
Windows 7 startup repair post malware/virus removal


  • This topic is locked
2 replies to this topic

#1 msrinivasa

  • Members
  • 1 posts

Posted 04 August 2013 - 11:00 AM

I'm not quite sure how this works, but if someone could please assist me, here is the info from the FRST.exe scan. Thank you ahead of time!

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-08-2013 01
Ran by SYSTEM on 04-08-2013 11:43:44
Running from F:\
Windows 7 Ultimate (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\Run: [] -  [x]
HKLM\...\Run: [avgnt] - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [348664 2012-09-07] (Avira Operations GmbH & Co. KG)
 
========================== Services (Whitelisted) =================
 
S2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [86224 2012-09-07] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [110032 2012-09-07] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [465360 2012-09-07] (Avira Operations GmbH & Co. KG)
S2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1251840 2010-09-17] ()
S2 TuneUp.UtilitiesSvc; C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe [1724192 2013-01-31] (TuneUp Software)
 
==================== Drivers (Whitelisted) ====================
 
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [83392 2012-09-07] (Avira GmbH)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [137928 2012-09-07] (Avira GmbH)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [36000 2012-09-07] (Avira GmbH)
S3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [347136 2009-07-13] (Realtek Semiconductor Corporation                           )
S1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2010-06-17] (Avira GmbH)
S3 TuneUpUtilitiesDrv; C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesDriver32.sys [10088 2012-11-16] (TuneUp Software)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-07-30 15:40 - 2013-07-30 15:40 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2013-07-30 15:39 - 2013-07-30 15:39 - 00000000 ____D C:\Users\Sabrina\AppData\Roaming\WinBatch
2013-07-30 15:39 - 2013-07-30 15:39 - 00000000 ____D C:\Users\Sabrina\AppData\Roaming\InstallShield
2013-07-30 14:50 - 2013-07-30 15:38 - 00000280 _____ C:\Windows\setupact.log
2013-07-30 14:50 - 2013-07-30 14:50 - 00000000 _____ C:\Windows\setuperr.log
2013-07-30 14:49 - 2013-07-30 15:34 - 00005903 _____ C:\Windows\WindowsUpdate.log
 
==================== One Month Modified Files and Folders =======
 
2013-08-04 11:37 - 2012-09-17 15:49 - 00000000 ____D C:\Windows\AutoKMS
2013-08-04 11:37 - 2012-08-05 08:37 - 00000000 ____D C:\users\Sabrina
2013-08-04 11:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2013-08-04 11:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2013-08-04 11:26 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles
2013-07-30 16:42 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2013-07-30 16:24 - 2009-09-23 18:34 - 00000000 ____D C:\Users\Sabrina\Documents\TLOD
2013-07-30 16:16 - 2012-08-05 14:41 - 00000355 _____ C:\Users\Sabrina\Documents\The Earth Mission Inc..QBW.ND
2013-07-30 16:16 - 2012-08-05 14:39 - 10108928 ____R C:\Users\Sabrina\Documents\The Earth Mission Inc..QBW
2013-07-30 16:16 - 2012-08-05 14:39 - 00327680 ____R C:\Users\Sabrina\Documents\The Earth Mission Inc..QBW.TLG
2013-07-30 15:40 - 2013-07-30 15:40 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2013-07-30 15:39 - 2013-07-30 15:39 - 00000000 ____D C:\Users\Sabrina\AppData\Roaming\WinBatch
2013-07-30 15:39 - 2013-07-30 15:39 - 00000000 ____D C:\Users\Sabrina\AppData\Roaming\InstallShield
2013-07-30 15:38 - 2013-07-30 14:50 - 00000280 _____ C:\Windows\setupact.log
2013-07-30 15:34 - 2013-07-30 14:49 - 00005903 _____ C:\Windows\WindowsUpdate.log
2013-07-30 15:34 - 2009-07-13 20:34 - 00016384 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-30 15:34 - 2009-07-13 20:34 - 00016384 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-30 15:30 - 2012-08-05 08:42 - 00736514 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-30 14:50 - 2013-07-30 14:50 - 00000000 _____ C:\Windows\setuperr.log
2013-07-30 14:48 - 2012-08-05 14:56 - 00000000 ____D C:\Windows\Minidump
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2013-01-08 04:09] - [2012-09-06 08:48] - 0245616 ____A (Microsoft Corporation) 59F06B4968E58BC83DFC56CA4517960E
 
 
TDL4: custom:26000022 <===== ATTENTION!
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-01-07 18:29:52
Restore point made on: 2013-02-04 03:13:26
Restore point made on: 2013-02-05 01:16:35
Restore point made on: 2013-02-07 01:00:46
Restore point made on: 2013-04-19 10:18:52
Restore point made on: 2013-04-19 10:50:33
Restore point made on: 2013-04-19 10:56:17
Restore point made on: 2013-07-30 15:40:13
 
==================== Memory info =========================== 
 
Percentage of memory in use: 18%
Total physical RAM: 2038.4 MB
Available physical RAM: 1660.86 MB
Total Pagefile: 2038.4 MB
Available Pagefile: 1656.29 MB
Total Virtual: 2047.88 MB
Available Virtual: 1932.91 MB
 
==================== Drives ================================
 
Drive c: (SQ004585V03) (Fixed) (Total:110.32 GB) (Free:55.56 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.33 GB) NTFS
Drive f: () (Removable) (Total:0.94 GB) (Free:0.3 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 112 GB) (Disk ID: 32FC1A2F)
Partition 1: (Not Active) - (Size=1 GB) - (Type=27)
Partition 2: (Active) - (Size=110 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 962 MB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=962 MB) - (Type=0B)
 
 
LastRegBack: 2013-02-04 03:40
 
==================== End Of Log ============================
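
The "MBR & Partition Table" section of the log is a decoded view of the first sector of each disk. As an added example (mine, not part of the original post and not FRST's own code), the Python below decodes a raw MBR the same way and runs the sanity checks a triage script should: boot signature present, status bytes valid, exactly one active partition, no overlapping entries. The 512-byte sample sector is constructed to match Disk 0 in the log (Disk ID 32FC1A2F, a type 0x27 recovery partition followed by the active type 0x07 NTFS partition); its code region is zero-filled because the poster's real boot code is not on the page. The code-region hash is there for comparison against a known-good MBR of the same Windows version, which you supply yourself; an MBR bootkit such as the TDL4 flagged above replaces that code region while leaving the partition table intact, so the table alone will look clean.

```python
import hashlib
import struct
from typing import List

SECTOR_SIZE = 512
DISK_SIGNATURE_OFFSET = 0x1B8
PARTITION_TABLE_OFFSET = 0x1BE
BOOT_SIGNATURE = b"\x55\xAA"

# Type bytes that appear in the log above; anything else is reported raw.
PARTITION_TYPES = {
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x27: "Hidden NTFS (Windows RE)",
}


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR matching Disk 0 in the log: Disk ID 32FC1A2F,
    partition 1 type 0x27 not active, partition 2 type 0x07 active. The boot
    code region is zero-filled; this is test data, not the poster's sector."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, DISK_SIGNATURE_OFFSET, 0x32FC1A2F)
    entries = [
        # (status, type, first LBA, sector count); sizes chosen to match the log
        (0x00, 0x27, 2_048, 3_061_760),         # ~1.46 GB recovery partition
        (0x80, 0x07, 3_063_808, 231_358_464),   # ~110.32 GB NTFS, active
    ]
    for index, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, PARTITION_TABLE_OFFSET + 16 * index,
                         status, ptype, lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector: bytes) -> dict:
    """Decode the partition table and run the checks a triage script should:
    boot signature present, status bytes valid, count of active partitions,
    overlapping entries. The SHA-256 of the code region (bytes 0..0x1B7) is
    for comparison against a known-good MBR baseline that the caller supplies."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    disk_id = struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)[0]
    partitions = []
    for index in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PARTITION_TABLE_OFFSET + 16 * index)
        if ptype == 0x00:
            continue  # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"partition {index + 1}: bad status byte {status:#04x}")
        partitions.append({
            "number": index + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown ({ptype:#04x})"),
            "first_lba": lba,
            "sectors": count,
            "size_gb": count * SECTOR_SIZE / 2**30,
        })
    ordered = sorted(partitions, key=lambda p: p["first_lba"])
    overlapping = [
        (a["number"], b["number"]) for a, b in zip(ordered, ordered[1:])
        if b["first_lba"] < a["first_lba"] + a["sectors"]
    ]
    return {
        "disk_id": f"{disk_id:08X}",
        "partitions": partitions,
        "active_count": sum(p["active"] for p in partitions),
        "overlapping": overlapping,
        "boot_code_sha256": hashlib.sha256(sector[:DISK_SIGNATURE_OFFSET]).hexdigest(),
    }


def describe(info: dict) -> List[str]:
    """Render the result in the same shape as the log's MBR section."""
    lines = [f"Disk ID: {info['disk_id']}  active partitions: {info['active_count']}"]
    for p in info["partitions"]:
        flag = "Active" if p["active"] else "Not Active"
        lines.append(f"Partition {p['number']}: ({flag}) - (Size={p['size_gb']:.2f} GB) "
                     f"- (Type={p['type']:02X} {p['type_name']})")
    if info["overlapping"]:
        lines.append(f"WARNING: overlapping partitions {info['overlapping']}")
    return lines


if __name__ == "__main__":
    for line in describe(parse_mbr(build_sample_mbr())):
        print(line)
```

To use it on a real machine, read the first 512 bytes of the physical disk (from the recovery environment, not the infected OS) and pass them to `parse_mbr`; the log's "MBR Code: Windows 7 or Vista" label is the same idea as the code-region hash, a comparison of the boot code against known-good code, which is why a valid-looking table and a TDL4 flag can appear in the same log.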
 

#2 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 06 August 2013 - 04:12 PM

Good evening. :)

Open Notepad and copy and paste the following text into it and save it alongside FRST on the flash drive as fixlist.txt:

TDL4: custom:26000022 <===== ATTENTION!

Run FRST as previously, but this time click the Fix button just once and wait.
Once complete, the results will be written to the text file Fixlog.txt, saved alongside FRST as before; please let me have the contents of the file in your next reply.

Also, try to boot the PC normally and tell me what happens.

 


So long, and thanks for all the fish.
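
An added example (mine, not the responder's or Farbar's code) of the triage step that precedes the reply above: a Python pass over the posted FRST log that pulls out the lines a malware-response volunteer reads first and assembles fixlist.txt the same way, from the line FRST flagged with ATTENTION. The sample input is an excerpt of the log posted in this thread, trimmed to the lines the script keys on. The heuristics are my reading of the log format as shown above, not FRST's documented rules: an empty `()` publisher field on a service or driver line, a Run value ending in `[x]`, and an `=> MD5` line not reported as legit are all prompts to look closer, not findings by themselves.

```python
import re
from typing import Dict, List

SECTION_HEADER = re.compile(r"^=+\s+(.+?)\s+=+\s*$")
ATTENTION_MARK = "<===== ATTENTION"
CODE_SECTIONS = ("Services (Whitelisted)", "Drivers (Whitelisted)")

# Constructed excerpt of the FRST.txt posted above, trimmed to the lines this
# script keys on. It is an excerpt of that log, not a new scan.
SAMPLE_LOG = r"""Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-08-2013 01
Boot Mode: Recovery

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\Run: [] -  [x]

========================== Services (Whitelisted) =================

S2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [110032 2012-09-07] (Avira Operations GmbH & Co. KG)
S2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1251840 2010-09-17] ()

==================== Drivers (Whitelisted) ====================

S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [137928 2012-09-07] (Avira GmbH)

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2013-01-08 04:09] - [2012-09-06 08:48] - 0245616 ____A (Microsoft Corporation) 59F06B4968E58BC83DFC56CA4517960E


TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\open\command: "%1" %* => OK
"""


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group the non-blank lines of an FRST log under their '==== name ====' headers.
    Lines before the first header (tool version, boot mode) go under 'Header'."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for raw in log.splitlines():
        line = raw.rstrip()
        header = SECTION_HEADER.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections


def triage(log: str) -> dict:
    """Pull out the lines a responder reads first. The heuristics are my reading
    of the log format (an assumption, not FRST's own rules):
      - ATTENTION marks entries FRST itself flags (here the TDL4 line);
      - a service/driver line ending in '()' carries no publisher in its version info;
      - a Run value ending in '[x]' points at a file that was not found;
      - an '=> MD5' line that is not 'legit' means a core system file was replaced."""
    sections = split_sections(log)
    mode = re.search(r"^Boot Mode:\s*(.+?)\s*$", log, re.M)
    report: dict = {
        "boot_mode": mode.group(1) if mode else None,
        "attention": [],
        "unsigned": [],
        "missing_file": [],
        "md5_failures": [],
    }
    for name, lines in sections.items():
        for line in lines:
            if ATTENTION_MARK in line:
                report["attention"].append(line)
            if name in CODE_SECTIONS and line.endswith("()"):
                report["unsigned"].append(line)
            if name == "Registry (Whitelisted)" and line.endswith("[x]"):
                report["missing_file"].append(line)
            if "=> MD5" in line and not line.endswith("MD5 is legit"):
                report["md5_failures"].append(line)
    return report


def build_fixlist(log: str) -> str:
    """fixlist.txt content assembled the way the reply above does it by hand:
    each ATTENTION-flagged line copied verbatim, one per line."""
    return "".join(line + "\n" for line in triage(log)["attention"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("--- fixlist.txt ---")
    print(build_fixlist(SAMPLE_LOG), end="")
```

Run over the excerpt, the only fixlist line is the TDL4 one, matching the reply. The other hits are context rather than findings: the `QBVSS` service with an empty publisher field sits under Intuit's DataProtect path (QuickBooks), and the responder did not put it in the fix; the `[x]` Run value is an empty entry. The `boot_mode` field matters because FRST's own note in the log says a full FRST.txt and Addition.txt only come from a Normal or Safe mode run, so a Recovery-mode log is the reduced set shown here.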

 

 


#3 Noviciate

Posted 11 August 2013 - 01:13 PM

As there has been no response for five days this thread is now closed.


So long, and thanks for all the fish.