another mbamswissarmy.sys FRST attached [Solved]



#1
short12v


Working on a machine for a friend and I'm stuck on this corrupted file. I cannot reset the PC because there is no room on the hard drive. I have attached the log from FRST. Any suggestions on how to get this machine booted up would be greatly appreciated. Thanks

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 05-03-2017
Ran by SYSTEM on MININT-ERB9FCN (05-03-2017 16:51:11)
Running from f:\
Platform: Windows 10 Pro Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7202008 2013-10-17] (Realtek Semiconductor)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-27] (Microsoft Corporation)
HKLM\...\Run: [ShadowPlay] => "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [596640 2016-11-04] (Razer Inc.)
HKLM-x32\...\Run: [Kraken71ChromaHelper] => C:\Program Files (x86)\Razer\Razer_Kraken71Chroma_Driver\Drivers\SysAudio\Kraken71ChromaHelper.exe [1600320 2015-08-12] (Razer Inc)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [595992 2016-05-20] (Oracle Corporation)
HKLM-x32\...\Run: [ManOWarHelper] => C:\Program Files (x86)\Razer\Razer_ManOWar_Driver\Drivers\SysAudio\ManOWarHelper.exe [1599464 2016-04-06] (Razer Inc)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] => C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe [9926112 2016-03-10] (Malwarebytes)
Startup: C:\Users\Tony Gomez\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PlutoTV.lnk [2016-07-18]
ShortcutTarget: PlutoTV.lnk -> C:\Users\Tony Gomez\AppData\Roaming\Pluto TV\PlutoTV.exe ()
GroupPolicy: Restriction <======= ATTENTION
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [1447944 2016-12-12] ()
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [243984 2016-04-23] (EasyAntiCheat Ltd)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-16] (Intel Corporation)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S2 MSI_Trigger_Service; C:\Program Files (x86)\MSI\MSITrigger\MSI_Trigger_Service.exe [30240 2013-09-26] (MICRO-STAR INTERNATIONAL CO., LTD.)
S2 NS; C:\Program Files (x86)\Norton Security\Engine\22.8.1.14\NS.exe [289080 2016-11-11] (Symantec Corporation)
S2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [462784 2017-01-20] (NVIDIA Corporation)
S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [462784 2017-01-20] (NVIDIA Corporation)
S2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [459832 2016-12-11] (NVIDIA Corporation)
S2 NvTelemetryContainer; C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe [425408 2017-01-20] (NVIDIA Corporation)
S2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2016-04-21] ()
S2 Razer Chroma SDK Service; C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe [69744 2016-10-17] (Razer Inc.)
S2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [189264 2016-09-24] ()
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-07-16] (Microsoft Corporation)
S3 Survarium-Steam Update Service; C:\Program Files (x86)\Steam\steamapps\common\Survarium\game\binaries\x86\survarium_service.exe [214104 2016-05-09] ()
S2 Unchecky; C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe [255256 2016-08-23] (RaMMicHaeL)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
S2 NVIDIA Wireless Controller Service; "C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe" [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S1 BHDrvx64; C:\Program Files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\BASHDefs\20160627.002\BHDrvx64.sys [1832176 2016-05-20] (Symantec Corporation)
S1 ccSet_NS; C:\Windows\system32\drivers\NSx64\1608010.00E\ccSetx64.sys [174328 2016-06-01] (Symantec Corporation)
S1 CFRMD; C:\Windows\System32\DRIVERS\CFRMD.sys [40224 2014-12-25] (Windows ® Win 7 DDK provider)
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [130688 2016-07-22] (Samsung Electronics Co., Ltd.)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [497392 2016-05-31] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [156912 2016-05-31] (Symantec Corporation)
S1 IDSVia64; C:\Program Files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\IPSDefs\20160630.001\IDSvia64.sys [876248 2016-05-30] (Symantec Corporation)
S3 ISCT; C:\Windows\System32\drivers\ISCTD64.sys [47008 2013-07-30] ()
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
S0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [0 2017-01-24] () <==== ATTENTION (zero byte File/Folder)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
S3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-16] (Intel Corporation)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [83096 2015-11-25] (McAfee, Inc.)
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S3 nvlddmkm; C:\Windows\System32\DriverStore\FileRepository\nv_desktop_ref4i.inf_amd64_e9418cd4947d9b45\nvlddmkm.sys [14200880 2016-12-12] (NVIDIA Corporation)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [27584 2017-01-20] (NVIDIA Corporation)
S3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [46016 2017-01-20] (NVIDIA Corporation)
S3 nvvhci; C:\Windows\System32\drivers\nvvhci.sys [57792 2017-01-20] (NVIDIA Corporation)
S3 rzendpt; C:\Windows\System32\drivers\rzendpt.sys [52240 2016-10-30] (Razer Inc)
S3 rzmpos; C:\Windows\System32\drivers\rzmpos.sys [48144 2016-10-30] (Razer Inc)
S2 rzpmgrk; C:\WINDOWS\system32\drivers\rzpmgrk.sys [44144 2016-09-16] (Razer, Inc.)
S2 rzpnk; C:\WINDOWS\system32\drivers\rzpnk.sys [130880 2015-12-14] (Razer, Inc.)
S3 SRTSP; C:\Windows\System32\Drivers\NSx64\1608010.00E\SRTSP64.SYS [784624 2016-11-11] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NSx64\1608010.00E\SRTSPX64.SYS [49400 2016-11-11] (Symantec Corporation)
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [164992 2016-07-22] (Samsung Electronics Co., Ltd.)
S0 SymEFASI; C:\Windows\System32\drivers\NSx64\1608010.00E\SYMEFASI64.SYS [1628888 2016-11-11] (Symantec Corporation)
S4 SymELAM; C:\Windows\system32\drivers\NSx64\1608010.00E\SymELAM.sys [24192 2015-09-23] (Symantec Corporation)
S3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT64x86.SYS [100592 2016-12-10] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NSx64\1608010.00E\Ironx64.SYS [289520 2016-11-11] (Symantec Corporation)
S1 SymNetS; C:\Windows\System32\Drivers\NSx64\1608010.00E\SYMNETS.SYS [567512 2016-11-11] (Symantec Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
S3 XtuAcpiDriver; C:\Windows\System32\drivers\XtuAcpiDriver.sys [63840 2015-06-06] (Intel Corporation)
S3 MWAC; \??\C:\WINDOWS\system32\drivers\ [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-03-05 16:51 - 2017-03-05 16:51 - 00000000 ____D C:\FRST
2017-03-05 16:38 - 2017-03-05 16:38 - 00000000 ___HD C:\$SysReset
2017-03-05 16:38 - 2017-03-05 16:38 - 00000000 ____D C:\$WINDOWS.~BT
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
 
