Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus repeat


  • This topic is locked This topic is locked
38 replies to this topic

#1 bd43stew

bd43stew

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:29 PM

Posted 20 August 2015 - 02:18 PM

I was hit with a virus a few months ago and it looks like I may have been reinfected after trying to synch my iphone with the PC.



BC AdBot (Login to Remove)

 


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,630 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:29 PM

Posted 20 August 2015 - 02:21 PM

Greetings bd43stew and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please run this program for me.

===================================================

Farbar's Recovery Scan Tool

--------------------

For this step you will need a USB flash drive and start on a clean computer.
  • From a working computer please download Farbar Recovery Scan Tool and save it to a flash drive. You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Plug the flashdrive into the infected PC and follow the 2 step process below to enter the System Recovery Options using one of the three options listed, then running Farbar's Recover Scan Tool
----------

Entering into the System Recovery Options

Option #1

To enter System Recovery Options in Windows 8:Option #2

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Option #3

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next
----------

Running Farbar's Recovery Scan Tool in System Recovery
  • Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:
  • FRST log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 bd43stew

bd43stew
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:29 PM

Posted 20 August 2015 - 04:00 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-08-2015
Ran by SYSTEM on MININT-TJ3UKE5 (20-08-2015 16:55:13)
Running from H:\
Platform: WIN_7 (X64) Language: English (United States)
Boot Mode: Recovery

Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

ATTENTION: Software hive is not loaded.
BootExecute: autocheck autochk * PCloudBroom64.exe \systemroot\system32\BroomData.bitPCloudBroom64.exe \systemroot\system32\BroomData.bit

