black screen at start up with Toshiba laptop

Been struggling to get my niece's laptops up and running. Windows 7 on a Toshiba satellite L655-S5150. Both laptops do the same thing at start up...freeze at a black screen with a blinking cursor. I have tried the following:

windows 7 system repair disk...no errors found
Kapersky repair disk...does not seem to load at times but did get it to load fully once in graphical mode and a few viruses were found but some could not be healed, or whatever they called it
AVG and Bit something or other were also tried...


I have booted via a CD and a USB stick but still in the end when I try to boot the windows 7 system it hangs on the black screen

Thinking of purchasing the Toshiba HDD drive utility or whatever it is called...$39... in laws don't have any disks that came with these laptops...windows 7 home premium version


help???

Thanks....dan

Hi Dan!

Both laptops do the same thing at start up...freeze at a black screen with a blinking cursor. I have tried the following:

You're experiencing this issue on 2 laptops? I just want to make sure I'm understanding things correctly.

Sounds like you might be infected with an infection known as ZeroAccess.

Could you please describe what issues you were experiencing before the freezing issue at boot-up started? Do you happen to know if it's a 32 bit version of Windows 7 or if it's 64 bits?

Let me know.

Warmest Regards,
ST.

sorry if I was unclear...two nieces so two laptops...both are Toshiba satellites, both have the blinking cursor and black screen at startup. Not sure what issues they were having before the black screen, but I have helped them in the past with virus issues using this forum (different computers). I know they had Kapersky on the laptops but I also know that my brother in law told me it had expired and they did not renew it !! I've suggested to them to use the microsoft virus program, can't remember the name, but I use it on my HP laptop that runs XP and I have been very happy with it. Of course I don't download stuff like they probably do!

They didn't have a windows 7 disk, so I made a recovery disk using a computer at work that runs windows 7. It was a 64 bit version and I was able to boot to it with one of the laptops. It found no errors though and black screen returned at the next boot.


If it is zeroaccess, how do I proceed? The Kapersky recue disk that I used did find some viruses and even a Trojan something or other, but I don't remember the names....I could run that again if it helps.

dan

Hi Dan,

No, don't worry about that for right now.

I'm actually going to provide you instructions for downloading and running a specialized tool.

I've asked a moderator to move this thread over to the Malware Removal forum, where we can use more powerful tools unrestricted.

Before I give you these instructions, please read the following below:

---------

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you.

I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

• Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  
• Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  
• If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  
• In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  
• If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  
• Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  
• Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  
• I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
  
  
  • Because of this, you must reply within 3 days failure to reply will result in the topic being closed! I like chocolate chip cookies.
• Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system or even taking your computer into a repair shop.
  
  
  • Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data and have means of backing up your data available.

____________________________________________________

Running FRST

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst64) and press Enter.
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]

Please let me know how the above goes.

-ST.

I will indeed download FRST and put it on a flash drive. Do I need to make it bootable to boot from the usb stick? I have pressed F8 multiple times on the laptops and have not managed to get them to respond with F8.... At startup I can either use F2 or F12 to get into things like startup options to boot from a CD or USB stick. Pressing F8 doesn't get me anything except a black screen with a blinking cursor. So when you say restart the computer do you mean to the usb brive?

dan

Hi Dan!

I just looked at the manual for the laptop, and it says that F8 is the button to press to get into that. So not too sure what's going on their, but no worries, we'll try and get into it using the System Repair Disc that you created.

You'll want to put that disc, and then we'll need to boot from this disc.

Try these instructions:

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]
Let me know if you have better luck.

-ST.

ST,

Thanks for the help... was able to run the first tool on one of the laptops...the other is giving me trouble even getting it to boot to the CD...will work on that (thinking I might switch out the drive to the machine that does boot to the CD, but won't do that for the moment)


