FRST fix

Wrench97 (Administrator, Hardware Expert, Staff member)
I have a PC the owner ran the MSE offline scanner on; he says it removed a virus named Al--- something (I have a feeling it may have been one of the Alureon variants). Ever since, it will not boot: it runs Startup Repair, but Startup Repair can't repair it, and it loops.

I ran FRST; the .txt file is attached. If anyone can offer the fix text, I'd appreciate it.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by SYSTEM on MININT-IIHTIIS (25-03-2016 14:13:28)
Running from f:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9
Boot Mode: Recovery
Default: ControlSet002
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8306208 2009-10-20] (Realtek Semiconductor)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1337000 2015-04-29] (Microsoft Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKU\Pete User\...\Run: [Best Buy pc app] => C:\Users\Pete User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [2010-10-05]
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-10-05]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [2010-10-05]
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-10-05]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-04-29] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-04-29] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S3 WinHttpAutoProxySvc; winhttp.dll [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 honeywell_cdc; C:\Windows\System32\DRIVERS\honeywell_cdc_21617.sys [90248 2010-05-10] (Jungo)
S3 honeywell_enum; C:\Windows\System32\DRIVERS\honeywell_enum_21617.sys [85640 2010-05-10] (Jungo)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-04-14] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [280376 2015-03-04] (Microsoft Corporation)
S1 MpKslcba2af36; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F659B4FA-4F21-451B-8C95-C89CBBD89C9B}\MpKslcba2af36.sys [44928 2016-03-25] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124568 2015-03-04] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 eethwqqr; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
S3 pbtscicw; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
S3 tjpyuckk; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
S3 yzewtrbe; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-25 14:13 - 2016-03-25 14:13 - 00000000 ____D C:\FRST
2016-03-25 03:26 - 2016-03-25 03:26 - 00000000 _____ C:\Users\Pete\AppData\Local\{CD8A7F1B-1AD7-4963-8D08-DF345BD95505}

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-25 03:26 - 2011-01-31 10:01 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-03-25 03:26 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-03-25 03:12 - 2010-10-05 08:54 - 00000000 ____D C:\dell
2016-03-24 12:35 - 2011-01-31 12:11 - 00000000 ____D C:\MVIRS Database
2016-03-24 12:35 - 2011-01-31 09:38 - 00000269 _____ C:\Windows\Brownie.ini
2016-03-24 12:32 - 2011-01-31 10:01 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-03-24 12:15 - 2012-05-07 03:12 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-03-24 10:16 - 2011-01-31 12:11 - 00000000 ____D C:\MVIRS Backups
2016-03-24 10:16 - 2011-01-31 12:11 - 00000000 ____D C:\MVIRS
2016-03-24 08:15 - 2012-05-07 03:12 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-03-24 08:15 - 2012-05-07 03:12 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-03-24 08:15 - 2011-05-20 03:30 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-03-24 03:55 - 2009-07-13 20:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-24 03:55 - 2009-07-13 20:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-24 03:53 - 2009-07-13 21:13 - 00786502 _____ C:\Windows\System32\PerfStringBackup.INI
2016-03-24 03:53 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2016-03-15 08:34 - 2011-10-17 03:41 - 00002185 _____ C:\Users\Public\Desktop\Google Chrome.lnk

ZeroAccess:
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{b2e02660-936d-6f97-131a-a30d1afd2a2a}
C:\Windows\svchost.exe
ATTENTION ====> Check for partition/boot infection.

Some files in TEMP:
====================
C:\Users\Pete\AppData\Local\Temp\43eceahh.dll


==================== Known DLLs (Whitelisted) =========================


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION

==================== EXE Association (Whitelisted) =============


==================== Restore Points =========================

Restore point date: 2016-02-19 04:59
Restore point date: 2016-02-23 05:08
Restore point date: 2016-02-29 05:01
Restore point date: 2016-03-04 05:02
Restore point date: 2016-03-09 05:06
Restore point date: 2016-03-14 08:37
Restore point date: 2016-03-18 04:05
Restore point date: 2016-03-23 03:57
Restore point date: 2016-03-24 08:16

==================== BCD ================================

Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=Y:
description Windows Boot Manager
locale en-us
inherit {globalsettings}
default {default}
resumeobject {ac25b60c-d0a1-11df-8762-b8ac6fd8f7ea}
displayorder {default}
toolsdisplayorder {memdiag}
timeout 30

Windows Boot Loader
-------------------
identifier {default}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-us
inherit {bootloadersettings}
recoverysequence {ac25b60e-d0a1-11df-8762-b8ac6fd8f7ea}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {ac25b60c-d0a1-11df-8762-b8ac6fd8f7ea}
nx OptIn

Windows Boot Loader
-------------------
identifier {ac25b60e-d0a1-11df-8762-b8ac6fd8f7ea}
device ramdisk=[Y:]\Recovery\WindowsRE\Winre.wim,{ac25b60f-d0a1-11df-8762-b8ac6fd8f7ea}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {bootloadersettings}
osdevice ramdisk=[Y:]\Recovery\WindowsRE\Winre.wim,{ac25b60f-d0a1-11df-8762-b8ac6fd8f7ea}
systemroot \windows
nx OptIn
winpe Yes

Resume from Hibernate
---------------------
identifier {ac25b60c-d0a1-11df-8762-b8ac6fd8f7ea}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=Y:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

EMS Settings
------------
identifier {emssettings}
custom:26000022 Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}
{hypervisorsettings}

Hypervisor Settings
-------------------
identifier {hypervisorsettings}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Device options
--------------
identifier {ac25b60f-d0a1-11df-8762-b8ac6fd8f7ea}
description Ramdisk Options
ramdisksdidevice partition=Y:
ramdisksdipath \Recovery\WindowsRE\boot.sdi


==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 4060.98 MB
Available physical RAM: 3446.45 MB
Total Virtual: 4059.18 MB
Available Virtual: 3456.15 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:455.84 GB) (Free:403.46 GB) NTFS
Drive f: () (Removable) (Total:15.14 GB) (Free:11.98 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:9.88 GB) (Free:4.37 GB) NTFS ==>[system with boot components (obtained from drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected.

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 259D4594)
Partition 00: (Active) - (Size=0) - (Type=00) ATTENTION ===> 0 byte partition bootkit.
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=9.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=455.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 15.1 GB) (Disk ID: C81D4316)
Partition 1: (Active) - (Size=15.1 GB) - (Type=07 NTFS)


LastRegBack: 2016-03-21 04:17

==================== End of FRST.txt ============================
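The log above is a textbook boot-infection case, and the indicators are spread across several FRST sections: FRST's own ATTENTION lines (the TDL4 BCD entry, the "Malware custom entry on BCD", the 0 byte active partition), the two paths under its ZeroAccess: heading, and four drivers with random eight-letter names that all point at the same missing file (ngiodriver_x64). The script below is an added example for this thread, not FRST's own logic and not something posted in it: it pulls those indicators out of an FRST.txt so a helper can see the picture at a glance. The regexes and the random-name heuristic are this script's assumptions, and SAMPLE_LOG is a constructed excerpt of the log posted above.

```python
"""Triage an FRST.txt log for the indicators that make this a boot-infection case.
Added example for this thread, not FRST's own logic: the regexes and the
random-name heuristic are this script's assumptions, and SAMPLE_LOG is a
constructed excerpt of the log posted above."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 eethwqqr; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
S3 pbtscicw; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
S3 tjpyuckk; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
S3 yzewtrbe; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
ZeroAccess:
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{b2e02660-936d-6f97-131a-a30d1afd2a2a}
C:\Windows\svchost.exe
ATTENTION ====> Check for partition/boot infection.
TDL4: custom:26000022 <===== ATTENTION
ATTENTION: Malware custom entry on BCD on drive y: detected.
Partition 00: (Active) - (Size=0) - (Type=00) ATTENTION ===> 0 byte partition bootkit.
Partition 2: (Active) - (Size=9.9 GB) - (Type=07 NTFS)
""".strip()

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);\s+(.+)$")  # "S3 name; path [size date] (vendor)" or "... [X]"
PARTITION_RE = re.compile(
    r"^Partition (\d+): \((Active|Not Active)\) - \(Size=([\d.]+)\s*([KMGT]B)?\) - \(Type=([0-9A-Fa-f]{2})")

def consonant_run(name):
    """Longest run of consecutive consonants (y counted as a consonant)."""
    best = run = 0
    for ch in name.lower():
        run = run + 1 if ch.isalpha() and ch not in "aeiou" else 0
        best = max(best, run)
    return best

def looks_random(name):
    """Assumed heuristic: eight lowercase letters with a 3+ consonant run,
    the shape of the four random driver names in the posted log."""
    return len(name) == 8 and name.isalpha() and name.islower() and consonant_run(name) >= 3

def parse_services(lines):
    """Service/driver entries as dicts; a trailing '[X]' means FRST could not find the file."""
    entries = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, rest = m.groups()
        missing = rest.endswith("[X]")
        path = rest[:-3].strip() if missing else rest.split(" [")[0]
        entries.append({"start": start, "name": name, "path": path, "missing": missing})
    return entries

def suspicious_drivers(entries):
    """Missing-file entries whose image path is shared by several differently named
    services (one payload, many autostart names) or whose name looks generated."""
    names_by_path = defaultdict(list)
    for e in entries:
        if e["missing"]:
            names_by_path[e["path"]].append(e["name"])
    flagged = []
    for e in entries:
        if not e["missing"]:
            continue
        shared = len(names_by_path[e["path"]]) > 1
        if shared or looks_random(e["name"]):
            flagged.append((e["name"], e["path"], "shared missing path" if shared else "random-looking name"))
    return flagged

def partition_findings(lines):
    """Active entries with type 00 or zero size, and more than one active entry."""
    parts = [m.groups() for m in map(PARTITION_RE.match, (l.strip() for l in lines)) if m]
    findings = []
    active = [p for p in parts if p[1] == "Active"]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions marked active; an MBR disk should have exactly one")
    for idx, state, size, unit, ptype in parts:
        if state == "Active" and (ptype == "00" or float(size) == 0):
            findings.append(f"partition {idx}: active but type {ptype}, size {size}{unit or ''}")
    return findings

def frst_markers(lines):
    """FRST's own ATTENTION lines, plus the paths listed under its ZeroAccess: heading."""
    attention = [l.strip() for l in lines if "ATTENTION" in l]
    za_paths, in_block = [], False
    for s in (l.strip() for l in lines):
        if s == "ZeroAccess:":
            in_block = True
        elif in_block and (not s or s.startswith("ATTENTION")):
            in_block = False
        elif in_block:
            za_paths.append(s)
    return attention, za_paths

def triage(log_text):
    lines = log_text.splitlines()
    attention, za_paths = frst_markers(lines)
    parts = partition_findings(lines)
    suspected = bool(parts) or any("TDL4:" in a or "bootkit" in a for a in attention)
    return {"attention": attention, "zeroaccess_paths": za_paths,
            "drivers": suspicious_drivers(parse_services(lines)),
            "partitions": parts, "boot_infection_suspected": suspected}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The "shared missing path" rule is the more reliable of the two driver checks: a legitimate leftover such as the ComboFix catchme.sys entry is also missing its file, but it is the only service pointing at that path, so it is not flagged. Run it against a full FRST.txt with `triage(open("FRST.txt", encoding="utf-8", errors="replace").read())`.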
 
For starters, let's see what this does.

Open Notepad. Please copy the contents of the code box below: highlight the contents of the box, right-click on it and select Copy. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt.
Code:
TDL4: custom:26000022 <===== ATTENTION!
CMD: bootrec /FixMbr
Winlogon\Notify\igfxcui: igfxdev.dll [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 eethwqqr; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
S3 pbtscicw; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
S3 tjpyuckk; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
S3 yzewtrbe; \??\C:\Windows\system32\drivers\ngiodriver_x64 [X]
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{b2e02660-936d-6f97-131a-a30d1afd2a2a}
C:\Windows\svchost.exe
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST/FRST64 and press the Fix button just once and wait.
The tool will generate a log on the flashdrive (Fixlog.txt) please post it in your reply.

Let me know if the computer can be booted to normal mode.
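One caveat worth knowing before running a fix like the one above: `bootrec /FixMbr` writes a fresh Windows boot code into the first sector of the disk but does not overwrite the existing partition table, so the active type-00 zero-size entry and the second active partition that FRST reported on Disk 0 survive it and need to be looked at separately. The parser below is an added example for this thread, not part of FRST, bootrec or anything posted here: it reads a 512-byte MBR, reproduces the checks FRST's "MBR & Partition Table" section applies, and shows which regions a /FixMbr-style rewrite actually touched. `constructed_disk0()` is built to mirror the posted Disk 0 (disk signature 259D4594, an active type-00 zero-length entry, a 39 MB type-DE entry, a 9.9 GB and a 455.8 GB NTFS entry); its LBA offsets and all-zero boot code are assumptions made for the example, and `read_mbr` is the only part that touches a real disk.

```python
"""Parse a 512-byte MBR and flag the partition-table anomalies FRST reported on Disk 0.
Added example for this thread, not part of FRST or bootrec. constructed_disk0() is
built to mirror the posted Disk 0 (disk signature 259D4594, an active type-00 zero-
length entry, a 39 MB type-DE entry, a 9.9 GB and a 455.8 GB NTFS entry); its LBA
offsets and all-zero boot code are assumptions made for the example."""
import struct

SECTOR = 512
BOOTCODE_LEN = 440          # boot code proper; 440..443 disk signature, 444..445 reserved
DISKID_OFF = 0x1B8          # 440
TABLE_OFF = 446             # four 16-byte entries at 446..509
MBR_SIG_LE = 0xAA55         # bytes 55 AA at 510..511 read as a little-endian u16

def parse_mbr(mbr):
    """Split a first sector into boot code, disk signature and the four table entries."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least 512 bytes")
    if struct.unpack_from("<H", mbr, 510)[0] != MBR_SIG_LE:
        raise ValueError("missing 55 AA boot signature")
    entries = []
    for i in range(4):
        status, _, _, _, ptype, _, _, _, lba, sectors = struct.unpack_from("<8BII", mbr, TABLE_OFF + 16 * i)
        entries.append({"index": i, "status": status, "active": status == 0x80, "type": ptype,
                        "lba": lba, "sectors": sectors, "size_bytes": sectors * SECTOR})
    return {"disk_id": struct.unpack_from("<I", mbr, DISKID_OFF)[0],
            "bootcode": mbr[:BOOTCODE_LEN], "entries": entries}

def check_table(parsed):
    """Findings in the style of FRST's MBR section."""
    findings = []
    entries = parsed["entries"]
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active entries (an MBR disk should have exactly one)")
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {e['index']}: invalid status byte 0x{e['status']:02x}")
        if e["active"] and (e["type"] == 0 or e["sectors"] == 0):
            findings.append(f"entry {e['index']}: active but type 0x{e['type']:02x}, {e['sectors']} sectors "
                            "(what FRST reports as a 0 byte partition bootkit)")
    used = sorted((e["lba"], e["lba"] + e["sectors"], e["index"]) for e in entries if e["sectors"])
    for (s1, e1, i1), (s2, e2, i2) in zip(used, used[1:]):
        if s2 < e1:
            findings.append(f"entries {i1} and {i2} overlap")
    return findings

def compare_after_fixmbr(before, after):
    """bootrec /FixMbr rewrites the boot code but does not overwrite the partition
    table, so a bad entry survives it; this shows which regions actually changed."""
    return {"bootcode_changed": before[:BOOTCODE_LEN] != after[:BOOTCODE_LEN],
            "disk_id_changed": before[DISKID_OFF:DISKID_OFF + 4] != after[DISKID_OFF:DISKID_OFF + 4],
            "table_changed": before[TABLE_OFF:510] != after[TABLE_OFF:510]}

def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Live use on Windows (elevated prompt): read the first sector of the disk."""
    with open(device, "rb", buffering=0) as f:
        return f.read(SECTOR)

def _entry(status, ptype, lba, sectors):
    return struct.pack("<8BII", status, 0, 0, 0, ptype, 0, 0, 0, lba, sectors)  # CHS fields zeroed

def constructed_disk0():
    """Constructed MBR mirroring the posted Disk 0; LBA offsets are assumed."""
    mib = 1024 * 1024 // SECTOR  # sectors per MiB
    table = (_entry(0x80, 0x00, 0, 0)                          # Partition 00: active, type 00, size 0
             + _entry(0x00, 0xDE, 63, 39 * mib)                # Dell utility partition, 39 MB
             + _entry(0x80, 0x07, 80_000, 9_900 * mib)         # RECOVERY, 9.9 GB, also marked active
             + _entry(0x00, 0x07, 20_500_000, 455_800 * mib))  # OS, 455.8 GB
    return (bytes(BOOTCODE_LEN) + struct.pack("<I", 0x259D4594) + b"\x00\x00"
            + table + struct.pack("<H", MBR_SIG_LE))

if __name__ == "__main__":
    for finding in check_table(parse_mbr(constructed_disk0())):
        print(finding)
```

On a live machine, save `read_mbr()` to a file before running the fix and compare it with a second read afterwards; if `table_changed` comes back False while the findings still list an active type-00 entry, the boot code was replaced but the partition table still carries the bootkit's entry.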
 
Thanks Corrine. It still wouldn't boot, stuck in the same Startup Repair loop. I opted to format and reinstall; after digging into it, there is only one program I need to reinstall :)
 
That was just the first step. However, I agree with the decision to format and I'm sure you'll also get the system updated for the PC owner, including "Internet Explorer Version 9".
 
Yes, it appears updates have been hung for well over a year; that was one of the influencing factors as well.
 