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-01-07] (AVAST Software)
S2 MSSQL$MYMOVIES; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [76320 2009-12-09] ()
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S5 ACPI; C:\Windows\System32\drivers\ACPI.sys [334208 2010-11-20] (Microsoft Corporation)
S5 amdxata; C:\Windows\System32\drivers\amdxata.sys [27008 2011-03-10] (Advanced Micro Devices)
S3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [138664 2014-02-15] (SlySoft, Inc.)
S3 AnyDVD; C:\Windows\SysWOW64\Drivers\AnyDVD.sys [138664 2014-02-15] (SlySoft, Inc.)
S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2015-01-07] ()
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [87912 2015-01-07] (AVAST Software)
S1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2015-01-07] (AVAST Software)
S5 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2015-01-07] ()
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2015-01-07] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2015-01-07] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2015-01-07] (AVAST Software)
S5 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2015-01-07] ()
S5 atapi; C:\Windows\System32\drivers\atapi.sys [24128 2009-07-13] (Microsoft Corporation)
S5 CLFS; C:\Windows\System32\CLFS.sys [367696 2009-07-13] (Microsoft Corporation)
S5 CNG; C:\Windows\System32\Drivers\cng.sys [458712 2013-07-04] (Microsoft Corporation)
S5 Disk; C:\Windows\System32\DRIVERS\disk.sys [73280 2009-07-13] (Microsoft Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-09-13] (Symantec Corporation)
S5 FileInfo; C:\Windows\System32\drivers\fileinfo.sys [70224 2009-07-13] (Microsoft Corporation)
S5 FltMgr; C:\Windows\System32\drivers\fltmgr.sys [289664 2010-11-20] (Microsoft Corporation)
S5 Fs_Rec; C:\Windows\System32\Drivers\Fs_Rec.sys [23408 2012-02-29] (Microsoft Corporation)
S5 fvevol; C:\Windows\System32\DRIVERS\fvevol.sys [223752 2013-01-23] (Microsoft Corporation)
S5 hwpolicy; C:\Windows\System32\drivers\hwpolicy.sys [14720 2010-11-20] (Microsoft Corporation)
S5 iaStor; C:\Windows\System32\DRIVERS\iaStor.sys [409624 2009-10-13] (Intel Corporation)
S5 JRAID; C:\Windows\System32\DRIVERS\jraid.sys [115824 2009-10-29] (JMicron Technology Corp.)
S5 KSecDD; C:\Windows\System32\Drivers\ksecdd.sys [95680 2014-04-11] (Microsoft Corporation)
S5 KSecPkg; C:\Windows\System32\Drivers\ksecpkg.sys [155064 2014-10-13] (Microsoft Corporation)
S5 mountmgr; C:\Windows\System32\drivers\mountmgr.sys [94592 2010-11-20] (Microsoft Corporation)
S5 msahci; C:\Windows\System32\drivers\msahci.sys [31104 2010-11-20] (Microsoft Corporation)
S5 msisadrv; C:\Windows\System32\drivers\msisadrv.sys [15424 2009-07-13] (Microsoft Corporation)
S5 Mup; C:\Windows\System32\Drivers\mup.sys [60496 2009-07-13] (Microsoft Corporation)
S5 NDIS; C:\Windows\System32\drivers\ndis.sys [950128 2012-08-22] (Microsoft Corporation)
S5 partmgr; C:\Windows\System32\drivers\partmgr.sys [75120 2012-03-16] (Microsoft Corporation)
S5 pci; C:\Windows\System32\drivers\pci.sys [184704 2010-11-20] (Microsoft Corporation)
S5 pcw; C:\Windows\System32\drivers\pcw.sys [50768 2009-07-13] (Microsoft Corporation)
S5 rdyboost; C:\Windows\System32\drivers\rdyboost.sys [213888 2010-11-20] (Microsoft Corporation)
S5 sbp2port; C:\Windows\System32\drivers\sbp2port.sys [103808 2010-11-20] (Microsoft Corporation)
S5 spldr; C:\Windows\System32\Drivers\spldr.sys [19008 2009-07-13] (Microsoft Corporation)
S5 Tcpip; C:\Windows\System32\drivers\tcpip.sys [1903552 2014-04-04] (Microsoft Corporation)
S5 vdrvroot; C:\Windows\System32\drivers\vdrvroot.sys [36432 2009-07-13] (Microsoft Corporation)
S5 volmgr; C:\Windows\System32\drivers\volmgr.sys [71552 2010-11-20] (Microsoft Corporation)
S5 volmgrx; C:\Windows\System32\drivers\volmgrx.sys [363392 2010-11-20] (Microsoft Corporation)
S5 volsnap; C:\Windows\System32\drivers\volsnap.sys [295808 2010-11-20] (Microsoft Corporation)
S5 Wdf01000; C:\Windows\System32\drivers\Wdf01000.sys [785624 2013-06-25] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-20 16:55 - 2015-01-07 16:57 - 00000000 ____D C:\FRST
2015-08-08 10:15 - 2010-06-16 21:23 - 01967543 _____ C:\Windows\WindowsUpdate.log
2015-08-08 09:42 - 2012-07-07 14:06 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-08-08 09:33 - 2009-07-13 20:51 - 00077561 _____ C:\Windows\setupact.log
2015-08-08 09:31 - 2010-06-18 03:34 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-08-07 22:31 - 2010-06-18 03:34 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-07 18:16 - 2011-08-06 08:54 - 00000406 ____H C:\Windows\Tasks\Norton Security Scan for Brian.job
2015-08-06 16:37 - 2009-07-13 21:13 - 00849462 _____ C:\Windows\System32\PerfStringBackup.INI
2015-08-06 16:37 - 2009-07-13 20:45 - 00018736 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-06 16:37 - 2009-07-13 20:45 - 00018736 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-06 16:28 - 2013-04-06 07:56 - 00000000 ____D C:\Program Files (x86)\Steam
2015-08-06 16:27 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-25 19:13 - 2011-02-28 16:41 - 00003922 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{C56969D9-E45A-40FE-B401-F7EF6324816F}
2015-07-25 17:12 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\FxsTmp