here is the text of the first log

Scan result of Farbar Recovery Scan Tool Version: 18-05-2012 02
Ran by SYSTEM at 19-05-2012 10:45:36
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [161304 2010-08-10] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [386584 2010-08-10] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [415256 2010-08-10] (Intel Corporation)
HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-28] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-10] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1483776 2010-02-25] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-02-23] (TOSHIBA Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1436736 2011-06-15] (Microsoft Corporation)
HKLM\...\Run: [PC MightyMax 2011 Tray Icon] "C:\Program Files (x86)\PC MightyMax 2011\TrayIcon.exe" [122368 2011-04-08] ()
HKLM\...\Run: [MRT] "C:\windows\system32\MRT.exe" /R [54585368 2012-04-05] (Microsoft Corporation)
HKLM\...\Run: [wmuine] rundll32.exe "C:\windows\TEMP\wmuine.dll",CreateRenderToEnvMap [x]
HKLM\...\Run: [octsra] rundll32.exe "C:\windows\TEMP\octsra.dll",BAOCloseFile [x]
HKLM-x32\...\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294136 2009-10-06] (TOSHIBA Corporation)
HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2011-01-25] (Apple Inc.)
HKLM-x32\...\Run: [MyWebSearch Email Plugin] C:\PROGRA~2\MYWEBS~1\bar\2.bin\mwsoemon.exe [32849 2011-04-13] (MyWebSearch.com)
HKLM-x32\...\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~2\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w /h [x]
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [397992 2011-07-26] (Ask)
HKLM-x32\...\Run: [iBryte browseforchange Desktop] C:\Program Files (x86)\iBryte\browseforchange\ibrytedesktop.exe [163840 2011-12-23] (iBryte)
HKLM-x32\...\Run: [iBryte playbryte Desktop] C:\Program Files (x86)\iBryte\playbryte\ibrytedesktop.exe [163840 2011-12-23] (iBryte)
HKLM-x32\...\Run: [configremote] C:\ProgramData\configremote.exe [x]
HKLM-x32\...\Run: [krnlhtml] C:\windows\system32\config\systemprofile\AppData\Roaming\krnlhtml.exe [x]
HKLM-x32\...\Run: [dplaysvr] %LOCALAPPDATA%\dplaysvr.exe [x]
HKU\Haley\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-10-14] (Google Inc.)
HKU\Haley\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [15028104 2011-01-03] (Skype Technologies S.A.)
HKU\Haley\...\Run: [MyWebSearch Email Plugin] C:\PROGRA~2\MYWEBS~1\bar\2.bin\mwsoemon.exe [32849 2011-04-13] (MyWebSearch.com)
HKU\Haley\...\Run: [ooVoo.exe] C:\Program Files (x86)\ooVoo\oovoo.exe /minimized [21975120 2011-08-14] (ooVoo LLC)
HKU\Haley\...\Run: [configremote] C:\ProgramData\configremote.exe [x]
HKU\Haley\...\Run: [krnlhtml] C:\windows\system32\config\systemprofile\AppData\Roaming\krnlhtml.exe [x]
HKU\Haley\...\Run: [dplaysvr] C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe [x]
HKU\Haley\...\Run: [Internet Security] C:\ProgramData\isecurity.exe [x]
HKU\Haley\...\CurrentVersion\Windows: [Load] C:\Users\Haley\LOCALS~1\Temp\mssaensm.scr
HKLM\...\Policies\Explorer\Run: [20540] C:\PROGRA~3\LOCALS~1\Temp\msaquvw.bat
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
SubSystems: [Windows] ATTENTION! ====> ZeroAccess

==================== Services (Whitelisted) ======

2 MyWebSearchService; C:\PROGRA~2\MYWEBS~1\bar\2.bin\mwssvc.exe [28762 2011-04-13] (MyWebSearch.com)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2320920 2010-03-18] (Intel Corporation)
2 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [244960 2011-10-25] ()
3 NisSrv; "c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [10610400 2010-07-29] (Intel Corporation)
3 RSUSBSTOR; C:\Windows\System32\Drivers\RtsUStor.sys [239136 2010-02-08] (Realtek Semiconductor Corp.)
3 rtl8192Ce; C:\Windows\System32\Drivers\rtl8192Ce.sys [877088 2010-02-12] (Realtek Semiconductor Corporation )

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-05-19 10:45 - 2012-05-19 10:45 - 0000000 ____D C:\FRST
2012-05-14 17:19 - 2012-05-14 17:20 - 0000000 ____D C:\bd_logs
2012-05-12 04:07 - 2012-05-12 04:07 - 0000000 ____D C:\Users\All Users\Kaspersky Lab
2012-05-12 04:07 - 2012-05-12 04:07 - 0000000 ____D C:\ProgramData\Kaspersky Lab

