ZeroAccess, FRST fix

Solved
By JCharles007
Aug 23, 2012
Topic Status:
Not open for further replies.
  1. Hi!
    I am trying to help a buddy of mine out with his Toshiba. The guy is a marine just getting out of the service and I thought it would be cool to thank him for his service by getting his laptop back up and running. Any help would be a blessing. I don't want to apply the fix from somebody else's machine, as per your directions.

    I used a Windows 7 (x64) boot disc to start the machine and have this log.
    --------------------------------------------------------------------------------------------------------
    Scan result of Farbar Recovery Scan Tool Version: 22-08-2012 02
    Ran by SYSTEM at 22-08-2012 18:05:33
    Running from H:\
    Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [] [x]
    HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)
    HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()
    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
    HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-28] (TOSHIBA Corporation)
    HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
    HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
    HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-10] (TOSHIBA Corporation)
    HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)
    HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1483776 2010-02-25] (TOSHIBA Corporation)
    HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
    HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
    HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
    HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-09] (TOSHIBA Corporation)
    HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-02-23] (TOSHIBA Corporation)
    HKLM-x32\...\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [552960 2010-09-23] (Toshiba)
    HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294136 2009-10-06] (TOSHIBA Corporation)
    HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)
    HKLM-x32\...\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [352976 2011-02-14] (Kaspersky Lab ZAO)
    HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
    HKLM-x32\...\Run: [WirelessUSBManager] "C:\Program Files (x86)\Wireless USB\Components\WirelessUSBManager\WirelessUSBManager.exe" [4110672 2011-03-01] (Wisair Ltd.)
    HKLM-x32\...\Run: [dplaysvr] C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe [x]
    HKLM-x32\...\Run: [qeSKkLWiSNH.exe] C:\ProgramData\qeSKkLWiSNH.exe [448512 2012-03-28] ( )
    HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475072 2009-07-13] (Microsoft Corporation)
    HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475072 2009-07-13] (Microsoft Corporation)
    HKU\Smith Family\...\Run: [Best Buy pc app] C:\Users\Smith Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms [x]
    HKU\Smith Family\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-10-14] (Google Inc.)
    Winlogon\Notify\klogon: %SystemRoot%\System32\klogon.dll (Kaspersky Lab ZAO)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    SubSystems: [Windows] ATTENTION! ====> ZeroAccess
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

    ==================== Services (Whitelisted) ======

    2 AVP; "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" -r [352976 2011-02-14] (Kaspersky Lab ZAO)
    2 CableAssociation; "C:\Program Files (x86)\Wireless USB\Components\Association\CableAssociation.exe" [1457480 2010-12-08] (Wisair Ltd.)
    2 DisplayLinkService; "C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe" [9464168 2010-11-25] (DisplayLink Corp.)
    2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [2320920 2010-03-18] (Intel Corporation)

    ========================== Drivers (Whitelisted) =============

    3 DisplayLinkUsbPort; C:\Windows\System32\DRIVERS\DisplayLinkUsbPort_5.5.29055.0.sys [17408 2012-03-23] (http://libusb-win32.sourceforge.net)
    3 DLCopyFilter; C:\Windows\System32\Drivers\wsr_tbf.sys [52736 2010-07-21] ()
    3 dlkmd; C:\Windows\System32\Drivers\dlkmd.sys [203376 2010-11-25] (DisplayLink Corp.)
    0 dlkmdldr; C:\Windows\System32\Drivers\dlkmdldr.sys [13936 2010-11-25] (DisplayLink Corp.)
    3 DWA; C:\Windows\System32\DRIVERS\WSR_DWA.SYS [578048 2010-11-18] ()
    3 hwa; C:\Windows\System32\DRIVERS\WSR_HWA.SYS [1028096 2010-11-18] ()
    3 HWARadio; C:\Windows\System32\DRIVERS\WSR_RCI.SYS [167424 2010-11-18] ()
    0 KL1; C:\Windows\System32\Drivers\KL1.sys [460888 2010-06-09] (Kaspersky Lab ZAO)
    1 kl2; C:\Windows\System32\Drivers\kl2.sys [11864 2010-06-09] (Kaspersky Lab ZAO)
    1 KLIF; C:\Windows\System32\Drivers\KLIF.sys [556120 2011-02-14] (Kaspersky Lab)
    1 KLIM6; C:\Windows\System32\Drivers\KLIM6.sys [27736 2010-04-22] (Kaspersky Lab ZAO)
    3 klmouflt; C:\Windows\System32\Drivers\klmouflt.sys [22544 2009-11-02] (Kaspersky Lab)
    3 QIOMem; C:\Windows\System32\Drivers\QIOMem.sys [12800 2009-06-15] (TOSHIBA)
    3 WSR_USF; C:\Windows\System32\Drivers\WSR_USF.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============



    ============ 3 Months Modified Files ========================


    ZeroAccess:
    C:\Windows\assembly\temp\U

    ZeroAccess:
    C:\Windows\assembly\temp\@
    C:\Windows\assembly\temp\@

    ZeroAccess:
    c:\Windows\System32\consrv.dll

    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    Type 00 partition infection:
    C:\Windows\svchost.exe

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 15%
    Total physical RAM: 3893.86 MB
    Available physical RAM: 3287.56 MB
    Total Pagefile: 3892.06 MB
    Available Pagefile: 3285.64 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: (TI106033W0C) (Fixed) (Total:284.9 GB) (Free:235.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    2 Drive e: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
    5 Drive h: (My GS Drive) (Removable) (Total:1.86 GB) (Free:1.82 GB) FAT
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    7 Drive y: (HDDRECOVERY) (Fixed) (Total:11.72 GB) (Free:0.58 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 Online 1924 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Recovery 1500 MB 1024 KB
    Partition 2 Primary 284 GB 1501 MB
    Partition 3 Primary 11 GB 286 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E System NTFS Partition 1500 MB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C TI106033W0C NTFS Partition 284 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 Y HDDRECOVERY NTFS Partition 11 GB Healthy

    ==================================================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1907 MB 64 KB

    ==================================================================================

    Disk: 2
    Partition 1
    Type : 06
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 H My GS Drive FAT Removable 1907 MB Healthy

    ==================================================================================

    Last Boot: 2011-05-10 18:59

    ======================= End Of Log ==========================
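    A small triage script for logs like the one above, added here as an example; it is not part of this thread and not FRST's own code. It parses the Run/RunOnce lines of the Registry section and FRST's ZeroAccess / ATTENTION markers, and flags what a malware helper checks first: autostarts whose file is gone ([x]), binaries with no publisher, and autostarts pointing into ProgramData or AppData. The sample log embedded in it is constructed from a few of the lines above; the heuristics and the RunEntry/triage names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example (not part of the thread, not FRST's code): triage the Run/RunOnce
# lines and the infection markers of an FRST scan log.
#
# A Run line looks like one of:
#   HKLM-x32\...\Run: [AVP] "C:\...\avp.exe" [352976 2011-02-14] (Kaspersky Lab ZAO)
#   HKLM-x32\...\Run: [dplaysvr] C:\...\dplaysvr.exe [x]     <- [x]: file no longer exists
RUN_LINE = re.compile(
    r"^(?P<hive>HK.+?)\\\.\.\.\\(?P<key>Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$"
)
# Tail of a line whose file exists: <command> [<size> <date>] (<publisher>)
TAIL = re.compile(
    r"^(?P<command>.*?)\s*\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s*\((?P<publisher>[^)]*)\)$"
)
# Headers FRST prints above paths it has already identified as infected.
MARKER_HEADERS = ("ZeroAccess:", "Type 00 partition infection:")


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    publisher: str
    file_missing: bool
    reasons: List[str] = field(default_factory=list)


def parse_run_entry(line: str) -> Optional[RunEntry]:
    """Parse one Run/RunOnce line and attach triage reasons; None for other lines."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest.endswith("[x]"):
        entry = RunEntry(m.group("hive"), m.group("name"), rest[:-3].strip(), "", True)
    else:
        t = TAIL.match(rest)
        if not t:
            return None
        entry = RunEntry(m.group("hive"), m.group("name"), t.group("command"),
                         t.group("publisher").strip(), False)
    if entry.file_missing:
        entry.reasons.append("target file missing ([x]): dead autostart, often left behind by removed malware")
    elif not entry.publisher:
        entry.reasons.append("no publisher: unsigned binary (some vendor utilities land here too; check the path)")
    location = entry.command.lower()
    if "\\programdata\\" in location or "\\appdata\\" in location:
        entry.reasons.append("autostart points into ProgramData/AppData, a common drop location")
    return entry


def collect_markers(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (marker, detail) pairs for ATTENTION lines and infected-path blocks."""
    markers: List[Tuple[str, str]] = []
    current: Optional[str] = None
    for raw in lines:
        line = raw.strip()
        if "ATTENTION!" in line:
            markers.append(("ATTENTION", line))
        elif line in MARKER_HEADERS:
            current = line[:-1]                  # paths follow until the next blank line
        elif current and line:
            if (current, line) not in markers:   # FRST lists some paths twice
                markers.append((current, line))
        else:
            current = None
    return markers


def triage(log_text: str) -> Dict[str, list]:
    """Both passes over a whole log; only entries with something to say are returned."""
    lines = log_text.splitlines()
    flagged = [e for e in map(parse_run_entry, lines) if e is not None and e.reasons]
    return {"run_entries": flagged, "markers": collect_markers(lines)}


# Constructed sample in the shape FRST prints, modelled on the thread's log and
# trimmed to the instructive entries.
SAMPLE_LOG = r"""
========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()
HKLM-x32\...\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [352976 2011-02-14] (Kaspersky Lab ZAO)
HKLM-x32\...\Run: [dplaysvr] C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe [x]
HKLM-x32\...\Run: [qeSKkLWiSNH.exe] C:\ProgramData\qeSKkLWiSNH.exe [448512 2012-03-28] ( )
SubSystems: [Windows] ATTENTION! ====> ZeroAccess

============ 3 Months Modified Files ========================

ZeroAccess:
C:\Windows\assembly\temp\@
C:\Windows\assembly\temp\@

Type 00 partition infection:
C:\Windows\svchost.exe
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for e in report["run_entries"]:
        print(f"{e.hive}\\...\\{e.name or '<empty>'}: {e.command or '<none>'}")
        for r in e.reasons:
            print("   -", r)
    for marker, detail in report["markers"]:
        print(f"[{marker}] {detail}")
```

    Run it directly to print the report. Against the sample it flags the empty Run value, SmartAudio (a vendor tool with no publisher, which is exactly why the final whitelist judgement stays with the helper), dplaysvr and qeSKkLWiSNH.exe, and lists the marker paths; the Kaspersky entry is parsed but not reported.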
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    FRST64 Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  3. JCharles007

    JCharles007 Newcomer, in training Topic Starter Posts: 19

    Ok, did as instructed-
    1. Fixlog run and details follow
    2. Boot computer as normal (without windows recovery disc)

    1. Fixlog as follows:
    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 22-08-2012 02
    Ran by SYSTEM at 2012-08-23 06:34:23 Run:1
    Running from G:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
    HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ dplaysvr Value not found.
    HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ qeSKkLWiSNH.exe Value not found.

    ========= bootrec /FixMBR =========

    ÿþT h e o p e r a t I o n c o m p l e t e d s u c c e s s f u l l y .

    ========= End of CMD: =========


    ==== End of Fixlog ====

    2. Toshiba boot screen with F2/12 menu appears. 2 seconds later black screen with flashing cursor reads:
    Intel UNDI, PXE-2.0 (build 083)
    Copyright (C) 1997-2000 Intel Corporation

    For Atheros PCIE Ethernet Controllerv2.0.2.7(11/02/10)
    Check cable connection!
    PXE-M0F: Exiting Intel PXE ROM

    Stuck on this screen.
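    The line beginning "ÿþ" in the Fixlog above (and the similar lines in the later Fixlogs in this thread) is not corrupted: bootrec writes its messages as UTF-16LE with a byte-order mark, and FRST copies that byte stream into an 8-bit log, so the mark is displayed as "ÿþ" and each NUL byte shows up as a space. The following is an added example, not part of the post, of FRST or of bootrec, that decodes both the raw captured bytes and text pasted from such a log; the sample strings are constructed, and the prompt check at the end matches the "Yes(Y)/No(N)/All(A):" question that bootrec /RebuildBCD asks, which the Run:6 Fixlog further down ends on.

```python
import re

# Added example (not part of the thread, of FRST or of bootrec): recover bootrec
# messages from an FRST Fixlog, where they are captured as UTF-16LE bytes.
BOM_BYTES = b"\xff\xfe"
BOM_TEXT = BOM_BYTES.decode("latin-1")        # the literal "ÿþ" seen at the start of the line
PROMPT = re.compile(r"\(Y\)\s*/\s*No\(N\)\s*/\s*All\(A\)\s*:\s*$")


def decode_captured_bytes(data: bytes) -> str:
    """Decode the raw bytes as written to the log: drop the BOM, read UTF-16LE."""
    if data.startswith(BOM_BYTES):
        data = data[len(BOM_BYTES):]
    return data.decode("utf-16-le", errors="replace").strip()


def decode_pasted_text(text: str) -> str:
    """Recover the message from text copied out of the log.

    Either the NUL bytes survived the paste (re-encode as Latin-1 to get the
    original bytes back and decode properly), or they were rendered as spaces
    on the way to the browser, in which case every second character is padding.
    """
    text = text.strip()
    if text.startswith(BOM_TEXT):
        text = text[len(BOM_TEXT):]
    if "\x00" in text:
        return text.encode("latin-1").decode("utf-16-le", errors="replace").strip()
    return text[::2].strip()


def waiting_for_answer(decoded: str) -> bool:
    """True when the last decoded line is bootrec's Yes/No/All prompt."""
    lines = decoded.rstrip().splitlines()
    return bool(lines) and PROMPT.search(lines[-1]) is not None


# Constructed samples: what bootrec writes, and how the same kind of line
# appears after being pasted into a forum post (NULs turned into spaces).
RAW_SUCCESS = BOM_BYTES + "The operation completed successfully.".encode("utf-16-le")
PASTED_NOT_FOUND = BOM_TEXT + " ".join("Element not found.") + " "
PASTED_PROMPT = BOM_TEXT + " ".join("Add installation to boot list? Yes(Y)/No(N)/All(A):")

if __name__ == "__main__":
    print(decode_captured_bytes(RAW_SUCCESS))
    print(decode_pasted_text(PASTED_NOT_FOUND))
    last = decode_pasted_text(PASTED_PROMPT)
    print(last, "-> waiting for keyboard input" if waiting_for_answer(last) else "")
```

    A decoded tail that ends on that prompt means bootrec is blocked waiting for a keypress; a command launched from a fixlist runs with nobody at the console to answer, which is consistent with the tool sitting on "Fixing Started" as reported later in the thread.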
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    New log from FRST please. :)
  5. JCharles007

    JCharles007 Newcomer, in training Topic Starter Posts: 19

    Scan result of Farbar Recovery Scan Tool Version: 22-08-2012 02
    Ran by SYSTEM at 24-08-2012 07:37:57
    Running from G:\
    Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [] [x]
    HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)
    HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()
    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
    HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-28] (TOSHIBA Corporation)
    HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
    HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
    HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-10] (TOSHIBA Corporation)
    HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)
    HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1483776 2010-02-25] (TOSHIBA Corporation)
    HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
    HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
    HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
    HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-09] (TOSHIBA Corporation)
    HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-02-23] (TOSHIBA Corporation)
    HKLM-x32\...\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [552960 2010-09-23] (Toshiba)
    HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294136 2009-10-06] (TOSHIBA Corporation)
    HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)
    HKLM-x32\...\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [352976 2011-02-14] (Kaspersky Lab ZAO)
    HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
    HKLM-x32\...\Run: [WirelessUSBManager] "C:\Program Files (x86)\Wireless USB\Components\WirelessUSBManager\WirelessUSBManager.exe" [4110672 2011-03-01] (Wisair Ltd.)
    HKLM-x32\...\Run: [dplaysvr] C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe [x]
    HKLM-x32\...\Run: [qeSKkLWiSNH.exe] C:\ProgramData\qeSKkLWiSNH.exe [448512 2012-03-28] ( )
    HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475072 2009-07-13] (Microsoft Corporation)
    HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475072 2009-07-13] (Microsoft Corporation)
    HKU\Smith Family\...\Run: [Best Buy pc app] C:\Users\Smith Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms [x]
    HKU\Smith Family\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-10-14] (Google Inc.)
    Winlogon\Notify\klogon: %SystemRoot%\System32\klogon.dll (Kaspersky Lab ZAO)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

    ==================== Services (Whitelisted) ======

    2 AVP; "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" -r [352976 2011-02-14] (Kaspersky Lab ZAO)
    2 CableAssociation; "C:\Program Files (x86)\Wireless USB\Components\Association\CableAssociation.exe" [1457480 2010-12-08] (Wisair Ltd.)
    2 DisplayLinkService; "C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe" [9464168 2010-11-25] (DisplayLink Corp.)
    2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [2320920 2010-03-18] (Intel Corporation)

    ========================== Drivers (Whitelisted) =============

    3 DisplayLinkUsbPort; C:\Windows\System32\DRIVERS\DisplayLinkUsbPort_5.5.29055.0.sys [17408 2012-03-23] (http://libusb-win32.sourceforge.net)
    3 DLCopyFilter; C:\Windows\System32\Drivers\wsr_tbf.sys [52736 2010-07-21] ()
    3 dlkmd; C:\Windows\System32\Drivers\dlkmd.sys [203376 2010-11-25] (DisplayLink Corp.)
    0 dlkmdldr; C:\Windows\System32\Drivers\dlkmdldr.sys [13936 2010-11-25] (DisplayLink Corp.)
    3 DWA; C:\Windows\System32\DRIVERS\WSR_DWA.SYS [578048 2010-11-18] ()
    3 hwa; C:\Windows\System32\DRIVERS\WSR_HWA.SYS [1028096 2010-11-18] ()
    3 HWARadio; C:\Windows\System32\DRIVERS\WSR_RCI.SYS [167424 2010-11-18] ()
    0 KL1; C:\Windows\System32\Drivers\KL1.sys [460888 2010-06-09] (Kaspersky Lab ZAO)
    1 kl2; C:\Windows\System32\Drivers\kl2.sys [11864 2010-06-09] (Kaspersky Lab ZAO)
    1 KLIF; C:\Windows\System32\Drivers\KLIF.sys [556120 2011-02-14] (Kaspersky Lab)
    1 KLIM6; C:\Windows\System32\Drivers\KLIM6.sys [27736 2010-04-22] (Kaspersky Lab ZAO)
    3 klmouflt; C:\Windows\System32\Drivers\klmouflt.sys [22544 2009-11-02] (Kaspersky Lab)
    3 QIOMem; C:\Windows\System32\Drivers\QIOMem.sys [12800 2009-06-15] (TOSHIBA)
    3 WSR_USF; C:\Windows\System32\Drivers\WSR_USF.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============



    ============ 3 Months Modified Files ========================


    ZeroAccess:
    C:\Windows\assembly\temp\U

    ZeroAccess:
    C:\Windows\assembly\temp\@
    C:\Windows\assembly\temp\@

    ZeroAccess:
    c:\Windows\System32\consrv.dll

    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    Type 00 partition infection:
    C:\Windows\svchost.exe

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 15%
    Total physical RAM: 3893.86 MB
    Available physical RAM: 3300.56 MB
    Total Pagefile: 3892.06 MB
    Available Pagefile: 3283.48 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: (TI106033W0C) (Fixed) (Total:284.9 GB) (Free:235.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    2 Drive e: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
    4 Drive g: (My GS Drive) (Removable) (Total:1.86 GB) (Free:1.82 GB) FAT
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    7 Drive y: (HDDRECOVERY) (Fixed) (Total:11.72 GB) (Free:0.58 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 Online 1924 MB 0 B
    Disk 2 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Recovery 1500 MB 1024 KB
    Partition 2 Primary 284 GB 1501 MB
    Partition 3 Primary 11 GB 286 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E System NTFS Partition 1500 MB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C TI106033W0C NTFS Partition 284 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 Y HDDRECOVERY NTFS Partition 11 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1907 MB 64 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G My GS Drive FAT Removable 1907 MB Healthy

    ==================================================================================

    Last Boot: 2011-05-10 18:59

    ======================= End Of Log ==========================
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST64 Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  7. JCharles007

    JCharles007 Newcomer, in training Topic Starter Posts: 19

    Goes to the same screen (see last entry) on boot.

    Here are log results:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 22-08-2012 02
    Ran by SYSTEM at 2012-08-24 22:40:47 Run:2
    Running from G:\

    ==============================================

    HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\dplaysvr Value deleted successfully.
    HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\qeSKkLWiSNH.exe Value deleted successfully.
    C:\Windows\assembly\temp\ moved successfully.
    C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe not found.
    C:\ProgramData\qeSKkLWiSNH.exe moved successfully.
    C:\Windows\System32\consrv.dll moved successfully.
    C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
    C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
    C:\Windows\svchost.exe moved successfully.

    ========= bootrec /fixboot =========

    ÿþE l e m e n t n o t f o u n d .


    ========= End of CMD: =========


    ==== End of Fixlog ====
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST64 Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  9. JCharles007

    JCharles007 Newcomer, in training Topic Starter Posts: 19

    Still no normal boot. Same screen as before.

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 22-08-2012 02
    Ran by SYSTEM at 2012-08-25 14:38:30 Run:4
    Running from G:\

    ==============================================


    ========= bootrec /FixBoot =========

    ÿþE l e m e n t n o t f o u n d .


    ========= End of CMD: =========


    ==== End of Fixlog ====
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    More commands for Boot Recovery, because that just confirmed that your Boot Configuration Data is missing or corrupted (aka no boot information, so the computer doesn't know where your operating system is).

    Never give up! :)

    FRST64 Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  11. JCharles007

    JCharles007 Newcomer, in training Topic Starter Posts: 19

    I followed the directions above and the machine has been on the FRST64 screen saying "Fixing Started" for the last 12 hours. At what point should I shut it down?
  12. JCharles007

    JCharles007 Newcomer, in training Topic Starter Posts: 19

  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Try again, but only place this in Notepad for the fixlist.txt and save it as usual (and run it as usual):

    start
    CMD: bootrec /RebuildBCD
    end
     
  14. JCharles007

    JCharles007 Newcomer, in training Topic Starter Posts: 19

    Same issue. FRST just keeps running. Here's a fixlog:
    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 22-08-2012 02
    Ran by SYSTEM at 2012-08-28 20:31:07 Run:6
    Running from G:\

    ==============================================


    ========= bootrec /RebuildBCD =========

    ÿþS c a n n I n g a l l d I s k s f o r W I n d o w s I n s t a l l a t I o n s .

    P l e a s e w a I t , s I n c e t h I s m a y t a k e a w h I l e . . .

    S u c c e s s f u l l y s c a n n e d W I n d o w s I n s t a l l a t I o n s .
    T o t a l I d e n t I f I e d W I n d o w s I n s t a l l a t I o n s : 1
    [ 1 ] C : \ W I n d o w s
    A d d I n s t a l l a t I o n t o b o o t l I s t ? Y e s ( Y ) / N o ( N ) / A l l ( A ) :

    And here's a scan:
    Scan result of Farbar Recovery Scan Tool Version: 22-08-2012 02
    Ran by SYSTEM at 29-08-2012 07:08:32
    Running from G:\
    Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [] [x]
    HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)
    HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()
    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
    HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-28] (TOSHIBA Corporation)
    HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
    HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
    HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-10] (TOSHIBA Corporation)
    HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)
    HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1483776 2010-02-25] (TOSHIBA Corporation)
    HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
    HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
    HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
    HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-09] (TOSHIBA Corporation)
    HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-02-23] (TOSHIBA Corporation)
    HKLM-x32\...\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [552960 2010-09-23] (Toshiba)
    HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294136 2009-10-06] (TOSHIBA Corporation)
    HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)
    HKLM-x32\...\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [352976 2011-02-14] (Kaspersky Lab ZAO)
    HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
    HKLM-x32\...\Run: [WirelessUSBManager] "C:\Program Files (x86)\Wireless USB\Components\WirelessUSBManager\WirelessUSBManager.exe" [4110672 2011-03-01] (Wisair Ltd.)
    HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475072 2009-07-13] (Microsoft Corporation)
    HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475072 2009-07-13] (Microsoft Corporation)
    HKU\Smith Family\...\Run: [Best Buy pc app] C:\Users\Smith Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms [x]
    HKU\Smith Family\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-10-14] (Google Inc.)
    Winlogon\Notify\klogon: %SystemRoot%\System32\klogon.dll (Kaspersky Lab ZAO)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

    ==================== Services (Whitelisted) ======

    2 AVP; "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" -r [352976 2011-02-14] (Kaspersky Lab ZAO)
    2 CableAssociation; "C:\Program Files (x86)\Wireless USB\Components\Association\CableAssociation.exe" [1457480 2010-12-08] (Wisair Ltd.)
    2 DisplayLinkService; "C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe" [9464168 2010-11-25] (DisplayLink Corp.)
    2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [2320920 2010-03-18] (Intel Corporation)

    ========================== Drivers (Whitelisted) =============

    3 DisplayLinkUsbPort; C:\Windows\System32\DRIVERS\DisplayLinkUsbPort_5.5.29055.0.sys [17408 2012-03-23] (http://libusb-win32.sourceforge.net)
    3 DLCopyFilter; C:\Windows\System32\Drivers\wsr_tbf.sys [52736 2010-07-21] ()
    3 dlkmd; C:\Windows\System32\Drivers\dlkmd.sys [203376 2010-11-25] (DisplayLink Corp.)
    0 dlkmdldr; C:\Windows\System32\Drivers\dlkmdldr.sys [13936 2010-11-25] (DisplayLink Corp.)
    3 DWA; C:\Windows\System32\DRIVERS\WSR_DWA.SYS [578048 2010-11-18] ()
    3 hwa; C:\Windows\System32\DRIVERS\WSR_HWA.SYS [1028096 2010-11-18] ()
    3 HWARadio; C:\Windows\System32\DRIVERS\WSR_RCI.SYS [167424 2010-11-18] ()
    0 KL1; C:\Windows\System32\Drivers\KL1.sys [460888 2010-06-09] (Kaspersky Lab ZAO)
    1 kl2; C:\Windows\System32\Drivers\kl2.sys [11864 2010-06-09] (Kaspersky Lab ZAO)
    1 KLIF; C:\Windows\System32\Drivers\KLIF.sys [556120 2011-02-14] (Kaspersky Lab)
    1 KLIM6; C:\Windows\System32\Drivers\KLIM6.sys [27736 2010-04-22] (Kaspersky Lab ZAO)
    3 klmouflt; C:\Windows\System32\Drivers\klmouflt.sys [22544 2009-11-02] (Kaspersky Lab)
    3 QIOMem; C:\Windows\System32\Drivers\QIOMem.sys [12800 2009-06-15] (TOSHIBA)
    3 WSR_USF; C:\Windows\System32\Drivers\WSR_USF.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============



    ============ 3 Months Modified Files ========================


    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 15%
    Total physical RAM: 3893.86 MB
    Available physical RAM: 3301.07 MB
    Total Pagefile: 3892.06 MB
    Available Pagefile: 3287.89 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: (TI106033W0C) (Fixed) (Total:284.9 GB) (Free:235.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    2 Drive e: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
    4 Drive g: (My GS Drive) (Removable) (Total:1.86 GB) (Free:1.82 GB) FAT
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    7 Drive y: (HDDRECOVERY) (Fixed) (Total:11.72 GB) (Free:0.58 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ###  Status         Size     Free     Dyn  Gpt
    --------  -------------  -------  -------  ---  ---
    Disk 0    Online          298 GB      0 B
    Disk 1    Online         1924 MB      0 B
    Disk 2    No Media           0 B      0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Recovery          1500 MB  1024 KB
    Partition 2    Primary            284 GB  1501 MB
    Partition 3    Primary             11 GB   286 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 3   E   System       NTFS   Partition   1500 MB  Healthy    Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1   C   TI106033W0C  NTFS   Partition    284 GB  Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2   Y   HDDRECOVERY  NTFS   Partition     11 GB  Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           1907 MB    64 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 4   G   My GS Drive  FAT    Removable   1907 MB  Healthy

    ==================================================================================

    Last Boot: 2011-05-10 18:59

    ======================= End Of Log ==========================
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Can the machine boot normally now?
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Due to developer correspondence, @Farbar, we'll do the following fix:

    Download ListParts64 to a USB flash drive.

    Make a fix.txt (not a fixlist.txt) with the following script:


    Let them save it to the flash drive where ListParts64 is located.

    To run it type g:/listparts64 in the command window and hit Enter
    ListParts will start to run.
    • Press the Fix button.
    • ListParts will process the script in Fix.txt
    • When finished close the notification of finishing, please check "List BCD" and then press the Scan button.
    • A log Result.txt will be saved to the flash drive. Post it to your reply.
    • Also restart, let it boot normally and tell me how it went.
  17. JCharles007

    JCharles007 Newcomer, in training Topic Starter Posts: 19

    On reboot, I continue to get the same screen:
    Intel UNDI, PXE-2.0 (build 083)
    Copyright (C) 1997-2000 Intel Corporation

    For Atheros PCIE Ethernet Controller v2.0.2.7(11/02/10)

    Check cable connection!
    PXE-MOF: Exiting Intel PXE ROM.

    ------------------------------------------------------------------------------------------------------------
    Here's the Result.txt-
    ListParts by Farbar Version: 10-08-2012
    Ran by SYSTEM (administrator) on 31-08-2012 at 08:40:09
    Windows 7 (X64)
    Running From: G:\
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 12%
    Total physical RAM: 3893.86 MB
    Available physical RAM: 3414.97 MB
    Total Pagefile: 3892.06 MB
    Available Pagefile: 3392.93 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: (HDDRECOVERY) (Fixed) (Total:11.72 GB) (Free:0.58 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    2 Drive d: (TI106033W0C) (Fixed) (Total:284.9 GB) (Free:235.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive e: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
    5 Drive g: (My GS Drive) (Removable) (Total:1.86 GB) (Free:1.82 GB) FAT
    7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ###  Status         Size     Free     Dyn  Gpt
    --------  -------------  -------  -------  ---  ---
    Disk 0    Online          298 GB      0 B
    Disk 1    Online         1924 MB      0 B
    Disk 2    No Media           0 B      0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Recovery          1500 MB  1024 KB
    Partition 2    Primary            284 GB  1501 MB
    Partition 3    Primary             11 GB   286 GB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 3   E   System       NTFS   Partition   1500 MB  Healthy    Hidden

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1   D   TI106033W0C  NTFS   Partition    284 GB  Healthy

    ======================================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2   C   HDDRECOVERY  NTFS   Partition     11 GB  Healthy

    ======================================================================================================

    Partitions of Disk 1:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           1907 MB    64 KB

    ======================================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 4   G   My GS Drive  FAT    Removable   1907 MB  Healthy

    ======================================================================================================
    The boot configuration data store could not be opened.
    The requested system device cannot be found.


    ****** End Of Log ******
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Download the attached fix.txt and save it to the flash drive to replace the current fix.txt where ListParts64 is located.

    To run it type g:/listparts64 in the command window and hit Enter
    ListParts will start to run.
    • Press the Fix button.
    • ListParts will process the script in Fix.txt
    • When finished close the notification of finishing, please check "List BCD" and then press the Scan button.
    • A log Result.txt will be saved to the flash drive. Post it to your reply.
    • Also restart, let it boot normally and tell me how it went.

    Attached Files:

    • fix.txt (62 bytes)
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  20. JCharles007

    JCharles007 Newcomer, in training Topic Starter Posts: 19

    In response to last post: "Also, for my post here, how did you do that... http://www.techspot.com/community/topics/zeroaccess-frst-fix.184571/#post-1225795 ? Were you able to copy it as such and run the tool? Just hoping we're on the same page here."
    My mistake, I just copied the text:
    Disk=0 Partition=3 inactive
    Disk=0 Partition=3 active
    Disk=0 Partition=3 inactive
    Disk=0 Partition=3 active
    custom
    into Notepad and ran that as the fix. Sorry, I didn't realize those instructions were for you and not me. I appreciate your help, please forgive my ignorance.

    After following instructions and downloading, running file, here is the result:

    On reboot, I continue to get the same screen:
    Intel UNDI, PXE-2.0 (build 083)
    Copyright (C) 1997-2000 Intel Corporation

    For Atheros PCIE Ethernet Controller v2.0.2.7(11/02/10)

    Check cable connection!
    PXE-MOF: Exiting Intel PXE ROM.
    ---------------------------------------------------------------------------------------------------------------------------------------
    ListParts by Farbar Version: 10-08-2012
    Ran by SYSTEM (administrator) on 31-08-2012 at 15:43:47
    Windows 7 (X64)
    Running From: G:\
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 12%
    Total physical RAM: 3893.86 MB
    Available physical RAM: 3414.45 MB
    Total Pagefile: 3892.06 MB
    Available Pagefile: 3397.07 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.92 MB

    ======================= Partitions =========================

    1 Drive c: (HDDRECOVERY) (Fixed) (Total:11.72 GB) (Free:0.58 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    2 Drive d: (TI106033W0C) (Fixed) (Total:284.9 GB) (Free:235.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive e: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
    5 Drive g: (My GS Drive) (Removable) (Total:1.86 GB) (Free:1.82 GB) FAT
    7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ###  Status         Size     Free     Dyn  Gpt
    --------  -------------  -------  -------  ---  ---
    Disk 0    Online          298 GB      0 B
    Disk 1    Online         1924 MB      0 B
    Disk 2    No Media           0 B      0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Recovery          1500 MB  1024 KB
    Partition 2    Primary            284 GB  1501 MB
    Partition 3    Primary             11 GB   286 GB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 3   E   System       NTFS   Partition   1500 MB  Healthy    Hidden

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1   D   TI106033W0C  NTFS   Partition    284 GB  Healthy

    ======================================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2   C   HDDRECOVERY  NTFS   Partition     11 GB  Healthy

    ======================================================================================================

    Partitions of Disk 1:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           1907 MB    64 KB

    ======================================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 4   G   My GS Drive  FAT    Removable   1907 MB  Healthy

    ======================================================================================================
    The boot configuration data store could not be opened.
    The requested system device cannot be found.


    ****** End Of Log ******
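The two ListParts Result.txt logs in posts 17 and 20 differ in one detail that is easy to miss among the repeated tables: which partition on disk 0 carries the active flag (Partition 3, HDDRECOVERY, before the fix; Partition 1, System, after it), while the "boot configuration data store could not be opened" error is present in both. The following is an added example, not code from this thread, from Farbar or from the ListParts/FRST tools: a small parser for the per-partition blocks that ListParts prints (the `Disk:` / `Partition` / `Type :` / `Hidden:` / `Active:` lines followed by the starred diskpart volume line), which reports the active partition per disk, collects the BCD error lines, and diffs two runs. The sample text is a constructed excerpt modelled on the two logs above; the function names and the regular expression are my own assumptions about the log layout.

```python
"""Check which partition carries the active flag in a ListParts-style log.
Added example: the parser and the sample text are constructed for illustration;
they are not Farbar's ListParts or FRST code."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the first Result.txt above (post 17):
# Partition 3 (HDDRECOVERY) is the only active partition on disk 0.
RESULT_BEFORE = """\
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No
* Volume 3   E   System       NTFS   Partition   1500 MB  Healthy    Hidden
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
* Volume 1   D   TI106033W0C  NTFS   Partition    284 GB  Healthy
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes
* Volume 2   C   HDDRECOVERY  NTFS   Partition     11 GB  Healthy
Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No
* Volume 4   G   My GS Drive  FAT    Removable   1907 MB  Healthy
The boot configuration data store could not be opened.
The requested system device cannot be found.
"""
# The second run (post 20) differs only in where the active flag sits:
# Partition 1 (System) is now active and Partition 3 is not (constructed).
RESULT_AFTER = (RESULT_BEFORE
                .replace("Hidden: Yes\nActive: No", "Hidden: Yes\nActive: Yes")
                .replace("Hidden: No\nActive: Yes", "Hidden: No\nActive: No"))

# One per-partition block: the five attribute lines, then (after any
# header/dash lines the tool may print) the starred diskpart volume line.
BLOCK_RE = re.compile(
    r"Disk: (?P<disk>\d+)\nPartition (?P<part>\d+)\nType : (?P<type>[0-9A-Fa-f]{2})\n"
    r"Hidden: (?P<hidden>Yes|No)\nActive: (?P<active>Yes|No)\n(?:.*\n)*?"
    r"\* Volume \d+[ \t]+(?P<ltr>[A-Z])[ \t]+(?P<label>.+?)[ \t]+"
    r"(?P<fs>NTFS|FAT32|FAT|UDF|RAW)[ \t]+(?:Partition|Removable)[ \t]+"
    r"\d+ [KMGT]B[ \t]+\w+(?:[ \t]+\w+)?[ \t]*\n")


@dataclass
class Partition:
    disk: int
    number: int
    type_id: str    # MBR partition type byte as printed, e.g. "07" or "27"
    hidden: bool
    active: bool
    letter: str
    label: str
    fs: str


def parse_partitions(text):
    """Return every partition block found in a ListParts Result.txt."""
    return [Partition(int(m["disk"]), int(m["part"]), m["type"].upper(),
                      m["hidden"] == "Yes", m["active"] == "Yes",
                      m["ltr"], m["label"], m["fs"])
            for m in BLOCK_RE.finditer(text)]


def active_partitions(parts):
    """Map disk number -> partitions flagged active on that disk (may be empty)."""
    by_disk = {}
    for p in parts:
        by_disk.setdefault(p.disk, [])
        if p.active:
            by_disk[p.disk].append(p)
    return by_disk


def bcd_errors(text):
    """Lines where bcdedit reported that it could not open the BCD store."""
    return [ln for ln in text.splitlines()
            if "boot configuration data store" in ln.lower()]


def diff_active(before, after):
    """(disk, active partition numbers before, after) for each disk that changed."""
    b = active_partitions(parse_partitions(before))
    a = active_partitions(parse_partitions(after))
    return [(d, [p.number for p in b.get(d, [])], [p.number for p in a.get(d, [])])
            for d in sorted(set(b) | set(a))
            if [p.number for p in b.get(d, [])] != [p.number for p in a.get(d, [])]]


if __name__ == "__main__":
    for name, text in (("before", RESULT_BEFORE), ("after", RESULT_AFTER)):
        for disk, active in sorted(active_partitions(parse_partitions(text)).items()):
            print(name, "disk", disk, "active:", [(p.number, p.label) for p in active])
    print("moved:", diff_active(RESULT_BEFORE, RESULT_AFTER), "errors:", bcd_errors(RESULT_BEFORE))
```

Run it against the full text of a Result.txt to get the same summary; a disk with no active partition, or with more than one, shows up as an empty or multi-element list, and a BCD-store error surviving a change of active partition (as in this thread) is reported separately so the two symptoms are not confused.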
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Sorry this gets complicated. You're doing well.

    FRST64 MBRFix

    Please download MBRFix. Save and extract its contents to the desktop. Once extracted, there will be three files in the folder. Copy just the MBRFix64 application to the USB drive.

    Also download the attached fixlist.txt and save it to the flash drive.

    Now please enter System Recovery Options and select "Command Prompt".

    Run FRST64 and press the Fix button just once and wait.

    The tool will make a log on the flashdrive (Fixlog.txt); please post its contents in your reply. It will also produce another file, MBRDUMP.txt, on the flash drive that, although it may look like a text file, is a hex file. You must attach this report to your reply instead of posting its contents.

    Attached Files:

  22. JCharles007

    JCharles007 Newcomer, in training Topic Starter Posts: 19

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 22-08-2012 02
    Ran by SYSTEM at 2012-09-01 07:55:47 Run:7
    Running from G:\

    ==============================================


    ========= bcdedit /store y:\boot\bcd /enum all =========

    The boot configuration data store could not be opened.
    The system cannot find the file specified.

    ========= End of CMD: =========


    ========= bcdedit /store y:\boot\bcd /enum all /v =========

    The boot configuration data store could not be opened.
    The system cannot find the file specified.

    ========= End of CMD: =========

    MBRDUMP.txt is made successfully.

    ==== End of Fixlog ====

    Attached Files:

  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi again. Just waiting on the developer of the FRST tool to get back with me via PM. Give me the next couple of days. Sorry for any delay! :)
  24. JCharles007

    JCharles007 Newcomer, in training Topic Starter Posts: 19

    I'll be patient, thanks.
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST Fixlist

    Download the attached file, please. Save it on your flash drive to replace the current fixlist.txt. Make sure it maintains its current name fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it to your reply.

    Now restart, let it boot normally and tell me how it went.

    Additional instructions:
    1. Content of the Fixlog.txt (it could be attached if it is a large file)
    2. Attach the fresh MBRDUMP.txt (any old one will be overwritten, so no need to remove the old one)
    3. After the fix restart, let it boot normally and tell us how it went.

    Attached Files:
