1. #1
    Wrench97
    Join Date: Feb 2012
    Location: S.E. Pennsylvania
    Posts: 2,625

    FRST fix

    I have a PC the owner ran the MSE offline scanner on; he says it removed a virus named Al--- something (I have a feeling it may have been one of the Alureon variants). Ever since, it will not boot: it goes into a startup repair loop and can't repair.

    I ran FRST; the .txt file is attached. If anyone can offer the fix text, I'd appreciate it.

    FRST.txt

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
    Ran by SYSTEM on MININT-IIHTIIS (25-03-2016 14:13:28)
    Running from f:\
    Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
    Internet Explorer Version 9
    Boot Mode: Recovery
    Default: ControlSet002
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

    Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8306208 2009-10-20] (Realtek Semiconductor)
    HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1337000 2015-04-29] (Microsoft Corporation)
    Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
    Winlogon\Notify\igfxcui: igfxdev.dll [X]
    HKU\Pete User\...\Run: [Best Buy pc app] => C:\Users\Pete User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms
    Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [2010-10-05]
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
    Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-10-05]
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [2010-10-05]
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
    Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-10-05]
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
    S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-04-29] (Microsoft Corporation)
    S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-04-29] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
    S3 WinHttpAutoProxySvc; winhttp.dll [X]

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
    S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
    S3 honeywell_cdc; C:\Windows\System32\DRIVERS\honeywell_cdc_21617.sys [90248 2010-05-10] (Jungo)
    S3 honeywell_enum; C:\Windows\System32\DRIVERS\honeywell_enum_21617.sys [85640 2010-05-10] (Jungo)
    S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
    S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-04-14] (Malwarebytes Corporation)
    S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [280376 2015-03-04] (Microsoft Corporation)
    S1 MpKslcba2af36; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F659B4FA-4F21-451B-8C95-C89CBBD89C9B}\MpKslcba2af36.sys [44928 2016-03-25] (Microsoft Corporation)
    S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124568 2015-03-04] (Microsoft Corporation)
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 eethwqqr; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
    S3 pbtscicw; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
    S3 tjpyuckk; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
    S3 yzewtrbe; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-03-25 14:13 - 2016-03-25 14:13 - 00000000 ____D C:\FRST
    2016-03-25 03:26 - 2016-03-25 03:26 - 00000000 _____ C:\Users\Pete\AppData\Local\{CD8A7F1B-1AD7-4963-8D08-DF345BD95505}

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-03-25 03:26 - 2011-01-31 10:01 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2016-03-25 03:26 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2016-03-25 03:12 - 2010-10-05 08:54 - 00000000 ____D C:\dell
    2016-03-24 12:35 - 2011-01-31 12:11 - 00000000 ____D C:\MVIRS Database
    2016-03-24 12:35 - 2011-01-31 09:38 - 00000269 _____ C:\Windows\Brownie.ini
    2016-03-24 12:32 - 2011-01-31 10:01 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2016-03-24 12:15 - 2012-05-07 03:12 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2016-03-24 10:16 - 2011-01-31 12:11 - 00000000 ____D C:\MVIRS Backups
    2016-03-24 10:16 - 2011-01-31 12:11 - 00000000 ____D C:\MVIRS
    2016-03-24 08:15 - 2012-05-07 03:12 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2016-03-24 08:15 - 2012-05-07 03:12 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2016-03-24 08:15 - 2011-05-20 03:30 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2016-03-24 03:55 - 2009-07-13 20:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2016-03-24 03:55 - 2009-07-13 20:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2016-03-24 03:53 - 2009-07-13 21:13 - 00786502 _____ C:\Windows\System32\PerfStringBackup.INI
    2016-03-24 03:53 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
    2016-03-15 08:34 - 2011-10-17 03:41 - 00002185 _____ C:\Users\Public\Desktop\Google Chrome.lnk

    ZeroAccess:
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{b2e02660-936d-6f97-131a-a30d1afd2a2a}
    C:\Windows\svchost.exe
    ATTENTION ====> Check for partition/boot infection.

    Some files in TEMP:
    ====================
    C:\Users\Pete\AppData\Local\Temp\43eceahh.dll


    ==================== Known DLLs (Whitelisted) =========================


    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\dnsapi.dll => MD5 is legit
    C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    TDL4: custom:26000022 <===== ATTENTION

    ==================== EXE Association (Whitelisted) =============


    ==================== Restore Points =========================

    Restore point date: 2016-02-19 04:59
    Restore point date: 2016-02-23 05:08
    Restore point date: 2016-02-29 05:01
    Restore point date: 2016-03-04 05:02
    Restore point date: 2016-03-09 05:06
    Restore point date: 2016-03-14 08:37
    Restore point date: 2016-03-18 04:05
    Restore point date: 2016-03-23 03:57
    Restore point date: 2016-03-24 08:16

    ==================== BCD ================================

    Windows Boot Manager
    --------------------
    identifier {bootmgr}
    device partition=Y:
    description Windows Boot Manager
    locale en-us
    inherit {globalsettings}
    default {default}
    resumeobject {ac25b60c-d0a1-11df-8762-b8ac6fd8f7ea}
    displayorder {default}
    toolsdisplayorder {memdiag}
    timeout 30

    Windows Boot Loader
    -------------------
    identifier {default}
    device partition=C:
    path \Windows\system32\winload.exe
    description Windows 7
    locale en-us
    inherit {bootloadersettings}
    recoverysequence {ac25b60e-d0a1-11df-8762-b8ac6fd8f7ea}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \Windows
    resumeobject {ac25b60c-d0a1-11df-8762-b8ac6fd8f7ea}
    nx OptIn

    Windows Boot Loader
    -------------------
    identifier {ac25b60e-d0a1-11df-8762-b8ac6fd8f7ea}
    device ramdisk=[Y:]\Recovery\WindowsRE\Winre.wim,{ac25b60f-d0a1-11df-8762-b8ac6fd8f7ea}
    path \windows\system32\winload.exe
    description Windows Recovery Environment
    inherit {bootloadersettings}
    osdevice ramdisk=[Y:]\Recovery\WindowsRE\Winre.wim,{ac25b60f-d0a1-11df-8762-b8ac6fd8f7ea}
    systemroot \windows
    nx OptIn
    winpe Yes

    Resume from Hibernate
    ---------------------
    identifier {ac25b60c-d0a1-11df-8762-b8ac6fd8f7ea}
    device partition=C:
    path \Windows\system32\winresume.exe
    description Windows Resume Application
    locale en-US
    inherit {resumeloadersettings}
    filedevice partition=C:
    filepath \hiberfil.sys
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {memdiag}
    device partition=Y:
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-US
    inherit {globalsettings}
    badmemoryaccess Yes

    EMS Settings
    ------------
    identifier {emssettings}
    custom:26000022 Yes

    Debugger Settings
    -----------------
    identifier {dbgsettings}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {badmemory}

    Global Settings
    ---------------
    identifier {globalsettings}
    inherit {dbgsettings}
    {emssettings}
    {badmemory}

    Boot Loader Settings
    --------------------
    identifier {bootloadersettings}
    inherit {globalsettings}
    {hypervisorsettings}

    Hypervisor Settings
    -------------------
    identifier {hypervisorsettings}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Resume Loader Settings
    ----------------------
    identifier {resumeloadersettings}
    inherit {globalsettings}

    Device options
    --------------
    identifier {ac25b60f-d0a1-11df-8762-b8ac6fd8f7ea}
    description Ramdisk Options
    ramdisksdidevice partition=Y:
    ramdisksdipath \Recovery\WindowsRE\boot.sdi


    ==================== Memory info ===========================

    Percentage of memory in use: 15%
    Total physical RAM: 4060.98 MB
    Available physical RAM: 3446.45 MB
    Total Virtual: 4059.18 MB
    Available Virtual: 3456.15 MB

    ==================== Drives ================================

    Drive c: (OS) (Fixed) (Total:455.84 GB) (Free:403.46 GB) NTFS
    Drive f: () (Removable) (Total:15.14 GB) (Free:11.98 GB) NTFS
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Drive y: (RECOVERY) (Fixed) (Total:9.88 GB) (Free:4.37 GB) NTFS ==>[system with boot components (obtained from drive)]
    ATTENTION: Malware custom entry on BCD on drive y: detected.

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 465.8 GB) (Disk ID: 259D4594)
    Partition 00: (Active) - (Size=0) - (Type=00) ATTENTION ===> 0 byte partition bootkit.
    Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
    Partition 2: (Active) - (Size=9.9 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=455.8 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (MBR Code: Windows 7 or 8) (Size: 15.1 GB) (Disk ID: C81D4316)
    Partition 1: (Active) - (Size=15.1 GB) - (Type=07 NTFS)


    LastRegBack: 2016-03-21 04:17

    ==================== End of FRST.txt ============================
    Last edited by Corrine; 03-25-2016 at 07:25 PM. Reason: Log Posted



  2. #2
    Corrine
    Join Date: Feb 2012
    Location: Upstate, NY
    Posts: 8,988

    Re: FRST fix

    For starters, let's see what this does.

    Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box, right click on it and select Copy. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.
    Code:
    TDL4: custom:26000022 <===== ATTENTION!
    CMD: bootrec /FixMbr
    Winlogon\Notify\igfxcui: igfxdev.dll [X]
    S3 WinHttpAutoProxySvc; winhttp.dll [X]
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 eethwqqr; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
    S3 pbtscicw; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
    S3 tjpyuckk; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
    S3 yzewtrbe; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{b2e02660-936d-6f97-131a-a30d1afd2a2a}
    C:\Windows\svchost.exe
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


    On Vista or Windows 7: Now please enter System Recovery Options.

    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will generate a log on the flash drive (Fixlog.txt); please post it in your reply.

    Let me know if the computer can be booted to normal mode.


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.
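The FRST log above flags Disk 0's "Partition 00" as a "0 byte partition bootkit": an entry marked Active whose type is 00 and whose size is 0, alongside a second Active partition. The fixlist answers with `CMD: bootrec /FixMbr`, which rewrites the MBR boot code but does not touch the partition table, so the table itself is worth checking independently. The following Python is an added example, not FRST's code and not part of this thread: it reads a raw 512-byte MBR, decodes the four primary entries, and reports the same indicators FRST printed plus a count of Active flags. The two sample MBRs are constructed here to mirror the Disk 0 layout from the log; their sector counts and start offsets are approximations chosen for the example, not values from the page.

```python
"""Decode an MBR partition table and flag bootkit-style anomalies.

Added example (not FRST's code).  Reproduces the heuristic FRST reports as
"0 byte partition bootkit": an Active entry with Type=0x00 and zero sectors.
"""
from __future__ import annotations

import struct

SECTOR = 512
PT_OFFSET = 446           # partition table starts at byte 446 of the MBR
ENTRY_LEN = 16            # four 16-byte entries
ENTRY_FMT = "<B3xB3xII"   # status, (CHS start), type, (CHS end), LBA start, sectors
BOOT_SIG = b"\x55\xaa"    # MBR signature at bytes 510-511


def parse_partition_table(mbr: bytes) -> list[dict]:
    """Return the four primary partition entries as dicts."""
    if len(mbr) < SECTOR:
        raise ValueError("MBR must be at least 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PT_OFFSET + i * ENTRY_LEN)
        entries.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_bytes": sectors * SECTOR,
        })
    return entries


def find_indicators(mbr: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing odd."""
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    entries = parse_partition_table(mbr)
    for e in entries:
        # FRST's heuristic: an Active entry that is empty (type 0x00 / size 0).
        if e["active"] and (e["type"] == 0x00 or e["sectors"] == 0):
            findings.append(
                f"partition {e['index']}: active, type={e['type']:#04x}, "
                f"sectors={e['sectors']} -> 0 byte partition bootkit indicator")
        elif e["type"] != 0x00 and e["sectors"] == 0:
            findings.append(f"partition {e['index']}: typed but zero-length")
    # Added check beyond what FRST printed: a sane MBR has at most one Active flag.
    active = sum(1 for e in entries if e["active"])
    if active > 1:
        findings.append(f"{active} active partitions (expected at most 1)")
    return findings


def build_mbr(entries: list[tuple[bool, int, int, int]], signature: bool = True) -> bytes:
    """Construct a 512-byte MBR from (active, type, lba_start, sectors) tuples."""
    mbr = bytearray(SECTOR)
    for i, (active, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + i * ENTRY_LEN,
                         0x80 if active else 0x00, ptype, lba_start, sectors)
    if signature:
        mbr[510:512] = BOOT_SIG
    return bytes(mbr)


# Constructed sample mirroring Disk 0 in the log: entry 0 Active/type 00/size 0,
# entry 1 type DE (39 MB), entry 2 Active NTFS (~9.9 GB), entry 3 NTFS (~455.8 GB).
SUSPECT_MBR = build_mbr([
    (True, 0x00, 0, 0),
    (False, 0xDE, 63, 79872),
    (True, 0x07, 79935, 20766720),
    (False, 0x07, 20846655, 955881881),
])

# Constructed clean layout: one Active NTFS partition, nothing else.
CLEAN_MBR = build_mbr([
    (True, 0x07, 2048, 976771072),
    (False, 0x00, 0, 0),
    (False, 0x00, 0, 0),
    (False, 0x00, 0, 0),
])


if __name__ == "__main__":
    for name, mbr in (("suspect", SUSPECT_MBR), ("clean", CLEAN_MBR)):
        print(name, find_indicators(mbr) or ["no indicators"])
```

To run it against a real disk, read the first 512 bytes of the physical drive (for example `\\.\PhysicalDrive0` opened from an elevated Python on Windows) and pass them to `find_indicators`; an empty list is the expected result on a healthy MBR.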

  3. #3
    Wrench97
    Join Date: Feb 2012
    Location: S.E. Pennsylvania
    Posts: 2,625

    Re: FRST fix

    Thanks Corrine. It still wouldn't boot, stuck in the same startup repair. I opted to format and reinstall; after digging into it, there is only 1 program I need to reinstall :)

  4. #4
    Corrine
    Join Date: Feb 2012
    Location: Upstate, NY
    Posts: 8,988

    Re: FRST fix

    That was just the first step. However, I agree with the decision to format and I'm sure you'll also get the system updated for the PC owner, including "Internet Explorer Version 9".


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.

  5. #5
    Wrench97
    Join Date: Feb 2012
    Location: S.E. Pennsylvania
    Posts: 2,625

    Re: FRST fix

    Yes, it appears updates have been hung for well over a year; that was one of the influencing factors as well.