============ 3 Months Modified Files and Folders =============

2012-05-19 10:45 - 2012-05-19 10:45 - 0000000 ____D C:\FRST
2012-05-14 17:20 - 2012-05-14 17:19 - 0000000 ____D C:\bd_logs
2012-05-13 16:29 - 2011-11-01 23:05 - 0000000 ___AD C:\Kaspersky Rescue Disk 10.0
2012-05-12 04:07 - 2012-05-12 04:07 - 0000000 ____D C:\Users\All Users\Kaspersky Lab
2012-05-12 04:07 - 2012-05-12 04:07 - 0000000 ____D C:\ProgramData\Kaspersky Lab
2012-04-09 11:38 - 2010-11-22 09:44 - 1488234 ____A C:\Windows\WindowsUpdate.log
2012-04-09 11:35 - 2009-07-13 21:13 - 0760338 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-09 11:31 - 2010-10-14 20:04 - 0000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-04-09 11:31 - 2010-10-14 20:04 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-04-05 10:20 - 2012-04-05 10:20 - 0000000 ____D C:\Windows\system64
2012-04-05 10:19 - 2012-04-05 10:19 - 0000649 ____A C:\Users\Public\Desktop\Internet Security.lnk
2012-04-05 10:13 - 2009-07-13 20:45 - 0015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-05 10:13 - 2009-07-13 20:45 - 0015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-05 10:06 - 2009-07-13 20:45 - 0414656 ____A C:\Windows\System32\FNTCACHE.DAT
2012-04-05 10:05 - 2010-11-22 09:38 - 3062255616 __ASH C:\hiberfil.sys
2012-04-05 10:05 - 2010-10-14 20:05 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-04-05 10:05 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-05 10:05 - 2009-07-13 20:51 - 0040180 ____A C:\Windows\setupact.log
2012-04-05 09:52 - 2011-02-02 19:28 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-04-05 09:52 - 2011-02-02 19:28 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-04-05 09:44 - 2011-01-29 14:22 - 0000000 ____D C:\Users\Haley\AppData\Local\Google
2012-04-05 09:34 - 2011-11-03 04:40 - 0000129 ____A C:\Windows\System32\MRT.INI
2012-04-05 09:30 - 2011-11-03 04:37 - 54585368 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-04-05 09:23 - 2012-04-05 09:23 - 0278952 ____A C:\Windows\Minidump\040512-34460-01.dmp
2012-04-05 09:23 - 2011-10-06 16:22 - 531132363 ____A C:\Windows\MEMORY.DMP
2012-04-05 09:23 - 2011-10-06 16:22 - 0000000 ____D C:\Windows\Minidump
2012-04-05 08:57 - 2009-07-13 18:34 - 0000882 ___RH C:\Windows\System32\Drivers\etc\hosts
2012-03-04 14:23 - 2011-11-05 14:14 - 0000000 ____D C:\Users\Haley\Documents\social studies 2011-2012
2012-03-04 14:21 - 2011-01-30 15:47 - 0000000 ____D C:\Users\Haley\AppData\Local\CrashDumps
2012-03-04 14:02 - 2012-03-04 14:02 - 0000000 ____A C:\Users\Haley\Documents\New Microsoft Word Document.docx
2012-03-04 14:02 - 2012-03-04 14:02 - 0000000 ____A C:\Users\Haley\Documents\New Microsoft Word Document (2).docx
2012-03-04 13:24 - 2010-10-14 20:32 - 0280970 ____A C:\Windows\PFRO.log
2012-03-03 15:41 - 2011-08-04 05:13 - 0000000 ____D C:\Program Files (x86)\AppGraffiti

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe
[2009-07-13 15:34] - [2009-07-13 17:14] - 0026112 ____A (Microsoft Corporation) 6DE80F60D7DE9CE6B8C2DDFDF79EF175

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: l??? <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 3893.86 MB
Available physical RAM: 3329.7 MB
Total Pagefile: 3892.06 MB
Available Pagefile: 3321.73 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (TI106033W0C) (Fixed) (Total:284.9 GB) (Free:239.88 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
5 Drive g: () (Removable) (Total:7.47 GB) (Free:2.34 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 7663 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 284 GB 1501 MB
Partition 3 Primary 11 GB 286 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI106033W0C NTFS Partition 284 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7655 MB 22 KB

======================================================================================================

Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 7655 MB Healthy

======================================================================================================
==========================================================
TDL4: custom:26000022 <===== ATTENTION!