Files to move or delete:
====================
C:\Windows\Tasks\{091AF566-E686-A2DC-8998-6689138B5E4B}.job
 
 
Some files in TEMP:
====================
2016-09-27 15:13 - 2017-01-24 16:35 - 0619840 ____N () C:\Users\Tony Gomez\AppData\Local\Temp\0Kraken71ChromaDevProps.dll
2016-12-26 13:42 - 2017-01-24 16:35 - 0619616 ____N () C:\Users\Tony Gomez\AppData\Local\Temp\0ManOWarDevProps.dll
 
==================== Known DLLs (Whitelisted) =========================
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0674304 ____A (Microsoft Corporation) 770DB86BF679CA34FC927F25FBAA350C
 
C:\Windows\System32\wininit.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0304240 ____A (Microsoft Corporation) 99A19C9A74E2F9820E501DCE77F84F70
 
C:\Windows\explorer.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 4673304 ____A (Microsoft Corporation) 05181A5AC4197D6C5C02ACE6070AF234
 
C:\Windows\SysWOW64\explorer.exe
[2016-07-16 03:43] - [2016-07-16 03:43] - 4312248 ____A (Microsoft Corporation) 8931C71ADDC9B0944332336B9F4A3505
 
C:\Windows\System32\svchost.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0044496 ____A (Microsoft Corporation) 36F670D89040709013F6A460176767EC
 
C:\Windows\SysWOW64\svchost.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0038792 ____A (Microsoft Corporation) 1F8434DD4907C832E6E90D6298EAB85B
 
C:\Windows\System32\services.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0454600 ____A (Microsoft Corporation) 133390D061D94917125DC666DA67ECD0
 
C:\Windows\System32\User32.dll
[2016-09-27 15:02] - [2016-09-27 15:02] - 1461200 ____A (Microsoft Corporation) 958AD14CDF4EBB6BADDB13F8B39A97CF
 
C:\Windows\SysWOW64\User32.dll
[2016-09-27 15:02] - [2016-09-27 15:02] - 1435896 ____A (Microsoft Corporation) 039C8465C730E7E9713819AB859505E9
 
C:\Windows\System32\userinit.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0033280 ____A (Microsoft Corporation) C1B1FFC800BE2F31EB2CF8CB40629C69
 
C:\Windows\SysWOW64\userinit.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0027648 ____A (Microsoft Corporation) FA900E6CCCF0A429D5B720C6F0E2274B
 
