
Problem after removing ICE Cyber Crime Center


  • This topic is locked
24 replies to this topic

#1 tcrochet

tcrochet

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:14 AM

Posted 01 June 2014 - 04:37 AM

This occurred on two Dell Inspiron Windows 7 computers:

 

After removing the ICE Cyber Crime Center ransomware with HitmanPro Kickstart I am no longer able to boot to Windows. I can only get the screen where you can choose to run Startup Repair or Start Windows Normally. Both choices cause the computers to automatically restart themselves over and over. I tried to restore one to factory condition and, after going through all the recovery disks and restarting, the same screen with Startup Repair and Start Windows Normally appears. It did not reformat. So I tried KillDisk to reformat it and got the same result. It returned to the same screen with Startup Repair and Start Windows Normally.

 

Does anyone have any idea what I can do next?


Edited by hamluis, 01 June 2014 - 10:15 AM.
Moved from Win 7 to Malware Removal Logs - Hamluis.




#2 hamluis

hamluis

    Moderator


  • Moderator
  • 56,559 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:06:14 AM

Posted 01 June 2014 - 07:07 AM

Posted link on Unbootable Due To Malware List.

 

Please be patient, someone from BC Staff will assist you shortly.

 

Louis



#3 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,938 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:14 AM

Posted 01 June 2014 - 09:40 AM


 

We will need to work each computer separately.
 
Please download Farbar Recovery Scan Tool and save it to a flash drive.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 
Plug the flash drive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
     
    If you are using Vista or Windows 7 enter System Recovery Options.
     
    To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
    Note: In case you can not enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html
     
    To enter System Recovery Options by using a Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
      Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
     
    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 tcrochet

tcrochet
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:14 AM

Posted 02 June 2014 - 03:39 PM

Had to use the Win 7 64-bit repair disk. All other options did not work.
Thanks in advance for your assistance!
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-06-2014 01
Ran by SYSTEM on MININT-7KBV72I on 02-06-2014 21:32:52
Running from F:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Stage Remote] => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
HKLM\...\Run: [DellStage] => C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe [2055016 2011-04-29] ()
HKLM-x32\...\Run: [Dell DataSafe Online] => C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] => C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [35736 2010-11-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-11-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [1658440 2011-03-12] (McAfee, Inc.)
HKLM-x32\...\Run: [NeroLauncher] => C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe [75064 2011-07-07] ()
HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [885760 2011-04-29] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
 
==================== Services (Whitelisted) =================
 
S3 McAWFwk; C:\Program Files\mcafee\msc\McAWFwk.exe [224704 2011-03-08] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [501768 2011-03-17] (McAfee, Inc.)
S2 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [197960 2011-03-13] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [208272 2011-03-13] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [158832 2011-03-13] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
 
==================== Drivers (Whitelisted) ====================
 
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [65128 2011-03-13] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [156792 2011-03-13] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [227856 2011-03-13] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [481376 2011-03-13] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [639216 2011-03-13] (McAfee, Inc.)
S1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75672 2011-03-13] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [98728 2011-03-13] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [281928 2011-03-13] (McAfee, Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-06-02 21:32 - 2014-06-02 21:32 - 00000000 ____D () C:\FRST
2014-06-02 18:08 - 2014-06-02 18:08 - 00000452 _____ () C:\Users\Public\Desktop\Emergency Backup.lnk
2014-06-02 18:08 - 2014-06-02 18:08 - 00000452 _____ () C:\ProgramData\Desktop\Emergency Backup.lnk
2014-06-02 18:04 - 2014-06-02 18:04 - 00000000 ____D () C:\Emergency
2014-06-02 17:49 - 2014-06-02 17:49 - 00000000 ____D () C:\Windows\SMINST
 
==================== One Month Modified Files and Folders =======
 
2014-06-02 21:32 - 2014-06-02 21:32 - 00000000 ____D () C:\FRST
2014-06-02 18:08 - 2014-06-02 18:08 - 00000452 _____ () C:\Users\Public\Desktop\Emergency Backup.lnk
2014-06-02 18:08 - 2014-06-02 18:08 - 00000452 _____ () C:\ProgramData\Desktop\Emergency Backup.lnk
2014-06-02 18:04 - 2014-06-02 18:04 - 00000000 ____D () C:\Emergency
2014-06-02 18:04 - 2012-02-21 16:01 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-06-02 17:49 - 2014-06-02 17:49 - 00000000 ____D () C:\Windows\SMINST
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Restore Points  =========================
 
Restore point made on: 2014-04-28 22:54:37
Restore point made on: 2014-05-03 03:00:22
Restore point made on: 2014-05-07 03:00:22
Restore point made on: 2014-05-14 03:00:27
Restore point made on: 2014-05-21 05:18:09
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 4060.98 MB
Available physical RAM: 3431.21 MB
Total Pagefile: 4059.18 MB
Available Pagefile: 3434.71 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:453.69 GB) (Free:410.47 GB) NTFS
Drive d: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.18 GB) (Free:0 GB) UDF
Drive f: (8GB) (Removable) (Total:7.52 GB) (Free:7.52 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:12.03 GB) (Free:3 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 466 GB) (Disk ID: 86C69001)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=12 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=454 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 8 GB) (Disk ID: 19D07B90)
Partition 1: (Active) - (Size=8 GB) - (Type=0B)
 
 
LastRegBack: 2011-02-10 11:02
 
==================== End Of Log ============================

Edited by tcrochet, 02 June 2014 - 03:41 PM.


#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,938 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:14 AM

Posted 02 June 2014 - 10:07 PM

There is no sign of malware. Is this computer unbootable? The only entries I can see are McAfee entries.

 

Run FRST64 once again. This time around put a check mark on List BCD and run a scan. Post its report.




#6 tcrochet

tcrochet
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:14 AM

Posted 03 June 2014 - 12:23 AM

This computer is unbootable. After removing the ICE Cyber Crime Center ransomware with HitmanPro Kickstart I am no longer able to boot to Windows. I can only get the screen where you can choose to run Startup Repair or Start Windows Normally. Both choices cause the computer to automatically restart over and over. As a matter of fact, I was unable to get to System Recovery by Advanced Boot Options or by the Windows install disk. Every time I would choose the "Repair your computer" option it would just restart as noted above. I had to use the Windows 7 64-bit repair disk to get the option "Repair your computer" to work without automatically restarting.

And what is really strange is that this occurred exactly the same way on another computer infected with the ICE Cyber Crime Center. The computer that I did not try your procedure on, I reformatted the hard drive with Hiren's boot disk and I ordered recovery disks, hoping that will work to resolve the issue. But for the other computer I will continue to follow your instructions to hopefully get it to boot to Windows again.

Thanks again for sharing your knowledge and your time.

Tomorrow morning I will run the FRST64 again with checking the list BCD option and post the results.


Edited by tcrochet, 03 June 2014 - 12:25 AM.


#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,938 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:14 AM

Posted 03 June 2014 - 07:44 AM

Run FRST64 once again. This time around put a check mark on List BCD and run a scan. Post its report.




#8 tcrochet

tcrochet
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:14 AM

Posted 03 June 2014 - 12:14 PM

Here are the results of the scan you requested:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-06-2014 01
Ran by SYSTEM on MININT-36DD3EO on 03-06-2014 21:08:20
Running from F:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Stage Remote] => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
HKLM\...\Run: [DellStage] => C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe [2055016 2011-04-29] ()
HKLM-x32\...\Run: [Dell DataSafe Online] => C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] => C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [35736 2010-11-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-11-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [1658440 2011-03-12] (McAfee, Inc.)
HKLM-x32\...\Run: [NeroLauncher] => C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe [75064 2011-07-07] ()
HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [885760 2011-04-29] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
 
==================== Services (Whitelisted) =================
 
S3 McAWFwk; C:\Program Files\mcafee\msc\McAWFwk.exe [224704 2011-03-08] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [501768 2011-03-17] (McAfee, Inc.)
S2 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [197960 2011-03-13] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [208272 2011-03-13] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [158832 2011-03-13] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
 
==================== Drivers (Whitelisted) ====================
 
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [65128 2011-03-13] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [156792 2011-03-13] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [227856 2011-03-13] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [481376 2011-03-13] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [639216 2011-03-13] (McAfee, Inc.)
S1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75672 2011-03-13] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [98728 2011-03-13] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [281928 2011-03-13] (McAfee, Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-06-02 21:32 - 2014-06-03 21:08 - 00000000 ____D () C:\FRST
2014-06-02 18:08 - 2014-06-02 18:08 - 00000452 _____ () C:\Users\Public\Desktop\Emergency Backup.lnk
2014-06-02 18:08 - 2014-06-02 18:08 - 00000452 _____ () C:\ProgramData\Desktop\Emergency Backup.lnk
2014-06-02 18:04 - 2014-06-02 18:04 - 00000000 ____D () C:\Emergency
2014-06-02 17:49 - 2014-06-02 17:49 - 00000000 ____D () C:\Windows\SMINST
 
==================== One Month Modified Files and Folders =======
 
2014-06-03 21:08 - 2014-06-02 21:32 - 00000000 ____D () C:\FRST
2014-06-02 18:08 - 2014-06-02 18:08 - 00000452 _____ () C:\Users\Public\Desktop\Emergency Backup.lnk
2014-06-02 18:08 - 2014-06-02 18:08 - 00000452 _____ () C:\ProgramData\Desktop\Emergency Backup.lnk
2014-06-02 18:04 - 2014-06-02 18:04 - 00000000 ____D () C:\Emergency
2014-06-02 18:04 - 2012-02-21 16:01 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-06-02 17:49 - 2014-06-02 17:49 - 00000000 ____D () C:\Windows\SMINST
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Restore Points  =========================
 
Restore point made on: 2014-04-28 22:54:37
Restore point made on: 2014-05-03 03:00:22
Restore point made on: 2014-05-07 03:00:22
Restore point made on: 2014-05-14 03:00:27
Restore point made on: 2014-05-21 05:18:09
 
==================== BCD ================================
 
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=Y:
description             Windows Boot Manager
locale                  en-us
inherit                 {globalsettings}
default                 {default}
resumeobject            {8e2216c4-5cd8-11e1-8af1-d4bed9c0b1ed}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30
 
Windows Boot Loader
-------------------
identifier              {10d5783e-5cd4-11e1-aabe-d4bed9c0b1ed}
device                  ramdisk=[Y:]\Recovery\WindowsRE\Winre.wim,{10d5783f-5cd4-11e1-aabe-d4bed9c0b1ed}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[Y:]\Recovery\WindowsRE\Winre.wim,{10d5783f-5cd4-11e1-aabe-d4bed9c0b1ed}
systemroot              \windows
nx                      OptIn
winpe                   Yes
 
Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-us
inherit                 {bootloadersettings}
recoverysequence        {10d5783e-5cd4-11e1-aabe-d4bed9c0b1ed}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {8e2216c4-5cd8-11e1-8af1-d4bed9c0b1ed}
nx                      OptIn
bootstatuspolicy        IgnoreShutdownFailures
 
Resume from Hibernate
---------------------
identifier              {8e2216c4-5cd8-11e1-8af1-d4bed9c0b1ed}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No
 
Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=Y:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes
 
EMS Settings
------------
identifier              {emssettings}
bootems                 Yes
 
Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200
 
RAM Defects
-----------
identifier              {badmemory}
 
Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
 
Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}
 
Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200
 
Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}
 
Device options
--------------
identifier              {10d5783f-5cd4-11e1-aabe-d4bed9c0b1ed}
description             Ramdisk Options
ramdisksdidevice        partition=Y:
ramdisksdipath          \Recovery\WindowsRE\boot.sdi
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 4060.98 MB
Available physical RAM: 3434.34 MB
Total Pagefile: 4059.18 MB
Available Pagefile: 3423.23 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:453.69 GB) (Free:410.47 GB) NTFS
Drive d: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.18 GB) (Free:0 GB) UDF
Drive f: (8GB) (Removable) (Total:7.52 GB) (Free:7.52 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:12.03 GB) (Free:3 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 466 GB) (Disk ID: 86C69001)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=12 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=454 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 8 GB) (Disk ID: 19D07B90)
Partition 1: (Active) - (Size=8 GB) - (Type=0B)
 
 
LastRegBack: 2011-02-10 11:02
 
==================== End Of Log ============================
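The BCD listing above can be checked mechanically rather than by eye. The Python below is an added example for this thread, not FRST code: it parses the `List BCD` text into objects, resolves `{bootmgr}`'s default entry, verifies that the loader's `device` and `osdevice` agree, that every GUID reference points at an object that exists, and that each `ramdisk=` device has a usable options object. `SAMPLE_BCD` is the listing from the post, trimmed to the objects that refer to one another; the assumption that bcdedit's well-known aliases (`{globalsettings}` and the like) resolve by name even when omitted from a dump is mine. Run against this store it reports no errors and one note: bootmgr sits on `partition=Y:` while Windows is on `partition=C:`, so Y: (the RECOVERY partition, which the MBR section of the log does show as the active one) has to stay the active partition.

```python
"""Consistency check for a FRST `List BCD` dump. Added example for this thread, not FRST code.
SAMPLE_BCD is the listing posted above, trimmed to the objects that refer to one another."""
import re

# bcdedit well-known aliases; assumed resolvable by name even when the dump has no explicit object for them.
WELL_KNOWN = {"{bootmgr}", "{default}", "{current}", "{memdiag}", "{ntldr}", "{ramdiskoptions}", "{globalsettings}",
              "{bootloadersettings}", "{resumeloadersettings}", "{dbgsettings}", "{emssettings}", "{badmemory}", "{hypervisorsettings}"}
REF_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}|\{[a-z]+\}")

SAMPLE_BCD = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=Y:
inherit                 {globalsettings}
default                 {default}
resumeobject            {8e2216c4-5cd8-11e1-8af1-d4bed9c0b1ed}
displayorder            {default}

Windows Boot Loader
-------------------
identifier              {10d5783e-5cd4-11e1-aabe-d4bed9c0b1ed}
device                  ramdisk=[Y:]\Recovery\WindowsRE\Winre.wim,{10d5783f-5cd4-11e1-aabe-d4bed9c0b1ed}
path                    \windows\system32\winload.exe
osdevice                ramdisk=[Y:]\Recovery\WindowsRE\Winre.wim,{10d5783f-5cd4-11e1-aabe-d4bed9c0b1ed}

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
inherit                 {bootloadersettings}
recoverysequence        {10d5783e-5cd4-11e1-aabe-d4bed9c0b1ed}
osdevice                partition=C:
resumeobject            {8e2216c4-5cd8-11e1-8af1-d4bed9c0b1ed}

Resume from Hibernate
---------------------
identifier              {8e2216c4-5cd8-11e1-8af1-d4bed9c0b1ed}
device                  partition=C:
path                    \Windows\system32\winresume.exe

Device options
--------------
identifier              {10d5783f-5cd4-11e1-aabe-d4bed9c0b1ed}
ramdisksdidevice        partition=Y:
ramdisksdipath          \Recovery\WindowsRE\boot.sdi
"""


def parse_bcd(text: str) -> dict:
    """Map identifier -> {element: [values]} for each object block (title, dashed underline, elements)."""
    objects = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3 or not lines[1].startswith("---"):
            continue
        obj, key = {}, None
        for line in lines[2:]:
            if line.startswith(" ") and key:          # continuation line of a multi-valued element (inherit)
                obj[key].append(line.strip())
            elif (m := re.match(r"(\S+)\s+(.*)", line)):
                key = m.group(1)
                obj.setdefault(key, []).append(m.group(2).strip())
        if "identifier" in obj:
            objects[obj["identifier"][0]] = obj
    return objects


def check_bcd(objects: dict) -> tuple:
    """Return (errors, notes): errors break the boot chain, notes need cross-checking against the partition table."""
    errors, notes = [], []
    bootmgr = objects.get("{bootmgr}")
    if bootmgr is None:
        return ["no {bootmgr} object in the store"], notes
    bm_dev = bootmgr.get("device", [""])[0]
    default = bootmgr.get("default", [""])[0]
    loader = objects.get(default)
    if loader is None:
        errors.append(f"{{bootmgr}} default {default} does not resolve to a loader object")
    else:
        dev, osdev = loader.get("device", [""])[0], loader.get("osdevice", [""])[0]
        if dev != osdev:
            errors.append(f"default loader device {dev} differs from osdevice {osdev}")
        if dev != bm_dev:
            notes.append(f"bootmgr is on {bm_dev} while Windows is on {dev}: {bm_dev} must be the active MBR partition")
    for ident, obj in objects.items():
        for key, values in obj.items():
            if key == "identifier":
                continue
            for value in values:
                refs = REF_RE.findall(value)
                for ref in refs:
                    if ref not in objects and ref not in WELL_KNOWN:
                        errors.append(f"{ident} {key} references undefined object {ref}")
                if value.startswith("ramdisk=") and not (
                        refs and {"ramdisksdidevice", "ramdisksdipath"} <= set(objects.get(refs[-1], {}))):
                    errors.append(f"{ident} {key}: ramdisk options object is missing or lacks the SDI device/path")
    return errors, notes
```

To run it against a real dump, paste the BCD section of FRST.txt into a file and call `check_bcd(parse_bcd(open(path).read()))`. A loader whose `device` and `osdevice` disagree, or a `recoverysequence` pointing at a GUID that no longer exists, is exactly the kind of damage a removal tool or a failed Startup Repair leaves behind, and `bcdedit` from the recovery Command Prompt can then set the offending element.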


#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,938 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:14 AM

Posted 03 June 2014 - 01:36 PM

Still unable to see what the issue is. Let's take a look at the MBR.
 
Download the enclosed file.
 
Save it in the same location FRST is saved.
 
Launch FRST and click on the Fix button.
 
The tool will make a log on the flashdrive (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and Paste the contents of the Fixlog.txt in your next reply, but attach the MBRDUMP.txt as it is a hex file.

Please download Listparts to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flashdrive into the infected PC.

From an Off position in the computer, enter the System Recovery Options.

To enter the System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on  Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\ListParts.exe (for x64 bit version type e:\ListParts64.exe) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (Result.txt) in the flash drive. Please copy and paste it to your reply.

Edited by JSntgRvr, 03 June 2014 - 01:38 PM.

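What a responder does with the MBRDUMP.txt and ListParts output requested in this post: the Python below is an added example for this thread, not FRST or ListParts code. It parses the 512-byte sector (assumed to be exactly what FRST's `SaveMbr` writes, which is why the moderator asks for it as an attachment rather than pasted text), prints the partition table the way ListParts does, and flags what would stop a BIOS machine booting: a missing 0x55AA signature, zero or several active partitions, overlapping entries, and the absence of the three stock Windows error strings that are visible in the dump posted below. The sample MBR it builds is constructed to match the disk ID and three-partition layout reported in the logs, not the poster's actual bytes.

```python
"""Parse and sanity-check a raw MBR sector such as the MBRDUMP.txt FRST writes for `SaveMbr: Drive=0`.
Added example for this thread, not FRST/ListParts code. Assumption: the dump holds the raw 512 bytes of sector 0."""
import struct

SECTOR = 512
# Partition type bytes that appear in this thread plus a few common ones (informal, not exhaustive).
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0xDE: "Dell OEM utility",
              0x27: "Hidden Windows RE", 0xEE: "GPT protective"}
# Error strings in the stock Windows MBR boot code; all three are visible in the dump posted in this thread.
STOCK_STRINGS = (b"Invalid partition table", b"Error loading operating system", b"Missing operating system")


def parse_mbr(mbr: bytes) -> dict:
    """Decode the disk signature, the four partition-table slots and the 0x55AA boot signature."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    partitions = []
    for slot in range(4):
        flag, _chs0, ptype, _chs1, lba_start, sectors = struct.unpack_from("<B3sB3sII", mbr, 0x1BE + 16 * slot)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({"slot": slot + 1, "active": flag == 0x80, "type": ptype,
                           "type_name": PART_TYPES.get(ptype, "unknown"), "lba_start": lba_start,
                           "sectors": sectors, "size_mb": sectors * SECTOR / 2**20})
    return {"disk_id": struct.unpack_from("<I", mbr, 0x1B8)[0],
            "signature_ok": mbr[0x1FE:0x200] == b"\x55\xAA",
            "stock_strings": all(s in mbr[:0x1B8] for s in STOCK_STRINGS),
            "partitions": partitions}


def check_mbr(info: dict) -> list:
    """Findings that would stop a BIOS machine booting from this disk; [] when the table looks sane.
    The stock-string test only says the boot code *looks* stock: a bootkit can keep the strings, so treat it as a hint."""
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: the sector is not a valid MBR")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions; BIOS boot needs exactly one")
    by_start = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for p in by_start:
        if p["lba_start"] == 0:
            findings.append(f"slot {p['slot']} starts at LBA 0 and overlaps the MBR itself")
    for a, b in zip(by_start, by_start[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"slots {a['slot']} and {b['slot']} overlap")
    if not info["stock_strings"]:
        findings.append("stock Windows error strings absent: boot code is non-standard or was replaced")
    return findings


def load_dump(path: str) -> bytes:
    """Read the first sector of a dump file such as MBRDUMP.txt."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def _entry(flag: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields carry the usual 0xFE 0xFF 0xFF 'beyond CHS, use LBA' filler.
    return struct.pack("<B3sB3sII", flag, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, sectors)


def build_sample_mbr() -> bytes:
    """Constructed sample, not the bytes from the thread: stock-looking boot code, the disk ID FRST reported
    (86C69001) and the three-partition layout ListParts reported (hidden Dell 0xDE, active 12 GB NTFS, 453 GB NTFS)."""
    code = bytearray(0x1B8)
    msgs = b"\x00".join(STOCK_STRINGS)
    code[0x100:0x100 + len(msgs)] = msgs
    table = (_entry(0x00, 0xDE, 63, 79872)              # 39 MB hidden OEM utility partition
             + _entry(0x80, 0x07, 81920, 25165824)      # 12 GB RECOVERY partition, active: holds bootmgr
             + _entry(0x00, 0x07, 25247744, 950009856)  # 453 GB OS partition
             + bytes(16))                               # empty fourth slot
    return bytes(code) + struct.pack("<I", 0x86C69001) + b"\x00\x00" + table + b"\x55\xAA"


if __name__ == "__main__":
    import sys
    info = parse_mbr(load_dump(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr())
    print(f"disk id {info['disk_id']:08X}  signature ok: {info['signature_ok']}  stock code strings: {info['stock_strings']}")
    for p in info["partitions"]:
        print(f"  slot {p['slot']} {'*' if p['active'] else ' '} type {p['type']:02X} {p['type_name']:<17}"
              f" start LBA {p['lba_start']:>10}  {p['size_mb']:>9.0f} MB")
    print("findings:", check_mbr(info) or "none")
```

Run it as `python mbrcheck.py MBRDUMP.txt` from a machine with Python, or with no argument to see the constructed sample. A table that parses cleanly with one active NTFS partition, as the FRST output here shows, shifts suspicion away from the MBR and towards the boot files on the active partition or the Windows installation itself; a stronger check of the 440 code bytes is to hash them and compare against a sector taken from a known-good Windows 7 disk, which needs a reference this thread does not contain.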


#10 tcrochet

tcrochet
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:14 AM

Posted 03 June 2014 - 03:06 PM

Thanks for your continued assistance. Here are the results of the scans:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-06-2014 01
Ran by SYSTEM at 2014-06-04 01:59:43 Run:1
Running from F:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
Start
SaveMbr: Drive=0
End
*****************
 
MBRDUMP.txt is made successfully.
 
==== End of Fixlog ====
 
3ÀŽÐ¼ |ŽÀŽØ¾ |¿ ¹ üó¤PhËû¹ ½¾€~  |…ƒÅâñ͈V UÆFÆF ´A»ªUÍ]rûUªu ÷Á tþFf`€~ t&fh    fÿvh  h |h h ´BŠV ‹ôÍŸƒÄžë¸» |ŠV ŠvŠNŠnÍfasþN… €~ €„Š ²€ë‚U2äŠV Í]ëœ>þ}Uªunÿv èŠ … °Ñædè °ßæ`èx °ÿædèq ¸ »Íf#Àu;fûTCPAu2ùr,fh»  fh  fh   fSfSfUfh    fh |  fah  ÍZ2öê |  Í ·ë ¶ë µ2ä ‹ð¬< tü» ´Íëò+Éädë $àø$ÃInvalid partition table Error loading operating system Missing operating sys em    bz™Æ†   Þþ??   †9 €þÿÿ @  ð€ þÿÿþÿÿ 0‚ (¶8                Uª
 
ListParts by Farbar Version: 17-04-2014
Ran by SYSTEM (administrator) on 04-06-2014 at 02:01:53
Windows 7 (X64)
Running From: E:\
Language: 0409
************************************************************
 
========================= Memory info ====================== 
 
Percentage of memory in use: 13%
Total physical RAM: 4060.98 MB
Available physical RAM: 3495.22 MB
Total Pagefile: 4059.18 MB
Available Pagefile: 3466.11 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB
 
======================= Partitions =========================
 
1 Drive c: (OS) (Fixed) (Total:453.69 GB) (Free:410.47 GB) NTFS
2 Drive d: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.18 GB) (Free:0 GB) UDF
3 Drive e: () (Fixed) (Total:29.8 GB) (Free:27.28 GB) FAT32
8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
9 Drive y: (RECOVERY) (Fixed) (Total:12.03 GB) (Free:3 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B         
  Disk 1    Online           29 GB      0 B         
  Disk 2    No Media           0 B      0 B         
  Disk 3    No Media           0 B      0 B         
  Disk 4    No Media           0 B      0 B         
  Disk 5    No Media           0 B      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: 86C69001
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    31 KB
  Partition 2    Primary             12 GB    40 MB
  Partition 3    Primary            453 GB    12 GB
 
======================================================================================================
 
Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 8                      FAT    Partition     39 MB  Healthy    Hidden  
 
======================================================================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   RECOVERY     NTFS   Partition     12 GB  Healthy            
 
======================================================================================================
 
Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    453 GB  Healthy            
 
======================================================================================================
 
Partitions of Disk 1:
===============
 
Disk ID: C3D309B5
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             29 GB    16 KB
 
======================================================================================================
 
Disk: 1
Partition 1
Type  : 0C
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E                FAT32  Partition     29 GB  Healthy            
 
======================================================================================================
============================== MBR Partition Table ==================
 
==============================
Partitions of Disk 0:
===============
Disk ID: 86C69001
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=12 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=454 GB) - (Type=07 NTFS)
 
==============================
Partitions of Disk 1:
===============
Disk ID: C3D309B5
Partition 1: (Not Active) - (Size=30 GB) - (Type=0C)
 
 
****** End Of Log ****** 


#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,938 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:14 AM

Posted 04 June 2014 - 06:51 AM


 

Attach the MBRDUMP.txt, as it is a hex file.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#12 tcrochet

tcrochet
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 04 June 2014 - 10:13 AM

Here is what was on the MBRDUMP file:

 




#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,938 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:14 AM

Posted 04 June 2014 - 11:25 AM

Yes. In order to read this file you need a special program.

 

Click on Reply to this topic. Scroll down to Attach Files. Browse to the MBRDUMP.txt file and click on open, then on Attach This File. Write a small phrase if needed to the main window, then Add Reply.

 

That will attach the file to the reply.




#14 tcrochet

tcrochet
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 04 June 2014 - 06:14 PM

Here is the attachment you requested: (Attached File: MBRDUMP.txt, 512 bytes)



#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,938 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:14 AM

Posted 05 June 2014 - 12:49 PM

The MBR also looks clear.
 
Let's check the integrity of Windows Protected Files:
 
Boot to the Recovery Command prompt. At the prompt type the following and press Enter:

sfc /scannow /offbootdir=y:\ /offwindir=c:\windows

Leave a space between the following arguments:

sfc
/scannow
/offbootdir=y:\
/offwindir=c:\windows

 
Let me know the outcome.

Edited by JSntgRvr, 05 June 2014 - 12:50 PM.

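Post #15 judges the MBR dump "clear". As an added illustration, not code from this thread or from Farbar's tools, the Python below reads a 512-byte MBRDUMP.txt the way a responder would check it: boot signature, disk ID, partition table, and the stock Windows error strings that form the readable part of the dump pasted above. The sample MBR is constructed from the ListParts layout posted in this thread; the LBA start and count values are assumptions.

```python
import struct

SECTOR = 512
# Error strings carried by the stock Windows MBR boot code; they are the
# readable fragments visible in the dump pasted earlier in this thread.
MBR_MESSAGES = (b"Invalid partition table", b"Error loading operating system",
                b"Missing operating system")

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into the fields a responder compares with ListParts."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    parts, flags_ok = [], True
    for i in range(4):                      # four 16-byte entries at offset 0x1BE
        e = mbr[446 + 16 * i: 462 + 16 * i]
        flag, ptype = e[0], e[4]
        start, count = struct.unpack_from("<II", e, 8)
        flags_ok &= flag in (0x00, 0x80)    # any other boot flag is a corrupt entry
        if ptype:                           # type 0 is an empty slot
            parts.append({"active": flag == 0x80, "type": ptype, "start_lba": start,
                          "size_mb": count * SECTOR // 2**20})
    return {"valid_signature": mbr[510:] == b"\x55\xAA",
            "disk_id": "%08X" % struct.unpack_from("<I", mbr, 440)[0],
            "standard_messages": all(m in mbr[:440] for m in MBR_MESSAGES),
            "flags_ok": flags_ok, "active_count": sum(p["active"] for p in parts),
            "partitions": parts}

def looks_clean(info: dict) -> bool:
    """Boot signature, exactly one active partition, sane flags and the stock
    messages; missing messages are not proof of tampering (boot managers
    replace the code too), but they warrant a closer look at the dump."""
    return (info["valid_signature"] and info["active_count"] == 1
            and info["flags_ok"] and info["standard_messages"])

def build_sample_mbr() -> bytes:
    """Constructed sample matching the ListParts layout in this thread
    (Disk ID 86C69001; DE hidden, 07 active, 07); the LBA values are assumed."""
    code = bytearray(440)
    code[300:379] = b"\0".join(MBR_MESSAGES)    # 79 bytes of message text
    table = b""
    for flag, ptype, start, count in ((0x00, 0xDE, 63, 79_872),
                                      (0x80, 0x07, 81_920, 25_165_824),
                                      (0x00, 0x07, 25_247_744, 951_435_264)):
        # CHS fields left zero; modern loaders use the LBA start and count
        table += struct.pack("<B3sB3sII", flag, b"\0\0\0", ptype, b"\0\0\0", start, count)
    table += b"\0" * 16                         # fourth slot unused
    return bytes(code) + struct.pack("<I", 0x86C69001) + b"\0\0" + table + b"\x55\xAA"
```

To check a real dump, pass the bytes of MBRDUMP.txt (read in binary mode) to parse_mbr and compare the partition list with the ListParts output.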




