[ryan8410]

Windows 7, Dell inspiron---Downloaded Windows Defender Offline as recommended after a scan of Microsoft Security Essentials, now can only operate in recovery mode and cannot access safe mode.  Defender found one aleuron and removed it.  After hours upon hours of trying to resolve the issue, I dowloaded FarBar to my flash drive, ran the inital scan, which created a log which I will post below.  I followed previous post instructions--copied to new notepad, saved as FixList.txt, but now cannot run the Fix option.  I've made several attempts and no success.  Please advise and thank you.

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-06-2014
Ran by SYSTEM on MININT-LE5157L on 02-06-2014 23:20:18
Running from F:\
Platform: Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingc...can-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingc...can-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo...very-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8321568 2009-11-09] (Realtek Semiconductor)
HKLM-x32\...\Run: [StartCCC] => c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2009-07-14] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Dell DataSafe Online] => C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe [1807600 2009-11-13] ()
HKLM-x32\...\Run: [PDVDDXSrv] => C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe [140520 2009-06-24] (CyberLink Corp.)
HKLM-x32\...\Run: [Desktop Disc Tool] => c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe [498160 2009-10-15] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) =================

S2 mcmscsvc; C:\Program Files (x86)\McAfee\MSC\mcmscsvc.exe [865832 2009-05-01] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [696848 2009-06-16] (McAfee, Inc.)
S3 McShield; C:\Program Files\McAfee\VirusScan\Mcshield.exe [155456 2009-06-18] (McAfee, Inc.)
S3 McSysmon; C:\Program Files (x86)\McAfee\VirusScan\mcsysmon.exe [606736 2009-06-16] (McAfee, Inc.)
S4 MpfService; C:\Program Files (x86)\McAfee\MPF\MPFSrv.exe [893112 2009-06-09] (McAfee, Inc.)
S2 0207191268791044mcinstcleanup; C:\Users\ADMINI~1\AppData\Local\Temp\020719~1.EXE C:\PROGRA~2\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S4 McNASvc; %CommonProgramFiles(x86)%\mcafee\mna\mcnasvc.exe [X]
S4 McProxy; %CommonProgramFiles(x86)%\mcafee\mcproxy\mcproxy.exe [X]

==================== Drivers (Whitelisted) ====================

S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [102600 2009-06-18] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [41032 2009-06-18] (McAfee, Inc.)
S1 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [307400 2009-06-18] (McAfee, Inc.)
S3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [40904 2009-06-18] (McAfee, Inc.)
S3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [49480 2009-06-18] (McAfee, Inc.)
S1 MPFP; C:\Windows\System32\Drivers\Mpfp.sys [176144 2009-04-09] (McAfee, Inc.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-06-02 21:52 - 2014-06-02 23:20 - 00000000 ____D () C:\FRST

==================== One Month Modified Files and Folders =======

2014-06-02 23:20 - 2014-06-02 21:52 - 00000000 ____D () C:\FRST
2014-06-02 16:46 - 2010-03-16 20:20 - 00000000 ____D () C:\dell

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe
[2010-03-16 20:30] - [2010-03-16 20:30] - 2868736 ____A (Microsoft Corporation) 6D4F9E4B640B413C6F73414327484C80

C:\Windows\SysWOW64\explorer.exe
[2010-03-16 20:30] - [2010-03-16 20:30] - 2613248 ____A (Microsoft Corporation) FC89FACA0473641CB625EDA9277D0885

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

==================== Restore Points  =========================

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3838.98 MB
Available physical RAM: 3283.34 MB
Total Pagefile: 3837.13 MB
Available Pagefile: 3265.43 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:581.48 GB) (Free:571.21 GB) NTFS
Drive f: (WDO_MEDIA64) (Removable) (Total:7.63 GB) (Free:7.63 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:10.2 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected.

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 596 GB) (Disk ID: D5F7CC89)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=581 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 8 GB) (Disk ID: 04030201)
Partition 1: (Active) - (Size=8 GB) - (Type=0B)

LastRegBack: 2010-03-16 19:33

==================== End Of Log ============================

 

 

[Advertisements]

 

Download the enclosed file. 

 

Save it in the same location FRST is saved.

 

Launch FRST and click on the Fix button.

 

The tool will make a log in the same location FRST is saved (Fixlog.txt), Please post it to your reply.

 

 

Attempt to boot in Normal Mode.

 

If successful, Please download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

 

• Then click on Change parameters in TDSSKiller.

• Another window will appear.

• Check all boxes then click OK.

• Click the Start Scan button.

 

• The scan should take no longer than 2 minutes.

• If a suspicious object is detected, the default action will be Skip, click on Continue.

 

•  

• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

 

Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

 

[JSntgRvr]

 

Download the enclosed file. 

 

Save it in the same location FRST is saved.

 

Launch FRST and click on the Fix button.

 

The tool will make a log in the same location FRST is saved (Fixlog.txt), Please post it to your reply.

 

 

Attempt to boot in Normal Mode.

 

If successful, Please download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

 

• Then click on Change parameters in TDSSKiller.

• Another window will appear.

• Check all boxes then click OK.

• Click the Start Scan button.

 

• The scan should take no longer than 2 minutes.

• If a suspicious object is detected, the default action will be Skip, click on Continue.

 

•  

• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

 

Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

 

[ryan8410]

It worked.  Thanks!!

