windows\system32\drivers\mbamswissarmy.sys


Hello, I am having problems with my windows 7 laptop. Every time I try to start it up it enters recovery mode and cannot boot into normal OR safe mode anymore... I checked the logs from the recovery mode and it said that the mbamswissarmy.sys is corrupt. Any suggestions as to how I can get around this and get it booting again?

Hello keevans and welcome to Malwarebytes,

Continue with the following:

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to a USB flash drive. Be sure to get the correct version for your system, 32-bit or 64-bit.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Plug the flash drive into the infected PC.

If you are using Windows 8 or 10 consult How to use the Windows 8 or 10 System Recovery Environment Command Prompt Here: http://www.howtogeek.com/126016/three-ways-to-access-the-windows-8-boot-options-menu/ to enter System Recovery Command prompt.

If you are using Vista or Windows 7 enter System Recovery Options.

Enter System Recovery Options. I give two methods; use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you may get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version, and press Enter. Note: replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Thank you,

Kevin

Dear Kevin

These are results

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-05-2017

Ran by SYSTEM on MININT-OLDCVQ8 (21-05-2017 15:37:48)

Running from G:\

Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)

Internet Explorer Version 11

Boot Mode: Recovery

Default: ControlSet001

ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

 

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

 

==================== Registry (Whitelisted) ====================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM\...\Run: [PfNet] => C:\Program Files\Fujitsu\Plugfree NETWORK\PfNet.exe [6310912 2010-06-24] (FUJITSU LIMITED)

HKLM\...\Run: [PSUTility] => C:\Program Files\Fujitsu\PSUtility\TrayManager.exe [188264 2009-07-30] (FUJITSU LIMITED)

HKLM\...\Run: [FDM7] => C:\Program Files\Fujitsu\FDM7\FdmDaemon.exe [164712 2009-11-26] (FUJITSU LIMITED)

HKLM\...\Run: [LoadFujitsuQuickTouch] => C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe [157544 2009-10-15] (FUJITSU LIMITED)

HKLM\...\Run: [LoadBtnHnd] => C:\Program Files\Fujitsu\Application Panel\BtnHnd.exe [35176 2009-10-15] (FUJITSU LIMITED)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8312352 2009-10-28] (Realtek Semiconductor)

HKLM\...\Run: [ConMgr] => C:\Program Files\CSR\Bluetooth Feature Pack 5.0\ConMgr.exe [535440 2009-12-24] (CSR, plc)

HKLM\...\Run: [CSRSkype] => C:\Program Files\CSR\Bluetooth Feature Pack 5.0\CSRSkype.exe [431504 2009-12-24] (CSR, plc)

HKLM\...\Run: [DLPSP] => C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE [913216 2010-06-01] (Dell Inc.)

HKLM\...\Run: [DLUPDR] => C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE [587584 2010-06-01] (Dell Inc.)

HKLM\...\Run: [DLQLU] => C:\Program Files\Dell Printers\Additional Color Laser Software\Launcher\DLQLU.EXE [1284416 2010-06-01] (Dell Inc.)

HKLM\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [239592 2017-04-27] (AVG Technologies CZ, s.r.o.)

HKLM\...\Run: [iTunesHelper] => "C:\Program Files\iTunes\iTunesHelper.exe"

HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)

HKLM-x32\...\Run: [ZoneAlarm] => C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe [144696 2017-02-14] (Check Point Software Technologies Ltd.)

HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [239592 2017-04-27] (AVG Technologies CZ, s.r.o.)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  <==== ATTENTION

SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\system32\CbFsMntNtf3.dll (EldoS Corporation)

SSODL-x32: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} -  No File

GroupPolicy\User: Restriction <======= ATTENTION

 

==================== Services (Whitelisted) ====================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [1002552 2017-03-23] (AVG Technologies CZ, s.r.o.)

S2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagenta.exe [5334432 2017-03-23] (AVG Technologies CZ, s.r.o.)

S2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1428656 2017-04-27] (AVG Technologies CZ, s.r.o.)

S2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvca.exe [729048 2017-03-23] (AVG Technologies CZ, s.r.o.)

S2 DLPWD; C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE [155888 2009-10-16] (Dell Inc.)

S2 DLSDB; C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [344384 2010-06-01] (Dell Inc.)

S2 EventService; C:\Program Files (x86)\MR APP\MRAPP.Event.Service.exe [33280 2014-06-20] (Digital Market Research Apps Pty Ltd)

S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4470736 2017-05-09] (Malwarebytes)

S2 PFNService; C:\Program Files\Fujitsu\Plugfree NETWORK\PFNService.exe [330240 2010-06-24] (FUJITSU LIMITED)

S2 PowerSavingUtilityService; C:\Program Files\Fujitsu\PSUtility\PSUService.exe [63336 2009-07-30] (FUJITSU LIMITED)

S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [235984 2016-11-24] (Safer-Networking Ltd.)

S2 TransferService; C:\Program Files (x86)\MR APP\MRAPP.Transfer.Service.exe [32256 2014-06-20] (Digital Market Research Apps Pty Ltd)

S2 VFPRadioSupportService; C:\Program Files\CSR\Bluetooth Feature Pack 5.0\VFPRadioSupportService.exe [145840 2009-12-24] (CSR, plc)

S2 vsmon; C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe [4076744 2017-02-14] (Check Point Software Technologies Ltd.)

S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

S3 ZAPrivacyService; C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe [114936 2016-11-01] (Check Point Software Technologies, Ltd.)

S2 ZoneAlarm ICM Service; C:\Program Files (x86)\CheckPoint\ZoneAlarm\ICM-Service.exe [1037624 2017-02-14] (Check Point Software Technologies Ltd.)

S2 BT Help Wizard; "C:\Program Files (x86)\BT Broadband Desktop Help\btbb\MA\8.4.0.53.bt.10\ma\bin\MAHostService.exe" [X]

S2 PnkBstrA; no ImagePath

 

===================== Drivers (Whitelisted) ======================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

S1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [163072 2016-05-13] (AVG Technologies CZ, s.r.o.)

S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [313088 2017-02-20] (AVG Technologies CZ, s.r.o.)

S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [267008 2016-10-05] (AVG Technologies CZ, s.r.o.)

S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [298240 2016-11-30] (AVG Technologies CZ, s.r.o.)

S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [360736 2016-02-16] (AVG Technologies CZ, s.r.o.)

S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [254208 2016-09-26] (AVG Technologies CZ, s.r.o.)

S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [52992 2016-06-01] (AVG Technologies CZ, s.r.o.)

S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [299264 2016-07-27] (AVG Technologies CZ, s.r.o.)

S0 Avguniva; C:\Windows\System32\DRIVERS\avguniva.sys [77056 2016-06-20] (AVG Technologies CZ, s.r.o.)

S1 BTOWSFF; C:\Windows\System32\Drivers\BTOWSFF.sys [33024 2016-02-26] (Toolwiz.com)

S0 BTOWSVF; C:\Windows\System32\Drivers\BTOWSVF.sys [52480 2016-02-26] (Toolwiz.com)

S3 cbfs3; C:\Windows\System32\DRIVERS\cbfs3.sys [352144 2012-04-09] (EldoS Corporation)

S1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77440 2017-05-19] ()

S3 FUJ02B1; C:\Windows\System32\DRIVERS\FUJ02B1.sys [59152 2016-05-11] (FUJITSU LIMITED)

S3 FUJ02E3; C:\Windows\System32\DRIVERS\FUJ02E3.sys [7296 2006-11-01] (FUJITSU LIMITED)

S0 KL1; C:\Windows\System32\DRIVERS\kl1.sys [554416 2016-08-02] (AO Kaspersky Lab)

S3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [180560 2016-08-02] (AO Kaspersky Lab)

S1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [292176 2016-08-02] (AO Kaspersky Lab)

S1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [1015120 2016-08-02] (AO Kaspersky Lab)

S0 KSafeDISK; C:\Windows\System32\Drivers\KSafeDISK.sys [52992 2016-02-26] (Toolwiz.com)

S2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [187320 2017-05-19] (Malwarebytes)

S3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [113592 2017-05-20] (Malwarebytes)

S0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [0 2017-05-20] () <==== ATTENTION (zero byte File/Folder)

S3 secdrv; C:\Windows\SysWow64\Drivers\secdrv.sys [29392 2016-07-28] ()

S3 usbUDisc; C:\Windows\System32\DRIVERS\USBDrv_AMD64.sys [17280 2012-07-09] (Scott)

S1 Vsdatant; C:\Windows\System32\DRIVERS\vsdatant.sys [461240 2017-03-16] (Check Point Software Technologies Ltd.)

S3 clwvd; system32\DRIVERS\clwvd.sys [X]

S3 iswSvc; no ImagePath

S3 MREMP50; \??\C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [X]

S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]

S3 MREMPR5; \??\C:\PROGRA~2\COMMON~1\Motive\MREMPR5.SYS [X]

S3 MRENDIS5; \??\C:\PROGRA~2\COMMON~1\Motive\MRENDIS5.SYS [X]

S3 MRESP50; \??\C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [X]

S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]

S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]

S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]

S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]

 

==================== NetSvcs (Whitelisted) ===================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

 

==================== One Month Created files and folders ========

 

(If an entry is included in the fixlist, the file/folder will be moved.)

 

2017-05-21 23:42 - 2017-05-21 23:42 - 00000000 ____D C:\Windows\System32\config\HiveBackup

2017-05-21 23:40 - 2017-05-21 15:37 - 00000000 ____D C:\FRST

2017-05-21 06:03 - 2017-05-21 06:03 - 00024576 _____ C:\BCD_BAckup

2017-05-20 14:13 - 2017-05-20 14:13 - 00000000 _____ C:\Windows\System32\Drivers\78834934.sys

2017-05-19 10:45 - 2017-05-19 10:45 - 00000000 _____ C:\Windows\System32\Drivers\27095B6D.sys

2017-05-17 17:46 - 2017-05-17 17:46 - 00000000 _____ C:\Windows\System32\Drivers\43FB0185.sys

2017-05-14 14:27 - 2017-05-20 14:13 - 00113592 _____ (Malwarebytes) C:\Windows\System32\Drivers\farflt.sys

2017-05-14 14:27 - 2017-05-20 14:13 - 00000000 _____ C:\Windows\System32\Drivers\mwac.sys

2017-05-14 14:27 - 2017-05-20 14:13 - 00000000 _____ C:\Windows\System32\Drivers\MBAMSwissArmy.sys

2017-05-14 14:27 - 2017-05-20 14:13 - 00000000 _____ C:\Windows\System32\Drivers\mbam.sys

2017-05-14 14:27 - 2017-05-19 10:11 - 00077440 _____ C:\Windows\System32\Drivers\mbae64.sys

2017-05-14 14:27 - 2017-05-19 10:08 - 00187320 _____ (Malwarebytes) C:\Windows\System32\Drivers\MBAMChameleon.sys

2017-05-14 14:27 - 2017-05-14 14:27 - 00001873 ____N C:\Users\Public\Desktop\Malwarebytes.lnk

2017-05-14 14:27 - 2017-05-14 14:27 - 00000000 ____D C:\Program Files\Malwarebytes

2017-05-14 14:02 - 2017-05-14 14:02 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2017-05-14 13:24 - 2017-02-16 21:01 - 00453352 _____ C:\Windows\System32\Drivers\etc\hosts.20170514-132413.backup

2017-05-12 12:25 - 2017-05-20 09:13 - 00004344 _____ C:\Windows\System32\Tasks\SmartAppLiveUpdater

2017-05-11 19:03 - 2017-05-11 19:03 - 00740248 _____ C:\Windows\System32\dll

2017-05-06 11:03 - 2017-02-16 21:01 - 00453352 _____ C:\Windows\System32\Drivers\etc\hosts.20170506-110329.backup

2017-04-28 18:41 - 2017-02-16 21:01 - 00453352 _____ C:\Windows\System32\Drivers\etc\hosts.20170428-184108.backup

2017-04-21 13:39 - 2017-02-16 21:01 - 00453352 _____ C:\Windows\System32\Drivers\etc\hosts.20170421-133900.backup

 

==================== One Month Modified files and folders ========

 

(If an entry is included in the fixlist, the file/folder will be moved.)

 

2017-05-20 17:15 - 2013-10-23 18:30 - 00000378 _____ C:\Windows\Tasks\CI_DCA_UA{C3717BD3-6AC2-4dcd-83DE-F865C33AC5D9}.job

2017-05-20 17:11 - 2012-07-04 22:25 - 00000000 ____D C:\Users\keith\AppData\Roaming\Skype

2017-05-20 16:06 - 2017-04-17 14:13 - 66684103 _____ C:\Users\keith\Desktop\city (v02) (v02) (v03) (Backup) (Backup) (Backup)-2 (Backup) (Backup) (Backup) (v03).fm

2017-05-20 15:16 - 2017-04-17 14:13 - 65439838 _____ C:\Users\keith\Desktop\city (v02) (v02) (v03) (Backup) (Backup) (Backup)-2 (Backup) (Backup) (Backup) (v03) (v02).fm

2017-05-20 14:48 - 2017-04-17 14:13 - 64575254 _____ C:\Users\keith\Desktop\city (v02) (v02) (v03) (Backup) (Backup) (Backup)-2 (Backup) (Backup) (Backup) (v03) (v03).fm

2017-05-20 14:18 - 2016-03-31 19:17 - 00000000 ____D C:\Program Files (x86)\Steam

2017-05-20 11:07 - 2012-07-04 18:46 - 00000000 ____D C:\users\keith

2017-05-20 11:07 - 2008-11-06 17:35 - 00305664 _____ C:\Users\keith\Spending.xls

2017-05-20 10:51 - 2016-09-20 21:10 - 00003600 _____ C:\Windows\System32\Tasks\AVG EUpdate Task

2017-05-20 09:15 - 2009-07-14 05:45 - 00024608 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2017-05-20 09:15 - 2009-07-14 05:45 - 00024608 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2017-05-20 09:12 - 2016-05-22 20:30 - 00003298 _____ C:\Windows\System32\Tasks\SmartAppMonitor

2017-05-20 09:05 - 2012-07-04 21:40 - 00000000 ____D C:\ProgramData\MFAData

2017-05-20 09:02 - 2009-07-14 06:08 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT

2017-05-20 09:02 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2017-05-19 17:45 - 2012-07-13 16:36 - 00000000 ____D C:\Users\keith\AppData\Local\CrashDumps

2017-05-19 14:06 - 2012-07-04 22:25 - 00000000 ____D C:\ProgramData\Skype

2017-05-19 14:05 - 2017-03-22 19:39 - 00000000 ___RD C:\Program Files (x86)\Skype

2017-05-19 14:02 - 2012-11-07 20:00 - 00000000 ____D C:\ProgramData\Package Cache

2017-05-19 13:37 - 2012-07-20 17:43 - 00000000 ____D C:\ProgramData\Apple

2017-05-19 13:29 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\inf

2017-05-19 13:15 - 2014-09-14 19:31 - 00000000 ____D C:\Users\keith\.get_iplayer

2017-05-19 13:14 - 2014-04-26 16:04 - 00000000 ____D C:\Users\keith\Desktop\iPlayer Recordings

2017-05-17 22:03 - 2012-07-13 20:30 - 00000000 ____D C:\Users\keith\AppData\Roaming\SoftGrid Client

2017-05-16 22:19 - 2011-04-16 11:56 - 00767906 _____ C:\Windows\SysWOW64\PerfStringBackup.INI

2017-05-16 22:19 - 2009-07-14 06:13 - 00767906 _____ C:\Windows\System32\PerfStringBackup.INI

2017-05-14 20:50 - 2016-09-14 14:54 - 00001008 ____N C:\Users\Public\Desktop\AVG.lnk

2017-05-14 14:27 - 2012-12-26 10:12 - 00000000 ____D C:\ProgramData\Malwarebytes

2017-05-10 18:39 - 2012-07-04 19:28 - 00803320 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2017-05-10 18:39 - 2012-07-04 19:28 - 00144888 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2017-05-10 18:39 - 2012-07-04 19:28 - 00004312 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater

2017-05-10 18:38 - 2012-07-04 19:28 - 00000000 ____D C:\Windows\SysWOW64\Macromed

2017-05-10 18:38 - 2012-07-04 19:27 - 00000000 ____D C:\Windows\System32\Macromed

2017-05-07 20:04 - 2015-06-22 20:55 - 00026886 _____ C:\Users\keith\Desktop\Target.xlsx

2017-05-06 09:37 - 2015-12-22 21:10 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task

2017-05-05 11:01 - 2013-06-30 22:48 - 00000000 ____D C:\Program Files (x86)\get_iplayer

2017-04-28 19:49 - 2013-03-16 10:34 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA

2017-04-28 19:49 - 2013-03-16 10:34 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

2017-04-25 17:56 - 2017-01-12 14:00 - 00000000 ____D C:\Users\keith\AppData\Local\Verto Analytics

2017-04-21 10:29 - 2010-12-14 20:29 - 00000711 _____ C:\Users\keith\.swfinfo

 

Files to move or delete:

====================

C:\Users\keith\AppData\Roaming\AltShell.ini

C:\Users\Public\dcmsvcsetup.exe

C:\Users\Public\invokesi.exe

 

 

Some files in TEMP:

====================

2017-05-19 14:01 - 2017-05-19 14:01 - 14456872 _____ (Microsoft Corporation) C:\Users\keith\AppData\Local\Temp\vc_redist.x86.exe

 

==================== Known DLLs (Whitelisted) =========================

 

 

==================== Bamital & volsnap ======================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll

[2016-09-14 14:50] - [2016-08-16 18:36] - 1009152 _____ (Microsoft Corporation) 8F4B991E7837E8E0F90C856659456652

 

C:\Windows\SysWOW64\User32.dll

[2016-09-14 14:50] - [2016-08-16 03:48] - 0833024 _____ (Microsoft Corporation) 0FBC0E335B65EE5A0175631237817510

 

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

C:\Windows\System32\dnsapi.dll => MD5 is legit

C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

 

 

safeboot: Network => The system is configured to boot to Safe Mode <===== ATTENTION

 

==================== Association (Whitelisted) =============

 

 

==================== Restore Points =========================

 

 

==================== Memory info ===========================

 

Percentage of memory in use: 13%

Total physical RAM: 5940.55 MB

Available physical RAM: 5161.59 MB

Total Virtual: 5938.75 MB

Available Virtual: 5156.39 MB

 

==================== Drives ================================

 

Drive c: (System) (Fixed) (Total:60 GB) (Free:0 GB) NTFS ==>[system with boot components (obtained from drive)]

Drive d: (Data) (Fixed) (Total:403.76 GB) (Free:284.37 GB) NTFS

Drive e: (WINRE) (Fixed) (Total:2 GB) (Free:1.35 GB) NTFS ==>[system with boot components (obtained from drive)]

Drive f: (RDVDW7HPX64M05) (CDROM) (Total:4.8 GB) (Free:0 GB) UDF

Drive g: () (Removable) (Total:3.84 GB) (Free:3.78 GB) FAT32

Drive x: (Boot) (Fixed) (Total:0.13 GB) (Free:0.12 GB) NTFS

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: B477DB1C)

Partition 1: (Active) - (Size=2 GB) - (Type=27)

Partition 2: (Not Active) - (Size=60 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=403.8 GB) - (Type=07 NTFS)

 

========================================================

Disk: 1 (Size: 3.8 GB) (Disk ID: 00000000)

 

Partition: GPT.

 

LastRegBack: 2017-05-19 12:08

 

==================== End of FRST.txt ============================

Best wishes

Keith

 

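The driver and service lines in an FRST log follow a fixed shape, so the entries that matter for a boot failure (an image file that is empty or missing) can be picked out mechanically. The script below is an added example, not part of this thread and not FRST's own code: the sample lines are copied from the log posted above, and the "boot-critical" rule (a Start 0 or Start 1 driver whose image is zero bytes or absent) is this example's own rule of thumb. In FRST's notation the leading S0..S4 mirrors the service's Start value, and R means the service is running.

```python
"""Triage FRST driver/service lines for empty or missing images (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the posted FRST log, covering a
# healthy driver, a zero-byte image, a registered driver whose file is
# missing ([X]), and a service with no ImagePath at all.
SAMPLE_LINES = r"""
S2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [187320 2017-05-19] (Malwarebytes)
S0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [0 2017-05-20] () <==== ATTENTION (zero byte File/Folder)
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S2 PnkBstrA; no ImagePath
S1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77440 2017-05-19] ()
"""

# "<state> <name>; <rest>"  e.g. "S0 MBAMSwissArmy; C:\...\MBAMSwissArmy.sys [0 2017-05-20] ()"
ENTRY_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+); (?P<rest>.*)$")
# "[<size in bytes> <file date>]" as FRST prints it after the path
SIZE_RE = re.compile(r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]")


@dataclass
class Finding:
    name: str
    path: str
    issue: str
    start: str  # FRST start code, e.g. "S0"

    @property
    def boot_critical(self) -> bool:
        # Start 0 (boot) and Start 1 (system) drivers are loaded by the kernel
        # before the OS is up, so an empty or missing image there can stop the
        # boot before Safe Mode is reachable (this example's own heuristic).
        return self.start in ("S0", "S1")


def triage(text: str) -> list[Finding]:
    """Return one Finding per driver/service line whose image is missing or empty."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, non-service lines
        start, name, rest = m.group("start"), m.group("name"), m.group("rest")
        if rest == "no ImagePath":
            findings.append(Finding(name, "", "no ImagePath", start))
            continue
        if rest.endswith("[X]"):
            # FRST marks a registered service whose file is not on disk with [X]
            findings.append(Finding(name, rest[:-3].strip(), "image file missing", start))
            continue
        size = SIZE_RE.search(rest)
        if size and int(size.group("size")) == 0:
            path = rest.split(" [", 1)[0]
            findings.append(Finding(name, path, "zero-byte image", start))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        flag = "BOOT-CRITICAL" if f.boot_critical else "review"
        print(f"{flag:14} {f.name:20} {f.issue:20} {f.path}")
```

Run against the sample it reports MBAMSwissArmy as boot-critical (a Start 0 driver with a zero-byte image, matching FRST's own ATTENTION marker) and lists clwvd and PnkBstrA for review only; the orphaned [X] and "no ImagePath" entries are leftovers of uninstalled software rather than a boot blocker.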

Save the attached file fixlist.txt to your flash drive, same place as FRST.
Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


Re-boot, see if Windows will boot Normally...

Thank you,

Kevin...

fixlist.txt

Dear Kevin

It booted into safe mode; log attached below.

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-05-2017
Ran by SYSTEM (21-05-2017 16:26:17) Run:2
Running from G:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
Start
LastRegBack: 2017-05-19 12:08
end


*****************

DEFAULT => Could not copy
DEFAULT => restored successfully from registry back up
SAM => copied successfully to System32\config\HiveBackup
SAM => restored successfully from registry back up
SECURITY => copied successfully to System32\config\HiveBackup
SECURITY => restored successfully from registry back up
SOFTWARE => Could not copy
SOFTWARE => restored successfully from registry back up
SYSTEM => Could not copy
SYSTEM => restored successfully from registry back up

==== End of Fixlog 16:26:31 ====

Totally Remove Malwarebytes from your system:

Download the latest version of the Malwarebytes cleanup tool from here: https://downloads.malwarebytes.com/file/mb_clean and save it to your Desktop.

If applicable, backup your Malwarebytes license key information and deactivate the product.

Close all open applications and deactivate Malwarebytes <---- Very important, do not miss that step

To deactivate Malwarebytes:

Right-click on the tray icon and from the opened list select "Quit Malwarebytes". A UAC alert will open; select "Yes" to deactivate Malwarebytes...
 
  • Double-click mb-clean.exe to run it
  • A prompt to confirm the cleanup will appear, select Yes or No
  • Yes - will proceed with the cleanup process <---- Select this option to start the tool
  • No - will exit the utility
  • The utility will launch a Command Prompt window which will disappear once the cleanup process completes.
  • Once completed, a log file ("mb-cleanresult.txt") will be on your desktop and you'll be prompted to reboot
  • We recommend an immediate reboot <--- Do Not miss out this step
  • Suppressing the reboot may result in an incomplete cleanup
  • Upon reboot Malwarebytes will be totally removed from your system


To re-install Malwarebytes:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/
 
  • Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....
  • When the install completes and is updated do the following:
  • Open Malwarebytes, select > "settings" > "protection tab"
  • Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....
  • Go back to "DashBoard" select the Blue "Scan Now" tab......



When the scan completes, deal with any found entries... Then select "Export Summary", then "Text File (*.txt)", name that log and save it; you can copy or attach that to your reply...

If you have lost the activation licence key information it can be located here: http://www.cleverbridge.com/342/?scope=cusecolp

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32-bit or 64-bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

If your security software alerts on FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt). Please attach that log to your reply.

Let me see those logs....

Thank you,

Kevin

Continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Download AdwCleaner by Xplode onto your Desktop.

Or from this Mirror
 
  • Double click on Adwcleaner.exe to run the tool
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in the top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...



Next,

Download Microsoft's "Malicious Software Removal Tool" and save it directly to the desktop.

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right-click on the tool and select "Run as Administrator"; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include details for each time MSRT has run; we only need the most recent log by date and time....

Let me see those logs, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin....

 

fixlist.txt

Thanks for the update Keith, and thank you very much for the donation... Continue with the following to clean up:

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts on Delfix, either accept the alert or turn your security off.

Double-click to start the program. If you are using Vista or higher, please right-click and choose "Run as administrator".

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

This topic is now closed to further replies.