==========================================================

Last Boot: 2011-05-22 16:00

======================= End Of Log ==========================

Hi Dan!

Glad to hear that you were able to run the tool on one of the laptops.

My suspicions was correct.

The FRST log you posted indicates we are dealing with ZeroAccess, a TDL4 infection, as well as a few other things.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:

• Dissecting the ZeroAccess Rootkit
• ZeroAccess / Max++ / Smiscer Crimeware Rootkit
• MAX++ sets its sights on x64 platforms
• ZeroAccess (Max++) Rootkit
• ZeroAccess Gets Another Update
• ZeroAccess – an advanced kernel mode rootkit

Special thanks to quietman7 for providing the above information.


NEXT:



One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.

I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running FRST Fix

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

start
HKLM\...\Run: [] [x]
HKLM\...\Run: [PC MightyMax 2011 Tray Icon] "C:\Program Files (x86)\PC MightyMax 2011\TrayIcon.exe" [122368 2011-04-08] ()
HKLM\...\Run: [wmuine] rundll32.exe "C:\windows\TEMP\wmuine.dll",CreateRenderToEnvMap [x]
C:\windows\TEMP\wmuine.dll
HKLM\...\Run: [octsra] rundll32.exe "C:\windows\TEMP\octsra.dll",BAOCloseFile [x]
C:\windows\TEMP\octsra.dll
HKLM-x32\...\Run: [MyWebSearch Email Plugin] C:\PROGRA~2\MYWEBS~1\bar\2.bin\mwsoemon.exe [32849 2011-04-13] (MyWebSearch.com)
HKLM-x32\...\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~2\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w /h [x]
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [iBryte browseforchange Desktop] C:\Program Files (x86)\iBryte\browseforchange\ibrytedesktop.exe [163840 2011-12-23] (iBryte)
HKLM-x32\...\Run: [iBryte playbryte Desktop] C:\Program Files (x86)\iBryte\playbryte\ibrytedesktop.exe [163840 2011-12-23] (iBryte)
HKLM-x32\...\Run: [configremote] C:\ProgramData\configremote.exe [x]
C:\ProgramData\configremote.exe
HKLM-x32\...\Run: [krnlhtml] C:\windows\system32\config\systemprofile\AppData\Roaming\krnlhtml.exe [x]
C:\windows\system32\config\systemprofile\AppData\Roaming\krnlhtml.exe
HKLM-x32\...\Run: [dplaysvr] %LOCALAPPDATA%\dplaysvr.exe [x]
%LOCALAPPDATA%\dplaysvr.exe
HKU\Haley\...\Run: [MyWebSearch Email Plugin] C:\PROGRA~2\MYWEBS~1\bar\2.bin\mwsoemon.exe [32849 2011-04-13] (MyWebSearch.com)
HKU\Haley\...\Run: [configremote] C:\ProgramData\configremote.exe [x]
C:\ProgramData\configremote.exe
HKU\Haley\...\Run: [krnlhtml] C:\windows\system32\config\systemprofile\AppData\Roaming\krnlhtml.exe [x]
C:\windows\system32\config\systemprofile\AppData\Roaming\krnlhtml.exe
HKU\Haley\...\Run: [dplaysvr] C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe [x]
C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
HKU\Haley\...\Run: [Internet Security] C:\ProgramData\isecurity.exe [x]
C:\ProgramData\isecurity.exe
HKU\Haley\...\CurrentVersion\Windows: [Load] C:\Users\Haley\LOCALS~1\Temp\mssaensm.scr
C:\Users\Haley\LOCALS~1\Temp\mssaensm.scr
HKLM\...\Policies\Explorer\Run: [20540] C:\PROGRA~3\LOCALS~1\Temp\msaquvw.bat
C:\PROGRA~3\LOCALS~1\Temp\msaquvw.bat
HKLM\...\.exe: l??? <===== ATTENTION!
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
TDL4: custom:26000022 <===== ATTENTION!
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

In Windows 7: Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.



NEXT:


We need to remove a program. To do this please do the following:

• Click Start
• Go to Control Panel
• Double click on Programs and Features
• Find and click the Uninstall button to uninstall the following (if present):
  
• PC MightyMax 2011
• MyWebSearch
• iBryte

NEXT:


Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Download GMER Rootkit Scanner from here or here.

• Extract the contents of the zipped file to desktop.
• Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  
  
  Click the image to enlarge it
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning.