C:\Windows\System32\rpcss.dll
[2016-07-16 03:42] - [2016-07-16 03:42] - 0888320 ____A (Microsoft Corporation) 7BD259FC59CF9C2AE1B979564B374CC6
 
C:\Windows\System32\dnsapi.dll
[2016-07-16 03:42] - [2016-07-16 03:42] - 0646136 ____A (Microsoft Corporation) 9BA2C83C355EAC4278F17BEF0852823A
 
C:\Windows\SysWOW64\dnsapi.dll
[2016-07-16 03:42] - [2016-07-16 03:42] - 0496872 ____A (Microsoft Corporation) 6C1D303C703B27FE40D392899BC22E14
 
C:\Windows\System32\Drivers\volsnap.sys
[2016-07-16 03:42] - [2016-07-16 03:42] - 0391520 ____A (Microsoft Corporation) BF2546583BB75F01DDA60A7921DFB230
 
 
==================== Association (Whitelisted) =============
 
 
==================== Restore Points =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 10%
Total physical RAM: 8119.64 MB
Available physical RAM: 7292.91 MB
Total Virtual: 8119.64 MB
Available Virtual: 7336.87 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:921.23 GB) (Free:0.12 GB) NTFS
Drive e: (Recovery Image) (Fixed) (Total:9.77 GB) (Free:4.12 GB) NTFS
Drive f: (PATRIOT) (Removable) (Total:28.85 GB) (Free:28.85 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: BB69BB69)
 
Partition: GPT.
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 28.9 GB) (Disk ID: A652735A)
Partition 1: (Not Active) - (Size=28.9 GB) - (Type=0C)
 
LastRegBack: 2017-01-19 22:15
 
==================== End of FRST.txt ============================



#2
JSntgRvr


Welcome :)

 

Download the attached file Fixlist.txt and save it in the same directory where FRST64 is saved.

  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

 

Boot in Normal Mode and let me know the outcome.
 

 



#3
short12v


Thank you very much!  The machine booted properly.  Here is the fix log.  Thanks again for your help!

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 05-03-2017
Ran by SYSTEM (05-03-2017 23:14:49) Run:1
Running from f:\
Boot Mode: Recovery
==============================================
 
fixlist content:
*****************
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log. 
GroupPolicy: Restriction <======= ATTENTION 
S0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [0 2017-01-24] () <==== ATTENTION (zero byte File/Folder) 
2016-09-27 15:13 - 2017-01-24 16:35 - 0619840 ____N () C:\Users\Tony Gomez\AppData\Local\Temp\0Kraken71ChromaDevProps.dll 
2016-12-26 13:42 - 2017-01-24 16:35 - 0619616 ____N () C:\Users\Tony Gomez\AppData\Local\Temp\0ManOWarDevProps.dll 
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] => C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe [9926112 2016-03-10] (Malwarebytes) 
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes) 
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes) 
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes) 
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes) 
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes) 
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes) 
S0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [0 2017-01-24] () <==== ATTENTION (zero byte File/Folder) 
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation) 
C:\Windows\System32\drivers\MBAMSwissArmy.sys
*****************
 
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log. => Error: No automatic fix found for this entry.
C:\Windows\System32\GroupPolicy\Machine => moved successfully
C:\Windows\System32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\System\ControlSet001\Services\MBAMSwissArmy => key removed successfully
MBAMSwissArmy => service removed successfully
C:\Users\Tony Gomez\AppData\Local\Temp\0Kraken71ChromaDevProps.dll => moved successfully
C:\Users\Tony Gomez\AppData\Local\Temp\0ManOWarDevProps.dll => moved successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\Malwarebytes Anti-Malware => value removed successfully
HKLM\System\ControlSet001\Services\MBAMScheduler => key removed successfully
MBAMScheduler => service removed successfully
HKLM\System\ControlSet001\Services\MBAMService => key removed successfully
MBAMService => service removed successfully
HKLM\System\ControlSet001\Services\MBAMProtector => key removed successfully
MBAMProtector => service removed successfully
MBAMScheduler => service not found.
MBAMService => service not found.
MBAMProtector => service not found.
MBAMSwissArmy => service not found.
HKLM\System\ControlSet001\Services\MBAMWebAccessControl => key removed successfully
MBAMWebAccessControl => service removed successfully
C:\Windows\System32\drivers\MBAMSwissArmy.sys => moved successfully
 
==== End of Fixlog 23:14:49 ====


#4
JSntgRvr


Is there anything else I can do for you?



#5
JSntgRvr


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

