
Rootkit? Computer Will Not Boot from HDD or Live CD or Windows 7 CD



WOW!  My friend's computer will not boot from Hard Drive (freezes at Welcome screen), into Safe Mode (freezes after loading ATIPCIE.sys), or from the Windows 7 DVD (freezes at Welcome Screen).  Tried to run Kaspersky Live CD (found nothing).  Ran Trinity Resource Kit Remove Viruses (found infection in syswow64/cmd.ex and system32/loadperf.dll).  Tried to run Avira Rescue CD and it crashes.  Don't know what to try if I can't even get to a DOS prompt.  I know there is a way to fix this, but not sure what to fix.  Any ideas?

 

System is Windows 7 Home Premium.  I have the Windows 7 Home Premium DVD and several Rescue CDs but nothing seems to work as it normally does.


Hello,

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

These symptoms may indicate a dying hard drive... run Seagate SeaTools from the following link:

 

http://www.computerhope.com/issues/ch001091.htm

 

Kevin...


I can't get into the computer to run anything.  Boot CDs only sometimes work.  I can boot from USB and it scans the hard drive fine.  I see all files on there from Linux environment.  I scanned hard drive using diagnostics in BIOS and hard drive and memory tested fine.  Really think it is malware.  I could run a chkdsk or sfc if I could just get into the command prompt, but I can't get into command prompt using anything yet.  Maybe system files need to be replaced or malware still on computer.  Any other ideas?


Forgot to mention...been working on this so long...when I first got computer it did boot into safe mode with networking once and I downloaded Malwarebytes and updated it.  It found several PUP infections and something about Search Protect.  This also transferred to my laptop via USB until I turned off autoplay.  I was able to catch infection with my AV before it spread.  What is this thing?


If you can boot from USB stick do the following:

 

As you have access to another PC, create the Windows Defender Offline Tool; I give the instructions to load it to a USB flash drive.

 

Download the tool from here :- http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save to the Desktop.

 

You will have to select the correct version for your system, either 32 or 64 bit.

 

Run the tool. Windows 7/8 or Vista users: right click and select "Run as Administrator".

 

Read the instructions in the new window and select "Next"

 

WD2.png

 

In the new window accept the agreement:

 

WD2a.png

 

In the new window select your USB Flash Drive, then select "Next"

 

WD3.png

 

In the new window ensure your Flash drive is selected; if not, click on "Refresh", then select "Next"

 

WD3a.png

 

In the new window accept the formatting alert by selecting "Next"

 

WD3b.png

 

Files will be Downloaded:

 

WD4.png

 

Files will be processed and created

 

WD5.png

 

Flash drive will be formatted and prepared

 

WD6.png

 

Files will be added to the Flash Drive and the tool will be created.

 

WD7.png

 

The procedure is finished and the Tool created, click on "Finish" to complete.

 

WD8.png

 

Plug the USB into the sick PC and boot up. If it does not boot from the flash drive, change the boot options as required: use F12 as it boots and change the options...

As it boots you`ll see files being loaded and the Windows splash screen; eventually the tool will run a "Quick Scan". Follow the prompts and deal with what it finds.

When complete do a full scan, and deal with what it finds.

When finished, remove the USB stick, then press the Esc key and it will try to boot into regular Windows. If this now works, continue:

 

Navigate to the following file:

 

"C:\Windows\Windows Defender Offline\Support\MPLog-MM/DD/YYYY-HH/MM/SS .txt"

 

Open with notepad and copy and paste it into a reply.

 

Thanks,

 

Kevin...


When booting up with Windows Defender Offline USB, I see a couple of bars on bottom stating something about loading windows files, then changes screen to black screen with "Starting Windows" and some colorful dots swirling around.  Well, these dots freeze almost immediately and I guess computer is stuck.  Any more ideas please?


I did that and Malwarebytes found about 20 conduit and search protect malware.  After this I was able somehow to get into safemode after waiting for 30 minutes.  Once in safe mode it was really sluggish but I was able to do a sfc /scannow.  It said it repaired files but was unable to repair some.  I scanned with ESET and it found no more malware.  Tried to boot into Windows 7 USB stick to try to repair startup files and do chkdsk but gets stuck at starting windows screen.  Also gets stuck trying to boot normally.  I did another scan on HDD using ESET rescue CD and it said HDD was good.


Don't know why it is freezing when I try to boot from the Windows 7 DVD!  That is the most puzzling part.  Has to be a rootkit embedded somewhere.  I'm almost about to give up and reformat drive.  Oh yeah, while in Safe Mode I was able to run TDSSKiller and it found nothing.


See if you can run the following and post the produced log.....

 

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to a USB flash drive. Ensure you get the correct version for your system, 32 bit or 64 bit.

 

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 

Plug the flash drive into the infected PC.

 

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt Here: http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/ to enter System Recovery Command prompt.

 

If you are using Vista or Windows 7 enter System Recovery Options.

 

Plug the flashdrive into the infected PC.

 

Enter System Recovery Options. I give two methods; use whichever is convenient for you.

 

To enter System Recovery Options from the Advanced Boot Options:


Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select Your Country as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

 

To enter System Recovery Options by using Windows installation disc:


Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select Your Country as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

 

On the System Recovery Options menu you may get the following options:

Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

 


Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64 or e:\frst depending on your version. Press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

Kevin...


When I select F8 to go to Advanced Boot Options and select "Repair Your Computer" the computer says loading Windows files and then goes to a black screen with a bar and Microsoft Corporation underneath the bar and then the computer does nothing.

 

I've taken the drive out and slaved it externally (USB) to another Windows 7 machine and ran sfc /scannow with proper extensions and it found some errors each time I ran it (ran it four times) and stated it was unable to repair some files.  I then ran a chkdsk /R on the drive and it repaired some errors in free space the first time and then found no errors the second time.  I also ran another malware scan while it was slaved using Malwarebytes and ESET and it found no more infections on the drive.

 

I can't get to a command prompt at boot, but can possibly get to command prompt by going into safe mode.  It let me into safe mode with networking once before.  Would this work?


If you can get to safe mode with networking, run FRST as follows:

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Kevin...


What about the second option in reply #12, boot from the installation CD:

 

To enter System Recovery Options by using Windows installation disc:


Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select Your Country as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

 

On the System Recovery Options menu you may get the following options:

Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

 


Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64 or e:\frst depending on your version. Press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-10-2014 01

Ran by Michanne (administrator) on MICHANNE-PC on 08-10-2014 20:06:29

Running from C:\Users\Michanne\Desktop

Loaded Profile: Michanne (Available profiles: Michanne)

Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)

Internet Explorer Version 11

Boot Mode: Normal


 

==================== Processes (Whitelisted) =================

 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

(AMD) C:\Windows\System32\atiesrxx.exe

(AMD) C:\Windows\System32\atieclxx.exe

(Andrea Electronics Corporation) C:\Windows\System32\AEADISRV.EXE

(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe

(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe

(CyberLink Corp.) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe

(CyberLink) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe

(Microsoft Corporation) C:\Windows\System32\rundll32.exe

(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe

(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe

(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE

() C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe

(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe

(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\Buttons & OSDs control application gen3\FastUserSwitching.exe

(Hewlett-Packard) C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe

(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe

(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\Buttons & OSDs control application gen3\JAN2OSD.exe

(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

() C:\Program Files (x86)\Hewlett-Packard\HP Desktop Keyboard\Keystatus.exe

(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe

 

 

==================== Registry (Whitelisted) ==================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM\...\Run: [soundMAX] => C:\Program Files (x86)\Analog Devices\SoundMAX\soundmax.exe [3866624 2009-06-22] (Analog Devices, Inc.)

HKLM-x32\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)

HKLM-x32\...\Run: [HP KEYBOARDx] => C:\Program Files (x86)\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE [715264 2009-07-15] (Hewlett-Packard)

HKLM-x32\...\Run: [HP Remote Solution] => C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-05-26] ()

HKLM-x32\...\Run: [startCCC] => c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2009-06-14] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [soundMAXPnP] => C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1314816 2009-06-22] (Analog Devices, Inc.)

HKLM-x32\...\Run: [buttons & OSDs control application gen3] => c:\Program Files (x86)\Hewlett-Packard\Buttons & OSDs control application gen3\FastUserSwitching.exe [212992 2009-07-03] (Hewlett-Packard)

HKLM-x32\...\Run: [HP Software Update] => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)

HKLM-x32\...\Run: [] => [X]

HKLM-x32\...\Run: [NortonOnlineBackupReminder] => C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe [581480 2009-05-12] (Symantec Corporation)

HKLM-x32\...\Run: [updatePRCShortCut] => C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)

HKU\S-1-5-18\...\RunOnce: [sPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2013-11-16] (Microsoft Corporation)

 

==================== Internet (Whitelisted) ====================

 

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.38searchengines.com/?hp=G1&opts=no&d=2014-03-14&hpa=yes

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.38searchengines.com/?hp=G1&opts=no&d=2014-03-14&hpa=yes

HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = 

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.38searchengines.com/?hp=G1&opts=no&d=2014-03-14&hpa=yes

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.38searchengines.com/?hp=G1&opts=no&d=2014-03-14&hpa=yes

HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = 

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 

SearchScopes: HKLM - {41B1120F-A5C8-40EB-ABFB-160C97725538} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

SearchScopes: HKLM - {AE986AAE-21E4-49ED-8A99-6C9A7E4FF4D9} URL = http://www.38searchengines.com/?tag=abs&q={searchTerms}

SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 

SearchScopes: HKLM-x32 - {41B1120F-A5C8-40EB-ABFB-160C97725538} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

SearchScopes: HKCU - {41B1120F-A5C8-40EB-ABFB-160C97725538} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

SearchScopes: HKCU - {AE986AAE-21E4-49ED-8A99-6C9A7E4FF4D9} URL = http://www.38searchengines.com/?tag=abs&q={searchTerms}

BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO-x32: Microsoft Live Search Toolbar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> c:\Program Files (x86)\MSN\Toolbar\3.0.0560.0\msneshellx.dll (Microsoft Corp.)

BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

Toolbar: HKLM-x32 - Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0560.0\msneshellx.dll (Microsoft Corp.)

Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

 

FireFox:

========

FF Plugin: @microsoft.com/GENUINE -> disabled No File

FF Plugin: @microsoft.com/VirtualEarth3D,version=4.0 -> c:\Program Files (x86)\Virtual Earth 3D\ ()

FF Plugin-x32: @java.com/DTPlugin,version=10.45.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF Plugin-x32: @java.com/JavaPlugin,version=10.45.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File

FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\2.0.31005.0\npctrl.dll ( Microsoft Corporation)

FF Plugin-x32: @microsoft.com/VirtualEarth3D,version=4.0 -> c:\Program Files (x86)\Virtual Earth 3D\ ()

FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll No File

FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll No File

FF HKLM-x32\...\Firefox\Extensions: [{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn

 

Chrome: 

=======

CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter}

CHR Profile: C:\Users\Michanne\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (Google Docs) - C:\Users\Michanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-11-06]

CHR Extension: (Google Drive) - C:\Users\Michanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-11-06]

CHR Extension: (YouTube) - C:\Users\Michanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-11-06]

CHR Extension: (Google Search) - C:\Users\Michanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-11-06]

CHR Extension: (Google Wallet) - C:\Users\Michanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-06]

CHR Extension: (Gmail) - C:\Users\Michanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-11-06]

 

==================== Services (Whitelisted) =================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R2 AEADIFilters; C:\Windows\system32\AEADISRV.EXE [111616 2008-07-15] (Andrea Electronics Corporation)

R2 HP Health Check Service; C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [124928 2009-07-09] (Hewlett-Packard) [File not signed]

 

==================== Drivers (Whitelisted) ====================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R3 ACPIService; C:\Windows\system32\DRIVERS\OSDACPI.SYS [17992 2009-06-17] ()

R3 AVerAVF2; C:\Windows\System32\DRIVERS\AVerAVF2.sys [1018624 2009-07-14] (AVerMedia TECHNOLOGIES, Inc.)

S3 NW1950; C:\Windows\system32\DRIVERS\NW1950.sys [24568 2009-07-29] ()

S3 SPPD; \??\C:\Windows\system32\drivers\SPPD.sys [X]

 

==================== NetSvcs (Whitelisted) ===================

 

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

 

 

==================== One Month Created Files and Folders ========

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-10-08 20:06 - 2014-10-08 23:04 - 02109952 _____ (Farbar) C:\Users\Michanne\Desktop\FRST64.exe

2014-10-08 20:06 - 2014-10-08 20:07 - 00010701 _____ () C:\Users\Michanne\Desktop\FRST.txt

2014-10-08 20:06 - 2014-10-08 20:06 - 00000000 ____D () C:\FRST

2014-10-07 19:10 - 2014-09-30 15:09 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\Michanne\Desktop\tdsskiller (1).exe

2014-10-07 02:40 - 2014-10-07 02:43 - 524288000 _____ () C:\REMOVE_THIS_FILE.livecd.swap

2014-10-06 06:20 - 2014-10-06 10:03 - 32679528 _____ () C:\bdscan-sda2.log

2014-10-05 16:23 - 2014-10-06 03:12 - 00032355 _____ () C:\clamscan-sda2.log

2014-10-04 15:53 - 2014-10-04 23:08 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0

2014-10-03 12:03 - 2014-10-07 19:09 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-10-03 12:03 - 2014-10-03 12:03 - 00001104 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2014-10-03 12:03 - 2014-10-03 12:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2014-10-03 12:03 - 2014-10-03 12:03 - 00000000 ____D () C:\ProgramData\Malwarebytes

2014-10-03 12:03 - 2014-10-03 12:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware

2014-10-03 12:03 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2014-10-03 12:03 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys

2014-10-03 12:03 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

2014-10-03 12:02 - 2014-05-14 09:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll

2014-10-03 12:02 - 2014-05-14 09:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe

2014-10-03 12:02 - 2014-05-14 09:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll

2014-10-03 12:02 - 2014-05-14 09:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll

2014-10-03 12:01 - 2014-10-03 12:01 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Michanne\Downloads\mbam-setup-2.0.2.1012.exe

2014-10-03 12:00 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll

2014-10-03 12:00 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll

2014-10-03 12:00 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe

2014-10-03 12:00 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe

 

==================== One Month Modified Files and Folders =======

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-10-08 20:06 - 2013-11-06 17:50 - 01127102 _____ () C:\Windows\WindowsUpdate.log

2014-10-08 20:05 - 2009-07-13 21:45 - 00015792 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2014-10-08 20:05 - 2009-07-13 21:45 - 00015792 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2014-10-08 20:04 - 2009-07-13 21:51 - 00026855 _____ () C:\Windows\setupact.log

2014-10-08 20:03 - 2013-11-06 15:25 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2014-10-08 20:02 - 2009-07-13 22:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-10-07 18:48 - 2009-09-07 03:49 - 00182272 _____ () C:\Windows\PFRO.log

2014-10-03 11:59 - 2009-07-13 20:20 - 00000000 __RHD () C:\Users\Public\Libraries

2014-10-03 11:48 - 2013-11-06 15:25 - 00003898 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA

2014-10-03 11:48 - 2013-11-06 15:25 - 00000902 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2014-10-03 11:45 - 2009-09-07 04:38 - 00000000 ____D () C:\ProgramData\Norton

 

==================== Bamital & volsnap Check =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\Windows\System32\winlogon.exe => File is digitally signed

C:\Windows\System32\wininit.exe => File is digitally signed

C:\Windows\SysWOW64\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\System32\services.exe => File is digitally signed

C:\Windows\System32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\System32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

 

 

LastRegBack: 2014-03-14 16:07

 

==================== End Of Log ============================

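The FRST log above is what the helper is reading by eye: browser start pages and search scopes pointing at a redirect site, a Run value with no name and no file, an unsigned service, a driver whose file is missing, and the core system binaries all reporting as signed. As an added example (not part of this thread and not Farbar's code), the script below does that first triage pass automatically over a handful of lines taken from the posted log. The allowlist of trusted search hosts and the high/medium/low labels are my own assumptions; a real triage would still read the whole log.

```python
import re
from urllib.parse import urlparse

# Sample input: the lines below are taken from the FRST.txt posted in this thread
# (plus one clean line), embedded here so the triage runs offline.
SAMPLE_LOG = r"""
() C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
HKLM\...\Run: [soundMAX] => C:\Program Files (x86)\Analog Devices\SoundMAX\soundmax.exe [3866624 2009-06-22] (Analog Devices, Inc.)
HKLM-x32\...\Run: [] => [X]
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.38searchengines.com/?hp=G1&opts=no&d=2014-03-14&hpa=yes
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM - {41B1120F-A5C8-40EB-ABFB-160C97725538} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {AE986AAE-21E4-49ED-8A99-6C9A7E4FF4D9} URL = http://www.38searchengines.com/?tag=abs&q={searchTerms}
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
R2 HP Health Check Service; C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [124928 2009-07-09] (Hewlett-Packard) [File not signed]
R3 ACPIService; C:\Windows\system32\DRIVERS\OSDACPI.SYS [17992 2009-06-17] ()
S3 SPPD; \??\C:\Windows\system32\drivers\SPPD.sys [X]
C:\Windows\System32\winlogon.exe => File is digitally signed
"""

# Assumption: search providers the triager considers legitimate. Anything else set as a
# start page or search scope is treated as a likely browser hijack.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

URL_RE = re.compile(r"(Start Page|Default_Page_URL|URL) = (\S+)")
ORPHAN_RUN_RE = re.compile(r"\\Run: \[\] => \[X\]")
SERVICE_RE = re.compile(r"[RS]\d ")   # FRST service/driver lines start with R2/R3/S3...


def triage_line(line):
    """Return (severity, reason) for one FRST line, or None if nothing stands out."""
    line = line.rstrip()
    if not line:
        return None
    # Browser start page / search scope that points somewhere other than a trusted engine.
    m = URL_RE.search(line)
    if m:
        host = urlparse(m.group(2)).hostname
        if host and host not in EXPECTED_SEARCH_HOSTS:
            return ("high", f"browser start page or search scope points at {host}")
    # Autorun value with no name and no file: leftover of something already removed.
    if ORPHAN_RUN_RE.search(line):
        return ("low", "empty Run value whose file is missing (orphan)")
    # Running process with an empty publisher string.
    if line.startswith("() "):
        return ("low", "running process has no publisher")
    # Services and drivers: missing file, unsigned binary, or no publisher.
    if SERVICE_RE.match(line):
        if line.endswith("[X]"):
            return ("medium", "service/driver registered but file missing")
        if "[File not signed]" in line:
            return ("medium", "service binary is not digitally signed")
        if line.endswith("()"):
            return ("low", "driver has no publisher string")
    # Toolbar/BHO/plugin entries whose backing file is gone.
    if line.endswith("No File"):
        return ("low", "registry entry references a file that no longer exists")
    return None


def triage_log(text):
    """Run triage_line over every line; return a list of (severity, reason, line)."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.rstrip()))
    return findings


def summarize(findings):
    """Count findings per severity so the reader sees the shape of the log at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for severity, reason, line in results:
        print(f"[{severity:6}] {reason}\n         {line}")
    print(summarize(results))
```

Run against a real FRST.txt by reading the file and passing its text to triage_log; everything the script flags as "high" here is exactly the search-hijack residue Malwarebytes reported earlier in the thread as Conduit/Search Protect, and the "medium" entries are the two the helper would want explained before trusting the system.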

You`ve only posted one log from FRST; there would also have been a second log, "Addition.txt". Logs are saved here: C:\FRST\Logs

 

There is no obvious malware/infection showing in the primary log "FRST.txt"; maybe the current issues are down to system damage. Run the following and see if there is any improvement:

 

Download Portable Windows Repair (all in one) from one of the following:

 

http://www.tweaking.com/content/page/windows_repair_all_in_one.html

http://www.majorgeeks.com/Tweaking.com_-_Windows_Repair_Portable_d7222.html

http://www.bleepingcomputer.com/download/windows-repair-all-in-one-portable/

 

Unzip the contents into a newly created folder on your desktop.

 

Open the folder and run the tool by right clicking on Repair_Windows (icon with red briefcase) and selecting "Run as Administrator"

 

 

tweak1.jpg

 

From the main GUI do the following:

 

 

Select Tab 3 and allow it to run Disk check

 

 

tweak2.jpg

 

Select Tab 4 and allow it to run SFC

 

 

tweak3.jpg

 

Select Tab 5 and Create System Restore Point

 

 

tweak4.jpg

 

Select Start Repairs tab => Click the Start

 

 

tweak5.jpg

 

The repairs window will open. Check the boxes as indicated, also the "Restart" option, then select Start...

 

 

tweak6.jpg

 

DON'T use the computer while each scan is in progress.

 

Post the log. To access it select the "settings" tab > "open log folder" tab; the log will be named _Windows_Repair_Log

 

 

tweak7.jpg

 

 

Let me see that log,

 

Kevin...


I had to get the computer back but everything you did helped get the computer back to perfect working state.  Thanks so much for the advice on all the tools!  They worked seamlessly and the computer looks great!!!  I can't believe it came back!  I thought it was gone for sure.  I learned a lot on that one!  Thanks again!!!
