TechSpot

ZeroAccess, FRST fix

Solved
By JCharles007
Aug 23, 2012
  1. Jay Pfoutz

    Jay Pfoutz, Malware Helper

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
     
  2. JCharles007

    JCharles007, TS Rookie, Topic Starter

    What should the boot priority be? I followed the instructions and was unable to boot successfully (still same screen as before). I then went to the boot manager and moved HDD/SSD higher up the list. I currently have these settings:
    1. CD/DVD
    2. USB
    3. HDD/SSD Toshiba MK3265GSXN (S1)
    4. eSATA
    5. FDD
    6. LAN

    Now that the HDD/SSD is higher up the list, I'm not getting the same screen. I'm only getting a blinking cursor.

    Here's the log:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 22-08-2012 02
    Ran by SYSTEM at 2012-09-02 07:51:46 Run:8
    Running from G:\

    ==============================================


    ========= dir /a c:\ =========

    Volume in drive C is TI106033W0C
    Volume Serial Number is 5ACC-503C

    Directory of c:\

    02/14/2011 08:49 PM <DIR> $Recycle.Bin
    10/14/2010 07:45 PM <DIR> Boot
    07/13/2009 05:38 PM 383,562 bootmgr
    10/14/2010 07:45 PM 8,192 BOOTSECT.BAK
    03/13/2012 12:09 PM <DIR> codec-info
    03/25/2012 09:50 PM <DIR> Config.Msi
    07/13/2009 09:08 PM <JUNCTION> Documents and Settings [C:\Users]
    08/22/2012 06:05 PM <DIR> FRST
    03/28/2012 07:12 PM 3,062,255,616 hiberfil.sys
    01/20/2011 12:25 AM <DIR> Intel
    02/14/2011 09:42 PM <DIR> MSOCache
    03/28/2012 07:13 PM 4,083,007,488 pagefile.sys
    03/23/2012 06:24 PM <DIR> Program Files
    03/25/2012 09:50 PM <DIR> Program Files (x86)
    08/24/2012 10:40 PM <DIR> ProgramData
    02/16/2012 07:37 AM 510 settings.ini
    03/28/2012 04:11 PM <DIR> System Volume Information
    02/14/2011 08:47 PM <DIR> Users
    08/24/2012 10:40 PM <DIR> Windows
    5 File(s) 7,145,655,368 bytes
    14 Dir(s) 252,893,216,768 bytes free

    ========= End of CMD: =========


    ========= dir /a e:\ =========

    Volume in drive E is System
    Volume Serial Number is E4A5-287C

    Directory of e:\

    01/20/2011 01:20 AM <DIR> Boot
    07/13/2009 05:38 PM 383,562 bootmgr
    02/14/2011 08:47 PM <DIR> Recovery
    02/14/2011 09:02 PM <DIR> System Volume Information
    10/22/2010 04:45 AM 189 WinREPartition.ini
    2 File(s) 383,751 bytes
    3 Dir(s) 1,367,330,816 bytes free

    ========= End of CMD: =========


    ========= dir /a y:\ =========

    The system cannot find the path specified.

    ========= End of CMD: =========


    ========================= folder: e:\boot ========================

    2011-01-20 01:20 - 2012-03-28 21:24 - 0024576 ____A () e:\boot\BCD
    2011-01-20 01:20 - 2012-03-28 19:23 - 0021504 __ASH () e:\boot\BCD.LOG
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 __ASH () e:\boot\BCD.LOG1
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 __ASH () e:\boot\BCD.LOG2
    2011-01-20 01:20 - 2011-01-20 01:20 - 0065536 __ASH () e:\boot\BOOTSTAT.DAT
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\cs-CZ
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\da-DK
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\de-DE
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\el-GR
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\en-US
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\es-ES
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\fi-FI
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\Fonts
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\fr-FR
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\hu-HU
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\it-IT
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\ja-JP
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\ko-KR
    2011-01-20 01:20 - 2009-07-13 17:20 - 0485440 ____A (Microsoft Corporation) e:\boot\memtest.exe
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\nb-NO
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\nl-NL
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\pl-PL
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\pt-BR
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\pt-PT
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\ru-RU
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\sv-SE
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\tr-TR
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\zh-CN
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\zh-HK
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\zh-TW
    2011-01-20 01:20 - 2009-07-13 17:17 - 0089168 ____A (Microsoft Corporation) e:\boot\cs-CZ\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0087616 ____A (Microsoft Corporation) e:\boot\da-DK\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0091712 ____A (Microsoft Corporation) e:\boot\de-DE\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0094800 ____A (Microsoft Corporation) e:\boot\el-GR\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0085056 ____A (Microsoft Corporation) e:\boot\en-US\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 18:11 - 0043600 ____A (Microsoft Corporation) e:\boot\en-US\memtest.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0090192 ____A (Microsoft Corporation) e:\boot\es-ES\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0089152 ____A (Microsoft Corporation) e:\boot\fi-FI\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-06-10 12:31 - 3694080 ____A () e:\boot\Fonts\chs_boot.ttf
    2011-01-20 01:20 - 2009-06-10 12:31 - 3876772 ____A () e:\boot\Fonts\cht_boot.ttf
    2011-01-20 01:20 - 2009-06-10 12:31 - 1984228 ____A () e:\boot\Fonts\jpn_boot.ttf
    2011-01-20 01:20 - 2009-06-10 12:31 - 2371360 ____A () e:\boot\Fonts\kor_boot.ttf
    2011-01-20 01:20 - 2009-06-10 12:31 - 0047452 ____A () e:\boot\Fonts\wgl4_boot.ttf
    2011-01-20 01:20 - 2009-07-13 17:17 - 0093248 ____A (Microsoft Corporation) e:\boot\fr-FR\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0090688 ____A (Microsoft Corporation) e:\boot\hu-HU\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0090704 ____A (Microsoft Corporation) e:\boot\it-IT\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0076352 ____A (Microsoft Corporation) e:\boot\ja-JP\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0075344 ____A (Microsoft Corporation) e:\boot\ko-KR\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0088144 ____A (Microsoft Corporation) e:\boot\nb-NO\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0090704 ____A (Microsoft Corporation) e:\boot\nl-NL\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0090704 ____A (Microsoft Corporation) e:\boot\pl-PL\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0090176 ____A (Microsoft Corporation) e:\boot\pt-BR\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0089664 ____A (Microsoft Corporation) e:\boot\pt-PT\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0090192 ____A (Microsoft Corporation) e:\boot\ru-RU\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0087616 ____A (Microsoft Corporation) e:\boot\sv-SE\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0087104 ____A (Microsoft Corporation) e:\boot\tr-TR\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0070720 ____A (Microsoft Corporation) e:\boot\zh-CN\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0070224 ____A (Microsoft Corporation) e:\boot\zh-HK\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0070208 ____A (Microsoft Corporation) e:\boot\zh-TW\bootmgr.exe.mui

    ====== End of Folder: ======

    ========================= folder: y:\boot ========================

    Directory Not Found

    ====== End of Folder: ======

    ========= bcdedit /enum all /store c:\boot\BCD_Backup =========

    The boot configuration data store could not be opened.
    The system cannot find the file specified.

    ========= End of CMD: =========


    ========= bcdedit /enum all /v /store c:\boot\BCD_Backup =========

    The boot configuration data store could not be opened.
    The system cannot find the file specified.

    ========= End of CMD: =========


    ========= bcdedit /enum all /store y:\boot\BCD =========

    The boot configuration data store could not be opened.
    The system cannot find the file specified.

    ========= End of CMD: =========


    ========= bcdedit /enum all /v /store y:\boot\BCD =========

    The boot configuration data store could not be opened.
    The system cannot find the file specified.

    ========= End of CMD: =========


    ========= bcdedit /enum all /store e:\boot\BCD =========


    Windows Boot Manager
    --------------------
    identifier {bootmgr}
    device partition=E:
    description Windows Boot Manager
    locale en-US
    inherit {globalsettings}
    default {default}
    resumeobject {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}
    displayorder {default}
    toolsdisplayorder {memdiag}
    timeout 30

    Windows Boot Loader
    -------------------
    identifier {default}
    device partition=C:
    path \windows\system32\winload.exe
    description Windows 7
    locale en-US
    inherit {bootloadersettings}
    recoverysequence {75a9f6be-2476-11e0-8911-f50c2d86a5b2}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \windows
    resumeobject {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}
    nx OptIn

    Windows Boot Loader
    -------------------
    identifier {75a9f6be-2476-11e0-8911-f50c2d86a5b2}
    device ramdisk=[E:]\Recovery\WindowsRE\Winre.wim,{75a9f6bf-2476-11e0-8911-f50c2d86a5b2}
    path \windows\system32\winload.exe
    description Windows Recovery Environment
    inherit {bootloadersettings}
    osdevice ramdisk=[E:]\Recovery\WindowsRE\Winre.wim,{75a9f6bf-2476-11e0-8911-f50c2d86a5b2}
    systemroot \windows
    nx OptIn
    winpe Yes

    Resume from Hibernate
    ---------------------
    identifier {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}
    device partition=C:
    path \windows\system32\winresume.exe
    description Windows Resume Application
    locale en-US
    inherit {resumeloadersettings}
    filedevice partition=C:
    filepath \hiberfil.sys
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {memdiag}
    device partition=E:
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-US
    inherit {globalsettings}
    badmemoryaccess Yes

    EMS Settings
    ------------
    identifier {emssettings}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {dbgsettings}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {badmemory}

    Global Settings
    ---------------
    identifier {globalsettings}
    inherit {dbgsettings}
    {emssettings}
    {badmemory}

    Boot Loader Settings
    --------------------
    identifier {bootloadersettings}
    inherit {globalsettings}
    {hypervisorsettings}

    Hypervisor Settings
    -------------------
    identifier {hypervisorsettings}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Resume Loader Settings
    ----------------------
    identifier {resumeloadersettings}
    inherit {globalsettings}

    Device options
    --------------
    identifier {75a9f6bf-2476-11e0-8911-f50c2d86a5b2}
    description Ramdisk Options
    ramdisksdidevice partition=E:
    ramdisksdipath \Recovery\WindowsRE\boot.sdi

    ========= End of CMD: =========


    ========= bcdedit /enum all /v /store e:\boot\BCD =========


    Windows Boot Manager
    --------------------
    identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
    device partition=E:
    description Windows Boot Manager
    locale en-US
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    default {75a9f6bd-2476-11e0-8911-f50c2d86a5b2}
    resumeobject {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}
    displayorder {75a9f6bd-2476-11e0-8911-f50c2d86a5b2}
    toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
    timeout 30

    Windows Boot Loader
    -------------------
    identifier {75a9f6bd-2476-11e0-8911-f50c2d86a5b2}
    device partition=C:
    path \windows\system32\winload.exe
    description Windows 7
    locale en-US
    inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    recoverysequence {75a9f6be-2476-11e0-8911-f50c2d86a5b2}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \windows
    resumeobject {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}
    nx OptIn

    Windows Boot Loader
    -------------------
    identifier {75a9f6be-2476-11e0-8911-f50c2d86a5b2}
    device ramdisk=[E:]\Recovery\WindowsRE\Winre.wim,{75a9f6bf-2476-11e0-8911-f50c2d86a5b2}
    path \windows\system32\winload.exe
    description Windows Recovery Environment
    inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    osdevice ramdisk=[E:]\Recovery\WindowsRE\Winre.wim,{75a9f6bf-2476-11e0-8911-f50c2d86a5b2}
    systemroot \windows
    nx OptIn
    winpe Yes
    custom:46000010 Yes

    Resume from Hibernate
    ---------------------
    identifier {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}
    device partition=C:
    path \windows\system32\winresume.exe
    description Windows Resume Application
    locale en-US
    inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
    filedevice partition=C:
    filepath \hiberfil.sys
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
    device partition=E:
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-US
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    badmemoryaccess Yes

    EMS Settings
    ------------
    identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {4636856e-540f-4170-a130-a84776f4c654}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Global Settings
    ---------------
    identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    inherit {4636856e-540f-4170-a130-a84776f4c654}
    {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Boot Loader Settings
    --------------------
    identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    {7ff607e0-4395-11db-b0de-0800200c9a66}

    Hypervisor Settings
    -------------------
    identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Resume Loader Settings
    ----------------------
    identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

    Device options
    --------------
    identifier {75a9f6bf-2476-11e0-8911-f50c2d86a5b2}
    description Ramdisk Options
    ramdisksdidevice partition=E:
    ramdisksdipath \Recovery\WindowsRE\boot.sdi

    ========= End of CMD: =========


    ========= bcdedit /enum all /store c:\boot\BCD =========


    Windows Boot Manager
    --------------------
    identifier {bootmgr}
    device locate=unknown
    description Windows Boot Manager
    locale en-us
    inherit {globalsettings}
    default {default}
    resumeobject {976be343-d80e-11df-96e6-00269eeaa3d0}
    displayorder {default}
    toolsdisplayorder {memdiag}
    timeout 30

    Windows Boot Loader
    -------------------
    identifier {default}
    device locate=\Windows\system32\winload.exe
    path \Windows\system32\winload.exe
    description Windows 7
    locale en-us
    inherit {bootloadersettings}
    osdevice locate=\Windows
    systemroot \Windows
    resumeobject {976be343-d80e-11df-96e6-00269eeaa3d0}
    nx OptIn

    Resume from Hibernate
    ---------------------
    identifier {976be343-d80e-11df-96e6-00269eeaa3d0}
    device locate=\Windows\system32\winresume.exe
    path \Windows\system32\winresume.exe
    description Windows Resume Application
    locale en-us
    inherit {resumeloadersettings}
    filedevice locate=\hiberfil.sys
    filepath \hiberfil.sys
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {memdiag}
    device locate=\boot\memtest.exe
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-us
    inherit {globalsettings}
    badmemoryaccess Yes

    EMS Settings
    ------------
    identifier {emssettings}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {dbgsettings}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {badmemory}

    Global Settings
    ---------------
    identifier {globalsettings}
    inherit {dbgsettings}
    {emssettings}
    {badmemory}

    Boot Loader Settings
    --------------------
    identifier {bootloadersettings}
    inherit {globalsettings}
    {hypervisorsettings}

    Hypervisor Settings
    -------------------
    identifier {hypervisorsettings}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Resume Loader Settings
    ----------------------
    identifier {resumeloadersettings}
    inherit {globalsettings}

    ========= End of CMD: =========


    ========= bcdedit /enum all /v /store c:\boot\BCD =========


    Windows Boot Manager
    --------------------
    identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
    device locate=custom:12000002
    description Windows Boot Manager
    locale en-us
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    default {976be344-d80e-11df-96e6-00269eeaa3d0}
    resumeobject {976be343-d80e-11df-96e6-00269eeaa3d0}
    displayorder {976be344-d80e-11df-96e6-00269eeaa3d0}
    toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
    timeout 30

    Windows Boot Loader
    -------------------
    identifier {976be344-d80e-11df-96e6-00269eeaa3d0}
    device locate=custom:12000002
    path \Windows\system32\winload.exe
    description Windows 7
    locale en-us
    inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    osdevice locate=custom:22000002
    systemroot \Windows
    resumeobject {976be343-d80e-11df-96e6-00269eeaa3d0}
    nx OptIn

    Resume from Hibernate
    ---------------------
    identifier {976be343-d80e-11df-96e6-00269eeaa3d0}
    device locate=custom:12000002
    path \Windows\system32\winresume.exe
    description Windows Resume Application
    locale en-us
    inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
    filedevice locate=custom:22000002
    filepath \hiberfil.sys
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
    device locate=custom:12000002
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-us
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    badmemoryaccess Yes

    EMS Settings
    ------------
    identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {4636856e-540f-4170-a130-a84776f4c654}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Global Settings
    ---------------
    identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    inherit {4636856e-540f-4170-a130-a84776f4c654}
    {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Boot Loader Settings
    --------------------
    identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    {7ff607e0-4395-11db-b0de-0800200c9a66}

    Hypervisor Settings
    -------------------
    identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Resume Loader Settings
    ----------------------
    identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

    ========= End of CMD: =========


    ========= bootrec /FixMbr =========

    The operation completed successfully.

    ========= End of CMD: =========

    MBRDUMP.txt is made successfully.

    ==== End of Fixlog ====
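    The two `bcdedit /enum all /store` listings in the log above differ in one way that is worth checking mechanically: the store on E: binds every device to a partition (`partition=E:`, `partition=C:`), while the store on C: carries `locate=` references (`locate=unknown`, `locate=\Windows`), which tell the boot manager to search for a volume containing the path instead of naming one. The Python below is an added example, not part of this thread, of FRST or of bcdedit: it parses the text form of that output and reports devices that are not bound to a volume and references to objects the store does not contain. The two sample stores are constructed, trimmed from the shape of the output above (one padded like real bcdedit output, one collapsed to single spaces like a pasted log); `parse_bcd` and `audit_store` are this example's own names.

```python
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample stores, trimmed to the shape `bcdedit /enum all /store`
# prints. The parser keys on the first whitespace-delimited token, so column
# padding (real output) and single spaces (pasted log) parse the same way.
ACTIVE_STORE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=E:
default                 {default}
resumeobject            {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \windows\system32\winload.exe
osdevice                partition=C:
systemroot              \windows
resumeobject            {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}

Resume from Hibernate
---------------------
identifier              {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}
device                  partition=C:
filedevice              partition=C:
filepath                \hiberfil.sys

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
"""

STALE_STORE = r"""
Windows Boot Manager
--------------------
identifier {bootmgr}
device locate=unknown
default {default}
resumeobject {976be343-d80e-11df-96e6-00269eeaa3d0}

Windows Boot Loader
-------------------
identifier {default}
device locate=\Windows\system32\winload.exe
path \Windows\system32\winload.exe
osdevice locate=\Windows
systemroot \Windows
resumeobject {976be343-d80e-11df-96e6-00269eeaa3d0}

Resume from Hibernate
---------------------
identifier {976be343-d80e-11df-96e6-00269eeaa3d0}
device locate=\Windows\system32\winresume.exe
filedevice locate=\hiberfil.sys
filepath \hiberfil.sys
"""

# Device values that name a concrete volume; anything else (locate=..., a bare
# path, an empty value) means the boot manager still has to go looking for it.
BOUND_PREFIXES = ("partition=", "ramdisk=", "vhd=", "boot")


def parse_bcd(text: str) -> List[Entry]:
    """Split bcdedit text into objects; each maps a key to its list of values."""
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        # An object is a title line followed by a dashed underline; error text
        # such as "The boot configuration data store could not be opened." is not.
        if len(lines) < 2 or not lines[1].strip().startswith("---"):
            continue
        entry: Entry = {"_title": [lines[0].strip()]}
        key = ""
        for line in lines[2:]:
            parts = line.split(None, 1)
            if not parts:
                continue
            if parts[0].startswith("{") and key:
                entry[key].append(parts[0])  # continuation of a list (e.g. inherit)
            else:
                key = parts[0].lower()
                entry.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
        entries.append(entry)
    return entries


def audit_store(text: str) -> List[str]:
    """Report devices not bound to a volume and references to missing objects."""
    by_id = {e["identifier"][0]: e for e in parse_bcd(text) if "identifier" in e}
    findings: List[str] = []
    for ident, entry in by_id.items():
        for key in ("device", "osdevice", "filedevice"):
            for value in entry.get(key, []):
                if not value.startswith(BOUND_PREFIXES):
                    findings.append(f"{ident}: {key} not bound to a volume ({value})")
        for key in ("default", "resumeobject", "recoverysequence"):
            for ref in entry.get(key, []):
                if ref not in by_id:
                    findings.append(f"{ident}: {key} references missing object {ref}")
    if "{bootmgr}" not in by_id:
        findings.append("store has no {bootmgr} object")
    return findings


if __name__ == "__main__":
    for name, store in (("e:\\boot\\BCD", ACTIVE_STORE), ("c:\\boot\\BCD", STALE_STORE)):
        findings = audit_store(store)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  " + finding)
```

    Run on the two stores from the log, the E: store comes back clean and the C: store yields one finding per `locate=` device, the `{bootmgr}` object's `locate=unknown` first. The verbose (`/v`) listing in the log shows the same devices as `locate=custom:12000002` and `locate=custom:22000002`; those also fail the bound-volume check, so the audit works on either form of the output.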
     
  3. JCharles007

    JCharles007, TS Rookie, Topic Starter

    Here's the info you requested. Additional instructions:
    1. Content of the Fixlog.txt (it could be attached if it is a large file)
    2. Attach the fresh MBRDUMP.txt (any old one will be overwritten, so no need to remove the old one)
    3. After the fix restart, let it boot normally and tell us how it went.

    Still blinking cursor, no boot.

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 22-08-2012 02
    Ran by SYSTEM at 2012-09-07 13:21:03 Run:9
    Running from G:\

    ==============================================


    ========= dir /a c:\ =========

    Volume in drive C is TI106033W0C
    Volume Serial Number is 5ACC-503C

    Directory of c:\

    02/14/2011 08:49 PM <DIR> $Recycle.Bin
    10/14/2010 07:45 PM <DIR> Boot
    07/13/2009 05:38 PM 383,562 bootmgr
    10/14/2010 07:45 PM 8,192 BOOTSECT.BAK
    03/13/2012 12:09 PM <DIR> codec-info
    03/25/2012 09:50 PM <DIR> Config.Msi
    07/13/2009 09:08 PM <JUNCTION> Documents and Settings [C:\Users]
    08/22/2012 06:05 PM <DIR> FRST
    03/28/2012 07:12 PM 3,062,255,616 hiberfil.sys
    01/20/2011 12:25 AM <DIR> Intel
    02/14/2011 09:42 PM <DIR> MSOCache
    03/28/2012 07:13 PM 4,083,007,488 pagefile.sys
    03/23/2012 06:24 PM <DIR> Program Files
    03/25/2012 09:50 PM <DIR> Program Files (x86)
    08/24/2012 10:40 PM <DIR> ProgramData
    02/16/2012 07:37 AM 510 settings.ini
    03/28/2012 04:11 PM <DIR> System Volume Information
    02/14/2011 08:47 PM <DIR> Users
    08/24/2012 10:40 PM <DIR> Windows
    5 File(s) 7,145,655,368 bytes
    14 Dir(s) 252,893,179,904 bytes free

    ========= End of CMD: =========


    ========= dir /a e:\ =========

    Volume in drive E is System
    Volume Serial Number is E4A5-287C

    Directory of e:\

    01/20/2011 01:20 AM <DIR> Boot
    07/13/2009 05:38 PM 383,562 bootmgr
    02/14/2011 08:47 PM <DIR> Recovery
    02/14/2011 09:02 PM <DIR> System Volume Information
    10/22/2010 04:45 AM 189 WinREPartition.ini
    2 File(s) 383,751 bytes
    3 Dir(s) 1,367,330,816 bytes free

    ========= End of CMD: =========


    ========= dir /a y:\ =========

    The system cannot find the path specified.

    ========= End of CMD: =========


    ========================= folder: e:\boot ========================

    2011-01-20 01:20 - 2012-09-07 12:51 - 0024576 ____A () e:\boot\BCD
    2011-01-20 01:20 - 2012-09-07 12:51 - 0021504 __ASH () e:\boot\BCD.LOG
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 __ASH () e:\boot\BCD.LOG1
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 __ASH () e:\boot\BCD.LOG2
    2011-01-20 01:20 - 2011-01-20 01:20 - 0065536 __ASH () e:\boot\BOOTSTAT.DAT
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\cs-CZ
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\da-DK
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\de-DE
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\el-GR
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\en-US
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\es-ES
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\fi-FI
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\Fonts
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\fr-FR
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\hu-HU
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\it-IT
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\ja-JP
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\ko-KR
    2011-01-20 01:20 - 2009-07-13 17:20 - 0485440 ____A (Microsoft Corporation) e:\boot\memtest.exe
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\nb-NO
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\nl-NL
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\pl-PL
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\pt-BR
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\pt-PT
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\ru-RU
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\sv-SE
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\tr-TR
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\zh-CN
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\zh-HK
    2011-01-20 01:20 - 2011-01-20 01:20 - 0000000 ____D () e:\boot\zh-TW
    2011-01-20 01:20 - 2009-07-13 17:17 - 0089168 ____A (Microsoft Corporation) e:\boot\cs-CZ\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0087616 ____A (Microsoft Corporation) e:\boot\da-DK\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0091712 ____A (Microsoft Corporation) e:\boot\de-DE\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0094800 ____A (Microsoft Corporation) e:\boot\el-GR\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0085056 ____A (Microsoft Corporation) e:\boot\en-US\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 18:11 - 0043600 ____A (Microsoft Corporation) e:\boot\en-US\memtest.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0090192 ____A (Microsoft Corporation) e:\boot\es-ES\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0089152 ____A (Microsoft Corporation) e:\boot\fi-FI\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-06-10 12:31 - 3694080 ____A () e:\boot\Fonts\chs_boot.ttf
    2011-01-20 01:20 - 2009-06-10 12:31 - 3876772 ____A () e:\boot\Fonts\cht_boot.ttf
    2011-01-20 01:20 - 2009-06-10 12:31 - 1984228 ____A () e:\boot\Fonts\jpn_boot.ttf
    2011-01-20 01:20 - 2009-06-10 12:31 - 2371360 ____A () e:\boot\Fonts\kor_boot.ttf
    2011-01-20 01:20 - 2009-06-10 12:31 - 0047452 ____A () e:\boot\Fonts\wgl4_boot.ttf
    2011-01-20 01:20 - 2009-07-13 17:17 - 0093248 ____A (Microsoft Corporation) e:\boot\fr-FR\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0090688 ____A (Microsoft Corporation) e:\boot\hu-HU\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0090704 ____A (Microsoft Corporation) e:\boot\it-IT\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0076352 ____A (Microsoft Corporation) e:\boot\ja-JP\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0075344 ____A (Microsoft Corporation) e:\boot\ko-KR\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0088144 ____A (Microsoft Corporation) e:\boot\nb-NO\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0090704 ____A (Microsoft Corporation) e:\boot\nl-NL\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0090704 ____A (Microsoft Corporation) e:\boot\pl-PL\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0090176 ____A (Microsoft Corporation) e:\boot\pt-BR\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0089664 ____A (Microsoft Corporation) e:\boot\pt-PT\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0090192 ____A (Microsoft Corporation) e:\boot\ru-RU\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0087616 ____A (Microsoft Corporation) e:\boot\sv-SE\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0087104 ____A (Microsoft Corporation) e:\boot\tr-TR\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0070720 ____A (Microsoft Corporation) e:\boot\zh-CN\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0070224 ____A (Microsoft Corporation) e:\boot\zh-HK\bootmgr.exe.mui
    2011-01-20 01:20 - 2009-07-13 17:17 - 0070208 ____A (Microsoft Corporation) e:\boot\zh-TW\bootmgr.exe.mui

    ====== End of Folder: ======

    ========================= folder: y:\boot ========================

    Directory Not Found

    ====== End of Folder: ======

    ========= bcdedit /enum all /store c:\boot\BCD_Backup =========

    The boot configuration data store could not be opened.
    The system cannot find the file specified.

    ========= End of CMD: =========


    ========= bcdedit /enum all /v /store c:\boot\BCD_Backup =========

    The boot configuration data store could not be opened.
    The system cannot find the file specified.

    ========= End of CMD: =========


    ========= bcdedit /enum all /store y:\boot\BCD =========

    The boot configuration data store could not be opened.
    The system cannot find the file specified.

    ========= End of CMD: =========


    ========= bcdedit /enum all /v /store y:\boot\BCD =========

    The boot configuration data store could not be opened.
    The system cannot find the file specified.

    ========= End of CMD: =========


    ========= bcdedit /enum all /store e:\boot\BCD =========


    Windows Boot Manager
    --------------------
    identifier {bootmgr}
    device partition=E:
    description Windows Boot Manager
    locale en-US
    inherit {globalsettings}
    default {default}
    resumeobject {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}
    displayorder {default}
    toolsdisplayorder {memdiag}
    timeout 30

    Windows Boot Loader
    -------------------
    identifier {default}
    device partition=C:
    path \windows\system32\winload.exe
    description Windows 7
    locale en-US
    inherit {bootloadersettings}
    recoverysequence {75a9f6be-2476-11e0-8911-f50c2d86a5b2}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \windows
    resumeobject {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}
    nx OptIn

    Windows Boot Loader
    -------------------
    identifier {75a9f6be-2476-11e0-8911-f50c2d86a5b2}
    device ramdisk=[E:]\Recovery\WindowsRE\Winre.wim,{75a9f6bf-2476-11e0-8911-f50c2d86a5b2}
    path \windows\system32\winload.exe
    description Windows Recovery Environment
    inherit {bootloadersettings}
    osdevice ramdisk=[E:]\Recovery\WindowsRE\Winre.wim,{75a9f6bf-2476-11e0-8911-f50c2d86a5b2}
    systemroot \windows
    nx OptIn
    winpe Yes

    Resume from Hibernate
    ---------------------
    identifier {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}
    device partition=C:
    path \windows\system32\winresume.exe
    description Windows Resume Application
    locale en-US
    inherit {resumeloadersettings}
    filedevice partition=C:
    filepath \hiberfil.sys
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {memdiag}
    device partition=E:
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-US
    inherit {globalsettings}
    badmemoryaccess Yes

    EMS Settings
    ------------
    identifier {emssettings}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {dbgsettings}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {badmemory}

    Global Settings
    ---------------
    identifier {globalsettings}
    inherit {dbgsettings}
    {emssettings}
    {badmemory}

    Boot Loader Settings
    --------------------
    identifier {bootloadersettings}
    inherit {globalsettings}
    {hypervisorsettings}

    Hypervisor Settings
    -------------------
    identifier {hypervisorsettings}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Resume Loader Settings
    ----------------------
    identifier {resumeloadersettings}
    inherit {globalsettings}

    Device options
    --------------
    identifier {75a9f6bf-2476-11e0-8911-f50c2d86a5b2}
    description Ramdisk Options
    ramdisksdidevice partition=E:
    ramdisksdipath \Recovery\WindowsRE\boot.sdi

    ========= End of CMD: =========


    ========= bcdedit /enum all /v /store e:\boot\BCD =========


    Windows Boot Manager
    --------------------
    identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
    device partition=E:
    description Windows Boot Manager
    locale en-US
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    default {75a9f6bd-2476-11e0-8911-f50c2d86a5b2}
    resumeobject {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}
    displayorder {75a9f6bd-2476-11e0-8911-f50c2d86a5b2}
    toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
    timeout 30

    Windows Boot Loader
    -------------------
    identifier {75a9f6bd-2476-11e0-8911-f50c2d86a5b2}
    device partition=C:
    path \windows\system32\winload.exe
    description Windows 7
    locale en-US
    inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    recoverysequence {75a9f6be-2476-11e0-8911-f50c2d86a5b2}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \windows
    resumeobject {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}
    nx OptIn

    Windows Boot Loader
    -------------------
    identifier {75a9f6be-2476-11e0-8911-f50c2d86a5b2}
    device ramdisk=[E:]\Recovery\WindowsRE\Winre.wim,{75a9f6bf-2476-11e0-8911-f50c2d86a5b2}
    path \windows\system32\winload.exe
    description Windows Recovery Environment
    inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    osdevice ramdisk=[E:]\Recovery\WindowsRE\Winre.wim,{75a9f6bf-2476-11e0-8911-f50c2d86a5b2}
    systemroot \windows
    nx OptIn
    winpe Yes
    custom:46000010 Yes

    Resume from Hibernate
    ---------------------
    identifier {75a9f6bc-2476-11e0-8911-f50c2d86a5b2}
    device partition=C:
    path \windows\system32\winresume.exe
    description Windows Resume Application
    locale en-US
    inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
    filedevice partition=C:
    filepath \hiberfil.sys
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
    device partition=E:
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-US
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    badmemoryaccess Yes

    EMS Settings
    ------------
    identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {4636856e-540f-4170-a130-a84776f4c654}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Global Settings
    ---------------
    identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    inherit {4636856e-540f-4170-a130-a84776f4c654}
    {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Boot Loader Settings
    --------------------
    identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    {7ff607e0-4395-11db-b0de-0800200c9a66}

    Hypervisor Settings
    -------------------
    identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Resume Loader Settings
    ----------------------
    identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

    Device options
    --------------
    identifier {75a9f6bf-2476-11e0-8911-f50c2d86a5b2}
    description Ramdisk Options
    ramdisksdidevice partition=E:
    ramdisksdipath \Recovery\WindowsRE\boot.sdi

    ========= End of CMD: =========


    ========= bcdedit /enum all /store c:\boot\BCD =========


    Windows Boot Manager
    --------------------
    identifier {bootmgr}
    device locate=unknown
    description Windows Boot Manager
    locale en-us
    inherit {globalsettings}
    default {default}
    resumeobject {976be343-d80e-11df-96e6-00269eeaa3d0}
    displayorder {default}
    toolsdisplayorder {memdiag}
    timeout 30

    Windows Boot Loader
    -------------------
    identifier {default}
    device locate=\Windows\system32\winload.exe
    path \Windows\system32\winload.exe
    description Windows 7
    locale en-us
    inherit {bootloadersettings}
    osdevice locate=\Windows
    systemroot \Windows
    resumeobject {976be343-d80e-11df-96e6-00269eeaa3d0}
    nx OptIn

    Resume from Hibernate
    ---------------------
    identifier {976be343-d80e-11df-96e6-00269eeaa3d0}
    device locate=\Windows\system32\winresume.exe
    path \Windows\system32\winresume.exe
    description Windows Resume Application
    locale en-us
    inherit {resumeloadersettings}
    filedevice locate=\hiberfil.sys
    filepath \hiberfil.sys
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {memdiag}
    device locate=\boot\memtest.exe
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-us
    inherit {globalsettings}
    badmemoryaccess Yes

    EMS Settings
    ------------
    identifier {emssettings}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {dbgsettings}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {badmemory}

    Global Settings
    ---------------
    identifier {globalsettings}
    inherit {dbgsettings}
    {emssettings}
    {badmemory}

    Boot Loader Settings
    --------------------
    identifier {bootloadersettings}
    inherit {globalsettings}
    {hypervisorsettings}

    Hypervisor Settings
    -------------------
    identifier {hypervisorsettings}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Resume Loader Settings
    ----------------------
    identifier {resumeloadersettings}
    inherit {globalsettings}

    ========= End of CMD: =========


    ========= bcdedit /enum all /v /store c:\boot\BCD =========


    Windows Boot Manager
    --------------------
    identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
    device locate=custom:12000002
    description Windows Boot Manager
    locale en-us
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    default {976be344-d80e-11df-96e6-00269eeaa3d0}
    resumeobject {976be343-d80e-11df-96e6-00269eeaa3d0}
    displayorder {976be344-d80e-11df-96e6-00269eeaa3d0}
    toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
    timeout 30

    Windows Boot Loader
    -------------------
    identifier {976be344-d80e-11df-96e6-00269eeaa3d0}
    device locate=custom:12000002
    path \Windows\system32\winload.exe
    description Windows 7
    locale en-us
    inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    osdevice locate=custom:22000002
    systemroot \Windows
    resumeobject {976be343-d80e-11df-96e6-00269eeaa3d0}
    nx OptIn

    Resume from Hibernate
    ---------------------
    identifier {976be343-d80e-11df-96e6-00269eeaa3d0}
    device locate=custom:12000002
    path \Windows\system32\winresume.exe
    description Windows Resume Application
    locale en-us
    inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
    filedevice locate=custom:22000002
    filepath \hiberfil.sys
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
    device locate=custom:12000002
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-us
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    badmemoryaccess Yes

    EMS Settings
    ------------
    identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {4636856e-540f-4170-a130-a84776f4c654}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Global Settings
    ---------------
    identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    inherit {4636856e-540f-4170-a130-a84776f4c654}
    {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
    {5189b25c-5558-4bf2-bca4-289b11bd29e2}

    Boot Loader Settings
    --------------------
    identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
    {7ff607e0-4395-11db-b0de-0800200c9a66}

    Hypervisor Settings
    -------------------
    identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Resume Loader Settings
    ----------------------
    identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
    inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

    ========= End of CMD: =========


    ========= bootrec /FixMbr =========

    The operation completed successfully.

    ========= End of CMD: =========

    MBRDUMP.txt is made successfully.

    ==== End of Fixlog ====

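The two bcdedit listings in the fixlog above (the store on E: and the one under C:\boot\BCD) are easier to compare by machine than by eye. The Python below is an added example, not part of FRST, bcdedit or the thread: it parses the `bcdedit /enum all` text format, including the multi-line `inherit` field, diffs the objects of two stores, and flags device fields that are not bound to a volume; the sample stores are trimmed copies of the listings above.

```python
r"""Parse ``bcdedit /enum all`` output and compare two BCD stores.

Added example for this thread, not part of FRST, bcdedit or the posts; the
samples are abbreviated copies of the fixlog listings above (E: and C:\boot\BCD).
"""
import re
from typing import Dict, List, Tuple

BcdObject = Dict[str, List[str]]

# Constructed sample, trimmed from "bcdedit /enum all /store e:\boot\BCD" above.
STORE_E = r"""
========= bcdedit /enum all /store e:\boot\BCD =========

Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=E:
description Windows Boot Manager

Windows Boot Loader
-------------------
identifier {default}
device partition=C:
description Windows 7
recoverysequence {75a9f6be-2476-11e0-8911-f50c2d86a5b2}
osdevice partition=C:

Windows Boot Loader
-------------------
identifier {75a9f6be-2476-11e0-8911-f50c2d86a5b2}
device ramdisk=[E:]\Recovery\WindowsRE\Winre.wim,{75a9f6bf-2476-11e0-8911-f50c2d86a5b2}
description Windows Recovery Environment

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}
"""

# Constructed sample, trimmed from "bcdedit /enum all /store c:\boot\BCD" above.
STORE_C = r"""
Windows Boot Manager
--------------------
identifier {bootmgr}
device locate=unknown
description Windows Boot Manager

Windows Boot Loader
-------------------
identifier {default}
device locate=\Windows\system32\winload.exe
description Windows 7
osdevice locate=\Windows
"""


def parse_bcd_enum(text: str) -> Dict[str, BcdObject]:
    """Return {identifier: {field: [values]}} for every object in the listing.

    One object per blank-line-separated block: title, rule of dashes, then
    ``field value`` lines. A multi-valued field (``inherit``) continues on lines
    holding only a value; one-line blocks (the ==== command banner) are skipped.
    """
    objects: Dict[str, BcdObject] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 3 or set(lines[1]) != {"-"}:
            continue
        obj: BcdObject = {"_type": [lines[0]]}
        last_field = None
        for ln in lines[2:]:
            field, _, value = ln.partition(" ")
            if not value and last_field:  # continuation of a multi-valued field
                obj[last_field].append(field)
            else:
                obj.setdefault(field, []).append(value)
                last_field = field
        objects[obj.get("identifier", [lines[0]])[0]] = obj
    return objects


# Bound device values name a volume (partition=C:, ramdisk=[E:]...); the C: store
# in the thread shows locate=unknown / locate=\Windows..., which deserve a manual look.
BOUND_DEVICE = re.compile(r"^(partition=[A-Za-z]:|ramdisk=\[[A-Za-z]:\])")


def unbound_devices(objects: Dict[str, BcdObject]) -> List[Tuple[str, str, str]]:
    """List (identifier, field, value) for device fields not tied to a volume."""
    findings = []
    for ident, obj in objects.items():
        for field in ("device", "osdevice", "filedevice"):
            for value in obj.get(field, []):
                if not BOUND_DEVICE.match(value):
                    findings.append((ident, field, value))
    return findings


def diff_stores(a: Dict[str, BcdObject], b: Dict[str, BcdObject]) -> Tuple[List[str], List[str]]:
    """Identifiers present in only one store, as (only_in_a, only_in_b)."""
    return sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())
```

On a real machine, feed it the text of `bcdedit /enum all /store <path>` for each store to be compared; the functions are pure so the same checks run against any listing.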
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    I'm waiting for the developer to get back to me, hopefully to catch up soon here...
     
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okie dokie. Current boot priority is good. :)

    FRST Fixlist

    Download the attached file, please. Save it on your flash drive to replace the current fixlist.txt. Make sure it maintains its current name fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.

    Additional instructions:
    1. Content of the Fixlog.txt (it could be attached if it is a large file)
    2. Attach the fresh MBRDUMP.txt (any old one will be overwritten, so no need to remove the old one)

  6. JCharles007

    JCharles007 TS Rookie Topic Starter Posts: 19

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 22-08-2012 02
    Ran by SYSTEM at 2012-09-11 21:03:25 Run:10
    Running from G:\

    ==============================================

    MBRDUMP.txt is made successfully.

    ========= FixMbr64 /drive 0 fixmbr /win7 /yes =========

    'FixMbr64' is not recognized as an internal or external command,
    operable program or batch file.

    ========= End of CMD: =========

    MBRDUMP.txt is made successfully.

    ==== End of Fixlog ====

    When I reboot I just get flashing cursor on black screen. This is a tough-E, huh? I really appreciate the help. I know you'll get it running. Thanks.

  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That's right, don't give up. I'm sure we'll get this.

    Keep in mind the MBR is still very infected with TDL4. While you're waiting, please consider reading, if you like: http://en.wikipedia.org/wiki/Alureon
     
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please do the same in the post here, except with a new fixlist.

    The developer, Farbar, and I apologize, but there was an error in the script. But no worries, we're not trying to waste time.

  9. JCharles007

    JCharles007 TS Rookie Topic Starter Posts: 19

    Sure, no problem. Here's the fixlog and MBRDump:
    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 22-08-2012 02
    Ran by SYSTEM at 2012-09-15 22:42:48 Run:11
    Running from G:\

    ==============================================

    MBRDUMP.txt is made successfully.

    ========= MbrFix64 /drive 0 fixmbr /win7 /yes =========


    ========= End of CMD: =========

    MBRDUMP.txt is made successfully.

    ==== End of Fixlog ====

  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That was a clean MBR. Before I report back to Farbar, please attempt to boot the computer. Let me know what happens, please.
     
  11. JCharles007

    JCharles007 TS Rookie Topic Starter Posts: 19

    Successful boot without CD. Do I need to run a specific antivirus tool?
     
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Great! :)

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

    AdwCleaner Scan
    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
     
  13. JCharles007

    JCharles007 TS Rookie Topic Starter Posts: 19

    OK, here are the files:
    ADWCleaner-
    # AdwCleaner v2.002 - Logfile created 09/16/2012 at 14:45:11
    # Updated 16/09/2012 by Xplode
    # Operating system : Windows 7 Home Premium (64 bits)
    # User : Smith Family - SMITHFAMILY-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Smith Family\Downloads\adwcleaner.exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Found : C:\ProgramData\InstallMate
    Folder Found : C:\ProgramData\Premium
    Folder Found : C:\Users\Smith Family\AppData\Roaming\Mozilla\Firefox\Profiles\b5r7jg9n.default\extensions\info@allpremiumplay.info

    ***** [Registry] *****

    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}
    Key Found : HKLM\SOFTWARE\Software

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    [OK] Registry is clean.

    -\\ Mozilla Firefox v15.0.1 (en-US)

    Profile name : default
    File : C:\Users\Smith Family\AppData\Roaming\Mozilla\Firefox\Profiles\b5r7jg9n.default\prefs.js

    Found : user_pref("extensions.nurit5562nurit235.scode", "(function(){try{if('aol.com,mystart.incredibar.com,[...]

    *************************

    AdwCleaner[R1].txt - [1501 octets] - [16/09/2012 14:45:11]

    ########## EOF - C:\AdwCleaner[R1].txt - [1561 octets] ##########

    ComboFix:

    ComboFix 12-09-15.02 - Smith Family 09/16/2012 14:11:45.1.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3894.2627 [GMT -7:00]
    Running from: c:\users\Smith Family\Desktop\ComboFix.exe
    AV: Kaspersky Anti-Virus *Disabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
    SP: Kaspersky Anti-Virus *Disabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Codec-C
    c:\programdata\Codec-C\background.html
    c:\programdata\Codec-C\bhoclass.dll
    c:\programdata\Codec-C\content.js
    c:\programdata\Codec-C\data\content.js
    c:\programdata\Codec-C\data\jsondb.js
    c:\programdata\Codec-C\ekdjfcdinekpfcedakhpngcnaamhiihn.crx
    c:\programdata\Codec-C\settings.ini
    c:\programdata\Codec-C\uninstall.exe
    c:\users\Smith Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\{529E7CDC-C1DF-4407-AB5D-8E0375822219}.xps
    c:\users\Smith Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\{FCC19056-CCEF-42D3-8C11-A042B38680D1}.xps
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-16 to 2012-09-16 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-16 21:16 . 2012-09-16 21:16 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-16 20:31 . 2012-09-16 21:11 747928 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2012-08-23 02:05 . 2012-08-23 02:05 -------- d-----w- C:\FRST
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-15 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
    "ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
    "TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "WirelessUSBManager"="c:\program files (x86)\Wireless USB\Components\WirelessUSBManager\WirelessUSBManager.exe" [2011-03-01 4110672]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-6-24 9216]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-15 136176]
    R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_5.5.29055.0.sys [2012-03-24 17408]
    R3 DLCopyFilter;DLCopyFilter;c:\windows\system32\Drivers\wsr_tbf.sys [2010-07-21 52736]
    R3 DWA;Wireless USB Device Adapter;c:\windows\system32\DRIVERS\WSR_DWA.SYS [2010-11-18 578048]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-15 136176]
    R3 hwa;Wireless USB Host Adapter;c:\windows\system32\DRIVERS\WSR_HWA.SYS [2010-11-18 1028096]
    R3 HWARadio;Wireless USB Host Radio;c:\windows\system32\DRIVERS\WSR_RCI.SYS [2010-11-18 167424]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-02-09 239136]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
    R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-19 1255736]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]
    R3 WSR_USF;Debug1;c:\windows\system32\Drivers\WSR_USF.sys [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2010-11-26 13936]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 CableAssociation;CableAssociation;c:\program files (x86)\Wireless USB\Components\Association\CableAssociation.exe [2010-12-08 1457480]
    S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2010-11-26 9464168]
    S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-02-26 252928]
    S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-03-18 2320920]
    S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2010-11-26 203376]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-02-23 75304]
    S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 35008]
    S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [2009-06-15 12800]
    S3 rtl8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2010-02-12 877088]
    S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
    S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-24 835952]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd944d9cc2e9ab.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-15 04:04]
    .
    2012-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cd944d9d248217.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-15 04:04]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-10 161304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-10 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-10 415256]
    "cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2010-03-10 520760]
    "SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
    "TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
    "TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://us.mg4.mail.yahoo.com/neo/launch?.rand=9fc0i0kfknj7f
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    Trusted Zone: myitlab.com
    Trusted Zone: pearsoncmg.com
    Trusted Zone: pearsoned.com
    TCP: DhcpNameServer = 192.168.2.2
    FF - ProfilePath - c:\users\Smith Family\AppData\Roaming\Mozilla\Firefox\Profiles\b5r7jg9n.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
    FF - Ext: Codec-C: info@allpremiumplay.info - c:\users\Smith Family\AppData\Roaming\Mozilla\Firefox\Profiles\b5r7jg9n.default\extensions\info@allpremiumplay.info
    FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
    FF - Ext: Codec-C: info@allpremiumplay.info - %profile%\extensions\info@allpremiumplay.info
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{5055EDC9-A18F-4B5E-A182-8C425E15659B} - c:\programdata\Codec-C\bhoclass.dll
    Toolbar-Locked - (no file)
    Wow6432Node-HKU-Default-Run-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
    Toolbar-Locked - (no file)
    HKLM-Run-(Default) - (no file)
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
    HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
    HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
    HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
    HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
    HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
    HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
    HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
    HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    AddRemove-{2EF17083-57D4-4D64-AE4F-55F32A2C4571} - c:\programdata\Codec-C\uninstall.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\program files (x86)\Mozilla Firefox\firefox.exe
    c:\program files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
    c:\program files (x86)\Mozilla Firefox\plugin-container.exe
    .
    **************************************************************************
    .
    Completion time: 2012-09-16 14:27:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-09-16 21:27
    .
    Pre-Run: 253,678,493,696 bytes free
    Post-Run: 253,581,500,416 bytes free
    .
    - - End Of File - - 4E335169A2C1268AB12AB1F0259F3B1A

  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    AdwCleaner FIX
    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.


    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
      1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
      2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
     
  15. JCharles007

    JCharles007 TS Rookie Topic Starter Posts: 19

    ADW Cleaner:

    # AdwCleaner v2.002 - Logfile created 09/17/2012 at 19:17:29
    # Updated 16/09/2012 by Xplode
    # Operating system : Windows 7 Home Premium (64 bits)
    # User : Smith Family - SMITHFAMILY-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Smith Family\Desktop\adwcleaner(1).exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Deleted : C:\ProgramData\InstallMate
    Folder Deleted : C:\ProgramData\Premium
    Folder Deleted : C:\Users\Smith Family\AppData\Roaming\Mozilla\Firefox\Profiles\b5r7jg9n.default\extensions\info@allpremiumplay.info

    ***** [Registry] *****

    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}
    Key Deleted : HKLM\SOFTWARE\Software

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

    -\\ Mozilla Firefox v15.0.1 (en-US)

    Profile name : default
    File : C:\Users\Smith Family\AppData\Roaming\Mozilla\Firefox\Profiles\b5r7jg9n.default\prefs.js

    Deleted : user_pref("extensions.nurit5562nurit235.scode", "(function(){try{if('aol.com,mystart.incredibar.com,[...]

    *************************

    AdwCleaner[R1].txt - [1624 octets] - [16/09/2012 14:45:11]
    AdwCleaner[S1].txt - [2197 octets] - [17/09/2012 19:17:29]

    ########## EOF - C:\AdwCleaner[S1].txt - [2257 octets] ##########

    ESET:

    C:\FRST\Quarantine\consrv.dll Win64/Sirefef.G trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\qeSKkLWiSNH.exe a variant of Win32/Kryptik.ADIQ trojan cleaned by deleting - quarantined
    C:\ProgramData\Microsoft\Windows\DRM\E043.tmp Win64/Olmarik.AH trojan cleaned by deleting - quarantined
    C:\ProgramData\Microsoft\Windows\DRM\E054.tmp Win64/Olmarik.AH trojan cleaned by deleting - quarantined
    C:\Users\Smith Family\Downloads\mplayer_Setup.exe a variant of Win32/Adware.iBryte.C application cleaned by deleting - quarantined
     
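As an added example (not part of the thread, of ESET's tooling or of FRST), a small Python triage of scan lines in the shape ESET posted above: it parses each line into path, family and action, separates hits ESET found inside the FRST quarantine folder (already dealt with earlier in the thread) from files that were still live on disk, and puts the ZeroAccess (Sirefef) and TDL4 (Olmarik) rootkit families first. The sample lines are constructed, and the regex, the quarantine-path heuristic and the family grouping are this example's own assumptions.

```python
import re

# Shape of an ESET Online Scanner result line as posted in the thread:
#   <path, may contain spaces> [a variant of ]<Platform/Family.Variant> <type> <action>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<variant>a variant of\s+)?(?P<name>\S+/\S+)\s+"
    r"(?P<type>trojan|application|virus|worm)\s+(?P<action>.+?)\s*$"
)

# ESET naming: Sirefef is ZeroAccess, Olmarik is the TDL4/TDSS bootkit.
# Grouping both as rootkit families is this example's own choice.
ROOTKIT_FAMILIES = {"Sirefef", "Olmarik"}


def parse_eset_line(line):
    """Parse one ESET log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # "Win64/Sirefef.G" -> "Sirefef"; "Win32/Adware.iBryte.C" -> "Adware"
    family = m["name"].split("/", 1)[1].split(".", 1)[0]
    return {
        "path": m["path"],
        "family": family,
        "threat": (m["variant"] or "") + m["name"] + " " + m["type"],
        "action": m["action"],
        # A hit inside a tool's quarantine folder was already neutralised earlier.
        "already_quarantined": "\\quarantine\\" in m["path"].lower(),
    }


def triage(lines):
    """Group detections so live rootkit hits stand out from quarantine leftovers."""
    groups = {"live_rootkit": [], "live_other": [], "already_quarantined": [], "unparsed": []}
    for line in filter(str.strip, lines):
        d = parse_eset_line(line)
        if d is None:
            groups["unparsed"].append(line)
        elif d["already_quarantined"]:
            groups["already_quarantined"].append(d)
        elif d["family"] in ROOTKIT_FAMILIES:
            groups["live_rootkit"].append(d)
        else:
            groups["live_other"].append(d)
    return groups


# Constructed sample in the shape of the ESET output posted above (not the real log).
SAMPLE_LOG = """
C:\\FRST\\Quarantine\\consrv.dll Win64/Sirefef.G trojan cleaned by deleting - quarantined
C:\\ProgramData\\Microsoft\\Windows\\DRM\\E043.tmp Win64/Olmarik.AH trojan cleaned by deleting - quarantined
C:\\Users\\Example User\\Downloads\\player_Setup.exe a variant of Win32/Adware.iBryte.C application cleaned by deleting - quarantined
"""
```

Run `triage(SAMPLE_LOG.splitlines())` to see the live Olmarik hit under the DRM folder reported separately from the consrv.dll leftover that FRST had already quarantined.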
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Good job! :) If there are no more issues, then we shall finish up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, i.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive, i.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
     
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Topic marked solved.
     