Some files in TEMP:
====================
C:\Users\Brian\AppData\Local\Temp\drm_dyndata_7380012.dll
C:\Users\Brian\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpjukz1o.dll
C:\Users\Brian\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmprwxbpx.dll
C:\Users\Brian\AppData\Local\Temp\Quarantine.exe
C:\Users\Brian\AppData\Local\Temp\sqlite3.dll
C:\Users\Mcx1-GATEWAY\AppData\Local\Temp\uw1bugix.dll

==================== Known DLLs (Whitelisted) =========================

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================

Restore point made on: 2015-07-17 20:00:21
Restore point made on: 2015-07-25 22:15:42
Restore point made on: 2015-08-05 16:25:36

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 8151.09 MB
Available physical RAM: 7321.43 MB
Total Virtual: 8149.24 MB
Available Virtual: 7315.84 MB

==================== Drives ================================

Drive c: (Gateway) (Fixed) (Total:1381.17 GB) (Free:1.04 GB) NTFS
Drive d: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive f: (PQSERVICE) (Fixed) (Total:16 GB) (Free:5.87 GB) NTFS
Drive g: (RONGOLD1) (CDROM) (Total:0.56 GB) (Free:0 GB) CDFS
Drive h: (Lexar) (Removable) (Total:14.61 GB) (Free:14.58 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (Media) (Fixed) (Total:1863.01 GB) (Free:6.78 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 39020B5F)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1397.3 GB) (Disk ID: 40F2CD64)
Partition 1: (Not Active) - (Size=16 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=1381.2 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 14.6 GB) (Disk ID: 17888B7C)
Partition 1: (Not Active) - (Size=14.6 GB) - (Type=0B)

LastRegBack: 2015-08-05 16:18

 



#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,630 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:29 PM

Posted 20 August 2015 - 04:52 PM

Hi Brian,

When did this first start?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 bd43stew

bd43stew
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:29 PM

Posted 20 August 2015 - 05:05 PM

August 8th

#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,630 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:29 PM

Posted 20 August 2015 - 05:21 PM

Thanks, please attempt this.

===================================================

System Restore from System Recovery Options

--------------------

Use one of the following two ways to enter System Recovery Options from the Advanced Boot Options:

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Once you are in the System Recovery Options menu you will get the following options:


Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select System Restore (please be patient as it may take a minute or two to load)
  • Select Next
  • If necessary check Show restore points older than 5 days
  • Left click on the Restore Point dated 2015-08-05 16:25:36, then click Next
  • If you receive a caution screen, make sure your System Drive (C:) is checked, then click Next
  • Click Finish and allow System Restore to run.
  • Attempt to boot your computer into Normal Mode or, if unsuccessful, Safe Mode

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:

  • Are you able to boot?

Edited by Oh My!, 20 August 2015 - 05:23 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 bd43stew

bd43stew
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:29 PM

Posted 20 August 2015 - 08:00 PM

I got an error when trying the system restore from August.  Details say 'System restore failed while copying the registry from the restore point.  The registry in the restore point was damaged and could not be restored'.  It says I can try a different restore point but before I did that wanted to send this note.



#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,630 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:29 PM

Posted 20 August 2015 - 09:11 PM

You can attempt the previous restore points.


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 bd43stew

bd43stew
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:29 PM

Posted 20 August 2015 - 10:25 PM

Same error for other 2 restore points.

#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,630 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:29 PM

Posted 20 August 2015 - 10:28 PM

Please run this.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the windows key Windows_Logo_key.gif + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
LastRegBack: 2015-08-05 16:18
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up), select Repair Your Computer, then select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt). Copy and paste that information in your reply.
  • Please attempt to boot your computer into Normal Mode or, if not, Safe Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Can you boot?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 bd43stew

bd43stew
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:29 PM

Posted 20 August 2015 - 11:04 PM

I was able to boot up (although it did take a lot longer than usual).

