
Ran HitmanPro 3 - 64bit and now computer won't start/re-boot


  • This topic is locked
10 replies to this topic

#1 windsorjedi

windsorjedi

  • Members
  • 6 posts
  • Gender:Female
  • Local time:04:28 PM

Posted 30 May 2013 - 09:17 AM

Hello, I ran Malwarebytes.org's malware removal tool and it identified 13 issues, which it seemed to repair (or quarantine). The computer was still really, really slow and lagging, so I decided to run HitmanPro 3 64-bit for Windows 7 on a Dell laptop to remove the virus/malware. It also identified issues; when I opted to remove them, it asked to reboot my computer and I said yes (one of the viruses/malware it identified was "Babylon"). When the computer tried to reboot it couldn't. I am not a computer guru by any means and am completely lost...I am so worried that I have lost everything on my computer :( When the computer tries to start, it fails and defaults me to "startup repair", which fails, and then I have tried a "system restore" which also fails, and then I tried "Dell DataSafe Restore and Emergency Backup" which took around 7 hrs to back up...then it also failed. I am at a loss....

Can you help me please?

 





#2 windsorjedi

windsorjedi
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Female
  • Local time:04:28 PM

Posted 30 May 2013 - 10:53 AM

I have run the Farbar Recovery Scan Tool; here is the report:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-05-2013
Ran by SYSTEM on 30-05-2013 16:46:51
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2818856 2011-08-26] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [7284328 2011-08-30] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /MAXX3  [2277480 2011-08-16] (Realtek Semiconductor)
HKLM\...\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start [317248 2011-10-17] (NVIDIA Corporation)
HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2010-12-17] ()
HKLM\...\Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp [10357008 2011-10-18] (Intel Corporation)
HKLM\...\Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray [1935120 2011-09-15] (Intel® Corporation)
HKLM\...\Run: [QuickSet] c:\Program Files\Dell\QuickSet\QuickSet.exe [4146848 2011-08-29] (Dell Inc.)
HKLM\...\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4526 2010-11-29] ()
HKLM\...\Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup [207845 2011-04-29] ()
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [35736 2010-11-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-11-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [503942 2011-04-13] (Creative Technology Ltd)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1658440 2011-03-12] (McAfee, Inc.)
HKLM-x32\...\Run: [NeroLauncher] C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe 900 [75064 2011-07-07] ()
HKLM-x32\...\Run: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup [885760 2011-04-29] ()
AppInit_DLLs: C:\Windows\system32\nvinitx.dll [228672 2011-10-17] (NVIDIA Corporation)
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel® Turbo Boost Technology Monitor 2.0.lnk
ShortcutTarget: Intel® Turbo Boost Technology Monitor 2.0.lnk -> C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe (Intel® Corporation)

==================== Services (Whitelisted) =================

S3 McAWFwk; c:\PROGRA~1\mcafee\msc\mcawfwk.exe [224704 2011-03-08] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [501768 2011-03-17] (McAfee, Inc.)
S2 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [197960 2011-03-13] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [208272 2011-03-13] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [158832 2011-03-13] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-09-15] ()

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [65128 2011-03-13] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [156792 2011-03-13] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [227856 2011-03-13] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [481376 2011-03-13] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [639216 2011-03-13] (McAfee, Inc.)
S1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75672 2011-03-13] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [98728 2011-03-13] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [281928 2011-03-13] (McAfee, Inc.)
S3 NvStUSB; C:\Windows\system32\drivers\nvstusb.sys [122472 2011-06-12] ()

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-30 16:46 - 2013-05-30 16:46 - 00000000 ____D C:\FRST
2013-05-30 03:29 - 2013-05-30 03:29 - 00000452 ____A C:\Users\Public\Desktop\Emergency Backup.lnk
2013-05-30 03:29 - 2013-05-30 03:29 - 00000452 ____A C:\ProgramData\Desktop\Emergency Backup.lnk
2013-05-30 01:31 - 2013-05-30 01:31 - 00000000 ____D C:\Emergency
2013-05-30 01:13 - 2013-05-30 01:13 - 00000000 ____D C:\Windows\SMINST

==================== One Month Modified Files and Folders =======

2013-05-30 16:46 - 2013-05-30 16:46 - 00000000 ____D C:\FRST
2013-05-30 03:29 - 2013-05-30 03:29 - 00000452 ____A C:\Users\Public\Desktop\Emergency Backup.lnk
2013-05-30 03:29 - 2013-05-30 03:29 - 00000452 ____A C:\ProgramData\Desktop\Emergency Backup.lnk
2013-05-30 01:31 - 2013-05-30 01:31 - 00000000 ____D C:\Emergency
2013-05-30 01:31 - 2012-01-12 04:13 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-05-30 01:13 - 2013-05-30 01:13 - 00000000 ____D C:\Windows\SMINST

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-02-28 15:48:13
Restore point made on: 2013-03-22 18:07:06
Restore point made on: 2013-03-25 02:00:58
Restore point made on: 2013-04-28 18:22:52
Restore point made on: 2013-05-26 16:32:17
Restore point made on: 2013-05-28 02:00:35
Restore point made on: 2013-05-29 09:07:51

==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 8086.17 MB
Available physical RAM: 7308.54 MB
Total Pagefile: 8084.37 MB
Available Pagefile: 7299.07 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:678.99 GB) (Free:530.21 GB) NTFS (Disk=0 Partition=3)
Drive e: (RECOVERY) (Fixed) (Total:19.53 GB) (Free:10.58 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive e: detected.
Drive f: () (Removable) (Total:1.91 GB) (Free:0.33 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows Vista) (Size: 699 GB) (Disk ID: 07F2837E)
Partition 1: (Not Active) - (Size=102 MB) - (Type=DE)
Partition 2: (Active) - (Size=20 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=679 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 6F20736B)
Partition 1: (Not Active) - (Size=544 GB) - (Type=72)
Partition 2: (Not Active) - (Size=923 GB) - (Type=65)
Partition 3: (Not Active) - (Size=923 GB) - (Type=79)
Partition 4: (Not Active) - (Size=-336763289600) - (Type=0D)

Last Boot: 2011-02-10 11:02

==================== End Of Log ============================
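As an added example (not code from the thread or from FRST itself), here is a small Python triage script that pulls the boot-integrity indicators out of a recovery-mode FRST log like the one above: the TDL4 marker, the "Malware custom entry on BCD" line with its drive letter, the Bamital/volsnap MD5 checks and the MBR code. The sample excerpt is constructed from the lines quoted above, and the line formats it matches are assumptions based on that log.

```python
"""Triage an FRST recovery-mode log for the bootkit indicators seen in this thread.
Added example; the log excerpt below is constructed from the thread's log and the
line formats are assumed to match what FRST prints."""
import re

SAMPLE_LOG = """\
Boot Mode: Recovery
==================== Bamital & volsnap Check =================
C:\\Windows\\System32\\winlogon.exe => MD5 is legit
C:\\Windows\\System32\\Drivers\\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:678.99 GB) (Free:530.21 GB) NTFS (Disk=0 Partition=3)
Drive e: (RECOVERY) (Fixed) (Total:19.53 GB) (Free:10.58 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive e: detected.
==================== MBR & Partition Table ==================
Disk: 0 (MBR Code: Windows Vista) (Size: 699 GB) (Disk ID: 07F2837E)
Partition 2: (Active) - (Size=20 GB) - (Type=07 NTFS)
"""

BOOT_RE = re.compile(r"^Boot Mode: (.+)$", re.M)
TDL4_RE = re.compile(r"^TDL4:\s*(\S+)\s*<=+\s*ATTENTION", re.M)
BCD_RE = re.compile(r"^ATTENTION: Malware custom entry on BCD on drive (\w:) detected", re.M)
MD5_RE = re.compile(r"^(.+?) => MD5 is (.+)$", re.M)
MBR_RE = re.compile(r"^Disk: (\d+) \(MBR Code: ([^)]+)\)", re.M)
BOOTVOL_RE = re.compile(r"^Drive (\w:) .*==>\[System with boot components", re.M)


def _first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None


def parse_frst(text):
    """Collect the indicators that matter for a boot problem into a plain dict."""
    return {
        "boot_mode": _first(BOOT_RE, text),
        "tdl4": _first(TDL4_RE, text),            # e.g. "custom:26000022"
        "bcd_drive": _first(BCD_RE, text),        # drive carrying the rogue BCD entry
        "boot_volume": _first(BOOTVOL_RE, text),  # volume FRST found boot components on
        "mbr_code": {int(d): code for d, code in MBR_RE.findall(text)},
        "md5_failures": [p for p, v in MD5_RE.findall(text) if v.strip() != "legit"],
    }


def triage(info):
    """Turn the parsed indicators into findings a helper would act on."""
    findings = []
    if info["tdl4"]:
        findings.append(f"TDL4-style bootkit marker: {info['tdl4']}")
    if info["bcd_drive"]:
        on_boot = " (this is the boot volume)" if info["bcd_drive"] == info["boot_volume"] else ""
        findings.append(f"malicious custom BCD entry on drive {info['bcd_drive']}{on_boot}")
    findings += [f"patched system file: {p}" for p in info["md5_failures"]]
    # Heuristic only: an MBR code FRST does not attribute to Windows deserves a look.
    findings += [f"review MBR code on disk {d}: {c}"
                 for d, c in info["mbr_code"].items() if not c.startswith("Windows")]
    return findings


if __name__ == "__main__":
    for finding in triage(parse_frst(SAMPLE_LOG)):
        print("FINDING:", finding)
```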



#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:28 PM

Posted 30 May 2013 - 11:05 AM

Hi windsorjedi,

 

Welcome to the forum.

 

Please download the attached file fixlist.txt (39 bytes).
Save it to your flash drive.
Boot to System Recovery Options and select "Command Prompt".

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

 

Also please restart, let it boot normally and tell me how it went.



#4 windsorjedi

windsorjedi
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Female
  • Local time:04:28 PM

Posted 30 May 2013 - 11:29 AM

Here is the fix log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-05-2013
Ran by SYSTEM at 2013-05-30 17:12:27 Run:1
Running from F:\
Boot Mode: Recovery
==============================================

The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====


So my computer restarted as though I was turning it on for the first time ever. I had to enter the Wi-Fi password, accept terms & agreements, etc. I should mention that I am using the wrong battery for the computer...I can't find the right one...not sure if this affects any of the information you have been giving me (I keep receiving an error message on the computer stating I am using the wrong battery, therefore the computer won't charge).

 

I am now at a window entitled "Dell Getting Started User Guide"; it would like me to set up "Nero", and security, Create Recovery Disc, Setup Needed, Learn More. Not sure what I do next...do I try these things?



#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:28 PM

Posted 30 May 2013 - 11:44 AM

The battery issue is different. Your computer was infected with a bootkit. The tools you used (in this case HitmanPro) could not remove it fully, leading to a boot issue. Then you attempted a factory restore, which failed because the malware entry was still there. If you had not attempted a factory restore we could just have brought the system back to prior to the infection. Now we removed the malware entry and the system could finish up the factory restore process. I hope this all makes sense to you. So you need to deal with the computer as if you got it from the seller and turned it on.



#6 windsorjedi

windsorjedi
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Female
  • Local time:04:28 PM

Posted 30 May 2013 - 12:20 PM

Alright, I understand what you are saying. I am going to create a system recovery disc before I do anything else, as it is recommending that I complete this. It also wants me to restart to "finish installing important updates"...is this okay? As well, I can see that the computer has a folder on the desktop entitled "Emergency Backup". I am assuming that this is the files that I saved when I did the "Dell DataSafe Restore and Emergency Backup". Would it be safe to open that folder? Or will it have the "bootkit" in it...I think that is where all my pictures/media/videos/documents/personal files would be stored? As well, will my computer still be infected with anything? Or is it wiped clean of viruses, malware, rootkits, bootkits?

 

I really, really appreciate all of your help :)



#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:28 PM

Posted 30 May 2013 - 12:55 PM

> I am going to create a system recovery disc before I do anything else as it is recommending that I complete this.

Yes, that is recommended. You have a recovery partition from which you attempted the factory restore. But if the recovery partition ever gets corrupted, you will have your recovery discs to use.

 

> It also wants me to restart to "finish installing important updates"...is this okay?

Sure. Please do it.

 

> As well, I can see that the computer has a folder on the desktop entitled "Emergency Backup". I am assuming that this is the files that I saved when I did the "Dell DataSafe Restore and Emergency Backup". Would it be safe to open that folder? or will it have the "bootkit" in it...I think that is where all my pictures/media/videos/documents/personal files would be stored?

Indeed, in that folder all your previous personal files and folders are saved. This infection only targets the partitions. So all your personal files are as clean as they were before the infection. Additionally, I recommend you back up your personal data on an external hard drive on a regular basis. Apart from malware infection, there is always a risk of hardware failure.

 

> As well, will my computer still be infected with anything?  or is it wiped clean of viruses,malware,rootkit,bootkits?

Your computer is as clean as when you bought it.

 

And you are most welcome. If you have any other questions before closing the topic, please let me know. :)



#8 windsorjedi

windsorjedi
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Female
  • Local time:04:28 PM

Posted 30 May 2013 - 01:11 PM

What would you recommend that I install to prevent viruses/malware/bootkits/rootkits? Friends have recommended Microsoft Security Essentials, and that I should also use the free version of malwarebytes.org...I really don't want any of this to happen to my computer again. It has not been working for about 6 months or so, and yesterday I decided to tackle it...and look what happened :( Thank goodness for you guys!!

 

As well, we have a second laptop (which I have been using to communicate with you)...I believe it is also infected with something, but not to the extent that the other computer is. Where should I start with it? Is there a special backup I should do first? How do I create system recovery discs, etc.? ...I do not want a repeat of the other computer. Are there things I should be doing on a regular basis, etc.?

 

As I have mentioned earlier, I am pretty computer illiterate....



#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:28 PM

Posted 30 May 2013 - 03:23 PM

I recommend you install one of these good free antiviruses:

Avira
Avast

 

For the laptop you may start a separate topic at this forum.

 

For the other questions regarding making backups, recovery discs, etc., you can start a topic in the technical forums.


Edited by Farbar, 30 May 2013 - 03:23 PM.


#10 windsorjedi

windsorjedi
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Female
  • Local time:04:28 PM

Posted 30 May 2013 - 03:29 PM

Thank you once again!!!



#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:28 PM

Posted 30 May 2013 - 04:23 PM

You are most welcome. :)

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.

