
BSOD after running Windows Defender Offline


  • This topic is locked
13 replies to this topic

#1 natehammer

  • Members
  • 7 posts

Posted 14 May 2013 - 10:53 AM

Mod edit: moved to Virus, Trojan, Spyware, and Malware Removal Logs now that FRST log is posted ~~boopme

 

 

I've been working on a Dell Laptop with Windows 7.  It had multiple infections.  I had to uninstall the existing AV software as it would not update (Avast).  I installed Windows Security Essentials and ran a scan.  It found multiple items and cleaned what it could but then said I needed to run Windows Defender Offline.  I booted from CD into Windows Defender Offline and ran the full scan.  It found and removed several.  I rebooted the computer and now it gives a BSOD every time.  I cannot boot into safe mode either.  I have attempted system restore and start up repair...both unsuccessful.

 

Any chance anyone has some expertise in this area?


Edited by boopme, 14 May 2013 - 08:47 PM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 natehammer
  • Topic Starter

  • Members
  • 7 posts

Posted 14 May 2013 - 03:46 PM

I have seen discussion of using FRST64 to provide a log file.  I have copied the FRST.txt file to this post if it helps.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-05-2013
Ran by SYSTEM on 14-05-2013 14:02:03
Running from F:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet002
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [611192 2011-07-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [6492672 2011-01-15] (Dell Inc.)
HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2011-07-25] ()
HKLM\...\Run: [DFEPApplication] c:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe [7077272 2011-08-24] (Dell Inc.)
HKLM\...\Run: [TdmNotify] C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe [257392 2011-05-27] (Wave Systems Corp.)
HKLM\...\Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [227328 2011-03-08] (Dell Computer Corporation)
HKLM\...\Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [57928 2012-04-02] (LogMeIn, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1281512 2013-01-27] (Microsoft Corporation)
HKLM\...\RunOnce: [DBRMTray] C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$967e1397e77b3c7f6c5e4acb920fa134\n. ATTENTION! ====> ZeroAccess
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [462993 2010-03-12] (Creative Technology Ltd)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM-x32\...\Run: [QuickFinder Scheduler] "c:\Program Files (x86)\Corel\WordPerfect Office X5\Programs\QFSCHD150.EXE" [128440 2012-09-21] (Corel Corporation)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe"  -osboot [296096 2012-10-18] (RealNetworks, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
HKLM-x32\...\Run: [Nuance PDF Reader-reminder] "C:\Program Files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\PDF Reader\Ereg\Ereg.ini" [333088 2010-07-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe" [1297728 2013-02-23] (Spigot, Inc.)
HKU\Kirk\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-03-26] (Google Inc.)
HKU\Kirk\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [x]
HKU\Kirk\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\kmorgan\...\Run: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [719672 2012-01-20] (Microsoft Corporation)
HKU\kmorgan\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [222496 2009-05-05] (Acresso Corporation)
HKU\kmorgan\...\Run: [Advanced SystemCare 6] "C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart [491840 2013-01-15] (IObit)
Lsa: [Authentication Packages] msv1_0 wvauth
Lsa: [Notification Packages] scecli C:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
Startup: C:\Users\Administrator.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\Users\Kirk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Kirk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\Users\kmorgan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\kmorgan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\Users\LogMeInRemoteUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)

==================== Services (Whitelisted) =================

S2 AdvancedSystemCareService6; C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe [528192 2013-02-25] (IObit)
S2 BrcmMgmtAgent; C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [158720 2010-06-29] (Broadcom Corporation)
S2 DFEPService; c:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe [2279320 2011-08-24] (Dell Inc.)
S2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [375728 2012-11-08] (LogMeIn, Inc.)
S2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [147888 2012-11-08] (LogMeIn, Inc.)
S2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2012-04-02] (LogMeIn, Inc.)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
S2 O2SDIOAssist; c:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] ()
S2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
S2 tcsd_win32.exe; C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1633280 2011-02-17] ()
S2 TSScheduleBackup; C:\Windows\SysWOW64\TSSchBkpService.exe [737096 2011-05-31] (Sage)
S2 Wave Authentication Manager Service; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [1600000 2011-07-01] (Wave Systems Corp.)
S2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [5839872 2011-01-15] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65336 2013-03-06] ()
S3 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [178624 2013-03-06] ()
S3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [163368 2012-03-31] (Broadcom Corporation.)
S3 HBtnKey; C:\Windows\system32\drivers\HBtnKey.sys [20424 2011-07-19] (Dell Inc.)
S2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [15928 2012-04-02] (LogMeIn, Inc.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S4 LMIRfsClientNP; No ImagePath

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-14 14:01 - 2013-05-14 14:01 - 00000000 ____D C:\FRST
2013-05-10 15:04 - 2013-05-13 10:04 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-05-10 07:52 - 2013-05-10 07:53 - 00000000 ____D C:\6e3d30ba9ca9e1198f2624540fbe54
2013-05-09 12:07 - 2013-05-09 12:07 - 00000385 ____A C:\Users\kmorgan\Desktop\Dell PC Diagnostics  Dell US.website
2013-05-09 09:12 - 2013-05-09 09:12 - 00000000 ____D C:\Users\kmorgan\AppData\Local\Deployment
2013-05-08 15:21 - 2013-05-08 15:21 - 00001945 ____A C:\Windows\epplauncher.mif
2013-05-08 15:21 - 2013-05-08 15:21 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-05-08 15:21 - 2013-05-08 15:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-05-08 15:10 - 2013-05-08 15:10 - 464077832 ____A C:\Windows\MEMORY.DMP
2013-05-08 15:10 - 2013-05-08 15:10 - 00262144 ____A C:\Windows\Minidump\050813-18267-01.dmp
2013-05-08 15:00 - 2013-05-08 15:00 - 00006724 ____A C:\Windows\PFRO.log
2013-05-08 14:59 - 2013-05-08 14:59 - 00000000 ____A C:\asc_rdflag
2013-05-08 14:58 - 2013-05-10 06:05 - 00000224 ____A C:\Windows\setupact.log
2013-05-08 14:58 - 2013-05-08 14:58 - 00000000 ____A C:\Windows\setuperr.log
2013-05-08 14:57 - 2013-01-15 16:49 - 00026432 ____A (IObit) C:\Windows\System32\RegistryDefragBootTime.exe
2013-05-08 14:26 - 2013-05-08 14:26 - 00000000 ____D C:\Program Files (x86)\IObit Apps Toolbar
2013-05-08 14:25 - 2013-05-08 14:25 - 00001202 ____A C:\Users\Public\Desktop\Uninstaller.lnk
2013-05-08 14:25 - 2013-05-08 14:25 - 00001151 ____A C:\Users\Public\Desktop\Advanced SystemCare 6.lnk
2013-05-08 14:25 - 2013-05-08 14:25 - 00000000 ____D C:\ProgramData\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
2013-05-08 14:23 - 2013-05-10 08:02 - 00000000 ____D C:\Program Files (x86)\Application Updater
2013-05-08 14:23 - 2013-05-08 14:23 - 00000000 ____D C:\Program Files (x86)\IObit Toolbar
2013-05-08 14:22 - 2013-05-08 14:25 - 00000000 ____D C:\Users\kmorgan\AppData\Roaming\IObit
2013-05-08 14:22 - 2013-05-08 14:25 - 00000000 ____D C:\ProgramData\IObit
2013-05-08 14:22 - 2013-05-08 14:25 - 00000000 ____D C:\Program Files (x86)\IObit
2013-05-08 11:34 - 2013-05-08 11:34 - 00139584 ____A C:\Users\kmorgan\Documents\cc_20130508_133407.reg
2013-05-08 11:34 - 2013-05-08 11:34 - 00001890 ____A C:\Users\kmorgan\Documents\cc_20130508_133444.reg
2013-05-08 08:26 - 2013-05-08 08:26 - 00000000 __SHD C:\found.001
2013-05-02 08:04 - 2013-05-02 08:04 - 00002021 ____A C:\Users\Public\Desktop\Adobe Reader XI.lnk
2013-05-02 08:03 - 2013-05-08 07:45 - 00000000 ____D C:\Program Files (x86)\Adobe
2013-05-02 07:59 - 2013-05-02 08:06 - 00000000 ____D C:\Windows\System32\appmgmt
2013-05-01 15:08 - 2013-05-01 15:08 - 00016402 ____A C:\Users\kmorgan\Documents\Draft Letter of TerminationAnnette McFarland.wpd
2013-04-24 01:00 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

==================== One Month Modified Files and Folders =======

2013-05-14 14:01 - 2013-05-14 14:01 - 00000000 ____D C:\FRST
2013-05-13 10:05 - 2012-10-27 14:20 - 00000000 ____D C:\users\kmorgan
2013-05-13 10:05 - 2012-01-31 17:17 - 00000000 ____D C:\users\Administrator.000
2013-05-13 10:05 - 2012-01-31 16:39 - 00000000 ____D C:\users\Kirk
2013-05-13 10:04 - 2013-05-10 15:04 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-05-13 10:03 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-05-13 10:01 - 2012-10-27 16:47 - 00000000 ____D C:\Users\kmorgan\AppData\Roaming\PCDr
2013-05-13 10:01 - 2012-06-16 16:13 - 00000000 ____D C:\Program Files\Dell Support Center
2013-05-10 08:02 - 2013-05-08 14:23 - 00000000 ____D C:\Program Files (x86)\Application Updater
2013-05-10 08:02 - 2012-07-24 09:55 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-05-10 08:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-05-10 07:53 - 2013-05-10 07:52 - 00000000 ____D C:\6e3d30ba9ca9e1198f2624540fbe54
2013-05-10 06:09 - 2012-01-20 06:33 - 01568135 ____A C:\Windows\WindowsUpdate.log
2013-05-10 06:05 - 2013-05-08 14:58 - 00000224 ____A C:\Windows\setupact.log
2013-05-10 06:05 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-09 22:24 - 2012-06-16 16:56 - 00000000 ____D C:\ProgramData\LogMeIn
2013-05-09 12:07 - 2013-05-09 12:07 - 00000385 ____A C:\Users\kmorgan\Desktop\Dell PC Diagnostics  Dell US.website
2013-05-09 09:12 - 2013-05-09 09:12 - 00000000 ____D C:\Users\kmorgan\AppData\Local\Deployment
2013-05-09 09:12 - 2013-04-12 13:56 - 00000000 ____D C:\Users\kmorgan\AppData\Local\Apps\2.0
2013-05-09 07:55 - 2012-06-16 16:13 - 00000000 ____D C:\ProgramData\PCDr
2013-05-09 06:37 - 2012-02-15 08:03 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-09 06:36 - 2012-02-15 08:03 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-08 15:21 - 2013-05-08 15:21 - 00001945 ____A C:\Windows\epplauncher.mif
2013-05-08 15:21 - 2013-05-08 15:21 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-05-08 15:21 - 2013-05-08 15:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-05-08 15:17 - 2009-07-13 20:45 - 00021312 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-08 15:17 - 2009-07-13 20:45 - 00021312 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-08 15:14 - 2009-07-13 21:13 - 00797806 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-08 15:10 - 2013-05-08 15:10 - 464077832 ____A C:\Windows\MEMORY.DMP
2013-05-08 15:10 - 2013-05-08 15:10 - 00262144 ____A C:\Windows\Minidump\050813-18267-01.dmp
2013-05-08 15:10 - 2012-10-03 11:26 - 00000000 ____D C:\Windows\Minidump
2013-05-08 15:00 - 2013-05-08 15:00 - 00006724 ____A C:\Windows\PFRO.log
2013-05-08 14:59 - 2013-05-08 14:59 - 00000000 ____A C:\asc_rdflag
2013-05-08 14:58 - 2013-05-08 14:58 - 00000000 ____A C:\Windows\setuperr.log
2013-05-08 14:57 - 2012-10-27 16:39 - 00000000 ____D C:\Users\kmorgan\Documents\backup
2013-05-08 14:49 - 2012-04-26 13:46 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-08 14:42 - 2012-02-01 07:17 - 00000000 ____D C:\ProgramData\AVAST Software
2013-05-08 14:38 - 2012-01-20 05:22 - 00000000 ____D C:\ProgramData\Sonic
2013-05-08 14:26 - 2013-05-08 14:26 - 00000000 ____D C:\Program Files (x86)\IObit Apps Toolbar
2013-05-08 14:25 - 2013-05-08 14:25 - 00001202 ____A C:\Users\Public\Desktop\Uninstaller.lnk
2013-05-08 14:25 - 2013-05-08 14:25 - 00001151 ____A C:\Users\Public\Desktop\Advanced SystemCare 6.lnk
2013-05-08 14:25 - 2013-05-08 14:25 - 00000000 ____D C:\ProgramData\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
2013-05-08 14:25 - 2013-05-08 14:22 - 00000000 ____D C:\Users\kmorgan\AppData\Roaming\IObit
2013-05-08 14:25 - 2013-05-08 14:22 - 00000000 ____D C:\ProgramData\IObit
2013-05-08 14:25 - 2013-05-08 14:22 - 00000000 ____D C:\Program Files (x86)\IObit
2013-05-08 14:23 - 2013-05-08 14:23 - 00000000 ____D C:\Program Files (x86)\IObit Toolbar
2013-05-08 14:12 - 2012-05-21 08:02 - 00004704 __ASH C:\ProgramData\KGyGaAvL.sys
2013-05-08 14:12 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\FxsTmp
2013-05-08 14:11 - 2012-10-27 16:43 - 00000000 ____D C:\Users\kmorgan\Documents\Outlook Files
2013-05-08 14:10 - 2012-01-20 05:27 - 00000031 ____A C:\tmuninst.ini
2013-05-08 14:09 - 2012-01-20 05:24 - 01834292 ____A C:\Windows\System32\TmInstall.log
2013-05-08 11:34 - 2013-05-08 11:34 - 00139584 ____A C:\Users\kmorgan\Documents\cc_20130508_133407.reg
2013-05-08 11:34 - 2013-05-08 11:34 - 00001890 ____A C:\Users\kmorgan\Documents\cc_20130508_133444.reg
2013-05-08 08:26 - 2013-05-08 08:26 - 00000000 __SHD C:\found.001
2013-05-08 07:51 - 2012-10-16 07:39 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-08 07:49 - 2013-04-09 07:34 - 00000000 ____D C:\Users\kmorgan\AppData\Roaming\FLEXnet
2013-05-08 07:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-05-08 07:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\security
2013-05-08 07:48 - 2013-04-09 07:34 - 00000000 ____D C:\ProgramData\Nuance
2013-05-08 07:48 - 2013-04-09 07:33 - 00000000 ____D C:\Program Files (x86)\Nuance
2013-05-08 07:48 - 2012-03-27 12:26 - 00000000 ____D C:\ProgramData\Adobe
2013-05-08 07:48 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-05-08 07:45 - 2013-05-02 08:03 - 00000000 ____D C:\Program Files (x86)\Adobe
2013-05-08 07:43 - 2012-10-27 11:44 - 00000112 ____A C:\Windows\System32\config\netlogon.ftl
2013-05-08 05:33 - 2009-07-13 21:38 - 00067584 ___AS C:\Windows\bootstat(111).dat
2013-05-02 08:06 - 2013-05-02 07:59 - 00000000 ____D C:\Windows\System32\appmgmt
2013-05-02 08:06 - 2013-04-09 07:38 - 00000000 ____D C:\Users\kmorgan\AppData\Roaming\Nuance
2013-05-02 08:04 - 2013-05-02 08:04 - 00002021 ____A C:\Users\Public\Desktop\Adobe Reader XI.lnk
2013-05-01 15:08 - 2013-05-01 15:08 - 00016402 ____A C:\Users\kmorgan\Documents\Draft Letter of TerminationAnnette McFarland.wpd
2013-04-30 09:54 - 2009-07-13 18:36 - 00674356 ____A C:\Windows\System32\perfh009(127).dat
2013-04-30 09:54 - 2009-07-13 18:36 - 00125680 ____A C:\Windows\System32\perfc009(126).dat
2013-04-16 13:04 - 2012-10-27 14:20 - 00000816 _RASH C:\Users\kmorgan\ntuser.pol
2013-04-16 08:11 - 2012-10-16 07:39 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2700678172-3572627288-2758586092-1172\$967e1397e77b3c7f6c5e4acb920fa134

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$967e1397e77b3c7f6c5e4acb920fa134

Other Malware:
===========
C:\Users\kmorgan\g2mdlhlpx.exe
C:\ProgramData\ssrsc.pad

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-05-08 14:40:18
Restore point made on: 2013-05-08 15:22:44
Restore point made on: 2013-05-09 06:39:12
Restore point made on: 2013-05-10 06:09:46

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 2982.93 MB
Available physical RAM: 2403.85 MB
Total Pagefile: 2981.13 MB
Available Pagefile: 2399.7 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:286.36 GB) (Free:230.95 GB) NTFS (Disk=0 Partition=3)
Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
Drive f: (GR8) (Removable) (Total:7.87 GB) (Free:4.36 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:11.69 GB) (Free:5.04 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected.

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows Vista) (Size: 298 GB) (Disk ID: D80A85E5)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=12 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=286 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 8 GB) (Disk ID: 00256657)
Partition 1: (Active) - (Size=8 GB) - (Type=0C)


Last Boot: 2013-05-03 22:35

==================== End Of Log ============================

 



#3 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 May 2013 - 01:06 AM


Hello natehammer

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

 
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$967e1397e77b3c7f6c5e4acb920fa134\n. ATTENTION! ====> ZeroAccess
C:\$Recycle.Bin\S-1-5-21-2700678172-3572627288-2758586092-1172\$967e1397e77b3c7f6c5e4acb920fa134
C:\$Recycle.Bin\S-1-5-18\$967e1397e77b3c7f6c5e4acb920fa134
C:\Users\kmorgan\g2mdlhlpx.exe
C:\ProgramData\ssrsc.pad
TDL4: custom:26000022 <===== ATTENTION!
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
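The FRST.txt posted earlier and the fixlist Gringo built from it rest on one habit: read the log for the lines FRST itself flags (the ATTENTION markers and the ZeroAccess: / Other Malware: path blocks) rather than for everything it lists. As an added example that is not part of this thread, of FRST, or of the BleepingComputer helpers' own tooling, here is a small Python parser that does exactly that pass. It runs over a constructed, abbreviated copy of the posted log; the section layout it assumes ('====' headers, ATTENTION markers, labelled path blocks) is the one visible in that log, and the function and constant names are this example's own.

```python
import re

# Constructed sample: an abbreviated copy of the FRST.txt log posted above
# (raw string, so the backslashes and the '\n' in the registry line stay literal).
SAMPLE_LOG = r"""Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-05-2013
Boot Mode: Recovery
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [611192 2011-07-20] (Alps Electric Co., Ltd.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$967e1397e77b3c7f6c5e4acb920fa134\n. ATTENTION! ====> ZeroAccess

==================== One Month Modified Files and Folders =======

2013-05-14 14:01 - 2013-05-14 14:01 - 00000000 ____D C:\FRST

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2700678172-3572627288-2758586092-1172\$967e1397e77b3c7f6c5e4acb920fa134

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$967e1397e77b3c7f6c5e4acb920fa134

Other Malware:
===========
C:\Users\kmorgan\g2mdlhlpx.exe
C:\ProgramData\ssrsc.pad

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:286.36 GB) (Free:230.95 GB) NTFS (Disk=0 Partition=3)
ATTENTION: Malware custom entry on BCD on drive y: detected.

==================== End Of Log ============================
"""

# '==== Section name ====' headers; the group must contain something other than '='
# so the bare '===========' rule under 'Other Malware:' is not taken for a header.
SECTION_RE = re.compile(r"^=+\s*([^=\s][^=]*?)\s*=+$")
TOOL_NOTICE = "ATTENTION!:=====>"          # FRST's note about its own run, not a finding
LABELLED_BLOCKS = {"ZeroAccess:", "Other Malware:"}
FAMILIES = ("ZeroAccess", "TDL4", "BCD")   # names FRST itself attaches to findings


def parse_frst(text):
    """One pass over FRST.txt, keeping only what the tool flagged.

    Returns {'attention': [(section, line)], 'paths': [(label, path)]}:
    lines carrying an ATTENTION marker, tagged with the section they sit in,
    and the file paths listed under 'ZeroAccess:' / 'Other Malware:' blocks.
    """
    section, block = "Header", None
    attention, paths = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                  # a blank line closes a labelled path block
            block = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section, block = m.group(1), None
            continue
        if line.startswith(TOOL_NOTICE):
            continue
        if line in LABELLED_BLOCKS:
            block = line.rstrip(":")
            continue
        if block is not None:
            if set(line) != {"="}:    # skip the '===========' rule, keep the paths
                paths.append((block, line))
            continue
        if "ATTENTION" in line:
            attention.append((section, line))
    return {"attention": attention, "paths": paths}


def families(parsed):
    """Count findings per label/family so the shape of the infection is visible at once."""
    counts = {}
    for label, _ in parsed["paths"]:
        counts[label] = counts.get(label, 0) + 1
    for _, line in parsed["attention"]:
        for name in FAMILIES:
            if name in line:
                counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    result = parse_frst(SAMPLE_LOG)
    for section, line in result["attention"]:
        print(f"[{section}] {line}")
    for label, path in result["paths"]:
        print(f"[{label}] {path}")
    print(families(result))
```

On the sample this yields three ATTENTION lines (the InprocServer32 entry, the TDL4 line and the BCD notice, each with the section it came from) and four paths: the six lines Gringo placed in the fixlist above plus the BCD warning from the Drives section. The tool-version notice in the header is dropped on purpose, since it is FRST commenting on itself rather than a finding. A parser like this is for triage and for checking a re-run log against the previous one; deciding which entries belong in a fixlist stays with the helper reading the thread.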

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 May 2013 - 03:12 PM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo

#5 natehammer
  • Topic Starter

  • Members
  • 7 posts

Posted 20 May 2013 - 02:21 PM

I apologize, I missed the response on the 16th.  By Friday, I gave up and did a factory restore from its restore partition (it's a Dell Latitude) hoping that reinstalling Windows would take care of the problem...by this time, I thought it was corrupt system files.  Unfortunately, after the restore, the PC rebooted and had a BSOD immediately as well.  Can we back up a step?  Do I need to rerun FRST?



#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 May 2013 - 02:54 PM

Hello


do I need to rerun FRST? Yes, do run it again and send me the report.


gringo

#7 natehammer
  • Topic Starter

  • Members
  • 7 posts

Posted 20 May 2013 - 03:15 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-05-2013 (ATTENTION: FRST version is 6 days old)
Ran by SYSTEM on 20-05-2013 20:13:52
Running from F:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [611192 2011-07-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [6492672 2011-01-15] (Dell Inc.)
HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2011-07-25] ()
HKLM\...\Run: [DFEPApplication] c:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe [7077272 2011-08-24] (Dell Inc.)
HKLM\...\Run: [TdmNotify] C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe [257392 2011-05-27] (Wave Systems Corp.)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [462993 2010-03-12] (Creative Technology Ltd)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM-x32\...\Run: [OfficeScanNT Monitor] "c:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow [1708048 2011-02-26] (Trend Micro Inc.)
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files (x86)\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)

==================== Services (Whitelisted) =================

S2 BrcmMgmtAgent; C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [158720 2010-06-29] (Broadcom Corporation)
S2 DFEPService; c:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe [2279320 2011-08-24] (Dell Inc.)
S2 ntrtscan; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrtscan.exe [1836616 2011-02-18] (Trend Micro Inc.)
S2 O2SDIOAssist; c:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] ()
S2 svcGenericHost; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [50704 2011-04-07] (Trend Micro Inc.)
S2 tcsd_win32.exe; C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1633280 2011-02-17] ()
S2 tmlisten; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe [2060896 2011-02-18] (Trend Micro Inc.)
S3 TmPfw; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPfw.exe [596032 2010-07-21] (Trend Micro Inc.)
S3 TmProxy; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe [917840 2010-07-21] (Trend Micro Inc.)
S2 Wave Authentication Manager Service; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [1600000 2011-07-01] (Wave Systems Corp.)
S2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [5839872 2011-01-15] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

S3 HBtnKey; C:\Windows\system32\drivers\HBtnKey.sys [20424 2011-07-19] (Dell Inc.)
S2 TmFilter; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys [310032 2011-03-24] (Trend Micro Inc.)
S1 tmlwf; C:\Windows\System32\DRIVERS\tmlwf.sys [196688 2010-11-08] (Trend Micro Inc.)
S2 TmPreFilter; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPreFlt.sys [42768 2011-03-24] (Trend Micro Inc.)
S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [108624 2010-11-08] (Trend Micro Inc.)
S2 tmwfp; C:\Windows\System32\DRIVERS\tmwfp.sys [338000 2010-11-08] (Trend Micro Inc.)
S2 VSApiNt; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\VSApiNt.sys [1988368 2011-03-24] (Trend Micro Inc.)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-20 20:13 - 2013-05-20 20:13 - 00000000 ____D C:\FRST

==================== One Month Modified Files and Folders =======

2013-05-20 20:13 - 2013-05-20 20:13 - 00000000 ____D C:\FRST
2013-05-17 20:03 - 2011-02-10 06:25 - 00000000 ____D C:\dell

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================


==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 2982.93 MB
Available physical RAM: 2409.24 MB
Total Pagefile: 2981.13 MB
Available Pagefile: 2379.68 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:286.36 GB) (Free:271.66 GB) NTFS (Disk=0 Partition=3)
Drive f: (GR8) (Removable) (Total:7.87 GB) (Free:0.6 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.02 GB) (Free:0.02 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:11.69 GB) (Free:5.04 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected.

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows Vista) (Size: 298 GB) (Disk ID: D80A85E5)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=12 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=286 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 8 GB) (Disk ID: 00256657)
Partition 1: (Active) - (Size=8 GB) - (Type=0C)


Last Boot: 2011-02-10 08:26

==================== End Of Log ============================
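
The FRST.txt log above is the artefact the rest of the thread acts on: FRST marks its own findings with ATTENTION (the TDL4 entry and the BCD entry on the recovery partition), while the version-age note in the header is only informational. The Python triage helper below is an added example, not part of FRST or of this thread; it splits such a log into its sections, collects those flags and parses the Run-key autoruns. SAMPLE_LOG is a constructed excerpt shaped like the posted log.

```python
"""Triage a Farbar Recovery Scan Tool (FRST.txt) log: split it into its '==== Section ====' blocks,
list the lines FRST itself flags with ATTENTION, and parse the Run-key autoruns (added example)."""
import re

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
RUN_RE = re.compile(r"^(?P<hive>HKLM(?:-x32)?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] "
                    r"(?P<cmd>.*?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>.*?)\)$")

# Constructed excerpt shaped like the log posted in this thread (not the real file).
SAMPLE_LOG = r"""Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-05-2013 (ATTENTION: FRST version is 6 days old)
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [611192 2011-07-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2011-07-25] ()
HKLM-x32\...\Run: []  [x]
==================== Bamital & volsnap Check =================
TDL4: custom:26000022 <===== ATTENTION!
==================== Drives ================================
ATTENTION: Malware custom entry on BCD on drive y: detected.
==================== End Of Log ============================
"""

def parse_sections(text):
    """Map each section banner to its non-empty body lines; text before the first banner is 'Header'."""
    sections, current = {"Header": []}, "Header"
    for line in map(str.rstrip, text.splitlines()):
        if not line or set(line) == {"="}:  # skip blank lines and the bare ===== rules
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1).strip()
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def attention_lines(sections):
    """FRST's own ATTENTION flags, as (section, line); the header's version-age note is not a finding."""
    return [(name, line) for name, lines in sections.items() if name != "Header"
            for line in lines if "ATTENTION" in line]

def parse_autoruns(sections):
    """Run-key entries as dicts; an entry FRST prints as '[]  [x]' has no target and is marked broken."""
    entries = []
    for line in sections.get("Registry (Whitelisted)", []):
        m = RUN_RE.match(line)
        if m:
            entries.append(m.groupdict())
        elif "\\Run: [" in line:
            entries.append({"hive": line.split("\\")[0], "name": "", "vendor": "", "broken": True})
    return entries
```

An empty vendor field, as on FreeFallProtection, only means the file carries no company name in its version information; review such entries by hand rather than treating the field as a signature check.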



#8 natehammer (Topic Starter)

Posted 20 May 2013 - 05:44 PM

I did notice that under the "Drives" section it says:

ATTENTION: Malware custom entry on BCD on drive y: detected.

Y: being the recovery partition.

Nate



#9 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 20 May 2013 - 09:04 PM

Hello natehammer

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.

TDL4: custom:26000022 <===== ATTENTION!
CMD: bootrec /FixMbr

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before, but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo

#10 natehammer (Topic Starter)

Posted 21 May 2013 - 09:04 AM

Thank you Gringo.  So far so good.  It is now booting in to finish the Windows setup.  I wish I hadn't missed your post before I did a restore.  Do I need to be concerned about the entry in the FRST report that says the following:

I did notice that under the "Drives" section it says:

ATTENTION: Malware custom entry on BCD on drive y: detected.

Y: being the recovery partition.



#11 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 21 May 2013 - 02:42 PM

The above fixed that entry; that is what was causing the problem. Let me know how things went and when you get the system back up and running.




gringo

#12 natehammer (Topic Starter)

Posted 21 May 2013 - 03:05 PM

Looks great.  Windows finished the install and I just finished doing all updates and installing software.  Thanks for the help!



#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 21 May 2013 - 05:01 PM

Glad things worked out and happy to have helped.


gringo

#14 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 24 May 2013 - 12:33 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