 

 

Here is the fixlog:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:20-08-2015
Ran by SYSTEM (2015-08-20 23:46:05) Run:2(
Running from H:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
LastRegBack: 2015-08-05 16:18
*****************

DEFAULT => copied successfully to System32\config\HiveBackup
DEFAULT => restored successfully from registry back up
SAM => copied successfully to System32\config\HiveBackup
SAM => restored successfully from registry back up
SECURITY => copied successfully to System32\config\HiveBackup
SECURITY => restored successfully from registry back up
SOFTWARE => Could not copy
SOFTWARE => restored successfully from registry back up
SYSTEM => copied successfully to System32\config\HiveBackup
SYSTEM => restored successfully from registry back up

==== End of Fixlog 23:55:58 ====



#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,630 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:29 PM

Posted 20 August 2015 - 11:09 PM

Very good. I am ending for the evening but would like you to create a System Restore Point. I will be back online in the morning.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 bd43stew

bd43stew
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:29 PM

Posted 20 August 2015 - 11:30 PM

System restore point is all set. Thanks again for your help! Back at it tomorrow...

#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,630 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:29 PM

Posted 21 August 2015 - 08:46 AM

Excellent, thank you.

Please rerun FRST making sure to check Addition.txt and post both logs.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 bd43stew

bd43stew
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:29 PM

Posted 21 August 2015 - 09:19 AM

Below is the rerun of the FRST log.  I didn't see anywhere to check Addition.txt.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-08-2015
Ran by SYSTEM on MININT-SC6G57P (21-08-2015 09:57:03)
Running from H:\
Platform: Windows 7 Home Premium (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-10-13] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8312352 2009-10-28] (Realtek Semiconductor)
HKLM-x32\...\Run: [JMB36X IDE Setup] => C:\Windows\RaidTool\xInsIDE.exe [36864 2007-03-19] ()
HKLM-x32\...\Run: [BackupManagerTray] => C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe [244480 2009-08-12] (NewTech Infosystems, Inc.)
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE [90112 2000-05-10] (Creative Technology Ltd.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [979328 2010-10-12] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [My Movies Tray] => C:\Program Files (x86)\Binnerup Consult\My Movies for Windows Media Center\My Movies Tray.exe [501280 2014-01-19] (Binnerup Consult)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG)
HKLM-x32\...\Run: [Codec Settings UAC Manager] => C:\Windows\SysWOW64\C2MP\CodecUACManager.exe [58648 2014-09-27] ()
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-01-27] (AVAST Software)
HKLM\...\Winlogon: [Userinit] C:\Windows\SysWOW64\userinit.exe,
HKU\Brian\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATIHVA.EXE [239488 2011-04-24] (SEIKO EPSON CORPORATION)
HKU\Brian\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
HKU\Brian\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.)
HKU\Brian\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-10-17] (Apple Inc.)
HKU\Brian\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [1940160 2014-11-18] (Valve Corporation)
HKU\Brian\...\Run: [EPLTarget\P0000000000000001] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATIHVA.EXE [239488 2011-04-24] (SEIKO EPSON CORPORATION)
HKU\Brian\...\Run: [AnyDVD] => C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVD.exe [93096 2014-03-02] (SlySoft, Inc.)
HKU\Brian\...\Run: [Hobbyist Software VLC Streamer] => C:\Program Files (x86)\Hobbyist Software\VLC Streamer\VLC Streamer Configuration.exe [1190728 2014-06-07] (Hobbyist Software)
HKU\Brian\...\Run: [Spotify Web Helper] => C:\Users\Brian\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-11-28] (Spotify Ltd)
HKU\Default\...\RunOnce: [ScrSav] => C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [162336 2009-07-21] ()
HKU\Default User\...\RunOnce: [ScrSav] => C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [162336 2009-07-21] ()
Startup: C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2011-03-11]
ShortcutTarget: Dropbox.lnk ->  (No File)
BootExecute: autocheck autochk * PCloudBroom64.exe \systemroot\system32\BroomData.bitPCloudBroom64.exe \systemroot\system32\BroomData.bit

