Infamous Win7 Black Screen/Blinking Cursor


This topic is locked. 18 replies to this topic.

#1 knight1fox3 (Members, 10 posts)

Posted 22 April 2014 - 12:43 PM

Basically the title says it all. I have an HP Pavilion G7 laptop that simply won't boot up. This was given to me under the premise that the HDD was most likely ready to fail. I was able to image the existing drive and restore to a new, fully functional HDD. Only, as indicated, the system will not boot. I suspect this machine had a few infections at one time or another based on all the anti-malware directories I can see in the root directory. This issue is almost identical to another user's post in this thread. Obviously each scenario is unique, so the steps listed there won't necessarily apply to my situation.

 

WHAT I'VE TRIED SO FAR:

- Cannot boot in any other mode since the system will not proceed past a flashing cursor (i.e. safe mode, safe mode w/ networking, etc.)

- Created a Win7 boot disk (no install disk provided since the PC has a recovery partition). Also with the boot disk, tried system repair, chkdsk, master boot record fix, etc. No luck there.

- BIOS is set to only boot to HDD, no other devices attached except for the DVDROM (empty tray).

- Downloaded to a flash drive "Farbar Recovery Scan tool" and have the results of the scan log.

 

I'd like to avoid a clean install/complete recovery if possible since this isn't my own machine and I'd like to preserve the user's other installed programs and corresponding software licenses. Once I can get the machine to boot, I can take it from there in the way of any malware that may exist on the machine. Any help/suggestions would be greatly appreciated. Thank you in advance. :)




#2 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,087 posts)

Posted 24 April 2014 - 10:29 AM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now.

==========================
 
Hi knight1fox3,
 
Please copy and paste the FRST log you created into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • FRST log

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#3 knight1fox3 (Topic Starter, Members, 10 posts)

Posted 24 April 2014 - 10:35 AM

Hello Toffee!  Many thanks for your reply and assistance.  Below is the FRST log file contents you requested.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-04-2014
Ran by SYSTEM on MININT-OOBACO2 on 22-04-2014 13:13:01
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2480936 2010-12-16] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [524800 2010-12-13] (IDT, Inc.)
HKLM\...\Run: [HPWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-07-21] (Hewlett-Packard Company)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [111640 2010-07-23] ()
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [976832 2010-06-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35760 2010-06-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HPOSD] => C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [318520 2010-12-13] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [402432 2010-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-01-28] (Apple Inc.)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [578944 2012-03-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [Garmin Lifetime Updater] => C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe [1466760 2012-06-04] (Garmin)
HKLM-x32\...\Run: [UVS10 Preload] => C:\Program Files (x86)\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe [36864 2006-08-09] (Ulead Systems, Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-02-20] (Apple Inc.)
HKLM-x32\...\Run: [SearchProtectAll] => C:\Program Files (x86)\SearchProtect\bin\cltmng.exe
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2014\avgui.exe [4851248 2013-08-26] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2285232 2013-09-08] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Kevin\...\Run: [LightScribe Control Panel] => C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [2736128 2010-11-22] (Hewlett-Packard Company)
HKU\Kevin\...\Run: [Messenger (Yahoo!)] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe [6276408 2011-08-21] (Yahoo! Inc.)
HKU\Kevin\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59872 2012-12-17] (Apple Inc.)
HKU\Kevin\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59872 2012-12-17] (Apple Inc.)
HKU\Kevin\...\Run: [SearchProtect] => C:\Users\Kevin\AppData\Roaming\SearchProtect\bin\cltmng.exe
HKU\Kevin\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Kevin\...\Run: [Google Update] => C:\Users\Kevin\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-09-07] (Google Inc.)

==================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3534896 2013-08-27] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [300640 2013-08-20] (AVG Technologies CZ, s.r.o.)
S2 IBUpdaterService; C:\Windows\system32\dmwu.exe [1453872 2013-05-21] ()
S2 Updater By SweetPacks; C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe [188760 2013-02-28] ()
S2 vToolbarUpdater15.4.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe [1616048 2013-09-08] (AVG Secure Search)
S2 CltMngSvc; C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [X]
S4 NIApplicationWebServer64; "C:\Program Files\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe" -user [X]
S3 OpcEnum; No ImagePath

==================== Drivers (Whitelisted) ====================

S5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [147768 2013-08-01] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [241464 2013-08-22] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [192824 2013-08-22] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [212280 2013-08-22] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [294712 2013-08-22] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123704 2013-08-20] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31544 2013-08-01] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [251192 2013-08-01] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-09-08] (AVG Technologies)
S3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()
S3 OV550I; C:\Windows\System32\Drivers\FilmScan.sys [196992 2008-02-21] (Omnivision Technologies, Inc.)
S3 pfc; C:\Windows\SysWOW64\drivers\pfc.sys [10368 2004-04-01] (Padus, Inc.)
S3 SMIGrabber3C; C:\Windows\System32\Drivers\SmiUsbGrabber3C.sys [821888 2011-01-26] (Windows ® Win 7 DDK provider)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-22 13:11 - 2014-04-22 13:13 - 00000000 ____D () C:\FRST
2014-04-22 12:03 - 2014-04-22 12:03 - 00016384 _____ () C:\BCD_Backup
2014-04-22 12:03 - 2014-04-22 12:03 - 00013312 ___SH () C:\BCD_Backup.LOG

==================== One Month Modified Files and Folders =======

2014-04-22 13:13 - 2014-04-22 13:11 - 00000000 ____D () C:\FRST
2014-04-22 12:03 - 2014-04-22 12:03 - 00016384 _____ () C:\BCD_Backup
2014-04-22 12:03 - 2014-04-22 12:03 - 00013312 ___SH () C:\BCD_Backup.LOG

Files to move or delete:
====================
C:\Users\Kevin\lock.dat


Some content of TEMP:
====================
C:\Users\Kevin\AppData\Local\Temp\-ub58sfx.dll
C:\Users\Kevin\AppData\Local\Temp\3ep_mrdl.dll
C:\Users\Kevin\AppData\Local\Temp\3wjbfjx-.dll
C:\Users\Kevin\AppData\Local\Temp\5qr3ft-b.dll
C:\Users\Kevin\AppData\Local\Temp\9dtwa55o.dll
C:\Users\Kevin\AppData\Local\Temp\Extract.exe
C:\Users\Kevin\AppData\Local\Temp\gveyrxnn.dll
C:\Users\Kevin\AppData\Local\Temp\h-anbvgs.dll
C:\Users\Kevin\AppData\Local\Temp\HPHelpUpdater.exe
C:\Users\Kevin\AppData\Local\Temp\joua51sg.dll
C:\Users\Kevin\AppData\Local\Temp\klep8oeg.dll
C:\Users\Kevin\AppData\Local\Temp\l9zydk43.dll
C:\Users\Kevin\AppData\Local\Temp\mzhbfxnd.dll
C:\Users\Kevin\AppData\Local\Temp\ofauvvlw.dll
C:\Users\Kevin\AppData\Local\Temp\oi_{AB09D9FB-4430-46FF-B8E6-F9C60C9E11FF}.exe
C:\Users\Kevin\AppData\Local\Temp\ok4r__gc.dll
C:\Users\Kevin\AppData\Local\Temp\r1yvaxhz.dll
C:\Users\Kevin\AppData\Local\Temp\Resource.exe
C:\Users\Kevin\AppData\Local\Temp\ric_fq15.dll
C:\Users\Kevin\AppData\Local\Temp\rrdi_klv.dll
C:\Users\Kevin\AppData\Local\Temp\s9pi7a3o.dll
C:\Users\Kevin\AppData\Local\Temp\sjyix5ij.dll
C:\Users\Kevin\AppData\Local\Temp\SP52407.exe
C:\Users\Kevin\AppData\Local\Temp\SP52509.exe
C:\Users\Kevin\AppData\Local\Temp\sp58915.exe
C:\Users\Kevin\AppData\Local\Temp\tmp449D.exe
C:\Users\Kevin\AppData\Local\Temp\tv81a8il.dll
C:\Users\Kevin\AppData\Local\Temp\tvxt5l2m.dll
C:\Users\Kevin\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Kevin\AppData\Local\Temp\ut5i7wlv.dll
C:\Users\Kevin\AppData\Local\Temp\yu-fh0c2.dll
C:\Users\Kevin\AppData\Local\Temp\yxa1rhdp.dll
C:\Users\Kevin\AppData\Local\Temp\ziar5orf.dll
C:\Users\Kevin\AppData\Local\Temp\zprr4apt.dll
C:\Users\Kevin\AppData\Local\Temp\_whwabkp.dll


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================


==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 3893.86 MB
Available physical RAM: 3055.27 MB
Total Pagefile: 3892.06 MB
Available Pagefile: 3042.1 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:450.9 GB) (Free:309.94 GB) NTFS
Drive e: (RECOVERY) (Fixed) (Total:14.56 GB) (Free:1.82 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.31 GB) (Free:0 GB) UDF
Drive g: (REDLION) (Removable) (Total:1.86 GB) (Free:1.59 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: F4AEA3A7)
Partition 00: (Active) - (Size=0) - (Type=00) ATTENTION ===> 0 byte partition bootkit.
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=451 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=15 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 4F57666F)
Partition 1: (Not Active) - (Size=2 GB) - (Type=06)


LastRegBack: 2013-09-08 02:38

==================== End Of Log ============================
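An added example, not part of this thread and not FRST's own code, of the triage a responder does by eye on the Run-key, service and driver sections of a log like the one above. Each FRST line carries an optional `[size date]` and `(Company)` trailer when the file could be read, and `[X]` when it could not be found, so entries with no trailer, no company name, a missing file, or a path under the user profile are the ones to look at first (in this log: SearchProtect, SweetPacks, dmwu.exe, the leftover ComboFix driver). The regexes and the heuristics are mine; the sample lines are copied from the log above and `Google Update` is included to show that a user-profile path on its own is a weak signal.

```python
"""Triage the Run-key, service and driver lines of an FRST log.

Added example for this thread; the heuristics are the ones a responder
applies by hand (file missing, no size/date, no company name, path in a
user-writable directory), not logic FRST itself implements. The sample
lines are copied from the log above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# HKLM\...\Run: [Name] => path [size date] (Company)
RUN_RE = re.compile(r"^(?P<hive>HK.*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<rest>.*)$")
# S2 Name; path [size date] (Company)      (S = stopped, R = running)
SERVICE_RE = re.compile(r"^(?P<start>[SR]\d) (?P<name>[^;]+); (?P<rest>.*)$")
# Optional trailer FRST appends when it can stat the file, [X] when it cannot find it
META_RE = re.compile(
    r"^(?P<path>.*?)(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<company>[^)]*)\))?(?: (?P<missing>\[X\]))?$")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class Finding:
    kind: str            # "run" or "service" (drivers share the service format)
    name: str
    path: str
    reasons: list[str]


def triage(log_text: str) -> list[Finding]:
    """Return every autostart entry that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            kind, name, rest = "run", m["name"], m["rest"]
        elif m := SERVICE_RE.match(line):
            kind, name, rest = "service", m["name"], m["rest"]
        else:
            continue
        if rest == "No ImagePath":
            findings.append(Finding(kind, name, "", ["no ImagePath: orphaned service registration"]))
            continue
        meta = META_RE.match(rest)
        path, missing = meta["path"], meta["missing"] is not None
        reasons = []
        if missing:
            reasons.append("file not found at scan time ([X])")
        else:
            if meta["size"] is None:
                reasons.append("no size/date: FRST could not stat the file")
            if not meta["company"]:
                reasons.append("no company name in version info")
        if any(d in path.lower() for d in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings.append(Finding(kind, name, path, reasons))
    return findings


# Lines copied from the FRST log in this thread (a subset).
SAMPLE_LOG = r"""
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2480936 2010-12-16] (Synaptics Incorporated)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2285232 2013-09-08] ()
HKLM-x32\...\Run: [SearchProtectAll] => C:\Program Files (x86)\SearchProtect\bin\cltmng.exe
HKU\Kevin\...\Run: [SearchProtect] => C:\Users\Kevin\AppData\Roaming\SearchProtect\bin\cltmng.exe
HKU\Kevin\...\Run: [Google Update] => C:\Users\Kevin\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-09-07] (Google Inc.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [300640 2013-08-20] (AVG Technologies CZ, s.r.o.)
S2 IBUpdaterService; C:\Windows\system32\dmwu.exe [1453872 2013-05-21] ()
S2 Updater By SweetPacks; C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe [188760 2013-02-28] ()
S2 CltMngSvc; C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [X]
S3 OpcEnum; No ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:7} {f.name:25} {'; '.join(f.reasons)}")
```

Run it against a full FRST.txt and the clean vendor entries (Synaptics, AVG) drop out while the adware services and the stale driver registration are listed with the reason that caught them; the absence of a company name only means the PE version resource has none, so treat it as a prompt to check the file's signature, not as proof of malice.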



#4 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,087 posts)

Posted 24 April 2014 - 11:30 AM

Hi knight1fox3,

 

MBR Dump Using Farbar's Recovery Scan Tool in the Recovery Environment:
  • From your clean computer, press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter.
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt

SaveMbr: Drive=0
  • Insert the USB device into your infected computer
  • Follow the process below to enter the System Recovery Options using one of the three options listed, then run Farbar's Recovery Scan Tool

 

On a clean machine, please download Farbar Recovery Scan Tool and save it to the flashdrive (if you still have FRST on the flashdrive, then no need to download it again).
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

 

==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter
    Note: Replace the letter e with the drive letter of your flash drive (it should be G).
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the USB called (MBRDUMP.txt)
  • Attach the file to your reply.

 

--------------

To recap, in your next reply I would like to see the following:

  • MBRDUMP.txt (attached)

xXToffeeXx~




#5 knight1fox3 (Topic Starter, Members, 10 posts)

Posted 24 April 2014 - 11:56 AM

Below is the Fixlog log file contents you requested.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 22-04-2014
Ran by SYSTEM at 2014-04-24 12:53:41 Run:1
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
SaveMbr: Drive=0
*****************

MBRDUMP.txt is made successfully.

==== End of Fixlog ====



#6 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,087 posts)

Posted 24 April 2014 - 11:58 AM

Hi knight1fox3,

 

You should have a file named MBRDUMP.txt on your USB, please attach the file to your next reply.

 

xXToffeeXx~




#7 knight1fox3 (Topic Starter, Members, 10 posts)

Posted 24 April 2014 - 12:03 PM


Sorry about that.  Well this is interesting.

 

[Raw 512-byte contents of MBRDUMP.txt pasted as text; the boot-code bytes are not readable here. The visible strings are "Invalid partition table", "Error loading operating system" and "Missing operating system", and the dump ends with the 55 AA boot signature.]



#8 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,087 posts)

Posted 24 April 2014 - 12:31 PM

Hi knight1fox3,

 

You will need to attach the file, otherwise the contents will make no sense and I need a special program like a hex editor to read it. Please click on More Reply Options at the bottom of the page and then under Attach Files click on Choose Files... Use the window that appears to navigate to your USB, double click on MBRDUMP.txt on there and then click on Add Reply once it has finished uploading.

 

xXToffeeXx~




#9 knight1fox3 (Topic Starter, Members, 10 posts)

Posted 24 April 2014 - 12:44 PM


Attached File: MBRDUMP.txt (512 bytes)



#10 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,087 posts)

Posted 24 April 2014 - 01:22 PM

Hi knight1fox3,

 

Thank you for that, I saw what I needed to.

 

Download ListParts to your USB flash drive using your clean computer. Plug the USB drive into the infected machine.

 

Boot your computer into Recovery Environment:

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

[Screenshot: System Recovery Options menu]

  • Select the Command Prompt option.
  • A command window will open.
  • Type notepad then hit Enter.
  • Notepad will open.
  • Click File > Open then select Computer.
  • Note down the drive letter for your USB Drive.
  • Close Notepad.

Back in the command window ....

  • Type e:/listparts.exe and hit Enter (where e: is replaced by the drive letter for your USB drive which you found out during the notepad steps).
  • ListParts will start to run.
  • Press the Scan button.
  • When finished scanning it will make a log Result.txt on the flash drive.
  • Close the command window and then shutdown the computer.
  • Plug the USB into your clean computer, then copy and paste the result.txt log in your next reply.

 

--------------

To recap, in your next reply I would like to see the following:

  • result.txt

xXToffeeXx~




#11 knight1fox3 (Topic Starter, Members, 10 posts)

Posted 24 April 2014 - 01:36 PM

Following the instructions above, I receive the message in CMD prompt: 

 

The subsystem needed to support the image type is not present.

 

[Screenshot: command prompt showing the error message above]



#12 knight1fox3 (Topic Starter, Members, 10 posts)

Posted 25 April 2014 - 11:02 AM

I've got the PC booting to Win7 now.  For whatever reason, the system reserved partition wasn't marked as "active".  I'm not going to try and figure out why that was but the important part is that the PC is now booting.  Thank you so much for all your help.  Very much appreciated.



#13 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,087 posts)

Posted 25 April 2014 - 11:07 AM

Hi knight1fox3,

 

Please still do this for me, I want to see something related to why the computer could not boot before.

 

I have some bad news:

 

Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, steal critical system information, and download and execute files.
 
I highly suggest you disconnect this PC from the Internet immediately, and if possible use a clean computer and a flash drive to transfer the programs I request for you to run. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would be wise to contact those same financial institutions to notify them of your situation.
 
Due to the nature of this trojan, your computer is very likely to be compromised. There is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
 
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 
We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. If you decide to continue cleaning this machine, follow on with the rest of the steps posted below. If you do not want to clean this machine, please let me know.

 

--------------

 

Try these instructions:

 

Download ListParts to your USB flash drive using your clean computer. Plug the USB drive into the infected machine.

 

Boot your computer into Recovery Environment:

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

[Screenshot: System Recovery Options menu]

  • Select the Command Prompt option.
  • A command window will open.
  • Type notepad then hit Enter.
  • Notepad will open.
  • Click File > Open then select Computer.
  • Note down the drive letter for your USB Drive.
  • Close Notepad.

Back in the command window ....

  • Type e:/listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive which you found out during the notepad steps).
  • ListParts will start to run.
  • Press the Scan button.
  • When finished scanning it will make a log Result.txt on the flash drive.
  • Close the command window and then shutdown the computer.
  • Plug the USB into your clean computer, then copy and paste the result.txt log in your next reply.

--------------

 

To recap, in your next reply I would like to see the following:

  • result.txt

xXToffeeXx~


Edited by xXToffeeXx, 25 April 2014 - 11:09 AM.



#14 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,087 posts)

Posted 25 April 2014 - 11:12 AM

Hi knight1fox3,

 

The reason the computer was not booting was to do with a rootkit and how it changed the MBR to boot from a 00 partition, which is invalid. I would like to make sure it is gone as it will make your life cleaning the rest of the computer easier.

If you want to do this on your own then I suggest running TDSSKiller.

 

Please tell me what you want to do though.

 

xXToffeeXx~


Edited by xXToffeeXx, 25 April 2014 - 11:22 AM.

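An added example, not part of this thread and not FRST code, of what the "0 byte partition bootkit" line in the FRST log and the explanation above amount to at the byte level. It parses a 512-byte MBR sector (the same thing `SaveMbr: Drive=0` writes to MBRDUMP.txt): the NT disk signature at offset 440, the four 16-byte partition entries at offset 446 (boot flag, type, LBA start, sector count), and the 55 AA signature at the end. `find_boot_problems` reproduces the condition FRST warns about (an entry flagged active with type 00 or zero length, which standard MBR code will try to chain to and then stop at a blinking cursor), and `set_single_active` is the in-memory equivalent of the diskpart `active` fix the poster ended up applying. The sample sector is constructed to resemble the partition table in the FRST log (disk ID F4AEA3A7, a 199 MB system partition, a 451 GB OS partition and a 15 GB recovery partition, plus the bogus active entry); it is not the real MBRDUMP.txt, and `build_sample_mbr` is a helper written for this example.

```python
"""Inspect a 512-byte MBR sector (what MBRDUMP.txt contains) and reproduce
the condition FRST flags as '0 byte partition bootkit'. Added example for
this thread, not FRST code; the sample sector below is constructed."""
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 440         # 4-byte NT disk signature (FRST's "Disk ID")
TABLE_OFFSET = 446            # four 16-byte partition entries start here
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"       # flag, CHS start, type, CHS end, LBA start, sectors
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of every valid MBR
ACTIVE_FLAG = 0x80
SECTORS_PER_MB = 1024 * 1024 // SECTOR_SIZE


@dataclass
class PartitionEntry:
    index: int         # slot 0..3
    boot_flag: int     # 0x80 active, 0x00 inactive, anything else corrupt
    part_type: int     # 0x07 NTFS/exFAT, 0x00 unused slot
    lba_start: int
    sector_count: int  # length in 512-byte sectors; 0 means no partition

    @property
    def active(self) -> bool:
        return self.boot_flag == ACTIVE_FLAG


def disk_signature(mbr: bytes) -> str:
    """NT disk signature formatted the way FRST prints 'Disk ID'."""
    (sig,) = struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)
    return f"{sig:08X}"


def parse_mbr(mbr: bytes) -> list[PartitionEntry]:
    """Decode the four primary entries; refuse anything that is not an MBR."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 55 AA boot signature; not a valid MBR")
    entries = []
    for i in range(4):
        flag, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append(PartitionEntry(i, flag, ptype, lba, count))
    return entries


def find_boot_problems(entries: list[PartitionEntry]) -> list[str]:
    """Checks for a partition table that will not boot. The first is the one
    behind FRST's ATTENTION line: standard MBR code chains to the first active
    entry, so an active entry of type 00 / zero length stops at a cursor."""
    problems = []
    active = [e for e in entries if e.active]
    for e in active:
        if e.part_type == 0x00 or e.sector_count == 0:
            problems.append(f"slot {e.index}: active but type={e.part_type:02X} "
                            f"size={e.sector_count} sectors (0 byte partition bootkit)")
    if len(active) > 1:
        problems.append(f"{len(active)} slots marked active; expected exactly 1")
    if not active:
        problems.append("no active partition; the system partition must be marked active")
    return problems


def set_single_active(mbr: bytes, index: int) -> bytes:
    """Copy of the sector with only `index` flagged active (what diskpart's
    'active' does). Boot code and disk signature are left untouched."""
    if not 0 <= index <= 3:
        raise ValueError("partition slot must be 0..3")
    buf = bytearray(mbr)
    for i in range(4):
        buf[TABLE_OFFSET + i * ENTRY_SIZE] = ACTIVE_FLAG if i == index else 0x00
    return bytes(buf)


def build_sample_mbr(entries, disk_sig: int = 0xF4AEA3A7) -> bytes:
    """Constructed test sector from (flag, type, lba_start, sector_count)
    tuples; the boot-code area is zero-filled, unlike a real disk."""
    buf = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", buf, DISK_SIG_OFFSET, disk_sig)
    for i, (flag, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, buf, TABLE_OFFSET + i * ENTRY_SIZE,
                         flag, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed to resemble the FRST output in this thread: a bogus active,
# empty entry in slot 0 ahead of the real 199 MB system partition, C:, RECOVERY.
INFECTED_MBR = build_sample_mbr([
    (ACTIVE_FLAG, 0x00, 0, 0),                                   # "Partition 00"
    (ACTIVE_FLAG, 0x07, 2048, 199 * SECTORS_PER_MB),             # SYSTEM (boot files)
    (0x00, 0x07, 2048 + 199 * SECTORS_PER_MB, 451 * 1024 * SECTORS_PER_MB),            # C:
    (0x00, 0x07, 2048 + (199 + 451 * 1024) * SECTORS_PER_MB, 15 * 1024 * SECTORS_PER_MB),  # RECOVERY
])
```

`parse_mbr(open("MBRDUMP.txt", "rb").read())` is the offline equivalent of opening the attachment in a hex editor. Note what the repair does not cover: clearing the bogus flag and marking the system partition active only fixes the table, while the first 440 bytes still hold whatever loader is there, so if a bootkit replaced that code it runs first regardless, which is why the advice above is to follow the diskpart fix with TDSSKiller or a proper MBR rewrite rather than stop once Windows boots.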


#15 knight1fox3 (Topic Starter, Members, 10 posts)

Posted 25 April 2014 - 12:48 PM

Hi knight1fox3,

 

Please still do this for me, I want to see something related to why the computer could not boot before.

 

I have some bad news:

 

Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, steal critical system information, and download and execute files.
 
I highly suggest you disconnect this PC from the Internet immediately, and if possible use a clean computer and a flash drive to transfer the programs I request for you to run. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would be wise to contact those same financial institutions to notify them of your situation.
 
Due to the nature of this trojan, your computer is very likely to be compromised. There is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
 
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 
We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. If you decide to continue cleaning this machine, follow on with the rest of the steps posted below. If you do not want to clean this machine, please let me know.

 


To recap, in your next reply I would like to see the following:

  • result.txt

xXToffeeXx~

Since I can boot the machine (note I made sure to keep the internet disconnected), I ran this within Windows instead of in Recovery.  Here are the contents of result.txt.  Also thank you for the word of caution on this machine being compromised.  I will do my best to clean it up, install secondary AV and firewall protection, and clear up any unwanted programs.  After that I will pass on your advice for the owner of this PC to wipe and reinstall everything.

 

ListParts by Farbar Version: 17-04-2014
Ran by Kevin (administrator) on 25-04-2014 at 13:40:49
Windows 7 (X64)
Running From: E:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 57%
Total physical RAM: 3893.86 MB
Available physical RAM: 1640.34 MB
Total Pagefile: 7785.91 MB
Available Pagefile: 5481.27 MB
Total Virtual: 4095.88 MB
Available Virtual: 3991.46 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:450.9 GB) (Free:309.18 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:14.56 GB) (Free:1.82 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (REDLION) (Removable) (Total:1.86 GB) (Free:1.3 GB) FAT

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB   103 MB         
  Disk 1    Online         1909 MB      0 B         

Partitions of Disk 0:
===============

Disk ID: F4AEA3A7

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            199 MB  1024 KB
  Partition 2    Primary            450 GB   200 MB
  Partition 3    Primary             14 GB   451 GB

======================================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1         SYSTEM       NTFS   Partition    199 MB  Healthy    System (partition with boot components)  

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    450 GB  Healthy    Boot    

======================================================================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D   RECOVERY     NTFS   Partition     14 GB  Healthy            

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: 4F57666F

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1909 MB    31 KB

======================================================================================================

Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     E   REDLION      FAT    Removable   1909 MB  Healthy            

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: F4AEA3A7
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=451 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=15 GB) - (Type=07 NTFS)

==============================
Partitions of Disk 1:
===============
Disk ID: 4F57666F
Partition 1: (Not Active) - (Size=2 GB) - (Type=06)


****** End Of Log ******
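The MBR tampering described in #14 (boot flag pointing at a type 00 partition) and the "MBR Partition Table" section of the ListParts log above, as an added example that is not code from this thread or from Farbar's ListParts: a small Python script that parses a raw 512-byte MBR, renders the table in roughly the shape ListParts prints it, and flags the conditions a partitioning tool would never write (boot flag on an empty type 00 slot, no or several active entries, a bad status byte, a missing 0x55AA signature). The two sample MBRs are constructed here from the layout in the posted log (199 MB SYSTEM active, 450 GB C:, 14 GB RECOVERY; the disk ID F4AEA3A7 is taken from the log, the sector counts are rounded). Reading a real disk through \\.\PhysicalDrive0 needs administrator rights on Windows and is an assumption about the reader's setup, not something done in the thread.

```python
"""Parse and sanity-check a 512-byte MBR. Added example; not code from the thread or from
Farbar's ListParts. The sample MBRs below are constructed from the layout in the posted log."""
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
DISK_ID_OFFSET = 440   # 4-byte NT disk signature (what ListParts prints as "Disk ID")
TABLE_OFFSET = 446     # four 16-byte partition entries
BOOT_SIG_OFFSET = 510  # 0x55AA marks the end of the sector
ACTIVE = 0x80
TYPE_NAMES = {0x00: "empty", 0x05: "extended", 0x06: "FAT16", 0x07: "NTFS",
              0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0xEE: "GPT protective"}

@dataclass
class PartEntry:
    index: int      # 1-based, as ListParts numbers them
    status: int     # 0x80 = active (bootable), 0x00 = inactive; anything else is invalid
    ptype: int      # partition type byte (07 = NTFS in the posted log)
    lba_start: int
    sectors: int

@dataclass
class Mbr:
    disk_id: int
    entries: List[PartEntry]
    has_boot_sig: bool

def read_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """First sector of a raw disk (Windows device path shown; needs administrator rights)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)

def parse_mbr(mbr: bytes) -> Mbr:
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    disk_id = struct.unpack_from("<I", mbr, DISK_ID_OFFSET)[0]
    entries = []
    for i in range(4):
        # status, CHS start (3 legacy bytes, ignored), type, CHS end (ignored), LBA start, sector count
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, TABLE_OFFSET + 16 * i)
        entries.append(PartEntry(i + 1, status, ptype, lba, count))
    return Mbr(disk_id, entries, mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xaa")

def audit_mbr(mbr: bytes) -> List[str]:
    """Findings about the partition table; an empty list means it looks like one a partitioning
    tool would write. Table-level only: the 440 bytes of boot code are not inspected."""
    t = parse_mbr(mbr)
    findings = []
    if not t.has_boot_sig:
        findings.append("missing 0x55AA boot signature at offset 510")
    for e in t.entries:
        if e.status not in (0x00, ACTIVE):
            findings.append(f"entry {e.index}: invalid status byte {e.status:#04x}")
    active = [e for e in t.entries if e.status == ACTIVE]
    if not active:
        findings.append("no active partition: nothing for standard MBR code to chain-load")
    elif len(active) > 1:
        findings.append(f"{len(active)} active partitions; a stock table has exactly one")
    for e in active:
        if e.ptype == 0x00:
            # The pattern described in the thread: the boot flag sits on an unused (type 00) slot,
            # so there is no volume boot record to hand off to.
            findings.append(f"entry {e.index}: active but type 00 (empty slot)")
        elif e.lba_start == 0 or e.sectors == 0:
            findings.append(f"entry {e.index}: active but LBA start or size is zero")
    return findings

def render_table(mbr: bytes) -> List[str]:
    """Lines in roughly the shape of ListParts' 'MBR Partition Table' section."""
    t = parse_mbr(mbr)
    lines = [f"Disk ID: {t.disk_id:08X}"]
    for e in t.entries:
        if e.ptype == 0x00 and e.status != ACTIVE:
            continue  # unused slot; ListParts omits these too
        flag = "Active" if e.status == ACTIVE else "Not Active"
        lines.append(f"Partition {e.index}: ({flag}) - (Size={e.sectors * SECTOR / 2**20:.0f} MB) "
                     f"- (Type={e.ptype:02X} {TYPE_NAMES.get(e.ptype, 'unknown')})")
    return lines

def build_mbr(parts, disk_id: int, boot_code: bytes = b"\x90" * 440) -> bytes:
    """Constructed test data only: parts is a list of (status, type, lba_start, sectors)."""
    assert len(boot_code) == 440 and len(parts) <= 4
    table = b"".join(struct.pack("<B3sB3sII", s, b"\0\0\0", t, b"\0\0\0", lba, n)
                     for s, t, lba, n in parts)
    table += b"\0" * (64 - len(table))
    return boot_code + struct.pack("<I", disk_id) + b"\0\0" + table + b"\x55\xaa"

# Constructed from the posted log: 199 MB SYSTEM (active), 450 GB C:, 14 GB RECOVERY.
# Offsets follow the log's Offset column (1024 KB, 200 MB); sizes are rounded to whole MB/GB.
GB = 1024 * 2048  # sectors per GiB
LAYOUT = [(ACTIVE, 0x07, 2048, 199 * 2048),
          (0x00, 0x07, 409_600, 450 * GB),
          (0x00, 0x07, 409_600 + 450 * GB, 14 * GB)]
GOOD_MBR = build_mbr(LAYOUT, 0xF4AEA3A7)
# Same table with the boot flag moved off SYSTEM onto the empty fourth slot.
TAMPERED_MBR = build_mbr([(0x00,) + LAYOUT[0][1:], LAYOUT[1], LAYOUT[2], (ACTIVE, 0x00, 0, 0)],
                         0xF4AEA3A7)
```

On a live machine, `audit_mbr(read_mbr())` from an elevated prompt gives the table-level view; `render_table` on the same bytes should line up with the "MBR Partition Table" block ListParts produced. The checks only cover the partition table, not the 440 bytes of boot code in front of it, so a clean table does not prove the boot code is original; a rootkit scanner such as the TDSSKiller suggested in #14 covers that part.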





