Trojan in C:\Windows\SysWOW64\explorer.exe? Win7 not booting


This topic is locked. 6 replies to this topic.

#1 DuncR


Posted 28 June 2016 - 01:50 AM

Hi Folks

 

I have a Win7 system that's failing to boot. Windows Auto Repair is unable to fix it. Windows rollback from the Recovery environment fails. Can't boot in safe mode either. Can get into the Recovery environment.

 

Problem Signature 1: 6.1.7600.16385
Problem Signature 2: 6.1.7600.16385

 

I've run FRST and I don't like the look of a couple of explorer.exe items, but I'm unsure of the removal syntax and would like a sanity check from someone used to looking at these logs :)

 

*********

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 26-06-2016 02

Ran by SYSTEM on MININT-1M0T2U6 (27-06-2016 21:40:36)
Running from F:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [VIAAUD] => C:\Program Files (x86)\VIA\VIAudioi\VDeck\VIAAUD.exe
HKLM-x32\...\Run: [HDAudDeck] => C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [2792448 2009-12-03] (VIA)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [gmsd_gb_004010012] => [X]
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2013\avgui.exe [4431848 2015-12-15] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [Carbonite Backup] => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe [1103056 2016-02-10] (Carbonite, Inc.)
HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2016-04-08] (Microsoft Corporation)
HKLM\...\Winlogon: [Shell] explorer.exe [3231232 2016-01-21] ()
HKLM-x32\...\Winlogon: [Shell] explorer.exe [2973184 2016-01-21] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
AppInit_DLLs: c:\progra~3\bitguard\271769~1.27\{c16c1~1\loader.dll => No File
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 avgfws; C:\Program Files (x86)\AVG\AVG2013\avgfws.exe [1442344 2015-12-15] (AVG Technologies CZ, s.r.o.)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4948456 2015-10-05] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-19] (AVG Technologies CZ, s.r.o.)
S3 PNRPsvc; C:\Windows\System32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 QWAVE; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 SensrSvc; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [7028496 2016-05-12] (TeamViewer GmbH)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [73688 2015-06-03] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-11-24] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [158160 2015-05-21] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [209720 2014-11-03] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [360400 2015-05-21] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [204192 2016-03-02] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-10-22] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [249296 2015-05-26] (AVG Technologies CZ, s.r.o.)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S0 KSecDD; C:\Windows\System32\Drivers\ksecdd.sys [95464 2016-04-08] ()
S0 KSecPkg; C:\Windows\System32\Drivers\ksecpkg.sys [154344 2016-04-08] ()
S3 mrxsmb; C:\Windows\System32\DRIVERS\mrxsmb.sys [159744 2016-04-08] ()
S3 mrxsmb20; C:\Windows\System32\DRIVERS\mrxsmb20.sys [129536 2016-04-08] ()
S5 stisvc; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 WNDA3100v3; C:\Windows\System32\DRIVERS\WNDA3100v3.sys [2222224 2014-10-08] (MediaTek Inc.)
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-27 21:39 - 2016-06-27 21:40 - 00000000 ____D C:\FRST
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-27 11:50 - 2015-06-25 06:36 - 00000000 ____D C:\ProgramData\MFAData
2016-06-27 11:50 - 2014-12-11 23:56 - 00000000 ____D C:\Windows\System32\appraiser
2016-06-27 11:50 - 2012-11-07 09:56 - 00000000 ____D C:\users\LogMeInRemoteUser
2016-06-27 11:50 - 2011-11-11 04:19 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-06-27 11:50 - 2011-11-11 04:19 - 00000000 ____D C:\Windows\System32\Macromed
2016-06-27 11:50 - 2011-11-10 07:54 - 00000000 ____D C:\users\Southport FC
2016-06-27 11:50 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2016-06-27 11:50 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2016-06-27 11:50 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2016-06-27 11:50 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2016-06-27 11:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2016-06-27 11:47 - 2015-09-22 23:08 - 00000000 __RHD C:\MSOCache
2016-06-15 05:36 - 2014-02-14 00:40 - 00000000 ____D C:\Windows\System32\MRT
2016-06-15 05:18 - 2012-04-03 23:15 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-06-15 05:17 - 2014-08-01 22:58 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-15 04:28 - 2009-07-13 20:45 - 00028944 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-15 04:28 - 2009-07-13 20:45 - 00028944 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-14 23:17 - 2014-08-01 22:58 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-14 22:55 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-01 03:11 - 2015-10-30 01:42 - 00000000 ___HD C:\$WINDOWS.~BT
2016-06-01 01:40 - 2011-11-10 14:20 - 00000000 ____D C:\Windows\Panther
2016-05-31 22:58 - 2015-09-15 06:56 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-05-31 22:56 - 2015-09-15 06:53 - 00000000 ____D C:\Program Files\Microsoft Office 15
 
Some files in TEMP:
====================
C:\Users\Southport FC\AppData\Local\Temp\ose00000.exe
C:\Users\Southport FC\AppData\Local\Temp\uninst1.exe
 
 
==================== Known DLLs (Whitelisted) =========================
 
[2016-05-11 01:33] - [2016-04-22 20:04] - 2285568 ____A () C:\Windows\SysWOW64\IERTUTIL.dll
[2016-05-11 00:47] - [2016-04-08 22:54] - 0666112 ____A () C:\Windows\SysWOW64\rpcrt4.dll
[2016-02-10 00:47] - [2016-01-21 22:19] - 14179840 ____A () C:\Windows\System32\SHELL32.dll
[2016-02-10 00:47] - [2016-01-21 22:05] - 12877824 ____A () C:\Windows\SysWOW64\SHELL32.dll
[2016-05-11 01:33] - [2016-04-22 19:09] - 1312256 ____A () C:\Windows\SysWOW64\URLMON.dll
[2016-05-11 01:33] - [2016-04-22 19:51] - 2596864 ____A () C:\Windows\System32\WININET.dll
[2016-05-11 01:33] - [2016-04-22 19:12] - 2121216 ____A () C:\Windows\SysWOW64\WININET.dll
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe
[2016-02-10 00:47] - [2016-01-21 21:19] - 3231232 ____A () FE233FBB6844F7EEE569F798D78EA361
 
C:\Windows\explorer.exe => no Company Name <===== ATTENTION
 
C:\Windows\SysWOW64\explorer.exe
[2016-02-10 00:47] - [2016-01-21 21:12] - 2973184 ____A () 69AF9415C769E7E71E63C42B57198AF1
 
C:\Windows\SysWOW64\explorer.exe => no Company Name <===== ATTENTION
 
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Association (Whitelisted) =============
 
 
==================== Restore Points =========================
 
Restore point date: 2016-01-26 05:29
Restore point date: 2016-01-27 01:53
Restore point date: 2016-02-02 05:00
Restore point date: 2016-02-05 01:00
Restore point date: 2016-02-10 00:10
Restore point date: 2016-02-10 01:14
Restore point date: 2016-02-11 00:09
Restore point date: 2016-02-11 03:37
Restore point date: 2016-02-11 23:58
Restore point date: 2016-02-18 23:57
Restore point date: 2016-02-19 02:54
Restore point date: 2016-02-27 00:18
Restore point date: 2016-02-27 01:45
Restore point date: 2016-02-29 00:07
Restore point date: 2016-03-05 09:52
Restore point date: 2016-03-07 00:03
Restore point date: 2016-03-10 00:10
Restore point date: 2016-03-10 01:26
Restore point date: 2016-03-15 00:09
Restore point date: 2016-03-22 02:44
Restore point date: 2016-03-23 00:06
Restore point date: 2016-03-24 06:51
Restore point date: 2016-03-26 00:09
Restore point date: 2016-03-26 03:08
Restore point date: 2016-03-26 07:32
Restore point date: 2016-04-02 06:35
Restore point date: 2016-04-02 07:04
Restore point date: 2016-04-06 03:08
Restore point date: 2016-04-06 05:09
Restore point date: 2016-04-07 01:23
Restore point date: 2016-04-07 04:16
Restore point date: 2016-04-08 00:24
Restore point date: 2016-04-08 02:26
Restore point date: 2016-04-08 03:58
Restore point date: 2016-04-11 00:17
Restore point date: 2016-04-11 01:04
Restore point date: 2016-04-11 02:54
Restore point date: 2016-04-11 04:11
Restore point date: 2016-04-11 05:32
Restore point date: 2016-04-11 06:22
Restore point date: 2016-04-11 06:51
Restore point date: 2016-04-11 07:48
Restore point date: 2016-04-11 09:14
Restore point date: 2016-04-11 10:07
Restore point date: 2016-04-11 10:40
Restore point date: 2016-04-11 11:27
Restore point date: 2016-04-11 12:22
Restore point date: 2016-04-12 00:33
Restore point date: 2016-04-12 01:02
Restore point date: 2016-04-12 01:41
Restore point date: 2016-04-12 02:21
Restore point date: 2016-04-12 02:38
Restore point date: 2016-04-12 02:54
Restore point date: 2016-04-12 03:06
Restore point date: 2016-04-12 03:40
Restore point date: 2016-04-12 23:49
Restore point date: 2016-04-13 00:19
Restore point date: 2016-04-13 00:41
Restore point date: 2016-04-13 01:00
Restore point date: 2016-04-13 01:54
Restore point date: 2016-04-13 02:35
Restore point date: 2016-04-13 23:06
Restore point date: 2016-04-13 23:06
Restore point date: 2016-04-13 23:10
Restore point date: 2016-04-14 23:06
Restore point date: 2016-04-14 23:13
Restore point date: 2016-04-15 03:45
Restore point date: 2016-04-20 23:04
Restore point date: 2016-04-30 05:32
Restore point date: 2016-04-30 05:38
Restore point date: 2016-05-03 05:42
Restore point date: 2016-05-11 06:19
Restore point date: 2016-05-11 23:09
Restore point date: 2016-05-12 02:56
Restore point date: 2016-05-12 23:15
Restore point date: 2016-05-12 23:37
Restore point date: 2016-05-17 23:03
Restore point date: 2016-05-26 22:55
Restore point date: 2016-05-26 22:56
Restore point date: 2016-05-26 22:58
Restore point date: 2016-05-31 23:05
Restore point date: 2016-05-31 23:15
Restore point date: 2016-05-31 23:16
Restore point date: 2016-06-01 03:15
Restore point date: 2016-06-02 03:17
Restore point date: 2016-06-06 03:03
Restore point date: 2016-06-08 23:05
Restore point date: 2016-06-10 03:42
Restore point date: 2016-06-10 03:43
Restore point date: 2016-06-13 00:27
Restore point date: 2016-06-14 23:04
Restore point date: 2016-06-14 23:05
Restore point date: 2016-06-14 23:08
Restore point date: 2016-06-15 05:33
Restore point date: 2016-06-15 23:01
Restore point date: 2016-06-21 04:38
Restore point date: 2016-06-22 05:32
 
==================== Memory info =========================== 
 
Percentage of memory in use: 11%
Total physical RAM: 7933.09 MB
Available physical RAM: 7056.69 MB
Total Virtual: 7931.29 MB
Available Virtual: 7017.7 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:465.66 GB) (Free:268.27 GB) NTFS
Drive f: (CLICKSCR) (Removable) (Total:29.8 GB) (Free:29.79 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 8A248A24)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 29.8 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
 
LastRegBack: 2016-06-07 03:57
 
==================== End of FRST.txt ============================

 

 

Many Thanks!

 





#2 xXToffeeXx

  • Malware Response Instructor

Posted 28 June 2016 - 04:09 AM

Hi DuncR,
 
You are correct that explorer.exe has been replaced. Let's see if we can find a clean copy:
 
On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive (if you already have FRST64.exe saved on the USB then skip this step).
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========


Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • In the search box, type explorer.exe
  • Press Search File(s) button.
  • It will make a log (Search.txt) on the flash drive. Please copy and paste it to your reply.

--------------

To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Search.txt log

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 DuncR

  • Topic Starter

Posted 28 June 2016 - 05:05 AM

Hi Toffee & thanks for the assist.

 

Farbar Recovery Scan Tool (x64) Version: 26-06-2016 02
Ran by SYSTEM (2016-06-28 10:45:57)
Running from F:\
Boot Mode: Recovery
 
================== Search Files: "explorer.exe" =============
 
C:\Windows\explorer.exe
[2016-02-10 00:47][2016-01-21 21:19] 3231232 ____A () FE233FBB6844F7EEE569F798D78EA361
 
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.23338_none_baa721acdde733d0\explorer.exe
[2016-02-10 00:47][2016-01-21 22:07] 2973696 ____A (Microsoft Corporation) CEA6C2000AEC6CAF3CD6F3F73848E40A
 
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe
[2011-11-11 04:34][2011-02-25 21:19] 2616320 ____A (Microsoft Corporation) 0FB9C74046656D1579A64660AD67B746
 
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.19135_none_ba1a821dc4cc4ada\explorer.exe
[2016-02-10 00:47][2016-01-21 21:12] 2973184 ____A () 69AF9415C769E7E71E63C42B57198AF1
 
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe
[2011-11-11 04:34][2011-02-24 21:30] 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E
 
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe
[2010-11-20 19:24][2010-11-20 19:24] 2616320 ____A (Microsoft Corporation) 40D777B7A95E00593EB1568C68514493
 
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.23338_none_b052775aa98671d5\explorer.exe
[2016-02-10 00:47][2016-01-21 22:27] 3231232 ____A (Microsoft Corporation) 20DBEE43BF607324BFC79A02F3467DCD
 
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
[2011-11-11 04:34][2011-02-25 22:14] 2871808 ____A (Microsoft Corporation) 3B69712041F3D63605529BD66DC00C48
 
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.19135_none_afc5d7cb906b88df\explorer.exe
[2016-02-10 00:47][2016-01-21 21:19] 3231232 ____A () FE233FBB6844F7EEE569F798D78EA361
 
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
[2011-11-11 04:34][2011-02-24 22:19] 2871808 ____A (Microsoft Corporation) 332FEAB1435662FC6C672E25BEB37BE3
 
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe
[2010-11-20 19:24][2010-11-20 19:24] 2872320 ____A (Microsoft Corporation) AC4C51EB24AA95B77F705AB159189E24
 
C:\Windows\SysWOW64\explorer.exe
[2016-02-10 00:47][2016-01-21 21:12] 2973184 ____A () 69AF9415C769E7E71E63C42B57198AF1
 
====== End of Search ======


#4 xXToffeeXx

  • Malware Response Instructor

Posted 28 June 2016 - 05:47 AM

Hi DuncR,
 
Running a fix Using Farbar's Recovery Scan Tool in the Recovery Environment:

  • From your clean computer, press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Please copy and paste the contents of the code box below into the open notepad and save it on the flash drive as fixlist.txt
Replace: C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.23338_none_b052775aa98671d5\explorer.exe C:\Windows\explorer.exe
Replace: C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe C:\Windows\SysWOW64\explorer.exe
  • Insert the USB device into your infected computer
  • Follow the process below to enter the System Recovery Options using one of the three options listed, then run Farbar's Recovery Scan Tool.

On a clean machine, please download Farbar Recovery Scan Tool and save it to the USB (feel free to use the frst download from my last instructions, if you still have it on the USB).
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

 
To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========
 
On the System Recovery Options menu you will get the following options:
 
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
Select Command Prompt
 
==========
 
Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • It will make a log (Fixlog.txt) on the flash drive. Please copy and paste it to your reply.

Try and reboot the computer normally. Let me know what happens.
 
xXToffeeXx~
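Added example (not part of the thread, and not FRST's own code): a small Python script that reads the Search.txt listing from post #3, which uses the same path/detail line format as the "Bamital & volsnap" block of the FRST.txt in post #1, flags entries whose company-name field is empty (what FRST marks "no Company Name <===== ATTENTION"), groups copies by MD5, and drafts `Replace:` lines in the fixlist syntax used in this post. The function names, the "newest same-architecture component-store copy that still carries a company name" heuristic, and the assumption of an x64 install are mine; the sample data is the thread's own search output, trimmed to the 7601.23338, .19135 and .17514 copies. Needs Python 3.8 or later.

```python
"""Triage an FRST Search.txt (or the "Bamital & volsnap" block of FRST.txt) for a
replaced system binary and draft FRST "Replace:" fixlist lines. Added example for
this thread, not FRST's own code; the entry format is the one in the thread's logs."""
import re
from dataclasses import dataclass

# Detail line: [created][modified] size attrs (company) MD5. FRST.txt writes " - "
# between the fields and Search.txt does not, so the separator is optional here.
DETAIL_RE = re.compile(r"^\[[^\]]+\]\s*-?\s*\[[^\]]+\]\s*-?\s*(?P<size>\d+)\s+\S+\s+"
                       r"\((?P<company>[^)]*)\)\s+(?P<md5>[0-9A-Fa-f]{32})\s*$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Component-store directory names carry the architecture and the file version.
WINSXS_RE = re.compile(r"\\winsxs\\(?P<arch>amd64|wow64|x86)_[^\\]*_(?P<ver>\d+(?:\.\d+){3})_", re.I)


@dataclass
class Entry:
    path: str
    size: int
    company: str
    md5: str

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()

    @property
    def arch(self) -> str:
        m = WINSXS_RE.search(self.path)
        if m:
            return m["arch"].lower()
        # Live file on an x64 install (assumed, as in the thread): SysWOW64 is the 32-bit copy.
        return "wow64" if "\\syswow64\\" in self.path.lower() else "amd64"

    @property
    def version(self) -> tuple:
        m = WINSXS_RE.search(self.path)
        return tuple(int(p) for p in m["ver"].split(".")) if m else ()

    @property
    def suspicious(self) -> bool:
        # What FRST marks "no Company Name <===== ATTENTION": the version resource is gone.
        return self.company.strip() == ""


def parse_frst_entries(text: str) -> list:
    """Pair each path line with the detail line that follows it."""
    entries, pending = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if PATH_RE.match(line) and "=>" not in line:  # skips "=> MD5 is legit" lines
            pending = line
        elif pending and (m := DETAIL_RE.match(line)):
            entries.append(Entry(pending, int(m["size"]), m["company"], m["md5"].upper()))
            pending = None
    return entries


def triage(entries: list) -> dict:
    """Per live (non-WinSxS) file: flag it, list component-store copies with the same
    MD5, and pick the newest same-architecture copy that kept its company name."""
    by_md5 = {}
    for e in entries:
        by_md5.setdefault(e.md5, []).append(e)
    report = {}
    for live in (e for e in entries if not e.in_winsxs):
        pool = sorted((e for e in entries if e.in_winsxs and e.arch == live.arch
                       and not e.suspicious), key=lambda e: e.version, reverse=True)
        report[live.path] = {
            "suspicious": live.suspicious,
            "identical_winsxs_copies": [e.path for e in by_md5[live.md5] if e.in_winsxs],
            "candidates": [e.path for e in pool],
            "pick": pool[0].path if pool else None}
    return report


def fixlist_lines(entries: list) -> list:
    """FRST fixlist syntax as used in the thread: 'Replace: <source> <target>'."""
    return [f"Replace: {i['pick']} {p}" for p, i in triage(entries).items()
            if i["suspicious"] and i["pick"]]


# Search.txt from post #3, trimmed to the 7601.23338, .19135 and .17514 copies.
SEARCH_TXT = r"""C:\Windows\explorer.exe
[2016-02-10 00:47][2016-01-21 21:19] 3231232 ____A () FE233FBB6844F7EEE569F798D78EA361
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.23338_none_baa721acdde733d0\explorer.exe
[2016-02-10 00:47][2016-01-21 22:07] 2973696 ____A (Microsoft Corporation) CEA6C2000AEC6CAF3CD6F3F73848E40A
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.19135_none_ba1a821dc4cc4ada\explorer.exe
[2016-02-10 00:47][2016-01-21 21:12] 2973184 ____A () 69AF9415C769E7E71E63C42B57198AF1
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe
[2010-11-20 19:24][2010-11-20 19:24] 2616320 ____A (Microsoft Corporation) 40D777B7A95E00593EB1568C68514493
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.23338_none_b052775aa98671d5\explorer.exe
[2016-02-10 00:47][2016-01-21 22:27] 3231232 ____A (Microsoft Corporation) 20DBEE43BF607324BFC79A02F3467DCD
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.19135_none_afc5d7cb906b88df\explorer.exe
[2016-02-10 00:47][2016-01-21 21:19] 3231232 ____A () FE233FBB6844F7EEE569F798D78EA361
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe
[2010-11-20 19:24][2010-11-20 19:24] 2872320 ____A (Microsoft Corporation) AC4C51EB24AA95B77F705AB159189E24
C:\Windows\SysWOW64\explorer.exe
[2016-02-10 00:47][2016-01-21 21:12] 2973184 ____A () 69AF9415C769E7E71E63C42B57198AF1
"""

if __name__ == "__main__":
    print("\n".join(fixlist_lines(parse_frst_entries(SEARCH_TXT))))
```

On the thread's data it flags both live files, shows that each is byte-identical (same MD5) to the 6.1.7601.19135 copy in the component store, and picks the 7601.23338 copies as replacement sources. The 7601.19135 component-store copies lack the company name too, so the check rules them out as sources as well. The fixlist in this post uses the 7601.17514 copy for the SysWOW64 binary instead; which copy to trust is the analyst's call, and the script only lists the candidates and its default pick. An empty company-name field is a heuristic, not a verdict: confirm with an Authenticode check or a hash from a known-good machine before treating a file as clean or tampered.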




#5 DuncR

  • Topic Starter

Posted 28 June 2016 - 06:34 AM

Hi

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 26-06-2016 02
Ran by SYSTEM (2016-06-28 12:30:27) Run:1
Running from F:\
Boot Mode: Recovery
==============================================
 
fixlist content:
*****************
Replace: C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.23338_none_b052775aa98671d5\explorer.exe C:\Windows\explorer.exe
Replace: C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe C:\Windows\SysWOW64\explorer.exe
*****************
 
C:\Windows\explorer.exe => moved successfully
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.23338_none_b052775aa98671d5\explorer.exe copied successfully to C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe => moved successfully
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe copied successfully to C:\Windows\SysWOW64\explorer.exe
 
==== End of Fixlog 12:30:28 ====
 
Rebooted system.
 
Windows attempts to start but then drops into the automated startup repair, which ends at the "Windows cannot repair this computer automatically" message.


#6 xXToffeeXx

  • Malware Response Instructor

Posted 29 June 2016 - 03:50 PM

Hi DuncR,

 

Please boot into the Recovery Environment and run FRST64 like you did before. Then press Scan, open the FRST.txt log it creates on your clean computer, and copy it into your next reply.
 
xXToffeeXx~




#7 xXToffeeXx

  • Malware Response Instructor

Posted 26 August 2016 - 11:37 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