NEXT:


Re-Running OTL

We need to create a New FULL OTL Report

• Please download OTL from here if you have not done so already:
  
  • Main Mirror
  • Mirror
• Save it to your desktop.
• Double click on the icon on your desktop.
• Click the "Scan All Users" checkbox.
• Change the "Extra Registry" option to "SafeList"
• In the box Copy & Paste the following:
  

  msconfig
  safebootminimal
  activex
  drivers32
  netsvcs
  "%WinDir%\$NtUninstallKB*$." /30
  C:\Program Files\Common Files\ComObjects\*.* /s
  %systemroot%\*. /mp /s
  %systemroot%\*. /rp /s
  %systemroot%\system32\*.dll /lockedfiles
  %systemroot%\Tasks\*.job /lockedfiles
  %systemroot%\system32\drivers\*.sys /lockedfiles
  %systemroot%\System32\config\*.sav
  %systemroot%\system32\drivers\*.sys /90
  %SYSTEMDRIVE%\*.exe
  /md5start
  volsnap.sys
  atapi.sys
  explorer.exe
  winlogon.exe
  wininit.exe
  tdx.sys
  /md5stop
  hklm\software\clients\startmenuinternet|command /rs
  hklm\software\clients\startmenuinternet|command /64 /rs
  

• Push the button.
• Two reports will open, copy and paste them in a reply here:
  
  • OTL.txt <-- Will be opened
  • Extras.txt <-- Will be minimized

NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. FRST fixlog.txt
3. GMER.txt log
4. OTL.txt & Extras.txt log files.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

ST,

I'll go ahead and try to remove the infection. I ran first with the fix list on the flash drive and the following is the lag

question...how do I do the next step that says to remove a program by clicking on start? I can't start the machine up in windows and the system restore cd interface doesn't have a start choice does it?

thanks,

dan

here is the fix log

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 18-05-2012 02
Ran by SYSTEM at 2012-05-19 12:47:50 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\PC MightyMax 2011 Tray Icon Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\wmuine Value deleted successfully.
C:\windows\TEMP\wmuine.dll not found.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\octsra Value deleted successfully.
C:\windows\TEMP\octsra.dll not found.
HKLM-x32\\\.\.\.\\Run\\MyWebSearch Email Plugin Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\My Web Search Bar Search Scope Monitor Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKLM-x32\\\.\.\.\\Run\\iBryte browseforchange Desktop Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\iBryte playbryte Desktop Value deleted successfully.
HKLM-x32\\\.\.\.\\Run\\configremote Value deleted successfully.
C:\ProgramData\configremote.exe not found.
HKLM-x32\\\.\.\.\\Run\\krnlhtml Value deleted successfully.
C:\windows\system32\config\systemprofile\AppData\Roaming\krnlhtml.exe not found.
HKLM-x32\\\.\.\.\\Run\\dplaysvr Value deleted successfully.
HKEY_USERS\Haley\Software\Microsoft\Windows\CurrentVersion\Run\\MyWebSearch Email Plugin Value deleted successfully.
HKEY_USERS\Haley\Software\Microsoft\Windows\CurrentVersion\Run\\configremote Value deleted successfully.
C:\ProgramData\configremote.exe not found.
HKEY_USERS\Haley\Software\Microsoft\Windows\CurrentVersion\Run\\krnlhtml Value deleted successfully.
C:\windows\system32\config\systemprofile\AppData\Roaming\krnlhtml.exe not found.
HKEY_USERS\Haley\Software\Microsoft\Windows\CurrentVersion\Run\\dplaysvr Value deleted successfully.
C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe not found.
HKEY_USERS\Haley\Software\Microsoft\Windows\CurrentVersion\Run\\Internet Security Value deleted successfully.
C:\ProgramData\isecurity.exe not found.
HKEY_USERS\Haley\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load Value not found.
C:\Users\Haley\LOCALS~1\Temp\mssaensm.scr not found.
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\20540 Value not found.
C:\PROGRA~3\LOCALS~1\Temp\msaquvw.bat not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\\Default value was restored successfully.
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.

The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

Hi!

question...how do I do the next step that says to remove a program by clicking on start? I can't start the machine up in windows and the system restore cd interface doesn't have a start choice does it?

Those steps were for if you were able to boot up your computer successfully after running that FRST fix.