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-06-2014
Ran by SYSTEM at 2014-06-03 20:00:44 Run:1
Running from F:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
Start
TDL4: custom:26000022 <===== ATTENTION!
testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!
ATTENTION: Malware custom entry on BCD on drive y: detected.
End
*****************

The operation completed successfully.
The operation completed successfully.

The operation completed successfully.

==== End of Fixlog ====

 

 TDSSKiller.3.0.0.37_03.06.2014_20.30.40_log.txt   1.25MB   476 downloads

[JSntgRvr]

Lets scan the computer.

 

  Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

 

 

Download : ADWCleaner to your desktop.

NOTE: If using Internet Explorer and get an alert that stops the program downloading, click on the warning and allow the download to complete.

Close  all programs and click on the AdwCleaner icon.



Click on Scan  and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.

The report will be saved in the C:\AdwCleaner folder. as AdwCleaner[S0].txt
 

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup-2.0..exe to install the application. (The revision number may vary.)

• Select the language and click OK.
• Accept the agreement
• Make sure a checkmark is placed next to Enable the Free Trial and Launch
• Malwarebytes' Anti-Malware, then click on finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Scan Now".
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click on Quanrantee All,.
• When disinfection is completed, a dialog will open and you may be prompted to Restart.(See Extra Note)
• Upon restart, launch Malwarebytes Antimalware and select History.
• Double click on the last scan done, then on Copy to Clipboard.
• Right click on your next reply and select Paste.
• Submit your reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.
 

 

[ryan8410]

 AdwCleanerS0.txt   3.25KB   468 downloads

 JRT.txt   632bytes   419 downloads

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/4/2014
Scan Time: 7:17:49 PM
Logfile: malwarerbytesscaneport.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.04.12
Rootkit Database: v2014.06.02.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7
CPU: x64
File System: NTFS
User: Ryan

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 255465
Time Elapsed: 4 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 2
PUP.Optional.Speedial.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://speedial.com/...cr=319793413=, Good: (www.google.com), Bad: (http://speedial.com/...4e64f1044c0b54b]
PUP.Optional.Speedial.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://speedial.com/...cr=319793413=, Good: (www.google.com), Bad: (http://speedial.com/...496fd62ad574bb5]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

 

 

Malwarebytes Anti-Malware

www.malwarebytes.org

Protection, 6/4/2014 7:15:55 PM, SYSTEM, RYAN-PC, Protection, Malware Protection, Starting,
Protection, 6/4/2014 7:15:55 PM, SYSTEM, RYAN-PC, Protection, Malware Protection, Started,
Protection, 6/4/2014 7:15:55 PM, SYSTEM, RYAN-PC, Protection, Malicious Website Protection, Starting,
Protection, 6/4/2014 7:16:13 PM, SYSTEM, RYAN-PC, Protection, Malicious Website Protection, Started,
Update, 6/4/2014 7:16:51 PM, SYSTEM, RYAN-PC, Manual, Rootkit Database, 2014.2.20.1, 2014.6.2.1,
Update, 6/4/2014 7:16:54 PM, SYSTEM, RYAN-PC, Manual, Malware Database, 2014.3.4.9, 2014.6.4.12,
Protection, 6/4/2014 7:16:54 PM, SYSTEM, RYAN-PC, Protection, Refresh, Starting,
Protection, 6/4/2014 7:16:54 PM, SYSTEM, RYAN-PC, Protection, Malicious Website Protection, Stopping,
Protection, 6/4/2014 7:16:54 PM, SYSTEM, RYAN-PC, Protection, Malicious Website Protection, Stopped,
Protection, 6/4/2014 7:16:58 PM, SYSTEM, RYAN-PC, Protection, Refresh, Success,
Protection, 6/4/2014 7:16:58 PM, SYSTEM, RYAN-PC, Protection, Malicious Website Protection, Starting,
Protection, 6/4/2014 7:16:58 PM, SYSTEM, RYAN-PC, Protection, Malicious Website Protection, Started,
Protection, 6/4/2014 7:25:09 PM, SYSTEM, RYAN-PC, Protection, Malware Protection, Starting,
Protection, 6/4/2014 7:25:09 PM, SYSTEM, RYAN-PC, Protection, Malware Protection, Started,
Protection, 6/4/2014 7:25:09 PM, SYSTEM, RYAN-PC, Protection, Malicious Website Protection, Starting,
Protection, 6/4/2014 7:25:30 PM, SYSTEM, RYAN-PC, Protection, Malicious Website Protection, Started,

(end)

Malwarebytes Anti-Malware
www.malwarebytes.org

 

[JSntgRvr]

How is the computer doing?

[ryan8410]

Operating well.  Thanks

[JSntgRvr]

Congratulations.

Lets remove the tools we used during this session.

Run AdwCleaner and click on uninstall.

• Download Delfix from here
• Ensure Remove disinfection tools is ticked
  Also tick:
  • Create registry backup
  • Purge system restore
  
• Click Run

Manually remove any file and folder left.

Here are some suggestions.

• Always keep your JAVA updated. Older versions will make your computer vulnerable.
• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
• ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!

[ryan8410]

Could the Malwarebytes have removed the Adware application?  I can't find it anywhere....done search, etc, everything.  The scan report still exists on my desktop.

[JSntgRvr]

You mean the ADWCleaner aplication. If so, perhaps Delfix, may have deleted it. Delete the Report. You can always download the application and then uninstall.

[ryan8410]

Thanks again so much.  Is there a antivirus/antimalware app to keep installed that you recommend over others?

[JSntgRvr]

I use AVAST over others. It has kept many nasties out.