Infected With System Check "newest TDL rootkit"

25 replies to this topic

#1 johntt

  • Members
  • 19 posts

Posted 14 February 2012 - 04:57 PM

Hi,

Thanks for taking the trouble to look at this, it's much appreciated.

My previous post was here - http://www.bleepingcomputer.com/forums/topic439522.html

I was instructed to start a new topic here, with the following info :-

DDS seemed to run ok and it produced the logs described. Both are attached to this post.

GMER seemed problematic.

When loaded, the check box options were not as shown in the guide. Some seemed greyed out and it was not possible to check or uncheck them as instructed.

It was only possible to check "Services", "Registry", "Files" (C Drive)" and "ADS". Everything else remained unchecked.

The result from GMER was "GMER hasn't found any system modification" and the report was empty.

I'll wait to hear from you and thanks again.

Attached Files




#2 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 15 February 2012 - 06:51 PM

johntt, welcome to the forum!

Please copy and paste the contents of the DDS.txt in your reply (not the Attach.txt).

Thanks!


Also, please download: Listparts64
Save to the Desktop
Double-click the downloaded file to run the program.
Click: Scan
When done, please post the Result.txt in your reply.


Last, please see if you have the Repair your computer option in the Advanced Boot Options menu:
Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Is the Repair your computer option listed?
If you do not have that option, do you have a Windows Seven installation DVD available?


On GMER...
Your system is 64-bit, and GMER is meant to run on 32-bit systems.
That is why it is not showing all the options mentioned.
Not to worry...

Edited by Aaflac, 15 February 2012 - 07:24 PM.

Old duck...


#3 johntt
  • Topic Starter

  • Members
  • 19 posts

Posted 16 February 2012 - 06:13 PM

Hi Aaflac, thanks for your help.

DDS.txt


DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by John at 19:28:58 on 2012-02-14
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.8191.5669 [GMT 0:00]
.
AV: AVG Internet Security *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe
C:\Windows\system32\PrintIsolationHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\StartupMonitor.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO: Sopcast Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Sopcast Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [Run StartupMonitor] StartupMonitor.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\OFFICE11\REFIEBAR.DLL
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20101011044214
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://webconnect.webex.com/client/T27L10NSP11EP11/event/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BD958F6F-1437-48EC-857D-391387DFF845} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: FDMIECookiesBHO Class: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO-X64: Sopcast Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Sopcast Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [Run StartupMonitor] StartupMonitor.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [(Default)]
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\5y9e0bzc.default\
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.102.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NOS\bin\np_gp.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\John\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Users\John\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R0 RapportKE64;RapportKE64;C:\Windows\system32\Drivers\RapportKE64.sys --> C:\Windows\system32\Drivers\RapportKE64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 RapportCerberus_34302;RapportCerberus_34302;C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_34302.sys [2012-1-25 397520]
R1 RapportEI64;RapportEI64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2012-1-25 55056]
R1 RapportPG64;RapportPG64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2012-1-25 61712]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-10-25 361984]
R2 AODDriver4.01;AODDriver4.01;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2011-6-24 55424]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-8-2 192776]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2008-8-11 15928]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDriver.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]
R2 RapportMgmtService;Rapport Management Service;C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2012-1-25 931640]
R2 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2010-6-24 92008]
R2 VmbService;Vodafone Mobile Broadband Service;C:\Program Files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [2010-12-31 9216]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 huawei_enumerator;huawei_enumerator;C:\Windows\system32\DRIVERS\ew_jubusenum.sys --> C:\Windows\system32\DRIVERS\ew_jubusenum.sys [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
R3 vodafone_K3805-z_dc_enum;vodafone_K3805-z_dc_enum;C:\Windows\system32\DRIVERS\vodafone_K3805-z_dc_enum.sys --> C:\Windows\system32\DRIVERS\vodafone_K3805-z_dc_enum.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-3-5 135664]
S3 ggflt;SEMC USB Flash Driver Filter;C:\Windows\system32\DRIVERS\ggflt.sys --> C:\Windows\system32\DRIVERS\ggflt.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-3-5 135664]
S3 nmwcdcx64;Nokia USB Generic;C:\Windows\system32\drivers\ccdcmbox64.sys --> C:\Windows\system32\drivers\ccdcmbox64.sys [?]
S3 nmwcdx64;Nokia USB Phone Parent;C:\Windows\system32\drivers\ccdcmbx64.sys --> C:\Windows\system32\drivers\ccdcmbx64.sys [?]
S3 nosGetPlusHelper;getPlus® Helper 3004;C:\Windows\System32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S3 Ph3xIB64;Philips 713x Inbox PCI TV Card;C:\Windows\system32\DRIVERS\Ph3xIB64.sys --> C:\Windows\system32\DRIVERS\Ph3xIB64.sys [?]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [2010-12-15 155344]
S3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;C:\Windows\system32\DRIVERS\gtkdrv.sys --> C:\Windows\system32\DRIVERS\gtkdrv.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-02-12 12:49:56 -------- d-----w- C:\Program Files\iTunes
2012-02-12 12:49:56 -------- d-----w- C:\Program Files\iPod
2012-01-24 14:51:14 63760 ----a-w- C:\Windows\System32\drivers\RapportKE64.sys
2012-01-24 14:50:58 -------- d-----w- C:\Users\John\AppData\Local\Trusteer
2012-01-24 14:50:53 -------- d-----w- C:\Program Files (x86)\Trusteer
2012-01-24 14:49:53 -------- d-----w- C:\ProgramData\Trusteer
2012-01-23 21:05:26 -------- d-----w- C:\$RECYCLE.BIN
2012-01-23 20:19:52 98816 ----a-w- C:\Windows\sed.exe
2012-01-23 20:19:52 518144 ----a-w- C:\Windows\SWREG.exe
2012-01-23 20:19:52 256000 ----a-w- C:\Windows\PEV.exe
2012-01-23 20:19:52 208896 ----a-w- C:\Windows\MBR.exe
2012-01-23 20:18:46 -------- d-----w- C:\ComboFix
2012-01-22 21:31:30 -------- d-----w- C:\Users\John\AppData\Roaming\AVG2012
2012-01-22 21:29:40 -------- d-----w- C:\Windows\System32\drivers\AVG
2012-01-22 21:29:40 -------- d-----w- C:\ProgramData\AVG2012
2012-01-22 21:24:23 -------- d-----w- C:\ProgramData\MFAData
2012-01-21 19:14:52 -------- d-----w- C:\Program Files (x86)\GridinSoft Trojan Killer
.
==================== Find3M ====================
.
2012-01-04 14:28:36 16640 ----a-w- C:\Windows\System32\drivers\gtkdrv.sys
2011-12-24 14:58:35 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-12-24 14:58:35 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-12-21 20:07:10 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-12-13 12:09:49 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-07 22:43:28 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-19 14:58:00 77312 ----a-w- C:\Windows\System32\packager.dll
2011-11-19 14:01:00 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2011-11-17 06:49:14 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2011-11-17 06:49:14 152432 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2011-11-17 06:44:43 459232 ----a-w- C:\Windows\System32\drivers\cng.sys
2011-11-17 06:41:18 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2011-11-17 06:35:28 395776 ----a-w- C:\Windows\System32\webio.dll
2011-11-17 06:35:26 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2011-11-17 06:35:26 136192 ----a-w- C:\Windows\System32\sspicli.dll
2011-11-17 06:35:25 340992 ----a-w- C:\Windows\System32\schannel.dll
2011-11-17 06:35:25 28160 ----a-w- C:\Windows\System32\secur32.dll
2011-11-17 06:35:19 1447936 ----a-w- C:\Windows\System32\lsasrv.dll
2011-11-17 06:33:55 31232 ----a-w- C:\Windows\System32\lsass.exe
2011-11-17 05:38:39 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2011-11-17 05:35:02 314880 ----a-w- C:\Windows\SysWow64\webio.dll
2011-11-17 05:34:52 224768 ----a-w- C:\Windows\SysWow64\schannel.dll
2011-11-17 05:34:52 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2011-11-17 05:28:48 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
.
============= FINISH: 19:37:49.72 ===============

Result.txt

ListParts by Farbar
Ran by John on 16-02-2012 at 23:08:47
Windows 7 (X64)
Running From: C:\Users\John\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 24%
Total physical RAM: 8191.18 MB
Available physical RAM: 6173.8 MB
Total Pagefile: 16380.55 MB
Available Pagefile: 14003.2 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (Windows7) (Fixed) (Total:911.98 GB) (Free:684.41 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 19 GB 1024 KB
Partition 2 Primary 911 GB 19 GB
Partition 3 Primary 2768 KB 931 GB

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Win_RE NTFS Partition 19 GB Healthy Hidden

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Windows7 NTFS Partition 911 GB Healthy System (partition with boot components)

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.



****** End Of Log ******

I'll check about the Repair your computer option and post again.

#4 johntt
  • Topic Starter

  • Members
  • 19 posts

Posted 16 February 2012 - 06:20 PM

Yep, I have the 'Repair your computer' option within the Advanced Boot Options.

Don't think I have an installation DVD in any event.

I'll wait to hear from you, thanks again.

#5 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 16 February 2012 - 08:33 PM

Thanks for posting DDS, johntt.

System Check is a member of the FakeHDD family, and is known to bundle with the new TDL rootkit.
It looks as if you have both.

Let's work on System Check first...

Looks like you can download, so, please download RogueKiller
>>The dark blue circle to the right of:
(Download link)
'Lien de téléchargement' <<

This will not take long...

  • Save to the Desktop
  • Close all windows and browsers
  • Windows Seven: Double-click the program and select 'Run as Administrator'
  • On the program window, press: SCAN
  • A report opens on the Desktop: RKreport.txt

Please copy/paste the RKreport.txt , and provide it in your reply.

Note:
If RogueKiller is blocked by the malware, try running it again.
If it still fails to run, right-click on the downloaded program and select: Rename
Rename it to winlogon.exe and try again.


Also, need to know three things...
1. Do you have access to another computer? Malware is unpredictable, and if we run into a stumbling block, another PC comes in handy.
2. Do you have a USB Flash Drive (pen drive) available?
3. System Check and its infection family is known for hiding files. Are you having that problem also?

Edited by Aaflac, 16 February 2012 - 09:37 PM.

Old duck...


#6 johntt
  • Topic Starter

  • Members
  • 19 posts

Posted 17 February 2012 - 04:45 AM

Hi Aaflac,

I really appreciate how quickly you are responding to each post, thanks for that.

RogueKiller seemed to work ok, here is the report :-


RogueKiller V7.1.0 [02/15/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: John [Admin rights]
Mode: Scan -- Date: 02/17/2012 09:30:36

Bad processes: 0

Registry Entries: 10
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

Particular Files / Folders:

Driver: [NOT LOADED]

Infection : Root.MBR

HOSTS File:
127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: SAMSUNG HD103SJ ATA Device +++++
--- User ---
[MBR] 2697ca85ce494dd2f02388f91c6e77cb
[BSP] 3b4da75efa69b2b300eb9acd60b30195 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 20001 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 40965750 | Size: 933864 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] eea6e43edb4d096f6770e459cc385391
[BSP] 3b4da75efa69b2b300eb9acd60b30195 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 20001 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 40965750 | Size: 933864 Mo
2 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1953519616 | Size: 2 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt



I do have access to another computer and I also have a flash drive.

Yes I was affected by the hidden file issue. I managed to get some of these back following some instructions on my earlier thread using 'Unhide' (http://www.bleepingcomputer.com/forums/topic439522.html) but I suspect some are still missing. I also have issues where folders are locked and I get an "access denied" message when I try and open them, not sure if that's related.

I'll wait for your instructions and as always, thanks for your help.

#7 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 17 February 2012 - 01:29 PM

The Registry entries showing in RogueKiller are of no concern.

However, the MBR Check also shows the TDL4 partition:
2 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1953519616 | Size: 2 Mo

So, let's press on...

You may want to print these instructions so you can have access to them while this procedure is going on.


Please plug your flash drive into a clean computer.
Go to Start > Computer
Double-click Computer, and select the flash drive.
Right-click and select: Format
Press Start on the Format prompt.
Remove when done.



Now, please plug the flash drive into the infected computer.

Open Notepad (Press 'Start' orb 'R', and in the Open area, type: notepad)

Copy/paste the following information inside the code box to Notepad:

Disk=0 Partition=2 active
bcdedit
Disk=0 Partition=3 type=07

In Notepad, go to File > Save as...
Save to: the USB flash drive
In File name use: fix.txt
Click: Save


Now, save ListParts64.exe (which should be on the Desktop), and the fix.txt file on the flash drive.


Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your language settings, and click: Next
  • Select your User account and click: OK (If you did not set a password, leave blank.)

On the System Recovery Options menu you get the following options:
  • Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Scan your computer's memory for errors.
    Command Prompt
  • Select Command Prompt
  • In the Command window, at the blinking cursor type notepad and press: Enter
  • In Notepad, under the File menu select: Open
  • Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
  • With the flash drive and Notepad open, click the Command window
  • Type e:\listparts64.exe, and press: Enter
    Note: Replace the drive letter e with the drive letter of your flash drive!
  • ListParts64 now shows on the screen.
  • Press the Fix button.
  • When done, check the List BCD option on the ListParts64 screen, and click: Scan
  • If successful, the following appears: "Scan completed. Result.txt was saved in the same directory the tool is run.", click: OK
  • The program saves the Result.txt, on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Close out of everything else.
  • Back at the System Recovery Options, press: Restart, and boot normally into Windows.

Once back in Windows, open the USB flash drive, copy/paste the Result.txt, and provide it in your reply.


Then, run a new Scan with ListParts64 in normal Windows, and also post the new Result.txt in your reply.


If you encounter any obstacles, go to your other computer and post what is happening, any error messages, etc., so we can work the issue.

Edited by Aaflac, 18 February 2012 - 10:54 AM.

Old duck...
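The two findings Aaflac points to in the RogueKiller MBR Check above (a user-mode read of the MBR that differs from the low-level read, and a hidden-type 0x17 partition of 2 MB at the end of the disk) can be reproduced with a small partition-table parser. This is an added example, not RogueKiller's or the thread's own code; the two MBR images are constructed here to mirror the 'User' and 'LL2' tables in the report, and the list of DOS-style hidden partition type IDs is the only outside assumption.

```python
# Added example, not RogueKiller's code: parse two reads of one MBR and flag what the report flags.
import struct
from dataclasses import dataclass
SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}  # DOS "hidden" type IDs; 0x17 = hidden NTFS

@dataclass
class Partition:
    index: int
    active: bool
    ptype: int
    lba_start: int
    sectors: int

    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)

def build_mbr(entries):
    """Construct a 512-byte MBR from (active, type, lba_start, sectors) tuples (test data only)."""
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\0" * 3, ptype, b"\0" * 3, start, count)
        for active, ptype, start, count in entries)
    table += b"\0" * (64 - len(table))        # pad unused slots
    return b"\0" * 446 + table + b"\x55\xaa"   # empty boot code + table + signature

def parse_mbr(mbr: bytes):
    """Return the non-empty entries of the partition table in an MBR sector."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype != 0:
            parts.append(Partition(i, status == 0x80, ptype, start, count))
    return parts

def find_suspicious(parts):
    """Entries with a hidden type ID, or tiny active ones: the pattern of a bootkit's reserved slot."""
    return [p for p in parts if p.ptype in HIDDEN_TYPES or (p.active and p.size_mb() <= 2)]

def views_differ(user_mbr: bytes, raw_mbr: bytes) -> bool:
    """True when a user-mode read and a low-level read disagree (the 'User != LL2 ... KO!' line)."""
    return user_mbr != raw_mbr

# Constructed to mirror the 'User' and 'LL2' partition tables in the report above.
USER_VIEW = build_mbr([(False, 0x27, 2048, 40962048), (True, 0x07, 40965750, 1912553472)])
RAW_VIEW = build_mbr([(False, 0x27, 2048, 40962048), (False, 0x07, 40965750, 1912553472),
                      (True, 0x17, 1953519616, 4096)])
```

On a live system the two inputs would be the MBR as returned through the normal disk API and the same sector read below the filter stack; a mismatch is itself the indicator, before any single entry is examined.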


#8 Aaflac (Malware Response Team)

Posted 18 February 2012 - 10:53 AM

johntt,

Please note the Edit in the code box above.

The tool was updated last night.

If you haven't done these instructions yet, please use:

Disk=0 Partition=2 active
bcdedit
Disk=0 Partition=3 type=07

Thanks!

Edited by Aaflac, 18 February 2012 - 10:53 AM.



#9 johntt (Topic Starter)

Posted 19 February 2012 - 05:06 PM

Hi Aaflac,

I followed your instructions but when I got to choosing 'Repair your computer', the screen went black apart from the message "Windows is loading files..." with a solid white bar across the length of the bottom of the screen.

I waited 10 minutes and nothing else happened. Then I forced a power off.

Was able to restart normally without problems.

Tried the process 3 times, with exactly the same outcome.

Presume that isn't good? No doubt you'll let me know.

Thanks.

John

#10 Aaflac (Malware Response Team)

Posted 19 February 2012 - 07:33 PM

If the following is what you are getting, that is what it is supposed to be.

Posted Image

Does the Progress Bar reach the end and then nothing happens, or does it give you any kind of message?

What model is your ACER?


In any event, let's try creating a Windows 7 System Repair Disk to get to the Recovery Environment:

Note: The below can only be done if your machine has a CD/R or DVD/R optical drive installed. Also, depending on the exact type of OEM (Original Equipment Manufacturer) your machine has, you may be unable to actually create a System Repair Disk.
However, let's give it a shot...

  • Click on Start orb > Run...(or the Windows key and R together) to bring up the Run box
    Copy/paste the following command into the box and click on OK:

    recdisc.exe
  • Allow the UAC (User Account Control) prompt, via selecting: Yes
  • You should now see a menu like the one below:
Posted Image

  • Place a blank rewritable CD/DVD in your optical (CD/DVD) drive, and then click on: Create Disc
  • Note: If an AutoPlay window pops up, just close it.
  • When the System Repair Disk is created, you will see the following:
Posted Image

  • Now, click on Close > OK
  • Leave the disc in the drive as we will use it next


From the previous instructions, make sure the following is ready:
Open Notepad (Press 'Start' orb 'R', and in the Open area, type: notepad)

Copy/paste the following information inside the code box to Notepad:

Disk=0 Partition=2 active
bcdedit
Disk=0 Partition=3 type=07

In Notepad, go to File > Save as...
Save to: the USB flash drive
In File name use: fix.txt
Click: Save


Now, save ListParts64.exe (which should be on the Desktop), and the fix.txt file on the flash drive.



To use the created System Repair Disc to get to the Recovery Environment...

Restart the computer using the Power button
  • If prompted, press any key to start the computer from the System Repair Disc.
  • If your computer isn't configured to start from a CD or DVD, check the information that came with your computer. You might need to change your computer's BIOS settings.
  • Select your language settings, and then click: Next
  • On the System Recovery Options menu you get the following options:
    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Scan your computer's memory for errors.
      Command Prompt
    >>>
  • Select Command Prompt, and click: Next
  • In the Command window, at the blinking cursor type notepad and press: Enter
  • In Notepad, under the File menu select: Open
  • Double-click Computer, find the flash drive letter, remember the letter it is, click on it, and press: Open
  • With the flash drive and Notepad open, click the Command window again
  • Type e:\listparts64.exe, and press: Enter
    Note: Replace the drive letter e with the drive letter of your flash drive!
  • ListParts64 now shows on the screen.
  • Press the Fix button.
  • When done, check the List BCD option on the ListParts64 screen, and click: Scan
  • If successful, the following appears: "Scan completed. Result.txt was saved in the same directory the tool is run.", click: OK
  • The program saves the Result.txt, on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Close out of everything else.
  • Back at the System Recovery Options, press: Restart, and boot normally into Windows.


Once back in Windows, open the USB flash drive, copy/paste the Result.txt, and provide it in your reply.


Then, run a new Scan with ListParts64 in normal Windows, and also post the new Result.txt in your reply.


If you encounter any obstacles, go to your other computer and post what is happening, any error messages, etc., so we can work the issue.


Also, if the System Repair Disk does not work, we still have another option, so, stay with it, yet. :wink:

Edited by Aaflac, 29 February 2012 - 07:11 PM.



#11 Aaflac (Malware Response Team)

Posted 23 February 2012 - 08:48 PM

How is it going with the Windows 7 System Repair Disk?



#12 johntt (Topic Starter)

Posted 26 February 2012 - 03:33 PM

Hi Aaflac,

I'm sorry for the delay.

To cut a long story short, I can't try the process you outlined until Weds night (29th).

Hopefully you can bear with me until then and I'll post the results that night.

Thanks.

John

#13 Aaflac (Malware Response Team)

Posted 26 February 2012 - 05:12 PM

No problem, johntt.

Will await the results.



#14 johntt (Topic Starter)

Posted 29 February 2012 - 05:53 PM

Hi Aaflac,

Thanks for your patience.

I created the system repair disk and got to the stage where I pressed any key to start the computer from this disk.

Then the 'Windows is loading files...' screen appeared and the progress bar reached the end.

A new screen appeared with 'Microsoft Corporation' at the bottom and a new progress bar. It stayed for about a minute.

I was then presented with a new screen titled 'System Recovery Options'.

The language was pre selected to US and the box greyed out.

Underneath that was an option for keyboard layout and I chose 'US' and clicked next.

The following appeared :-

System Recovery Options

Select an operating system to repair and click next. Note : This feature cannot repair operating systems earlier than Windows Vista.

There was a table underneath with three columns

Operating System
Partition Size
Location

The message continued...'If you do not see your operating system listed, click load drivers to load drivers for your hard disk'.

There was no info at all in the table and no sign of any operating system.

As this was all a bit different to what you described, I thought it best to let you know where I got to before progressing any further.

I was able to reboot the computer normally after that point using the power button.

In answer to your earlier questions, the progress bar reached the end and then things just seemed to hang, I waited around ten minutes on a couple of occasions.

You also asked me what model my ACER was. At the risk of sounding stupid I'm not sure what you mean? I think my computer has an ASUS? mainboard (M4A79XTD EVO) but don't know about any ACER. Sorry if I'm being an idiot here but that's the level I'm at!

I'll wait to hear from you and thanks again for your help.

#15 Aaflac (Malware Response Team)

Posted 29 February 2012 - 07:15 PM

If you do not have any OS listed in the following:

Posted Image

What happens if you click Next?

Does it take you to: Use Recovery Tools That Can Help Fix Problems Starting Windows
If so, click: Next

Do you get: Choose a Recovery Tool?

If so, can you select: Command Prompt?

If that is the case, then follow the rest of the instructions from the >>> onwards...