I take it we're still not able to boot up.

Please do me a favor and run a new scan with FRST if this is the case, and post the log file for me to review.

-ST.

I did try a reboot although it hung for awhile, so I shut it down and rebooted to the CD

here is the second first scan

Scan result of Farbar Recovery Scan Tool Version: 18-05-2012 02
Ran by SYSTEM at 19-05-2012 12:57:23
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [161304 2010-08-10] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [386584 2010-08-10] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [415256 2010-08-10] (Intel Corporation)
HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-28] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-10] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1483776 2010-02-25] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-02-23] (TOSHIBA Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1436736 2011-06-15] (Microsoft Corporation)
HKLM\...\Run: [MRT] "C:\windows\system32\MRT.exe" /R [54585368 2012-04-05] (Microsoft Corporation)
HKLM-x32\...\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294136 2009-10-06] (TOSHIBA Corporation)
HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2011-01-25] (Apple Inc.)
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [397992 2011-07-26] (Ask)
HKU\Haley\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-10-14] (Google Inc.)
HKU\Haley\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [15028104 2011-01-03] (Skype Technologies S.A.)
HKU\Haley\...\Run: [ooVoo.exe] C:\Program Files (x86)\ooVoo\oovoo.exe /minimized [21975120 2011-08-14] (ooVoo LLC)
HKU\Haley\...\CurrentVersion\Windows: [Load] C:\Users\Haley\LOCALS~1\Temp\mssaensm.scr
HKLM\...\Policies\Explorer\Run: [20540] C:\PROGRA~3\LOCALS~1\Temp\msaquvw.bat
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

==================== Services (Whitelisted) ======

2 MyWebSearchService; C:\PROGRA~2\MYWEBS~1\bar\2.bin\mwssvc.exe [28762 2011-04-13] (MyWebSearch.com)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2320920 2010-03-18] (Intel Corporation)
2 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [244960 2011-10-25] ()
3 NisSrv; "c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [10610400 2010-07-29] (Intel Corporation)
3 RSUSBSTOR; C:\Windows\System32\Drivers\RtsUStor.sys [239136 2010-02-08] (Realtek Semiconductor Corp.)
3 rtl8192Ce; C:\Windows\System32\Drivers\rtl8192Ce.sys [877088 2010-02-12] (Realtek Semiconductor Corporation )

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-05-19 10:45 - 2012-05-19 12:57 - 0000000 ____D C:\FRST
2012-05-14 17:19 - 2012-05-14 17:20 - 0000000 ____D C:\bd_logs
2012-05-12 04:07 - 2012-05-12 04:07 - 0000000 ____D C:\Users\All Users\Kaspersky Lab
2012-05-12 04:07 - 2012-05-12 04:07 - 0000000 ____D C:\ProgramData\Kaspersky Lab