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-01-07] (AVAST Software)
S2 MSSQL$MYMOVIES; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [76320 2009-12-09] ()
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S5 ACPI; C:\Windows\System32\drivers\ACPI.sys [334208 2010-11-20] (Microsoft Corporation)
S5 amdxata; C:\Windows\System32\drivers\amdxata.sys [27008 2011-03-10] (Advanced Micro Devices)
S3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [138664 2014-02-15] (SlySoft, Inc.)
S3 AnyDVD; C:\Windows\SysWOW64\Drivers\AnyDVD.sys [138664 2014-02-15] (SlySoft, Inc.)
S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2015-01-07] ()
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [87912 2015-01-07] (AVAST Software)
S1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2015-01-07] (AVAST Software)
S5 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2015-01-07] ()
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2015-01-07] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2015-01-07] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2015-01-07] (AVAST Software)
S5 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2015-01-07] ()
S5 atapi; C:\Windows\System32\drivers\atapi.sys [24128 2009-07-13] (Microsoft Corporation)
S5 CLFS; C:\Windows\System32\CLFS.sys [367696 2009-07-13] (Microsoft Corporation)
S5 CNG; C:\Windows\System32\Drivers\cng.sys [458712 2013-07-04] (Microsoft Corporation)
S5 Disk; C:\Windows\System32\DRIVERS\disk.sys [73280 2009-07-13] (Microsoft Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-09-13] (Symantec Corporation)
S5 FileInfo; C:\Windows\System32\drivers\fileinfo.sys [70224 2009-07-13] (Microsoft Corporation)
S5 FltMgr; C:\Windows\System32\drivers\fltmgr.sys [289664 2010-11-20] (Microsoft Corporation)
S5 Fs_Rec; C:\Windows\System32\Drivers\Fs_Rec.sys [23408 2012-02-29] (Microsoft Corporation)
S5 fvevol; C:\Windows\System32\DRIVERS\fvevol.sys [223752 2013-01-23] (Microsoft Corporation)
S5 hwpolicy; C:\Windows\System32\drivers\hwpolicy.sys [14720 2010-11-20] (Microsoft Corporation)
S5 iaStor; C:\Windows\System32\DRIVERS\iaStor.sys [409624 2009-10-13] (Intel Corporation)
S5 JRAID; C:\Windows\System32\DRIVERS\jraid.sys [115824 2009-10-29] (JMicron Technology Corp.)
S5 KSecDD; C:\Windows\System32\Drivers\ksecdd.sys [95680 2014-04-11] (Microsoft Corporation)
S5 KSecPkg; C:\Windows\System32\Drivers\ksecpkg.sys [155064 2014-10-13] (Microsoft Corporation)
S5 mountmgr; C:\Windows\System32\drivers\mountmgr.sys [94592 2010-11-20] (Microsoft Corporation)
S5 msahci; C:\Windows\System32\drivers\msahci.sys [31104 2010-11-20] (Microsoft Corporation)
S5 msisadrv; C:\Windows\System32\drivers\msisadrv.sys [15424 2009-07-13] (Microsoft Corporation)
S5 Mup; C:\Windows\System32\Drivers\mup.sys [60496 2009-07-13] (Microsoft Corporation)
S5 NDIS; C:\Windows\System32\drivers\ndis.sys [950128 2012-08-22] (Microsoft Corporation)
S5 partmgr; C:\Windows\System32\drivers\partmgr.sys [75120 2012-03-16] (Microsoft Corporation)
S5 pci; C:\Windows\System32\drivers\pci.sys [184704 2010-11-20] (Microsoft Corporation)
S5 pcw; C:\Windows\System32\drivers\pcw.sys [50768 2009-07-13] (Microsoft Corporation)
S5 rdyboost; C:\Windows\System32\drivers\rdyboost.sys [213888 2010-11-20] (Microsoft Corporation)
S5 sbp2port; C:\Windows\System32\drivers\sbp2port.sys [103808 2010-11-20] (Microsoft Corporation)
S5 spldr; C:\Windows\System32\Drivers\spldr.sys [19008 2009-07-13] (Microsoft Corporation)
S5 Tcpip; C:\Windows\System32\drivers\tcpip.sys [1903552 2014-04-04] (Microsoft Corporation)
S5 vdrvroot; C:\Windows\System32\drivers\vdrvroot.sys [36432 2009-07-13] (Microsoft Corporation)
S5 volmgr; C:\Windows\System32\drivers\volmgr.sys [71552 2010-11-20] (Microsoft Corporation)
S5 volmgrx; C:\Windows\System32\drivers\volmgrx.sys [363392 2010-11-20] (Microsoft Corporation)
S5 volsnap; C:\Windows\System32\drivers\volsnap.sys [295808 2010-11-20] (Microsoft Corporation)
S5 Wdf01000; C:\Windows\System32\drivers\Wdf01000.sys [785624 2013-06-25] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-20 23:46 - 2015-08-20 23:55 - 00000000 ____D C:\Windows\System32\config\HiveBackup

