02-21 14:46 - 2013-02-21 14:51 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\iLivid
2013-02-21 14:46 - 2013-02-21 14:48 - 00000000 ____D C:\Program Files (x86)\Search Results Toolbar
2013-02-21 13:05 - 2013-02-21 13:06 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{8510D6B1-9647-4F8C-8CC6-6F3AB3EA9BED}
2013-02-20 14:05 - 2013-02-20 14:06 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{8582A957-D986-413B-A7F8-6476F3FF4F28}
2013-02-19 16:54 - 2013-02-19 16:54 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{81188C1E-7D63-4280-A3B2-7B82AAAE2626}
2013-02-19 04:54 - 2013-02-19 04:54 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{5A32C662-916D-4C11-8552-F7FBDB5398A6}
2013-02-18 08:10 - 2013-02-18 08:10 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{60C4F9A8-CC7A-4254-9691-B0E6C8373939}
2013-02-17 20:09 - 2013-02-17 20:09 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{64D80E71-CC5A-42CE-9DE4-A87478348DB3}
2013-02-17 08:09 - 2013-02-17 08:09 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{C1B9993B-9B4A-4B5D-A65E-E595F88A625F}
2013-02-16 18:36 - 2013-02-16 18:36 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{CFD74540-1CB1-47C1-B293-76AFE20AC386}
2013-02-16 06:32 - 2013-02-16 06:32 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{0BEA4EB9-D4FA-471E-9D92-4F32E7706578}
2013-02-15 18:31 - 2013-02-15 18:31 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{D9CE7765-188B-4516-A4A0-FD05568A3F6A}
2013-02-15 06:30 - 2013-02-15 06:30 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{60A04752-4644-435C-97E8-6C2925CA1099}
2013-02-14 13:22 - 2013-01-08 17:19 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-02-14 13:22 - 2013-01-08 17:12 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-02-14 13:22 - 2013-01-08 17:11 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-02-14 13:22 - 2013-01-08 17:10 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-02-14 13:22 - 2013-01-08 17:07 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-02-14 13:22 - 2013-01-08 17:06 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-02-14 13:22 - 2013-01-08 17:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-02-14 13:22 - 2013-01-08 17:04 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-02-14 13:22 - 2013-01-08 17:00 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-02-14 13:22 - 2013-01-08 14:03 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-02-14 13:22 - 2013-01-08 14:03 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-02-14 13:22 - 2013-01-08 14:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-02-14 13:22 - 2013-01-08 13:59 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-02-14 13:22 - 2013-01-08 13:58 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-02-14 13:22 - 2013-01-08 13:56 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-02-14 13:22 - 2013-01-08 13:56 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-02-14 13:22 - 2013-01-08 13:53 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-02-14 13:21 - 2013-01-08 17:48 - 17812992 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-02-14 13:21 - 2013-01-08 17:22 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-02-14 13:21 - 2013-01-08 17:12 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-02-14 13:21 - 2013-01-08 17:09 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-02-14 13:21 - 2013-01-08 17:07 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-02-14 13:21 - 2013-01-08 17:07 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-02-14 13:21 - 2013-01-08 17:05 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-02-14 13:21 - 2013-01-08 14:23 - 12321280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-02-14 13:21 - 2013-01-08 14:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-02-14 13:21 - 2013-01-08 14:09 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-02-14 13:21 - 2013-01-08 14:03 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-02-14 13:21 - 2013-01-08 14:00 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-02-14 13:21 - 2013-01-08 13:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-02-14 13:21 - 2013-01-08 13:57 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-02-14 13:21 - 2013-01-08 13:56 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-02-14 13:13 - 2013-02-14 13:13 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{8D3584F4-8FF3-4BB5-A477-062B2634BFFA}
2013-02-13 14:21 - 2013-01-04 21:53 - 05553512 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-02-13 14:21 - 2013-01-04 21:00 - 03967848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-02-13 14:21 - 2013-01-04 21:00 - 03913064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-02-13 14:21 - 2013-01-03 19:26 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-02-13 14:20 - 2013-01-03 21:46 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-02-13 14:20 - 2013-01-03 20:51 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-02-13 14:20 - 2013-01-03 18:47 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-02-13 14:20 - 2013-01-03 18:47 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-02-13 14:20 - 2013-01-03 18:47 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-02-13 14:20 - 2013-01-03 18:47 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-02-13 14:19 - 2013-01-02 22:00 - 01913192 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-02-13 14:19 - 2013-01-02 22:00 - 00288088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2013-02-13 14:01 - 2013-02-13 14:02 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{85A9CCA1-E1EB-4521-B268-94082B431400}
2013-02-12 12:45 - 2013-02-12 12:45 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{AC533C13-F090-4D06-8BFE-FC4799110830}
2013-02-11 12:28 - 2013-02-11 12:29 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{515C3B63-F4A2-4D18-ACDE-64F962F6E5E8}
2013-02-10 09:44 - 2013-02-10 09:44 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{5BB82DBC-F442-4275-901A-D55EFC98735B}
2013-02-09 14:04 - 2013-02-09 14:04 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{9EFC6CA1-A569-424E-A635-820598E46984}
2013-02-08 13:08 - 2013-02-08 13:09 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{65B2D88F-8806-4017-95C2-7854FC2B5371}
2013-02-07 16:43 - 2013-02-07 16:44 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{566ADABA-AA81-4BF3-B2DD-5D4CCF3AB12C}
2013-02-06 14:05 - 2013-02-06 14:05 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{35133672-5DC1-4440-B12F-69E4477B70E0}
2013-02-05 14:08 - 2013-02-05 14:08 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{9BDDA9A5-82E9-4F94-989D-AC2FC30C879B}
2013-02-04 13:11 - 2013-02-04 13:12 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{23A952AC-A420-4441-A5E4-B721C6D95CF5}
2013-02-03 18:49 - 2013-02-03 18:49 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{07ABB54E-BA2C-4E07-9F78-E413905895F1}
2013-02-03 06:49 - 2013-02-03 06:49 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{DB4A898B-CEDE-4395-A298-C5FC61D1CD84}
2013-02-02 18:48 - 2013-02-02 18:48 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{ABF3A085-D368-4879-9AC0-B2183003AB27}
2013-02-01 19:51 - 2013-02-01 19:51 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{38786ECC-D3EC-45C2-A58A-DDBCCFBFDBAC}
2013-01-31 14:17 - 2013-01-31 14:17 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{F34C22C1-227D-4F6C-B70B-6639CCC94312}
2013-01-30 14:06 - 2013-01-30 14:06 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{AEFE4A2E-C1FF-4821-9CD2-CA3E51C069E6}
2013-01-29 13:05 - 2013-01-29 13:05 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{55D78BBC-19AA-48C3-827F-4F9010CD46AE}
2013-01-28 14:08 - 2013-01-28 14:08 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{63751652-2F45-44DE-A7E1-B8AE9707BAC6}
2013-01-27 08:41 - 2013-01-27 08:41 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{8C83CC46-0C0C-4283-8281-006DA9519C8F}


==================== One Month Modified Files and Folders =======

2013-02-25 20:07 - 2012-10-21 14:42 - 00000360 ____A C:\Windows\Tasks\DriverScanner.job
2013-02-25 20:07 - 2011-04-22 13:56 - 01913171 ____A C:\Windows\WindowsUpdate.log
2013-02-25 20:05 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2013-02-25 19:45 - 2012-12-15 15:34 - 00000948 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2173615117-1529651052-3643563325-1000UA.job
2013-02-25 19:35 - 2011-10-01 16:16 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\CrashDumps
2013-02-25 16:34 - 2013-01-12 17:15 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\Strongvault Online Backup
2013-02-25 14:45 - 2012-12-15 15:34 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2173615117-1529651052-3643563325-1000Core.job
2013-02-25 14:45 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-02-25 14:45 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-02-25 14:30 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-02-25 14:30 - 2009-07-13 20:51 - 00086624 ____A C:\Windows\setupact.log
2013-02-25 14:29 - 2013-02-25 13:54 - 00015744 ____H C:\Users\Arianne Goolsby\Documents\~WRL1894.tmp
2013-02-25 14:17 - 2011-11-08 16:37 - 00000392 ____A C:\Windows\SysWOW64\iolo.ini.txt
2013-02-25 13:41 - 2013-02-25 13:41 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{857772B6-62EA-4C51-98DB-88A378195A0D}
2013-02-24 20:16 - 2013-02-24 20:15 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{77A1615D-8EBF-4994-8DF6-F72C13F12F71}
2013-02-24 08:15 - 2013-02-24 08:15 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{428D80C0-994B-4857-AF57-5F48E61F97DA}
2013-02-24 07:55 - 2012-12-15 15:36 - 00002432 ____A C:\Users\Arianne Goolsby\Desktop\Google Chrome.lnk
2013-02-23 07:19 - 2013-02-23 07:19 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{759FE643-7EBF-4B9A-B6E8-9B38E6A0D37D}
2013-02-22 19:00 - 2013-02-22 19:00 - 00016973 ____H C:\Users\Arianne Goolsby\Documents\~WRL2570.tmp
2013-02-22 11:43 - 2013-02-22 11:43 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{ACF68D43-66C0-4EA8-82EB-61B5916FEE54}
2013-02-21 17:09 - 2013-02-21 17:09 - 00000000 ____D C:\ProgramData\Browser Manager
2013-02-21 14:56 - 2013-02-21 14:54 - 00002157 ____A C:\Users\Arianne Goolsby\Desktop\Facebook.lnk
2013-02-21 14:56 - 2013-02-21 14:54 - 00002155 ____A C:\Users\Arianne Goolsby\Desktop\Youtube.lnk
2013-02-21 14:56 - 2013-02-21 14:54 - 00001332 ____A C:\Users\Arianne Goolsby\Desktop\Torch.lnk
2013-02-21 14:55 - 2013-02-21 14:52 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\Torch
2013-02-21 14:51 - 2013-02-21 14:51 - 00001068 ____A C:\Users\Arianne Goolsby\Desktop\iLivid.lnk
2013-02-21 14:51 - 2013-02-21 14:46 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\iLivid
2013-02-21 14:48 - 2013-02-21 14:48 - 00000000 ____D C:\ProgramData\Wincert
2013-02-21 14:48 - 2013-02-21 14:46 - 00000000 ____D C:\Program Files (x86)\Search Results Toolbar
2013-02-21 14:47 - 2013-02-21 14:47 - 00000000 ____D C:\ProgramData\boost_interprocess
2013-02-21 13:06 - 2013-02-21 13:05 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{8510D6B1-9647-4F8C-8CC6-6F3AB3EA9BED}
2013-02-20 14:06 - 2013-02-20 14:05 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{8582A957-D986-413B-A7F8-6476F3FF4F28}
2013-02-19 16:54 - 2013-02-19 16:54 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{81188C1E-7D63-4280-A3B2-7B82AAAE2626}
2013-02-19 04:54 - 2013-02-19 04:54 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{5A32C662-916D-4C11-8552-F7FBDB5398A6}
2013-02-18 08:10 - 2013-02-18 08:10 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{60C4F9A8-CC7A-4254-9691-B0E6C8373939}
2013-02-17 20:09 - 2013-02-17 20:09 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{64D80E71-CC5A-42CE-9DE4-A87478348DB3}
2013-02-17 08:09 - 2013-02-17 08:09 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{C1B9993B-9B4A-4B5D-A65E-E595F88A625F}
2013-02-16 18:36 - 2013-02-16 18:36 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{CFD74540-1CB1-47C1-B293-76AFE20AC386}
2013-02-16 06:32 - 2013-02-16 06:32 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{0BEA4EB9-D4FA-471E-9D92-4F32E7706578}
2013-02-15 18:31 - 2013-02-15 18:31 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{D9CE7765-188B-4516-A4A0-FD05568A3F6A}
2013-02-15 06:30 - 2013-02-15 06:30 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{60A04752-4644-435C-97E8-6C2925CA1099}
2013-02-15 06:24 - 2009-07-13 20:45 - 00425560 ____A C:\Windows\System32\FNTCACHE.DAT
2013-02-14 14:20 - 2011-12-05 05:16 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-02-14 13:58 - 2009-07-13 21:13 - 00758198 ____A C:\Windows\System32\PerfStringBackup.INI
2013-02-14 13:13 - 2013-02-14 13:13 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{8D3584F4-8FF3-4BB5-A477-062B2634BFFA}
2013-02-13 14:02 - 2013-02-13 14:01 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{85A9CCA1-E1EB-4521-B268-94082B431400}
2013-02-12 12:45 - 2013-02-12 12:45 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{AC533C13-F090-4D06-8BFE-FC4799110830}
2013-02-11 12:29 - 2013-02-11 12:28 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{515C3B63-F4A2-4D18-ACDE-64F962F6E5E8}
2013-02-10 13:52 - 2013-01-12 17:10 - 00000000 ____D C:\Program Files (x86)\DefaultTab
2013-02-10 09:44 - 2013-02-10 09:44 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{5BB82DBC-F442-4275-901A-D55EFC98735B}
2013-02-09 14:04 - 2013-02-09 14:04 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{9EFC6CA1-A569-424E-A635-820598E46984}
2013-02-08 13:09 - 2013-02-08 13:08 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{65B2D88F-8806-4017-95C2-7854FC2B5371}
2013-02-07 19:45 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-02-07 16:44 - 2013-02-07 16:43 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{566ADABA-AA81-4BF3-B2DD-5D4CCF3AB12C}
2013-02-06 14:05 - 2013-02-06 14:05 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{35133672-5DC1-4440-B12F-69E4477B70E0}
2013-02-05 14:08 - 2013-02-05 14:08 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{9BDDA9A5-82E9-4F94-989D-AC2FC30C879B}
2013-02-04 13:12 - 2013-02-04 13:11 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{23A952AC-A420-4441-A5E4-B721C6D95CF5}
2013-02-03 18:49 - 2013-02-03 18:49 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{07ABB54E-BA2C-4E07-9F78-E413905895F1}
2013-02-03 06:49 - 2013-02-03 06:49 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{DB4A898B-CEDE-4395-A298-C5FC61D1CD84}
2013-02-02 18:48 - 2013-02-02 18:48 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{ABF3A085-D368-4879-9AC0-B2183003AB27}
2013-02-01 19:51 - 2013-02-01 19:51 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{38786ECC-D3EC-45C2-A58A-DDBCCFBFDBAC}
2013-01-31 14:17 - 2013-01-31 14:17 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{F34C22C1-227D-4F6C-B70B-6639CCC94312}
2013-01-30 14:06 - 2013-01-30 14:06 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{AEFE4A2E-C1FF-4821-9CD2-CA3E51C069E6}
2013-01-29 21:44 - 2013-01-12 17:14 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\StrongVault
2013-01-29 13:05 - 2013-01-29 13:05 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{55D78BBC-19AA-48C3-827F-4F9010CD46AE}
2013-01-28 14:08 - 2013-01-28 14:08 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{63751652-2F45-44DE-A7E1-B8AE9707BAC6}
2013-01-27 08:41 - 2013-01-27 08:41 - 00000000 ____D C:\Users\Arianne Goolsby\AppData\Local\{8C83CC46-0C0C-4283-8281-006DA9519C8F}


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-01-14 13:46:03
Restore point made on: 2013-01-18 15:51:18
Restore point made on: 2013-01-22 12:26:39
Restore point made on: 2013-01-29 13:09:53
Restore point made on: 2013-02-01 19:55:13
Restore point made on: 2013-02-05 14:19:05
Restore point made on: 2013-02-13 14:04:07
Restore point made on: 2013-02-14 13:18:44
Restore point made on: 2013-02-19 04:48:45
Restore point made on: 2013-02-22 12:03:05

==================== Memory info ===========================

Percentage of memory in use: 33%
Total physical RAM: 1770.9 MB
Available physical RAM: 1181.33 MB
Total Pagefile: 1770.9 MB
Available Pagefile: 1171.61 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (eMachines) (Fixed) (Total:217.79 GB) (Free:92.01 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:15 GB) (Free:4.22 GB) NTFS
4 Drive g: () (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          232 GB      0 B         
  Disk 1    Online          249 MB      0 B         
  Disk 2    No Media           0 B      0 B         

Partitions of Disk 0:
===============

Disk ID: 31E1279C

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery            15 GB  1024 KB
  Partition 2    Primary            100 MB    15 GB
  Partition 3    Primary            217 GB    15 GB

==================================================================================

Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   PQSERVICE    NTFS   Partition     15 GB  Healthy    Hidden  

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   SYSTEM RESE  NTFS   Partition    100 MB  Healthy            

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   eMachines    NTFS   Partition    217 GB  Healthy            

=========================================================

Partitions of Disk 1:
===============

Disk ID: 014372AC

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            249 MB    16 KB

==================================================================================

Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G                FAT    Removable    249 MB  Healthy            

=========================================================

Last Boot: 2013-02-07 19:30

==================== End Of Log =============================


Edited by JSntgRvr, 28 February 2013 - 08:31 PM.


#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,767 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:38 PM

Posted 28 February 2013 - 08:56 PM

There is a lot of Adware in that computer.

 

Download MBRFix from here.

Save and extract its contents to the working computer's desktop. There are three files in the MBRFix folder. From these, only copy the MBRFix64.exe to the USB drive.

Also download the enclosed file and save it in the USB drive, next to FRST64.

Insert the USB drive into the ailing computer.

Now please enter System Recovery Options and run FRST64 as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and Paste the contents of the Fixlog.txt in your next reply, but attach the MBRDUMP.txt as it is a hex file.

 

Attempt to boot in Normal Mode or Safe Mode with Networking. If successful, run AdwCleaner.

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete



Once done it will ask to reboot, allow this.


On reboot a log will be produced at C:\ADWCleaner[XX].txt please post that in a reply.

 

 

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 kgoolsby

kgoolsby
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:38 PM

Posted 02 March 2013 - 08:37 AM

Hi. I did what you said. I booted in normal mode first and then in safe mode with networking. I'm not sure if the order was a mistake, but the problem still occurs. Here's the text from fixlog.txt. The mbrdump.txt file is attached.

 

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-02-2013 01
Ran by SYSTEM at 2013-03-02 08:27:08 Run:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs Value was restored successfully .
MBRDUMP.txt is made successfully.

==== End of Fixlog ====

Attached Files



#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,767 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:38 PM

Posted 02 March 2013 - 01:39 PM

There is a Zero Byte partition in the Master Boot Record.

For 64-bit systems please download Listparts64 and save it to a flash drive.

Also download the enclosed file and save it next to Listparts; 

Plug the flashdrive into the infected PC.

Enter System Recovery Options or boot to a command prompt with the Windows 7 Recovery CD.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on  Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
 

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\ListParts.exe (for the 64-bit version type e:\ListParts64.exe) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button.
  • When it is done close the notification pop up.
  • Put check mark on List BCD.
  • Press the Scan button.
  • It will make a log (Result.txt) in the flash drive. Please copy and paste it to your reply.

Attempt to boot in Normal Mode and let me know the outcome

 


Edited by JSntgRvr, 02 March 2013 - 01:44 PM.

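The check JSntgRvr describes above (a zero-length entry in the partition table of the Master Boot Record, which is what the MBRDUMP.txt produced by FRST would reveal) can be reproduced offline with a short parser. The following is an added example and not part of the thread, nor Farbar's or MBRFix's code. It decodes a raw 512-byte sector, lists the four partition table entries and flags a missing 0x55AA boot signature, an entry whose type is set but whose sector count is zero (my reading of the "Zero Byte partition" above), invalid status bytes, more than one active partition, and overlapping entries. The sample sector is constructed here from the layout in the ListParts log (Disk ID 31E1279C; a 15 GB type 0x27 recovery partition, a 100 MB active type 0x07 System Reserved partition and a 217 GB type 0x07 Windows partition); its bootstrap code area is left zeroed, and reading a dump file from the command line is an assumed usage shown only in the main guard.

```python
"""Audit a raw 512-byte MBR sector for the anomalies a boot-sector repair looks for.

Added example for the thread above; not Farbar's or MBRFix's code. The sample
sector is constructed from the ListParts layout posted in the thread."""
import struct
import sys

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 0x1B8        # 4-byte NT disk signature (the "Disk ID" in the log)
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries
BOOT_SIG_OFFSET = 0x1FE        # 0x55 0xAA trailer
BOOT_SIGNATURE = 0xAA55
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, LBA count
SECTORS_PER_GIB = 2 * 1024 * 1024

# Constructed from the thread's ListParts output: recovery, System Reserved, Windows.
THREAD_DISK_ID = 0x31E1279C
THREAD_LAYOUT = [
    (0x00, 0x27, 2048, 15 * SECTORS_PER_GIB),                                        # PQSERVICE, hidden
    (0x80, 0x07, 2048 + 15 * SECTORS_PER_GIB, 100 * 2048),                           # SYSTEM RESERVED, active
    (0x00, 0x07, 2048 + 15 * SECTORS_PER_GIB + 100 * 2048, 217 * SECTORS_PER_GIB),   # eMachines C:
    (0x00, 0x00, 0, 0),                                                              # unused slot
]


def build_mbr(disk_signature, entries):
    """Build a test sector; bootstrap code stays zeroed, CHS fields use the 0xFF filler."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, DISK_SIG_OFFSET, disk_signature)
    for index, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * index,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", start, count)
    struct.pack_into("<H", mbr, BOOT_SIG_OFFSET, BOOT_SIGNATURE)
    return bytes(mbr)


def parse_mbr(data):
    """Decode the disk signature, the boot signature and the four partition entries."""
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(data)}")
    entries = []
    for index in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, data, PART_TABLE_OFFSET + 16 * index)
        entries.append({"slot": index + 1, "status": status, "type": ptype,
                        "start": start, "count": count})
    return {
        "disk_signature": struct.unpack_from("<I", data, DISK_SIG_OFFSET)[0],
        "boot_signature": struct.unpack_from("<H", data, BOOT_SIG_OFFSET)[0],
        "entries": entries,
    }


def audit_mbr(parsed):
    """Return human-readable findings; an empty list means the table looks sane."""
    findings = []
    if parsed["boot_signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    active = [e for e in parsed["entries"] if e["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    used = []
    for e in parsed["entries"]:
        slot = e["slot"]
        if e["status"] not in (0x00, 0x80):
            findings.append(f"slot {slot}: invalid status byte 0x{e['status']:02x}")
        if e["type"] == 0x00:
            if e["start"] or e["count"]:
                findings.append(f"slot {slot}: empty type but non-zero LBA fields")
            continue
        if e["count"] == 0:                      # the "zero byte partition" case
            findings.append(f"slot {slot}: type 0x{e['type']:02x} with zero sectors")
            continue
        if e["start"] == 0:
            findings.append(f"slot {slot}: starts at LBA 0, inside the MBR itself")
        used.append(e)
    used.sort(key=lambda e: e["start"])
    for a, b in zip(used, used[1:]):
        if a["start"] + a["count"] > b["start"]:
            findings.append(f"slot {a['slot']} overlaps slot {b['slot']}")
    return findings


def audit_bytes(data):
    return audit_mbr(parse_mbr(data))


CLEAN_MBR = build_mbr(THREAD_DISK_ID, THREAD_LAYOUT)

if __name__ == "__main__":
    # Assumed usage: a raw 512-byte dump saved to a file (dd output or a hex-editor export).
    data = open(sys.argv[1], "rb").read(SECTOR_SIZE) if len(sys.argv) > 1 else CLEAN_MBR
    parsed = parse_mbr(data)
    print(f"disk signature 0x{parsed['disk_signature']:08X}")
    for e in parsed["entries"]:
        print(f"  slot {e['slot']}: status 0x{e['status']:02x} type 0x{e['type']:02x} "
              f"start {e['start']} count {e['count']}")
    for finding in audit_mbr(parsed) or ["no anomalies"]:
        print("  -", finding)
```

The audit deliberately stops at the partition table: a bootkit that keeps the table intact and replaces only the bootstrap code in the first 440 bytes would pass it, which is why a hash of that region against a known-good copy of the same vendor's MBR is the complementary check.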


#9 kgoolsby

kgoolsby
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:38 PM

Posted 02 March 2013 - 03:35 PM

I followed your instructions. When it booted, chkdsk ran. That was new. After that finished, it successfully started. Here are the contents of the Result.txt file:

 

ListParts by Farbar Version: 16-01-2013
Ran by SYSTEM (administrator) on 02-03-2013 at 14:36:59
Windows 7 (X64)
Running From: G:\
Language: 0409
************************************************************


 

========================= Memory info ======================


 

Percentage of memory in use: 26%
Total physical RAM: 1770.9 MB
Available physical RAM: 1305.83 MB
Total Pagefile: 1770.9 MB
Available Pagefile: 1281.32 MB
Total Virtual: 8192 MB
Available Virtual: 8191.92 MB


 

======================= Partitions =========================


 

1 Drive c: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (eMachines) (Fixed) (Total:217.79 GB) (Free:92.01 GB) NTFS
3 Drive e: (PQSERVICE) (Fixed) (Total:15 GB) (Free:4.22 GB) NTFS
5 Drive g: () (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS


 

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          232 GB      0 B        
  Disk 1    Online          249 MB      0 B        
  Disk 2    No Media           0 B      0 B        


 

Partitions of Disk 0:
===============


 

Disk ID: 31E1279C


 

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery            15 GB  1024 KB
  Partition 2    Primary            100 MB    15 GB
  Partition 3    Primary            217 GB    15 GB


 

======================================================================================================


 

Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: No


 

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   PQSERVICE    NTFS   Partition     15 GB  Healthy    Hidden 


 

======================================================================================================


 

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes


 

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   SYSTEM RESE  NTFS   Partition    100 MB  Healthy           


 

======================================================================================================


 

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No


 

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D   eMachines    NTFS   Partition    217 GB  Healthy           


 

======================================================================================================


 

Partitions of Disk 1:
===============


 

Disk ID: 014372AC


 

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            249 MB    16 KB


 

======================================================================================================


 

Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: Yes


 

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G                FAT    Removable    249 MB  Healthy           


 

======================================================================================================


 

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
path                    \bootmgr
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {68095698-6d31-11e0-a36c-b6e8babbfaa9}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30


 

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=D:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {current}
recoveryenabled         Yes
osdevice                partition=D:
systemroot              \Windows
resumeobject            {68095698-6d31-11e0-a36c-b6e8babbfaa9}
nx                      OptIn


 

Windows Boot Loader
-------------------
identifier              {current}
device                  ramdisk=[D:]\Recovery\6809569a-6d31-11e0-a36c-b6e8babbfaa9\Winre.wim,{6809569b-6d31-11e0-a36c-b6e8babbfaa9}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[D:]\Recovery\6809569a-6d31-11e0-a36c-b6e8babbfaa9\Winre.wim,{6809569b-6d31-11e0-a36c-b6e8babbfaa9}
systemroot              \windows
nx                      OptIn
winpe                   Yes


 

Resume from Hibernate
---------------------
identifier              {68095698-6d31-11e0-a36c-b6e8babbfaa9}
device                  partition=D:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=D:
filepath                \hiberfil.sys
debugoptionenabled      No


 

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes


 

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes


 

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200


 

RAM Defects
-----------
identifier              {badmemory}


 

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}


 

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}


 

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200


 

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}


 

Device options
--------------
identifier              {6809569b-6d31-11e0-a36c-b6e8babbfaa9}
description             Ramdisk Options
ramdisksdidevice        partition=D:
ramdisksdipath          \Recovery\6809569a-6d31-11e0-a36c-b6e8babbfaa9\boot.sdi


 


****** End Of Log ******
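The List BCD section of the Result.txt above is the boot configuration that bootmgr follows once the MBR is repaired, so it is worth checking mechanically: every object it references must exist, {bootmgr} must load \bootmgr, and every Windows Boot Loader must load \Windows\system32\winload.exe from the same partition it reports as osdevice. The following is an added example, not code from the thread or from Farbar's tools: it parses a bcdedit-style listing of the form posted above and reports deviations. The embedded listing is a constructed, shortened copy of the one above (same identifiers and GUID, fewer objects) so the check runs offline; reading a real Result.txt from the command line is an assumed usage shown only in the main guard.

```python
"""Check the boot chain described by a bcdedit-style BCD listing.

Added example for the thread above; not the thread's own code and not Farbar's."""
import re
import sys

REF_RE = re.compile(r"\{[^}]+\}")              # {bootmgr}, {default}, {guid}, ...
WINLOAD = r"\windows\system32\winload.exe"

# Constructed, shortened copy of the List BCD output posted in the thread.
SAMPLE_LISTING = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
path                    \bootmgr
inherit                 {globalsettings}
default                 {default}
resumeobject            {68095698-6d31-11e0-a36c-b6e8babbfaa9}
displayorder            {default}

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=D:
path                    \Windows\system32\winload.exe
inherit                 {bootloadersettings}
osdevice                partition=D:
systemroot              \Windows
resumeobject            {68095698-6d31-11e0-a36c-b6e8babbfaa9}

Resume from Hibernate
---------------------
identifier              {68095698-6d31-11e0-a36c-b6e8babbfaa9}
device                  partition=D:
path                    \Windows\system32\winresume.exe
inherit                 {globalsettings}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes
"""


def parse_bcd_listing(text):
    """Return {identifier: {"title": str, "fields": {key: [value, ...]}}}.

    Objects are separated by blank lines and start with a title plus a dashed rule;
    a line beginning with whitespace continues the previous key (a second inherit).
    Chunks without a dashed rule (memory info, partition tables) are skipped."""
    objects = {}
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        if len(lines) < 3 or set(lines[1].strip()) != {"-"}:
            continue
        fields, last_key = {}, None
        for line in lines[2:]:
            if line[:1].isspace():
                fields[last_key].append(line.strip())
            else:
                key, _, value = line.partition(" ")
                fields.setdefault(key, []).append(value.strip())
                last_key = key
        ident = fields.get("identifier", [None])[0]
        if ident:
            objects[ident] = {"title": lines[0].strip(), "fields": fields}
    return objects


def field(obj, key):
    """First value of a key, or '' when the object does not carry it."""
    return obj["fields"].get(key, [""])[0]


def audit_bcd(objects):
    """Return findings; an empty list means the listing is internally consistent."""
    findings = []
    for ident, obj in objects.items():
        for key, values in obj["fields"].items():
            if key == "identifier":
                continue
            for ref in REF_RE.findall(" ".join(values)):
                if ref not in objects:
                    findings.append(f"{ident}: {key} -> undefined object {ref}")
    bootmgr = objects.get("{bootmgr}")
    if bootmgr is None:
        findings.append("no {bootmgr} object")
        return findings
    if field(bootmgr, "path").lower() != r"\bootmgr":
        findings.append(f"{{bootmgr}}: unexpected path {field(bootmgr, 'path')}")
    default = field(bootmgr, "default")
    if objects.get(default, {}).get("title") != "Windows Boot Loader":
        findings.append(f"{{bootmgr}}: default {default} is not a Windows Boot Loader")
    for ident, obj in objects.items():
        if obj["title"] != "Windows Boot Loader":
            continue
        if field(obj, "path").lower() != WINLOAD:
            findings.append(f"{ident}: loader path is {field(obj, 'path')}")
        if field(obj, "device") != field(obj, "osdevice"):
            findings.append(f"{ident}: device {field(obj, 'device')} != osdevice {field(obj, 'osdevice')}")
    return findings


if __name__ == "__main__":
    # Assumed usage: python bcd_check.py Result.txt (falls back to the constructed sample).
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_LISTING)
    for finding in audit_bcd(parse_bcd_listing(text)) or ["boot chain looks consistent"]:
        print("-", finding)
```

Run against the full Result.txt above, the parser ignores the memory and partition sections (their second line is not a dashed rule) and the WinRE entry passes because its ramdisk device and osdevice strings are identical and its path compares equal to winload.exe case-insensitively.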



#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,767 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:38 PM

Posted 02 March 2013 - 09:48 PM

Great. Let's scan:

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

 




#11 kgoolsby

kgoolsby
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:38 PM

Posted 12 March 2013 - 02:20 PM

Sorry it took me so long to reply. Once the computer was usable, my daughter began using it for homework again. Cure was not an option for the one threat found. Two files were created. I ran it twice when I didn't see the Cure option. The first file is small and it's attached. The second file gets the message that the upload is skipped because the file is too big, so I put it in a zip file and attached it.

Attached Files



#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,767 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:38 PM

Posted 12 March 2013 - 03:38 PM

Scan for remnants:

Step 1: Run AdwCleaner.

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete

Once done it will ask to reboot, allow this.

On reboot a log will be produced at C:\ADWCleaner[XX].txt please post its contents in a reply.

Step 2: Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
  • Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3: ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • First please disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET Online Scanner.
  • Select the option YES, I accept the Terms of Use then click on Start.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.

  • All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • When prompted allow the Add-On/ActiveX to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

  • Now click on Start.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on Finish.
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log in a reply to this topic.

Edited by JSntgRvr, 12 March 2013 - 03:39 PM.