============ 3 Months Modified Files and Folders =============

2012-05-19 12:57 - 2012-05-19 10:45 - 0000000 ____D C:\FRST
2012-05-14 17:20 - 2012-05-14 17:19 - 0000000 ____D C:\bd_logs
2012-05-13 16:29 - 2011-11-01 23:05 - 0000000 ___AD C:\Kaspersky Rescue Disk 10.0
2012-05-12 04:07 - 2012-05-12 04:07 - 0000000 ____D C:\Users\All Users\Kaspersky Lab
2012-05-12 04:07 - 2012-05-12 04:07 - 0000000 ____D C:\ProgramData\Kaspersky Lab
2012-04-09 11:38 - 2010-11-22 09:44 - 1488234 ____A C:\Windows\WindowsUpdate.log
2012-04-09 11:35 - 2009-07-13 21:13 - 0760338 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-09 11:31 - 2010-10-14 20:04 - 0000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-04-09 11:31 - 2010-10-14 20:04 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-04-05 10:20 - 2012-04-05 10:20 - 0000000 ____D C:\Windows\system64
2012-04-05 10:19 - 2012-04-05 10:19 - 0000649 ____A C:\Users\Public\Desktop\Internet Security.lnk
2012-04-05 10:13 - 2009-07-13 20:45 - 0015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-05 10:13 - 2009-07-13 20:45 - 0015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-05 10:06 - 2009-07-13 20:45 - 0414656 ____A C:\Windows\System32\FNTCACHE.DAT
2012-04-05 10:05 - 2010-11-22 09:38 - 3062255616 __ASH C:\hiberfil.sys
2012-04-05 10:05 - 2010-10-14 20:05 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-04-05 10:05 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-05 10:05 - 2009-07-13 20:51 - 0040180 ____A C:\Windows\setupact.log
2012-04-05 09:52 - 2011-02-02 19:28 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-04-05 09:52 - 2011-02-02 19:28 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-04-05 09:44 - 2011-01-29 14:22 - 0000000 ____D C:\Users\Haley\AppData\Local\Google
2012-04-05 09:34 - 2011-11-03 04:40 - 0000129 ____A C:\Windows\System32\MRT.INI
2012-04-05 09:30 - 2011-11-03 04:37 - 54585368 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-04-05 09:23 - 2012-04-05 09:23 - 0278952 ____A C:\Windows\Minidump\040512-34460-01.dmp
2012-04-05 09:23 - 2011-10-06 16:22 - 531132363 ____A C:\Windows\MEMORY.DMP
2012-04-05 09:23 - 2011-10-06 16:22 - 0000000 ____D C:\Windows\Minidump
2012-04-05 08:57 - 2009-07-13 18:34 - 0000882 ___RH C:\Windows\System32\Drivers\etc\hosts
2012-03-04 14:23 - 2011-11-05 14:14 - 0000000 ____D C:\Users\Haley\Documents\social studies 2011-2012
2012-03-04 14:21 - 2011-01-30 15:47 - 0000000 ____D C:\Users\Haley\AppData\Local\CrashDumps
2012-03-04 14:02 - 2012-03-04 14:02 - 0000000 ____A C:\Users\Haley\Documents\New Microsoft Word Document.docx
2012-03-04 14:02 - 2012-03-04 14:02 - 0000000 ____A C:\Users\Haley\Documents\New Microsoft Word Document (2).docx
2012-03-04 13:24 - 2010-10-14 20:32 - 0280970 ____A C:\Windows\PFRO.log
2012-03-03 15:41 - 2011-08-04 05:13 - 0000000 ____D C:\Program Files (x86)\AppGraffiti

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe
[2009-07-13 15:34] - [2009-07-13 17:14] - 0026112 ____A (Microsoft Corporation) 6DE80F60D7DE9CE6B8C2DDFDF79EF175

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 3893.86 MB
Available physical RAM: 3317.85 MB
Total Pagefile: 3892.06 MB
Available Pagefile: 3301.92 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (TI106033W0C) (Fixed) (Total:284.9 GB) (Free:239.88 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
5 Drive g: () (Removable) (Total:7.47 GB) (Free:2.34 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 7663 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 284 GB 1501 MB
Partition 3 Primary 11 GB 286 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI106033W0C NTFS Partition 284 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7655 MB 22 KB

======================================================================================================

Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 7655 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2011-05-22 16:00

======================= End Of Log ==========================

Hi!

Try this fix for me:

Running FRST Fix

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

start
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
TDL4: custom:26000022 <===== ATTENTION!
HKU\Haley\...\CurrentVersion\Windows: [Load] C:\Users\Haley\LOCALS~1\Temp\mssaensm.scr
Folder:
C:\bd_logs
C:\Users\All Users\Kaspersky Lab
C:\ProgramData\Kaspersky Lab
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

In Windows 7: Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

ok, ran the fix again with the second fix list...here is the new log

dan


Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 18-05-2012 02
Ran by SYSTEM at 2012-05-19 13:59:23 Run:2
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.

An error occurred while attempting to delete the specified data element.
Element not found.
The operation completed successfully.
HKEY_USERS\Haley\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load Value not found.

========================= Folder: ========================

Directory Not Found

====== End of Folder: ======
C:\bd_logs moved successfully.
C:\Users\All Users\Kaspersky Lab moved successfully.
C:\ProgramData\Kaspersky Lab not found.

==== End of Fixlog ====

Still not able to boot it up?

doesn't look like I can boot. I do have to say that even boring to the CD requires me to restart the computer multiple times. restarting three -four times and going each time to the boot sequence using F12 and choosing CD/DVD seems to get it to recognize the cd boot system. don't know if that has anything to do with things


ah, just noticed that a screen entitled windows setup [EMS enabled] came up with choices I had not seen before...pressed F8 and...I get to the advanced boot option menu...shall I choose safe mode? normal...? not sure if this means I have booted via the hard drive

dan