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-21 09:57 - 2015-01-07 16:57 - 00000000 ____D C:\FRST
2015-08-20 20:28 - 2010-06-16 21:23 - 01974915 _____ C:\Windows\WindowsUpdate.log
2015-08-20 20:28 - 2009-07-13 20:45 - 00018736 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-20 20:28 - 2009-07-13 20:45 - 00018736 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-20 20:24 - 2009-07-13 21:13 - 00849462 _____ C:\Windows\System32\PerfStringBackup.INI
2015-08-20 20:23 - 2014-09-08 16:48 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2015-08-20 20:21 - 2013-04-06 07:56 - 00000000 ____D C:\Program Files (x86)\Steam
2015-08-20 20:21 - 2010-06-18 03:34 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-20 20:19 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-20 20:19 - 2009-07-13 20:51 - 00077729 _____ C:\Windows\setupact.log
2015-08-08 09:42 - 2012-07-07 14:06 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-08-08 09:31 - 2010-06-18 03:34 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-08-07 18:16 - 2011-08-06 08:54 - 00000406 ____H C:\Windows\Tasks\Norton Security Scan for Brian.job
2015-07-25 19:13 - 2011-02-28 16:41 - 00003922 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{C56969D9-E45A-40FE-B401-F7EF6324816F}
2015-07-25 17:12 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\FxsTmp

Some files in TEMP:
====================
C:\Users\Brian\AppData\Local\Temp\drm_dyndata_7380012.dll
C:\Users\Brian\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpqunlxr.dll
C:\Users\Brian\AppData\Local\Temp\Quarantine.exe
C:\Users\Brian\AppData\Local\Temp\sqlite3.dll
C:\Users\Mcx1-GATEWAY\AppData\Local\Temp\uw1bugix.dll

==================== Known DLLs (Whitelisted) =========================

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================

Restore point made on: 2015-07-17 20:00:21
Restore point made on: 2015-07-25 22:15:42
Restore point made on: 2015-08-05 16:25:36
Restore point made on: 2015-08-20 20:26:11

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 8151.09 MB
Available physical RAM: 7220.45 MB
Total Virtual: 8149.24 MB
Available Virtual: 7215.2 MB

==================== Drives ================================

Drive c: (Gateway) (Fixed) (Total:1381.17 GB) (Free:1 GB) NTFS
Drive d: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive f: (PQSERVICE) (Fixed) (Total:16 GB) (Free:5.87 GB) NTFS
Drive g: (RONGOLD1) (CDROM) (Total:0.56 GB) (Free:0 GB) CDFS
Drive h: (Lexar) (Removable) (Total:14.61 GB) (Free:14.58 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (Media) (Fixed) (Total:1863.01 GB) (Free:6.78 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 39020B5F)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1397.3 GB) (Disk ID: 40F2CD64)
Partition 1: (Not Active) - (Size=16 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=1381.2 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 14.6 GB) (Disk ID: 17888B7C)
Partition 1: (Not Active) - (Size=14.6 GB) - (Type=0B)

LastRegBack: 2015-08-05 16:18

==================== End of log ============================






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users